AWS Pentesting

Post Exploitation

This is a good place to start if you've got credentials.

Set credentials for the AWS CLI

Add the credentials to ~/.aws/credentials. It should look something like this:

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token=AQoDYXdzEJr...<remainder of security token>

Set the proper region in ~/.aws/config as well. You can get the region by running this command on the compromised instance:

curl http://169.254.169.254/latest/dynamic/instance-identity/document

An alternative with wget:

wget -O - -q http://169.254.169.254/latest/dynamic/instance-identity/document

~/.aws/config should then look something like this (the region will vary):

[default]
region = us-east-2
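
Seen from the defender's side, as an added example that is not part of the original page: if the keys above are an EC2 instance role's temporary credentials (an assumption), using them from another host shows up in CloudTrail as an AssumedRole session named after the instance ID but coming from an address the instance does not own. The sample records, the INSTANCE_IPS inventory and the function names are constructed for illustration.

```python
import ipaddress

# Constructed CloudTrail records (not real logs); the account ID, role name,
# instance ID and addresses are placeholders.
ROLE = "arn:aws:sts::111122223333:assumed-role/app-role/i-0123456789abcdef0"
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListAttachedRolePolicies",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/admin"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE}},
]

# Hypothetical inventory: instance ID -> addresses its API calls may come from.
INSTANCE_IPS = {"i-0123456789abcdef0": {"203.0.113.10", "10.0.1.25"}}

def instance_session(identity):
    """Return the instance ID when the caller is an EC2 instance-role session."""
    if identity.get("type") != "AssumedRole":
        return None
    session = identity.get("arn", "").rsplit("/", 1)[-1]
    return session if session.startswith("i-") else None

def find_offhost_use(events, inventory):
    """Flag instance-role API calls whose source IP is not the instance's own."""
    findings = []
    for ev in events:
        iid = instance_session(ev.get("userIdentity", {}))
        if iid is None:
            continue
        src = ev.get("sourceIPAddress", "")
        try:
            ipaddress.ip_address(src)
        except ValueError:
            continue  # service-originated call, e.g. "ec2.amazonaws.com"
        if src not in inventory.get(iid, set()):
            findings.append((iid, src, ev["eventSource"], ev["eventName"]))
    return findings
```

The inventory has to include NAT gateway and VPC endpoint addresses, otherwise legitimate calls from the instance are flagged as well.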

Pacu

Set the keys

This will import the keys from the default profile in ~/.aws/credentials:

import_keys default

Set the region

This will set the region to us-east-2:

set_regions us-east-2

Verify credentials

whoami

List modules

ls

Run module

This will run a module to enumerate permissions the current account has:

run iam__enum_permissions