AWS update

main
Swissky 2024-10-24 14:43:52 +02:00
parent 629e3f7c1e
commit 26d5c2e432
7 changed files with 153 additions and 1633 deletions

File diff suppressed because it is too large Load Diff

74
docs/cloud/aws/aws-cli.md Normal file
View File

@ -0,0 +1,74 @@
# AWS - CLI
The AWS Command Line Interface (CLI) is a unified tool to manage AWS services from the command line. Using the AWS CLI, you can control multiple AWS services, automate tasks, and manage configurations through profiles.
## Set up AWS CLI
Install AWS CLI and configure it for the first time:
```ps1
aws configure
```
This will prompt for:
* AWS Access Key ID
* AWS Secret Access Key
* Default region name
* Default output format
## Creating Profiles
You can configure multiple profiles in `~/.aws/credentials` and `~/.aws/config`.
* `~/.aws/credentials` (stores credentials)
```ini
[default]
aws_access_key_id = <default-access-key>
aws_secret_access_key = <default-secret-key>
[dev-profile]
aws_access_key_id = <dev-access-key>
aws_secret_access_key = <dev-secret-key>
[prod-profile]
aws_access_key_id = <prod-access-key>
aws_secret_access_key = <prod-secret-key>
```
* `~/.aws/config` (stores region and output settings)
```ini
[default]
region = us-east-1
output = json
[profile dev-profile]
region = us-west-2
output = yaml
[profile prod-profile]
region = eu-west-1
output = json
```
You can also create profiles via the command line:
```ps1
aws configure --profile dev-profile
```
## Using Profiles
When running AWS CLI commands, you can specify which profile to use by adding the `--profile` flag:
```ps1
aws s3 ls --profile dev-profile
```
If no profile is specified, the **default** profile is used.

View File

@ -3,6 +3,18 @@
* [dufflebag](https://labs.bishopfox.com/dufflebag) - Find secrets that are accidentally exposed via Amazon EBS's "public" mode * [dufflebag](https://labs.bishopfox.com/dufflebag) - Find secrets that are accidentally exposed via Amazon EBS's "public" mode
## Listing Information About EC2
```ps1
aws ec2 describe-instances
aws ec2 describe-instances --region region
aws ec2 describe-instances --instance-ids ID
```
## Copy EC2 using AMI Image ## Copy EC2 using AMI Image
First you need to extract data about the current instances and their AMI/security groups/subnet : `aws ec2 describe-images --region eu-west-1` First you need to extract data about the current instances and their AMI/security groups/subnet : `aws ec2 describe-images --region eu-west-1`

View File

@ -1,6 +1,19 @@
# AWS - Identity & Access Management # AWS - Identity & Access Management
## AWS - Shadow Admin ## Listing IAM access Keys
```ps1
aws iam list-access-keys
```
### Listing IAM Users and Groups
```ps1
aws iam list-users
aws iam list-groups
```
## Shadow Admin
### Admin equivalent permission ### Admin equivalent permission
@ -104,7 +117,6 @@
``` ```
## References ## References
* [Cloud Shadow Admin Threat 10 Permissions Protect - CyberArk](https://www.cyberark.com/threat-research-blog/cloud-shadow-admin-threat-10-permissions-protect/) * [Cloud Shadow Admin Threat 10 Permissions Protect - CyberArk](https://www.cyberark.com/threat-research-blog/cloud-shadow-admin-threat-10-permissions-protect/)

View File

@ -1,7 +1,21 @@
# AWS - Service - Lambda # AWS - Service - Lambda & API Gateway
## Extract function's code ## List Lambda Functions
```ps1
aws lambda list-functions
```
### Invoke a Lambda Function
```
aws lambda invoke --function-name name response.json --region region
```
## Extract Function's Code
```powershell ```powershell
aws lambda list-functions --profile uploadcreds aws lambda list-functions --profile uploadcreds
@ -10,6 +24,37 @@ wget -O lambda-function.zip url-from-previous-query --profile uploadcreds
``` ```
## List API Gateway
```ps1
aws apigateway get-rest-apis
aws apigateway get-rest-api --rest-api-id ID
```
## Listing Information About Endpoints
```ps1
aws apigateway get-resources --rest-api-id ID
aws apigateway get-resource --rest-api-id ID --resource-id ID
aws apigateway get-method --rest-api-id ApiID --resource-id ID --http-method method
```
## Listing API Keys
```ps1
aws apigateway get-api-keys --include-values
```
## Getting Information About A Specific Api Key
```ps1
aws apigateway get-api-key --api-key KEY
```
## References ## References
* [Getting shell and data access in AWS by chaining vulnerabilities - Appsecco - Riyaz Walikar - Aug 29, 2019](https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed) * [Getting shell and data access in AWS by chaining vulnerabilities - Appsecco - Riyaz Walikar - Aug 29, 2019](https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed)

View File

@ -5,7 +5,7 @@
:warning: Only working with IMDSv1. :warning: Only working with IMDSv1.
Enabling IMDSv2 : `aws ec2 modify-instance-metadata-options --instance-id <INSTANCE-ID> --profile <AWS_PROFILE> --http-endpoint enabled --http-token required`. Enabling IMDSv2 : `aws ec2 modify-instance-metadata-options --instance-id <INSTANCE-ID> --profile <AWS_PROFILE> --http-endpoint enabled --http-token required`.
In order to use IMDSv2 you must provide a token. In order to use **IMDSv2** you must provide a token.
```powershell ```powershell
export TOKEN=`curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token"` export TOKEN=`curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token"`

View File

@ -58,12 +58,13 @@ export AWS_SESSION_TOKEN=FQoGZXIvYXdzE[...]8aOK4QU=
``` ```
## Open S3 Bucket ## Public S3 Bucket
An open S3 bucket refers to an Amazon Simple Storage Service (Amazon S3) bucket that has been configured to allow public access, either intentionally or by mistake. This means that anyone on the internet could potentially access, read, or even modify the data stored in the bucket, depending on the permissions set. An open S3 bucket refers to an Amazon Simple Storage Service (Amazon S3) bucket that has been configured to allow public access, either intentionally or by mistake. This means that anyone on the internet could potentially access, read, or even modify the data stored in the bucket, depending on the permissions set.
* [http://s3.amazonaws.com/<bucket-name>/](http://s3.amazonaws.com/<bucket-name>/) * [http://s3.amazonaws.com/<bucket-name>/](http://s3.amazonaws.com/<bucket-name>/)
* [http://<bucket-name>.s3.amazonaws.com/](http://<bucket-name>.s3.amazonaws.com/) * [http://<bucket-name>.s3.amazonaws.com/](http://<bucket-name>.s3.amazonaws.com/)
* [https://<bucket-name>.region.amazonaws.com/<file>>](https://<bucket-name>.region.amazonaws.com/<file>)
AWS S3 buckets name examples: [http://flaws.cloud.s3.amazonaws.com](http://flaws.cloud.s3.amazonaws.com). AWS S3 buckets name examples: [http://flaws.cloud.s3.amazonaws.com](http://flaws.cloud.s3.amazonaws.com).
@ -107,21 +108,21 @@ aws s3 ls s3://flaws.cloud/ --no-sign-request --region us-west-2
### Copy, Upload and Download Files ### Copy, Upload and Download Files
* Copy * **Copy**
```bash ```bash
aws s3 cp <source> <target> [--options] aws s3 cp <source> <target> [--options]
aws s3 cp local.txt s3://bucket-name/remote.txt --acl authenticated-read aws s3 cp local.txt s3://bucket-name/remote.txt --acl authenticated-read
aws s3 cp login.html s3://bucket-name --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers aws s3 cp login.html s3://bucket-name --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
``` ```
* Upload * **Upload**
```bash ```bash
aws s3 mv <source> <target> [--options] aws s3 mv <source> <target> [--options]
aws s3 mv test.txt s3://hackerone.files aws s3 mv test.txt s3://hackerone.files
SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt" SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt"
``` ```
* Download * **Download**
```bash ```bash
aws s3 sync <source> <target> [--options] aws s3 sync <source> <target> [--options]
aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2 aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2