AWS - EMR Privesc


EMR

More information about EMR in:

AWS - EMR Enum

iam:PassRole, elasticmapreduce:RunJobFlow

An attacker with these permissions can run a new EMR cluster specifying EC2 roles and try to steal their credentials.
Note that to do this you need to know the ssh private key imported in the account, or import one yourself, and to be able to open port 22 on the master node (you may be able to do this with the attributes EmrManagedMasterSecurityGroup and/or ServiceAccessSecurityGroup inside --ec2-attributes).

```bash
# Import EC2 ssh key (you will need extra permissions for this)
ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q -N ""
chmod 400 /tmp/sshkey
base64 /tmp/sshkey.pub > /tmp/pub.key
aws ec2 import-key-pair \
--key-name "privesc" \
--public-key-material file:///tmp/pub.key

aws emr create-cluster \
--release-label emr-5.15.0 \
--instance-type m4.large \
--instance-count 1 \
--service-role EMR_DefaultRole \
--ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=privesc

# Wait 1 min and connect via ssh to an EC2 instance of the cluster
aws emr describe-cluster --cluster-id <id>
# In MasterPublicDnsName you can find the DNS to connect to the master instance
## You can also get this info listing EC2 instances
```

Note how an EMR role is specified in --service-role and an EC2 role is specified in --ec2-attributes inside InstanceProfile. However, this technique only allows stealing the EC2 role credentials (as you connect via ssh), not the EMR IAM Role.

Potential Impact: Privesc to the EC2 service role specified.

elasticmapreduce:CreateEditor, iam:ListRoles, elasticmapreduce:ListClusters, iam:PassRole, elasticmapreduce:DescribeEditor, elasticmapreduce:OpenEditorInConsole

With these permissions an attacker can go to the AWS console, create a Notebook and access it to steal the IAM Role.

caution

Even if you attach an IAM role to the notebook instance, in my tests I noticed that I was able to steal AWS managed credentials and not the credentials of the attached IAM role.

Potential Impact: Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile

elasticmapreduce:OpenEditorInConsole

Just with this permission an attacker will be able to access the Jupyter Notebook and steal the IAM role associated with it.
The URL of the notebook is https://<notebook-id>.emrnotebooks-prod.eu-west-1.amazonaws.com/<notebook-id>/lab/

caution

Even if you attach an IAM role to the notebook instance, in my tests I noticed that I was able to steal AWS managed credentials and not the credentials of the attached IAM role.

Potential Impact: Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile
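A detection for both paths on this page (the key-import-then-RunJobFlow sequence, and notebook creation/opening) run over CloudTrail events, added here as an example; it is not code from the original page. The sample events are constructed, and it assumes the requestParameters field names mirror the API parameters (keyName, ec2KeyName, jobFlowRole, editorId).

```python
from datetime import datetime, timedelta

# Constructed sample CloudTrail events. The requestParameters field names are
# assumed to mirror the API parameters; check them against real logs first.
DEV = "arn:aws:iam::111122223333:user/dev"
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ImportKeyPair", "userIdentity": {"arn": DEV},
     "requestParameters": {"keyName": "privesc"}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "elasticmapreduce.amazonaws.com",
     "eventName": "RunJobFlow", "userIdentity": {"arn": DEV},
     "requestParameters": {"serviceRole": "EMR_DefaultRole", "jobFlowRole": "EMR_EC2_DefaultRole",
                           "instances": {"ec2KeyName": "privesc", "instanceCount": 1}}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "elasticmapreduce.amazonaws.com",
     "eventName": "OpenEditorInConsole", "userIdentity": {"arn": DEV},
     "requestParameters": {"editorId": "e-EXAMPLE"}},
    # Benign: a pipeline role launching a cluster with no SSH key at all.
    {"eventTime": "2024-01-02T09:00:00Z", "eventSource": "elasticmapreduce.amazonaws.com",
     "eventName": "RunJobFlow", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/pipeline"},
     "requestParameters": {"jobFlowRole": "EMR_EC2_DefaultRole", "instances": {"instanceCount": 20}}},
]
NOTEBOOK_EVENTS = {"CreateEditor", "OpenEditorInConsole"}

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_emr_privesc_signals(events, window=timedelta(minutes=30)):
    """Return (eventName, principalArn, reason) tuples for the two paths on this page:
    a RunJobFlow using an SSH key the same principal imported within `window`
    (ssh to the node is how the instance-profile credentials get read), and any
    EMR notebook create/open."""
    signals, recent_keys = [], {}  # recent_keys: (principal, keyName) -> import time
    for e in sorted(events, key=_ts):
        who, name = e["userIdentity"]["arn"], e["eventName"]
        params = e.get("requestParameters") or {}
        if e["eventSource"] == "ec2.amazonaws.com" and name == "ImportKeyPair":
            recent_keys[(who, params.get("keyName"))] = _ts(e)
        elif e["eventSource"] != "elasticmapreduce.amazonaws.com":
            continue
        elif name == "RunJobFlow":
            key = (params.get("instances") or {}).get("ec2KeyName")
            imported = recent_keys.get((who, key))
            if key and imported and _ts(e) - imported <= window:
                mins = int((_ts(e) - imported).total_seconds() // 60)
                signals.append((name, who, f"cluster with instance profile {params.get('jobFlowRole')} "
                                           f"launched with key '{key}' imported {mins} min earlier"))
        elif name in NOTEBOOK_EVENTS:
            signals.append((name, who, "EMR notebook created/opened; review the credentials it exposes"))
    return signals
```

Pairing the flag with an IAM policy that limits iam:PassRole to the intended EMR roles removes the precondition for the first path entirely.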
