AWS - MSK Privesc
{% hint style="success" %}
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
MSK
For more information about MSK (Kafka) check:
{% content-ref url="../aws-services/aws-msk-enum.md" %} aws-msk-enum.md {% endcontent-ref %}
msk:ListClusters, msk:UpdateSecurity
With these privileges and network access to the VPC where the Kafka brokers are, you could enable the None (unauthenticated) authentication option on the cluster and then access the brokers.
{% code overflow="wrap" %}
aws kafka update-security --client-authentication <value> --cluster-arn <value> --current-version <value>
{% endcode %}
You need access to the VPC because None authentication cannot be enabled while Kafka is publicly exposed. If the cluster is publicly exposed and SASL/SCRAM authentication is used, you could read the secret to gain access (you will need additional privileges to read the secret).
If IAM role-based authentication is used and Kafka is publicly exposed, you could still abuse these privileges to grant yourself permissions to access it.
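The authentication change described above is recorded in CloudTrail under the event source `kafka.amazonaws.com`. The following is an added detection example, not part of the original page: it reviews CloudTrail records for `UpdateSecurity` calls that enable unauthenticated access or disable an authentication method. The function names and sample records are constructed for illustration, and the `requestParameters` layout is assumed to mirror the MSK UpdateSecurity request body.

```python
MSK_SOURCE = "kafka.amazonaws.com"  # CloudTrail eventSource for Amazon MSK API calls
CHECKS = (("SASL/SCRAM", ("sasl", "scram")), ("IAM", ("sasl", "iam")), ("mTLS", ("tls",)))

def _enabled(auth, *path):
    """Follow nested keys and return the 'enabled' flag, or None if absent."""
    node = auth
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    return node.get("enabled") if isinstance(node, dict) else None

def review_record(record):
    """Return a finding for an UpdateSecurity call that weakens client auth, else None."""
    if record.get("eventSource") != MSK_SOURCE or record.get("eventName") != "UpdateSecurity":
        return None
    params = record.get("requestParameters") or {}  # CloudTrail may log null here
    auth = params.get("clientAuthentication") or {}  # assumed field layout
    reasons = []
    if _enabled(auth, "unauthenticated") is True:
        reasons.append("unauthenticated access enabled")
    reasons += [f"{name} authentication disabled" for name, path in CHECKS
                if _enabled(auth, *path) is False]
    if not reasons:
        return None
    return {"time": record.get("eventTime"), "cluster": params.get("clusterArn"),
            "actor": (record.get("userIdentity") or {}).get("arn"),
            "succeeded": "errorCode" not in record,  # denied attempts still merit triage
            "reasons": reasons}

def review(records):
    return [finding for finding in map(review_record, records) if finding]

# Constructed records for illustration only (placeholder account, ARNs and times).
ARN = "arn:aws:kafka:us-east-1:111111111111:cluster/example/00000000-0000"
SAMPLE = [
    {"eventSource": MSK_SOURCE, "eventName": "UpdateSecurity", "eventTime": "2024-01-01T10:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-a"},
     "requestParameters": {"clusterArn": ARN, "clientAuthentication": {"unauthenticated": {"enabled": True}}}},
    {"eventSource": MSK_SOURCE, "eventName": "UpdateSecurity", "eventTime": "2024-01-01T11:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/example-admin"},
     "requestParameters": {"clusterArn": ARN, "clientAuthentication": {"sasl": {"iam": {"enabled": True}}}}},
    {"eventSource": MSK_SOURCE, "eventName": "UpdateSecurity", "eventTime": "2024-01-01T12:00:00Z",
     "errorCode": "AccessDenied", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-b"},
     "requestParameters": {"clusterArn": ARN, "clientAuthentication": {
         "unauthenticated": {"enabled": True}, "sasl": {"scram": {"enabled": False}}}}},
    {"eventSource": MSK_SOURCE, "eventName": "ListClusters", "requestParameters": None},
]

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

A finding with `succeeded` set to `False` means the call was denied; the attempt itself still identifies a principal trying to weaken cluster authentication.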