[hw] hackerswar
IBM Cloud Penetration Test & Configuration

DISCLAIMER: All commands in this cheatsheet were verified during a real engagement. Use only on systems you are authorized to test.


1. Prerequisites & Authentication

Install IBM Cloud CLI

bash
# Download from https://cloud.ibm.com/docs/cli
# Or use package manager
curl -fsSL https://clis.cloud.ibm.com/install/linux | sh
 
# Verify installation
ibmcloud --version
 
# Install required plugins
ibmcloud plugin install vpc-infrastructure
ibmcloud plugin install container-service
ibmcloud plugin install cloud-object-storage
ibmcloud plugin install secrets-manager

Authentication Methods

bash
# Login with an API key (a user key or a Service ID key; both are plain IAM API keys)
ibmcloud login --apikey YOUR_API_KEY -r us-east -g YOUR_RESOURCE_GROUP
 
# Keep the key out of shell history: read it from the environment (the CLI also picks up
# IBMCLOUD_API_KEY on its own) or from a file (raw key or the JSON downloaded from the console)
ibmcloud login --apikey "$IBMCLOUD_API_KEY" -r us-east
ibmcloud login --apikey @/path/to/apikey.json -r us-east
 
# Interactive login (prompts for email/password + MFA; not available for Service IDs)
ibmcloud login -r us-east -g YOUR_RESOURCE_GROUP
 
# Service IDs use API keys just like users
ibmcloud login --apikey "$SERVICE_ID_API_KEY" -r us-east

Post-Login Verification

bash
# Confirm who you are and what you are targeting (account, region, resource group)
ibmcloud target
 
# Raw tokens (the IAM bearer token, plus a UAA token if a Cloud Foundry endpoint is targeted)
ibmcloud iam oauth-tokens
 
# Get account details
ibmcloud account show
 
# List available regions
ibmcloud regions
 
# List resource groups
ibmcloud resource groups

Expected Output (Healthy):

text
Account: <ACCOUNT_ID>
Region: us-east
Resource Group: <RESOURCE_GROUP_NAME> (<RESOURCE_GROUP_ID>)
User: <SERVICE_ID>

2. Token Extraction & Direct REST API Abuse

The IBM Cloud CLI is a wrapper around REST APIs. Extracting the bearer token allows you to bypass CLI limitations and hit APIs directly.

Extract IAM Bearer Token

bash
# Method 1: From ibmcloud CLI (take the last field so the CLI's column spacing does not matter)
TOKEN=$(ibmcloud iam oauth-tokens | awk '/IAM token/ {print $NF}')
 
# Method 2: Decode the payload to see who the token represents. JWT segments are base64url
# without padding, so restore the padding first; a bare `base64 -d` can truncate the JSON.
jwt_payload() {
  local p
  p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#p} % 4 )) -ne 0 ]; do p="${p}="; done
  printf '%s' "$p" | base64 -d
}
jwt_payload "$TOKEN" | jq '.'
 
# Key fields to check:
# - iam_id: who you are (IBMid-... for users, iam-ServiceId-... for Service IDs, iam-Profile-... for trusted profiles)
# - account.bss: account ID
# - grant_type: how you authenticated (urn:ibm:params:oauth:grant-type:apikey for API keys)
# - exp: expiry as a Unix timestamp; IAM tokens live about an hour, so re-extract after that
# - scope: the OAuth scope ("ibm openid"); region and resource group targeting is CLI-side state, not a token claim
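The same decode in Python, as an added example that is not part of the original cheatsheet: it restores the base64url padding that JWT segments drop (the thing a plain `base64 -d` trips over), accepts the `Bearer ...` form the CLI prints, and summarizes the claims a tester checks first. The token it decodes is constructed locally from placeholder claims laid out like an IBM Cloud IAM token (`iam_id`, `account.bss`, `grant_type`, `scope`, `exp`); nothing here contacts IAM.

```python
import base64
import json
import time

# Constructed sample claims mirroring the shape of an IBM Cloud IAM token (placeholder values).
SAMPLE_CLAIMS = {
    "iam_id": "iam-ServiceId-00000000-0000-4000-8000-000000000000",
    "id": "iam-ServiceId-00000000-0000-4000-8000-000000000000",
    "account": {"valid": True, "bss": "0123456789abcdef0123456789abcdef", "frozen": False},
    "grant_type": "urn:ibm:params:oauth:grant-type:apikey",
    "scope": "ibm openid",
    "iat": 1700000000,
    "exp": 1700003600,
    "iss": "https://iam.cloud.ibm.com/identity",
}


def _b64url_encode(raw: bytes) -> str:
    """base64url without the trailing '=' padding, the way JWT segments are written."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Restore the padding JWTs strip; unpadded input is rejected or truncated by plain decoders."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT in 'Bearer <jwt>' form (signature segment left empty)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode("utf-8"))
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    return f"Bearer {header}.{payload}."


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT without verifying the signature (fine for inspecting your own token)."""
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def summarize_iam_token(claims: dict, now=None) -> dict:
    """Pull out what a tester checks first: who, which account, how, and how long it lasts."""
    now = time.time() if now is None else now
    iam_id = claims.get("iam_id", "")
    if iam_id.startswith("iam-ServiceId-"):
        principal = "service-id"
    elif iam_id.startswith("iam-Profile-"):
        principal = "trusted-profile"
    else:
        principal = "user"
    exp = int(claims.get("exp", 0))
    return {
        "iam_id": iam_id,
        "principal_type": principal,
        "account_id": (claims.get("account") or {}).get("bss"),
        "grant_type": claims.get("grant_type"),
        "scope": claims.get("scope"),
        "seconds_remaining": exp - int(now),
        "expired": exp <= now,
    }


if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_CLAIMS)
    print(json.dumps(summarize_iam_token(decode_jwt_payload(token), now=1700000000), indent=2))
```

To run it against a real token, pass the output of `ibmcloud iam oauth-tokens` to `decode_jwt_payload`; the summary tells you whether you hold a user, Service ID or trusted-profile identity before you start hitting APIs with it.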

Token Verification

bash
# Check remaining lifetime locally (exp is a Unix timestamp; the JWT payload needs its base64 padding restored)
P=$(printf '%s' "$TOKEN" | cut -d. -f2 | tr '_-' '/+'); while [ $(( ${#P} % 4 )) -ne 0 ]; do P="${P}="; done
echo "$(( $(printf '%s' "$P" | base64 -d | jq -r '.exp') - $(date +%s) ))s left"
 
# Prove the token is accepted with a cheap authenticated call: 200 = valid, 401 = expired or revoked
curl -s -o /dev/null -w "%{http_code}\n" -H "Authorization: Bearer $TOKEN" \
"https://resource-controller.cloud.ibm.com/v2/resource_instances?limit=1"

Using Token for Direct API Calls

bash
# Set once, use everywhere (both values are in `ibmcloud target --output JSON`, under .account.guid and .resource_group.guid)
ACCOUNT="<ACCOUNT_ID>"
RG="<RESOURCE_GROUP_ID>"
TOKEN=$(ibmcloud iam oauth-tokens | awk '/IAM token/ {print $NF}')
 
# Generic pattern for all IBM Cloud APIs
curl -s -H "Authorization: Bearer $TOKEN" \
"https://{service}.cloud.ibm.com/v1/{endpoint}"

Common IBM Cloud API Endpoints:

  • IAM: https://iam.cloud.ibm.com/v1/
  • Resource Controller: https://resource-controller.cloud.ibm.com/v2/
  • VPC IaaS: https://{region}.iaas.cloud.ibm.com/v1/ (every call needs a version=YYYY-MM-DD query parameter; the examples below also pass generation=2)
  • Schematics: https://schematics.cloud.ibm.com/v1/
  • Secrets Manager: https://{guid}.us-east.secrets-manager.appdomain.cloud/api/v2/ (per-instance hostname)
  • Key Protect: https://us-east.kms.cloud.ibm.com/api/v2/ (plus a Bluemix-Instance: {instance_guid} header on every request)
  • COS S3: https://s3.us-east.cloud-object-storage.appdomain.cloud/
  • IKS: https://containers.cloud.ibm.com/global/v1/

3. IAM Enumeration

3.1 Account & Identity Information

bash
# Who am I?
ibmcloud target
ibmcloud account show
 
# The full identity (iam_id, account.bss, grant_type, exp) lives in the IAM token claims; decode it as shown in section 2

3.2 Service ID Enumeration

bash
# List all Service IDs in account (iam_id here is what policies reference as their subject)
ibmcloud iam service-ids --output JSON
ibmcloud iam service-ids --output JSON | jq -r '.[] | "\(.iam_id) \(.name)"'
 
# Deep enumeration via REST API: every policy whose subject is a Service ID
curl -s -H "Authorization: Bearer $TOKEN" \
"https://iam.cloud.ibm.com/v1/policies?account_id=${ACCOUNT}" | jq '
.policies[] |
select(.subjects[0].attributes[0].name == "iam_id" and (.subjects[0].attributes[0].value | startswith("iam-ServiceId"))) |
{
serviceid: .subjects[0].attributes[0].value,
roles: [.roles[].display_name],
resources: [.resources[].attributes[] | select(.name == "serviceName" or .name == "resourceType") | .value]
}'
 
# List the API keys owned by a Service ID (names and dates only; key material is never returned after creation)
ibmcloud iam service-api-keys SERVICE_ID_NAME_OR_ID --output JSON

What to Look For:

  • Service IDs with the Administrator role, or any role above Viewer on a policy with no serviceName attribute (applies to every IAM-enabled service)
  • Service IDs with Manager on cloud-object-storage (full bucket and object access)
  • Service IDs with Administrator on sysdig-secure (monitoring compromise)
  • Service IDs with rights on the account-management services iam-identity or iam-groups (can mint API keys for other identities or add members to access groups: a direct privilege escalation path)

3.3 Access Policy Enumeration

bash
# List all policies for account (the subject attribute is iam_id for users/Service IDs and access_group_id for groups)
curl -s -H "Authorization: Bearer $TOKEN" \
"https://iam.cloud.ibm.com/v1/policies?account_id=${ACCOUNT}" | jq '
.policies[] | {
subject_type: .subjects[0].attributes[0].name,
subject: .subjects[0].attributes[0].value,
roles: [.roles[].display_name],
resources: [.resources[].attributes[] | {name, value}]
}'
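An added example (not from the original page) that turns the raw policy listing from 3.2 and 3.3 into a ranked list of the findings called out above: Administrator anywhere, any real role on a policy with no serviceName (account-wide), Manager on cloud-object-storage, and elevated rights on the IAM account-management services. The input is a constructed `policies` document in the shape returned by `GET /v1/policies?account_id=...`, with placeholder ids; feed it the real response to triage an account.

```python
from typing import Dict, List

# Constructed sample in the shape of GET https://iam.cloud.ibm.com/v1/policies?account_id=...
# (placeholder ids and account; not real policies).
SAMPLE_POLICIES = {
    "policies": [
        {
            "id": "policy-1",
            "type": "access",
            "subjects": [{"attributes": [{"name": "iam_id", "value": "iam-ServiceId-aaaa0000"}]}],
            "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Administrator",
                       "display_name": "Administrator"}],
            "resources": [{"attributes": [{"name": "accountId", "value": "acc-0000"}]}],
        },
        {
            "id": "policy-2",
            "type": "access",
            "subjects": [{"attributes": [{"name": "iam_id", "value": "iam-ServiceId-bbbb0000"}]}],
            "roles": [{"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
                       "display_name": "Manager"}],
            "resources": [{"attributes": [{"name": "accountId", "value": "acc-0000"},
                                           {"name": "serviceName", "value": "cloud-object-storage"}]}],
        },
        {
            "id": "policy-3",
            "type": "access",
            "subjects": [{"attributes": [{"name": "access_group_id", "value": "AccessGroupId-cccc0000"}]}],
            "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Viewer", "display_name": "Viewer"}],
            "resources": [{"attributes": [{"name": "accountId", "value": "acc-0000"},
                                           {"name": "serviceName", "value": "kms"}]}],
        },
    ]
}

LOW_PRIV_ROLES = {"Viewer", "Reader"}
# Account-management services where anything above Viewer lets you mint credentials or change memberships.
ACCOUNT_CONTROL_SERVICES = {"iam-identity", "iam-groups", "iam-access-management"}


def _attrs(entries: List[dict]) -> Dict[str, str]:
    """Flatten [{"attributes": [{"name": ..., "value": ...}, ...]}, ...] into one dict."""
    return {a["name"]: a["value"] for e in entries for a in e.get("attributes", [])}


def _subject_type(subject: Dict[str, str]) -> str:
    if "access_group_id" in subject:
        return "access-group"
    iam_id = subject.get("iam_id", "")
    if iam_id.startswith("iam-ServiceId-"):
        return "service-id"
    if iam_id.startswith("iam-Profile-"):
        return "trusted-profile"
    return "user"


def find_risky_policies(listing: dict) -> List[dict]:
    """Return only the policies worth a second look, each with the reasons it was flagged."""
    findings = []
    for pol in listing.get("policies", []):
        subject = _attrs(pol.get("subjects", []))
        roles = {r.get("display_name", "") for r in pol.get("roles", [])}
        resources = _attrs(pol.get("resources", []))
        service = resources.get("serviceName")  # absent => every IAM-enabled service
        scope = service or "all IAM-enabled services"
        high_roles = roles - LOW_PRIV_ROLES
        reasons = []
        if "Administrator" in roles:
            reasons.append(f"Administrator on {scope}")
        elif service is None and high_roles:
            reasons.append(f"{'/'.join(sorted(high_roles))} on {scope}")
        if service == "cloud-object-storage" and "Manager" in roles:
            reasons.append("Manager on cloud-object-storage (full bucket and object access)")
        if service in ACCOUNT_CONTROL_SERVICES and high_roles:
            reasons.append(f"{'/'.join(sorted(high_roles))} on {service} (can mint keys or change group membership)")
        if reasons:
            findings.append({
                "policy_id": pol.get("id"),
                "subject": subject.get("iam_id") or subject.get("access_group_id"),
                "subject_type": _subject_type(subject),
                "roles": sorted(roles),
                "service": service or "*",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_risky_policies(SAMPLE_POLICIES):
        print(f"{f['policy_id']}: {f['subject_type']} {f['subject']} -> {'; '.join(f['reasons'])}")
```

Access-group subjects are reported too, because a harmless-looking Service ID inherits everything its groups hold; join the `subject` value back to `ibmcloud iam access-group-members` to see who actually benefits.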

3.4 Access Group Enumeration

bash
# List access groups
ibmcloud iam access-groups --output JSON
 
# Members and policies of each group (membership plus the group's policies is what an identity actually gets)
ibmcloud iam access-group-members GROUP_NAME
ibmcloud iam access-group-policies GROUP_NAME --output JSON

3.5 User Enumeration (Often Restricted)

bash
# List account users (needs Viewer on the User Management service; the CLI wraps the same API)
ibmcloud account users --output JSON
 
curl -s -H "Authorization: Bearer $TOKEN" \
"https://user-management.cloud.ibm.com/v2/accounts/${ACCOUNT}/users" | jq '.resources[]? | {user_id, iam_id, state}'
 
# Empty output or a 403 means this identity cannot read the user list

4. VPC & Infrastructure Enumeration

4.1 VPC Discovery

bash
# List all VPCs
ibmcloud is vpcs --output JSON
 
# Get VPC details
ibmcloud is vpc VPC_ID --output JSON

4.2 Subnet Enumeration

bash
# List all subnets
ibmcloud is subnets --output JSON
 
# Filter by VPC
ibmcloud is subnets --vpc-name VPC_NAME --output JSON

4.3 Instance Enumeration

bash
# List all instances
ibmcloud is instances --output JSON
 
# Deep instance analysis
curl -s -H "Authorization: Bearer $TOKEN" \
"https://us-east.iaas.cloud.ibm.com/v1/instances?version=2024-03-26&generation=2" | jq '
.instances[] | {
name: .name,
id: .id,
status: .status,
profile: .profile.name,
image: .image.name,
vcpu: .vcpu.count,
memory: .memory,
zone: .zone.name,
primary_network_interface: {
ip: .primary_network_interface.primary_ip.address,
subnet: .primary_network_interface.subnet.name,
security_groups: [.primary_network_interface.security_groups[].name]
}
}'

4.4 Floating IP Enumeration

bash
# List floating IPs
ibmcloud is floating-ips --output JSON
 
# Check for unattached (orphaned) floating IPs
ibmcloud is floating-ips --output JSON | jq '.[] | select(.target == null) | {name, id, address}'

4.5 Block Storage Enumeration

bash
# List volumes
ibmcloud is volumes --output JSON
 
# List snapshots
ibmcloud is snapshots --output JSON
 
# Find orphaned volumes: status "available" only means provisioned, so test the attachment list instead
ibmcloud is volumes --output JSON | jq '.[] | select((.volume_attachments // []) | length == 0) | {name, id, capacity, status, encryption}'

4.6 Instance Metadata Service (IMDS) Testing

bash
# From inside a VPC instance: the metadata service is token-gated (PUT for a short-lived token,
# then GET with it). A timeout on the PUT means metadata is disabled for this instance.
MD_TOKEN=$(curl -s -X PUT --max-time 3 \
"http://169.254.169.254/instance_identity/v1/token?version=2022-03-01" \
-H "Metadata-Flavor: ibm" | jq -r '.access_token')
 
curl -s --max-time 3 -H "Authorization: Bearer $MD_TOKEN" \
"http://169.254.169.254/metadata/v1/instance?version=2022-03-01" | jq '{id, name, profile: .profile.name}'
 
# The part that matters for SSRF/RCE on the box: if a trusted profile is linked to the instance,
# the instance identity token can be exchanged for a real IAM token
curl -s -X POST --max-time 3 -H "Authorization: Bearer $MD_TOKEN" \
"http://169.254.169.254/instance_identity/v1/iam_token?version=2022-03-01" | jq '.'
 
# From outside, read the setting per instance (response_hop_limit 1 keeps containers and NAT hops from reaching it)
ibmcloud is instance INSTANCE_ID --output JSON | jq '.metadata_service'

Expected Result (Secure): metadata disabled ("enabled": false), or enabled with response_hop_limit 1 and no trusted profile linked to the instance. Risk: a trusted profile linked to a workload that is reachable through SSRF, which turns a web bug into IAM credentials.


5. Kubernetes (IKS) Deep Enumeration

5.1 Cluster Discovery

bash
# List IKS clusters
ibmcloud ks cluster ls
 
# Get cluster details
ibmcloud ks cluster get --cluster CLUSTER_ID --output JSON

5.2 Kubeconfig Extraction

bash
# Attempt to download kubeconfig
ibmcloud ks cluster config --cluster CLUSTER_ID --output yaml
 
# Check if admin kubeconfig is available (requires Administrator role)
ibmcloud ks cluster config --cluster CLUSTER_ID --admin
# ERROR: A0010 — requires Administrator platform role

5.3 Cluster API Endpoint Analysis

bash
# Get cluster endpoint
ibmcloud ks cluster get --cluster CLUSTER_ID --output JSON | jq -r '.masterURL'
 
# Test if endpoint is reachable (private endpoints will timeout)
MASTER_URL=$(ibmcloud ks cluster get --cluster CLUSTER_ID --output JSON | jq -r '.masterURL')
curl -skv --max-time 5 "$MASTER_URL/api" 2>&1 | head -20
 
# Check if API allows anonymous access
curl -sk --max-time 5 "$MASTER_URL/api/v1/namespaces" | jq -r '.message // .kind'
# Expected: 401/403 with "namespaces is forbidden: User \"system:anonymous\" ..." (secure)
# Risk: "NamespaceList" or a 200 with items (anonymous access enabled)

5.4 Worker Node Enumeration

bash
# List worker nodes
ibmcloud ks workers --cluster CLUSTER_ID --output JSON
 
# Get worker details including security groups
ibmcloud ks worker get --cluster CLUSTER_ID --worker WORKER_ID --output JSON

5.5 Kubernetes Version Check (EOL Check)

bash
# Get cluster version
ibmcloud ks cluster get --cluster CLUSTER_ID --output JSON | jq -r '.masterKubeVersion'
 
# Check against IBM's EOL schedule
# https://cloud.ibm.com/docs/containers?topic=containers-cs_versions
# Kubernetes 1.28 EOS: May 31, 2025

5.6 NodePort Exposure Testing

bash
# Check if the NodePort range (30000-32767) is reachable from the internet: flag rules whose port span overlaps it
# (protocol "all" rules carry no port fields; icmp rules carry type/code instead of ports)
ibmcloud is security-group-rules SECURITY_GROUP_ID --output JSON | jq '
.[] | select(.direction == "inbound" and .remote.cidr_block == "0.0.0.0/0"
and (.protocol == "all" or ((.protocol == "tcp" or .protocol == "udp") and (.port_min // 1) <= 32767 and (.port_max // 65535) >= 30000)))'
 
# Test NodePort services from internet
# Requires kubectl access or network scanning

5.7 Native Kubernetes (Non-IKS) Enumeration

bash
# Look for non-IKS Kubernetes instances (custom masters/workers)
ibmcloud is instances --output JSON | jq '.[] | select(.name | contains("k8s") or contains("master") or contains("worker")) | {name, id, status, primary_network_interface}'

6. Cloud Object Storage (COS)

6.1 Bucket Enumeration

bash
# List COS instances
ibmcloud resource service-instances --service-name cloud-object-storage --output JSON
 
# List buckets in an instance (buckets-extended adds location/region per bucket)
ibmcloud cos buckets --ibm-service-instance-id INSTANCE_ID
ibmcloud cos buckets-extended --ibm-service-instance-id INSTANCE_ID

6.2 Bucket ACL & Policy Testing

bash
# Bucket ACL (legacy S3-style; on IBM COS public access is normally granted through IAM, so check both)
ibmcloud cos get-bucket-acl --bucket BUCKET_NAME --region us-east
 
# Policies on the built-in "Public Access" group: Object Reader/Writer here on a COS instance or bucket means anonymous access
ibmcloud iam access-group-policies "Public Access" --output JSON
 
# Check bucket CORS configuration
ibmcloud cos get-bucket-cors --bucket BUCKET_NAME --region us-east
 
# Check bucket policy
ibmcloud cos get-bucket-policy --bucket BUCKET_NAME --region us-east

6.3 S3 REST API Abuse (Direct API)

bash
# The S3 endpoint accepts the IAM bearer token directly, so no HMAC is needed for a first look
curl -s -H "Authorization: Bearer $TOKEN" \
"https://s3.us-east.cloud-object-storage.appdomain.cloud/BUCKET_NAME"
 
# S3 tooling needs HMAC credentials (access_key_id/secret_access_key), which only exist on
# service keys created with the HMAC parameter; creating one needs write access to the instance
ibmcloud resource service-key-create KEY_NAME Writer --instance-name COS_INSTANCE_NAME --parameters '{"HMAC":true}'
 
# curl 7.75+ can produce the SigV4 Authorization header itself
curl -s --aws-sigv4 "aws:amz:us-east:s3" --user "$ACCESS_KEY:$SECRET_KEY" \
"https://s3.us-east.cloud-object-storage.appdomain.cloud/BUCKET_NAME"
 
# If you have valid HMAC credentials, use aws CLI:
aws s3 ls s3://BUCKET_NAME --endpoint-url https://s3.us-east.cloud-object-storage.appdomain.cloud
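What `--aws-sigv4` and the aws CLI compute for you, written out as an added example (not code from the original page): a stdlib-only AWS Signature Version 4 signer for the COS S3 endpoint. It is the thing to reach for when a tool cannot sign for you, for instance when replaying a captured request with one header changed. The credentials, host and timestamp below are constructed placeholders; the canonical-request layout (method, path, query, sorted lowercase headers, signed header list, body hash) and the key-derivation chain are the standard SigV4 procedure, which COS implements.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Constructed credentials and request (placeholders, not real COS HMAC keys).
SAMPLE_ACCESS_KEY = "0123456789abcdef0123456789abcdef"
SAMPLE_SECRET_KEY = "fedcba9876543210fedcba9876543210fedcba9876543210"
SAMPLE_HOST = "s3.us-east.cloud-object-storage.appdomain.cloud"
SAMPLE_WHEN = datetime.datetime(2024, 1, 1, 0, 0, 0)


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str = "s3") -> bytes:
    """AWS4 key derivation chain: secret -> date -> region -> service -> 'aws4_request'."""
    k = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    for part in (region, service, "aws4_request"):
        k = _hmac_sha256(k, part)
    return k


def sign_s3_request(method, host, path, access_key, secret_key, region, when,
                    canonical_query="", body=b"", extra_headers=None):
    """Return every header to send (host, x-amz-date, x-amz-content-sha256, extras, authorization)
    for one SigV4-signed S3 call. canonical_query must already be sorted and URL-encoded."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    payload_hash = _sha256_hex(body)  # S3 sends the body hash as a header and signs it
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    for name, value in (extra_headers or {}).items():
        headers[name.lower()] = " ".join(value.split())  # canonical form: lowercase name, collapsed whitespace
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{name}:{headers[name]}\n" for name in sorted(headers))
    canonical_request = "\n".join([
        method.upper(), quote(path, safe="/~"), canonical_query,
        canonical_headers, signed_headers, payload_hash,
    ])
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def sample_bucket_listing_headers() -> dict:
    """Headers for GET /example-bucket?list-type=2 against the constructed sample endpoint."""
    return sign_s3_request("GET", SAMPLE_HOST, "/example-bucket", SAMPLE_ACCESS_KEY, SAMPLE_SECRET_KEY,
                           "us-east", SAMPLE_WHEN, canonical_query="list-type=2")


if __name__ == "__main__":
    for name, value in sample_bucket_listing_headers().items():
        print(f"{name}: {value}")
```

Send every header the function returns, not just `authorization`: the server recomputes the signature from `x-amz-date` and `x-amz-content-sha256`, and a clock more than a few minutes off produces a RequestTimeTooSkewed error rather than a signature mismatch.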

6.4 Object Enumeration

bash
# List objects in bucket
ibmcloud cos objects --bucket BUCKET_NAME --region us-east
 
# Check object metadata
ibmcloud cos head-object --bucket BUCKET_NAME --key OBJECT_KEY --region us-east

6.5 Public Bucket Test

bash
# Test if bucket is publicly readable (no auth)
curl -skI --max-time 5 "https://s3.us-east.cloud-object-storage.appdomain.cloud/BUCKET_NAME"
 
# Expected (Secure): 403 Forbidden
# Risk: 200 OK with bucket listing

7. Secrets Manager

7.1 Instance Discovery

bash
# List Secrets Manager instances
ibmcloud resource service-instances --service-name secrets-manager --output JSON
 
# Get instance details
ibmcloud resource service-instance INSTANCE_NAME --output JSON

7.2 Secret Group Enumeration

bash
# List secret groups
ibmcloud sm secret-groups --instance-id INSTANCE_ID --output json
 
# Via REST API
curl -s -H "Authorization: Bearer $TOKEN" \
"https://{guid}.us-east.secrets-manager.appdomain.cloud/api/v2/secret_groups" | jq '.secret_groups[] | {id, name, created_by}'

7.3 Secret Inventory

bash
# List all secrets (metadata only)
ibmcloud sm secrets --instance-id INSTANCE_ID --output json
 
# Via REST API
curl -s -H "Authorization: Bearer $TOKEN" \
"https://{guid}.us-east.secrets-manager.appdomain.cloud/api/v2/secrets" | jq '
.secrets[] | {
name: .name,
id: .id,
secret_type: .secret_type,
created_by: .created_by,
expiration_date: .expiration_date,
locks_total: .locks_total,
versions_total: .versions_total
}'

7.4 Secret Payload Access Test

bash
# Attempt to read secret payload (requires secrets-manager.secret.read)
ibmcloud sm secret --secret-id SECRET_ID --instance-id INSTANCE_ID --output json
 
# Via REST API
curl -s -H "Authorization: Bearer $TOKEN" \
"https://{guid}.us-east.secrets-manager.appdomain.cloud/api/v2/secrets/{secret_id}" | jq '.'
 
# Expected (Permission Denied): {"error_code":"FORBIDDEN","message":"You do not have the required permissions"}
# Expected (Success): Full secret payload with credentials

7.5 Secret Version Enumeration

bash
# List versions of a secret
curl -s -H "Authorization: Bearer $TOKEN" \
"https://{guid}.us-east.secrets-manager.appdomain.cloud/api/v2/secrets/{secret_id}/versions" | jq '.versions[] | {id, payload_available, creation_date}'

7.6 Network Exposure Check

bash
# Check which network the instance API is exposed on (allowed_network is set when the instance is created)
ibmcloud resource service-instance INSTANCE_NAME --output JSON | jq 'if type == "array" then .[0] else . end | {allowed_network: .parameters.allowed_network, endpoints: .extensions.endpoints}'
 
# Expected (Secure): "private-only"
# Risk: "public-and-private" with no context-based restriction, so IAM is the only gate between the internet and the secret API

8. Key Protect (KMS)

8.1 Key Enumeration

bash
# List Key Protect instances (the service name is kms)
ibmcloud resource service-instances --service-name kms --output JSON
 
# List keys in instance
ibmcloud kp keys --instance-id INSTANCE_ID
 
# Via REST API (the Bluemix-Instance header is mandatory: it selects the instance)
curl -s -H "Authorization: Bearer $TOKEN" -H "Bluemix-Instance: INSTANCE_ID" \
"https://us-east.kms.cloud.ibm.com/api/v2/keys" | jq '.resources[] | {id, name, algorithmType, extractable, keyRingID, state}'
# state: 0 = pre-activation, 1 = active, 2 = suspended, 3 = deactivated, 5 = destroyed

8.2 Key Policy & Access Test

bash
# Key metadata and policies (rotation, dual authorization). Root keys (extractable: false) never leave the service;
# a standard key (extractable: true) returns its material on a GET, so read access to one is read access to the secret.
ibmcloud kp key show KEY_ID --instance-id INSTANCE_ID
ibmcloud kp key policies KEY_ID --instance-id INSTANCE_ID
 
# Via REST API
curl -s -H "Authorization: Bearer $TOKEN" -H "Bluemix-Instance: INSTANCE_ID" \
"https://us-east.kms.cloud.ibm.com/api/v2/keys/{key_id}" | jq '.'

8.3 IKS Root Key Identification

bash
# Keys named for IKS/cluster use (naming is a convention, not a binding; confirm against the cluster's KMS configuration)
curl -s -H "Authorization: Bearer $TOKEN" -H "Bluemix-Instance: INSTANCE_ID" \
"https://us-east.kms.cloud.ibm.com/api/v2/keys" | jq '.resources[] | select(.name | test("iks|cluster"; "i")) | {id, name, state}'

9. Schematics Workspace Enumeration

9.1 Workspace Discovery

bash
# List workspaces via CLI
ibmcloud schematics workspace list
 
# Via REST API (most reliable)
curl -s -H "Authorization: Bearer $TOKEN" \
"https://schematics.cloud.ibm.com/v1/workspaces?resource_group=YOUR_RG_ID" | jq '.workspaces[] | {name: .name, id: .id, status: .status, created_by: .created_by}'

9.2 Variable Store Extraction

bash
# Get workspace details including variable store
curl -s -H "Authorization: Bearer $TOKEN" \
"https://schematics.cloud.ibm.com/v1/workspaces/{workspace_id}" | jq '.template_data[0].variablestore'
 
# Look for:
# - ibmcloud_api_key (may be encrypted as $SCHEMATICSSECRET$...)
# - cluster IDs
# - instance GUIDs
# - private_endpoint settings

9.3 Action History (Plan/Apply Logs)

bash
# Get workspace actions
curl -s -H "Authorization: Bearer $TOKEN" \
"https://schematics.cloud.ibm.com/v1/workspaces/{workspace_id}/actions" | jq '
.actions[] | select(.name == "TERRAFORM_COMMANDS") |
{
action_id: .action_id,
status: .status,
performed_by: .performed_by,
performed_at: .performed_at,
commands: .terraform_commands.commands,
log_url: .templates[0].log_url
}'

9.4 Terraform Log Download

bash
# Download full Terraform execution logs
curl -s -H "Authorization: Bearer $TOKEN" \
"https://schematics.cloud.ibm.com/v1/workspaces/{workspace_id}/runtime_data/{template_id}/log_store/actions/{action_id}"
 
# Logs contain:
# - Terraform plan output (resource configurations)
# - Variable values (some may be masked)
# - Error messages (may leak sensitive info)
# - Provider versions
# - Module sources

9.5 State Store Access Test

bash
# Attempt to download the Terraform state (usually blocked for low-privilege identities)
curl -s -o /dev/null -w "%{http_code}\n" -H "Authorization: Bearer $TOKEN" \
"https://schematics.cloud.ibm.com/v1/workspaces/{workspace_id}/runtime_data/{template_id}/state_store"
 
# Workspace-level list of state stores (one per template)
curl -s -H "Authorization: Bearer $TOKEN" \
"https://schematics.cloud.ibm.com/v1/workspaces/{workspace_id}/state_stores" | jq '.'
 
# Expected (Secure): 403 Forbidden
# Risk: 200 OK with full Terraform state (every resource attribute, including values Terraform only marks as sensitive)

10. Load Balancers & Network Exposure

10.1 Load Balancer Enumeration

bash
# List all load balancers
ibmcloud is load-balancers --output JSON
 
# Get LB details (the LB object only references listeners and pools by id; ports come from the listeners call below)
curl -s -H "Authorization: Bearer $TOKEN" \
"https://us-east.iaas.cloud.ibm.com/v1/load_balancers?version=2024-03-26&generation=2" | jq '
.load_balancers[] | {
name: .name,
id: .id,
hostname: .hostname,
is_public: .is_public,
subnets: [.subnets[].name],
security_groups: [.security_groups[]?.name],
listener_ids: [.listeners[].id]
}'
 
# Listener ports and protocols for one LB
curl -s -H "Authorization: Bearer $TOKEN" \
"https://us-east.iaas.cloud.ibm.com/v1/load_balancers/{lb_id}/listeners?version=2024-03-26&generation=2" | jq '
.listeners[] | {port, protocol, default_pool: .default_pool.name}'

10.2 Backend Pool Enumeration

bash
# Get backend pools for a specific LB (members are id references only at this level)
curl -s -H "Authorization: Bearer $TOKEN" \
"https://us-east.iaas.cloud.ibm.com/v1/load_balancers/{lb_id}/pools?version=2024-03-26&generation=2" | jq '
.pools[] | {
name: .name,
id: .id,
protocol: .protocol,
health_monitor: .health_monitor,
member_ids: [.members[]?.id]
}'
 
# Backend targets (instance id or private IP), their port and health
curl -s -H "Authorization: Bearer $TOKEN" \
"https://us-east.iaas.cloud.ibm.com/v1/load_balancers/{lb_id}/pools/{pool_id}/members?version=2024-03-26&generation=2" | jq '
.members[] | {port, health, target}'

10.3 Public Endpoint Testing

bash
# Test if LB is reachable from internet
LB_IP="<LB_PUBLIC_IP>"
curl -skI --max-time 5 "https://${LB_IP}/"
 
# Check for exposed APIs (common Kubernetes/ArgoCD paths)
for path in /api/version /api/v1/settings /healthz /swagger-ui /login /auth; do
STATUS=$(curl -sk --max-time 3 -o /dev/null -w "%{http_code}" "https://${LB_IP}${path}")
echo "${path}: HTTP ${STATUS}"
done

10.4 DNS Resolution Check

bash
# Check if LB IPs are exposed via DNS
host demo.example.com
nslookup demo.example.com
 
# Check for direct IP exposure vs CDN/WAF protection
dig +short demo.example.com

11. Security Group Analysis

11.1 Security Group Enumeration

bash
# List all security groups
ibmcloud is security-groups --output JSON
 
# Get rules for a specific SG
ibmcloud is security-group-rules SECURITY_GROUP_ID --output JSON

11.2 Inbound Any/Any Detection

bash
# Fetch the listing once (the JSON output includes each group's rules)
SGS=$(ibmcloud is security-groups --output JSON)
 
# Find SGs that allow inbound from 0.0.0.0/0 on all protocols and ports
echo "$SGS" | jq '
.[] | select(.rules != null) |
{
name: .name,
bad_rules: [.rules[]? | select(.direction == "inbound" and .remote.cidr_block == "0.0.0.0/0" and .protocol == "all")]
} | select(.bad_rules | length > 0)'
 
# Find SG names that expose specific dangerous ports to the internet. Compare numerically (--argjson):
# as strings "3" sorts after "22", so a string comparison silently misses ranges. Rules with
# protocol "all" have no port fields at all, and icmp rules carry type/code rather than ports.
for port in 22 3389 6443 2379 2380 10250 10255 30000; do
echo "=== Port ${port} ==="
echo "$SGS" | jq -r --argjson port "$port" '
.[] | select(.rules != null) |
select([.rules[]? | select(.direction == "inbound" and .remote.cidr_block == "0.0.0.0/0"
and (.protocol == "all" or ((.protocol == "tcp" or .protocol == "udp") and (.port_min // 1) <= $port and (.port_max // 65535) >= $port)))] | length > 0)
| .name'
done

11.3 Security Group Rule Matrix

bash
# Generate a summary table of all SG rules
curl -s -H "Authorization: Bearer $TOKEN" \
"https://us-east.iaas.cloud.ibm.com/v1/security_groups?version=2024-03-26&generation=2" | jq '
.security_groups[] | {
name: .name,
rule_count: (.rules | length),
inbound_any: ([.rules[]? | select(.direction == "inbound" and .remote.cidr_block == "0.0.0.0/0" and .protocol == "all")] | length),
rules: [.rules[]? | select(.direction == "inbound") | {protocol, port_min, port_max, remote: .remote.cidr_block}]
}'
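One Python pass over the VPC `security_groups` listing, as an added example that is not from the original page, doing the port-range arithmetic the jq loops in 11.2 and 11.3 approximate. It covers the cases a quick jq filter misses: `protocol: all` rules carry no port fields, icmp rules carry type/code instead of ports, and a rule's `remote` can be another security group or a single address rather than a CIDR. It also reports overlap with the NodePort range, so it doubles as the check from section 5.6. The listing below is constructed with placeholder names and ids; the dangerous-port list is the one this section probes.

```python
from typing import List, Optional, Tuple

# Ports this cheatsheet probes for, with what usually listens there.
DANGEROUS_PORTS = {22: "ssh", 3389: "rdp", 6443: "kube-apiserver", 2379: "etcd",
                   2380: "etcd-peer", 10250: "kubelet", 10255: "kubelet-readonly"}
NODEPORT_RANGE = (30000, 32767)
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of GET /v1/security_groups (VPC API); names and ids are placeholders.
SAMPLE_SECURITY_GROUPS = {
    "security_groups": [
        {"name": "sg-wide-open", "id": "sg-0001", "rules": [
            {"direction": "inbound", "protocol": "all", "remote": {"cidr_block": "0.0.0.0/0"}},
        ]},
        {"name": "sg-workers", "id": "sg-0002", "rules": [
            {"direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
             "remote": {"cidr_block": "10.0.0.0/8"}},
            {"direction": "inbound", "protocol": "tcp", "port_min": 30000, "port_max": 32767,
             "remote": {"cidr_block": "0.0.0.0/0"}},
            {"direction": "inbound", "protocol": "tcp", "port_min": 443, "port_max": 443,
             "remote": {"cidr_block": "0.0.0.0/0"}},
            {"direction": "inbound", "protocol": "icmp", "type": 8, "remote": {"cidr_block": "0.0.0.0/0"}},
            {"direction": "inbound", "protocol": "tcp", "port_min": 6443, "port_max": 6443,
             "remote": {"id": "sg-0003", "name": "sg-bastion"}},
            {"direction": "outbound", "protocol": "all", "remote": {"cidr_block": "0.0.0.0/0"}},
        ]},
    ]
}


def _port_span(rule: dict) -> Optional[Tuple[int, int]]:
    """Ports a rule covers: 'all' means every port, icmp has none, and tcp/udp
    rules without port_min/port_max mean the full range."""
    proto = rule.get("protocol")
    if proto == "all":
        return (1, 65535)
    if proto not in ("tcp", "udp"):
        return None
    return (int(rule.get("port_min", 1)), int(rule.get("port_max", 65535)))


def _overlaps(rule: dict, low: int, high: int) -> bool:
    span = _port_span(rule)
    return span is not None and span[0] <= high and span[1] >= low


def internet_exposure(listing: dict) -> List[dict]:
    """One finding per inbound rule open to the whole internet. A remote that is another
    security group or a single address is never 'anywhere', so those rules are skipped."""
    findings = []
    for sg in listing.get("security_groups", []):
        for rule in sg.get("rules", []):
            if rule.get("direction") != "inbound":
                continue
            if rule.get("remote", {}).get("cidr_block") not in ANYWHERE:
                continue
            span = _port_span(rule)
            if rule.get("protocol") == "all":
                ports = "all"
            elif span is None:
                ports = rule.get("protocol", "?")
            else:
                ports = str(span[0]) if span[0] == span[1] else f"{span[0]}-{span[1]}"
            dangerous = [DANGEROUS_PORTS[p] for p in sorted(DANGEROUS_PORTS) if _overlaps(rule, p, p)]
            nodeport = _overlaps(rule, *NODEPORT_RANGE)
            findings.append({
                "security_group": sg.get("name"),
                "protocol": rule.get("protocol"),
                "ports": ports,
                "dangerous": dangerous,
                "nodeport_range": nodeport,
                "severity": "high" if (ports == "all" or dangerous or nodeport) else "info",
            })
    return findings


if __name__ == "__main__":
    for f in internet_exposure(SAMPLE_SECURITY_GROUPS):
        print(f"[{f['severity']}] {f['security_group']}: {f['protocol']} {f['ports']} "
              f"dangerous={f['dangerous']} nodeport={f['nodeport_range']}")
```

Pipe the output of the `security_groups` call above into `internet_exposure` to get the same findings for a real account; a rule whose remote is a security group shows up nowhere here, which is the point, since such rules only admit traffic from members of that group.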

12. Application Testing

12.1 Subdomain Enumeration via Host Header

bash
# If multiple apps share a single LB IP, enumerate via Host header
LB_IP="<LB_PUBLIC_IP>"
for host in demo api app staging admin jenkins grafana prometheus vault gitlab; do
STATUS=$(curl -sk --max-time 3 -H "Host: ${host}.example.com" -o /dev/null -w "%{http_code}" "https://${LB_IP}/")
echo "${host}.example.com: HTTP ${STATUS}"
done

12.2 Client-Side Secret Extraction

bash
# Download the page and grep for mPulse/Akamai-style API keys (five dash-separated groups); adjust the pattern to the key formats in scope
curl -skL --max-time 10 "https://demo.example.com/" | grep -oE '[A-Z0-9]{4,5}-[A-Z0-9]{4,5}-[A-Z0-9]{4,5}-[A-Z0-9]{4,5}-[A-Z0-9]{4,5}'
 
# IBM Cloud API keys are 44 characters of [A-Za-z0-9_-]; pull anything of that shape out of inline scripts for manual review (expect base64 noise)
curl -skL --max-time 10 "https://demo.example.com/" | grep -oE '[A-Za-z0-9_-]{44}' | sort -u
 
# Extract JavaScript config objects
curl -skL --max-time 10 "https://demo.example.com/" | grep -oE 'window\.[a-zA-Z0-9_]+="[^"]*"|var [a-zA-Z0-9_]+="[^"]*"'
 
# Extract Akamai/mPulse config
curl -skL --max-time 10 "https://demo.example.com/" | grep -oE 'ak\.[a-z]+="[^"]*"'

12.3 API Endpoint Enumeration

bash
# Test common API paths
for path in /api/v1/ /api/v2/ /api/v3/ /api/v4/ /health /status /actuator/health /swagger-ui.html /api-docs /v2/api-docs /graphql /rest; do
STATUS=$(curl -sk --max-time 3 -o /dev/null -w "%{http_code}" "https://demo.example.com${path}")
echo "${path}: HTTP ${STATUS}"
done

12.4 CORS Testing

bash
# Check CORS configuration: send an attacker Origin on a real request, then on a preflight
curl -sk --max-time 5 -o /dev/null -D - -H "Origin: https://evil.com" "https://demo.example.com/api/v1/login" | grep -iE 'access-control-allow-origin|access-control-allow-credentials'
curl -sk --max-time 5 -o /dev/null -D - -X OPTIONS -H "Origin: https://evil.com" -H "Access-Control-Request-Method: POST" "https://demo.example.com/api/v1/login" | grep -iE '^access-control-'
 
# Expected (Secure): no Access-Control-Allow-Origin header, or a fixed allow-list that does not echo the request Origin
# Risk: the request Origin reflected back (`Access-Control-Allow-Origin: https://evil.com`) together with
# `Access-Control-Allow-Credentials: true`; reflection of a `null` Origin is exploitable from sandboxed iframes.
# `*` combined with credentials is rejected by browsers, so that pair is a misconfiguration rather than an exploitable one.

12.5 Rate Limit Testing

bash
# Check for rate limit headers
curl -skI --max-time 5 "https://demo.example.com/api/v1/login" | grep -iE 'limit|rate|retry|x-ratelimit'
 
# Stress test (be careful not to DOS)
for i in {1..20}; do
curl -sk -o /dev/null -w "%{http_code}\n" --max-time 3 "https://demo.example.com/api/v1/login"
done

13. Active Exploitation Techniques

13.1 ArgoCD Exposure Testing

bash
ARGOCD_IP="<ARGOCD_PUBLIC_IP>"
 
# Version disclosure (unauthenticated)
curl -sk --max-time 5 "https://${ARGOCD_IP}/api/version" | jq '.'
 
# Settings disclosure (unauthenticated)
curl -sk --max-time 5 "https://${ARGOCD_IP}/api/v1/settings" | jq '.'
 
# Check if SSO/OIDC is configured
curl -sk --max-time 5 "https://${ARGOCD_IP}/api/v1/settings" | jq '.oidcConfig, .dexConfig'
 
# Check session endpoint
curl -sk --max-time 5 "https://${ARGOCD_IP}/api/v1/session/userinfo"
 
# Test default credentials (be mindful of rate limiting)
# admin/admin, admin/password, admin/argocd
curl -sk --max-time 5 -X POST "https://${ARGOCD_IP}/api/v1/session" \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"admin"}' | jq '.'

13.2 CVE-2025-59531/59537/59538 (Webhook DoS)

bash
# ArgoCD v3.1.0 webhook DoS: unauthenticated POST crashes server
# Affects: ArgoCD v2.x - v3.1.x
# This is a denial-of-service check. It can take the ArgoCD API server down for every user, so run it only
# with the client's explicit sign-off, outside change windows, and confirm recovery afterwards.
 
curl -sk --max-time 5 -X POST "https://${ARGOCD_IP}/api/webhook" \
-H "Content-Type: application/json" \
-d '{"malformed":"payload"}'
 
# Verify server recovered (a 503 or timeout here means it is still restarting)
curl -sk --max-time 10 -o /dev/null -w "%{http_code}\n" "https://${ARGOCD_IP}/healthz"

13.3 Kubernetes API Testing

bash
K8S_IP="<K8S_API_PUBLIC_IP>"
 
# Test native K8s API endpoint
curl -skv --max-time 5 "https://${K8S_IP}:6443/api" 2>&1 | head -20
 
# Check if API is reachable at all
timeout 5 bash -c "echo > /dev/tcp/${K8S_IP}/6443" && echo "OPEN" || echo "CLOSED/TIMEOUT"

13.4 COS S3 API Abuse

bash
# Point the aws CLI at COS with the extracted HMAC credentials
export AWS_ACCESS_KEY_ID="$ACCESS_KEY" AWS_SECRET_ACCESS_KEY="$SECRET_KEY"
COS="https://s3.us-east.cloud-object-storage.appdomain.cloud"
 
# List buckets
aws s3 ls --endpoint-url "$COS"
 
# List objects in a bucket
aws s3 ls s3://BUCKET_NAME --endpoint-url "$COS"
 
# Check object ACL
aws s3api get-object-acl --bucket BUCKET_NAME --key OBJECT_KEY --endpoint-url "$COS"

14. References & Documentation

IBM Cloud Official Docs: https://cloud.ibm.com/docs

IBM Cloud Service Endpoints

  • IAM: https://iam.cloud.ibm.com
  • Resource Controller: https://resource-controller.cloud.ibm.com
  • VPC IaaS: https://{region}.iaas.cloud.ibm.com
  • Schematics: https://schematics.cloud.ibm.com
  • COS S3: https://s3.{region}.cloud-object-storage.appdomain.cloud
  • Secrets Manager: https://{guid}.{region}.secrets-manager.appdomain.cloud
  • Key Protect: https://{region}.kms.cloud.ibm.com

Tools Used

  • ibmcloud CLI (v2.43.0)
  • curl / jq
  • aws CLI (for COS S3 API)
  • kubectl (for K8s analysis)
  • host / dig / nslookup (DNS analysis)
