mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-12 22:33:00 +00:00
AWS Patterns
This commit is contained in:
parent
0b14b12fb4
commit
c5ac4e9eff
3 changed files with 44 additions and 10 deletions
|
@ -152,22 +152,24 @@ aws s3 ls s3://<bucketname> --recursive | grep -v -E "(Bucket: |Prefix: |LastWr
|
|||
## AWS - Extract Backup
|
||||
|
||||
```powershell
|
||||
aws --profile flaws sts get-caller-identity
|
||||
$ aws --profile flaws sts get-caller-identity
|
||||
"Account": "XXXX26262029",
|
||||
|
||||
aws --profile flaws ec2 describe-snapshots --owner-id XXXX26262029 --region us-west-2
|
||||
|
||||
$ aws --profile profile_name ec2 describe-snapshots
|
||||
$ aws --profile flaws ec2 describe-snapshots --owner-id XXXX26262029 --region us-west-2
|
||||
"SnapshotId": "snap-XXXX342abd1bdcb89",
|
||||
|
||||
Create a volume using snapshot
|
||||
aws --profile swk ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-XXXX342abd1bdcb89
|
||||
$ aws --profile swk ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-XXXX342abd1bdcb89
|
||||
In Aws Console -> EC2 -> New Ubuntu
|
||||
chmod 400 YOUR_KEY.pem
|
||||
ssh -i YOUR_KEY.pem ubuntu@ec2-XXX-XXX-XXX-XXX.us-east-2.compute.amazonaws.com
|
||||
$ chmod 400 YOUR_KEY.pem
|
||||
$ ssh -i YOUR_KEY.pem ubuntu@ec2-XXX-XXX-XXX-XXX.us-east-2.compute.amazonaws.com
|
||||
|
||||
Mount the volume
|
||||
lsblk
|
||||
sudo file -s /dev/xvda1
|
||||
sudo mount /dev/xvda1 /mnt
|
||||
$ lsblk
|
||||
$ sudo file -s /dev/xvda1
|
||||
$ sudo mount /dev/xvda1 /mnt
|
||||
```
|
||||
|
||||
## Bucket juicy data
|
||||
|
|
|
@ -4,6 +4,7 @@
|
|||
|
||||
* [Training](#training)
|
||||
* [Tools](#tools)
|
||||
* [AWS - Patterns](#aws---patterns)
|
||||
* [AWS - Metadata SSRF](#aws---metadata-ssrf)
|
||||
* [Method for Elastic Cloud Compute (EC2)](#method-for-elastic-cloud-compute-ec2)
|
||||
* [Method for Container Service (Fargate)](#method-for-container-service-fargate)
|
||||
|
@ -122,6 +123,35 @@
|
|||
find_admins: Look at IAM policies to identify admin users and roles, or principals with specific privileges
|
||||
```
|
||||
|
||||
## AWS Patterns
|
||||
| Service | URL |
|
||||
|-------------|--------|
|
||||
| s3 | https://{user_provided}.s3.amazonaws.com |
|
||||
| cloudfront | https://{random_id}.cloudfront.net |
|
||||
| ec2 | ec2-{ip-seperated}.compute-1.amazonaws.com |
|
||||
| es | https://{user_provided}-{random_id}.{region}.es.amazonaws.com |
|
||||
| elb | http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443 |
|
||||
| elbv2 | https://{user_provided}-{random_id}.{region}.elb.amazonaws.com |
|
||||
| rds | mysql://{user_provided}.{random_id}.{region}.rds.amazonaws.com:3306 |
|
||||
| rds | postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432 |
|
||||
| route 53 | {user_provided} |
|
||||
| execute-api | https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided} |
|
||||
| cloudsearch | https://doc-{user_provided}-{random_id}.{region}.cloudsearch.amazonaws.com |
|
||||
| transfer | sftp://s-{random_id}.server.transfer.{region}.amazonaws.com |
|
||||
| iot | mqtt://{random_id}.iot.{region}.amazonaws.com:8883 |
|
||||
| iot | https://{random_id}.iot.{region}.amazonaws.com:8443 |
|
||||
| iot | https://{random_id}.iot.{region}.amazonaws.com:443 |
|
||||
| mq | https://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:8162 |
|
||||
| mq | ssl://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:61617 |
|
||||
| kafka | b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}.amazonaws.com |
|
||||
| kafka | {user_provided}.{random_id}.c{1,2}.kafka.useast-1.amazonaws.com |
|
||||
| cloud9 | https://{random_id}.vfs.cloud9.{region}.amazonaws.com |
|
||||
| mediastore | https://{random_id}.data.mediastore.{region}.amazonaws.com |
|
||||
| kinesisvideo | https://{random_id}.kinesisvideo.{region}.amazonaws.com |
|
||||
| mediaconvert | https://{random_id}.mediaconvert.{region}.amazonaws.com |
|
||||
| mediapackage | https://{random_id}.mediapackage.{region}.amazonaws.com/in/v1/{random_id}/channel |
|
||||
|
||||
|
||||
## AWS - Metadata SSRF
|
||||
|
||||
### Method for Elastic Cloud Compute (EC2)
|
||||
|
@ -360,3 +390,4 @@ https://github.com/DenizParlak/Zeus
|
|||
* [PACU Spencer Gietzen - 30 juil. 2018](https://www.youtube.com/watch?v=XfetW1Vqybw&feature=youtu.be&list=PLBID4NiuWSmfdWCmYGDQtlPABFHN7HyD5)
|
||||
* [Cloud security instance metadata - PumaScan](https://pumascan.com/resources/cloud-security-instance-metadata/)
|
||||
* [Privilege escalation in the Cloud: From SSRF to Global Account Administrator - Maxime Leblanc - Sep 1, 2018](https://medium.com/poka-techblog/privilege-escalation-in-the-cloud-from-ssrf-to-global-account-administrator-fd943cf5a2f6)
|
||||
* [AWS - Cheatsheet - @Magnussen](https://www.magnussen.funcmylife.fr/article_35)
|
|
@ -410,3 +410,4 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an
|
|||
* [Building Free Active Directory Lab in Azure - @kamran.bilgrami](https://medium.com/@kamran.bilgrami/ethical-hacking-lessons-building-free-active-directory-lab-in-azure-6c67a7eddd7f)
|
||||
* [Attacking Azure/Azure AD and introducing Powerzure - SpecterOps](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a)
|
||||
* [Azure AD connect for RedTeam - @xpnsec](https://blog.xpnsec.com/azuread-connect-for-redteam/)
|
||||
* [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/)
|
Loading…
Reference in a new issue