From 51ad5f141c708d8c6765cc45e86a13ec60c559aa Mon Sep 17 00:00:00 2001 From: Vladyslav <68342736+VL4DYSL4V@users.noreply.github.com> Date: Thu, 5 Dec 2024 11:54:48 +0200 Subject: [PATCH 1/3] Added an SSM Port Forward post-exploitation technique Added an SSM Port Forward post-exploitation technique to pivot from locked down EC2 instances that do not have access to the Internet (aka Bastion hosts) --- .../README.md | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md b/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md index 479789aaba..37bcf14924 100644 --- a/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md +++ b/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md 
@@ -450,6 +450,47 @@ if __name__ == "__main__": main() ``` +### SSM Port Forwarding - **`ssm:StartSession` + +In addition to command execution, SSM allows for traffic tunneling which can be abused to pivot from EC2 instances that do not have network access because of Security Groups or NACLs. +One of the scenarios where this is useful is pivoting from a [Bastion Host](https://www.geeksforgeeks.org/what-is-aws-bastion-host/) to a private EKS cluster. + +> [!Error] +> In order to start a session you need the SessionManagerPlugin installed: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html + +1. Install the SessionManagerPlugin on your machine +2. Log in to the Bastion EC2 using the following command: + +```shell +aws ssm start-session --target "$INSTANCE_ID" +``` + +3. Get the Bastion EC2 AWS temporary credentials with the [Abusing SSRF in AWS EC2 environment](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#abusing-ssrf-in-aws-ec2-environment) script +4. Transfer the credentials to your own machine in the `$HOME/.aws/credentials` file as `[bastion-ec2]` profile +5. Log in to EKS as the Bastion EC2: + +```shell +aws eks update-kubeconfig --profile bastion-ec2 --region +``` + +6. Update the `server` field in `$HOME/.kube/config` file to point to `https://localhost` +7. Create an SSM tunnel as follows: + +```shell +sudo aws ssm start-session --target $INSTANCE_ID --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters '{"host":[""],"portNumber":["443"], "localPortNumber":["443"]}' --region +``` + +8. The traffic from the `kubectl` tool is now forwarded throug the SSM tunnel via the Bastion EC2 and you can access the private EKS cluster from your own machine by running: + +```shell +kubectl get pods --insecure-skip-tls-verify +``` + +Note that the SSL connections will fail unless you set the `--insecure-skip-tls-verify ` flag (or its equivalent in K8s audit tools). 
Seeing that the traffic is tunnelled through the secure AWS SSM tunnel, you are safe from any sort of MitM attacks. + +Finally, this technique is not specific to attacking private EKS clusters. You can set arbitrary domains and ports to pivot to any other AWS service or a custom application. + + {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) From 0afce5ffe218307705bfa4330cc9ddaea345b7ef Mon Sep 17 00:00:00 2001 From: Vladyslav <68342736+VL4DYSL4V@users.noreply.github.com> Date: Thu, 5 Dec 2024 11:58:25 +0200 Subject: [PATCH 2/3] Added an SSM Port Forward post-exploitation technique Added an SSM Port Forward post-exploitation technique that allows pivoting from EC2 instances that do not have access to the Internet (aka Bastion hosts) --- .../aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md b/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md index 37bcf14924..2b9a19915a 100644 --- a/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md +++ b/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md 
@@ -450,12 +450,14 @@ if __name__ == "__main__": main() ``` -### SSM Port Forwarding - **`ssm:StartSession` +### SSM Port Forwarding + +Required permissions: +- `ssm:StartSession` In addition to command execution, SSM allows for traffic tunneling which can be abused to pivot from EC2 instances that do not have network access because of Security Groups or NACLs. One of the scenarios where this is useful is pivoting from a [Bastion Host](https://www.geeksforgeeks.org/what-is-aws-bastion-host/) to a private EKS cluster. -> [!Error] > In order to start a session you need the SessionManagerPlugin installed: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html 1. Install the SessionManagerPlugin on your machine From be31e5b30063e79f09a330634ceb6ebbd81b4ef7 Mon Sep 17 00:00:00 2001 From: Vladyslav <68342736+VL4DYSL4V@users.noreply.github.com> Date: Thu, 5 Dec 2024 12:26:40 +0200 Subject: [PATCH 3/3] Fixed eks update-kubeconfig command --- .../aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md b/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md index 2b9a19915a..fa70a76008 100644 --- a/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md +++ b/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md @@ -472,7 +472,7 @@ aws ssm start-session --target "$INSTANCE_ID" 5. Log in to EKS as the Bastion EC2: ```shell -aws eks update-kubeconfig --profile bastion-ec2 --region +aws eks update-kubeconfig --profile bastion-ec2 --region --name ``` 6. Update the `server` field in `$HOME/.kube/config` file to point to `https://localhost`
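Review bot: the closing claim of the new section in the first patch ("you are safe from any sort of MitM attacks") does not hold while `--insecure-skip-tls-verify` is required: the SSM channel only protects the hop between your machine and the bastion, and kubectl, now talking to `https://localhost` with verification off, will accept any certificate presented by whatever answers on the far end of the forward. Suggest rewording that sentence and removing the need for the flag by keeping the real endpoint name for verification, e.g. a hosts-file entry mapping `<EKS_ENDPOINT_HOST>` to `127.0.0.1` with `server` left untouched, or `kubectl get pods --server https://localhost:443 --tls-server-name <EKS_ENDPOINT_HOST>`. Two more points in the same hunk: `sudo aws ssm start-session ...` runs the CLI as root, so it reads root's `~/.aws` configuration instead of the caller's credentials; binding a local port above 1024 (`"localPortNumber":["8443"]` and `https://localhost:8443` in the kubeconfig) avoids `sudo` entirely. The empty `"host":[""]` and the bare `--region` need visible placeholders such as `<EKS_ENDPOINT_HOST>` and `<REGION>`, "throug" should read "through", and there is a stray space inside `` `--insecure-skip-tls-verify ` ``.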
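Review bot: in the second patch, dropping `> [!Error]` leaves the SessionManagerPlugin requirement as a bare blockquote, which is not how this book marks callouts; the surrounding file already uses GitBook hints (see the `{% hint style="success" %}` block in the context of the first hunk), so wrap it as `{% hint style="warning" %} ... {% endhint %}`. The new "Required permissions" list would also be more accurate if it noted that `ssm:StartSession` has to be allowed on both the target instance and the `AWS-StartPortForwardingSessionToRemoteHost` document ARN, since Session Manager policies are commonly scoped to specific documents and a principal allowed to open an interactive shell is not automatically allowed to port-forward; from the defender's side, each such session is recorded in CloudTrail as a `StartSession` event whose request parameters carry the document name, which is what a detection for this technique should key on.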
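Review bot: the corrected line in the third patch, `aws eks update-kubeconfig --profile bastion-ec2 --region --name`, still carries no values, so the AWS CLI will read `--name` as the argument of `--region` and then fail on the missing cluster name; use explicit placeholders in the same style as `$INSTANCE_ID` two lines above, e.g. `aws eks update-kubeconfig --profile bastion-ec2 --region <REGION> --name <CLUSTER_NAME>`.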