AWS - CloudFront Post Exploitation


CloudFront

For more information check:

AWS - CloudFront Enum

cloudfront:Delete*

An attacker who has been granted cloudfront:Delete* permissions can delete distributions, policies and other critical CDN configuration objects: for example distributions, cache/origin policies, key groups, origin access identities, functions/configs, and related resources. This can cause service disruption, content loss, and removal of configuration or forensic artifacts.

To delete a distribution, an attacker could use:

```bash
aws cloudfront delete-distribution \
  --id <DISTRIBUTION_ID> \
  --if-match <ETAG>
```

Man-in-the-Middle

This blog post proposes a couple of different scenarios where a Lambda could be added (or modified if it is already being used) into a communication through CloudFront with the purpose of stealing user information (like the session cookie) and modifying the response (injecting a malicious JS script).

Scenario 1: MitM where CloudFront is configured to access some HTML of a bucket

  • Create the malicious function.
  • Associate it with the CloudFront distribution.
  • Set the event type to "Viewer Response".

By accessing the response you could steal the users' cookies and inject malicious JS.

Scenario 2: MitM where CloudFront is already using a lambda function

  • Modify the code of the lambda function to steal sensitive information

You can check the tf code to recreate these scenarios here.
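
One way to detect the function associations that both scenarios rely on, as an added example that is not part of the original page: it walks a `DistributionConfig` object (the shape returned by `aws cloudfront get-distribution-config`) and reports every Lambda@Edge or CloudFront Functions association whose ARN is not on an allowlist. The sample config, account ID, function names, path pattern and the `APPROVED` set are constructed for illustration.

```python
"""Audit edge-function associations in a CloudFront DistributionConfig."""
import json

# Constructed sample shaped like the DistributionConfig object from
# `aws cloudfront get-distribution-config`; all identifiers are made up.
SAMPLE_CONFIG = json.loads("""
{
  "DefaultCacheBehavior": {
    "LambdaFunctionAssociations": {"Quantity": 1, "Items": [
      {"LambdaFunctionARN": "arn:aws:lambda:us-east-1:111122223333:function:add-headers:7",
       "EventType": "origin-response", "IncludeBody": false}]},
    "FunctionAssociations": {"Quantity": 0}
  },
  "CacheBehaviors": {"Quantity": 1, "Items": [
    {"PathPattern": "/app/*",
     "LambdaFunctionAssociations": {"Quantity": 1, "Items": [
       {"LambdaFunctionARN": "arn:aws:lambda:us-east-1:111122223333:function:resp-hook:1",
        "EventType": "viewer-response", "IncludeBody": false}]},
     "FunctionAssociations": {"Quantity": 0}}
  ]}
}
""")

# Hypothetical allowlist: exact ARNs that were reviewed and approved.
APPROVED = {"arn:aws:lambda:us-east-1:111122223333:function:add-headers:7"}


def _associations(behavior):
    """Yield (event_type, arn) for Lambda@Edge and CloudFront Functions."""
    for key, arn_field in (("LambdaFunctionAssociations", "LambdaFunctionARN"),
                           ("FunctionAssociations", "FunctionARN")):
        # "Items" is absent when Quantity is 0, so default to an empty list.
        for item in (behavior.get(key) or {}).get("Items") or []:
            yield item["EventType"], item[arn_field]


def audit_distribution(config, approved):
    """Return a finding for every association whose ARN is not approved."""
    behaviors = [("default", config.get("DefaultCacheBehavior") or {})]
    for b in (config.get("CacheBehaviors") or {}).get("Items") or []:
        behaviors.append((b.get("PathPattern", "?"), b))
    findings = []
    for path, behavior in behaviors:
        for event_type, arn in _associations(behavior):
            if arn not in approved:
                findings.append({"path": path, "event": event_type, "arn": arn})
    return findings


if __name__ == "__main__":
    for f in audit_distribution(SAMPLE_CONFIG, APPROVED):
        print(f"unapproved {f['event']} function on {f['path']}: {f['arn']}")
```

Lambda@Edge associations reference a numbered function version, so a changed function shows up here as a new ARN. CloudFront Functions ARNs carry no version, so code changes to those need separate monitoring.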
