Digital Ocean Overview

We will start with some basics on Digital Ocean and continue from there. This is not a Digital Ocean tutorial, nor marketing for it. I'm just giving an overview for later blogs.

Digital Ocean is a cloud provider that offers cheap resources (cheaper than AWS, Azure or GCP at least) with services that include:

  • VPS - Droplets, as DO calls them. Like AWS instances, they have features such as User-Data and Meta-Data.

  • Spaces - Like S3 Buckets (as we will see later on, they use AWS S3 buckets, but with a different endpoint to access)

  • VPCs - Virtual Private Clouds

  • Container Registry

  • Kubernetes managed by DO

  • Networking and Firewall

  • Web Apps

  • Cloud Functions - Not the same as Lambda, and without the same features (like roles), but they can be tweaked to automate services. Mostly used for small apps. They have their own way of being accessed, like an API.

  • Block Storage - In their own words, network-based block devices that provide additional data storage for Droplets.

  • Databases - Managed DBs from DO, which include: MongoDB, PostgreSQL, MySQL, Redis.

  • API - We will be looking at it a lot. The API is offered as:

    • Digital Ocean API - Token Based API

    • OAuth API - Client ID and Secret based API

    • Meta-Data API - Accessed on Droplets on host 169.254.169.254

    • S3 API - AWS S3 API on another endpoint

Digital Ocean Regions

At the moment, DigitalOcean has 13 data centers across the globe:

  • New York City, the US: NYC1, NYC2, NYC3

  • San Francisco, the US: SFO1, SFO2, SFO3

  • Toronto, Canada: TOR1

  • London, United Kingdom: LON1

  • Frankfurt, Germany: FRA1

  • Amsterdam, the Netherlands: AMS2, AMS3

  • Singapore: SGP1

  • Bangalore, India: BLR1

Droplets

Droplets are DO's VPS offering, currently available only with *nix-based systems (Ubuntu, Fedora, Debian, CentOS, Rocky and Rancher). No Windows Servers so far.

Authentication can be done using an SSH key or a password (we'll be touching upon this later on).

Each machine also has a meta-data API. There are no credentials on meta-data, but there are also no ways to assign a role to a machine.

Each machine has User-Data and it can be accessed from the meta-data (and you get the rest).

Spaces

Spaces are the AWS S3 for Digital Ocean. Quite literally. They use AWS S3 for their hosts, and even use the AWS S3 API, but with different endpoints:

The possible hosts for a DO Space are:

https://region.digitaloceanspaces.com/space_name

https://space_name.region.digitaloceanspaces.com/

You can use that to check if a space is open, private or nonexistent using HTTP return codes.
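As an added example (not from the original post), here is a small audit helper for Spaces you own that builds both host forms above and classifies the unauthenticated response. The status mapping (200 open, 403 private, 404 nonexistent) and the `<Code>` values follow S3 conventions and are assumptions, as are the naming rule, the function names and the sample Space names.

```python
import re
import urllib.error
import urllib.request

# Region slugs from the data-center list on this page, lowercased.
REGIONS = {"nyc1", "nyc2", "nyc3", "sfo1", "sfo2", "sfo3", "tor1",
           "lon1", "fra1", "ams2", "ams3", "sgp1", "blr1"}
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")  # assumed S3-style naming rule
CODE_RE = re.compile(r"<Code>([A-Za-z]+)</Code>")  # regex avoids parsing untrusted XML

def space_urls(name, region):
    """Return both host forms listed on this page for a Space."""
    if region not in REGIONS or not NAME_RE.match(name):
        raise ValueError(f"bad space/region: {name!r}/{region!r}")
    return [f"https://{region}.digitaloceanspaces.com/{name}",
            f"https://{name}.{region}.digitaloceanspaces.com/"]

def classify(status, body=""):
    """Map an unauthenticated GET result to open/private/nonexistent (assumed S3 semantics)."""
    m = CODE_RE.search(body)
    code = m.group(1) if m else None
    if status == 200:
        return "open"          # listing served without credentials
    if status == 403 or code == "AccessDenied":
        return "private"       # Space exists, anonymous access refused
    if status == 404 and code in (None, "NoSuchBucket"):
        return "nonexistent"
    return "unknown"           # e.g. NoSuchKey, redirects, 5xx

def http_fetch(url):
    """Live fetcher; returns (status, first 64 KiB of body)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.status, r.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(65536).decode("utf-8", "replace")

def audit(spaces, fetch=http_fetch):
    """spaces: iterable of (name, region). Returns {(name, region): verdict}."""
    report = {}
    for name, region in spaces:
        results = {classify(*fetch(u)) for u in space_urls(name, region)}
        # Report disagreement between the two host forms instead of guessing.
        report[(name, region)] = results.pop() if len(results) == 1 else "inconsistent"
    return report

# Constructed responses for an offline run (not captured from real Spaces).
SAMPLE = {"public-assets": (200, "<ListBucketResult/>"),
          "internal-backups": (403, "<Error><Code>AccessDenied</Code></Error>"),
          "deleted-space": (404, "<Error><Code>NoSuchBucket</Code></Error>")}
def fake_fetch(url): return next((v for k, v in SAMPLE.items() if k in url), (404, ""))
```

Run `audit(your_spaces, fake_fetch)` offline, or drop the second argument to query your own Spaces; any `open` verdict you did not intend is a Space whose listing permission should be turned off.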

Space Static Web Hosting

Same as with AWS S3 buckets, you can host websites on DO Spaces too, but this time it requires a subdomain to configure it and an SSL Certificate. If you do not have a certificate, you will be given one from Let's Encrypt.

Kubernetes and Container Registry

Just K8s managed by DO and a Container Registry managed by DO. They can interact with each other. Just that. Nothing special.

Apps (aka One-Click-Apps)

One-click apps are deployments of apps from Git repositories (GitHub, GitLab), containers (Docker), the Container Registry, or code supplied directly.

We can check them for credentials in environment variables.

Networking and Firewall

Networking and firewall lets you configure Domains and PTR Records, Reserved IPs, Load Balancers, VPCs and Firewalls.

  • You can configure a domain and its hosts directly from DO, same as you'd do on your Domain Hosting portal. Also, you can manage hosts applied on Droplets or Spaces.

  • As in other cloud providers, you can assign reserved IPs to your droplets.

  • VPC and Firewalls are the same as AWS, but easier to implement.

  • Load Balancers are Port and Protocol Based (mostly HTTP and HTTPS).

Databases

Digital Ocean allows you to set up managed DBs from them, which include: MongoDB, PostgreSQL, MySQL, Redis.

You access them with a username and a password, and you can configure network access rules.

Cloud Functions

These are kind of like Lambda on AWS, but they run on machines as root and there is no way of assigning a role to them, so the only way to add credentials to functions is through environment variables.

Functions can be written in Node, Go, PHP or Python.

Conclusion

This was a simple intro to DO's Services. Continue to the next topic to see more on hacking it.
