Step by step AWS Cloud Hacking

Transcript

1. Ekoparty 2020
   Andrés Riancho
   

   View Slide

2. 2
   

   View Slide

3. 3
   

   View Slide

4. View Slide

5. 5
   

   View Slide

6. need
   credentials
   ●
   ●
   ●
   6
   

   View Slide

7. 7
   

   View Slide

8. IAM
   permissions
   8
   

   View Slide

9. 9
   http://169.254.169.254/
   /latest/meta-data/iam/security-credentials/
   /latest/meta-data/iam/security-credentials/{role-name}
   

   View Slide

10. 10
    

    View Slide

11. 11
    from urllib.request import urlopen
    from flask import request
    @app.route('/ssrf')
    def handler():
    url = request.args.get('url')
    return urlopen(url).read()
    

    View Slide

12. Instance metadata and S3 compromise
    

    View Slide

13. 13
    

    View Slide

14. View Slide

15. two ways to enumerate permissions
    IAM service In most cases
    this will fail
    brute-force
    15
    

    View Slide

16. Get* / List* / Describe*
    DryRun parameter
    16
    

    View Slide

17. 17
    SUPPORTED_SERVICES = [
    'ec2',
    's3'
    ]
    

    View Slide

18. 18
    

    View Slide

19. ./enumerate-iam.py
    

    View Slide

20. 20
    

    View Slide

21. many things the attacker doesn't know.
    21
    {
    "Statement":[
    {
    "Effect":"Allow",
    "Action":[
    "s3:*",
    "lambda:*",
    "..."
    ],
    "Resource":"*"
    }
    ]
    }
    

    View Slide

22. try to elevate privileges to a
    principal with full access
    22
    {
    "Statement":[
    {
    "Effect":"Allow",
    "Action":[
    "*",
    ],
    "Resource": "*"
    }
    ]
    }
    

    View Slide

23. Lambda function will have access to the IAM role
    23
    

    View Slide

24. Getting * on *
    

    View Slide

25. View Slide

26. existing
    trust policy in the AdminRole
    26
    

    View Slide

27. 27
    

    View Slide

28. 28
    {
    "Effect": "Allow",
    "Principal": {
    "AWS": "arn:aws:iam::925877178748:root"
    },
    "Action": "sts:AssumeRole"
    }
    {
    "Effect": "Allow",
    "Principal": {
    "AWS": ["arn:aws:iam::925877178748:root",
    "arn:aws:iam::320222540496:root"]
    },
    "Action": "sts:AssumeRole"
    }
    

    View Slide

29. Never trust the trust policy
    

    View Slide

30. 30
    ARN for the backdoored role
    

    View Slide

31. View Slide

32. 32
    most resources in the AWS account
    VPC is completely isolated from
    the Internet
    

    View Slide

33. View Slide

34. 34
    VPN
    between the attacker's workstation and a VPC
    

    View Slide

35. 35
    

    View Slide

36. vpc-vpn-pivot
    

    View Slide

37. View Slide

38. From zero to full pwn
    

    View Slide

39. View Slide

40. 40
    ●
    enumerate-iam
    ● pacu
    ● vpc-vpn-pivot
    Follow @AndresRiancho
    

    View Slide

41. View Slide