diff --git a/Enumeration/AWS.md b/Enumeration/AWS.md index 2c1adc8..5e8ae15 100644 --- a/Enumeration/AWS.md +++ b/Enumeration/AWS.md 
@@ -435,6 +435,66 @@ A Unique ID is create through the following scheme arn:aws::::/ ``` +### IAM - Gain Access through Vulnerabilities + +#### Gathering Credentials + +Git repositories, especially on GitLab and Github but also other repositories, +can be a source of found credentials. A tool to find sensitive data inside git +repository is [Trufflesecurity's +Trufflehog](https://github.com/trufflesecurity/trufflehog). + +Other repositories, like package repository for programming, are also prone to +contain credentials unintentionally. + +#### Gain Access through CloudFormation + +It is possible to phish credentials through url manipulation and sending it to +someone with higher privileges. + +This may be achieved through link manipulation. A link for a CloudFormation +Stackset creation looks like this. + +```http +https://console.aws.amazon.com/cloudformation/home?region=#/stacks/new?stackName=&templateURL=https://s3.amazonaws.com//.template +``` + +CloudFormation Stacks can be listed through aws cli. + +```sh +aws cloudformation describe-stacks | jq . +``` + +#### Gaining Access through Metadata Service + +Metdata Service (IMDS) returns information about the EC2 instance and IAM it uses. +Take a look at chapter [Metadata Service](#Metadata-Service) to get in to the details. + +To gain access from the web, you need something like an LFI or a SSRF to +request the IMDS through the EC2 instance, indirectly. Goal is to gain access +to the environment variables and as a result to `AWS_SESSION_TOKEN`, +`AWS_SECRET_ACCESS_KEY` and `AWS_ACCESS_KEY_ID`. + +Query the the role name first. Use them to query the instance profile role afterwards. + +```http +http://169.254.169.254/latest/meta-data/iam/security-credentials/ +http://169.254.169.254/latest/meta-data/iam/security-credentials/ +``` + +Export the variables and check if you got the instance profile permissions +correctly via aws cli. 
+ +```sh +aws sts get-caller-identity +``` + +#### Credentials Gain through CI/CD + +Credentials can be found directly inside files of a bucket or through the use +of the bucket by other services, which store credentials inside the bucket as a +result of some executed scripts. + ## Services An [action on an @@ -1490,13 +1550,17 @@ inside these Lambda authorizer policies to get unexpected permissions. #### Use an API Gateway as a Reverse Proxy -Rotation of IP addresses for an attack may bypass restrictions, like rate-limiting, set for an address. -This can be done via VPNs, e.g. Tor or more suitable in this case using the AWS -API Gateway to rotate the IP address via FireProx. +Rotation of IP addresses for an attack may bypass restrictions, like +rate-limiting, set for an address. This can be done via VPNs, e.g. Tor or more +suitable in this case using the AWS API Gateway to rotate the IP address via +FireProx. -Use the Cloudshell inside a browser to clone and install the [Fireprox repository](https://github.com/ustayready/fireprox). Start `fire.py` afterwards. +Use the Cloudshell inside a browser to clone and install the [Fireprox +repository](https://github.com/ustayready/fireprox). Start `fire.py` +afterwards. -You can use Fireprox externally from the AWS, but you have set an endpoint via a URL to achieve a connection. +You can use Fireprox externally from the AWS, but you have set an endpoint via +a URL to achieve a connection. ```sh ./fire.py --command create --url @@ -1506,4 +1570,4 @@ Using any of these two lets you list existing APIs. ```sh ./fire.py --command list - +```
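Review bot: In the first hunk (the new `### IAM - Gain Access through Vulnerabilities` section) several headings do not match their bodies and the key steps are left undocumented. `#### Credentials Gain through CI/CD` describes credentials left in S3 buckets by executed scripts, not a CI/CD pipeline; rename it or add the CI/CD material. In `#### Gain Access through CloudFormation` the claim "phish credentials through url manipulation" is never explained: the only artefacts are a console link whose `region`, `stackName` and `templateURL` parameters are empty placeholders and an unrelated `describe-stacks` listing, and the heading says Stackset while the path is `/stacks/new`; either document the mechanism the link relies on and the review check a defender applies to such links (the template URL should point at a bucket the organisation controls) or drop the section. In `#### Gaining Access through Metadata Service`, fix "Metdata" and "Query the the role name", and the anchor `#Metadata-Service` should be `#metadata-service` since GitHub lowercases heading slugs; the two IMDS URLs are identical because the role-name placeholder is missing from the second one, so show it explicitly as e.g. `.../security-credentials/<role-name>`; IMDS returns the credentials as JSON fields (`AccessKeyId`, `SecretAccessKey`, `Token`), not as environment variables, so say the values are exported locally before `aws sts get-caller-identity`; and add the caveat that instances enforcing IMDSv2 reject these plain GET requests, which is the standard mitigation a reader should know about.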
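Review bot: In the second hunk (`#### Use an API Gateway as a Reverse Proxy`) the reflow carries over two wording errors that should be fixed while these lines are touched: "but you have set an endpoint via a URL" should read "but you have to set an endpoint via a URL", and Tor is an anonymity network rather than a VPN, so "via VPNs, e.g. Tor" should read "via VPNs or anonymity networks such as Tor".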
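Review bot: The context line "Using any of these two lets you list existing APIs." above the third hunk should read "Using either of these two lets you list existing APIs."; the hunk itself, adding the closing code fence after `./fire.py --command list`, is the right fix, since the unterminated block rendered everything after it as code.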