v1.0.0 — Now Available

S7ABA

Cloud Privilege Escalation & Post-Exploitation

A pure Bash framework for cloud security assessments. Auto-detect cloud providers, enumerate permissions, discover escalation paths, and generate detailed reports. Built for red teamers and cloud security professionals.

⚡ Quick Start View Source →
s7aba — bash — 92x24
┌──(s7aba)─[aws]
└─$ ./s7aba.sh -p aws recon
 
═══════════════════════════════════════
RECONNAISSANCE
═══════════════════════════════════════
 
[*] Querying AWS STS...
[+] Account: 1234***890 | ARN: arn:aws:iam::user/pentest
[*] Enumerating IAM permissions...
● [HIGH] Overprivileged Policy
AmazonS3FullAccess grants broad access
● [HIGH] IMDSv1 Enabled
Metadata accessible without token (SSRF risk)
[+] Recon complete. 14 findings saved.
Capabilities

Everything You Need for Cloud Assessments

🔍

Cloud Reconnaissance

Enumerate identities, permissions, services, network configs, and secrets across cloud environments automatically.

Privilege Escalation

Identify 14+ AWS IAM escalation paths including CreatePolicyVersion, PassRole+Lambda, AttachUserPolicy, and more.

🔗

Lateral Movement

Map trust relationships, cross-service pivots, and reachable targets. Move between accounts and services.

🛡️

Persistence

Evaluate and deploy persistence mechanisms. Backdoor IAM roles, Lambda triggers, and scheduled tasks.

📤

Data Exfiltration

Discover sensitive data stores, classify data, and evaluate exfiltration channels across S3, RDS, and more.

📊

Reporting

Generate assessment reports in text, JSON, or HTML format. Structured findings with severity ratings and evidence.

Methodology

Attack Flow

01

Reconnaissance

Auto-detect cloud provider via metadata endpoints and CLI tools. Enumerate identity, permissions, services, and network topology. ./s7aba.sh recon

02

Privilege Escalation

Simulate IAM actions to discover dangerous permissions. Map escalation paths ranked by severity. Optionally exploit with confirmation. ./s7aba.sh privesc

03

Lateral Movement

Discover cross-account trust relationships, service-linked roles, and pivot points to expand access across the environment. ./s7aba.sh lateral

04

Persistence & Exfiltration

Establish persistence through IAM backdoors and triggers. Discover and classify sensitive data for controlled exfiltration testing. ./s7aba.sh persist

05

Cleanup & Report

Remove all artifacts and traces. Generate comprehensive assessment reports with findings, severity ratings, and remediation guidance. ./s7aba.sh cleanup && ./s7aba.sh report

Multi-Cloud

Supported Providers

☁️
AWS
● Ready
🔷
Azure
● Ready
🌐
GCP
● Ready
Kubernetes
● Ready
Structure

Project Architecture

📁 Directory Layout

s7aba.sh ← Entry point
src/
  ├── lib/
  │   ├── utils.sh
  │   ├── logger.sh
  │   └── cloud_detect.sh
  └── modules/
      ├── recon_aws.sh
      ├── privesc_aws.sh
      ├── lateral_*.sh
      ├── persist_*.sh
      ├── exfil_*.sh
      ├── cleanup_*.sh
      └── report.sh
ui/ ← This landing page
docs/ ← Documentation

⚙️ Design Principles

Pure Bash — No Python/Go deps

Modular — Each provider & command
is a standalone module

Safe by Default — Dry-run mode,
confirmation prompts, full logging

Auto-Detection — Identifies cloud
provider via metadata & CLI tools

Extensible — Add new providers
by creating module files
Get Started

Installation

Terminal
# Clone the repository
$ git clone https://github.com/SiteQ8/S7aba.git
$ cd S7aba
 
# Make executable
$ chmod +x s7aba.sh
 
# Run recon (auto-detects cloud)
$ ./s7aba.sh recon
 
# Or specify provider
$ ./s7aba.sh -p aws privesc
 
# Interactive mode
$ ./s7aba.sh interactive

⚠ LEGAL DISCLAIMER

S7aba is designed for authorized security testing only. Usage of this tool for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state, and federal laws. The author assumes no liability and is not responsible for any misuse or damage.