HackTricks Cloud
Document not found (404)
This URL is invalid, sorry. Please use the navigation bar or search to continue.