Last updated
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
iam:PassRole , sagemaker:CreateNotebookInstance, sagemaker:CreatePresignedNotebookInstanceUrlStart creating a noteboook with the IAM Role to access attached to it:
The response should contain a NotebookInstanceArn field, which will contain the ARN of the newly created notebook instance. We can then use the create-presigned-notebook-instance-url API to generate a URL that we can use to access the notebook instance once it's ready:
Navigate to the URL with the browser and click on `Open JupyterLab`` in the top right, then scroll down to “Launcher” tab and under the “Other” section, click the “Terminal” button.
Now It's possible to access the metadata credentials of the IAM Role.
Potential Impact: Privesc to the sagemaker service role specified.
sagemaker:CreatePresignedNotebookInstanceUrlIf there are Jupyter notebooks are already running on it and you can list them with sagemaker:ListNotebookInstances (or discover them in any other way). You can generate a URL for them, access them, and steal the credentials as indicated in the previous technique.
Potential Impact: Privesc to the sagemaker service role attached.
sagemaker:CreateProcessingJob,iam:PassRoleAn attacker with those permissions can make sagemaker execute a processingjob with a sagemaker role attached to it. The attacked can indicate the definition of the container that will be run in an AWS managed ECS account instance, and steal the credentials of the IAM role attached.
Potential Impact: Privesc to the sagemaker service role specified.
sagemaker:CreateTrainingJob, iam:PassRoleAn attacker with those permissions will be able to create a training job, running an arbitrary container on it with a role attached to it. Therefore, the attcke will be able to steal the credentials of the role.
This scenario is more difficult to exploit than the previous one because you need to generate a Docker image that will send the rev shell or creds directly to the attacker (you cannot indicate a starting command in the configuration of the training job).
Potential Impact: Privesc to the sagemaker service role specified.
sagemaker:CreateHyperParameterTuningJob, iam:PassRoleAn attacker with those permissions will (potentially) be able to create an hyperparameter training job, running an arbitrary container on it with a role attached to it. I haven't exploited because of the lack of time, but looks similar to the previous exploits, feel free to send a PR with the exploitation details.
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
Check the !
Join the 💬 or the or follow us on Twitter 🐦 .
Share hacking tricks by submitting PRs to the and github repos.
