Step by step AWS Cloud Hacking

Transcript

1. Ekoparty 2020 Andrés Riancho

2. 2

3. 3

4. None

5. 5

6. need credentials • • • 6

7. 7

8. IAM permissions 8

9. 9 http://169.254.169.254/ /latest/meta-data/iam/security-credentials/ /latest/meta-data/iam/security-credentials/{role-name}

10. 10

11. 11 from urllib.request import urlopen from flask import request @app.route('/ssrf')

    def handler(): url = request.args.get('url') return urlopen(url).read()

12. Instance metadata and S3 compromise

13. 13

14. None

15. two ways to enumerate permissions IAM service In most cases

    this will fail brute-force 15

16. Get* / List* / Describe* DryRun parameter 16

17. 17 SUPPORTED_SERVICES = [ 'ec2', 's3' ]

18. 18

19. ./enumerate-iam.py

20. 20

21. many things the attacker doesn't know. 21 { "Statement":[ {

    "Effect":"Allow", "Action":[ "s3:*", "lambda:*", "..." ], "Resource":"*" } ] }

22. try to elevate privileges to a principal with full access

    22 { "Statement":[ { "Effect":"Allow", "Action":[ "*", ], "Resource": "*" } ] }

23. Lambda function will have access to the IAM role 23

24. Getting * on *

25. None

26. existing trust policy in the AdminRole 26

27. 27

28. 28 { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::925877178748:root" }, "Action":

    "sts:AssumeRole" } { "Effect": "Allow", "Principal": { "AWS": ["arn:aws:iam::925877178748:root", "arn:aws:iam::320222540496:root"] }, "Action": "sts:AssumeRole" }

29. Never trust the trust policy

30. 30 ARN for the backdoored role

31. None

32. 32 most resources in the AWS account VPC is completely

    isolated from the Internet
33. None

34. 34 VPN between the attacker's workstation and a VPC

35. 35

36. vpc-vpn-pivot

37. None

38. From zero to full pwn

39. None

40. 40 • enumerate-iam • pacu • vpc-vpn-pivot Follow @AndresRiancho

41. None