EFS是什么
Amazon Elastic File System (EFS) 由 AWS 作为完全托管、可扩展且具有弹性的网络文件系统提供。该服务有助于创建和配置可由多个 EC2 实例和其他 AWS 服务同时访问的文件系统。EFS 的主要功能包括无需人工干预即可自动扩展、预置低延迟访问、支持高吞吐量工作负载、保证数据持久性以及与各种 AWS 安全机制无缝集成。
EFS就是由AWS提供的一个文件系统服务,有权限的EC2实例等可以挂载它从而访问EFS里的文件。
枚举
# Get filesystems and access policies (if any)aws efs describe-file-systemsaws efs describe-file-system-policy --file-system-id <id># Get subnetworks and IP addresses where you can find the file systemaws efs describe-mount-targets --file-system-id <id>aws efs describe-mount-target-security-groups --mount-target-id <id>aws ec2 describe-security-groups --group-ids <sg_id># Get other access pointsaws efs describe-access-points# Get replication configurationsaws efs describe-replication-configurations# Search for NFS in EC2 networkssudo nmap -T4 -Pn -p 2049 --open 10.10.10.0/20 # or /16 to be sure
环境搭建
先创建一个策略efs_lab_1_start:
{"Version": "2012-10-17","Statement": [{"Sid": "VisualEditor0","Effect": "Allow","Action": ["iam:ListPolicies","elasticfilesystem:DescribeBackupPolicy","elasticfilesystem:DescribeMountTargets","ec2:List*","elasticfilesystem:DescribeReplicationConfigurations","elasticfilesystem:Describe*","iam:ListRoles","elasticfilesystem:DescribeAccessPoints","elasticfilesystem:DescribeAccountPreferences","ec2:Describe*","elasticfilesystem:DescribeTags","elasticfilesystem:DescribeLifecycleConfiguration","ssm:Describe*","elasticfilesystem:DescribeFileSystemPolicy","iam:ListUsers","iam:ListGroups","elasticfilesystem:DescribeFileSystems","secretsmanager:ListSecrets","elasticfilesystem:DescribeMountTargetSecurityGroups"],"Resource": "*"},{"Sid": "VisualEditor1","Effect": "Allow","Action": "ssm:SendCommand","Resource": ["arn:aws:ssm:<region>::document/*","arn:aws:ec2:<region>:<account id>:instance/<instance id>"]}]}
然后创建一个用户efs-lab-1-start-point,并将efs_lab_1_start策略附加给它
然后创建一个VPC和子网
然后编辑默认的安全组,增加一条入站规则:允许VPC子网内的所有IP访问2049端口
![[AWS渗透]EFS](http://cn-sec.com/wp-content/uploads/2025/03/8-1742304521.png "[AWS渗透]EFS")
同时允许所有的出站流量
然后创建一台EC2实例,分配之前创建的用户、VPC、子网和安全组,并分配公网IP(否则无法连接)
然后创建一个EFS文件系统,同样分配之前创建的VPC、子网和安全组
这里一定要让EC2实例和EFS处于同一VPC、子网和安全组
利用过程
连接上EC2实例
先枚举EFS
$ aws efs describe-file-systems > 1.txt{..."FileSystemId": "<FileSystemId>",...}
可以看到:"FileSystemId": "<FileSystemId>"
使用上面查询到的 FileSystemId 查询挂载目标的信息
$ aws efs describe-mount-targets --file-system-id <FileSystemId>{..."MountTargetId": "<MountTargetId>","NetworkInterfaceId": "<NetworkInterfaceId>"...}
返回了挂载目标的唯一标识符:"MountTargetId": "<MountTargetId>"和弹性网络接口:"NetworkInterfaceId": "<NetworkInterfaceId>"
然后查询安全组ID:
$ aws efs describe-mount-target-security-groups --mount-target-id <MountTargetId>{"SecurityGroups": ["<SecurityGroups>"]}
然后查询安全组详细信息
aws ec2 describe-security-groups --group-ids <SecurityGroups> > 3.txt{...}
让AI解释一下结果:
入站规则:
允许所有流量到任意地址(0.0.0.0/0)。
出站规则:
允许所有流量到任意地址(0.0.0.0/0)。
所以我的EC2实例能连接这个EFS的2049端口,所以这台实例能挂载这个EFS
查询 弹性网络接口(Elastic Network Interface, ENI) 的详细信息,这条命令用于获取EFS的IP:
$ aws ec2 describe-network-interfaces --network-interface-ids <NetworkInterfaceId> > 2.txt{..."PrivateIpAddress": "<PrivateIpAddress>"...}
从返回中,我们可以看到EFS的IP地址:"PrivateIpAddress": "<PrivateIpAddress>"
然后挂载EFS:
$ mkdir /efs$ sudo mount -v -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport <PrivateIpAddress>:/ /efsmount.nfs4: timeout set for <time>mount.nfs4: trying text-based options 'nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport,addr=<PrivateIpAddress>,clientaddr=<clientaddr>'
挂载成功后往里面丢一个flag
touch flag.txtmv ./flag.txt /efs/flag.txt
然后查看文件:
cat /efs/flag.txtflag{3c4...}
如果最开始没有枚举EFS的权限,也可以用nmap扫描:
$ nmap -Pn -p 2049 --open <ip>/24...Nmap scan report for <ip>Host is up (0.00019s latency).PORT STATE SERVICE2049/tcp open nfsNmap done: 256 IP addresses (256 hosts up) scanned in 3.59 seconds
扫出IP后直接尝试挂载:
sudo mount -v -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport <ip>:/ /efs还原环境:
卸载挂载的EFS:
sudo umount /efs原文始发于微信公众号(不是黑客):[AWS渗透]EFS
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论