diff --git a/enumeration/docs/aws.md b/enumeration/docs/aws.md new file mode 100644 index 0000000..7f93f56 --- /dev/null +++ b/enumeration/docs/aws.md @@ -0,0 +1,84 @@ +# AWS S3 Enumeration + +## Usage + +* [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions) + * `--region` +### Simple Storage Service (S3) +* [S3](https://aws.amazon.com/s3/) +* Methods of access control are as follows + * [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) + * [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html) + +* Scheme is +```sh +http://.s3.amazonaws.com/file.name +``` +or +```sh +http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext +``` + +* __List content of public bucket via__ +```sh +aws s3 ls s3:/// --no-sign-request +``` +* Download via `curl`, `wget` or `s3` cli via +```sh +aws s3 cp s3:///foo_public.xml . --no-sign-request +``` + +#### ACL +* `Anyone`, just `curl` +* `AuthenticatedUsers`, `s3` cli with aws key + +## IAM +* Not necessarily used by s3 +* Access key ID, starts with `AKIA` + 20 chars +* Secret access key +* Session token, `ASIA` + sessionToken + +* Add credentials to profile via +```sh +aws configure --profile PROFILENAME +``` +* Config and credentials is stored at `~/.aws` +* Sanity test profile via +```sh +aws s3 ls --profile PROFILENAME +``` +* Find account ID to an access key +```sh +aws sts get-access-key-info --access-key-id AKIAEXAMPLE +``` +* Find username to an access key +```sh +aws sts get-caller-identity --profile PROFILENAME +``` +* Listing EC2 instances of an account +```sh +aws ec2 describe-instances --output text --profile PROFILENAME +``` +* aws ec2 describe-instances --output text --profile PROFILENAME +```sh +aws ec2 describe-instances --output text --profile PROFILENAME +``` + * In another region +```sh +aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME +``` + +### AWS ARN +* Unique ID is create via the following scheme +```sh +arn:aws::::/ +``` + +### Secrets + +```sh +aws secretsmanager help +aws secretsmanager list-secrets +ws secretsmanager get-secret-value --secret-id --region +``` + diff --git a/exploit/yaml/deserialization.md b/exploit/yaml/deserialization.md new file mode 100644 index 0000000..4a3b281 --- /dev/null +++ b/exploit/yaml/deserialization.md @@ -0,0 +1,13 @@ +# YAML Deserialization + +* [CVE-2019-20477](https://packetstormsecurity.com/files/cve/CVE-2019-20477) +* RCE via Yaml execution by Python + +* [jolt](https://thej0lt.com/2020/06/21/cve-2019-20477-0day-yaml-deserialization-attack-on-pyyaml-version/) + +## Usage + +* Example Payload insid foo.yaml gets executed via Python +```sh +!!python/object/apply:os.system ["id"] +```