Links

AWS - DataPipeline, CodePipeline & CodeCommit Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:

DataPipeline

AWS Data Pipeline is designed to facilitate the access, transformation, and efficient transfer of data at scale. It allows the following operations to be performed:
  1. 1.
    Access Your Data Where It’s Stored: Data residing in various AWS services can be accessed seamlessly.
  2. 2.
    Transform and Process at Scale: Large-scale data processing and transformation tasks are handled efficiently.
  3. 3.
    Efficiently Transfer Results: The processed data can be efficiently transferred to multiple AWS services including:
    • Amazon S3
    • Amazon RDS
    • Amazon DynamoDB
    • Amazon EMR
In essence, AWS Data Pipeline streamlines the movement and processing of data between different AWS compute and storage services, as well as on-premises data sources, at specified intervals.

Enumeration

aws datapipeline list-pipelines
aws datapipeline describe-pipelines --pipeline-ids <ID>
aws datapipeline list-runs --pipeline-id <ID>
aws datapipeline get-pipeline-definition --pipeline-id <ID>

Privesc

In the following page you can check how to abuse datapipeline permissions to escalate privileges:

CodePipeline

AWS CodePipeline is a fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates. CodePipeline automates the build, test, and deploy phases of your release process every time there is a code change, based on the release model you define.

Enumeration

aws codepipeline list-pipelines
aws codepipeline get-pipeline --name <pipeline_name>
aws codepipeline list-action-executions --pipeline-name <pl_name>
aws codepipeline list-pipeline-executions --pipeline-name <pl_name>
aws codepipeline list-webhooks
aws codepipeline get-pipeline-state --name <pipeline_name>

Privesc

In the following page you can check how to abuse codepipeline permissions to escalate privileges:

CodeCommit

It is a version control service, which is hosted and fully managed by Amazon, which can be used to privately store data (documents, binary files, source code) and manage them in the cloud.
It eliminates the requirement for the user to know Git and manage their own source control system or worry about scaling up or down their infrastructure. Codecommit supports all the standard functionalities that can be found in Git, which means it works effortlessly with user’s current Git-based tools.

Enumeration

# Repos
aws codecommit list-repositories
aws codecommit get-repository --repository-name <name>
aws codecommit get-repository-triggers --repository-name <name>
aws codecommit list-branches --repository-name <name>
aws codecommit list-pull-requests --repository-name <name>
# Approval rules
aws codecommit list-approval-rule-templates
aws codecommit get-approval-rule-template --approval-rule-template-name <name>
aws codecommit list-associated-approval-rule-templates-for-repository --repository-name <name>
# Get & Put files
## Get a file
aws codecommit get-file --repository-name backend-api --file-path app.py
## Put a file
aws codecommit get-branch --repository-name backend-api --branch-name master
aws codecommit put-file --repository-name backend-api --branch-name master --file-content fileb://./app.py --file-path app.py --parent-commit-id <commit-id>
# SSH Keys & Clone repo
## Get codecommit keys
aws iam list-ssh-public-keys #User keys for CodeCommit
aws iam get-ssh-public-key --user-name <username> --ssh-public-key-id <id> --encoding SSH #Get public key with metadata
# The previous command will give you the fingerprint of the ssh key
# With the next command you can check the fingerprint of an ssh key and compare them
ssh-keygen -f .ssh/id_rsa -l -E md5
# Clone repo
git clone ssh://<SSH-KEY-ID>@git-codecommit.<REGION>.amazonaws.com/v1/repos/<repo-name>

References

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks: