Hacking The Cloud

[Deprecated] Break LLM Workflows with Claude's Refusal Magic String

Tue, 05 May 2026 21:10:50 +0000

How Anthropic's refusal test string can be abused to stop streaming responses and create sticky failures.

Bypass GuardDuty Pentest Findings via Botocore Config

Tue, 24 Mar 2026 00:24:29 +0000

Override the default botocore user-agent string in boto3 to prevent GuardDuty PenTest findings from firing.

Obfuscated Admin IAM Policy

Mon, 23 Mar 2026 22:12:18 +0000

Using IAM action wildcards to create policies that grant admin-equivalent access while evading name-based detections.

Detect Public Resource Exposure via Session Policy Error Messages

Sun, 15 Mar 2026 13:50:26 +0000

Use session policy denials and verbose IAM error messages to determine if AWS resources have public resource-based policies.

GCP Cloud Workstations Privilege Escalation

Tue, 10 Feb 2026 03:39:26 +0000

Break out of a Cloud Workstations container through an exposed Docker socket, then access project credentials from instance metadata.

Get IAM Credentials from a Console Session

Mon, 02 Feb 2026 16:08:41 +0000

Convert access to the AWS Console into IAM credentials.

Call for research: AI and LLM security

Sun, 25 Jan 2026 20:17:53 +0000

Hacking the Cloud is opening the door to AI and LLM security research.

2025 Hacking the Cloud: Year in Review

Sun, 04 Jan 2026 21:02:59 +0000

An end of year summary for Hacking the Cloud in 2025.

AWS IAM Persistence Methods

Sun, 14 Dec 2025 13:33:00 +0000

A catalog of methods to maintain access to the AWS control plane.

IAM Persistence through Eventual Consistency

Sun, 14 Dec 2025 12:53:39 +0000

Abuse IAM's eventual consistency to maintain persistence against incident response containment.

Bypass Credential Exfiltration Detection

Thu, 30 Oct 2025 13:48:03 +0000

When stealing IAM credentials from an EC2 instance you can avoid a GuardDuty detection by using VPC Endpoints.

Apps Script project impersonation / Google Apps Script persistence

Thu, 09 Oct 2025 16:09:49 +0000

Google Workspace Apps Script projects create hidden GCP projects (sys-<...>) that can be impersonated by attackers. This technique enables stealthy persistence (service accounts, hidden compute, cryptomining) and can bypass common console inspections.

AWS Network Firewall Egress Filtering Bypass

Sun, 28 Sep 2025 20:45:11 +0000

Bypass AWS Network Firewall Egress Filtering using SNI spoofing and Host Header manipulation.

IAM Roles Anywhere Persistence

Sun, 21 Sep 2025 15:49:23 +0000

Abusing IAM Roles Anywhere to obtain persistent AWS access from outside the cloud.

AWS CodeBuild GitHub Runner Persistence

Sun, 21 Sep 2025 15:22:21 +0000

Abusing the CodeBuild managed GitHub Actions runner integration to obtain long‑term access to an AWS environment.

AWS IAM Privilege Escalation Techniques

Thu, 21 Aug 2025 08:44:24 +0000

Common techniques that can be leveraged to escalate privileges in an AWS account.

Whoami - Get Principal Name From Keys

Mon, 09 Jun 2025 19:08:37 +0000

During an assessment you may find AWS IAM credentials. Use these tactics to identify the principal of the keys.

Enumerate services via AWS Backup

Tue, 06 May 2025 06:06:53 +0000

Enumerate AWS services via AWS Backup

Why Recreating an IAM Role Doesn't Restore Trust: A Gotcha in Role ARNs

Tue, 06 May 2025 01:10:05 +0000

In AWS, deleting and recreating an IAM role results in a new identity that breaks existing trust policies. This behavior improves security by preventing identity spoofing but can cause failures in cross-account access and third-party integrations if not properly understood.

Tag Your Way In - GCP Privilege Escalation Using Tags

Fri, 02 May 2025 14:15:10 +0000

A new privilege escalation technique in Google Cloud that leverages tag bindings to bypass IAM conditions and gain unauthorized access to sensitive resources.

IAM Rogue OIDC Identity Provider Persistence

Thu, 06 Mar 2025 18:47:55 +0000

Obtain persistence by creating a rogue OIDC Identity Provider.

Exploiting Misconfigured Terraform Cloud OIDC AWS IAM Roles

Fri, 07 Feb 2025 21:01:24 +0000

Discover how to identify and exploit misconfigured AWS IAM roles using Terraform Cloud OIDC

Exploiting Misconfigured GitLab OIDC AWS IAM Roles

Fri, 07 Feb 2025 21:00:55 +0000

Discover how to identify and exploit misconfigured AWS IAM roles using GitLab OIDC, with a detailed, step-by-step guide.

Security and Constraints

Fri, 03 Jan 2025 01:03:08 +0000

Security considerations and constraints that are unique to GCP

2024 Cloud Security Highlights: Hacking the Cloud’s Year in Review

Mon, 23 Dec 2024 15:13:39 +0000

An end of year summary for Hacking the Cloud in 2024.

EC2 Privilege Escalation Through User Data

Sun, 15 Dec 2024 11:35:23 +0000

How to escalate privileges on an EC2 instance by abusing user data.

Run Shell Commands on EC2 with Send Command or Session Manager

Fri, 06 Dec 2024 22:32:07 +0000

Leverage privileged access in an AWS account to run arbitrary commands on an EC2 instance.

Exploiting Public AWS Resources Programmatically - The Playbook

Thu, 05 Dec 2024 19:54:43 +0000

A playbook on how to exploit AWS resources that can be misconfigured via resource-based policies.

[Deprecated] Enumerate Permissions without Logging to CloudTrail

Thu, 21 Nov 2024 02:14:01 +0000

Leverage a bug in the AWS API to enumerate permissions for a role without logging to CloudTrail and alerting the Blue Team.

Enumerate AWS Account ID from a Public S3 Bucket

Thu, 21 Nov 2024 02:14:01 +0000

Knowing only the name of a public S3 bucket, you can ascertain the account ID it resides in.

Unauthenticated Enumeration of IAM Users and Roles

Thu, 21 Nov 2024 02:14:01 +0000

Discover how to exploit cross-account behaviors to enumerate IAM users and roles in another AWS account without authentication.

Derive a Principal ARN from an AWS Unique Identifier

Thu, 21 Nov 2024 02:14:01 +0000

How to convert an unique identifier to a principal ARN.

CVE-2024-28056: Exploit an AWS Amplify Vulnerability in Same-Account Scenarios

Thu, 21 Nov 2024 02:14:01 +0000

An in-depth explanation of how to still abuse CVE-2024-28056, a vulnerability in AWS Amplify that exposed IAM roles to takeover.

Prevent Expensive AWS API Actions with SCPs

Thu, 21 Nov 2024 02:14:01 +0000

Avoid AWS bill surprises by blocking known-expensive API calls with an SCP.

Connection Tracking

Thu, 21 Nov 2024 02:14:01 +0000

Abuse security group connection tracking to maintain persistence even when security group rules are changed.

Intercept SSM Communications

Thu, 21 Nov 2024 02:14:01 +0000

With access to an EC2 instance you can intercept, modify, and spoof SSM communications.

Bypass GuardDuty Pentest Findings for the AWS CLI

Tue, 12 Nov 2024 03:00:45 +0000

Prevent Kali Linux, ParrotOS, and Pentoo Linux from throwing GuardDuty alerts by modifying the User Agent string when using the AWS CLI.

AWS CLI Tips and Tricks

Mon, 04 Nov 2024 03:15:10 +0000

A collection of tips and tricks for using the AWS CLI.

DNS and CloudFront Domain Takeover via Deleted S3 Buckets

Wed, 30 Oct 2024 21:58:21 +0000

How orphaned Route53 records and CloudFront distributions can be taken over if the backing S3 bucket is deleted.

Run Command Abuse

Sat, 05 Oct 2024 05:04:44 +0000

Utilise Azure RunCommands for execution and lateral movement.

Steal IAM Credentials and Event Data from Lambda

Tue, 20 Aug 2024 01:29:51 +0000

Leverage file read and SSRF vulnerabilities to steam IAM credentials and event data from Lambda.

Abusing Misconfigured Role Trust Policies with a Wildcard Principal

Sun, 04 Aug 2024 21:24:46 +0000

How to take advantage of misconfigured role trust policies that have wildcard principals.

Enumerate Org/Folder/Project Permissions + Individual Resource Permissions

Sun, 14 Jul 2024 21:50:00 +0000

Brute force the permissions of all resources above to see what permissions you have. Includes example of brute forcing ~9500 permissions at the end. Also introduces tool that passively collections permissions allowed as run (gcpwn)

Abusing Managed Identities

Sat, 15 Jun 2024 06:21:29 +0000

Abusing Managed Identities

Discover secrets in public AMIs

Wed, 29 May 2024 03:08:56 +0000

How to find public AMIs and get stored secrets.

Enumerate Root User Email Address from the AWS Console

Tue, 21 May 2024 20:10:23 +0000

Identify if an email address belongs to the root user of an AWS account.

AWS Organizations Defaults & Pivoting

Thu, 07 Mar 2024 02:17:49 +0000

How to abuse AWS Organizations' default behavior and lateral movement capabilities.

Anonymous Blob Access

Thu, 07 Mar 2024 02:17:49 +0000

Finding and accessing files stored in Azure Storage Accounts without authentication.

Soft Deleted Blobs

Thu, 07 Mar 2024 02:17:49 +0000

Recovering and accessing files in private Storage Accounts that have been deleted.

Hacking The Cloud