AWS - Codepipeline Privesc

codepipeline

For more information about codepipeline check:

AWS - DataPipeline, CodePipeline & CodeCommit Enum

iam:PassRole, codepipeline:CreatePipeline, codebuild:CreateProject, codepipeline:StartPipelineExecution

When you create a code pipeline you can specify the codepipeline IAM Role it runs with, so you could compromise those roles.

Apart from the permissions listed above, you would need access to the place where the code is stored (S3, ECR, github, bitbucket...)

I tested this on the web page; the permissions mentioned above are not the List/Get ones needed to create a codepipeline, but to create it through the web you will also need: codebuild:ListCuratedEnvironmentImages, codebuild:ListProjects, codebuild:ListRepositories, codecommit:ListRepositories, events:PutTargets, codepipeline:ListPipelines, events:PutRule, codepipeline:ListActionTypes, cloudtrail:<several>

While creating the build project you can specify a command to run (rev shell?) and run the build phase as a privileged user; that is the configuration the attacker needs to compromise them:

?codebuild:UpdateProject, codepipeline:UpdatePipeline, codepipeline:StartPipelineExecution

It might be possible to modify the role used and the command executed on a codepipeline with the permissions listed above.

codepipeline:pollforjobs

AWS mentions:

When this API is called, CodePipeline returns temporary credentials for the S3 bucket used to store artifacts for the pipeline, if the action requires access to that S3 bucket for input or output artifacts. This API also returns any secret values defined for the action.
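From the defender's side, the permission sets named in this page's headings can be checked against the IAM policy documents attached to a principal. The following is an added example, not code from the original page: the function and set names are hypothetical, the sample policies are constructed, and it matches on Action only (an Allow counts regardless of Resource or Condition, NotAction is ignored, and a Deny clears a finding only when it is unconditional on Resource "*").

```python
from fnmatch import fnmatchcase

# Permission sets copied from this page's section headings.
RISKY_SETS = {
    "create-pipeline-with-passed-role": [
        "iam:PassRole", "codepipeline:CreatePipeline",
        "codebuild:CreateProject", "codepipeline:StartPipelineExecution"],
    "modify-existing-pipeline": [
        "codebuild:UpdateProject", "codepipeline:UpdatePipeline",
        "codepipeline:StartPipelineExecution"],
    "poll-for-jobs": ["codepipeline:PollForJobs"],
}

# Constructed sample policies, not taken from any real account.
SAMPLE_CI_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["codepipeline:*", "codebuild:CreateProject"]},
    {"Effect": "Allow", "Resource": "*", "Action": "iam:passrole"}]}
SAMPLE_GUARDRAIL = {"Version": "2012-10-17", "Statement": {
    "Effect": "Deny", "Resource": "*", "Action": "codepipeline:PollForJobs"}}


def _as_list(value):
    """IAM accepts one item or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [] if value is None else [value]


def _patterns(policy, effect):
    """Lower-cased Action patterns from statements carrying this Effect."""
    found = []
    for stmt in _as_list(policy.get("Statement")):
        scoped = "Condition" in stmt or _as_list(stmt.get("Resource")) != ["*"]
        if stmt.get("Effect") != effect or (effect == "Deny" and scoped):
            continue  # a scoped Deny may not apply, so it must not hide a finding
        found += [a.lower() for a in _as_list(stmt.get("Action"))]
    return found


def risky_sets(policies):
    """Names of RISKY_SETS whose every action the combined policies grant."""
    allows = [p for doc in policies for p in _patterns(doc, "Allow")]
    denies = [p for doc in policies for p in _patterns(doc, "Deny")]

    def granted(action):
        # IAM action names are case-insensitive and may use * and ? wildcards.
        hit = lambda pats: any(fnmatchcase(action.lower(), p) for p in pats)
        return hit(allows) and not hit(denies)

    return sorted(n for n, acts in RISKY_SETS.items() if all(map(granted, acts)))
```

Pass it every policy document that applies to one principal (inline, managed and group policies together); a non-empty result means that principal holds one of the combinations described above and its `iam:PassRole` scope and pipeline permissions should be reviewed.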
