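#!/usr/bin/env bash
# Lacework sample AWS exploit
# Creates a new user with power user privileges, then creates an S3 bucket and puts a file into it.
# The script then cleans up after itself, deleting the bucket and the user.
# Accepts an optional argument for the username that gets created, otherwise defaults to 'system'
#
# Purpose: produce a short, self-contained burst of suspicious-looking IAM/S3
# activity so the account's detections can be exercised; nothing created here
# is meant to outlive the run.
# Requires: aws, jq and curl on PATH, and caller credentials permitted to manage
# IAM users, access keys and policy attachments.
#
# Notes on this revision:
#  - bash shebang: the original used $'\e' and $RANDOM (bashisms) under /bin/sh.
#  - the new access key never touches disk (no creds.json, no persistent
#    ~/.aws/credentials profile) and is not exported; it is handed to the aws
#    CLI per command via as_new_user().
#  - an EXIT trap tears everything down on any failure, so a PowerUser IAM user
#    with a live key is not left behind when a step in the middle fails.
set -euo pipefail

red=$'\e[1;31m'
grn=$'\e[1;32m'
yel=$'\e[1;33m'
blu=$'\e[1;34m'
mag=$'\e[1;35m'
cyn=$'\e[1;36m'
end=$'\e[0m'

USERNAME=${1:-system}
readonly POLICY_ARN=arn:aws:iam::aws:policy/PowerUserAccess
readonly OBJECT_KEY=badfile.json
# Seconds to wait for IAM changes to propagate before the new key is used.
readonly PROPAGATION_WAIT=10

# Record of what has been created so far; teardown() only removes what is set.
user_created=
key_id=
secret=
bucket=
workdir=

die() { printf '%s%s%s\n' "$red" "$*" "$end" >&2; exit 1; }

#######################################
# Run an aws CLI command as the newly created user.
# Globals:   key_id, secret (read)
# Arguments: the aws subcommand and its options
# Credentials are scoped to this one process. AWS_SESSION_TOKEN is blanked so
# an operator's temporary session token is not combined with the new static key.
#######################################
as_new_user() {
  AWS_ACCESS_KEY_ID="$key_id" AWS_SECRET_ACCESS_KEY="$secret" AWS_SESSION_TOKEN= aws "$@"
}

#######################################
# Best-effort teardown of everything created so far, in reverse order.
# Globals:   bucket, key_id, secret, user_created, workdir (read and cleared)
# Errors are reported by the aws CLI but do not stop the remaining steps.
#######################################
teardown() {
  set +e
  if [[ -n "$bucket" ]]; then
    echo "${grn}Deleting file and S3 bucket...${end}"
    as_new_user s3api delete-object --bucket "$bucket" --key "$OBJECT_KEY"
    as_new_user s3api delete-bucket --bucket "$bucket"
    bucket=
  fi
  echo "${grn}Cleaning up...${end}"
  if [[ -n "$key_id" ]]; then
    aws iam delete-access-key --access-key-id "$key_id" --user-name "$USERNAME"
    key_id=
    secret=
  fi
  if [[ -n "$user_created" ]]; then
    aws iam detach-user-policy --user-name "$USERNAME" --policy-arn "$POLICY_ARN"
    aws iam delete-user --user-name "$USERNAME"
    user_created=
  fi
  if [[ -n "$workdir" ]]; then
    rm -rf -- "$workdir"
    workdir=
  fi
  set -e
}

#######################################
# EXIT handler: tears down on any exit path and preserves the exit status.
#######################################
on_exit() {
  local rc=$?
  trap - EXIT
  if (( rc != 0 )); then
    printf '%sFailed (exit %d); removing what was created so far...%s\n' "$yel" "$rc" "$end" >&2
  fi
  teardown
  exit "$rc"
}

main() {
  local tool
  for tool in aws jq curl; do
    command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
  done
  # IAM user names are 1-64 characters from [A-Za-z0-9+=,.@_-]; fail before creating anything.
  [[ "$USERNAME" =~ ^[A-Za-z0-9+=,.@_-]{1,64}$ ]] || die "invalid IAM user name: $USERNAME"

  trap on_exit EXIT
  umask 077
  workdir=$(mktemp -d) || die "mktemp failed"

  # Create a new IAM user
  echo "${grn}Creating a new IAM user called ${mag}$USERNAME${end}"
  echo ""
  aws iam create-user --user-name "$USERNAME" | jq .
  user_created=1

  # Keep the key material in variables only; never written to a file or exported.
  local creds
  creds=$(aws iam create-access-key --user-name "$USERNAME")
  key_id=$(printf '%s' "$creds" | jq -r .AccessKey.AccessKeyId)
  secret=$(printf '%s' "$creds" | jq -r .AccessKey.SecretAccessKey)
  [[ -n "$key_id" && "$key_id" != null && -n "$secret" && "$secret" != null ]] \
    || die "could not parse the new access key"

  echo ""
  echo "${grn}Granting PowerUser access to ${mag}$USERNAME${end}"
  aws iam attach-user-policy --user-name "$USERNAME" --policy-arn "$POLICY_ARN"

  # Here we start using the new user's creds
  echo ""
  echo "${grn}Creating a new S3 bucket and uploading a file...${end}"
  sleep "$PROPAGATION_WAIT"
  # Two $RANDOM draws: a single 0-32767 value collides too easily in S3's global namespace.
  local bucket_name="lacework-test-${RANDOM}${RANDOM}"
  as_new_user s3api create-bucket --bucket "$bucket_name" --region us-east-1 >/dev/null
  bucket=$bucket_name
  # Harmless public content stands in for "secret data"; -f turns an HTTP error into a failure.
  curl -fsS -H "Accept: application/json" https://icanhazdadjoke.com/ > "$workdir/$OBJECT_KEY"
  echo ""
  echo "${grn}Uploading secret data...${end}"
  as_new_user s3api put-object --bucket "$bucket" --key "$OBJECT_KEY" --body "$workdir/$OBJECT_KEY"
  echo ""
  echo "${grn}Data uploaded. Preparing to destroy...${end}"
  sleep "$PROPAGATION_WAIT"

  # Exit back out to our regular context
  teardown
  trap - EXIT
  echo ""
  echo "${cyn}Script complete. Check your Lacework console for activity in about an hour.${end}"
}

main "$@"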