HackTricks Cloud
Document not found (404)
This URL is invalid, sorry. Please use the navigation bar or search to continue.