trasnlate other half

2026-06-27 08:54:23 -07:00 · 2024-12-31 18:48:54 +01:00
parent 4d622f5500
commit d96df379fd
245 changed files with 406 additions and 0 deletions
@@ -391,3 +391,5 @@ aws ...



+
+
@@ -388,3 +388,5 @@ If you are looking for something **similar** to this but for the **browser** you



+
+
@@ -131,3 +131,5 @@ In order to specify **which service account should be able to assume the role,**



+
+
@@ -19,3 +19,5 @@ These are the permissions you need on each AWS account you want to audit to be a



+
+
@@ -4,3 +4,5 @@



+
+
@@ -34,3 +34,5 @@ Or just remove the use of API keys.



+
+
@@ -44,3 +44,5 @@ By default this is disabled:



+
+
@@ -65,3 +65,5 @@ The compromised instances or Lambda functions can periodically check the C2 tabl



+
+
@@ -56,3 +56,5 @@ Create a peering connection between the victim VPC and the attacker VPC so he wi



+
+
@@ -99,3 +99,5 @@ aws ecr put-replication-configuration \



+
+
@@ -101,3 +101,5 @@ aws ecs create-service --service-name "undocumented-service" --task-definition "



+
+
@@ -23,3 +23,5 @@ You could **create an access point** (with root access to `/`) accessible from a



+
+
@@ -79,3 +79,5 @@ aws elasticbeanstalk update-environment --environment-name my-env --option-setti



+
+
@@ -51,3 +51,5 @@ If the account is already trusting a common identity provider (such as Github) t



+
+
@@ -41,3 +41,5 @@ aws kms list-grants --key-id <key-id>



+
+
@@ -66,3 +66,5 @@ Here you have some ideas to make your **presence in AWS more stealth by creating



+
+
@@ -44,3 +44,5 @@ The tool [**lambda-spy**](https://github.com/clearvector/lambda-spy) was created



+
+
@@ -132,3 +132,5 @@ aws lambda remove-layer-version-permission --layer-name ExternalBackdoor --state



+
+
@@ -35,3 +35,5 @@ If domains are configured:



+
+
@@ -33,3 +33,5 @@ aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-name> --



+
+
@@ -27,3 +27,5 @@ Although usually ACLs of buckets are disabled, an attacker with enough privilege



+
+
@@ -55,3 +55,5 @@ def generate_password():



+
+
@@ -83,3 +83,5 @@ aws sns subscribe --region <region> \



+
+
@@ -41,3 +41,5 @@ The following policy gives everyone in AWS access to everything in the queue cal



+
+
@@ -4,3 +4,5 @@



+
+
@@ -23,3 +23,5 @@ If the AWS account is using aliases to call step functions it would be possible



+
+
@@ -133,3 +133,5 @@ Write-Host "Role juggling check complete."



+
+
@@ -4,3 +4,5 @@



+
+
@@ -148,3 +148,5 @@ aws apigateway create-usage-plan-key --usage-plan-id $USAGE_PLAN --key-id $API_K



+
+
@@ -33,3 +33,5 @@ You can check the [**tf code to recreate this scenarios here**](https://github.c



+
+
@@ -86,3 +86,5 @@ aws codebuild delete-source-credentials --arn <value>



+
+
@@ -190,3 +190,5 @@ aws codebuild start-build --project-name <proj-name>



+
+
@@ -22,3 +22,5 @@ aws controltower enable-control --control-identifier <arn_control_id> --target-i



+
+
@@ -97,3 +97,5 @@ A template for the policy document can be seen here:



+
+
@@ -351,3 +351,5 @@ bashCopy codeaws dynamodbstreams get-records \



+
+
@@ -479,3 +479,5 @@ if __name__ == "__main__":



+
+
@@ -143,3 +143,5 @@ You can use this tool to automate the attack: [https://github.com/Static-Flow/Cl



+
+
@@ -17,3 +17,5 @@ For more information and access to the [**malmirror script**](https://github.com



+
+
@@ -98,3 +98,5 @@ aws ecr-public batch-delete-image --repository-name your-ecr-repo-name --image-i



+
+
@@ -65,3 +65,5 @@ The EC2 instance will probably also have the permission `ecr:GetAuthorizationTok



+
+
@@ -56,3 +56,5 @@ aws efs delete-access-point --access-point-id <value>



+
+
@@ -157,3 +157,5 @@ So, if an **attacker compromises a cluster using fargate** and **removes all the



+
+
@@ -82,3 +82,5 @@ aws elasticbeanstalk remove-tags --resource-arn arn:aws:elasticbeanstalk:us-west



+
+
@@ -105,3 +105,5 @@ A common way to avoid Confused Deputy problems is the use of a condition with `A



+
+
@@ -135,3 +135,5 @@ aws kms schedule-key-deletion \



+
+
@@ -31,3 +31,5 @@ Abusing Lambda Layers it's also possible to abuse extensions and persist in the



+
+
@@ -65,3 +65,5 @@ For more info check [https://github.com/carlospolop/lambda_bootstrap_switcher](h



+
+
@@ -32,3 +32,5 @@ Check out the Lightsail privesc options to learn different ways to access potent



+
+
@@ -21,3 +21,5 @@ aws organizations deregister-account --account-id <account_id> --region <region>



+
+
@@ -94,3 +94,5 @@ aws rds start-export-task --export-task-identifier attacker-export-task --source



+
+
@@ -40,3 +40,5 @@ Finally, the attacker could upload a final file, usually named "ransom-note.txt,



+
+
@@ -51,3 +51,5 @@ aws secretsmanager delete-secret \



+
+
@@ -85,3 +85,5 @@ Still to test.



+
+
@@ -82,3 +82,5 @@ aws sns untag-resource --resource-arn <value> --tag-keys <key>



+
+
@@ -89,3 +89,5 @@ arduinoCopy codeaws sqs remove-permission --queue-url <value> --label <value>



+
+
@@ -27,3 +27,5 @@ aws sso-admin delete-account-assignment --instance-arn <SSOInstanceARN> --target



+
+
@@ -76,3 +76,5 @@ aws stepfunctions untag-resource --resource-arn <value> --tag-keys <key>



+
+
@@ -106,3 +106,5 @@ response = client.get_secret_value(SecretId="flag_secret") print(response['Secre



+
+
@@ -15,3 +15,5 @@ For more information:



+
+
@@ -25,3 +25,4 @@ The way to escalate your privileges in AWS is to have enough permissions to be a



+
@@ -109,3 +109,5 @@ aws apigateway update-vpc-link --vpc-link-id $VPC_LINK_ID --patch-operations op=



+
+
@@ -11,3 +11,5 @@ TODO



+
+
@@ -120,3 +120,4 @@ An attacker could abuse this permission without the passRole permission to updat



+
@@ -83,3 +83,4 @@ aws cloudformation describe-stacks \



+
@@ -351,3 +351,4 @@ More details could be found [here](https://www.shielder.com/blog/2023/07/aws-cod



+
@@ -39,3 +39,4 @@ It might be possible to modify the role used and the command executed on a codep



+
@@ -75,3 +75,4 @@ You can find the exploit in [https://github.com/RhinoSecurityLabs/Cloud-Security



+
@@ -83,3 +83,4 @@ This is the created policy the user can privesc to (the project name was `superc



+
@@ -90,3 +90,4 @@ This exploit is based on the **Pacu exploit of these privileges**: [https://gith



+
@@ -316,3 +316,4 @@ For more information check [https://github.com/padok-team/cognito-scanner](https



+
@@ -76,3 +76,4 @@ The **pipeline definition file, crafted by the attacker, includes directives to



+
@@ -36,3 +36,4 @@ There isn't apparently any way to enable the application access URL, the AWS Man



+
@@ -25,3 +25,4 @@ As far as I know there is **no direct way to escalate privileges in AWS just by



+
@@ -29,3 +29,4 @@ You can use this tool to automate the attack: [https://github.com/Static-Flow/Cl



+
@@ -293,3 +293,4 @@ Assuming we find `aws_access_key_id` and `aws_secret_access_key`, we can use the



+
@@ -110,3 +110,4 @@ aws ecr set-repository-policy \



+
@@ -252,3 +252,4 @@ aws ecs update-service-primary-task-set --cluster existing-cluster --service exi



+
@@ -98,3 +98,5 @@ aws efs modify-mount-target-security-groups \



+
+
@@ -187,3 +187,4 @@ The developer has intentions to establish a reverse shell using Netcat or Socat



+
@@ -66,3 +66,5 @@ The URL of the notebook is `https://<notebook-id>.emrnotebooks-prod.eu-west-1.am



+
+
@@ -20,3 +20,4 @@ aws gamelift request-upload-credentials \



+
@@ -94,3 +94,4 @@ Just with the update permission an attacked could steal the IAM Credentials of t



+
@@ -275,3 +275,4 @@ aws iam update-open-id-connect-provider-thumbprint --open-id-connect-provider-ar



+
@@ -124,3 +124,5 @@ For more information check:



+
+
@@ -294,3 +294,4 @@ Some lambdas are going to be **receiving sensitive info from the users in parame



+
@@ -164,3 +164,4 @@ aws lightsail update-domain-entry \



+
@@ -27,3 +27,5 @@ aws mediapackage rotate-ingest-endpoint-credentials --id test --ingest-endpoint-



+
+
@@ -51,3 +51,5 @@ If you could somehow find the original credentials used by ActiveMQ you could pe



+
+
@@ -26,3 +26,4 @@ If **IAM role-based authentication** is used and **kafka is publicly exposed** y



+
@@ -20,3 +20,5 @@ To [**learn how check this page**](../#compromising-the-organization).



+
+
@@ -171,3 +171,5 @@ aws rds add-role-to-db-instance --db-instance-identifier target-instance --role-



+
+
@@ -109,3 +109,4 @@ Check [https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html



+
@@ -185,3 +185,4 @@ aws s3api put-object-acl --bucket <bucket-name> --key flag --version-id <value>



+
@@ -116,3 +116,4 @@ An attacker with those permissions will (potentially) be able to create an **hyp



+
@@ -53,3 +53,4 @@ policy.json:



+
@@ -45,3 +45,5 @@ aws sns add-permission --topic-arn <value> --label <value> --aws-account-id <val



+
+
@@ -48,3 +48,5 @@ aws sqs change-message-visibility --queue-url <value> --receipt-handle <value> -



+
+
@@ -134,3 +134,4 @@ aws-codebuild-privesc.md



+
@@ -134,3 +134,4 @@ aws sso-admin   delete-permissions-boundary-from-permission-set --instance-arn <



+
@@ -255,3 +255,5 @@ aws stepfunctions update-state-machine --state-machine-arn arn:aws:states:us-eas



+
+
--- a/Show More
+++ b/Show More
				`@@ -388,3 +388,5 @@ If you are looking for something similar to this but for the browser you`
				`@@ -131,3 +131,5 @@ In order to specify which service account should be able to assume the role,`
				`@@ -19,3 +19,5 @@ These are the permissions you need on each AWS account you want to audit to be a`
				`@@ -65,3 +65,5 @@ The compromised instances or Lambda functions can periodically check the C2 tabl`
				`@@ -56,3 +56,5 @@ Create a peering connection between the victim VPC and the attacker VPC so he wi`
				`@@ -101,3 +101,5 @@ aws ecs create-service --service-name "undocumented-service" --task-definition "`
				@@ -23,3 +23,5 @@ You could create an access point (with root access to `/`) accessible from a
				`@@ -79,3 +79,5 @@ aws elasticbeanstalk update-environment --environment-name my-env --option-setti`
				`@@ -51,3 +51,5 @@ If the account is already trusting a common identity provider (such as Github) t`
				`@@ -66,3 +66,5 @@ Here you have some ideas to make your **presence in AWS more stealth by creating`