Getting past authentication in RDS

With the correct RDS permissions, we can potentially gain full access to any RDS database instance in our target account as the administrator user, which would grant us full access to the data stored within.

This attack process can be done manually, or with the rds__explore_snapshots Pacu module. The goal is to abuse RDS database instance backups to create a new copy of the existing databases with our own private access. If we gained access to RDS and there was a single instance and no backups, the process would entail the following steps:

  1. Create a snapshot of the running database instance.
  2. Restore that snapshot to a new database instance.
  3. Change the master password of our new database instance to something we know.
  4. Change the database to be publicly accessible and modify any security group rules to allow us inbound access to the correct ports.
  5. Connect to the database with the credentials we set.
  6. Use something like mysqldump to exfiltrate the entire database.

Once connected, it will be a complete copy of the single production database in the account, meaning we can do anything we want with it. A good move, depending on the amount of data in the database, would be to use a tool like mysqldump to exfiltrate the SQL database to comb manually or import it into another external database that isn't at risk of having access revoked at any point. Make sure to delete the snapshot you created of the original database and the database instance that you created when you're done; otherwise, you may run up some charges in the target account. That could be bad for a few reasons, including making your client angry and/or getting your activity caught by billing alerts.

It is a simple process to do manually, but often it will be a better decision to automate, so that you don't make any manual mistakes and screw up a production database in the process. You can simply run the following Pacu command to automate most of the process for all database instances (use the --regions flag for specific regions):

run rds__explore_snapshots

Part of the output from the rds__explore_snapshots module

The preceding screenshot shows part of the output from the rds__explore_snapshots module. It scans the regions you specify for RDS instances, lists their names, and prompts you whether to copy each one. If you select yes, it creates a snapshot of that database, restores the snapshot to a new database instance, modifies the master password, and then gives you the connection credentials. You can then dump the database with something like mysqldump or pull the specific data you need from it. When you press Enter in Pacu to move on to the next available database, the module deletes the database snapshot and database instance it just created. If the module fails at any point during the process, it will try to clean up any outstanding resources from previous runs the next time you run it, so you don't need to worry about deleting the resources it created for your attack.

Another interesting point about this attack on RDS is that modifying the master password is lumped in with a whole bunch of other configuration changes, so it isn't necessarily a highly monitored API call. The RDS ModifyDBInstance API is used to change the master password, but that same API is also used to modify networking settings, monitoring settings, authentication settings, logging settings, and a lot more, so a password reset does not stand out by event name alone.
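Because ModifyDBInstance covers so many unrelated changes, a detection has to look at the request parameters and at the sequence of calls rather than at the event name. The following script is an added example written for this page (it is not part of Pacu or the book) that runs two rules over CloudTrail records: a single-event rule that flags ModifyDBInstance calls carrying masterUserPassword or publiclyAccessible, and a sequence rule that ties together the snapshot, restore and password-reset steps listed above when one principal performs all three within a short window. The records are constructed samples modelled on the RDS CloudTrail event shape (eventSource, eventName, requestParameters with RDS's dBInstanceIdentifier casing); the principal ARNs, instance names and timestamps are made up.

```python
"""Detect the RDS snapshot-restore-and-reset pattern in CloudTrail records."""
from datetime import datetime, timedelta

# Constructed sample records, shaped like RDS CloudTrail events; not real logs.
# CloudTrail masks the password value itself, so only the key's presence matters.
SAMPLE_TRAIL = [
    {"eventTime": "2019-03-01T10:00:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CreateDBSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised-user"},
     "requestParameters": {"dBInstanceIdentifier": "prod-db",
                           "dBSnapshotIdentifier": "prod-db-copy"}},
    {"eventTime": "2019-03-01T10:12:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "RestoreDBInstanceFromDBSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised-user"},
     "requestParameters": {"dBInstanceIdentifier": "prod-db-restored",
                           "dBSnapshotIdentifier": "prod-db-copy",
                           "publiclyAccessible": True}},
    {"eventTime": "2019-03-01T10:25:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised-user"},
     "requestParameters": {"dBInstanceIdentifier": "prod-db-restored",
                           "masterUserPassword": "****",
                           "applyImmediately": True}},
    # Benign change by a DBA: same API, but no password reset and no exposure.
    {"eventTime": "2019-03-01T11:00:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dba"},
     "requestParameters": {"dBInstanceIdentifier": "prod-db",
                           "monitoringInterval": 60}},
]


def _ts(evt):
    return datetime.strptime(evt["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def password_or_exposure_changes(events):
    """Single-event rule: flag password resets and publiclyAccessible=true.

    Returns a list of (principal_arn, instance_id, reasons) tuples.
    """
    hits = []
    for evt in events:
        if evt.get("eventSource") != "rds.amazonaws.com":
            continue
        name = evt.get("eventName")
        params = evt.get("requestParameters") or {}
        reasons = []
        if name == "ModifyDBInstance" and "masterUserPassword" in params:
            reasons.append("masterUserPassword")
        if name in ("ModifyDBInstance", "RestoreDBInstanceFromDBSnapshot") \
                and params.get("publiclyAccessible") is True:
            reasons.append("publiclyAccessible")
        if reasons:
            hits.append((evt["userIdentity"]["arn"],
                         params.get("dBInstanceIdentifier"), reasons))
    return hits


def snapshot_restore_chains(events, window=timedelta(hours=2)):
    """Sequence rule: one principal snapshots an instance, restores that
    snapshot into a new instance, then resets the new instance's master
    password, all within `window`. Returns one dict per completed chain."""
    snapshots = {}  # (principal, snapshot_id) -> (source_instance, time)
    restored = {}   # (principal, new_instance) -> (snapshot_id, time)
    chains = []
    for evt in sorted(events, key=_ts):
        if evt.get("eventSource") != "rds.amazonaws.com":
            continue
        who = evt["userIdentity"]["arn"]
        params = evt.get("requestParameters") or {}
        name = evt.get("eventName")
        when = _ts(evt)
        if name == "CreateDBSnapshot":
            snapshots[(who, params.get("dBSnapshotIdentifier"))] = (
                params.get("dBInstanceIdentifier"), when)
        elif name == "RestoreDBInstanceFromDBSnapshot":
            key = (who, params.get("dBSnapshotIdentifier"))
            if key in snapshots and when - snapshots[key][1] <= window:
                restored[(who, params.get("dBInstanceIdentifier"))] = (key[1], when)
        elif name == "ModifyDBInstance" and "masterUserPassword" in params:
            key = (who, params.get("dBInstanceIdentifier"))
            if key in restored and when - restored[key][1] <= window:
                snap_id = restored[key][0]
                chains.append({"principal": who,
                               "source_instance": snapshots[(who, snap_id)][0],
                               "snapshot": snap_id,
                               "new_instance": key[1]})
    return chains


if __name__ == "__main__":
    for hit in password_or_exposure_changes(SAMPLE_TRAIL):
        print("suspicious change:", hit)
    for chain in snapshot_restore_chains(SAMPLE_TRAIL):
        print("snapshot-restore chain:", chain)
```

On the sample records the single-event rule flags the restore (made public) and the password reset but not the DBA's monitoring change, and the sequence rule links the three compromised-user events back to prod-db. In a real deployment the same logic would also watch the DeleteDBSnapshot and DeleteDBInstance calls the module issues during cleanup, since a quick create-then-delete of a snapshot named after a production instance is itself a useful signal.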
