DO - Droplets

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

In DigitalOcean, a "droplet" is a virtual private server (VPS) that can be used to host websites and applications. A droplet is a pre-configured package of computing resources, including a certain amount of CPU, memory, and storage, that can be quickly and easily deployed on DigitalOcean's cloud infrastructure.

You can select from common OS, to applications already running (such as WordPress, cPanel, Laravel...), or even upload and use your own images.

Droplets support User data scripts.

Difference between a snapshot and a backup

In DigitalOcean, a snapshot is a point-in-time copy of a Droplet's disk. It captures the state of the Droplet's disk at the time the snapshot was taken, including the operating system, installed applications, and all the files and data on the disk.

Snapshots can be used to create new Droplets with the same configuration as the original Droplet, or to restore a Droplet to the state it was in when the snapshot was taken. Snapshots are stored on DigitalOcean's object storage service, and they are incremental, meaning that only the changes since the last snapshot are stored. This makes them efficient to use and cost-effective to store.

On the other hand, a backup is a complete copy of a Droplet, including the operating system, installed applications, files, and data, as well as the Droplet's settings and metadata. Backups are typically performed on a regular schedule, and they capture the entire state of a Droplet at a specific point in time.

Unlike snapshots, backups are stored in a compressed and encrypted format, and they are transferred off of DigitalOcean's infrastructure to a remote location for safekeeping. This makes backups ideal for disaster recovery, as they provide a complete copy of a Droplet that can be restored in the event of data loss or other catastrophic events.

In summary, snapshots are point-in-time copies of a Droplet's disk, while backups are complete copies of a Droplet, including its settings and metadata. Snapshots are stored on DigitalOcean's object storage service, while backups are transferred off of DigitalOcean's infrastructure to a remote location. Both snapshots and backups can be used to restore a Droplet, but snapshots are more efficient to use and store, while backups provide a more comprehensive backup solution for disaster recovery.

Authentication

For authentication it's possible to enable SSH through username and password (password defined when the droplet is created). Or select one or more of the uploaded SSH keys.

Firewall

By default droplets are created WITHOUT A FIREWALL (not like in oder clouds such as AWS or GCP). So if you want DO to protect the ports of the droplet (VM), you need to create it and attach it.

More info in:

DO - Networking

Enumeration

# VMs
doctl compute droplet list # IPs will appear here
doctl compute droplet backups <droplet-id>
doctl compute droplet snapshots <droplet-id>
doctl compute droplet neighbors <droplet-id> # Get network neighbors
doctl compute droplet actions <droplet-id> # Get droplet actions

# VM interesting actions
doctl compute droplet-action password-reset <droplet-id> # New password is emailed to the user
doctl compute droplet-action enable-ipv6 <droplet-id>
doctl compute droplet-action power-on <droplet-id>
doctl compute droplet-action disable-backups <droplet-id>

# SSH
doctl compute ssh <droplet-id> # This will just run SSH
doctl compute ssh-key list
doctl compute ssh-key import <key-name> --public-key-file /path/to/key.pub

# Certificates
doctl compute certificate list

# Snapshots
doctl compute snapshot list

Droplets have metadata endpoints, but in DO there isn't IAM or things such as role from AWS or service accounts from GCP.

RCE

With access to the console it's possible to get a shell inside the droplet accessing the URL: https://cloud.digitalocean.com/droplets/<droplet-id>/terminal/ui/

It's also possible to launch a recovery console to run commands inside the host accessing a recovery console in https://cloud.digitalocean.com/droplets/<droplet-id>/console(but in this case you will need to know the root password).