Cloud
AWS
Configure
aws configure
AWS Access Key ID [None]: key_id
AWS Secret Access Key [None]: access_key
Default region name [None]: eu-west-3
Default output format [None]:
Note: if you have several accounts, select the account and the endpoint URL with --profile <profile_name> and --endpoint-url <url>.
Example:
aws --profile <profile> --endpoint-url <url> iam list-attached-user-policies --user-name <USERNAME>
IAM
List managed policies attached to a user
aws iam list-attached-user-policies --user-name <USERNAME>
This command will return an object like this:
{
"AttachedPolicies": [
{
"PolicyName": "<POLICY_NAME>",
"PolicyArn": "arn:aws:iam::......:policy/<POLICY_NAME>"
}
],
"IsTruncated": false
}
Get policy details from a policy ARN (this returns metadata such as DefaultVersionId, not the policy document itself)
aws iam get-policy --policy-arn <ARN_POLICY>
List inline user policies
aws iam list-user-policies --user-name <USER_NAME>
Get the document of an inline user policy
aws iam get-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME>
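Once the policies are enumerated the real question is what they allow. Note that aws iam get-policy only returns metadata including DefaultVersionId; the document of a managed policy comes from aws iam get-policy-version --policy-arn <ARN> --version-id <DefaultVersionId>, and the document of an inline policy is the PolicyDocument field of get-user-policy. The script below is an added example, not code from the original cheat sheet: it takes such a document and flags Allow statements that grant actions commonly used for privilege escalation or credential theft, honouring wildcards, NotAction and explicit Deny. SAMPLE_POLICY, the account id and the DANGEROUS_ACTIONS list are constructed for the demonstration; Condition blocks are ignored, so every hit is a lead to verify by hand, not a proof.

```python
"""Flag privilege-escalation-relevant permissions in an IAM policy document.

Added example, not code from the original cheat sheet. Input is the
"Document" object returned by `aws iam get-policy-version` (managed
policies) or the "PolicyDocument" of `aws iam get-user-policy` (inline
policies). SAMPLE_POLICY and DANGEROUS_ACTIONS are constructed for the demo;
the list is a starting point, not a complete catalogue. Condition blocks
are ignored, so every hit is a lead to verify, not a proof.
"""
import fnmatch
import json

DANGEROUS_ACTIONS = [
    # identity: mint credentials or grant policies to yourself or others
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:PassRole", "iam:UpdateAssumeRolePolicy",
    "sts:AssumeRole",
    # compute that runs with a passed role
    "lambda:CreateFunction", "lambda:UpdateFunctionCode", "lambda:InvokeFunction",
    "ec2:RunInstances",
    # places where credentials tend to live
    "secretsmanager:GetSecretValue", "ssm:GetParameter", "s3:GetObject",
]


def _as_list(value):
    """Action/Resource/Statement may be a string, an object or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _glob(pattern, value):
    """IAM wildcard match: '*' and '?', case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _covers_action(stmt, action):
    """True if the statement's Action (or NotAction) applies to `action`."""
    if "NotAction" in stmt:
        return not any(_glob(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_glob(p, action) for p in _as_list(stmt.get("Action")))


def _covers_resource(stmt, resource):
    return any(_glob(p, resource) for p in _as_list(stmt.get("Resource")))


def find_dangerous_permissions(policy_doc):
    """Return [(action, resource)] pairs the policy allows from the list above.

    Follows IAM evaluation: an explicit Deny covering the same action and
    resource overrides an Allow.
    """
    statements = _as_list(policy_doc.get("Statement"))
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    denies = [s for s in statements if s.get("Effect") == "Deny"]
    hits = []
    for stmt in allows:
        for action in DANGEROUS_ACTIONS:
            if not _covers_action(stmt, action):
                continue
            for resource in _as_list(stmt.get("Resource")):
                denied = any(_covers_action(d, action) and _covers_resource(d, resource)
                             for d in denies)
                if not denied and (action, resource) not in hits:
                    hits.append((action, resource))
    return hits


# Constructed sample; 123456789012 is the placeholder account id AWS uses in docs.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "iam:Pass*", "Resource": "*"},
    {"Effect": "Allow", "Action": "lambda:*",
     "Resource": "arn:aws:lambda:eu-west-3:123456789012:function:*"},
    {"Effect": "Deny", "Action": "lambda:UpdateFunctionCode", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    # usage: aws iam get-policy-version ... | python3 iam_review.py
    # (falls back to SAMPLE_POLICY when nothing is piped in)
    import sys
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POLICY
    doc = doc.get("PolicyVersion", doc).get("Document", doc)  # get-policy-version output
    doc = doc.get("PolicyDocument", doc)                      # get-user-policy output
    for action, resource in find_dangerous_permissions(doc):
        print(f"{action:32} {resource}")
```

On the sample the script reports s3:GetObject on the bucket, iam:PassRole on everything and the two Lambda actions that survive the Deny; the denied lambda:UpdateFunctionCode is dropped even though lambda:* allows it.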
LAMBDA
List functions
aws lambda list-functions
Get the public URL of a function (only works when a function URL is configured; AuthType NONE means anyone can call it)
aws lambda get-function-url-config --function-name <FUNCTION_NAME>
S3
See the aws s3 and aws s3api documentation.
List buckets
aws s3api list-buckets --query "Buckets"
List objects in a bucket
aws s3api list-objects --bucket <BUCKET>
List bucket files recursively
aws s3 ls --recursive s3://<bucket_name>
Download every file of a bucket
aws s3 sync s3://<bucket_name> <destination>
Upload a file to a bucket
aws s3 cp <path_to_file> s3://<bucket_name>
DynamoDB
List all tables
aws dynamodb list-tables
Get data from table
aws dynamodb scan --table-name <table_name>
Create table (the --endpoint-url below targets a local endpoint such as LocalStack on port 4566; drop it to hit a real account)
aws --endpoint-url http://localhost:4566 dynamodb create-table --table-name example \
--attribute-definitions AttributeName=example_attribute,AttributeType=S \
--key-schema AttributeName=example_attribute,KeyType=HASH \
--provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5
Put item in table
aws --endpoint-url http://localhost:4566 dynamodb put-item --table-name example \
--item '{"example_attribute":{"S":"Example"}}'
Kubernetes
Kubernetes, commonly stylized as K8s, is an open-source container orchestration system for automating software deployment, scaling, and management. Google originally designed Kubernetes; the Cloud Native Computing Foundation now maintains the project.
Useful paths
Inside a pod, the service account credentials are mounted at these paths (/var/run is normally a symlink to /run, so both lists resolve to the same files):
/run/secrets/kubernetes.io/serviceaccount/ca.crt
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/token
/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
/var/run/secrets/kubernetes.io/serviceaccount/namespace
/var/run/secrets/kubernetes.io/serviceaccount/token
Namespaces (<HOST> is the API server URL, e.g. https://<ip>:6443)
kubectl get namespace --server <HOST> --certificate-authority=ca.crt --token=$token
Authorization
kubectl auth can-i --list --namespace=<NAMESPACES> --server <HOST> --certificate-authority=ca.crt --token=$token
Secrets
List all secrets:
kubectl get secrets --namespace=<NAMESPACES> --server <HOST> --certificate-authority=ca.crt --token=$token
Get secret:
kubectl describe secret <SECRET-ID> --namespace=<NAMESPACE> --server <HOST> --certificate-authority=ca.crt --token=$token
Pods
Get:
kubectl --namespace=<NAMESPACE> --server <HOST> --certificate-authority=ca.crt --token=$token get pods
Describe:
You can get the configuration of a specific pod (image, mounted volumes, service account):
kubectl --namespace=<NAMESPACE> --server <HOST> --certificate-authority=ca.crt --token=$token describe pod <POD_ID>
Apply:
If you have the rights to create pods, you can usually mount the node's root filesystem into a pod through a hostPath volume and so take over the node.
A definition of such a malicious pod is linked here: pwn.yml
kubectl --namespace=<NAMESPACE> --server <HOST> --certificate-authority=ca.crt --token=$token apply -f pwn.yml
Exec a command in the pod (pwn is the pod name from pwn.yml):
kubectl --namespace=<NAMESPACE> --server <HOST> --certificate-authority=ca.crt --token=$token exec -it pwn -- bash
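Before running the kubectl commands above it helps to know who the mounted token represents. The script below is an added example, not code from the original page: it reads the token from the paths listed in this section, decodes the JWT payload without verifying the signature (only the API server can do that) to recover the namespace and service account name, and prints the kubectl invocations used here with the in-cluster paths filled in. DEMO_TOKEN is a constructed, unsigned token so the script also runs outside a cluster; <HOST> and <SECRET_NAME> stay placeholders.

```python
"""Recover the pod's identity from a mounted service account token.

Added example, not code from the original page. Decodes the token's JWT
payload WITHOUT signature verification and prints the kubectl invocations
from this section. DEMO_TOKEN is constructed and unsigned.
"""
import base64
import json
import os

SA_DIRS = [
    "/run/secrets/kubernetes.io/serviceaccount",
    "/var/run/secrets/kubernetes.io/serviceaccount",
]


def _b64url_decode(segment):
    """JWT segments are base64url without '=' padding; restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
    return raw.rstrip(b"=").decode()


def decode_claims(token):
    """Return the (unverified) payload of a JWT: header.payload.signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def service_account_identity(token):
    """Extract namespace and service account name from the token claims.

    Projected (bound) tokens, the default on current clusters, carry them
    under the "kubernetes.io" claim; legacy secret-based tokens use
    "kubernetes.io/serviceaccount/<field>" claims. Both set
    sub = system:serviceaccount:<namespace>:<name>, used as a fallback.
    """
    claims = decode_claims(token)
    bound = claims.get("kubernetes.io")
    if bound:
        ns, name = bound["namespace"], bound["serviceaccount"]["name"]
    else:
        ns = claims.get("kubernetes.io/serviceaccount/namespace")
        name = claims.get("kubernetes.io/serviceaccount/service-account.name")
    if ns is None or name is None:
        _, _, ns, name = claims["sub"].split(":", 3)
    return {"namespace": ns, "name": name, "expires": claims.get("exp")}


def load_mounted_token(dirs=SA_DIRS):
    """Return (dir, token) for the first mount that has a token file."""
    for d in dirs:
        path = os.path.join(d, "token")
        if os.path.isfile(path):
            with open(path) as fh:
                return d, fh.read().strip()
    return None, None


def kubectl_commands(server, sa_dir, namespace):
    """The commands of this section with the in-cluster paths filled in.

    `server` must be a URL such as https://<HOST>:6443; from inside a pod the
    API server is https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT.
    """
    base = (f"kubectl --server {server} --certificate-authority={sa_dir}/ca.crt "
            f"--token=$(cat {sa_dir}/token) --namespace={namespace}")
    return [
        f"{base} auth can-i --list",
        f"{base} get pods",
        f"{base} get secrets",
        # `describe secret` shows only key names and sizes; -o yaml shows the
        # base64-encoded values
        f"{base} get secret <SECRET_NAME> -o yaml",
    ]


# Constructed demo token (alg "none", fake signature): NOT a real cluster token.
DEMO_TOKEN = ".".join([
    _b64url_encode({"alg": "none", "typ": "JWT"}),
    _b64url_encode({
        "iss": "https://kubernetes.default.svc.cluster.local",
        "sub": "system:serviceaccount:webapp:frontend-sa",
        "kubernetes.io": {"namespace": "webapp",
                          "serviceaccount": {"name": "frontend-sa", "uid": "0"}},
        "exp": 1924992000,
    }),
    "demo-signature",
])

if __name__ == "__main__":
    sa_dir, token = load_mounted_token()
    if token is None:  # not running in a pod: fall back to the demo token
        sa_dir, token = SA_DIRS[0], DEMO_TOKEN
    ident = service_account_identity(token)
    print(f"service account {ident['namespace']}/{ident['name']} (exp {ident['expires']})")
    for cmd in kubectl_commands("https://<HOST>:6443", sa_dir, ident["namespace"]):
        print(cmd)
```

Run it from inside a compromised pod and it prints the namespace the token is scoped to and the commands to paste; the token is never sent anywhere by the script itself.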
Useful links
Azure
Domain names of Azure storage resources
Blob storage -> https://[account].blob.core.windows.net
Azure Data Lake Storage Gen2 -> https://[account].dfs.core.windows.net
Azure files -> https://[account].file.core.windows.net
Queue storage -> https://[account].queue.core.windows.net
Table storage -> https://[account].table.core.windows.net
List public blobs
List all files of a container:
curl "http://<account>.blob.core.windows.net/<container>?restype=container&comp=list&se=<SE>&sp=<SP>&sv=<SV>&sr=c&sig=<SIG>%3D"
Get one file:
curl "http://<account>.blob.core.windows.net/<container>/<file_name>?se=<SE>&sp=rl&sv=<SV>&sr=c&sig=<SIG>%3D"
Note: %3D is the URL-encoded form of the '=' that pads the base64 signature; it is required.
More information on the query parameters (sv, se, sp, sr, sig) can be found here.
Azure cosmos
List table contents
# script.py
from azure.cosmosdb.table import TableService  # pip install azure-cosmosdb-table

# The SAS token uses the same query-string grammar as for blobs; tn= names the table.
table_service = TableService(account_name="...", sas_token='se=<SE>&sp=<SP>&sv=<SV>&tn=<Table>&sig=<SIG>%3D', protocol='http', endpoint_suffix='core.windows.net')
print(table_service.exists('<TABLE>'))                # True if the SAS can reach the table
print(list(table_service.query_entities('<TABLE>')))  # dump every entity of the table
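Both the blob URLs above and the sas_token passed to TableService carry the same SAS query-string grammar, and a token found in a page or a config file is only useful if it is still valid and grants the right you need. The following script is an added example, not code from the original page: it parses a SAS URL or bare query string, names the permission letters of sp, resolves sr and tn, checks st/se against the clock and builds the container listing URL used above. The SAS strings and signatures in it are constructed and fake.

```python
"""Inspect an Azure Storage SAS token before using it.

Added example, not code from the original page. Fields: sv (service
version), st/se (start/expiry, ISO-8601 UTC), sp (permission letters),
sr (resource: c=container, b=blob), tn (table name) and sig (base64 HMAC
whose trailing '=' travels as %3D). The SAS strings below are constructed
samples with fake signatures.
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

PERMISSION_NAMES = {"r": "read", "w": "write", "d": "delete", "l": "list",
                    "a": "add", "c": "create", "u": "update", "p": "process"}
RESOURCE_NAMES = {"c": "container", "b": "blob", "d": "directory",
                  "s": "share", "f": "file"}


def parse_sas(url_or_query):
    """Split a full SAS URL or a bare query string into a dict of fields.
    Percent-decoding happens here, so the %3D of sig becomes '='."""
    if "://" in url_or_query:
        query = urlparse(url_or_query).query
    else:
        query = url_or_query.lstrip("?")
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def _parse_time(value):
    """Azure accepts 2024-12-31T23:59:59Z, 2024-12-31T23:59Z or 2024-12-31."""
    value = value.rstrip("Z")
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%dT%H:%M", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def describe_sas(url_or_query, now=None):
    """Summarise what a SAS grants and whether it is valid at `now`.

    `now` may be an ISO timestamp string, a datetime, or omitted (current time).
    """
    f = parse_sas(url_or_query)
    if isinstance(now, str):
        now = _parse_time(now)
    now = now or datetime.now(timezone.utc)
    start = _parse_time(f["st"]) if f.get("st") else None
    expiry = _parse_time(f["se"]) if f.get("se") else None
    perms = f.get("sp", "")
    return {
        "version": f.get("sv"),
        "resource": RESOURCE_NAMES.get(f.get("sr"), f.get("sr")),
        "table": f.get("tn"),
        "permissions": [PERMISSION_NAMES.get(c, c) for c in perms],
        "can_list": "l" in perms,
        "can_write": any(c in perms for c in "wacu"),
        "can_delete": "d" in perms,
        "expires": expiry.isoformat() if expiry else None,
        "valid_now": (start is None or start <= now) and (expiry is None or now < expiry),
        # a signature that does not end in '=' usually means the %3D was lost
        "sig_padded": f.get("sig", "").endswith("="),
    }


def container_list_url(account, container, sas_query):
    """The 'list blobs' request from above; restype/comp precede the SAS."""
    return (f"https://{account}.blob.core.windows.net/{container}"
            f"?restype=container&comp=list&{sas_query.lstrip('?')}")


DEMO_CONTAINER_SAS = ("sv=2022-11-02&se=2030-01-01T00:00:00Z&sr=c&sp=rl"
                      "&sig=ZmFrZS1zaWduYXR1cmU%3D")
DEMO_TABLE_SAS = "se=2030-01-01&sp=r&sv=2019-12-12&tn=users&sig=ZmFrZQ%3D%3D"

if __name__ == "__main__":
    for sas in (DEMO_CONTAINER_SAS, DEMO_TABLE_SAS):
        for key, value in describe_sas(sas).items():
            print(f"{key:12} {value}")
        print()
    print(container_list_url("<account>", "<container>", DEMO_CONTAINER_SAS))
```

A container SAS with l in sp is what makes the listing request work; a blob-only SAS (sr=b) or one without l can still fetch individual files whose names you already know. The page uses http:// in its curl lines; prefer https:// on real targets since the sig is a bearer credential.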
Docker registry
Recon
By default, a Docker registry listens on port 5000. The first step is to find out whether the registry requires an authentication token, which you can do by sending a request to the registry:
curl -I http://<HOST>:5000/v2/
Get an authentication token
The Www-Authenticate header of the response tells you whether the registry requires a bearer token.
Example of response:
Www-Authenticate: Bearer realm="http://<HOST>:5001/",service="Docker registry",error="invalid_token"
From this response you can request a token: the realm is the URL of the token endpoint and service is the value to pass in the service parameter. Quote the URL, otherwise the shell treats the & as a background operator and drops everything after it.
Examples of requests:
# Try to get access to the catalog only
curl "http://<REALM_URL>/auth?scope=registry:catalog:*&service=<NAME_OF_SERVICE>"
# Try to get all rights (pull and push) on an image
curl "http://<REALM_URL>/auth?scope=repository:<IMAGE_NAME>:*&service=<NAME_OF_SERVICE>"
# Try to get pull right only on an image
curl "http://<REALM_URL>/auth?scope=repository:<IMAGE_NAME>:pull&service=<NAME_OF_SERVICE>"
Get all image names
Query the catalog with the token:
curl -H "Authorization: Bearer eyJ......" http://<HOST>:5000/v2/_catalog
Get all tags for an image
curl -H "Authorization: Bearer eyJ......" http://<HOST>:5000/v2/<IMAGE>/tags/list
Get image manifest
The manifest lists the config and layer digests. Send the Accept header below to receive a schema 2 manifest; without it the registry may fall back to a legacy schema 1 manifest (layers under fsLayers/blobSum) whose digests differ.
curl -H "Authorization: Bearer eyJ......" -H "Accept: application/vnd.docker.distribution.manifest.v2+json" http://<HOST>:5000/v2/<IMAGE>/manifests/<TAG>
Get image layer
Each layer is downloaded by digest; the response body is a gzipped tar of that layer's filesystem changes.
curl -H "Authorization: Bearer eyJ......" http://<HOST>:5000/v2/<IMAGE>/blobs/<LAYER>
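The steps above are a fixed sequence (challenge, token, catalog, tags, manifest, blobs) that is easy to get wrong by hand: the unquoted & in the token URL, the missing Accept header, the two manifest formats. The script below is an added example, neither code from the original page nor from DockerRegistryGrabber: it parses the Www-Authenticate challenge, builds correctly encoded token URLs for the scopes used above, emits the registry requests with the right headers and extracts config and layer digests from either manifest schema. The challenge header, host names and the manifest JSON are constructed samples, so it runs offline; against a live registry you would send the URLs it prints and feed the responses back into manifest_blobs.

```python
"""Registry v2 token flow and manifest parsing, runnable offline.

Added example; it is neither code from the original page nor from
DockerRegistryGrabber. The challenge header and the manifest below are
constructed samples.
"""
import json
import re
from urllib.parse import urlencode

MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"
_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_www_authenticate(header):
    """Parse 'Bearer realm="...",service="...",scope="..."' into a dict.
    A 'Basic' challenge (or no header at all) means there is no token endpoint."""
    scheme, _, params = header.strip().partition(" ")
    out = {"scheme": scheme.lower()}
    if out["scheme"] == "bearer":
        out.update(_PARAM.findall(params))
    return out


def scope_catalog():
    return "registry:catalog:*"


def scope_repository(image, actions=("pull",)):
    """repository:<image>:pull | pull,push | *"""
    return f"repository:{image}:{','.join(actions)}"


def token_url(challenge, scope):
    """Token request for the realm; the realm value is used as-is.
    urlencode avoids the shell pitfall of an unquoted '&' in the curl lines."""
    query = urlencode({"service": challenge["service"], "scope": scope},
                      safe=":*/,")
    return f"{challenge['realm']}?{query}"


def registry_requests(host, image, tag, token):
    """The catalog -> tags -> manifest requests from above as (url, headers).
    The Accept header asks for a schema 2 manifest; without it an older
    registry may answer with schema 1 (layers under fsLayers/blobSum)."""
    auth = {"Authorization": f"Bearer {token}"}
    return [
        (f"http://{host}/v2/_catalog", auth),
        (f"http://{host}/v2/{image}/tags/list", auth),
        (f"http://{host}/v2/{image}/manifests/{tag}",
         {**auth, "Accept": MANIFEST_V2}),
    ]


def manifest_blobs(manifest_json):
    """Return (config_digest, [layer digests]) for schema 2 / OCI manifests,
    and (None, [layer digests]) for schema 1 ones."""
    m = json.loads(manifest_json)
    if "layers" in m:
        return m.get("config", {}).get("digest"), [l["digest"] for l in m["layers"]]
    if "fsLayers" in m:
        return None, [l["blobSum"] for l in m["fsLayers"]]
    raise ValueError("unrecognised manifest format")


def blob_urls(host, image, digests):
    """Blob download URLs; layers are gzipped tars, the config blob is JSON."""
    return [f"http://{host}/v2/{image}/blobs/{d}" for d in digests]


# --- constructed samples (fake host, fake digests) ---------------------------
SAMPLE_CHALLENGE = ('Bearer realm="http://registry.example:5001/auth",'
                    'service="Docker registry",error="invalid_token"')
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": MANIFEST_V2,
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1469, "digest": "sha256:" + "a" * 64},
    "layers": [
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 2797541, "digest": "sha256:" + "b" * 64},
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 1024, "digest": "sha256:" + "c" * 64},
    ],
})

if __name__ == "__main__":
    challenge = parse_www_authenticate(SAMPLE_CHALLENGE)
    print("token URL:", token_url(challenge, scope_repository("myapp/web")))
    for url, headers in registry_requests("registry.example:5000", "myapp/web",
                                          "latest", "eyJ..."):
        print("GET", url, headers)
    config, layers = manifest_blobs(SAMPLE_MANIFEST)
    for url in blob_urls("registry.example:5000", "myapp/web", [config] + layers):
        print("GET", url)
```

The config blob is worth pulling first: it is small JSON that holds the image's ENV, CMD and history, where hard-coded credentials often surface before you extract a single layer.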
Automated tools
You can also use an automated tool like DockerRegistryGrabber.