AWS - EFS Enum
EFS
Basic Information
Amazon Elastic File System (EFS) is presented by AWS as a fully managed, scalable, and elastic network file system. The service simplifies the creation and configuration of file systems that can be accessed concurrently by multiple EC2 instances and other AWS services. Key features of EFS include its ability to scale automatically without manual intervention, provide low-latency access, support high-throughput workloads, guarantee data durability, and integrate seamlessly with various AWS security mechanisms.
By default, the EFS folder to mount is / but it could have a different name.
Network Access
An EFS is created in a VPC and is by default accessible from all the VPC subnetworks. However, the EFS has a Security Group. To give an EC2 instance (or any other AWS service) access to mount the EFS, the EFS security group needs an inbound NFS rule (port 2049) from the EC2 Security Group.
Without this, you won't be able to contact the NFS service.
For more information about how to do this, check: https://stackoverflow.com/questions/38632222/aws-efs-connection-timeout-at-mount
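The rule described above can be reviewed from the defender's side by listing every source a security group admits to TCP 2049. This is an added example, not code from the original page: the function names and the sample group (shaped like `aws ec2 describe-security-groups` output, with constructed IDs) are assumptions.

```python
import ipaddress

NFS_PORT = 2049

def covers_nfs(perm):
    """True if one IpPermissions entry admits TCP 2049."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols and all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= NFS_PORT <= hi

def nfs_sources(sg):
    """(kind, value) pairs allowed to reach NFS through this group."""
    out = []
    for perm in sg.get("IpPermissions", []):
        if not covers_nfs(perm):
            continue
        out += [("sg", p["GroupId"]) for p in perm.get("UserIdGroupPairs", [])]
        out += [("cidr", r["CidrIp"]) for r in perm.get("IpRanges", [])]
        out += [("cidr", r["CidrIpv6"]) for r in perm.get("Ipv6Ranges", [])]
    return out

def audit(sg, expected_client_sgs, max_addresses=256):
    """Report NFS sources other than the expected client groups."""
    findings = []
    for kind, value in nfs_sources(sg):
        if kind == "sg" and value not in expected_client_sgs:
            findings.append(f"unexpected source group {value}")
        elif kind == "cidr":
            net = ipaddress.ip_network(value, strict=False)
            width = "broad" if net.num_addresses > max_addresses else "narrow"
            findings.append(f"{width} CIDR source {value}")
    return findings

# Constructed sample: the security group attached to an EFS mount target.
SAMPLE_SG = {
    "GroupId": "sg-efs-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
         "UserIdGroupPairs": [{"GroupId": "sg-app-example"}],
         "IpRanges": [{"CidrIp": "10.10.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1",
         "UserIdGroupPairs": [{"GroupId": "sg-legacy-example"}]},
    ],
}
```

Calling `audit(SAMPLE_SG, {"sg-app-example"})` reports the /16 CIDR rule and the all-protocols rule from the legacy group, while the SSH-only rule is ignored because it does not cover port 2049.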
Enumeration
# Get filesystems and access policies (if any)
aws efs describe-file-systems
aws efs describe-file-system-policy --file-system-id <id>
# Get subnetworks and IP addresses where you can find the file system
aws efs describe-mount-targets --file-system-id <id>
aws efs describe-mount-target-security-groups --mount-target-id <id>
aws ec2 describe-security-groups --group-ids <sg_id>
# Get other access points
aws efs describe-access-points
# Get replication configurations
aws efs describe-replication-configurations
# Search for NFS in EC2 networks
sudo nmap -T4 -Pn -p 2049 --open 10.10.10.0/20 # or /16 to be sure
caution
The EFS mount point may be inside the same VPC but in a different subnet. If you want to be sure you find all EFS endpoints, it is better to scan the /16 netmask.
Mount EFS
sudo mkdir /efs
## Mount found
sudo apt install nfs-common
sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport <IP>:/ /efs
## Mount with efs type
## You need to have installed the package amazon-efs-utils
sudo yum install amazon-efs-utils # If centos
sudo apt-get install amazon-efs-utils # If ubuntu
sudo mount -t efs <file-system-id/EFS DNS name>:/ /efs/
IAM Access
By default, anyone with network access to the EFS will be able to mount, read and write it, even as the root user. However, File System policies could be in place that only allow principals with specific permissions to access it.
For example, this File System policy won't allow even mounting the file system if you don't have the IAM permission:
{
  "Version": "2012-10-17",
  "Id": "efs-policy-wizard-2ca2ba76-5d83-40be-8557-8f6c19eaa797",
  "Statement": [
    {
      "Sid": "efs-statement-e7f4b04c-ad75-4a7f-a316-4e5d12f0dbf5",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "",
      "Resource": "arn:aws:elasticfilesystem:us-east-1:318142138553:file-system/fs-0ab66ad201b58a018",
      "Condition": {
        "Bool": {
          "elasticfilesystem:AccessedViaMountTarget": "true"
        }
      }
    }
  ]
}
Or this will prevent anonymous access:
[Image: file system policy that prevents anonymous access]
Note that to mount file systems protected by IAM you MUST use the type "efs" in the mount command:
sudo mkdir /efs
sudo mount -t efs -o tls,iam <file-system-id/EFS DNS name>:/ /efs/
# To use a different profile from ~/.aws/credentials
# You can use: -o tls,iam,awsprofile=namedprofile
Access Points
Access points are application-specific entry points into an EFS file system that make it easier to manage application access to shared datasets.
When you create an access point, you can specify the owner and POSIX permissions for the files and directories created through the access point. You can also define a custom root directory for the access point, either by specifying an existing directory or by creating a new one with the desired permissions. This lets you control access to your EFS file system on a per-application or per-user basis, making it easier to manage and secure your shared file data.
You can mount the File System from an access point with something like:
# Use IAM if you need to use iam permissions
sudo mount -t efs -o tls,[iam],accesspoint=<access-point-id> \
<file-system-id/EFS DNS> /efs/
warning
Note that even when trying to mount an access point you still need to be able to contact the NFS service over the network, and if the EFS has a file system policy, you need enough IAM permissions to mount it.
Access points can be used for the following purposes:
- Simplify permissions management: By defining a POSIX user and group for each access point, you can easily manage access permissions for different applications or users without modifying the underlying file system's permissions.
- Enforce a root directory: Access points can restrict access to a specific directory within the EFS file system, ensuring that each application or user operates within its designated folder. This helps prevent accidental data exposure or modification.
- Easier file system access: Access points can be associated with an AWS Lambda function or an AWS Fargate task, simplifying file system access for serverless and containerized applications.
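Whether an access point actually delivers the first two purposes depends on its PosixUser and RootDirectory settings. The following added example (not part of the original page) reviews a `describe-access-points` response for access points that enforce no identity, enforce root, expose the whole file system, or create a world-writable root directory; the function names and the sample response with constructed IDs are assumptions.

```python
def review_access_point(ap):
    """Return the weak settings found on one access point description."""
    issues = []
    user = ap.get("PosixUser")
    if not user:
        # Without PosixUser the UID/GID sent by the NFS client is used.
        issues.append("no enforced POSIX user")
    elif user.get("Uid") == 0:
        issues.append("enforced POSIX user is root")
    root = ap.get("RootDirectory") or {}
    path = root.get("Path") or "/"          # "/" is the default root directory
    if path.strip("/") == "":
        issues.append("root directory is the whole file system")
    perms = (root.get("CreationInfo") or {}).get("Permissions")
    if perms and int(perms, 8) & 0o002:     # octal string, "other" write bit
        issues.append(f"root directory created world-writable ({perms})")
    return issues

def review_all(response):
    """Map AccessPointId -> issues for a describe-access-points response."""
    return {ap["AccessPointId"]: review_access_point(ap)
            for ap in response.get("AccessPoints", [])}

# Constructed sample response; IDs and paths are placeholders.
SAMPLE = {"AccessPoints": [
    {"AccessPointId": "fsap-app-example",
     "PosixUser": {"Uid": 1001, "Gid": 1001},
     "RootDirectory": {"Path": "/app", "CreationInfo":
         {"OwnerUid": 1001, "OwnerGid": 1001, "Permissions": "750"}}},
    {"AccessPointId": "fsap-root-example",
     "PosixUser": {"Uid": 0, "Gid": 0},
     "RootDirectory": {"Path": "/"}},
    {"AccessPointId": "fsap-shared-example",
     "RootDirectory": {"Path": "/shared", "CreationInfo":
         {"OwnerUid": 0, "OwnerGid": 0, "Permissions": "0777"}}},
]}
```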
EFS IP Address
Using the information related to an EFS IP address, the following Python script can help retrieve details about the EFS system. This information is useful for building the mount command or for further enumeration with knowledge of the subnet ID. In addition, the script shows access points, which can be valuable when the root directory or the main mount path is restricted. In such cases, access points provide alternative paths to access sensitive information.
Usage: python efs_ip_enum.py <IP_ADDRESS>
import boto3
import sys


def get_efs_info(ip_address):
    try:
        # "profile" is the named profile from ~/.aws/credentials to use
        session = boto3.Session(profile_name="profile")
        ec2_client = session.client('ec2')
        efs_client = session.client('efs')

        print(f"[*] Enumerating EFS information for IP address: {ip_address}\n")

        # Resolve the IP address to the network interface that owns it
        try:
            response = ec2_client.describe_network_interfaces(Filters=[
                {'Name': 'addresses.private-ip-address', 'Values': [ip_address]}
            ])

            if not response['NetworkInterfaces']:
                print(f"[!] No network interface found for IP address {ip_address}")
                return

            network_interface = response['NetworkInterfaces'][0]
            network_interface_id = network_interface['NetworkInterfaceId']
            print(f"[+] Found network interface: {network_interface_id}\n")
        except Exception as e:
            print(f"[!] Error retrieving network interface: {str(e)}")
            return

        try:
            efs_response = efs_client.describe_file_systems()
            file_systems = efs_response['FileSystems']
        except Exception as e:
            print(f"[!] Error retrieving EFS file systems: {str(e)}")
            return

        # Find the file system whose mount target uses that network interface
        for fs in file_systems:
            fs_id = fs['FileSystemId']

            try:
                mount_targets = efs_client.describe_mount_targets(FileSystemId=fs_id)['MountTargets']

                for mt in mount_targets:
                    if mt['NetworkInterfaceId'] == network_interface_id:
                        try:
                            policy = efs_client.describe_file_system_policy(FileSystemId=fs_id).get('Policy', 'No policy attached')
                        except Exception as e:
                            policy = f"Error retrieving policy: {str(e)}"

                        print("[+] Found matching EFS File System:\n")
                        print(f"    FileSystemId: {fs_id}")
                        print(f"    MountTargetId: {mt['MountTargetId']}")
                        print(f"    DNSName: {fs_id}.efs.{session.region_name}.amazonaws.com")
                        print(f"    LifeCycleState: {mt['LifeCycleState']}")
                        print(f"    SubnetId: {mt['SubnetId']}")
                        print(f"    SecurityGroups: {', '.join(mt.get('SecurityGroups', [])) if mt.get('SecurityGroups') else 'None'}")
                        print(f"    Policy: {policy}\n")

                        # List the access points defined on the matching file system
                        try:
                            access_points = efs_client.describe_access_points(FileSystemId=fs_id)['AccessPoints']

                            if access_points:
                                print(f"[+] Access Points for FileSystemId {fs_id}:")
                                for ap in access_points:
                                    print(f"    AccessPointId: {ap['AccessPointId']}")
                                    print(f"    Name: {ap.get('Name', 'N/A')}")
                                    print(f"    OwnerId: {ap['OwnerId']}")

                                    posix_user = ap.get('PosixUser', {})
                                    print(f"    PosixUser: UID={posix_user.get('Uid', 'N/A')}, GID={posix_user.get('Gid', 'N/A')}")

                                    root_dir = ap.get('RootDirectory', {})
                                    print(f"    RootDirectory: Path={root_dir.get('Path', 'N/A')}")

                                    creation_info = root_dir.get('CreationInfo', {})
                                    print(f"    CreationInfo: OwnerUID={creation_info.get('OwnerUid', 'N/A')}, OwnerGID={creation_info.get('OwnerGid', 'N/A')}, Permissions={creation_info.get('Permissions', 'N/A')}\n")
                            else:
                                print(f"[!] No Access Points found for FileSystemId {fs_id}\n")
                        except Exception as e:
                            print(f"[!] Error retrieving access points for FileSystemId {fs_id}: {str(e)}\n")
            except Exception as e:
                print(f"[!] Error processing file system {fs_id}: {str(e)}\n")

    except Exception as e:
        print(f"[!] General Error: {str(e)}\n")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python efs_ip_enum.py <IP_ADDRESS>")
        sys.exit(1)

    ip_address = sys.argv[1]
    get_efs_info(ip_address)