Today you will learn about an app that lets you perform exploits against the Amazon cloud infrastructure and helps you understand cloud computing.
It will allow you to set up an environment to perform fingerprinting and exploits against the Amazon API.
To be able to do this in a legal environment you will have to use the nimbostratus-target found here:
This process is better known as pivoting in the Amazon clouds. The main goals are to gain knowledge about Amazon EC2:
-Enumerating access to the AWS services for the current IAM role.
-Using a poorly configured IAM role to create a new AWS user.
-Extracting the current AWS credentials from the meta-data, boto.cfg, the environment variables and more.
-Cloning the DB to access the information stored in a snapshot.
-Injecting a raw Celery task for a pickle attack.
For example, with the instance meta-data you will be able to get at this information:
-Local IP Address
-Instance Profile: with AWS API credentials.
-The Amazon Machine Images, AMI.
The Amazon EC2 instance will generate a script that will be run by the EC2 instance OS as one of the last boot steps. The script, which is also called "user data", is stored by AWS in the instance meta-data and retrieved by the OS when it boots.
On Ubuntu, the cloud-init daemon is responsible for retrieving and running the script.
User data scripts are the common way to configure Amazon EC2 instances, and their usual structure is as follows:
-Base package installation and updating
-Installing the Git Client
-Defining variables such as the source code repository URL, branch and SSH keys.
-Download the app source code used in this instance from the repository.
-Compiling and/or deploying the source code
-Starting the required daemons.
In most cases the repository holding the instance's app source code is private, so SSH keys are used to access it.
GitHub, BitBucket and other widely used source repositories call these "Deploy SSH Keys". The keys used to access the repository are normally hard-coded into the user data script or stored in an alternate location from which the script can download them.
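From the defender's side, the hard-coded keys described above can be caught before an instance is launched. The following is an added example, not part of the original article or of nimbostratus: a Python check that scans a user data script (plain text or base64-encoded, as the EC2 API returns it) for private key blocks and AWS key material. The patterns and the sample script are constructed for illustration.

```python
import base64
import binascii
import re

# Patterns for secrets commonly hard-coded in EC2 user data scripts (assumed set).
PATTERNS = {
    "private-key": re.compile(r"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws-secret-key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*\S+"),
}

# Constructed sample user data; the key ID is AWS's documented example value.
SAMPLE = """#!/bin/bash
apt-get update && apt-get install -y git
REPO=git@example.com:acme/app.git
cat > /root/.ssh/deploy_key <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
(constructed placeholder, not a real key)
-----END RSA PRIVATE KEY-----
EOF
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
git clone "$REPO" /srv/app
"""


def decode_user_data(raw):
    """Return user data as text; the EC2 API hands it back base64-encoded."""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return raw  # not valid base64, so treat it as plain text


def audit_user_data(raw):
    """Return (line_number, finding) pairs, in line order, for secrets found."""
    findings = []
    for number, line in enumerate(decode_user_data(raw).splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((number, name))
    return findings


if __name__ == "__main__":
    for number, name in audit_user_data(SAMPLE):
        print(f"line {number}: {name}")
```

Any finding means the secret is readable by whatever can query the instance meta-data, so it belongs in a secrets store or a narrowly scoped instance role rather than in the script.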
For further information and a full explanation follow the links at the end of the article.
Here is how to start the setup for this app:
git clone git@github.com:andresriancho/nimbostratus.git
cd nimbostratus
pip install -r requirements.txt
Providing AWS credentials
Some nimbostratus sub-commands require you to provide the AWS credentials. You can supply those with the following command line arguments:
--token, which is only used when the credentials were extracted from the instance profile.
This identifies the credentials available on this host and prints them out to the console. This is normally the first command you have to run after gaining access to the EC2 instance.
$ nimbostratus dump-credentials
Found credentials
Access key: ...
Secret key: ...
After you manage to get the credentials from the EC2 instance you've exploited, you are able to continue to work from any other host with internet access. Just remember: EC2 instances are in many cases spawned for a specific task and then terminated.
VERY IMPORTANT: This procedure will extract info from boto's credential configuration sources and from the instance meta-data. If the system uses other libraries to connect to AWS, the specific credentials won't be dumped.
For the full usage tutorial follow this link:
You can research now for yourself following these links from the authors:
Pivoting in Amazon Clouds ( PDF )
Also feel free to comment about the Amazon Cloud Exploiting tutorial.
By Dustin Greer.