mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-20 19:36:11 +00:00
Gaining AWS Console Access via API Keys
This commit is contained in:
parent
57b500b48e
commit
1538ccd7f2
@ -12,6 +12,7 @@
|
|||||||
* [Method for Container Service (Fargate)](#method-for-container-service-fargate)
|
* [Method for Container Service (Fargate)](#method-for-container-service-fargate)
|
||||||
* [AWS - Shadow Admin](#aws---shadow-admin)
|
* [AWS - Shadow Admin](#aws---shadow-admin)
|
||||||
* [Admin equivalent permission](#admin-equivalent-permission)
|
* [Admin equivalent permission](#admin-equivalent-permission)
|
||||||
|
* [AWS - Gaining AWS Console Access via API Keys](#aws---gaining-aws-console-access-via-api-keys)
|
||||||
* [AWS - Mount EBS volume to EC2 Linux](#aws---mount-ebs-volume-to-ec2-linux)
|
* [AWS - Mount EBS volume to EC2 Linux](#aws---mount-ebs-volume-to-ec2-linux)
|
||||||
* [AWS - Copy EC2 using AMI Image](#aws---copy-ec2-using-ami-image)
|
* [AWS - Copy EC2 using AMI Image](#aws---copy-ec2-using-ami-image)
|
||||||
* [AWS - Instance Connect - Push an SSH key to EC2 instance](#aws---instance-connect---push-an-ssh-key-to-ec2-instance)
|
* [AWS - Instance Connect - Push an SSH key to EC2 instance](#aws---instance-connect---push-an-ssh-key-to-ec2-instance)
|
||||||
@ -331,6 +332,23 @@ Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/me
|
|||||||
$ aws glue create-dev-endpoint –endpoint-name my_dev_endpoint –role-arn arn_of_glue_service_role –public-key file://path/to/my/public/ssh/key.pub
|
$ aws glue create-dev-endpoint –endpoint-name my_dev_endpoint –role-arn arn_of_glue_service_role –public-key file://path/to/my/public/ssh/key.pub
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## AWS - Gaining AWS Console Access via API Keys
|
||||||
|
|
||||||
|
A utility to convert your AWS CLI credentials into AWS console access.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$> git clone https://github.com/NetSPI/aws_consoler
|
||||||
|
$> aws_consoler -v -a AKIA[REDACTED] -s [REDACTED]
|
||||||
|
2020-03-13 19:44:57,800 [aws_consoler.cli] INFO: Validating arguments...
|
||||||
|
2020-03-13 19:44:57,801 [aws_consoler.cli] INFO: Calling logic.
|
||||||
|
2020-03-13 19:44:57,820 [aws_consoler.logic] INFO: Boto3 session established.
|
||||||
|
2020-03-13 19:44:58,193 [aws_consoler.logic] WARNING: Creds still permanent, creating federated session.
|
||||||
|
2020-03-13 19:44:58,698 [aws_consoler.logic] INFO: New federated session established.
|
||||||
|
2020-03-13 19:44:59,153 [aws_consoler.logic] INFO: Session valid, attempting to federate as arn:aws:sts::123456789012:federated-user/aws_consoler.
|
||||||
|
2020-03-13 19:44:59,668 [aws_consoler.logic] INFO: URL generated!
|
||||||
|
https://signin.aws.amazon.com/federation?Action=login&Issuer=consoler.local&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2Fconsole%2Fhome%3Fregion%3Dus-east-1&SigninToken=[REDACTED
|
||||||
|
```
|
||||||
|
|
||||||
## AWS - Mount EBS volume to EC2 Linux
|
## AWS - Mount EBS volume to EC2 Linux
|
||||||
|
|
||||||
:warning: EBS snapshots are block-level incremental, which means that every snapshot only copies the blocks (or areas) in the volume that had been changed since the last snapshot. To restore your data, you need to create a new EBS volume from one of your EBS snapshots. The new volume will be a duplicate of the initial EBS volume on which the snapshot was taken.
|
:warning: EBS snapshots are block-level incremental, which means that every snapshot only copies the blocks (or areas) in the volume that had been changed since the last snapshot. To restore your data, you need to create a new EBS volume from one of your EBS snapshots. The new volume will be a duplicate of the initial EBS volume on which the snapshot was taken.
|
||||||
@ -571,3 +589,4 @@ https://github.com/DenizParlak/Zeus
|
|||||||
* [How to Attach and Mount an EBS volume to EC2 Linux Instance - AUGUST 17, 2016](https://devopscube.com/mount-ebs-volume-ec2-instance/)
|
* [How to Attach and Mount an EBS volume to EC2 Linux Instance - AUGUST 17, 2016](https://devopscube.com/mount-ebs-volume-ec2-instance/)
|
||||||
* [Getting shell and data access in AWS by chaining vulnerabilities - Riyaz Walikar - Aug 29, 2019 ](https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed)
|
* [Getting shell and data access in AWS by chaining vulnerabilities - Riyaz Walikar - Aug 29, 2019 ](https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed)
|
||||||
* [Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019](https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650)
|
* [Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019](https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650)
|
||||||
|
* [Gaining AWS Console Access via API Keys - Ian Williams - March 18th, 2020](https://blog.netspi.com/gaining-aws-console-access-via-api-keys/)
|
@ -251,6 +251,7 @@ ForEach($role in $roles) {
|
|||||||
$roleUsers
|
$roleUsers
|
||||||
|
|
||||||
### Enumeration using Microburst
|
### Enumeration using Microburst
|
||||||
|
git clone https://github.com/NetSPI/MicroBurst/blob/master/Get-AzureADDomainInfo.ps1
|
||||||
Import-Module .\MicroBurst.psm1
|
Import-Module .\MicroBurst.psm1
|
||||||
|
|
||||||
# Anonymous enumeration
|
# Anonymous enumeration
|
||||||
@ -258,6 +259,7 @@ Invoke-EnumerateAzureBlobs -Base company
|
|||||||
Invoke-EnumerateAzureSubDomains -base company -verbose
|
Invoke-EnumerateAzureSubDomains -base company -verbose
|
||||||
|
|
||||||
# Authencticated enumeration
|
# Authencticated enumeration
|
||||||
|
Get-AzureADDomainInfo
|
||||||
Get-AzureDomainInfo -folder MicroBurst -VerboseGet-MSOLDomainInfo
|
Get-AzureDomainInfo -folder MicroBurst -VerboseGet-MSOLDomainInfo
|
||||||
Get-MSOLDomainInfo
|
Get-MSOLDomainInfo
|
||||||
```
|
```
|
||||||
@ -427,3 +429,4 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an
|
|||||||
* [Attacking Azure/Azure AD and introducing Powerzure - SpecterOps](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a)
|
* [Attacking Azure/Azure AD and introducing Powerzure - SpecterOps](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a)
|
||||||
* [Azure AD connect for RedTeam - @xpnsec](https://blog.xpnsec.com/azuread-connect-for-redteam/)
|
* [Azure AD connect for RedTeam - @xpnsec](https://blog.xpnsec.com/azuread-connect-for-redteam/)
|
||||||
* [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/)
|
* [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/)
|
||||||
|
* [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/)
|
Loading…
Reference in New Issue
Block a user