AWS - Codepipeline Privesc
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
For more info about codepipeline check:
AWS - DataPipeline, CodePipeline & CodeCommit Enumiam:PassRole
, codepipeline:CreatePipeline
, codebuild:CreateProject, codepipeline:StartPipelineExecution
When creating a code pipeline you can indicate a codepipeline IAM Role to run, therefore you could compromise them.
Apart from the previous permissions you would need access to the place where the code is stored (S3, ECR, github, bitbucket...)
I tested this doing the process in the web page, the permissions indicated previously are the not List/Get ones needed to create a codepipeline, but for creating it in the web you will also need: codebuild:ListCuratedEnvironmentImages, codebuild:ListProjects, codebuild:ListRepositories, codecommit:ListRepositories, events:PutTargets, codepipeline:ListPipelines, events:PutRule, codepipeline:ListActionTypes, cloudtrail:<several>
During the creation of the build project you can indicate a command to run (rev shell?) and to run the build phase as privileged user, that's the configuration the attacker needs to compromise:
codebuild:UpdateProject, codepipeline:UpdatePipeline, codepipeline:StartPipelineExecution
It might be possible to modify the role used and the command executed on a codepipeline with the previous permissions.
codepipeline:pollforjobs
When this API is called, CodePipeline returns temporary credentials for the S3 bucket used to store artifacts for the pipeline, if the action requires access to that S3 bucket for input or output artifacts. This API also returns any secret values defined for the action.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)