Crypto

Openssl

Enumeration

Containers

Docs

Snmp

Network_scanners

Windows

Exfiltration

Dns

Linux

Windows

Exploit

CPUs

meltdown

Binaries

aslr

Buffer_overflow

Docs

ropping

Canary_bypass

canary_bypass

Format_string

format_string

Integral_promotion

integral_promotion

Dns

zone_transfer

Hashes

collision

Imagemagick

imagetragick

Java

OGNL

cve_2022_26134

Level3_hypervisor

Docker_sec

docker

Linux

capabilities

Dirty_pipe

dirty_pipe

Pkexec

CVE_2021_4034

Sudo

wildard_exploitation

MacOS

Network

mac_spoofing

Padding

padbuster

Python

Samba

smbmap

Sqli

Ssl_tls

heartbleed

Web

Bypass_rate_limiting

bypass_rate_limiting

command_injection

Content_security_policy

content_security_policy

cookie_tampering
csrf

Forced_browsing

forced_browsing

http_header_injection

Idor

idor

Javascript

Jwt

local_file_inclusion
methodology

Nodejs

deserialization

Php

re_registration
remote_file_inclusion

Ssrf

Ssti

ssti

Xxe

Windows

Dll_hijacking

dll_hijacking

Docs

Macros

macros

Payloads

windows_scripting_host

Print_nightmare

CVE-2021-1675

Nightmare-dll

print_nightmare

Process_injection

Service_escalation

service_escalation

Zero_logon

zero_logon

Yaml

deserialization

Forensics

Hashes

Bruteforce

Password_cracking

Password_guessing

standard_passwords

Misc

Active_directory

Printer_hacking

preta

Telecommunications

_sipvicious

.github

ISSUE_TEMPLATE

Sipvicious

sip_vicious

Threat_intelligence

Wifi

airmon-ng

Osint

recon_ng

Social_engineering

spiderfoot
theharvester

Persistence

Post exploitation

Seatbelt

.github

ISSUE_TEMPLATE

CHANGELOG

Seatbelt

Commands

Windows

EventLogs

Output

Bc_security

Docs

Windows

pivoting

Priv_esc

Docs

linux_priv_esc
pspy

Windows

Kernel-exploits

Privesc-scripts

Docs

get_script_onto_target

Suid

Reverse engineering

Android

misc

Docs

Java

krakatau

Reverse shells

Docs

firewalls

Windows

Stego

Docs

AWS S3 Enumeration
- Usage
  - Simple Storage Service (S3)
    - ACL
- IAM
  - AWS ARN
  - Secrets

AWS S3 Enumeration

Usage

Regions
- --region

Simple Storage Service (S3)

S3
Methods of access control are as follows
- Bucket policies
- S3 ACL
Scheme is

http://<bucketname>.s3.amazonaws.com/file.name

http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext

List content of public bucket via

aws s3 ls s3://<bucketname>/ --no-sign-request

Download via curl, wget or s3 cli via

aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request

ACL

Anyone, just curl
AuthenticatedUsers, s3 cli with aws key

IAM

Not necessarily used by s3
Access key ID, starts with AKIA + 20 chars
Secret access key
Session token, ASIA + sessionToken
Add credentials to profile via

aws configure --profile PROFILENAME

Config and credentials is stored at ~/.aws
Sanity test profile via

aws s3 ls --profile PROFILENAME

Find account ID to an access key

aws sts get-access-key-info --access-key-id AKIAEXAMPLE

Find username to an access key

aws sts get-caller-identity --profile PROFILENAME

Listing EC2 instances of an account

aws ec2 describe-instances --output text --profile PROFILENAME

aws ec2 describe-instances --output text --profile PROFILENAME

aws ec2 describe-instances --output text --profile PROFILENAME

* In another region

aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME

AWS ARN

Unique ID is create via the following scheme

arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name>

Secrets

aws secretsmanager help
aws secretsmanager list-secrets
ws secretsmanager get-secret-value --secret-id <Name> --region <region>