arte-veue

0x1337
2026-04-28 00:10:52 +02:00
parent 979375b432
commit 2e66838b27
@@ -53,6 +53,43 @@ aws ecs describe-tasks --cluster <cluster> --tasks <tasks>
aws ecs describe-task-definition --task-definition <TASK_NAME>:<VERSION>
```
### On-Host Enumeration via the ECS Agent State DB (`agent.db`)
When you have **shell access on an ECS container instance** , or you have **escaped a container with a host bind-mount of `/var/lib/ecs`** (a common misconfiguration when tasks run privileged or with `volumesFrom` exposing the host data dir), the ECS agent leaves `agent.db` on disk that can be read **without any AWS API call**, **without any IAM permission**, and **without triggering CloudTrail**.
```
/var/lib/ecs/data/agent.db
```
(or, when reading from a container that has the host mounted at `/host`, `/host/var/lib/ecs/data/agent.db`).
```bash
# Most useful one-liner — dumps everything readable
strings /var/lib/ecs/data/agent.db
# From inside a container with the host mounted at /host
strings /host/var/lib/ecs/data/agent.db
# Filter for the highest-value artefacts
strings /var/lib/ecs/data/agent.db | grep -aE 'arn:aws:|AKIA|ASIA|"secret|password|TOKEN|credentials|taskRoleArn|executionRoleArn'
# Save the outcome from strings for offline analysis
strings /host/var/lib/ecs/data/agent.db >> /tmp/agent.txt
tr -s '{}[],:"\\' '\n' < /tmp/agent.txt | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | awk 'NF && length($0)>2 && !/^[0-9.]+$/' | sort -u
```
#### What you can recover
Depending on the cluster's age and workload churn, `strings` against `agent.db` typically yields:
- **Task and execution IAM role ARNs** (`taskRoleArn`, `executionRoleArn`) for every task the agent has run — useful targets for [credential retrieval via the task metadata endpoint](https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.html) (`169.254.170.2`).
- **Full task definitions** — image URIs (often private ECR repos), command, entrypoint, port mappings, mount points, log configuration, and **plaintext environment variables** that frequently include database URLs, API tokens, and third-party secrets.
- **Secrets references** — `secretOptions` and `secrets` blocks pointing at SSM Parameter Store paths and Secrets Manager ARNs (great pivot list).
- **Container instance ARN, cluster ARN, and registration token** — confirms the cluster name and account/region context with no API call.
- **ENI metadata** — private IPs, MAC addresses, subnet IDs, and security group IDs assigned in `awsvpc` mode (useful for lateral movement planning).
- **Image pull credentials** — when the task definition uses `repositoryCredentials`, the referenced Secrets Manager ARN is here; on older agents private-registry auth blobs (`ECS_ENGINE_AUTH_DATA`) may also be cached.
- **Recently-stopped task containers** — including names, IDs, exit codes and labels, sometimes long after the corresponding `aws ecs describe-tasks` call has aged them out of the API response.
### Unauthenticated Access
{{#ref}}
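Review bot: the precondition sentence misattributes the host bind-mount to `volumesFrom`; in an ECS task definition `volumesFrom` mounts volumes from another container in the same task, while a host directory such as `/var/lib/ecs` reaches a container through a `volumes[].host.sourcePath` entry wired to the container's `mountPoints` (or a privileged task). Suggest rewording "tasks run privileged or with `volumesFrom` exposing the host data dir" to name `host.sourcePath` / `mountPoints`. In the bash block, `strings /host/var/lib/ecs/data/agent.db >> /tmp/agent.txt` appends, so re-running the snippet duplicates every line before the `sort -u` pipeline; `>` is what is meant here. Since this subsection only lists what is recoverable, a one-line hardening counterpart would round it out, sourced from the facts already on the page: do not bind-mount `/var/lib/ecs` into task containers or run tasks privileged, keep `agent.db` readable by root only, and watch the path with file-integrity monitoring or an auditd rule, because as the text notes no API call or CloudTrail event accompanies a read of this file.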