AWS - EMR Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

EMR

More info about EMR in:

`iam:PassRole`, `elasticmapreduce:RunJobFlow`

An attacker with these permissions can run a new EMR cluster attaching EC2 roles and try to steal its credentials. Note that in order to do this you would need to know some ssh priv key imported in the account or to import one, and be able to open port 22 in the master node (you might be able to do this with the attributes EmrManagedMasterSecurityGroup and/or ServiceAccessSecurityGroup inside --ec2-attributes).

# Import EC2 ssh key (you will need extra permissions for this)
ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q -N ""
chmod 400 /tmp/sshkey
base64 /tmp/sshkey.pub > /tmp/pub.key
aws ec2 import-key-pair \
    --key-name "privesc" \
    --public-key-material file:///tmp/pub.key


aws emr create-cluster \
    --release-label emr-5.15.0 \
    --instance-type m4.large \
    --instance-count 1 \
    --service-role EMR_DefaultRole \
    --ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=privesc

# Wait 1min and connect via ssh to an EC2 instance of the cluster)
aws emr describe-cluster --cluster-id <id>
# In MasterPublicDnsName you can find the DNS to connect to the master instance
## You cna also get this info listing EC2 instances

Note how an EMR role is specified in --service-role and a ec2 role is specified in --ec2-attributes inside InstanceProfile. However, this technique only allows to steal the EC2 role credentials (as you will connect via ssh) but no the EMR IAM Role.

Potential Impact: Privesc to the EC2 service role specified.

`elasticmapreduce:CreateEditor`, `iam:ListRoles`, `elasticmapreduce:ListClusters`, `iam:PassRole`, `elasticmapreduce:DescribeEditor`, `elasticmapreduce:OpenEditorInConsole`

With these permissions an attacker can go to the AWS console, create a Notebook and access it to steal the IAM Role.

Even if you attach an IAM role to the notebook instance in my tests I noticed that I was able to steal AWS managed credentials and not creds related to the IAM role related.

Potential Impact: Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile

`elasticmapreduce:OpenEditorInConsole`

Just with this permission an attacker will be able to access the Jupyter Notebook and steal the IAM role associated to it. The URL of the notebook is https://<notebook-id>.emrnotebooks-prod.eu-west-1.amazonaws.com/<notebook-id>/lab/

Even if you attach an IAM role to the notebook instance in my tests I noticed that I was able to steal AWS managed credentials and not creds related to the IAM role related.

Potential Impact: Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - Elastic Beanstalk Privesc NextAWS - Gamelift

Last updated 2 months ago