Hey all, here are the PoCs/posts for what I went over in the talk, in case you want to dig into any of them a bit more.
- cli-hijacker
- User data swap
- EC2FakeIMDS
- Route53 Authorization
# Works in bash, zsh untested | |
function assume() { | |
SOURCE_IDENTITY="" | |
TAG="" | |
RST="\033[0m" | |
GRN="\033[32m" | |
RED="\033[31m" |
#!/usr/bin/env python | |
import json | |
from dataclasses import dataclass | |
from pathlib import Path | |
from typing import List, Dict, Literal, Union, Optional | |
import typer | |
GetAccessKeyLastUsedRequest: ["AccessKeyId"] | |
GetContextKeysForCustomPolicyRequest: ["PolicyInputList"] | |
GetContextKeysForPrincipalPolicyRequest: ["PolicySourceArn"] | |
GetGroupRequest: ["GroupName"] | |
GetGroupPolicyRequest: ["GroupName","PolicyName"] | |
GetInstanceProfileRequest: ["InstanceProfileName"] | |
GetLoginProfileRequest: ["UserName"] | |
GetOpenIDConnectProviderRequest: ["OpenIDConnectProviderArn"] | |
GetOrganizationsAccessReportRequest: ["JobId"] | |
GetPolicyRequest: ["PolicyArn"] |
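# One-liner for copy/paste (`Bearer QQ==` is the anonymous placeholder token that ghcr.io accepts for public images, not a secret): | |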
# | |
# NAME=libtool VERSION=2.4.6_4; OSX_CODENAME=big_sur; curl -o "${NAME}-${VERSION}.${OSX_CODENAME}.bottle.tar.gz" -L -H 'Authorization: Bearer QQ==' -XGET "https://ghcr.io/v2/homebrew/core/${NAME}/blobs/sha256:$(curl -H 'Accept: application/vnd.oci.image.index.v1+json' -H 'Authorization: Bearer QQ==' -XGET https://ghcr.io/v2/homebrew/core/${NAME}/manifests/${VERSION} | jq '.manifests|.[]|select(.annotations."org.opencontainers.image.ref.name" == "'"${VERSION}.${OSX_CODENAME}"'")|.annotations."sh.brew.bottle.digest"' -r)" | |
# | |
# Formatted version: | |
NAME=libtool | |
VERSION=2.4.6_4 | |
OSX_CODENAME=big_sur |
package main | |
import ( | |
"bytes" | |
"context" | |
"fmt" | |
"github.com/aws/aws-sdk-go-v2/aws" | |
"github.com/aws/aws-sdk-go-v2/config" | |
"github.com/aws/aws-sdk-go-v2/service/s3" | |
"github.com/aws/smithy-go/middleware" |
Hey all, here are the PoCs/posts for what I went over in the talk, in case you want to dig into any of them a bit more.
# Sample the botocore repository once per year for the last nine years
# (0 through 8 years back from today) and print, per sample, the commit date
# followed on the same line by a count of entries under botocore/data.
# Uses BSD/macOS tooling (`date -v`, `find -E`). Each iteration checks out an
# old commit in the current work tree, so run this in a throwaway clone.
for years_back in $(seq 0 8); do
  # Newest commit on master dated before "today minus N years".
  # The expansion passed to checkout stays unquoted, as in the one-liner form.
  snapshot=$(git rev-list -1 --before="$(date -v-${years_back}y)" master)
  git checkout -q $snapshot

  # Author date (YYYY-MM-DD) of the checked-out commit, newline stripped so
  # the count is printed on the same line.
  git show --no-patch --no-notes --pretty="%as" |
    tr -d '\n'

  # Three listings are counted together: direct subdirectories of
  # botocore/data other than botocore/data/aws, direct subdirectories of
  # botocore/data/aws, and files directly inside botocore/data/aws whose name
  # matches the regex (no underscore in the name) -- presumably to cover the
  # different data layouts the repository used over the years; confirm.
  # stderr is discarded, so a find that fails (for example on a path missing
  # from that snapshot) adds nothing to the count instead of stopping the loop.
  # NOTE(review): `-type file` is kept exactly as written; confirm that the
  # find in use accepts it.
  {
    find -E botocore/data -type d -mindepth 1 -maxdepth 1 -not -path botocore/data/aws
    find -E botocore/data/aws -type d -mindepth 1 -maxdepth 1
    find -E botocore/data/aws -type file -regex '.*/[^/_]*.json' -mindepth 1 -maxdepth 1
  } 2>/dev/null |
    wc -l

  # Short pause between checkouts.
  sleep 0.2
done
#!/usr/bin/env bash | |
# | |
# Count AWS APIs on the closest commit before a specific date, by year. This takes into account | |
# different versions of the same API and only uses the newest. | |
# | |
set -euo pipefail | |
day="12-01" | |
for y in $(seq 2020 2015); do |
I hereby claim:
To claim this, I am signing this object: