Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Step by step AWS Cloud Hacking
Search
andresriancho
September 25, 2020
Technology
0
620
Step by step AWS Cloud Hacking
andresriancho
September 25, 2020
Tweet
Share
More Decks by andresriancho
See All by andresriancho
Step by step AWS Cloud Hacking
andresriancho
2
2.9k
Internet-Scale analysis of AWS Cognito Security
andresriancho
1
12k
Threat Modelling
andresriancho
0
1.4k
Automated Security Analysis AWS Clouds
andresriancho
1
3.2k
Injecting into URLs / Breaking URL-Encoding
andresriancho
0
250
Galería de Fallos en Unicornios
andresriancho
1
240
Esoteric Web Application Vulnerabilities
andresriancho
0
1.1k
String Compare Timing Attacks
andresriancho
0
590
Timing Attacks
andresriancho
1
340
Other Decks in Technology
See All in Technology
AWS DMS で SQL Server を移行してみた/aws-dms-sql-server-migration
emiki
0
220
デザインとエンジニアリングの架け橋を目指す OPTiMのデザインシステム「nucleus」の軌跡と広げ方
optim
0
110
OCIjp_Oracle AI World_Recap
shinpy
1
180
ゼロコード計装導入後のカスタム計装でさらに可観測性を高めよう
sansantech
PRO
1
330
事業開発におけるDify活用事例
kentarofujii
5
1.4k
Behind Postgres 18: The People, the Code, & the Invisible Work | Claire Giordano | PGConfEU 2025
clairegiordano
0
130
ソフトウェアエンジニアの生成AI活用と、これから
lycorptech_jp
PRO
0
900
会社を支える Pythonという言語戦略 ~なぜPythonを主要言語にしているのか?~
curekoshimizu
3
660
個人でデジタル庁の デザインシステムをVue.jsで 作っている話
nishiharatsubasa
3
5k
AI時代、“平均値”ではいられない
uhyo
8
2.5k
現場データから見える、開発生産性の変化コード生成AI導入・運用のリアル〜 / Changes in Development Productivity and Operational Challenges Following the Introduction of Code Generation AI
nttcom
1
470
AIとともに歩んでいくデザイナーの役割の変化
lycorptech_jp
PRO
0
870
Featured
See All Featured
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
jQuery: Nuts, Bolts and Bling
dougneiner
65
7.9k
Build The Right Thing And Hit Your Dates
maggiecrowley
38
2.9k
Context Engineering - Making Every Token Count
addyosmani
8
300
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4k
[RailsConf 2023] Rails as a piece of cake
palkan
57
5.9k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
31
2.7k
Making the Leap to Tech Lead
cromwellryan
135
9.6k
KATA
mclloyd
PRO
32
15k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
1.7k
Unsuck your backbone
ammeep
671
58k
The Straight Up "How To Draw Better" Workshop
denniskardys
238
140k
Transcript
Ekoparty 2020 Andrés Riancho
2
3
None
5
need credentials • • • 6
7
IAM permissions 8
9 http://169.254.169.254/ /latest/meta-data/iam/security-credentials/ /latest/meta-data/iam/security-credentials/{role-name}
10
11 from urllib.request import urlopen from flask import request @app.route('/ssrf')
def handler(): url = request.args.get('url') return urlopen(url).read()
Instance metadata and S3 compromise
13
None
two ways to enumerate permissions IAM service In most cases
this will fail brute-force 15
Get* / List* / Describe* DryRun parameter 16
17 SUPPORTED_SERVICES = [ 'ec2', 's3' ]
18
./enumerate-iam.py
20
many things the attacker doesn't know. 21 { "Statement":[ {
"Effect":"Allow", "Action":[ "s3:*", "lambda:*", "..." ], "Resource":"*" } ] }
try to elevate privileges to a principal with full access
22 { "Statement":[ { "Effect":"Allow", "Action":[ "*", ], "Resource": "*" } ] }
Lambda function will have access to the IAM role 23
Getting * on *
None
existing trust policy in the AdminRole 26
27
28 { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::925877178748:root" }, "Action":
"sts:AssumeRole" } { "Effect": "Allow", "Principal": { "AWS": ["arn:aws:iam::925877178748:root", "arn:aws:iam::320222540496:root"] }, "Action": "sts:AssumeRole" }
Never trust the trust policy
30 ARN for the backdoored role
None
32 most resources in the AWS account VPC is completely
isolated from the Internet
None
34 VPN between the attacker's workstation and a VPC
35
vpc-vpn-pivot
None
From zero to full pwn
None
40 • enumerate-iam • pacu • vpc-vpn-pivot Follow @AndresRiancho
None