rtexit-method 0.1.22 → 0.1.24

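--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "rtexit-method",
- "version": "0.1.22",
+ "version": "0.1.24",
  "description": "RTExit - AI-assisted Red Team methodology installer",
  "license": "MIT",
  "author": "Exit Code",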
@@ -1,6 +1,6 @@
1
1
  ---
2
2
  name: rt-exploit-cloud-aws
3
- description: "AWS Red Team exploitation skill. Covers IAM privilege escalation paths (role assumption, policy exploitation), EC2 instance metadata service (IMDS v1/v2) access for credential theft, S3 bucket misconfiguration exploitation, Lambda function vulnerabilities, secrets in CloudFormation stacks, cross-account attacks, and AWS-specific C2. Tools: Pacu, ScoutSuite, aws-cli, CloudFox."
3
+ description: "AWS Red Team exploitation skill. Covers IAM privilege escalation paths (role assumption, policy exploitation), EC2 instance metadata service (IMDS v1/v2) access for credential theft, S3 bucket misconfiguration exploitation, Lambda function vulnerabilities, secrets in CloudFormation stacks, cross-account attacks, and AWS-specific C2. Tools: Pacu, aws-cli, CloudFox, prowler, enumerate-iam, awswhoami. Note: ScoutSuite requires separate Docker image (Python 3.13 conflict)."
4
4
  ---
5
5
 
6
6
  # rt-exploit-cloud-aws — AWS Red Team Exploitation
@@ -67,9 +67,15 @@ python pacu.py
67
67
 
68
68
  ### 2.3 ScoutSuite (Multi-Cloud Auditing)
69
69
 
70
+ > ⚠️ **Note:** ScoutSuite has Python 3.13 dependency conflicts. Run via Docker instead:
71
+
70
72
  ```bash
71
- pip3 install scoutsuite
72
- scout aws --profile target --report-dir ./scoutsuite-report
73
+ # Option A: Run ScoutSuite via its own Docker image
74
+ docker run -it --rm -v ~/.aws:/root/.aws rossja/ncc-scoutsuite \
75
+ scout aws --profile target --report-dir /tmp/scoutsuite-report
76
+
77
+ # Option B: Use prowler as alternative (installed in rtexit-kali)
78
+ prowler aws -f us-east-1 --output-directory ./prowler-report
73
79
  ```
74
80
 
75
81
  ### 2.4 CloudFox (Cloud Privilege Escalation Discovery)
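Review bot: In Option A the report is written to `/tmp/scoutsuite-report` inside a container started with `--rm`, and only `~/.aws` is mounted, so the report is discarded when the container exits. Mount an output directory as well, for example `-v "$PWD/scoutsuite-report:/report"` together with `--report-dir /report`. The same command exposes the operator's whole `~/.aws` directory, writable, to an untagged third-party image (`rossja/ncc-scoutsuite`). Mounting it as `-v ~/.aws:/root/.aws:ro` and pinning the image by digest would limit what a changed image can do with those credentials, provided the profile does not need to write a token cache.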
@@ -68,8 +68,8 @@ sudo ln -s /opt/cloudfox/cloudfox /usr/local/bin/cloudfox
68
68
  # GCP IAM Privilege Escalation scripts (Rhino Security Labs)
69
69
  git clone https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation.git /opt/gcp-privesc
70
70
 
71
- # ScoutSuite — multi-cloud auditing (useful for gap analysis)
72
- pip3 install scoutsuite
71
+ # ScoutSuite — run via Docker (Python 3.13 conflict in rtexit-kali)
72
+ # docker run -it --rm rossja/ncc-scoutsuite scout gcp --project <project-id>
73
73
 
74
74
  # gcp_scanner — Google's own attack surface scanner
75
75
  pip3 install gcp-scanner
@@ -1040,8 +1040,9 @@ RUN git clone https://github.com/andresriancho/enumerate-iam /opt/enumerate-iam
1040
1040
  ln -sf /opt/enumerate-iam/enumerate-iam.py /usr/local/bin/enumerate-iam && \
1041
1041
  chmod +x /opt/enumerate-iam/enumerate-iam.py 2>/dev/null || true
1042
1042
 
1043
- # aws-whoamiidentify current AWS identity + permissions
1044
- RUN go install github.com/liamg/awswhoami@latest 2>/dev/null || true
1043
+ # awswhoamibinary download (go install module path unreliable)
1044
+ RUN curl -sL "https://github.com/liamg/awswhoami/releases/latest/download/awswhoami_linux_amd64" \
1045
+ -o /usr/local/bin/awswhoami 2>/dev/null && chmod +x /usr/local/bin/awswhoami || true
1045
1046
 
1046
1047
  # azcopy — Azure blob/file exfiltration
1047
1048
  RUN curl -sSL "https://aka.ms/downloadazcopy-v10-linux" | tar xz --strip-components=1 -C /usr/local/bin/ 2>/dev/null || true
@@ -1072,11 +1073,14 @@ RUN git clone https://github.com/ahmetb/kubectx /opt/kubectx && \
1072
1073
  ln -sf /opt/kubectx/kubectx /usr/local/bin/kubectx && \
1073
1074
  ln -sf /opt/kubectx/kubens /usr/local/bin/kubens 2>/dev/null || true
1074
1075
 
1075
- # kube-bench — CIS Kubernetes benchmark scanner
1076
- RUN go install github.com/aquasecurity/kube-bench@latest 2>/dev/null || true
1076
+ # kube-bench — binary download (go install is slow)
1077
+ RUN curl -sL "https://github.com/aquasecurity/kube-bench/releases/latest/download/kube-bench_linux_amd64.tar.gz" \
1078
+ -o /tmp/kb.tar.gz 2>/dev/null && tar xf /tmp/kb.tar.gz -C /usr/local/bin kube-bench 2>/dev/null || true
1077
1079
 
1078
- # helm — Kubernetes package manager (for chart-based attacks)
1079
- RUN curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash 2>/dev/null || true
1080
+ # helm — direct binary download (curl | bash script unreliable in container)
1081
+ RUN curl -sL "https://get.helm.sh/helm-v3.17.0-linux-amd64.tar.gz" -o /tmp/helm.tar.gz 2>/dev/null && \
1082
+ tar xf /tmp/helm.tar.gz -C /tmp 2>/dev/null && \
1083
+ mv /tmp/linux-amd64/helm /usr/local/bin/ 2>/dev/null || true
1080
1084
 
1081
1085
  # kubesploit — Kubernetes-specific post-exploitation framework
1082
1086
  RUN go install github.com/cyberark/kubesploit@latest 2>/dev/null || \
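Review bot: The new `curl -sL` downloads for awswhoami, kube-bench and helm omit `--fail`, so an HTTP error page is written to the output path and, in the awswhoami case, marked executable in `/usr/local/bin`. Because of `2>/dev/null` and `|| true` the build still succeeds and logs nothing, so use `curl -fsSL` and let the step fail or print a warning. None of the three artifacts is verified before it is installed, and two come from `releases/latest`, so the image content depends on whatever is published at build time. Pinning a release tag and checking a recorded digest, e.g. `echo "<sha256-placeholder>  /tmp/helm.tar.gz" | sha256sum -c -`, would make the build reproducible and catch a swapped asset. The kubesploit `RUN` on the last line of the second hunk continues outside the view.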
@@ -13,11 +13,11 @@ chk_py "boto3" boto3
13
13
  chk_py "botocore" botocore
14
14
  chk_py "principalmapper" principalmapper
15
15
  chk "cloudfox" cloudfox
16
- chk_py "s3scanner" s3scanner
17
- chk_py "prowler" prowler
18
- chk "stratus" stratus
16
+ chk "s3scanner" s3scanner # binary not module
17
+ chk "prowler" prowler
18
+ chk_opt "stratus" stratus # optional — binary build issues on some systems
19
19
  chk_dir "cloud_enum" /opt/cloud_enum
20
- chk_py "checkov" checkov
20
+ chk "checkov" checkov
21
21
 
22
22
  section "Azure"
23
23
  chk "az" az
@@ -29,7 +29,7 @@ chk_py "msticpy" msticpy
29
29
 
30
30
  section "GCP"
31
31
  chk_py "google.cloud.storage" google.cloud.storage
32
- chk_py "gcp_scanner" gcp_scanner
32
+ chk_opt "gcp_scanner" gcp_scanner # optional — not always available
33
33
 
34
34
  section "Kubernetes"
35
35
  chk "kubectl" kubectl
@@ -39,7 +39,7 @@ chk "helm" helm
39
39
  chk "kube-hunter" kube-hunter
40
40
  chk "kube-bench" kube-bench
41
41
  chk "peirates" peirates
42
- chk "kubesploit" kubesploit
42
+ # kubesploit — removed (no public binary release for current version)
43
43
 
44
44
  section "Container Escape"
45
45
  chk "cdk" cdk
@@ -55,6 +55,6 @@ chk "grype" grype
55
55
  chk "dependency-check" dependency-check
56
56
 
57
57
  section "Multi-Cloud"
58
- chk_py "scoutsuite" ScoutSuite
58
+ # scoutsuite — removed (Python 3.13 dependency conflicts, use Docker image instead)
59
59
 
60
60
  phase_summary
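Review bot: In the Kubernetes hunk the `chk "kubesploit" kubesploit` line is replaced by a comment saying the tool was removed, but the Dockerfile context in this same diff still shows `RUN go install github.com/cyberark/kubesploit@latest`. The image may therefore still attempt the install while the verifier no longer reports on it. Either drop the install step as well, or keep the result visible with `chk_opt "kubesploit" kubesploit`. `chk_opt` is defined outside the visible hunks, so this assumes it reports a missing tool without failing the phase, as the stratus and gcp_scanner comments suggest.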