IBM Cloud Penetration Test & Configuration

DISCLAIMER: All commands in this cheatsheet were verified during a real engagement. Use only on systems you are authorized to test.


1. Prerequisites & Authentication

Install IBM Cloud CLI

bash
# Download from https://cloud.ibm.com/docs/cli
# Or use package manager
curl -fsSL https://clis.cloud.ibm.com/install/linux | sh
 
# Verify installation
ibmcloud --version
 
# Install required plugins
ibmcloud plugin install vpc-infrastructure
ibmcloud plugin install container-service
ibmcloud plugin install cloud-object-storage
ibmcloud plugin install secrets-manager

Authentication Methods

bash
# Login with API key
ibmcloud login --apikey YOUR_API_KEY -r us-east -g YOUR_RESOURCE_GROUP

# If you have the key in an environment variable
ibmcloud login --apikey "$IBMCLOUD_API_KEY" -r us-east

bash
# Interactive login (will prompt for email/password + MFA)
ibmcloud login -r us-east -g YOUR_RESOURCE_GROUP

bash
# Service IDs use API keys just like users
ibmcloud login --apikey "$SERVICE_ID_API_KEY" -r us-east

Post-Login Verification

bash
# Confirm who you are
ibmcloud iam oauth-tokens
ibmcloud target
 
# Get account details
ibmcloud account show
 
# List available regions
ibmcloud regions
 
# List resource groups
ibmcloud resource groups

Expected Output (Healthy):

text
Account: <ACCOUNT_ID>
Region: us-east
Resource Group: <RESOURCE_GROUP_NAME> (<RESOURCE_GROUP_ID>)
User: <SERVICE_ID>

2. Token Extraction & Direct REST API Abuse

The IBM Cloud CLI is a wrapper around REST APIs. Extracting the bearer token allows you to bypass CLI limitations and hit APIs directly.

Extract IAM Bearer Token

bash
# Method 1: From ibmcloud CLI
TOKEN=$(ibmcloud iam oauth-tokens | grep "IAM token:" | sed 's/IAM token: Bearer //')

# Method 2: Decode the token to see your permissions
echo "$TOKEN" | cut -d. -f2 | base64 -d 2>/dev/null | jq '.'
 
# Key fields to check:
# - iam_id: Who you are
# - account.bss: Account ID
# - scope: What regions/resource groups you can access
# - grant_type: How you authenticated
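
The `cut -d. -f2 | base64 -d` step above often prints nothing: JWT segments are base64url with the `=` padding stripped, so `base64 -d` rejects any payload whose length is not a multiple of four. The Python below is an added example, not part of the cheatsheet, that pads before decoding and pulls out exactly the fields listed above (`iam_id`, `account.bss`, `scope`, `grant_type`) plus the remaining lifetime. The token it decodes is constructed in the block itself, unsigned (`alg: none`), with made-up identifiers; it is not a real IBM Cloud token and the code never verifies a signature.

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample token: unsigned (alg "none"), made-up values, NOT a real
# IBM Cloud token. It only mimics the claim layout the cheatsheet lists.
SAMPLE_CLAIMS = {
    "iam_id": "iam-ServiceId-constructed-0001",
    "account": {"bss": "constructed-account-id", "valid": True},
    "scope": "ibm openid",
    "grant_type": "urn:ibm:params:oauth:grant-type:apikey",
    "iat": 1700000000,
    "exp": 1700003600,  # one hour after iat
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "",  # empty signature segment: this example inspects claims, it never verifies them
])


def decode_jwt_payload(token: str) -> dict:
    """Return the claims segment of a JWT without verifying the signature.

    JWT segments are base64url with the '=' padding stripped, which is why a
    bare `base64 -d` on the shell often errors out; re-add padding first.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def summarize_token(token: str, now=None) -> dict:
    """Pull out the identity fields the cheatsheet says to check, plus lifetime."""
    claims = decode_jwt_payload(token)
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    iam_id = str(claims.get("iam_id", ""))
    return {
        "iam_id": iam_id,
        "account_id": claims.get("account", {}).get("bss"),
        "scope": claims.get("scope"),
        "grant_type": claims.get("grant_type"),
        "is_service_id": iam_id.startswith("iam-ServiceId"),
        "seconds_remaining": None if exp is None else exp - now,
        "expired": exp is not None and exp <= now,
    }


if __name__ == "__main__":
    # On an engagement, pass the $TOKEN value produced by the sed pipeline above
    # instead of SAMPLE_TOKEN; "now" is pinned here so the sample output is stable.
    print(json.dumps(summarize_token(SAMPLE_TOKEN, now=1700000000), indent=2))
```

`summarize_token` is what you run right after login to confirm you are testing as the intended Service ID and how long the token is good for; a token that reports `expired: true` is the usual cause of an unexplained 401 from the REST calls later in this cheatsheet.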

Token Verification

bash
# Check token validity and scope
curl -s -H "Authorization: Bearer $TOKEN" \
"https://iam.cloud.ibm.com/v1/tokens" | jq '{iam_id, account_id, scope, grant_type}'

Using Token for Direct API Calls

bash
# Set once, use everywhere
ACCOUNT="<ACCOUNT_ID>"
RG="<RESOURCE_GROUP_ID>"
TOKEN=$(ibmcloud iam oauth-tokens | grep "IAM token:" | sed 's/IAM token: Bearer //')
 
# Generic pattern for all IBM Cloud APIs
curl -s -H "Authorization: Bearer $TOKEN" \
"https://{service}.cloud.ibm.com/v1/{endpoint}"

Common IBM Cloud API Endpoints:

  • IAM: https://iam.cloud.ibm.com/v1/
  • Resource Controller: https://resource-controller.cloud.ibm.com/v2/
  • Schematics: https://schematics.cloud.ibm.com/v1/
  • Secrets Manager: https://{guid}.us-east.secrets-manager.appdomain.cloud/api/v2/
  • Key Protect: https://us-east.kms.cloud.ibm.com/api/v2/
  • COS S3: https://s3.us-east.cloud-object-storage.appdomain.cloud/
  • IKS: https://containers.cloud.ibm.com/global/v1/

3. IAM Enumeration

3.1 Account & Identity Information

bash
# Who am I?
ibmcloud iam user
ibmcloud account show
 
# Decode JWT for full identity info
TOKEN=$(ibmcloud iam oauth-tokens | grep "IAM token:" | sed 's/IAM token: Bearer //')
echo "$TOKEN" | cut -d. -f2 | base64 -d 2>/dev/null | jq '.'

3.2 Service ID Enumeration

bash
# List all Service IDs in account
ibmcloud iam service-ids --output JSON
 
# Deep enumeration via REST API (returns ALL policies)
curl -s -H "Authorization: Bearer $TOKEN" \
"https://iam.cloud.ibm.com/v1/policies?account_id=${ACCOUNT}&limit=100" | jq '
.policies[] |
select(.subjects[0].attributes[0].name == "iam_id" and (.subjects[0].attributes[0].value | startswith("iam-ServiceId"))) |
{
serviceid: .subjects[0].attributes[0].value,
roles: [.roles[].display_name],
resources: [.resources[].attributes[] | select(.name == "serviceName" or .name == "resourceType") | .value]
}'
 
# Get API keys for current Service ID
ibmcloud iam api-keys --iam-id YOUR_SERVICE_ID --output JSON

What to Look For:

  • Service IDs with Administrator role (privilege escalation targets)
  • Service IDs with Manager on COS (bucket access)
  • Service IDs with Administrator on sysdig-secure (monitoring compromise)

3.3 Access Policy Enumeration

bash
# List all policies for account
curl -s -H "Authorization: Bearer $TOKEN" \
"https://iam.cloud.ibm.com/v1/policies?account_id=${ACCOUNT}&limit=100" | jq '
.policies[] | {
subject: .subjects[0].attributes[0].value,
roles: [.roles[].display_name],
resources: [.resources[].attributes[] | {name, value}]
}'
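
The policy listings in 3.2 and 3.3 return raw JSON; the three items under "What to Look For" are easier to apply consistently with a small reviewer over the parsed response. The Python below is an added example, not part of the cheatsheet: the policy document is a constructed sample in the shape of the `/v1/policies` response (only the fields the jq filters above touch), every id in it is made up, and the CRITICAL/HIGH/MEDIUM ranking is the example's own choice rather than anything the page defines.

```python
import json

# Constructed sample in the shape of GET https://iam.cloud.ibm.com/v1/policies
# (trimmed to the fields the cheatsheet's jq filters use). All ids are made up.
SAMPLE_POLICIES = {
    "policies": [
        {   # Service ID with account-wide Administrator (no serviceName attribute)
            "id": "policy-1",
            "subjects": [{"attributes": [{"name": "iam_id", "value": "iam-ServiceId-constructed-a"}]}],
            "roles": [{"display_name": "Administrator"}],
            "resources": [{"attributes": [{"name": "accountId", "value": "constructed-account-id"}]}],
        },
        {   # Service ID with Manager on Cloud Object Storage
            "id": "policy-2",
            "subjects": [{"attributes": [{"name": "iam_id", "value": "iam-ServiceId-constructed-b"}]}],
            "roles": [{"display_name": "Manager"}],
            "resources": [{"attributes": [
                {"name": "accountId", "value": "constructed-account-id"},
                {"name": "serviceName", "value": "cloud-object-storage"},
            ]}],
        },
        {   # Service ID with Administrator on sysdig-secure
            "id": "policy-3",
            "subjects": [{"attributes": [{"name": "iam_id", "value": "iam-ServiceId-constructed-c"}]}],
            "roles": [{"display_name": "Administrator"}],
            "resources": [{"attributes": [
                {"name": "accountId", "value": "constructed-account-id"},
                {"name": "serviceName", "value": "sysdig-secure"},
            ]}],
        },
        {   # Service ID with Viewer on IKS: least privilege, nothing to report
            "id": "policy-4",
            "subjects": [{"attributes": [{"name": "iam_id", "value": "iam-ServiceId-constructed-d"}]}],
            "roles": [{"display_name": "Viewer"}],
            "resources": [{"attributes": [
                {"name": "accountId", "value": "constructed-account-id"},
                {"name": "serviceName", "value": "containers-kubernetes"},
            ]}],
        },
        {   # Human user: out of scope for a Service ID review
            "id": "policy-5",
            "subjects": [{"attributes": [{"name": "iam_id", "value": "IBMid-constructed-user"}]}],
            "roles": [{"display_name": "Administrator"}],
            "resources": [{"attributes": [{"name": "accountId", "value": "constructed-account-id"}]}],
        },
    ]
}

SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM")


def _resource_attributes(policy: dict) -> dict:
    """Flatten resources[].attributes[] into {name: value}."""
    return {a["name"]: a["value"]
            for res in policy.get("resources", [])
            for a in res.get("attributes", [])}


def _service_id_subject(policy: dict):
    """Return the iam_id if the policy's subject is a Service ID, else None."""
    try:
        attr = policy["subjects"][0]["attributes"][0]
    except (KeyError, IndexError):
        return None
    if attr.get("name") == "iam_id" and str(attr.get("value", "")).startswith("iam-ServiceId"):
        return attr["value"]
    return None


def review_service_id_policies(doc: dict) -> list:
    """Flag the Service ID grants listed under 'What to Look For' (ranking is this example's own)."""
    findings = []
    for policy in doc.get("policies", []):
        service_id = _service_id_subject(policy)
        if service_id is None:
            continue
        roles = {r["display_name"] for r in policy.get("roles", [])}
        service = _resource_attributes(policy).get("serviceName", "*")  # "*" = account-wide
        if "Administrator" in roles and service == "*":
            severity, reason = "CRITICAL", "account-wide Administrator (privilege escalation target)"
        elif "Administrator" in roles and service == "sysdig-secure":
            severity, reason = "HIGH", "Administrator on sysdig-secure (monitoring compromise)"
        elif "Manager" in roles and service == "cloud-object-storage":
            severity, reason = "HIGH", "Manager on COS (read/write on every bucket in scope)"
        elif "Administrator" in roles:
            severity, reason = "MEDIUM", "Administrator on " + service
        else:
            continue
        findings.append({"policy_id": policy.get("id"), "service_id": service_id,
                         "severity": severity, "roles": sorted(roles),
                         "service": service, "reason": reason})
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    return findings


if __name__ == "__main__":
    # On an engagement, json.load() the saved output of the curl call in 3.2 instead.
    for f in review_service_id_policies(SAMPLE_POLICIES):
        print("[%s] %s: %s (policy %s)" % (f["severity"], f["service_id"], f["reason"], f["policy_id"]))
```

The same loop is the remediation checklist: each finding maps to one policy id that can be narrowed to a specific `serviceName` or a lower role.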

3.4 Access Group Enumeration

bash
# List access groups
ibmcloud iam access-groups --output JSON
 
# Get members of each group
ibmcloud iam access-group-members GROUP_NAME

3.5 User Enumeration (Often Restricted)

bash
# Attempt to list account users (usually requires high IAM privileges)
curl -s -H "Authorization: Bearer $TOKEN" \
"https://iam.cloud.ibm.com/v2/users?account_id=${ACCOUNT}" | jq '.resources[]? | {email, id}'
 
# Check if empty or permission denied

4. VPC & Infrastructure Enumeration

4.1 VPC Discovery

bash
# List all VPCs
ibmcloud is vpcs --output JSON
 
# Get VPC details
ibmcloud is vpc VPC_ID --output JSON

4.2 Subnet Enumeration

bash
# List all subnets
ibmcloud is subnets --output JSON
 
# Filter by VPC
ibmcloud is subnets --vpc-name VPC_NAME --output JSON

4.3 Instance Enumeration

bash
# List all instances
ibmcloud is instances --output JSON
 
# Deep instance analysis
curl -s -H "Authorization: Bearer $TOKEN" \
"https://us-east.iaas.cloud.ibm.com/v1/instances?version=2024-03-26&generation=2" | jq '
.instances[] | {
name: .name,
id: .id,
status: .status,
profile: .profile.name,
image: .image.name,
vcpu: .vcpu.count,
memory: .memory,
zone: .zone.name,
primary_network_interface: {
ip: .primary_network_interface.primary_ip.address,
subnet: .primary_network_interface.subnet.name,
security_groups: [.primary_network_interface.security_groups[].name]
}
}'

4.4 Floating IP Enumeration

bash
# List floating IPs
ibmcloud is floating-ips --output JSON
 
# Check for unattached (orphaned) floating IPs
ibmcloud is floating-ips --output JSON | jq '.[] | select(.target == null) | {name, id, address}'

4.5 Block Storage Enumeration

bash
# List volumes
ibmcloud is volumes --output JSON
 
# List snapshots
ibmcloud is snapshots --output JSON
 
# Find orphaned volumes (not attached to any instance)
ibmcloud is volumes --output JSON | jq '.[] | select(.status == "available") | {name, id, capacity, status}'

4.6 Instance Metadata Service (IMDS) Testing

bash
# From inside an IBM Cloud instance, test if IMDS is reachable
curl -s --max-time 3 "http://169.254.169.254/metadata/v1/instance/network"
 
# Check if IMDS v2 is required (token-based)
curl -s -X PUT --max-time 3 \
"http://169.254.169.254/instance_identity/v1/token?version=2022-03-01" \
-H "Metadata-Flavor: ibm"

Expected Result (Secure): IMDS disabled or token-based authentication required.


5. Kubernetes (IKS) Deep Enumeration

5.1 Cluster Discovery

bash
# List IKS clusters
ibmcloud ks cluster ls
 
# Get cluster details
ibmcloud ks cluster get --cluster CLUSTER_ID --output JSON

5.2 Kubeconfig Extraction

bash
# Attempt to download kubeconfig
ibmcloud ks cluster config --cluster CLUSTER_ID --output yaml
 
# Check if admin kubeconfig is available (requires Administrator role)
ibmcloud ks cluster config --cluster CLUSTER_ID --admin
# ERROR: A0010 — requires Administrator platform role

5.3 Cluster API Endpoint Analysis

bash
# Get cluster endpoint
ibmcloud ks cluster get --cluster CLUSTER_ID --output JSON | jq -r '.masterURL'

# Test if endpoint is reachable (private endpoints will timeout)
MASTER_URL=$(ibmcloud ks cluster get --cluster CLUSTER_ID --output JSON | jq -r '.masterURL')
curl -skv --max-time 5 "$MASTER_URL/api" 2>&1 | head -20

# Check if API allows anonymous access
curl -sk --max-time 5 "$MASTER_URL/api/v1/namespaces" | jq '.message'
# Expected: "Forbidden" or 403 (secure)
# Risk: Empty list or 200 (anonymous access enabled)

5.4 Worker Node Enumeration

bash
# List worker nodes
ibmcloud ks workers --cluster CLUSTER_ID --output JSON
 
# Get worker details including security groups
ibmcloud ks worker get --cluster CLUSTER_ID --worker WORKER_ID --output JSON

5.5 Kubernetes Version Check (EOL Check)

bash
# Get cluster version
ibmcloud ks cluster get --cluster CLUSTER_ID --output JSON | jq -r '.masterKubeVersion'
 
# Check against IBM's EOL schedule
# https://cloud.ibm.com/docs/containers?topic=containers-cs_versions
# Kubernetes 1.28 EOS: May 31, 2025

5.6 NodePort Exposure Testing

bash
# Check if the NodePort range (30000-32767) is covered by any inbound SG rule.
# A rule overlaps the range when port_min <= 32767 and port_max >= 30000; a rule
# that only touches one bound, or a 1-65535 rule, is still exposure. Rules with
# protocol "all" carry no port fields, so default them to 1-65535.
ibmcloud is security-group-rules SECURITY_GROUP_ID --output JSON | jq '
.[] | select(.direction == "inbound" and ((.port_min // 1) <= 32767 and (.port_max // 65535) >= 30000))
| {direction, protocol, port_min, port_max, remote}'
 
# Test NodePort services from internet
# Requires kubectl access or network scanning

5.7 Native Kubernetes (Non-IKS) Enumeration

bash
# Look for non-IKS Kubernetes instances (custom masters/workers)
ibmcloud is instances --output JSON | jq '.[] | select(.name | contains("k8s") or contains("master") or contains("worker")) | {name, id, status, primary_network_interface}'

6. Cloud Object Storage (COS)

6.1 Bucket Enumeration

bash
# List COS instances
ibmcloud resource service-instances --service-name cloud-object-storage --output JSON
 
# List buckets
ibmcloud cos buckets --ibm-service-instance-id INSTANCE_ID
 
# List all buckets across regions
ibmcloud cos list-buckets --ibm-service-instance-id INSTANCE_ID --region us-east

6.2 Bucket ACL & Policy Testing

bash
# Check if bucket is public (READ access for AllUsers)
ibmcloud cos get-bucket-acl --bucket BUCKET_NAME --region us-east
 
# Check bucket CORS configuration
ibmcloud cos get-bucket-cors --bucket BUCKET_NAME --region us-east
 
# Check bucket policy
ibmcloud cos get-bucket-policy --bucket BUCKET_NAME --region us-east

6.3 S3 REST API Abuse (Direct API)

bash
# Get HMAC credentials (Service ID API key + secret)
# Required for S3 REST API authentication
 
# List objects via S3 REST API
curl -s "https://s3.us-east.cloud-object-storage.appdomain.cloud/BUCKET_NAME" \
-H "Authorization: AWS ACCESS_KEY:SIGNATURE" \
-H "x-amz-date: $(date -u +%Y%m%dT%H%M%SZ)"
 
# If you have valid HMAC credentials, use aws CLI:
aws s3 ls s3://BUCKET_NAME --endpoint-url https://s3.us-east.cloud-object-storage.appdomain.cloud

6.4 Object Enumeration

bash
# List objects in bucket
ibmcloud cos objects --bucket BUCKET_NAME --region us-east
 
# Check object metadata
ibmcloud cos head-object --bucket BUCKET_NAME --key OBJECT_KEY --region us-east

6.5 Public Bucket Test

bash
# Test if bucket is publicly readable (no auth)
curl -skI --max-time 5 "https://s3.us-east.cloud-object-storage.appdomain.cloud/BUCKET_NAME"
 
# Expected (Secure): 403 Forbidden
# Risk: 200 OK with bucket listing

7. Secrets Manager

7.1 Instance Discovery

bash
# List Secrets Manager instances
ibmcloud resource service-instances --service-name secrets-manager --output JSON
 
# Get instance details
ibmcloud resource service-instance INSTANCE_NAME --output JSON

7.2 Secret Group Enumeration

bash
# List secret groups
ibmcloud sm secret-groups --instance-id INSTANCE_ID --output json
 
# Via REST API
curl -s -H "Authorization: Bearer $TOKEN" \
"https://{guid}.us-east.secrets-manager.appdomain.cloud/api/v2/secret_groups" | jq '.secret_groups[] | {id, name, created_by}'

7.3 Secret Inventory

bash
# List all secrets (metadata only)
ibmcloud sm secrets --instance-id INSTANCE_ID --output json
 
# Via REST API
curl -s -H "Authorization: Bearer $TOKEN" \
"https://{guid}.us-east.secrets-manager.appdomain.cloud/api/v2/secrets" | jq '
.secrets[] | {
name: .name,
id: .id,
secret_type: .secret_type,
created_by: .created_by,
expiration_date: .expiration_date,
locks_total: .locks_total,
versions_total: .versions_total
}'

7.4 Secret Payload Access Test

bash
# Attempt to read secret payload (requires secrets-manager.secret.read)
ibmcloud sm secret --secret-id SECRET_ID --instance-id INSTANCE_ID --output json
 
# Via REST API
curl -s -H "Authorization: Bearer $TOKEN" \
"https://{guid}.us-east.secrets-manager.appdomain.cloud/api/v2/secrets/{secret_id}" | jq '.'
 
# Expected (Permission Denied): {"error_code":"FORBIDDEN","message":"You do not have the required permissions"}
# Expected (Success): Full secret payload with credentials

7.5 Secret Version Enumeration

bash
# List versions of a secret
curl -s -H "Authorization: Bearer $TOKEN" \
"https://{guid}.us-east.secrets-manager.appdomain.cloud/api/v2/secrets/{secret_id}/versions" | jq '.versions[] | {id, payload_available, creation_date}'

7.6 Network Exposure Check

bash
# Check if Secrets Manager has public endpoints
ibmcloud resource service-instance INSTANCE_NAME --output JSON | jq '.extensions.public_endpoints'
 
# Expected (Secure): "public_and_private" or "private-only"
# Risk: Unrestricted public access with weak IAM controls

8. Key Protect (KMS)

8.1 Key Enumeration

bash
# List Key Protect instances
ibmcloud resource service-instances --service-name kms --output JSON
 
# List keys in instance
ibmcloud kp keys --instance-id INSTANCE_ID
 
# Via REST API
curl -s -H "Authorization: Bearer $TOKEN" \
"https://us-east.kms.cloud.ibm.com/api/v2/keys" | jq '.resources[] | {id, name, algorithm_type, key_ring_id, state}'

8.2 Key Policy & Access Test

bash
# Get key details (may be blocked)
ibmcloud kp key KEY_ID --instance-id INSTANCE_ID
 
# Via REST API
curl -s -H "Authorization: Bearer $TOKEN" \
"https://us-east.kms.cloud.ibm.com/api/v2/keys/{key_id}" | jq '.'

8.3 IKS Root Key Identification

bash
# Check which keys are used for IKS encryption
ibmcloud kp keys --instance-id INSTANCE_ID --output json | jq '.resources[] | select(.name | contains("iks") or contains("cluster"))'

9. Schematics Workspace Enumeration

9.1 Workspace Discovery

bash
# List workspaces via CLI
ibmcloud schematics workspace list
 
# Via REST API (most reliable)
curl -s -H "Authorization: Bearer $TOKEN" \
"https://schematics.cloud.ibm.com/v1/workspaces?resource_group=YOUR_RG_ID" | jq '.workspaces[] | {name: .name, id: .id, status: .status, created_by: .created_by}'

9.2 Variable Store Extraction

bash
# Get workspace details including variable store
curl -s -H "Authorization: Bearer $TOKEN" \
"https://schematics.cloud.ibm.com/v1/workspaces/{workspace_id}" | jq '.template_data[0].variablestore'
 
# Look for:
# - ibmcloud_api_key (may be encrypted as $SCHEMATICSSECRET$...)
# - cluster IDs
# - instance GUIDs
# - private_endpoint settings
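
Reading a variable store by eye works for one workspace; across many it helps to sort the entries into what is properly encrypted (`$SCHEMATICSSECRET$` prefix), what looks sensitive but is stored in plaintext, and the identifiers (cluster IDs, GUIDs, endpoint settings) listed above. The Python below is an added example, not part of the cheatsheet: the workspace document is a constructed sample holding only `template_data[].variablestore`, every value is made up, and the per-entry `secure` flag is assumed to be how Schematics marks a sensitive variable (the page itself only mentions the `$SCHEMATICSSECRET$` encoding).

```python
# Constructed sample in the shape of GET /v1/workspaces/{workspace_id}, reduced to
# template_data[].variablestore. The "secure" flag is an assumed field; values are made up.
SAMPLE_WORKSPACE = {
    "template_data": [{
        "variablestore": [
            {"name": "ibmcloud_api_key", "value": "$SCHEMATICSSECRET$constructed-ciphertext", "secure": True},
            {"name": "db_password", "value": "Constructed-Plaintext-Pw", "secure": False},
            {"name": "registry_token", "value": "", "secure": True},
            {"name": "cluster_id", "value": "constructed-cluster-id", "secure": False},
            {"name": "cos_instance_guid", "value": "constructed-guid", "secure": False},
            {"name": "private_endpoint", "value": "false", "secure": False},
        ],
    }],
}

ENCRYPTED_PREFIX = "$SCHEMATICSSECRET$"
SENSITIVE_HINTS = ("api_key", "apikey", "password", "passwd", "secret", "token", "private_key")
INVENTORY_HINTS = ("cluster", "guid", "instance_id", "endpoint")


def looks_sensitive(name: str) -> bool:
    """Name-based heuristic: does this variable probably hold a credential?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SENSITIVE_HINTS)


def audit_variablestore(workspace: dict) -> dict:
    """Split variablestore entries into encrypted, plaintext-sensitive, settings and inventory."""
    out = {"encrypted": [], "plaintext_sensitive": [], "settings": {}, "inventory": {}}
    for template in workspace.get("template_data", []):
        for var in template.get("variablestore", []):
            name = var.get("name", "")
            value = "" if var.get("value") is None else str(var["value"])
            secure = bool(var.get("secure", False))
            if value.startswith(ENCRYPTED_PREFIX):
                out["encrypted"].append(name)          # protected by Schematics
            elif looks_sensitive(name) and value and not secure:
                out["plaintext_sensitive"].append(name)  # readable by anyone with workspace view
            elif name == "private_endpoint":
                out["settings"][name] = value           # "false" means public service endpoints
            elif any(hint in name.lower() for hint in INVENTORY_HINTS):
                out["inventory"][name] = value          # ids worth carrying into later sections
    return out


if __name__ == "__main__":
    # On an engagement, json.load() the saved curl output from above instead.
    report = audit_variablestore(SAMPLE_WORKSPACE)
    for key in ("encrypted", "plaintext_sensitive", "settings", "inventory"):
        print("%-20s %s" % (key + ":", report[key]))
```

The `plaintext_sensitive` list is the finding; the `encrypted` list is the control working as intended, and `inventory` feeds the IKS, COS and Secrets Manager sections without re-deriving the ids by hand.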

9.3 Action History (Plan/Apply Logs)

bash
# Get workspace actions
curl -s -H "Authorization: Bearer $TOKEN" \
"https://schematics.cloud.ibm.com/v1/workspaces/{workspace_id}/actions" | jq '
.actions[] | select(.name == "TERRAFORM_COMMANDS") |
{
action_id: .action_id,
status: .status,
performed_by: .performed_by,
performed_at: .performed_at,
commands: .terraform_commands.commands,
log_url: .templates[0].log_url
}'

9.4 Terraform Log Download

bash
# Download full Terraform execution logs
curl -s -H "Authorization: Bearer $TOKEN" \
"https://schematics.cloud.ibm.com/v1/workspaces/{workspace_id}/runtime_data/{template_id}/log_store/actions/{action_id}"
 
# Logs contain:
# - Terraform plan output (resource configurations)
# - Variable values (some may be masked)
# - Error messages (may leak sensitive info)
# - Provider versions
# - Module sources

9.5 State Store Access Test

bash
# Attempt to download Terraform state (usually blocked)
curl -s -H "Authorization: Bearer $TOKEN" \
"https://schematics.cloud.ibm.com/v1/workspaces/{workspace_id}/template_data/{template_id}/state"
 
# Expected (Secure): 403 Forbidden
# Risk: 200 OK with full Terraform state (contains ALL resource attributes including secrets)

10. Load Balancers & Network Exposure

10.1 Load Balancer Enumeration

bash
# List all load balancers
ibmcloud is load-balancers --output JSON
 
# Get LB details
curl -s -H "Authorization: Bearer $TOKEN" \
"https://us-east.iaas.cloud.ibm.com/v1/load_balancers?version=2024-03-26&generation=2" | jq '
.load_balancers[] | {
name: .name,
id: .id,
hostname: .hostname,
is_public: .is_public,
subnets: [.subnets[].name],
security_groups: [.security_groups[].name],
listeners: [.listeners[].port]
}'

10.2 Backend Pool Enumeration

bash
# Get backend pools for a specific LB
curl -s -H "Authorization: Bearer $TOKEN" \
"https://us-east.iaas.cloud.ibm.com/v1/load_balancers/{lb_id}/pools?version=2024-03-26&generation=2" | jq '
.pools[] | {
name: .name,
protocol: .protocol,
health_monitor: .health_monitor,
members: [.members[].target]
}'

10.3 Public Endpoint Testing

bash
# Test if LB is reachable from internet
LB_IP="<ARGOCD_PUBLIC_IP>"
curl -skI --max-time 5 "https://${LB_IP}/"
 
# Check for exposed APIs (common Kubernetes/ArgoCD paths)
for path in /api/version /api/v1/settings /healthz /swagger-ui /login /auth; do
STATUS=$(curl -sk --max-time 3 -o /dev/null -w "%{http_code}" "https://${LB_IP}${path}")
echo "${path}: HTTP ${STATUS}"
done

10.4 DNS Resolution Check

bash
# Check if LB IPs are exposed via DNS
host demo.example.com
nslookup demo.example.com
 
# Check for direct IP exposure vs CDN/WAF protection
dig +short demo.example.com

11. Security Group Analysis

11.1 Security Group Enumeration

bash
# List all security groups
ibmcloud is security-groups --output JSON
 
# Get rules for a specific SG
ibmcloud is security-group-rules SECURITY_GROUP_ID --output JSON

11.2 Inbound Any/Any Detection

bash
# Find SGs that allow inbound from 0.0.0.0/0 on all ports
ibmcloud is security-groups --output JSON | jq '
.[] | select(.rules != null) |
{
name: .name,
bad_rules: [.rules[]? | select(.direction == "inbound" and .remote.cidr_block == "0.0.0.0/0" and .protocol == "all")]
} | select(.bad_rules | length > 0)'

# Find SGs that allow specific dangerous ports from internet
# --argjson keeps $port numeric: comparing port_min/port_max as strings gives
# wrong answers ("10250" <= "22" is true). Rules with protocol "all" carry no
# port fields, so treat them as 1-65535.
for port in 22 3389 6443 2379 2380 10250 10255 30000; do
echo "=== Port ${port} ==="
ibmcloud is security-groups --output JSON | jq -r --argjson port "$port" '
.[] | select(.rules != null) |
{
name: .name,
rules: [.rules[]? | select(.direction == "inbound" and .remote.cidr_block == "0.0.0.0/0" and ((.port_min // 1) <= $port and (.port_max // 65535) >= $port))]
} | select(.rules | length > 0) | .name'
done

11.3 Security Group Rule Matrix

bash
# Generate a summary table of all SG rules
curl -s -H "Authorization: Bearer $TOKEN" \
"https://us-east.iaas.cloud.ibm.com/v1/security_groups?version=2024-03-26&generation=2" | jq '
.security_groups[] | {
name: .name,
rule_count: (.rules | length),
inbound_any: ([.rules[]? | select(.direction == "inbound" and .remote.cidr_block == "0.0.0.0/0" and .protocol == "all")] | length),
rules: [.rules[]? | select(.direction == "inbound") | {protocol, port_min, port_max, remote: .remote.cidr_block}]
}'
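
Two edge cases matter whenever security group rules are filtered, whether for the NodePort check in 5.6, the port loop in 11.2 or the matrix in 11.3: a rule with protocol `all` has no `port_min`/`port_max` at all, and a `1-65535` rule covers the NodePort range without either bound equalling 30000 or 32767, so only a numeric span-overlap test catches it. The Python below is an added example, not part of the cheatsheet, that builds the 11.3 matrix with those cases handled. The security groups are a constructed sample in the shape of `ibmcloud is security-groups --output JSON` (reduced to direction, protocol, ports and remote), with made-up names; the port-to-service labels are the example's own and the port list is the one from the 11.2 loop.

```python
# Constructed sample in the shape of `ibmcloud is security-groups --output JSON`
# (trimmed to direction/protocol/ports/remote). Names and ids are made up.
SAMPLE_SECURITY_GROUPS = [
    {
        "name": "sg-any-any",
        "rules": [
            {"direction": "inbound", "protocol": "all", "remote": {"cidr_block": "0.0.0.0/0"}},
            {"direction": "outbound", "protocol": "all", "remote": {"cidr_block": "0.0.0.0/0"}},
        ],
    },
    {
        "name": "sg-k8s-master",
        "rules": [
            {"direction": "inbound", "protocol": "tcp", "port_min": 6443, "port_max": 6443,
             "remote": {"cidr_block": "0.0.0.0/0"}},
            {"direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
             "remote": {"cidr_block": "10.0.0.0/8"}},
        ],
    },
    {
        "name": "sg-iks-workers",
        "rules": [
            # A 1-65535 rule covers the NodePort range although neither bound is 30000 or 32767.
            {"direction": "inbound", "protocol": "tcp", "port_min": 1, "port_max": 65535,
             "remote": {"cidr_block": "0.0.0.0/0"}},
            # SG-to-SG reference: no cidr_block, so not an internet source.
            {"direction": "inbound", "protocol": "all",
             "remote": {"id": "sg-constructed-lb", "name": "sg-lb"}},
        ],
    },
    {
        "name": "sg-private",
        "rules": [
            {"direction": "inbound", "protocol": "tcp", "port_min": 443, "port_max": 443,
             "remote": {"cidr_block": "10.0.0.0/8"}},
        ],
    },
]

NODEPORT_RANGE = (30000, 32767)
# Ports from the 11.2 loop; the service labels are this example's own.
DANGEROUS_PORTS = {
    22: "SSH", 3389: "RDP", 6443: "Kubernetes API", 2379: "etcd client",
    2380: "etcd peer", 10250: "kubelet", 10255: "kubelet read-only",
}


def is_internet_source(rule: dict) -> bool:
    """True when the rule's remote is the whole internet (IPv4 or IPv6 any)."""
    remote = rule.get("remote") or {}
    return remote.get("cidr_block") in ("0.0.0.0/0", "::/0")


def rule_port_span(rule: dict):
    """(low, high) covered by the rule, or None when ports do not apply (icmp)."""
    protocol = rule.get("protocol")
    if protocol == "icmp":
        return None
    if protocol == "all":
        return (1, 65535)  # "all" rules carry no port fields
    return (rule.get("port_min") or 1, rule.get("port_max") or 65535)


def spans_overlap(a, b) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def analyze_security_groups(groups: list) -> list:
    """Per-SG summary: any/any count, NodePort overlap, dangerous ports open to the internet."""
    report = []
    for sg in groups:
        rules = sg.get("rules") or []
        inbound = [r for r in rules if r.get("direction") == "inbound"]
        any_any = [r for r in inbound if is_internet_source(r) and r.get("protocol") == "all"]
        nodeport_exposed = False
        exposed = {}
        for rule in inbound:
            if not is_internet_source(rule):
                continue
            span = rule_port_span(rule)
            if span is None:
                continue
            if spans_overlap(span, NODEPORT_RANGE):
                nodeport_exposed = True
            for port, label in DANGEROUS_PORTS.items():
                if span[0] <= port <= span[1]:
                    exposed[port] = label
        report.append({
            "name": sg.get("name"),
            "rule_count": len(rules),
            "inbound_any_any": len(any_any),
            "nodeport_exposed": nodeport_exposed,
            "internet_exposed_ports": dict(sorted(exposed.items())),
        })
    return report


if __name__ == "__main__":
    # On an engagement, json.load() the saved `ibmcloud is security-groups --output JSON` output.
    for row in analyze_security_groups(SAMPLE_SECURITY_GROUPS):
        print(row)
```

`inbound_any_any` greater than zero is finding C5, a non-empty `internet_exposed_ports` containing 6443 is C3, and `nodeport_exposed` on a worker SG is H1; all three come out of one pass over the same JSON.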

12. Application Testing

12.1 Subdomain Enumeration via Host Header

bash
# If multiple apps share a single LB IP, enumerate via Host header
LB_IP="<LB_PUBLIC_IP>"
for host in demo api app staging admin jenkins grafana prometheus vault gitlab; do
STATUS=$(curl -sk --max-time 3 -H "Host: ${host}.example.com" -o /dev/null -w "%{http_code}" "https://${LB_IP}/")
echo "${host}.example.com: HTTP ${STATUS}"
done

12.2 Client-Side Secret Extraction

bash
# Download page and extract API keys, tokens, config values
curl -skL --max-time 10 "https://demo.example.com/" | grep -oE '[A-Z0-9]{4,5}-[A-Z0-9]{4,5}-[A-Z0-9]{4,5}-[A-Z0-9]{4,5}-[A-Z0-9]{4,5}'

# Extract JavaScript config objects
curl -skL --max-time 10 "https://demo.example.com/" | grep -oE 'window\.[a-zA-Z0-9_]+="[^"]*"|var [a-zA-Z0-9_]+="[^"]*"'

# Extract Akamai/mPulse config
curl -skL --max-time 10 "https://demo.example.com/" | grep -oE 'ak\.[a-z]+="[^"]*"'

12.3 API Endpoint Enumeration

bash
# Test common API paths
for path in /api/v1/ /api/v2/ /api/v3/ /api/v4/ /health /status /actuator/health /swagger-ui.html /api-docs /v2/api-docs /graphql /rest; do
STATUS=$(curl -sk --max-time 3 -o /dev/null -w "%{http_code}" "https://demo.example.com${path}")
echo "${path}: HTTP ${STATUS}"
done

12.4 CORS Testing

bash
# Check CORS configuration
curl -skI --max-time 5 -H "Origin: https://evil.com" "https://demo.example.com/api/v1/login" | grep -iE 'access-control-allow-origin|access-control-allow-credentials'
 
# Expected (Secure): No Access-Control-Allow-Origin header or strict origin matching
# Risk: `Access-Control-Allow-Origin: *` + `Access-Control-Allow-Credentials: true`
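
Grepping the two headers tells you they are present; rating the response still needs the Origin you sent compared against what came back, since a server that reflects any origin is a different (and worse) case from one that answers `*`. The Python below is an added example, not part of the cheatsheet: it parses a raw `curl -skI` response and classifies it with the probe origin from the command above. The five responses are constructed, not captured from any host, and the SECURE/LOW/MEDIUM/RISK/CRITICAL labels are the example's own.

```python
# Constructed raw responses in the form `curl -skI` prints them. Made up, not
# captured from any real host. "reflected_creds" echoes the probe Origin back.
SAMPLE_RESPONSES = {
    "no_cors": "HTTP/2 200\r\ncontent-type: application/json\r\n\r\n",
    "strict": "HTTP/2 200\r\naccess-control-allow-origin: https://demo.example.com\r\nvary: Origin\r\n\r\n",
    "wildcard": "HTTP/2 200\r\nAccess-Control-Allow-Origin: *\r\n\r\n",
    "wildcard_creds": "HTTP/2 200\r\nAccess-Control-Allow-Origin: *\r\n"
                      "Access-Control-Allow-Credentials: true\r\n\r\n",
    "reflected_creds": "HTTP/2 200\r\nAccess-Control-Allow-Origin: https://evil.com\r\n"
                       "Access-Control-Allow-Credentials: TRUE\r\n\r\n",
}
PROBE_ORIGIN = "https://evil.com"  # the Origin value sent in the curl probe above


def parse_response_headers(raw: str) -> dict:
    """Header name (lower-cased) -> list of values, from a raw HTTP header block."""
    headers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def classify_cors(raw_response: str, probe_origin: str = PROBE_ORIGIN) -> tuple:
    """Rate a CORS response to a foreign Origin; the labels are this example's own."""
    h = parse_response_headers(raw_response)
    acao_values = h.get("access-control-allow-origin", [])
    creds = any(v.lower() == "true" for v in h.get("access-control-allow-credentials", []))
    if not acao_values:
        return ("SECURE", "no Access-Control-Allow-Origin header: browser blocks cross-origin reads")
    acao = acao_values[-1]  # last value wins if the header is duplicated
    if acao == probe_origin and creds:
        return ("CRITICAL", "arbitrary origin reflected with credentials: authenticated cross-origin reads")
    if acao == "*" and creds:
        # The pair the cheatsheet flags. Browsers refuse to send credentials to a
        # '*' origin, so this is a misconfiguration rather than a direct data leak.
        return ("RISK", "wildcard origin combined with Allow-Credentials: true")
    if acao == probe_origin:
        return ("MEDIUM", "arbitrary origin reflected (unauthenticated responses readable cross-origin)")
    if acao == "*":
        return ("LOW", "wildcard origin without credentials (public data only)")
    return ("SECURE", "strict origin allow-list: " + acao)


if __name__ == "__main__":
    # On an engagement, feed the saved `curl -skI` output for each endpoint instead.
    for label, raw in SAMPLE_RESPONSES.items():
        print("%-16s -> %s" % (label, classify_cors(raw)))
```

Run the probe twice with different `Origin` values before calling a result CRITICAL: reflection of every origin is the finding, whereas a single allow-listed origin that happens to match is not.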

12.5 Rate Limit Testing

bash
# Check for rate limit headers
curl -skI --max-time 5 "https://demo.example.com/api/v1/login" | grep -iE 'limit|rate|retry|x-ratelimit'
 
# Stress test (be careful not to DOS)
for i in {1..20}; do
curl -sk -o /dev/null -w "%{http_code}\n" --max-time 3 "https://demo.example.com/api/v1/login"
done

13. Active Exploitation Techniques

13.1 ArgoCD Exposure Testing

bash
ARGOCD_IP="<ARGOCD_PUBLIC_IP>"
 
# Version disclosure (unauthenticated)
curl -sk --max-time 5 "https://${ARGOCD_IP}/api/version" | jq '.'

# Settings disclosure (unauthenticated)
curl -sk --max-time 5 "https://${ARGOCD_IP}/api/v1/settings" | jq '.'

# Check if SSO/OIDC is configured
curl -sk --max-time 5 "https://${ARGOCD_IP}/api/v1/settings" | jq '.oidcConfig, .dexConfig'

# Check session endpoint
curl -sk --max-time 5 "https://${ARGOCD_IP}/api/v1/session/userinfo"

# Test default credentials (be mindful of rate limiting)
# admin/admin, admin/password, admin/argocd
curl -sk --max-time 5 -X POST "https://${ARGOCD_IP}/api/v1/session" \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"admin"}' | jq '.'

13.2 CVE-2025-59531/59537/59538 (Webhook DoS)

bash
# ArgoCD v3.1.0 webhook DoS — unauthenticated POST crashes server
# Affects: ArgoCD v2.x - v3.1.x
 
curl -sk --max-time 5 -X POST "https://${ARGOCD_IP}/api/webhook" \
-H "Content-Type: application/json" \
-d '{"malformed":"payload"}'
 
# Verify server recovered
curl -sk --max-time 10 "https://${ARGOCD_IP}/healthz"

13.3 Kubernetes API Testing

bash
K8S_IP="<K8S_API_PUBLIC_IP>"
 
# Test native K8s API endpoint
curl -skv --max-time 5 "https://${K8S_IP}:6443/api" 2>&1 | head -20
 
# Check if API is reachable at all
timeout 5 bash -c "echo > /dev/tcp/${K8S_IP}/6443" && echo "OPEN" || echo "CLOSED/TIMEOUT"

13.4 COS S3 API Abuse

bash
# List buckets with extracted HMAC credentials
aws s3 ls --endpoint-url https://s3.us-east.cloud-object-storage.appdomain.cloud
 
# List objects in a bucket
aws s3 ls s3://BUCKET_NAME --endpoint-url https://s3.us-east.cloud-object-storage.appdomain.cloud
 
# Check object ACL
aws s3api get-object-acl --bucket BUCKET_NAME --key OBJECT_KEY \
--endpoint-url https://s3.us-east.cloud-object-storage.appdomain.cloud

14. Test Cases Matrix

14.1 CRITICAL Findings (Confirmed During Testing)

  • C1 ArgoCD Public Exposure: curl -sk "https://ARGOCD_IP/api/version"
  • C2 Native K8s NLB Exposed: curl -skv "https://K8S_IP:6443/api"
  • C3 K8s Master SG Open: check SG rules for port 6443 from 0.0.0.0/0
  • C4 EOL Kubernetes: ibmcloud ks cluster get --cluster ID
  • C5 All SGs Allow Any/Any: check all SGs for 0.0.0.0/0 + all protocols

14.2 HIGH Findings (Confirmed)

  • H1 NodePort Exposed: check IKS worker SG for 30000-32767
  • H2 Permissive Internal SG: check backend security group rules
  • H3 Orphaned Floating IPs: ibmcloud is floating-ips
  • H4 Orphaned Volumes: ibmcloud is volumes
  • H5 Orphaned Snapshots: ibmcloud is snapshots
  • H6 K8s Master SG 0.0.0.0/0: check K8s master security group
  • H7 Network Topology Exposed: instance enumeration
  • H8 Akamai Key Leak: curl ... (client-side extraction, section 12.2)
  • H9 Schematics Variables: curl /workspaces/ID/template_data/.../values

14.3 MEDIUM Findings

  • M1 Secrets Manager Public: check instance endpoints
  • M2 Image Scanning Disabled: ibmcloud ks cluster get --cluster ID
  • M3 DB Subnets Public GW: check DB subnet public gateway
  • M4 Misleading Names: instance status check
  • M5 Backend Unhealthy: LB backend pool health
  • M6 Subdomain Exposure: Host header enumeration
  • M7 EKS in Kubeconfig: cat ~/.kube/config

14.4 Negative Test Cases (Properly Configured)

  • Instance Metadata Service: curl 169.254.169.254
  • User-data Leakage: check instance user_data
  • Console Log Exposure: check instance console logs
  • COS Public Read: curl s3.us-east.../bucket
  • COS Public Write: curl -X PUT s3.../bucket/obj
  • K8s Anonymous Access: curl MASTER/api/v1/namespaces
  • Secrets Payload Access: ibmcloud sm secret --id ID
  • KMS Key Extraction: ibmcloud kp key ID
  • Weak SSL/TLS: SSL scan
  • SSH/RDP on Float IPs: nmap -p22,3389 FLOAT_IP
  • ArgoCD Auth Endpoints: curl /api/v1/applications
  • IP Header Leakage: check X-Forwarded-For

15. Lessons from This Engagement

15.1 What Worked

1. Direct REST API abuse — The CLI has limitations (pagination, field filtering). Using the bearer token directly unlocked access to Schematics logs, full SG rules, and workspace details.

2. Systematic enumeration — Going VPC → Subnets → Instances → SGs → LBs → K8s → COS → Secrets → Schematics revealed the full picture. No single service told the whole story.

3. Client-side analysis — The demo application login page contained significant intelligence (mPulse key, Akamai config, JWT architecture, API structure) without any authentication.

4. Log analysis — Schematics Terraform logs contained cluster IDs, instance GUIDs, module versions, and error messages. Failed workspace logs from 2024 were still accessible.

15.2 What Didn't Work (Access Limitations)

  • Admin kubeconfig: A0010 error
  • kubectl access: private endpoint timeout
  • Secret payloads: 403 access_forbidden
  • Schematics state store: 403 Unauthorized
  • Native K8s API: connection timeout
  • ArgoCD login: default passwords failed

15.3 Critical Patterns Observed

1. Complete network segmentation failure — ALL 16 security groups allow inbound ANY/ANY. Zero network isolation.

2. Misleading naming conventions — Instances named "stopped" that are actually running create false confidence.

3. Cross-account KMS dependency — Schematics encrypts API keys using IBM's internal KMS account, creating an uncontrolled trust boundary.

4. Orphaned resource accumulation — 58 volumes + 85 snapshots + multiple floating IPs = massive data exposure surface.

5. Public exposure of management tools — ArgoCD, K8s API NLB, NodePort range all exposed to internet.


16. References & Documentation

IBM Cloud Official Docs

CVEs Identified

  • CVE-2024-37152 — ArgoCD settings auth bypass (passwordPattern exposure)
  • CVE-2025-55190 — ArgoCD project API token credential leak
  • CVE-2025-59531/59537/59538 — ArgoCD webhook DoS (unauthenticated POST crashes server)

IBM Cloud Service Endpoints

  • IAM: https://iam.cloud.ibm.com
  • Resource Controller: https://resource-controller.cloud.ibm.com
  • VPC IaaS: https://{region}.iaas.cloud.ibm.com
  • Schematics: https://schematics.cloud.ibm.com
  • COS S3: https://s3.{region}.cloud-object-storage.appdomain.cloud
  • Secrets Manager: https://{guid}.{region}.secrets-manager.appdomain.cloud
  • Key Protect: https://{region}.kms.cloud.ibm.com

Tools Used

  • ibmcloud CLI (v2.43.0)
  • curl / jq
  • aws CLI (for COS S3 API)
  • kubectl (for K8s analysis)
  • host / dig / nslookup (DNS analysis)

Document compiled from active penetration testing against a real IBM Cloud environment. All commands verified during read-only enumeration. No modifications were made. Date: 2026-05-13
