mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-06-12 19:11:44 -07:00
@@ -53,6 +53,43 @@ aws ecs describe-tasks --cluster <cluster> --tasks <tasks>
aws ecs describe-task-definition --task-definition <TASK_NAME>:<VERSION>
```

### On-Host Enumeration via the ECS Agent State DB (`agent.db`)

When you have **shell access on an ECS container instance** , or you have **escaped a container with a host bind-mount of `/var/lib/ecs`** (a common misconfiguration when tasks run privileged or with `volumesFrom` exposing the host data dir), the ECS agent leaves `agent.db` on disk that can be read **without any AWS API call**, **without any IAM permission**, and **without triggering CloudTrail**.

```
/var/lib/ecs/data/agent.db
```

(or, when reading from a container that has the host mounted at `/host`, `/host/var/lib/ecs/data/agent.db`).

```bash
# Most useful one-liner — dumps everything readable
strings /var/lib/ecs/data/agent.db

# From inside a container with the host mounted at /host
strings /host/var/lib/ecs/data/agent.db

# Filter for the highest-value artefacts
strings /var/lib/ecs/data/agent.db | grep -aE 'arn:aws:|AKIA|ASIA|"secret|password|TOKEN|credentials|taskRoleArn|executionRoleArn'

# Save the outcome from strings for offline analysis
strings /host/var/lib/ecs/data/agent.db >> /tmp/agent.txt
tr -s '{}[],:"\\' '\n' < /tmp/agent.txt | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | awk 'NF && length($0)>2 && !/^[0-9.]+$/' | sort -u
```

#### What you can recover

Depending on the cluster's age and workload churn, `strings` against `agent.db` typically yields:

- **Task and execution IAM role ARNs** (`taskRoleArn`, `executionRoleArn`) for every task the agent has run — useful targets for [credential retrieval via the task metadata endpoint](https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.html) (`169.254.170.2`).
- **Full task definitions** — image URIs (often private ECR repos), command, entrypoint, port mappings, mount points, log configuration, and **plaintext environment variables** that frequently include database URLs, API tokens, and third-party secrets.
- **Secrets references** — `secretOptions` and `secrets` blocks pointing at SSM Parameter Store paths and Secrets Manager ARNs (great pivot list).
- **Container instance ARN, cluster ARN, and registration token** — confirms the cluster name and account/region context with no API call.
- **ENI metadata** — private IPs, MAC addresses, subnet IDs, and security group IDs assigned in `awsvpc` mode (useful for lateral movement planning).
- **Image pull credentials** — when the task definition uses `repositoryCredentials`, the referenced Secrets Manager ARN is here; on older agents private-registry auth blobs (`ECS_ENGINE_AUTH_DATA`) may also be cached.
- **Recently-stopped task containers** — including names, IDs, exit codes and labels, sometimes long after the corresponding `aws ecs describe-tasks` call has aged them out of the API response.

### Unauthenticated Access

{{#ref}}

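Review bot: the "Save the outcome from strings for offline analysis" block appends with `>>` (`strings /host/var/lib/ecs/data/agent.db >> /tmp/agent.txt`), so every re-run duplicates the whole dump before the `tr | sed | awk | sort -u` pipeline sees it; use `>` instead, or pipe `strings` straight into `tr` the way the other one-liners already do. That block also silently switches from the `/var/lib/ecs/data/agent.db` path used two commands earlier to the `/host/...` prefix; say which environment each variant is for, or factor the prefix out (e.g. `DB="${HOST_ROOT:-}/var/lib/ecs/data/agent.db"`) so a reader on a plain container instance does not hit a file-not-found. In the first bullet under "What you can recover", the link for credential retrieval via `169.254.170.2` points at the generic ECS enumeration page with no anchor; link the specific section instead. Finally, since the section stresses that reading `agent.db` triggers no API call and no CloudTrail event, one line of defensive guidance belongs here: never bind-mount `/var/lib/ecs` (or the host root) into tasks, and cover this gap with host-level file-access auditing on the agent data directory, because CloudTrail will not see it.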