WEBVTT 1 00:00:00.080 --> 00:00:01.960 Welcome to the deep dive. We take a stack of 2 00:00:02.000 --> 00:00:05.839 information and extract those surprising nuggets of knowledge. Today we're 3 00:00:05.839 --> 00:00:09.640 plunging into a truly fascinating and frankly a bit in 4 00:00:09.759 --> 00:00:14.359 settling area that has entirely redefined cybersecurity, hacking the cloud. 5 00:00:15.080 --> 00:00:17.320 Our mission for this deep dive really is to understand 6 00:00:17.359 --> 00:00:20.480 just how profoundly the landscape of digital intrusion has shifted. 7 00:00:20.760 --> 00:00:23.280 We're going to sort of shed the old mental models 8 00:00:23.280 --> 00:00:26.839 of traditional network attacks and instead explore what it truly 9 00:00:26.920 --> 00:00:29.640 means to hack like a ghost in our modern cloud 10 00:00:29.679 --> 00:00:33.280 powered world. We're drawing our insights from Sparkflow's compelling work 11 00:00:33.600 --> 00:00:36.200 how to Hack like a Ghost Breaching the Cloud. 12 00:00:36.479 --> 00:00:38.960 And what's truly fascinating here, I think, is how the 13 00:00:39.079 --> 00:00:42.560 very architecture of cloud computing, and also principles like DevOps 14 00:00:42.600 --> 00:00:45.320 you know, which are designed for efficiency for speed, they 15 00:00:45.359 --> 00:00:48.840 also kind of inadvertently create entirely new classes. 16 00:00:48.439 --> 00:00:50.200 Of vulnerability right new ways. 17 00:00:50.200 --> 00:00:54.079 In exactly, we'll discover how attackers can manipulate core infrastructure 18 00:00:54.079 --> 00:00:57.520 elements from well virtually anywhere on Earth, which is a 19 00:00:57.560 --> 00:01:00.600 stark contrast to the old days of simply mischie hopping 20 00:01:00.640 --> 00:01:03.560 within a physical network a huge change. 21 00:01:04.000 --> 00:01:06.640 So what does this cutting edge knowledge mean for you 22 00:01:06.719 --> 00:01:09.840 listening in? Maybe you're prepping for a crucial meeting, or 23 00:01:09.920 --> 00:01:11.680 just catching up on the field, or maybe you're just 24 00:01:11.719 --> 00:01:14.799 driven by pure curiosity. Well, you're about to get a 25 00:01:14.879 --> 00:01:17.599 unique shortcut to being well informed on the bleeding edge 26 00:01:17.599 --> 00:01:21.719 of cybersecurity. We're going to trace a hacker's sophisticated journey 27 00:01:22.159 --> 00:01:26.040 from setting up completely anonymous operations to taking over critical 28 00:01:26.079 --> 00:01:30.760 cloud infrastructure and ultimately even accessing deeply personal data and 29 00:01:30.799 --> 00:01:34.519 company emails. Okay, so let's unpack this. The book argues 30 00:01:34.519 --> 00:01:37.400 that the entire zeitgeist, the spirit of the times, is 31 00:01:37.519 --> 00:01:41.760 changing in cybersecurity. Why can't attackers just use their traditional 32 00:01:41.840 --> 00:01:44.159 bag of tricks, you know, like a classic sequel injection 33 00:01:44.239 --> 00:01:47.239 attack against these sprawling modern cloud companies. 34 00:01:47.400 --> 00:01:48.959 Well, if we zoom out and connect this to the 35 00:01:49.000 --> 00:01:52.000 bigger picture, it's really about a fundamental architectural shift. Think 36 00:01:52.000 --> 00:01:55.319 about it. Companies aren't typically spinning up physical windows domain 37 00:01:55.319 --> 00:01:58.319 controllers in their server rooms anymore, not usually. 38 00:01:58.120 --> 00:02:00.480 Right, it's all cloud consoles now exactly. 39 00:02:00.760 --> 00:02:06.120 Instead, they're launching databases, dock or containers, even entire identity 40 00:02:06.159 --> 00:02:09.680 systems like active directory with literally one click in a 41 00:02:09.680 --> 00:02:14.439 cloud environment, and this fundamentally alters the attacker's ultimate goal. 42 00:02:14.520 --> 00:02:15.280 It's huge. 43 00:02:16.159 --> 00:02:19.520 It's no longer just about taking control of individual machines. 44 00:02:19.520 --> 00:02:23.800 That's almost secondary. Sometimes it's about gaining control over the 45 00:02:24.000 --> 00:02:27.039 entire infrastructure itself, the control plane. 46 00:02:27.080 --> 00:02:30.000 In DevOps too, you mentioned it's more than just a buzzword, 47 00:02:30.039 --> 00:02:31.520 isn't it. It feels like it changes everything. 48 00:02:31.560 --> 00:02:33.039 Oh, absolutely exactly. 49 00:02:33.199 --> 00:02:36.479 DevOps principles things like infrastructure as code, where. 50 00:02:36.360 --> 00:02:38.800 The whole setup is basically a script precisely. 51 00:02:39.280 --> 00:02:42.240 That and containerization mean companies are in this state of 52 00:02:42.479 --> 00:02:47.000 constant change. They're deploying new code, new applications at lightning speed. 53 00:02:47.360 --> 00:02:49.759 The old it mantra you know, if it's working, don't 54 00:02:49.840 --> 00:02:51.719 change it, that's completely out the window. 55 00:02:51.840 --> 00:02:54.919 Okay, So constant change, more opportunities for. 56 00:02:54.919 --> 00:02:58.199 Mistakes, that's part of it. This rapid evolution means that 57 00:02:58.319 --> 00:03:01.719 vulnerabilities that might have been mind or may be overlooked 58 00:03:01.879 --> 00:03:05.120 in a classic setup, they can acquire what the source 59 00:03:05.159 --> 00:03:09.520 calls lethal potential in the cloud. Your traditional hacker intuition, 60 00:03:09.639 --> 00:03:11.879 which might have served you well in the past, well, 61 00:03:11.960 --> 00:03:14.479 it definitely benefits from some small adjustments. 62 00:03:14.520 --> 00:03:15.879 Let's say to stay effective. 63 00:03:16.080 --> 00:03:19.560 Got a doubt, Okay, So before any actual hacking begins, 64 00:03:19.919 --> 00:03:24.240 the book emphasizes a crucial first step, becoming a ghost. 65 00:03:24.719 --> 00:03:29.039 This means focusing heavily on operational security OPSEC and building 66 00:03:29.080 --> 00:03:33.240 an anonymous, efficient hacking infrastructure. Why is this initial set 67 00:03:33.319 --> 00:03:37.159 up so incredibly vital, especially for real world attackers, not 68 00:03:37.319 --> 00:03:38.319 just you know testers. 69 00:03:38.520 --> 00:03:42.000 Yeah, this raises a really important question about anonymity. It's 70 00:03:42.039 --> 00:03:45.520 critical Unlike professional red teamers or penetration testers who often 71 00:03:45.560 --> 00:03:46.879 have a clear scope, maybe even do. 72 00:03:46.919 --> 00:03:48.960 Over the permission basically. 73 00:03:48.639 --> 00:03:51.960 Right, real hackers, though, they're betting their actual freedom on 74 00:03:52.000 --> 00:03:55.719 their ability to remain completely anonymous. And the source makes 75 00:03:55.719 --> 00:03:59.520 it crystal clear. Even popular VPN services will always always 76 00:03:59.639 --> 00:04:03.319 keep some form of logs, always, despite the marketing, despite 77 00:04:03.319 --> 00:04:06.199 the marketing, and even privacy networks like tour aren't a 78 00:04:06.199 --> 00:04:09.680 magical shield. They have limitations. You have to pay, As 79 00:04:09.719 --> 00:04:12.439 the book says, as much attention to your physical trail 80 00:04:12.479 --> 00:04:16.279 as you do to your Internet fingerprint. Leave no trace anywhere, 81 00:04:17.040 --> 00:04:17.920 so walk. 82 00:04:17.720 --> 00:04:21.240 Us through it. What does this anonymous setup actually look 83 00:04:21.360 --> 00:04:23.920 like in practice? The book gets pretty specific. 84 00:04:24.240 --> 00:04:28.680 It's all about layers, layers of obfuscation. First, an attacker 85 00:04:28.680 --> 00:04:32.399 would likely use an ephemeral operating system, something like TAILS 86 00:04:32.560 --> 00:04:33.800 loaded onto a USB. 87 00:04:33.720 --> 00:04:36.240 Drive fhmeral meaning temporary exactly. 88 00:04:36.639 --> 00:04:40.160 This OS is designed to flush everything away on every reboot. 89 00:04:40.360 --> 00:04:43.639 Nothing sticks, and it forces all Internet connections through tour, 90 00:04:44.000 --> 00:04:46.199 making it incredibly difficult to trace back. 91 00:04:46.279 --> 00:04:47.319 Okay, step one. 92 00:04:47.519 --> 00:04:49.759 Then what From there? They connect to a series of 93 00:04:49.759 --> 00:04:53.839 bouncing servers. These are virtual hosts like vms, set up 94 00:04:53.839 --> 00:04:57.959 anonymously in different locations, maybe different providers. Crucially, these bouncing 95 00:04:57.959 --> 00:04:59.920 servers never directly interact with the target. 96 00:05:00.360 --> 00:05:00.959 That's key. 97 00:05:01.040 --> 00:05:02.079 You're like middleman. 98 00:05:02.079 --> 00:05:06.160 Exactly, secure staging grounds. They host management tools like Terraform, 99 00:05:06.319 --> 00:05:11.240 Docker stuff to build the next layer. The actual attack infrastructure, 100 00:05:11.319 --> 00:05:14.360 the servers doing the real work, is even more fleeting, 101 00:05:14.759 --> 00:05:17.639 used for only a few days maybe, and completely unique 102 00:05:17.680 --> 00:05:20.160 to each operation, then destroyed. 103 00:05:20.800 --> 00:05:25.560 Wow. This level of automation using tools like Docker and Terraform, 104 00:05:26.079 --> 00:05:28.680 it all sounds like adopting a DevOps mindset for the 105 00:05:28.720 --> 00:05:30.000 hacking process itself. 106 00:05:30.040 --> 00:05:33.199 That's spot on it really is. It's about embracing efficiency. 107 00:05:33.519 --> 00:05:36.480 By automating the setup, it becomes much easier to spring 108 00:05:36.560 --> 00:05:40.560 fully configured attacking servers into existence, pop them up, tear 109 00:05:40.600 --> 00:05:43.600 them down, and that significantly reduces the gens of making 110 00:05:43.600 --> 00:05:45.680 critical mistakes when you're operating under pressure. 111 00:05:45.759 --> 00:05:48.560 Makes sense, fewer manual steps, fewer errors, right. 112 00:05:48.800 --> 00:05:50.920 The book gives examples of how an attacker can use 113 00:05:50.920 --> 00:05:53.839 simple commands like Docker, pul potion stuff to grab a 114 00:05:53.839 --> 00:05:57.319 pre built hacking tool, or terraform apply to automatically deploy 115 00:05:57.399 --> 00:05:59.319 their command and control servers their C two. 116 00:05:59.399 --> 00:06:01.279 That's the hacker mission control right. 117 00:06:01.319 --> 00:06:05.480 Yeah, basically where they manage the compromise systems and Terraform 118 00:06:05.519 --> 00:06:09.120 sets it all up even with secure connections, TLS certificates 119 00:06:09.199 --> 00:06:09.680 the works. 120 00:06:09.839 --> 00:06:15.040 Okay, anonymous infrastructure meticulously set up. What's next reconnaissance. I 121 00:06:15.079 --> 00:06:19.199 assume our fictional targets in this deep dive are Gretch, Politico, 122 00:06:19.560 --> 00:06:23.160 a firm specializing in political campaigns, and its close partner 123 00:06:23.399 --> 00:06:27.000 ms r ADS. How do hackers even begin to dig 124 00:06:27.040 --> 00:06:29.759 into these targets in a vast cloud environment, Where do 125 00:06:29.800 --> 00:06:30.399 you start looking? 126 00:06:30.600 --> 00:06:30.759 Well? 127 00:06:30.800 --> 00:06:34.000 This phase is all about what the book calls healthy stocking. 128 00:06:34.120 --> 00:06:34.560 Huh. 129 00:06:34.639 --> 00:06:38.720 It means gathering every piece of public facing information imaginable, 130 00:06:38.920 --> 00:06:42.759 just scooping it all up. The source emphasizes searching platforms 131 00:06:42.759 --> 00:06:47.240 like SlideShare, loogle drives, script document cloud places where documents might. 132 00:06:47.160 --> 00:06:50.079 Leak publicly accessible files they forgot about or didn't secure 133 00:06:50.120 --> 00:06:51.000 properly exactly. 134 00:06:51.040 --> 00:06:54.839 They use specific targeted search engine terms like site dot dox, 135 00:06:54.879 --> 00:06:57.480 c stack, Google dot com, gretch, Politico to uncover these 136 00:06:57.480 --> 00:06:59.120 digital breadcrumbs. 137 00:06:58.560 --> 00:07:01.720 And beyond public document where else can they unearth valuable 138 00:07:01.759 --> 00:07:04.240 clues about their target? Seems like documents are just one piece, 139 00:07:04.480 --> 00:07:05.120 oh for sure. 140 00:07:05.319 --> 00:07:08.920 GitHub is an absolute gold mine, a potential gold mine anyway. 141 00:07:09.279 --> 00:07:11.759 While basic searches have their limits, The real trick the 142 00:07:11.759 --> 00:07:15.560 book suggests is to download entire public repositories related to 143 00:07:15.600 --> 00:07:19.240 the target and then unleash the full wrath of good 144 00:07:19.240 --> 00:07:20.720 old rep on them. 145 00:07:20.839 --> 00:07:24.439 Rep The command line search tool YEP a powerful. 146 00:07:24.040 --> 00:07:26.720 Tool that can quickly search through massive amounts of text 147 00:07:26.720 --> 00:07:30.959 for specific patterns. They'd be looking for sensitive strings like ossicritic, 148 00:07:31.040 --> 00:07:34.279 sess kei, or maybe begin private key, things that should 149 00:07:34.319 --> 00:07:34.759 never be. 150 00:07:34.759 --> 00:07:36.920 In public code credentials just sitting there. 151 00:07:37.240 --> 00:07:40.399 It happens more often than you'd think. They also script 152 00:07:40.439 --> 00:07:43.600 code snippets from public code sharing sites like just dot 153 00:07:43.680 --> 00:07:47.800 GitHub dot com and pastebin dot com. Sometimes developers paste 154 00:07:47.800 --> 00:07:50.959 things there for quick sharing or debugging and accidentally expose 155 00:07:51.079 --> 00:07:53.879 log file extracts or even database extracts hops. 156 00:07:54.199 --> 00:07:56.800 Wow. Okay, so after all this digital slew thing, this 157 00:07:56.920 --> 00:08:00.879 healthy stocking, what did the reconnaissance reveal about Gretch, Politico 158 00:08:01.000 --> 00:08:02.079 and mxr ADS. 159 00:08:02.319 --> 00:08:05.079 Well, the initial SUITEP showed their core service is building 160 00:08:05.120 --> 00:08:09.240 these detailed voter profiles and that they have this incredibly 161 00:08:09.319 --> 00:08:12.959 intertwined relationship with mxr ADS for the advertising side, very 162 00:08:12.959 --> 00:08:13.959 close partners. 163 00:08:13.639 --> 00:08:16.480 Which could be good for business but bad for security exactly. 164 00:08:17.240 --> 00:08:21.199 The book notes this intertwined connection, while profitable, could prove 165 00:08:21.240 --> 00:08:24.720 fatal to both companies if one gets compromised. They also 166 00:08:24.759 --> 00:08:29.759 identified numerous subdomains like Dashboard dot Gretchpolitico dot com using 167 00:08:29.800 --> 00:08:33.399 specialized tools like sublister R and fern Melder, and then 168 00:08:33.399 --> 00:08:36.480 they performed ENDMP scans on those domains to see what 169 00:08:36.559 --> 00:08:39.080 ports were open, what services were running. 170 00:08:38.799 --> 00:08:40.399 Building a map of their online presence. 171 00:08:40.600 --> 00:08:44.840 Right. This whole process ultimately provided over one hundred domains 172 00:08:44.879 --> 00:08:48.279 belonging to both organizations, which, as the book says, offers 173 00:08:48.320 --> 00:08:50.960 a significant luxury of choice for finding a way in 174 00:08:51.440 --> 00:08:52.399 lots of doors. 175 00:08:52.159 --> 00:08:58.200 To check one hundred domains with literally dozens maybe hundreds identified. 176 00:08:58.399 --> 00:09:00.840 How do you even begin to find the ulnerabilities? It 177 00:09:00.879 --> 00:09:03.039 sounds like trying to find a needle in a haystack 178 00:09:03.080 --> 00:09:04.879 the size of a continent. Overwhelming. 179 00:09:05.200 --> 00:09:06.639 It absolutely can feel that way. 180 00:09:06.759 --> 00:09:09.720 Yeah, but the book emphasizes, you know, the more you practice, 181 00:09:09.720 --> 00:09:12.759 the better you will get. Experience counts, and in a 182 00:09:12.799 --> 00:09:16.759 full cloud environment, there are shortcuts. A crucial one is 183 00:09:16.799 --> 00:09:20.879 to reveal the real domains behind public facing domains. 184 00:09:21.120 --> 00:09:21.759 How do you do that? 185 00:09:22.039 --> 00:09:25.960 By looking for cnam entries in DNS records instead of 186 00:09:26.000 --> 00:09:29.159 just the raw IP addresses. A CNME is basically like 187 00:09:29.200 --> 00:09:31.840 a nickname for a server. It lets multiple web adjustes 188 00:09:31.879 --> 00:09:33.720 point to the same underlying resource. 189 00:09:34.039 --> 00:09:36.679 Oh okay, so it reveals the actual service provider. 190 00:09:36.440 --> 00:09:37.480 Sometimes exactly. 191 00:09:37.919 --> 00:09:41.120 This simple step revealed that many msr ADS domains were 192 00:09:41.159 --> 00:09:45.039 actually hosted on AWS using common services like CloudFront for 193 00:09:45.080 --> 00:09:49.080 content delivery, S three for storage, and ELB for load balancing. 194 00:09:49.360 --> 00:09:54.879 Standard stuff, but crucially gretch Politico's own dashboard URL dashboard 195 00:09:54.919 --> 00:09:58.279 dot gretsch politico dot com even pointed to an mxr 196 00:09:58.360 --> 00:09:59.399 ADS domain. 197 00:09:59.200 --> 00:10:01.159 Directly confirmed how tightly length they are. 198 00:10:01.240 --> 00:10:03.919 Yeah, strong confirmation of those deep operational ties. 199 00:10:04.080 --> 00:10:06.480 And what was the big aha moment in this phase, 200 00:10:06.480 --> 00:10:09.399 the critical breakthrough that opened the first real door. 201 00:10:09.440 --> 00:10:13.240 The discovery of vulnerable S three buckets. S three aws' 202 00:10:13.279 --> 00:10:15.600 is simple storage service basically. 203 00:10:15.279 --> 00:10:17.679 Cloud file story right use for everything. 204 00:10:17.399 --> 00:10:20.279 Pretty much now default S three security has tightened up 205 00:10:20.320 --> 00:10:23.039 over time, thankfully, but the book explains that the four 206 00:10:23.159 --> 00:10:28.559 overlapping settings, things like access control lists ACLS, core S configurations, 207 00:10:28.639 --> 00:10:32.399 bucket policies, and IAM policies. It all makes S three 208 00:10:32.440 --> 00:10:33.799 security very. 209 00:10:33.720 --> 00:10:35.799 Convoluted, easy to mess up, them. 210 00:10:35.799 --> 00:10:39.159 Very easy to misconfigure, and for one domain misc dot 211 00:10:39.279 --> 00:10:43.159 mxrads dot com, while directory listing was denied, you couldn't 212 00:10:43.200 --> 00:10:46.639 just browse it using the awscli, the command line tool 213 00:10:46.840 --> 00:10:50.480 to run list objects h V two. While that surprisingly 214 00:10:50.519 --> 00:10:54.440 revealed over four hundred thousand files stored in the single. 215 00:10:54.159 --> 00:10:57.120 Bucket, whoa just sitting there accessible. 216 00:10:56.639 --> 00:10:59.120 Accessible if you knew the command to list them, including 217 00:10:59.120 --> 00:11:01.200 an empty index dot m HTML at the root, which 218 00:11:01.240 --> 00:11:02.799 is often assigned. Something's not quite right. 219 00:11:02.919 --> 00:11:05.600 Okay, four hundred thousand files is a lot, but maybe not. 220 00:11:05.679 --> 00:11:08.159 The keys to the kingdom was that the biggest find. 221 00:11:07.840 --> 00:11:11.879 No, not the biggest breakthrough, but certainly highlighted poor configuration hygiene. 222 00:11:11.919 --> 00:11:12.679 A warning sign. 223 00:11:13.519 --> 00:11:16.799 The truly critical vulnerability, the one that really crack things open, 224 00:11:17.039 --> 00:11:20.840 was a server side request forgery or SSRF, found on 225 00:11:21.120 --> 00:11:23.440 demo dot mxrads dot com. 226 00:11:23.639 --> 00:11:26.919 SSRF. Okay, remind me again what that lets an attacker do, right. 227 00:11:27.279 --> 00:11:30.320 SSRF is like tricking a server one that's sitting inside 228 00:11:30.320 --> 00:11:33.559 a supposedly secure network to make a request on your behalf. 229 00:11:33.879 --> 00:11:36.399 It makes requests to other internal systems that the server 230 00:11:36.480 --> 00:11:38.360 can reach, but you from the outside can't. 231 00:11:38.440 --> 00:11:40.960 Okay, So you're using the server as a proxy to 232 00:11:41.080 --> 00:11:42.240 hit internal stuff. 233 00:11:42.360 --> 00:11:43.000 Essentially, Yes. 234 00:11:43.360 --> 00:11:46.399 By manipulating a URL and the demo application using a 235 00:11:46.399 --> 00:11:49.159 tool like burke Suite, a standard web app testing toolkit, 236 00:11:49.480 --> 00:11:52.440 the attacker could force the application to make internal requests 237 00:11:52.799 --> 00:11:55.600 specifically to the AWS metadata API. 238 00:11:55.879 --> 00:11:59.440 Ah, that's special address HTTP dot one six nine point 239 00:11:59.440 --> 00:12:01.559 two five four point one six nine point two five 240 00:12:01.600 --> 00:12:04.279 four littles, that's the one. Here's where it gets really interesting. 241 00:12:04.279 --> 00:12:06.240 As you said, this isn't a normal web address. What 242 00:12:06.320 --> 00:12:09.840 kind of information does this mysterious metadata API actually reveal? 243 00:12:10.120 --> 00:12:13.600 Yeah, it's a special internal address unique to cloud environments 244 00:12:13.639 --> 00:12:18.240 like AWS instances. Those virtual computers can query it to 245 00:12:18.320 --> 00:12:21.000 get information about themselves. Like asking who am I, what. 246 00:12:21.000 --> 00:12:24.159 Can I do? It reveals a whole trove. 247 00:12:23.919 --> 00:12:27.679 Of metadata, the machine's host name, its internal IP address, 248 00:12:27.879 --> 00:12:30.679 firewall rules, basic identity cards. 249 00:12:30.679 --> 00:12:33.279 Stuff. Okay, useful but maybe not devastating. 250 00:12:33.360 --> 00:12:36.159 Ah. But the dirty secret, as the book puts it, 251 00:12:36.240 --> 00:12:38.080 is that it can also expose the user. 252 00:12:37.919 --> 00:12:40.759 Data script, the script that runs when the machine first boots. 253 00:12:40.559 --> 00:12:44.639 Up exactly, often used for setup configuration, and sometimes developers 254 00:12:44.639 --> 00:12:47.799 put sensitive stuff in there. For mxri ads demo server, 255 00:12:48.159 --> 00:12:51.799 this user data script contained crucial environment variables, including a 256 00:12:51.840 --> 00:12:54.759 reference to a secrets dot em V file and guess 257 00:12:54.759 --> 00:12:55.279 what was in. 258 00:12:55.159 --> 00:12:57.440 There, daz passwords jackpot. 259 00:12:57.679 --> 00:13:00.080 The script or the file it pointed to yielded many 260 00:13:00.080 --> 00:13:04.759 passwords to access Cassandra clusters, Cassandra being a popular Noseql database. 261 00:13:04.840 --> 00:13:07.639 Yeah, okay, direct database access and it gets better. 262 00:13:07.759 --> 00:13:11.240 It also revealed IAM role credentials for the machine. 263 00:13:10.960 --> 00:13:14.240 Itself, imm identity and access management. The permissions in the 264 00:13:14.320 --> 00:13:16.519 machine has within AWS. 265 00:13:16.120 --> 00:13:19.080 Correct and these role credentials are often not subject to 266 00:13:19.120 --> 00:13:23.399 the same IP restrictions as regular user credentials. They're incredibly 267 00:13:23.480 --> 00:13:26.399 valuable because they can potentially be used from anywhere, So. 268 00:13:26.840 --> 00:13:31.240 A seemingly simple SSRF vulnerability maybe in a forgotten demo 269 00:13:31.320 --> 00:13:35.480 app could spiral into gaining highly privileged credentials for other 270 00:13:35.519 --> 00:13:38.039 AWS services. That's quite a leap. 271 00:13:38.279 --> 00:13:41.279 Absolutely, It's a classic cloud escalation path. Even though the 272 00:13:41.320 --> 00:13:44.360 attacker was initially denied direct access to list all S 273 00:13:44.399 --> 00:13:47.960 three buckets using these credentials, the im role itself, the 274 00:13:47.960 --> 00:13:51.519 specific permissions assigned to that demo application was successfully used 275 00:13:51.519 --> 00:13:55.000 to list objects V two within a different important looking 276 00:13:55.039 --> 00:13:59.080 bucket mex rads DL, and that revealed hundreds of thousands 277 00:13:59.080 --> 00:14:03.320 of JR files and other binaries, probably application code libraries. 278 00:14:03.399 --> 00:14:05.600 It's like finding a key that doesn't open the front door, 279 00:14:05.799 --> 00:14:07.960 but opens a side door to the engineering lab. 280 00:14:08.039 --> 00:14:10.960 That's a good analogy. Yes, once you're inside, even limited 281 00:14:10.960 --> 00:14:13.519 permissions can often be leveraged to find more access. 282 00:14:13.639 --> 00:14:16.679 Okay. The book then describes another major vulnerability found on 283 00:14:16.720 --> 00:14:21.000 a different site Www. Dot surveysandstats dot com. What was 284 00:14:21.039 --> 00:14:21.440 that one? 285 00:14:21.600 --> 00:14:25.360 That was a server side template injection or SSTI vulnerability. 286 00:14:25.600 --> 00:14:28.720 SSTI sounds similar to SSRF, but different. 287 00:14:28.759 --> 00:14:32.039 Similar in that you're tricking the server, but the mechanism 288 00:14:32.120 --> 00:14:35.200 is different. Instead of making external requests, you're tricking the 289 00:14:35.200 --> 00:14:39.159 server into executing code you provide within its own templating engine. 290 00:14:39.200 --> 00:14:41.679 Templeting engine like for generating web. 291 00:14:41.480 --> 00:14:45.240 Pages exactly things like jinga two in Python or handlebars 292 00:14:45.279 --> 00:14:48.600 and JavaScript. They take data and put it into a template. 293 00:14:48.919 --> 00:14:51.879 By injecting a simple string like into a form field 294 00:14:51.879 --> 00:14:54.320 on the website and seeing the server respond with sixteen 295 00:14:54.440 --> 00:14:56.440 instead of the original string means. 296 00:14:56.240 --> 00:14:59.519 The server actually calculated eight times too it ran code. 297 00:14:59.240 --> 00:15:03.679 Bingo confirmed the vulnerability. This then allowed the attacker to 298 00:15:03.759 --> 00:15:06.840 use advanced features of the programming language Python, in this 299 00:15:06.919 --> 00:15:11.159 case things like introspection and reflection, essentially letting the code 300 00:15:11.159 --> 00:15:15.519 examine and modify itself to eventually call subprocess. 301 00:15:15.039 --> 00:15:16.919 Popin, which basically means. 302 00:15:16.879 --> 00:15:20.639 Arbitrary code execution on the server. Full control, They could 303 00:15:20.639 --> 00:15:22.639 make the server run almost any command they wanted. 304 00:15:22.879 --> 00:15:25.480 Game over for that server then, and what was the 305 00:15:25.519 --> 00:15:29.639 immediate juicy payoff from gaining that arbitrary code execution. 306 00:15:29.480 --> 00:15:34.360 Well, they immediately gained SEES simple Email Service credentials, aws's 307 00:15:34.399 --> 00:15:36.159 email service, useful. 308 00:15:35.960 --> 00:15:38.879 For sending spam maybe or something more. 309 00:15:38.759 --> 00:15:42.679 More importantly, it confirmed that survey sandstats dot com belonged 310 00:15:42.679 --> 00:15:46.519 to the same AWS account as mxr ads, tying the 311 00:15:46.559 --> 00:15:50.600 infrastructure together. Further, and even more critically, they found that 312 00:15:50.720 --> 00:15:54.360 while external Internet access was blocked on this particular server 313 00:15:54.879 --> 00:15:56.639 at common security measures, so they. 314 00:15:56.519 --> 00:15:58.919 Couldn't just download tools or send data out easily. 315 00:15:59.039 --> 00:16:01.519 Right, But they discovered they could smuggle in a request 316 00:16:01.600 --> 00:16:05.039 to a bucket in our own AWS account by exploiting 317 00:16:05.080 --> 00:16:08.919 something for an S three VPC N point configuration. It's 318 00:16:08.960 --> 00:16:11.080 a way for internal servers to talk to S three 319 00:16:11.320 --> 00:16:13.720 without going over the public Internet clever, so. 320 00:16:13.679 --> 00:16:16.600 They could use S three as a communication channel exactly. 321 00:16:17.000 --> 00:16:19.879 This was huge. It led to a reliable way to 322 00:16:19.919 --> 00:16:20.600 communicate with. 323 00:16:20.559 --> 00:16:23.559 The outside world from this otherwise sealed off survey app, 324 00:16:24.080 --> 00:16:27.960 and it enabled command execution through S three files. They'd 325 00:16:28.000 --> 00:16:30.399 upload a command file to their own bucket, the server 326 00:16:30.480 --> 00:16:32.759 would fetch and run it via the endpoint and send 327 00:16:32.759 --> 00:16:34.000 results back the same. 328 00:16:33.799 --> 00:16:37.320 Way, essentially creating an S three base back door. Wow, 329 00:16:37.639 --> 00:16:39.799 it's like finding a secret pneumatic tube system out of 330 00:16:39.840 --> 00:16:40.440 a locked room. 331 00:16:40.639 --> 00:16:43.480 Hey, yeah, something like that. A very effective stealthy channel. 332 00:16:43.559 --> 00:16:47.519 Okay, So with initial access established via SSRF and SSTI 333 00:16:47.799 --> 00:16:50.679 leading to code execution and a back door, the hacker 334 00:16:50.720 --> 00:16:53.879 discovers there inside a container, but not just any container 335 00:16:53.960 --> 00:16:57.519 one managed by a Kubernetes cluster. For those less familiar, 336 00:16:57.720 --> 00:17:00.960 what does Kubernetes fundamentally change about the hacking target compared 337 00:17:00.960 --> 00:17:04.039 to just compromising a single traditional server. Right. 338 00:17:04.240 --> 00:17:07.559 Kubernetes, or cube as it's often called, is described in 339 00:17:07.599 --> 00:17:11.319 the book as the ultimate container orchestrator. It's a game changer. 340 00:17:11.759 --> 00:17:16.880 Imagine hundreds, maybe thousands of software containers which are like lightweight, 341 00:17:17.039 --> 00:17:22.519 isolated virtual machines, all running different parts of applications. Kubernetes 342 00:17:22.559 --> 00:17:25.359 manages all of them. It starts them, stops them, connects them, 343 00:17:25.519 --> 00:17:28.279 scales them up or down automatically based on demand. 344 00:17:28.400 --> 00:17:30.960 So it's like the conductor of a huge orchestra of software. 345 00:17:31.000 --> 00:17:32.000 That's a great way to put it. 346 00:17:32.400 --> 00:17:36.160 The book explains its core components pods, which are groups 347 00:17:36.200 --> 00:17:38.960 of one or more containers that run together, services which 348 00:17:38.960 --> 00:17:43.160 handle internal load balancing and networking between pods, and crucially, 349 00:17:43.400 --> 00:17:47.039 the API server and the etcetera database. These maintain the 350 00:17:47.079 --> 00:17:50.839 cluster's desired state. Kubernetes is always trying to make reality 351 00:17:51.000 --> 00:17:54.160 match that desired state, so attacking it isn't like attacking 352 00:17:54.200 --> 00:17:59.119 one server. It's about understanding and manipulating this complex dynamic system. 353 00:17:59.200 --> 00:18:02.279 Okay, so find yourself inside one of these containers, maybe 354 00:18:02.279 --> 00:18:05.039 through web vulnerability like we just discussed, how do you 355 00:18:05.160 --> 00:18:08.119 break out or gain more control over the entire Kubernetes 356 00:18:08.200 --> 00:18:11.200 cluster itself. That sounds like a monumental leap. 357 00:18:11.240 --> 00:18:14.039 It is, but often, like with S three, it comes 358 00:18:14.039 --> 00:18:18.720 down to misconfigurations. Small oversights can have big impacts and cube. 359 00:18:19.599 --> 00:18:22.240 The first key discovering the book scenario was that the 360 00:18:22.319 --> 00:18:26.079 compromised container was running with a default service account. 361 00:18:26.119 --> 00:18:29.039 A service account being like an identity for the software. 362 00:18:28.640 --> 00:18:33.039 Itself exactly, and Kubernetes gives containers a token, a JWT 363 00:18:33.319 --> 00:18:37.079 JSON webtoken like a digital passport associated with the service account. 364 00:18:37.440 --> 00:18:41.000 It's usually mounted automatically inside the container at a specific 365 00:18:41.039 --> 00:18:46.240 filepath run secret Scubernetes dot Io service account token. By 366 00:18:46.240 --> 00:18:49.680 grabbing this token, the attacker could directly query the Kubernetes 367 00:18:49.720 --> 00:18:52.000 API server pretending to be that container. 368 00:18:52.079 --> 00:18:54.559 Okay, but what can a default account usually do? Isn't 369 00:18:54.559 --> 00:18:55.200 it lockdown? 370 00:18:55.480 --> 00:18:58.359 It should be, But here's the critical part. The book 371 00:18:58.400 --> 00:19:01.680 notes that if this default account was unwittingly granted extra 372 00:19:01.720 --> 00:19:05.880 privileges by an administrator, maybe for some forgotten reason, then 373 00:19:06.240 --> 00:19:08.400 all the other pods running with the same identity will 374 00:19:08.440 --> 00:19:12.279 automatically inherit these same privileges. Suddenly, that default account isn't 375 00:19:12.319 --> 00:19:13.240 so basic anymore. 376 00:19:13.440 --> 00:19:17.759 Uh, A shared identity with escalated permissions precisely, and in 377 00:19:17.799 --> 00:19:20.440 this case, it allowed the attacker to list hundreds of 378 00:19:20.559 --> 00:19:23.960 pods specifically in the prod name space, usually the live 379 00:19:24.000 --> 00:19:24.839 production environment. 380 00:19:25.200 --> 00:19:29.559 And even more, they could extract their full Yamel manifests. 381 00:19:29.319 --> 00:19:31.640 The configuration files for those pods. 382 00:19:31.440 --> 00:19:36.119 Yes, revealing things like environment variables, container images used, and 383 00:19:36.200 --> 00:19:39.799 even secret key ref pointers. These are references that tell 384 00:19:39.839 --> 00:19:43.240 Kubernetes where to find other secrets like database passwords or 385 00:19:43.279 --> 00:19:45.640 API keys and inject them into the pod. 386 00:19:45.839 --> 00:19:49.039 So looking at the POD's configuration reveals pointers to the 387 00:19:49.079 --> 00:19:50.480 actual secrets if. 388 00:19:50.279 --> 00:19:51.039 Configured that way. 389 00:19:51.119 --> 00:19:54.000 Yes, it's like finding a treasure map inside the container. 390 00:19:54.359 --> 00:19:57.119 This sounds like a massive win an insider's view of 391 00:19:57.119 --> 00:20:01.480 the entire production environment, potentially exposing very sensitive data. What 392 00:20:01.640 --> 00:20:05.240 kind of stuff was actually exposed through this elevated Kubernetes access. 393 00:20:05.319 --> 00:20:09.720 They literally discovered containers configured to load AWS credentials directly 394 00:20:09.759 --> 00:20:14.319 as secrets, very sensitive stuff by abusing those Kubernetes service 395 00:20:14.319 --> 00:20:17.880 account privileges. Using the token they found, they could ask 396 00:20:17.920 --> 00:20:21.640 the Cube API to retrieve secrets like dbcore password directly 397 00:20:21.640 --> 00:20:23.000 from the cluster's secret store. 398 00:20:23.319 --> 00:20:25.920 Wow, just ask Cube for the password. 399 00:20:25.559 --> 00:20:28.480 If the service account had permission, Yes, and this led 400 00:20:28.519 --> 00:20:33.000 directly to campaign database credentials for a mysucle database. This 401 00:20:33.079 --> 00:20:36.400