{"id":17922115,"url":"https://github.com/carlospolop/purplepanda","last_synced_at":"2025-05-15T08:06:27.417Z","repository":{"id":39642388,"uuid":"443531336","full_name":"carlospolop/PurplePanda","owner":"carlospolop","description":"Identify privilege escalation paths within and across different clouds","archived":false,"fork":false,"pushed_at":"2024-11-04T05:47:49.000Z","size":407,"stargazers_count":686,"open_issues_count":6,"forks_count":83,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-04-07T03:12:28.899Z","etag":null,"topics":["cloud","gcp","github","kubernetes","privesc"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/carlospolop.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"custom":["https://github.com/sponsors/carlospolop"]}},"created_at":"2022-01-01T12:10:40.000Z","updated_at":"2025-04-03T22:05:48.000Z","dependencies_parsed_at":"2023-01-30T19:45:51.051Z","dependency_job_id":"49370298-634c-409c-8532-51fa0f977985","html_url":"https://github.com/carlospolop/PurplePanda","commit_stats":{"total_commits":82,"total_committers":8,"mean_commits":10.25,"dds":0.426829268292683,"last_synced_commit":"0a8a0a6a92d2af16e54db9a60d6fe66884345057"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carlospolop%2FPurplePanda","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carlospolop%2FPurplePanda/tags","releases_url":
"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carlospolop%2FPurplePanda/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carlospolop%2FPurplePanda/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/carlospolop","download_url":"https://codeload.github.com/carlospolop/PurplePanda/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248870777,"owners_count":21175102,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud","gcp","github","kubernetes","privesc"],"created_at":"2024-10-28T20:37:41.177Z","updated_at":"2025-04-14T11:27:02.786Z","avatar_url":"https://github.com/carlospolop.png","language":"Python","funding_links":["https://github.com/sponsors/carlospolop"],"categories":[],"sub_categories":[],"readme":"# PurplePanda\n![](https://github.com/carlospolop/PurplePanda/raw/master/images/logo.png)\n\nThis tool fetches resources from different cloud/saas applications focusing on permissions in order to **identify privilege escalation paths and dangerous permissions** in the cloud/saas configurations. Note that PurplePanda searches both **privileges escalation paths within a platform and across platforms**.\n\nThe name comes from the animal **Red Panda**. This panda eats peas, just like Purple Panda, which can ingest API keys/tokens found by these **[PEASS](https://github.com/carlospolop/PEASS-ng)**. 
The color was changed to purple because this tool is meant mainly for **Purple Teams** (because it can be **highly useful for both Blue and Red Teams**).\n\n## How to use\nEach folder inside `/intel` defines one platform that can be enumerated and **contains a README.md file explaining how to use that specific module**.\n\nDownload **[Neo4jDesktop](https://neo4j.com/download-center/#desktop)** and create a database. Then **export the env variables `PURPLEPANDA_NEO4J_URL` and `PURPLEPANDA_PWD`** with the URL to the neo4j database and the password.\n\nIf you want **shodan** to be used with public IPs discovered during the enumeration, **export an env variable called *SHODAN_KEY* with a valid Shodan API key**.\n\nThen just install and launch the program, indicating the platforms you want to enumerate as a comma-separated list:\n\n### Local install\n```bash\ngit clone https://github.com/carlospolop/PurplePanda\ncd PurplePanda\npython3 -m venv .\nsource bin/activate\npython3 -m pip install -r requirements.txt\nexport PURPLEPANDA_NEO4J_URL=\"bolt://neo4j@localhost:7687\"\nexport PURPLEPANDA_PWD=\"s3cr3tpassword\"\n# Install this if you are going to use GCP\ngcloud components install gke-gcloud-auth-plugin\npython3 main.py -h # Get help\npython3 main.py -e -p google,github,k8s --github-only-org --k8s-get-secret-values --gcp-get-secret-values # Enumerate google, github and k8s\n```\n\n### Docker\n```bash\n# Consider adding the API keys in the Dockerfile\ndocker rm -f purplepanda\ndocker build --tag=purplepanda .\n# Execute -h\n## Change -h for the params you want to run purplepanda with\ndocker run -t \\\n    -e PURPLEPANDA_NEO4J_URL=\"bolt://neo4j@host.docker.internal:7687\" \\\n    -e PURPLEPANDA_PWD=\"s3cr3tpassword\" \\\n    -e GOOGLE_DISCOVERY=... \\\n    -e GITHUB_DISCOVERY=... \\\n    -e K8S_DISCOVERY=... \\\n    -e CONCOURSE_DISCOVERY=... \\\n    -e CIRCLECI_DISCOVERY=... 
\\\n    purplepanda python3 main.py -h\n\n## -t is needed to see the output properly\n## If you are using Neo4jDesktop to connect to the DB use the domain host.docker.internal\n## You might need to use the option '-v' to mount files with configurations\n```\n\nPurplePanda has **2 analysis modes**:\n- `-e` (*enumerate*): This is the **main one**; it will try to gather data and analyze it.\n- `-a` (*analyze*): This will perform a **quick analysis of the provided credentials**.\n\n### Video tutorial\nCheck how to use and inspect the data gathered by PurplePanda:\n\n[![Tutorial](https://img.youtube.com/vi/zl5NdvoWHX4/0.jpg)](https://www.youtube.com/watch?v=zl5NdvoWHX4)\n\n### For Blue/Purple Teams\n\nUse credentials for each platform with at least **admin read access to all the resources** of the platform. This will help you to see exactly the **privesc paths** that can be abused within your configurations in each platform and across\n\n### For Red Teams\n\nPurplePanda is also **designed to be used by Red Teams**. In general, cloud/saas platforms **won't give everyone access to read** the configuration of the platform. That's why PurplePanda supports the **use of several keys for the same platform**, in order to try to enumerate everything with all the keys you compromised and have the most accurate view of the configuration of the platform.\n\n## Supported platforms\n- **Google Cloud Platform (GCP)**: To understand how GCP security works and how to abuse roles and permissions **read https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security**\n- **GitHub**: To understand how GitHub security works and how to bypass branch protections, steal secrets, privesc... **read https://cloud.hacktricks.xyz/pentesting-ci-cd/github-security**\n- **Kubernetes (K8s)**: To understand how Kubernetes RBAC security works and how to abuse roles, privesc to other clouds... 
**read https://cloud.hacktricks.xyz/pentesting-cloud/kubernetes-security**\n\n\n## How to use the data\n**Use the `-d` parameter** indicating a directory. Then, **PurplePanda will write in this directory several interesting analyses** in `csv` format of the information obtained from all the platforms. The recommendation is to **find interesting and unexpected things in those files** and then move to **analyze those interesting cases with the graphs**.\n\nEach folder inside `/intel` defines one platform that can be enumerated and **contains a README.md file explaining how to use that specific module**. Moreover, each folder also contains a `HOW_TO_USE.md` file and a `QUERIES.md` file. \n\nIn the `HOW_TO_USE.md` file you can find the **best queries to perform an investigation on how to escalate privileges** (*for Purple, Blue, and Red Teams*).\n\nIn the `QUERIES.md` file you will find **all proposed queries** to investigate the data more easily.\n\n### How to visualize the data in graphs\nFollow the instructions indicated in **[VISUALIZE_GRAPHS.md](https://github.com/carlospolop/PurplePanda/blob/master/VISUALIZE_GRAPHS.md)**\n\n## How to Contribute\n\nIn the **root folder and in each folder inside `intel/`** you will find a **`TODO.md` file**. You can find in those files how you can help. Just **send a PR with the addition**.\n\n**PRs with fixes** are also welcome :)\n\nMoreover, if you have **other ideas** that aren't in those TODO files, feel free to send a PR.\n\n\nBy Carlos Polop\u003csup\u003eTM\u003c/sup\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcarlospolop%2Fpurplepanda","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcarlospolop%2Fpurplepanda","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcarlospolop%2Fpurplepanda/lists"}