Step by step AWS Cloud Hacking

andresriancho
September 25, 2020


Transcript

  1. Ekoparty 2020 Andrés Riancho

  6. Need credentials

  8. IAM permissions

  9. http://169.254.169.254/
    /latest/meta-data/iam/security-credentials/
    /latest/meta-data/iam/security-credentials/{role-name}

  11. from urllib.request import urlopen
    from flask import Flask, request

    app = Flask(__name__)

    @app.route('/ssrf')
    def handler():
        # Fetches whatever URL the caller supplies, including the instance metadata service
        url = request.args.get('url')
        return urlopen(url).read()
  12. Instance metadata and S3 compromise
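A hardened counterpart to the `/ssrf` handler above, added here as an example; it is not code from the talk or from any of the tools it names. `BLOCKED_NETWORKS`, `is_safe_url` and `guarded_fetch` are this example's own names. It goes beyond the single 169.254.169.254 address the slides show: it also refuses the IPv6 metadata endpoint, IPv4-mapped IPv6 forms, non-http schemes, and hostnames that resolve to any internal address.

```python
import ipaddress
import socket
from urllib.parse import urlparse
from urllib.request import urlopen

# Networks a server-side fetcher should never reach. 169.254.0.0/16 covers the
# instance metadata service at 169.254.169.254; fc00::/7 covers its IPv6
# endpoint fd00:ec2::254. An allowlist of permitted hosts is the stronger
# control; this deny list is the minimum. (Added example, not the talk's code.)
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def _is_blocked(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before checking.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_all(host):
    """Default resolver: every address the host currently resolves to."""
    return [info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)]


def is_safe_url(url, resolver=resolve_all):
    """True only for http(s) URLs whose host is, or resolves exclusively to,
    public addresses. `resolver` is injectable so the check can be tested offline."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        ipaddress.ip_address(parts.hostname)      # literal IP: no lookup needed
        addresses = [parts.hostname]
    except ValueError:
        try:
            addresses = list(resolver(parts.hostname))
        except OSError:                           # socket.gaierror is an OSError
            return False
    if not addresses:
        return False
    return not any(_is_blocked(ipaddress.ip_address(a)) for a in addresses)


def guarded_fetch(url, opener=urlopen):
    """What the /ssrf handler should do: refuse internal targets instead of fetching them."""
    if not is_safe_url(url):
        raise ValueError("refusing to fetch internal or non-http URL")
    with opener(url, timeout=5) as resp:
        return resp.read()
```

A check-then-connect guard still leaves a DNS rebinding window between resolution and the actual request, so pin the resolved address when connecting. On the instance side, requiring IMDSv2 (a session token obtained with a PUT, and a hop limit of 1) keeps a plain GET-based SSRF from reading role credentials at all.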

  15. Two ways to enumerate permissions: the IAM service (in most cases this will fail) or brute-force
  16. Get* / List* / Describe* calls and the DryRun parameter

  17. SUPPORTED_SERVICES = ['ec2', 's3']

  19. ./enumerate-iam.py

  21. Many things the attacker doesn't know.
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:*", "lambda:*", "..."],
          "Resource": "*"
        }
      ]
    }
  22. Try to elevate privileges to a principal with full access
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["*"],
          "Resource": "*"
        }
      ]
    }
  23. The Lambda function will have access to the IAM role

  24. Getting * on *

  26. Existing trust policy in the AdminRole

  28. {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::925877178748:root" },
      "Action": "sts:AssumeRole"
    }

    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::925877178748:root", "arn:aws:iam::320222540496:root"]
      },
      "Action": "sts:AssumeRole"
    }
  29. Never trust the trust policy

  30. ARN for the backdoored role
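Two checks a reviewer of an AWS account would run against the policies shown on slides 21 and 28, written as an added example (not code from the talk or from pacu/enumerate-iam). The policies below are constructed to match the slides; the only values taken from the page are the two account IDs in the trust policies. `can_escalate_via_lambda` flags an identity policy that grants both the Lambda function actions and `iam:PassRole`, the combination that lets a Lambda function run under a more privileged role; `foreign_principals` flags an `sts:AssumeRole` trust policy whose principals are outside the accounts you own, which is how the backdoored AdminRole would show up.

```python
import fnmatch

# Accounts we consider ours. 925877178748 is the original principal on slide 28.
OWN_ACCOUNTS = {"925877178748"}

# Constructed identity policies in the shape of slide 21 (not the talk's data).
LIMITED_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "lambda:*", "iam:PassRole"], "Resource": "*"}
    ]
}
READ_ONLY_POLICY = {
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]
}

# The two trust policies from slide 28, wrapped in a Statement list.
ORIGINAL_TRUST = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::925877178748:root"},
    "Action": "sts:AssumeRole",
}]}
BACKDOORED_TRUST = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::925877178748:root", "arn:aws:iam::320222540496:root"]},
    "Action": "sts:AssumeRole",
}]}

# Creating a Lambda function with a privileged execution role requires passing
# that role (iam:PassRole); together with invoking it, code runs as the role.
LAMBDA_ESCALATION = ("lambda:CreateFunction", "lambda:InvokeFunction", "iam:PassRole")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive; patterns may use "*" and "?".
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy, wanted):
    """Subset of `wanted` granted by some Allow statement. Simplification (assumed
    here): Deny statements, Conditions and Resource scoping are ignored, so this
    over-approximates, which is the safe direction for a finding."""
    granted = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            granted.update(a for a in wanted if _action_matches(pattern, a))
    return granted


def can_escalate_via_lambda(policy):
    return set(LAMBDA_ESCALATION) <= allowed_actions(policy, LAMBDA_ESCALATION)


def _account_of(principal):
    # "arn:aws:iam::123456789012:root" -> "123456789012"; bare IDs and "*" pass through.
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def foreign_principals(trust_policy, own_accounts=OWN_ACCOUNTS):
    """AWS principals allowed to sts:AssumeRole whose account is not in own_accounts.
    Only the "AWS" principal type is examined (Service/Federated are out of scope)."""
    findings = []
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_action_matches(p, "sts:AssumeRole") for p in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("*")               # anyone may assume the role
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if _account_of(arn) not in own_accounts:
                findings.append(arn)
    return findings
```

Run `foreign_principals` over every role's `AssumeRolePolicyDocument` on a schedule and diff the result against the previous run: a principal that appears without a matching change request is the signal, whatever its ARN looks like.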

  32. Most resources in the AWS account: the VPC is completely isolated from the Internet
  34. VPN between the attacker's workstation and a VPC

  36. vpc-vpn-pivot
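What the two API-heavy steps of this talk look like from the defender's side in CloudTrail, as an added example that serves both the permission enumeration of slides 15 to 19 and the VPN pivot of slides 32 to 36; it is not code from the talk or from enumerate-iam, pacu or vpc-vpn-pivot. The records are constructed (account 111122223333 and both principals are placeholders), reduced to the fields the rules read; the thresholds, `enumeration_bursts` and `vpn_creations` are this example's assumptions. Brute-forcing Get*/List*/Describe* calls produces a burst of denied (or, with DryRun, `Client.DryRunOperation`) responses from one principal across many services; standing up a VPN path into a VPC goes through EC2 Create*Vpn* calls.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (not real logs). Real records carry far
# more fields; these are the ones the two rules below consume.
ATTACKER = "arn:aws:iam::111122223333:user/compromised-user"   # placeholder
ADMIN = "arn:aws:iam::111122223333:user/alice"                  # placeholder


def _event(arn, source, name, time, error=None):
    ev = {"userIdentity": {"arn": arn}, "eventSource": source, "eventName": name, "eventTime": time}
    if error:
        ev["errorCode"] = error
    return ev


SAMPLE_EVENTS = [
    # one principal probing five services in a few seconds, mostly denied
    _event(ATTACKER, "ec2.amazonaws.com", "DescribeInstances", "2020-09-25T10:00:01Z", "Client.UnauthorizedOperation"),
    _event(ATTACKER, "s3.amazonaws.com", "ListBuckets", "2020-09-25T10:00:02Z", "AccessDenied"),
    _event(ATTACKER, "lambda.amazonaws.com", "ListFunctions20150331", "2020-09-25T10:00:03Z", "AccessDenied"),
    _event(ATTACKER, "iam.amazonaws.com", "ListUsers", "2020-09-25T10:00:04Z", "AccessDenied"),
    _event(ATTACKER, "sts.amazonaws.com", "GetCallerIdentity", "2020-09-25T10:00:05Z"),   # allowed, not a probe
    _event(ATTACKER, "ec2.amazonaws.com", "DescribeVpcs", "2020-09-25T10:00:06Z", "Client.DryRunOperation"),
    # later, the same principal creates a VPN endpoint
    _event(ATTACKER, "ec2.amazonaws.com", "CreateClientVpnEndpoint", "2020-09-25T11:30:00Z"),
    # a normal user with a one-off denial and a failed VPN call
    _event(ADMIN, "s3.amazonaws.com", "GetObject", "2020-09-25T09:00:00Z", "AccessDenied"),
    _event(ADMIN, "ec2.amazonaws.com", "CreateVpnGateway", "2020-09-25T09:05:00Z", "Client.UnauthorizedOperation"),
]

# Denials from most services; EC2 reports its own code, and a DryRun probe that
# *would* have been allowed reports Client.DryRunOperation (still a probe).
PROBE_ERROR_CODES = {"AccessDenied", "Client.UnauthorizedOperation", "Client.DryRunOperation"}

VPN_EVENTS = {"CreateClientVpnEndpoint", "CreateVpnConnection", "CreateVpnGateway", "CreateCustomerGateway"}


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def enumeration_bursts(events, window=timedelta(minutes=5), min_probes=5, min_services=3):
    """Principals with >= min_probes probe responses across >= min_services
    distinct services inside one sliding window. Returns {principal: [services]}."""
    by_principal = defaultdict(list)
    for ev in events:
        if ev.get("errorCode") in PROBE_ERROR_CODES:
            by_principal[ev["userIdentity"]["arn"]].append((_parse_time(ev["eventTime"]), ev["eventSource"]))
    findings = {}
    for arn, probes in by_principal.items():
        probes.sort()
        start = 0
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:
                start += 1
            span = probes[start:end + 1]
            services = {src for _, src in span}
            if len(span) >= min_probes and len(services) >= min_services:
                findings[arn] = sorted(services)
                break
    return findings


def vpn_creations(events):
    """Successful EC2 calls that stand up a VPN path into a VPC."""
    return [(ev["userIdentity"]["arn"], ev["eventName"]) for ev in events
            if ev["eventSource"] == "ec2.amazonaws.com"
            and ev["eventName"] in VPN_EVENTS and "errorCode" not in ev]
```

The thresholds are starting points; tune them against your own baseline of denials, since CI roles with stale policies can produce steady low-rate AccessDenied noise. A VPN creation is rare enough in most accounts that every hit deserves a ticket, and the principal's earlier enumeration burst is the context that turns it into an incident.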

  38. From zero to full pwn

  40. • enumerate-iam
    • pacu
    • vpc-vpn-pivot
    Follow @AndresRiancho
