hacking-the-cloud / hackingthe.cloud Goto Github PK

Had some folks reach out with additional content for the GuardDuty post.

• Auto Archive
• deletepusblishngdestination

Old faithful; How to steal IAM Role credentials via the EC2 Metadata service via SSRF.

Via via via via

From a cursory glance this CTF looks like it would be an excellent candidate for an article on Hacking the Cloud. My intention is to write a walk through explaining how to setup the CTF and how to complete it. Along the way we will highlight techniques covered by articles on HTC.

I was reminded that the wording in the Instance Metadata page is incorrect. Not "every" EC2 instance has IMDS. It can be disabled.

Need to modify this line in the opening.

Review this blog post and consider integrating it into the site.

Just creating an issue so that future me can find it more easily ;)

• https://www.elliotsegler.com/learnings-with-aws-waf-and-log4shell.html
• https://kloudle.com/blog/piercing-the-cloud-armor-the-8kb-bypass-in-google-cloud-platform-waf

I got a report that SneakyEndpoints is only working with S3 at the moment. Need to spin it up and test a bit. This may also be a good time to add some additional details to the HtC article.

I'm assuming a default changed in Terraform causing it to no longer work.

A few articles appear to exist without a period at the end of their descriptions. Not sure if this has an effect on SEO but might as well go in and fix.

Alert received Oct 5, 2023 that 2 videos are not properly being indexed. Not sure why since they should all be added in the same method. Allegedly the video on this page is correct.

It has been going around the cloudsec community for a while that newer versions of SSM will store IAM credentials on disk. I'm not sure if this would warrant an entire article on it (I'm leaning against that), but it may be worthwhile to add a note to existing articles mentioning this.

The example shown in Whoami - Get Principal Name From Keys is out of date. Since the time this article was written, a new format has been deployed for error messages. Update the example with the new format.

The documentation for Connection tracking has moved. Here is the new link.

There was a great thread on iam:CreateUser in the Cloud Security Forum. This included the following examples of real world usage. I will add this to the IAM persistence methods article.

• OUR APPROACH TO DETECTION: ANDROXGH0ST AND GREENBOT EDITION
• Trouble in Paradise
• Incident report: From CLI to console, chasing an attacker in AWS

I'm currently looking for resources on GCP and I'm gonna list them here to be potentially added to Hacking The Cloud:

• Add page on GCP permission enumeration #178
• Tutorial on privilege escalation and post exploitation tactics in Google Cloud Platform environments - Must read article by the GitLab Red Team
• Thunder CTF - CTF to practice attacking vulnerable cloud projects on GCP
• Add tools from GitLab post
• https://rhinosecuritylabs.com/blog/?category=gcp
  • https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
  • https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/
  • Add tools from rhinosecuritylabs post

I don't think there is anything that hasn't already been presented in blog posts, but it would be worth a read through and see if any techniques are missing from Hacking the Cloud.

2023-global-cloud-threat-report.pdf

Review this blog post for techniques/references to add to Hacking the Cloud.

I'm about 99.9% sure that there is no GuardDuty detection for this (all the existing ones are about EC2), but the question was asked and I wasn't 100% sure. Check if this is the case and update the page with a note. It would be good info to provide.

There is a formatting issue in this page where the resource links are at the bottom, and the first one has a syntax error.

YouTube video's embedded on Hacking the Cloud aren't loading on mobile. Need to figure out why.

On page: https://hackingthe.cloud/aws/enumeration/enum_iam_user_role/
The github link to the pacu module gives a 404, and might have been moved.
Found the module at other path, but please verify if this is the one.

https://github.com/RhinoSecurityLabs/pacu/tree/master/modules/iam__enum_roles
https://github.com/RhinoSecurityLabs/pacu/tree/master/pacu/modules/iam__enum_roles

It's a bit of a stretch, but need to review this article to see if anything can be included in Hacking the Cloud.

Review this blog post and add Seen in the Wild Cards: https://sysdig.com/blog/cloud-breach-terraform-data-theft/

It seems there is a second method to bypass the Instance Credential Exfiltration GuardDuty finding. I will need to test this for myself and add it to the site.

While it is mentioned in the article, it would be worth highlighting that with code execution in a Terraform Workspace, you can also do simple things such as dump environment variables.

The Bypass Credential Exfiltration Detection will need to be deprecated, and the new bypass will need to be added. Additionally, it's worth investing more research time into this. Aside from VPC Endpoints there may be more obscure ways to divert network traffic and get around this detection.

Just a note for myself. Add this post as a reference to some of the techniques used by this threat actor.

A great talk was done by Beau Bullock on 27-5-2021

https://www.youtube.com/watch?v=fCbVMWvncuw

BHIS Getting Started in Pentesting The Cloud Azure Beau Bullock.pdf

Tools that was mentioned on the talk

1- cloudenum
https://github.com/initstring/cloud_enum
2- onedrive_user_enum
https://github.com/nyxgeek/onedrive_user_enum
3- MSOLSpray
https://github.com/dafthack/MSOLSpray
4- FireProx
https://github.com/ustayready/fireprox
5- MFASweep
https://github.com/dafthack/MFASweep
6- scoutsuite
https://github.com/nccgroup/ScoutSuite
7- ROADTools
https://github.com/dirkjanm/ROADtools
8- PowerZure
https://github.com/hausec/PowerZure
9- MicroBurst
https://github.com/NetSPI/MicroBurst
10- StormSpotter
https://github.com/Azure/Stormspotter
11- AzureHound
https://github.com/BloodHoundAD/AzureHound/blob/master/AzureHound.ps1?fbclid=IwAR30uziP4l7sJSFd6BgNwJGLUGGUqKONF6luXhNYcTM5i_btpmemoOSN3pc

Hope that helps :)

I think we already have it covered in "Intercept SSM Communications", but review this for opportunities to improve existing content.

Add ECS privilege escalation methods in AmazonECS_FullAccess

terraform init --backend-config='token=$TFE_TOKEN'

Should be

terraform init --backend-config="token=$TFE_TOKEN"

The name of the tool changed. Needs to be updated.

An old principal enumeration technique is causing some confusion. sdb:list-domains was changed to be logged to CloudTrail. This should be put in the Deprecated section.

Review: https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/

Recently there was some confusion on who to credit for writing a particular page. While there is an author tag on each page, that information is not currently displayed in HTC. It would be optimal if there was some way to show an author or contributors section so folks can know who wrote something. This may also incentivize people to contribute as they now have their name on something (Which is totally okay and encouraged!).

In looking into this a bit more with Material for MKDocs, this is something that is being added to the Insiders build (or at least, is on the roadmap). Additionally, Martin Donath showed this on his Twitter page.

Once this feature is available, we will adopt this on Hacking the Cloud.

This issue is just to remind me of a bug. If you'd like to contribute, please checkout the contributing guide .

There is a strange behavior where every time there is a deploy, the custom domain in the repo settings reverts to null. This, obviously, breaks the site for as long as that custom domain is not changed. While I could go in an manually apply it every time, that is tedious to say the least.

It looks like in the time since May AWS has added SNS publish to the list of data events you can log to CloudTrail (most recent). Not a huge deal, just need to choose a new API call that doesn't log and add that to the post.

First of all, I really like the documentation :)

Thanks to you I discovered (or rediscovered I'm not sure) the tool AWS Consoler.

I think the requirements to use the tool should be added, if I understood correctly they are either:

• being able to call sts:GetFederationToken
• or sts:AssumeRole with a known role

Need to review and integrate this article. I from a quick skim I get the impression this will just be updating real world examples of attacks used, but there may be a technique we are missing here.

Validate this blog post and include as a post exploitation technique

https://canglad.com/blog/2023/aws-network-firewall-egress-filtering-can-be-easily-bypassed/

There is a typo on this page.

aws-vault was recommended as a replacement to aws-consoler. aws-vault is still maintained and so long as it functions as needed, it could serve as a replacement. Will need to test this to see.

Link to original research on this page is broken.

There is some legitimately interesting tradecraft in the second SCARLETEEL blog post. I'm sure at least something could be added to Hacking the Cloud from it.

Aidan Steele is a magic wizard. Gandalf better move over. Aidan shared this trick in the Cloud Security Slack and I think it would make for a great short article in the general knowledge section.

GCP-Goat is an intentionally vulnerable GCP environment to learn and practice GCP Security

• Create a policy for plagiarism
  • Policy for rejecting it
  • Information for an author to request content be removed

I really liked the ANSI escape technique described here This would be something of value to include in the Terraform section.

Hi,
sorry, I would not call myself a developer so hopefully this is not something totally silly and a 'user fault' by me.

I cloned the repo locally on my ubuntu machine and ran docker build -t mkdocs-material . however it fails with:

f860f95a24e2: Pull complete 

a1dee26347e0: Pull complete 

Digest: sha256:7346fbc9c31ac7af1c577db0f2301ba25d24ff076a15a4e049f1b8c29840b746

Status: Downloaded newer image for squidfunk/mkdocs-material:latest
 ---> 566a49fd70f9

Step 2/3 : RUN pip install mkdocs-awesome-pages-plugin
 ---> Running in 2cb15d5aa13f

WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f886fa9bd90>: Failed to establish a new connection: [Errno -3] Try again')': /simple/mkdocs-awesome-pages-plugin/

etc.
The command '/bin/sh -c pip install mkdocs-awesome-pages-plugin' returned a non-zero code: 1

link

There is a typo around the "Link to Tool" section. Both Gambit and the bucket tool are on the same line.