As a security researcher I read a lot of blog posts. Reading once doesn't mean learning (at least in my case). So I write down the important points I wish to learn from the blog posts and regularly recall them.
- When you get SSRF on an AWS instance, try fetching http://169.254.169.254/latest/user-data. Explore the metadata service further to get IAM credentials.
- To verify AWS credentials, use the command `aws sts get-caller-identity`.
- For every Elastic Beanstalk application, AWS creates an S3 bucket to store the source code of the deployment, named in the following pattern:
- The native libraries (stored as .so files inside the APK) are loaded after the main activity starts, so a Frida hook installed at app launch may fail because the library is not yet in the process.
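An added example (not from these notes) of handling that: a Frida script that hooks the loader and attaches to the target function only once its .so is actually mapped, so it works whether you spawn the app or attach later. The library name `libtarget.so` and the export `check_license` are placeholders to replace with the names from the app you are analysing.

```javascript
// Added example: hook a native function only after its .so has been loaded.
// Placeholders: libtarget.so and check_license are not from any real app.
const TARGET_LIB = 'libtarget.so';      // placeholder: the .so to instrument
const TARGET_SYMBOL = 'check_license';  // placeholder: an export inside it
let hooked = false;

// Pure helper (runs outside Frida too): does a loader path name our library?
function isTargetLibrary(path, target = TARGET_LIB) {
  if (typeof path !== 'string') return false;
  return path.split('/').pop() === target;
}

// Resolve the symbol only once the module is really present in the process.
function resolveExport(libName, symbol) {
  const mod = Process.findModuleByName(libName);
  return mod === null ? null : mod.findExportByName(symbol);
}

function installHook() {
  if (hooked) return true;
  const addr = resolveExport(TARGET_LIB, TARGET_SYMBOL);
  if (addr === null) {
    console.log(`[!] ${TARGET_SYMBOL} not found in ${TARGET_LIB}`);
    return false;
  }
  Interceptor.attach(addr, {
    onEnter(args) { console.log(`[*] ${TARGET_SYMBOL} called`); },
    onLeave(retval) { console.log(`[*] ${TARGET_SYMBOL} returned ${retval}`); }
  });
  hooked = true;
  return true;
}

function hookWhenLoaded() {
  // Case 1: attached late and the library is already mapped: hook now.
  if (Process.findModuleByName(TARGET_LIB) !== null) return installHook();
  // Case 2: spawned early: watch bionic's loader and hook when our .so arrives.
  const libdl = Process.findModuleByName('libdl.so');
  if (libdl === null) return false;
  for (const name of ['android_dlopen_ext', 'dlopen']) {
    const fn = libdl.findExportByName(name);
    if (fn === null) continue;
    Interceptor.attach(fn, {
      onEnter(args) { this.path = args[0].isNull() ? null : args[0].readCString(); },
      onLeave(retval) { if (isTargetLibrary(this.path)) installHook(); }
    });
  }
  return true;
}

// Frida globals exist only inside the agent; under plain Node nothing is hooked.
if (typeof Interceptor !== 'undefined') hookWhenLoaded();
```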
- When you come across a Docker registry endpoint, try to browse the following endpoints: