Step by step AWS Cloud Hacking
andresriancho
September 25, 2020
Transcript
Ekoparty 2020 Andrés Riancho
need credentials
IAM permissions
http://169.254.169.254/
/latest/meta-data/iam/security-credentials/
/latest/meta-data/iam/security-credentials/{role-name}
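    from urllib.request import urlopen
    from flask import Flask, request

    app = Flask(__name__)

    # Deliberately vulnerable: fetches whatever URL the client supplies (SSRF)
    @app.route('/ssrf')
    def handler():
        url = request.args.get('url')
        return urlopen(url).read()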
Instance metadata and S3 compromise
Two ways to enumerate permissions:
• IAM service (in most cases this will fail)
• brute-force
Get* / List* / Describe*
DryRun parameter
    SUPPORTED_SERVICES = [ 'ec2', 's3' ]
./enumerate-iam.py
many things the attacker doesn't know.
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "s3:*", "lambda:*", "..." ],
          "Resource": "*"
        }
      ]
    }
try to elevate privileges to a principal with full access
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "*" ],
          "Resource": "*"
        }
      ]
    }
Lambda function will have access to the IAM role
Getting * on *
existing trust policy in the AdminRole
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::925877178748:root" },
      "Action": "sts:AssumeRole"
    }

    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::925877178748:root",
          "arn:aws:iam::320222540496:root"
        ]
      },
      "Action": "sts:AssumeRole"
    }
Never trust the trust policy
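Added example, not from the talk: a defender-side audit of a role's trust policy that lists every AWS principal outside the owning account, run here on the two-account statement from the slide above. Treating 925877178748 as the owning account is an assumption (the slide does not say), and `external_principals` and `as_list` are hypothetical helper names.

```python
import json
import re

# Constructed sample: the two-account trust statement shown on the slide.
# HOME_ACCOUNT is an assumption: the slide does not say which ID owns the role.
HOME_ACCOUNT = "925877178748"
TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam::925877178748:root",
                        "arn:aws:iam::320222540496:root"]},
  "Action": "sts:AssumeRole"}]}
""")

# Matches a bare 12-digit account ID or an IAM/STS ARN and captures the account.
ACCOUNT_RE = re.compile(r"^(?:arn:aws[a-z-]*:(?:iam|sts)::)?(\d{12})(?::.*)?$")


def as_list(value):
    """IAM lets most fields be either a single value or a list."""
    return value if isinstance(value, list) else [value]


def external_principals(policy, home_account):
    """Return (principal, reason) for AWS principals outside home_account.

    Only Allow statements are examined; Service and Federated principals
    are not checked here.
    """
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # "Principal": "*" is shorthand for everyone.
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for entry in aws:
            match = ACCOUNT_RE.match(entry)
            if entry == "*":
                findings.append((entry, "wildcard"))
            elif match is None:
                # e.g. the unique ID left behind by a deleted principal
                findings.append((entry, "unparsed"))
            elif match.group(1) != home_account:
                findings.append((entry, "external account " + match.group(1)))
    return findings


if __name__ == "__main__":
    for principal, reason in external_principals(TRUST_POLICY, HOME_ACCOUNT):
        print(f"{principal}: {reason}")
```

Running the same function over every role's trust policy and comparing the findings against a reviewed allow-list makes an added principal stand out.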
ARN for the backdoored role
most resources in the AWS account
VPC is completely isolated from the Internet
VPN between the attacker's workstation and a VPC
vpc-vpn-pivot
From zero to full pwn
• enumerate-iam
• pacu
• vpc-vpn-pivot
Follow @AndresRiancho