AWS Penetration Testing

Fail

Audited by Socket on Feb 16, 2026

2 alerts found:

Malware: Security, HIGH
SKILL.md

[Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Instruction to copy/paste content into terminal detected (CI012) [AITech 9.1.4]

The code fragment reads as an offensive AWS pentesting playbook that prescribes credential harvesting, privilege escalation, and persistence including disabling CloudTrail. While potentially valuable in a tightly scoped, authorized red-team context, its public, unbounded presentation poses significant risk and is misaligned with safe supply-chain practices. Recommend restricting distribution, removing credential-exfiltration steps, and reframing as a defensible, tightly scoped engagement guide with clear authorization and safeguards.

LLM verification: This SKILL.md is an explicit offensive playbook for compromising AWS environments. It contains direct, actionable instructions to harvest credentials (IMDS and container endpoints), escalate privileges (create access keys, attach AdministratorAccess, add user to groups), modify Lambda code to persist or escalate, and exfiltrate S3/Lambda contents. As documentation it is coherent with its stated pentesting purpose, but the capability set is highly dangerous and readily abused. There is no safe-gu

Confidence: 95%, Severity: 90%

Security: MEDIUM
references/advanced-aws-pentesting.md

This document is a high-fidelity offensive AWS penetration testing reference that includes precise, actionable techniques to discover and exfiltrate AWS credentials and to persist via Lambda or container backdoors. It notably contains a concrete malicious Lambda code snippet that attaches AdministratorAccess — an explicit backdoor example. While not executable malware on its own, the guidance materially lowers the bar for attackers who already have some foothold (RCE, SSRF, or limited credentials). Treat this content as high-risk operational guidance: restrict access, audit usage, and do not execute these commands in production or without explicit authorization.

Confidence: 75%, Severity: 70%
Audit Metadata
Analyzed At
Feb 16, 2026, 10:31 AM
Package URL
pkg:socket/skills-sh/jpropato%2Fsiba%2Faws-penetration-testing%2F@b91cff480d2a72df7e6c097c2cae3766c333dabe