AWS - MSK Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

MSK

For more information about MSK (Kafka) check:

AWS - MSK Enum

`msk:ListClusters`, `msk:UpdateSecurity`

With these privileges and access to the VPC where the kafka brokers are, you could add the None authentication to access them.

aws msk --client-authentication <value> --cluster-arn <value> --current-version <value>

You need access to the VPC because you cannot enable None authentication with Kafka publicly exposed. If it's publicly exposed, if SASL/SCRAM authentication is used, you could read the secret to access (you will need additional privileges to read the secret). If IAM role-based authentication is used and kafka is publicly exposed you could still abuse these privileges to give you permissions to access it.

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - MQ Privesc NextAWS - RDS Privesc

Last updated 8 days ago

MSK

msk:ListClusters, msk:UpdateSecurity

`msk:ListClusters`, `msk:UpdateSecurity`