
Nairuz Abulhul
Data security news, opinion, advice and research. Nairuz Abulhul is a penetration tester with an interest in reverse engineering.
Nairuz Abulhul
1M ago
GCP Cloud Pentesting
How Attackers Leverage Serverless Functions to Escalate Privileges and Move Laterally
Credits: Photo by Tim Mossholder on Unsplash
In Identity and Access Management (IAM), policies are a set of rules that define access controls by specifying who can do what on which resources. These policies help administrators manage permissions effectively within an environment.
In Google Cloud Platform (GCP), a policy typically consists of three (3) main components:
Members — These are usually users, service accounts, and groups.
Roles/Permissions — These define what actions…
Nairuz Abulhul
1M ago
CLOUD SECURITY
Exploiting misconfigured IAM roles on GCP Compute Instances to obtain additional access and escalate privileges
Credit — Photo by Zdeněk Macháček on Unsplash
In the previous post, we learned how to steal an access token from a vulnerable cloud function with a misconfigured IAM policy. This misconfiguration allowed any user to invoke the function and retrieve the token for another service account.
In this post, we’ll build on that by exploring how we can abuse the new service account to gain additional privileges within the GCP environment through Compute Instance IAM m…
Nairuz Abulhul
1M ago
CLOUD SECURITY
How Misconfigured IAM Policies in Google Cloud Can Lead to Cloud Function Access Token Exposure and Exploitation
Credits: Photo by Charlein Gracia on Unsplash
In Identity and Access Management (IAM), policies are a set of rules that define access controls by specifying who can do what on which resources. These policies help administrators manage permissions effectively within an environment.
In Google Cloud Platform (GCP), a policy typically consists of three (3) main components:
Members — These are usually users, service accounts, and groups.
Roles/Permissions — Thes…
Nairuz Abulhul
9M ago
RED TEAM SERIES
A Step-by-Step Guide to Deploying C2 VMs
Credits — Benoît Deschasaux
Building a robust infrastructure is essential to the success of a red team operation. Cloud platforms give red teamers a resilient, scalable, and easy-to-deploy infrastructure that lets them operate efficiently while minimizing exposure.
In this guide, we will use the Microsoft Azure cloud platform to build our C2 infrastructure, which will include setting up a virtual machine as the Command & Control server, installing the Mythic C2 framework, and configuring Azure CDN redirecto…
Nairuz Abulhul
9M ago
WINDOWS PRIVILEGE ESCALATION
A Closer Look at Common Misconfigurations in Windows Service Permissions for Privilege Escalation
Photo by Sandy Millar on Unsplash
Windows services are an essential part of the operating system, providing various functions critical to the smooth running of a system. However, services can also be vulnerable to misconfiguration, which attackers can exploit to gain unauthorized access to a system.
There are many different ways that service misconfigurations can be exploited. Some common methods include insecure permissions on the service executable and insecu…
Nairuz Abulhul
9M ago
WINDOWS PRIVILEGE ESCALATION
Photo by Ant Rozetsky on Unsplash
Once we gain initial access to a system during an internal penetration testing assessment, the next step is to escalate privileges in order to run necessary tools and explore the network effectively. In a Windows environment, one of the common ways to do this is by exploiting a user’s privileges.
Abusing the SeBackupPrivilege is one such way. A user with this privilege can create a full backup of the entire system, including sensitive files like the Security Account Manager (SAM) and the Active Directory database “NT Directory…
Nairuz Abulhul
10M ago
CLOUD SECURITY
Unlock the power of the AWS API gateway with Fireprox configuration
Photo by Phil Goodwin on Unsplash
During a penetration testing assessment, certain activities require some level of automation, such as web scraping from sites like LinkedIn to gather a list of valid employee names that can be used for social engineering activities, password-spraying login portals, or blind injections when testing web applications. However, performing these activities from a single source IP address could lead to being blocked during the test.
To overcome this, we need to rotate our IP…
Nairuz Abulhul
11M ago
WEB SECURITY
Testing APIs with Certificate-based authentication
Credit — Getty Images
When assessing APIs that use certificate-based authentication, it is necessary to add the certificates to our tools like Postman and Burp Suite. This allows us to proxy requests between the client and server in order to properly evaluate the API’s security.
In this quick guide, we will cover the steps of incorporating certificates and private keys into Postman for authentication purposes. We will also cover how to include client certificates in the PKCS#12 format for seamless traffic interception using Bu…
Nairuz Abulhul
1y ago
RED TEAM SERIES
Evading Detection: Obfuscating C2 Infrastructure with Azure FrontDoor
Photo by Yifu Wu on Unsplash
A redirector is a server that acts as a middleman between the C2 server and the targeted network. Its primary function is redirecting all communication between the C2 and the compromised target. Redirectors are commonly used to hide the origin of the traffic of the C2 server, making it more challenging for defenders to detect and block the C2 infrastructure.
Cloud-based redirectors present a good opportunity to obscure the C2 traffic by routing it through a global networ…