EC2

Enumeration

Instances

List all instances

aws ec2 describe-instances --query 'Reservations[*].Instances[*].[Tags[?Key == `Name`].Value,InstanceId,State.Name,InstanceType,PublicIpAddress,PrivateIpAddress]' --output text | sed 'N;s/\n/ /'

Download the UserData script file from all instances

ec2_list=$(aws ec2 describe-instances --region us-east-1 --query Reservations[].Instances[].InstanceId --output text --profile ec2-capstone)
for i in $ec2_list; do
  aws ec2 describe-instance-attribute --profile ec2-capstone --instance-id $i --attribute userData --output text --query UserData --region us-east-1 | base64 --decode > $i-USERDATA.txt
done

Network

aws ec2 describe-network-interfaces    #display all
aws ec2 describe-network-interfaces --filters "Name=attachment.instance-id,Values=<instance id>"
aws ec2 describe-network-interfaces | jq '.NetworkInterfaces[0]'

Connect to instance

Direct SSH or RDP

Use a standard SSH or RDP connection to reach the instance.

Requires knowing the Elastic or Private IP of the machine
The Security Group associated with the instance must allow inbound SSH or RDP connections
The SSH or RDP service must be configured and running on the machine
Since the authentication procedure is managed directly on the instance, no AWS credentials or keys are needed

EC2 Connect

A browser based shell leveraging temporary SSH keys as backed against IAM credentials. Can be accessed from the AWS dashboard or from the url below

Requires configuration of an agent on the target machine
In order to use this access method from a remote SSH Client, the SSH port must be reachable from the internet and the user must own valid IAM credentials

Direct URL:

https:/<region>.console.aws.amazon.com/ec2-instance-connect/ssh?region=<region>&connType=standard&instanceId=<instance id>osUser=<ec2 user>&sshPort=22#/

AWS SSM

AWS Simple System Management allows to install a package or run a command on a Linux or Windows server. This service can also be used to obtain a shell on the EC2 instance using the AWS Systems Manager Session Manager service.

Requires configuration of an agent on the target machine
The EC2 instance must own the correct IAM permissions to enable this service
The user must own valid IAM user credentials to use this service
Does not require direct network access to the instance

EC2 Serial Console

This method of authentication allows a user to authenticate on the EC2 instance only by knowing the host's username and password.

An administrator must enable the EC2 Serial Console for the whole region
Users on the instance must have a password defined, otherwise it will be impossible to login as them
Does not require valid IAM User credentials
Does not require direct network access to the EC2 instance

IMDS

IMDS vs IMDSv2

Authentication

While in IMDS it is possible to send a request without authentication, IMDSv2 requires to perform an authentication step and obtain a taken before sending API requests.

This code will request a token and store it into a variable. The TTL header can be set to any value in seconds.

IMDS_TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

Enable IMDSv2

Enable IMDv2 for current instance

aws ec2 modify-instance-metadata-options --instance-id <instance id> --http-tokens required --region <region>

One line command with required calls included

aws ec2 modify-instance-metadata-options --instance-id $(curl -s http://169.254.169.254/latest/meta-data/instance-id) --http-tokens required --region $(curl -s http://169.254.169.254/latest/meta-data/placement/region)

Get instance information

Get current role

curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/

Get instance ID

curl -s http://169.254.169.254/latest/meta-data/instance-id

Get instance region

curl -s http://169.254.169.254/latest/meta-data/placement/region

Get instance Availability Zone

curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone

PreviousFile upload to RCE Nextcloud-init Exploits

Last updated 1 year ago