/whoami

Welcome!

Welcome to HackToDef.com! I’m Eduard Agavriloae, a dedicated security researcher on a mission to help defenders fortify their environments by revealing how hackers can breach them.

This is what Hack to Def is about: showing relevant offensive techniques and how to defend against them.

Background

I have been learning and practicing offensive cybersecurity since 2017 and have never been bored since.

In 2023 I started doing Cloud Security Research; before that I was a Senior Penetration Tester at KPMG Romania from 2021. I hold a Master's Degree in cybersecurity and previously worked as a Web Developer for 3 years.

I have extensive experience with Cloud Security (mostly AWS and focused on offensive), Web Application Security, Network Penetration Testing and Security Source Code Review. Along the way I got a few certifications such as OSCP, AWS Security Specialty, GIAC Cloud Penetration Tester and Certified Hybrid Multi-Cloud Red Team Specialist.

Research

AWS CloudQuarry: Digging for Secrets in Public AMIs (2024)

Money, secrets and mass exploitation: this research, done in collaboration with Matei Josephs, unveils a quarry of sensitive data stored in public AMIs. Digging through each AMI, we managed to collect 500 GB of credentials, private repositories, access keys and more. The article linked below is a detailed analysis of how we did it and what the data represents.

For this research we did a coordinated disclosure with AWS’s security team before publishing the article.

Link: https://securitycafe.ro/2024/05/08/aws-cloudquarry-digging-for-secrets-in-public-amis/

7 lesser-known AWS SSM Document techniques for code execution (2023)

This research is a deep dive into AWS SSM Run Command which shows that there are multiple documents attackers can use for executing code remotely on EC2 instances. In the article linked below I present 7 other documents that can be used when AWS-RunShellScript or AWS-RunPowerShellScript are not allowed.

Link: https://securitycafe.ro/2023/04/19/7-lesser-known-aws-ssm-document-techniques-for-code-execution/

Talks and presentations

In 2022 I gave my first talk, and since then I have been motivated to speak and present at security conferences and focus meetings.

Elevating Access: A Methodical Approach to Privilege Escalation in AWS (2024)

In this talk I show my methodology, techniques and tips from over 2 years of cloud projects in which I searched for and exploited many different kinds of privilege escalation vectors.

Presented at:

AWS CloudQuarry: Digging for Secrets in Public AMIs (2024)

In this presentation I show the research done with Matei Josephs, in which we filtered and scanned over 3.1 million public AMIs from all AWS regions. The talk shows how we managed to find a solution for mass scanning the AMIs, along with the funny and not-so-funny results and conclusions we gathered.

Presented at:

  • Hacknet Barcelona edition (Spain): no recording available

  • DEF CON 32: coming soon

Cloud Security: Transitioning from Reactivity to Proactivity (2024)

This presentation was given for the Romanian chapter of the Cloud Security Alliance. In it I talk about the importance of cloud security, explain how "cloud" can also mean Kubernetes and CI/CD, and show some examples of misconfigurations inspired by engagements.

Link: https://www.youtube.com/watch?v=TVWCs401VIk

The C2 tool no one talks about: AWS SSM - Run Command (2023)

This talk is about how the Run Command feature of the Systems Manager (SSM) service can be used as a perfect C2 tool, even if you don't have network connectivity to the instance or even if the instance is private altogether. The talk is a deep dive into how this feature can be used offensively, presenting 7 lesser-known documents for RCE along with a tool I developed called EC2StepShell.

Presented at:

Cloud Configuration Review – The new internal pentest (2022)

This talk is about how the mentality around cloud security mirrors the old mentality about internal penetration testing: "if something is in my internal network and can't be accessed by anyone from the internet, then I don't need to worry about it." As we know now, you should worry about the systems in your internal network, and the same mentality should be applied to cloud environments as well.

Presented at DefCamp Romania:

Link: https://www.youtube.com/watch?v=eyIQ82vvGLk

CVEs

CVE-2023-51946

Multiple reflected cross-site scripting (XSS) vulnerabilities in nasSvr.php in actidata actiNAS-SL-2U-8 3.2.03-SP1 allow remote attackers to inject arbitrary web script or HTML.

CVE-2023-51947

Improper access control on nasSvr.php in actidata actiNAS SL 2U-8 RDX 3.2.03-SP1 allows remote attackers to read and modify different types of data without authentication.

CVE-2023-51948

A site-wide directory listing vulnerability in /fm in actidata actiNAS SL 2U-8 RDX 3.2.03-SP1 allows remote attackers to list the files hosted by the web application.

Tools

CloudShovel

A tool for scanning public or private AMIs for sensitive files and secrets. The tool builds on the AWS CloudQuarry research, in which we scanned 20k+ public AMIs.

EC2StepShell

EC2StepShell is an AWS post-exploitation tool for obtaining high-privilege reverse shells on public or private EC2 instances.

fun-with-ssm

A repository with resources for AWS post-exploitation scenarios in which you have the ssm:SendCommand permission but can't use the AWS-RunPowerShellScript or AWS-RunShellScript documents.

Since June 2024 this has been my official blogging platform, but in the past I wrote a series of articles on securitycafe.ro:

Get in touch

I'm open to collaborations, workshops on cloud security, mentoring and chatting. Feel free to reach out to me on my social media accounts or via email 🤝

Thanks for being here,

Eduard Agavriloae