null Dubai Meetup - Raining shells in AWS by chaining vulnerabilities

Riyaz Ahemed Walikar

Raining shells in AWS by chaining vulnerabilities

This post is about a talk given at null Dubai special meet in the late hours of 16th March 2023.

The talk covers common cloud security misconfigurations that lead to access to systems and data well beyond the initial attack surface: an initial foothold on a cloud resource, followed by lateral and horizontal movement by abusing further misconfigurations.

The talk comprises three cool scenarios that we have encountered before, using recreated labs to showcase the attack path an attacker would take.

Case 1 - Misconfigured bucket to system shells

This is the case of a domain name that pointed to an S3 bucket via a CNAME DNS record. Knowing the bucket naming convention allowed additional buckets to be enumerated.

One of the discovered buckets was world readable, allowing its data to be downloaded. An SSH private key was found in a zip file, giving shell access to an EC2 instance.

Case 2 - SSRF to Shell via IAM Policies

This was a case where an exposed web application allowed users to register and browse. One of the application's features was vulnerable to Server-Side Request Forgery (SSRF). The SSRF was used to extract temporary credentials for the instance role attached to the underlying EC2 instance.

The privileges on the attached role allowed for S3 buckets to be read and additional data to be downloaded.

Using the same temporary credentials, we were able to execute commands on EC2 instances through EC2 Systems Manager and obtain a reverse shell.
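As an added defender-side check for the two weaknesses chained in this case (this is not code from the talk or its author): the snippet below audits whether EC2 instances still answer IMDSv1 requests, which is what lets an SSRF sink read role credentials, and whether an instance-role policy grants S3 reads or SSM command execution on wildcard resources. The input shapes mirror `aws ec2 describe-instances` output and IAM policy JSON; the instance IDs, bucket name and policy are constructed samples.

```python
"""Audit helpers for the two weaknesses chained in Case 2: an SSRF that can reach
IMDSv1 and an over-broad instance role.  Input shapes mirror the JSON returned by
`aws ec2 describe-instances` and an IAM policy document; all sample data below is
constructed for illustration, not taken from any real account."""

# Actions that turn a leaked role credential into command execution or bulk data
# access; a web server's instance role rarely needs these on every resource.
SENSITIVE_ACTIONS = {"ssm:sendcommand", "ssm:startsession", "s3:getobject", "s3:*", "*"}


def imdsv1_instances(reservations):
    """Instance IDs that still answer unauthenticated IMDSv1 requests.
    HttpTokens 'optional' lets an SSRF fetch role credentials with one GET;
    'required' forces the PUT-then-GET token exchange most SSRF sinks cannot do."""
    found = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "enabled" and opts.get("HttpTokens") != "required":
                found.append(inst["InstanceId"])
    return found


def overbroad_statements(policy):
    """(action, resource) pairs where a sensitive action is allowed on a wildcard
    resource.  Action/Resource may be a string or a list in IAM JSON."""
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action.lower() in SENSITIVE_ACTIONS:
                hits.extend((action, r) for r in resources if r.endswith("*"))
    return hits


# Constructed sample: one instance still on IMDSv1 (i-0aaa), one hardened (i-0bbb).
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
]}]
# Constructed sample policy: S3 object reads and SSM command execution on every resource.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "ssm:SendCommand"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::app-assets"},
]}
```

Feeding real `describe-instances` output and the attached role's policy documents into these two functions gives a quick list of instances to switch to `HttpTokens=required` and statements to scope down.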

Case 3 - Client-Side Keys, IAM Policies and a Vulnerable Lambda

AWS IAM user access keys and secret keys were found in client-side JavaScript. The permissions on these keys were enumerated using ScoutSuite.

The credentials were used to enumerate the Lambda functions within the account and download the source code of the Lambda. This was then analyzed for additional vulnerabilities, which led to the discovery of an RCE.

Using EC2 enumeration and EC2 Instance Connect, a shell was obtained on a running instance to complete the attack path.

Recording of the talk

Here’s a recording of the talk

Slides from the talk

Here are the slides from the talk
