SUMMARY.md

Table of contents

👽 Welcome!

• HackTricks Cloud
• About the Author

🏭 Pentesting CI/CD

• Pentesting CI/CD Methodology
• Github Security
  • Basic Github Information
• Gitea Security
  • Basic Gitea Information
• Concourse Security
  • Concourse Architecture
  • Concourse Lab Creation
  • Concourse Enumeration & Attacks
• CircleCI Security
• TravisCI Security
  • Basic TravisCI Information
• Jenkins Security
  • Basic Jenkins Information
  • Jenkins RCE with Groovy Script
  • Jenkins RCE Creating/Modifying Project
  • Jenkins RCE Creating/Modifying Pipeline
  • Jenkins Dumping Secrets from Groovy
  • SCM IP Whitelisting Bypass
• Apache Airflow Security
  • Airflow Configuration
  • Airflow RBAC
• Terraform Security
  • Terraform Enterprise Security
• Atlantis Security
• Cloudflare Security
  • Cloudflare Domains
  • Cloudflare Zero Trust Network
• TODO

⛈ Pentesting Cloud

• Pentesting Cloud Methodology
• Kubernetes Security
  • Kubernetes Basics
  • Pentesting Kubernetes Services
  • Exposing Services in Kubernetes
  • Attacking Kubernetes from inside a Pod
  • Kubernetes Enumeration
  • Kubernetes Role-Based Access Control(RBAC)
  • Abusing Roles/ClusterRoles in Kubernetes
    • Pod Escape Privileges
    • Kubernetes Roles Abuse Lab
  • Kubernetes Namespace Escalation
  • Kubernetes Pivoting to Clouds
  • Kubernetes Network Attacks
  • Kubernetes Hardening
    • kubernetes NetworkPolicies
    • Kubernetes SecurityContext(s)
    • Monitoring with Falco
• GCP Security
  • GCP - Basic Information
  • GCP - Non-svc Persistance
  • GCP - Permissions for a Pentest
  • GCP - Privilege Escalation
    • GCP - Apikeys Privesc
    • GCP - Cloudbuild Privesc
    • GCP - Cloudfunctions Privesc
    • GCP - Cloudscheduler Privesc
    • GCP - Compute Privesc
    • GCP - Composer Privesc
    • GCP - Container Privesc
    • GCP - Deploymentmaneger Privesc
    • GCP - IAM Privesc
    • GCP - KMS Privesc
    • GCP - Orgpolicy Privesc
    • GCP - Resourcemanager Privesc
    • GCP - Run Privesc
    • GCP - Secretmanager Privesc
    • GCP - Serviceusage Privesc
    • GCP - Storage Privesc
    • GCP - Misc Perms Privesc
    • GCP - Network Docker Escape
    • GCP - local privilege escalation ssh pivoting
  • GCP - Services
    • GCP - AI Platform Enum
    • GCP - Cloud Functions, App Engine & Cloud Run Enum
    • GCP - Compute Instances Enum
    • GCP - Compute Network Enum
    • GCP - Compute OS-Config Enum
    • GCP - Containers, GKE & Composer Enum
    • GCP - Databases Enum
      • GCP - Bigquery Enum
      • GCP - Bigtable Enum
      • GCP - Firebase Enum
      • GCP - Firestore Enum
      • GCP - Memorystore Enum
      • GCP - Spanner Enum
      • GCP - SQL Enum
    • GCP - DNS Enum
    • GCP - Filestore Enum
    • GCP - IAM & Org Policies Enum
    • GCP - KMS and Secrets Management Enum
    • GCP - Pub/Sub
    • GCP - Source Repositories Enum
    • GCP - Stackdriver Enum
    • GCP - Storage Enum
  • GCP - Unauthenticated Enum
    • GCP - Public Buckets Privilege Escalation
• Workspace Security
• AWS Security
  • AWS - Basic Information
    • AWS - Federation
    • Assume Role & Confused Deputy
  • AWS - Permissions for a Pentest
  • AWS - Privilege Escalation
    • AWS - Apigateway Privesc
    • AWS - Codebuild Privesc
    • AWS - Codepipeline Privesc
    • AWS - Codestar Privesc
      • codestar:CreateProject, codestar:AssociateTeamMember
      • iam:PassRole, codestar:CreateProject
    • AWS - Cloudformation Privesc
      • iam:PassRole, cloudformation:CreateStack,and cloudformation:DescribeStacks
    • AWS - Cognito Privesc
    • AWS - Datapipeline Privesc
    • AWS - DynamoDB Privesc
    • AWS - EBS Privesc
    • AWS - EC2 Privesc
    • AWS - ECR Privesc
    • AWS - ECS Privesc
    • AWS - EFS Privesc
    • AWS - EMR Privesc
    • AWS - Glue Privesc
    • AWS - IAM Privesc
    • AWS - KMS Privesc
    • AWS - Lambda Privesc
      • AWS - Steal Lambda Requests
    • AWS - Lightsail Privesc
    • AWS - MQ Privesc
    • AWS - MSK Privesc
    • AWS - RDS Privesc
    • AWS - Redshift Privesc
    • AWS - S3 Privesc
    • AWS - Sagemaker Privesc
    • AWS - Secrets Manager Privesc
    • AWS - SSM Privesc
    • AWS - STS Privesc
    • AWS - Misc Privesc
      • route53:CreateHostedZone, route53:ChangeResourceRecordSets, acm-pca:IssueCertificate, acm-pca:GetCer
  • AWS - Services
    • AWS - Security & Detection Services
      • AWS - CloudTrail Enum
      • AWS - CloudWatch Enum
      • AWS - Config Enum
      • AWS - Cost Explorer Enum
      • AWS - Detective Enum
      • AWS - Firewall Manager Enum
      • AWS - GuardDuty Enum
      • AWS - Inspector Enum
      • AWS - Macie Enum
      • AWS - Security Hub Enum
      • AWS - Shield Enum
      • AWS - Trusted Advisor Enum
      • AWS - WAF Enum
    • AWS - Databases
      • AWS - DynamoDB Enum
      • AWS - Redshift Enum
      • AWS - DocumentDB Enum
      • AWS - Relational Database (RDS) Enum
    • AWS - API Gateway Enum
    • AWS - CloudFormation & Codestar Enum
    • AWS - CloudHSM Enum
    • AWS - CloudFront Enum
    • AWS - Cognito Enum
      • Cognito Identity Pools
      • Cognito User Pools
    • AWS - DataPipeline, CodePipeline, CodeBuild & CodeCommit
    • AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum
      • AWS - VPCs-Network-Subnetworks-Ifaces-SecGroups-NAT
      • AWS - SSM Post-Exploitation
      • AWS - Malicious VPC Mirror
    • AWS - ECS, ECR & EKS Enum
    • AWS - EMR Enum
    • AWS - EFS Enum
    • AWS - Kinesis Data Firehose
    • AWS - IAM & STS Enum
      • AWS - Confused deputy
    • AWS - KMS Enum
    • AWS - Lambda Enum
    • AWS - Lightsail Enum
    • AWS - MQ Enum
    • AWS - MSK Enum
    • AWS - Route53 Enum
    • AWS - Secrets Manager Enum
    • AWS - SQS & SNS Enum
    • AWS - S3, Athena & Glacier Enum
    • AWS - Other Services Enum
  • AWS - Unauthenticated Enum
• Azure Security
  • Az - Basic Information
  • Az - Unauthenticated Enum & Initial Entry
    • Az - Illicit Consent Grant
    • Az - Device Code Authentication Phishing
    • Az - Password Spraying
  • Az - Services
    • Az - Application Proxy
    • Az - ARM Templates / Deployments
    • Az - Automation Account
      • Az - State Configuration RCE
    • Az - AzureAD
    • Az - Azure App Service & Function Apps
    • Az - Blob Storage
    • Az - Intune
    • Az - Keyvault
    • Az - Virtual Machines
  • Az - Permissions for a Pentest
  • Az - Lateral Movement (Cloud - On-Prem)
    • Az - Pass the Cookie
    • Az - Pass the PRT
    • Az - Pass the Certificate
    • Az - Local Cloud Credentials
    • Azure AD Connect - Hybrid Identity
      • Federation
      • PHS - Password Hash Sync
      • PTA - Pass-through Authentication
      • Seamless SSO
  • Az - Persistence
  • Az - Dynamic Groups Privesc

🛫 Pentesting Network Services

• HackTricks Pentesting Network
• HackTricks Pentesting Services