A few weeks ago, I presented an internal meetup to the pentesters of my company on how they could take advantage of weak or poorly configured IaaS metadata services. The end of the presentation was backed by an interactive CTF-like workshop that I have setup based on the work from Avishay Bar from CyberArk. While some suggestions from the workshop have been merged into the master, the complete lab is available on the forked version of the original repository available on my Github account.…
Now that I’m on vacation, I wanted to introduce you to a project I’ve spent a couple of weeks on a few months ago on ServiceNow.
I have already dived a first time in the ServiceNow API while I was working at the Governance of a SOC service. There I tried to integrate ServiceNow to our processes using Google script to enhance the service workflow throughput1. Sadly I wasn’t able to go that much farther as the IT accountability department refused to give me required credentials.
After close to 4 months without a single entry, I thought it was the right time to make a comeback.
Although I haven’t written a lot for this period, it didn’t mean the blog stayed idle, I worked hard during my spare time to bring you, my readers, new thrilling functionalities.
First of all, let start by the most obvious, I join a new audio file for each of my blog entries thanks to the great AWS Text-to-Speech service Amazon Polly. This service makes a wonderful job for reading my posts in a lifelike speech fashion thanks to Matthew’s voice. I didn’t use any advanced SSML tags, but the result is already impressive. Furthermore, this is my first post written in both English and Dutch, the full blog translation is still a work in progress, but you can already see Polly results in both Dutch and English by scrolling down and switching the site default language.
In opposition with the general assumption, among companies which have a long compliance history in their field, top executives are often the most eager to migrate their On-premise infrastructure in favor of Public Cloud, expecting1 drastic operational cost savings. The opposition more often comes from the IT Operations and Security staffs who fear a loss of control on their data which goes along with the loss of control on the underlying infrastructure ( They miss Network and Security appliances, Hypervisors and sometimes even Racks and Wires 😏 ).
To defend the theory, according to which the Cloud is far less secure and does not fit their company business model; they often refer to past newspaper headlines about “Cloud Data Leak” or “Cloud Sudden Disruption”. Although it’s real (egg AWS, GCP …), the Disruption part won’t be addressed in this post, I tend to believe that those incidents follow a downtrend, albeit they’re clearly more mediatized now than at the beginning of Cloud computing ten years ago.…
WARNING: THE METHOD DESCRIBED IN THIS ARTICLE IS ONLY TARGETING PEOPLE WHO HAVE AWS CREDIT TO LOOSE, DON’T USE IT WITH PROFITS IN MIND
Considering cloud instances are usually expensive, and price of cryptocurrencies ( and especially the ones that are still minable with CPU and GPU ) are collapsing lately, most of you must think I’m turning mad. And, indeed, the target of this walkthrough is absolutely NOT BEING PROFITABLE.