Cloud Red Teaming: AWS Initial Access & Privilege Escalation

https:// .Security Version 1.0
Copyright 2022 by Stage 2 Security
Outplay Your Adversary!
Bryce Kunz // @TweekFawkes

View Slide

https:// .Security Version 1.0
Cloud Red Teaming:
Initial Access & Privilege Escalation

View Slide

https:// .Security
Who Am I?
Go From Zero to Cloud Admin!
● Globally Shared Resources
● SSO Tokens & Browser Cookies
● Cloud Native Phishing
Agenda
Privilege Escalation
● Graph Database Technologies
● IAM Roles
● iam:PassRole
● Basic Priv Esc Example via Graph DB
● Common Priv Esc Access Vectors
Cloud Lab Envs
● - Tools & Techniques

View Slide

https:// .Security
WhoAmI
Overview

View Slide

https:// .Security
Defense
DHS SOC
Offense
NSA
Red Team
Adobe
Digital Exp. (DX)
Bryce Kunz; @TweekFawkes
Services
● Hack (Pentest)
● Hunt (Splunk ES)
● Train (Cloud Sec.)

View Slide

https:// .Security
AWS:
● Amazon Machine Images (AMI) Snapshots
● Elastic Block Storage (EBS) Snapshots
● Amazon Relational Database Service (RDS) Snapshots
● Serverless Application Repository
Azure:
● Azure Compute Gallery
…

View Slide

https:// .Security
BSidesSLC.org Hardware Badge by
@professor__plum
Friday Apr. 14th 2023 &
Saturday Apr. 15th 2023
Salt Lake City, Utah
https://BSidesSLC.org

View Slide

https:// .Security
Go From Zero to
Cloud Admin!
Overview

View Slide

https:// .Security
AWS Account
External Resources
Typical Steps:
● Exploit App
● Collect Creds
● Reuse Creds
Elastic Block Store (EBS)
Volume Snapshot
Elastic Compute Cloud (EC2)
Instance Instances
AWS IAM
Role
AWS STS
Temporary
Credentials
Temporary
Credentials
Policies
Identities
Global Cloud

View Slide

https:// .Security
AWS Account
Globally Shared
Resources:
● EC2 AMIs
● EBS Snapshots
● RDS Snapshots
● etc…
Volume Snapshot
Instance Instances
Global Cloud
Secrets

View Slide

https:// .Security
AWS Account
Client-Side
Vectors:
● RCE
● Cookies
● Phishing
● AiTM
● Supply Chain
● Social Engineering
● Extensions
● etc…
Volume Snapshot
Instance Instances
AWS IAM
Role
AWS STS
Temporary
Credentials
Policies
Identities
Global Cloud
Admin

View Slide

https:// .Security
Globally Shared
Resources

View Slide

https:// .Security
Globally Public Resources
AWS:
● Amazon Machine Images (AMI) Snapshots
● Elastic Block Storage (EBS) Snapshots
● Amazon Relational Database Service (RDS) Snapshots
● Serverless Application Repository
Azure:
● Azure Compute Gallery
https://github.com/SummitRoute/aws_exposable_resources

View Slide

https:// .Security
Public Elastic Block Storage (EBS) Snapshots
Dufﬂebag is a tool that searches through public Elastic Block Storage (EBS)
snapshots for secrets that may have been accidentally left in. You may be
surprised by all the passwords and secrets just laying around!
https://github.com/BishopFox/dufﬂebag

View Slide

https:// .Security
SSO Tokens
& Browser Cookies
Client-Side

View Slide

https:// .Security
Overview
Methods Include:
● Malicious Browser Extension
● Adversary-in-the-Middle (AiTM)
Other Common Methods Include:
● Malicious Documents (e.g. Ofﬁce Macros)
● Malicious Applications

View Slide

https:// .Security
Malicious Browser Extensions

View Slide

https:// .Security
Malicious Browser Extension
Users
Evil Server
SSO / App
TLS
Browser

View Slide

https:// .Security
CursedChrome
Red Team Toolkit Options
https://github.com/mandatoryprogrammer/CursedChrome

View Slide

https:// .Security
ChatGPT-4 Build me an Extension please! :)
https://www.linkedin.com/posts/danielperjesi_how-i-created-a-chrome-extension-with-chatgpt-activity-7021098555054432256-W3Kl

View Slide

https:// .Security
ChatGPT-4 Builds an Extension
https://developer.chrome.com/docs/webstore/publish/

View Slide

https:// .Security
CursedChrome
Backdoor the Extension
https://www.youtube.com/watch?v=cdSXdwa5trc

View Slide

https:// .Security
Defense: Enterprise Policies (e.g. Chrome)
Users
Evil Server
SSO / App
TLS
Browser
https://github.com/mandatoryprogrammer/ChromeGalvanizer

View Slide

https:// .Security
Adversary-in-the-Middle (AiTM)

View Slide

https:// .Security
Adversary-in-the-Middle (AiTM)
Users
Evil Proxy SSO / App
TLS
TLS
Browser

View Slide

https:// .Security
Phishing + AiTM
TLS
TLS
Browser
Users
Email

View Slide

https:// .Security
Browser Access
TLS
TLS
Browser
Users
Email
Browser
TLS

View Slide

https:// .Security
SaaS & Cloud Access
TLS
TLS
Browser
Users
Email
Browser
TLS
SaaS / CSP
TLS

View Slide

https:// .Security
EDRs: Largely Ignore Browser Sessions!
TLS
TLS
Browser
Users
Email
Browser
TLS
SaaS / CSP
TLS
EDR
EDR Cloud

View Slide

https:// .Security
AiTM
Evilginx2
https://github.com/kgretzky/evilginx2
https://github.com/drk1wi/Modlishka
https://github.com/muraenateam/muraena
https://github.com/ustayready/CredSniper
Phishing
GoPhish
https://github.com/gophish/gophish
https://github.com/pentestgeek/phishing-frenzy
https://github.com/rsmusllp/king-phisher

View Slide

https:// .Security
AiTM
Evilginx2
Phishing
GoPhish
= EvilGoPhish
https://github.com/ﬁn3ss3g0d/evilgophish
+

View Slide

https:// .Security
Defense: Incorrect FQDN
Okta-Test.com Okta.com
TLS
TLS
Browser
Users
Email
Browser
TLS
SaaS / CSP
TLS
EDR
EDR Cloud

View Slide

https:// .Security
Defense: FIDO2 (Hardware/YubiKey) + WebAuthn
Okta-Test.com Okta.com
TLS
TLS
Browser
Users
Email
Browser
TLS
SaaS / CSP
TLS
EDR
EDR Cloud

View Slide

https:// .Security
One More Thing!
Cloud Native Phishing

View Slide

https:// .Security
Scott Piper
@0xdabbad00
Shout Out!
https://tldrsec.com/blog/lesser-known-aws-attacks/

View Slide

https:// .Security
SocialStackSetSmother v1

View Slide

https:// .Security
AWS Account - Client - #90210 AWS Account - Attacker - #31337
EC2
SocialStackSetSmother
Instances
AWS IAM
Role Policies
Admin
Cloud
Formation
Template
Stack
Lambda
Function

View Slide

https:// .Security
Click Link
In Email
https://us-east-1.console.aws.amazon.com/cloud
formation/home?region=us-east-1#/stacks/create
/review?templateURL=https://TODO_BUCKET_NAME.s
3.amazonaws.com/TODO_TEMPLATE_NAME.yml&stackNa
me=TODO_STACK_NAME
https://aws.amazon.com/blogs/devops/construct-your-own-launch-stack-url/

View Slide

https:// .Security
S3
EC2
Instances
AWS IAM
Role Policies
Admin
Public Object
cf_template.yaml S3 Bucket
API GW
S3 Bucket
Object
results001.txt
Endpoint
Lambda
Function
Cloud
Formation
Template
Stack
Lambda
Function
Email
AWS IAM
Policies
Role

View Slide

https:// .Security
https://aws.amazon.com/blogs/devops/construct-your-own-launch-stack-url/

View Slide

https:// .Security
S3
EC2
Instances
AWS IAM
Role Policies
Admin
Public Object
API GW
S3 Bucket
Object
results001.txt
Endpoint
Lambda
Function
Cloud
Formation
Template
Stack
Lambda
Function
Email
AWS IAM
Policies
Role AWS SAM

View Slide

https:// .Security
Attacker Needs Targets AWS Account ID#
To Follow The Path Back

View Slide

https:// .Security
S3
EC2
Instances
AWS IAM
Role Policies
Admin
API GW
S3 Bucket
Object
results001.txt
Endpoint
Lambda
Function
Cloud
Formation
Template
Stack
Lambda
Function
AWS IAM
Policies
Role AWS SAM

View Slide

https:// .Security
S3
EC2
Instances
AWS IAM
Role Policies
Admin
Public Object
API GW
S3 Bucket
Object
results001.txt
Endpoint
Lambda
Function
Cloud
Formation
Template
Stack
Lambda
Function
Email
AWS IAM
Policies
Role AWS SAM

View Slide

https:// .Security
Sample Code
https://github.com/TweekFawkes/SocialStackSetSmother

View Slide

https:// .Security
SocialStackSetSmother v0.0.1
Areas for Improvement in v0.0.1:
● CF Template Assumes the User Has the Permissions/Ability to:
○ Create an IAM Role with “AdministratorAccess” policy attached
○ Create & Execute a Lambda Function e.g. lambda:InvokeFunction
● CF Template creates an IAM Role which contains the AWS Account ID#
of the Attacker’s AWS Account, making it easy to report abuse to AWS
● CF Template contains Python code which is easy to analyze and
determine it looks suspicious
○ Python Code also contains Attacker’s API GW URL
● Phish contains link to Attacker’s Globally Unique S3 Bucket Name

View Slide

https:// .Security
SocialStackSetSmother v0.0.2

View Slide

https:// .Security
S3
EC2
Instances
AWS IAM
Role Policies
Admin
Public Object
API GW
S3 Bucket
Object
results001.txt
Endpoint
Lambda
Function
Cloud
Formation
Template
Stack
Lambda
Function
Email
AWS IAM
Policies
Role AWS SAM

View Slide

https:// .Security
Phish Contains Link to Attacker’s S3 Bucket Name
Ideas to Remediate:
● Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name
● CDN to S3 Bucket to Mask Name
● Find Another AWS User’s S3 Bucket with Misconﬁgured Permissions
and Upload our CloudFormation.yaml Template to their S3 Bucket

View Slide

https:// .Security
Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name
✅ Valid Input:
https://tmnttime.s3.us-east-2.amazonaws.com/template-v2-0-1.yaml

View Slide

https:// .Security
S3
EC2
Instances
AWS IAM
Role Policies
Admin
Public Object
API GW
S3 Bucket
Object
results001.txt
Endpoint
Lambda
Function
Cloud
Formation
Template
Stack
Lambda
Function
Email
AWS IAM
Policies
Role AWS SAM

View Slide

https:// .Security
✅ Valid Input:
❌ Invalid Input // No Object in S3 Bucket:
https://www.youtube.com/watch?v=nDei76dTTdY

View Slide

https:// .Security
✅ Valid Input:
✅ Invalid Input // Invalid Scheme:
bryce://tmnttime.s3.us-east-2.amazonaws.com/template-v2-0-1.yaml

View Slide

https:// .Security
✅ Valid Input:
✅ Invalid Input // Invalid TCP Port:
https://tmnttime.s3.us-east-2.amazonaws.com:2222/template-v2-0-1.yaml

View Slide

https:// .Security
Idea: Leverage an obfuscated url to mislead
✅ Valid Input:
✅ Invalid Input // Invalid Protocol & TCP Port:
ftp://tmnttime.s3.us-east-2.amazonaws.com:2222/template-v2-0-1.yaml
Anyone going to ftp on port 2222 will be rejected but the AWS CF service
will still deploy the malicious template.

View Slide

https:// .Security
✅ Valid Input:
❌ Invalid Input // FQDN Not Containing “s3” & “amazonaws.com”:
https://[email protected]/template-v2-0-1.yaml

View Slide

https:// .Security
Ideas to Remediate:

View Slide

https:// .Security
Ideas: CDN to S3 Bucket to Mask Name
✅ Valid Input:
❌ Invalid Input // FQDN Not Containing “s3” & “amazonaws.com”:
https://d111111abcdef8.cloudfront.net/template-v2-0-1.yaml

View Slide

https:// .Security
Ideas to Remediate:

View Slide

https:// .Security
S3
EC2
Instances
AWS IAM
Role Policies
Admin
Public Object
API GW
S3 Bucket
Object
results001.txt
Endpoint
Lambda
Function
Cloud
Formation
Template
Stack
Lambda
Function
Email
AWS IAM
Policies
Role AWS SAM

View Slide

https:// .Security
Finding S3 Buckets with Public PutObject Perms
Crime Group:
https://www.zdnet.com/article/new-magecart-attacks-leverage-misconﬁgured-s3-buckets-to-infect-over-17k-sites/

View Slide

https:// .Security
Thinking…
Crime Group:
https://www.zdnet.com/article/new-magecart-attacks-leverage-misconfigured-s3-buckets-to-infect-over-17k-sites/
This was in 2019… is something similar to
this even still possible in 2023?
If it is possible, what would be the level of
effort required before an attacker would
be able to find a misconfigured S3 bucket
where they could upload and/or modify an
object hosted within the S3 Bucket?
Can anyone pull this off or is this
something only a nation state will be able
to execute on now?

View Slide

https:// .Security
AWS Serverless Application Model (SAM)
https:/
/aws.amazon.com/serverless/build-a-web-app/

View Slide

https:// .Security
Infrastructure as Code
Based on CloudFormation, but much simpler to implement common Serverless Application Models...
https:/
/aws.amazon.com/serverless/sam/

View Slide

https:// .Security
The Serverless Application Model is commonly referred to as “SAM” in AWS documentation
SAM is NOT an AWS Service, it’s more similar to Zappa or Terraform
New Resource Types with SAM:
● AWS::Serverless::Function -> AWS Lambda Functions
● AWS::Serverless::Api -> AWS API Gateway APIs
● AWS::Serverless::SimpleTable -> AWS Dynamo DB Tables
https:/
/aws.amazon.com/serverless/sam/

View Slide

https:// .Security
Leverage SAM to Create...
SAM:
● template.yaml
● app.py
● etc.
CloudFormation

View Slide

https:// .Security
SAM Template
A simple AWS SAM application that triggers a Lambda function
every 120 seconds using CloudWatch Events
SAM Template:
● CloudWatch Events
○ Every 120 Seconds
● Lambda
○ Python 3.9
● Attach Policy to Enable:
○ s3:PutObject to Speciﬁc bucketname e.g. sds3bn001
● Set Timeout to Max:
○ 15 Minutes (900 Seconds)

View Slide

https:// .Security
Lambda Application - Part 1
Create Random Bucket Names:
● Generate an Random Bucket Name
●

View Slide

https:// .Security
● Ensure the Bucket Name meets the AWS
requirements for S3 Bucket Names

View Slide

https:// .Security
Try 33x Random Names
● 200 - S3 Bucket Exists
● 403 - S3 Denied
● 404 - S3 Does NOT Exist

View Slide

https:// .Security
● 403 - S3 Denied
Write Results to S3 Bucket

View Slide

https:// .Security
Lambda Application
● 403 - S3 Denied
Write Results to S3 Bucket

View Slide

https:// .Security
Cron via CloudWatch Events
https:/
/docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-function-schedule.html
Cloud Watch Events - Every 120 seconds (*/2 * * * *)
33x
0-3
Second Delay
w/ Max 15 Min
~ 300 Buckets (200s)
in ~5 Days
python3 requests https://' + sRandomString + '.s3.amazonaws.com
HTTP 200 means the Bucket Exists
SAM:
● template.yaml
● app.py
● etc.
CloudFormation

View Slide

https:// .Security
Cloud9 IDE
https:/
/aws.amazon.com/cloud9/

View Slide

https:// .Security
PyCharm IDE
https:/
/aws.amazon.com/blogs/aws/new-aws-toolkits-for-pycharm-intellij-preview-and-visual-studio-code-preview/

View Slide

https:// .Security
Processing Scripts
002.py
● Download all the objects from S3
● Combine the contents into one python list
003.py
● Sort through the python list to ﬁnd all the HTTP 200 Response Codes
○ Meaning the S3 Bucket Exists and we have some level of access to it e.g. it’s a public bucket
004.py
● Attempt to Upload an object with a .yml extension to the S3 Bucket
● Double Check that we can access the object publicly via the Internet
● If Successful, Attempt to Delete the Uploaded .yml Object
And the Results…?

View Slide

https:// .Security
The Results?
And the Results…?
In approximately ~5 days it discovered around ~10 S3 buckets which are publicly accessible and anyone
can upload a ﬁle to presumably host a malicious CloudFormation template :/

View Slide

https:// .Security
Answers…
This was in 2019… is something similar to this even still possible in 2023?
YES!

View Slide

https:// .Security
Answers…
YES!
If it is possible, what would be the level of effort required before an attacker would
be able to ﬁnd a misconﬁgured S3 bucket where they could upload and/or modify
an object hosted within the S3 Bucket?
A few hours of coding and ~5 days or less to run

View Slide

https:// .Security
Answers…
YES!
If it is possible, what would be the level of effort required before an attacker would
be able to ﬁnd a misconﬁgured S3 bucket where they could upload and/or modify
an object hosted within the S3 Bucket?
A few hours of coding and ~5 days or less to run
Can anyone pull this off or is this something only a nation state will be able to
execute on now?
Anyone with basic python3 scripting skills and some AWS can pull this off.

View Slide

https:// .Security
What’s Next?
April 1st - BSidesTampa - Will Upload Code Shorty - Twitter: @TweekFawkes
April 14th - BSidesSLC - More Code Released to GitHub
May 5th - BSidesAustin - More Code Released to GitHub

View Slide

https:// .Security
Contact Info
Twitter: @TweekFawkes
LinkedIn: https://www.linkedin.com/in/brycekunz/
Email: [email protected]
Slide Decks: https://speakerdeck.com/tweekfawkes/
Code on GitHub: https://github.com/TweekFawkes/SocialStackSetSmother

View Slide

https:// .Security
Privilege Escalation
Overview

View Slide

https:// .Security
Graph Database
Technologies
Overview

View Slide

https:// .Security
Why Graph DBs?

View Slide

https:// .Security
…
Quickly Find Priv Esc Paths

View Slide

https:// .Security
…
1. Set The Goal

View Slide

https:// .Security
…
2. Generate Inbound Paths

View Slide

https:// .Security
…
3. Analyze the Paths for Access Vectors

View Slide

https:// .Security
But How Are All Those Lines Useful?

View Slide

https:// .Security

View Slide

https:// .Security
IAM Roles

View Slide

https:// .Security
AWS Account
Identity and Access Management (IAM)
IAM Users
Permissions Policy
Action sts:AssumeRole
Resource arn…role/rds-ro
IAM User
joe
AWS IAM Users & AWS Service RDS, &...
Relational Database Service (RDS)
DB Cluster Secrets

View Slide

https:// .Security
AWS Account
IAM Users
Permissions Policy
IAM User
joe
AWS IAM Users & AWS Service RDS, &...
DB Cluster Secrets
Blocked!
Requires…
Action rds:Describe*

View Slide

https:// .Security
AWS Account
IAM Roles
Permissions Policy
What can be done with the role
Resource *
Role
rds-ro
AWS IAM Roles & Policies

View Slide

https:// .Security
AWS Account
IAM Roles
Permissions Policy
Resource *
Role
rds-ro
DB Cluster Secrets

View Slide

https:// .Security
AWS Account
IAM Roles
Trust Policy
aka “AssumeRolePolicy”
Who can assume the role
Principal arn…user/joe
Permissions Policy
Resource *
Role
rds-ro

View Slide

https:// .Security
AWS Account
IAM Roles
Trust Policy
Permissions Policy
Resource *
Role
rds-ro
DB Cluster Secrets

View Slide

https:// .Security
AWS Account
IAM Users IAM Roles
Trust Policy
Permissions Policy
Resource *
Role
rds-ro
Permissions Policy
IAM User
joe
AWS IAM Users & IAM Roles

View Slide

https:// .Security
AWS Account
IAM Users IAM Roles
Trust Policy
Permissions Policy
Resource *
Role
rds-ro
Permissions Policy
IAM User
joe
AWS IAM Users, IAM Roles, & AWS Services
DB Cluster Secrets

View Slide

https:// .Security
iam:PassRole

View Slide

https:// .Security
AWS Account
IAM Users
Permissions Policy
AmazonEC2FullAccess
Resource *
IAM User
rydia
App on EC2 Instance, Needs S3 Objects, &...
Simple Storage Service (S3)
AWS EC2
Instances App
Objects
S3 Bucket Secrets

View Slide

https:// .Security
AWS Account
IAM Users
Permissions Policy
AmazonEC2FullAccess
Resource *
IAM User
rydia
App on EC2 Instance, Needs S3 Objects, &...
AWS EC2
Instances App
Objects
S3 Bucket Secrets
Blocked!
Requires…
Action s3:Get*

View Slide

https:// .Security
AWS Account
IAM Users
Permissions Policy
AmazonEC2FullAccess
Resource *
IAM User
rydia
Attach Role to Instance, &…
AWS EC2
Instances App
Objects
S3 Bucket Secrets
IAM
Instance
Profile
Instance
Profile
ec2-s3-ro
Role ec2-s3-ro

View Slide

https:// .Security
AWS Account
IAM Users IAM Roles
Trust Policy
Principal Service EC2
Permissions Policy
AmazonS3ReadOnlyAccess
Resource *
Role
ec2-s3-ro
Permissions Policy
AmazonEC2FullAccess
Resource *
IAM User
rydia
AWS EC2
Instances App
Objects
S3 Bucket Secrets
IAM
Instance
Profile
Instance
Profile
ec2-s3-ro
Role ec2-s3-ro

View Slide

https:// .Security
AWS Account
IAM Users IAM Roles
Trust Policy
Permissions Policy
Resource *
Role
ec2-s3-ro
Permissions Policy
AmazonEC2FullAccess
Resource *
IAM User
rydia
AWS EC2
Instances App
Objects
S3 Bucket Secrets
IAM
Instance
Profile
Instance
Profile
ec2-s3-ro
Role ec2-s3-ro
Blocked!
Requires…
Action iam:PassRole*

View Slide

https:// .Security
Create a Policy Allowing Pass Role
Instances

View Slide

https:// .Security
AWS Account
IAM Users IAM Roles
Trust Policy
Permissions Policy
Resource *
Role
ec2-s3-ro
Permissions Policy
AmazonEC2FullAccess
Resource *
IAM User
rydia
AWS EC2
Instances App
Objects
S3 Bucket Secrets
IAM
Instance
Profile
Instance
Profile
ec2-s3-ro
Role ec2-s3-ro
New Policy
pass-ec2-s3-ro

View Slide

https:// .Security
AWS Account
IAM Users IAM Roles
Trust Policy
Permissions Policy
Resource *
Role
ec2-s3-ro
Permissions Policy
AmazonEC2FullAccess
Resource *
pass-ec2-s3-ro
IAM User
rydia
S3 Bucket Policies & S3 ACLs
S3
AWS EC2
Instances App
Objects
Secrets
IAM
Instance
Profile
Instance
Profile
ec2-s3-ro
Role ec2-s3-ro
S3 Bucket Policies S3 ACLs S3 Bucket

View Slide

https:// .Security
AWS Account
IAM Users IAM Roles
Trust Policy
Permissions Policy
Resource *
Role
ec2-s3-ro
Permissions Policy
AmazonEC2FullAccess
Resource *
pass-ec2-s3-ro
IAM User
rydia
AWS EC2
Instances App
Objects
S3 Bucket Secrets
IAM
Instance
Profile
Instance
Profile
ec2-s3-ro
Role ec2-s3-ro
S3
S3 Bucket Policies S3 ACLs

View Slide

https:// .Security
S3
AWS Account
IAM Users IAM Roles
Trust Policy
Permissions Policy
Resource *
Role
ec2-s3-ro
Permissions Policy
AmazonEC2FullAccess
Resource *
pass-ec2-s3-ro
IAM User
rydia
AWS EC2
Instances App
Objects
S3 Bucket Secrets
IAM
Instance
Profile
Instance
Profile
ec2-s3-ro
Role ec2-s3-ro
S3 Bucket Policies S3 ACLs

View Slide

https:// .Security
Basic Priv Esc Example via Graph DB

View Slide

https:// .Security
…
1. Set The Goal

View Slide

https:// .Security
…
2. Generate Inbound Paths

View Slide

https:// .Security
…
3. Analyze the Paths for Access Vectors

View Slide

https:// .Security
…
IAM Policy with * Permissions!

View Slide

https:// .Security
…
Role w/ Trust Policy allowing EC2

View Slide

https:// .Security
…
Instance Proﬁle to Role

View Slide

https:// .Security
…
iam:PasRole Permissions within Policy

View Slide

https:// .Security
…
IAM User with Permissions Policy

View Slide

https:// .Security
…
Compromise of “privesc3-…” User…
To Admin Access!

View Slide

https:// .Security
Create New EC2
Instance w/ Role
Attached
Instance
Role
Temporary
Credentials
Policies
Instance
Profile
Objects
S3 Bucket Secrets
Elastic Compute Cloud (EC2) AWS IAM

View Slide

https:// .Security
…
To Admin Access!

View Slide

https:// .Security
Get Access To EC2
Instance via Connect
Back to NC
Instance
Role
Temporary
Credentials
Policies
Instance
Profile
User Data
Launch Script
Objects
S3 Bucket Secrets
NetCat
Listener

View Slide

https:// .Security
C2 via NetCat
Instance
Role
Temporary
Credentials
Policies
Instance
Profile
Objects
S3 Bucket Secrets
C2
NetCat
Listener

View Slide

https:// .Security
…

View Slide

https:// .Security
Access Metadata via
Curl 169.254. 169.254
Instance
AWS IAM
Role
Temporary
Credentials
Policies
Instance
Profile
NetCat
Listener
Metadata
Service
Objects
S3 Bucket Secrets
C2

View Slide

https:// .Security
Access Metadata via
Curl 169.254. 169.254
To
Collect
Creds! Instance
AWS IAM
Role
Temporary
Credentials
Policies
Instance
Profile
NetCat
Listener
Metadata
Service
Temporary
Credentials
Objects
S3 Bucket Secrets
C2

View Slide

https:// .Security
…
To Admin Access!

View Slide

https:// .Security
Conﬁgure aws cli
Instance
AWS IAM
Role
Temporary
Credentials
Policies
Instance
Profile
NetCat
Listener
Metadata
Service
Temporary
Credentials
Objects
S3 Bucket Secrets
C2

View Slide

https:// .Security
…
To Admin Access!

View Slide

https:// .Security
Reuse Creds for
S3 Access!
Instance
AWS IAM
Role
Temporary
Credentials
Policies
Instance
Profile
NetCat
Listener
Metadata
Service
Temporary
Credentials
Objects
S3 Bucket Secrets
C2

View Slide

https:// .Security
…
To Admin Access!

View Slide

https:// .Security
Common Priv Esc Access Vectors

View Slide

https:// .Security
IAM Permissions
Manipulating Resources

View Slide

https:// .Security
IAM Permissions
Users
iam:CreateAccessKey
iam:UpdateLoginProfile
iam:AddUserToGroup
etc…

View Slide

https:// .Security
IAM Permissions
Users
iam:CreateAccessKey
iam:AddUserToGroup
etc…
Permissions Policies
iam:CreatePolicyVersion
iam:SetDefaultPolicyVersion
iam:Attach*Policy
iam:Put*Policy
etc…

View Slide

https:// .Security
IAM Permissions
Users
iam:CreateAccessKey
iam:AddUserToGroup
etc…
iam:Attach*Policy
iam:Put*Policy
etc…
AssumeRole Policies
iam:UpdateAssumeRolePolicy
+
sts:AssumeRole

View Slide

https:// .Security
IAM Permissions
Users
iam:CreateAccessKey
iam:AddUserToGroup
etc…
iam:Attach*Policy
iam:Put*Policy
etc…
AssumeRole Policies
+
sts:AssumeRole
PassRole Policies
iam:PassRole
+
Processing Data

View Slide

https:// .Security
IAM Permissions
Users
iam:CreateAccessKey
iam:AddUserToGroup
etc…
iam:Attach*Policy
iam:Put*Policy
etc…
AssumeRole Policies
+
sts:AssumeRole
Resources Processing Data
PassRole Policies
iam:PassRole
+
Processing Data
Create New
Affect Inputs

View Slide

https:// .Security
IAM Permissions
Users
iam:CreateAccessKey
iam:AddUserToGroup
etc…
iam:Attach*Policy
iam:Put*Policy
etc…
AssumeRole Policies
+
sts:AssumeRole
PassRole Policies
iam:PassRole
+
Processing Data
Create New
Affect Inputs
Lambda
lambda:UpdateFunctionCode
lambda:PublishLayerVersion
+
Function w/ Role

View Slide

https:// .Security
IAM Permissions
Users
iam:CreateAccessKey
iam:AddUserToGroup
etc…
iam:Attach*Policy
iam:Put*Policy
etc…
AssumeRole Policies
+
sts:AssumeRole
PassRole Policies
iam:PassRole
+
Processing Data
Create New
Affect Inputs
SSM & EC2
SendCommand
StartSession
+
Instance Profile w/ Role
Lambda
+
Function w/ Role

View Slide

https:// .Security
IAM Permissions
Users
iam:CreateAccessKey
iam:AddUserToGroup
etc…
iam:Attach*Policy
iam:Put*Policy
etc…
AssumeRole Policies
+
sts:AssumeRole
PassRole Policies
iam:PassRole
+
Processing Data
Create New
Affect Inputs
SSM & EC2
SendCommand
StartSession
+
Instance Profile w/ Role
Lambda
+
Function w/ Role
AWS
Services
Numerous…
e.g. w/ a Role

View Slide

https:// .Security
Cloud Lab Envs
Overview

View Slide

https:// .Security
Why?
TL;DR:
● Learn by Hands-on Experience
● Be Able to Talk To Experience in Interviews
● Be Able to Mentor Others on Common TTPs
○ Tactics, Techniques, and Procedures (TTPs)

View Slide

https:// .Security
AiTM
Evilginx2
● https://cloud.hacktricks.xyz/pentesting-cloud/aws-security
● https://github.com/BishopFox/iam-vulnerable
● https://github.com/RhinoSecurityLabs/cloudgoat
● https://github.com/bridgecrewio/terragoat
● https://github.com/nccgroup/sadcloud
● https://hackingthe.cloud/aws/capture_the_ﬂag/cicdont
● https://github.com/ine-labs/AWSGoat
Vulnerable Lab Environments
CloudGoat

View Slide

https:// .Security
TL;DR:
● Focused on AWS’s IAM Service
○ Identity and Access Management (IAM)
● Deploys via Terraform
● 31 Privilege Escalation Paths
● GitHub Links to Solutions
● Great for Testing GraphDB Tools (e.g. AWSpx, PMapper, etc.)
● REF: https://github.com/BishopFox/iam-vulnerable
Iam Vulnerable

View Slide

https:// .Security
CloudGoat
TL;DR:
● Focused on AWS
○ Resources: Lambda, EC2, S3, etc.
○ + Identity and Access Management (IAM)
● 12 Scenarios
● Solutions are easily Google-able
● Great for Reference or Testing Speciﬁc Technique/Tools (e.g. Pacu)
● REF: https://github.com/RhinoSecurityLabs/cloudgoat
CloudGoat

View Slide

https:// .Security
SadCloud
TL;DR:
● Focused on AWS
○ Resources: Lambda, EC2, S3, etc.
○ + Identity and Access Management (IAM)
● 84 Misconﬁgurations
● Great for Testing Cloud Vuln Scan Tools (e.g. ScoutSuite)
● REF: https://github.com/nccgroup/sadcloud

View Slide

https:// .Security
AzureGoat
TL;DR:
● Focused on Azure
● REF: https://github.com/ine-labs/AzureGoat

View Slide

https:// .Security
GCPGoat
TL;DR:
● Focused on GCP
● Good for 101 Basics… Needs More Complex Scenarios
● REF: https://gcpgoat.joshuajebaraj.com/

View Slide

https:// .Security
Others
REFs
● https://hackingthe.cloud/aws/capture_the_flag/cicdont/
● https://github.com/nccgroup/sadcloud
● https://github.com/bridgecrewio/terragoat
● https://github.com/ine-labs/AWSGoat
● http://flaws.cloud/
● http://flaws2.cloud/

View Slide

https:// .Security
Tools & Techniques
Overview

View Slide

https:// .Security
Guides
● https://cloud.hacktricks.xyz/pentesting-cloud/
● https://pentestbook.six2dez.com/enumeration/cloud/
● https://github.com/dafthack/CloudPentestCheatsheets
● PayloadsAllTheThings:
○ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology
%20and%20Resources/Cloud%20-%20AWS%20Pentest.md
○ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology
%20and%20Resources/Cloud%20-%20Azure%20Pentest.md
● https://github.com/vengatesh-nagarajan/Cloud-pentest
● https://github.com/CyberSecurityUP/Awesome-Cloud-PenTest
● https://github.com/kh4sh3i/cloud-penetration-testing

View Slide

https:// .Security
…
Visualization Tools
● https://github.com/nccgroup/PMapper
● https://github.com/Azure/Stormspotter
● https://github.com/duo-labs/cloudmapper
● https://github.com/WithSecureLabs/awspx
● https://github.com/SygniaLabs/security-cloud-scout
● https://github.com/BloodHoundAD/BloodHound
● https://pentestbook.six2dez.com/enumeration/cloud/azure
Steps:
1. Collection
2. Processing
3. Analysis

View Slide

https:// .Security
Tailored
Collection &
Processing +
Neo4j GraphDB
Aws Cloud Capability Tool (ACCT)

View Slide

https:// .Security
Contact Info
Twitter: @TweekFawkes
LinkedIn: https://www.linkedin.com/in/brycekunz/
Email: [email protected]
Slide Decks: https://speakerdeck.com/tweekfawkes/
Code on GitHub: https://github.com/TweekFawkes/SocialStackSetSmother

View Slide

https:// .Security
Trainings @ BlackHat & On-Site!
Thank You! [email protected]
.sh
@TweekFawkes

View Slide

https:// .Security
End
Overview

View Slide

Cloud Red Teaming: AWS Initial Access & Privilege Escalation

Cloud Red Teaming: AWS Initial Access & Privilege Escalation

TweekFawkes

More Decks by TweekFawkes

Other Decks in Technology

Featured

Transcript