From c5ac4e9effdcb9451389c97f7e58a8b66bef51e2 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sun, 23 Feb 2020 20:58:53 +0100
Subject: [PATCH] AWS Patterns
---
 AWS Amazon Bucket S3/README.md | 18 +++++-----
 .../Cloud - AWS Pentest.md | 33 ++++++++++++++++++-
 .../Cloud - Azure Pentest.md | 3 +-
 3 files changed, 44 insertions(+), 10 deletions(-)
diff --git a/AWS Amazon Bucket S3/README.md b/AWS Amazon Bucket S3/README.md
index 98042560..e9a574f5 100644
--- a/AWS Amazon Bucket S3/README.md
+++ b/AWS Amazon Bucket S3/README.md
@@ -152,22 +152,24 @@ aws s3 ls s3:// --recursive | grep -v -E "(Bucket: |Prefix: |LastWr
 ## AWS - Extract Backup
 ```powershell
-aws --profile flaws sts get-caller-identity
+$ aws --profile flaws sts get-caller-identity
 "Account": "XXXX26262029",
-aws --profile flaws ec2 describe-snapshots --owner-id XXXX26262029 --region us-west-2
+
+$ aws --profile profile_name ec2 describe-snapshots
+$ aws --profile flaws ec2 describe-snapshots --owner-id XXXX26262029 --region us-west-2
 "SnapshotId": "snap-XXXX342abd1bdcb89",

 Create a volume using snapshot
-aws --profile swk ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-XXXX342abd1bdcb89
+$ aws --profile swk ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-XXXX342abd1bdcb89

 In Aws Console -> EC2 -> New Ubuntu
-chmod 400 YOUR_KEY.pem
-ssh -i YOUR_KEY.pem ubuntu@ec2-XXX-XXX-XXX-XXX.us-east-2.compute.amazonaws.com
+$ chmod 400 YOUR_KEY.pem
+$ ssh -i YOUR_KEY.pem ubuntu@ec2-XXX-XXX-XXX-XXX.us-east-2.compute.amazonaws.com

 Mount the volume
-lsblk
-sudo file -s /dev/xvda1
-sudo mount /dev/xvda1 /mnt
+$ lsblk
+$ sudo file -s /dev/xvda1
+$ sudo mount /dev/xvda1 /mnt
 ```

 ## Bucket juicy data
diff --git a/Methodology and Resources/Cloud - AWS Pentest.md b/Methodology and Resources/Cloud - AWS Pentest.md
index b733cd19..50175642 100644
--- a/Methodology and Resources/Cloud - AWS Pentest.md
+++ b/Methodology and Resources/Cloud - AWS Pentest.md
@@ -4,6 +4,7 @@
 * [Training](#training)
 * [Tools](#tools)
+* [AWS - Patterns](#aws---patterns)
 * [AWS - Metadata SSRF](#aws---metadata-ssrf)
 * [Method for Elastic Cloud Compute (EC2)](#method-for-elastic-cloud-compute-ec2)
 * [Method for Container Service (Fargate)](#method-for-container-service-fargate)
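Review bot: The table-of-contents entry added here, `* [AWS - Patterns](#aws---patterns)`, does not resolve to the heading the next hunk introduces: that heading is written `## AWS Patterns`, whose generated anchor is `#aws-patterns`, so the link lands nowhere. Either rename the heading to `## AWS - Patterns`, which also matches the `## AWS - Metadata SSRF` form used by the neighbouring sections, or change the link target to `#aws-patterns`. The same mismatch applies to the heading in the `@@ -122,6 +123,35 @@` hunk below.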
@@ -122,6 +123,35 @@
 find_admins: Look at IAM policies to identify admin users and roles, or principals with specific privileges
 ```
+## AWS Patterns
+| Service | URL |
+|-------------|--------|
+| s3 | https://{user_provided}.s3.amazonaws.com |
+| cloudfront | https://{random_id}.cloudfront.net |
+| ec2 | ec2-{ip-seperated}.compute-1.amazonaws.com |
+| es | https://{user_provided}-{random_id}.{region}.es.amazonaws.com |
+| elb | http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443 |
+| elbv2 | https://{user_provided}-{random_id}.{region}.elb.amazonaws.com |
+| rds | mysql://{user_provided}.{random_id}.{region}.rds.amazonaws.com:3306 |
+| rds | postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432 |
+| route 53 | {user_provided} |
+| execute-api | https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided} |
+| cloudsearch | https://doc-{user_provided}-{random_id}.{region}.cloudsearch.amazonaws.com |
+| transfer | sftp://s-{random_id}.server.transfer.{region}.amazonaws.com |
+| iot | mqtt://{random_id}.iot.{region}.amazonaws.com:8883 |
+| iot | https://{random_id}.iot.{region}.amazonaws.com:8443 |
+| iot | https://{random_id}.iot.{region}.amazonaws.com:443 |
+| mq | https://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:8162 |
+| mq | ssl://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:61617 |
+| kafka | b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}.amazonaws.com |
+| kafka | {user_provided}.{random_id}.c{1,2}.kafka.useast-1.amazonaws.com |
+| cloud9 | https://{random_id}.vfs.cloud9.{region}.amazonaws.com |
+| mediastore | https://{random_id}.data.mediastore.{region}.amazonaws.com |
+| kinesisvideo | https://{random_id}.kinesisvideo.{region}.amazonaws.com |
+| mediaconvert | https://{random_id}.mediaconvert.{region}.amazonaws.com |
+| mediapackage | https://{random_id}.mediapackage.{region}.amazonaws.com/in/v1/{random_id}/channel |
+
+
 ## AWS - Metadata SSRF
 ### Method for Elastic Cloud Compute (EC2)
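Review bot: The ec2 row of the new table misspells its placeholder, `| ec2 | ec2-{ip-seperated}.compute-1.amazonaws.com |` should read `{ip-separated}`, and the second kafka row hard-codes `useast-1` where every other row uses the `{region}` placeholder; the region identifier is spelled `us-east-1`, so the row should either use `{region}` or the correct spelling. The elb row folds two schemes into one entry, `http://...:80/443`, which reads inconsistently next to the separate rds and iot rows that give one scheme and port per line; splitting it into an `http://...:80` and an `https://...:443` row would make it match. The two blank `+` lines at the end of the hunk leave a double blank line before `## AWS - Metadata SSRF`, one more than the rest of the file uses between sections.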
@@ -359,4 +389,5 @@ https://github.com/DenizParlak/Zeus
 * [Pacu Open source AWS Exploitation framework - RhinoSecurityLabs](https://rhinosecuritylabs.com/aws/pacu-open-source-aws-exploitation-framework/)
 * [PACU Spencer Gietzen - 30 juil. 2018](https://www.youtube.com/watch?v=XfetW1Vqybw&feature=youtu.be&list=PLBID4NiuWSmfdWCmYGDQtlPABFHN7HyD5)
 * [Cloud security instance metadata - PumaScan](https://pumascan.com/resources/cloud-security-instance-metadata/)
-* [Privilege escalation in the Cloud: From SSRF to Global Account Administrator - Maxime Leblanc - Sep 1, 2018](https://medium.com/poka-techblog/privilege-escalation-in-the-cloud-from-ssrf-to-global-account-administrator-fd943cf5a2f6)
\ No newline at end of file
+* [Privilege escalation in the Cloud: From SSRF to Global Account Administrator - Maxime Leblanc - Sep 1, 2018](https://medium.com/poka-techblog/privilege-escalation-in-the-cloud-from-ssrf-to-global-account-administrator-fd943cf5a2f6)
+* [AWS - Cheatsheet - @Magnussen](https://www.magnussen.funcmylife.fr/article_35)
\ No newline at end of file
diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md
index 54aec01b..e41836aa 100644
--- a/Methodology and Resources/Cloud - Azure Pentest.md
+++ b/Methodology and Resources/Cloud - Azure Pentest.md
@@ -409,4 +409,5 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an
 * [Windows Azure Active Directory in plain English](https://www.youtube.com/watch?v=IcSATObaQZE)
 * [Building Free Active Directory Lab in Azure - @kamran.bilgrami](https://medium.com/@kamran.bilgrami/ethical-hacking-lessons-building-free-active-directory-lab-in-azure-6c67a7eddd7f)
 * [Attacking Azure/Azure AD and introducing Powerzure - SpecterOps](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a)
-* [Azure AD connect for RedTeam - @xpnsec](https://blog.xpnsec.com/azuread-connect-for-redteam/)
\ No newline at end of file
+* [Azure AD connect for RedTeam - @xpnsec](https://blog.xpnsec.com/azuread-connect-for-redteam/)
+* [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/)
\ No newline at end of file