AWS & Cloud
Ext-Break
● Did anyone get xsscsp2?
○ It was a hard one lol
Quite. Quite hard.
Xsscsp2 Solution (PoC redacted)
Overview
● What is the cloud
● Who is this 4chan?
● Access Keys/Roles
● Acquiring Keys
● Pivoting
● Microservices
● Common Vulns
Note on ethics
● Everything here is post-exploitation
● Everything you do at this point is illegal if you don’t have explicit permission
● Most bug bounties do not permit you to do things in this realm
○ Unless you ask nicely
● This will get you a nice knock on the door from the AFP.
● This is purely theoretical knowledge.
● You may be examined on this.
What is the cloud
● You all already should know
● Where we outsource the hosting of our * to a third party
● They provide us * level of control over the stack.
Scales of Clouds
*aaS
● Differing levels of control
● Differing methods of exploitation/persistence/pivoting.
● Everyone does it differently.
Impact of *aaS
Who is this 4chan? (AWS)
● Grab bag of everything.
● Anything your service needs, you can have it.
Things AWS has
Things most people care about
More things AWS has
More things we care about
● We discussed this last week
● What are access keys?
Access Keys and Roles
Roles & Policies
● Roles delegate access to functions by services.
● Can have different permissions/access controls (policies)
● Sometimes super permissive.
More realistically restricted permissions
Summary
● AWS big.
● Cloud bigger.
● Things need permissions
● Access uses keys
Acquiring Keys
● 169.254.169.254/latest/meta-data/iam/info
● SSRF
● LFD -> /docker-entrypoint.sh /init.sh ~/.aws/credentials.json etc.
● Use some vulnerability
● Leaked config files (config.json)
Pivoting/Post-Exploitation
● Why do we need to pivot?
○ Poor security hygiene
○ Breaching security boundaries.
○ Expand control
○ Find internal sensitive resources
Wat do?
● If you’re on the host
○ Dump AWS metadata
○ Local privesc (if you can be stealthy)
○ Dump users & readable files
○ Dump local services/network subnet
○ Look for source repos
○ Look for private S3 buckets.
Be careful, it’s dangerous out there
● Be careful of logging
○ AWS CloudWatch Logs/CloudTrail
○ Logs all activity
○ Logs all errors
○ Logs all logins.
○ (Depending on configuration)
https://www.blackhat.com/docs/us-16/materials/us-16-Amiga-Account-Jumping-Post-Infection-Persistency-And-Lateral-Movement-In-AWS-wp.pdf
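A defender-side example that is not part of these slides: using the CloudTrail records the logging slide refers to, flag an EC2 instance-role session (the session name an instance profile produces is the instance id) being used from an address outside the instance's own VPC, which is what credentials lifted from the 169.254.169.254 metadata endpoint look like once they are used elsewhere. The record layout mirrors CloudTrail's; the sample records, role name, instance id and VPC range are all constructed.

```python
import ipaddress

# Constructed sample CloudTrail records (not from the slides). The first two calls
# share one EC2 instance-role session: one from the instance's own VPC address, one
# from outside it. The third is an ordinary IAM user login and should be ignored.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0abc123def456"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0abc123def456"}},
    {"eventTime": "2024-01-01T10:08:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
]

# Assumed VPC range(s) that instance-role sessions are expected to call from.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]


def is_instance_role_session(record):
    """True when the caller is an EC2 instance-profile session (session name i-...)."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return False
    session_name = ident.get("arn", "").rsplit("/", 1)[-1]
    return session_name.startswith("i-")


def find_offhost_role_use(records, trusted=TRUSTED_NETWORKS):
    """Return (eventTime, eventName, sourceIP, arn) for instance-role calls from outside trusted."""
    hits = []
    for rec in records:
        if not is_instance_role_session(rec):
            continue
        try:
            ip = ipaddress.ip_address(rec.get("sourceIPAddress", ""))
        except ValueError:
            # Calls an AWS service makes on the role's behalf carry a service
            # hostname instead of an IP; they are not off-host use of the keys.
            continue
        if not any(ip in net for net in trusted):
            hits.append((rec["eventTime"], rec["eventName"], str(ip), rec["userIdentity"]["arn"]))
    return hits
```

Run it over real CloudTrail JSON by feeding `find_offhost_role_use` the `Records` array and replacing `TRUSTED_NETWORKS` with the account's VPC CIDRs (and NAT egress addresses, if instances call AWS APIs through a NAT gateway).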
Threat Modelling
● If you’re attacking Netflix vs attacking Yahoo.com
○ One has a really good security posture
○ One has legacy code from the 90s
○ Who is going to have better logging and infrastructure?
Bleeding Edge
● Microservices
Scales of Clouds
*aaS
● You only provide a function
● It runs in an instance only as long as the function runs
● After that everything is deleted.
Serverless/Lambda model
Stolen Slides
Exploitation
● Exfil is easy. You can get info out.
Extra reading
● https://www.blackhat.com/docs/us-16/materials/us-16-Amiga-Account-Jumping-Post-Infection-Persistency-And-Lateral-Movement-In-AWS-wp.pdf
● Pivoting in AWS - https://blackhat.com/docs/us-14/materials/us-14-Riancho-Pivoting-In-Amazon-Clouds.pdf
● Serverless Runtime - https://www.blackhat.com/docs/us-17/wednesday/us-17-Krug-Hacking-Severless-Runtimes-wp.pdf
● Slide deck for notes - https://www.blackhat.com/docs/us-17/wednesday/us-17-Krug-Hacking-Severless-Runtimes.pdf
● Offensive Security - https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ryan-Baxendale-Microservices-and-FaaS-for-Offensive-Security.pdf
● Post compromise AWS - https://danielgrzelak.com/exploring-an-aws-account-after-pwning-it-ff629c2aae39
● AWS Cloud Recon (a bit basic) - https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Gerald-Steere-and-Sean-Metcalf-Hacking-the-Cloud.pdf
● GREAT TALK ON MICROSERVICE EXPLOITATION - https://www.youtube.com/watch?v=YZ058hmLuv0