https:// .Security Version 1.0
Copyright 2022 by Stage 2 Security
Outplay Your Adversary!
Bryce Kunz // @TweekFawkes
Slide 2
Slide 2 text
https:// .Security Version 1.0
Copyright 2022 by Stage 2 Security
Cloud Red Teaming:
Initial Access & Privilege Escalation
Slide 3
Slide 3 text
Copyright 2022 by Stage 2 Security
https:// .Security
Who Am I?
Go From Zero to Cloud Admin!
● Globally Shared Resources
● SSO Tokens & Browser Cookies
● Cloud Native Phishing
Agenda
Privilege Escalation
● Graph Database Technologies
● IAM Roles
● iam:PassRole
● Basic Priv Esc Example via Graph DB
● Common Priv Esc Access Vectors
Cloud Lab Envs
● Tools & Techniques
Slide 4
Slide 4 text
Copyright 2022 by Stage 2 Security
https:// .Security
WhoAmI
Overview
Slide 5
Slide 5 text
Copyright 2022 by Stage 2 Security
https:// .Security
Defense
DHS SOC
Offense
NSA
Red Team
Adobe
Digital Exp. (DX)
Bryce Kunz; @TweekFawkes
Services
● Hack (Pentest)
● Hunt (Splunk ES)
● Train (Cloud Sec.)
Copyright 2022 by Stage 2 Security
https:// .Security
BSidesSLC.org Hardware Badge by
@professor__plum
Friday Apr. 12th 2024
Salt Lake City, Utah
https://BSidesSLC.org
Slide 11
Slide 11 text
Copyright 2022 by Stage 2 Security
https:// .Security
BSidesSLC.org Hardware Badge by
@professor__plum
Friday Apr. 14th 2023 &
Saturday Apr. 15th 2023
Salt Lake City, Utah
https://BSidesSLC.org
Slide 12
Slide 12 text
Copyright 2022 by Stage 2 Security
https:// .Security
Go From Zero to
Cloud Admin!
Overview
Slide 13
Slide 13 text
Copyright 2022 by Stage 2 Security
https:// .Security
AWS Account
External Resources
Typical Steps:
● Exploit App
● Collect Creds
● Reuse Creds
Elastic Block Store (EBS)
Volume Snapshot
Elastic Compute Cloud (EC2)
Instance Instances
AWS IAM
Role
AWS STS
Temporary
Credentials
Temporary
Credentials
Policies
Identities
Global Cloud
Copyright 2022 by Stage 2 Security
https:// .Security
Public Elastic Block Storage (EBS) Snapshots
Dufflebag is a tool that searches through public Elastic Block Storage (EBS)
snapshots for secrets that may have been accidentally left in. You may be
surprised by all the passwords and secrets just laying around!
https://github.com/BishopFox/dufflebag
Slide 19
Slide 19 text
Copyright 2022 by Stage 2 Security
https:// .Security
SSO Tokens
& Browser Cookies
Client-Side
Copyright 2022 by Stage 2 Security
https:// .Security
SocialStackSetSmother v0.0.1
Areas for Improvement in v0.0.1:
● CF Template Assumes the User Has the Permissions/Ability to:
○ Create an IAM Role with “AdministratorAccess” policy attached
○ Create & Execute a Lambda Function e.g. lambda:InvokeFunction
● CF Template creates an IAM Role which contains the AWS Account ID#
of the Attacker’s AWS Account, making it easy to report abuse to AWS
● CF Template contains Python code which is easy to analyze and
determine it looks suspicious
○ Python Code also contains Attacker’s API GW URL
● Phish contains link to Attacker’s Globally Unique S3 Bucket Name
Slide 51
Slide 51 text
Copyright 2022 by Stage 2 Security
https:// .Security
SocialStackSetSmother v0.0.2
Slide 52
Slide 52 text
Copyright 2022 by Stage 2 Security
https:// .Security
AWS Account - Client - #90210 AWS Account - Attacker - #31337
S3
EC2
SocialStackSetSmother
Instances
AWS IAM
Role Policies
Admin
Public Object
cf_template.yaml S3 Bucket
API GW
S3 Bucket
Object
results001.txt
Endpoint
Lambda
Function
Cloud
Formation
Template
Stack
Lambda
Function
Email
AWS IAM
Policies
Role AWS SAM
Slide 53
Slide 53 text
Copyright 2022 by Stage 2 Security
https:// .Security
Phish Contains Link to Attacker’s S3 Bucket Name
Ideas to Remediate:
● Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name
● CDN to S3 Bucket to Mask Name
● Find Another AWS User’s S3 Bucket with Misconfigured Permissions
and Upload our CloudFormation.yaml Template to their S3 Bucket
Slide 54
Slide 54 text
Copyright 2022 by Stage 2 Security
https:// .Security
Phish Contains Link to Attacker’s S3 Bucket Name
Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name
✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-
v2-0-1.yaml
Slide 55
Slide 55 text
Copyright 2022 by Stage 2 Security
https:// .Security
AWS Account - Client - #90210 AWS Account - Attacker - #31337
S3
EC2
SocialStackSetSmother
Instances
AWS IAM
Role Policies
Admin
Public Object
cf_template.yaml S3 Bucket
API GW
S3 Bucket
Object
results001.txt
Endpoint
Lambda
Function
Cloud
Formation
Template
Stack
Lambda
Function
Email
AWS IAM
Policies
Role AWS SAM
Slide 56
Slide 56 text
Copyright 2022 by Stage 2 Security
https:// .Security
Phish Contains Link to Attacker’s S3 Bucket Name
Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name
✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-
v2-0-1.yaml
❌ Invalid Input // No Object in S3 Bucket: https://tmnttime.s3.us-east-
2.amazonaws.com/template-v0-0-0.yaml
https://www.youtube.com/watch?v=nDei76dTTdY
Slide 57
Slide 57 text
Copyright 2022 by Stage 2 Security
https:// .Security
Phish Contains Link to Attacker’s S3 Bucket Name
Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name
✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-
v2-0-1.yaml
✅ Invalid Input // Invalid Scheme: bryce://tmnttime.s3.us-east-
2.amazonaws.com/template-v2-0-1.yaml
https://www.youtube.com/watch?v=nDei76dTTdY
Slide 58
Slide 58 text
Copyright 2022 by Stage 2 Security
https:// .Security
Phish Contains Link to Attacker’s S3 Bucket Name
Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name
✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-
v2-0-1.yaml
✅ Invalid Input // Invalid TCP Port: https://tmnttime.s3.us-east-
2.amazonaws.com:2222/template-v2-0-1.yaml
https://www.youtube.com/watch?v=nDei76dTTdY
Slide 59
Slide 59 text
Copyright 2022 by Stage 2 Security
https:// .Security
Idea: Leverage an obfuscated url to mislead
Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name
✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-
v2-0-1.yaml
✅ Invalid Input // Invalid Protocol & TCP Port: ftp://tmnttime.s3.us-east-
2.amazonaws.com:2222/template-v2-0-1.yaml
Anyone going to ftp on port 2222 will be rejected but the AWS CF service
will still deploy the malicious template.
https://www.youtube.com/watch?v=nDei76dTTdY
Slide 60
Slide 60 text
Copyright 2022 by Stage 2 Security
https:// .Security
Phish Contains Link to Attacker’s S3 Bucket Name
Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name
✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-
v2-0-1.yaml
❌ Invalid Input // FQDN Not Containing “s3” & “amazonaws.com”:
https://[email protected]/template-v2-0-1.yaml
https://www.youtube.com/watch?v=nDei76dTTdY
Slide 61
Slide 61 text
Copyright 2022 by Stage 2 Security
https:// .Security
Phish Contains Link to Attacker’s S3 Bucket Name
Ideas to Remediate:
● Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name
● CDN to S3 Bucket to Mask Name
● Find Another AWS User’s S3 Bucket with Misconfigured Permissions
and Upload our CloudFormation.yaml Template to their S3 Bucket
Slide 62
Slide 62 text
Copyright 2022 by Stage 2 Security
https:// .Security
Phish Contains Link to Attacker’s S3 Bucket Name
Ideas: CDN to S3 Bucket to Mask Name
✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-
v2-0-1.yaml
❌ Invalid Input // FQDN Not Containing “s3” & “amazonaws.com”:
https://d111111abcdef8.cloudfront.net/template-v2-0-1.yaml
https://www.youtube.com/watch?v=nDei76dTTdY
Slide 63
Slide 63 text
Copyright 2022 by Stage 2 Security
https:// .Security
Phish Contains Link to Attacker’s S3 Bucket Name
Ideas to Remediate:
● Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name
● CDN to S3 Bucket to Mask Name
● Find Another AWS User’s S3 Bucket with Misconfigured Permissions
and Upload our CloudFormation.yaml Template to their S3 Bucket
Slide 64
Slide 64 text
Copyright 2022 by Stage 2 Security
https:// .Security
AWS Account - Client - #90210 AWS Account - Attacker - #31337
S3
EC2
SocialStackSetSmother
Instances
AWS IAM
Role Policies
Admin
Public Object
cf_template.yaml S3 Bucket
API GW
S3 Bucket
Object
results001.txt
Endpoint
Lambda
Function
Cloud
Formation
Template
Stack
Lambda
Function
Email
AWS IAM
Policies
Role AWS SAM
Slide 65
Slide 65 text
Copyright 2022 by Stage 2 Security
https:// .Security
Finding S3 Buckets with Public PutObject Perms
Crime Group:
https://www.zdnet.com/article/new-magecart-attacks-leverage-misconfigured-s3-buckets-to-infect-over-17k-sites/
Slide 66
Slide 66 text
Copyright 2022 by Stage 2 Security
https:// .Security
Thinking…
Crime Group:
https://www.zdnet.com/article/new-magecart-attacks-leverage-misconfigured-s3-buckets-to-infect-over-17k-sites/
This was in 2019… is something similar to
this even still possible in 2023?
If it is possible, what would be the level of
effort required before an attacker would
be able to find a misconfigured S3 bucket
where they could upload and/or modify
an object hosted within the S3 Bucket?
Can anyone pull this off or is this
something only a nation state will be able
to execute on now?
Slide 67
Slide 67 text
Copyright 2022 by Stage 2 Security
https:// .Security
AWS Serverless Application Model (SAM)
https://aws.amazon.com/serverless/build-a-web-app/
Slide 68
Slide 68 text
Copyright 2022 by Stage 2 Security
https:// .Security
AWS Serverless Application Model (SAM)
Infrastructure as Code
Based on CloudFormation, but much simpler to implement common Serverless Application Models...
https://aws.amazon.com/serverless/sam/
Slide 69
Slide 69 text
Copyright 2022 by Stage 2 Security
https:// .Security
AWS Serverless Application Model (SAM)
The Serverless Application Model is commonly referred to as “SAM” in AWS documentation
SAM is NOT an AWS Service, it’s more similar to Zappa or Terraform
New Resource Types with SAM:
● AWS::Serverless::Function -> AWS Lambda Functions
● AWS::Serverless::Api -> AWS API Gateway APIs
● AWS::Serverless::SimpleTable -> AWS Dynamo DB Tables
https://aws.amazon.com/serverless/sam/
Slide 70
Slide 70 text
Copyright 2022 by Stage 2 Security
https:// .Security
Leverage SAM to Create...
SAM:
● template.yaml
● app.py
● etc.
CloudFormation
Slide 71
Slide 71 text
Copyright 2022 by Stage 2 Security
https:// .Security
SAM Template
A simple AWS SAM application that triggers a Lambda function
every 120 seconds using CloudWatch Events
SAM Template:
● CloudWatch Events
○ Every 120 Seconds
● Lambda
○ Python 3.9
● Attach Policy to Enable:
○ s3:PutObject to Specific bucketname e.g. sds3bn001
● Set Timeout to Max:
○ 15 Minutes (900 Seconds)
Slide 72
Slide 72 text
Copyright 2022 by Stage 2 Security
https:// .Security
Lambda Application - Part 1
Create Random Bucket Names:
● Generate an Random Bucket Name
Slide 73
Slide 73 text
Copyright 2022 by Stage 2 Security
https:// .Security
Lambda Application - Part 2
Create Random Bucket Names:
● Generate an Random Bucket Name
● Ensure the Bucket Name meets the AWS
requirements for S3 Bucket Names
Slide 74
Slide 74 text
Copyright 2022 by Stage 2 Security
https:// .Security
Lambda Application - Part 3
Create Random Bucket Names:
● Generate an Random Bucket Name
● Ensure the Bucket Name meets the AWS
requirements for S3 Bucket Names
Try 33x Random Names
● 200 - S3 Bucket Exists
● 403 - S3 Denied
● 404 - S3 Does NOT Exist
Slide 75
Slide 75 text
Copyright 2022 by Stage 2 Security
https:// .Security
Lambda Application - Part 4
Create Random Bucket Names:
● Generate an Random Bucket Name
● Ensure the Bucket Name meets the AWS
requirements for S3 Bucket Names
Try 33x Random Names
● 200 - S3 Bucket Exists
● 403 - S3 Denied
● 404 - S3 Does NOT Exist
Write Results to S3 Bucket
Slide 76
Slide 76 text
Copyright 2022 by Stage 2 Security
https:// .Security
Lambda Application
Create Random Bucket Names:
● Generate an Random Bucket Name
● Ensure the Bucket Name meets the AWS
requirements for S3 Bucket Names
Try 33x Random Names
● 200 - S3 Bucket Exists
● 403 - S3 Denied
● 404 - S3 Does NOT Exist
Write Results to S3 Bucket
Slide 77
Slide 77 text
Copyright 2022 by Stage 2 Security
https:// .Security
Cron via CloudWatch Events
https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-function-schedule.html
Cloud Watch Events - Every 120 seconds (*/2 * * *
*)
33x
0-3
Second Delay
w/ Max 15 Min
~ 300 Buckets (200s)
in ~5 Days
python3 requests https://' + sRandomString + '.s3.amazonaws.com
HTTP 200 means the Bucket Exists
SAM:
● template.yaml
● app.py
● etc.
CloudFormation
Slide 78
Slide 78 text
Copyright 2022 by Stage 2 Security
https:// .Security
Cloud9 IDE
https://aws.amazon.com/cloud9/
Slide 79
Slide 79 text
Copyright 2022 by Stage 2 Security
https:// .Security
PyCharm IDE
https://aws.amazon.com/blogs/aws/new-aws-toolkits-for-pycharm-intellij-preview-and-visual-studio-code-preview/
Slide 80
Slide 80 text
Copyright 2022 by Stage 2 Security
https:// .Security
Processing Scripts
001_download_objects_from_s3.py
● Download all the objects from S3
● Combine the contents into one python list
002_find_valid_s3_buckets.py
● Sort through the python list to find all the HTTP 200 Response Codes
○ Meaning the S3 Bucket Exists and we have some level of access to it e.g. it’s a public bucket
003_find_public_write.py
● Attempt to Upload an object with a .yml extension to the S3 Bucket
● Double Check that we can access the object publicly via the Internet
● If Successful, Attempt to Delete the Uploaded .yml Object
And the Results…?
Slide 81
Slide 81 text
Copyright 2022 by Stage 2 Security
https:// .Security
The Results?
And the Results…?
In approximately ~5 days it discovered around ~10 S3 buckets which are publicly accessible and anyone
can upload a file to presumably host a malicious CloudFormation template :/
Slide 82
Slide 82 text
Copyright 2022 by Stage 2 Security
https:// .Security
Answers…
This was in 2019… is something similar to this even still possible in 2023?
YES!
Slide 83
Slide 83 text
Copyright 2022 by Stage 2 Security
https:// .Security
Answers…
This was in 2019… is something similar to this even still possible in 2023?
YES!
If it is possible, what would be the level of effort required before an attacker
would be able to find a misconfigured S3 bucket where they could upload and/or
modify an object hosted within the S3 Bucket?
A few hours of coding and ~5 days or less to run
Slide 84
Slide 84 text
Copyright 2022 by Stage 2 Security
https:// .Security
Answers…
This was in 2019… is something similar to this even still possible in 2023?
YES!
If it is possible, what would be the level of effort required before an attacker
would be able to find a misconfigured S3 bucket where they could upload and/or
modify an object hosted within the S3 Bucket?
A few hours of coding and ~5 days or less to run
Can anyone pull this off or is this something only a nation state will be able to
execute on now?
Anyone with basic python3 scripting skills and some AWS can pull this off.
Slide 85
Slide 85 text
Copyright 2022 by Stage 2 Security
https:// .Security
SocialStackSetSmother v0.0.2
Areas for Improvement in v0.0.2:
● CF Template Assumes the User Has the Permissions/Ability to:
○ Create an IAM Role with “AdministratorAccess” policy attached
○ Create & Execute a Lambda Function e.g. lambda:InvokeFunction
● CF Template creates an IAM Role which contains the AWS Account ID#
of the Attacker’s AWS Account, making it easy to report abuse to AWS
● CF Template contains Python code which is easy to analyze and
determine it looks suspicious
○ Python Code also contains Attacker’s API GW URL
● Phish contains link to Attacker’s Globally Unique S3 Bucket Name
Slide 86
Slide 86 text
Copyright 2022 by Stage 2 Security
https:// .Security
June & July – More Code Releases
with Updates on LinkedIn
August - Black Hat USA Training – Las Vegas
Astute AWS/Azure/GCP Cloud Red Team: It's Raining Shells! - 2023 Edition
October – SaintCon - Utah
What’s Next?
Slide 87
Slide 87 text
Copyright 2022 by Stage 2 Security
https:// .Security
Contact Info
Twitter: @TweekFawkes
LinkedIn: https://www.linkedin.com/in/brycekunz/
Email: [email protected]
Slide Decks: https://speakerdeck.com/tweekfawkes/
Code on GitHub: https://github.com/TweekFawkes/SocialStackSetSmother