AWS - EBS Privesc

Reading time: 2 minutes

tip

Impara e pratica il hacking AWS:HackTricks Training AWS Red Team Expert (ARTE)
Impara e pratica il hacking GCP: HackTricks Training GCP Red Team Expert (GRTE) Impara e pratica il hacking Azure: HackTricks Training Azure Red Team Expert (AzRTE)

Supporta HackTricks

EBS

ebs:ListSnapshotBlocks, ebs:GetSnapshotBlock, ec2:DescribeSnapshots

Un attacker con quei permessi potrà potenzialmente scaricare e analizzare localmente gli snapshot dei volumi e cercare informazioni sensibili al loro interno (come secrets o source code). Trova come farlo in:

AWS - EBS Snapshot Dump

Altri permessi potrebbero essere utili come: ec2:DescribeInstances, ec2:DescribeVolumes, ec2:DeleteSnapshot, ec2:CreateSnapshot, ec2:CreateTags

The tool https://github.com/Static-Flow/CloudCopy performs this attack to estrarre le password da un domain controller.

Potential Impact: Privesc indiretto individuando informazioni sensibili nello snapshot (potresti anche ottenere le password di Active Directory).

ec2:CreateSnapshot

Any AWS user possessing the EC2:CreateSnapshot permission can steal the hashes of all domain users by creating a snapshot of the Domain Controller mounting it to an instance they control and exporting the NTDS.dit and SYSTEM registry hive file for use with Impacket's secretsdump project.

You can use this tool to automate the attack: https://github.com/Static-Flow/CloudCopy or you could use one of the previous techniques after creating a snapshot.

tip

Impara e pratica il hacking AWS:HackTricks Training AWS Red Team Expert (ARTE)
Impara e pratica il hacking GCP: HackTricks Training GCP Red Team Expert (GRTE) Impara e pratica il hacking Azure: HackTricks Training Azure Red Team Expert (AzRTE)

Supporta HackTricks