I pet a cat today and now my allergies are killing me, so obviously this calls for a follow up of, hey you found some #aws creds, what to do meow:

#cloud #hacking #Recon
👇
Step 1: First you gotta decide if this is more of a lazy space vibe kinda thing (A), or (B) calls for some illegal dirty acidcore and adjust your playlist accordingly:
A:
B: soundcloud.com/pitch1/i-can-h…
Next, drop the keys into your .aws credentials file. I typically name the first set "initial" and work with the --profile flag in the CLI, so I can keep track of where I am. Then check who you are first, with:
aws sts get-caller-identity --profile initial
Next up, there is a lot to look for: permissions, roles, services, resources etc. Today I will just show two basic examples of what to keep an eye out for.
EC2 is always interesting. You can look for instances with
aws ec2 describe-instances
but you can also check for instances which are directly tied to IAM via instance profile associations.
From there, enumerate further. A possible next step is to find a way to connect and try to get the instance metadata out, which could provide a new set of keys. That is an extra topic in itself. You still have the beat, still listening?
It is official #aws and #rootcathacking best practice to always listen to a good beat and take occasional dance breaks. I'm serious folks!
Then we look at Lambda functions, always a pawsible point of escalation:
aws lambda list-functions
Vulnerable lambdas, the ability to change their code, etc.: maaaany pawsibilities. Simply put, at some point you wanna achieve something like:
…h.execute-api.us-east-2.amazonaws.com/dev/system?cmd…
meaning any way to get a new set of keys, e.g. by reading the function's environment variables.
Also a whole topic in itself
You always wanna look for interesting policies. A quick way is just to use aws iam list-policies, but you can pipe and filter the output so you can tell AWS-managed from custom policies. Look at this output: the first one shows arn:aws:iam::aws <- meaning it's an AWS-managed policy.
The second one shows ....:iam::NUMBER (an account ID), meaning it's a custom policy and therefore always interesting. You can search for admin synonyms, or interesting names you already discovered; these can be anything, like vault, key, dev, aunt-mary.
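As an added example (not code from the thread), here is a small Python triage script that does what the Lambda and policy steps above describe: it separates AWS-managed from customer-managed policies in aws iam list-policies output by the account field of the ARN and flags custom policy names that match admin-style keywords, and it scans aws lambda list-functions output for functions whose environment variables carry credential-looking names. The two JSON documents embedded below are constructed samples, not real CLI output; the account id 123456789012, the function and policy names, and the keyword lists are assumptions. Seen from the defender's side, the same filters tell you which custom policies to review first and which functions are keeping secrets in plain environment variables instead of a secrets store.

```python
import json
import re

# Constructed sample of `aws iam list-policies` output (not real data).
SAMPLE_LIST_POLICIES = json.dumps({
    "Policies": [
        {"PolicyName": "AdministratorAccess",
         "Arn": "arn:aws:iam::aws:policy/AdministratorAccess", "AttachmentCount": 2},
        {"PolicyName": "vault-admin-rw",
         "Arn": "arn:aws:iam::123456789012:policy/vault-admin-rw", "AttachmentCount": 1},
        {"PolicyName": "dev-deploy",
         "Arn": "arn:aws:iam::123456789012:policy/dev-deploy", "AttachmentCount": 0},
        {"PolicyName": "ReadOnlyAccess",
         "Arn": "arn:aws:iam::aws:policy/ReadOnlyAccess", "AttachmentCount": 5},
    ]
})

# Constructed sample of `aws lambda list-functions` output (not real data).
SAMPLE_LIST_FUNCTIONS = json.dumps({
    "Functions": [
        {"FunctionName": "system-cmd",
         "Role": "arn:aws:iam::123456789012:role/lambda-admin",
         "Environment": {"Variables": {"DB_PASSWORD": "...", "API_KEY": "...", "STAGE": "dev"}}},
        {"FunctionName": "thumbnailer",
         "Role": "arn:aws:iam::123456789012:role/lambda-basic",
         "Environment": {"Variables": {"BUCKET": "images"}}},
        {"FunctionName": "ping",
         "Role": "arn:aws:iam::123456789012:role/lambda-basic"},
    ]
})

# Assumed keyword lists; extend with names you already discovered in the account.
INTERESTING_NAME = re.compile(r"admin|root|vault|key|secret|dev|prod", re.I)
SECRET_VAR = re.compile(r"pass(word)?|secret|token|key|cred", re.I)


def policy_owner(arn):
    """Return 'aws' for AWS-managed policies, else the 12-digit account id (customer-managed)."""
    # ARN layout: arn:partition:iam::ACCOUNT:policy/Name -- the account field is index 4
    return arn.split(":")[4]


def classify_policies(list_policies_json):
    """Split list-policies output into AWS-managed, customer-managed and 'interesting' custom names."""
    data = json.loads(list_policies_json)
    result = {"aws_managed": [], "customer_managed": [], "interesting": []}
    for policy in data["Policies"]:
        if policy_owner(policy["Arn"]) == "aws":
            result["aws_managed"].append(policy["PolicyName"])
            continue
        result["customer_managed"].append(policy["PolicyName"])
        if INTERESTING_NAME.search(policy["PolicyName"]):
            result["interesting"].append(policy["PolicyName"])
    return result


def lambdas_with_secret_env(list_functions_json):
    """Map function name -> sorted env var names that look like credentials."""
    data = json.loads(list_functions_json)
    findings = {}
    for fn in data["Functions"]:
        env = fn.get("Environment", {}).get("Variables", {})
        hits = sorted(name for name in env if SECRET_VAR.search(name))
        if hits:
            findings[fn["FunctionName"]] = hits
    return findings


if __name__ == "__main__":
    # In practice: aws iam list-policies --profile initial > policies.json, then load that file.
    print(json.dumps(classify_policies(SAMPLE_LIST_POLICIES), indent=2))
    print(json.dumps(lambdas_with_secret_env(SAMPLE_LIST_FUNCTIONS), indent=2))
```

The ARN account field is the reliable discriminator: AWS-managed policies always carry the literal account "aws", so anything else was created in the account and deserves a look. Matching on variable names rather than values keeps the script from ever printing the secrets themselves.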

More from @rootcathacking

Mar 1
So you found #aws creds to an S3, lets do some #cloud #hacking #recon:

👇
First of all, S3 stands for serious summertime sadness
and allows the general operations of:

list
get
put
delete

An S3 is a bucket and within a bucket there are objects. Basically an object can be any file. Objects have keys associated,
and a bucket name must be globally unique and not contain spaces or uppercase letters.
Example:
mrlee.s3.us-west-2.amazonaws.com/mafia/pizza.jpg

the bucket mrlee in the west region with an object pizza.jpg and a key of /mafia/pizza.jpg
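Here is an added Python example (not from the thread) that parses a virtual-hosted-style S3 URL like the one above into bucket, region and object key, and checks a bucket name against the naming rules. The thread states only the lowercase / no-spaces / globally-unique part; the length and character-set checks below are AWS's documented bucket-name rules (3-63 characters of lowercase letters, digits, dots and hyphens, starting and ending alphanumeric), and the example URLs other than mrlee's are constructed. Note that the object key is the path without the leading slash, since S3 keys do not carry one.

```python
import re
from urllib.parse import urlsplit

# Documented S3 bucket-name rules (AWS naming rules, beyond what the thread lists):
# 3-63 chars, lowercase letters, digits, dots and hyphens, alphanumeric at both ends.
BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

# Virtual-hosted-style host: <bucket>.s3.<region>.amazonaws.com
# (also accepts the legacy <bucket>.s3.amazonaws.com and <bucket>.s3-<region>.amazonaws.com forms).
# Non-greedy bucket match so a dotted bucket name stops at the first ".s3" label.
S3_HOST = re.compile(r"^(?P<bucket>.+?)\.s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com$")


def validate_bucket_name(name):
    """Return a list of rule violations; an empty list means the name is acceptable."""
    problems = []
    if " " in name:
        problems.append("contains spaces")
    if name != name.lower():
        problems.append("contains uppercase letters")
    if not BUCKET_NAME.fullmatch(name):
        problems.append("not 3-63 chars of [a-z0-9.-] starting and ending alphanumeric")
    return problems


def parse_s3_url(url):
    """Split a virtual-hosted-style S3 URL into bucket, region (None if absent) and object key."""
    if "://" not in url:
        url = "https://" + url          # the thread writes URLs without a scheme
    parts = urlsplit(url)
    match = S3_HOST.match(parts.hostname or "")
    if not match:
        raise ValueError("not a virtual-hosted-style S3 URL: " + url)
    # The object key is the path without the leading slash
    return {"bucket": match["bucket"], "region": match["region"], "key": parts.path.lstrip("/")}


if __name__ == "__main__":
    print(parse_s3_url("mrlee.s3.us-west-2.amazonaws.com/mafia/pizza.jpg"))
    print(validate_bucket_name("mrlee"), validate_bucket_name("Mr Lee"))
```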
Feb 28
So you wanna do some #azure #recon:

I give you a few pointers.
👇
Step 1: Say kiitos to @DrAzureAD, then install AADInternals, set your phasers to stun and your POWAHSHELL to German to ensure MAXIMUM efficiency.
To import the module you might have to set your execution pawlicy 🐾.
For maximum fun we can set this to
Set-ExecutionPolicy unrestricted
on our managed company super safe devices. Do some privesc first if needed 😀