AWS - SSM Privesc
For more info about SSM check:
AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum

ssm:SendCommand
An attacker with the permission ssm:SendCommand can execute commands in instances running the Amazon SSM Agent and compromise the IAM Role running inside of it.
In case you are using this technique to escalate privileges inside an already compromised EC2 instance, you could just capture the rev shell locally with:
Potential Impact: Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running.
ssm:StartSession
An attacker with the permission ssm:StartSession can start an SSH-like session in instances running the Amazon SSM Agent and compromise the IAM Role running inside of it.
In order to start a session you need the SessionManagerPlugin installed: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html
Potential Impact: Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running.
When ECS tasks run with ExecuteCommand enabled, users with enough permissions can use ecs execute-command to execute a command inside the container.
According to the documentation this is done by creating a secure channel between the device you use to initiate the "exec" command and the target container with SSM Session Manager (the SSM Session Manager Plugin is necessary for this to work).
Therefore, users with ssm:StartSession will be able to get a shell inside ECS tasks with that option enabled just by running:
Potential Impact: Direct privesc to the ECS IAM roles attached to running tasks with ExecuteCommand enabled.
ssm:ResumeSession
An attacker with the permission ssm:ResumeSession can resume an SSH-like session in instances running the Amazon SSM Agent that have a disconnected SSM session state and compromise the IAM Role running inside of it.
Potential Impact: Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running and disconnected sessions.
ssm:DescribeParameters, (ssm:GetParameter | ssm:GetParameters)
An attacker with the mentioned permissions is going to be able to list the SSM parameters and read them in clear-text. In these parameters you can frequently find sensitive information such as SSH keys or API keys.
Potential Impact: Find sensitive information inside the parameters.
ssm:ListCommands
An attacker with this permission can list all the commands sent and hopefully find sensitive information on them.
Potential Impact: Find sensitive information inside the command lines.
ssm:GetCommandInvocation, (ssm:ListCommandInvocations | ssm:ListCommands)
An attacker with these permissions can list all the commands sent and read the output generated, hopefully finding sensitive information in it.
Potential Impact: Find sensitive information inside the output of the command lines.
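As an added, defender-side example (not part of the original page), a small Python auditor that flags IAM policy statements granting the SSM permissions listed above, including grants hidden behind wildcards such as ssm:Get* or ssm:*. The policy document is constructed for the example; it evaluates only Allow statements with an Action key, so an explicit Deny elsewhere in the policy is not taken into account.

```python
import fnmatch
import json

# SSM actions discussed on this page, with what each one enables.
RISKY_SSM_ACTIONS = {
    "ssm:SendCommand": "run commands on instances (EC2 role compromise)",
    "ssm:StartSession": "interactive session on instances / ECS exec",
    "ssm:ResumeSession": "resume a disconnected session",
    "ssm:DescribeParameters": "enumerate Parameter Store",
    "ssm:GetParameter": "read parameters in clear text",
    "ssm:GetParameters": "read parameters in clear text",
    "ssm:ListCommands": "read previously sent command lines",
    "ssm:GetCommandInvocation": "read command output",
    "ssm:ListCommandInvocations": "read command output",
}

def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    # IAM action matching is case-insensitive; '*' and '?' act as wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def find_risky_ssm_grants(policy):
    """Return (sid, action, resource, why) for every Allow of a listed action.
    Assumption: only Allow statements with an "Action" key are inspected;
    Deny and NotAction statements are ignored."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for pattern in _as_list(stmt["Action"]):
            for action, why in RISKY_SSM_ACTIONS.items():
                if _action_matches(pattern, action):
                    for res in _as_list(stmt.get("Resource", "*")):
                        findings.append((stmt.get("Sid", ""), action, res, why))
    return findings

# Constructed sample: a "read-only" role that also grants ssm:Get* on everything.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Read", "Effect": "Allow", "Action": ["ec2:Describe*", "ssm:Get*"], "Resource": "*"},
    {"Sid": "Ops", "Effect": "Allow", "Action": "ssm:StartSession",
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0example"},
    {"Sid": "Block", "Effect": "Deny", "Action": "ssm:SendCommand", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for sid, action, res, why in find_risky_ssm_grants(SAMPLE_POLICY):
        print(f"[{sid}] {action} on {res}: {why}")
```

Run it against the output of `aws iam get-policy-version` to review real policies; the sample policy yields four findings, three of them from the single ssm:Get* wildcard.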
You can also use SSM to get inside a codebuild project being built:
AWS - Codebuild Privesc