RyanJarv

Keybase proof

I hereby claim:

• I am ryanjarv on github.
• I am jarv (https://keybase.io/jarv) on keybase.
• I have a public key ASACfHGzgHATBhGVD2yHMqxR3spcvlku-I6NFddD4sKAwwo

To claim this, I am signing this object:

RyanJarv

Echo Example

% cat echo.msh                              
#!/usr/local/bin/msh exec docker build -t {{.Name}} -f {{.Path}} {{.ContextDir}}; docker run {{.Name}} hello world
FROM alpine:3
ENTRYPOINT ["echo"]

% ./echo.msh                               

RyanJarv

#!/usr/bin/env bash
#
# Count AWS API's on the closest commit before a specific date by year. This takes into account
# different versions of the same API and only uses the newest.
#
set -euo pipefail

day="12-01" 

for y in $(seq 2020 2015); do

RyanJarv

for y in $(seq 0 8); do git checkout -q `git rev-list -1 --before="$(date -v-${y}y)" master`; git show --no-patch --no-notes --pretty="%as"|tr -d '\n'; { find -E botocore/data -type d -mindepth 1 -maxdepth 1 -not -path botocore/data/aws; find -E botocore/data/aws -type d -mindepth 1 -maxdepth 1; find -E botocore/data/aws -type file -regex '.*/[^/_]*.json' -mindepth 1 -maxdepth 1; } 2>/dev/null|wc -l; sleep 0.2 ; done

RyanJarv

Hey all, here's the PoC's/posts for what I went over in the talk in case you want to dig into any of them a bit more.

• cli-hijacker
  • Poc: https://github.com/RyanJarv/cli-hijacker-vagrant
• User data swap
  • Poc: https://github.com/RyanJarv/UserDataSwap
  • Post: https://blog.ryanjarv.sh/2020/11/27/backdooring-user-data.html
• EC2FakeIMDS
  • PoC: https://github.com/RyanJarv/EC2FakeImds
  • Post: https://blog.ryanjarv.sh/2020/10/19/imds-persistence.html
• Route53 Authorization

RyanJarv

package main

import (
	"bytes"
	"context"
	"fmt"
	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/s3"
	"github.com/aws/smithy-go/middleware"

RyanJarv

# Oneliner for copy/paste:
#
# NAME=libtool VERSION=2.4.6_4; OSX_CODENAME=big_sur; curl -o "${NAME}-${VERSION}.${OSX_CODENAME}.bottle.tar.gz" -L -H 'Authorization: Bearer QQ==' -XGET "https://ghcr.io/v2/homebrew/core/${NAME}/blobs/sha256:$(curl -H 'Accept: application/vnd.oci.image.index.v1+json' -H 'Authorization: Bearer QQ==' -XGET https://ghcr.io/v2/homebrew/core/${NAME}/manifests/${VERSION} | jq '.manifests|.[]|select(.annotations."org.opencontainers.image.ref.name" == "'"${VERSION}.${OSX_CODENAME}"'")|.annotations."sh.brew.bottle.digest"' -r)"
#
# Formatted version:

NAME=libtool
VERSION=2.4.6_4
OSX_CODENAME=big_sur

RyanJarv

GetAccessKeyLastUsedRequest: ["AccessKeyId"]
GetContextKeysForCustomPolicyRequest: ["PolicyInputList"]
GetContextKeysForPrincipalPolicyRequest: ["PolicySourceArn"]
GetGroupRequest: ["GroupName"]
GetGroupPolicyRequest: ["GroupName","PolicyName"]
GetInstanceProfileRequest: ["InstanceProfileName"]
GetLoginProfileRequest: ["UserName"]
GetOpenIDConnectProviderRequest: ["OpenIDConnectProviderArn"]
GetOrganizationsAccessReportRequest: ["JobId"]
GetPolicyRequest: ["PolicyArn"]

RyanJarv

#!/usr/bin/env python

import json
from dataclasses import dataclass
from pathlib import Path
from typing import List, Dict, Literal, Union, Optional

import typer

RyanJarv

# Works in bash, zsh untested

function assume() {
        SOURCE_IDENTITY=""
        TAG=""

        RST="\033[0m"
        GRN="\033[32m"
        RED="\033[31m"