Pawel Rzepa, profile picture
Uploaded byPawel Rzepa
PPTX, PDF107 views

Attacking aws workshops - teaser

This document announces a workshop on attacking AWS hosted by Pawel Rzepa. The workshop will include two hands-on labs: the first explores vulnerabilities in the S3 storage service by detecting and accessing a publicly available S3 bucket, and the second involves deploying a lab environment on EC2 to practice privilege escalation. Participants need an AWS account and basic AWS knowledge. The workshop is free and will be held on December 17th in Wroclaw, Poland, with both in-person and remote participation options.

Embed presentation

Download to read offline
www.securing.pl Pawel Rzepa (@Rzepsky) ATTACKING AWS workshop
www.securing.pl Prerequisites • What do you need to have to participate in this workshop? • AWS account • Basic understanding of AWS • SSH client • And… good mood  • During the workshop you’ll deploy the lab machine – all required stuff is there ;) • I’ll share the presentation with all step-by-step instructions – you’ll be able to go through all the steps after the workshop!
www.securing.pl Agenda • Preparing the lab • Vulnerabilities in S3 service - KrkAnalytica challenge • Privilege escalation (via EC2) • Clean the environment
www.securing.plwww.securing.pl LAB 1: VULNERABILITIES IN S3 SERVICE
www.securing.pl What we gonna do in this lab? • We’ll go through some theory of the problem and why this stuff is so important • Detect publicly available KrkAnalytica bucket • Explore the bucket’s content to find the public snapshot ID • Mount the snapshot and explore its content • Find the secret!
www.securing.plwww.securing.pl LAB 2: PRIVILEGE ESCALATION (VIA EC2)
www.securing.pl What we gonna do? • Deploy the lab (new account + EC2 instance) • Enumerate permissions • Attack!
www.securing.pl Passwords vs Keys Access key ID = AKIAJIS2NP37SW1AYBHA Secret access key = nTRcofv3N9ls6MqFhsR8lxQp+ NfoDv+2lXzv9nT Login = admin Password = Dupa.8 VS New User Data www.securing.biz
www.securing.pl Interested? • Join OWASP Meetup on 17th December in EY GDS building (address: Sucha 2, 50- 086 Wroclaw) at 18:00. -> https://www.meetup.com/owasp-poland/events/266995301/ • Participation in the workshop is for free!!! • Labs are hands-on – that’s the best way to learn and have a good time, but sits for people with laptops are limited, so please send me an email on pawel.rzepa@owasp.org, that you want to bring your own laptop! • If you want to just listen – no problem, you’re very welcome to join us! • Sooo… Can’t wait to see you there!

More Related Content

PDF
7 Apache Process Cloudstack Developer Day
byKimihiko Kitase
 
PDF
Your first c# app on OpenStack
byLiang Bo
 
PPTX
Flink Community Update April 2015
byRobert Metzger
 
PDF
Microservices and serverless in python projects
byJose Manuel Ortega Candel
 
PDF
Scala for java developers 6 may 2017 - yeni
byBaris Dere
 
PDF
Collaborative communication
byIcinga
 
PPTX
Icinga Camp Antwerp - Icinga2 Configuration
byIcinga
 
PDF
Icinga Director
byIcinga
 
7 Apache Process Cloudstack Developer Day
byKimihiko Kitase
 
Your first c# app on OpenStack
byLiang Bo
 
Flink Community Update April 2015
byRobert Metzger
 
Microservices and serverless in python projects
byJose Manuel Ortega Candel
 
Scala for java developers 6 may 2017 - yeni
byBaris Dere
 
Collaborative communication
byIcinga
 
Icinga Camp Antwerp - Icinga2 Configuration
byIcinga
 
Icinga Director
byIcinga
 

What's hot

ODP
On the Importance of Infrastructure as Code
byKris Buytaert
 
PDF
Aws lambda-beware-of-escapes
byMichael H. Oshita
 
PPTX
Nautilus
byINRIA-OAK
 
PDF
State of Development - Icinga Meetup Linz August 2019
byIcinga
 
PDF
Icinga Web 2 at Icinga Camp Antwerp
byIcinga
 
PPTX
So youwanttobeopenstackcontributor
byIccha Sethi
 
PPTX
Icinga Camp Bangalore - Icinga2 and Salt Stack at SnapDeal
byIcinga
 
PDF
Reactive Xamarin. UA Mobile 2016.
byUA Mobile
 
PDF
Icinga Web 2 is more
byIcinga
 
PPTX
OpenStack Documentation Projects and Processes
byAnne Gentle
 
PDF
Exploring the Scala ecosystem
byDenis
 
PPTX
Akkurate Akka
byYurii Ostapchuk
 
PDF
20140708 - Jeremy Edberg: How Netflix Delivers Software
byDevOps Chicago
 
PPTX
Open Source Monitoring with Icinga at Fossasia 2015
byIcinga
 
PDF
Icinga Camp Bangalore - Icinga2 and Ansible
byIcinga
 
PPTX
Blackhat Europe17 - Cloud Security Suite
byjayesh singh chauhan
 
PPT
Drupal and Elasticsearch
byNikolay Ignatov
 
KEY
Migrating big data
bylauraxthomson
 
KEY
Avoiding integration hell
byaaronbassett
 
PPTX
Codecamp Iasi 7 mai 2011 Exception tail.com
byCodecamp Romania
 
On the Importance of Infrastructure as Code
byKris Buytaert
 
Aws lambda-beware-of-escapes
byMichael H. Oshita
 
Nautilus
byINRIA-OAK
 
State of Development - Icinga Meetup Linz August 2019
byIcinga
 
Icinga Web 2 at Icinga Camp Antwerp
byIcinga
 
So youwanttobeopenstackcontributor
byIccha Sethi
 
Icinga Camp Bangalore - Icinga2 and Salt Stack at SnapDeal
byIcinga
 
Reactive Xamarin. UA Mobile 2016.
byUA Mobile
 
Icinga Web 2 is more
byIcinga
 
OpenStack Documentation Projects and Processes
byAnne Gentle
 
Exploring the Scala ecosystem
byDenis
 
Akkurate Akka
byYurii Ostapchuk
 
20140708 - Jeremy Edberg: How Netflix Delivers Software
byDevOps Chicago
 
Open Source Monitoring with Icinga at Fossasia 2015
byIcinga
 
Icinga Camp Bangalore - Icinga2 and Ansible
byIcinga
 
Blackhat Europe17 - Cloud Security Suite
byjayesh singh chauhan
 
Drupal and Elasticsearch
byNikolay Ignatov
 
Migrating big data
bylauraxthomson
 
Avoiding integration hell
byaaronbassett
 
Codecamp Iasi 7 mai 2011 Exception tail.com
byCodecamp Romania
 

Similar to Attacking aws workshops - teaser

PPTX
001 - Get acquainted with the AWS platform -- hide01.ir.pptx
bynitinscribd
 
PPTX
AWS Meet-up San Francisco: Cloud Security
byAaron Klein
 
PDF
Automated security analysis of aws clouds v1.0
byCSA Argentina
 
PPTX
PLNOG23 - Paweł Rzepa - Attacking AWS: the full cyber kill chain
byPROIDEA
 
PPTX
[Wroclaw #7] AWS (in)security - the devil is in the detail
byOWASP
 
PDF
Attacking AWS: the full cyber kill chain
bySecuRing
 
PPTX
DevSecCon Boston 2018: Inside an enterprise breach by Sam Bisbee
byDevSecCon
 
PDF
AWS Cloud Account Hacked
byAli Raza
 
PDF
Web Application Security: Introduction to common classes of security flaws an...
byThoughtworks
 
PDF
Tw noche geek quito webappsec
byThoughtworks
 
PDF
Serverless security: attack & defense
bySecuRing
 
PPTX
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
byGarth Boyd
 
PPT
Reading the Security Tea Leaves
byEd Bellis
 
001 - Get acquainted with the AWS platform -- hide01.ir.pptx
bynitinscribd
 
AWS Meet-up San Francisco: Cloud Security
byAaron Klein
 
Automated security analysis of aws clouds v1.0
byCSA Argentina
 
PLNOG23 - Paweł Rzepa - Attacking AWS: the full cyber kill chain
byPROIDEA
 
[Wroclaw #7] AWS (in)security - the devil is in the detail
byOWASP
 
Attacking AWS: the full cyber kill chain
bySecuRing
 
DevSecCon Boston 2018: Inside an enterprise breach by Sam Bisbee
byDevSecCon
 
AWS Cloud Account Hacked
byAli Raza
 
Web Application Security: Introduction to common classes of security flaws an...
byThoughtworks
 
Tw noche geek quito webappsec
byThoughtworks
 
Serverless security: attack & defense
bySecuRing
 
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
byGarth Boyd
 
Reading the Security Tea Leaves
byEd Bellis
 

More from Pawel Rzepa

PDF
Hunting for the secrets in a cloud forest
byPawel Rzepa
 
PPTX
Aws(in)security - the devil is in the detail
byPawel Rzepa
 
PPTX
Owasp for testing_mobile_apps_opd
byPawel Rzepa
 
PDF
Fuzzing underestimated method of finding hidden bugs
byPawel Rzepa
 
PPTX
Owasp mobile top 10
byPawel Rzepa
 
PPTX
Ataki po stronie klienta w publicznych punktach dostępowych
byPawel Rzepa
 
Hunting for the secrets in a cloud forest
byPawel Rzepa
 
Aws(in)security - the devil is in the detail
byPawel Rzepa
 
Owasp for testing_mobile_apps_opd
byPawel Rzepa
 
Fuzzing underestimated method of finding hidden bugs
byPawel Rzepa
 
Owasp mobile top 10
byPawel Rzepa
 
Ataki po stronie klienta w publicznych punktach dostępowych
byPawel Rzepa
 

Recently uploaded

PDF
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
PDF
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
 
PDF
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
PPTX
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
PDF
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
PPTX
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PDF
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PDF
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
PDF
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
PPTX
Cyber security chapter 1 for learning and educating to the students who want ...
byGulMohammadi
 
PDF
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
PPTX
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
NTG - Data Center Management System Software
byMustafa Kuğu
 
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
How to build hackthon projects from ZERO!
byishantyadav1111
 
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
Cyber security chapter 1 for learning and educating to the students who want ...
byGulMohammadi
 
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 

Attacking aws workshops - teaser

  • 1.
  • 2.
    www.securing.pl Prerequisites • What doyou need to have to participate in this workshop? • AWS account • Basic understanding of AWS • SSH client • And… good mood  • During the workshop you’ll deploy the lab machine – all required stuff is there ;) • I’ll share the presentation with all step-by-step instructions – you’ll be able to go through all the steps after the workshop!
  • 3.
    www.securing.pl Agenda • Preparing thelab • Vulnerabilities in S3 service - KrkAnalytica challenge • Privilege escalation (via EC2) • Clean the environment
  • 4.
  • 5.
    www.securing.pl What we gonnado in this lab? • We’ll go through some theory of the problem and why this stuff is so important • Detect publicly available KrkAnalytica bucket • Explore the bucket’s content to find the public snapshot ID • Mount the snapshot and explore its content • Find the secret!
  • 6.
  • 7.
    www.securing.pl What we gonnado? • Deploy the lab (new account + EC2 instance) • Enumerate permissions • Attack!
  • 8.
    www.securing.pl Passwords vs Keys Accesskey ID = AKIAJIS2NP37SW1AYBHA Secret access key = nTRcofv3N9ls6MqFhsR8lxQp+ NfoDv+2lXzv9nT Login = admin Password = Dupa.8 VS New User Data www.securing.biz
  • 9.
    www.securing.pl Interested? • Join OWASPMeetup on 17th December in EY GDS building (address: Sucha 2, 50- 086 Wroclaw) at 18:00. -> https://www.meetup.com/owasp-poland/events/266995301/ • Participation in the workshop is for free!!! • Labs are hands-on – that’s the best way to learn and have a good time, but sits for people with laptops are limited, so please send me an email on pawel.rzepa@owasp.org, that you want to bring your own laptop! • If you want to just listen – no problem, you’re very welcome to join us! • Sooo… Can’t wait to see you there!