gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-03-12 21:22:57 -07:00
Code Issues Packages Projects Releases Wiki Activity
Files
936fbc42858cf0140f28cb4af7ff3d3fd2ca5060
hacktricks-cloud/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc/README.md
carlospolop 9df8a4ac92 organize aws + new attacks
2025-10-09 12:26:40 +02:00

966 B
Raw Blame History

AWS - MSK Privesc

{{#include ../../../../banners/hacktricks-training.md}}

MSK

For more information about MSK (Kafka) check:

{{#ref}} ../../aws-services/aws-msk-enum.md {{#endref}}

msk:ListClusters, msk:UpdateSecurity

With these privileges and access to the VPC where the kafka brokers are, you could add the None authentication to access them.

aws msk --client-authentication <value> --cluster-arn <value> --current-version <value>

You need access to the VPC because you cannot enable None authentication with Kafka publicly exposed. If it's publicly exposed, if SASL/SCRAM authentication is used, you could read the secret to access (you will need additional privileges to read the secret).
If IAM role-based authentication is used and kafka is publicly exposed you could still abuse these privileges to give you permissions to access it.

{{#include ../../../../banners/hacktricks-training.md}}

Reference in New Issue View Git Blame Copy Permalink