2. 👽 Welcome!
  3. HackTricks Cloud
  4. About the Author$$external:https://book.hacktricks.xyz/welcome/about-the-author$$
  5. HackTricks Values & faq$$external:https://book.hacktricks.xyz/welcome/hacktricks-values-and-faq$$
  7. 🏭 Pentesting CI/CD
  8. Pentesting CI/CD Methodology
  9. Github Security
    1. Abusing Github Actions
      1. Gh Actions - Artifact Poisoning
      2. GH Actions - Cache Poisoning
      3. Gh Actions - Context Script Injections
    3. Accessible Deleted Data in Github
    4. Basic Github Information
  11. Gitea Security
    1. Basic Gitea Information
  13. Concourse Security
    1. Concourse Architecture
    2. Concourse Lab Creation
    3. Concourse Enumeration & Attacks
  15. CircleCI Security
  16. TravisCI Security
    1. Basic TravisCI Information
  18. Jenkins Security
    1. Basic Jenkins Information
    2. Jenkins RCE with Groovy Script
    3. Jenkins RCE Creating/Modifying Project
    4. Jenkins RCE Creating/Modifying Pipeline
    5. Jenkins Arbitrary File Read to RCE via "Remember Me"
    6. Jenkins Dumping Secrets from Groovy
  20. Apache Airflow Security
    1. Airflow Configuration
    2. Airflow RBAC
  22. Terraform Security
  23. Atlantis Security
  24. Cloudflare Security
    1. Cloudflare Domains
    2. Cloudflare Zero Trust Network
  26. Okta Security
    1. Okta Hardening
  28. Serverless.com Security
  29. Supabase Security
  30. Ansible Tower / AWX / Automation controller Security
  31. Vercel Security
  32. TODO
  34. ⛈️ Pentesting Cloud
  35. Pentesting Cloud Methodology
  36. Kubernetes Pentesting
    1. Kubernetes Basics
    2. Pentesting Kubernetes Services
      1. Kubelet Authentication & Authorization
    4. Exposing Services in Kubernetes
    5. Attacking Kubernetes from inside a Pod
    6. Kubernetes Enumeration
    7. Kubernetes Role-Based Access Control(RBAC)
    8. Abusing Roles/ClusterRoles in Kubernetes
      1. Pod Escape Privileges
      2. Kubernetes Roles Abuse Lab
    10. Kubernetes Namespace Escalation
    11. Kubernetes External Secret Operator
    12. Kubernetes Pivoting to Clouds
    13. Kubernetes Network Attacks
    14. Kubernetes Hardening
      1. Kubernetes SecurityContext(s)
    16. Kubernetes OPA Gatekeeper
      1. Kubernetes OPA Gatekeeper bypass
    18. Kubernetes Kyverno
      1. Kubernetes Kyverno bypass
    20. Kubernetes ValidatingWebhookConfiguration
  38. GCP Pentesting
    1. GCP - Basic Information
      1. GCP - Federation Abuse
    3. GCP - Permissions for a Pentest
    4. GCP - Post Exploitation
      1. GCP - App Engine Post Exploitation
      2. GCP - Artifact Registry Post Exploitation
      3. GCP - Cloud Build Post Exploitation
      4. GCP - Cloud Functions Post Exploitation
      5. GCP - Cloud Run Post Exploitation
      6. GCP - Cloud Shell Post Exploitation
      7. GCP - Cloud SQL Post Exploitation
      8. GCP - Compute Post Exploitation
      9. GCP - Filestore Post Exploitation
      10. GCP - IAM Post Exploitation
      11. GCP - KMS Post Exploitation
      12. GCP - Logging Post Exploitation
      13. GCP - Monitoring Post Exploitation
      14. GCP - Pub/Sub Post Exploitation
      15. GCP - Secretmanager Post Exploitation
      16. GCP - Security Post Exploitation
      17. GCP - Workflows Post Exploitation
      18. GCP - Storage Post Exploitation
    6. GCP - Privilege Escalation
      1. GCP - Apikeys Privesc
      2. GCP - AppEngine Privesc
      3. GCP - Artifact Registry Privesc
      4. GCP - Batch Privesc
      5. GCP - BigQuery Privesc
      6. GCP - ClientAuthConfig Privesc
      7. GCP - Cloudbuild Privesc
      8. GCP - Cloudfunctions Privesc
      9. GCP - Cloudidentity Privesc
      10. GCP - Cloud Scheduler Privesc
      11. GCP - Compute Privesc
        1. GCP - Add Custom SSH Metadata
      13. GCP - Composer Privesc
      14. GCP - Container Privesc
      15. GCP - Deploymentmaneger Privesc
      16. GCP - IAM Privesc
      17. GCP - KMS Privesc
      18. GCP - Orgpolicy Privesc
      19. GCP - Pubsub Privesc
      20. GCP - Resourcemanager Privesc
      21. GCP - Run Privesc
      22. GCP - Secretmanager Privesc
      23. GCP - Serviceusage Privesc
      24. GCP - Sourcerepos Privesc
      25. GCP - Storage Privesc
      26. GCP - Workflows Privesc
      27. GCP - Generic Permissions Privesc
      28. GCP - Network Docker Escape
      29. GCP - local privilege escalation ssh pivoting
    8. GCP - Persistence
      1. GCP - API Keys Persistence
      2. GCP - App Engine Persistence
      3. GCP - Artifact Registry Persistence
      4. GCP - BigQuery Persistence
      5. GCP - Cloud Functions Persistence
      6. GCP - Cloud Run Persistence
      7. GCP - Cloud Shell Persistence
      8. GCP - Cloud SQL Persistence
      9. GCP - Compute Persistence
      10. GCP - Dataflow Persistence
      11. GCP - Filestore Persistence
      12. GCP - Logging Persistence
      13. GCP - Secret Manager Persistence
      14. GCP - Storage Persistence
      15. GCP - Token Persistance
    10. GCP - Services
      1. GCP - AI Platform Enum
      2. GCP - API Keys Enum
      3. GCP - App Engine Enum
      4. GCP - Artifact Registry Enum
      5. GCP - Batch Enum
      6. GCP - Bigquery Enum
      7. GCP - Bigtable Enum
      8. GCP - Cloud Build Enum
      9. GCP - Cloud Functions Enum
      10. GCP - Cloud Run Enum
      11. GCP - Cloud Shell Enum
      12. GCP - Cloud SQL Enum
      13. GCP - Cloud Scheduler Enum
      14. GCP - Compute Enum
        1. GCP - Compute Instances
        2. GCP - VPC & Networking
      16. GCP - Composer Enum
      17. GCP - Containers & GKE Enum
      18. GCP - DNS Enum
      19. GCP - Filestore Enum
      20. GCP - Firebase Enum
      21. GCP - Firestore Enum
      22. GCP - IAM, Principals & Org Policies Enum
      23. GCP - KMS Enum
      24. GCP - Logging Enum
      25. GCP - Memorystore Enum
      26. GCP - Monitoring Enum
      27. GCP - Pub/Sub Enum
      28. GCP - Secrets Manager Enum
      29. GCP - Security Enum
      30. GCP - Source Repositories Enum
      31. GCP - Spanner Enum
      32. GCP - Stackdriver Enum
      33. GCP - Storage Enum
      34. GCP - Workflows Enum
    12. GCP <--> Workspace Pivoting
      1. GCP - Understanding Domain-Wide Delegation
    14. GCP - Unauthenticated Enum & Access
      1. GCP - API Keys Unauthenticated Enum
      2. GCP - App Engine Unauthenticated Enum
      3. GCP - Artifact Registry Unauthenticated Enum
      4. GCP - Cloud Build Unauthenticated Enum
      5. GCP - Cloud Functions Unauthenticated Enum
      6. GCP - Cloud Run Unauthenticated Enum
      7. GCP - Cloud SQL Unauthenticated Enum
      8. GCP - Compute Unauthenticated Enum
      9. GCP - IAM, Principals & Org Unauthenticated Enum
      10. GCP - Source Repositories Unauthenticated Enum
      11. GCP - Storage Unauthenticated Enum
        1. GCP - Public Buckets Privilege Escalation
  40. GWS - Workspace Pentesting
    1. GWS - Post Exploitation
    2. GWS - Persistence
    3. GWS - Workspace Sync Attacks (GCPW, GCDS, GPS, Directory Sync with AD & EntraID)
      1. GWS - Admin Directory Sync
      2. GCDS - Google Cloud Directory Sync
      3. GCPW - Google Credential Provider for Windows
      4. GPS - Google Password Sync
    5. GWS - Google Platforms Phishing
      1. GWS - App Scripts
  42. AWS Pentesting
    1. AWS - Basic Information
      1. AWS - Federation Abuse
    3. AWS - Permissions for a Pentest
    4. AWS - Persistence
      1. AWS - API Gateway Persistence
      2. AWS - Cognito Persistence
      3. AWS - DynamoDB Persistence
      4. AWS - EC2 Persistence
      5. AWS - ECR Persistence
      6. AWS - ECS Persistence
      7. AWS - Elastic Beanstalk Persistence
      8. AWS - EFS Persistence
      9. AWS - IAM Persistence
      10. AWS - KMS Persistence
      11. AWS - Lambda Persistence
        1. AWS - Abusing Lambda Extensions
        2. AWS - Lambda Layers Persistence
      13. AWS - Lightsail Persistence
      14. AWS - RDS Persistence
      15. AWS - S3 Persistence
      16. AWS - SNS Persistence
      17. AWS - Secrets Manager Persistence
      18. AWS - SQS Persistence
      19. AWS - SSM Perssitence
      20. AWS - Step Functions Persistence
      21. AWS - STS Persistence
    6. AWS - Post Exploitation
      1. AWS - API Gateway Post Exploitation
      2. AWS - CloudFront Post Exploitation
      3. AWS - CodeBuild Post Exploitation
        1. AWS Codebuild - Token Leakage
      5. AWS - Control Tower Post Exploitation
      6. AWS - DLM Post Exploitation
      7. AWS - DynamoDB Post Exploitation
      8. AWS - EC2, EBS, SSM & VPC Post Exploitation
        1. AWS - EBS Snapshot Dump
        2. AWS - Malicious VPC Mirror
      10. AWS - ECR Post Exploitation
      11. AWS - ECS Post Exploitation
      12. AWS - EFS Post Exploitation
      13. AWS - EKS Post Exploitation
      14. AWS - Elastic Beanstalk Post Exploitation
      15. AWS - IAM Post Exploitation
      16. AWS - KMS Post Exploitation
      17. AWS - Lambda Post Exploitation
        1. AWS - Steal Lambda Requests
      19. AWS - Lightsail Post Exploitation
      20. AWS - Organizations Post Exploitation
      21. AWS - RDS Post Exploitation
      22. AWS - S3 Post Exploitation
      23. AWS - Secrets Manager Post Exploitation
      24. AWS - SES Post Exploitation
      25. AWS - SNS Post Exploitation
      26. AWS - SQS Post Exploitation
      27. AWS - SSO & identitystore Post Exploitation
      28. AWS - Step Functions Post Exploitation
      29. AWS - STS Post Exploitation
      30. AWS - VPN Post Exploitation
    8. AWS - Privilege Escalation
      1. AWS - Apigateway Privesc
      2. AWS - Chime Privesc
      3. AWS - Codebuild Privesc
      4. AWS - Codepipeline Privesc
      5. AWS - Codestar Privesc
        1. codestar:CreateProject, codestar:AssociateTeamMember
        2. iam:PassRole, codestar:CreateProject
      7. AWS - Cloudformation Privesc
        1. iam:PassRole, cloudformation:CreateStack,and cloudformation:DescribeStacks
      9. AWS - Cognito Privesc
      10. AWS - Datapipeline Privesc
      11. AWS - Directory Services Privesc
      12. AWS - DynamoDB Privesc
      13. AWS - EBS Privesc
      14. AWS - EC2 Privesc
      15. AWS - ECR Privesc
      16. AWS - ECS Privesc
      17. AWS - EFS Privesc
      18. AWS - Elastic Beanstalk Privesc
      19. AWS - EMR Privesc
      20. AWS - EventBridge Scheduler Privesc
      21. AWS - Gamelift
      22. AWS - Glue Privesc
      23. AWS - IAM Privesc
      24. AWS - KMS Privesc
      25. AWS - Lambda Privesc
      26. AWS - Lightsail Privesc
      27. AWS - Mediapackage Privesc
      28. AWS - MQ Privesc
      29. AWS - MSK Privesc
      30. AWS - RDS Privesc
      31. AWS - Redshift Privesc
      32. AWS - Route53 Privesc
      33. AWS - SNS Privesc
      34. AWS - SQS Privesc
      35. AWS - SSO & identitystore Privesc
      36. AWS - Organizations Privesc
      37. AWS - S3 Privesc
      38. AWS - Sagemaker Privesc
      39. AWS - Secrets Manager Privesc
      40. AWS - SSM Privesc
      41. AWS - Step Functions Privesc
      42. AWS - STS Privesc
      43. AWS - WorkDocs Privesc
    10. AWS - Services
      1. AWS - Security & Detection Services
        1. AWS - CloudTrail Enum
        2. AWS - CloudWatch Enum
        3. AWS - Config Enum
        4. AWS - Control Tower Enum
        5. AWS - Cost Explorer Enum
        6. AWS - Detective Enum
        7. AWS - Firewall Manager Enum
        8. AWS - GuardDuty Enum
        9. AWS - Inspector Enum
        10. AWS - Macie Enum
        11. AWS - Security Hub Enum
        12. AWS - Shield Enum
        13. AWS - Trusted Advisor Enum
        14. AWS - WAF Enum
      3. AWS - API Gateway Enum
      4. AWS - Certificate Manager (ACM) & Private Certificate Authority (PCA)
      5. AWS - CloudFormation & Codestar Enum
      6. AWS - CloudHSM Enum
      7. AWS - CloudFront Enum
      8. AWS - Codebuild Enum
      9. AWS - Cognito Enum
        1. Cognito Identity Pools
        2. Cognito User Pools
      11. AWS - DataPipeline, CodePipeline & CodeCommit Enum
      12. AWS - Directory Services / WorkDocs Enum
      13. AWS - DocumentDB Enum
      14. AWS - DynamoDB Enum
      15. AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum
        1. AWS - Nitro Enum
        2. AWS - VPC & Networking Basic Information
      17. AWS - ECR Enum
      18. AWS - ECS Enum
      19. AWS - EKS Enum
      20. AWS - Elastic Beanstalk Enum
      21. AWS - ElastiCache
      22. AWS - EMR Enum
      23. AWS - EFS Enum
      24. AWS - EventBridge Scheduler Enum
      25. AWS - Kinesis Data Firehose Enum
      26. AWS - IAM, Identity Center & SSO Enum
      27. AWS - KMS Enum
      28. AWS - Lambda Enum
      29. AWS - Lightsail Enum
      30. AWS - MQ Enum
      31. AWS - MSK Enum
      32. AWS - Organizations Enum
      33. AWS - Redshift Enum
      34. AWS - Relational Database (RDS) Enum
      35. AWS - Route53 Enum
      36. AWS - Secrets Manager Enum
      37. AWS - SES Enum
      38. AWS - SNS Enum
      39. AWS - SQS Enum
      40. AWS - S3, Athena & Glacier Enum
      41. AWS - Step Functions Enum
      42. AWS - STS Enum
      43. AWS - Other Services Enum
    12. AWS - Unauthenticated Enum & Access
      1. AWS - Accounts Unauthenticated Enum
      2. AWS - API Gateway Unauthenticated Enum
      3. AWS - Cloudfront Unauthenticated Enum
      4. AWS - Cognito Unauthenticated Enum
      5. AWS - CodeBuild Unauthenticated Access
      6. AWS - DocumentDB Unauthenticated Enum
      7. AWS - DynamoDB Unauthenticated Access
      8. AWS - EC2 Unauthenticated Enum
      9. AWS - ECR Unauthenticated Enum
      10. AWS - ECS Unauthenticated Enum
      11. AWS - Elastic Beanstalk Unauthenticated Enum
      12. AWS - Elasticsearch Unauthenticated Enum
      13. AWS - IAM & STS Unauthenticated Enum
      14. AWS - Identity Center & SSO Unauthenticated Enum
      15. AWS - IoT Unauthenticated Enum
      16. AWS - Kinesis Video Unauthenticated Enum
      17. AWS - Lambda Unauthenticated Access
      18. AWS - Media Unauthenticated Enum
      19. AWS - MQ Unauthenticated Enum
      20. AWS - MSK Unauthenticated Enum
      21. AWS - RDS Unauthenticated Enum
      22. AWS - Redshift Unauthenticated Enum
      23. AWS - SQS Unauthenticated Enum
      24. AWS - SNS Unauthenticated Enum
      25. AWS - S3 Unauthenticated Enum
  44. Azure Pentesting
    1. Az - Basic Information
      1. Az - Tokens & Public Applications
    3. Az - Enumeration Tools
    4. Az - Unauthenticated Enum & Initial Entry
      1. Az - OAuth Apps Phishing
      2. Az - VMs Unath
      3. Az - Device Code Authentication Phishing
      4. Az - Password Spraying
    6. Az - Services
      1. Az - Entra ID (AzureAD) & Azure IAM
      2. Az - ACR
      3. Az - Application Proxy
      4. Az - ARM Templates / Deployments
      5. Az - Automation Account
        1. Az - State Configuration RCE
      7. Az - Azure App Services
      8. Az - Intune
      9. Az - File Shares
      10. Az - Function Apps
      11. Az - Key Vault
      12. Az - Logic Apps
      13. Az - Management Groups, Subscriptions & Resource Groups
      14. Az - Queue Storage
      15. Az - Service Bus
      16. Az - SQL
      17. Az - Static Web Applications
      18. Az - Storage Accounts & Blobs
      19. Az - Table Storage
      20. Az - Virtual Machines & Network
        1. Az - Azure Network
    8. Az - Permissions for a Pentest
    9. Az - Lateral Movement (Cloud - On-Prem)
      1. Az AD Connect - Hybrid Identity
        1. Az- Synchronising New Users
        2. Az - Default Applications
        3. Az - Cloud Kerberos Trust
        4. Az - Federation
        5. Az - PHS - Password Hash Sync
        6. Az - PTA - Pass-through Authentication
        7. Az - Seamless SSO
        8. Az - Arc vulnerable GPO Deploy Script
      3. Az - Local Cloud Credentials
      4. Az - Pass the Cookie
      5. Az - Pass the Certificate
      6. Az - Pass the PRT
      7. Az - Phishing Primary Refresh Token (Microsoft Entra)
      8. Az - Processes Memory Access Token
      9. Az - Primary Refresh Token (PRT)
    11. Az - Post Exploitation
      1. Az - Blob Storage Post Exploitation
      2. Az - File Share Post Exploitation
      3. Az - Function Apps Post Exploitation
      4. Az - Key Vault Post Exploitation
      5. Az - Queue Storage Post Exploitation
      6. Az - Service Bus Post Exploitation
      7. Az - Table Storage Post Exploitation
      8. Az - SQL Post Exploitation
      9. Az - VMs & Network Post Exploitation
    13. Az - Privilege Escalation
      1. Az - Azure IAM Privesc (Authorization)
      2. Az - App Services Privesc
      3. Az - EntraID Privesc
        1. Az - Conditional Access Policies & MFA Bypass
        2. Az - Dynamic Groups Privesc
      5. Az - Functions App Privesc
      6. Az - Key Vault Privesc
      7. Az - Queue Storage Privesc
      8. Az - Service Bus Privesc
      9. Az - Virtual Machines & Network Privesc
      10. Az - Static Web App Privesc
      11. Az - Storage Privesc
      12. Az - SQL Privesc
    15. Az - Persistence
      1. Az - Queue Storage Persistence
      2. Az - VMs Persistence
      3. Az - Storage Persistence
    17. Az - Device Registration
  46. Digital Ocean Pentesting
    1. DO - Basic Information
    2. DO - Permissions for a Pentest
    3. DO - Services
      1. DO - Apps
      2. DO - Container Registry
      3. DO - Databases
      4. DO - Droplets
      5. DO - Functions
      6. DO - Images
      7. DO - Kubernetes (DOKS)
      8. DO - Networking
      9. DO - Projects
      10. DO - Spaces
      11. DO - Volumes
  48. IBM Cloud Pentesting
    1. IBM - Hyper Protect Crypto Services
    2. IBM - Hyper Protect Virtual Server
    3. IBM - Basic Information
  50. OpenShift Pentesting
    1. OpenShift - Basic information
    2. Openshift - SCC
    3. OpenShift - Jenkins
      1. OpenShift - Jenkins Build Pod Override
    5. OpenShift - Privilege Escalation
      1. OpenShift - Missing Service Account
      2. OpenShift - Tekton
      3. OpenShift - SCC bypass
  53. 🛫 Pentesting Network Services
  54. HackTricks Pentesting Network$$external:https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network$$
  55. HackTricks Pentesting Services$$external:https://book.hacktricks.xyz/network-services-pentesting/pentesting-ssh$$