- 👽 Welcome!
- HackTricks Cloud
- About the Author (https://book.hacktricks.wiki/en/welcome/about-the-author.html)
- HackTricks Values & FAQ (https://book.hacktricks.wiki/en/welcome/hacktricks-values-and-faq.html)
- 🏭 Pentesting CI/CD
- Pentesting CI/CD Methodology
- Docker Build Context Abuse in Cloud Envs
- Gitblit Security
- SSH Auth Bypass
- Github Security
- Abusing Github Actions
- GH Actions - Artifact Poisoning
- GH Actions - Cache Poisoning
- GH Actions - Context Script Injections
- Accessible Deleted Data in Github
- Basic Github Information
- Gitea Security
- Basic Gitea Information
- Concourse Security
- Concourse Architecture
- Concourse Lab Creation
- Concourse Enumeration & Attacks
- CircleCI Security
- TravisCI Security
- Basic TravisCI Information
- Jenkins Security
- Basic Jenkins Information
- Jenkins RCE with Groovy Script
- Jenkins RCE Creating/Modifying Project
- Jenkins RCE Creating/Modifying Pipeline
- Jenkins Arbitrary File Read to RCE via "Remember Me"
- Jenkins Dumping Secrets from Groovy
- Apache Airflow Security
- Airflow Configuration
- Airflow RBAC
- Terraform Security
- Atlantis Security
- Cloudflare Security
- Cloudflare Domains
- Cloudflare Workers Pass Through Proxy Ip Rotation
- Cloudflare Zero Trust Network
- Okta Security
- Okta Hardening
- Serverless.com Security
- Supabase Security
- Chef Automate Security
- Chef Automate Enumeration And Attacks
- Vercel Security
- Ansible Tower / AWX / Automation controller Security
- TODO
- ⛈️ Pentesting Cloud
- Pentesting Cloud Methodology
- LUKS2 Header Malleability Null Cipher Abuse
- Kubernetes Pentesting
- Kubernetes Basics
- Pentesting Kubernetes Services
- Kubelet Authentication & Authorization
- Exposing Services in Kubernetes
- Attacking Kubernetes from inside a Pod
- Kubernetes Enumeration
- Kubernetes Role-Based Access Control (RBAC)
- Abusing Roles/ClusterRoles in Kubernetes
- Pod Escape Privileges
- Kubernetes Roles Abuse Lab
- Kubernetes Namespace Escalation
- Kubernetes External Secret Operator
- Kubernetes Pivoting to Clouds
- Kubernetes Network Attacks
- Kubernetes Hardening
- Kubernetes SecurityContext(s)
- Kubernetes OPA Gatekeeper
- Kubernetes OPA Gatekeeper bypass
- Kubernetes Kyverno
- Kubernetes Kyverno bypass
- Kubernetes ValidatingWebhookConfiguration
- GCP Pentesting
- GCP - Basic Information
- GCP - Federation Abuse
- GCP - Permissions for a Pentest
- GCP - Post Exploitation
- GCP - App Engine Post Exploitation
- GCP - Artifact Registry Post Exploitation
- GCP - Bigtable Post Exploitation
- GCP - Cloud Build Post Exploitation
- GCP - Cloud Functions Post Exploitation
- GCP - Cloud Run Post Exploitation
- GCP - Cloud Shell Post Exploitation
- GCP - Cloud SQL Post Exploitation
- GCP - Compute Post Exploitation
- GCP - Filestore Post Exploitation
- GCP - IAM Post Exploitation
- GCP - KMS Post Exploitation
- GCP - Logging Post Exploitation
- GCP - Monitoring Post Exploitation
- GCP - Pub/Sub Post Exploitation
- GCP - Secretmanager Post Exploitation
- GCP - Security Post Exploitation
- GCP - Workflows Post Exploitation
- GCP - Storage Post Exploitation
- GCP - Privilege Escalation
- GCP - Apikeys Privesc
- GCP - AppEngine Privesc
- GCP - Artifact Registry Privesc
- GCP - Batch Privesc
- GCP - BigQuery Privesc
- GCP - Bigtable Privesc
- GCP - ClientAuthConfig Privesc
- GCP - Cloudbuild Privesc
- GCP - Cloudfunctions Privesc
- GCP - Cloudidentity Privesc
- GCP - Cloud Scheduler Privesc
- GCP - Cloud Tasks Privesc
- GCP - Compute Privesc
- GCP - Add Custom SSH Metadata
- GCP - Composer Privesc
- GCP - Container Privesc
- GCP - Dataproc Privesc
- GCP - Deployment Manager Privesc
- GCP - IAM Privesc
- GCP - KMS Privesc
- GCP - Orgpolicy Privesc
- GCP - Pubsub Privesc
- GCP - Resourcemanager Privesc
- GCP - Run Privesc
- GCP - Secretmanager Privesc
- GCP - Serviceusage Privesc
- GCP - Sourcerepos Privesc
- GCP - Storage Privesc
- GCP - Vertex AI Privesc
- GCP - Workflows Privesc
- GCP - Generic Permissions Privesc
- GCP - Network Docker Escape
- GCP - Local Privilege Escalation & SSH Pivoting
- GCP - Persistence
- GCP - API Keys Persistence
- GCP - App Engine Persistence
- GCP - Artifact Registry Persistence
- GCP - BigQuery Persistence
- GCP - Bigtable Persistence
- GCP - Cloud Functions Persistence
- GCP - Cloud Run Persistence
- GCP - Cloud Shell Persistence
- GCP - Cloud SQL Persistence
- GCP - Compute Persistence
- GCP - Dataflow Persistence
- GCP - Filestore Persistence
- GCP - Logging Persistence
- GCP - Secret Manager Persistence
- GCP - Storage Persistence
- GCP - Token Persistence
- GCP - Services
- GCP - AI Platform Enum
- GCP - API Keys Enum
- GCP - App Engine Enum
- GCP - Artifact Registry Enum
- GCP - Batch Enum
- GCP - Bigquery Enum
- GCP - Bigtable Enum
- GCP - Cloud Build Enum
- GCP - Cloud Functions Enum
- GCP - Cloud Run Enum
- GCP - Cloud Shell Enum
- GCP - Cloud SQL Enum
- GCP - Cloud Scheduler Enum
- GCP - Compute Enum
- GCP - Compute Instances
- GCP - VPC & Networking
- GCP - Composer Enum
- GCP - Containers & GKE Enum
- GCP - Dataproc Enum
- GCP - DNS Enum
- GCP - Filestore Enum
- GCP - Firebase Enum
- GCP - Firestore Enum
- GCP - IAM, Principals & Org Policies Enum
- GCP - KMS Enum
- GCP - Logging Enum
- GCP - Memorystore Enum
- GCP - Monitoring Enum
- GCP - Pub/Sub Enum
- GCP - Secrets Manager Enum
- GCP - Security Enum
- GCP - Source Repositories Enum
- GCP - Spanner Enum
- GCP - Stackdriver Enum
- GCP - Storage Enum
- GCP - Vertex AI Enum
- GCP - Workflows Enum
- GCP <--> Workspace Pivoting
- GCP - Understanding Domain-Wide Delegation
- GCP - Unauthenticated Enum & Access
- GCP - API Keys Unauthenticated Enum
- GCP - App Engine Unauthenticated Enum
- GCP - Artifact Registry Unauthenticated Enum
- GCP - Cloud Build Unauthenticated Enum
- GCP - Cloud Functions Unauthenticated Enum
- GCP - Cloud Run Unauthenticated Enum
- GCP - Cloud SQL Unauthenticated Enum
- GCP - Compute Unauthenticated Enum
- GCP - IAM, Principals & Org Unauthenticated Enum
- GCP - Source Repositories Unauthenticated Enum
- GCP - Storage Unauthenticated Enum
- GCP - Public Buckets Privilege Escalation
- GWS - Workspace Pentesting
- GWS - Post Exploitation
- GWS - Persistence
- GWS - Workspace Sync Attacks (GCPW, GCDS, GPS, Directory Sync with AD & EntraID)
- GWS - Admin Directory Sync
- GCDS - Google Cloud Directory Sync
- GCPW - Google Credential Provider for Windows
- GPS - Google Password Sync
- GWS - Google Platforms Phishing
- GWS - App Scripts
- AWS Pentesting
- AWS - Basic Information
- AWS - Federation Abuse
- AWS - Permissions for a Pentest
- AWS - Persistence
- AWS - API Gateway Persistence
- AWS - Cloudformation Persistence
- AWS - Cognito Persistence
- AWS - DynamoDB Persistence
- AWS - EC2 Persistence
- AWS - EC2 ReplaceRootVolume Task (Stealth Backdoor / Persistence)
- AWS - ECR Persistence
- AWS - ECS Persistence
- AWS - Elastic Beanstalk Persistence
- AWS - EFS Persistence
- AWS - IAM Persistence
- AWS - KMS Persistence
- AWS - Lambda Persistence
- AWS - Abusing Lambda Extensions
- AWS - Lambda Alias Version Policy Backdoor
- AWS - Lambda Async Self Loop Persistence
- AWS - Lambda Layers Persistence
- AWS - Lambda Exec Wrapper Persistence
- AWS - Lightsail Persistence
- AWS - RDS Persistence
- AWS - S3 Persistence
- AWS - SageMaker Persistence
- AWS - SNS Persistence
- AWS - Secrets Manager Persistence
- AWS - SQS Persistence
- AWS - SQS DLQ Backdoor Persistence via RedrivePolicy/RedriveAllowPolicy
- AWS - SQS OrgID Policy Backdoor
- AWS - SSM Persistence
- AWS - Step Functions Persistence
- AWS - STS Persistence
- AWS - Post Exploitation
- AWS - API Gateway Post Exploitation
- AWS - Bedrock Post Exploitation
- AWS - CloudFront Post Exploitation
- AWS - CodeBuild Post Exploitation
- AWS Codebuild - Token Leakage
- AWS - Control Tower Post Exploitation
- AWS - DLM Post Exploitation
- AWS - DynamoDB Post Exploitation
- AWS - EC2, EBS, SSM & VPC Post Exploitation
- AWS - EBS Snapshot Dump
- AWS - Covert Disk Exfiltration via AMI Store-to-S3 (CreateStoreImageTask)
- AWS - Live Data Theft via EBS Multi-Attach
- AWS - EC2 Instance Connect Endpoint backdoor + ephemeral SSH key injection
- AWS - EC2 ENI Secondary Private IP Hijack (Trust/Allowlist Bypass)
- AWS - Elastic IP Hijack for Ingress/Egress IP Impersonation
- AWS - Security Group Backdoor via Managed Prefix Lists
- AWS - Egress Bypass from Isolated Subnets via VPC Endpoints
- AWS - VPC Flow Logs Cross-Account Exfiltration to S3
- AWS - Malicious VPC Mirror
- AWS - ECR Post Exploitation
- AWS - ECS Post Exploitation
- AWS - EFS Post Exploitation
- AWS - EKS Post Exploitation
- AWS - Elastic Beanstalk Post Exploitation
- AWS - IAM Post Exploitation
- AWS - KMS Post Exploitation
- AWS - Lambda Post Exploitation
- AWS - Lambda EFS Mount Injection
- AWS - Lambda Event Source Mapping Hijack
- AWS - Lambda Function URL Public Exposure
- AWS - Lambda LoggingConfig Redirection
- AWS - Lambda Runtime Pinning Abuse
- AWS - Lambda Steal Requests
- AWS - Lambda VPC Egress Bypass
- AWS - Lightsail Post Exploitation
- AWS - MWAA Post Exploitation
- AWS - Organizations Post Exploitation
- AWS - RDS Post Exploitation
- AWS - SageMaker Post-Exploitation
- Feature Store Poisoning
- AWS - S3 Post Exploitation
- AWS - Secrets Manager Post Exploitation
- AWS - SES Post Exploitation
- AWS - SNS Post Exploitation
- AWS - SNS Message Data Protection Bypass via Policy Downgrade
- AWS - SNS FIFO Archive Replay Exfiltration via Attacker SQS FIFO Subscription
- AWS - SNS to Kinesis Firehose Exfiltration (Fanout to S3)
- AWS - SQS Post Exploitation
- AWS - SQS DLQ Redrive Exfiltration via StartMessageMoveTask
- AWS - SQS Cross-/Same-Account Injection via SNS Subscription + Queue Policy
- AWS - SSO & identitystore Post Exploitation
- AWS - Step Functions Post Exploitation
- AWS - STS Post Exploitation
- AWS - VPN Post Exploitation
- AWS - Privilege Escalation
- AWS - Apigateway Privesc
- AWS - AppRunner Privesc
- AWS - Chime Privesc
- AWS - CloudFront Privesc
- AWS - Codebuild Privesc
- AWS - Codepipeline Privesc
- AWS - Codestar Privesc
- codestar:CreateProject, codestar:AssociateTeamMember
- iam:PassRole, codestar:CreateProject
- AWS - Cloudformation Privesc
- iam:PassRole, cloudformation:CreateStack, and cloudformation:DescribeStacks
- AWS - Cognito Privesc
- AWS - Datapipeline Privesc
- AWS - Directory Services Privesc
- AWS - DynamoDB Privesc
- AWS - EBS Privesc
- AWS - EC2 Privesc
- AWS - ECR Privesc
- AWS - ECS Privesc
- AWS - EFS Privesc
- AWS - Elastic Beanstalk Privesc
- AWS - EMR Privesc
- AWS - EventBridge Scheduler Privesc
- AWS - GameLift Privesc
- AWS - Glue Privesc
- AWS - IAM Privesc
- AWS - KMS Privesc
- AWS - Lambda Privesc
- AWS - Lightsail Privesc
- AWS - Macie Privesc
- AWS - Mediapackage Privesc
- AWS - MQ Privesc
- AWS - MSK Privesc
- AWS - RDS Privesc
- AWS - Redshift Privesc
- AWS - Route53 Privesc
- AWS - SNS Privesc
- AWS - SQS Privesc
- AWS - SSO & identitystore Privesc
- AWS - Organizations Privesc
- AWS - S3 Privesc
- AWS - Sagemaker Privesc
- AWS - Secrets Manager Privesc
- AWS - SSM Privesc
- AWS - Step Functions Privesc
- AWS - STS Privesc
- AWS - WorkDocs Privesc
- AWS - Services
- AWS - Security & Detection Services
- AWS - CloudTrail Enum
- AWS - CloudWatch Enum
- AWS - Config Enum
- AWS - Control Tower Enum
- AWS - Cost Explorer Enum
- AWS - Detective Enum
- AWS - Firewall Manager Enum
- AWS - GuardDuty Enum
- AWS - Inspector Enum
- AWS - Security Hub Enum
- AWS - Shield Enum
- AWS - Trusted Advisor Enum
- AWS - WAF Enum
- AWS - API Gateway Enum
- AWS - Bedrock Enum
- AWS - Certificate Manager (ACM) & Private Certificate Authority (PCA)
- AWS - CloudFormation & Codestar Enum
- AWS - CloudHSM Enum
- AWS - CloudFront Enum
- AWS - Codebuild Enum
- AWS - Cognito Enum
- Cognito Identity Pools
- Cognito User Pools
- AWS - DataPipeline, CodePipeline & CodeCommit Enum
- AWS - Directory Services / WorkDocs Enum
- AWS - DocumentDB Enum
- AWS - DynamoDB Enum
- AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum
- AWS - Nitro Enum
- AWS - VPC & Networking Basic Information
- AWS - ECR Enum
- AWS - ECS Enum
- AWS - EKS Enum
- AWS - Elastic Beanstalk Enum
- AWS - ElastiCache
- AWS - EMR Enum
- AWS - EFS Enum
- AWS - EventBridge Scheduler Enum
- AWS - Kinesis Data Firehose Enum
- AWS - IAM, Identity Center & SSO Enum
- AWS - KMS Enum
- AWS - Lambda Enum
- AWS - Lightsail Enum
- AWS - Macie Enum
- AWS - MQ Enum
- AWS - MSK Enum
- AWS - Organizations Enum
- AWS - Redshift Enum
- AWS - Relational Database (RDS) Enum
- AWS - Route53 Enum
- AWS - SageMaker Enum
- AWS - Secrets Manager Enum
- AWS - SES Enum
- AWS - SNS Enum
- AWS - SQS Enum
- AWS - S3, Athena & Glacier Enum
- AWS - Step Functions Enum
- AWS - STS Enum
- AWS - Other Services Enum
- AWS - Unauthenticated Enum & Access
- AWS - Accounts Unauthenticated Enum
- AWS - API Gateway Unauthenticated Enum
- AWS - Cloudfront Unauthenticated Enum
- AWS - Cognito Unauthenticated Enum
- AWS - CodeBuild Unauthenticated Access
- AWS - DocumentDB Unauthenticated Enum
- AWS - DynamoDB Unauthenticated Access
- AWS - EC2 Unauthenticated Enum
- AWS - ECR Unauthenticated Enum
- AWS - ECS Unauthenticated Enum
- AWS - Elastic Beanstalk Unauthenticated Enum
- AWS - Elasticsearch Unauthenticated Enum
- AWS - IAM & STS Unauthenticated Enum
- AWS - Identity Center & SSO Unauthenticated Enum
- AWS - IoT Unauthenticated Enum
- AWS - Kinesis Video Unauthenticated Enum
- AWS - Lambda Unauthenticated Access
- AWS - Media Unauthenticated Enum
- AWS - MQ Unauthenticated Enum
- AWS - MSK Unauthenticated Enum
- AWS - RDS Unauthenticated Enum
- AWS - Redshift Unauthenticated Enum
- AWS - SageMaker Unauthenticated Enum
- AWS - SQS Unauthenticated Enum
- AWS - SNS Unauthenticated Enum
- AWS - S3 Unauthenticated Enum
- Azure Pentesting
- Az - Basic Information
- Az - Federation Abuse
- Az - Tokens & Public Applications
- Az - Enumeration Tools
- Az - Unauthenticated Enum & Initial Entry
- Az - Container Registry Unauth
- Az - OAuth Apps Phishing
- Az - Storage Unauth
- Az - VMs Unauth
- Az - Device Code Authentication Phishing
- Az - Password Spraying
- Az - Services
- Az - Entra ID (AzureAD) & Azure IAM
- Az - ACR
- Az - Application Proxy
- Az - ARM Templates / Deployments
- Az - Automation Accounts
- Az - Azure App Services
- Az - Cloud Shell
- Az - Container Registry
- Az - Container Instances, Apps & Jobs
- Az - CosmosDB
- Az - Defender
- Az - File Shares
- Az - Front Door
- Az - Function Apps
- Az - Intune
- Az - Key Vault
- Az - Logic Apps
- Az - Management Groups, Subscriptions & Resource Groups
- Az - Misc
- Az - Monitoring
- Az - MySQL
- Az - PostgreSQL
- Az - Queue Storage
- Az - Sentinel
- Az - Service Bus
- Az - SQL
- Az - Static Web Applications
- Az - Storage Accounts & Blobs
- Az - Table Storage
- Az - Virtual Desktop
- Az - Virtual Machines & Network
- Az - Azure Network
- Az - Permissions for a Pentest
- Az - Lateral Movement (Cloud - On-Prem)
- Az - Arc vulnerable GPO Deploy Script
- Az - Cloud Kerberos Trust
- Az - Cloud Sync
- Az - Connect Sync
- Az - Domain Services
- Az - Federation
- Az - Hybrid Identity Misc Attacks
- Az - Local Cloud Credentials
- Az - Pass the Certificate
- Az - Pass the Cookie
- Az - Primary Refresh Token (PRT)
- Az - PTA - Pass-through Authentication
- Az - Seamless SSO
- Az - Post Exploitation
- Az - Azure AI Foundry Post Exploitation
- Az - Blob Storage Post Exploitation
- Az - CosmosDB Post Exploitation
- Az - File Share Post Exploitation
- Az - Function Apps Post Exploitation
- Az - Key Vault Post Exploitation
- Az - Logic Apps Post Exploitation
- Az - MySQL Post Exploitation
- Az - PostgreSQL Post Exploitation
- Az - Queue Storage Post Exploitation
- Az - Service Bus Post Exploitation
- Az - Table Storage Post Exploitation
- Az - SQL Post Exploitation
- Az - Virtual Desktop Post Exploitation
- Az - VMs & Network Post Exploitation
- Az - Privilege Escalation
- Az - Azure IAM Privesc (Authorization)
- Az - App Services Privesc
- Az - Automation Accounts Privesc
- Az - Container Registry Privesc
- Az - Container Instances, Apps & Jobs Privesc
- Az - CosmosDB Privesc
- Az - EntraID Privesc
- Az - Conditional Access Policies & MFA Bypass
- Az - Dynamic Groups Privesc
- Az - Functions App Privesc
- Az - Key Vault Privesc
- Az - Logic Apps Privesc
- Az - MySQL Privesc
- Az - PostgreSQL Privesc
- Az - Queue Storage Privesc
- Az - Service Bus Privesc
- Az - Static Web App Privesc
- Az - Storage Privesc
- Az - SQL Privesc
- Az - Virtual Desktop Privesc
- Az - Virtual Machines & Network Privesc
- Az - Persistence
- Az - Automation Accounts Persistence
- Az - Cloud Shell Persistence
- Az - Logic Apps Persistence
- Az - SQL Persistence
- Az - Queue Storage Persistence
- Az - VMs Persistence
- Az - Storage Persistence
- Az - Device Registration
- Digital Ocean Pentesting
- DO - Basic Information
- DO - Permissions for a Pentest
- DO - Services
- DO - Apps
- DO - Container Registry
- DO - Databases
- DO - Droplets
- DO - Functions
- DO - Images
- DO - Kubernetes (DOKS)
- DO - Networking
- DO - Projects
- DO - Spaces
- DO - Volumes
- IBM Cloud Pentesting
- IBM - Hyper Protect Crypto Services
- IBM - Hyper Protect Virtual Server
- IBM - Basic Information
- OpenShift Pentesting
- OpenShift - Basic Information
- OpenShift - SCC
- OpenShift - Jenkins
- OpenShift - Jenkins Build Pod Override
- OpenShift - Privilege Escalation
- OpenShift - Missing Service Account
- OpenShift - Tekton
- OpenShift - SCC bypass
- 🛫 Pentesting Network Services
- HackTricks Pentesting Network (https://book.hacktricks.wiki/en/generic-methodologies-and-resources/pentesting-network/index.html)
- HackTricks Pentesting Services (https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-ssh.html)