How to Hack Like a Ghost: Breaching the Cloud

ISBN-13: 9781718501263

Media Type: Paperback

Publisher: No Starch Press

Publication Date: 05-03-2021

Pages: 264

Product Dimensions: 6.90(w) x 9.10(h) x 0.70(d)

Sparc Flow is a computer security expert specializing in ethical hacking, who has presented his research at international security conferences like Black Hat, DEF CON, Hack In The Box, and more. While his day job consists mainly of performing penetration tests against companies so they can patch vulnerabilities, his passion is writing and sharing hacking knowledge through his acclaimed Hack the Planet books.

Table of Contents

Acknowledgments xiii

Introduction xv

How the Book Works xviii

The Vogue Plan xviii

Part I Catch Me If You Can 1

1 Becoming Anonymous Online 3

VPNs and Their Failings 4

Location, Location, Location 5

The Operation Laptop 6

Bouncing Servers 7

The Attack Infrastructure 8

Resources 9

2 Return of Command and Control 11

Command and Control Legacy 11

The Search for a New C2 12

Merlin 13

Koadic 15

SILENTTRINITY 17

Resources 19

3 Let There Be Infrastructure 21

Legacy Method 21

Containers and Visualization 23

Namespaces 24

Union Filesystem 28

Cgroups 30

IP Masquerading 32

Automating the Server Setup 33

Tuning the Server 36

Pushing to Production 39

Resources 41

Part II Try Harder 43

4 Healthy Stalking 45

Understanding Gretsch Politico 46

Finding Hidden Relationships 47

Scouring GitHub 49

Pulling Web Domains 53

From Certificates 53

By Harvesting the Internet 54

Discovering the Web Infrastructure Used 56

Resources 57

5 Vulnerability Seeking 59

Practice Makes Perfect 60

Revealing Hidden Domains 60

Investigating the S3 URLs 62

S3 Bucket Security 64

Examining the Buckets 65

Inspecting the Web-Facing Application 68

Interception with WebSocket 69

Server-Side Request Forgery 73

Exploring the Metadata 73

The Dirty Secret of the Metadata API 75

AWS IAM 80

Examining the Key List 82

Resources 83

Part III Total Immersion 85

6 Fracture 87

Server-Side Template Injection 89

Fingerprinting the Framework 90

Arbitrary Code Execution 92

Confirming the Owner 94

Smuggling Buckets 95

Quality Backdoor Using S3 97

Creating the Agent 98

Creating the Operator 100

Trying to Break Free 101

Checking tar Privileged Mode 102

Linux Capabilities 103

Docker Socket 105

Resources 106

7 Behind the Curtain 107

Kubernetes Overview 108

Introducing Pods 109

Balancing Traffic 113

Opening the App to the World 115

Kube Under the Hood 115

Resources 119

8 Shawshank Redemption: Breaking Out 121

RBAC in Kube 122

Recon 2.0 125

Breaking Into Datastores 129

API Exploration 132

Abusing the IAM Role Privileges 135

Abusing the Service Account Privileges 136

Infiltrating the Database 137

Redis and Real-Time Bidding 140

Deserialization 141

Cache Poisoning 143

Kube Privilege Escalation 148

Resources 151

9 Sticky Shell 153

Stable Access 155

The Stealthy Backdoor 160

Resources 163

Part IV The Enemy Inside 165

10 The Enemy Inside 167

The Path to Apotheosis 168

Automation Tool Takeover 172

Jenkins Almighty 173

Hell's Kitchen 174

Taking Over Lambda 181

Resources 185

11 Nevertheless, We Persisted 187

The AWS Sentries 188

Persisting in the Utmost Secrecy 190

The Program to Execute 191

Building the Lambda 192

Setting Up the Trigger Event 193

Covering Our Tracks 195

Recovering Access 195

Alternative (Worse) Methods 196

Resources 197

12 Apotheosis 199

Persisting the Access 201

Understanding Spark 204

Malicious Spark 205

Spark Takeover 210

Finding Raw Data 213

Stealing Processed Data 215

Privilege Escalation 216

Infiltrating Redshift 220

Resources 224

13 Final Cut 225

Hacking Google Workspace 226

Abusing CloudTrail 229

Creating a Google Workspace Super Admin Account 232

Sneaking a Peek 233

Closing Thoughts 235

Resources 235

Index 237