Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Step by step AWS Cloud Hacking
Search
andresriancho
September 25, 2020
Technology
0
580
Step by step AWS Cloud Hacking
andresriancho
September 25, 2020
Tweet
Share
More Decks by andresriancho
See All by andresriancho
Step by step AWS Cloud Hacking
andresriancho
2
2.7k
Internet-Scale analysis of AWS Cognito Security
andresriancho
1
11k
Threat Modelling
andresriancho
0
1k
Automated Security Analysis AWS Clouds
andresriancho
1
2.9k
Injecting into URLs / Breaking URL-Encoding
andresriancho
0
170
Galería de Fallos en Unicornios
andresriancho
1
110
Esoteric Web Application Vulnerabilities
andresriancho
0
740
String Compare Timing Attacks
andresriancho
0
460
Timing Attacks
andresriancho
1
210
Other Decks in Technology
See All in Technology
マルチアカウント環境への発見的統制の導入
ch1aki
1
1.3k
検証を通して見えてきたTiDBの性能特性
lycorptech_jp
PRO
6
3.2k
インシデントレスポンスのライフサイクルを廻すポイントってなに / Pinpoints of Incidentresponse Lifecycle for Operation
sakaitakeshi
1
300
Hands-on / Kaname Frusawa / Cloud Compare Users Meetup 2024 at University of Tokyo on April 17
paraworld
2
470
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
210
開発生産性向上サービスを作るFindyが自分たちで開発生産性を爆上げした組織づくりの歩み / Findy's path to boosting its own development productivity 2024-04-17
ma3tk
3
310
Microsoft Cloudで開発ライフサイクルを保護する
kkamegawa
0
140
レガシーをぶっ壊せ。AEONで始めるDevRelの話 / Qiita Night 2024-2-22
aeonpeople
3
150
カオナビの利用実績をアウトカムへつなげる旅 / example-of-data-management-startup-in-kaonavi
kaonavi
0
120
プロデザ! BY リクルート vol.18_リクルートのリサーチ実践組織「リサーチブーストコミュニティ」
recruitengineers
PRO
3
240
TransitGatewayの基礎
toru_kubota
0
230
オーナーシップを持つ領域を明確にする
konifar
11
2.2k
Featured
See All Featured
How STYLIGHT went responsive
nonsquared
92
4.8k
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
How GitHub (no longer) Works
holman
304
140k
Producing Creativity
orderedlist
PRO
336
39k
GitHub's CSS Performance
jonrohan
1023
450k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
119
38k
Making the Leap to Tech Lead
cromwellryan
123
8.5k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
356
22k
Reflections from 52 weeks, 52 projects
jeffersonlam
344
19k
YesSQL, Process and Tooling at Scale
rocio
163
13k
Documentation Writing (for coders)
carmenintech
59
3.9k
Docker and Python
trallard
33
2.7k
Transcript
Ekoparty 2020 Andrés Riancho
2
3
None
5
need credentials • • • 6
7
IAM permissions 8
9 http://169.254.169.254/ /latest/meta-data/iam/security-credentials/ /latest/meta-data/iam/security-credentials/{role-name}
10
11 from urllib.request import urlopen from flask import request @app.route('/ssrf')
def handler(): url = request.args.get('url') return urlopen(url).read()
Instance metadata and S3 compromise
13
None
two ways to enumerate permissions IAM service In most cases
this will fail brute-force 15
Get* / List* / Describe* DryRun parameter 16
17 SUPPORTED_SERVICES = [ 'ec2', 's3' ]
18
./enumerate-iam.py
20
many things the attacker doesn't know. 21 { "Statement":[ {
"Effect":"Allow", "Action":[ "s3:*", "lambda:*", "..." ], "Resource":"*" } ] }
try to elevate privileges to a principal with full access
22 { "Statement":[ { "Effect":"Allow", "Action":[ "*", ], "Resource": "*" } ] }
Lambda function will have access to the IAM role 23
Getting * on *
None
existing trust policy in the AdminRole 26
27
28 { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::925877178748:root" }, "Action":
"sts:AssumeRole" } { "Effect": "Allow", "Principal": { "AWS": ["arn:aws:iam::925877178748:root", "arn:aws:iam::320222540496:root"] }, "Action": "sts:AssumeRole" }
Never trust the trust policy
30 ARN for the backdoored role
None
32 most resources in the AWS account VPC is completely
isolated from the Internet
None
34 VPN between the attacker's workstation and a VPC
35
vpc-vpn-pivot
None
From zero to full pwn
None
40 • enumerate-iam • pacu • vpc-vpn-pivot Follow @AndresRiancho
None