ssm post fix
carlospolop committed Dec 5, 2024
1 parent 08c8403 commit 4ec1029
Showing 1 changed file with 41 additions and 0 deletions.
Expand Up @@ -110,6 +110,47 @@ For [**more information check this**](../../aws-privilege-escalation/aws-ec2-pri
aws ec2 delete-flow-logs --flow-log-ids <flow_log_ids> --region <region>
```

### SSM Port Forwarding

Required permissions:
- `ssm:StartSession`

In addition to command execution, SSM allows for traffic tunneling which can be abused to pivot from EC2 instances that do not have network access because of Security Groups or NACLs.
One of the scenarios where this is useful is pivoting from a [Bastion Host](https://www.geeksforgeeks.org/what-is-aws-bastion-host/) to a private EKS cluster.

> In order to start a session you need the SessionManagerPlugin installed: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html
1. Install the SessionManagerPlugin on your machine
2. Log in to the Bastion EC2 using the following command:

```shell
aws ssm start-session --target "$INSTANCE_ID"
```

3. Get the Bastion EC2 AWS temporary credentials with the [Abusing SSRF in AWS EC2 environment](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#abusing-ssrf-in-aws-ec2-environment) script
4. Transfer the credentials to your own machine in the `$HOME/.aws/credentials` file as `[bastion-ec2]` profile
5. Log in to EKS as the Bastion EC2:

```shell
aws eks update-kubeconfig --profile bastion-ec2 --region <EKS-CLUSTER-REGION> --name <EKS-CLUSTER-NAME>
```

6. Update the `server` field in `$HOME/.kube/config` file to point to `https://localhost`
7. Create an SSM tunnel as follows:

```shell
sudo aws ssm start-session --target $INSTANCE_ID --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters '{"host":["<TARGET-IP-OR-DOMAIN>"],"portNumber":["443"], "localPortNumber":["443"]}' --region <BASTION-INSTANCE-REGION>
```
8. The traffic from the `kubectl` tool is now forwarded throug the SSM tunnel via the Bastion EC2 and you can access the private EKS cluster from your own machine by running:
```shell
kubectl get pods --insecure-skip-tls-verify
```

Note that the SSL connections will fail unless you set the `--insecure-skip-tls-verify ` flag (or its equivalent in K8s audit tools). Seeing that the traffic is tunnelled through the secure AWS SSM tunnel, you are safe from any sort of MitM attacks.

Finally, this technique is not specific to attacking private EKS clusters. You can set arbitrary domains and ports to pivot to any other AWS service or a custom application.


### Share AMI

{% code overflow="wrap" %}
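Review bot: The closing claim in the new "SSM Port Forwarding" section ("Seeing that the traffic is tunnelled through the secure AWS SSM tunnel, you are safe from any sort of MitM attacks") does not follow from the setup described: the SSM session only protects the hop between the local machine and the bastion, while the hop from the bastion to `<TARGET-IP-OR-DOMAIN>` relies on the TLS session that `--insecure-skip-tls-verify` has just stopped validating, so the text should not state that certificate checking can be dropped safely. The reason verification fails is only that the `server` field was rewritten to `https://localhost` in step 6, so the presented certificate's SAN no longer matches; a cleaner fix than skipping verification is to keep the real EKS endpoint hostname in the cluster entry's `tls-server-name` field (or map that hostname to 127.0.0.1 in `/etc/hosts` and leave `server` unchanged) so `kubectl` still validates the certificate through the tunnel, and to reword the note accordingly. Two smaller points in the same hunk: step 8 has the typo "throug" (should be "through"), and step 7 only needs `sudo` because `localPortNumber` is 443; using an unprivileged local port (for example 8443) and pointing the kubeconfig `server` at `https://localhost:8443` avoids running the AWS CLI as root.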
