Web Hacking Tips
Week 56 - Cloud SSRF PrivEsc

Last updated 2 years ago

Picture this: you discover Cloud SSRF on an engagement, and you’re staring at a set of access keys. If you’re anything like me, you’ll be thinking: now what?? In this post, I will document how to turn those keys into AWS Admin and RCE!

Most of the time with Cloud SSRF, you’ll be dealing with an AWS environment. This is because Google Cloud and Azure by default require a custom header to be passed in the SSRF request, which means that unless you can specify a custom header for the server to use, you will be SOL.

*Interesting to note: metadata SSRF can also be prevented in AWS by switching from IMDSv1 to IMDSv2.

Once you pull those access keys, the first step is to figure out what permissions they have associated with them. This can be done through two amazing tools: enumerate-iam and pacu (linked in comments). I will cover enumerate-iam first since it’s easier and has a lower learning curve. You can run it like this:

```bash
python3 enumerate-iam.py --access-key [access_key_here] --secret-key [secret_key_here] --session-token [session_token_here]
```

It will then go through and enumerate the permissions associated with the access key. Some dangerous permissions that could be used to further the severity are:

  • s3:ListBuckets => list out S3 buckets; probably some sensitive info in there
  • iam:PassRole and ec2:RunInstances => create an EC2 instance and pass an existing role to it. Then you have RCE on an OS in the AWS environment
  • iam:PutGroupPolicy or iam:PutUserPolicy => attach a policy with higher permissions to your own group/role
  • iam:CreatePolicyVersion => create a new version of your policy with higher permissions
  • iam:AddUserToGroup or iam:CreateAccessKey => add your user to a group with higher permissions

If you are lazy like me, you can automate this with aws_escalate.py (linked in comments).

Now onto Pacu. I like to call this tool the Metasploit of the cloud. It can have a steeper learning curve, but there is so much you can do with it once you get comfortable. Once set up, you can run the following module:

```
run iam__bruteforce_permissions
```

This will spit out your permissions associated with the access key. Say you don’t have Admin access. Just run the following module in Pacu:

```
run privesc_scan
```

If Pacu finds a PrivEsc route, it will automatically make you an Administrator. Doesn’t get much easier than that!

If you found this informative, please hit me with a re-post! I’m hoping to get to 10k followers here soon!
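As an added example (not code from the post or from enumerate-iam/Pacu), here is an offline check a defender can run over an IAM policy document to spot the escalation-capable permissions listed above, including the iam:PassRole + ec2:RunInstances combination, wildcard grants such as `iam:Create*`, and explicit Deny statements. The sample policy is constructed; the check ignores Resource and Condition constraints, so treat hits as leads to review rather than confirmed paths.

```python
import fnmatch
import json

# Escalation-capable actions named in the post. A multi-member set (PassRole
# AND RunInstances) is only flagged when every member is granted.
PRIVESC_PATTERNS = {
    "ec2-passrole-rce": {"iam:PassRole", "ec2:RunInstances"},
    "put-group-policy": {"iam:PutGroupPolicy"},
    "put-user-policy": {"iam:PutUserPolicy"},
    "create-policy-version": {"iam:CreatePolicyVersion"},
    "add-user-to-group": {"iam:AddUserToGroup"},
    "create-access-key": {"iam:CreateAccessKey"},
}


def _granted(action, policy):
    """True if `action` is allowed by some statement and not explicitly denied.
    Accepts the wildcard forms IAM allows in Action ("*", "iam:*", "iam:Put*").
    Simplification: Resource and Condition elements are not evaluated."""
    allowed = denied = False
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        # IAM action names are case-insensitive, so compare lower-cased.
        if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            if stmt.get("Effect") == "Allow":
                allowed = True
            elif stmt.get("Effect") == "Deny":
                denied = True
    return allowed and not denied


def find_privesc_paths(policy):
    """Return the sorted names of PRIVESC_PATTERNS fully granted by `policy`."""
    return sorted(name for name, needed in PRIVESC_PATTERNS.items()
                  if all(_granted(a, policy) for a in needed))


# Constructed sample policy (not from the post). The EC2 rights look harmless
# on their own, but iam:PassRole completes the path to an instance running
# with an attached role; the iam:Create* wildcard quietly includes
# CreateAccessKey, while the Deny removes CreatePolicyVersion from the list.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:Create*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:CreatePolicyVersion", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    print(find_privesc_paths(SAMPLE_POLICY))  # ['create-access-key', 'ec2-passrole-rce']
```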

#AppSec