Greetings to everyone, I'm Mohammed Aldoub from Kuwait, and today I'm going to talk to you about AWS post-exploitation using the tool called BARQ. So, first of all, that's me, Mohammed Aldoub from Kuwait. I'm an independent security consultant in Kuwait. I worked on creating Kuwait's national infrastructure for PKI, cryptography, smart cards, authentication. So, I've been there, you know, in the government kitchen, doing national-size projects, even though national size for Kuwait is still pretty small. Then I delivered security trainings and workshops on the topics of cloud security, API security, application security, at Black Hat, for example, and all around the world. Now I'm focusing on the security of APIs and modern cloud applications. Now, to make a long story short, before I actually start, I want to share my resources. So, I'd like to share my resources before I actually start. Those two books have been really great for learning about AWS security and AWS exploitation and post-exploitation. So, I do definitely recommend you check out these two books. So, as I said, these two books are a great resource for AWS security. I do definitely recommend you check them out. And also, this is a tribute to a great friend of the AWS security community, Spencer Gietzen. He passed away this year, unfortunately. Spencer did a lot for the AWS security community and did a lot for me personally in terms of AWS security research, answering my questions. So, you will be missed dearly, Spencer. And Spencer is actually one of the people who worked on the Pacu AWS post-exploitation tool. So, now, why should we attack AWS services? Because AWS is the king of cloud services, with a market share of more than half of the market. AWS services are documented and widespread. So, they run the gamut from simple stuff like S3 buckets to Ground Station, satellite stations, all the way to AWS Infinidash. Just kidding about the last one. So, so many services in AWS.
So, you need to be really aware of how big your attack surface is when running an AWS cloud infrastructure. Now, let's talk about EC2 instances. Attacking EC2 instances is nothing special. So, you attack it like you attack any other application or server on the internet. So, exploit vulnerabilities in running daemons, like RDP exploits, try to exploit applications running on top of it, especially web applications. So, things like OS command injection, remote file includes, SSRF to access internal resources. However, EC2 instances can have some special properties that make attacking them a bit more special. So, for example, the internal metadata service that runs on an internal private IP inside each instance can be accessed using vulnerabilities like SSRF or LFI or even remote code execution. The internal metadata service can be used to expose AWS credentials for the instance that's running. And, for example, the user data startup scripts can be downloaded in order to discover sensitive data. So, the user data startup script is a script that you can run or set to bootstrap any running instance. When it starts, it runs that user data script. For example, updating stuff, pulling the latest source code from GitHub, things like that. So, sometimes they have interesting or sensitive data inside of these startup scripts, like credentials. The EBS volume that's attached to an instance can be, for example, detached and reattached to an attacker-controlled EC2 instance. So, an attacker, for example, could try to reattach that volume to his own instance. The EBS volume is like a cloud flash drive, like a cloud hard disk. So, you can just reattach it or copy it and attach it to your own instance. Then you can just browse around inside it to see what kind of interesting stuff you can find.
For example, if you're running an instance that is running Windows Active Directory, an attacker could use that to copy the NTDS.dit database that contains all the hashes for that Active Directory. Interestingly for AWS, there is also a very interesting opportunity for embezzlement. So, for example, a rogue admin or maybe a compromised account could create a very expensive AMI. An AMI is an Amazon Machine Image, and there is a marketplace for images that you can purchase. For example, any of the popular software tools that you want could potentially be available as an image in the marketplace. So, instead of you buying a regular license for a software, you actually buy a subscription to use that software inside AWS. So, AWS runs an instance that runs that licensed software for you. So, you pay AWS for running the cloud servers and you pay the software company, or the owner of that software, a license to use that software. So, you could, for example, create a very expensive AMI image and put it in the marketplace and then purchase that from accounts that you compromise, or maybe a rogue admin doing that to bill the enterprise from inside AWS itself. So, as far as billing is concerned, this is coming from your monthly AWS bill. Anyway, let's talk about BARQ. So, BARQ in Arabic means lightning, you know, cloud and lightning. So, BARQ is the word in Arabic for lightning. So, the reason I built BARQ is to serve my own needs while doing cloud penetration testing and cloud security consulting. So, sometimes in a cloud engagement, you find the AWS API keys somewhere. For example, an SSRF vulnerability, you find it, you social engineer an admin. You, for example, find it somewhere in the source code of an application or web application, or in a configuration file, for example. So, you obtain those API keys and they can be used to attack other AWS services.
For example, you can put that API key in your command line or programming languages, like, for example, the Boto3 SDK for Python. Anyway, I developed this tool, BARQ, to serve a specific need, which is that when you're running an EC2 instance, suppose the EC2 instance is already running and you want to have access inside it and you don't have the SSH key that was set for that EC2 instance. How can you SSH or maybe have a shell on that running instance? From the AWS API keys that you have, you can't really have direct access to those running EC2 servers if you don't have the SSH key, unless you use the SSM service, which is the session management service inside Amazon. That service is interesting because it exposes many APIs, including an API that actually allows you to run commands inside running instances, given, of course, they are running with a particular set of permissions. So, interestingly, that was a very manual process to do. So, I built BARQ to automate that aspect. So, BARQ is actually able to dump AWS-saved credentials from AWS Secrets Manager and Parameter Store, remotely control EC2 instances, Linux or Windows, without having access to the SSH key and, for example, get Metasploit Meterpreter reverse shells or regular bash shells on EC2 instances, dump metadata of EC2 instances and user data, dump Lambda code and Lambda function environment variables. And also, if you want to play with BARQ, it has a training mode that allows you to test it without messing with a production environment. So, that's what it looks like. In the training mode, you just go to the menu inside training mode and then you say start. It will create a temporary role for you and an instance for you. And once it's done with the training mode, it will destroy all of the resources it created for the training mode. So, you can just play with it safely without having to play with the currently running instances. And, of course, you can just...
One of the payloads available inside BARQ is to run Metasploit Meterpreter payloads on the running EC2 servers. So, for example, we're going to show a live demo with this one. And it can also dump AWS password secrets and parameters from the Parameter Store and the AWS Secrets Manager, which usually contain database passwords, keys, interesting stuff like that. When you start running BARQ, you say "AWS attack surface" to check what kind of stuff you have: Lambda functions, EC2 instances, security groups. And then you see details about these, and then you can launch further attacks on them. Now, I'm going to show you the demo for BARQ. So, let me show you my Kali terminal. Hopefully, that's very, very clear. So, I'm going to run BARQ. Now, I can run BARQ with different options. So, I'm going to show you the help options for BARQ. Of course, all the ASCII art and needed stuff. So, you can run it with the profile that you already have configured in your terminal, or you can set a certain key ID to supply the key and the secret, and the session token, for example, if you've got the credentials from an SSRF vulnerability on an EC2 instance. Now, I'm going to run BARQ. So now, BARQ, first of all, has many options. You see EC2 attacks, dumping secrets, training mode, and security groups, for example. But before all of that, we have to run the attack surface command, let's say, to check what kind of stuff we have in this target AWS account. So, I'm going to say attack surface. Now, it's going through all of the available regions inside Amazon Cloud to check all of the available instances, all of the available security groups. And then, once it finds anything interesting, it will show it to you. For example, this security group has the following IPs. This security group allows everyone to connect. And then it will go and search for other stuff like, for example, Lambda functions, EC2 instances, through all of the regions available. And of course...
Is there any way you can make that a bit larger for the people who are watching?

Sure, sure, sure. Okay, sure. So now, let's go check EC2 instances in all regions. So, for example, this is the Asia-Pacific region. I think this is maybe Canada, South Asia as well, maybe, or maybe... No, this is, I think, maybe, South Africa, or is it... Anyway, so it's going through all the regions now one by one. It could take some time, US West 2. So, it tries to do an extensive attack surface check on all the available instances and resources that we have. For example, so here it found some Lambda functions. Here it found some EC2 instances running. So, I can say, for example, show me all the Lambda functions. Now, I have all my... I can check the help menu. So, I can check, for example, for the current security groups that are available in all of the regions and all of the rules. So, I can check for anything that's maybe suspicious or interesting, certain IP addresses, for example. And then I can also check, for example, to dump the secrets in this account, and also go and dump all the secrets from the Parameter Store and the Secrets Manager from all the AWS regions. Then, if it finds anything interesting, it will post it to you and also will store it for you as a reference. So, you don't have to, like, for example, check the output for this command all the time. Now, of course, while it... It tries to keep on running. Maybe you can check some of the interesting stuff we have from before. Actually, let me scroll down all the way. So, anyway, we will see an example of how we can actually push a Meterpreter payload using the AWS services, the AWS Session Manager. So, interestingly, the AWS Session Manager is a service inside Amazon itself. So, as far as we are concerned, this attack looks like it's coming from inside Amazon itself, from inside the SSM service itself. That's the one that's actually running those commands.
Now, interestingly, it found many interesting secrets inside: passwords for databases, API keys. Of course, you can always show what you have collected using the command show secrets. So, it shows you all the secrets that it has found in your account. Now, let's say, for example, Lambda functions. Maybe I want to actually download a Lambda function that I have found, to download its source code and check what kind of stuff it contains. So, here it's going to show me all the available Lambda functions I have. I have this Lambda function, this Lambda function. I could, for example, give it the name of one of the Lambda functions to download. I'm going to say download this function for me, and then it's going to show me an address, a URL that I can actually use to download stuff. So, if I go, for example, and download this URL, it's going to download the function for me. I can just open it and try to see what kind of details it has inside of it. So, for example, this is the actual Lambda code itself that's running in this Lambda function. So, I can check the source code for anything interesting or maybe vulnerabilities so I can try to exploit them. Now, interestingly, going back to what we had in our BARQ tool, let's now do the EC2 attacks. So, I'm going to list all the instances I found, and I'm going to run one of the EC2 attacks against these instances. So, I could, for example, target all the instances I have or maybe just one of them. So, I'm going to use option two. Then I can just paste or maybe tab-complete the instance that I want to target based on its ID. So, I'm going to target this one, this Linux instance. This is the profile name that's running inside it. So, then I have many options. I can run any command I want. I can have a reverse shell. I can ask it to visit a URL. I can download the metadata inside it. I can display a file. For example, if I want to run a command, I'm going to choose number five. Enter the command to run, maybe whoami, for example.
So, probably it's going to run as root. And that's interesting. This attack runs as root. So, the SSM manager inside AWS, when it pushes those commands to run on those running EC2 instances, even if you don't have the SSH key, it runs them as root. So, that's an extra privilege for you. So, the output is root. Now, let's run another attack. See if we can get the Meterpreter shell against that running instance. So, I'm going to choose its ID. And I'm going to choose number four for the Metasploit one. Now, it says, give me the remote IP you want to connect back to. So, I'm going to give it the internal IP for my Kali machine. And then I'm going to give it the port. And then it asks what kind of payload you want to run. So, I'm going to choose payload number one. So, it says, if you want, you can just paste this command in your Kali server. But I already have my listener running. My listener is already ready for me, waiting for it. And that's the command that's being sent. That's the command that's being sent to the instance. So, it's a Python command to actually exploit this. Now, it should be running. We should have a session in a short while. Okay, so now I'm praying that it all works. Sessions. Okay, and we have a session. So, let's check this session. sessions -i and then session number one. And then we can see that we have a session inside. So, I can, for example, maybe run some commands like ps to check all of the processes running on that EC2 server. So, we can see, for example, that our command that actually ran the payload is the SSM manager that's running. So, now, of course, it timed out here because this command is taking a long time to run, because it's captured the session already. But otherwise, it's just going normally. So, for example, I can just, you know, see the help menu. And I can, for example, get a shell inside.
So, now I have a shell inside the server. whoami, I am root. Maybe some context to check if I'm actually running inside an EC2 server. So, interestingly, that's my EC2 image that's running. For example, I can maybe go back to our curl against the internal metadata service, which we discussed before. See if we can ask this one to respond to us. And yes, it does respond. So, this is obviously an EC2 server that's actually running for us. Now, I can run other types of attacks, for example. I can try to download the metadata inside it, for example, or maybe ask it to run any command I want, or a regular reverse shell. So, maybe display a file, to display the /etc/passwd file. So, now it's going to send the command to this instance and then it's going to display the file that's actually... Obviously, it worked. Now, it actually launched that command to show the /etc/passwd file on that remote EC2 instance, even though I don't have any access to it normally. I don't have the SSH key for that. But we're doing the access from inside AWS using the SSM feature inside AWS. And even though it's a well-documented feature, many, many security admins in AWS don't know about it. So, unless you actually know what you're looking for, this command will look as if it was coming from inside AWS. So, it's not coming from outside. So, maybe people might not find it, might not look for it properly in their logging systems. So, that's something to care about if you're running any cloud, let's say, environment. Now, if I were to run this against a bunch of EC2 instances, all of them, maybe I have like 10 EC2 instances, I can just choose number one. It will say, do you want to do this on all instances? Yes, I want. What kind of thing do you want to do? I'm going to actually run the command, which is, for example, cat /etc/passwd. Now, it's going to run it on all targets. It's going to ask you for a command for Linux instances and one for Windows, because they could be different.
For instance, I'm going to say, for example, whoami. And then it says, now it's going to launch the attack on all of them. If you want to check the results of those attacks on all of these instances, maybe 10 or 20 instances, you can check the command results option. So I'm going to say command results. Yes.

Sorry. I'm continuously interrupting you. Apologies. It's now at 39 minutes past. So just to give you an example. So you have about five minutes.

Excellent. Excellent. Yes, excellent. So now if I check the command result option, it's going to say, command ID. And then for this particular instance, the command result is success. And then it's going to give me the command output. So whatever commands I run on all of the instances that I have, it will go and run that command on all of these instances. And then it's going to report to me the output for that command. So obviously, BARQ can help you in launching attacks against many instances at the same time, or one particular instance that you want. And the attacks are very, let's say, customizable. You can use some of the ready ones, or you can just run any command that you want by yourself. So in a nutshell, that's what BARQ is. I can also show you the training mode, but it's going to take a few minutes. So otherwise, those are the available features inside BARQ so far. And of course, I'm going to keep on working on it. So for example, next for BARQ is to do more Lambda-focused attacks. You saw the attack where we downloaded the Lambda function; I'm going to add one where you can actually upload or backdoor the Lambda function. Do some persistence and backdooring to add, for example, utilizing or maybe abusing trust relationships between accounts, or maybe opening up some security groups, and also enable third-party module support and also a web interface API. So if you would like, if you think BARQ is interesting to help you in your penetration testing inside AWS, maybe you can contribute at this URL.
I'm not going to bite. I'm going to be very, very, very pleased with your contributions to BARQ. Now I'm finished and now it's time for questions. So if you have any questions, I'll be more than ready to answer.
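The talk's main point for defenders is that SSM-driven command execution looks like it comes from inside AWS, so nobody looks for it. As an added example that is not part of the talk or of BARQ, here is CloudTrail-based detection logic for exactly the two behaviours demonstrated: `SendCommand` invocations of the shell/PowerShell run documents (host reconnaissance, metadata-service reads, fan-out to many instances) and one principal sweeping `Describe*`/`List*` calls across many regions. The event records are constructed samples; the field names (`requestParameters.documentName`, `instanceIds`, `parameters.commands`) are assumed to match your trail and should be checked against a real record.

```python
# Added example (not BARQ code): detect SSM RunCommand-based post-exploitation in CloudTrail.
from collections import defaultdict

RUN_DOCS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}  # documents that execute arbitrary commands
IMDS = "169.254.169.254"        # instance metadata service address used in the talk
FANOUT_THRESHOLD = 3            # one SendCommand hitting this many instances is unusual for most ops teams
SWEEP_THRESHOLD = 4             # Describe/List calls from one principal in this many regions
ATTACKER = "arn:aws:iam::123456789012:user/leaked-key-user"   # constructed principal, not real


def _ev(name, region, src="ec2.amazonaws.com", **params):
    """Build a minimal constructed CloudTrail record (assumed field layout)."""
    return {"eventSource": src, "eventName": name, "awsRegion": region,
            "userIdentity": {"arn": ATTACKER}, "requestParameters": params}


# Constructed sample trail: three shell SendCommands like the demo, one benign agent update,
# and a DescribeInstances sweep across regions like the "attack surface" step.
SAMPLE_EVENTS = [
    _ev("SendCommand", "us-east-1", "ssm.amazonaws.com", documentName="AWS-RunShellScript",
        instanceIds=["i-0a1"], parameters={"commands": ["whoami"]}),
    _ev("SendCommand", "us-east-1", "ssm.amazonaws.com", documentName="AWS-RunShellScript",
        instanceIds=["i-0a1", "i-0a2", "i-0a3"], parameters={"commands": ["cat /etc/passwd"]}),
    _ev("SendCommand", "eu-west-1", "ssm.amazonaws.com", documentName="AWS-RunShellScript",
        instanceIds=["i-0b1"], parameters={"commands": ["curl http://169.254.169.254/latest/meta-data/"]}),
    _ev("SendCommand", "eu-west-1", "ssm.amazonaws.com", documentName="AWS-UpdateSSMAgent",
        instanceIds=["i-0b1"]),
] + [_ev("DescribeInstances", r) for r in ("us-east-1", "us-west-2", "eu-west-1", "ap-southeast-1")]


def send_command_findings(events):
    """Return one finding per SendCommand that runs a shell document and matches a demo pattern."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "ssm.amazonaws.com" or ev.get("eventName") != "SendCommand":
            continue
        params = ev.get("requestParameters", {})
        if params.get("documentName") not in RUN_DOCS:
            continue                                   # e.g. agent updates: not command execution
        cmds = " ".join(params.get("parameters", {}).get("commands", []))
        reasons = []
        if IMDS in cmds:
            reasons.append("command reads the instance metadata service")
        if len(params.get("instanceIds", [])) >= FANOUT_THRESHOLD:
            reasons.append("fan-out to %d instances" % len(params["instanceIds"]))
        if "/etc/passwd" in cmds or "whoami" in cmds:
            reasons.append("host reconnaissance command")
        if reasons:
            findings.append({"principal": ev["userIdentity"]["arn"],
                             "region": ev["awsRegion"], "reasons": reasons})
    return findings


def region_sweeps(events, threshold=SWEEP_THRESHOLD):
    """Principals whose Describe*/List* calls span at least `threshold` regions."""
    regions = defaultdict(set)
    for ev in events:
        if ev.get("eventName", "").startswith(("Describe", "List")):
            regions[ev["userIdentity"]["arn"]].add(ev["awsRegion"])
    return {arn: sorted(r) for arn, r in regions.items() if len(r) >= threshold}
```

Feed real CloudTrail records (the `Records` array of a trail file) into both functions; the thresholds are starting points to tune against your own baseline of legitimate SSM usage.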