Cloud

---

• AWS

• Kubernetes

• Azure

• Docker registry

AWS

aws cli documentation

Configure

aws configure

AWS Access Key ID [None]: key_id
AWS Secret Access Key [None]: access_key
Default region name [None]: eu-west-3 
Default output format [None]:

Note: If you have a multiple of account you can specifie your account and your endpoint url with --profile <profile_name> and --endpoint-url <url>.

Example:

aws --profile <profile> --endpoint-url <url> iam list-attached-user-policies --user-name <USERNAME>

IAM

aws iam documentation

List policies attached to an user

aws iam list-attached-user-policies --user-name <USERNAME>

This command will return an object like this:

{
  "AttachedPolicies": [
      {
          "PolicyName": "<POLICY_NAME>",
          "PolicyArn": "arn:aws:iam::......:policy/<POLICY_NAME>"
      }
  ],
  "IsTruncated": false
}

Get policy detail from an policy arn

aws iam get-policy --policy-arn <ARN_POLICY>

List user policy

aws iam list-user-policies --user-name <USER_NAME>

Get user policy detail for an user

aws iam get-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME>

LAMBDA

aws lambda documentation

List function

aws lambda list-functions

Get public url of the function

aws lambda get-function-url-config --function-name <FUNCTION_NAME>

S3

aws s3 documentation aws s3api documentation

List buckets

aws s3api list-buckets --query "Buckets"

List object in buckets

aws s3api list-objects --bucket <BUCKET>

List bucket files

aws s3 ls --recursive s3://<bucket_name>

Get file from bucket

aws s3 sync s3://<bucket_name> <destination>

Upload file to bucket

aws s3 cp <path_to_file> s3://<bucket_name>

Dynamodb

aws dynamodb documentation

List all tables

aws dynamodb list-tables

Get data from table

aws dynamodb scan --table-name <table_name>

Create table

aws --endpoint-url http://localhost:4566 dynamodb create-table --table-name example \
  --attribute-definitions AttributeName=example_attribute,AttributeType=S \
  --key-schema AttributeName=example_attribute,KeyType=HASH \
  --provisioned-throughput ReadCapacityUnits=10, WriteCapacityUnits=5

Put item in table

aws --endpoint-url http://localhost:4566 dynamodb put-item --table-name example \
  --item '{"example_attribute":{"S":"Example"}}'

Kubernetes

Kubernetes commonly stylized as K8s is an open-source container orchestration system for automating software deployment, scaling, and management. Google originally designed Kubernetes, but the Cloud Native Computing Foundation now maintains the project.

Usefull paths

/run/secrets/kubernetes.io/serviceaccount/ca.crt
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/token

/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
/var/run/secrets/kubernetes.io/serviceaccount/namespace
/var/run/secrets/kubernetes.io/serviceaccount/token

Namespace

kubectl get namespace --server <HOST> --certificate-authority=ca.crt --token=$token

Authorization

kubectl auth can-i --list --namespace=<NAMESPACES> --server <HOST> --certificate-authority=ca.crt --token=$token

Secrets

List all secrets:

kubectl get secrets --namespace=<NAMESPACES> --server <HOST> --certificate-authority=ca.crt --token=$token

Get secret:

kubectl describe secret <SECRET-ID> --namespace=<NAMESPACE> --server <HOST> --certificate-authority=ca.crt --token=$token

Pods

Get:

kubectl --namespace=<NAMESPACE> --server <HOST> --certificate-authority=ca.crt --token=$token get pods

Describe:

You can get configuration of specific

kubectl --namespace=<NAMESPACE> --server <HOST> --certificate-authority=ca.crt --token=$token describe pod <POD_ID>

Apply:

If you have good rights to apply a pod, most of the time you will be able to turn up the volume of the root machine.

You can find an definition of malicious pod here: pwn.yml

kubectl --namespace=<NAMESPACE> --server <HOST> --certificate-authority=ca.crt --token=$token apply -f pwn.yml

Exec command

kubectl --namespace=<NAMESPACE> --server <HOST> --certificate-authority=ca.crt --token=$token exec -it pwn -- bash

Usefull link

• Kubernetes Methodology 1

• Kubernetes Methodology 2

• Pods PE

Azure

Domain name for Azure resources storages

• Blob storage -> https://[account].blob.core.windows.net

• Azure Data Lake Storage Gen2 -> https://[account].dfs.core.windows.net

• Azure files -> https://[account].file.core.windows.net

• Queue storage -> https://[account].queue.core.windows.net

• Table storage -> https://[account].table.core.windows.net

List public blob

List all containers files.

curl "http://<account>.blob.core.windows.net/<container>?restype=container&comp=list&se=<SE>&sp=<SP>&sv=<SV>&sr=c&sig=<SIG>%3D"

List one file

curl "http://<account>.blob.core.windows.net/<container>/<file_name>?se=<SE>&sp=rl&sv=<SV>&sr=c&sig=<SIG>%3D"

Note %3D is '=' and it's required

Here you can find more information for query parameters

Azure cosmos

List table content

# script.py
from azure.cosmosdb.table import TableService

table_service = TableService(account_name="...", sas_token='se=<SE>&sp=<SP>&sv=<SV>&tn=<Table>&sig=<SIG>%3D', protocol='http', endpoint_suffix='core.windows.net')
print(table_service.exists('<TABLE>'))
print(list(table_service.query_entities('<TABLE>')))

Docker registry

Recon

By default, docker registry run on port 5000. The first step to do is to know if the registry need authentication token or not. You can do this by sending a request to the registry.

curl -I http://<HOST>:5000/v2/

Get authentication token

With the header www-authenticate you can know if the registry need authentication token or not.

Example of response:

Www-Authenticate: Bearer realm="http://<HOST>:5001/",service="Docker registry",error="invalid_token"

From this response you can try to get a token, the realm is the url to get the token.

Examples of requests:

# Try to get only access on catalog
curl http://<REALM_URL>/auth?scope=registry:catalog:*&service=<NAME_OF_SERVICE>

# Try to get only pull,push right on an image
curl http://<REALM_URL>/auth?scope=repository:<IMAGE_NAME>:*&service=<NAME_OF_SERVICE>

# Try to get only pull right on an image
curl http://<REALM_URL>/auth?scope=repository:<IMAGE_NAME>:pull&service=<NAME_OF_SERVICE>

Get all images names

You can get all images names by sending a request to the registry with the authentication token.

curl -H "Authorization: Bearer eyJ......" http://<HOST>:5000/v2/_catalog

Get all tags for an image

You can get all tags for an image by sending a request to the registry with the authentication token.

curl -H "Authorization: Bearer eyJ......" http://<HOST>:5000/v2/<IMAGE>/tags/list

Get image manifest

You can get image manifest by sending a request to the registry with the authentication token.

curl -H "Authorization: Bearer eyJ......" http://<HOST>:5000/v2/<IMAGE>/manifests/<TAG>

Get image layer

curl  -H "Authorization: Bearer eyJ......" http://<HOST>:5000/v2/<IMAGE>/blobs/<LAYER>

Automated tools

You can also use an automated tool like DockerRegistryGrabber.