From 1ce5afd912d2cde777f3426cafdb272e25050c79 Mon Sep 17 00:00:00 2001 From: stefan Date: Sat, 17 Feb 2024 00:58:08 +0100 Subject: [PATCH] added details --- Enumeration/AWS.md | 57 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 56 insertions(+), 1 deletion(-) diff --git a/Enumeration/AWS.md b/Enumeration/AWS.md index 509176a..70ba617 100644 --- a/Enumeration/AWS.md +++ b/Enumeration/AWS.md @@ -531,6 +531,11 @@ default. 1. [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) 2. [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html) +Every bucket that was created before November 2018 has a default public access +permissions. Since November 2018 public access is blocked by default. + +A typical attack includes modifying files on a bucket another service is using. + #### S3 Policies Useful permissions to an attack, set through a policy, are `s3:GetObject` and `s3:PutObject`. @@ -592,6 +597,13 @@ or http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext ``` +#### Check Read Permissions of a bucket + +Use the aws cli to store data from a bucket locally. + +```sh +aws s3 sync --no-sign-request s3:// . + #### Check Permissions of a bucket Use a `PUT` method to see if the bucket may be writeable to upload a file via @@ -658,7 +670,6 @@ the resources behind the IP addresses. ```sh drill assets.example.com drill <$IP_ADDRESS> -x - ``` How to find a potentially interesting CloudFront assets domain 
@@ -667,3 +678,47 @@ How to find a potentially interesting CloudFront assets domain * Do some dorking with a search engine to list the content of a bucket behind an S3 subdomian * Spider a website via wget or [Linkfinder](https://github.com/GerbenJavado/LinkFinder) * Search for certificate details + +### EC2 + +Virtual machine service. + +### Restore an Amazon Machine Image + +An EC2 VM can be created from an Amazon Machine Image, +that can be found in some S3 buckets. + +```sh +aws ec2 create-restore-image-task --object-key --bucket --name +``` + +An `ImageId` will be returned. This `imageId` is needed to create the image later. + +Create a keypair to connect to the created VM via SSH. the keypair is set for +EC2 instances by aws cli automatically. + +```sh +aws ec2 create-key-pair --key-name --query "KeyMaterial" --output text > ./mykeys.pem +``` + +A subnet for the the creation of the ec2 is needed, pick one via aws cli. + +```sh +aws ec2 describe-subnets +``` + +Further, a security group with SSH access is needed + +```sh +aws ec2 describe-security-groups +``` + +Create an image including the found information + +```sh +aws ec2 run-instances --image-id --instance-type t3a.micro --key-name --subnet-id --security-group-id +``` + +Take a look at the EC2 dashboard inside the webconsole to see the IP address of the created EC2 instance. Connect to the VM via SSH, using the generated keypair. + +
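Review bot: in the first hunk (@@ -531,6 +531,11 @@), the added sentence "Every bucket that was created before November 2018 has a default public access permissions" is ungrammatical and conflates two different dates: the date the S3 Block Public Access feature was launched and the date it became the default setting for newly created buckets are not necessarily the same, so please verify which is meant and cite the Block Public Access documentation next to the two links already listed above it. Suggested wording: "Buckets created before November 2018 were not covered by Block Public Access; check the bucket's Block Public Access settings rather than assuming its creation date decides exposure." The sentence "A typical attack includes modifying files on a bucket another service is using" would also read better with the defensive counterpart the section is otherwise building toward, i.e. that write access to a bucket consumed by another service is the condition to detect and deny via policy.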
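Review bot: in the second hunk (@@ -592,6 +597,13 @@), the new ```sh block is never closed, so everything from "#### Check Permissions of a bucket" onward renders inside the code block; add the closing ``` after the `aws s3 sync` line. The command itself is also missing the bucket placeholder (`s3://` with nothing after it) while the rest of the file uses `BUCKETNAME`, so it should read `aws s3 sync --no-sign-request s3://BUCKETNAME .`. Note that `sync` downloads the entire bucket; for a plain read-permission check, `aws s3 ls --no-sign-request s3://BUCKETNAME` confirms listing access without copying data, which is worth stating so readers do not pull more than they intend.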
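Review bot: in the last hunk (@@ -667,3 +678,47 @@), the `run-instances` command uses `--security-group-id`, but the AWS CLI option is `--security-group-ids` (it takes a list), so the command as written fails; every command in this hunk also omits placeholders after its options (`--object-key --bucket --name`, `--key-name`, `--image-id ... --subnet-id`), unlike the S3 section above, which uses `BUCKETNAME`/`FILENAME.ext`. Suggest, for example, `aws ec2 run-instances --image-id IMAGEID --instance-type t3a.micro --key-name KEYNAME --subnet-id SUBNETID --security-group-ids SGID`. Further points: "This `imageId` is needed to create the image later" should say the `ImageId` is needed to launch the instance (`run-instances`), and the casing should match the returned field; "the keypair is set for EC2 instances by aws cli automatically" is not accurate, the key pair is selected explicitly via `--key-name`, and `mykeys.pem` needs `chmod 400` before ssh will accept it; "Create an image including the found information" should be "Create an instance"; `### Restore an Amazon Machine Image` is the same heading level as `### EC2` although it is a subsection, so use `####` as the S3 part does; `create-restore-image-task` only restores objects produced by `create-store-image-task`, which the sentence "that can be found in some S3 buckets" should state; and the public IP can be read with `aws ec2 describe-instances` instead of only the web console. While here, "A subnet for the the creation" has a doubled "the", and the context line above it has "subdomian".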