Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Step by step AWS Cloud Hacking

andresriancho
September 25, 2020
Technology
0
610

Step by step AWS Cloud Hacking

andresriancho

September 25, 2020
Tweet

More Decks by andresriancho

See All by andresriancho
Step by step AWS Cloud Hacking
andresriancho
2
2.8k
Internet-Scale analysis of AWS Cognito Security
andresriancho
1
12k
Threat Modelling
andresriancho
0
1.2k
Automated Security Analysis AWS Clouds
andresriancho
1
3.1k
Injecting into URLs / Breaking URL-Encoding
andresriancho
0
220
Galería de Fallos en Unicornios
andresriancho
1
170
Esoteric Web Application Vulnerabilities
andresriancho
0
880
String Compare Timing Attacks
andresriancho
0
530
Timing Attacks
andresriancho
1
270

Other Decks in Technology

See All in Technology
Amazon Q Developerで.NET Frameworkプロジェクトをモダナイズしてみた
kenichirokimura
1
200
[IBM TechXchange Dojo]Watson Discoveryとwatsonx.aiでRAGを実現!座学①
siyuanzh09
0
110
Amazon Route 53, 待ちに待った TLSAレコードのサポート開始
kenichinakamura
0
170
【Oracle Cloud ウェビナー】2025年のセキュリティ脅威を読み解く:リスクに備えるためのレジリエンスとデータ保護
oracle4engineer
PRO
1
100
AWSサービスアップデート 2024/12 Part3
nrinetcom
PRO
0
140
EMConf JP の楽しみ方 / How to enjoy EMConf JP
pauli
2
150
Godot Engineについて調べてみた
unsoluble_sugar
0
400
Kotlin Multiplatformのポテンシャル
recruitengineers
PRO
2
150
【NGK2025S】動物園(PINTO_model_zoo)に遊びに行こう
kazuhitotakahashi
0
230
メールヘッダーを見てみよう
hinono
0
110
iPadOS18でフローティングタブバーを解除してみた
sansantech
PRO
1
140
AWS re:Invent 2024 recap in 20min / JAWSUG 千葉 2025.1.14
shimy
1
100

Featured

See All Featured
Bash Introduction
62gerente
610
210k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.4k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
jQuery: Nuts, Bolts and Bling
dougneiner
62
7.6k
A better future with KSS
kneath
238
17k
Six Lessons from altMBA
skipperchong
27
3.6k
Measuring & Analyzing Core Web Vitals
bluesmoon
5
210
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
49
2.2k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
1.2k
GraphQLとの向き合い方2022年版
quramy
44
13k
How STYLIGHT went responsive
nonsquared
96
5.3k
Art, The Web, and Tiny UX
lynnandtonic
298
20k

Transcript

  1. Ekoparty 2020 Andrés Riancho

  2. 2

  3. 3

  4. None

  5. 5

  6. need credentials • • • 6

  7. 7

  8. IAM permissions 8

  9. 9 http://169.254.169.254/ /latest/meta-data/iam/security-credentials/ /latest/meta-data/iam/security-credentials/{role-name}

  10. 10

  11. 11 from urllib.request import urlopen from flask import request @app.route('/ssrf')

    def handler(): url = request.args.get('url') return urlopen(url).read()

  12. Instance metadata and S3 compromise

  13. 13

  14. None

  15. two ways to enumerate permissions IAM service In most cases

    this will fail brute-force 15

  16. Get* / List* / Describe* DryRun parameter 16

  17. 17 SUPPORTED_SERVICES = [ 'ec2', 's3' ]

  18. 18

  19. ./enumerate-iam.py

  20. 20

  21. many things the attacker doesn't know. 21 { "Statement":[ {

    "Effect":"Allow", "Action":[ "s3:*", "lambda:*", "..." ], "Resource":"*" } ] }

  22. try to elevate privileges to a principal with full access

    22 { "Statement":[ { "Effect":"Allow", "Action":[ "*", ], "Resource": "*" } ] }

  23. Lambda function will have access to the IAM role 23

  24. Getting * on *

  25. None

  26. existing trust policy in the AdminRole 26

  27. 27

  28. 28 { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::925877178748:root" }, "Action":

    "sts:AssumeRole" } { "Effect": "Allow", "Principal": { "AWS": ["arn:aws:iam::925877178748:root", "arn:aws:iam::320222540496:root"] }, "Action": "sts:AssumeRole" }

  29. Never trust the trust policy

  30. 30 ARN for the backdoored role

  31. None

  32. 32 most resources in the AWS account VPC is completely

    isolated from the Internet
  33. None

  34. 34 VPN between the attacker's workstation and a VPC

  35. 35

  36. vpc-vpn-pivot

  37. None

  38. From zero to full pwn

  39. None

  40. 40 • enumerate-iam • pacu • vpc-vpn-pivot Follow @AndresRiancho

  41. None