Cloud Penetration Testing

Fail

Audited by Socket on Mar 4, 2026

12 alerts found:

Malware x7, Obfuscated File x4, Anomaly

Malware HIGH
sub-skills/phase-8-aws-exploitation.md

This snippet is an explicit offensive guide for harvesting AWS secrets and discovering publicly shared resources. It demonstrates high-risk techniques (RDS public snapshot discovery, Lambda secret extraction, IMDS credential theft) that, if run by an unauthorized party, would enable data exfiltration and lateral movement. Treat this artifact as malicious in intent unless clear authorized use is documented; remediate victim-side risks by enforcing least privilege, avoiding plaintext secrets in env vars (use Secrets Manager/KMS), disabling public snapshot sharing, requiring IMDSv2 with metadata hop limits, and monitoring metadata and CLI usage for suspicious activity.

Confidence: 75%, Severity: 90%

Obfuscated File HIGH
sub-skills/example-3-gcp-service-account-compromise.md

This fragment is an explicit operational playbook for abusing a compromised GCP service account to enumerate resources, retrieve SSH keys from metadata, and obtain interactive access to VMs. It is high-risk from an operational-security perspective because it provides actionable steps for lateral movement and data access. Remediation: assume compromise if a key like compromised-sa.json exists, rotate/revoke keys, audit IAM roles and metadata for unauthorized SSH keys, enable least privilege and short-lived credentials, and monitor relevant audit logs.

Confidence: 98%

Malware HIGH
sub-skills/phase-2-azure-authentication.md

The code snippet demonstrates post-compromise or credential-theft tooling patterns: importing a file explicitly labeled as stolen, capturing credentials, and persisting authentication contexts to disk. Each command is individually legitimate for administrators, but the naming, sequence, and persistence to C:\Temp indicate likely malicious reuse of stolen tokens and establishing persistent Azure access. Do not run these commands; assume compromise of referenced artifacts and take incident response actions (rotate credentials, revoke sessions, delete persisted context files, and audit access).

Confidence: 75%, Severity: 95%

Malware HIGH
sub-skills/phase-11-gcp-exploitation.md

This code fragment is a malicious reconnaissance and credential-harvesting checklist targeting Google Cloud environments. If executed by an unauthorized actor on a VM, container, or CI runner with network access to the metadata service and/or filesystem access to user config, it will very likely lead to credential compromise, decryption of protected secrets (if KMS permissions exist), and enumeration of serverless functions/logs that commonly contain sensitive data. Treat any system where these commands succeed as fully compromised for GCP resource access and perform incident response (rotate credentials, revoke tokens, audit KMS key IAM, and investigate lateral movement).

Confidence: 90%, Severity: 95%

Anomaly LOW
sub-skills/example-2-aws-s3-bucket-enumeration.md

This script is a dual-use reconnaissance and data-collection tool. It contains no obfuscated code, embedded credentials, or explicit remote-control/backdoor behavior, but its actions (enumerating reachable S3 buckets, probing their contents, and downloading a named bucket into a local 'loot' directory) are consistent with unauthorized discovery and exfiltration. The security impact depends on the AWS credentials available at runtime. Recommend: treat as potentially dangerous in untrusted contexts, add safeguards (confirmation prompts, credential scoping, logging, rate limits), and do not run on systems with broad privileges unless authorized.

Confidence: 75%, Severity: 60%

Malware HIGH
sub-skills/phase-4-azure-exploitation.md

This code fragment is explicitly malicious in intent (credential harvesting, privilege escalation on Key Vault, and remote code execution on VMs). It performs discovery of potentially sensitive fields, actively modifies Key Vault access policies to enable secret retrieval, retrieves secret values, and executes arbitrary code on VMs. Do not run in a production environment. Audit access, revoke any unauthorized policy changes, rotate exposed secrets, and investigate the principal used to perform these actions.

Confidence: 90%, Severity: 90%

Malware HIGH
sub-skills/example-1-azure-password-spray.md

This snippet and the instructions constitute a toolchain to perform password-spraying attacks against Azure AD with IP rotation via FireProx. The commands demonstrate malicious operational behavior (automated credential stuffing and evasion). Do not execute these commands. Treat related code (MSOLSpray.ps1, fire.py) and repositories as potentially malicious or dual-use at minimum; if encountered in an organization, block deployment, rotate any exposed AWS credentials, and report to appropriate abuse channels or law enforcement as required.

Confidence: 85%, Severity: 95%

Obfuscated File HIGH
sub-skills/required-tools.md

The fragment is an installer sequence that relies on remote sources and package registries to provision cloud CLIs and dual-use security/offense tools. There is no embedded malicious payload in the static snippet itself, but it contains high-risk operational patterns: direct execution of remote scripts, lack of integrity checks, elevated installs, and installation of offensive tools. These patterns substantially increase supply-chain and local compromise risk if any upstream source is tampered with or if commands are run on hosts with sensitive credentials. Apply integrity verification, version pinning, manual review of packages, and isolation when running these commands.

Confidence: 98%

Malware HIGH
sub-skills/phase-5-azure-persistence.md

High-confidence malicious backdoor script: it creates a service principal, extracts its secret to plaintext, escalates the principal to Global Administrator, authenticates with it, and creates a persistent admin user. This establishes durable, high-privilege access to an Azure tenant and should be treated as a critical incident. Recommended actions: do not run the script; immediately investigate any instances where it executed; rotate/disable credentials; remove the created principal and any unauthorized users; audit tenant roles and sign-ins; check logs for related activity; and perform thorough remediation and forensics.

Confidence: 75%, Severity: 95%

Malware HIGH
sub-skills/phase-9-aws-persistence.md

This fragment contains a canonical post-compromise pattern: enumeration of account resources and creation of a persistent IAM access key. The commands themselves are legitimate aws-cli operations but used together they enable reconnaissance and long-lived unauthorized access if executed by an attacker. Investigate any execution of these commands, audit recent create-access-key events, rotate/revoke unexpected keys, and review regions.txt and whoever supplied the <username> target.

Confidence: 87%, Severity: 95%

Obfuscated File HIGH
SKILL.md

This manifest is a powerful, offensive cloud penetration testing skill intended for authorized security assessments. It legitimately includes credential harvesting vectors (metadata access), privilege escalation, and persistence techniques. The file fragment contains no explicit obfuscated or covert exfiltration code, but it presents a substantial misuse and supply-chain risk if executed autonomously or by an untrusted actor. Recommend: (1) Treat as high-risk for automation — require human-in-the-loop and documented authorization for each execution; (2) Audit every ./sub-skills/* file for external downloads, hard-coded hosts/credentials, and exfiltration commands before use; (3) Enforce least-privilege and scoped credentials for testing; (4) Block automated agents from running exploitation/persistence phases without explicit operator approval.

Confidence: 98%

Obfuscated File HIGH
sub-skills/phase-1-reconnaissance.md

This fragment is a concise reconnaissance checklist for enumerating Azure identity/tenant metadata and for enumerating cloud assets and IP-to-provider mappings. The visible commands are passive information-gathering steps and are not themselves exploitative, but they constitute high-risk reconnaissance activities that can facilitate targeted attacks. The main unknown and potential risk is the content of cloud_enum.py and ip2provider.py; those should be audited before use. If you lack authorization to scan the named targets, do not run these commands.

Confidence: 98%

Audit Metadata

Analyzed At: Mar 4, 2026, 02:09 PM
Package URL: pkg:socket/skills-sh/Dokhacgiakhoa%2Fantigravity-ide%2Fcloud-penetration-testing%2F@edf51fa7b85b9827b2e9f0c3e8bd53f17f229e01