Step by step AWS Cloud Hacking

C0999631eb2c54a20ee559c44f8c7080?s=47 andresriancho
September 25, 2020
Technology
0
340

Step by step AWS Cloud Hacking

C0999631eb2c54a20ee559c44f8c7080?s=128

andresriancho

September 25, 2020
Tweet

More Decks by andresriancho

See All by andresriancho
C0999631eb2c54a20ee559c44f8c7080?s=48 andresriancho
2
2.2k
C0999631eb2c54a20ee559c44f8c7080?s=48 andresriancho
1
5.1k
C0999631eb2c54a20ee559c44f8c7080?s=48 andresriancho
0
530
C0999631eb2c54a20ee559c44f8c7080?s=48 andresriancho
1
2k
C0999631eb2c54a20ee559c44f8c7080?s=48 andresriancho
0
73
C0999631eb2c54a20ee559c44f8c7080?s=48 andresriancho
1
69
C0999631eb2c54a20ee559c44f8c7080?s=48 andresriancho
0
350
C0999631eb2c54a20ee559c44f8c7080?s=48 andresriancho
0
300
C0999631eb2c54a20ee559c44f8c7080?s=48 andresriancho
1
120

Other Decks in Technology

See All in Technology
928b1395afedebb5ee48d44ab917c5f1?s=48 ryusa
1
250
2564c99f616f1ecfc0f617a6fe87e2a9?s=48 penguin045
0
150
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
130
Da467feb3ca0106d571915faedb714f2?s=48 enakai00
3
150
0d29d155ce5c5a93ed46363626da3ea7?s=48 ocise
1
1.9k
8a84268593355816432ceaf78777d585?s=48 dena_tech
0
510
A97eee01397705443a72a48ce29d3e19?s=48 cybozuinsideout
0
210
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
160
8434e5fcdb11033234455d4b2bfb6bb3?s=48 voyage_tech
0
390
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
150
C82711d1ecc5cc7a4474dd9314736f33?s=48 macole
0
150
Ccb58352bdd1be66ebb2daf12ba1b993?s=48 mirie_sd
0
160

Featured

See All Featured
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
191
8.3k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
90
13k
245cee81a9c424266e5e401d844ea881?s=48 lara
13
2.4k
053e75a5b48b44d6dd0612795dfb326d?s=48 notwaldorf
2
820
4394ceb8b277f35ee3da7030384efb5d?s=48 davidbonilla
69
3.5k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
492
110k
Eb8975af8e49e19e3dd6b6b84a542e26?s=48 qrush
283
18k
C4de88ea47538e4594750e3861a341c8?s=48 brettharned
91
2.8k
7edec06b5435e0dac07a353b2cc26253?s=48 geeforr
331
29k
79acae287842acf29084005533a7fb3b?s=48 hursman
104
9.1k
C0b42577cfc2b321be3474618107e933?s=48 samanthasiow
54
6k
F57e2136eb9895eb95ff5dc8a1c02677?s=48 zakiwarfel
87
3.2k

Transcript

  1. Ekoparty 2020 Andrés Riancho

  2. 2

  3. 3

  4. None

  5. 5

  6. need credentials • • • 6

  7. 7

  8. IAM permissions 8

  9. 9 http://169.254.169.254/ /latest/meta-data/iam/security-credentials/ /latest/meta-data/iam/security-credentials/{role-name}

  10. 10

  11. 11 from urllib.request import urlopen from flask import request @app.route('/ssrf')

    def handler(): url = request.args.get('url') return urlopen(url).read()

  12. Instance metadata and S3 compromise

  13. 13

  14. None

  15. two ways to enumerate permissions IAM service In most cases

    this will fail brute-force 15

  16. Get* / List* / Describe* DryRun parameter 16

  17. 17 SUPPORTED_SERVICES = [ 'ec2', 's3' ]

  18. 18

  19. ./enumerate-iam.py

  20. 20

  21. many things the attacker doesn't know. 21 { "Statement":[ {

    "Effect":"Allow", "Action":[ "s3:*", "lambda:*", "..." ], "Resource":"*" } ] }

  22. try to elevate privileges to a principal with full access

    22 { "Statement":[ { "Effect":"Allow", "Action":[ "*", ], "Resource": "*" } ] }

  23. Lambda function will have access to the IAM role 23

  24. Getting * on *

  25. None

  26. existing trust policy in the AdminRole 26

  27. 27

  28. 28 { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::925877178748:root" }, "Action":

    "sts:AssumeRole" } { "Effect": "Allow", "Principal": { "AWS": ["arn:aws:iam::925877178748:root", "arn:aws:iam::320222540496:root"] }, "Action": "sts:AssumeRole" }

  29. Never trust the trust policy

  30. 30 ARN for the backdoored role

  31. None

  32. 32 most resources in the AWS account VPC is completely

    isolated from the Internet
  33. None

  34. 34 VPN between the attacker's workstation and a VPC

  35. 35

  36. vpc-vpn-pivot

  37. None

  38. From zero to full pwn

  39. None

  40. 40 • enumerate-iam • pacu • vpc-vpn-pivot Follow @AndresRiancho

  41. None