Step by step AWS Cloud Hacking
andresriancho
September 25, 2020
Transcript
Ekoparty 2020 Andrés Riancho
need credentials

IAM permissions

http://169.254.169.254/
/latest/meta-data/iam/security-credentials/
/latest/meta-data/iam/security-credentials/{role-name}

    from urllib.request import urlopen
    from flask import Flask, request

    app = Flask(__name__)

    @app.route('/ssrf')
    def handler():
        # Vulnerable: fetches whatever URL the caller supplies
        url = request.args.get('url')
        return urlopen(url).read()

Instance metadata and S3 compromise
two ways to enumerate permissions
• IAM service: in most cases this will fail
• brute-force

Get* / List* / Describe*
DryRun parameter

    SUPPORTED_SERVICES = [ 'ec2', 's3' ]

./enumerate-iam.py
many things the attacker doesn't know.

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:*", "lambda:*", "..."],
          "Resource": "*"
        }
      ]
    }

try to elevate privileges to a principal with full access

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["*"],
          "Resource": "*"
        }
      ]
    }

Lambda function will have access to the IAM role
Getting * on *
existing trust policy in the AdminRole

    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::925877178748:root" },
      "Action": "sts:AssumeRole"
    }

    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::925877178748:root",
          "arn:aws:iam::320222540496:root"
        ]
      },
      "Action": "sts:AssumeRole"
    }

Never trust the trust policy
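
A check for the trust-policy change shown above, as an added example that is not part of the original deck: it lists AWS principals that may assume a role from accounts outside an expected set. Treating 925877178748 as the only expected account is an assumption made here; `Service` and `Federated` principals and `Condition` blocks are not evaluated.

```python
import json
import re
from fnmatch import fnmatchcase

# Assumption for this example: only the first account on the slide is expected.
TRUSTED_ACCOUNTS = {"925877178748"}

# Constructed input: the second trust-policy statement shown on the slide.
BACKDOORED_POLICY = json.loads("""
{"Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::925877178748:root",
                          "arn:aws:iam::320222540496:root"]},
    "Action": "sts:AssumeRole"
}]}
""")

ARN_ACCOUNT = re.compile(r"^arn:aws[\w-]*:(?:iam|sts)::(\d{12}):")


def as_list(value):
    """IAM accepts a single value wherever it accepts a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_account(principal):
    """Return the account ID behind an AWS principal, '*' for anyone, else None."""
    if principal == "*" or re.fullmatch(r"\d{12}", principal):
        return principal
    match = ARN_ACCOUNT.match(principal)
    return match.group(1) if match else None


def untrusted_principals(policy, trusted_accounts):
    """AWS principals allowed to assume the role from outside trusted_accounts."""
    findings = []
    for statement in as_list(policy.get("Statement")):
        actions = as_list(statement.get("Action"))
        if statement.get("Effect") != "Allow" or not any(
                fnmatchcase("sts:assumerole", a.lower()) for a in actions):
            continue
        principal = statement.get("Principal", {})
        entries = ["*"] if principal == "*" else as_list(principal.get("AWS"))
        # Unparseable entries (account is None) are reported, not skipped.
        findings += [e for e in entries
                     if principal_account(e) not in trusted_accounts]
    return findings
```

Run over the first statement on the slide it returns an empty list; over the second it returns the added `320222540496` principal.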
ARN for the backdoored role

most resources in the AWS account
VPC is completely isolated from the Internet

VPN between the attacker's workstation and a VPC

vpc-vpn-pivot
From zero to full pwn

• enumerate-iam
• pacu
• vpc-vpn-pivot

Follow @AndresRiancho