fix ec2 + automation accounts

Carlos Polop
2025-01-10 12:59:11 +01:00
parent 6d926a6f72
commit d9f6b34673
7 changed files with 513 additions and 258 deletions

@@ -90,7 +90,7 @@ aws iam add-role-to-instance-profile --instance-profile-name <name> --role-name
If the **instance profile has a role** and the attacker **cannot remove it**, there is another workaround. He could **find** an **instance profile without a role** or **create a new one** (`iam:CreateInstanceProfile`), **add** the **role** to that **instance profile** (as previously discussed), and **associate the instance profile** compromised to a compromised i**nstance:**
- If the instance **doesn't have any instance** profile (`ec2:AssociateIamInstanceProfile`) \*
- If the instance **doesn't have any instance** profile (`ec2:AssociateIamInstanceProfile`)
```bash
aws ec2 associate-iam-instance-profile --iam-instance-profile Name=<value> --instance-id <value>
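Review bot: the bullet touched in this hunk still closes its bold span too early, so it emphasises "doesn't have any instance" and leaves "profile" outside; move the closing `**` to read `**doesn't have any instance profile**`. The context paragraph above it has a similar slip (`i**nstance:**`), and "associate the instance profile compromised to a compromised instance" is hard to parse, so both are worth cleaning up in the same pass as the trailing `\*` removal.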
@@ -102,7 +102,7 @@ aws ec2 associate-iam-instance-profile --iam-instance-profile Name=<value> --ins
With these permissions it's possible to change the instance profile associated to an instance so if the attack had already access to an instance he will be able to steal credentials for more instance profile roles changing the one associated with it.
- If it **has an instance profile**, you can **remove** the instance profile (`ec2:DisassociateIamInstanceProfile`) and **associate** it \*
- If it **has an instance profile**, you can **remove** the instance profile (`ec2:DisassociateIamInstanceProfile`) and **associate** it
```bash
aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-0d36d47ba15d7b4da
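Review bot: the `describe-iam-instance-profile-associations` example in this hunk hardcodes the instance ID `i-0d36d47ba15d7b4da`, while every other command in the section uses `<value>`; replace it with a placeholder so the docs do not carry a real-looking resource ID. In the context sentence above the bullet, "if the attack had already access" should read "if the attacker already had access". The bullet itself ends at "and **associate** it" without saying what is associated; naming the new instance profile there would make the step clear.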
@@ -110,13 +110,11 @@ aws ec2 disassociate-iam-instance-profile --association-id <value>
aws ec2 associate-iam-instance-profile --iam-instance-profile Name=<value> --instance-id <value>
```
- or **replace** the **instance profile** of the compromised instance (`ec2:ReplaceIamInstanceProfileAssociation`). \*
- or **replace** the **instance profile** of the compromised instance (`ec2:ReplaceIamInstanceProfileAssociation`).
````
```bash
aws ec2 replace-iam-instance-profile-association --iam-instance-profile Name=<value> --association-id <value>
```
````
**Potential Impact:** Direct privesc to a different EC2 role (you need to have compromised a AWS EC2 instance and some extra permission or specific instance profile status).
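Review bot: the last bullet in this hunk starts with a lowercase "or" while its sibling bullets start with "If", so it reads as a continuation of the previous item rather than a third option; rephrase it as a standalone bullet. The hunk header (13 lines down to 11) is consistent with dropping the two four-backtick wrapper lines around the `bash` fence, which matches the other two examples; please confirm the fence still renders under the list item. In the closing context line, "a AWS EC2 instance" should be "an AWS EC2 instance", and "some extra permission" could name the `ec2:` and `iam:` permissions listed in the bullets above.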