Breaching TWOCAPITALS

BAWS 02 – Dumping EBS Secrets

Authenticated Reconnaissance

Once you have a valid pair of AWS credentials (an access key ID and its secret access key), you can start enumerating the resources and roles available to that principal.

Enumerating IAM Permissions

First, retrieve information about the AWS IAM user or role making the call, together with the Account ID. The Account ID is the unique identifier of an AWS account.

aws sts get-caller-identity

Returns information about the user, including its permissions boundary and when its password was last used:

aws iam get-user --user-name <breached_username>

Lists the names of the in-line policies embedded in the target user:

aws iam list-user-policies --user-name <breached_username>

Lists the managed policies attached to the user:

aws iam list-attached-user-policies --user-name <breached_username>

Retrieves the document of a specific in-line policy by name:

aws iam get-user-policy --user-name <breached_username> --policy-name <policyname>

Automated tools such as Pacu can enumerate the permissions assigned to the compromised user for you. Bear in mind that, depending on the organisation's level of security maturity, all of these API calls will be recorded in AWS CloudTrail logs.

What is Pacu?

Pacu is an open-source AWS exploitation framework designed for offensive security testing against cloud environments. Created and maintained by Rhino Security Labs, Pacu lets penetration testers exploit configuration flaws within an AWS account, with a module system that makes its functionality easy to extend.

> run iam__enum_permissions
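The manual commands above fetch the policy documents and the Pacu module evaluates them. The following Python script is an added example (not code from the original post or from Pacu) of the evaluation step done offline: it takes the JSON that `aws iam get-user-policy` returns and decides, for a list of API actions, whether the policy allows them. It applies two IAM rules, an explicit Deny always beats an Allow, and `*`/`?` wildcards in `Action` and `NotAction` expand case-insensitively, but it ignores `Resource` ARNs and `Condition` blocks, so "allow" here means "not ruled out by this one policy". The user name, policy name and policy statements are constructed sample data.

```python
"""Simplified offline evaluation of an IAM policy document.

Added example (not from the original post). Given the JSON returned by
`aws iam get-user-policy`, report which of a set of API actions the
policy allows. Explicit Deny wins over Allow; Action/NotAction wildcards
are honoured. Resource ARNs and Condition blocks are NOT evaluated, so
"allow" means "not ruled out by this policy alone".
"""
import fnmatch
import json

# Constructed sample of `aws iam get-user-policy` output (hypothetical
# user name, policy name and statements; not taken from any real account).
SAMPLE_GET_USER_POLICY = json.dumps({
    "UserName": "breached-user",
    "PolicyName": "storage-readonly",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["ec2:Describe*", "sts:GetCallerIdentity"],
             "Resource": "*"},
            {"Effect": "Allow", "Action": "iam:Get*", "Resource": "*"},
            {"Effect": "Deny", "Action": "ec2:DescribeSnapshotAttribute",
             "Resource": "*"},
        ],
    },
})


def _as_list(value):
    """IAM allows a single string or a list for Action/NotAction/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' and '?'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt, action):
    """True if this statement's Action/NotAction selects the given action."""
    if "Action" in stmt:
        return any(_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def evaluate_policy(policy_document, actions):
    """Return {action: 'allow' | 'deny' | 'implicit-deny'} for each action."""
    statements = _as_list(policy_document.get("Statement"))
    results = {}
    for action in actions:
        verdict = "implicit-deny"          # IAM default when nothing matches
        for stmt in statements:
            if not _statement_covers(stmt, action):
                continue
            if stmt.get("Effect") == "Deny":
                verdict = "deny"           # explicit Deny is final
                break
            verdict = "allow"
        results[action] = verdict
    return results


def evaluate_get_user_policy_output(cli_json, actions):
    """Parse the CLI JSON (PolicyDocument is already decoded) and evaluate."""
    doc = json.loads(cli_json)["PolicyDocument"]
    return evaluate_policy(doc, actions)


if __name__ == "__main__":
    wanted = ["ec2:DescribeSnapshots", "ec2:DescribeSnapshotAttribute",
              "ec2:CreateVolume", "iam:GetUser"]
    for action, verdict in evaluate_get_user_policy_output(
            SAMPLE_GET_USER_POLICY, wanted).items():
        print(f"{action:35} {verdict}")
```

In a real assessment the script would be fed the output of every in-line policy from `get-user-policy` plus the documents of the managed policies returned by `list-attached-user-policies`, and the verdicts are only a first cut: a `Condition` block or a narrow `Resource` can still block an action this script reports as allowed.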

Enumerating AWS Resources

Amazon's cloud infrastructure is hosted in different locations around the world. These locations are organised into 32 AWS Regions, 102 Availability Zones, and Local Zones. Each AWS Region is a separate geographic area, and each Region contains multiple isolated locations known as Availability Zones.

Each AWS Region operates independently and may offer different services and features, providing a flexible and robust infrastructure for deploying applications globally. The full list of Regions is published in the AWS documentation.

Elastic Compute Cloud EC2

Amazon Web Services (AWS) Elastic Compute Cloud (EC2) is a web service that provides resizable compute capacity in the cloud. EC2 is one of AWS’s most popular services and is designed to make web-scale cloud computing easier for developers. It allows you to run virtual servers, known as instances, on-demand. These instances can be customised based on computing capacity, storage, and networking options, giving you the flexibility to choose the right mix of resources for your applications.

EC2 is well integrated with other AWS services such as Amazon RDS, AWS Lambda, and Amazon S3, making it easier to build comprehensive cloud-based applications. In terms of security features, EC2 instances can be placed in isolated network segments called Virtual Private Clouds (VPCs).

To describe EC2 instances, you can use:

aws ec2 describe-instances

Next, to list EBS volumes use the describe command:

aws ec2 describe-volumes

And, if you want to describe EBS snapshots:

aws ec2 describe-snapshots

Ensure that your AWS CLI is configured with the correct credentials using aws configure before running these commands.

Also, keep in mind that these commands return JSON output by default. If you are interested in a specific attribute, you can use the --query parameter (a JMESPath expression) to filter the output.

Amazon Elastic Block Store (EBS)

Amazon Elastic Block Store (EBS) is a block storage service designed to be used with Amazon Elastic Compute Cloud (EC2) instances for both throughput and transaction-intensive workloads at any scale. Offered by Amazon Web Services (AWS), EBS provides scalable, durable, high-performance storage that can be attached to running EC2 instances and used like a traditional hard drive.
EBS volumes behave like raw, unformatted block devices that can be attached to a single EC2 instance. You can create an EBS volume independently and then attach it to an EC2 instance or create an EBS volume as part of the EC2 instance launch.
The data stored on an EBS volume persists independently of the life of the associated EC2 instance, unlike instance store volumes that are ephemeral.

To list all EBS volumes:

aws ec2 describe-volumes

Amazon Elastic Block Store (EBS) Snapshot

An Amazon Elastic Compute Cloud (Amazon EC2) snapshot is a point-in-time copy of an Amazon Elastic Block Store (Amazon EBS) volume. It captures the data and configuration of an EBS volume, allowing you to create a backup or replicate volumes for data protection, disaster recovery, or creating new instances with similar configurations. EC2 snapshots are crucial for ensuring the durability and availability of your data, as they enable you to recover from data loss or system failures, and efficiently manage your EC2 instances and storage resources.

List the EC2 snapshots that are public or that the current principal otherwise has access to:

aws ec2 describe-snapshots --region <region>
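Because `describe-snapshots` without an owner filter returns public snapshots alongside the account's own, the listing is also where a defender looks for exposure. The Python script below is an added example (not code from the original post) that takes the JSON from `aws ec2 describe-volumes` and `aws ec2 describe-snapshots` and reports the conditions worth following up: unencrypted volumes, unattached volumes that still hold data, unencrypted snapshots, and snapshots owned by a different account than the one `get-caller-identity` reported. The account ID, volume IDs, snapshot IDs and field values are constructed sample data.

```python
"""Audit EBS volume and snapshot inventory for exposure risks.

Added example (not from the original post). Input is the JSON that
`aws ec2 describe-volumes` and `aws ec2 describe-snapshots` print;
output is a list of (finding, resource-id) tuples.
"""
import json

# Constructed sample data: account id and resource ids are made up.
OWN_ACCOUNT = "111111111111"

SAMPLE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0aaa", "Size": 8, "State": "in-use", "Encrypted": True,
     "AvailabilityZone": "eu-west-1a",
     "Attachments": [{"InstanceId": "i-0aaa", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-0bbb", "Size": 100, "State": "available",
     "Encrypted": False, "AvailabilityZone": "eu-west-1a", "Attachments": []},
]})

SAMPLE_SNAPSHOTS = json.dumps({"Snapshots": [
    {"SnapshotId": "snap-0111", "VolumeId": "vol-0bbb", "OwnerId": OWN_ACCOUNT,
     "Encrypted": False, "State": "completed", "Description": "db backup",
     "VolumeSize": 100},
    {"SnapshotId": "snap-0222", "VolumeId": "vol-0aaa", "OwnerId": OWN_ACCOUNT,
     "Encrypted": True, "State": "completed", "Description": "",
     "VolumeSize": 8},
    {"SnapshotId": "snap-0333", "VolumeId": "vol-ffff", "OwnerId": "222222222222",
     "Encrypted": False, "State": "completed", "Description": "shared image",
     "VolumeSize": 20},
]})


def audit_volumes(volumes_json):
    """Flag volumes that are unencrypted or detached but still allocated."""
    findings = []
    for vol in json.loads(volumes_json)["Volumes"]:
        if not vol.get("Encrypted", False):
            findings.append(("UNENCRYPTED_VOLUME", vol["VolumeId"]))
        # 'available' means no instance is attached; data on it is still readable
        # by anyone who can attach it or snapshot it.
        if vol.get("State") == "available" and not vol.get("Attachments"):
            findings.append(("UNATTACHED_VOLUME", vol["VolumeId"]))
    return findings


def audit_snapshots(snapshots_json, own_account_id):
    """Flag snapshots from other owners (public/shared) and unencrypted ones."""
    findings = []
    for snap in json.loads(snapshots_json)["Snapshots"]:
        # describe-snapshots lists public snapshots of any account unless the
        # call is restricted with --owner-ids self.
        if snap.get("OwnerId") != own_account_id:
            findings.append(("FOREIGN_OWNER_SNAPSHOT", snap["SnapshotId"]))
        if not snap.get("Encrypted", False):
            findings.append(("UNENCRYPTED_SNAPSHOT", snap["SnapshotId"]))
    return findings


if __name__ == "__main__":
    # OWN_ACCOUNT stands in for the Account field of `aws sts get-caller-identity`.
    for kind, rid in audit_volumes(SAMPLE_VOLUMES) + audit_snapshots(
            SAMPLE_SNAPSHOTS, OWN_ACCOUNT):
        print(f"{kind:25} {rid}")
```

Pass the real CLI output through `--output json`, and restrict the snapshot call with `--owner-ids self` when you only want the account's own snapshots; any snapshot the script marks as foreign-owned is one the current principal can read but the organisation does not control.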