AWS - ECS Enum
Tip
Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
ECS
Basic Information
Amazon Elastic Container Service, or ECS, provides a platform for running applications packaged as containers in the cloud. ECS has two deployment models: the EC2 instance type and the serverless option, Fargate. The service makes running containers in the cloud very easy and painless.
ECS works with the following three building blocks: Clusters, Services, and Task Definitions.
- Clusters are groups of containers running in the cloud. As mentioned earlier, there are two launch types for containers, EC2 and Fargate. AWS defines the EC2 launch type as allowing customers to “run their containerized applications on a cluster of Amazon EC2 instances that [they] manage”. Fargate is similar and is defined as “[allowing] you to run your containerized applications without the need to provision and manage the backend infrastructure”.
- Services are created inside a cluster and are responsible for running tasks. Within the service definition you define the number of tasks to run, auto scaling, the capacity provider (Fargate/EC2/External), and networking information such as VPCs, subnets, and security groups.
- There are 2 types of applications:
- Service: A group of tasks that handles a long-running computing job that can be stopped and restarted. For example, a web application.
- Task: A standalone task that runs and terminates. For example, a batch job.
- Among service applications, there are 2 types of service schedulers:
- REPLICA: The replica scheduling strategy places and maintains the desired number of tasks across your cluster. If for some reason a task is shut down, a new one is launched on the same or a different node.
- DAEMON: Deploys exactly one task on each active container instance that meets the required requirements. There is no need to specify a desired number of tasks, a task placement strategy, or to use Service Auto Scaling policies.
- Task Definitions are responsible for defining which containers will run and the various parameters that will be configured alongside the containers, such as port mappings and host, env variables, the Docker entrypoint…
- Check the env variables for sensitive info!
Sensitive Data In Task Definitions
Task definitions are responsible for configuring the actual containers that will run inside ECS. Because task definitions define how containers will run, a lot of information can be found in them.
Pacu can enumerate ECS (list-clusters, list-container-instances, list-services, list-task-definitions) and can also dump task definitions.
Enumeration
# Clusters info
aws ecs list-clusters
aws ecs describe-clusters --clusters <cluster>
# Container instances
## An Amazon ECS container instance is an Amazon EC2 instance that is running the Amazon ECS container agent and has been registered into an Amazon ECS cluster.
aws ecs list-container-instances --cluster <cluster>
aws ecs describe-container-instances --cluster <cluster> --container-instances <container_instance_arn>
# Services info
aws ecs list-services --cluster <cluster>
aws ecs describe-services --cluster <cluster> --services <services>
aws ecs describe-task-sets --cluster <cluster> --service <service>
# Task definitions
aws ecs list-task-definition-families
aws ecs list-task-definitions
aws ecs list-tasks --cluster <cluster>
aws ecs describe-tasks --cluster <cluster> --tasks <tasks>
## Look for env vars and secrets used from the task definition
aws ecs describe-task-definition --task-definition <TASK_NAME>:<VERSION>
On-Host Analysis via the ECS Agent State DB (agent.db)
When you have shell access on an ECS container instance, or have escaped from a container with a host bind-mount of /var/lib/ecs (a common misconfiguration when tasks run privileged or with volumesFrom exposing the host data dir), the ECS agent leaves agent.db on disk, and it can be read without calling the AWS API, without any IAM permission, and without triggering CloudTrail.
/var/lib/ecs/data/agent.db
(or, when reading from a container with the host mounted at /host, /host/var/lib/ecs/data/agent.db).
# Most useful one-liner — dumps everything readable
strings /var/lib/ecs/data/agent.db
# From inside a container with the host mounted at /host
strings /host/var/lib/ecs/data/agent.db
# Filter for the highest-value artefacts
strings /var/lib/ecs/data/agent.db | grep -aE 'arn:aws:|AKIA|ASIA|"secret|password|TOKEN|credentials|taskRoleArn|executionRoleArn'
# Save the outcome from strings for offline analysis
strings /host/var/lib/ecs/data/agent.db >> /tmp/agent.txt
tr -s '{}[],:"\\' '\n' < /tmp/agent.txt | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | awk 'NF && length($0)>2 && !/^[0-9.]+$/' | sort -u
What you can recover
Depending on the age of the cluster and workload churn, strings against agent.db typically yields:
- Task and execution IAM role ARNs (taskRoleArn, executionRoleArn) for every task the agent has ever run. These are key targets for credential retrieval via the task metadata endpoint (169.254.170.2).
- Full task definitions: image URIs (often private ECR repos), command, entrypoint, port mappings, mount points, log configuration, and plaintext environment variables that frequently include database URLs, API tokens, and third-party secrets.
- Secrets references: secretOptions and secrets blocks pointing to SSM Parameter Store paths and Secrets Manager ARNs (a good pivot list).
- Container instance ARN, cluster ARN, and registration token, which confirm the cluster name and account/region context without an API call.
- ENI metadata: private IPs, MAC addresses, subnet IDs, and security group IDs assigned in awsvpc mode (useful for planning lateral movement).
- Image pull credentials: if the task definition uses repositoryCredentials, the referenced Secrets Manager ARN is here; on older agents private-registry auth blobs (ECS_ENGINE_AUTH_DATA) may also be cached.
- Recently-stopped task containers, including names, IDs, exit codes and labels, sometimes long after the corresponding aws ecs describe-tasks call has dropped them from the API response.
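An added audit example (not HackTricks or AWS code) that ties together the "Sensitive Data In Task Definitions" section and the privileged/host bind-mount misconfiguration described above: it takes the `taskDefinition` object returned by `aws ecs describe-task-definition` and flags plaintext credential-looking environment variables, every secrets reference (secrets, secretOptions, repositoryCredentials), the task/execution roles, privileged containers, and any container that mounts the host's /var/lib/ecs. The sample task definition, account id and ARNs are constructed placeholders.

```python
import re
# Env var names that usually carry credentials when stored as plaintext in a task definition.
SENSITIVE_NAME = re.compile(r"secret|passw|token|api[_-]?key|credential", re.I)
# Host path whose bind-mount exposes the ECS agent state DB (agent.db) to a container.
AGENT_STATE_DIR = "/var/lib/ecs"

def audit_task_definition(td: dict) -> dict:
    """Return findings by category for one `taskDefinition` object from describe-task-definition."""
    f = {"roles": [], "plaintext_env": [], "secret_refs": [], "privileged": [], "host_agent_mount": []}
    for key in ("taskRoleArn", "executionRoleArn"):
        if td.get(key):
            f["roles"].append(f"{key}={td[key]}")
    # Volumes that bind-mount the host's ECS data directory into a container.
    exposed = {v["name"] for v in td.get("volumes", [])
               if (v.get("host") or {}).get("sourcePath", "").startswith(AGENT_STATE_DIR)}
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "?")
        for env in c.get("environment", []):
            if SENSITIVE_NAME.search(env.get("name", "")):
                f["plaintext_env"].append(f"{name}:{env['name']}")
        for s in c.get("secrets", []):
            f["secret_refs"].append(f"{name}:{s['name']} -> {s['valueFrom']}")
        for s in (c.get("logConfiguration") or {}).get("secretOptions", []):
            f["secret_refs"].append(f"{name}:log/{s['name']} -> {s['valueFrom']}")
        if c.get("repositoryCredentials"):
            f["secret_refs"].append(f"{name}:repositoryCredentials -> {c['repositoryCredentials']['credentialsParameter']}")
        if c.get("privileged"):
            f["privileged"].append(name)
        for mp in c.get("mountPoints", []):
            if mp.get("sourceVolume") in exposed:
                f["host_agent_mount"].append(f"{name}:{mp.get('containerPath')}")
    return f

# Constructed sample with placeholder account id/ARNs, trimmed to the fields the audit reads.
SAMPLE_TASK_DEFINITION = {
    "taskRoleArn": "arn:aws:iam::123456789012:role/app-task-role",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "volumes": [{"name": "ecsdata", "host": {"sourcePath": "/var/lib/ecs"}}],
    "containerDefinitions": [{
        "name": "web", "privileged": True,
        "environment": [{"name": "DB_PASSWORD", "value": "hunter2"}, {"name": "PORT", "value": "8080"}],
        "secrets": [{"name": "API_TOKEN", "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/api-token"}],
        "repositoryCredentials": {"credentialsParameter": "arn:aws:secretsmanager:us-east-1:123456789012:secret:ecr-pull"},
        "mountPoints": [{"sourceVolume": "ecsdata", "containerPath": "/host/var/lib/ecs"}],
    }],
}

if __name__ == "__main__":
    for category, items in audit_task_definition(SAMPLE_TASK_DEFINITION).items():
        print(f"{category}: {items}")
```

Feed it the `taskDefinition` member of the CLI JSON (for example via `json.load`) to review each revision returned by `aws ecs list-task-definitions`.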
Unauthenticated Access
AWS - ECS Unauthenticated Enum
Privesc
On the following page you can check how to abuse ECS permissions to escalate privileges:
Post Exploitation
Persistence