mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2025-12-23 15:37:53 -08:00
175 lines
8.7 KiB
Markdown
# AWS - EFS Enum

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

{% endhint %}

## EFS

### Basic Information

Amazon Elastic File System (EFS) is presented as a **fully managed, scalable, and elastic network file system** by AWS. The service facilitates the creation and configuration of **file systems** that can be concurrently accessed by multiple EC2 instances and other AWS services. The key features of EFS include its ability to automatically scale without manual intervention, provide low-latency access, support high-throughput workloads, guarantee data durability, and seamlessly integrate with various AWS security mechanisms.

By **default**, the EFS path to mount will be **`/`**, but it could have a **different name**.

### Network Access

An EFS is created in a VPC and is **by default accessible in all the VPC subnetworks**. However, the EFS will have a Security Group. In order to **give an EC2 instance** (or any other AWS service) **access to mount the EFS**, the **EFS security group needs an inbound NFS** (port 2049) **rule allowing traffic from the EC2 instance's Security Group**.

Without this, you **won't be able to contact the NFS service**.

For more information about how to do this check: [https://stackoverflow.com/questions/38632222/aws-efs-connection-timeout-at-mount](https://stackoverflow.com/questions/38632222/aws-efs-connection-timeout-at-mount)

### Enumeration

```bash
# Get filesystems and access policies (if any)
aws efs describe-file-systems
aws efs describe-file-system-policy --file-system-id <id>

# Get subnetworks and IP addresses where you can find the file system
aws efs describe-mount-targets --file-system-id <id>
aws efs describe-mount-target-security-groups --mount-target-id <id>
aws ec2 describe-security-groups --group-ids <sg_id>

# Get other access points
aws efs describe-access-points

# Get replication configurations
aws efs describe-replication-configurations

# Search for NFS in EC2 networks
sudo nmap -T4 -Pn -p 2049 --open 10.10.10.0/20 # or /16 to be sure
```

{% hint style="danger" %}
It might be that the EFS mount target is inside the same VPC but in a different subnet. If you want to be sure you find all **EFS mount targets, it would be better to scan the `/16` netmask**.
{% endhint %}
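As an added example (not code from the HackTricks page), the following Python script consumes the JSON that `aws ec2 describe-security-groups` returns for the groups listed by `describe-mount-target-security-groups`, and answers the question from the Network Access section: can a client with a given source security group or source IP reach port 2049 through the mount target's group, and which groups admit NFS from a `/16` or wider range (the ones worth tightening). The sample JSON, group ids and CIDRs are constructed; `nfs_reachable`, `wide_open_nfs` and `_covers_nfs` are this example's own names, not AWS CLI features.

```python
"""Audit which security groups attached to EFS mount targets admit NFS (2049/tcp).

Added example, not code from the HackTricks page. Input is JSON in the shape
returned by `aws ec2 describe-security-groups --group-ids <sg_id>`.
"""
import ipaddress
import json

NFS_PORT = 2049

# Constructed sample (not real output): sg-efs-a allows NFS only from an instance
# security group; sg-efs-b allows all traffic from the whole VPC range.
SAMPLE_DESCRIBE_SGS = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-efs-a",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
                 "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-ec2-web"}]}
            ],
        },
        {
            "GroupId": "sg-efs-b",
            "IpPermissions": [
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "10.10.0.0/16"}], "UserIdGroupPairs": []}
            ],
        },
    ]
})


def _covers_nfs(perm):
    """True if an IpPermission entry spans 2049/tcp (or is an all-traffic rule)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= NFS_PORT <= perm.get("ToPort", 0)


def nfs_reachable(describe_sgs_json, source_sg_id=None, source_ip=None):
    """Return {GroupId: reason} for every group whose inbound rules admit NFS
    from the given source security group and/or source IPv4/IPv6 address.
    Only IpRanges and UserIdGroupPairs are examined (Ipv6Ranges and prefix
    lists are ignored in this simplified check)."""
    hits = {}
    src_ip = ipaddress.ip_address(source_ip) if source_ip else None
    for sg in json.loads(describe_sgs_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not _covers_nfs(perm):
                continue
            if source_sg_id and any(p.get("GroupId") == source_sg_id
                                    for p in perm.get("UserIdGroupPairs", [])):
                hits[sg["GroupId"]] = f"allowed from security group {source_sg_id}"
                break
            if src_ip is not None:
                for r in perm.get("IpRanges", []):
                    if src_ip in ipaddress.ip_network(r["CidrIp"], strict=False):
                        hits[sg["GroupId"]] = f"allowed from CIDR {r['CidrIp']}"
                        break
            if sg["GroupId"] in hits:
                break
    return hits


def wide_open_nfs(describe_sgs_json):
    """Return GroupIds whose NFS rule admits a /16 or wider CIDR, i.e. groups that
    expose the mount target to a whole VPC (or more) instead of a specific client SG."""
    wide = []
    for sg in json.loads(describe_sgs_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if _covers_nfs(perm) and any(
                    ipaddress.ip_network(r["CidrIp"], strict=False).prefixlen <= 16
                    for r in perm.get("IpRanges", [])):
                wide.append(sg["GroupId"])
                break
    return wide


if __name__ == "__main__":
    print(nfs_reachable(SAMPLE_DESCRIBE_SGS, source_sg_id="sg-ec2-web", source_ip="10.10.20.5"))
    print(wide_open_nfs(SAMPLE_DESCRIBE_SGS))
```

Save the CLI output to a file and load it in place of `SAMPLE_DESCRIBE_SGS`; a group reported by `wide_open_nfs` is the one to restrict to the specific client security group, which is also what makes the `/16` nmap sweep above find fewer targets.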

### Mount EFS

{% code overflow="wrap" %}
```bash
sudo mkdir /efs

## Mount a found EFS over plain NFS
sudo apt install nfs-common
sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport <IP>:/ /efs

## Mount with efs type
## You need to have installed the package amazon-efs-utils
sudo yum install amazon-efs-utils # If centos
sudo apt-get install amazon-efs-utils # If ubuntu
sudo mount -t efs <file-system-id/EFS DNS name>:/ /efs/
```
{% endcode %}

### IAM Access

By **default**, anyone with **network access to the EFS** will be able to mount it and **read and write it, even as the root user**. However, a File System policy could be in place that **only allows principals with specific IAM permissions** to access it.\
For example, this File System policy **won't even allow mounting** the file system if you **don't have the IAM permission**:

```json
{
    "Version": "2012-10-17",
    "Id": "efs-policy-wizard-2ca2ba76-5d83-40be-8557-8f6c19eaa797",
    "Statement": [
        {
            "Sid": "efs-statement-e7f4b04c-ad75-4a7f-a316-4e5d12f0dbf5",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "",
            "Resource": "arn:aws:elasticfilesystem:us-east-1:318142138553:file-system/fs-0ab66ad201b58a018",
            "Condition": {
                "Bool": {
                    "elasticfilesystem:AccessedViaMountTarget": "true"
                }
            }
        }
    ]
}
```

Or this will **prevent anonymous access**:

<figure><img src="../../../.gitbook/assets/image (278).png" alt=""><figcaption></figcaption></figure>

Note that to mount file systems protected by IAM you MUST use the type "efs" in the mount command:

```bash
sudo mkdir /efs
sudo mount -t efs -o tls,iam <file-system-id/EFS DNS name>:/ /efs/
# To use a different profile from ~/.aws/credentials
# you can use: -o tls,iam,awsprofile=namedprofile
```
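As an added example (not code from the HackTricks page, and not AWS's policy-evaluation engine), this Python script reads the output of `aws efs describe-file-system-policy --file-system-id <id>` (whose `Policy` field is a JSON string) or a bare policy document, and flags the weak configurations discussed in this section: no policy at all (the default, where anyone with network access can mount and write as root), an `Allow` to `Principal "*"` with no `Condition` (anonymous NFS clients admitted), `ClientRootAccess` being granted, and no `Deny` on `aws:SecureTransport=false` (mounts without the `tls` option accepted). The checks are deliberately simple heuristics; the sample policies, the `fs-EXAMPLE` id and the `111111111111` account id are constructed placeholders, and `audit_fs_policy` is this example's own name.

```python
"""Flag risky statements in an EFS file system policy.

Added example, not from the HackTricks page. The rules are heuristics that
mirror the points made in the IAM Access section, not AWS's full evaluation logic:
  * no policy                                  -> default policy: any network client, root included
  * Allow to Principal "*" with no Condition   -> anonymous NFS clients are admitted
  * Allow granting ClientRootAccess            -> NFS clients may act as root
  * no Deny on aws:SecureTransport=false       -> unencrypted mounts are accepted
"""
import json

CLIENT_ACTIONS = {"elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite",
                  "elasticfilesystem:ClientRootAccess"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_is_everyone(p):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if p == "*":
        return True
    return isinstance(p, dict) and "*" in _as_list(p.get("AWS", []))


def _actions(stmt):
    """Expand wildcards to the three NFS client actions; drop empty strings."""
    acts = set()
    for a in _as_list(stmt.get("Action", [])):
        if a in ("*", "elasticfilesystem:*"):
            acts |= CLIENT_ACTIONS
        elif a:
            acts.add(a)
    return acts


def audit_fs_policy(describe_policy_json):
    """Return a list of finding strings. The argument may be the full
    describe-file-system-policy response, a bare policy document, or None."""
    if describe_policy_json is None:
        return ["NO_POLICY: default policy in effect; any client with network access "
                "to a mount target can mount, read and write, including as root"]
    doc = json.loads(describe_policy_json)
    if "Policy" in doc:                      # describe-file-system-policy wrapper
        doc = json.loads(doc["Policy"])
    findings = []
    tls_enforced = False
    for stmt in _as_list(doc.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        effect = stmt.get("Effect")
        cond = stmt.get("Condition", {})
        if effect == "Deny" and cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            tls_enforced = True
        if effect != "Allow":
            continue
        acts = _actions(stmt)
        if _principal_is_everyone(stmt.get("Principal")) and not cond:
            findings.append(f"ANONYMOUS_ACCESS [{sid}]: Allow to Principal * with no "
                            f"Condition admits unauthenticated NFS clients")
        if "elasticfilesystem:ClientRootAccess" in acts:
            findings.append(f"ROOT_ACCESS [{sid}]: ClientRootAccess granted")
        if not acts:
            findings.append(f"EMPTY_ACTION [{sid}]: Allow statement grants no action")
    if not tls_enforced:
        findings.append("NO_TLS_ENFORCEMENT: no Deny on aws:SecureTransport=false, "
                        "so mounts without the tls option are accepted")
    return findings


# Constructed samples (placeholder account id and file system id). The first is
# the IAM-gated shape shown above plus a TLS-enforcing Deny; the second is wide open.
_FS_ARN = "arn:aws:elasticfilesystem:us-east-1:111111111111:file-system/fs-EXAMPLE"
SAMPLE_IAM_ONLY = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "iam-clients", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
         "Resource": _FS_ARN,
         "Condition": {"Bool": {"elasticfilesystem:AccessedViaMountTarget": "true"}}},
        {"Sid": "require-tls", "Effect": "Deny", "Principal": {"AWS": "*"},
         "Action": "*", "Resource": _FS_ARN,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})})

SAMPLE_WIDE_OPEN = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "everyone", "Effect": "Allow", "Principal": "*",
                   "Action": "elasticfilesystem:*", "Resource": "*"}]})

if __name__ == "__main__":
    for name, pol in (("none", None), ("iam-only", SAMPLE_IAM_ONLY), ("wide-open", SAMPLE_WIDE_OPEN)):
        print(name, audit_fs_policy(pol))
```

Run it over every file system returned by `describe-file-systems`; a file system with no policy, or with an `ANONYMOUS_ACCESS` finding, is one where the security group rules discussed under Network Access are the only thing standing between the VPC and the data.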

### Access Points

**Access points** are **application**-specific entry points **into an EFS file system** that make it easier to manage application access to shared datasets.

When you create an access point, you can **specify the owner and POSIX permissions** for the files and directories created through the access point. You can also **define a custom root directory** for the access point, either by specifying an existing directory or by creating a new one with the desired permissions. This allows you to **control access to your EFS file system on a per-application or per-user basis**, making it easier to manage and secure your shared file data.

**You can mount the File System from an access point with something like:**

```bash
# Use IAM if you need to use iam permissions
sudo mount -t efs -o tls,[iam],accesspoint=<access-point-id> \
    <file-system-id/EFS DNS> /efs/
```

{% hint style="warning" %}
Note that even when mounting through an access point you still need to be able to **contact the NFS service via the network**, and if the EFS has a file system **policy**, you need **enough IAM permissions** to mount it.
{% endhint %}

Access points can be used for the following purposes:

* **Simplify permissions management**: By defining a POSIX user and group for each access point, you can easily manage access permissions for different applications or users without modifying the underlying file system's permissions.
* **Enforce a root directory**: Access points can restrict access to a specific directory within the EFS file system, ensuring that each application or user operates within its designated folder. This helps prevent accidental data exposure or modification.
* **Easier file system access**: Access points can be associated with an AWS Lambda function or an AWS Fargate task, simplifying file system access for serverless and containerized applications.

## Privesc

{% content-ref url="../aws-privilege-escalation/aws-efs-privesc.md" %}
[aws-efs-privesc.md](../aws-privilege-escalation/aws-efs-privesc.md)
{% endcontent-ref %}

## Post Exploitation

{% content-ref url="../aws-post-exploitation/aws-efs-post-exploitation.md" %}
[aws-efs-post-exploitation.md](../aws-post-exploitation/aws-efs-post-exploitation.md)
{% endcontent-ref %}

## Persistence

{% content-ref url="../aws-persistence/aws-efs-persistence.md" %}
[aws-efs-persistence.md](../aws-persistence/aws-efs-persistence.md)
{% endcontent-ref %}
