hacking-the-cloud / hackingthe.cloud
An encyclopedia for offensive and defensive security knowledge in cloud native technologies.
Home Page: https://hackingthe.cloud
License: Other
There is a typo on this page.
GCP-Goat is an intentionally vulnerable GCP environment to learn and practice GCP Security
It seems there is a second method to bypass the Instance Credential Exfiltration GuardDuty finding. I will need to test this for myself and add it to the site.
Review this blog post and add Seen in the Wild Cards: https://sysdig.com/blog/cloud-breach-terraform-data-theft/
There is a formatting issue in this page where the resource links are at the bottom, and the first one has a syntax error.
First of all, I really like the documentation :)
Thanks to you I discovered (or rediscovered I'm not sure) the tool AWS Consoler.
I think the requirements to use the tool should be added, if I understood correctly they are either:
sts:GetFederationToken
sts:AssumeRole
with a known role
This issue is just to remind me of a bug. If you'd like to contribute, please check out the contributing guide.
There is a strange behavior where every time there is a deploy, the custom domain in the repo settings reverts to null. This, obviously, breaks the site for as long as that custom domain is not changed. While I could go in and manually apply it every time, that is tedious to say the least.
Recently there was some confusion on who to credit for writing a particular page. While there is an author tag on each page, that information is not currently displayed in HTC. It would be optimal if there was some way to show an author or contributors section so folks can know who wrote something. This may also incentivize people to contribute as they now have their name on something (which is totally okay and encouraged!).
In looking into this a bit more with Material for MkDocs, this is something that is being added to the Insiders build (or at least, is on the roadmap). Additionally, Martin Donath showed this on his Twitter page.
Once this feature is available, we will adopt this on Hacking the Cloud.
There is a typo around the "Link to Tool" section. Both Gambit and the bucket tool are on the same line.
There was a great thread on iam:CreateUser in the Cloud Security Forum. This included the following examples of real world usage. I will add this to the IAM persistence methods article.
I was reminded that the wording in the Instance Metadata page is incorrect. Not "every" EC2 instance has IMDS. It can be disabled.
Need to modify this line in the opening.
Just a note for myself. Add this post as a reference to some of the techniques used by this threat actor.
A few articles appear to exist without a period at the end of their descriptions. Not sure if this has an effect on SEO but might as well go in and fix.
Hi,
sorry, I would not call myself a developer so hopefully this is not something totally silly and a 'user fault' by me.
I cloned the repo locally on my ubuntu machine and ran docker build -t mkdocs-material . however it fails with:
f860f95a24e2: Pull complete
a1dee26347e0: Pull complete
Digest: sha256:7346fbc9c31ac7af1c577db0f2301ba25d24ff076a15a4e049f1b8c29840b746
Status: Downloaded newer image for squidfunk/mkdocs-material:latest
---> 566a49fd70f9
Step 2/3 : RUN pip install mkdocs-awesome-pages-plugin
---> Running in 2cb15d5aa13f
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f886fa9bd90>: Failed to establish a new connection: [Errno -3] Try again')': /simple/mkdocs-awesome-pages-plugin/
etc.
The command '/bin/sh -c pip install mkdocs-awesome-pages-plugin' returned a non-zero code: 1
It looks like in the time since May AWS has added SNS publish to the list of data events you can log to CloudTrail (most recent). Not a huge deal, just need to choose a new API call that doesn't log and add that to the post.
Just creating an issue so that future me can find it more easily ;)
Need to review and integrate this article. From a quick skim I get the impression this will just be updating real world examples of attacks used, but there may be a technique we are missing here.
Review this blog post for techniques/references to add to Hacking the Cloud.
I'm currently looking for resources on GCP and I'm gonna list them here to be potentially added to Hacking The Cloud:
YouTube videos embedded on Hacking the Cloud aren't loading on mobile. Need to figure out why.
Link to original research on this page is broken.
A great talk was done by Beau Bullock on 27-5-2021
https://www.youtube.com/watch?v=fCbVMWvncuw
BHIS Getting Started in Pentesting The Cloud Azure Beau Bullock.pdf
Tools that were mentioned in the talk:
1- cloudenum
https://github.com/initstring/cloud_enum
2- onedrive_user_enum
https://github.com/nyxgeek/onedrive_user_enum
3- MSOLSpray
https://github.com/dafthack/MSOLSpray
4- FireProx
https://github.com/ustayready/fireprox
5- MFASweep
https://github.com/dafthack/MFASweep
6- scoutsuite
https://github.com/nccgroup/ScoutSuite
7- ROADTools
https://github.com/dirkjanm/ROADtools
8- PowerZure
https://github.com/hausec/PowerZure
9- MicroBurst
https://github.com/NetSPI/MicroBurst
10- StormSpotter
https://github.com/Azure/Stormspotter
11- AzureHound
https://github.com/BloodHoundAD/AzureHound/blob/master/AzureHound.ps1?fbclid=IwAR30uziP4l7sJSFd6BgNwJGLUGGUqKONF6luXhNYcTM5i_btpmemoOSN3pc
Hope that helps :)
Old faithful; How to steal IAM Role credentials via the EC2 Metadata service via SSRF.
Via via via via
It's a bit of a stretch, but need to review this article to see if anything can be included in Hacking the Cloud.
Review this blog post and consider integrating it into the site.
I got a report that SneakyEndpoints is only working with S3 at the moment. Need to spin it up and test a bit. This may also be a good time to add some additional details to the HtC article.
I'm assuming a default changed in Terraform causing it to no longer work.
Had some folks reach out with additional content for the GuardDuty post.
The example shown in Whoami - Get Principal Name From Keys is out of date. Since the time this article was written, a new format has been deployed for error messages. Update the example with the new format.
I really liked the ANSI escape technique described here This would be something of value to include in the Terraform section.
Aidan Steele is a magic wizard. Gandalf better move over. Aidan shared this trick in the Cloud Security Slack and I think it would make for a great short article in the general knowledge section.
aws-vault was recommended as a replacement to aws-consoler. aws-vault is still maintained and so long as it functions as needed, it could serve as a replacement. Will need to test this to see.
From a cursory glance this CTF looks like it would be an excellent candidate for an article on Hacking the Cloud. My intention is to write a walk through explaining how to setup the CTF and how to complete it. Along the way we will highlight techniques covered by articles on HTC.
The Bypass Credential Exfiltration Detection will need to be deprecated, and the new bypass will need to be added. Additionally, it's worth investing more research time into this. Aside from VPC Endpoints there may be more obscure ways to divert network traffic and get around this detection.
Alert received Oct 5, 2023 that 2 videos are not properly being indexed. Not sure why since they should all be added in the same method. Allegedly the video on this page is correct.
There is some legitimately interesting tradecraft in the second SCARLETEEL blog post. I'm sure at least something could be added to Hacking the Cloud from it.
I think we already have it covered in "Intercept SSM Communications", but review this for opportunities to improve existing content.
Validate this blog post and include as a post exploitation technique
https://canglad.com/blog/2023/aws-network-firewall-egress-filtering-can-be-easily-bypassed/
Add ECS privilege escalation methods in AmazonECS_FullAccess
While it is mentioned in the article, it would be worth highlighting that with code execution in a Terraform Workspace, you can also do simple things such as dump environment variables.
The documentation for Connection tracking has moved. Here is the new link.
On page: https://hackingthe.cloud/aws/enumeration/enum_iam_user_role/
The GitHub link to the Pacu module gives a 404, and might have been moved.
Found the module at another path, but please verify if this is the one.
https://github.com/RhinoSecurityLabs/pacu/tree/master/modules/iam__enum_roles
https://github.com/RhinoSecurityLabs/pacu/tree/master/pacu/modules/iam__enum_roles
I don't think there is anything that hasn't already been presented in blog posts, but it would be worth a read through and see if any techniques are missing from Hacking the Cloud.
I'm about 99.9% sure that there is no GuardDuty detection for this (all the existing ones are about EC2), but the question was asked and I wasn't 100% sure. Check if this is the case and update the page with a note. It would be good info to provide.
It has been going around the cloudsec community for a while that newer versions of SSM will store IAM credentials on disk. I'm not sure if this would warrant an entire article on it (I'm leaning against that), but it may be worthwhile to add a note to existing articles mentioning this.
terraform init --backend-config='token=$TFE_TOKEN'
Should be
terraform init --backend-config="token=$TFE_TOKEN"
An old principal enumeration technique is causing some confusion. sdb:list-domains was changed to be logged to CloudTrail. This should be put in the Deprecated section.
The name of the tool changed. Needs to be updated.