Hacking AWS
Amazon Web Services is a subsidiary of Amazon providing on-demand cloud computing platforms and APIs.
AWSCLI Configuration¶
You can get your credential here https://console.aws.amazon.com/iam/home?#/security_credential but you need an aws account, free tier account : https://aws.amazon.com/s/dm/optimization/server-side-test/free-tier/free_np/
aws configure --profile <PROFILE_NAME>
AWSAccessKeyId= <AccessKeyID>
AWSSecretKey= <SecretKey>
Default Region Name= <Region>
Default Output Format = <json or text>
Or you can configure the default one stored in ~/.aws/credentials:
EC2¶
Amazon Elastic Compute Cloud (Amazon EC2) provides secure and resizable computing capacity in the AWS cloud. Using Amazon EC2 eliminates the need to invest in hardware up front, so you can develop and deploy applications faster. To resume an EC2 is a virtual machine. SSH keys are created when started to connect to linux devices, for windows it uses RDP. Exists security groups to handle open ports and allowed IPs.
STS¶
AWS Security Token Service (STS) enables you to request temporary, limited-privileges credentials for AWS IAM users or for users that you authenticate.
Identify the token¶
$ aws sts get-caller-identity
{
"UserId": "AROAxxxxxxxxxxxxxxxxx:i-xxxxxxxxxxxxxxxxx",
"Account": "19xxxxxxxxxx",
"Arn": "arn:aws:sts::19xxxxxxxxxx:assumed-role/webserver/i-xxxxxxxxxxxxxxxxx"
}
Get Key Info¶
IAM¶
AWS Identity and Access Management (IAM) is a web service for securely controlling access to AWS services. With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users and applications can access.
aws iam get-account-password-policy
aws iam list-users
aws iam list-roles
aws iam list-access-keys --user-name <user>
aws iam create-access-key --user-name <user>
aws iam list-attached-user-policies --user-name <user>
aws iam get-policy
aws iam get-policy-version
SSM¶
AWS System Manager is a collection of capabilities that helps you automate management tasks such as collecting system inverntory, applying OS patches, automating the creation of AMIs. Systems Manager lets you remotely and securely manage the configuration of your managed instances.
A managed instance is any EC2 instance or any on-premise server or VM.
Check instances are accepted for executing commands¶
$ aws ssm describe-instance-information --output text --query "InstanceInformationList[*]"
1.2.3.4 example-1234567890.eu-west-1.elb.amazonaws.com 172.10.1.100 i-xxxxxxxxxxxxxxxxx False 2021-02-05T13:37:00.000000+01:00 Online Amazon Linux AMI Linux 2020.01 EC2Instance
Send Command¶
Copy the CommandId of the output for later usage.
$ aws ssm send-command --document-name "AWS-RunShellScript" --comment "RCE test: whoami" --targets "Key=instanceids,Values=[instanceid]" --parameters 'commands=whoami'
{
"Command": {
"CommandId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"DocumentName": "AWS-RunShellScript",
"DocumentVersion": "",
"Comment": "RCE test: whoami",
"ExpiresAfter": "2021-02-05T13:37:00.000000+01:00",
"Parameters": {
"commands": [
"whoami"
]
},
"InstanceIds": [],
"Targets": [
{
"Key": "instanceids",
"Values": [
"i-xxxxxxxxxxxxxxxxx"
]
}
],
"RequestedDateTime": "2021-02-05T13:37:00.000000+01:00",
"Status": "Pending",
"StatusDetails": "Pending",
"OutputS3BucketName": "",
"OutputS3KeyPrefix": "",
"MaxConcurrency": "50",
"MaxErrors": "0",
"TargetCount": 0,
"CompletedCount": 0,
"ErrorCount": 0,
"DeliveryTimedOutCount": 0,
"ServiceRole": "",
"NotificationConfig": {
"NotificationArn": "",
"NotificationEvents": [],
"NotificationType": ""
},
"CloudWatchOutputConfig": {
"CloudWatchLogGroupName": "",
"CloudWatchOutputEnabled": false
},
"TimeoutSeconds": 3600
}
}
Check command output¶
With the previous CommandId check the output. If the command didn't finish yet, the Status will be shown as pending.
$ aws ssm list-command-invocations --command-id "[CommandId]" --details
{
"CommandInvocations": [
{
"CommandId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"InstanceId": "i-xxxxxxxxxxxxxxxxx",
"InstanceName": "",
"Comment": "RCE test: whoami",
"DocumentName": "AWS-RunShellScript",
"DocumentVersion": "",
"RequestedDateTime": "2021-02-05T13:37:00.000000+01:00",
"Status": "Success",
"StatusDetails": "Success",
"StandardOutputUrl": "",
"StandardErrorUrl": "",
"CommandPlugins": [
{
"Name": "aws:runShellScript",
"Status": "Success",
"StatusDetails": "Success",
"ResponseCode": 0,
"ResponseStartDateTime": "2021-02-05T13:37:00.000000+01:00",
"ResponseFinishDateTime": "2021-02-05T13:37:00.000000+01:00",
"Output": "root\n",
"StandardOutputUrl": "",
"StandardErrorUrl": "",
"OutputS3Region": "eu-west-1",
"OutputS3BucketName": "",
"OutputS3KeyPrefix": ""
}
],
"ServiceRole": "",
"NotificationConfig": {
"NotificationArn": "",
"NotificationEvents": [],
"NotificationType": ""
},
"CloudWatchOutputConfig": {
"CloudWatchLogGroupName": "",
"CloudWatchOutputEnabled": false
}
}
]
}
S3 Buckets¶
Amazon Simple Storage Service as known as S3 Bucket has a simple web services interface that you can use to store and retrieve any amount of data, at any time, from anywhere on the web.
Search for S3 Buckets¶
We need to identify if the service running is a s3.
You can get the region of a bucket with a dig and nslookup:
$ dig flaws.cloud
;; ANSWER SECTION:
flaws.cloud. 5 IN A 52.218.192.11
$ nslookup 52.218.192.11
Non-authoritative answer:
11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.
Enumeration¶
We will use aws-cli tool
- Use
--no-sign-requestfor check Everyones permissions - Use
--profile <PROFILE_NAME>to indicate the previous configuration profile.
Search Buckets inside the same host:¶
List content of a bucket:¶
Copy content:¶
DynamoDB¶
Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. It's a fully managed, multi-region, multi-active, durable database with built-in security, backup and restore, and in-memory caching for internet-scale applications.
List tables¶
Get Table Content¶
aws dynamodb scan --table-name TABLENAME --endpoint-url http://s3.DOMAIN.COM/
{
"Items": [
{
"password": {
"S": "PWD@#1@#"
},
"username": {
"S": "USER3"
}
},
{
"password": {
"S": "PWD!"
},
"username": {
"S": "USER2"
}
},
{
"password": {
"S": "PWD"
},
"username": {
"S": "USER1"
}
}
],
"Count": 3,
"ScannedCount": 3,
"ConsumedCapacity": null
}
Create Table¶
aws dynamodb create-table --table-name TABLENAME--attribute-definitions AttributeName=title,AttributeType=S AttributeName=data,AttributeType=S --key-schema AttributeName=title,KeyType=HASH AttributeName=data,KeyType=RANGE --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 --endpoint-url http://s3.DOMAIN.COM/
Create Item¶
aws dynamodb update-item --table-name TABLENAME--key file://FILE.json --endpoint-url http://s3.DOMAIN.COM/
# where FILE.json is:
{
"title": {"S": "TITLECONTENT"},
"data": {"S": "DATACONTENT"}
}
References¶
- https://book.hacktricks.xyz/pentesting/pentesting-web/buckets/aws-s3
- https://docs.aws.amazon.com/cli/latest/reference/dynamodb/index.html
- https://sanderwind.medium.com/escalating-ssrf-to-rce-7c0147371c40
- https://github.com/six2dez/pentest-book/blob/dd75c8af72e4906593c744a3aacc4888d7c04430/enumeration/cloud/aws.md#basic-commands-1