Pacu

Introduction

Pacu is an open source AWS exploitation framework created and maintained by Rhino Security Labs to assist in offensive security testing against cloud environments. Pacu allows penetration testers to exploit configuration flaws within an AWS environment using an extensible collection of modules with a diverse feature-set. Current modules enable a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.

What we are going to cover

We will cover how to use Pacu, with a step-by-step guide to analysing and exploiting configuration flaws within an AWS environment.

Requirements

Pacu is a relatively simple program that requires Python 3 and pip to handle any module dependencies in the environment.

Installation

  1. Open your terminal and run the following command.

    git clone https://github.com/RhinoSecurityLabs/pacu.git

  2. Now install the pip dependencies.

    cd pacu && pip install -r requirements.txt

  3. You should now be able to run ./cli.py to start Pacu.

Steps to audit

  • The first time Pacu is launched, you will be prompted to start and name a new session.

  • This session will be used to store AWS key pairs, as well as any data obtained from running various modules. You can have any number of different sessions in Pacu, each with their own sets of AWS keys and data, and resume a session at any time (though a restart is currently required to switch between sessions). Enter any session name.

  • Set AWS access credentials in Pacu. Use any alias and enter the keys retrieved in step 1.

  • List the Pacu modules. There are a bunch of modules, and most of them are authenticated scans.


Running Privilege escalation module

  • Run the Pacu module to scan for any privilege escalations.

  • This cloud-dev user has multiple policy versions, one of which has high privileges.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "account:*",
                "Resource": "*"
            }
        ]
    }
  • The policy which has high privileges.

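
The finding above, a policy with several versions where one grants more than the rest, can be checked for from the defender's side. The following is an added example, not part of Pacu or the original page: it compares every non-default version of a policy against the default one and reports Allow actions the default does not already cover, since a permissive non-default version is a dormant grant. The function names, version IDs and the v1/v3 documents are constructed for illustration; v2 reuses the policy document shown above. It is a heuristic that looks only at Action patterns and ignores Resource, Condition and Deny statements.

```python
from fnmatch import fnmatchcase

# Constructed sample in the shape returned by IAM list_policy_versions /
# get_policy_version; version IDs and the v1/v3 documents are made up.
SAMPLE_VERSIONS = [
    {"VersionId": "v1", "IsDefaultVersion": True, "Document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}]}},
    {"VersionId": "v2", "IsDefaultVersion": False, "Document": {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                       "Action": "account:*", "Resource": "*"}]}},
    {"VersionId": "v3", "IsDefaultVersion": False, "Document": {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}}},
]


def allowed_actions(document):
    """Collect Action patterns from Allow statements (NotAction counts as '*')."""
    statements = document.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        value = stmt.get("Action", "*" if "NotAction" in stmt else [])
        actions.update([value] if isinstance(value, str) else value)
    return actions


def covered(action, patterns):
    """True if an Allow pattern in `patterns` already matches `action`."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def dormant_escalations(versions):
    """Map non-default VersionId -> Allow actions the default version lacks."""
    default = next(v for v in versions if v["IsDefaultVersion"])
    baseline = allowed_actions(default["Document"])
    findings = {}
    for v in versions:
        extra = sorted(a for a in allowed_actions(v["Document"])
                       if not covered(a, baseline))
        if extra and not v["IsDefaultVersion"]:
            findings[v["VersionId"]] = extra
    return findings
```

Calling dormant_escalations(SAMPLE_VERSIONS) reports only v2, because v3's single action is already matched by the default version's ec2:Describe* pattern.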

Additional references
