Table of Contents
Acknowledgments xiii
Introduction xv
How the Book Works xviii
The Vogue Plan xviii
Part I Catch Me If You Can 1
1 Becoming Anonymous Online 3
VPNs and Their Failings 4
Location, Location, Location 5
The Operation Laptop 6
Bouncing Servers 7
The Attack Infrastructure 8
Resources 9
2 Return of Command and Control 11
Command and Control Legacy 11
The Search for a New C2 12
Merlin 13
Koadic 15
SILENTTRINITY 17
Resources 19
3 Let There Be Infrastructure 21
Legacy Method 21
Containers and Virtualization 23
Namespaces 24
Union Filesystem 28
Cgroups 30
IP Masquerading 32
Automating the Server Setup 33
Tuning the Server 36
Pushing to Production 39
Resources 41
Part II Try Harder 43
4 Healthy Stalking 45
Understanding Gretsch Politico 46
Finding Hidden Relationships 47
Scouring GitHub 49
Pulling Web Domains 53
From Certificates 53
By Harvesting the Internet 54
Discovering the Web Infrastructure Used 56
Resources 57
5 Vulnerability Seeking 59
Practice Makes Perfect 60
Revealing Hidden Domains 60
Investigating the S3 URLs 62
S3 Bucket Security 64
Examining the Buckets 65
Inspecting the Web-Facing Application 68
Interception with WebSocket 69
Server-Side Request Forgery 73
Exploring the Metadata 73
The Dirty Secret of the Metadata API 75
AWS IAM 80
Examining the Key List 82
Resources 83
Part III Total Immersion 85
6 Fracture 87
Server-Side Template Injection 89
Fingerprinting the Framework 90
Arbitrary Code Execution 92
Confirming the Owner 94
Smuggling Buckets 95
Quality Backdoor Using S3 97
Creating the Agent 98
Creating the Operator 100
Trying to Break Free 101
Checking tar Privileged Mode 102
Linux Capabilities 103
Docker Socket 105
Resources 106
7 Behind the Curtain 107
Kubernetes Overview 108
Introducing Pods 109
Balancing Traffic 113
Opening the App to the World 115
Kube Under the Hood 115
Resources 119
8 Shawshank Redemption: Breaking Out 121
RBAC in Kube 122
Recon 2.0 125
Breaking Into Datastores 129
API Exploration 132
Abusing the IAM Role Privileges 135
Abusing the Service Account Privileges 136
Infiltrating the Database 137
Redis and Real-Time Bidding 140
Deserialization 141
Cache Poisoning 143
Kube Privilege Escalation 148
Resources 151
9 Sticky Shell 153
Stable Access 155
The Stealthy Backdoor 160
Resources 163
Part IV The Enemy Inside 165
10 The Enemy Inside 167
The Path to Apotheosis 168
Automation Tool Takeover 172
Jenkins Almighty 173
Hell's Kitchen 174
Taking Over Lambda 181
Resources 185
11 Nevertheless, We Persisted 187
The AWS Sentries 188
Persisting in the Utmost Secrecy 190
The Program to Execute 191
Building the Lambda 192
Setting Up the Trigger Event 193
Covering Our Tracks 195
Recovering Access 195
Alternative (Worse) Methods 196
Resources 197
12 Apotheosis 199
Persisting the Access 201
Understanding Spark 204
Malicious Spark 205
Spark Takeover 210
Finding Raw Data 213
Stealing Processed Data 215
Privilege Escalation 216
Infiltrating Redshift 220
Resources 224
13 Final Cut 225
Hacking Google Workspace 226
Abusing CloudTrail 229
Creating a Google Workspace Super Admin Account 232
Sneaking a Peek 233
Closing Thoughts 235
Resources 235
Index 237