Merge pull request #44 from Ari-Weinberg/master

arte-LaughingLion

pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md

@@ -45,6 +45,21 @@ make docker/build
 IMAGE="<download_file>.img" make docker/run #With the snapshot downloaded
 ```
 
+**Note** that dsnap will not allow you to download public snapshots. To circumvent this, you can make a copy of the snapshot in your personal account, and download that:
+```bash
+# Copy the snapshot
+aws ec2 copy-snapshot --source-region us-east-2 --source-snapshot-id snap-09cf5d9801f231c57 --destination-region us-east-2 --description "copy of snap-09cf5d9801f231c57"
+
+# View the snapshot info
+aws ec2 describe-snapshots --owner-ids self --region us-east-2
+
+# Download the snapshot. The ID is the copy from your account
+dsnap --region us-east-2 get snap-027da41be451109da
+
+# Delete the snapshot after downloading
+aws ec2 delete-snapshot --snapshot-id snap-027da41be451109da --region us-east-2
+```
+
 For more info on this technique check the original research in [https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/](https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/)
 
 You can do this with Pacu using the module [ebs\_\_download\_snapshots](https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details#ebs\_\_download\_snapshots)

pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md

@@ -51,6 +51,8 @@ aws ec2 describe-snapshots --restorable-by-user-ids all | jq '.Snapshots[] | sel
 ```
 {% endcode %}
 
+If you find a snapshot that is restorable by anyone, make sure to check [AWS - EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump) for directions on downloading and looting the snapshot.
+
 #### Public URL template
 
 ```bash