trasnlate other half

This commit is contained in:
Carlos Polop
2024-12-31 18:48:54 +01:00
parent 4d622f5500
commit d96df379fd
245 changed files with 406 additions and 0 deletions
+2
View File
@@ -38,3 +38,5 @@ _Hacktricks logos & motion designed by_ [_@ppiernacho_](https://www.instagram.co
+2
View File
@@ -505,3 +505,5 @@
+2
View File
@@ -15,3 +15,5 @@
@@ -141,3 +141,4 @@ From a **white box security** review, you would need the **System Auditor role**
@@ -177,3 +177,4 @@ If they are used for example inside a a bash command, you could perform a comman
@@ -113,3 +113,4 @@ AUTH_ROLE_PUBLIC = 'Admin'
@@ -45,3 +45,4 @@ These are the default permissions per default role:
@@ -390,3 +390,4 @@ You can also pass these as environment variables `ATLANTIS_WEB_BASIC_AUTH=true`
@@ -257,3 +257,4 @@ jobs:
@@ -136,3 +136,4 @@ cloudflare-zero-trust-network.md
@@ -135,3 +135,4 @@ TODO
@@ -63,3 +63,4 @@ TODO
@@ -35,3 +35,4 @@ concourse-enumeration-and-attacks.md
@@ -40,3 +40,4 @@ In order to execute tasks concourse must have some workers. These workers **regi
@@ -444,3 +444,4 @@ Accept-Encoding: gzip.
@@ -153,3 +153,4 @@ Check a YAML pipeline example that triggers on new commits to master in [https:/
@@ -140,3 +140,4 @@ If you are inside the server you can also **use the `gitea` binary** to access/m
@@ -105,3 +105,4 @@ Different protections can be applied to a branch (like to master):
@@ -246,3 +246,4 @@ For more info check [https://www.chainguard.dev/unchained/what-the-fork-imposter
@@ -583,3 +583,4 @@ The following tools are useful to find Github Action workflows and even find vul
@@ -58,3 +58,4 @@ And the latest one use a short sha-1 that is bruteforceable.
@@ -257,3 +257,4 @@ Different protections can be applied to a branch (like to master):
@@ -414,3 +414,4 @@ println(hudson.util.Secret.decrypt("{...}"))
@@ -96,3 +96,4 @@ According to [**the docs**](https://www.jenkins.io/blog/2019/02/21/credentials-m
@@ -107,3 +107,4 @@ The example curl command provided demonstrates how to make a request to Jenkins
@@ -91,3 +91,4 @@ for (c in creds) {
@@ -41,3 +41,4 @@ If you can access the configuration file of some pipeline configured you could j
@@ -38,3 +38,4 @@ If you are not executing a reverse shell but a simple command you can **see the
@@ -65,3 +65,4 @@ msf> use exploit/multi/http/jenkins_script_console
@@ -116,3 +116,4 @@ okta-hardening.md
@@ -201,3 +201,4 @@ Here you can download Okta agents to sync Okta with other technologies.
@@ -106,3 +106,4 @@ Check this interesting article about the top 10 CI/CD risks according to Cider:
@@ -860,3 +860,4 @@ Granting excessive permissions to team members and external collaborators can le
@@ -165,3 +165,4 @@ It's possible to **store secrets** in supabase also which will be **accessible b
@@ -314,3 +314,4 @@ brew install terrascan
+1
View File
@@ -18,3 +18,4 @@ Github PRs are welcome explaining how to (ab)use those platforms from an attacke
@@ -67,3 +67,4 @@ If an attacker ends in an environment which uses **TravisCI enterprise** (more i
@@ -94,3 +94,4 @@ The amount of deployed TCI Worker and build environment OS images will determine
+1
View File
@@ -439,3 +439,4 @@ An **Access Group** in Vercel is a collection of projects and team members with
@@ -391,3 +391,5 @@ aws ...
@@ -388,3 +388,5 @@ If you are looking for something **similar** to this but for the **browser** you
@@ -131,3 +131,5 @@ In order to specify **which service account should be able to assume the role,**
@@ -19,3 +19,5 @@ These are the permissions you need on each AWS account you want to audit to be a
@@ -4,3 +4,5 @@
@@ -34,3 +34,5 @@ Or just remove the use of API keys.
@@ -44,3 +44,5 @@ By default this is disabled:
@@ -65,3 +65,5 @@ The compromised instances or Lambda functions can periodically check the C2 tabl
@@ -56,3 +56,5 @@ Create a peering connection between the victim VPC and the attacker VPC so he wi
@@ -99,3 +99,5 @@ aws ecr put-replication-configuration \
@@ -101,3 +101,5 @@ aws ecs create-service --service-name "undocumented-service" --task-definition "
@@ -23,3 +23,5 @@ You could **create an access point** (with root access to `/`) accessible from a
@@ -79,3 +79,5 @@ aws elasticbeanstalk update-environment --environment-name my-env --option-setti
@@ -51,3 +51,5 @@ If the account is already trusting a common identity provider (such as Github) t
@@ -41,3 +41,5 @@ aws kms list-grants --key-id <key-id>
@@ -66,3 +66,5 @@ Here you have some ideas to make your **presence in AWS more stealth by creating
@@ -44,3 +44,5 @@ The tool [**lambda-spy**](https://github.com/clearvector/lambda-spy) was created
@@ -132,3 +132,5 @@ aws lambda remove-layer-version-permission --layer-name ExternalBackdoor --state
@@ -35,3 +35,5 @@ If domains are configured:
@@ -33,3 +33,5 @@ aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-name> --
@@ -27,3 +27,5 @@ Although usually ACLs of buckets are disabled, an attacker with enough privilege
@@ -55,3 +55,5 @@ def generate_password():
@@ -83,3 +83,5 @@ aws sns subscribe --region <region> \
@@ -41,3 +41,5 @@ The following policy gives everyone in AWS access to everything in the queue cal
@@ -23,3 +23,5 @@ If the AWS account is using aliases to call step functions it would be possible
@@ -133,3 +133,5 @@ Write-Host "Role juggling check complete."
@@ -148,3 +148,5 @@ aws apigateway create-usage-plan-key --usage-plan-id $USAGE_PLAN --key-id $API_K
@@ -33,3 +33,5 @@ You can check the [**tf code to recreate this scenarios here**](https://github.c
@@ -86,3 +86,5 @@ aws codebuild delete-source-credentials --arn <value>
@@ -190,3 +190,5 @@ aws codebuild start-build --project-name <proj-name>
@@ -22,3 +22,5 @@ aws controltower enable-control --control-identifier <arn_control_id> --target-i
@@ -97,3 +97,5 @@ A template for the policy document can be seen here:
@@ -351,3 +351,5 @@ bashCopy codeaws dynamodbstreams get-records \
@@ -479,3 +479,5 @@ if __name__ == "__main__":
@@ -143,3 +143,5 @@ You can use this tool to automate the attack: [https://github.com/Static-Flow/Cl
@@ -17,3 +17,5 @@ For more information and access to the [**malmirror script**](https://github.com
@@ -98,3 +98,5 @@ aws ecr-public batch-delete-image --repository-name your-ecr-repo-name --image-i
@@ -65,3 +65,5 @@ The EC2 instance will probably also have the permission `ecr:GetAuthorizationTok
@@ -56,3 +56,5 @@ aws efs delete-access-point --access-point-id <value>
@@ -157,3 +157,5 @@ So, if an **attacker compromises a cluster using fargate** and **removes all the
@@ -82,3 +82,5 @@ aws elasticbeanstalk remove-tags --resource-arn arn:aws:elasticbeanstalk:us-west
@@ -105,3 +105,5 @@ A common way to avoid Confused Deputy problems is the use of a condition with `A
@@ -135,3 +135,5 @@ aws kms schedule-key-deletion \
@@ -31,3 +31,5 @@ Abusing Lambda Layers it's also possible to abuse extensions and persist in the
@@ -65,3 +65,5 @@ For more info check [https://github.com/carlospolop/lambda_bootstrap_switcher](h
@@ -32,3 +32,5 @@ Check out the Lightsail privesc options to learn different ways to access potent
@@ -21,3 +21,5 @@ aws organizations deregister-account --account-id <account_id> --region <region>
@@ -94,3 +94,5 @@ aws rds start-export-task --export-task-identifier attacker-export-task --source
@@ -40,3 +40,5 @@ Finally, the attacker could upload a final file, usually named "ransom-note.txt,
@@ -51,3 +51,5 @@ aws secretsmanager delete-secret \
@@ -85,3 +85,5 @@ Still to test.
@@ -82,3 +82,5 @@ aws sns untag-resource --resource-arn <value> --tag-keys <key>
@@ -89,3 +89,5 @@ arduinoCopy codeaws sqs remove-permission --queue-url <value> --label <value>
@@ -27,3 +27,5 @@ aws sso-admin delete-account-assignment --instance-arn <SSOInstanceARN> --target
@@ -76,3 +76,5 @@ aws stepfunctions untag-resource --resource-arn <value> --tag-keys <key>
@@ -106,3 +106,5 @@ response = client.get_secret_value(SecretId="flag_secret") print(response['Secre

Some files were not shown because too many files have changed in this diff Show More