Test lab

AWS tools

Preparation

Reconnaissance
Enumeration

Notes on techniques

Introduction
- What?
- Why?
- How?
Challenges and problems
Account and privilege attacks
Cloud-centric attacks
Abusing misconfigurations
Hacking CI/CD pipelines

IAM

Introduction
- What?
- Why?
- How?
IAM enumeration
Misconfigured trust policy
Overly permissive permission I
Dangerous policy combination I
Dangerous policy combination II
Overly permissive permission II
Pass Role: EC2
Pass Role: Lambda
Pass Role: CloudFormation

API Gateway

Introduction
- What?
- Why?
- How?
API gateway enumeration
Verb tampering
Misconfigured private API
IAM based authentication
Denial of service
Poor Lambda authoriser

More

Bust-a-Kube
flAWS 2
AWSGoat
CloudGoat

Head in the clouds

Ty Myrddin Home
Unseen University
Improbability Blog
About
Contact

Verb tampering

API-Key based authentication is a common method to protect an API.

Objective: Bypass the authentication enforced by the API Gateway and retrieve the flag.

Previous Next

Unseen University, 2024, with a forest garden fostered by /ut7.