AWS
aws cli documentation
Configure
aws configure
AWS Access Key ID [None]: key_id
AWS Secret Access Key [None]: access_key
Default region name [None]: eu-west-3
Default output format [None]:
Note: If you have multiple accounts, you can specify the account and the endpoint URL with --profile <profile_name> and --endpoint-url <url>.
Example:
aws --profile <profile> --endpoint-url <url> iam list-attached-user-policies --user-name <USERNAME>
IAM
aws iam documentation
List policies attached to a user
aws iam list-attached-user-policies --user-name <USERNAME>
This command will return an object like this:
{
    "AttachedPolicies": [
        {
            "PolicyName": "<POLICY_NAME>",
            "PolicyArn": "arn:aws:iam::......:policy/<POLICY_NAME>"
        }
    ],
    "IsTruncated": false
}
Get policy details from a policy ARN
aws iam get-policy --policy-arn <POLICY_ARN>
List user policies
aws iam list-user-policies --user-name <USER_NAME>
Get user policy details for a user
aws iam get-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME>
LAMBDA
aws lambda documentation
List functions
aws lambda list-functions
Get the public URL of a function
aws lambda get-function-url-config --function-name <FUNCTION_NAME>
S3
aws s3 documentation
aws s3api documentation
List buckets
aws s3api list-buckets --query "Buckets"
List objects in a bucket
aws s3api list-objects --bucket <BUCKET>
List bucket files
aws s3 ls --recursive s3://<bucket_name>
Get files from a bucket
aws s3 sync s3://<bucket_name> <destination>
Upload a file to a bucket
aws s3 cp <path_to_file> s3://<bucket_name>
Dynamodb
aws dynamodb documentation
List all tables
aws dynamodb list-tables
Get data from a table
aws dynamodb scan --table-name <table_name>
Create table
aws --endpoint-url http://localhost:4566 dynamodb create-table --table-name example \
    --attribute-definitions AttributeName=example_attribute,AttributeType=S \
    --key-schema AttributeName=example_attribute,KeyType=HASH \
    --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5
Put item in table
aws --endpoint-url http://localhost:4566 dynamodb put-item --table-name example \
    --item '{"example_attribute":{"S":"Example"}}'
Kubernetes
Kubernetes, commonly stylized as K8s, is an open-source container orchestration system for automating software deployment, scaling, and management. Google originally designed Kubernetes, but the Cloud Native Computing Foundation now maintains the project.
Useful paths
/run/secrets/kubernetes.io/serviceaccount/ca.crt
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/token
/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
/var/run/secrets/kubernetes.io/serviceaccount/namespace
/var/run/secrets/kubernetes.io/serviceaccount/token
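The token mounted at the paths above is a JWT whose claims say which namespace and service account (and, for projected tokens, which pod) it represents, and whether it expires at all. The following script is an added example, not part of the original cheat sheet: it decodes those claims (without verifying the signature) so an operator can judge the blast radius of a token found on a pod; SAMPLE_TOKEN is a constructed token with a dummy signature. To inspect a real mounted token, call inspect_sa_token(open(TOKEN_PATH).read()).

```python
import base64
import json
import time

# Token mount path from the list above; the /run and /var/run paths point at the same file.
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

def b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_sa_token(token, now=None):
    """Read identity and lifetime claims of a service-account JWT (signature NOT verified).

    Tells an operator which namespace/service account (and pod, for projected tokens)
    a mounted token represents and whether it is time-bounded, i.e. its blast radius.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    k8s = claims.get("kubernetes.io", {})  # present on projected (bound) tokens
    exp = claims.get("exp")
    now = time.time() if now is None else now
    return {
        "alg": header.get("alg"),
        "issuer": claims.get("iss"),
        "subject": claims.get("sub"),
        # legacy secret-based tokens use flat claim names and never expire
        "namespace": k8s.get("namespace") or claims.get("kubernetes.io/serviceaccount/namespace"),
        "serviceaccount": (k8s.get("serviceaccount") or {}).get("name")
        or claims.get("kubernetes.io/serviceaccount/service-account.name"),
        "pod": (k8s.get("pod") or {}).get("name"),
        "bounded": exp is not None,
        "expired": exp is not None and exp <= now,
    }

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed sample with the claim layout of a projected token; the signature is a dummy.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "demo"}),
    _b64url({"iss": "https://kubernetes.default.svc", "sub": "system:serviceaccount:prod:web",
             "iat": 1700000000, "exp": 1700003600, "aud": ["https://kubernetes.default.svc"],
             "kubernetes.io": {"namespace": "prod", "serviceaccount": {"name": "web"},
                               "pod": {"name": "web-7d9f"}}}),
    "ZHVtbXktc2lnbmF0dXJl",
])
```

A token without "bounded" set is a legacy secret-based token that never expires and should be rotated.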
Namespace
kubectl get namespace --server <HOST> --certificate-authority=ca.crt --token=$token
Authorization
kubectl auth can-i --list --namespace=<NAMESPACES> --server <HOST> --certificate-authority=ca.crt --token=$token
Secrets
List all secrets:
kubectl get secrets --namespace=<NAMESPACES> --server <HOST> --certificate-authority=ca.crt --token=$token
Get secret:
kubectl describe secret <SECRET-ID> --namespace=<NAMESPACE> --server <HOST> --certificate-authority=ca.crt --token=$token
Pods
Get:
kubectl --namespace=<NAMESPACE> --server <HOST> --certificate-authority=ca.crt --token=$token get pods
Describe:
You can get the configuration of a specific pod:
kubectl --namespace=<NAMESPACE> --server <HOST> --certificate-authority=ca.crt --token=$token describe pod <POD_ID>
Apply:
If you have sufficient rights to apply a pod, you will usually be able to mount the node's root filesystem as a volume.
You can find a definition of a malicious pod here: pwn.yml
kubectl --namespace=<NAMESPACE> --server <HOST> --certificate-authority=ca.crt --token=$token apply -f pwn.yml
Exec command
kubectl --namespace=<NAMESPACE> --server <HOST> --certificate-authority=ca.crt --token=$token exec -it pwn -- bash
Azure
Domain names for Azure storage resources
Blob storage -> https://[account].blob.core.windows.net
Azure Data Lake Storage Gen2 -> https://[account].dfs.core.windows.net
Azure files -> https://[account].file.core.windows.net
Queue storage -> https://[account].queue.core.windows.net
Table storage -> https://[account].table.core.windows.net
List public blobs
List all files in a container:
curl "http://<account>.blob.core.windows.net/<container>?restype=container&comp=list&se=<SE>&sp=<SP>&sv=<SV>&sr=c&sig=<SIG>%3D"
Get one file:
curl "http://<account>.blob.core.windows.net/<container>/<file_name>?se=<SE>&sp=rl&sv=<SV>&sr=c&sig=<SIG>%3D"
Note: %3D is the URL-encoded '=' and it is required.
Here you can find more information on the query parameters.
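The se, sp, sv, sr and sig parameters in the URLs above form a shared access signature, and a leaked SAS URL is only as dangerous as what those parameters allow. The following script is an added example, not part of the original page: it parses a SAS URL and reports the findings a reviewer would want (expiry, lifetime, modification rights, container-wide listing, plain-http use, missing IP restriction). SAMPLE_URL is a constructed URL with a dummy signature, and the 7-day lifetime threshold is an assumed policy value.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Meaning of the sp (permission) letters of a service SAS; unknown letters are kept as-is.
PERMISSIONS = {"r": "read", "a": "add", "c": "create", "w": "write", "d": "delete",
               "l": "list", "t": "tags", "x": "delete-version", "y": "permanent-delete"}
RESOURCE = {"b": "blob", "c": "container", "bv": "blob-version", "bs": "blob-snapshot", "d": "directory"}

def _parse_time(value):
    # SAS times are ISO 8601 in UTC, e.g. 2024-05-01T00:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_sas_url(url, now=None, max_lifetime=timedelta(days=7)):
    """Describe a SAS URL and list what a reviewer of a leaked token would want to know."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}  # parse_qs turns sig=...%3D back into '='
    now = _parse_time(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    expiry = _parse_time(q["se"]) if "se" in q else None
    start = _parse_time(q["st"]) if "st" in q else None
    perms = [PERMISSIONS.get(ch, ch) for ch in q.get("sp", "")]
    findings = []
    if parts.scheme == "http" and q.get("spr", "https,http") != "https":
        findings.append("usable over plain http (spr does not restrict to https)")
    if expiry is None:
        findings.append("no expiry (se) in token")
    elif expiry <= now:
        findings.append("token expired")
    elif start and expiry - start > max_lifetime:
        findings.append("lifetime %s exceeds %s" % (expiry - start, max_lifetime))
    if {"write", "delete", "add", "create"} & set(perms):
        findings.append("grants modification rights: %s" % ",".join(perms))
    if q.get("sr") == "c" and "list" in perms:
        findings.append("container-wide listing enabled")
    if "sip" not in q:
        findings.append("no source IP restriction (sip)")
    return {
        "account": parts.hostname.split(".")[0] if parts.hostname else None,
        "resource": RESOURCE.get(q.get("sr"), q.get("sr")),
        "permissions": perms,
        "expires": expiry.isoformat() if expiry else None,
        "version": q.get("sv"),
        "signature_present": bool(q.get("sig")),
        "findings": findings,
    }

# Constructed sample in the shape of the container-listing URL above (dummy signature).
SAMPLE_URL = ("http://examplestore.blob.core.windows.net/backups?restype=container&comp=list"
              "&st=2024-01-01T00:00:00Z&se=2025-01-01T00:00:00Z&sp=rl&sv=2022-11-02&sr=c&sig=YWJj%3D")
```

Calling audit_sas_url(SAMPLE_URL, now="2024-06-01T00:00:00Z") returns the parsed fields plus the list of findings; now accepts either a datetime or an ISO 8601 string.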
Azure cosmos
List table content
# script.py
from azure.cosmosdb.table import TableService

# Authenticate with the SAS token only (no account key); the trailing %3D of sig is the URL-encoded '='
table_service = TableService(account_name="...",
                             sas_token='se=<SE>&sp=<SP>&sv=<SV>&tn=<Table>&sig=<SIG>%3D',
                             protocol='http',
                             endpoint_suffix='core.windows.net')
print(table_service.exists('<TABLE>'))                 # True if the table is reachable with this token
print(list(table_service.query_entities('<TABLE>')))   # dump every entity of the table
Docker registry
Recon
By default, a Docker registry runs on port 5000. The first step is to find out whether the registry requires an authentication token. You can do this by sending a request to the registry:
curl -I http://<HOST>:5000/v2/
Get authentication token
The Www-Authenticate header of the response tells you whether the registry requires an authentication token.
Example of response:
Www-Authenticate: Bearer realm="http://<HOST>:5001/",service="Docker registry",error="invalid_token"
From this response you can request a token; the realm is the URL of the token endpoint.
Examples of requests (the URL is quoted so the shell does not interpret the & and *; if the service name contains spaces, URL-encode them, e.g. Docker%20registry):
# Try to get access to the catalog only
curl "http://<REALM_URL>/auth?scope=registry:catalog:*&service=<NAME_OF_SERVICE>"
# Try to get pull and push rights on an image
curl "http://<REALM_URL>/auth?scope=repository:<IMAGE_NAME>:*&service=<NAME_OF_SERVICE>"
# Try to get pull rights only on an image
curl "http://<REALM_URL>/auth?scope=repository:<IMAGE_NAME>:pull&service=<NAME_OF_SERVICE>"
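The challenge header and the scope strings above follow the registry token-auth format, and getting the quoting wrong (spaces in the service name, * and : in the scope) is the usual reason the curl requests fail. The following script is an added example, not part of the original page or of any registry tool: it classifies the answer to GET /v2/ (open registry, Bearer token auth, Basic auth), parses the Www-Authenticate header, builds a correctly URL-encoded token request from the realm, and decomposes a scope. SAMPLE_CHALLENGE is a constructed header with a placeholder hostname; the realm is used as given, so if your registry's realm does not include the /auth path, append it as the curl examples above do.

```python
import re
from urllib.parse import urlencode

# Each challenge parameter is key="value"; values may contain spaces (service="Docker registry")
# or commas (scope="repository:a:pull,push"), so split on the quoted form, not on commas.
_PARAM = re.compile(r'(\w+)="([^"]*)"')

def parse_www_authenticate(header):
    """Split a Www-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header.strip().partition(" ")
    return scheme, dict(_PARAM.findall(rest))

def classify_registry(status, www_authenticate=None):
    """Summarise what the answer to GET /v2/ says about the registry's access control."""
    if status == 200:
        return "open: no authentication required"
    if status == 401 and www_authenticate:
        scheme, params = parse_www_authenticate(www_authenticate)
        if scheme.lower() == "bearer":
            return "token auth via %s (service %r)" % (params.get("realm"), params.get("service"))
        if scheme.lower() == "basic":
            return "basic auth (realm %r)" % params.get("realm")
    return "unexpected response %s" % status

def token_request_url(www_authenticate, scope):
    """Build the token-endpoint URL from the realm, URL-encoding service and scope.

    The realm is used as given (the token spec defines it as the endpoint itself);
    urlencode takes care of the space in the service name and the '*' and ':' in the scope.
    """
    scheme, params = parse_www_authenticate(www_authenticate)
    if scheme.lower() != "bearer" or "realm" not in params:
        raise ValueError("not a Bearer challenge with a realm")
    return params["realm"] + "?" + urlencode({"service": params.get("service", ""), "scope": scope})

def parse_scope(scope):
    """'repository:library/alpine:pull,push' -> type, name and requested actions."""
    rtype, name, actions = scope.split(":", 2)  # names may contain '/', never ':'
    return {"type": rtype, "name": name, "actions": actions.split(",")}

# Constructed sample in the shape of the header shown above (hostname is a placeholder).
SAMPLE_CHALLENGE = ('Bearer realm="http://registry.example:5001/token",'
                    'service="Docker registry",error="invalid_token"')
```

A 200 from GET /v2/ means anyone on the network can pull the catalog, which is the condition a registry operator should be checking for.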
Get all image names
You can get all image names by sending a request to the registry with the authentication token.
curl -H "Authorization: Bearer eyJ......" http://<HOST>:5000/v2/_catalog
Get all tags for an image
You can get all tags of an image by sending a request to the registry with the authentication token.
curl -H "Authorization: Bearer eyJ......" http://<HOST>:5000/v2/<IMAGE>/tags/list
Get image manifest
You can get an image manifest by sending a request to the registry with the authentication token.
curl -H "Authorization: Bearer eyJ......" http://<HOST>:5000/v2/<IMAGE>/manifests/<TAG>
Get image layer
curl -H "Authorization: Bearer eyJ......" http://<HOST>:5000/v2/<IMAGE>/blobs/<LAYER>
Automated tools
You can also use an automated tool like DockerRegistryGrabber.