AWS - ECS Post Exploitation

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

ECS

Kwa maelezo zaidi angalia:

AWS - ECS Enum

Host IAM Roles

Katika ECS, IAM role inaweza kupewa kazi inayokimbia ndani ya kontena. Ikiwa kazi inakimbia ndani ya EC2 instance, EC2 instance itakuwa na IAM role nyingine iliyounganishwa nayo. Hii inamaanisha kwamba ikiwa utaweza kudhoofisha instance ya ECS unaweza kupata IAM role inayohusiana na ECR na EC2 instance. Kwa maelezo zaidi kuhusu jinsi ya kupata akreditivu hizo angalia:

Cloud SSRFHackTricks

Kumbuka kwamba ikiwa EC2 instance inatekeleza IMDSv2, kulingana na nyaraka, jibu la ombi la PUT litakuwa na kipimo cha hop cha 1, na kufanya iwe vigumu kufikia metadata ya EC2 kutoka kwa kontena ndani ya EC2 instance.

Privesc to node to steal other containers creds & secrets

Lakini zaidi, EC2 inatumia docker kuendesha kazi za EC, hivyo ikiwa unaweza kutoroka hadi node au kufikia docker socket, unaweza kuangalia ni kontena gani nyingine zinazoendeshwa, na hata kuingia ndani yao na kuiba IAM roles zao zilizounganishwa.

Making containers run in current host

Zaidi ya hayo, EC2 instance role kwa kawaida itakuwa na idhini ya kutosha kubadilisha hali ya instance ya kontena za EC2 zinazotumika kama nodes ndani ya klasta. Mshambuliaji anaweza kubadilisha hali ya instance kuwa DRAINING, kisha ECS it aondoe kazi zote kutoka kwake na zile zinazokimbia kama REPLICA zita kimbia katika instance tofauti, labda ndani ya instance ya mshambuliaji ili aweze kuiba IAM roles zao na taarifa nyeti zinazoweza kuwa ndani ya kontena.

aws ecs update-container-instances-state \
--cluster <cluster> --status DRAINING --container-instances <container-instance-id>

Ile ile mbinu inaweza kufanywa kwa kuondoa EC2 instance kutoka kwa klasta. Hii inawezekana kuwa na ufanisi mdogo lakini it lazimisha kazi kufanywa katika instances nyingine:

aws ecs deregister-container-instance \
--cluster <cluster> --container-instance <container-instance-id> --force

Njia ya mwisho ya kulazimisha utekelezaji wa kazi tena ni kwa kuashiria ECS kwamba kazi au kontena ilisimamishwa. Kuna API 3 zinazoweza kutumika kufanya hivi:

# Needs: ecs:SubmitTaskStateChange
aws ecs submit-task-state-change --cluster <value> \
--status STOPPED --reason "anything" --containers [...]

# Needs: ecs:SubmitContainerStateChange
aws ecs submit-container-state-change ...

# Needs: ecs:SubmitAttachmentStateChanges
aws ecs submit-attachment-state-changes ...

Pora taarifa nyeti kutoka kwa kontena za ECR

Ili ya EC2 huenda pia ikawa na ruhusa ecr:GetAuthorizationToken ikiruhusu kupakua picha (unaweza kutafuta taarifa nyeti ndani yao).

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - ECR Post Exploitation NextAWS - EFS Post Exploitation

Last updated 3 days ago

ECS

Kwa maelezo zaidi angalia:

AWS - ECS Enum

Host IAM Roles

Privesc to node to steal other containers creds & secrets

Making containers run in current host

aws ecs update-container-instances-state \
--cluster <cluster> --status DRAINING --container-instances <container-instance-id>

Ile ile mbinu inaweza kufanywa kwa kuondoa EC2 instance kutoka kwa klasta. Hii inawezekana kuwa na ufanisi mdogo lakini it lazimisha kazi kufanywa katika instances nyingine:

aws ecs deregister-container-instance \
--cluster <cluster> --container-instance <container-instance-id> --force

Njia ya mwisho ya kulazimisha utekelezaji wa kazi tena ni kwa kuashiria ECS kwamba kazi au kontena ilisimamishwa. Kuna API 3 zinazoweza kutumika kufanya hivi:

# Needs: ecs:SubmitTaskStateChange
aws ecs submit-task-state-change --cluster <value> \
--status STOPPED --reason "anything" --containers [...]

# Needs: ecs:SubmitContainerStateChange
aws ecs submit-container-state-change ...

# Needs: ecs:SubmitAttachmentStateChanges
aws ecs submit-attachment-state-changes ...

Pora taarifa nyeti kutoka kwa kontena za ECR

Ili ya EC2 huenda pia ikawa na ruhusa ecr:GetAuthorizationToken ikiruhusu kupakua picha (unaweza kutafuta taarifa nyeti ndani yao).