Discovering and pillaging EBS
Amazon Elastic Block Store (Amazon EBS) provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. Amazon EBS volumes offer the consistent and low-latency performance needed to run your workloads.
This chapter is about finding a public EBS snapshot and working with it to discover interesting information.
In this exercise, we will:
1. Discover a snapshot that has been leaked accidentally on AWS
2. Make a volume out of it
3. Attach the volume to our attacker machine
4. Mount the partition and browse the file system to find interesting information
In the EC2 console, under Elastic Block Store > Snapshots, search for 'company secrets'.
You can also perform the above step using the AWS CLI. On the student machine, run the following command. The AWS CLI part of the command lists all the publicly accessible EBS snapshots in the us-east-1 region across AWS. We are using grep to identify public EBS snapshots with certain patterns.
This is a public snapshot from a different account, leaked accidentally.
Obtain the availability zone and instance ID of your attacker EC2 by running the command
Once the availability zone is obtained, insert it into the following command to create a new volume using the discovered snapshot
Once the volume is created, note the 'VolumeID'.
The next step is to attach the newly created volume to the EC2 attacker machine, using the instance ID of your attacker EC2 and the volume ID of the newly created volume
This may take some time. To check the status of the volume (it should say "in use")
Once the volume is attached, identify the partition using lsblk and mount it. Run the following commands on the attacker machine, as that is where the volume has been attached using the AWS CLI
Access the secret company data at /mnt/home/ubuntu/companydata
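
The leak this exercise relies on is a snapshot whose createVolumePermission includes the group "all". The following is an added example, not part of the original lab: an owner-side audit that classifies snapshot permission records and emits the AWS CLI command that removes public access. The snapshot IDs, account IDs and function names are constructed for illustration.

```python
import json

# Constructed sample data: one record per snapshot, in the shape returned by
# `aws ec2 describe-snapshot-attribute --attribute createVolumePermission`.
SAMPLE = json.loads("""
[
  {"SnapshotId": "snap-0aaaaaaaaaaaaaaa1", "CreateVolumePermissions": [{"Group": "all"}]},
  {"SnapshotId": "snap-0aaaaaaaaaaaaaaa2", "CreateVolumePermissions": [{"UserId": "111111111111"}]},
  {"SnapshotId": "snap-0aaaaaaaaaaaaaaa3", "CreateVolumePermissions": [{"UserId": "222222222222"}]},
  {"SnapshotId": "snap-0aaaaaaaaaaaaaaa4", "CreateVolumePermissions": []},
  {"SnapshotId": "snap-0aaaaaaaaaaaaaaa5",
   "CreateVolumePermissions": [{"UserId": "111111111111"}, {"Group": "all"}]}
]
""")


def classify(record, trusted_accounts=frozenset()):
    """Return the exposure level of one snapshot permission record."""
    perms = record.get("CreateVolumePermissions", [])
    # Group "all" means any AWS account can create a volume from the snapshot.
    if any(p.get("Group") == "all" for p in perms):
        return "public"
    shared_with = [p["UserId"] for p in perms if "UserId" in p]
    if any(acct not in trusted_accounts for acct in shared_with):
        return "shared-untrusted"
    return "shared-trusted" if shared_with else "private"


def audit(records, trusted_accounts=frozenset()):
    """Group snapshot IDs by exposure level."""
    findings = {}
    for rec in records:
        level = classify(rec, trusted_accounts)
        findings.setdefault(level, []).append(rec["SnapshotId"])
    return findings


def remediation_commands(records):
    """Build the CLI command that revokes public access for each public snapshot."""
    return [
        "aws ec2 modify-snapshot-attribute --snapshot-id " + rec["SnapshotId"]
        + " --attribute createVolumePermission --operation-type remove --group-names all"
        for rec in records if classify(rec) == "public"
    ]


if __name__ == "__main__":
    # 111111111111 is a constructed account ID standing in for a trusted partner account.
    print(json.dumps(audit(SAMPLE, {"111111111111"}), indent=2))
    print("\n".join(remediation_commands(SAMPLE)))
```
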