gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-28 21:53:15 -08:00
Code Issues Packages Projects Releases Wiki Activity

Migrate to using mdbook

Browse Source
This commit is contained in:
Congon4tor
2024-12-31 17:04:35 +01:00
parent b9a9fed802
commit cd27cf5a2e
1373 changed files with 26143 additions and 34152 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
src/pentesting-cloud/digital-ocean-pentesting/do-services/README.md Normal file
View File

@@ -0,0 +1,19 @@
# DO - Services
{{#include ../../../banners/hacktricks-training.md}}
DO offers a few services, here you can find how to **enumerate them:**
- [**Apps**](do-apps.md)
- [**Container Registry**](do-container-registry.md)
- [**Databases**](do-databases.md)
- [**Droplets**](do-droplets.md)
- [**Functions**](do-functions.md)
- [**Images**](do-images.md)
- [**Kubernetes (DOKS)**](do-kubernetes-doks.md)
- [**Networking**](do-networking.md)
- [**Projects**](do-projects.md)
- [**Spaces**](do-spaces.md)
- [**Volumes**](do-volumes.md)
{{#include ../../../banners/hacktricks-training.md}}

34
src/pentesting-cloud/digital-ocean-pentesting/do-services/do-apps.md Normal file
View File

@@ -0,0 +1,34 @@
# DO - Apps
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
[From the docs:](https://docs.digitalocean.com/glossary/app-platform/) App Platform is a Platform-as-a-Service (PaaS) offering that allows developers to **publish code directly to DigitalOcean** servers without worrying about the underlying infrastructure.
You can run code directly from **github**, **gitlab**, **docker hub**, **DO container registry** (or a sample app).
When defining an **env var** you can set it as **encrypted**. The only way to **retreive** its value is executing **commands** inside the host runnig the app.
An **App URL** looks like this [https://dolphin-app-2tofz.ondigitalocean.app](https://dolphin-app-2tofz.ondigitalocean.app)
### Enumeration
```bash
doctl apps list # You should get URLs here
doctl apps spec get <app-id> # Get yaml (including env vars, might be encrypted)
doctl apps logs <app-id> # Get HTTP logs
doctl apps list-alerts <app-id> # Get alerts
doctl apps list-regions # Get available regions and the default one
```
> [!CAUTION]
> **Apps doesn't have metadata endpoint**
### RCE & Encrypted env vars
To execute code directly in the container executing the App you will need **access to the console** and go to **`https://cloud.digitalocean.com/apps/<app-id>/console/<app-name>`**.
That will give you a **shell**, and just executing **`env`** you will be able to see **all the env vars** (including the ones defined as **encrypted**).
{{#include ../../../banners/hacktricks-training.md}}

33
src/pentesting-cloud/digital-ocean-pentesting/do-services/do-container-registry.md Normal file
View File

@@ -0,0 +1,33 @@
# DO - Container Registry
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
DigitalOcean Container Registry is a service provided by DigitalOcean that **allows you to store and manage Docker images**. It is a **private** registry, which means that the images that you store in it are only accessible to you and users that you grant access to. This allows you to securely store and manage your Docker images, and use them to deploy containers on DigitalOcean or any other environment that supports Docker.
When creating a Container Registry it's possible to **create a secret with pull images access (read) over it in all the namespaces** of Kubernetes clusters.
### Connection
```bash
# Using doctl
doctl registry login
# Using docker (You need an API token, use it as username and as password)
docker login registry.digitalocean.com
Username: <paste-api-token>
Password: <paste-api-token>
```
### Enumeration
```bash
# Get creds to access the registry from the API
doctl registry docker-config
# List
doctl registry repository list-v2
```
{{#include ../../../banners/hacktricks-training.md}}

43
src/pentesting-cloud/digital-ocean-pentesting/do-services/do-databases.md Normal file
View File

@@ -0,0 +1,43 @@
# DO - Databases
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
With DigitalOcean Databases, you can easily **create and manage databases in the cloud** without having to worry about the underlying infrastructure. The service offers a variety of database options, including **MySQL**, **PostgreSQL**, **MongoDB**, and **Redis**, and provides tools for administering and monitoring your databases. DigitalOcean Databases is designed to be highly scalable, reliable, and secure, making it an ideal choice for powering modern applications and websites.
### Connections details
When creating a database you can select to configure it **accessible from a public network**, or just from inside a **VPC**. Moreover, it request you to **whitelist IPs that can access it** (your IPv4 can be one).
The **host**, **port**, **dbname**, **username**, and **password** are shown in the **console**. You can even download the AD certificate to connect securely.
```bash
sql -h db-postgresql-ams3-90864-do-user-2700959-0.b.db.ondigitalocean.com -U doadmin -d defaultdb -p 25060
```
### Enumeration
```bash
# Databse clusters
doctl databases list
# Auth
doctl databases get <db-id> # This shows the URL with CREDENTIALS to access
doctl databases connection <db-id> # Another way to egt credentials
doctl databases user list <db-id> # Get all usernames and passwords
# Dbs inside a database cluster
doctl databases db list <cluster-id>
# Firewall (allowed IPs), you can also add
doctl databases firewalls list <cluster-id>
# Backups
doctl databases backups <db-id> # List backups of DB
# Pools
doctl databases pool list <db-id> # List pools of DB
```
{{#include ../../../banners/hacktricks-training.md}}

81
src/pentesting-cloud/digital-ocean-pentesting/do-services/do-droplets.md Normal file
View File

@@ -0,0 +1,81 @@
# DO - Droplets
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
In DigitalOcean, a "droplet" is a v**irtual private server (VPS)** that can be used to host websites and applications. A droplet is a **pre-configured package of computing resources**, including a certain amount of CPU, memory, and storage, that can be quickly and easily deployed on DigitalOcean's cloud infrastructure.
You can select from **common OS**, to **applications** already running (such as WordPress, cPanel, Laravel...), or even upload and use **your own images**.
Droplets support **User data scripts**.
<details>
<summary>Difference between a snapshot and a backup</summary>
In DigitalOcean, a snapshot is a point-in-time copy of a Droplet's disk. It captures the state of the Droplet's disk at the time the snapshot was taken, including the operating system, installed applications, and all the files and data on the disk.
Snapshots can be used to create new Droplets with the same configuration as the original Droplet, or to restore a Droplet to the state it was in when the snapshot was taken. Snapshots are stored on DigitalOcean's object storage service, and they are incremental, meaning that only the changes since the last snapshot are stored. This makes them efficient to use and cost-effective to store.
On the other hand, a backup is a complete copy of a Droplet, including the operating system, installed applications, files, and data, as well as the Droplet's settings and metadata. Backups are typically performed on a regular schedule, and they capture the entire state of a Droplet at a specific point in time.
Unlike snapshots, backups are stored in a compressed and encrypted format, and they are transferred off of DigitalOcean's infrastructure to a remote location for safekeeping. This makes backups ideal for disaster recovery, as they provide a complete copy of a Droplet that can be restored in the event of data loss or other catastrophic events.
In summary, snapshots are point-in-time copies of a Droplet's disk, while backups are complete copies of a Droplet, including its settings and metadata. Snapshots are stored on DigitalOcean's object storage service, while backups are transferred off of DigitalOcean's infrastructure to a remote location. Both snapshots and backups can be used to restore a Droplet, but snapshots are more efficient to use and store, while backups provide a more comprehensive backup solution for disaster recovery.
</details>
### Authentication
For authentication it's possible to **enable SSH** through username and **password** (password defined when the droplet is created). Or **select one or more of the uploaded SSH keys**.
### Firewall
> [!CAUTION]
> By default **droplets are created WITHOUT A FIREWALL** (not like in oder clouds such as AWS or GCP). So if you want DO to protect the ports of the droplet (VM), you need to **create it and attach it**.
More info in:
{{#ref}}
do-networking.md
{{#endref}}
### Enumeration
```bash
# VMs
doctl compute droplet list # IPs will appear here
doctl compute droplet backups <droplet-id>
doctl compute droplet snapshots <droplet-id>
doctl compute droplet neighbors <droplet-id> # Get network neighbors
doctl compute droplet actions <droplet-id> # Get droplet actions
# VM interesting actions
doctl compute droplet-action password-reset <droplet-id> # New password is emailed to the user
doctl compute droplet-action enable-ipv6 <droplet-id>
doctl compute droplet-action power-on <droplet-id>
doctl compute droplet-action disable-backups <droplet-id>
# SSH
doctl compute ssh <droplet-id> # This will just run SSH
doctl compute ssh-key list
doctl compute ssh-key import <key-name> --public-key-file /path/to/key.pub
# Certificates
doctl compute certificate list
# Snapshots
doctl compute snapshot list
```
> [!CAUTION]
> **Droplets have metadata endpoints**, but in DO there **isn't IAM** or things such as role from AWS or service accounts from GCP.
### RCE
With access to the console it's possible to **get a shell inside the droplet** accessing the URL: **`https://cloud.digitalocean.com/droplets/<droplet-id>/terminal/ui/`**
It's also possible to launch a **recovery console** to run commands inside the host accessing a recovery console in **`https://cloud.digitalocean.com/droplets/<droplet-id>/console`**(but in this case you will need to know the root password).
{{#include ../../../banners/hacktricks-training.md}}

60
src/pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md Normal file
View File

@@ -0,0 +1,60 @@
# DO - Functions
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
DigitalOcean Functions, also known as "DO Functions," is a serverless computing platform that lets you **run code without having to worry about the underlying infrastructure**. With DO Functions, you can write and deploy your code as "functions" that can be **triggered** via **API**, **HTTP requests** (if enabled) or **cron**. These functions are executed in a fully managed environment, so you **don't need to worry** about scaling, security, or maintenance.
In DO, to create a function first you need to **create a namespace** which will be **grouping functions**.\
Inside the namespace you can then create a function.
### Triggers
The way **to trigger a function via REST API** (always enabled, it's the method the cli uses) is by triggering a request with an **authentication token** like:
```bash
curl -X POST "https://faas-lon1-129376a7.doserverless.co/api/v1/namespaces/fn-c100c012-65bf-4040-1230-2183764b7c23/actions/functionname?blocking=true&result=true" \
-H "Content-Type: application/json" \
-H "Authorization: Basic MGU0NTczZGQtNjNiYS00MjZlLWI2YjctODk0N2MyYTA2NGQ4OkhwVEllQ2t4djNZN2x6YjJiRmFGc1FERXBySVlWa1lEbUxtRE1aRTludXA1UUNlU2VpV0ZGNjNqWnVhYVdrTFg="
```
To see how is the **`doctl`** cli tool getting this token (so you can replicate it), the **following command shows the complete network trace:**
```bash
doctl serverless connect --trace
```
**When HTTP trigger is enabled**, a web function can be invoked through these **HTTP methods GET, POST, PUT, PATCH, DELETE, HEAD and OPTIONS**.
> [!CAUTION]
> In DO functions, **environment variables cannot be encrypted** (at the time of this writing).\
> I couldn't find any way to read them from the CLI but from the console it's straight forward.
**Functions URLs** look like this: `https://<random>.doserverless.co/api/v1/web/<namespace-id>/default/<function-name>`
### Enumeration
```bash
# Namespace
doctl serverless namespaces list
# Functions (need to connect to a namespace)
doctl serverless connect
doctl serverless functions list
doctl serverless functions invoke <func-name>
doctl serverless functions get <func-name>
# Logs of executions
doctl serverless activations list
doctl serverless activations get <activation-id> # Get all the info about execution
doctl serverless activations logs <activation-id> # get only the logs of execution
doctl serverless activations result <activation-id> # get only the response result of execution
# I couldn't find any way to get the env variables form the CLI
```
> [!CAUTION]
> There **isn't metadata endpoint** from the Functions sandbox.
{{#include ../../../banners/hacktricks-training.md}}

19
src/pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md Normal file
View File

@@ -0,0 +1,19 @@
# DO - Images
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
DigitalOcean Images are **pre-built operating system or application images** that can be used to create new Droplets (virtual machines) on DigitalOcean. They are similar to virtual machine templates, and they allow you to **quickly and easily create new Droplets with the operating system** and applications that you need.
DigitalOcean provides a wide range of Images, including popular operating systems such as Ubuntu, CentOS, and FreeBSD, as well as pre-configured application Images such as LAMP, MEAN, and LEMP stacks. You can also create your own custom Images, or use Images from the community.
When you create a new Droplet on DigitalOcean, you can choose an Image to use as the basis for the Droplet. This will automatically install the operating system and any pre-installed applications on the new Droplet, so you can start using it right away. Images can also be used to create snapshots and backups of your Droplets, so you can easily create new Droplets from the same configuration in the future.
### Enumeration
```
doctl compute image list
```
{{#include ../../../banners/hacktricks-training.md}}

39
src/pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md Normal file
View File

@@ -0,0 +1,39 @@
# DO - Kubernetes (DOKS)
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
### DigitalOcean Kubernetes (DOKS)
DOKS is a managed Kubernetes service offered by DigitalOcean. The service is designed to **deploy and manage Kubernetes clusters on DigitalOcean's platform**. The key aspects of DOKS include:
1. **Ease of Management**: The requirement to set up and maintain the underlying infrastructure is eliminated, simplifying the management of Kubernetes clusters.
2. **User-Friendly Interface**: It provides an intuitive interface that facilitates the creation and administration of clusters.
3. **Integration with DigitalOcean Services**: It seamlessly integrates with other services provided by DigitalOcean, such as Load Balancers and Block Storage.
4. **Automatic Updates and Upgrades**: The service includes the automatic updating and upgrading of clusters to ensure they are up-to-date.
### Connection
```bash
# Generate kubeconfig from doctl
doctl kubernetes cluster kubeconfig save <cluster-id>
# Use a kubeconfig file that you can download from the console
kubectl --kubeconfig=/<pathtodirectory>/k8s-1-25-4-do-0-ams3-1670939911166-kubeconfig.yaml get nodes
```
### Enumeration
```bash
# Get clusters
doctl kubernetes cluster list
# Get node pool of cluster (number of nodes)
doctl kubernetes cluster node-pool list <cluster-id>
# Get DO resources used by the cluster
doctl kubernetes cluster list-associated-resources <cluster-id>
```
{{#include ../../../banners/hacktricks-training.md}}

45
src/pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md Normal file
View File

@@ -0,0 +1,45 @@
# DO - Networking
{{#include ../../../banners/hacktricks-training.md}}
### Domains
```bash
doctl compute domain list
doctl compute domain records list <domain>
# You can also create records
```
### Reserverd IPs
```bash
doctl compute reserved-ip list
doctl compute reserved-ip-action unassign <ip>
```
### Load Balancers
```bash
doctl compute load-balancer list
doctl compute load-balancer remove-droplets <id> --droplet-ids 12,33
doctl compute load-balancer add-forwarding-rules <id> --forwarding-rules entry_protocol:tcp,entry_port:3306,...
```
### VPC
```
doctl vpcs list
```
### Firewall
> [!CAUTION]
> By default **droplets are created WITHOUT A FIREWALL** (not like in oder clouds such as AWS or GCP). So if you want DO to protect the ports of the droplet (VM), you need to **create it and attach it**.
```bash
doctl compute firewall list
doctl compute firewall list-by-droplet <droplet-id>
doctl compute firewall remove-droplets <fw-id> --droplet-ids <droplet-id>
```
{{#include ../../../banners/hacktricks-training.md}}

23
src/pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md Normal file
View File

@@ -0,0 +1,23 @@
# DO - Projects
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
> project is just a container for all the **services** (droplets, spaces, databases, kubernetes...) **running together inside of it**.\
> For more info check:
{{#ref}}
../do-basic-information.md
{{#endref}}
### Enumeration
It's possible to **enumerate all the projects a user have access to** and all the resources that are running inside a project very easily:
```bash
doctl projects list # Get projects
doctl projects resources list <proj-id> # Get all the resources of a project
```
{{#include ../../../banners/hacktricks-training.md}}

46
src/pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md Normal file
View File

@@ -0,0 +1,46 @@
# DO - Spaces
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
DigitalOcean Spaces are **object storage services**. They allow users to **store and serve large amounts of data**, such as images and other files, in a scalable and cost-effective way. Spaces can be accessed via the DigitalOcean control panel, or using the DigitalOcean API, and are integrated with other DigitalOcean services such as Droplets (virtual private servers) and Load Balancers.
### Access
Spaces can be **public** (anyone can access them from the Internet) or **private** (only authorised users). To access the files from a private space outside of the Control Panel, we need to generate an **access key** and **secret**. These are a pair of random tokens that serve as a **username** and **password** to grant access to your Space.
A **URL of a space** looks like this: **`https://uniqbucketname.fra1.digitaloceanspaces.com/`**\
Note the **region** as **subdomain**.
Even if the **space** is **public**, **files** **inside** of it can be **private** (you will be able to access them only with credentials).
However, **even** if the file is **private**, from the console it's possible to share a file with a link such as `https://fra1.digitaloceanspaces.com/uniqbucketname/filename?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=DO00PL3RA373GBV4TRF7%2F20221213%2Ffra1%2Fs3%2Faws4_request&X-Amz-Date=20221213T121017Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=6a183dbc42453a8d30d7cd2068b66aeb9ebc066123629d44a8108115def975bc` for a period of time:
<figure><img src="../../../images/image (277).png" alt=""><figcaption></figcaption></figure>
### Enumeration
```bash
# Unauthenticated
## Note how the region is specified in the endpoint
aws s3 ls --endpoint=https://fra1.digitaloceanspaces.com --no-sign-request s3://uniqbucketname
# Authenticated
## Configure spaces keys as AWS credentials
aws configure
AWS Access Key ID [None]: <spaces_key>
AWS Secret Access Key [None]: <Secret>
Default region name [None]:
Default output format [None]:
## List all buckets in a region
aws s3 ls --endpoint=https://fra1.digitaloceanspaces.com
## List files inside a bucket
aws s3 ls --endpoint=https://fra1.digitaloceanspaces.com s3://uniqbucketname
## It's also possible to generate authorized access to buckets from the API
```
{{#include ../../../banners/hacktricks-training.md}}

15
src/pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md Normal file
View File

@@ -0,0 +1,15 @@
# DO - Volumes
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
DigitalOcean volumes are **block storage** devices that can be **attached to and detached from Droplets**. Volumes are useful for **storing data** that needs to **persist** independently of the Droplet itself, such as databases or file storage. They can be resized, attached to multiple Droplets, and snapshot for backups.
### Enumeration
```
compute volume list
```
{{#include ../../../banners/hacktricks-training.md}}