/whoami
Welcome!
Welcome to HackToDef.com! I’m Eduard Agavriloae, a dedicated security researcher on a mission to help defenders fortify their environments by revealing how hackers can breach them.
This is what Hack to Def is about: showing relevant offensive techniques and how to defend against them.
Background
I have been learning and practicing offensive cybersecurity since 2017, and I have never been bored since.
I started doing Cloud Security Research in 2023, I was a Senior Penetration Tester for KPMG Romania from 2021, I have a Master's Degree in cybersecurity, and I worked as a Web Developer for 3 years.
I have extensive experience with Cloud Security (mostly AWS and focused on offensive), Web Application Security, Network Penetration Testing and Security Source Code Review. Along the way I got a few certifications such as OSCP, AWS Security Specialty, GIAC Cloud Penetration Tester and Certified Hybrid Multi-Cloud Red Team Specialist.
Research
AWS CloudQuarry: Digging for Secrets in Public AMIs (2024)
Money, secrets and mass exploitation: this research, done in collaboration with Matei Josephs, unveils a quarry of sensitive data stored in public AMIs. Digging through each AMI, we managed to collect 500 GB of credentials, private repositories, access keys and more. The article linked below is the detailed analysis of how we did it and what the data represents.
For this research we did a coordinated disclosure with AWS’s security team before publishing the article.
Link: https://securitycafe.ro/2024/05/08/aws-cloudquarry-digging-for-secrets-in-public-amis/
7 lesser-known AWS SSM Document techniques for code execution (2023)
This research is a deep dive into AWS SSM Run Command which shows that there are multiple documents attackers can use for executing code remotely on EC2 instances. In the article linked below I present 7 other documents that can be used when AWS-RunShellScript or AWS-RunPowerShellScript are not allowed.
Link: https://securitycafe.ro/2023/04/19/7-lesser-known-aws-ssm-document-techniques-for-code-execution/
Talks and presentations
In 2022 I gave my first talk, and since then I have been motivated to speak and present at security conferences and focus meetings.
Elevating Access: A Methodical Approach to Privilege Escalation in AWS (2024)
In this talk I show my methodology, techniques and tips from over 2 years of cloud projects in which I searched for, and achieved, privilege escalation through many different vectors.
Presented at:
- DefCamp Cluj-Napoca edition (Romania): https://www.youtube.com/watch?v=XTKtjhn3Dwc
AWS CloudQuarry: Digging for Secrets in Public AMIs (2024)
In this presentation I show the research done with Matei Josephs, in which we filtered and scanned over 3.1 million public AMIs from all AWS regions. The talk shows how we managed to find a solution for mass scanning the AMIs, along with the funny and not so funny results and conclusions we managed to gather.
Presented at:
- Hacknet Barcelona edition (Spain): no recording available
- DEF CON 32: coming soon
Cloud Security: Transitioning from Reactivity to Proactivity (2024)
This presentation was given for the Romanian chapter of the Cloud Security Alliance. Here I talk about the importance of cloud security, how "cloud" can also mean Kubernetes and CI/CD, and show some examples of misconfigurations inspired by engagements.
Link: https://www.youtube.com/watch?v=TVWCs401VIk
The C2 tool no one talks about: AWS SSM - Run Command (2023)
This talk is about how the Run Command feature of Systems Manager (SSM) can be used as a perfect C2 tool, even if you don't have network connectivity to the instance or even if the instance is private altogether. The talk is a deep dive into how this feature can be used offensively, presenting 7 lesser-known documents for RCE along with a tool I developed called EC2StepShell.
Presented at:
- Security Fest Sweden: https://www.youtube.com/watch?v=cn7XLaGmmCg
- RSTCon #3 (in Romanian): https://www.youtube.com/watch?v=6Wymc9US4Ik
- DefCamp Romania: https://www.youtube.com/watch?v=SKXzwDy4vkw
Cloud Configuration Review – The new internal pentest (2022)
This talk is about how the mentality around cloud security is the same as the old mentality about internal penetration testing: if something is in my internal network and can't be accessed by anyone from the internet, then I don't need to worry about it. As we know now, you should worry about the systems in your internal network, and the same mentality should be applied to cloud environments as well.
Presented at:
- DefCamp Romania: https://www.youtube.com/watch?v=eyIQ82vvGLk
CVEs, tools and other articles
CVEs
- Multiple reflected cross-site scripting (XSS) vulnerabilities in nasSvr.php in actidata actiNAS-SL-2U-8 3.2.03-SP1 allow remote attackers to inject arbitrary web script or HTML.
- Improper access control on nasSvr.php in actidata actiNAS SL 2U-8 RDX 3.2.03-SP1 allows remote attackers to read and modify different types of data without authentication.
- A site-wide directory listing vulnerability in /fm in actidata actiNAS SL 2U-8 RDX 3.2.03-SP1 allows remote attackers to list the files hosted by the web application.
Tools
CloudShovel
A tool for scanning public or private AMIs for sensitive files and secrets. The tool follows the AWS CloudQuarry research, in which we scanned 20k+ public AMIs.
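The kind of check CloudShovel and the CloudQuarry research automate, reduced to its core, is "mount the image, walk the filesystem, look for credential-shaped content". The following is an added example written for this page, not CloudShovel's code: it scans files for AWS access key IDs, AWS secret keys and private-key blocks, flags well-known sensitive paths even when nothing matches, and masks every hit so the report itself does not become a second leak. The file set, paths and the key values (AWS's documented example credentials) are constructed sample input; `scan_directory` does the same over a real mounted volume.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

# Credential-shaped content. AKIA/ASIA key IDs are a stable, low-noise signal;
# the secret-key pattern is anchored on the config key name so it does not fire
# on arbitrary base64.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})\b"
    ),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# Paths worth a manual look even when no pattern matches (shell history, SSH/AWS config).
SENSITIVE_SUFFIXES = (
    ".aws/credentials", ".ssh/id_rsa", ".ssh/id_ed25519",
    ".bash_history", ".git-credentials",
)

MAX_FILE_BYTES = 1024 * 1024  # skip large/binary blobs when walking a real volume


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    line: int      # 0 for a path-level finding
    sample: str    # masked excerpt, safe to put in a report


def mask(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so analysts can correlate hits without copying the secret."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    if path.endswith(SENSITIVE_SUFFIXES):
        findings.append(Finding(path, "sensitive_path", 0, ""))
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                # Use the capture group when the pattern has one (the secret key),
                # otherwise the whole match.
                hit = m.group(m.lastindex or 0)
                findings.append(Finding(path, kind, lineno, mask(hit)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} map (used for the constructed sample below)."""
    out: list[Finding] = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


def scan_directory(root: str) -> list[Finding]:
    """Scan a mounted volume, e.g. the snapshot of an AMI attached at /mnt/ami."""
    out: list[Finding] = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.stat().st_size > MAX_FILE_BYTES:
            continue
        text = p.read_bytes().decode("utf-8", errors="ignore")
        out.extend(scan_text(str(p), text))
    return out


# Constructed sample "filesystem". The key values are the example credentials
# from AWS's own documentation, not live secrets.
SAMPLE_FILES = {
    "/home/ec2-user/.aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "/home/ec2-user/.ssh/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "/var/log/cloud-init.log": "Cloud-init v. 22.2 running 'init' at Wed, 01 May 2024 10:00:00 +0000\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.kind:22} {f.path}:{f.line} {f.sample}")
```

Before publishing an image, run `scan_directory` against the mounted root volume and treat any `sensitive_path` or pattern hit as a blocker; the same scan over someone else's public AMI is exactly what turns a forgotten `.aws/credentials` into an account compromise.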
EC2StepShell
EC2StepShell is an AWS post-exploitation tool for getting high-privilege reverse shells on public or private EC2 instances.
fun-with-ssm
A repository with resources for AWS post-exploitation scenarios where you have the permission ssm:SendCommand, but you can't use the AWS-RunPowerShellScript or AWS-RunShellScript documents.
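The research, the talk and fun-with-ssm above share one defender-side lesson: blocking AWS-RunShellScript and AWS-RunPowerShellScript is not enough, because ssm:SendCommand with any other document still reaches the instance over the SSM channel, with no network path required. The following is an added example written for this page (not a tool from the author or the repository): it flags CloudTrail `SendCommand` events whose `documentName` is outside an allowlist, and builds an IAM statement that restricts `ssm:SendCommand` to those documents via resource-level permissions. The CloudTrail records are constructed samples with only the fields the check reads; the account ID, principal and document names are placeholders, and the policy's use of document ARNs as `ssm:SendCommand` resources is an assumption to validate with the IAM policy simulator for your account.

```python
from __future__ import annotations

import json

# Documents your operations team is allowed to run through ssm:SendCommand.
# Anything else reaching SendCommand is the "lesser-known document" case.
ALLOWED_DOCUMENTS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}


def targets_of(params: dict) -> list[str]:
    """Normalise SendCommand requestParameters: explicit instanceIds or tag/resource targets."""
    if params.get("instanceIds"):
        return list(params["instanceIds"])
    return [
        f"{t.get('key')}={','.join(t.get('values', []))}"
        for t in params.get("targets", [])
    ]


def suspicious_send_commands(records: list[dict], allowed=ALLOWED_DOCUMENTS) -> list[dict]:
    """Return one alert per SendCommand whose document is not on the allowlist."""
    alerts: list[dict] = []
    for rec in records:
        if rec.get("eventSource") != "ssm.amazonaws.com" or rec.get("eventName") != "SendCommand":
            continue
        params = rec.get("requestParameters") or {}
        doc = params.get("documentName", "")
        if doc in allowed:
            continue
        alerts.append({
            "time": rec.get("eventTime"),
            "principal": rec.get("userIdentity", {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "document": doc,
            "targets": targets_of(params),
        })
    return alerts


def send_command_policy(account_id: str, region: str = "*") -> dict:
    """IAM statement that lets a principal run only the allowlisted documents.

    Assumption (see lead-in): ssm:SendCommand honours resource-level permissions on
    both the document ARN and the instance ARN. Confirm with the IAM policy simulator
    before relying on it in production.
    """
    docs = [f"arn:aws:ssm:{region}:*:document/{d}" for d in sorted(ALLOWED_DOCUMENTS)]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SendCommandOnlyApprovedDocuments",
            "Effect": "Allow",
            "Action": "ssm:SendCommand",
            "Resource": docs + [f"arn:aws:ec2:{region}:{account_id}:instance/*"],
        }],
    }


# Constructed CloudTrail records (placeholder account, principals, IPs and instance IDs).
SAMPLE_TRAIL = [
    {
        "eventTime": "2024-06-01T10:00:00Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "SendCommand", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-admin"},
        "requestParameters": {"documentName": "AWS-RunShellScript",
                              "instanceIds": ["i-0123456789abcdef0"]},
    },
    {
        "eventTime": "2024-06-01T10:05:00Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "SendCommand", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"},
        # A customer-owned document: not on the allowlist, so it must be reviewed.
        "requestParameters": {"documentName": "BackupAgentInstall",
                              "targets": [{"key": "tag:env", "values": ["prod"]}]},
    },
    {
        "eventTime": "2024-06-01T10:05:30Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "GetCommandInvocation", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"},
        "requestParameters": {"commandId": "00000000-0000-0000-0000-000000000000"},
    },
]

if __name__ == "__main__":
    for alert in suspicious_send_commands(SAMPLE_TRAIL):
        print(json.dumps(alert))
    print(json.dumps(send_command_policy("111122223333"), indent=2))
```

Feed the detector from your CloudTrail archive (or an EventBridge rule on `ssm.amazonaws.com` / `SendCommand`) and keep the allowlist tight; the IAM statement is the preventive control for the same gap, and the two together close the scenario fun-with-ssm targets.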
Other articles
Since June 2024 this has been my official blogging platform; before that I wrote a series of articles on securitycafe.ro:
- 7 lesser-known AWS SSM Document techniques for code execution
- EC2StepShell: A Tool for Getting Reverse Shells on Instances with Network Restrictions
- AWS ssm:SendCommand or network agnostic built-in RCE as root
- AWS Enumeration – Part I (Where to start, Approaches and Tools)
Get in touch
I'm open to collaborations, workshops on cloud security, mentoring and chatting. Feel free to reach out to me on my social media accounts or via email 🤝
Thanks for being here,