Skip to content

Latest commit

 

History

History
51 lines (31 loc) · 3.74 KB

aws-ebs-privesc.md

File metadata and controls

51 lines (31 loc) · 3.74 KB

AWS - EBS Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

EBS

ebs:ListSnapshotBlocks, ebs:GetSnapshotBlock, ec2:DescribeSnapshots

An attacker with those will be able to potentially download and analyze volumes snapshots locally and search for sensitive information in them (like secrets or source code). Find how to do this in:

{% content-ref url="../aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md" %} aws-ebs-snapshot-dump.md {% endcontent-ref %}

Other permissions might be also useful such as: ec2:DescribeInstances, ec2:DescribeVolumes, ec2:DeleteSnapshot, ec2:CreateSnapshot, ec2:CreateTags

The tool https://github.com/Static-Flow/CloudCopy performs this attack to extract passwords from a domain controller.

Potential Impact: Indirect privesc by locating sensitive information in the snapshot (you could even get Active Directory passwords).

ec2:CreateSnapshot

Any AWS user possessing the EC2:CreateSnapshot permission can steal the hashes of all domain users by creating a snapshot of the Domain Controller mounting it to an instance they control and exporting the NTDS.dit and SYSTEM registry hive file for use with Impacket's secretsdump project.

You can use this tool to automate the attack: https://github.com/Static-Flow/CloudCopy or you could use one of the previous techniques after creating a snapshot.

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: