translate

2026-06-29 09:48:48 -07:00 · 2025-01-01 21:36:15 +01:00
parent d0e6a85e6f
commit d0b9174054
243 changed files with 21 additions and 264 deletions
@@ -119,4 +119,3 @@ python rbdel.py -u <workgroup>\\<user> -p <pass> <ip> azureadssosvc$



-
@@ -70,4 +70,3 @@ Open-AADIntOffice365Portal -ImmutableID qIMPTm2Q3kimHgg4KQyveA== -Issuer "http:/



-
@@ -33,4 +33,3 @@ az storage queue policy set --name <queue-name> --permissions rwd --expiry 2024-



-
@@ -43,4 +43,3 @@ az storage blob service-properties delete-policy update \



-
@@ -27,4 +27,3 @@ An attacker could get access to the instances and backdoor them:



-
@@ -4,4 +4,3 @@



-
@@ -47,4 +47,3 @@ This would allow to delete objects inside the storage account which might **inte



-
@@ -50,4 +50,3 @@ This would allow to delete file inside the shared filesystem which might **inter



-
@@ -19,4 +19,3 @@ For more information about function apps check:



-
@@ -113,4 +113,3 @@ az keyvault secret restore --vault-name <vault-name> --file <backup-file-path>



-
@@ -91,4 +91,3 @@ az storage queue policy set --name <queue-name> --permissions rwd --expiry 2024-



-
@@ -101,4 +101,3 @@ Take a look here:



-
@@ -104,4 +104,3 @@ az sql db import --admin-user <admin-user> \



-
@@ -66,4 +66,3 @@ This would allow to delete file inside the shared filesystem which might **inter



-
@@ -183,4 +183,3 @@ az vm application set \



-
@@ -4,4 +4,3 @@



-
@@ -41,4 +41,3 @@ ssh root@127.0.0.1 -p 39895



-
@@ -84,4 +84,3 @@ az rest --method PUT \



-
@@ -359,4 +359,3 @@ az rest --method GET \



-
@@ -183,4 +183,3 @@ $data = Get-SharePointFilesFromGraph -authentication $token $data[0].downloadUrl



-
@@ -52,4 +52,3 @@ az rest --method GET \



-
@@ -459,4 +459,3 @@ az functionapp deployment source config \



-
@@ -36,4 +36,3 @@ az keyvault set-policy \



-
@@ -75,4 +75,3 @@ az storage queue policy set --name <queue-name> --permissions rwd --expiry 2024-



-
@@ -156,4 +156,3 @@ az servicebus namespace authorization-rule update \



-
@@ -113,4 +113,3 @@ az sql server azure-ad-only-auth disable \



-
@@ -154,4 +154,3 @@ az storage share-rm restore \



-
@@ -384,4 +384,3 @@ According to the [**docs**](https://learn.microsoft.com/en-us/azure/role-based-a



-
@@ -75,4 +75,3 @@ def main(req: func.HttpRequest) -> func.HttpResponse:



-
@@ -54,4 +54,3 @@ docker pull <corp-name>.azurecr.io/<image>:<tag>



-
@@ -89,8 +89,6 @@ az webapp config storage-account list --name <name> --resource-gl_group



-
-
 # List all the functions
 az functionapp list

@@ -216,4 +214,3 @@ git clone 'https://<username>:<password>@name.scm.azurewebsites.net/repo-name.gi



-
@@ -42,4 +42,3 @@ Get-ApplicationProxyAssignedUsersAndGroups -ObjectId <object-id>



-
@@ -33,4 +33,3 @@ cat <PATH TO .json FILE> | Select-String password



-
@@ -180,4 +180,3 @@ $response = Invoke-WebRequest -Method Post -Uri $uri -Body $body



-
@@ -67,4 +67,3 @@ The successful execution of this process opens numerous possibilities for furthe



-
@@ -1033,4 +1033,3 @@ The default mode is **Audit**:



-
@@ -174,4 +174,3 @@ Same as storage persistence:



-
@@ -268,4 +268,3 @@ az rest --url "https://management.azure.com/<subscription>/resourceGroups/<res-g



-
@@ -71,4 +71,3 @@ Get-AzLogicApp -ResourceGroupName <ResourceGroupName> -Name <LogicAppName>



-
@@ -58,4 +58,3 @@ az group list --subscription "<subscription>" --output table



-
@@ -97,4 +97,3 @@ $queueMessage.Value



-
@@ -102,4 +102,3 @@ az servicebus namespace authorization-rule keys list --resource-group <MyResourc



-
@@ -263,4 +263,3 @@ sqlcmd -S <sql-server>.database.windows.net -U <server-user> -P <server-passwork



-
@@ -439,4 +439,3 @@ az-file-shares.md



-
@@ -111,4 +111,3 @@ Same as storage persistence:



-
@@ -33,4 +33,3 @@ The execution of the script can take up to **one hour**.



-
@@ -186,4 +186,3 @@ done



-
@@ -863,4 +863,3 @@ Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt



-
@@ -466,4 +466,3 @@ Get-AzExpressRouteCircuit



-
@@ -250,4 +250,3 @@ az-password-spraying.md



-
@@ -9,4 +9,3 @@



-
@@ -153,4 +153,3 @@ Check the Applications and Service Principal sections of the page:



-
@@ -37,4 +37,3 @@ Invoke-PasswordSprayGmail -UserList .\userlist.txt -Password Fall2016 -Threads 1



-
@@ -43,4 +43,3 @@ az vm extension image list --publisher "Site24x7" --output table



-
@@ -45,4 +45,3 @@ do-services/



-
@@ -137,4 +137,3 @@ The **logs of a team** can be found in [**https://cloud.digitalocean.com/account



-
@@ -9,4 +9,3 @@ DO doesn't support granular permissions. So the **minimum role** that allows a u



-
@@ -21,4 +21,3 @@ DO offers a few services, here you can find how to **enumerate them:**



-
@@ -36,4 +36,3 @@ That will give you a **shell**, and just executing **`env`** you will be able to



-
@@ -35,4 +35,3 @@ doctl registry repository list-v2



-
@@ -45,4 +45,3 @@ doctl databases pool list <db-id> # List pools of DB



-
@@ -83,4 +83,3 @@ It's also possible to launch a **recovery console** to run commands inside the h



-
@@ -62,4 +62,3 @@ doctl serverless activations result <activation-id> # get only the response resu



-
@@ -21,4 +21,3 @@ doctl compute image list



-
@@ -41,4 +41,3 @@ doctl kubernetes cluster list-associated-resources <cluster-id>



-
@@ -47,4 +47,3 @@ doctl compute firewall remove-droplets <fw-id> --droplet-ids <droplet-id>



-
@@ -25,4 +25,3 @@ doctl projects resources list <proj-id> # Get all the resources of a project



-
@@ -48,4 +48,3 @@ aws s3 ls --endpoint=https://fra1.digitaloceanspaces.com s3://uniqbucketname



-
@@ -17,4 +17,3 @@ compute volume list



-
@@ -247,4 +247,3 @@ gcloud config unset auth/access_token_file



-
@@ -232,4 +232,3 @@ As defined by terraform in [https://registry.terraform.io/providers/hashicorp/go



-
@@ -155,4 +155,3 @@ jobs:



-
@@ -146,4 +146,3 @@ roles/bigquery.metadataViewer



-
@@ -4,4 +4,3 @@



-
@@ -23,4 +23,3 @@ Check how to do this in:



-
@@ -23,4 +23,3 @@ If yoi could just modify the code of a running version or create a new one yo co



-
@@ -44,4 +44,3 @@ https://book.hacktricks.xyz/pentesting-web/dependency-confusion



-
@@ -23,4 +23,3 @@ Grant further access over datasets, tables, rows and columns to compromised user



-
@@ -21,4 +21,3 @@ For more info about Cloud Functions check:



-
@@ -27,4 +27,3 @@ Create a backdoored Service or Job



-
@@ -71,4 +71,3 @@ But you can find further information in [https://github.com/FrancescoDiSalesGith



-
@@ -39,4 +39,3 @@ For more information check the technique in:



-
@@ -21,4 +21,3 @@ For more informatoin about Compute and VPC (Networking) check:



-
@@ -55,4 +55,3 @@ gcloud dataflow $NAME_TEMPLATE run testing \



-
@@ -23,4 +23,3 @@ gcp-filestore-persistence.md



-
@@ -23,4 +23,3 @@ gcloud logging sinks create <sink-name> <destination> --log-filter="FILTER_CONDI



-
@@ -106,4 +106,3 @@ Some remediations for these techniques are explained in [https://www.netskope.co



-
@@ -24,4 +24,3 @@ An attacker could update the secret to:



-
@@ -40,4 +40,3 @@ Another exploit script for this method can be found [here](https://github.com/Rh



-
@@ -4,4 +4,3 @@



-
@@ -45,4 +45,3 @@ Modify source code to steal credentials if they are being sent or perform a defa



-
@@ -23,4 +23,3 @@ The Post Exploitation and Privesc techniques of Artifact Registry were mixed in:



-
@@ -31,4 +31,3 @@ curl -X POST \



-
@@ -55,7 +55,6 @@ def hello_http(request, last=False, error=""):
            return "Hello World!"


-
 # Attacker code to inject
 # Code based on the one from https://github.com/Djkusik/serverless_persistency_poc/blob/master/gcp/exploit_files/switcher.py

@@ -130,4 +129,3 @@ def injection():



-
@@ -25,4 +25,3 @@ Modify the run image to steal information and redeploy the new version (just upl



-
@@ -104,4 +104,3 @@ The instructions were copied from [https://github.com/FrancescoDiSalesGithub/Goo



-
@@ -105,4 +105,3 @@ gcloud sql databases delete <db-name> --instance <instance-id>



-
@@ -122,4 +122,3 @@ If you **cannot give access to a external project** to the snapshot or disk, you



-
@@ -102,4 +102,3 @@ gcloud filestore backups create <back-name> \



-
@@ -31,4 +31,3 @@ This is the **highest level you can assign using the gcloud tool**.



-
--- a/Show More
+++ b/Show More
				`@@ -119,4 +119,3 @@ python rbdel.py -u <workgroup>\\<user> -p <pass> <ip> azureadssosvc$`
				`@@ -70,4 +70,3 @@ Open-AADIntOffice365Portal -ImmutableID qIMPTm2Q3kimHgg4KQyveA== -Issuer "http:/`
				`@@ -33,4 +33,3 @@ az storage queue policy set --name <queue-name> --permissions rwd --expiry 2024-`
				`@@ -43,4 +43,3 @@ az storage blob service-properties delete-policy update \`
				`@@ -27,4 +27,3 @@ An attacker could get access to the instances and backdoor them:`
				`@@ -47,4 +47,3 @@ This would allow to delete objects inside the storage account which might **inte`
				`@@ -50,4 +50,3 @@ This would allow to delete file inside the shared filesystem which might **inter`
				`@@ -19,4 +19,3 @@ For more information about function apps check:`
				`@@ -113,4 +113,3 @@ az keyvault secret restore --vault-name <vault-name> --file <backup-file-path>`
				`@@ -91,4 +91,3 @@ az storage queue policy set --name <queue-name> --permissions rwd --expiry 2024-`