AWS Cloud metadata service abuse

A few weeks ago, I presented an internal meetup to the pentesters of my company on how they could take advantage of weak or poorly configured IaaS metadata services. The end of the presentation was backed by an interactive CTF-like workshop that I have setup based on the work from Avishay Bar from CyberArk. While some suggestions from the workshop have been merged into the master, the complete lab is available on the forked version of the original repository available on my Github account.…

Read more »

Integrate ServiceNow with your AWS Cloud!

Now that I’m on vacation, I wanted to introduce you to a project I’ve spent a couple of weeks on a few months ago on ServiceNow. I have already dived a first time in the ServiceNow API while I was working at the Governance of a SOC service. There I tried to integrate ServiceNow to our processes using Google script to enhance the service workflow throughput1. Sadly I wasn’t able to go that much farther as the IT accountability department refused to give me required credentials.…

Read more »

Happy New Year!

Hi everyone and welcome in 2019 !! 🎉 🍸 🎉 After close to 4 months without a single entry, I thought it was the right time to make a comeback. Although I haven’t written a lot for this period, it didn’t mean the blog stayed idle, I worked hard during my spare time to bring you, my readers, new thrilling functionalities. First of all, let start by the most obvious, I join a new audio file for each of my blog entries thanks to the great AWS Text-to-Speech service Amazon Polly.…

Read more »

Penetration testing on AWS

Posted on · 12 mins read · Tagged in aws, iam, pentest

In opposition with the general assumption, among companies which have a long compliance history in their field, top executives are often the most eager to migrate their On-premise infrastructure in favor of Public Cloud, expecting1 drastic operational cost savings. The opposition more often comes from the IT Operations and Security staffs who fear a loss of control on their data which goes along with the loss of control on the underlying infrastructure ( They miss Network and Security appliances, Hypervisors and sometimes even Racks and Wires 😏 ).…

Read more »

Mining on AWS

Posted on · 11 mins read · Tagged in aws, mining, ec2

WARNING: THE METHOD DESCRIBED IN THIS ARTICLE IS ONLY TARGETING PEOPLE WHO HAVE AWS CREDIT TO LOOSE, DON’T USE IT WITH PROFITS IN MIND Considering cloud instances are usually expensive, and price of cryptocurrencies ( and especially the ones that are still minable with CPU and GPU ) are collapsing lately, most of you must think I’m turning mad. And, indeed, the target of this walkthrough is absolutely NOT BEING PROFITABLE.…

Read more »