【Cloud penetration】Basic knowledge of cloud penetration and cloud services

Types of Cloud Computing

SaaS (Software-as-a-Service)

Pay to use a particular piece of software, such as Dropbox or Office 365.

IaaS (Infrastructure-as-a-Service)

Pay to use or rent infrastructure, such as online virtual machines.

PaaS (Platform-as-a-Service)

Hosted applications such as backend APIs can be uploaded to a PaaS system, which makes them available to the world. This way you only need to worry about the source code; everything else is handled by the cloud provider.

Cloud Service Framework

1) IAM: Identity and Access Management, a policy and technical framework that can be thought of as an active directory from which users, groups and their associated permissions are managed. Cloud providers offer very fine-grained permissions that control access to specific resources. Almost all privilege escalation techniques in the cloud rely on misconfigured IAM permissions.
2) Virtual server

There is no physical access to the hardware; instead, you use SSH or RDP to interact with your machine.

3) Virtual private cloud

A VPC is a network in the cloud. All virtual servers and other machines will run in the VPC and will get a local IP like any other device on the local network.

4) Buckets

Buckets are used to store and retrieve files, providing storage for images, documents and other objects.

5) Database

6) Serverless

Serverless means that users do not need to care about the state, the resources (CPU, memory, disk and network) or the number of the underlying servers on which a software application runs. The computing resources the application needs are provided dynamically by the underlying cloud platform.

Instead of coding an entire application and running it, serverless programming creates small functions that are invoked through API calls or other triggers. Its main feature is that an application can be decomposed into multiple functions rather than written as a single program.

7) Container

A container is an application packaged in an image that can run on any machine regardless of the OS and libraries installed on it.

8) Pub/Sub

In the illustrated example, two microservices publish messages to a topic, and three other microservices consume those messages and perform some kind of work. This is one way multiple microservices can communicate with each other.

Steps to Cloud Penetration

1) Initial Access: Get User Credentials

2) Enumeration: enumerate permissions and services that can be accessed; view and download sensitive information

3) Privilege Escalation: Attempts to compromise other users using privilege escalation and lateral movement techniques

4) Persistence: maintain access

5) Clean up traces

Cloud Penetration Perspective Analysis

Reconnaissance (footprinting)

First, you need to access the target's cloud environment, which comes down to obtaining credentials. Several techniques can achieve this:

1) SSRF: currently the most popular method is Server-Side Request Forgery (SSRF), a technique used to collect cloud credentials from instance metadata services. The following links have more information about SSRF.

● https://portswigger.net/web-security/ssrf

● https://cobalt.io/blog/a-pentesters-guide-to-server-side-request-forgery-ssrf

● https://www.youtube.com/watch?v=66ni2BTIjS8&ab_channel=HackerOne
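A defensive counterpart to the SSRF vector described above: before a server fetches a user-supplied URL, resolve it and refuse anything that lands on loopback, private or link-local ranges (the link-local range is where instance metadata services live). This is an added example, not code from the original post; the `resolver` hook is a hypothetical parameter so the check can run offline in tests.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Destinations a server-side fetch of a user-supplied URL must never reach:
# loopback, RFC 1918 private ranges and the IPv4 link-local range in which
# cloud instance-metadata services are served (169.254.0.0/16), plus their
# IPv6 equivalents.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("fd00::/8"),
]


def is_safe_fetch_url(url, resolver=socket.gethostbyname):
    """Return True only if the URL is http(s) and points at a public address.

    `resolver` is a hook (default: real DNS) so tests can run offline. The
    resolved address is checked rather than the hostname text, because an
    attacker-controlled hostname can point at an internal address.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        # Literal IPv4/IPv6 host (urlparse already strips the [] of IPv6).
        addr = ipaddress.ip_address(parsed.hostname)
    except ValueError:
        try:
            addr = ipaddress.ip_address(resolver(parsed.hostname))
        except (socket.gaierror, ValueError, OSError):
            return False  # unresolvable: fail closed
    return not any(addr in net for net in BLOCKED_NETWORKS)
```

Because a name can change between the check and the connection (DNS rebinding), production code should apply the same address check to the socket it actually opens, not only to the first resolution.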

Source code

Another very popular technique for compromising cloud accounts is finding hard-coded credentials in the target's source code.

Hard coding means that, in a software implementation, input or output parameters are written directly into the source code as constants. Hard-coded credentials are digital authentication credentials (API keys, certificates, tokens, etc.) used within an application, service or infrastructure. A hard-coded credential breach happens when a developer keeps keys in an insecure location to make code changes easier; such keys are often forgotten and released inadvertently.
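The scan a repository owner would run to catch the hard-coded credentials just described, as an added example that is not from the original post: a few regex rules applied line by line to a constructed source file. The key values in the sample are placeholders, and the rule set is deliberately small.

```python
import re

# Rules a pre-commit or CI secret scan would apply. The AWS access key ID
# format is public documentation; the generic rule catches any
# password/secret/token-like name assigned a quoted literal of 8+ chars.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
    "generic_secret_assignment": re.compile(
        r"(?i)\b\w*(?:secret|token|password|passwd|api_?key)\w*\s*[:=]\s*[\"'][^\"']{8,}[\"']"
    ),
}


def scan_source(text):
    """Return [(line_number, rule_name, matched_text)] for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            for match in pattern.finditer(line):
                findings.append((lineno, name, match.group(0)))
    return findings


# Constructed sample of the kind of file a repository scan walks over.
SAMPLE_SOURCE = '''\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"      # constructed placeholder key
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "hunter2hunter2"
session_token = os.environ["SESSION_TOKEN"]      # read at runtime: no literal, no finding
'''

if __name__ == "__main__":
    for lineno, rule, text in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {text}")
```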

Cloud Provider CLI

Most cloud providers have their own CLI tools. Their credentials are usually stored on disk, and depending on the CLI they can be found in different locations.

Privilege escalation

There are two types of privilege escalation in cloud environments: one against cloud users and one against the infrastructure. You can think about it through the following points:

1) Check IAM; most privilege escalation flaws are due to over-permissioned accounts.

2) Source code. For example, if you get a shell on a cloud virtual machine or Docker container, you can search all source code and scripts on that machine for hard-coded passwords.

3) Infiltration and misconfiguration
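The IAM check in point 1, as an added example that is not from the original post: a linter that reports Allow statements granting wildcard actions or resources in an AWS-style JSON policy document. The policy shown is a constructed sample.

```python
import json

# Constructed sample policy in the AWS-style JSON format.
OVERLY_BROAD_POLICY = json.loads('''
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-assets/*"},
    {"Effect": "Allow", "Action": ["iam:*", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}
''')


def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def find_overpermissive_statements(policy):
    """Return [(statement_index, [reasons])] for each over-broad Allow statement.

    Deny statements never widen access, so they are skipped. A service-wide
    wildcard such as iam:* is reported separately from the full wildcard *,
    because iam:* alone lets a principal rewrite its own permissions.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        reasons = []
        if "*" in actions:
            reasons.append("all actions (*)")
        for action in actions:
            if action != "*" and action.endswith(":*"):
                reasons.append(f"all actions in service {action.split(':')[0]}")
        if "*" in resources:
            reasons.append("all resources (*)")
        if reasons:
            findings.append((idx, reasons))
    return findings
```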

Lateral movement

Most of the time, all the techniques and tactics used for privilege escalation can also be used for lateral movement.

Enumeration

1) List what the IAM authorization can and cannot do.

2) Infrastructure:

A network diagram of the cloud infrastructure can be built from:

● Virtual Machines

● Databases

● Cloud Storage(Buckets)

● Load Balancers

● VPCs

● WAFs

● Network and Host Firewalls

● Docker Containers and Images

● Cloud Functions(Serverless)

● Kubernetes Environment

● Publish/Subscribe Systems

● Etc.

Other possibilities

Environment variables: another popular place to store cloud credentials is environment variables. If you have RCE on a host, check them there.

Phishing

Cookies: an attacker who obtains a user's cookie can use it in a browser to log in as that user.

Bypassing defences

1) Logs: one of the most common ways to hide is simply to delete logs or disable logging.

2) Noisy logs: cloud providers log everything, so activity may slip under the radar as long as it doesn't look suspicious.


Origin blog.csdn.net/Ohh24/article/details/129317787