Merge branch 'master' of github.com:HackTricks-wiki/hacktricks-cloud

HackTricks-wiki · Feb 4, 2025 · 856522b · 856522b
2 parents a71de9c + 357265a
commit 856522b
Showing 1 changed file with 100 additions and 0 deletions.
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md
@@ -123,6 +123,106 @@ Access points can be used for the following purposes:
 - **Enforce a root directory**: Access points can restrict access to a specific directory within the EFS file system, ensuring that each application or user operates within its designated folder. This helps prevent accidental data exposure or modification.
 - **Easier file system access**: Access points can be associated with an AWS Lambda function or an AWS Fargate task, simplifying file system access for serverless and containerized applications.
 
+## EFS IP address
+
+Using the information related to the EFS IP address, the following Python script can assist in retrieving details about the EFS system. This information is useful for building the mount system command or performing further enumeration with knowledge of the subnet ID. Additionally, the script shows access points, which can be valuable when the root directory or primary mount path is restricted. In such cases, the access points provide alternative paths to access sensitive information
+
+```bash
+Usage: python efs_ip_enum.py <IP_ADDRESS>
+```
+
+```python
+import boto3
+import sys
+
+def get_efs_info(ip_address):
+    try:
+        session = boto3.Session(profile_name="profile")
+        ec2_client = session.client('ec2')
+        efs_client = session.client('efs')
+
+        print(f"[*] Enumerating EFS information for IP address: {ip_address}\n")
+
+        try:
+            response = ec2_client.describe_network_interfaces(Filters=[
+                {'Name': 'addresses.private-ip-address', 'Values': [ip_address]}
+            ])
+
+            if not response['NetworkInterfaces']:
+                print(f"[!] No network interface found for IP address {ip_address}")
+                return
+
+            network_interface = response['NetworkInterfaces'][0]
+            network_interface_id = network_interface['NetworkInterfaceId']
+            print(f"[+] Found network interface: {network_interface_id}\n")
+        except Exception as e:
+            print(f"[!] Error retrieving network interface: {str(e)}")
+            return
+
+        try:
+            efs_response = efs_client.describe_file_systems()
+            file_systems = efs_response['FileSystems']
+        except Exception as e:
+            print(f"[!] Error retrieving EFS file systems: {str(e)}")
+            return
+
+        for fs in file_systems:
+            fs_id = fs['FileSystemId']
+
+            try:
+                mount_targets = efs_client.describe_mount_targets(FileSystemId=fs_id)['MountTargets']
+
+                for mt in mount_targets:
+                    if mt['NetworkInterfaceId'] == network_interface_id:
+                        try:
+                            policy = efs_client.describe_file_system_policy(FileSystemId=fs_id).get('Policy', 'No policy attached')
+                        except Exception as e:
+                            policy = f"Error retrieving policy: {str(e)}"
+
+                        print("[+] Found matching EFS File System:\n")
+                        print(f"    FileSystemId: {fs_id}")
+                        print(f"    MountTargetId: {mt['MountTargetId']}")
+                        print(f"    DNSName: {fs_id}.efs.{session.region_name}.amazonaws.com")
+                        print(f"    LifeCycleState: {mt['LifeCycleState']}")
+                        print(f"    SubnetId: {mt['SubnetId']}")
+                        print(f"    SecurityGroups: {', '.join(mt.get('SecurityGroups', [])) if mt.get('SecurityGroups') else 'None'}")
+                        print(f"    Policy: {policy}\n")
+
+                        try:
+                            access_points = efs_client.describe_access_points(FileSystemId=fs_id)['AccessPoints']
+
+                            if access_points:
+                                print(f"[+] Access Points for FileSystemId {fs_id}:")
+                                for ap in access_points:
+                                    print(f"    AccessPointId: {ap['AccessPointId']}")
+                                    print(f"    Name: {ap.get('Name', 'N/A')}")
+                                    print(f"    OwnerId: {ap['OwnerId']}")
+                                    posix_user = ap.get('PosixUser', {})
+                                    print(f"    PosixUser: UID={posix_user.get('Uid', 'N/A')}, GID={posix_user.get('Gid', 'N/A')}")
+                                    root_dir = ap.get('RootDirectory', {})
+                                    print(f"    RootDirectory: Path={root_dir.get('Path', 'N/A')}")
+                                    creation_info = root_dir.get('CreationInfo', {})
+                                    print(f"        CreationInfo: OwnerUID={creation_info.get('OwnerUid', 'N/A')}, OwnerGID={creation_info.get('OwnerGid', 'N/A')}, Permissions={creation_info.get('Permissions', 'N/A')}\n")
+                            else:
+                                print(f"[!] No Access Points found for FileSystemId {fs_id}\n")
+                        except Exception as e:
+                            print(f"[!] Error retrieving access points for FileSystemId {fs_id}: {str(e)}\n")
+            except Exception as e:
+                print(f"[!] Error processing file system {fs_id}: {str(e)}\n")
+
+    except Exception as e:
+        print(f"[!] General Error: {str(e)}\n")
+
+if __name__ == "__main__":
+    if len(sys.argv) != 2:
+        print("Usage: python efs_enum.py <IP_ADDRESS>")
+        sys.exit(1)
+
+    ip_address = sys.argv[1]
+    get_efs_info(ip_address)
+
+```
+
 ## Privesc
 
 {{#ref}}