🐚 GTFOBins πŸͺŸ LOLBAS πŸ’Ύ Compiled Binaries 🩸 BloodHound 🩸 bloodyAD πŸ“œ Certipy ☁️ Cloud ⚑ goexec πŸ€– HackTricks πŸ”Œ HardwareATT πŸ“¦ Impacket 🏰 InternalATT πŸ”€ Ligolo-ng 🐱 Mimikatz πŸ’£ msfvenom πŸ”§ NetExec πŸ€– OSAI πŸ’₯ PATT 🍳 Recipes 🎟️ Rubeus 🐍 Sliver
☁️ HackTricks Cloud / AWS - MSK Privesc

AWS - MSK Privesc

{{#include ../../../../banners/hacktricks-training.md}}

MSK

For more information about MSK (Kafka) check:

{{#ref}}
../../aws-services/aws-msk-enum.md
{{#endref}}

msk:ListClusters, msk:UpdateSecurity

With these privileges and access to the VPC where the kafka brokers are, you could add the None authentication to access them.

aws msk --client-authentication <value> --cluster-arn <value> --current-version <value>

You need access to the VPC because you cannot enable None authentication with Kafka publicly exposed. If it's publicly exposed, if SASL/SCRAM authentication is used, you could read the secret to access (you will need additional privileges to read the secret).\
If IAM role-based authentication is used and kafka is publicly exposed you could still abuse these privileges to give you permissions to access it.

{{#include ../../../../banners/hacktricks-training.md}}