carlospolop
2025-08-24 13:22:10 +02:00
parent a45973b8a7
commit 15ff9a7d1c
3 changed files with 10 additions and 3 deletions


@@ -198,7 +198,7 @@ aws ec2 modify-launch-template \
**Potential Impact:** Direct privesc to a different EC2 role.
### `autoscaling:CreateLaunchConfiguration`, `autoscaling:CreateAutoScalingGroup`, `iam:PassRole`
### (`autoscaling:CreateLaunchConfiguration` | `ec2:CreateLaunchTemplate`), `iam:PassRole`, (`autoscaling:CreateAutoScalingGroup` | `autoscaling:UpdateAutoScalingGroup`)
An attacker with the permissions **`autoscaling:CreateLaunchConfiguration`,`autoscaling:CreateAutoScalingGroup`,`iam:PassRole`** can **create a Launch Configuration** with an **IAM Role** and a **rev shell** inside the **user data**, then **create an autoscaling group** from that config and wait for the rev shell to **steal the IAM Role**.
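Review bot: the new heading adds `ec2:CreateLaunchTemplate` and `autoscaling:UpdateAutoScalingGroup` as alternatives, but the paragraph under it is unchanged and still only describes the `autoscaling:CreateLaunchConfiguration` + `autoscaling:CreateAutoScalingGroup` + `iam:PassRole` path, so a reader holding the launch-template variant is told nothing about what to run. The body should cover the second path: create a launch template (or a new version of one) whose user data carries the reverse shell and whose instance profile is the target role, then either create a new Auto Scaling group from it or point an existing group at it with `autoscaling:UpdateAutoScalingGroup`. It is also worth a caveat on the update path: changing the launch template of an existing group does not replace the instances already running, so the attacker should raise the desired (and, if needed, max) capacity in the same `UpdateAutoScalingGroup` call so that a fresh instance is launched from the new template.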


@@ -247,9 +247,12 @@ Check in the **ec2 privesc page** how you can abuse these permissions to **prive
aws-ec2-privesc.md
{{#endref}}
### `?ecs:RegisterContainerInstance`
### `ecs:RegisterContainerInstance`, `ecs:DeregisterContainerInstance`, `ecs:StartTask`, `iam:PassRole`
An attacker with these permissions could potentially register an EC2 instance in an ECS cluster and run tasks on it. This could allow the attacker to execute arbitrary code within the context of the ECS tasks.
- TODO: Is it possible to register an instance from a different AWS account so tasks are run under machines controlled by the attacker??
TODO: Is it possible to register an instance from a different AWS account so tasks are run under machines controlled by the attacker??
### `ecs:CreateTaskSet`, `ecs:UpdateServicePrimaryTaskSet`, `ecs:DescribeTaskSets`
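Review bot: the new body text does not say what `ecs:DeregisterContainerInstance` and `iam:PassRole` contribute, even though both are in the heading. As written, the section explains only that an instance can be registered and that tasks can run on it; it should spell out the chain, namely that the attacker registers a machine they control into the cluster, then uses `ecs:StartTask` (which targets a specific container instance) to place a task on it, so the task's role credentials become reachable from that machine, and say which call `iam:PassRole` gates and why `DeregisterContainerInstance` is listed (cleanup, or freeing the slot for a re-register). The TODO about registering an instance from a different account is still an open question rather than a finding; if it stays in the page it should be clearly marked as unverified so it is not read as part of the technique.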


@@ -266,6 +266,10 @@ aws iam get-open-id-connect-provider --open-id-connect-provider-arn <ARN>
aws iam update-open-id-connect-provider-thumbprint --open-id-connect-provider-arn <ARN> --thumbprint-list 359755EXAMPLEabc3060bce3EXAMPLEec4542a3
```
### `iam:PutUserPermissionsBoundary`
This permissions allows an attacker to update the permissions boundary of a user, potentially escalating their privileges by allowing them to perform actions that are normally restricted by their existing permissions.
## References
- [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)
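Review bot: the description of `iam:PutUserPermissionsBoundary` is inverted. A permissions boundary never grants permissions; it only caps what the user's identity-based policies can do. The escalation is therefore against a user whose attached policies are already broad but who is constrained by a restrictive boundary: the attacker replaces that boundary with a permissive managed policy (for example `AdministratorAccess`), so the full identity policy becomes effective. Reword the sentence to that, and, to match the other sections in this file, add the command, e.g. `aws iam put-user-permissions-boundary --user-name <user> --permissions-boundary arn:aws:iam::aws:policy/AdministratorAccess`. The preconditions are worth stating too: the attacker needs the permission on the target user (the `Resource` of the policy matters), and the target user needs attached policies worth unlocking, since this permission on a user with no policies yields nothing. Note that this action only applies to users; roles have the separate `iam:PutRolePermissionsBoundary` action.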