SUMMARY.md

Table of contents

👽 Welcome!

• HackTricks Cloud
• About the Author
• HackTricks Values & faq

🏭 Pentesting CI/CD

• Pentesting CI/CD Methodology
• Github Security
  • Abusing Github Actions
    • Gh Actions - Artifact Poisoning
    • GH Actions - Cache Poisoning
    • Gh Actions - Context Script Injections
  • Accessible Deleted Data in Github
  • Basic Github Information
• Gitea Security
  • Basic Gitea Information
• Concourse Security
  • Concourse Architecture
  • Concourse Lab Creation
  • Concourse Enumeration & Attacks
• CircleCI Security
• TravisCI Security
  • Basic TravisCI Information
• Jenkins Security
  • Basic Jenkins Information
  • Jenkins RCE with Groovy Script
  • Jenkins RCE Creating/Modifying Project
  • Jenkins RCE Creating/Modifying Pipeline
  • Jenkins Arbitrary File Read to RCE via "Remember Me"
  • Jenkins Dumping Secrets from Groovy
• Apache Airflow Security
  • Airflow Configuration
  • Airflow RBAC
• Terraform Security
• Atlantis Security
• Cloudflare Security
  • Cloudflare Domains
  • Cloudflare Zero Trust Network
• Okta Security
  • Okta Hardening
• Supabase Security
• Ansible Tower / AWX / Automation controller Security
• TODO

⛈️ Pentesting Cloud

• Pentesting Cloud Methodology
• Kubernetes Pentesting
  • Kubernetes Basics
  • Pentesting Kubernetes Services
    • Kubelet Authentication & Authorization
  • Exposing Services in Kubernetes
  • Attacking Kubernetes from inside a Pod
  • Kubernetes Enumeration
  • Kubernetes Role-Based Access Control(RBAC)
  • Abusing Roles/ClusterRoles in Kubernetes
    • Pod Escape Privileges
    • Kubernetes Roles Abuse Lab
  • Kubernetes Namespace Escalation
  • Kubernetes External Secret Operator
  • Kubernetes Pivoting to Clouds
  • Kubernetes Network Attacks
  • Kubernetes Hardening
    • Kubernetes SecurityContext(s)
  • Kubernetes OPA Gatekeeper
    • Kubernetes OPA Gatekeeper bypass
  • Kubernetes Kyverno
    • Kubernetes Kyverno bypass
  • Kubernetes ValidatingWebhookConfiguration
• GCP Pentesting
  • GCP - Basic Information
    • GCP - Federation Abuse
  • GCP - Permissions for a Pentest
  • GCP - Post Exploitation
    • GCP - App Engine Post Exploitation
    • GCP - Artifact Registry Post Exploitation
    • GCP - Cloud Build Post Exploitation
    • GCP - Cloud Functions Post Exploitation
    • GCP - Cloud Run Post Exploitation
    • GCP - Cloud Shell Post Exploitation
    • GCP - Cloud SQL Post Exploitation
    • GCP - Compute Post Exploitation
    • GCP - Filestore Post Exploitation
    • GCP - IAM Post Exploitation
    • GCP - KMS Post Exploitation
    • GCP - Logging Post Exploitation
    • GCP - Monitoring Post Exploitation
    • GCP - Pub/Sub Post Exploitation
    • GCP - Secretmanager Post Exploitation
    • GCP - Security Post Exploitation
    • GCP - Workflows Post Exploitation
    • GCP - Storage Post Exploitation
  • GCP - Privilege Escalation
    • GCP - Apikeys Privesc
    • GCP - AppEngine Privesc
    • GCP - Artifact Registry Privesc
    • GCP - Batch Privesc
    • GCP - BigQuery Privesc
    • GCP - ClientAuthConfig Privesc
    • GCP - Cloudbuild Privesc
    • GCP - Cloudfunctions Privesc
    • GCP - Cloudidentity Privesc
    • GCP - Cloud Scheduler Privesc
    • GCP - Compute Privesc
      • GCP - Add Custom SSH Metadata
    • GCP - Composer Privesc
    • GCP - Container Privesc
    • GCP - Deploymentmaneger Privesc
    • GCP - IAM Privesc
    • GCP - KMS Privesc
    • GCP - Orgpolicy Privesc
    • GCP - Pubsub Privesc
    • GCP - Resourcemanager Privesc
    • GCP - Run Privesc
    • GCP - Secretmanager Privesc
    • GCP - Serviceusage Privesc
    • GCP - Sourcerepos Privesc
    • GCP - Storage Privesc
    • GCP - Workflows Privesc
    • GCP - Generic Permissions Privesc
    • GCP - Network Docker Escape
    • GCP - local privilege escalation ssh pivoting
  • GCP - Persistence
    • GCP - API Keys Persistence
    • GCP - App Engine Persistence
    • GCP - Artifact Registry Persistence
    • GCP - BigQuery Persistence
    • GCP - Cloud Functions Persistence
    • GCP - Cloud Run Persistence
    • GCP - Cloud Shell Persistence
    • GCP - Cloud SQL Persistence
    • GCP - Compute Persistence
    • GCP - Dataflow Persistence
    • GCP - Filestore Persistence
    • GCP - Logging Persistence
    • GCP - Secret Manager Persistence
    • GCP - Storage Persistence
    • GCP - Token Persistance
  • GCP - Services
    • GCP - AI Platform Enum
    • GCP - API Keys Enum
    • GCP - App Engine Enum
    • GCP - Artifact Registry Enum
    • GCP - Batch Enum
    • GCP - Bigquery Enum
    • GCP - Bigtable Enum
    • GCP - Cloud Build Enum
    • GCP - Cloud Functions Enum
    • GCP - Cloud Run Enum
    • GCP - Cloud Shell Enum
    • GCP - Cloud SQL Enum
    • GCP - Cloud Scheduler Enum
    • GCP - Compute Enum
      • GCP - Compute Instances
      • GCP - VPC & Networking
    • GCP - Composer Enum
    • GCP - Containers & GKE Enum
    • GCP - DNS Enum
    • GCP - Filestore Enum
    • GCP - Firebase Enum
    • GCP - Firestore Enum
    • GCP - IAM, Principals & Org Policies Enum
    • GCP - KMS Enum
    • GCP - Logging Enum
    • GCP - Memorystore Enum
    • GCP - Monitoring Enum
    • GCP - Pub/Sub Enum
    • GCP - Secrets Manager Enum
    • GCP - Security Enum
    • GCP - Source Repositories Enum
    • GCP - Spanner Enum
    • GCP - Stackdriver Enum
    • GCP - Storage Enum
    • GCP - Workflows Enum
  • GCP <--> Workspace Pivoting
    • GCP - Understanding Domain-Wide Delegation
  • GCP - Unauthenticated Enum & Access
    • GCP - API Keys Unauthenticated Enum
    • GCP - App Engine Unauthenticated Enum
    • GCP - Artifact Registry Unauthenticated Enum
    • GCP - Cloud Build Unauthenticated Enum
    • GCP - Cloud Functions Unauthenticated Enum
    • GCP - Cloud Run Unauthenticated Enum
    • GCP - Cloud SQL Unauthenticated Enum
    • GCP - Compute Unauthenticated Enum
    • GCP - IAM, Principals & Org Unauthenticated Enum
    • GCP - Source Repositories Unauthenticated Enum
    • GCP - Storage Unauthenticated Enum
      • GCP - Public Buckets Privilege Escalation
• GWS - Workspace Pentesting
  • GWS - Post Exploitation
  • GWS - Persistence
  • GWS - Workspace Sync Attacks (GCPW, GCDS, GPS, Directory Sync with AD & EntraID)
    • GWS - Admin Directory Sync
    • GCDS - Google Cloud Directory Sync
    • GCPW - Google Credential Provider for Windows
    • GPS - Google Password Sync
  • GWS - Google Platforms Phishing
    • GWS - App Scripts
• AWS Pentesting
  • AWS - Basic Information
    • AWS - Federation Abuse
  • AWS - Permissions for a Pentest
  • AWS - Persistence
    • AWS - API Gateway Persistence
    • AWS - Cognito Persistence
    • AWS - DynamoDB Persistence
    • AWS - EC2 Persistence
    • AWS - ECR Persistence
    • AWS - ECS Persistence
    • AWS - Elastic Beanstalk Persistence
    • AWS - EFS Persistence
    • AWS - IAM Persistence
    • AWS - KMS Persistence
    • AWS - Lambda Persistence
      • AWS - Abusing Lambda Extensions
      • AWS - Lambda Layers Persistence
    • AWS - Lightsail Persistence
    • AWS - RDS Persistence
    • AWS - S3 Persistence
    • AWS - SNS Persistence
    • AWS - Secrets Manager Persistence
    • AWS - SQS Persistence
    • AWS - SSM Perssitence
    • AWS - Step Functions Persistence
    • AWS - STS Persistence
  • AWS - Post Exploitation
    • AWS - API Gateway Post Exploitation
    • AWS - CloudFront Post Exploitation
    • AWS - CodeBuild Post Exploitation
      • AWS Codebuild - Token Leakage
    • AWS - Control Tower Post Exploitation
    • AWS - DLM Post Exploitation
    • AWS - DynamoDB Post Exploitation
    • AWS - EC2, EBS, SSM & VPC Post Exploitation
      • AWS - EBS Snapshot Dump
      • AWS - Malicious VPC Mirror
    • AWS - ECR Post Exploitation
    • AWS - ECS Post Exploitation
    • AWS - EFS Post Exploitation
    • AWS - EKS Post Exploitation
    • AWS - Elastic Beanstalk Post Exploitation
    • AWS - IAM Post Exploitation
    • AWS - KMS Post Exploitation
    • AWS - Lambda Post Exploitation
      • AWS - Steal Lambda Requests
    • AWS - Lightsail Post Exploitation
    • AWS - Organizations Post Exploitation
    • AWS - RDS Post Exploitation
    • AWS - S3 Post Exploitation
    • AWS - Secrets Manager Post Exploitation
    • AWS - SES Post Exploitation
    • AWS - SNS Post Exploitation
    • AWS - SQS Post Exploitation
    • AWS - SSO & identitystore Post Exploitation
    • AWS - Step Functions Post Exploitation
    • AWS - STS Post Exploitation
    • AWS - VPN Post Exploitation
  • AWS - Privilege Escalation
    • AWS - Apigateway Privesc
    • AWS - Chime Privesc
    • AWS - Codebuild Privesc
    • AWS - Codepipeline Privesc
    • AWS - Codestar Privesc
      • codestar:CreateProject, codestar:AssociateTeamMember
      • iam:PassRole, codestar:CreateProject
    • AWS - Cloudformation Privesc
      • iam:PassRole, cloudformation:CreateStack,and cloudformation:DescribeStacks
    • AWS - Cognito Privesc
    • AWS - Datapipeline Privesc
    • AWS - Directory Services Privesc
    • AWS - DynamoDB Privesc
    • AWS - EBS Privesc
    • AWS - EC2 Privesc
    • AWS - ECR Privesc
    • AWS - ECS Privesc
    • AWS - EFS Privesc
    • AWS - Elastic Beanstalk Privesc
    • AWS - EMR Privesc
    • AWS - EventBridge Scheduler Privesc
    • AWS - Gamelift
    • AWS - Glue Privesc
    • AWS - IAM Privesc
    • AWS - KMS Privesc
    • AWS - Lambda Privesc
    • AWS - Lightsail Privesc
    • AWS - Mediapackage Privesc
    • AWS - MQ Privesc
    • AWS - MSK Privesc
    • AWS - RDS Privesc
    • AWS - Redshift Privesc
    • AWS - Route53 Privesc
    • AWS - SNS Privesc
    • AWS - SQS Privesc
    • AWS - SSO & identitystore Privesc
    • AWS - Organizations Privesc
    • AWS - S3 Privesc
    • AWS - Sagemaker Privesc
    • AWS - Secrets Manager Privesc
    • AWS - SSM Privesc
    • AWS - Step Functions Privesc
    • AWS - STS Privesc
    • AWS - WorkDocs Privesc
  • AWS - Services
    • AWS - Security & Detection Services
      • AWS - CloudTrail Enum
      • AWS - CloudWatch Enum
      • AWS - Config Enum
      • AWS - Control Tower Enum
      • AWS - Cost Explorer Enum
      • AWS - Detective Enum
      • AWS - Firewall Manager Enum
      • AWS - GuardDuty Enum
      • AWS - Inspector Enum
      • AWS - Macie Enum
      • AWS - Security Hub Enum
      • AWS - Shield Enum
      • AWS - Trusted Advisor Enum
      • AWS - WAF Enum
    • AWS - API Gateway Enum
    • AWS - Certificate Manager (ACM) & Private Certificate Authority (PCA)
    • AWS - CloudFormation & Codestar Enum
    • AWS - CloudHSM Enum
    • AWS - CloudFront Enum
    • AWS - Codebuild Enum
    • AWS - Cognito Enum
      • Cognito Identity Pools
      • Cognito User Pools
    • AWS - DataPipeline, CodePipeline & CodeCommit Enum
    • AWS - Directory Services / WorkDocs Enum
    • AWS - DocumentDB Enum
    • AWS - DynamoDB Enum
    • AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum
      • AWS - Nitro Enum
      • AWS - VPC & Networking Basic Information
    • AWS - ECR Enum
    • AWS - ECS Enum
    • AWS - EKS Enum
    • AWS - Elastic Beanstalk Enum
    • AWS - ElastiCache
    • AWS - EMR Enum
    • AWS - EFS Enum
    • AWS - EventBridge Scheduler Enum
    • AWS - Kinesis Data Firehose Enum
    • AWS - IAM, Identity Center & SSO Enum
    • AWS - KMS Enum
    • AWS - Lambda Enum
    • AWS - Lightsail Enum
    • AWS - MQ Enum
    • AWS - MSK Enum
    • AWS - Organizations Enum
    • AWS - Redshift Enum
    • AWS - Relational Database (RDS) Enum
    • AWS - Route53 Enum
    • AWS - Secrets Manager Enum
    • AWS - SES Enum
    • AWS - SNS Enum
    • AWS - SQS Enum
    • AWS - S3, Athena & Glacier Enum
    • AWS - Step Functions Enum
    • AWS - STS Enum
    • AWS - Other Services Enum
  • AWS - Unauthenticated Enum & Access
    • AWS - Accounts Unauthenticated Enum
    • AWS - API Gateway Unauthenticated Enum
    • AWS - Cloudfront Unauthenticated Enum
    • AWS - Cognito Unauthenticated Enum
    • AWS - CodeBuild Unauthenticated Access
    • AWS - DocumentDB Unauthenticated Enum
    • AWS - DynamoDB Unauthenticated Access
    • AWS - EC2 Unauthenticated Enum
    • AWS - ECR Unauthenticated Enum
    • AWS - ECS Unauthenticated Enum
    • AWS - Elastic Beanstalk Unauthenticated Enum
    • AWS - Elasticsearch Unauthenticated Enum
    • AWS - IAM & STS Unauthenticated Enum
    • AWS - Identity Center & SSO Unauthenticated Enum
    • AWS - IoT Unauthenticated Enum
    • AWS - Kinesis Video Unauthenticated Enum
    • AWS - Lambda Unauthenticated Access
    • AWS - Media Unauthenticated Enum
    • AWS - MQ Unauthenticated Enum
    • AWS - MSK Unauthenticated Enum
    • AWS - RDS Unauthenticated Enum
    • AWS - Redshift Unauthenticated Enum
    • AWS - SQS Unauthenticated Enum
    • AWS - SNS Unauthenticated Enum
    • AWS - S3 Unauthenticated Enum
• Azure Pentesting
  • Az - Basic Information
  • Az - Enumeration Tools
  • Az - Unauthenticated Enum & Initial Entry
    • Az - Illicit Consent Grant
    • Az - Device Code Authentication Phishing
    • Az - Password Spraying
  • Az - Services
    • Az - Management Groups, Subscriptions & Resource Groups
    • Az - ACR
    • Az - Application Proxy
    • Az - ARM Templates / Deployments
    • Az - Automation Account
      • Az - State Configuration RCE
    • Az - Azure App Service & Function Apps
    • Az - Blob Storage
    • Az - Intune
    • Az - Key Vault
    • Az - Logic Apps
    • Az - SQL
    • Az - Virtual Machines & Network
      • Az - Azure Network
  • Az - Permissions for a Pentest
  • Az - Lateral Movement (Cloud - On-Prem)
    • Az AD Connect - Hybrid Identity
      • Az- Synchronising New Users
      • Az - Default Applications
      • Az - Cloud Kerberos Trust
      • Az - Federation
      • Az - PHS - Password Hash Sync
      • Az - PTA - Pass-through Authentication
      • Az - Seamless SSO
      • Az - Arc vulnerable GPO Deploy Script
    • Az - Local Cloud Credentials
    • Az - Pass the Cookie
    • Az - Pass the Certificate
    • Az - Pass the PRT
    • Az - Phishing Primary Refresh Token (Microsoft Entra)
    • Az - Processes Memory Access Token
    • Az - Primary Refresh Token (PRT)
  • Az - Persistence
  • Az - Device Registration
  • Az - Entra ID (formerly AzureAD - AAD)
    • Az - Conditional Access Policies / MFA Bypass
    • Az - Dynamic Groups Privesc
• Digital Ocean Pentesting
  • DO - Basic Information
  • DO - Permissions for a Pentest
  • DO - Services
    • DO - Apps
    • DO - Container Registry
    • DO - Databases
    • DO - Droplets
    • DO - Functions
    • DO - Images
    • DO - Kubernetes (DOKS)
    • DO - Networking
    • DO - Projects
    • DO - Spaces
    • DO - Volumes
• IBM Cloud Pentesting
  • IBM - Hyper Protect Crypto Services
  • IBM - Hyper Protect Virtual Server
  • IBM - Basic Information
• OpenShift Pentesting
  • OpenShift - Basic information
  • Openshift - SCC
  • OpenShift - Jenkins
    • OpenShift - Jenkins Build Pod Override
  • OpenShift - Privilege Escalation
    • OpenShift - Missing Service Account
    • OpenShift - Tekton
    • OpenShift - SCC bypass

🛫 Pentesting Network Services

• HackTricks Pentesting Network
• HackTricks Pentesting Services