Slash Command

/cloud

From greyhatcc

Hunt for cloud infrastructure misconfigurations - S3 buckets, Firebase, Cognito, CDN origins

Popularity

Forks

Invocation

How this command is triggered — by the user, by Claude, or both

Slash command

/greyhatcc:cloud <domain or org name>

Model invocable

No pre-commands

Tool Access

This command is limited to the following tools:

TaskBashReadWriteEditGlobGrepWebFetchWebSearch

Context Preview

The summary Claude sees in its command listing — used to decide when to auto-load this command

# Cloud Misconfiguration Hunting

Invoke the `greyhatcc:cloud-misconfig` skill for target: {{ARGUMENTS}}

Systematic cloud infrastructure assessment across all major providers:

**AWS:**
- S3 bucket discovery via DNS brute force, JS bundle extraction, and CNAME analysis
- S3 permission testing: ListBucket, GetObject, PutObject, ACL enumeration
- S3 bucket takeover detection for abandoned buckets still referenced by the target
- CloudFront misconfiguration: origin access, cache behavior, custom error pages
- Cognito user pool enumeration: self-signup, attribute manipulation, unverified claim...

Command Content

47 lines · ~525 tokens

Stats

LanguageJavaScript

Stars0

Forks1

MaintenanceExcellent

Last CommitMar 1, 2026

Actions

View Source View Plugin View on GitHub View README

Stats

Actions

Cloud Misconfiguration Hunting

Invoke the greyhatcc:cloud-misconfig skill for target: {{ARGUMENTS}}

Systematic cloud infrastructure assessment across all major providers:

AWS:

S3 bucket discovery via DNS brute force, JS bundle extraction, and CNAME analysis
S3 permission testing: ListBucket, GetObject, PutObject, ACL enumeration
S3 bucket takeover detection for abandoned buckets still referenced by the target
CloudFront misconfiguration: origin access, cache behavior, custom error pages
Cognito user pool enumeration: self-signup, attribute manipulation, unverified claims
EC2 metadata SSRF: IMDSv1 (169.254.169.254) and IMDSv2 token bypass attempts
Lambda function URL discovery and unauthenticated invocation testing
Elastic Beanstalk environment takeover via unclaimed CNAME

Google Cloud:

GCS bucket discovery and permission testing (allUsers, allAuthenticatedUsers)
Firebase Realtime Database: open read/write rules (/.json endpoint)
Firebase Storage: bucket permission enumeration
Firestore: collection listing and document access without authentication
Google API key restriction testing: unrestricted keys used in JS bundles

Azure:

Blob storage container enumeration and anonymous access testing
Azure App Service: deployment slot exposure, Kudu console access
Azure AD: tenant enumeration, user discovery, OAuth misconfiguration

General Cloud Attacks:

Serverless function discovery and unauthenticated invocation
CDN origin IP discovery behind WAF/CDN via certificate matching and DNS history
Cloud metadata SSRF exploitation for IAM credential theft
Supply chain via abandoned cloud resources still trusted by the application
Terraform/CloudFormation state file exposure for infrastructure secrets