DO - Basic Information

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Basic Information

DigitalOcean is a cloud computing platform that provides users with a variety of services, including virtual private servers (VPS) and other resources for building, deploying, and managing applications. DigitalOcean's services are designed to be simple and easy to use, making them popular among developers and small businesses.

Some of the key features of DigitalOcean include:

  • Virtual private servers (VPS): DigitalOcean provides VPS that can be used to host websites and applications. These VPS are known for their simplicity and ease of use, and can be quickly and easily deployed using a variety of pre-built "droplets" or custom configurations.

  • Storage: DigitalOcean offers a range of storage options, including object storage, block storage, and managed databases, that can be used to store and manage data for websites and applications.

  • Development and deployment tools: DigitalOcean provides a range of tools that can be used to build, deploy, and manage applications, including APIs and pre-built droplets.

  • Security: DigitalOcean places a strong emphasis on security, and offers a range of tools and features to help users keep their data and applications safe. This includes encryption, backups, and other security measures.

Overall, DigitalOcean is a cloud computing platform that provides users with the tools and resources they need to build, deploy, and manage applications in the cloud. Its services are designed to be simple and easy to use, making them popular among developers and small businesses.

Main Differences from AWS

One of the main differences between DigitalOcean and AWS is the range of services they offer. DigitalOcean focuses on providing simple and easy-to-use virtual private servers (VPS), storage, and development and deployment tools. AWS, on the other hand, offers a much broader range of services, including VPS, storage, databases, machine learning, analytics, and many other services. This means that AWS is more suitable for complex, enterprise-level applications, while DigitalOcean is more suited to small businesses and developers.

Another key difference between the two platforms is the pricing structure. DigitalOcean's pricing is generally more straightforward and easier to understand than AWS, with a range of pricing plans that are based on the number of droplets and other resources used. AWS, on the other hand, has a more complex pricing structure that is based on a variety of factors, including the type and amount of resources used. This can make it more difficult to predict costs when using AWS.

Hierarchy

User

A user is what you expect, a user. He can create Teams and be a member of different teams.

Team

A team is a group of users. When a user creates a team he has the role owner on that team and he initially sets up the billing info. Other user can then be invited to the team.

Inside the team there might be several projects. A project is just a set of services running. It can be used to separate different infra stages, like prod, staging, dev...

Project

As explained, a project is just a container for all the services (droplets, spaces, databases, kubernetes...) running together inside of it. A Digital Ocean project is very similar to a GCP project without IAM.

Permissions

Team

Basically all members of a team have access to the DO resources in all the projects created within the team (with more or less privileges).

Roles

Each user inside a team can have one of the following three roles inside of it:

RoleShared ResourcesBilling InformationTeam Settings

Owner

Full access

Full access

Full access

Biller

No access

Full access

No access

Member

Full access

No access

No access

Owner and member can list the users and check their roles (biller cannot).

Access

Username + password (MFA)

As in most of the platforms, in order to access to the GUI you can use a set of valid username and password to access the cloud resources. Once logged in you can see all the teams you are part of in https://cloud.digitalocean.com/account/profile. And you can see all your activity in https://cloud.digitalocean.com/account/activity.

MFA can be enabled in a user and enforced for all the users in a team to access the team.

API keys

In order to use the API, users can generate API keys. These will always come with Read permissions but Write permission are optional. The API keys look like this:

dop_v1_1946a92309d6240274519275875bb3cb03c1695f60d47eaa1532916502361836

The cli tool is doctl. Initialise it (you need a token) with:

doctl auth init # Asks for the token
doctl auth init --context my-context # Login with a different token
doctl auth list # List accounts

By default this token will be written in clear-text in Mac in /Users/<username>/Library/Application Support/doctl/config.yaml.

Spaces access keys

These are keys that give access to the Spaces (like S3 in AWS or Storage in GCP).

They are composed by a name, a keyid and a secret. An example could be:

Name: key-example
Keyid: DO00ZW4FABSGZHAABGFX
Secret: 2JJ0CcQZ56qeFzAJ5GFUeeR4Dckarsh6EQSLm87MKlM

OAuth Application

OAuth applications can be granted access over Digital Ocean.

It's possible to create OAuth applications in https://cloud.digitalocean.com/account/api/applications and check all allowed OAuth applications in https://cloud.digitalocean.com/account/api/access.

SSH Keys

It's possible to add SSH keys to a Digital Ocean Team from the console in https://cloud.digitalocean.com/account/security.

This way, if you create a new droplet, the SSH key will be set on it and you will be able to login via SSH without password (note that newly uploaded SSH keys aren't set in already existent droplets for security reasons).

Functions Authentication Token

The way to trigger a function via REST API (always enabled, it's the method the cli uses) is by triggering a request with an authentication token like:

curl -X POST "https://faas-lon1-129376a7.doserverless.co/api/v1/namespaces/fn-c100c012-65bf-4040-1230-2183764b7c23/actions/functionname?blocking=true&result=true" \
  -H "Content-Type: application/json" \
  -H "Authorization: Basic MGU0NTczZGQtNjNiYS00MjZlLWI2YjctODk0N2MyYTA2NGQ4OkhwVEllQ2t4djNZN2x6YjJiRmFGc1FERXBySVlWa1lEbUxtRE1aRTludXA1UUNlU2VpV0ZGNjNqWnVhYVdrTFg="

Logs

User logs

The logs of a user can be found in https://cloud.digitalocean.com/account/activity

Team logs

The logs of a team can be found in https://cloud.digitalocean.com/account/security

References

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Last updated