云安全 – 攻击

AWS

在 AWS VPN 客户端中将权限升级为 SYSTEM

• c6fK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6J5K9r3W2F1L8%4y4W2j5%4g2J5K9i4c8&6L8r3q4T1M7#2)9J5k6h3y4G2L8g2)9J5c8X3q4%4M7#2)9J5c8X3y4$3k6g2)9J5k6o6t1H3x3U0u0Q4x3X3b7J5y4e0p5$3y4g2)9J5k6r3q4%4M7#2)9J5k6s2k6H3L8W2)9J5k6r3y4D9K9h3g2F1N6q4)9J5c8R3`.`.

AWS WorkSpaces 远程代码执行

• aws/cve-2021-38112-aws-workspaces-rce/

CloudFormation 模板中的资源注入

• rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/

下载和探索 AWS EBS 快照

• a83K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6J5K9r3W2F1L8%4y4W2j5%4g2J5K9i4c8&6L8r3q4T1M7#2)9J5k6h3y4G2L8g2)9J5c8X3q4%4M7#2)9J5c8X3g2^5M7r3I4G2M7X3W2F1k6#2)9J5k6r3q4%4M7#2)9J5k6r3g2T1M7#2)9J5k6s2y4F1j5i4m8K6K9r3!0@1M7#2)9J5c8R3`.`.

CloudGoat ECS_EFS_Attack 演练

• cloud-security/cloudgoat-aws-ecs_efs_attack/

GKE Kubelet TLS Bootstrap 提权

• cloud-security/kubelet-tls-bootstrap-privilege-escalation/
• 

武器化 AWS ECS 任务定义以窃取正在运行的容器中的凭证

• weaponizing-ecs-task-definitions-steal-credentials-running-containers/

CloudGoat AWS 场景演练：“EC2_SSRF”

• cloud-security/cloudgoat-aws-scenario-ec2_ssrf/

掠夺硬编码机密的 AWS ECS 任务定义

• aws/pillaging-ecs-task-definitions-two-new-pacu-modules/

在 AWS 中滥用 VPC 流量镜像

• 244K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6J5K9r3W2F1L8%4y4W2j5%4g2J5K9i4c8&6L8r3q4T1M7#2)9J5k6h3y4G2L8g2)9J5c8X3q4%4M7#2)9J5c8X3q4T1N6i4y4A6L8X3N6Q4x3X3c8$3M7r3y4Q4x3X3c8@1M7X3q4X3k6X3W2U0i4K6u0V1L8h3W2J5M7X3!0J5K9h3&6Y4i4K6u0V1K9h3&6Q4x3X3c8S2N6%4y4Q4x3V1j5`.

使用云容器攻击工具 (CCAT) 利用 AWS ECR 和 ECS

• c67K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6J5K9r3W2F1L8%4y4W2j5%4g2J5K9i4c8&6L8r3q4T1M7#2)9J5k6h3y4G2L8g2)9J5c8X3q4%4M7#2)9J5c8X3y4D9L8%4g2V1i4K6u0V1j5$3!0F1N6r3q4A6L8X3g2J5i4K6u0V1j5i4c8@1j5h3y4C8i4K6u0V1N6r3!0G2L8q4)9J5c8R3`.`.

使用 AWS API Gateway 绕过基于 IP 的封锁

• 140K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6J5K9r3W2F1L8%4y4W2j5%4g2J5K9i4c8&6L8r3q4T1M7#2)9J5k6h3y4G2L8g2)9J5c8X3q4%4M7#2)9J5c8X3u0&6M7r3q4K6M7$3W2F1k6#2)9J5k6r3W2H3i4K6u0V1j5X3q4K6k6h3c8Q4x3X3c8T1L8r3!0U0K9$3W2F1k6#2)9J5k6r3q4%4M7#2)9J5c8R3`.`.

在 AWS 上使用 MFA 钓鱼用户

• 2caK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6J5K9r3W2F1L8%4y4W2j5%4g2J5K9i4c8&6L8r3q4T1M7#2)9J5k6h3y4G2L8g2)9J5c8X3q4%4M7#2)9J5c8X3#2X3j5g2)9J5k6s2m8Z5K9i4y4Z5K9h3&6Y4i4K6u0V1L8$3&6Q4x3X3c8S2N6%4y4Q4x3V1j5`.

AWS IAM 特权升级 – 方法和缓解措施

• aws/aws-privilege-escalation-methods-mitigation/

渗透测试 AWS 存储：踢 S3 存储桶

• penetration-testing/penetration-testing-aws-storage/

云安全风险 (P2)：AWS CloudTrail 中的 CSV 注入

• 19bK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6J5K9r3W2F1L8%4y4W2j5%4g2J5K9i4c8&6L8r3q4T1M7#2)9J5k6h3y4G2L8g2)9J5c8X3q4%4M7#2)9J5c8R3`.`.
  cloud-security-csv-injection-aws-cloudtrail/

亚马逊的 AWS 配置错误：在 Amazon Go 中上传任意文件

• amazon-aws-misconfiguration-amazon-go/

权限升级攻击：攻击 AWS IAM 权限错误配置

• 9b4K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6H3j5i4W2S2N6s2g2Q4x3X3g2U0L8$3#2Q4x3V1k6T1L8r3!0Y4i4K6u0r3L8h3q4&6j5h3&6C8i4K6u0W2j5i4u0G2M7X3q4Q4x3V1k6A6j5h3#2Q4y4h3k6H3M7X3W2$3K9h3I4W2k6$3g2Q4y4h3k6W2M7$3y4S2L8r3q4@1K9h3!0F1i4K6g2X3j5i4c8@1j5h3y4C8

IAM 易受攻击 – AWS IAM 特权升级游乐场

• 95dK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6T1K9i4y4Z5L8%4m8X3L8%4S2Q4x3X3g2U0L8$3#2Q4x3V1k6T1L8r3!0Y4i4K6u0r3j5i4N6K6i4K6u0V1K9h3q4E0i4K6u0V1M7s2u0A6N6X3W2D9k6h3N6W2i4K6u0V1k6i4y4U0j5h3I4S2N6r3W2G2L8W2)9J5k6s2m8D9j5i4W2Y4M7X3!0#2L8X3b7`.

通往云的自动扶梯：AWS 中的 5 个 Privesc 攻击向量

• 3cdK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6T1K9i4y4Z5L8%4m8X3L8%4S2Q4x3X3g2U0L8$3#2Q4x3V1k6T1L8r3!0Y4i4K6u0r3y4g2)9J5k6s2m8J5K9i4k6W2M7$3y4Q4x3X3c8S2N6s2c8S2j5$3E0Q4x3X3c8$3k6h3y4@1L8%4u0K6i4K6u0V1K9h3&6Q4x3X3c8S2N6%4x3`.

易受攻击的 AWS Lambda 函数——云攻击中的初始访问

• b5cK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6K6P5i4y4V1K9h3N6Q4x3X3g2U0L8$3#2Q4x3V1k6T1L8r3!0Y4i4K6u0r3k6i4S2H3L8r3!0A6N6q4)9J5k6r3#2A6N6r3W2Y4j5i4c8W2i4K6u0V1j5i4N6K6i4K6u0V1L8r3q4E0j5X3c8S2M7#2)9J5k6r3#2A6N6s2u0W2i4K6u0r3

通过 Amazon Web Services 的 EC2 进行特权升级攻击

• inside-a-privilege-escalation-attack-via-amazon-web-services-ec2/

AWS 攻击

• 325K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6H3k6h3&6@1k6i4y4@1j5X3!0G2K9#2)9J5k6i4y4A6P5o6u0V1k6i4A6Q4x3X3g2U0L8$3#2Q4x3V1k6W2L8Y4g2E0k6i4u0S2N6r3W2G2L8W2)9J5c8X3y4D9L8%4g2V1i4K6u0r3j5i4N6K6

AWS 影子管理员

• Shadow-admin-permissions-and-your-AWS-account

通过 API 密钥获得 AWS 控制台访问权限

• gaining-aws-console-access-via-api-keys/

为 EC2 自动创建 AWS AMI 并复制到其他区域

• automate-aws-ami-creation-for-ec2-and
  -copy-to-other-region-or-disaster-recovery

Instance Connect – 将 SSH 密钥推送到 EC2 实例

• connect-to-your-ec2-instance-using-ssh-the-modern-way/

黄金 SAML 攻击

• golden-saml-newly-discovered-attack-technique-forges
  -authentication-to-cloud-apps
• blog.sygnia.co/detection-and-hunting-of-golden-saml-attack

从云中的域控制器窃取哈希

• cloudcopy-stealing-hashes-from-domain-controllers-in-the-cloud

AWS PenTest 方法论

• Methodology%20and%20Resources/Cloud%20-%20AWS%20Pentest

CloudGoat 官方攻略系列：“rce_web_app”

• b0aK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6J5K9r3W2F1L8%4y4W2j5%4g2J5K9i4c8&6L8r3q4T1M7#2)9J5k6h3y4G2L8g2)9J5c8X3q4%4M7#2)9J5c8X3y4D9L8%4g2V1k6$3!0S2N6q4)9J5k6s2N6S2L8r3E0@1K9s2u0G2N6h3N6Z5i4K6u0V1M7X3y4W2i4K6g2X3N6$3g2T1i4K6g2X3j5i4m8H3i4K6u0r3

Azure

GKE Kubelet TLS Bootstrap 提权

• cloud-security/kubelet-tls-bootstrap-privilege-escalation/

云安全风险（第 1 部分）：Azure CSV 注入漏洞

• cloud-security-risks-part-1-azure-csv-injection-vulnerability/

SaaS 公司的安全性：利用 Infosec 实现商业价值

• security-saas-companies-leveraging-infosec-business-value/

常见的 Azure 安全漏洞和错误配置

• rhinosecuritylabs.com/cloud-security/
  common-azure-security-vulnerabilities/

枚举有效的电子邮件

• ea8K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6*7K9h3N6E0j5i4S2Q4x3X3g2F1k6i4c8Q4x3V1k6W2L8Y4g2E0k6i4u0S2N6r3g2Q4x3X3c8$3j5h3I4A6k6q4)9J5k6r3g2E0j5h3W2D9M7#2)9J5k6r3q4U0j5$3!0#2L8Y4c8K6i4K6t1#2c8f1k6Q4x3U0g2n7c8W2)9J5y4f1u0o6i4K6u0r3

枚举 Azure 子域

• cloud-penetration-testing/enumerating-azure-services/
• Subdomain-Takeover-Azure-CDN.html

Azure 攻击

• cfaK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6H3k6h3&6@1k6i4y4@1j5X3!0G2K9#2)9J5k6i4y4A6P5o6u0V1k6i4A6Q4x3X3g2U0L8$3#2Q4x3V1k6W2L8Y4g2E0k6i4u0S2N6r3W2G2L8W2)9J5c8X3y4D9L8%4g2V1i4K6u0r3j5i4A6#2M7X3f1`.

Azure Active Directory 帐户枚举

• azure-active-directory-account-enumeration/

滥用 Microsoft 的 Azure 域来托管网络钓鱼攻击

• abusing-microsofts-azure-domains-host-phishing-attacks

防御 EvilGinx2 MFA 绕过

• microsoft-entra-azure-ad/defending-against
  -the-evilginx2-mfa-bypass/mp/501719
• defending-against-evilginx2-in-office-365/

365-Stealer 简介 – 理解和执行非法许可授予攻击

• 212K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2S2L8s2c8W2M7X3g2V1M7$3g2U0N6i4u0A6N6s2W2Q4x3X3g2U0L8$3#2Q4x3V1k6H3L8%4y4@1i4K6u0r3K9h3&6@1M7X3!0V1N6h3y4@1K9h3!0F1i4K6u0V1N6r3!0Q4x3X3b7K6y4U0g2Q4x3X3c8K6N6r3g2S2L8r3g2J5
• detection-and-mitigation-consent-grant-attacks-azuread/

Azure AD 密码喷洒；从攻击到检测（和预防）。

• password-spray-from-attack-to-detection-and-prevention-87c48cede0c0
• protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad/

通过 PASS-THE-PRT 横向移动到云端

• ateral-movement-to-the-cloud-pass-the-prt/
• pass-the-prt-attack-and-detection-by-microsoft-defender-for

Azure AD 通过证书

• 390K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6E0k6h3c8A6N6h3#2Q4x3X3g2U0L8$3#2Q4x3V1k6Q4y4o6m8E0L8%4t1J5y4o6j5@1i4K6u0r3j5i4A6#2M7X3g2Q4x3X3c8S2k6q4)9J5k6s2m8S2M7%4y4Q4x3X3c8@1K9r3g2Q4x3X3c8U0k6i4u0@1K9h3k6A6j5$3q4@1k6b7`.`.

如何通过 SSH 连接到特定的 Azure Web App 实例

• a50K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0L8$3c8W2P5W2)9J5k6h3c8W2k6h3c8^5i4K6u0W2j5%4A6Q4x3V1k6H3L8%4y4@1M7#2)9J5c8X3S2G2N6#2)9J5k6s2c8G2i4K6u0V1M7%4y4Z5i4K6u0V1K9h3&6@1L8#2)9J5k6s2N6W2j5W2)9J5k6r3q4H3M7q4)9J5k6r3W2F1M7%4c8S2L8X3y4W2i4K6u0r3

攻击 Azure、Azure AD 并介绍 PowerZure

• attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a

未检测到的 Azure Active Directory 暴力破解攻击

• undetected-azure-active-directory-brute-force-attacks

Azure AD 如何容易受到暴力破解和 DOS 攻击

• 514K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6E0k6h3c8A6N6h3#2Q4x3X3g2U0L8$3#2Q4x3V1k6Z5j5h3y4C8k6i4u0F1L8$3!0F1i4K6u0r3j5i4A6#2M7X3g2Q4x3X3c8T1M7Y4g2@1k6g2)9J5k6r3k6S2M7X3y4W2i4K6u0V1x3e0N6W2x3U0N6V1j5K6l9#2k6U0R3#2

如何在 Azure 和 O365 中绕过 MFA

• b42K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6K6k6h3y4%4K9i4y4W2i4K6u0W2j5X3g2Q4x3V1k6Z5L8%4N6Q4x3X3c8@1L8#2)9J5k6r3u0&6M7r3q4K6M7#2)9J5k6r3#2X3j5g2)9J5k6r3W2F1i4K6u0V1j5i4A6#2M7X3g2Q4x3X3c8S2L8X3c8Q4x3X3c8G2x3K6j5#2i4K6u0V1M7r3q4J5N6q4)9J5k6o6q4Q4x3V1j5`.

AWS 安全工具

• github.com/toniblyx/my-arsenal-of-aws-security-tools
• d74K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6T1L8r3q4U0K9$3u0G2N6s2y4W2j5%4g2J5K9i4c8&6i4K6u0r3b7g2N6e0i4K6u0V1b7i4c8@1j5h3y4C8
• c55K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6S2N6%4y4D9j5h3u0K6i4K6u0r3j5i4N6K6i4K6u0V1j5$3I4G2N6h3c8K6j5h3N6S2
• b09K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6S2N6%4y4D9j5h3u0K6i4K6u0r3j5i4N6K6i4K6u0V1M7%4g2H3M7r3!0J5N6q4)9J5k6s2c8G2L8$3I4K6
• 6c5K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1j5H3P5q4k6S2M7X3W2S2j5X3I4W2i4K6u0r3b7g2N6e0i4K6u0V1f1$3g2U0N6i4u0A6N6s2W2Q4x3X3c8f1L8$3!0D9M7H3`.`.
• 5b1K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0P5h3u0W2M7Y4y4W2j5%4g2J5K9i4c8&6N6i4m8Q4x3X3g2Y4K9i4c8Z5N6h3u0Q4x3X3g2A6L8#2)9J5c8X3q4%4M7%4c8J5L8g2)9J5c8X3W2F1k6r3g2^5i4K6u0W2K9s2c8E0L8l9`.`.
• CloudPentestCheatsheets/blob/master/cheatsheets/AWS.md
• 940K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6d9K9r3W2F1L8#2y4W2j5%4g2J5K9i4c8&6e0r3q4T1M7#2)9J5c8X3y4D9L8%4g2V1k6$3!0S2N6l9`.`.

Azure 安全工具

• Invoke-EnumerateAzureBlobs.ps1
• 4f4K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6E0K9h3y4J5L8%4y4G2k6Y4c8Q4x3X3g2Y4K9i4c8Z5N6h3u0Q4x3X3g2A6L8#2)9J5c8V1q4*7N6i4u0W2i4K6u0V1g2r3S2J5k6h3q4@1i4K6u0V1f1X3g2K6k6h3q4J5j5$3S2Q4x3X3c8y4j5i4c8J5K9i4S2Q4x3V1j5`.
• 0afK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6o6L8r3!0#2k6q4)9J5k6p5q4J5j5$3S2A6N6r3g2C8N6q4)9J5c8V1q4*7N6i4u0W2b7f1c8Q4x3X3c8Q4c8e0k6Q4z5e0c8Q4b7V1u0Q4c8e0g2Q4z5o6N6Q4b7V1u0Q4x3X3c8Q4c8e0W2Q4z5e0S2Q4b7U0u0Q4c8e0g2Q4b7V1g2Q4b7e0p5`.
• CloudPentestCheatsheets/blob/master/cheatsheets
• 145K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6w2P5i4g2#2i4K6u0V1d9X3W2Q4x3V1k6m8N6$3g2K6L8$3#2W2i4K6u0V1b7i4A6#2M7X3g2Q4x3X3c8b7k6h3&6@1k6i4y4@1
• 8a5K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6A6L8X3g2Q4x3X3c8D9j5h3u0K6i4K6u0r3b7i4A6#2M7X3g2s2L8$3q4@1
• b15K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6C8L8h3y4I4N6h3q4V1k6g2)9J5c8X3q4%4k6i4y4G2L8h3g2Q4x3X3c8S2P5Y4g2J5k6g2)9J5k6s2y4W2j5%4g2J5K9i4c8&6
• 371K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6F1j5$3y4Y4M7X3!0#2M7q4)9J5c8X3q4*7N6h3y4S2M7R3`.`.

欢迎关注公众号：

[培训]科锐逆向工程师培训第53期2025年7月8日开班！