AWS - MSK Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

MSK

For more information about MSK (Kafka) check:

`msk:ListClusters`, `msk:UpdateSecurity`

With these privileges and access to the VPC where the kafka brokers are, you could add the None authentication to access them.

aws msk --client-authentication <value> --cluster-arn <value> --current-version <value>

You need access to the VPC because you cannot enable None authentication with Kafka publicly exposed. If it's publicly exposed, if SASL/SCRAM authentication is used, you could read the secret to access (you will need additional privileges to read the secret). If IAM role-based authentication is used and kafka is publicly exposed you could still abuse these privileges to give you permissions to access it.

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - MQ Privesc NextAWS - RDS Privesc

Last updated 2 months ago

MSK

msk:ListClusters, msk:UpdateSecurity

`msk:ListClusters`, `msk:UpdateSecurity`