AWS - EMR Privesc
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Maelezo zaidi kuhusu EMR katika:
AWS - EMR Enumiam:PassRole
, elasticmapreduce:RunJobFlow
Mshambuliaji mwenye ruhusa hizi anaweza kuendesha klasta mpya ya EMR akishikilia majukumu ya EC2 na kujaribu kuiba akidi zake.
Kumbuka kwamba ili kufanya hivi unahitaji kujua funguo za ssh zilizopitishwa katika akaunti au kuagiza moja, na uweze kufungua bandari 22 katika nodi ya mkuu (unaweza kuwa na uwezo wa kufanya hivi kwa kutumia sifa EmrManagedMasterSecurityGroup
na/au ServiceAccessSecurityGroup
ndani ya --ec2-attributes
).
Note how an EMR role is specified in --service-role
and a ec2 role is specified in --ec2-attributes
inside InstanceProfile
. However, this technique only allows to steal the EC2 role credentials (as you will connect via ssh) but no the EMR IAM Role.
Potential Impact: Privesc to the EC2 service role specified.
elasticmapreduce:CreateEditor
, iam:ListRoles
, elasticmapreduce:ListClusters
, iam:PassRole
, elasticmapreduce:DescribeEditor
, elasticmapreduce:OpenEditorInConsole
With these permissions an attacker can go to the AWS console, create a Notebook and access it to steal the IAM Role.
Hata kama unachanganya jukumu la IAM kwa mfano wa notebook katika majaribio yangu niliona kwamba niliweza kuiba akiba inayosimamiwa na AWS na si akiba zinazohusiana na jukumu la IAM.
Potential Impact: Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile
elasticmapreduce:OpenEditorInConsole
Just with this permission an attacker will be able to access the Jupyter Notebook and steal the IAM role associated to it.
The URL of the notebook is https://<notebook-id>.emrnotebooks-prod.eu-west-1.amazonaws.com/<notebook-id>/lab/
Hata kama unachanganya jukumu la IAM kwa mfano wa notebook katika majaribio yangu niliona kwamba niliweza kuiba akiba inayosimamiwa na AWS na si akiba zinazohusiana na jukumu la IAM.
Potential Impact: Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)