2003
<blank> is the technology AWS uses for server-side encryption
What is AES-256
What is the following code doing?
aws configure add-model --service-model file://service.json --service-name <name>
What is the AWS CLI command to add a service team provided model.json file
What is through the bucket policy.
{
  "Properties": {
    "Bucket": {
      "Ref": "Example-Bucket-Name"
    },
    "PolicyDocument": {
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": "*",
          "Condition": {
            "Bool": {
              "aws:SecureTransport": false
            }
          }
        }
      ]
    }
  }
}
What is the first step to privilege escalation?
What is enumeration?
What does sudo stand for?
What is superuser do or substitute user do.
True or False. Linux tells fortunes.
True
This is a centralized repository that allows you to store all your structured and unstructured data at any scale.
What is a Data Lake.
What are the three types of pen testing methodologies?
What are black-box, white-box, and gray-box.
The famous <what> attack is an example of exploitation of a race condition vulnerability.
What command should you be very careful of using?
What is rm -f
How can you fix this IAM policy to allow read permissions from the "tricky" S3 bucket?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": ["arn:aws:s3:::tricky"]
    }
  ]
}
2. Fix the resource ARN (fixing the ARN for the GetObject action)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListObjectsInBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::tricky"]
    },
    {
      "Sid": "AllObjectActions",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": ["arn:aws:s3:::tricky/*"]
    }
  ]
}