gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-28 13:43:24 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
5ef56bb6b38468e009a1ce34747dd626ea22acb7
hacktricks-cloud/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md
Carlos Polop 5ef56bb6b3 Recreating repository history for branch master
2024-12-12 19:35:48 +01:00

109 lines
7.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# AWS - ECS Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## ECS
### Basic Information
Amazon **Elastic Container Services** or ECS provides a platform to **host containerized applications in the cloud**. ECS has two **deployment** methods, **EC2** instance type and a **serverless** option, **Fargate**. The service **makes running containers in the cloud very easy and pain free**.
ECS operates using the following three building blocks: **Clusters**, **Services**, and **Task Definitions**.
* **Clusters** are **groups of containers** that are running in the cloud. As previously mentioned, there are two launch types for containers, EC2 and Fargate. AWS defines the **EC2** launch type as allowing customers “to run \[their] containerized applications on a cluster of Amazon EC2 instances that \[they] **manage**”. **Fargate** is similar and is defined as “\[allowing] you to run your containerized applications **without the need to provision and manage** the backend infrastructure”.
* **Services** are created inside a cluster and responsible for **running the tasks**. Inside a service definition **you define the number of tasks to run, auto scaling, capacity provider (Fargate/EC2/External),** **networking** information such as VPCs, subnets, and security groups.
* There **2 types of applications**:
* **Service**: A group of tasks handling a long-running computing work that can be stopped and restarted. For example, a web application.
* **Task**: A standalone task that runs and terminates. For example, a batch job.
* Among the service applications, there are **2 types of service schedulers**:
* [**REPLICA**](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html): The replica scheduling strategy places and **maintains the desired number** of tasks across your cluster. If for some reason a task shut down, a new one is launched in the same or different node.
* [**DAEMON**](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html): Deploys exactly one task on each active container instance that has the needed requirements. There is no need to specify a desired number of tasks, a task placement strategy, or use Service Auto Scaling policies.
* **Task Definitions** are responsible for **defining what containers will run** and the various parameters that will be configured with the containers such as **port mappings** with the host, **env variables**, Docker **entrypoint**...
* Check **env variables for sensitive info**!
### Sensitive Data In Task Definitions
Task definitions are responsible for **configuring the actual containers that will be running in ECS**. Since task definitions define how containers will run, a plethora of information can be found within.
Pacu can enumerate ECS (list-clusters, list-container-instances, list-services, list-task-definitions), it can also dump task definitions.
### Enumeration
```bash
# Clusters info
aws ecs list-clusters
aws ecs describe-clusters --clusters <cluster>
# Container instances
## An Amazon ECS container instance is an Amazon EC2 instance that is running the Amazon ECS container agent and has been registered into an Amazon ECS cluster.
aws ecs list-container-instances --cluster <cluster>
aws ecs describe-container-instances --cluster <cluster> --container-instances <container_instance_arn>
# Services info
aws ecs list-services --cluster <cluster>
aws ecs describe-services --cluster <cluster> --services <services>
aws ecs describe-task-sets --cluster <cluster> --service <service>
# Task definitions
aws ecs list-task-definition-families
aws ecs list-task-definitions
aws ecs list-tasks --cluster <cluster>
aws ecs describe-tasks --cluster <cluster> --tasks <tasks>
## Look for env vars and secrets used from the task definition
aws ecs describe-task-definition --task-definition <TASK_NAME>:<VERSION>
```
### Unauthenticated Access
{% content-ref url="../aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md" %}
[aws-ecs-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md)
{% endcontent-ref %}
### Privesc
In the following page you can check how to **abuse ECS permissions to escalate privileges**:
{% content-ref url="../aws-privilege-escalation/aws-ecs-privesc.md" %}
[aws-ecs-privesc.md](../aws-privilege-escalation/aws-ecs-privesc.md)
{% endcontent-ref %}
### Post Exploitation
{% content-ref url="../aws-post-exploitation/aws-ecs-post-exploitation.md" %}
[aws-ecs-post-exploitation.md](../aws-post-exploitation/aws-ecs-post-exploitation.md)
{% endcontent-ref %}
### Persistence
{% content-ref url="../aws-persistence/aws-ecs-persistence.md" %}
[aws-ecs-persistence.md](../aws-persistence/aws-ecs-persistence.md)
{% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Reference in New Issue View Git Blame Copy Permalink