Got a list of potential corporate emails? You can verify which ones are valid Azure AD accounts without authentication using tools like CredMaster or Quiet Riot. Useful for password spraying or even pivoting to AWS root user testing.
What if an attacker could turn a simple Cognito login into full AWS account access? Misconfigured Identity Pools can grant excessive IAM permissions to anyone who authenticates, even anonymous users. Learn how this exploitation chain works.
EC2 user data scripts often contain hardcoded credentials, despite AWS explicitly warning against it. If you gain access to an instance, check 169.254.169.254/latest/user-... immediately.
Got IAM creds but tired of wrestling with CLI flags? You can spawn an AWS Console session using aws-vault. Temporary creds work directly, long-term creds need sts:GetFederationToken first. Heads up: this is noisy in CloudTrail.
ICYMI: A look at how a familiar container escape pattern shows up in GCP Cloud Workstations. We trace a path from a container to a service account.
If you're using Cloud Workstations, this is a useful model to keep in mind.
Got browser cookies but no AWS credentials? CloudShell has an undocumented metadata endpoint on port 1338 that exposes IAM creds. Load the session cookies, hit the endpoint, and you've got temporary credentials for your tools.
Tens of thousands of EBS snapshots are publicly exposed right now. Unlike most AWS resources, you can list all public snapshots via the API and filter by account ID. Easy recon, zero detection risk.
How do you know what permissions compromised AWS credentials actually have? Brute force them. enumerate-iam tests safe API calls to map your access. Just note: this is loud and will light up CloudTrail.
ICYMI: AI workloads are landing in the same cloud accounts we've been breaking into (and defending) for years. It's time for Hacking the Cloud to catch up. We're announcing a call for research! Share your AI and LLM sec research with thousands of readers.
GCP buckets and AWS S3 buckets are nearly identical under the hood. CloudStorageFinder works for both with minimal changes - just swap the endpoint URL. Here's how to hunt for GCP buckets.
AWS Network Firewall checks SNI and Host headers but never verifies the actual destination IP. Attackers can bypass egress filtering by spoofing legitimate domains while routing traffic to malicious IPs.
In case you missed it, did you know Claude models have a "magic string" to test when a model refuses to respond? If that string enters prompt context, it can be abused to break LLM workflows until context is reset.
It's the EICAR test string of the AI age. Details:
Misconfigured GitLab OIDC with AWS IAM roles can lead to unauthorized role assumption. Learn to identify and exploit such vulnerabilities with a step-by-step guide. Stay informed to protect your cloud infrastructure from unauthorized access.
Discover how to enumerate IAM users and roles in AWS without prior access! Through clever techniques like exploiting resource-based policies, you can explore insights across AWS accounts. Harness tools like Quiet Riot for efficient execution. Dive deeper here:
Exploring the impact of misconfigured AWS IAM role trust policies. Learn how wildcard Principals in trust policies can open up roles to any AWS account, posing serious security risks. Are your policies airtight? Dive deeper into this cloud security issue with us!
Discover how a default configuration in Terraform Enterprise can expose sensitive credentials via the Metadata Service. By understanding the nuances of remote execution and Docker in Terraform, you can mitigate potential security risks before they affect your cloud infrastructure.
The 2025 Hacking the Cloud: Year in Review is out! We take a look at the growing tide of software supply chain attacks, discuss the most critical cloud vuln discovered to date, and share some stats for the site!
hackingthe.cloud/blog/2025_wr...
Discover how AWS connection tracking affects security group rules. Once connections are established, they persist even if rules change. Learn how this impacts security, illustrated with EC2 instances and penetration testing scenarios.
Dive into "CI/CDon't", an AWS/GitLab-themed CTF where you can test your security chops on vulnerable infrastructure. Deploy it using Terraform and explore fun, low-difficulty CI/CD challenges. Remember, it's in your AWS account, so handle with care! Check it out:
Learn how to bypass AWS GuardDuty's Tor Client detection on EC2 instances without triggering alerts. By leveraging Tor bridges and using obfs4proxy, you can connect discreetly to the Tor network, maintaining privacy while avoiding unauthorized access warnings. More details here:
New on @hackingthe.cloud, did you know that attackers can prevent you from kicking them out of your environment in certain situations? Eduard Agavriloae shares his research on how attackers can nullify containment attempts!
hackingthe.cloud/aws/post_exp...
Lambda's environment variables hold IAM credentials that attackers can target via file read and SSRF vulnerabilities. They can also extract event data using SSRF exploits. This blog explores practical techniques for exploiting these vulnerabilities in Lambda functions.
Public AMIs can reveal AWS secrets! If you have an account ID, you can use the AWS API to find these AMIs and launch instances to look for sensitive data. Manual and automated scanning can help find credentials, but remember: curiosity must come with a conscience.
Explore Google Cloud Security with GCP-Goat! This tool offers hands-on scenarios for testing vulnerabilities in GCP services like Compute Engine, SQL Instances, and GKE. Enhance your security skills by diving into realistic attack simulations. Check it out!
Explore how Azure Storage's anonymous blob access permissions can expose file data without authentication. Learn about the security implications of Container Access permissions and how attackers can exploit them to access files, complete with a practical example and steps.
Ever wonder how attackers discover valid Google Workspace emails without authentication? Learn about this technique using Quiet Riot and the potential implications for password spraying attacks and AWS Root User testing. Understanding these tactics is crucial for cloud security.
Explore unique GCP security strategies with us! Learn about project hierarchies and how policy constraints can enhance security but remember, most aren't retroactive. Dive into scenarios and constraints that shape your cloud environment securely. More insights here:
Ever worried about detection when using AWS CLI from specific Linux distros? Modify the User-Agent string to bypass GuardDuty alerts. Our blog dives into using Burp Suite for this, ensuring you leave no suspicious trails. Take control of what your requests reveal. Read more: buff.ly/ycJiEvz
Exploring Lambda persistence? Our latest blog reveals how to establish persistence on AWS Lambda after gaining remote code execution using Python and Ruby runtimes as examples. Learn how to backdoor runtime files effectively while keeping things "warm." Check it out here:
Deleting compromised AWS IAM keys might not be enough! Attackers can use `sts:GetFederationToken` to create temporary access credentials. Explore this technique and learn defensive measures like monitoring and using a "DenyAll" policy. Stay one step ahead. Read more: