Cloud Resource

Types of Cloud Providers

1. Amazon (AWS)

2. Google (GCP)

3. Microsoft (Azure)

Vulnerabilities in Cloud

1. Misconfigured resources by administrators can pose as a security risk

2. This often starts with the S3 buckets (AWS), blobs (Azure), cloud storage (GCP), which can be accessed without authentication if configured incorrectly.

Searching for Cloud Company Hosted Servers/Documents

Using a list of IP Addresses to quickly find them

z3tssu@htb[/htb]$ for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done

blog.inlanefreight.com 10.129.24.93
inlanefreight.com 10.129.27.33
matomo.inlanefreight.com 10.129.127.22
www.inlanefreight.com 10.129.127.33
s3-website-us-west-2.amazonaws.com 10.129.95.250

Google Search for AWS

intext: inurl:amazonaws.com

Google Search for Azure

intext: inurl:blob.core.windows.net

Target Website - Source Code

• We can typically see files in the source code of a website

Third Party Providers

Domain Glass - What can it do?

Third-party providers such as domain.glass can also tell us a lot about the company's infrastructure. As a positive side effect, we can also see that Cloudflare's security assessment status has been classified as "Safe". This means we have already found a security measure that can be noted for the second layer (gateway).

GrayHatWarfare

Another very useful provider is GrayHatWarfare. We can do many different searches, discover AWS, Azure, and GCP cloud storage, and even sort and filter by file format. Therefore, once we have found them through Google, we can also search for them on GrayHatWarefare and passively discover what files are stored on the given cloud storage.

Private and Public SSH Keys Leaked

Sometimes when employees are overworked or under high pressure, mistakes can be fatal for the entire company. These errors can even lead to SSH private keys being leaked, which anyone can download and log onto one or even more machines in the company without using a password.