
Identify privilege escalation paths within and across different clouds

PurplePanda

This tool fetches resources from different cloud/SaaS applications, focusing on permissions, in order to identify privilege escalation paths and dangerous permissions in cloud/SaaS configurations. Note that PurplePanda searches for privilege escalation paths both within a platform and across platforms.

The name comes from the animal Red Panda. This panda eats peas, just like Purple Panda, which can ingest API keys/tokens found by PEASS. The colour was changed to purple because this tool is meant mainly for Purple Teams (it can be highly useful for both Blue and Red Teams).

How to use

Each folder inside /intel defines one platform that can be enumerated and contains a README.md file explaining how to use that specific module.

Download Neo4j Desktop and create a database. Then export the environment variables PURPLEPANDA_NEO4J_URL and PURPLEPANDA_PWD with the URL of the Neo4j database and its password.

If you want Shodan to be used on the public IPs discovered during the enumeration, export an environment variable called SHODAN_KEY with a valid Shodan API key.

Then just install and launch the program, indicating the platforms you want to enumerate as a comma-separated list, like this:

Local install

git clone https://github.com/carlospolop/PurplePanda
cd PurplePanda
python3 -m venv .
source bin/activate
python3 -m pip install -r requirements.txt
export PURPLEPANDA_NEO4J_URL="bolt://neo4j@localhost:7687"
export PURPLEPANDA_PWD="neo4j_pwd_4_purplepanda"
python3 main.py -h # Get help
python3 main.py -e -p google,github,k8s --github-only-org --k8s-get-secret-values --gcp-get-secret-values # Enumerate google, github and k8s

Docker

# Consider adding the API keys in the Dockerfile
docker rm -f purplepanda
docker build --tag=purplepanda .
# Execute -h
## Change -h for the params you want to run purplepanda with
docker run -t \
    -e PURPLEPANDA_NEO4J_URL="bolt://neo4j@host.docker.internal:7687" \
    -e PURPLEPANDA_PWD="s3cr3t" \
    -e GOOGLE_DISCOVERY=... \
    -e GITHUB_DISCOVERY=... \
    -e K8S_DISCOVERY=... \
    -e CONCOURSE_DISCOVERY=... \
    -e CIRCLECI_DISCOVERY=... \
    purplepanda python3 main.py -h

## -t is needed to see the output properly
## If you are using Neo4j Desktop to connect to the DB use the domain host.docker.internal
## You might need to use the option '-v' to mount files with configurations
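As an added pre-flight check, not part of the PurplePanda project, the following Python validates the environment variables and the -p platform list described above before a run (a Neo4j URL that still points at localhost from inside Docker, a placeholder password left over from the examples, a missing SHODAN_KEY, an unknown platform name). The PP_PLATFORMS variable and the /.dockerenv heuristic are this example's own assumptions.

```python
import os
from urllib.parse import urlparse

# Platform names used on this page (the -p values and the *_DISCOVERY variables).
KNOWN_PLATFORMS = ("google", "github", "k8s", "concourse", "circleci")
# Placeholder passwords from the examples above; a real run should not keep them.
EXAMPLE_PASSWORDS = ("neo4j_pwd_4_purplepanda", "s3cr3t")
# URI schemes the Neo4j Python driver accepts.
NEO4J_SCHEMES = ("bolt", "bolt+s", "bolt+ssc", "neo4j", "neo4j+s", "neo4j+ssc")


def check_env(env, platforms, in_docker=False):
    """Validate a PurplePanda environment before launching.

    env: a mapping such as os.environ; platforms: the comma-separated -p value.
    Returns (ok, findings); ok is False when any finding is an ERROR.
    """
    findings = []
    parsed = urlparse(env.get("PURPLEPANDA_NEO4J_URL", ""))
    if parsed.scheme not in NEO4J_SCHEMES or not parsed.hostname:
        findings.append("ERROR: PURPLEPANDA_NEO4J_URL must be a bolt:// or neo4j:// URL with a host")
    elif in_docker and parsed.hostname in ("localhost", "127.0.0.1"):
        # Inside a container, localhost is the container itself, not the Neo4j Desktop host.
        findings.append("ERROR: inside Docker, point PURPLEPANDA_NEO4J_URL at host.docker.internal, not localhost")
    pwd = env.get("PURPLEPANDA_PWD", "")
    if not pwd:
        findings.append("ERROR: PURPLEPANDA_PWD is not set")
    elif pwd in EXAMPLE_PASSWORDS:
        findings.append("WARN: PURPLEPANDA_PWD is a placeholder from the README; change the Neo4j password")
    if not env.get("SHODAN_KEY"):
        findings.append("INFO: SHODAN_KEY not set; discovered public IPs will not be looked up in Shodan")
    requested = [p.strip() for p in platforms.split(",") if p.strip()]
    if not requested:
        findings.append("ERROR: no platform given for -p")
    for name in requested:
        if name not in KNOWN_PLATFORMS:
            findings.append(f"ERROR: unknown platform '{name}' (expected one of {', '.join(KNOWN_PLATFORMS)})")
        elif f"{name.upper()}_DISCOVERY" not in env:
            findings.append(f"WARN: {name.upper()}_DISCOVERY is not set (the Docker example passes one per platform)")
    ok = not any(f.startswith("ERROR") for f in findings)
    return ok, findings


def build_command(platforms, extra_flags=()):
    """Argument vector for the enumerate (-e) mode shown on this page."""
    return ["python3", "main.py", "-e", "-p", platforms, *extra_flags]


if __name__ == "__main__":
    # PP_PLATFORMS and the /.dockerenv check are assumptions of this example, not PurplePanda options.
    platforms = os.environ.get("PP_PLATFORMS", "google,github,k8s")
    ok, findings = check_env(os.environ, platforms, in_docker=os.path.exists("/.dockerenv"))
    print("\n".join(findings) or "no findings")
    print(("ready: " if ok else "NOT ready: ") + " ".join(build_command(platforms)))
```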

PurplePanda has 2 analysis modes:

  • -e (enumerate): This is the main one; it gathers the data and analyzes it.
  • -a (analyze): This performs a quick analysis of the provided credentials.

Video tutorial

Check how to use and inspect the data gathered by PurplePanda:

Tutorial

For Blue/Purple Teams

Use credentials for each platform with at least admin read access to all the resources of the platform. This will help you to see exactly the privesc paths that can be abused within your configurations in each platform and across

For Red Teams

PurplePanda is also designed to be used by Red Teams. In general, cloud/SaaS platforms won't give everyone access to read the platform's configuration, which is why PurplePanda supports using several keys for the same platform: it tries to enumerate everything with all the keys you compromised, to get the most accurate view of the platform's configuration.

Supported platforms

How to use the data

Use the -d parameter indicating a directory. PurplePanda will then write into that directory several analyses, in CSV format, of the information obtained from all the platforms. The recommendation is to look for interesting and unexpected things in those files and then move on to analyzing those cases with the graphs.

Each platform folder inside /intel also contains a HOW_TO_USE.md file and a QUERIES.md file, in addition to its README.md.

In the HOW_TO_USE.md file you can find the best queries to perform an investigation into how privileges can be escalated (for Purple, Blue, and Red Teams).

In the QUERIES.md file you will find all the proposed queries for investigating the data more easily.

How to visualize the data in graphs

Follow the instructions indicated in VISUALIZE_GRAPHS.md

How to Contribute

In the root folder and in each folder inside intel/ you will find a TODO.md file describing how you can help. Just send a PR with the addition.

PRs with fixes are also welcome :)

Moreover, if you have other ideas that aren't in those TODO files feel free to send a PR.

By Carlos Polop™
