From 1538ccd7f2932492006c4e97347cf80c19fd9f9a Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 19 Mar 2020 11:59:49 +0100 Subject: [PATCH] Gaining AWS Console Access via API Keys --- .../Cloud - AWS Pentest.md | 21 ++++++++++++++++++- .../Cloud - Azure Pentest.md | 5 ++++- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/Methodology and Resources/Cloud - AWS Pentest.md b/Methodology and Resources/Cloud - AWS Pentest.md index bfe25c0..904f7d8 100644 --- a/Methodology and Resources/Cloud - AWS Pentest.md +++ b/Methodology and Resources/Cloud - AWS Pentest.md @@ -12,6 +12,7 @@ * [Method for Container Service (Fargate)](#method-for-container-service-fargate) * [AWS - Shadow Admin](#aws---shadow-admin) * [Admin equivalent permission](#admin-equivalent-permission) +* [AWS - Gaining AWS Console Access via API Keys](#aws---gaining-aws-console-access-via-api-keys) * [AWS - Mount EBS volume to EC2 Linux](#aws---mount-ebs-volume-to-ec2-linux) * [AWS - Copy EC2 using AMI Image](#aws---copy-ec2-using-ami-image) * [AWS - Instance Connect - Push an SSH key to EC2 instance](#aws---instance-connect---push-an-ssh-key-to-ec2-instance) 
@@ -331,6 +332,23 @@ Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/me $ aws glue create-dev-endpoint –endpoint-name my_dev_endpoint –role-arn arn_of_glue_service_role –public-key file://path/to/my/public/ssh/key.pub ``` +## AWS - Gaining AWS Console Access via API Keys + +A utility to convert your AWS CLI credentials into AWS console access. + +```powershell +$> git clone https://github.com/NetSPI/aws_consoler +$> aws_consoler -v -a AKIA[REDACTED] -s [REDACTED] +2020-03-13 19:44:57,800 [aws_consoler.cli] INFO: Validating arguments... +2020-03-13 19:44:57,801 [aws_consoler.cli] INFO: Calling logic. +2020-03-13 19:44:57,820 [aws_consoler.logic] INFO: Boto3 session established. +2020-03-13 19:44:58,193 [aws_consoler.logic] WARNING: Creds still permanent, creating federated session. +2020-03-13 19:44:58,698 [aws_consoler.logic] INFO: New federated session established. +2020-03-13 19:44:59,153 [aws_consoler.logic] INFO: Session valid, attempting to federate as arn:aws:sts::123456789012:federated-user/aws_consoler. +2020-03-13 19:44:59,668 [aws_consoler.logic] INFO: URL generated! +https://signin.aws.amazon.com/federation?Action=login&Issuer=consoler.local&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2Fconsole%2Fhome%3Fregion%3Dus-east-1&SigninToken=[REDACTED +``` + ## AWS - Mount EBS volume to EC2 Linux :warning: EBS snapshots are block-level incremental, which means that every snapshot only copies the blocks (or areas) in the volume that had been changed since the last snapshot. To restore your data, you need to create a new EBS volume from one of your EBS snapshots. The new volume will be a duplicate of the initial EBS volume on which the snapshot was taken. 
@@ -570,4 +588,5 @@ https://github.com/DenizParlak/Zeus * [HOW I HACKED A WHOLE EC2 NETWORK DURING A PENETRATION TEST - by Federico Fernandez](https://www.secsignal.org/en/news/how-i-hacked-a-whole-ec2-network-during-a-penetration-test/) * [How to Attach and Mount an EBS volume to EC2 Linux Instance - AUGUST 17, 2016](https://devopscube.com/mount-ebs-volume-ec2-instance/) * [Getting shell and data access in AWS by chaining vulnerabilities - Riyaz Walikar - Aug 29, 2019 ](https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed) -* [Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019](https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650) \ No newline at end of file +* [Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019](https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650) +* [Gaining AWS Console Access via API Keys - Ian Williams - March 18th, 2020](https://blog.netspi.com/gaining-aws-console-access-via-api-keys/) \ No newline at end of file diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md index 3cbe340..26548db 100644 --- a/Methodology and Resources/Cloud - Azure Pentest.md +++ b/Methodology and Resources/Cloud - Azure Pentest.md @@ -251,6 +251,7 @@ ForEach($role in $roles) { $roleUsers ### Enumeration using Microburst +git clone https://github.com/NetSPI/MicroBurst/blob/master/Get-AzureADDomainInfo.ps1 Import-Module .\MicroBurst.psm1 # Anonymous enumeration @@ -258,6 +259,7 @@ Invoke-EnumerateAzureBlobs -Base company Invoke-EnumerateAzureSubDomains -base company -verbose # Authencticated enumeration +Get-AzureADDomainInfo Get-AzureDomainInfo -folder MicroBurst -VerboseGet-MSOLDomainInfo Get-MSOLDomainInfo ``` 
@@ -426,4 +428,5 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an * [Building Free Active Directory Lab in Azure - @kamran.bilgrami](https://medium.com/@kamran.bilgrami/ethical-hacking-lessons-building-free-active-directory-lab-in-azure-6c67a7eddd7f) * [Attacking Azure/Azure AD and introducing Powerzure - SpecterOps](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a) * [Azure AD connect for RedTeam - @xpnsec](https://blog.xpnsec.com/azuread-connect-for-redteam/) -* [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/) \ No newline at end of file +* [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/) +* [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/) \ No newline at end of file
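Review bot: In the `@@ -331,6 +332,23 @@` hunk of `Cloud - AWS Pentest.md`, the example goes from `git clone https://github.com/NetSPI/aws_consoler` straight to `aws_consoler -v -a AKIA[REDACTED] -s [REDACTED]` with no install step in between, so a reader following it literally will not have the command available; add the install line after the clone. The last line of the sample ends in `SigninToken=[REDACTED` without the closing `]`, and the fence is tagged `powershell` although the block is a shell session followed by log output. The one-sentence description could also state what the log already shows, namely that permanent keys are exchanged for a federated session (`federated-user/aws_consoler`), since that is the detail a reader reviewing audit logs for this activity needs.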
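Review bot: In the `@@ -570,4 +588,5 @@` hunk of `Cloud - AWS Pentest.md`, the new final reference is again left with `\ No newline at end of file`, which is the reason this patch has to remove and re-add the unchanged IMDSv2 entry; end the file with a newline so the next appended reference is a one-line diff. The date `March 18th, 2020` also differs from the `Nov 25, 2019` and `Aug 29, 2019` style used by the entries just above it.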
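Review bot: In the `@@ -251,6 +252,7 @@` hunk of `Cloud - Azure Pentest.md`, the added `git clone https://github.com/NetSPI/MicroBurst/blob/master/Get-AzureADDomainInfo.ps1` points at the blob page of a single file, which is not a clonable repository URL, so the `Import-Module .\MicroBurst.psm1` on the next line would have nothing to import. Clone the repository root (`https://github.com/NetSPI/MicroBurst`) and change into that directory before the import.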
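Review bot: In the `@@ -258,6 +259,7 @@` hunk of `Cloud - Azure Pentest.md`, the new `Get-AzureADDomainInfo` is added with no arguments directly above the context line `Get-AzureDomainInfo -folder MicroBurst -VerboseGet-MSOLDomainInfo`, where `-Verbose` and the next command have been run together. Since the patch touches this block, split that line and fix the spelling in `# Authencticated enumeration` in the same change. It would also help to show `Get-AzureADDomainInfo` with the arguments it needs, or to say in a comment what it outputs, so that it reads consistently with the commands around it.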
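Review bot: In the `@@ -426,4 +428,5 @@` hunk of `Cloud - Azure Pentest.md`, the added reference writes the author and date in capitals (`LEE KAGAN - MARCH 13, 2020`) while the entry above it uses `Karl Fosaaen - February 20th, 2020`; match the existing casing. The file is also still left with `\ No newline at end of file`, so add a trailing newline here as well.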