Step by step AWS Cloud Hacking
andresriancho
September 25, 2020
Transcript
Ekoparty 2020 Andrés Riancho
need credentials

IAM permissions

http://169.254.169.254/
/latest/meta-data/iam/security-credentials/
/latest/meta-data/iam/security-credentials/{role-name}
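
    from urllib.request import urlopen
    from flask import Flask, request

    app = Flask(__name__)

    # Deliberately vulnerable (SSRF): fetches whatever URL the caller supplies
    @app.route('/ssrf')
    def handler():
        url = request.args.get('url')
        return urlopen(url).read()
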
Instance metadata and S3 compromise

two ways to enumerate permissions
• IAM service: In most cases this will fail
• brute-force

Get* / List* / Describe*
DryRun parameter

    SUPPORTED_SERVICES = [
        'ec2',
        's3'
    ]

./enumerate-iam.py

many things the attacker doesn't know.

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:*", "lambda:*", "..."],
          "Resource": "*"
        }
      ]
    }

try to elevate privileges to a principal with full access

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["*"],
          "Resource": "*"
        }
      ]
    }

Lambda function will have access to the IAM role

Getting * on *

existing trust policy in the AdminRole

    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::925877178748:root"
      },
      "Action": "sts:AssumeRole"
    }

    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::925877178748:root",
          "arn:aws:iam::320222540496:root"
        ]
      },
      "Action": "sts:AssumeRole"
    }

Never trust the trust policy
ARN for the backdoored role
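
Added example, not part of the original slides: a check a defender can run over role trust policies to catch the kind of change shown above, where a second account appears in the Principal of an sts:AssumeRole statement. The function name and the choice of 925877178748 as the only trusted account are assumptions made for this example; the two sample policies are the slide's statements wrapped in a Statement list.

```python
import json
import re

# Assumption for this example: the only account allowed to assume the role.
TRUSTED_ACCOUNTS = {"925877178748"}

# Matches a bare 12-digit account ID or an IAM/STS ARN and captures the account.
ACCOUNT_RE = re.compile(r"^(?:arn:aws[\w-]*:(?:iam|sts)::)?(\d{12})(?::.*)?$")


def _as_list(value):
    """IAM accepts a single value or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def untrusted_principals(trust_policy, trusted=TRUSTED_ACCOUNTS):
    """Return AWS principals allowed to assume the role but not in `trusted`."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        # "Principal": "*" means anyone; treat it like an AWS wildcard entry.
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            m = ACCOUNT_RE.match(p)
            # Wildcards, unparseable principals and unknown accounts are findings.
            if p == "*" or not m or m.group(1) not in trusted:
                findings.append(p)
    return findings


# Constructed from the two statements shown on the slide.
ORIGINAL = json.loads('''{"Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::925877178748:root"},
  "Action": "sts:AssumeRole"}]}''')
MODIFIED = json.loads('''{"Statement": [{"Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam::925877178748:root",
                        "arn:aws:iam::320222540496:root"]},
  "Action": "sts:AssumeRole"}]}''')

if __name__ == "__main__":
    for name, doc in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(name, untrusted_principals(doc))
```
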

most resources in the AWS account VPC is completely isolated from the Internet

VPN between the attacker's workstation and a VPC

vpc-vpn-pivot

From zero to full pwn

• enumerate-iam
• pacu
• vpc-vpn-pivot

Follow @AndresRiancho