AWS - ECS Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:


Basic Information

Amazon Elastic Container Service (ECS) provides a platform to host containerized applications in the cloud. ECS has two launch types: EC2, where the containers run on EC2 instances that you manage, and Fargate, a serverless option where AWS manages the underlying hosts. The service makes running containers in the cloud very easy and pain free.
ECS operates using the following three building blocks: Clusters, Services, and Task Definitions.
  • Clusters are groups of containers that are running in the cloud. As previously mentioned, there are two launch types for containers, EC2 and Fargate. AWS defines the EC2 launch type as allowing customers “to run [their] containerized applications on a cluster of Amazon EC2 instances that [they] manage”. Fargate is similar and is defined as “[allowing] you to run your containerized applications without the need to provision and manage the backend infrastructure”.
  • Services are created inside a cluster and are responsible for running the tasks. Inside a service definition you define the number of tasks to run, auto scaling, the capacity provider (Fargate/EC2/External), and networking information such as VPCs, subnets, and security groups.
    • There are 2 types of applications:
      • Service: A group of tasks handling long-running computing work that can be stopped and restarted. For example, a web application.
      • Task: A standalone task that runs and terminates. For example, a batch job.
    • Among the service applications, there are 2 types of service schedulers:
      • REPLICA: The replica scheduling strategy places and maintains the desired number of tasks across your cluster. If for some reason a task shuts down, a new one is launched on the same or a different node.
      • DAEMON: Deploys exactly one task on each active container instance that has the needed requirements. There is no need to specify a desired number of tasks, a task placement strategy, or use Service Auto Scaling policies.
  • Task Definitions are responsible for defining what containers will run and the various parameters that will be configured with the containers such as port mappings with the host, env variables, Docker entrypoint...
    • Check env variables for sensitive info!

Sensitive Data In Task Definitions

Task definitions are responsible for configuring the actual containers that will be running in ECS. Since task definitions define how containers will run, a plethora of information can be found within.
Pacu can enumerate ECS (list-clusters, list-container-instances, list-services, list-task-definitions) and can also dump task definitions.


# Clusters info
aws ecs list-clusters
aws ecs describe-clusters --clusters <cluster>
# Container instances
## An Amazon ECS container instance is an Amazon EC2 instance that is running the Amazon ECS container agent and has been registered into an Amazon ECS cluster.
aws ecs list-container-instances --cluster <cluster>
aws ecs describe-container-instances --cluster <cluster> --container-instances <container_instance_arn>
# Services info
aws ecs list-services --cluster <cluster>
aws ecs describe-services --cluster <cluster> --services <services>
aws ecs describe-task-sets --cluster <cluster> --service <service>
# Task definitions
aws ecs list-task-definition-families
aws ecs list-task-definitions
aws ecs list-tasks --cluster <cluster>
aws ecs describe-tasks --cluster <cluster> --tasks <tasks>
## Look for env vars and secrets used from the task definition
aws ecs describe-task-definition --task-definition <TASK_NAME>:<VERSION>
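Reviewing dumped task definitions by hand gets tedious once there are dozens of families and revisions. The following script is an added example (not from the original page and not part of Pacu): it takes the JSON that `aws ecs describe-task-definition` prints, and reports the IAM roles the task runs with, plaintext environment variables whose name or value looks like a credential, references to Secrets Manager / SSM via `secrets`, and credentials embedded in `command` or `entryPoint`. The embedded task definition is constructed sample data; the ARNs, account ID, image names and values are invented, and the name/value patterns are this example's own heuristics, not an AWS-defined list.

```python
import json
import re
import sys

# Constructed sample resembling `aws ecs describe-task-definition` output.
# Everything here (account ID, ARNs, images, values) is made up for the example.
SAMPLE_OUTPUT = json.dumps({
    "taskDefinition": {
        "family": "web-app",
        "revision": 7,
        "taskRoleArn": "arn:aws:iam::123456789012:role/web-app-task",
        "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
        "containerDefinitions": [
            {
                "name": "app",
                "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web-app:latest",
                "environment": [
                    {"name": "APP_ENV", "value": "production"},
                    {"name": "DB_PASSWORD", "value": "Sup3rS3cret!"},
                    {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
                ],
                "secrets": [
                    {"name": "API_TOKEN",
                     "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/api-token-AbCdEf"},
                ],
                "command": ["sh", "-c", "curl -u admin:hunter2 http://internal-api/health"],
                "portMappings": [{"containerPort": 8080, "hostPort": 8080}],
            },
            {
                "name": "sidecar",
                "image": "public.ecr.aws/example/log-shipper:1.0",
                "environment": [{"name": "LOG_LEVEL", "value": "info"}],
            },
        ],
    }
})

# Heuristics chosen for this example: variable names that usually hold credentials,
# and values that look like an AWS access key ID, a PEM private key, a URL with
# embedded user:pass, or a curl/basic-auth style "-u user:pass" argument.
SENSITIVE_NAME = re.compile(r"pass|pwd|secret|token|key|cred|auth|private", re.I)
SENSITIVE_VALUE = re.compile(
    r"AKIA[0-9A-Z]{16}"
    r"|-----BEGIN [A-Z ]*PRIVATE KEY-----"
    r"|\w+://[^\s/:@]+:[^\s@]+@"
    r"|-u \S+:\S+"
)


def scan_task_definition(describe_output: str) -> list:
    """Return a list of findings from one describe-task-definition JSON document."""
    td = json.loads(describe_output)["taskDefinition"]
    findings = []

    # Roles attached to the task: what you inherit with code execution inside it.
    # The task role is what the application code uses; the execution role is what
    # the ECS agent uses to pull images and fetch the referenced secrets.
    for key in ("taskRoleArn", "executionRoleArn"):
        if td.get(key):
            findings.append({"container": None, "kind": "role", "name": key, "value": td[key]})

    for c in td.get("containerDefinitions", []):
        # Plaintext env vars are visible to anyone with ecs:DescribeTaskDefinition.
        for env in c.get("environment", []):
            if SENSITIVE_NAME.search(env["name"]) or SENSITIVE_VALUE.search(env["value"]):
                findings.append({"container": c["name"], "kind": "plaintext_env",
                                 "name": env["name"], "value": env["value"]})
        # `secrets` entries are not the secret itself, but the ARN tells you which
        # Secrets Manager / SSM object to read if you hold the execution role.
        for sec in c.get("secrets", []):
            findings.append({"container": c["name"], "kind": "secret_ref",
                             "name": sec["name"], "value": sec["valueFrom"]})
        # Credentials sometimes end up hard-coded in the container command line.
        for key in ("command", "entryPoint"):
            joined = " ".join(c.get(key, []))
            if SENSITIVE_VALUE.search(joined):
                findings.append({"container": c["name"], "kind": "command",
                                 "name": key, "value": joined})
    return findings


if __name__ == "__main__":
    # Usage: aws ecs describe-task-definition --task-definition web-app:7 > td.json
    #        python3 scan_td.py td.json      (no argument: scans the sample above)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for f in scan_task_definition(data):
        print(f"[{f['kind']}] container={f['container']} {f['name']} = {f['value']}")
```

Run it over every family/revision returned by `aws ecs list-task-definitions`; old revisions are worth checking too, because a secret removed from the latest revision usually still sits in the earlier ones until they are deregistered.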

Unauthenticated Access


In the following page you can check how to abuse ECS permissions to escalate privileges:

Post Exploitation

