AWS - Elastic Beanstalk Privesc
Elastic Beanstalk
More info about Elastic Beanstalk in:
AWS - Elastic Beanstalk Enum
In order to perform sensitive actions in Beanstalk you will need to have a lot of sensitive permissions in a lot of different services. You can check, for example, the permissions given to arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk.
elasticbeanstalk:RebuildEnvironment, S3 write permissions & many others
With write permissions over the S3 bucket containing the code of the environment and permissions to rebuild the application (elasticbeanstalk:RebuildEnvironment is needed, plus a few more related to S3, EC2 and CloudFormation), you can modify the code and rebuild the app; the next time you access the app it will execute your new code, allowing the attacker to compromise the application and its IAM role credentials.
elasticbeanstalk:CreateApplication, elasticbeanstalk:CreateEnvironment, elasticbeanstalk:CreateApplicationVersion, elasticbeanstalk:UpdateEnvironment, iam:PassRole, and more...
The permissions mentioned, plus several S3, EC2, cloudformation, autoscaling and elasticloadbalancing permissions, are the ones necessary to create a raw Elastic Beanstalk scenario from scratch.
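A defender-side check for the permission sets named in this page's section headings, as an added example (not code from the original page): it evaluates IAM identity policy documents and reports which of those sets a principal fully holds. The set labels, `s3:PutObject` as the stand-in for "S3 write permissions", and the sample policy are assumptions constructed for the example.

```python
import fnmatch

# Permission sets from this page's headings; the set names are labels chosen for
# this example, and s3:PutObject is an assumed stand-in for "S3 write permissions".
RISKY_SETS = {
    "rebuild-with-s3-write": ["elasticbeanstalk:RebuildEnvironment", "s3:PutObject"],
    "create-from-scratch": [
        "elasticbeanstalk:CreateApplication", "elasticbeanstalk:CreateEnvironment",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:UpdateEnvironment", "iam:PassRole"],
    "deploy-to-existing": [
        "elasticbeanstalk:CreateApplicationVersion", "elasticbeanstalk:UpdateEnvironment",
        "cloudformation:GetTemplate", "cloudformation:DescribeStackResources",
        "cloudformation:DescribeStackResource",
        "autoscaling:DescribeAutoScalingGroups", "autoscaling:SuspendProcesses"],
}

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _matches(action, patterns):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def allowed(action, policies):
    """True if some statement allows `action` and no blanket Deny covers it."""
    ok = False
    for policy in policies:
        for st in _as_list(policy.get("Statement")):
            if "Action" in st:
                hit = _matches(action, _as_list(st["Action"]))
            elif "NotAction" in st:
                hit = not _matches(action, _as_list(st["NotAction"]))
            else:
                continue
            if hit and st.get("Effect") == "Deny":
                # A scoped or conditional Deny may not apply, so only an
                # unconditional Deny on every resource rules the action out.
                if "*" in _as_list(st.get("Resource")) and "Condition" not in st:
                    return False
            elif hit and st.get("Effect") == "Allow":
                ok = True  # Resource/Condition ignored: over-reports on purpose
    return ok

def risky_sets(policies):
    return sorted(name for name, acts in RISKY_SETS.items()
                  if all(allowed(a, policies) for a in acts))

# Constructed sample: the identity policy attached to one role.
SAMPLE = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["elasticbeanstalk:*", "s3:Put*", "cloudformation:*", "autoscaling:*"]},
    {"Effect": "Deny", "Action": "elasticbeanstalk:CreateEnvironment", "Resource": "*"}]}]
```

The check ignores `Resource` and `Condition` on Allow statements, so a hit means the set is worth a manual review, not that it is exploitable as-is.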
Create an AWS Elastic Beanstalk application:
Create an AWS Elastic Beanstalk environment (supported platforms):
If an environment already exists and you don't want to create a new one, you can just update the existing one.
Package your application code and dependencies into a ZIP file:
Upload the ZIP file to an S3 bucket:
Create an AWS Elastic Beanstalk application version:
Deploy the application version to your AWS Elastic Beanstalk environment:
elasticbeanstalk:CreateApplicationVersion, elasticbeanstalk:UpdateEnvironment, cloudformation:GetTemplate, cloudformation:DescribeStackResources, cloudformation:DescribeStackResource, autoscaling:DescribeAutoScalingGroups, autoscaling:SuspendProcesses, autoscaling:SuspendProcesses
First of all, you need to create a legit Beanstalk environment with the code you would like to run in the victim, following the previous steps. Potentially a simple zip containing these 2 files:
Once you have your own Beanstalk env running your rev shell, it's time to migrate it to the victim's env. To do so, you need to update the Bucket Policy of your Beanstalk S3 bucket so the victim can access it (note that this will open the bucket to EVERYONE):