Episode 69

Cloud Hacks with Carlos Polop

EPISODE SUMMARY

The cloud has allowed users to access resources remotely and remain connected, but it also can pose a big security risk, especially when migrating on-prem to cloud infrastructure. Carlos Polop returns to the podcast to discuss security flaws exploited by hackers that might catch you by surprise, plus, the best practices for risk mitigation recommended by cloud pen testers.


Hello from Cybrary and Delinea, and welcome to the show. If you've been enjoying the Cybrary Podcast or 401 Access Denied, make sure to like, follow, and subscribe so that you don't miss any future episodes. We'd love to hear from you. Join the discussion by leaving us a comment or a review on your platform of choice or emailing us at Podcast@Cybrary.it. From all of us at Cybrary and Delinea, thank you and enjoy the show.

Joseph Carson:

Hello everyone, welcome back to another episode of the 401 Access Denied podcast, brought to you by both Cybrary and Delinea. I'm the host for the episode today. I'm Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea, and it's a pleasure to be here with you. And I'm really excited we have a returning guest for today's episode and a very, very fun and exciting topic. I'm so excited to have Carlos Polop back on the episode. Our previous episode basically skyrocketed. It was amazing, the number of listeners. So, they really enjoyed it and hopefully we're back to bring them more fantastic content. So Carlos, welcome back to the show. Just give the audience a bit of an introduction of who you are, what you do, some of the fun things you enjoy doing and some of your passions. Kick it off, go ahead.

Carlos Polop:

Sure. Well, thank you for having me here again, it's very exciting. I really love that people liked our previous conversation and I think this is going to be even better because we are going to be talking about more state-of-the-art things. So, about myself. I'm currently a practice manager, team lead in cloud and infrastructure pen testing at Halborn, a little Web3 company. I'm the guy that has been reading and writing HackTricks and HackTricks Cloud, and PEASS. I love CTFs; in general I dedicate most of my free time to cybersecurity. It's something I really enjoy, how to break things, how to hack into things and learn how all kinds of things work, because at the end cloud is not so much about breaking but about understanding how everything works and is connected and how to abuse the features.

Joseph Carson:

Absolutely. And just as you mentioned, I pretty much do the same. I'm literally in between; I'm actually doing a CTF over on my other machine at the other side of the room here, so I'm actually taking a break from CTFs at the moment. But absolutely, it's one of the things I love, learning, and when I think about hacking itself, it's almost like a reverse escape room, where in the escape room you're trying to get out of the room and for us it's like we're trying to break into the room. It's a reversed puzzle. So, you've got this room and you're always thinking about what are all the ways we can get into it? So, absolutely, for me it's always exciting.

And the previous topic that we covered really in depth was all about different types of privilege escalation, whether on Windows platforms, on macOS, on Linux and Unix platforms. And we talked a lot about some of the different tools that we use in order to do enumeration. And we covered a lot of the PEASS suite as well, which is fantastic, which is great for that quick automation; it's about really getting that visibility. So, today's topic is really getting into thinking, "Okay, let's extend further." Cloud has been a big digital transformation for many organizations. We're talking about digital transformation, but they've been using it for years; even if you just do a Google search, you have to think about that as a cloud service. But they're starting to host more of their applications and more of their infrastructure and consume more cloud services, and it's getting very, very complex.

And what I've seen is that the challenge is, as organizations do that digital transformation, they're trying to retrofit the security they've done on premise and push it to the cloud. And unfortunately, the security that provides is not really native, and they make a lot of mistakes and end up having a lot of things open. So, what we really can look at is, what are some of the techniques and steps across a lot of the cloud providers, what do you see as some of the common ways that attackers look to gain their initial access? So, let's start with the initial access in the cloud platforms. Where are some of the go-to places that attackers will look for, and even pen testers would be looking for, just to get that foothold? What are some of the starting points that you see?

Carlos Polop:

Actually, it's very funny you are asking me this because last week I was preparing a talk about entry points in cloud, because there are so many and people always talk about the main ones. Obviously, the main entry point that everybody is going to know about is an open bucket where you can find sensitive credentials, where you can maybe write and change some JavaScript file, where you can just steal credentials. That's the main one. But there are hundreds of them.

The one that I have found that is the most worthy, the most profitable one, is going to be searching for leaks in GitHub, in GitLab, in any kind of code repositories, because, well, it's very, very easy. You can just run Gitleaks, Trufflehog. Actually, I just released a tool where you can just put the organization name and it will run both tools over all the repos of the organization and public workers of the organization.

Joseph Carson:

Okay.

Carlos Polop:

It's going to be finding things. And this is very fun because the main misconfiguration I find in the clients whose cloud I check is that they are assigning too many permissions to users, to keys. So, every time you find a key, you know you are highly probably going to be able to do fun stuff. But again, I don't want to focus on these two main things, which is what everybody knows about, because there are plenty of ways to enter a cloud environment. For example, there was a very fun research investigation, I think it was in 2020, about AWS Cognito. Cognito is just an identity provider that is going to allow you to give AWS credentials in your account to users that just log in, potentially in just a web application.

So, it's pretty weird because you are saying, "Okay, you can log in and you are going to have IAM credentials in AWS." It's made for easy applications, I think, where maybe you want to give each user access to a bucket so they can store their information in there or retrieve it, or to some web database where they can save their data. But actually, in this research you can see that most people were giving a lot of access to EC2 instances, to S3 buckets, and in some cases you didn't even have to have a user because you can give an IAM role to unauthenticated users. So, you just go to the web application, you check that it is using Cognito, you can see that in the source code, and you say, "Okay, I'm an unauthenticated user, give me my IAM role."

It is going to give you some temporary credentials and you are there. It's stupid, but you can even go farther with this because by default, if you are using a User Pool in Cognito, by default you're going to allow people to register themselves. And there is another IAM role for authenticated users. So, you can get the unauthenticated IAM role, create a user, confirm it and get the authenticated IAM role. And now you have two roles in an account and mostly you can do anything.

Joseph Carson:

It sounds like security's turned off for most cloud proprietors.

Carlos Polop:

Yeah, exactly.

Joseph Carson:

That's so scary. One thing that I always hear about is security by design, and I'm thinking, "Oh," but I think what we're really seeing is that they might have security by design but it's not turned on, they're not using it, and it's almost like using default policies and not really thinking about the configuration you do. So, it sounds like a lot of that initial access, that first foothold, is from a lot of misconfigurations. I think one of the things that you mentioned was people's personal GitHub repositories: they might even be doing work for organizations and leaving some of the organization's credentials stored, but then there are even personal GitHub repositories that might be public facing.

Version control, where basically maybe they used credentials in older, earlier versions that they've checked in or compiled and ultimately not removed and cleaned up. And ultimately, if you can go and look for previous versions in the repository, you might be able to find some credentials that might be lurking in some of the older versions. So, it sounds like the initial access is an easy step, which gets really concerning. So, when attackers are targeting, what are some of the roles that you want to get when you're looking at cloud infrastructure? Are developers primarily the top target, or is it infrastructure administrators, or is it just business users? What would be the roles of people that tend to be the ones that might be targeted for that initial access?

Carlos Polop:

Well, obviously the role I always love to have is administrator. If you can have administrator, you can be organization administrator; obviously the name depends on the cloud, but there are always administrators. If you can get there, you are going to be awesome. Actually, in red teams, if you cannot find any of these stupid initial accesses, or even if you find some buckets but you cannot exploit them further, one thing people usually do is learn about the company on LinkedIn, find out, as you said, who are the developers, who are the system administrators, who is working in IT, and try to send some spear phishing to those, because these are the guys that most probably have access to this administrator role.

But actually, you don't always need these roles. I don't know the name in Google Cloud, I think it's called editor, and in Azure it has another name, I don't remember now, but they're called traditional roles. So, all these main cloud environments have this, all of them; no, I think AWS doesn't have them anymore. So, they have these three initial roles, which can be summarized as administrator, write and read. So, in order to make it easier at the beginning for people to use cloud, they just had these roles, they didn't have granular permissions like now. So, these roles still exist and they are given by default to certain service accounts, to certain bot accounts, they call them this way. And if you get this write, let's call it write role, you are going to be able to actually escalate to administrator.

So, it's stupid because you are still supporting some roles that are supposed to be like, "Okay, with this you can use it but you cannot manage permissions." But it can actually give you the permission to manage permissions. So, that's a very, very easy privilege escalation. So, even if at some point you cannot get admin directly, you are going to have these traditional roles that you can abuse. And in case you don't have these traditional roles, there are others. Because clouds have thousands of permissions, you might be able to get some other permissions that, combined together, let you do things like, "Okay, I'm going to launch an EC2 instance and I'm going to attach this IAM role, then I'm going to get the metadata and then I'm going to privesc."

Well, there are tens, thousands, well, thousands probably not, but there are tens of services that are going to allow you to exploit your permissions to privesc. So if I have to choose, I will say admin, but actually if I want to be stealthy, I won't grant admin to myself. I will find some sketchy, difficult-to-find path to get to admin that I know I can exploit. But probably the IT guy doesn't know that you can exploit it to privesc.

Joseph Carson:

Yeah, absolutely. Again, it's the combination between staying stealthy and not creating any noise, because ultimately that's what attackers want to do. They want to get the access. So it's walking the walls and finding those low-hanging fruit that are not used that often, that are not being frequently monitored at all, and finding those ones that they might think are low impact or low risk but ultimately give you a lot of permissions and privileges. And another thing is APIs. I've seen a lot of cloud APIs that are publicly facing, in order to use them for, let's say, communicating with other cloud infrastructures or on-premise. Do you see APIs being abused that often also in cloud infrastructure, or is that something that isn't?

Carlos Polop:

What do you mean?

Joseph Carson:

If you have services, and again an API that you're going to call, let's say, for integration, retrieving data, that may not be configured correctly or that might expose too much information.

Carlos Polop:

I mean, it's always going to depend on how the API is configured, who can talk to it. In this case I think we are talking about defending a REST API; that is going to depend obviously on which permissions this REST API has inside the cloud. But what I have seen between connections is that a different cloud and on-premise service is going to be trusting the cloud and the cloud is going to be trusting this on-premise service, and this is actually happening a lot in Azure, where Azure AD is going to be trusting on-premise AD and on-premise AD is going to be trusting Azure AD, and there are ways you can abuse this trust. You just compromise the other one. So it's fun. I'm not very much into the Azure world.

I have been investigating and researching more AWS and GCP, but I definitely know this: it's funny that we have been experiencing like 10 years where each year some zero day is happening in Active Directory that is going to compromise the whole Active Directory. And instead of Microsoft saying, "Hey, we are going to stop this, now we have Azure AD, now we have this that is completely separated from Active Directory, it doesn't have the same vulnerabilities," they say, "Okay, we are going to do that and we are going to firmly trust that an administrator in Active Directory should be administrator in Azure Active Directory."

Joseph Carson:

Yeah, the pulling and synchronizing, and ultimately if you can get access to one, you can wait a while for that sync to occur and get access to everything. It's just waiting.

Carlos Polop:

Exactly.

Joseph Carson:

So once you get in, let's say okay, we've got some roles and maybe we've compromised somebody's AWS configuration file or git repository, what are some of the ways that you would then, let's say you've got that initial foothold, what are some of the things you would do for enumeration? What would you be looking for for the next step? Would you be looking to try to add permissions to yourself, or would you still be looking for keys or services that allow you to create, as you mentioned, you might be creating pods and nodes in Kubernetes, or you might be able to create virtual machines or create different accounts? What would be the steps you'd be looking for from an enumeration perspective once you've got that initial foothold?

Carlos Polop:

I think that enumeration is going to heavily depend on whether I am doing a white box or a red team, because obviously you can be more noisy in a white box than if you are doing a red team. I think that in red teams you need to be careful with each action you are doing. You cannot use automated tools, you definitely cannot use that. And for example, if you steal some metadata token from a necessary rev, you need to know that, for example, in AWS GuardDuty is highly probably going to be able to catch you. So you should be dumping also the network ranges that it has been using.

You need to launch your own VPC in order to mimic the same situation, so GuardDuty is not going to be saying, "Hey, someone is using internal metadata credentials in some external place." So you always need to know which alerts you could be triggering in order to be stealthy, but also, as I have already said, all the clouds have tens or thousands of services; it's very complicated to list all of them. I think that the first thing I will try to do would be to check the main services, S3, EC2 maybe, because I know this is not going to trigger any alert, everybody is checking this.

Joseph Carson:

It'll be too much, it will be too much noise, I think, to be able to see anything. That's the problem.

Carlos Polop:

You got your organization compromised because you checked S3? That's not going to happen. And if I have the option, I will also try to check IAM: if I can list roles, if I can list users and if I can list federation integrations, that is going to be awesome because I know who I need to attack, how I can privesc if I can. But actually, this is fun, this is right in AWS, but then you go to GCP and it's a totally different movie, because for some reason they decided that there isn't going to be an IAM service. There aren't going to be some policies where you have a role and you cannot know where you have access, what you can do or whatever. You need to have the list IAM permissions on each resource to know who can access that resource.

And that's the fact: either you check everything and you try to check all your permissions over all your services, or you're not really going to know what you can do. So in AWS you can say, "Okay, I want these three roles that allow me to list privileges, list permissions and list users," and I know what is happening. And in GCP you will be asking, "Okay, I need editor role in the whole organization to be able to list everything," because if not, you just don't know what you can do.

Joseph Carson:

Sounds like in GCP you're going to have less visibility as well, if you want to audit yourself. So to your point, if you want to do an assessment of yourself, you're probably going to find it very difficult to get that granular understanding if you are only going to be able to see the permissions of your own role and not be able to expand further. So it does sound like there are benefits and negatives there of not having at least the transparency of your own environment.

Carlos Polop:

I completely agree. Actually, in my previous role I was asked to do exactly that task. They told me like, "Okay, we have GCP, we need to do some security audit, we need to limit privileges, know what is happening, who can do what." So I started learning about GCP because I didn't know anything. I started learning about enumeration and I found that I cannot just dump IAM policies and roles and users like in AWS and just check who can do that. I need to go to each service and say, "Hey, can anyone do anything here?" And they would tell me, "Yes, this guy can do this." And that's why I developed a tool called Purple Panda, which is actually going to be doing this in GCP. I configured things like 20 services or something like that, and it's going to be going through all of them asking for permissions, and then it's going to do something similar to BloodHound.

It has some intelligence and it has the set of permissions, and if you have this permission and this permission, you can impersonate this. So you are going to find a graph telling you who can attack, who can impersonate other users, other service accounts, other privileges in order to escalate. So this actually helps me a lot when I need to do a white box; it's incredibly less painful. But if I need to do a red team against GCP, I will need to take more time to enumerate everything by hand and read as much documentation as you can find about how the client has architected the cloud.

Joseph Carson:

Sounds like it's much easier for attackers to stay stealthy and hidden in GCP just because of that complexity. So with Purple Panda, how similar is it to things like Pacu and other types of enumeration tools? What other platforms does it support as well that you can also enumerate? And where are you going? What are the next stages with Purple Panda? Because for me BloodHound is fantastic, being able to just basically run it against an AD, get a bunch of collectors going from some standard nodes, and be able to do basically graph theory and visualizing, start really understanding what I can write to, whom I'm a member of, who I need to get to in order to get the domain administrator. So really looking at all those different areas. How similar is it? Is it, let's say, your BloodHound for cloud? Is that what it is?

Carlos Polop:

That's what I would love it to be. So you mentioned, for example, Pacu. There are other enumerators: we have ScoutSuite, we have upload exploit, Steampipe. Well, several of them. It's different. It's different, for example, from Pacu because Pacu is mainly done to enumerate a little bit and then attack. Purple Panda is not made for attack. It doesn't have any exploits, any payloads. It's just for enumeration.

Joseph Carson:

Enumeration.

Carlos Polop:

And it's different from other enumerators because I think other enumerators are focused on things like the CIS benchmark, AWS best security practices. They are going to be doing these checks. And I want Purple Panda to be focused on red teams. Let's find things that you can actually exploit. Not like, "Oh, you don't have this encrypted." Well, the red team probably doesn't have any kind of access, so it's indifferent if it's not encrypted. But my idea is to find the things you can attack and, like you said, the BloodHound of cloud, because I don't want Purple Panda to be a tool where you have AWS, you launch it, you have GCP, you launch it. I want Purple Panda to be able to launch in the same session and then find ways.

Joseph Carson:

Find the path between clouds.

Carlos Polop:

To go from one to another. Yeah.

Joseph Carson:

Which is what we were talking about earlier: in traditional environments lateral movement was going between applications and servers. It sounds to me, when I look at cloud and you look at hybrid cloud and multi-cloud, I mean, no organization is very much stuck in one cloud environment. You have to have multiple. You have SaaS environments, you have either AWS or Azure or GCP. You have little bits and pieces all over the place. And to your point, it sounds like lateral movement in cloud is actually going between clouds, and if Purple Panda is going to be able to show the lateral movements, not just between domains like BloodHound would show you between the forest and domains, but also between cloud providers, that would be impressive and hugely valuable, because that's a big area of risk right now that organizations don't have visibility into.

Carlos Polop:

Nobody has this visibility. Actually, people don't even consider it a risk. When they consider security, they consider the security of AWS or GitHub, and then if you have some integrations they are not going to care about it because, well, it's trusted. But actually, that's the main way to compromise an organization. You get some credentials somewhere; from these credentials you find more credentials, let's call them GitHub secrets. Then you go to the other cloud, you find that, I don't know, you get credentials for GCP and you find that you can actually write in a bucket that is containing, I don't know, Docker images in AWS, and then these images are being run in EKS and this EKS has some AWS role. So you start at GitHub, you are now administrator in AWS. You can just pivot through clouds, and that's pretty funny.

That's what I wanted Purple Panda to be. The thing is that the bigger Purple Panda gets, the more complex it becomes. So I want to continue with the project, but it's been a real challenge because every time I want to add something else, I need to think about what was before, how it can be connected with everything, and, well, it's complicated at the moment. At the moment it's true that it is already supporting GitHub, Kubernetes, GCP, Concourse and something else, I think. So you are going to be able to find, actually, you're going to be able to find a path that I love a lot, which is: you can bypass branch protections in GitHub.

Joseph Carson:

Okay.

Carlos Polop:

From GitHub, this is going to be run in a cloud function in GCP that is going to have some credentials from GCP, some service accounts. Let's say that this service account has access over a GKE Kubernetes cluster inside GCP, so you can access the Kubernetes cluster, and from the Kubernetes cluster there are easy ways to give it other GCP permissions, so you can escalate in GCP through GKE.

Joseph Carson:

It's quite scary, that's quite scary when you think about it. Being able to basically find all of those relations and all of those permissions and literally jump between cloud providers, and show you basically, all of a sudden, as you mentioned, you start in the GitHub repository and all of a sudden you find yourself basically going through different cloud providers and ultimately maybe into the organization's critical infrastructure. And even today you could think of organizations which are doing even IoT, or even cloud service providers that might be managing many different organizations, where all of a sudden you can find yourself with a lot of power and control.

So I don't think organizations are really thinking about the security from within. It's going back to that same old traditional security where you're always thinking about protecting the firewalls and the entry points, and I think organizations have really moved to thinking, from cloud, it's all about the entities and access, but not really thinking about once you're inside a cloud, what can you then do once you're inside that infrastructure environment, where can you move to? I don't think organizations have really gone to that consideration from a security perspective.

Carlos Polop:

People, I think, just, well, first of all I think there is a lack of cloud professionals. A lot of people I have met, everyone that I know, is going to tell me that they know about cloud because they know how to create an account in AWS or run an EC2 instance. So they know cloud, but that's most of the current cloud professionals; they don't care about how can I isolate, how can I improve the permissions in IAM. They are going to just be putting wildcards everywhere. This Lambda has access to this secret? Okay, it can read now every secret. Or this is essentially something I found: they have a role called Lambda read secrets because it's called Lambda read secrets.

Every Lambda is going to have that IAM role even if it doesn't need to read secrets, because they created that role for Lambda. So it'll be in all Lambdas. People are not focused on security in cloud at the moment. They just expect it to be secure. They just expect that because it's kind of confusing and difficult and it's complicated to follow all the links, nobody's going to attack that. And I guess what they need is just to improve, to be more mature about cloud, to learn more from experience and to be lucky that nobody's going to abuse that before they learn from their mistakes.

Joseph Carson:

Absolutely. When you're talking about the skills and resources, you're absolutely right, the cloud skill set is so thin and very lacking. And even if we do have skills, I mean from my knowledge as well, I've got okay knowledge in Azure in specific areas, not from the networking perspective but definitely within identities and access, the traditional AD kind that you're familiar with. When I move across into AWS, you can get by with some of the terminologies, which are very similar, but it's a very different setup. So for me to move from Azure to AWS, I get confused and I have to go back and start reading a lot again and start learning and trying to understand what the terminologies are and how it's structured and what roles, because even if I'm given a specific role or a service, it may be very different from what I'd be used to in Azure.

So it's very rare that you might get somebody who has all of that knowledge. So it sounds like even if you are utilizing multiple clouds, you're going to have to have a large amount of knowledge and resources that need to communicate very well together, that need to be collaborating and working. And I think from a security perspective, organizations are going to become very dependent on cloud red teaming and purple teaming. I think that's where organizations are going to realize that they will not be able to do this alone and they will have to go to definitely skilled resources who do this as a specific role. So I think cloud pen testing and purple teaming and red teaming and all the other colors of teaming that are being introduced. I don't know if we're going to have a new term for cloud teaming, but I don't think that organizations are ready; they're going to need help.

I think they're going to need to go and start looking at whether it's getting into tools like Purple Panda that will do automation, because absolutely, when we're talking about pen testing, you definitely prefer to do things manually because you don't want to be alerted on. But as an organization I would definitely go and run BloodHound to try and find the risks in my Active Directory. I would go and run the PEASS suite to find my misconfigurations on some of my critical operating systems. So as a defender I would want to do automation to get that visibility. So I think this is where organizations are going to become very dependent on a lot of the automation tools so they get that visibility. So I think what you're doing is definitely going to be a useful combination of, one, getting that visibility and finding out can you attack or get from one cloud to another and exploit infrastructure. I think this is going to be crucial.

Carlos Polop:

Actually, about that, as I told you, it's complex to maintain a program like Purple Panda working in all major cloud providers, all major SaaS applications. But that's also why I have released the new HackTricks Cloud, just in the cloud domain, because actually if I cannot automate it, at least I'm going to be writing about it. So if, for example, you manage to compromise a GitHub, I have a GitHub section about, okay, you can attack this and this, you can check GitHub Actions, you can attack a self-hosted runner, you can steal secrets, you can bypass branch protections.

If you manage to compromise Kubernetes, and if you manage to compromise obviously AWS, GCP, Azure, I try to condense all the information I found from the community and all my research in this book. So even if you still don't have Purple Panda for your current application, you still can see how it can be attacked, you can learn about it, you can improve your security posture. Actually, HackTricks is not just about hacking and attacks. It has a lot of basic information so you can learn about what you are doing, to later understand the attack. It doesn't make any sense that I'm going to tell you, "You can privesc in AWS with these roles," if you don't even know what a role is.

Joseph Carson:

Absolutely. Are you doing the same thing you did with the previous PEASS? Because what I love about things like WinPEAS, LinPEAS and the whole PEASS suite is that you link it back to the original Hacktricks documentation and exactly what it's doing and how it's doing it and why it's doing it. Is Purple Panda having that same back link into, for example, the cloud Hacktricks? Will you be able to see, well, this part of Purple Panda is doing this and here's where you can go and read that documentation to learn more about it in the cloud Hacktricks, for example? Is that something that you're looking to do?

Carlos Polop:

It's actually something that is done. So when you see the graph of Purple Panda, you're going to find these privesc relations. If you click on the privesc relations, you will be able to see a summary. And the reason is, for example, going to be something like: you have wildcard permissions over these resources, so you can impersonate this other user. It's also going to put in more information and a link to Hacktricks, where you have the actual technique you need to exploit and why this is working in Purple Panda. So you also have the links to dig deeper about what is happening and how to use it.

Joseph Carson:

Fantastic. And I've seen that you're still using Neo4j, was it importing the CSVs and building it out? Looking at what's the next steps, is it working more on the visualization or working more on actually the supporting platforms?

Carlos Polop:

I have a personal problem with that. I need more people. That's the personal problem. So I'm pretty bad at creating GUI applications or creating anything related to design. Actually all the logos, the PEASS logos, Purple Panda logos, Hacktricks, my girlfriend made them. I don't do that. I'm hopeless at design or drawing. So it would be awesome if someone would be interested in creating, I'm thinking about two possibilities: creating a new application for Purple Panda to visualize all the graphs easily, or migrating Purple Panda to, instead of storing things in Neo4j, store them in a zip and use the visualization of BloodHound in order to check the relations and in order to have some queries to run.

Basically copy BloodHound and check Purple Panda in there. But I'm quite limited in time at the moment. That's why I'm writing more about my research instead of programming more. But if people get some interest in this, I would love to have some help in the visualization, because I understand that if you haven't created Purple Panda, it's going to be complicated for you to see all those graphs and get the most out of them.

Joseph Carson:

Absolutely. So for the audience, if you're into basically doing visualization and graphical design, reach out to Carlos. We'll make sure Carlos's contacts will definitely be in the notes, the footnotes of the podcast itself. So we'll definitely make, I mean Carlos, you're easily findable even through the Hacktricks website as well. So your contact details are there. Another thing, on the expertise side, looking from a modular perspective, for others who want to contribute to Purple Panda, is that something you're also considering, to get others who maybe have specialized in another cloud platform to contribute?

Carlos Polop:

Yeah, yeah. I'm interested in all kinds of help. There are some fixes I need to do. Obviously I want to integrate AWS, Azure, other SaaS applications such as GitLab, potentially Cloudflare, even Datadog, I don't know, you can get some interesting information from there. I welcome any help. So if you are very knowledgeable in Azure, I will appreciate it. If you want to contribute to Purple Panda, at the end it's easy, because you just need to create some kind of library to contact the API. Then you create the code to download the main resources: virtual machines, keys, secrets, Lambdas, anything that is interesting in the cloud environment, and then the IAM roles. And then you just define in a file the permissions you need to privesc and where you want to privesc. And Purple Panda is going to create the graphs, the relations in Neo4j.

Joseph Carson:

So ultimately what we're doing is similar to BloodHound creating collectors; it's ultimately the same concept to go on and create those collectors. So we'll actually make the calls, get the data, put it into a zip or CSV and therefore you're going to import it, as long as it's in the right format. And what's next? I mean you're also getting a lot of sponsors. I guess sponsoring Hacktricks is also a good way to contribute to this as well. I did see that you did open that up and there's a lot of great sponsors that have been on there.

One of the things that I'd like to, from a, let's say a defending perspective: what things can organizations do to reduce the risk against privilege escalation in cloud environments? Because it does sound like it's a matter of searching and enumeration. That's what it sounds like. It's a lot of enumerating, looking for where the tokens are, looking for where the secrets are, looking at what roles, what permissions you have, what you can do. What can organizations do to have better visibility, in addition to running things like Purple Panda in their own environment and finding those? But what security controls can make it more difficult for attackers to be successful?

Carlos Polop:

Well, there is a very successful security control, that is hiring me through Halborn.

Joseph Carson:

Okay. Hiring you, which is, I think when we get into it, I mean that's probably definitely a great direction, getting the knowledge. I'm not sure that would be scalable in the long term.

Carlos Polop:

Exactly. That's true. No, yeah. Well, I think that the main way is to know your environment very well, to try to isolate as much as possible different environments. If an EC2 instance doesn't need to be talking with a database, just don't put them in the same VPC, don't put them in the same sub network, don't allow any interaction. Be always very careful with IAM permissions, and there are a lot of tools, paid tools, free tools, and I think even AWS has something that is going to tell you, hey, this role or people using this policy never used this permission, remove it. This is very interesting, because you can easily know, yes, if you have a history with your cloud, which permission you can just remove that is not going to affect anything because nobody ever uses it. So this is very useful, and obviously the main things are: understand your entry points, understand who you are giving access to, which access you are giving.

Remove everything that is not needed and always check for leaks. I don't know why, it's stupid, it's super easy, but companies just don't do it. Just check for leaks in public repositories. What I recommend, for example, if you're using GitHub, is just to have some GitHub Actions that, before allowing a merge, are going to run Gitleaks or TruffleHog. Something that is going to use some stupid regexes to find if you're leaking something. And if you are, it will prevent you and it will tell you, hey, please remove the commit, do a new one and remove this sensitive information. It's super simple and it's super dangerous if you don't do it.

Joseph Carson:

Yeah, I think in addition to what you've been saying today, I've also got two things in my mind. One is how to determine where you've got default configurations: flagging anything that's default settings would be something suspicious to look for, because typically the defaults are going to be something that has open everyone access. So I think looking where you've got default configurations or policies applied, and I think not only looking for the entry points, maybe you've got public facing web applications or APIs or that's linked into GitHub repositories or whatever it might be. But I think it's also then thinking about those lateral moves as well, not just about what's public facing but also where you've got trust between clouds and applications.

I think that would also be another area to make sure that you're hardening and making it much more monitored, collecting logs and auditing and seeing where potentially there's lateral moves happening between those cloud environments. Because they may not be public facing, but actually they could allow attackers to jump between those different instances. Absolutely. So what I'm thinking is like, yeah, it's not even just thinking about your entry points from the public side but also across different environments and platforms.

Carlos Polop:

About that. Actually, I have in my to-do list a check to do, because yesterday, actually yesterday, I found something very, very interesting. I was reading about AWS federation, the correct way to allow some CI/CD pipeline to have some kind of role. AWS is not generating some keys and giving you the keys; it's by allowing OpenID Connect, OpenID federation. And the thing is that you are going to say, okay, I want you to allow this. Usually it's identified by a URL that is containing the information about the certificate that, in what I was checking, the GitHub Action is going to be using. So you're going to be giving this token.github.com URL.

You configure everything. And I noticed something very curious, and it's that in order to allow a GitHub repository to access your role, you need to specify in the conditions the name of the organization and the name of the repo. So I was thinking, first of all, what happens if, and I need to check this, and if it works this will probably be some CTF I will be creating. What if you don't put the name of the organization or the name of the repo? Anyone that knows the name is going to be able to access. Or what happens if you allow a repo that then gets deleted and another person in the organization creates it and abuses it?

Joseph Carson:

Oh okay.

Carlos Polop:

This kind of trust is also generating new potential attack vectors.

Joseph Carson:

Yeah, it sounds very similar to the WiFi SSID names, where you have basically just replicated and have overlapping SSID names. You can basically steal people's connections, and it sounds very similar to instances and namespaces. If you can duplicate it, then all of a sudden you get someone to talk to you versus what they should really be talking to. And that could start releasing or sharing sensitive information if there's data being shared through that. So absolutely, it sounds like an interesting path to explore for sure.

Carlos Polop:

I was checking it and writing about it in cloud Hacktricks.

Joseph Carson:

Fantastic. So Carlos, it's been awesome having you on again. This has been a fantastic conversation. I'm really excited to see where things are going, and absolutely I think for organizations and anyone out there in our audience, there's a lot who are into pen testing, they're into security and defending, getting visibility. And I'm pretty sure a lot of them have very complex cloud environments that they're already struggling with. So hopefully this will give them a lot of value into really starting to understand their environments more, understanding where the risks are, what things they should be looking for, potentially trying to hire you and your organization and starting to use Purple Panda. You might be getting a lot of calls coming through after this episode goes out. For people who are really getting started here, what would be your thoughts? Where should they start at this point? Just as final thoughts and notes when it comes to cloud?

Carlos Polop:

So for people that are starting, and I guess that's a lot of people because cloud is getting more and more and more impact, I will tell two main things. Probably the first one is that cloud isn't complex. You just have a lot of things to understand. But it isn't complex. In general, it doesn't have math, it doesn't have cryptography. You don't need to reverse, you don't need to create an appropriate exploit. You just need to understand a thousand things. You just need to understand how everything is working and how you can abuse it.

So for people that are starting, at the beginning you might not like it, because you see yourself learning about this service, about this other service, about this other service, and you're not going to see any final point. But at some point you are going to have a big picture of how everything is working, and that's how you start understanding how you can start abusing permissions and roles and paths, like in Purple Panda, across clouds and SaaS providers. And the other thing that I want to comment is that if everything goes correctly, I will be starting a YouTube or, I haven't decided yet, Twitch channel.

Joseph Carson:

This is going to be interesting.

Carlos Polop:

What I want to talk about mainly is pen testing, cloud and testing SaaS applications. But I will also be talking about CTFs, potentially interesting web challenges, which I like, and cybersecurity news in general. So if you want to learn cloud, I guess you can use obviously cloud Hacktricks and take some challenges.

Joseph Carson:

Yeah, we should get together. I've been thinking about it: if you're going to be doing a YouTube and Twitch channel, we should be doing some live CTFs for some of the cloud environments. I think even Hack The Box has a great one, I think they did the AWS Academy one, and there's a couple of cloud environments that I know they've been working on. So it might be worth doing some live cloud CTFs and seeing how that goes. Because that was good. I always enjoy watching the likes of John and IppSec and going through their videos, and you always get them thinking about what they're thinking about. But absolutely, I think what we're definitely missing is that creative content when it comes to cloud environments. I've seen a few, but I would definitely be interested to see what you're thinking about when you're coming across CTF challenges and what rabbit holes you get stuck in and how you start moving your way back and around.

So I think that's exciting and definitely one for the audience. We'll make sure that when those are made available and you do have your channel out, we'll make it available. And so definitely you can get as many people following and learning as possible, because I think that's the way we learn, by sharing what we do. And that's what this podcast is all about, getting that information out there so people know what resources they can go to, what things they can find, what is interesting, and find their passion ultimately. So that's what we do, help navigate people to finding what they enjoy doing.

Carlos Polop:

Awesome, thank you. Thank you for sharing my YouTube channel and details. I hope to see all of you people there. I'm very excited about creating this channel, and I think we are going to learn some interesting things. I have already prepared a few episodes, if you call them like that, and they're going to be pretty interesting, and as far as I know, I'm going to be doing everything technical so we can learn technical stuff.

Joseph Carson:

Oh, fantastic. That's what it's all about. But I think the important part is that you might be able to learn how to do the commands and what you're doing, but it's the thought process. That's the key. I think when you see certain things, you can work your way back to find out how you can segue or move around. So it's always that. I think that's the exciting part, and I think you've got a lot of interesting knowledge and experience and lessons to share from that side. So I'm really excited about seeing when it gets out and trying, if you are doing some of the capture the flags, I enjoy following along and trying it myself. So I'm excited.

Carlos Polop:

Thank you. Thank you. We will definitely do that.

Joseph Carson:

So it's been fantastic having you on the show again. I think this is really valuable and it's going to be a hugely popular episode for the audience. So Carlos, you're awesome. Keep up the great work, and definitely let's make sure that we're learning, ultimately making the world a safer place. So for the audience, the awesome Carlos Polop has joined us again, with his fantastic PEASS suite and Purple Panda and whatever other furry animals will come out in the future, I guess we'll be waiting to see. So again, this is the 401 Access Denied podcast. I'm Joe Carson with special guest Carlos. Make sure to tune in every two weeks, catch up on the latest episodes. Stay safe, have fun. Hack the planet, keep the world safe and enjoy as much as possible. So again, Carlos, you've been awesome. Take care and thank you.

Carlos Polop:

Thank you. Thank you for having me here.