Cloud Resource

Types of Cloud Providers
  1. Amazon (AWS)

  2. Google (GCP)

  3. Microsoft (Azure)

Vulnerabilities in Cloud
  1. Misconfigured resources by administrators can pose a security risk

  2. This often starts with the S3 buckets (AWS), blobs (Azure), cloud storage (GCP), which can be accessed without authentication if configured incorrectly.

Searching for Cloud Company Hosted Servers/Documents

Using a list of IP Addresses to quickly find them
z3tssu@htb[/htb]$ for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done

blog.inlanefreight.com 10.129.24.93
inlanefreight.com 10.129.27.33
matomo.inlanefreight.com 10.129.127.22
www.inlanefreight.com 10.129.127.33
s3-website-us-west-2.amazonaws.com 10.129.95.250
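
The same lookup output can be classified by storage provider when inventorying an organization's own DNS names, so that the access settings of each matching bucket or container can be reviewed. This is an added example, not part of the original notes; the function names, the `example.com` hostnames and the sample `host` output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify `host` output by cloud storage provider.

# Constructed sample of `host` output (hostnames are placeholders).
sample_host_output() {
cat <<'EOF'
blog.example.com has address 10.129.24.93
assets.example.com is an alias for s3-website-us-west-2.amazonaws.com.
s3-website-us-west-2.amazonaws.com has address 10.129.95.250
files.example.com is an alias for examplefiles.blob.core.windows.net.
media.example.com is an alias for c.storage.googleapis.com.
www.example.com has address 10.129.127.33
example.com mail is handled by 10 mx.example.com.
EOF
}

# Reads `host` output on stdin and prints "<name> <provider> <target>" for
# every record whose own name or CNAME target is a cloud storage endpoint.
classify_cloud_records() {
  awk '
    function provider(h) {
      h = tolower(h); sub(/\.$/, "", h)            # drop trailing root dot
      if (h ~ /(^|\.)s3[.-][a-z0-9.-]*amazonaws\.com$/) return "AWS-S3"
      if (h ~ /\.blob\.core\.windows\.net$/)       return "Azure-Blob"
      if (h ~ /(^|\.)storage\.googleapis\.com$/)   return "GCP-Storage"
      return ""
    }
    / is an alias for | has address / {
      name = $1
      # CNAME lines carry the target in the last field; A lines are judged
      # by the queried name itself.
      target = ($0 ~ / is an alias for /) ? $NF : $1
      p = provider(target)
      sub(/\.$/, "", target)
      if (p != "" && !seen[name]++) print name, p, target
    }
  '
}

# Run against the constructed sample.
sample_host_output | classify_cloud_records
```

To run it against real data, pipe the raw output of the `host` loop (before the `grep` and `cut` filters) into `classify_cloud_records`.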
Google Search for AWS
intext: inurl:amazonaws.com
Google Search for Azure
intext: inurl:blob.core.windows.net

Target Website - Source Code

  • We can typically see files in the source code of a website

Third Party Providers

Domain Glass - What can it do?

Third-party providers such as domain.glass can also tell us a lot about the company's infrastructure. As a positive side effect, we can also see that Cloudflare's security assessment status has been classified as "Safe". This means we have already found a security measure that can be noted for the second layer (gateway).

GrayHatWarfare

Another very useful provider is GrayHatWarfare. We can do many different searches, discover AWS, Azure, and GCP cloud storage, and even sort and filter by file format. Therefore, once we have found them through Google, we can also search for them on GrayHatWarfare and passively discover what files are stored on the given cloud storage.

Private and Public SSH Keys Leaked

Sometimes when employees are overworked or under high pressure, mistakes can be fatal for the entire company. These errors can even lead to SSH private keys being leaked, which anyone can then download and use to log onto one or more machines in the company without a password.
