0xd4y

0xd4y

Penetration Tester | Security Engineer | Global Top 0.1% at TryHackMe and HackTheBox

┌─[0xd4y@Writeup]─[/root/Writeups]
└──╼
$
bash ~/welcome.sh



Hacking in the Cloud - ec2_ssrf

Hacking in the Cloud - ec2_ssrf

As a low-privileged user, we compromised multiple other users and moved laterally within the environment. We then found a vulnerable EC2 instance which, when exploited, revealed the credentials for the role of the instance profile, which contained permissions to list and download credentials from a confidential S3 bucket.

in
Hacking in the Cloud - iam_privesc_by_attachment

Hacking in the Cloud - iam_privesc_by_attachment

We start off as a fairly high-privileged user who can perform multiple IAM and EC2 API calls. Using these permissions, it was possible to obtain full control over the AWS account by creating an EC2 instance with a high-privileged instance profile.

in
Hacking in the Cloud - cloud_breach_s3

Hacking in the Cloud - cloud_breach_s3

In this video we compromise an EC2 instance's metadata service, obtain credentials that result in exfiltrating sensitive data, and we do all of this while being completely undetected!

in
GCP Penetration Testing Notes 2

GCP Penetration Testing Notes 2

Compiled notes I read from additional blogs and posts about GCP penetration testing.

in
GCP Penetration Testing Notes

GCP Penetration Testing Notes

Notes I wrote while reading a blog post written about GCP penetration testing techniques and methodologies by Chris Moberly.

in
Hands on AWS Penetration Testing Notes

Hands on AWS Penetration Testing Notes

These are my notes for the Hands on AWS Penetration Testing book by Benjamin Caudill and Karl Gilbert.

in
Hacking in the Cloud - lambda_privesc

Hacking in the Cloud - lambda_privesc

We start off as a low-privileged user who can perform IAM Get and IAM List on all resources. In addition, this user can assume a role which has lambda:* and iam:PassRole on all resources. Using this permission, it was possible to create a function with another role that had AdministratorAccess attached to it. Therefore, we were able to attach AdministratorAccess on the low-privileged user.

in
Hacking in the Cloud - iam_privesc_by_rollback

Hacking in the Cloud - iam_privesc_by_rollback

This is the second scenario in the CloudGoat series, and it is the simplest one at the time of writing. We start off as a high-privileged user who can change their defualt policy version. One of the versions of this user's managed policy allows for performing any action on any resource. The user can therefore change their default version to this policy version and obtain Administrator access.

in